The Snowden Reader
Page 16
Unlike a phone company, the Government has the power to audit our tax returns, to prosecute and imprison us, to grant or deny licenses to do business, and many other things. And there is an entirely understandable concern that the Government may abuse this power. . . . [T]here is no question that the Government, because of its powers, is properly viewed in a different light.
On the other hand, just as consumers . . . make extensive use of modern technology, so . . . do potentially hostile foreign governments and foreign terrorist organizations. Indeed, we know that terrorists and weapons proliferators are using global information networks to conduct research, to communicate and to plan attacks. Information that can help us identify and prevent terrorist attacks or other threats to our security is often hiding in plain sight among the vast amounts of information flowing around the globe. New technology means that the Intelligence Community must continue to find new ways to locate and analyze foreign intelligence. . . .
One approach to protecting privacy would be to limit the Intelligence Community to a targeted, focused query looking for specific information about an identified individual based on probable cause. But from the national security perspective, that would not be sufficient. . . . Rather than attempting to solve crimes that have happened already, we are trying to find out what is going to happen before it happens. We may have only fragmentary information about someone who is plotting a terrorist attack, and need to find him and stop him. We may get information that is useless to us without a store of data to match it against, such as when we get the telephone number of a terrorist and want to find out who he has been in touch with. Or we may learn about a plot that we were previously unaware of, causing us to revisit old information and find connections that we didn’t notice before—and that we would never know about if we hadn’t collected the information and kept it for some period of time. . . .
So . . . there are vast amounts of data that contain[] intelligence needed to protect us not only from terrorism, but from cyber attacks, weapons of mass destruction, and good old-fashioned espionage. . . . [G]iving the Intelligence Community access to this data has obvious privacy implications. We achieve both security and privacy . . . by a framework that establishes appropriate controls on what the Government can do with the information it lawfully collects, and appropriate oversight to ensure that it respects those controls. . . . In this way we can allow the Intelligence Community to acquire necessary foreign intelligence, while providing privacy protections that take account of modern technology.
IV. FISA Collection
In showing that this approach is in fact the way our system deals with intelligence collection, I’ll use FISA as an example. . . . First, . . . FISA is an important mechanism through which Congress has legislated in the area of foreign intelligence collection. Second, . . . it covers a wide range of activities, and involves all three sources of law I mentioned earlier: constitutional, statutory and executive. . . .
. . .
I want to emphasize that the United States, as a democratic nation, takes seriously th[e] requirement that collection activities have a valid foreign intelligence purpose. We do not . . . steal the trade secrets of foreign companies in order to give American companies a competitive advantage. We do not indiscriminately sweep up and store the contents of the communications of Americans, or of the citizenry of any country.
We do not use our intelligence collection for . . . repressing the citizens of any country because of their political, religious or other beliefs. We collect metadata—information about communications—more broadly than we collect the actual content of communications, because it is less intrusive . . . and in fact can provide us information that helps us more narrowly focus our collection of content on appropriate targets. But it simply is not true that the United States Government is listening to everything said by every citizen of any country.
Let me turn now to FISA. I’m going to talk about three provisions of that law: traditional FISA orders, the FISA business records provision, and Section 702. These provisions impose limits on what kind of information can be collected and how it can be collected, require procedures restricting what we can do with the information we collect and how long we can keep it, and impose oversight to ensure that the rules are followed. This sets up a coherent regime in which protections are afforded at the front end, when information is collected; in the middle, when information is reviewed and used; and at the back end, through oversight, all working together to protect both national security and privacy. . . .
So let’s begin by talking about traditional FISA collection. Prior to the passage of FISA in 1978, the collection of foreign intelligence was essentially unregulated by statutory law. It was viewed as a core function of the Executive Branch. In fact, when the criminal wiretap provisions were originally enacted, Congress expressly provided that they did not “limit the constitutional power of the President . . . to obtain foreign intelligence information . . . deemed essential to the national security of the United States.” However, ten years later, as a result of abuses revealed by the Church and Pike Committees, Congress imposed a judicial check on some aspects of electronic surveillance for foreign intelligence purposes. This is what is now codified in Title I of FISA, sometimes referred to as “traditional FISA.”
FISA established a special court, the Foreign Intelligence Surveillance Court, to hear applications by the Government to conduct electronic surveillance for foreign intelligence purposes. Because traditional FISA surveillance involves acquiring the content of communications, it is intrusive . . . and because it can be directed at individuals inside the United States, including American citizens, it implicates the Fourth Amendment. In FISA, Congress required that to get a “traditional” FISA electronic surveillance order, the Government must establish probable cause to believe that the target of surveillance is a foreign power or an agent of a foreign power, a probable cause standard derived from the standard used for wiretaps in criminal cases. And if the target is a U.S. person, he or she cannot be deemed an agent of a foreign power based solely on activity protected by the First Amendment. . . .
