Time to Permanently End NSA’s “About” Searches In Communications Content under FISA 702
Written by Michelle Richardson
Recently, the government released a significant FISA Court opinion discussing one of the NSA’s most controversial surveillance programs under FISA Section 702: the practice of searching the content of communications for references “about” a target instead of collecting communications that are just to or from a target. The court found egregious violations of the privacy rules designed to protect the information collected through this type of surveillance and signed an order for the coming year that prohibits the practice altogether. It’s a perfect example of how secret oversight mechanisms don’t always work, and a solid argument for why – during this year’s 702 reauthorization process – Congress should end “about” searches altogether.
Some background: Section 702 of FISA passed in 2008 and in many ways legalized President Bush’s warrantless wiretapping program. It allowed the government to collect both records and content, here in the United States, so long as the target was overseas and the purpose was to collect foreign intelligence. Foreign intelligence is broadly defined and includes some obvious targets like terrorists, representatives of foreign governments and those who proliferate weapons of mass destruction. It also includes, however, the incredibly broad catch-alls of information relevant to our “national defense” and “foreign affairs.” We now know from government reporting that there are approximately 100,000 targets under the 702 program, but how many US Persons end up in government databases because they are in contact with these targets is still unknown.
Before the Snowden disclosures in 2013, the public was under the impression that 702 was used only to collect records and communications that were to or from a target. However, the FISA Court went further to permit searching communications for a reference “about” a target in its Upstream collection, which sifts through the internet backbone traffic as it enters the US. As the Privacy and Civil Liberties Oversight Board explains, this has two components. One is intentionally searching communications for a reference to a target, such as searching the body of an email for a reference to the name or email address of one of the 100,000 targets. The other is technical: searching through packets crossing the backbone of the internet, even just for the routing information to identify a target’s communications, essentially ends up searching content at the same time. This returns not just the communication of a target, but a whole “complement” of communications that may not have anything to do with a target at all. The FISA Court wrote in 2011 that the practice even collects purely domestic communications.
When the FISA Court learned of this practice in 2011, it held it to be not only a violation of the FISA statute itself, but unconstitutional without strict post-collection rules to limit its retention and use. Under new rules, Upstream data could only be retained for two years instead of the usual five and any purely domestic communications had to be destroyed upon recognition. “About” collection had to be segregated from the rest of the 702 data, and affirmatively found to not include purely domestic communications before it could be integrated into other information systems. If a US Person or a person in the United States was a party to a communication, it could not be used except to thwart an immediate threat to human life. And most importantly, the NSA could not query Upstream data with known US Person identifiers.
In October of last year, the government informed the FISA Court that these extra stringent rules had been violated. For six months the NSA sought to audit the breakdown and by April could not provide a full accounting of how analysts had access to this especially sensitive data. According to the court, it may in part have been due to the software interface which required analysts to “opt-out” of searching this data instead of “opting-in.” As a result, the new 702 order signed in April of this year prohibits the NSA from conducting “about” collection at all. The court predicts that “These changes should substantially reduce the acquisition of non-pertinent information concerning U.S. persons pursuant to Section 702.” A public statement from the NSA notes that, “These changes are designed to retain the upstream collection that provides the greatest value to national security while reducing the likelihood that NSA will acquire communications of U.S. persons or others who are not in direct contact with one of the Agency’s foreign intelligence targets.”
Since Congress has the opportunity to review Section 702 this year, it should statutorily prohibit “about” searches going forward. The Center for Democracy and Technology proposed this change last year because “about” searches 1) permitted content searching in the US, something that should always be protected by a true warrant, and 2) knowingly collected information that had nothing to do with a foreign intelligence investigation at all. This was a bad idea before we knew of these egregious and systemic compliance problems; it should not be resurrected, even if the NSA is able to find a technological solution to implement the court’s 2011 rules.
This would have sounded like quite a reach just a few months ago. But even Sen. Dianne Feinstein (D-CA), the Ranking Member of the Judiciary Committee and former Chair of the Intelligence Committee, has called for a formal end to “about” searches. It’s time to put this practice to bed for good.