Tag: NSA

What We Can and Can’t Know About NSA Spying: A Reply to Prof. Cordero

Georgetown Law professor Carrie Cordero—who previously worked at the Department of Justice improving privacy procedures for monitoring under the Foreign Intelligence Surveillance Act—attended our event with Sen. Ron Wyden (D-OR) on the FISA Amendments Act last week.  Perhaps unsurprisingly, she’s rather more comfortable with the surveillance authorized by the law than our speakers were, and posted some critical commentary at the Lawfare blog (which is, incidentally, required reading for national security and intelligence buffs). Marcy Wheeler has already posted her own reply, but I’d like to hit a few points as well. Here’s Cordero:

Since at least the summer of 2011, [Wyden and Sen. Mark Udall] have been pushing the Intelligence Community to provide more public information about how the FAA works, and how it affects the privacy rights of Americans. In particular, they have, in a series of letters, requested that the Executive Branch provide an estimate of the number of Americans incidentally intercepted during the course of FAA surveillance. According to the exchanges of letters, the Executive Branch has repeatedly denied the request, on the basis that: i) it would be an unreasonable burden on the workforce (and, presumably, would take intelligence professionals off their national security mission); and ii) gathering the data the senators are requesting would, in and of itself, violate privacy rights of Americans.

The workforce argument, even if true, is, of course, a loser. The question of whether the data call itself would violate privacy rights is a more interesting one. Multiple oversight personnel independent of the operational and analytical wings of the Intelligence Community – including the Office of Management and Budget, the NSA Inspector General, and just last month, the Inspector General of the Intelligence Community, have all said that the data call requested by the senators is not feasible. The other members of the SSCI appear to accept this claim on its face. Meanwhile, Senator Wyden states he just finds the claim unbelievable. That there must be some way it can be done, he says, if even on a sample basis. Maintaining that position puts him in an interesting place, however: is the privacy advocate actually advocating for violating the privacy rules, to appease a Congressional request? Assuming that he would not actually want to advocate that the rules be waived at the request of a politician, a question then arises as to whether the Intelligence Community has adequately explained exactly how the data call would work and why it would conflict with existing privacy rules and protections, such as minimization procedures.

I’ll grant Cordero this point: as absurd as it sounds to say “we can’t tell you how many Americans we’re spying on, because it would violate their privacy,” this might well be a concern if those of us who follow these issues from the outside are correct in our surmises about what NSA is doing under FAA authority. The only real restriction the law places on the initial interception of communications is that the NSA use “targeting procedures” designed to capture traffic to or from overseas groups and individuals. There’s an enormous amount of circumstantial evidence to suggest that initial acquisition is therefore extremely broad, with a large percentage of international communications traffic being fed into NSA databases for later querying. If that’s the case, then naturally the tiny subset of communications later reviewed by a human analyst—because they match far narrower criteria for suspicion—is going to be highly unrepresentative. To get even a rough statistical sample of what’s in the larger database, then, one would have to “inspect”—possibly using software—a whole lot of the innocent communications that wouldn’t otherwise ever be analyzed. And possibly the rules currently in place don’t make any allowance for querying the database—even to analyze metadata for the purpose of generating aggregate statistics—unless it’s directly related to an intelligence purpose.

A few points about this.  First: assuming, for the moment, that  this is the case, why can’t NSA and DOJ say so clearly and publicly? Because it would somehow imperil national security to characterize the surveillance program even at this highest level of generality, without any mention of particular search parameters or targets? Would it “help the terrorists” if they answered a more recent query from a bipartisan group of senators, asking whether database searches (as opposed to initial “targeting”) had focused on specific American citizens?  Please.

A  more plausible hypothesis is that they recognize that an official, public acknowledgement that the government is routinely copying and warehousing millions of completely innocent communications—even if they’re only looking at the “suspicious” minority— would not go over entirely smoothly with the citizenry. There might even be a demand for some public debate about whether this is the kind of thing we’re willing to countenance. Legal scholars might become curious whether whatever arguments support the constitutionality of this practice hold up as well in the light of the day as they do when they’re made unopposed in closed chambers. Even without an actual estimate, any meaningful discussion of the workings of the program would be likely to undermine the whole pretense that it only “incidentally” involves the communications of innocent Americans, or that the constraints on “targeting”constitute a meaningful safeguard.  The desire to avoid the whole hornet’s nest using the pretext of national security is perhaps understandable, but it shouldn’t be acceptable in a democracy. Yet everyone knows overclassification is endemic—even the government’s own former “classification czar” has blasted the government’s use of inappropriate secrecy as a weapon against critics.

