What the Manual by DOJ’s Top Intelligence Lawyer Says About the FISA Amendments Act

To a casual observer, debates about national security spying can seem like a hopeless game of he-said/she-said. Government officials and congressional surveillance hawks characterize the authorities provided by measures like the FISA Amendments Act of 2008 in one way, while paranoid civil libertarians like me tell a more unsettling story. Who can say who’s right?

Fortunately, there is an authoritative unclassified source that explains what the law means: the revised 2012 edition of National Security Investigations and Prosecutions by David S. Kris (who headed the Justice Department’s National Security Division from 2009–2011) and J. Douglas Wilson. As the definitive (unclassified) treatise on what foreign intelligence surveillance law says, means, and permits, it’s the same resource you’d expect the government attorneys who apply for surveillance authority to consult for guidance on what the law does and doesn’t allow spy agencies to do. Let’s see what it says about the scope of surveillance authorized by the FAA:

[The FAA’s] certification provision states that the government under Section 1881a is “not required to identify the specific facilities, places, premises, or property at which an acquisition … will be directed or conducted.” This is a significant grant of authority, because it allows for authorized acquisition—surveillance or a search—directed at any facility or location. For example, an authorization targeting “al Qaeda”—which is a non-U.S. person located abroad—could allow the government to wiretap any telephone that it believes will yield information from or about al Qaeda, either because the telephone is registered to a person whom the government believes is affiliated with al Qaeda, or because the government believes that the person communicates with others who are affiliated with al Qaeda, regardless of the location of the telephone. Unless the FISC attempts to address the issue under the rubric of minimization, no judge will contemporaneously review the government’s choice of facilities or places at which to direct acquisition. […] Review of the certification is limited to the question “whether [it] contains all the required elements”; the FISC does not look behind the government’s assertions. Thus, for example, the FISC could not second-guess the government’s foreign intelligence purpose of conducting the acquisition, as long as the certification in fact asserts such a purpose.

Got that? The requirement that surveillance have a foreign “target” is satisfied if the general purpose of a wiretap program is to gather information about a foreign group like al Qaeda, and it employs procedures designed for that purpose. It does not mean that the particular phone numbers or e-mail accounts or other “facilities” targeted for surveillance have to belong to a foreigner: those could very well belong to an American citizen located within the United States, and no court or judge is required to approve or review the choice of which individuals to tap.

Kris and Wilson elaborate in a discussion of surveillance under the Protect America Act, the stopgap legislation that preceded the FAA, explaining how the language of the law could be exploited to conduct what most of us would think of as domestic surveillance despite the nominal requirement of a “foreign” target:

The concern was that the government could be said to “direct” surveillance at the entity abroad, but still monitor communications on a facility used (or used exclusively) by an individual U.S. person in this country. Indeed, the government in the recent past had taken the position that surveillance of a U.S. person’s home and mobile telephones was “directed at” al Qaeda, not at the U.S. person himself. Applied to the PAA, this logic seemed to allow surveillance of Americans’ telephones and e-mail accounts, inside the United States, without adherence to traditional FISA, as long as the government could persuade itself that the surveillance was indeed “directed” at al Qaeda or another foreign power that was reasonably believed to be abroad. When confronted with these concerns the government explicitly equated the PAA’s “directed at” standard with FISA’s “targeting” standard, meaning that acquisition was “directed” at an entity when the government was trying to acquire information from or about that entity.

More importantly for present purposes, the government’s equation of the “targeting” and “directed at” standards meant that concerns raised about the PAA applied equally to the FAA, which (as discussed above) authorizes acquisition “targeting” a “person” reasonably believed to be abroad, and explicitly adopts traditional FISA’s broad definition of the term “person.” The concern was that the government could use Section 1881a for an acquisition “targeting” al Qaeda, but “directed” at a facility or place used (or used exclusively) by John Smith, a U.S. person located in the United States, for Smith’s domestic communications. [Emphasis added.]

As Kris and Wilson note, Congress ultimately added a further limitation designed to allay such concerns, but it did not do so by prohibiting any flagging of Americans’ e-mail accounts or phone lines for interception and recording without a warrant. That is still allowed—though “minimization procedures” are then supposed to limit the retention and use of such information.

