Epstein on NSA (Again) Part I: PRISM & the FISA Amendments Act

I'm disappointed to see that renowned libertarian legal scholar Richard Epstein is persisting in his defense of the National Security Agency's surveillance programs. This time, he co-authors with the American Enterprise Institute's Mario Loyola in a Weekly Standard essay blasting the "Libertarians of LaMancha"—among whose ranks I have the dubious distinction of being named specifically. As with Epstein's previous op-ed on this topic, which I responded to here, there are both factual mistakes and some broader conceptual problems. So many, alas, that to prevent this from becoming unwieldy, it's better to divide my reply into two posts, each dealing with one of the NSA programs the authors discuss.

Epstein and Loyola begin with a defense of the FISA Amendments Act of 2008 (FAA), and in particular the use of FAA authority to collect Internet content via the PRISM program. That law scrapped the traditional requirement that a Foreign Intelligence Surveillance Act (FISA) warrant be obtained to intercept wire communications to which a U.S. person was a party, provided that the "target" of surveillance was a foreigner. Epstein and Loyola nevertheless characterize the new standard as having "unduly restricted" surveillance on the grounds that some limitations on that interception remain. Yet the authors get several of those limits wrong.

They claim, for instance, that FAA minimization procedures "require, among other things, the destruction of much potentially valuable information on U.S. persons, and anyone inside the United States, even before intelligence officials can determine its value." Since those minimization procedures have now been published by The Guardian, it is fairly easy to see that this is not accurate. Instead, destruction of U.S. person information is required only after intelligence officials have determined that it is not of value, which is to say that once a reviewer has identified a communication as "clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information) or as not containing evidence of a crime which may be disseminated under these procedures." When the communication "may be related" to an authorized purpose, it can be forwarded to an analyst for further scrutiny. As the secret FISA court has explained in a rare public ruling, FISA minimization procedures are "weighted heavily in favor of the government," with destruction required only when a communication is unambiguously irrelevant. Even wholly domestic communications—which are not supposed to be acquired under FAA authority at all—can be retained under a variety of exceptions. Among these: any communication that is encrypted or otherwise suspected to contain a "secret meaning" can be retained pending cryptanalysis.

They also claim that "[l]ike a wiretap, the target [of FAA surveillance] is always a specific suspect," and that this "system allows the U.S. government to target specific persons wherever they go (outside the United States)." This is not merely incorrect; it is precisely backwards. As Attorney General Eric Holder made explicit in a letter to Congress urging reauthorization of the FAA, the attorney general and director of national intelligence annually approve "intelligence collection targeting categories of non-U.S. persons abroad, without the need for a court order for each individual target." In other words, the whole point of the FAA is that the "target" of surveillance at the authorization level is essentially never a specific suspect. The language of the law, which describes the "target" as a "person," may have misled Epstein and Loyola on this point. But as the former head of the Justice Department's National Security Division explains in the definitive manual National Security Investigations and Prosecutions, the "person" who may be a "target" of FAA surveillance:

includes not only "any individual" human being, but also "any group, entity, association, corporation or foreign power," some of which are (in fact or by definition) located abroad, even if they have individual members or affiliates inside the United States... [The FAA] authorizes acquisition "targeting" a "person" reasonably believed to be abroad, and explicitly adopts traditional FISA's broad definition of the term "person."

Again, the minimization procedures which have now been published explicitly discuss situations in which a "person" for FAA purposes is either a "corporation" or an "unincorporated association." As the targeting procedures for FAA surveillance make clear, that leaves NSA analysts with the discretion to determine not merely which specific numbers and accounts are being used by a named individual target, but which individual "targets" fall within the ambit of sweeping surveillance authorizations covering broad categories of targets.

Finally, Epstein and Loyola rather uncritically repeat the claim that the PRISM program surveillance pursuant to FAA authorities "is responsible for foiling about 40 of the 50 terrorist plots which the administration recently disclosed to Congress in classified briefings." If we scrutinize the government's claims a bit more closely, we see that in fact NSA Director Keith Alexander claimed that PRISM intercepts had "contributed" to the disruption of 40 of 50 terrorist "events," mostly overseas, and judged this contribution to have been "critical" in 50 percent of these cases.

When we examine some of the specific "events" government officials have discussed, however, it becomes clear that not all of these are "plots" at all—many seem to have involved funding or other forms of "material support" for radical groups, though in at least one such case the government appears to have claimed a "plot" to bomb the New York Stock Exchange where none really existed. (FBI Deputy Sean Joyce further told Congress that the "plot" must have been serious given that a jury convicted the plotters. But federal prosecutors themselves emphasized that the men "had not been involved in an active plot" and there was no jury trial: they were charged with "material support" and pled guilty.)

Presumably at least some of these "events" did involve actual planned attacks, but knowing that PRISM surveillance was "critical" to disrupting half of them doesn't in itself tell us much. The question is whether the same surveillance could have been conducted in these cases using authorities that existed before the FISA Amendments Act, or under narrower amendments to FISA. Since the bulk of these "events" appear to have been overseas, the traditional authority to intercept purely foreign communications without a warrant would seem to have sufficed, or at most required a legal tweak to accommodate stored data on U.S. servers used by foreigners to communicate with other foreigners. There is no evidence to suggest that the actually controversial part of the FAA—the revocation of the warrant requirement for interception of U.S.-to-foreign wire communications—made a necessary contribution in these cases. Indeed, as national security expert Peter Bergen has documented, the public record in the overwhelming majority of terror plots we know about shows that they were "uncovered by traditional law enforcement methods, such as the use of informants, reliance on community tips about suspicious activity and other standard policing practices."

There is certainly such a thing as too much skepticism about government. But when officials make vague allusions to vital, secret successes in an effort to justify their own broad powers, there is also such a thing as too much credulity.

So much for PRISM and the FISA Amendments Act. I'll discuss what Epstein and Loyola say about the NSA's metadata dragnet in a separate post.