Second, transparency at this level of generality is an essential component of privacy protection. To the extent that the rules governing  access to the database preclude any attempt to audit its aggregate contents—including by automated software tallying of identifiers such as area codes and IP addresses—then they should indeed be changed, not because a senator demanded it, but because they otherwise preclude adequate oversight. An online service that keeps no server logs would be somewhat more protective of its users privacy… if  its database were otherwise perfectly secure against intrusion or misuse. In the real world, where there’s no such thing as perfect security, such a service would be protecting user privacy extremely poorly, because it would lack the ability to detect and prevent breaches. If it is not possible to audit the NSA’s system in this way, then that system needs to be altered until it is possible. If giving Congress a rough sense of the extent of the agency’s surveillance of Americans falls outside the parameters of the intelligence mission (and therefore the permissible uses of the database), it’s time for a new mission statement.

Finally, Cordero closes by noting the SSCI has touted its own oversight as “extensive” and “robust,” which Cordero thinks “debunks” the  suggestion embedded in our event title that the FAA enables “mass spying without accountability.”  (Can I debunk the debunking by lauding the accuracy and thoroughness of my own analysis?)  Unfortunately, the consensus of most independent analysts of the intelligence committees’ performance is a good deal less sanguine—which makes me hesitant to take that self-assessment at face value.

As scholars frequently point out, the overseers are asked to process incredibly complex information with a limited cleared staff to assist them, and often forbidden to take notes at briefings or remove reports from secure facilities. When you read about those extensive reports, recall that in the run-up to the invasion of Iraq only six senators and a handful of representatives ever read past the executive summary of the National Intelligence Estimate on Iraq’s WMD programs to the far more qualified language of the  full 92-page report. You might think the intel committees would need to hold more hearings than their counterparts to compensate for these disadvantages, but UCLA’s Amy Zegart has found that they consistently rank at the bottom of the pack, year after year. Little wonder, then, that years of flagrant and systemic misuse of another controversial surveillance tool—National Security Letters—was not uncovered by the “extensive” and “robust” oversight of the intelligence committees, but by the Justice Department’s inspector general.

In any event, we seem to have at least 13 senators who don’t believe they’ve been provided with enough information to perform their oversight role adequately. Perhaps they’re setting the bar too high, but I find it more likely that their colleagues—who over time naturally grow to like and trust the intelligence officials upon whom they rely for their information—are a bit too easily satisfied. There are no  prizes for expending time, energy, and political capital on ferreting out civil liberties problems in covert intelligence programs, least of all in an election year. It’s far easier to be satisfied with whatever data the intelligence community deigns to dribble out—often with heroic indifference to statutory reporting deadlines—and take it on faith that everything’s running as smoothly as they say. That allows you to write, and even believe, that you’re conducting “robust” oversight without knowing (as Wyden’s letter suggests the committee members do not) roughly how many Americans are being captured in NSA’s database, how many purely-domestic communications have been intercepted,  whether warrantless “backdoor” targeting of Americans is being done via the selection of database queries. But the public need not be so easily satisfied, nor accept that meaningful “accountability” exists when all those extensive reports leave the overseers ignorant of so many basic facts.

Mass Tragedy Boilerplate and Rebuttal

On the road last week, and allergic to getting too heavily involved in the issue de l’heure, I only today saw Holman Jenkins’ Wall Street Journal commentary: “Can Data Mining Stop the Killing?

After the Aurora theater massacre, it might be fair to ask what kinds of things the NSA has programmed its algorithms to look for. Did it, or could it have, picked up on Mr. Holmes’s activities? And if not, what exactly are we getting for the money we spend on data mining?

Other than to collect it in a great mass along with data about all of us, the NSA could not have “picked up on” Mr. Holmes’s activities. As I wrote earlier this year about data mining’s potential for averting school shootings:

“[D]ata mining doesn’t have the capacity to predict rare events like terrorism or school shootings. The precursors of such events are not consistent the way, say, credit card fraud is. Data mining for campus violence would produce many false leads while missing real events. The costs in dollars and privacy would not be rewarded by gains in security and safety.

Jeff Jonas and I wrote about this in our 2006 Cato Policy Analysis, “Effective Counterterrorism and the Limited Role of Predictive Data Mining.”