What Congress prohibited instead was the use of FAA surveillance to “intentionally acquire any communication as to which the sender and all intended recipients are known at the time of acquisition to be located in the United States.” But as Kris and Wilson point out, this restriction “is imperfect because location is difficult to determine in the modern world of communications, and the restriction applies only when the government ‘knows’ that the communication is domestic.”

So to review: under the FAA, a court approves general procedures for surveillance “targeting” a foreign group. But the court does not approve or (necessarily) review any intelligence agency’s own discretionary determination about which specific people’s e-mail addresses, phone lines, or online accounts should be flagged for interception in order to gather information about that foreign group. The government’s past arguments indicate that it believes it may spy on the accounts or phones of individual American citizens located in the United States under an authorization to gather information about a foreign “target.” All the law requires is that they not intentionally record the American’s calls and e-mails when they are known in advance to be to or from another American.

Remember: this isn’t my interpretation of the law. This isn’t speculation from someone at the American Civil Liberties Union or the Electronic Frontier Foundation about how the government might try to read the statute. This is a legal reference text written by the lawyer who, until quite recently, ran the show at DOJ when it came to FISA surveillance. The next time you hear a member of Congress declare that the FAA has nothing to do with eavesdropping on Americans, ask yourself who is more likely to have an accurate understanding of what the law really says.

NYPD Program Spied on Muslims for Six Years, Generated No Leads

It turns out that a New York Police Department program that assembled large databases on the ordinary activities of innocent Muslims, infiltrated student groups, and monitored sermons wasn’t just controversial—it was useless. As the Associated Press reports, the head of the NYPD’s Intelligence Division recently confirmed in a deposition that the Department’s “Demographics Unit”—a delightful euphemism for a team dedicated to spying predicated wholly on ethnicity, language, and religion—turned up no useful leads and gave rise to no terrorism investigations in its six years of operation.

At the risk of being a broken record, this is a reminder of how misleading it can be to discuss these topics under the rubric of “balancing liberty and security.” If government surveillance performs as advertised and yields a substantial security benefit, there’s a debate to be had over how much government intrusion we’re prepared to countenance as the price of that security. But that security benefit has to be proven, not assumed. If it can’t be demonstrated—and a fortiori, if all available evidence demonstrates there is no benefit—then it just should not be a serious question in a decent society whether it’s acceptable for police to keep tabs on all Urdu-speakers of Pakistani origin on the premise (endorsed by this official) that “most” of them are people “of concern” to the government. Just to put that “most” in context: There are some 15 million Pakistani Urdu-speakers worldwide, and about 50,000 legal residents of Pakistani descent in the New York metro area. Treating them all, by default, as potential terrorists who need to be watched would be offensive and ugly even if the policy occasionally yielded a useful piece of information. But to squander scarce law enforcement resources targeting a minority population without any useful results over six years? How can that be anything but obscene?

NSA Spying and the Illusion of Oversight

Last week, the House Judiciary Committee hurtled toward reauthorization of a controversial spying law with a loud-and-clear declaration: not only do we have no idea how many American citizens are caught in the NSA’s warrantless surveillance dragnet, we don’t care—so please don’t tell us! By a 20–11 majority, the panel rejected an amendment that would have required the agency’s inspector general to produce an estimate of the number of Americans whose calls and e-mails were vacuumed up pursuant to broad “authorizations” under the FISA Amendments Act.

The agency’s Inspector General has apparently claimed that producing such an estimate would be “beyond the capacity of his office” and (wait for it) “would itself violate the privacy of U.S. persons.” This is hard to swallow on its face: there might plausibly be difficulties identifying the parties to intercepted e-mail communications, but at least for traditional phone calls, it should be trivial to tally up the number of distinct phone lines with U.S. area codes that have been subject to interception.

If the claim is even partly accurate, however, this should in itself be quite troubling. In theory, the FAA is designed to permit algorithmic surveillance of overseas terror suspects—even when they communicate with Americans. (Traditionally, FISA left surveillance of wholly foreign communications unregulated, but required a warrant when at least one end of a wire communication was in the United States.) But FAA surveillance programs must be designed to “prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States”—a feature the law’s supporters tout to reassure us they haven’t opened the door to warrantless surveillance of purely domestic communications. The wording leaves a substantial loophole, though. “Persons” as defined under FISA covers groups and other corporate entities, so an interception algorithm could easily “target persons” abroad but still flag purely domestic communications—a concern pointedly raised by the former head of the Justice Department’s National Security Division. The “prevent the intentional acquisition” language is meant to prevent that. Attorney General Eric Holder has made it explicit that the point of the FAA is precisely to allow eavesdropping on broad “Categories” of surveillance targets, defined by general search criteria, without having to identify individual targets. But, of course, if the NSA routinely sweeps up communications in bulk without any way of knowing where the endpoints are located, then it never has to worry about violating the “known at the time of acquisition” clause. Indeed, we already know that “overcollection” of purely domestic communications occurred on a large scale, almost immediately after the law came into effect.

