
The Snowden Reader


by David P Fidler


  The government notes the minimization procedures compel it to review information lawfully collected under §702, which includes information about U.S. persons, to determine if the information should be retained or disseminated.

  . . .

  In the government’s view, it must conduct such queries to fulfill its compelling interest to detect and disrupt terrorist attacks by discovering potential links between foreign terrorist groups and people within the United States.

  It is true, the FISC has approved minimization procedures which allow querying using U.S. person identifiers. . . . While the procedures previously imposed a “wholesale bar” on such queries, the new approved procedures allowed queries with U.S. person identifiers “subject to approval pursuant to internal NSA procedures and oversight by the Department of Justice.” . . . The FISC reasoned it had approved FISA Title I applications targeting U.S. persons that used minimization procedures allowing queries with U.S. person identifiers.

  . . .

  This is a very close question. On the one hand, why not require a warrant when using a U.S. person identifier to search a database of information already gathered? That is not the test, however. Just because a practice might better protect Americans’ privacy rights does not mean the Fourth Amendment requires the practice. Indeed, as the government argues, it must review information lawfully collected to decide whether to retain or disseminate it under the minimization procedures. . . . I do not find any significant additional intrusion past what must be done to apply minimization procedures. Thus, subsequent querying of a §702 collection, even if U.S. person identifiers are used, is not a separate search and does not make §702 surveillance unreasonable under the Fourth Amendment.

  e. Summary

  . . .

  Based on the statutory protections, I conclude the government’s compelling interest in protecting national security outweighs the intrusion of §702 surveillance on an individual’s privacy. Accordingly, §702, as applied to defendant, is reasonable under the Fourth Amendment.

  . . .

  United States v. Mohamud, U.S. District Court, District of Oregon, June 24, 2014 (citations in text and footnotes omitted).

  Source: United States v. Mohamud, Criminal No. 3:10-CR-00475-KI-1, U.S. District Court, District of Oregon, June 24, 2014.

  Reports from U.S. Advisory and Oversight Bodies

  30

  Report of the President’s Review Group on Intelligence and Communications Technologies, Executive Summary

  In response to the controversies generated by Snowden’s disclosures, President Obama established an expert group in August 2013 to review and develop recommendations on “how in light of advancements in communications technologies, the United States can employ its technical collection capabilities in a manner that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure.” The group’s report was released in mid-December 2013. It received worldwide attention, particularly because it advised ending the telephone metadata program, providing more protection for the privacy of foreign nationals, and changing the way the Foreign Intelligence Surveillance Court operates.

  Executive Summary

  Overview

  The national security threats facing the United States and our allies are numerous and significant, and they will remain so well into the future. These threats include international terrorism, the proliferation of weapons of mass destruction, and cyber espionage and warfare. A robust foreign intelligence collection capability is essential if we are to protect ourselves against such threats. Because our adversaries operate through the use of complex communications technologies, the National Security Agency . . . is indispensable to keeping our country and our allies safe and secure.

  At the same time, the United States is deeply committed to the protection of privacy and civil liberties—fundamental values that can be and at times have been eroded by excessive intelligence collection. After careful consideration, we recommend a number of changes to our intelligence collection activities that will protect these values without undermining what we need to do to keep our nation safe.

  Principles

  We suggest careful consideration of the following principles:

  1. The United States Government must protect, at once, two different forms of security: national security and personal privacy.

  In the American tradition, the word “security” has had multiple meanings. In contemporary parlance, it often refers to national security or homeland security. . . . At the same time, the idea of security refers to a quite different and equally fundamental value, captured in the Fourth Amendment . . . : “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated . . .” (emphasis added). Both forms of security must be protected.

  2. The central task is one of risk management; multiple risks are involved, and all of them must be considered.

  When public officials acquire foreign intelligence information, they seek to reduce risks, above all risks to national security. The challenge, of course, is that multiple risks are involved. Government must consider all of those risks . . . when it is creating sensible safeguards. In addition to reducing risks to national security, public officials must consider four other risks:

  • Risks to privacy;

  • Risks to freedom and civil liberties, on the Internet and elsewhere;

  • Risks to our relationships with other nations; and

  • Risks to trade and commerce, including international commerce.