If the NSA has data about the pathetic loser, Mr. Holmes, and if it were to let us know about it, all that would do is provide lenses for some pundit’s 20/20 hindsight. Data about past events always points to the future that occurred. But there is not enough commonality among rare and sporadic mass shootings to use their characteristics as predictors of future shootings.

Jenkins doesn’t drive hard toward concluding that data mining would have helped, but his inquiry is mass tragedy boilerplate. It’s been rebutted by me and others many times.

Three Lessons from the Increasingly Irrelevant Annual Wiretap Report

The 2011 Wiretap Report was released this weekend, providing an overview of how federal and state governments used wiretapping powers in criminal investigations. (Surveillance for intelligence purposes is covered in a separate, far less informative report.) There’s plenty of interesting detail, but here’s the bottom line:

After climbing 34 percent in 2010 the number of federal and state wiretaps reported in 2011 deceased 14 percent. A total of 2,732 wiretaps were reported as authorized in 2011, with 792 authorized by federal judges and 1,940 authorized by state judges…. Compared to the numbers approved during 2010 the number of applications reported as approved by federal judges declined 34 percent in 2011, and the number of applications approved by state judges fell 2 percent. The reduction in wiretaps resulted primarily from a drop in applications for narcotics.

So is the government really spying on us less? Is the drug war cooling off? Well, no, that’s lesson number one: Government surveillance is now almost entirely off the books.

The trouble, as Andy Greenberg of Forbes explains, is that we’ve got analog reporting requirements in a digital age. The courts have to keep a tally of how often they approve traditional intercepts that are primarily used to pick up realtime phone conversationse—96 percent of all wiretap orders. But phone conversations represent an ever-dwindling proportion of modern communication, and police almost never use a traditional wiretap order to pick up digital conversations in realtime. Why would they? Realtime wiretap orders require jumping all sorts of legal hurdles that don’t apply to court orders for stored data, which is more convenient anyway, since it enables investigators to get a whole array of data, often spanning weeks or month, all at once. But nobody is required to compile data on those types of information requests, even though they’re often at least as intrusive as traditional wiretaps.

From what information we do have, however, it seems clear that phone taps are small beer compared to other forms of modern surveillance. As Greenberg notes, Verizon reported fielding more than 88,000 requests for data in 2006 alone. These would have ranged from traditional wiretaps, to demands for stored text messages and photos, to “pen registers” revealing a target’s calling patterns, to location tracking orders, to simple requests for a subscriber’s address or billing information. Google, which is virtually unique among major Internet services in voluntarily disclosing this sort of information, fielded 12,271 government requests for data, and complied with 11,412 of them. In other words, just one large company reports far more demands for user information than all the wiretaps issued last year combined. And again, that is without even factoring in the vast amount of intelligence surveillance that occurs each year: the thousands of FISA wiretaps, the tens of thousands of National Security Letters (which Google is forbidden to include in its public count) and the uncountably vast quantities of data vacuumed up by the NSA. At what point does the wiretap report, with its minuscule piece of the larger surveillance picture, just become a ridiculous, irrelevant formality?

Lesson two: The drug war accounts for almost all criminal wiretaps. Wiretaps may be down a bit in 2011, but over the long term they’ve still increased massively. Since 1997, even as communication has migrated from telephone networks to the internet on a mass scale, the annual number of wiretaps has more than doubled. And as this handy chart assembled by security researcher Chris Soghoian shows, our hopeless War on Drugs is driving almost all of it: for fully 85 percent of wiretaps last year, a drug offense was the most serious offense listed on the warrant application—compared with “only” 73 percent of wiretaps in 1997. Little surprise there: when you try to criminalize a transaction between a willing seller and a willing buyer, enforcement tends to require invasions of privacy. Oddly, law enforcement officials tend to gloss over these figures when asking legislators for greater surveillance authority. Perhaps citizens wouldn’t be as enthusiastic about approving these intrusive and expensive spying powers if they realized they were used almost exclusively to catch dope peddlers rather than murderers or kidnappers.

