On January 17, 2014 President Obama came to the “Great Room” at the U.S. Department of Justice (for the first time) to announce his reforms to the NSA’s data collection programs in light of the revelations of massive data collection on innocent Americans made by Edward Snowden.

While the President offered some limited reforms and even more limited public oversight, the main structures of the surveillance and intelligence apparatus remain in place.  The US government will still be collecting massive amounts of information on both US citizens and foreigners, although there may be some slight changes in how and why this data can be accessed.  The blanket of secrecy surrounding these programs essentially went from thick and opaque wool to a slightly less thick cotton.   While outlines may be discernible, the programs will remain secret, and the policy debates will still occur behind closed doors.  Mostly.

Spying is Good

After walking through the history of intelligence gathering in America (from Paul Revere and the Sons of Liberty to the post-9/11 world) the President lauded the efforts of the intelligence community in “preventing multiple attacks” and saving thousands of lives.  Obama went on to criticize President Bush’s “excesses” after 9-11 (including the euphemistic “enhanced interrogation” techniques) but went on to justify the collection of data by his own NSA – including the collection of “bulk data” which he called a “powerful tool” which creates a “potential for abuse.”

The President noted that “the legal safeguards that protect U.S. persons does not apply to foreigners overseas.  The whole point of intelligence is to gather information that is not otherwise available.  There are few technical limitations on what we can do.  That places special obligations on us to determine what we should do.”

The intelligence community, who the President referred to as “patriots” following the law, faced with an awesome responsibility of keeping the nation and the world safe, and with few technical limitations on data collection, has developed what the President called “an inevitable bias … to collect more information about what is going on in the world” under circumstances where the “danger of government overreach is acute.”

But in recommending reforms, President Obama noted that other countries are spying on us, and that is why we don’t have blackberries or other electronic devices in the situation room.  He noted, “the challenge is getting the details right … and that is not simple.”

The Specific Reforms

The President recommended several specific reforms – mostly cosmetic, some slightly structural, in his effort to “get the details right.”  By and large these “reforms” do not change the ability of the Intelligence Community to continue to do what it is doing, just reforms how they do it.  It creates no new rights of U.S. citizens.  It does not allow U.S. citizens to see more about what their government is doing, nor does it require the kind of public debate before the Intelligence Community acts which the President states is necessary.  The reforms announced were:

  1. SIGINT Directive

The President announced a new Presidential Directive requiring oversight by the executive branch in the collection of Signals Intelligence (SIGINT) directing the intelligence community in its collection of data, to “consider alliances, trade and investment, and our commitment to privacy.”

And this is a change to current policy?  If you are an NSA collector, dedicated to the preservation of the United States as a union, and you believe that the reason you are engaged in SIGINT in the first place is to prevent existential threats to the nation, haven’t you already considered and rejected the impact of “alliances, trade and investment, and our commitment to privacy?”

This kind of “cost benefit” analysis (is it worth it to do what we are doing, and can we do it in a less intrusive way) would be useful in the abstract.  But when “national security” writ large is on one end of the balance beam, it’s hard to imagine that anything on the other side will ever outweigh it.

Moreover, the review of SIGINT priorities is made by the President’s senior national security team with now participation by the Courts, Congress, the public, or privacy advocates.  Good rhetoric, but it’s hard to imagine that there will be much change here.

  1. FISC Reform

The President’s speech called for what he called “greater transparency” in the operations of the Foreign Intelligence Surveillance Court “to protect privacy of US Persons.”  He pointed to the fact that the administration declassified 40 FISC opinions (without mentioning the dozens of lawsuits filed to seek such declassification, and the government’s almost universal opposition to these lawsuits.)

Now to call the FISC a “Court” is something of a stretch.  Yes, it’s composed of representatives of the judicial branch, appointed by the President.  Yes, it has the authority to issue or refuse to issue order under both Section 702 and 215 of the USA PATRIOT Act for surveillance activities. But it is secret, its opinions are secret, the people impacted by its decisions have no rights and no representation, or even to know that they have been impacted.  It hears from one side and one side only.