Moreover, by law the use of information collected under traditional FISA must be subject to minimization procedures, a concept that is key throughout FISA. Minimization procedures are procedures, approved by the FISA Court, that must be “reasonably designed in light of the purpose and technique of the particular surveillance, to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” For example, they generally prohibit disseminating the identity of a U.S. person unless the identity itself is necessary to understand the foreign intelligence or is evidence of a crime. . . . These tailored minimization procedures are an important way in which we provide appropriate protections for privacy.
So let me explain . . . how traditional FISA surveillance works in practice. Let’s say that the FBI suspects someone inside the United States of being a spy, or a terrorist, and they want to conduct electronic surveillance. . . . [A]s a general rule they have to present an application to the FISA Court establishing probable cause to believe that the person is an agent of a foreign power. . . . That application . . . is reviewed at several levels within both the FBI and Department of Justice before it is submitted to the Court. Now, the target may have a conversation with a U.S. person that has nothing to do with the foreign intelligence purpose of the surveillance, such as talking to a neighbor about a dinner party.
Under the minimization procedures, an analyst who listens to a conversation involving a U.S. person that has no foreign intelligence value cannot generally share it or disseminate it unless it is evidence of a crime. Even if a conversation has foreign intelligence value—let’s say a terrorist is talking to a confederate—that information may only be disseminated to someone with an appropriate need to know the in
formation pursuant to his or her mission.
. . .
Now let me turn to the second activity, the collection of business records. After FISA was passed, it became apparent that it left some significant gaps in our intelligence collection authority. In particular, while the Government had the power in a criminal investigation to compel the production of records with a grand jury subpoena, it lacked similar authority in a foreign intelligence investigation. So a provision was added in 1998 to provide such authority, and was amended by Section 215 of the USA-PATRIOT Act passed shortly after 9/11. This provision, which is generally referred to as “Section 215,” allows us to apply to the FISA Court for an order requiring production of documents or other tangible things when they are relevant to an authorized national security investigation. . . . Moreover, as with traditional FISA, records obtained pursuant to the FISA business records provision are subject to court-approved minimization procedures that limit the retention and dissemination of information about U.S. persons. . . .
Now, of course, the FISA business records provision has been in the news because of one particular use of that provision [the disclosed telephone metadata program]. The FISA Court has repeatedly approved orders directing several telecommunications companies to produce certain categories of telephone metadata. . . . It’s important to emphasize that under this program we do not get the content of any conversation; we do not get the identity of any party to the conversation; and we do not get any cell site or GPS [Global Positioning System] locational information.
The limited scope of what we collect has important legal consequences. As I mentioned earlier, the Supreme Court has held that if you have voluntarily provided this kind of information to third parties, you have no reasonable expectation of privacy in that information. All of the metadata we get under this program is information that the telecommunications companies obtain and keep for their own business purposes. As a result, the Government can get this information without a warrant, consistent with the Fourth Amendment.
Nonetheless, I recognize that there is a difference between getting metadata about one telephone number and getting it in bulk. . . . Section 215 only allows us to get records if they are “relevant” to a national security investigation, and from a privacy perspective people worry that . . . the government could apply data mining techniques to a bulk data set and learn new personal facts about them—even though the underlying set of records is not subject to a reasonable expectation of privacy for Fourth Amendment purposes.
On the other hand, this information is clearly useful from an intelligence perspective. . . . It’s important to understand the problem this program was intended to solve. Many will recall that one of the criticisms made by the 9/11 Commission was that we were unable to find the connection between a hijacker who was in California and an al-Qaida safe house in Yemen. Although NSA had collected the conversations from the Yemen safe house, they had no way to determine that the person at the other end of the conversation was in the United States. . . . This collection program is designed to help us find those connections.
In order to do so, however, we need to be able to access the records of telephone calls, possibly going back many years. However, telephone companies have no legal obligation to keep this kind of information, and they generally destroy it after a period of time. . . . And the different telephone companies have separate datasets in different formats, which makes analysis of possible terrorist calls involving several providers considerably slower and more cumbersome. That could be a significant problem in a fast-moving investigation where speed and agility are critical, such as the plot to bomb the New York City subways in 2009.