Speaking of dubious claims, lesson three: The encryption apocalypse is not nigh. As those of you who are both extremely nerdy and over 30 may recall, back in the 1990s we had something called the “Crypto Wars.” As far as the U.S. government was concerned, strong encryption technology was essentially a military weapon—not the sort of thing you wanted to allow in private hands, and certainly not something you could allow to be exported around the world. Law enforcement officials (and a few skittish academics) warned of looming anarchy unless the state cracked down hard on so-called “cypherpunks.” The FBI’s Advanced Telephony Unit issued a dire prediction in 1992 that within three years, they’d be unable to decipher 40 percent of the communications they intercepted.

Fortunately, they lost, and strong encryption in private hands has become the indispensable foundation of a thriving digital economy—and a vital shield for dissidents in repressive regimes. Frankly, it would probably have been worth the tradeoff even if the dire predictions had been right. But as computer scientist Matt Blaze observed back when the 2010 wiretap report was released, Ragnarok never quite arrives. The latest numbers show that investigators encountered encryption exactly 12 times in all those thousands of wiretaps. And how many times did that encryption prevent them from accessing the communication in question? Zero. Not once.

Now, to be sure, precisely because police seldom use wiretap orders for e-mail, that’s also a highly incomplete picture of the cases where investigations run up against encryption walls. But as the FBI once again issues panicked warnings that they’re “going dark” and demands that online companies be requried to compromise security by building surveillance backdoors into their services, it’s worth recalling that we’ve heard this particular wolf cry before. It would have been a disastrous mistake to heed it back then, and on the conspicuously scanty evidence being offered during the encore, it would be crazy to approach these renewed demands with anything less than a metric ton of salt.

NSA Spying and the Illusion of Oversight

Last week, the House Judiciary Committee hurtled toward reauthorization of a controversial spying law with a loud-and-clear declaration: not only do we have no idea how many American citizens are caught in the NSA’s warrantless surveillance dragnet, we don’t care—so please don’t tell us! By a 20–11 majority, the panel rejected an amendment that would have required the agency’s inspector general to produce an estimate of the number of Americans whose calls and e-mails were vacuumed up pursuant to broad “authorizations” under the FISA Amendments Act.

The agency’s Inspector General has apparently claimed that producing such an estimate would be “beyond the capacity of his office” and (wait for it) “would itself violate the privacy of U.S. persons.” This is hard to swallow on its face: there might plausibly be difficulties identifying the parties to intercepted e-mail communications, but at least for traditional phone calls, it should be trivial to tally up the number of distinct phone lines with U.S. area codes that have been subject to interception.

If the claim is even partly accurate, however, this should in itself be quite troubling. In theory, the FAA is designed to permit algorithmic surveillance of overseas terror suspects—even when they communicate with Americans. (Traditionally, FISA left surveillance of wholly foreign communications unregulated, but required a warrant when at least one end of a wire communication was in the United States.) But FAA surveillance programs must be designed to “prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States”—a feature the law’s supporters tout to reassure us they haven’t opened the door to warrantless surveillance of purely domestic communications. The wording leaves a substantial loophole, though. “Persons” as defined under FISA covers groups and other corporate entities, so an interception algorithm could easily “target persons” abroad but still flag purely domestic communications—a concern pointedly raised by the former head of the Justice Department’s National Security Division. The “prevent the intentional acquisition” language is meant to prevent that. Attorney General Eric Holder has made it explicit that the point of the FAA is precisely to allow eavesdropping on broad “Categories” of surveillance targets, defined by general search criteria, without having to identify individual targets. But, of course, if the NSA routinely sweeps up communications in bulk without any way of knowing where the endpoints are located, then it never has to worry about violating the “known at the time of acquisition” clause. Indeed, we already know that “overcollection” of purely domestic communications occurred on a large scale, almost immediately after the law came into effect.

If we care about the spirit as well as the letter of that constraint being respected, it ought to be a little disturbing that the NSA has admitted it doesn’t have any systematic mechanism for identifying communications with U.S. endpoints. Similar considerations apply to the “minimization procedures” which are supposed to limit the retention and dissemination of information about U.S. persons: How meaningfully can these be applied if there’s no systematic effort to detect when a U.S. person is party to a communication? If this is done, even if only for the subset of communications reviewed by human analysts, why can’t that sample be used to generate a ballpark estimate for the broader pool of intercepted messages? How can the Senate report on the FAA extension seriously tout “extensive” oversight of the law’s implementation when it lacks even these elementary figures? If it is truly impossible to generate those figures, isn’t that a tacit admission that meaningful oversight of these incredible powers is also impossible?