In criminal cases, the government can, in secret get search or surveillance orders, but eventually these have to be disclosed unless there is a specific finding of a specific harm warranting the continued secrecy.  For the most part, we don’t allow the government to conduct “secret” searches.  Rule 41 F.R.Crim. P. requires the agents executing a search warrant not only to knock and announce their presence (mostly) but also to leave a copy of the warrant authorizing the search and an inventory of what was taken.  While the person whose privacy was invaded as a result of the search does not have a right to be present or heard when the government gets the warrant (otherwise they would clearly have an incentive to destroy evidence) they do get to challenge the legality and scope of the search in something we call a court of law.  Not so with FISC.

Moreover, courts don’t generally set or approve broad government policies, particularly with constitutional implications.  Courts are good at deciding whether there is “probable cause” to believe that Joey Bananas is committing racketeering (or whether Abu Nidal is committing terrorism) and whether it is appropriate to listen in on their phone calls or search their house.  Courts are not as good at deciding whether it is appropriate for police to photograph and retain records of every person walking down Congress Street in Boston, and match them to a facial recognition database.  The latter is best left to public discourse – whether the facial recognition program is “reasonable” is first left to the people and their representatives to decide.  Whether it is constitutional as applied waits for a “case and controversy.”  Mostly.

The President recommended slight FISC reforms – none structural.  The executive order requires the Director of National Intelligence to meet with the Attorney General to decide whether to declassify FISC opinions with “broad privacy implications” and report their findings to the President and Congress.  It also recommends that there be an “outside independent voice on “significant” FISC cases.”

Here the President could have, and should have gone further. He could have indicated that the presumption is that all FISC applications and order which are “purely legal” and not factual, and which raise legal policy and not factual issues are to be publicly disclosed, unless the Court finds (after consultation with the executive branch) that the release of that information would cause grave harm to the national security – the standard for Top Secret classification anyway. The same could be said about an advocate.  The presumption should be that, for legal issues (the creation of policy, not its application to a specific individual) an advocate will represent not the individual whose phones are sought to be tapped, but the privacy concerns inherent in conducting such taps.

Moreover, the President announced no sanctions for those found to have violated FISC orders or DCI privacy directives.  No stick.  All carrot.

  1. Section702 Oversight. 

The President recommended that the Attorney General and the Director of National Intelligence institute restrictions on United States government’s ability to collect, under Section 702 of the USA PATRIOT Act aimed at collecting information about foreigners, information on U.S. person’s communication which were “incidentally” collected.  The “reform” didn’t hint at what these “restrictions” might be.  And that’s a problem.

Here’s how it works.  During the course of a SIGINT operation aimed at some non-US person (whether the operation is conducted in the US or not) the intelligence community will invariably collect information about U.S. persons “incidentally.”  By the way, the “incidental” collection need not be “inadvertent” and there’s no measuring stick.  As long as the “target” of the collection is not a U.S. person, it doesn’t matter that 99.999% of the data collected relates to an actual U.S. person.  That would be “incidental” collection.  Oooops.  My bad.

But it goes from bad to worse.  Having “incidentally” obtained SIGINT relating to U.S. persons pursuant to a FISA surveillance or otherwise, the NSA can then provide that information pretty much without restriction to other government agencies (provided of course that they will protect sources and methods).

This means that the NSA can give information to the FBI, Homeland Security, the Customs and Border Patrol, or, if they want to, the Suffolk County (NY) Police Department, or the Douglas County (Nebraska) Sherriff’s Department, or the IRS, CID, OIG, or any of thousands of TLA’s (Three Letter Agencies.)

But remember, these agencies have to act on the data while protecting the classified source.  So the Sherriff in Omaha, having been alerted to some inadvertent intercept, finds an “excuse” to pull you over, or to search your house, car, luggage, etc.