The way we fill this intelligence gap while protecting privacy illustrates the analytical approach I outlined earlier. From a subscriber’s point of view, . . . the difference between a telephone company keeping records of his phone calls and the Intelligence Community keeping the same information is what the Government could do with the records. That’s an entirely legitimate concern. We deal with it by limiting what the Intelligence Community is allowed [to] do with the information we get under this program—limitations that are approved by the FISA Court:
• First, we put this information in secure databases.
• Second, the only intelligence purpose for which this information can be used is counterterrorism.
• Third, we allow only a limited number of specially trained analysts to search these databases.
• Fourth, even those trained analysts are allowed to search the database only when they have a reasonable and articulable suspicion that a particular telephone number is associated with particular foreign terrorist organizations that have been identified to the Court. The basis for that suspicion has to be documented in writing and approved by a supervisor.
• Fifth, they’re allowed to use this information only in a limited way, to map a network of telephone numbers calling other telephone numbers.
• Sixth, because the database contains only metadata, even if the analyst finds a previously unknown telephone number that warrants further investigation, all she can do is disseminate the telephone number. She doesn’t even know whose number it is. Any further investigation of that number has to be done pursuant to other lawful means, and in particular, any collection of the contents of communications would have to be done using another valid legal authority, such as a traditional FISA.
• Finally, the information is destroyed after five years.
The net result is that although we collect large volumes of metadata under this program, we only look at a tiny fraction of it, and only for a carefully circumscribed purpose—to help us find links between foreign terrorists and people in the United States. The collection has to be broad to be operationally effective, but it is limited to non-content data that has a low privacy value and is not protected by the Fourth Amendment. . . . Only the narrowest, most important use of this data is permitted; other uses are prohibited. In this way, we protect both privacy and national security.
Some have questioned how collection of a large volume of telephone metadata could comply with the statutory requirement that business records obtained pursuant to Section 215 be “relevant to an authorized investigation.” . . . First, remember that the “authorized investigation” is an intelligence investigation, not a criminal one. The statute requires that an authorized investigation be conducted in accordance with guidelines . . . [that] allow the FBI to conduct an investigation into a foreign terrorist entity if there is an “articulable factual basis . . . that reasonably indicates that the [entity] may have engaged in . . . international terrorism or other threat to the national security,” or may be planning or supporting such conduct. . . . And in this case, the Government’s applications to collect the telephony metadata have identified the particular terrorist entities that are the subject of the investigations.
Second, the standard of “relevance” required by this statute is not the standard that we think of in a civil or criminal trial under the rules of evidence. The courts have recognized in other contexts that “relevance” can be an extremely broad standard. . . .
In each of these contexts, the meaning of “relevance” is sufficiently broad to allow for . . . requests that encompass large volumes of records in order to locate within them a smaller subset of material that will be directly pertinent to or actually be used in furtherance of the investigation or proceedings. . . .
When it passed the business records provision, Congress made clear that it had in mind such broad concepts of relevance. The telephony metadata collection program meets this relevance standard because . . . the effectiveness of the queries . . . based on “reasonable and articulable suspicion” . . . depends on collecting and maintaining the data from which the narrowly focused queries can be made. . . . While the scope of the collection at issue here is broader than typically might be acquired through a grand jury subpoena or civil discovery request, the basic principle is similar: the information is relevan
t because you need to have the broader set of records in order to identify within them the information that is actually important to a terrorism investigation. . . .
I want to repeat that the conclusion that the bulk metadata collection is authorized under Section 215 is not that of the Intelligence Community alone. Applications to obtain this data have been repeatedly approved by numerous judges of the FISA Court, each of whom has determined that the application complies with all legal requirements. And Congress reauthorized Section 215 in 2011, after the Intelligence and Judiciary Committees of both Houses had been briefed on the program, and after information describing the program had been made available to all Members. In short, all three branches of Government have determined that this collection is lawful and reasonable—in large part because of the substantial protections we provide for the privacy of every person whose telephone number is collected.
The third program I want to talk about is Section 702. . . . Again, a little history is in order. . . . Title I of FISA, or traditional FISA, governs electronic surveillance conducted within the United States for foreign intelligence purposes. When FISA was first passed in 1978, Congress did not intend it to regulate the targeting of foreigners outside of the United States for foreign intelligence purposes.
This kind of surveillance was generally carved out of coverage under FISA by the way Congress defined “electronic surveillance.” Most international communications in 1978 took place via satellite, so Congress excluded international radio communications from the definition of electronic surveillance covered by FISA, even when the radio waves were intercepted in the United States, unless the target of the collection was a U.S. person in the United States.