Here’s a slightly cynical suggestion: Congress isn’t interested in demanding the data here because it might make it harder to maintain the pretense that the FAA is all about “foreign” surveillance, and therefore needn’t provoke any concern about domestic civil liberties. A cold hard figure confirming that large numbers of Americans are being spied on under the program would make such assurances harder to deliver with a straight face. The “overcollection” of domestic traffic by NSA reported in 2009 may have encompassed “millions” of communications, and still constituted only a small fraction of the total—which suggests that we could be dealing with a truly massive number.

In truth, the “foreign targeting” argument was profoundly misleading. FISA has never regulated surveillance of wholly foreign communications: if all you’re doing is listening in on calls between foreigners in Pakistan and Yemen, you don’t even need the broad authority provided by the FAA. FISA and the FAA only need to come into play when one end of the parties to the communication is a U.S. person—and perhaps for e-mails stored in the U.S. whose ultimate destination is unknown. Just as importantly, when you’re talking about large scale, algorithm-based surveillance, it’s a mistake to put too much weight on “targeting” in the initial broad acquisition stage. If the first stage of your acquisition algorithm says “intercept all calls and e-mails between New York and Pakistan,” that will be kosher for FAA purposes provided the nominal target is the Pakistan side, but will entail spying on just as many Americans as foreigners in practice. If we knew just how many Americans, the FAA might not enjoy such a quick, quiet ride to reauthorization.

Congress Has No Idea What the NSA Is Doing

Didja think that the legislative branch oversees the executive branch? Think again! Congress has no idea what the National Security Agency (NSA) is doing.

Spencer Ackerman at Wired’s Danger Room blog reports on a letter the inspector general of the intelligence community sent earlier this month to Senators Ron Wyden (D-OR) and Mark Udall (D-CO). They had asked how many people in the United States have had their communications collected or reviewed by the NSA.

The letter repeated the NSA IG’s conclusion that estimating this number was “beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission.” Not only that, figuring out the number of people in the United States that the NSA has snooped on “would itself violate the privacy of U.S. persons.”

A federal agency can write a tart, dry non-response like this because Congress is utterly supine before the security bureaucracy. The tough-talking politicians in both parties have no idea what is happening in the agencies they routinely defend as essential. And Congress still hasn’t approved nominations for the Privacy and Civil Liberties Oversight Board, weak sauce that it is, nearly five years since it was reconstituted with greater independence and subpoena power.

The letter concludes with a hopeful note: “I will continue to work with you and the Committee to identify ways that we can enhance our ability to conduct effective oversight.” That also serves as a confession: We have no idea what the NSA is doing.

The Country’s Biggest Spy Center

Under insufficiently sharp questioning, the head of the National Security Agency, Keith Alexander, has denied the substance of a Wired report on the agency’s massive new computer facility and the capabilities the government has to monitor our communications—even heavily encrypted communications.

If you want a sense of how Congress, still panicked by 9/11, has abdicated its responsibilities and permitted the construction of a “turnkey totalitarian state,” read the whole thing.

A Surveillance State Coda

The program of warrantless NSA wiretapping (and data mining) authorized by President George W. Bush shortly after the 9/11 attacks prompted a flurry of intense debate over its legality when it was disclosed by The New York Times back in 2005. Those arguments have, by now, been so thoroughly rehearsed that there’s not a whole lot new to say about it.

But like Monty Python’s Black Knight, some of those old arguments keep popping up — as evidenced by John Eastman’s contribution to the Cato Unbound roundtable on the digital surveillance state we held last month. So while the roundtable’s over, I thought it would be convenient to round up a compact version of the main arguments in one place, for the convenience of folks who might not want to slog through the many law review articles that have been written on the subject.

The touchstone for modern analysis of executive war powers is, by general consensus, the tripartite schema elaborated by Justice Jackson in his concurrence in the Youngstown steel seizure case :

1. When the President acts pursuant to an express or implied authorization of Congress, his authority is at its maximum, for it includes all that he possesses in his own right plus all that Congress can delegate. In these circumstances, and in these only, may he be said (for what it may be worth) to personify the federal sovereignty. If his act is held unconstitutional under these circumstances, it usually means that the Federal Government, as an undivided whole, lacks power…

2. When the President acts in absence of either a congressional grant or denial of authority, he can only rely upon his own independent powers, but there is a zone of twilight in which he and Congress may have concurrent authority, or in which its distribution is uncertain…

3. When the President takes measures incompatible with the expressed or implied will of Congress, his power is at its lowest ebb, for then he can rely only upon his own constitutional powers minus any constitutional powers of Congress over the matter… Presidential claim to a power at once so conclusive and preclusive must be scrutinized with caution, for what is at stake is the equilibrium established by our constitutional system.