Or the Sherriff applies for a search warrant, indicating that his information came from a “reliable informant” who has provided credible information in the past, without actually telling the Douglas County court that the information came from a wiretap which, if it had actually targeted a U.S. person, would have been illegal. The Court issuing the search warrant knows nothing about the legality of the NSA surveillance, and can never rule on it. The subject of search knows nothing about the NSA surveillance, and in fact is deliberately misled about the source. So nobody every discloses what really happened in a criminal case where the defendant is entitled to both discovery and a speedy and public trial.

Now there IS a legal way to deal with this – it’s called the graymail statute, and it allows classified information to be disclosed to the Court which can then substitute an unclassified version when the court finds that the classified information is not relevant and that the unclassified information provides enough of a relevant substitute.  But that’s not what really happens. The cops, the prosecutors, the NSA and the government just omit this information, and lead the courts and the defendants (and, by the way sometimes the prosecutors) to believe that the information came from some other, unclassified source.

So the President proposed a “review” with some unspecified “restrictions.”  How about an expansion of the Classified Information Procedures Act to allow the courts to have access to classified information to be relied upon in criminal cases?  That doesn’t seem to be part of the proposed solution.

  1. National Security Letter Review

The President’s speech also addressed the use of National Security Letters (NSL) in connection with espionage, terrorism, and national security related investigations.

NSL’s are demands for production of records issued not by a court, but by a government agency.  They require that the recipient – say an Internet Service Provider, a phone company, or your local library – pony up the demanded documents or records forthwith and post haste.  But there’s a catch.  You can’t tell anybody you got the demand.  In fact, as originally written (but later amended) you couldn’t even tell your lawyer you got the letter, and you might not have even been able to tell the Court that you got the letter.  The potential for abuse was rife, and FBI records showed that there was substantial overuse of NSL’s in non-terrorism cases, and substantial record keeping failures.

What’s worse, the recipients of these NSL’s – many of which had privacy policies that promised their customers that their data would be safe and secure, were frequently prohibited from even issuing “transparency reports” indicating how many times they had their records demanded, how many records were produced, and other information. So the President promised more “transparency.” He proposed to amend the law to terminate the secrecy presumption after a fixed period of time, unless the government can show a need for further secrecy.

A decent start, but not nearly enough.

First, under the NSL law, it is the applicant – the executive branch agency – that determines that the case involves national security and that therefore the demand must be kept secret.  But really, whether the case is actually about national security, and whether secrecy of what amounts to a court order compelling production is necessary is inherently a judicial function. This allows the FBI to be judge, jury (but not executioner – it still requires a court to find someone in contempt of an NSL).  It should be a trivial matter for the FBI to be able to demonstrate to a compliant court that both the documents demanded and the secrecy of the demand are necessary for national security, and that the demand does not impinge legitimate privacy, first amendment, privilege or other concerns.  Under current law, these determinations are left to the exclusive purview of the executive branch.  If we want transparency, let’s start with transparency within the government.

As to the termination of the secrecy of NSL’s, I propose that the government, to keep the demands secret, must demonstrate by a preponderance of the evidence, that disclosure of the fact of the NSL or its contents would likely result in severe harm to the national security (again, the standard set out for classifying the materials in the first place) and that the government would have to periodically recertify the fact that the harm would continue to occur every so often (30 days, 60 days, 90 days) or the documents would become public.  This would reverse the current presumption that all NSL’s are secret all the time and forever.  It allows the government to protect properly classified information, when it is properly classified information.

  1. Bulk Data Collection

OK.  Now for the elephant in the room.  The NSA’s “bulk metadata collection” program.  Well, actually only a small part of it.

The President addressed the so-called PRISM program: the NSA’s program to collect, store and analyze the telephone toll records of every call made in to, out of, and within the United States (other programs gather international records and content information).