  3. The idea of “balancing” has an important element of truth, but it is also inadequate and misleading.

  It is tempting to suggest that the underlying goal is to achieve the right “balance” between the two forms of security. The suggestion has an important element of truth. But some safeguards are not subject to balancing at all. In a free society, public officials should never engage in surveillance in order to punish their political enemies; to restrict freedom of speech or religion; to suppress legitimate criticism and dissent; to help their preferred companies or industries; to provide domestic companies with an unfair competitive advantage; or to benefit or burden members of groups defined in terms of religion, ethnicity, race, and gender.

  4. The government should base its decisions on a careful analysis of consequences, including both benefits and costs (to the extent feasible).

  In many areas of public policy, officials are increasingly insistent on the need for careful analysis of the consequences of their decisions, and on the importance of relying . . . on evidence and data. Before they are undertaken, surveillance decisions should depend (to the extent feasible) on a careful assessment of the anticipated consequences, including the full range of relevant risks. Such decisions should also be subject to continuing scrutiny, including retrospective analysis, to ensure that any errors are corrected.

  Surveillance of US Persons

  With respect to surveillance of US Persons, we recommend a series of significant reforms. Under section 215 of the Foreign Intelligence Surveillance Act (FISA), the government now stores bulk telephony meta-data, understood as information that includes the telephone numbers that both originate and receive calls, time of call, and date of call. (Meta-data does not include the content of calls.) . . . Congress should end such storage and transition to a system in which such meta-data is held privately for the government to query when necessary for national security purposes.

  In our view, the current storage by the government of bulk meta-data creates potential risks to public trust, personal privacy, and civil liberty. We recognize that the government might need access to such meta-data, which should be held instead either by private providers or by a private third party. This approach would allow the government access to the relevant information when such access is justified, and thus protect national security without unnecessarily threatening privacy and liberty. Consistent with this recommendation, . . . as a general rule and without senior policy review, the government should not be permitted to collect and store mass, undigested, non-public personal information about US persons for the purpose of enabling future queries and data-mining for foreign intelligence purposes.

  We also recommend specific reforms that will provide Americans with greater safeguards against intrusions into their personal domain. We endorse new steps to protect American citizens engaged in communications with non-US persons. We recommend important restrictions on the ability of the Foreign Intelligence Surveillance Court (FISC) to compel third parties (such as telephone service providers) to disclose private information to the government. We endorse similar restrictions on the issuance of National Security Letters (by which the Federal Bureau of Investigation now compels individuals and organizations to turn over certain otherwise private records), recommending prior judicial review except in emergencies. . . .

  We recommend concrete steps to promote transparency and accountability, and thus to promote public trust, which is essential in this domain. Legislation should be enacted requiring information about surveillance programs to be made available to the Congress and to the American people to the greatest extent possible (subject only to the need to protect classified information). . . . [L]egislation should be enacted authorizing telephone, Internet, and other providers to disclose publicly general information about orders they receive directing them to provide information to the government. Such information might disclose the number of orders that providers have received, the broad categories of information produced, and the number of users whose information has been produced. . . . [T]he government should publicly disclose, on a regular basis, general data about the orders it has issued in programs whose existence is unclassified.

  Surveillance of Non-US Persons

  Significant steps should be taken to protect the privacy of non-US persons. In particular, any programs that allow surveillance of such persons even outside the United States should satisfy six separate constraints. They:

  1) must be authorized by duly enacted laws or properly authorized executive orders;

  2) must be directed exclusively at protecting national security interests of the United States or our allies;

  3) must not be directed at illicit or illegitimate ends, such as the theft of trade secrets or obtaining commercial gain for domestic industries;

  4) must not target any non-United States person based solely on that person’s political views or religious convictions;

  5) must not disseminate information about non-United States persons if the information is not relevant to protecting the national security of the United States or our allies; and

  6) must be subject to careful oversight and to the highest degree of transparency consistent with protecting the national security of the United States and our allies.

  . . .