Using this as our starting point, it becomes clear that an analysis of the NSA program entails answering a series of distinct (though related) questions. First, we need to determine which level of the Youngstown schema applies. If we’re in Youngstown’s Category I, then the NSA program was illegal only if it exceeded the constitutional constraints on government surveillance established by the Fourth Amendment. If, on the other hand, we’re in Category III, a constitutionally permissible surveillance program might nevertheless be illegal. So I’ll consider three questions in turn: Did the NSA program violate federal statute? If so, does the statute trump whatever inherent power the president might enjoy as commander in chief in this context? Finally, does the program, as it’s been publicly described, violate the Fourth Amendment? An affirmative answer to either the first pair of questions or the third will entail that the NSA program was illegal.

The AUMF

The statutory question may seem like something of a no-brainer: The Foreign Intelligence Surveillance Act of 1978 states explicitly that its procedures establish the “exclusive means” for domestic electronic surveillance for foreign intelligence purposes. In this case, the obvious answer is the right one. But the Justice Department has attempted to claim that Congress cleverly managed to repeal the “exclusive means” language without telling anyone about it back in 2001, when it passed the Authorization for the Use of Military Force against the perpetrators of the 9/11 attacks. Probably the most decisive demolition of that argument was offered by David Kris, who currently heads the National Security Division at the Department of Justice, but it’s worth reviewing briefly why this argument is so implausible.

The central problem with reliance on the AUMF is that FISA itself contains a provision providing a 15-day surveillance grace period following a declaration of war. As the legislative conference report explains, this was intended to provide time for Congress to consider whether any wartime modifications to the FISA structure were necessary. Plainly, then, Congress did not imagine or intend that a declaration of war (or “authorization of force”) would in itself implicitly loosen FISA’s fetters beyond that grace period.

Moreover, Congress has repeatedly amended FISA since the 9/11 attacks, both in the PATRIOT Act passed almost simultaneously with the AUMF, and in subsequent legislation over a period of years. As Glenn Greenwald recounted in his lead essay for the Cato roundtable, Congress has expanded government surveillance powers in a variety of ways, but none of these prior to the Protect America Act of 2007 (superseded by the FISA Amendments Act of 2008) approached the breadth of the NSA program, and even these establish at least a modicum of judicial oversight, however inadequate. Again, this history sits uneasily with the premise that Congress understood itself to have authorized such broad domestic surveillance when it passed the AUMF.

Indeed, as former Senate Majority Leader Tom Daschle explained in a Washington Post op-ed shortly after the revelation of the warrantless wiretap program, the Senate explicitly rejected language sought by the White House that would have extended the authorization to actions within the United States. Then–attorney general Alberto Gonzales has publicly acknowledged that the Bush administration contemplated asking for a more specific amendment to FISA authorizing something like the NSA program, but concluded that it would be “difficult, if not impossible” to get such an amendment adopted. We are being asked to believe, in other words, that Congress intended to implicitly grant authority that the administration was certain would be refused had it been requested overtly. It is, as Justice Frankfurter put it in Youngstown, “quite impossible … to find secreted in the interstices of legislation the very grant of power which Congress consciously withheld.”

Basic principles of statutory construction disfavor inferring implicit repeal of specific statutory language from more general authorizations, except in the face of “overwhelming evidence” of congressional intent — and the Court has accordingly rejected parallel arguments in several recent War on Terror cases, as in Hamdan v. Rumsfeld, where the court found “nothing in the text or legislative history of the AUMF even hinting that Congress intended to expand or alter the authorization” for military commissions spelled out in the Uniform Code of Military Justice.

The evidence here is indeed overwhelming, and it uniformly cuts against the fanciful proposition that Congress somehow enacted a kind of sub silentio repeal of FISA. I’m inclined to assume this argument was offered primarily because of an understandable reluctance to rely entirely on a radical theory of inherent and preclusive executive powers, to which I turn next.