As described by the President, the program collects the metadata  – not the content of calls or names of people making calls. Things like the phone numbers, times and lengths of calls.  Of course we all know how difficult it is to find the name of the subscriber when all you have is their telephone number. I guess “Caller ID” is a technology beyond the ability of the Director of National Intelligence.

The President described the program in a way that minimized the privacy concerns and maximized the supposed need for the program.  He indicated that this database of metadata could only be queried with “reasonable suspicion” of a link to a terrorist organization.

But this “showing” of reasonable suspicion never has to be made to a court, an oversight agency, or anyone but an NSA supervisor (maybe) and certainly not in advance of the search.  It also provides no sanction if the database is queried on less than “reasonable suspicion” or how the agency and the FISC reviews the results of the queries to see what the agency’s track record on “pings” might be.

If the agency made 10,000 “reasonable suspicion” pings and found evidence in one case, one might reasonably conclude that their suspicion was, shall we say, not so “reasonable?”  Again, you can’t judge the quality of the decision to ping the database based exclusively on the results of the outcome, but it is an indicator that maybe you guessed wrong?

The President brought up a specific case as being the legal and policy justification for the multi-billion dollar bulk data (or Consumer Proprietary Network Information) collection program.

He pointed to the case of an alleged terrorist in Yemen who received a telephone call which was intercepted by the NSA which was watching the Yemeni safe house.  Having intercepted the call, apparently the NSA couldn’t tell that the call originated from San Diego, and thus there was a potential terrorist sleeper cell operating within the United States.  Scary stuff.  Clearly the government should be able to find out where a call came from, and the nature of the person making such a call.

Guess what. They can. And always could. Even without the bulk data program. 

The government could always subpoena, demand or compel production of these records from the phone companies.  It might take hours to comply.  Maybe even a day.  Possible slightly longer.

What the President didn’t say was that delay in getting the records about the San Diego caller would have had any impact on that particular case.  What he did say was that, “If a bomb goes off in a US city, time is of the essence.”  He also noted that being able to “quickly review” phone connections are necessary.  Why?  What’s the difference between seconds, minutes and hours in these cases, especially if, in order to even “ping” the database, we already require layers of review at the NSA and DOJ?

Unless we don’t.  It is possible that, as Edward Snowden intimated, an individual NSA analyst can make their own real-time assessment that there was “reasonable suspicion” to ping the database without any oversight or review?  If “time is of the essence” then it seems likely that the analyst can do what they please.

The most recent findings, and at least one court has concluded that the “time is of the essence” argument doesn’t wash, and could find no cases where any terrorist case was prevented or even investigated as a result of the immediacy afforded by the bulk collection program (as opposed to being able to get the same records slightly later).

But there COULD be a case in the future – a ticking time bomb – where we want a Jack Bauer to be able to pull up a suspects call history and contacts while driving down the Baltimore-Washington Parkway at 95 miles an hour.

Possibly.

So the President proposed two reforms – both decent, neither good enough.

First, he proposed to “end section 215 [of the USA PATRIOT Act] as it currently exists.”   He proposed to transition from a methodology where the government takes in an stores all of the metadata to a methodology where the companies themselves continue to store it, but the government finds a way to both collate and cross reference it, and ping it when approved.

As the President said, “this will not be simple.”  With private companies keeping and collating the data, there is a potential for abuse, misuse, and unauthorized use and disclosure (including by hackers and foreign governments).  The new approach may be more expensive, raise new legal issues, have less accountability, and decrease consumer confidence in data protection.  The President noted that “more work needs to be done to determine how the system will be work.”  So we would be trading a pig in a poke for a pig in a slightly different poke.  The devil is in the details.

But at least there will be some kind of public debate and Congressional consultation.  Which is a heck of a lot more than there was when the NSA reinterpreted its authority under Section 215 in the first place.

So it’s a start.

A small one.