  Setting Priorities and Avoiding Unjustified or Unnecessary Surveillance

  To reduce the risk of unjustified, unnecessary, or excessive surveillance in foreign nations, including collection on foreign leaders, . . . the President should create a new process, requiring highest-level approval of all sensitive intelligence requirements and the methods that the Intelligence Community will use to meet them. This process should identify both the uses and the limits of surveillance on foreign leaders and in foreign nations.

  . . . [T]hose involved in the process should consider whether (1) surveillance is motivated by especially important national security concerns or by concerns that are less pressing and (2) surveillance would involve leaders of nations with whom we share fundamental values and interests or leaders of other nations. With close reference to (2), . . . with a small number of closely allied governments, meeting specific criteria, the US Government should explore understandings or arrangements regarding intelligence collection guidelines and practices with respect to each others’ citizens (including, if and where appropriate, intentions, strictures, or limitations with respect to collections).

  Organizational Reform

  We recommend a series of organizational changes. With respect to the National Security Agency (NSA), we believe that the Director should be a Senate-confirmed position, with civilians eligible to hold that position; the President should give serious consideration to making the next Director of NSA a civilian. NSA should be clearly designated as a foreign intelligence organization. Other missions (including that of NSA’s Information Assurance Directorate) should generally be assigned elsewhere. The head of the military unit, US Cyber Command, and the Director of NSA should not be a single official.

  We favor a newly chartered, strengthened, independent Civil Liberties and Privacy Protection Board (CLPP Board) to replace the Privacy and Civil Liberties Oversight Board (PCLOB). The CLPP Board should have broad authority to review government activity relating to foreign intelligence and counterterrorism whenever that activity has implications for civil liberties and privacy. A Special Assistant to the President for Privacy should also be designated, serving in both the Office of Management and Budget and the National Security Staff. This Special Assistant should chair a Chief Privacy Officer Council to help coordinate privacy policy throughout the Executive branch.

  With respect to the FISC, . . . Congress should create the position of Public Interest Advocate to represent the interests of privacy and civil liberties before the FISC. . . . [T]he government should take steps to increase the transparency of the FISC’s decisions and . . . Congress should change the process by which judges are appointed to the FISC.

  Global Communications Technology

  Substantial steps should be taken to protect prosperity, security, and openness in a networked world. A free and open Internet is critical to both self-government and economic growth. The United States Government should reaffirm the 2011 International Strategy for Cyberspace. It should stress that Internet governance must not be limited to governments, but should include all appropriate stakeholders, including businesses, civil society, and technology specialists.

  The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage. Among other measures relevant to the Internet, the US Government should also support international norms or agreements to increase confidence in the security of online communications.

  For big data and data-mining programs directed at communications, the US Government should develop Privacy and Civil Liberties Impact Assessments to ensure that such efforts are statistically reliable, cost-effective, and protective of privacy and civil liberties.

  Protecting What We Do Collect

  We recommend a series of steps to reduce the risks associated with “insider threats.” . . . Classified information should be shared only with those who genuinely need to know. . . . The use of “for-profit” corporations to conduct personnel investigations should be reduced or terminated. Security clearance levels should be further differentiated. Departments and agencies should institute a Work-Related Access approach to the dissemination of sensitive, classified information. Employees with high-level security clearances should be subject to a Personnel Continuous Monitoring Program. Ongoing security clearance vetting of individuals should use a risk-management approach and depend on the sensitivity and quantity of the programs and information to which individuals are given access.

  The security of information technology networks carrying classified information should be a matter of ongoing concern by Principals, who should conduct an annual assessment with the assistance of a “second opinion” team. Classified networks should increase the use of physical and logical separation of data to restrict access, including through Information Rights Management software. Cyber-security software standards and practices on classified networks should be at least as good as those on the most secure private-sector enterprises.

  Recommendations

  Recommendation 1

  We recommend that section 215 should be amended to authorize the Foreign Intelligence Surveillance Court to issue a section 215 order compelling a third party to disclose otherwise private information about particular individuals only if:

  (1) it finds that the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and

  (2) like a subpoena, the order is reasonable in focus, scope, and breadth.

  Recommendation 2

  We recommend that statutes that authorize the issuance of National Security Letters should be amended to permit the[ir] issuance . . . only upon a judicial finding that:

  (1) the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and

 