The President’s Inherent Authority

The first thing to observe with respect to claims of inherent executive authority is that if we exclude non-binding dicta, the evidence for a constitutional power to conduct warrantless domestic surveillance for foreign intelligence purposes is almost wholly negative. That is to say, it turns on inferences from questions the Supreme Court has declined to directly address rather than on its affirmative holdings. As we’ll see, this is a thin reed on which to hang ambitious claims.

Consider, for instance, the so-called Keith case. In addressing the scope of presidential power to authorize warrantless surveillance against domestic national security threats, the majority noted that they had “not addressed, and express no opinion as to, the issues which may be involved with respect to activities of foreign powers or their agents.” But in that very case, the unanimous majority held that a warrant was required in cases involving domestic national security threats, resolving a lacuna expressed in very similar language in a footnote to a previous ruling involving wiretaps:

Whether safeguards other than prior authorization by a magistrate would satisfy the Fourth Amendment in a situation involving the national security is a question not presented by this case.

The arguments deployed against unchecked executive discretion in Keith clearly have substantial cross-application to the War on Terror, which in many respects bears as much resemblance to those domestic threats as it does to traditional nation state–sponsored espionage and warfare. It will suffice to note, however, that declining to foreclose a power because the fact pattern under consideration provided no occasion to consider the distinct issues involved, as the Court did in both Katz and Keith, is not at all the same as affirmatively asserting it, let alone defining its scope — a point to which I’ll return in the next section.

Nevertheless, let’s suppose arguendo that there is some such inherent power, whether broad or narrow. Eastman and other defenders of the NSA program still err in conflating inherent power with preclusive or indefeasible power. As a simple conceptual matter, this cannot be right, or else the third Youngstown category would collapse into the second: If all “inherent” presidential powers were per se immune to Congressional limitation, Category III would be superfluous, since it would never yield a result different from analysis under Category II.

Fortunately, we need not restrict ourselves to conceptual analysis, because precedent and practice both speak directly to the question, and both support robust legislative power to constrain even those presidential powers grounded in Article II. The legislature has, from the founding era on, assumed that its Article I power to make “rules for the government of the land and naval forces” enabled it to cabin the discretion of the commander in chief, often in frankly picayune ways, by establishing general rules limiting the conduct of a conflict. Prior to the Truman administration there was little indication that presidents saw this as encroaching upon sacrosanct executive prerogatives. Even Lincoln — probably the most obvious early example of a wartime president acting without or contrary to statutory authority — did not claim some general constitutional power to defy Congress. Rather, he argued that when hostilities commenced during a congressional recess, he had acted as he thought necessary given the impracticality of securing advance approval, while acknowledging that it fell to the legislature to ratify or overrule his judgment once it reconvened.

In the few cases where the Supreme Court has had occasion to rule on the scope of executive power at “lowest ebb,” it has repeatedly confirmed that federal law binds the president even in war. In Little v. Barreme, during a conflict with France, the Court found that a specific congressional authorization for the seizure of ships bound to French ports rendered invalid an executive order that also permitted seizure of ships bound from those ports. And this was so, the Court noted, even though the president’s own commander-in-chief powers would have permitted him this discretion had Congress not spoken. Since the inauguration of the War on Terror, the Court has reaffirmed the validity of such statutory limits on executive discretion, as in Hamdan. Bush’s own Office of Legal Counsel ultimately repudiated a series of memos, penned by John Yoo, that had relied on a more expansive conception of executive power to justify the administration’s War on Terror programs, concluding that they were “not supported by convincing reasoning.”

There is, by general consensus, some “preclusive core” to the executive’s commander-in-chief authority. This includes, at the least, a prerogative of “superintendence”: Congress could not appoint Nancy Pelosi commander of U.S. forces in Afghanistan and forbid the president to remove her. Most commentators see it as similarly foreclosing efforts to achieve the same end by a series of micromanagerial statutes commanding specific tactics be employed at particular times. But the notion that this preclusive core encompasses discretion to unilaterally disregard a general statutory framework governing protracted electronic surveillance of U.S. persons on American soil is simply insupportable in the face of both history and precedent. The argument is, if anything, more absurd when it comes to the government’s illegal acquisition of the statutorily protected calling records of tens of millions of Americans, the vast majority of whom obviously have no ties to terrorism or Al Qaeda. Attempts to stitch together a countervailing line from desultory snatches of language about the president’s role as “sole organ” in foreign affairs are entertaining as a sort of exercise in experimental Burroughsian cut-up narrative, but as legal analysis they seem pretty desperate.