Remember, this only addresses the telephony metadata program.  It does not address similar programs by the NSA to collect and store metadata related to text messages, SMS messages, web searches, e-mail headers, faxes, location data, or anything else.  That, as the Wizard of Oz might say, is a horse of a different color.

Hippity Hop

The President proposed to limit the authority of the NSA to ping the database for “three hops” from the suspect’s phone to only “two hops.”  It’s like the old shampoo commercial – “and she tells two people, and she tells two people, and so on, and so on…”

Here I actually think the President is unreasonably limiting the NSA.  Whether the NSA analyst searches one hop, two hops, three hops, or a thousand hops should be determined by the same “reasonable suspicion” standard, and should depend on what they find on the first, second and possibly third hop search.  There should be no presumption that three hops is, or is not reasonable.

Here Come the Judge

One very good proposed change is to allow the database to be queried only with judicial approval unless there is an emergency or exigent circumstance.  That’s very good.  The creation of the database of phone metadata protects privacy IF access is limited to those circumstance where the NSA can show reasonable suspicion to a court.

This need not be a formal application on paper, etc.  We can and should make it easy for the NSA to make the relevant inquiry of the Court and obtain approval.  We do this all the time for search warrants and other orders.  A court can take affidavits by fax, over the phone, by e-mail, and possibly by text, SMS or smoke signals.  A “warrant” or ping request can similarly be approved quickly.  There is something to be said for judicial approval of searches.  That’s kind of why they put it into the Constitution.  If we need more judges, well, so be it.

Those Darned Feriners

The President next addressed a matter that was more of a concern for foreign relations than for the legal proscriptions on privacy in the U.S.  He discovered that human beings exist all over the world.  That people’s privacy rights and interests don’t stop when you get to Fortuna, North Dakota or Grand Island, New York.

While the U.S. has legitimate interests in protecting national security and conducting surveillance for counterintelligence, counterterrorism, counter-proliferation, cybercrime and cyberwarfare prevention, and force protection, “Ordinary citizens [of other countries] must have confidence that United States respects their privacy too.”  This is necessary to maintain the trust and cooperation of these foreign governments.

Oh, and this includes Angela Merkel too.

There’s an old saying that the definition of a gentleman is a person who knows how to play the accordion, but doesn’t.

In this case, while the U.S. will retain the power and the legal authority to conduct surveillance on foreigners (and foreign leaders) we are going to exercise a bit (just a bit) of discretion in doing so.  We won’t collect information on foreign citizens’ actions related to  criticism, dissent, or to further discrimination. We won’t use data collected for competitive advantage to US companies or US commercial sectors.  We will limit (not sure how) what we collect and how long we hold it.  As the President noted, “people around the world should know we aren’t spying on ordinary people who don’t pose a threat to the United States.”

Small comfort, but comfort nonetheless.

Oh, and this includes Angela Merkel as well.  While the Intelligence Community will continue to gather intelligence about governments around the world, we won’t spy on our friends.  Well, not our close ones at least.  Well, not as much anyway.  Well, we won’t get caught.  Unless there is a compelling national security purpose.  So, as the President noted, if he wants to know what Angela Merkel is up to, well dammit, he’ll just have to call her and ask!

A Privacy Czaravitch?

Finally, the President noted that he was going to ask his counsel, John Podesta to review how the U.S. government collects, stores and uses “big data” and to reach out to the President’s science advisor, privacy experts, technologists, and the private sector to find out how we can establish international norms for big data while promoting the free flow of information.

‘bout freakin time.’

But, of course there is no indication that the Podesta commission (well, something less than a commission) will have any authority to actually do anything.

But that’s Washington for you.

So all in all, there’s a lot of awesome rhetoric about privacy and national security, a few minor changes, and a lot more study.  Imagine if Paul Revere was, instead of shouting “the British are coming” he quoted Walt Kelley’s Pogo and rode from Boston to Lexington shouting, “We have met the enemy, and he is us…”

Leave a Reply