Intelligence Transparency and Yahoo Email Scanning

 

Today, President-elect Trump is scheduled to meet with U.S. intelligence agencies to discuss evidence of Russian interference in the U.S. elections.  Mr. Trump has said that if the intelligence community has evidence of Russian interference, it should make that evidence public.  Part of this story is new: a president-elect is casting doubt on intelligence he hasn’t seen.  And part is not: failure of intelligence agencies to be transparent about key information they have obtained has undermined trust in their conclusions and methodologies.

The need for intelligence transparency to build trust is a recurring theme in intelligence surveillance.  The need for this transparency was illustrated late last year when stories in Reuters and in the New York Times revealed that Yahoo received and complied with an order issued under the Foreign Intelligence Surveillance Act (FISA) that compelled it to scan the incoming email of all of its users, in real time, for a “signature” provided to it by an element of the Intelligence Community.   The demand was issued under “traditional FISA,” which means that the secret Foreign Intelligence Surveillance Court issued an order specifically authorizing the surveillance.

The Yahoo search is a useful case study to understand the troubling potential legal implications of this type of surveillance.  It also calls for disclosure of the legal basis for this surveillance and for Congress to fill gaps in FISA to ensure that surveillance is properly focused.  CDT joined a number of other civil society groups in calling for this disclosure in an Oct. 25, 2016 letter.

Background

The FISA Court may not issue an intelligence surveillance order that compels the disclosure of communications content to the government unless the government proves probable cause as to two things:

(i) that the surveillance “target” is a foreign power or an agent of a foreign power, such as a spy or a terrorist, and
(ii) that each of the “facilities” or places at which the surveillance is directed is being used or is about to be used by the foreign power or agent of a foreign power.

How could this relatively narrow authority be construed to permit an order that compels a search of the contents of the communications of all of Yahoo’s users?  If you guessed that it has something to do with the meaning of “target” and “facility,” you would be correct.

What Does “Targeting” Mean?  FISA does not define the noun, “target,” or the verb, “to target,” and this has led to much mischief.  The Intelligence Community, with the assent of the FISA Court, decided in the context of Section 702 surveillance (which, by law, is directed at non-U.S. persons outside the United States) that “to target” means to collect communications to, from, or about a particular person or entity.  That is, under Section 702 of FISA, the government can, without a court order, collect communications to which the target isn’t even a party, including communications involving Americans and people in the U.S.  The communication need only mention the target’s identifier, or selector, such as an email address or an IP address.  The congressional debate on the legislation that became Section 702 assumed that only communications to or from a target would be collected.  “About” collection can be more destructive of privacy because it involves scanning the communications of everyone (all Yahoo users), rather than only communications to and from the target. The “about” collection was decided by intelligence officials behind closed, classified doors, and the FISA Court secretly signed off.

There was no transparency as to that decision, no open Congressional debate, and no public knowledge.  When Snowden revealed it, public trust that Section 702 surveillance would be limited was undermined, and rightly so.

The IC and the FISA Court reached the conclusion that “about” collection was authorized for purposes of Section 702 not because of the text of Section 702 enacted in 2008, but because of language in a 38-year old report from a congressional committee that accompanied the original FISA.  The Privacy and Civil Liberties Oversight Board (PCLOB) called it out in its report on Section 702, on pp. 37-38.  A “target” of a traditional FISA electronic surveillance, the Congressional report said, “is the individual or entity . . . about whom or from whom the information is sought” [emphasis added].  The IC may be taking the position that this language permits “about” collection in traditional FISA surveillance of electronic communications directed at anyone, including Americans in the U.S.

Yahoo was ordered to collect communications associated with a target identified by a string of characters the IC has called a “signature.”  Yahoo did this by searching the communications of all of its users.  The IC never explained what constituted the “signature” for which Yahoo was compelled to search.  Without release of the FISA Court order and opinion in this case, the public cannot be sure about the scope of this search.

What Is a “Facility?” What about the FISA requirement that surveillance be directed at a “facility” that is about to be used by a foreign power? FISA does not define the term “facility” and this, too, has led to much mischief.  Traditionally, when FISA was enacted in 1978, the “facility” to be wiretapped was a telephone or a telephone line:  the government had to prove that the phone was being used or was about to be used by the agent of a foreign power.  That is consistent with the particularity requirements of the Fourth Amendment: it says that no warrants shall issue unless they are “. . . particularly describing the place to be searched and the persons or things to be seized.”  This was part of the framers’ effort to put an end to general warrants, which were already under attack in Great Britain.

But, as indicated on p. 41 of this draft Inspector General report leaked by Edward Snowden, the U.S. Department of Justice since 2006 has championed a much broader view of what constitutes a “facility.”  DOJ argued that a “facility” could be understood as a “general gateway” or “cable head” through which the communications of millions of people might flow.  After all, wiretaps in the modern age are not usually executed by physically attaching alligator clips to the telephone line; they are executed at the communications service provider’s “facility.”  Armed with this broad articulation of what constitutes a “facility” under FISA, intelligence officials could direct surveillance to any structure through which targeted communications were passing.  While the government has not disclosed its legal justification for the surveillance order served on Yahoo, it is reasonable to deduce that the FISA Court may have determined that Yahoo’s servers constitute a “facility” for purposes of FISA and that the government proved probable cause to believe that the targeted communications would come in over those servers.