If we care about the spirit as well as the letter of that constraint being respected, it ought to be a little disturbing that the NSA has admitted it doesn’t have any systematic mechanism for identifying communications with U.S. endpoints. Similar considerations apply to the “minimization procedures” which are supposed to limit the retention and dissemination of information about U.S. persons: How meaningfully can these be applied if there’s no systematic effort to detect when a U.S. person is party to a communication? If this is done, even if only for the subset of communications reviewed by human analysts, why can’t that sample be used to generate a ballpark estimate for the broader pool of intercepted messages? How can the Senate report on the FAA extension seriously tout “extensive” oversight of the law’s implementation when it lacks even these elementary figures? If it is truly impossible to generate those figures, isn’t that a tacit admission that meaningful oversight of these incredible powers is also impossible?

Here’s a slightly cynical suggestion: Congress isn’t interested in demanding the data here because it might make it harder to maintain the pretense that the FAA is all about “foreign” surveillance, and therefore needn’t provoke any concern about domestic civil liberties. A cold hard figure confirming that large numbers of Americans are being spied on under the program would make such assurances harder to deliver with a straight face. The “overcollection” of domestic traffic by NSA reported in 2009 may have encompassed “millions” of communications, and still constituted only a small fraction of the total—which suggests that we could be dealing with a truly massive number.

In truth, the “foreign targeting” argument was profoundly misleading. FISA has never regulated surveillance of wholly foreign communications: if all you’re doing is listening in on calls between foreigners in Pakistan and Yemen, you don’t even need the broad authority provided by the FAA. FISA and the FAA only need to come into play when one of the parties to the communication is a U.S. person—and perhaps for e-mails stored in the U.S. whose ultimate destination is unknown. Just as importantly, when you’re talking about large-scale, algorithm-based surveillance, it’s a mistake to put too much weight on “targeting” in the initial broad acquisition stage. If the first stage of your acquisition algorithm says “intercept all calls and e-mails between New York and Pakistan,” that will be kosher for FAA purposes provided the nominal target is the Pakistan side, but will entail spying on just as many Americans as foreigners in practice. If we knew just how many Americans, the FAA might not enjoy such a quick, quiet ride to reauthorization.

The Lives of Others 2.0

Tattoo it on your forearm—or better, that of your favorite legislator—for easy reference in the next debate over wiretapping: government surveillance is a security breach—by definition and by design. The latest evidence of this comes from Germany, where there’s growing furor over a hacker group’s allegations that government-designed Trojan Horse spyware is not only insecure, but packed with functions that exceed the limits of German law:

On Saturday, the CCC (the hacker group) announced that it had been given hard drives containing “state spying software,” which had allegedly been used by German investigators to carry out surveillance of Internet communication. The organization had analyzed the software and found it to be full of defects. They also found that it transmitted information via a server located in the United States. As well as its surveillance functions, it could be used to plant files on an individual’s computer. It was also not sufficiently protected, so that third parties with the necessary technical skills could hijack the Trojan horse’s functions for their own ends. The software possibly violated German law, the organization said.

Back in 2004–2005, software designed to facilitate police wiretaps was exploited by unknown parties to intercept the communications of dozens of top political officials in Greece. And just last year, we saw an attack on Google’s e-mail system targeting Chinese dissidents, which some sources have claimed was carried out by compromising a backend interface designed for law enforcement.

Any communications architecture that is designed to facilitate outsider access to communications—for all the most noble reasons—is necessarily more vulnerable to malicious interception as a result. That’s why technologists have looked with justified skepticism on periodic calls from intelligence agencies to redesign data networks for their convenience. At least in this case, the vulnerability is limited to specific target computers on which the malware has been installed. Increasingly, governments want their spyware installed at the switches—making for a more attractive target, and more catastrophic harm in the event of a successful attack.