Did Broadband Deregulation Upend NSA Wiretapping?

One of the great mysteries of recent national security surveillance policy is exactly why the controversial FISA Amendments Act of 2008 was necessary. The Foreign Intelligence Surveillance Act had always defined the interception of the contents of a "wire communication" as "electronic surveillance" requiring a court order if and only if either the sender or the recipient of that communication was inside the United States. Intelligence surveillance of strictly foreign-to-foreign wire communications was always understood to be allowed, even if the interception was done domestically, when the communication happened to pass through a U.S. telecom switch.

But in early 2007, something changed. Then–House Minority Leader John Boehner (R-Ohio) publicly declared that a secret ruling by the (normally highly deferential) Foreign Intelligence Surveillance Court had found a problem with a National Security Agency surveillance program, and the Court's opinion was alleged to require a warrant for interception of even wholly foreign communications.  Supporters of broader spying powers characterized the decision as requiring a warrant for all interception of foreign-to-foreign communications, including phone calls, but that turns out not to have been quite accurate: Kenneth Wainstein, at the time a high-ranking Justice Department official, later clarified that the problem was specifically related to interception of e-mail, where the locations of both parties to the communication might not be known to NSA in advance.

Even this, however, was a little peculiar. E-mail was not exactly a new technology in 2007,  after all, so what had changed? Most of us at the time assumed that the issue had to do with the greatly increased breadth of the surveillance NSA was trying to conduct—but flipping through the latest edition of David Kris and Douglas Wilson's invaluable National Security Investigations and Prosecutions, I've just realized there's another possibility that fits the public facts extremely well.

To understand what might have happened, we need to understand a few things about both the complex structure of the FISA law and the specifics of how NSA's Internet surveillance worked. Thanks to whistleblower Mark Klein, formerly an engineer at AT&T, we know that the NSA maintained a series of secret rooms at the offices of major telecommunications companies, where the entire stream of Internet traffic was copied and diverted into a sophisticated piece of surveillance equipment: the Narus Semantic Traffic Analyzer. NSA could then program the device to filter out and record particular communications for human review according to selected criteria—such as e-mail or IP addresses, and perhaps even particular keywords in the e-mails themselves.

Initially, this almost certainly would have been classified as "electronic surveillance" of a "wire communication" under FISA—one of four somewhat complicated categories of "electronic surveillance" defined by the statute. Specifically, it would have been covered by 50 U.S.C. 1801(f)(2), which requires a warrant for the "acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication to or from a person in the United States." Crucially, FISA's definition of a "wire communication" covered any communication—telephonic or digital—in transit over facilities operated by a "common carrier." This is actually a bit of an anachronistic holdover specific to FISA: The statutes governing criminal wiretap investigations were amended in 1986 to make a provider's "common carrier" status irrelevant, but the language in FISA remained.

Then, in 2005, came the Supreme Court's decision in National Cable & Telecommunications Services vs. Brand X Internet Services. On its face, the case had nothing to do with surveillance, but with the contentious debate over "net neutrality." In 2002, the FCC had issued a controversial ruling that broadband Internet over cable wires should be classified as an "information service," rather than a "telecommunications service" (like traditional telephone service). Small ISPs like Brand X, as well as advocates for government-enforced "net neutrality," believed that federal law required broadband to be classed as a "telecommunication service" subject to "common carrier" requirements, meaning that they had to make their infrastructure available at low cost to competitors. The Supreme Court ultimately rejected that argument, finding that the FCC had discretion to decide how cable broadband should be categorized. The FCC promptly acted on that ruling—but provided for a one-year transition period before those common carrier requirements entirely expired.

This gives us a conspicuous coincidence: The mysterious FISC decision described by Boehner would have happened shortly after broadband providers were freed of the last vestiges of "common carrier" status. At that point, interception of the Internet traffic flowing through those NSA Narus boxes would cease to be "electronic surveillance" of a "wire communication" for FISA purposes.  But then, what would it be?

The most likely answer, as Kris and Wilson argue, is that NSA's digital eavesdropping would now be covered by 50 U.S.C. 1801(f)(4), which was originally primarily intended to cover surveillance using hidden microphones or cameras. This definition explicitly excludes surveillance of a "wire communication," which means it would not have applied so long as Internet providers were considered "common carriers," but otherwise applies to "the installation or use" of a surveillance device "for monitoring to acquire information... under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes."

This definition is importantly different from the definition that applies to "wire communications" in several ways. Instead of specifically requiring a warrant to intercept the "contents" of a message, it covers any kind of "monitoring to acquire information." Instead of turning on the location of the senders or recipients of a communication, it applies whenever "a person"—not limited to the parties to the communication, and so potentially including also the provider itself—has some reasonable expectation of privacy. Finally, it depends on whether comparable surveillance for law enforcement purposes would require a warrant—and in many cases it's clear that the statutes governing both "live" interception and acquisition of stored communications would require a warrant, regardless of the user's location. In other words, a regulatory change having no obvious connection to NSA surveillance could have suddenly knocked out the legal basis for the NSA's ongoing Internet surveillance program—and left the telecoms with serious doubts about whether the law allowed them to continue providing technical assistance with that program.

So is this what happened in early 2007, leading to the supposed crisis that ultimately resulted in the passage of the FAA, with its broad authorization of programmatic spying? Those of us without security clearances can't know for sure, of course, but it should at least be suggestive that David Kris—probably the country's top expert on FISA law—devotes a fairly lengthy section of his book to an analysis of the "common carrier" question, specifically citing the Brand X decision. Following publication of the first edition of the book, Kris left the private sector to head the National Security Division of the Justice Department from 2009–2011, making him one of the few people who actually know for certain what the issue was. The just-published second edition contains a new section discussing the causes of the recent "modernization" of FISA, and specifically points to the problem of conducting international e-mail surveillance under the aegis of 1801(f)(4).  There, he writes that "everyone who understood this problem" agreed legislation was needed to ensure that foreign-to-foreign Internet traffic was treated in the same way as comparable telephone traffic—which is to say, as a "wire communication."

But then why not solve this problem in the obvious, narrow way: By bringing FISA in line with criminal wiretap statutes, discarding the "common carrier" language, and once again treating Internet traffic as a "wire communication"?

Kris suggests that the answer lies in the difficulty of determining when, in fact, the ultimate sender and recipient of an Internet communication are both foreign. A Pakistani might send an e-mail intended for a Gmail user in Yemen, but at the time the e-mail is sent, the only observable "wire communication" might be between the sender in Pakistan and the intermediary "recipient": Google's servers in California. But if the government's problem is an inability to reliably determine the location of parties to a communication, it's not clear why we should be confident that interception under this broad new authority can reliably avoid acquiring many purely domestic communications.

Perhaps Kris is correct that a narrower solution to the problem would have been unworkable. On the other hand, perhaps legislators would have tried a bit harder to craft a viable narrow solution if they—and the general public—had clearly understood exactly what the problem was. If the FISA court ruling limiting Internet surveillance was indeed an unintended side-effect of broadband deregulation, lawmakers and civil liberties groups might have been inspired to work on devising legislative changes that responded to that immediate issue. But because nobody outside the Intelligence Community understood the problem, spy agencies were able to present their extraordinarily broad solution—providing authority they had long sought quite independently of the "common carrier" issue—as the only alternative.