If “facilities” are that broad, and “signatures” include communications with non-targets, the government could obtain an order compelling any communications service provider to search all of its users’ communications for communications that may not even be to or from the object of its surveillance.  This would cut the Fourth Amendment’s particularity requirement in half in the context of electronic surveillance: the “thing to be seized” would still have to be described with particularity, but particularity as to the “place to be searched” would no longer be a meaningful limiting factor.

What the Intelligence Community Can Do

The Intelligence Community should de-classify and disclose (with redactions to protect sources and methods) the FISA Court order and opinion in the Yahoo email scanning case.  It should also reveal its view of the extent to which, if any, “about” collection is permissible in the context of regular FISA surveillance targeting people in the U.S. or Americans abroad.

What Congress Can Do

Congress should fill the gaps in FISA that the government may have exploited to compel Yahoo to conduct a search of the communications of millions of people.  Defining “facility” might get tricky because defining it narrowly could unduly limit the places at which legitimate and narrowly-scoped surveillance could be conducted.  A more productive approach might be to amend the statute so it authorizes surveillance directed not at a “facility” but at a particular “account or personal communications device” used by a foreign power or an agent of a foreign power.  How to best fill this gap turns in part on what disclosure of the FISA Court order and opinion in the Yahoo email scanning case reveal.

Congress could also address the email scanning in the Yahoo case by filling another gap – by defining what it means “to target.”  In the context of regular FISA surveillance, a probable cause order is required when an American or a person in the U.S. is targeted for surveillance.  As a result, Congress could define “to target” as to endeavor to collect only communications that are to or from a person with respect to whom probable cause has been proven as evidence by an order from the FISA Court.  This should achieve the result of precluding a mass search of the communications of all of a provider’s users in the context of “traditional” FISA.   With slight modification to eliminate the reference to probable cause, a similar approach could also be used to address “about” collection under Section 702 – a needed reform to that provision of law that will be reconsidered later year, prior to the Dec. 31, 2017 sunset date for Section 702.

By filling these gaps in the law, Congress could help build trust that the surveillance the law authorizes is properly scoped.

What Providers Can Do

The law permits communications service providers to make limited disclosures about the intelligence surveillance demands they receive and intelligence agencies assert that further disclosures would unlawfully reveal classified information.  Ideally in this context, providers would report the number of accounts they searched in order to provide responsive communications, but the law does not clearly permit this.  However, providers can additionally disclose in their transparency reports the number of accounts from which they actually disclosed information to the government, as opposed to simply the number of customer selectors the government had specified.  Though it would not reveal whether a search of all of the provider’s customers’ communications had occurred, it would go some of the way toward building public trust that a search on a single “signature” ordered by the FISA Court did not return information on thousands of the provider’s customers.

The USA FREEDOM Act, passed in 2015, allows anyone who receives FISA orders to publicly report the “number of customer selectors targeted” in the orders.  The legislative history of USA FREEDOM suggests that companies are not limited to reporting on only the selectors specified in a government order. When the House Committee on the Judiciary reported the USA FREEDOM Act to the House, it defined the number of “customer selectors targeted” to include all customer accounts returned in response to a request:

By permitting companies to report the number of ‘‘customer selectors targeted’’ for each of the relevant authorities, this provision is intended to capture circumstances in which the government asks the company for information about a single identifier or selector, but the company returns multiple accounts associated with that identifier or selector, or the reverse situation where multiple identifiers or selectors are tied to a single account. In such a circumstance, the company is permitted to report the total number of accounts returned based on the identifiers and selectors specified in the government request, because all of those accounts have been targeted by the government’s process [emphasis added].

This means that if a company receives a FISA order to scan user emails for a single selector, it can report the total number of accounts from which information was provided to the government as a result of the scan.

Until October 2016, Yahoo’s transparency report said that it disclosed “the number of accounts specified in [a government] request.”  In October, Yahoo updated its transparency report to indicate that it is reporting on “the total number of accounts about which information was produced to the government in connection with [a] Government Data Request,” and indicated that it has always reported government requests in this way.  This kind of reporting provides users with a better understanding of what the reported numbers mean.

Other companies should follow suit and either report on the total number of accounts from which information is produced or, if they already do so (as we suspect is the case), reflect this in the definitional sections of their reports.

What the Public Can Do

President-elect Trump has demanded that intelligence agencies make public their evidence about Russian interference in the U.S. elections.  That type of disclosure would build trust in the conclusion that such interference had occurred.  In the same way, the public should demand transparency about the Yahoo email scanning case and other key interpretations of FISA.  That would build trust that an apparently limited surveillance authority is not being misused.  It would also inform the upcoming debate about reauthorization of Section 702.