The Fourth Amendment

Finally, we turn to the Fourth Amendment. I will, for the most part, consider how the Fourth Amendment applies to the NSA surveillance program prior to the 2008 passage of the FISA Amendments Act.

As Eastman notes, while in most contexts the prohibition on “unreasonable searches and seizures” requires surveillance to be authorized by a probable cause warrant based on individualized suspicion, there are a variety of circumstances in which warrantless searches may nevertheless be reasonable. While this is not the place to conduct a detailed survey of such “special needs” exemptions, such exceptions tend to involve cases in which the subjects of the search are already understood to enjoy a diminished expectation of privacy (students in school), where the searches are standardized and minimally intrusive, where the targets are in a position to raise challenges before a neutral magistrate if necessary, and where prior court authorization would be highly impractical. No exception that I am aware of can plausibly be stretched so far as to permit sustained, discretionary, warrantless electronic surveillance of members of the general population — a method recognized to be so intrusive that in the criminal context, federal statute requires investigators to meet a higher standard than applies to ordinary physical search warrants.

It’s worth noting in passing that the existence of the statutory FISA framework is at least arguably relevant to the Fourth Amendment analysis here. What measures are “reasonable” will often depend on context, and upon the available alternatives: The use of lethal force in self-defense might be found reasonable as a last resort, but not when the victim has an easy avenue of escape or a taser handy. Similarly, if the only alternative to conventional criminal courts were warrantless surveillance — if Congress had made no provision for a highly secretive court to consider classified applications under secure conditions, with ample flexibility in cases of emergency — one might be more inclined to sympathize with some degree of executive improvisation. In light of the elaborate mechanisms Congress has provided, an appeal to impracticality is considerably less compelling.

But let’s bracket that for the moment, and again suppose for the sake of argument that the president has some inherent authority to conduct warrantless domestic wartime surveillance. Let’s further assume away any statutory problems. Can the NSA program be squared with the Fourth Amendment injunction that searches be reasonable, based on what little we know of it? It seems highly unlikely.

Multiple accounts suggest that the NSA program involved algorithmic selection of surveillance targets, possibly triggered by keywords within the communications themselves, almost certainly based on pattern analysis of calling records or other transactional data. The result, according to the Bush administration, was that the international communications of approximately 500 persons within the United States were being intercepted at any given time. Since the program operated for several years, both before and after being disclosed, a conservative estimate would place the total number of persons subject to surveillance in the thousands, and most likely in the tens of thousands.

What did all this spying yield? In 2006, under the headline “Surveillance Net Yields Few Suspects,” the Washington Post reported:

Fewer than 10 U.S. citizens or residents a year, according to an authoritative account, have aroused enough suspicion during warrantless eavesdropping to justify interception of their domestic calls, as well.

Nearly all the “leads” produced by the program appear to have been dead ends. Indeed, despite the assurances of the Bush administration that the NSA program had saved thousands of lives, a postmortem review by the intelligence community’s inspectors general found that officials they spoke to “had difficulty citing specific instances where [NSA program] reporting had directly contributed to counterterrorism successes,” though a classified version of the report apparently cites a handful of instances in which the program “may have contributed.”

As a point of reference, the government’s reporting suggests that under criminal wiretap orders, about 30 percent of intercepted communications contain incriminating content. Since “minimization” of innocent communications is necessarily imperfect, and since even the most hardened criminals presumably spend most of their time conversing about more mundane matters, the number of targets engaged in at least some incriminating communication is clearly far higher. That’s what one would expect when evidence establishing “probable cause” must justify surveillance — and Bush officials have claimed the NSA program’s targeting met the same standards. The evidence suggests otherwise.

I’m happy to grant that we should accept a somewhat lower “hit rate” when interception is geared toward protecting the nation from major terror attacks. But if the requirement that searches be “reasonable” is not to be rendered completely vacuous or totally severed from even a diluted standard of “probable cause,” then there must be some substantive test of whether such highly intrusive techniques are actually in service of that vital state interest. It cannot possibly be enough to simply observe that the president has uttered the magical incantation “War on Terror.” And it cannot possibly be enough that a program involving interception of the private conversations of thousands or tens of thousands of U.S. persons “may have contributed” to a handful of successful investigations. The question is closer with respect to post-FISAAA programs of interception, which are at least subject to some modicum of independent oversight, but unless we have gotten vastly better at sifting the guilty from the innocent, grave constitutional doubts should remain.