Does the new FISA bill authorize wholesale interception of all communications to and from the US, or does it only authorize the interception of the communications of particular individuals?
In either case, the legislation affects Americans, because some of the intercepted communications of persons abroad will be with people in the United States. Also, in either case, the legislation dispenses with the normal Fourth Amendment standard of probable cause and FISA’s requirement that at least one party to the communication being monitored be a terrorist or spy or other “agent of a foreign power.” And, in either case, the legislation creates a unique procedure whereby a judge approves procedures for conducting surveillance, but Executive Branch officials authorize the surveillance itself and issue directives compelling communications carriers to assist. All these are huge departures from traditional surveillance practice.
But does the legislation authorize the vacuum cleaner approach (by which I mean the interception or recording on a wholesale basis for later analysis of any calls available from within the US where one of the parties is reasonably believed to be located outside the United States) or does it require a more targeted approach – the particularized interception of the communications of certain individuals (albeit with the particularity decision made by intelligence analysts, not judges, and on a very low standard of “reasonably believed to be located outside the US”)? In other words, are we talking about recording millions and billions of calls and emails or merely hundreds of thousands? The key language in the bill is found in three subsections:
“…the Attorney General and the Director of National Intelligence may authorize jointly, for a period of up to 1 year from the effective date of the authorization, the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” 702(a). “An acquisition authorized under subsection (a) shall be conducted only in accordance with – (A) the targeting and minimization procedures adopted in accordance with subsections (d) and (e);” 702(c). [The targeting procedures must be] “reasonably designed to – (A) ensure that any acquisition authorized under subsection (a) is limited to targeting persons reasonably believed to be located outside the United States; and (B) prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States.” 702(d).
Two key terms are undefined: “targeting” and “acquisition” (or “acquire”). For now, let’s assume that the latter means to copy or divert for analysis or recording. The word “targeting” seems to imply particularity and a focus on individuals. One might assume that a targeted collection process involves recording the communications of specific individuals or specific telephone numbers, email accounts, or IP (Internet Protocol) addresses.
The new law is clear that the persons whose communications can be recorded do not have to be suspected of being spies or terrorists (or “agents of foreign powers” in traditional FISA terms). So already we have come a very long way from what has been described by the Administration as the “Terrorist Surveillance Program,” the 2005 revelation of which started the current debate. According to the Justice Department’s own description, that program “target[ed] communications only where one party is outside the United States and there is probable cause to believe that at least one party to the communication is a member or agent of al Qaeda or an affiliated terrorist organization.” The new law will allow the government to intercept any communications between anyone in the US and anyone reasonably believed to abroad, so long as the government claims a foreign intelligence purpose and is not intentionally targeting a person known at the time of acquisition to be located in the US.
Even if the notion of “targeting” means a focus on individuals, the new law allows the government to put a lot of phone numbers and email addresses and other identifiers into its selection system and, with mandated carrier assistance, intercept the communications between those individualized “facilities” and persons in the US. The government probably has thousands or tens of thousands or hundreds of thousands of these numbers and email addresses of suspected al Qaeda members and their associates and the relatives of their associates and the people the associates contact and the people contacted by the people contacted by the associates. After all, the official Terrorist Watch List has 900,000 names and is growing at a rate of 20,000 names per month (most of whom unfortunately we don’t have phone numbers for, but the point is the rapidity with which the government can aggregate individual identifiers.)
One recent news story can be read as supporting this interpretation. Referring to orders issued under the Protect America Act, Eric Lichtblau of the New York Times wrote : “In some instances, the broad orders given to the companies starting last August cover tens of thousands of overseas phone numbers and e-mail addresses at one time, people with knowledge of the orders said.”
Most of the Administration’s statements in support of the bill have suggested that the intelligence agencies want to engage in this very broad but nevertheless particularized surveillance of communications between people in the US and people abroad. And there is no doubt that this is one means – in some ways the preferred means – of conducting intelligence surveillance. However, I’m not sure the Administration has ever said that such particularized surveillance was the only mode of surveillance it was seeking to codify. Moreover, several considerations point to authorization for a broader, less individualized form of surveillance.
The first has to do with the fact that “person” is defined in FISA as meaning not only an individual but also “any group, entity, association, corporation, or foreign power.” Thus, al Qaeda is a “person.” If al Qaeda is “reasonably believed to be located outside the United States,” the law can be read as authorizing “the targeting of [al Qaeda] to acquire foreign intelligence.” How does the government plan to “target” a “person” as amorphous and decentralized as al Qaeda? One the other hand, if al-Qaeda has 10,000 suspected members and even only a handful are believed to be in the US, can it be said that a program “targeting al Qaeda” is targeting a “person” reasonably believed to located outside the US? This is another way in which the new legislation differs from the TSP it is supposed to ratify: Under the TSP, the key determination was that the targeted “person” was a terrorist group or an agent of a terrorist group, regardless of where they were located. Under the new bill, it is not clear that the “target” can be said to be al Qaeda, since al Qaeda may not be a “person” reasonably believed to be outside the US. So maybe the definition of “person” does not give us much indication of the scope of surveillance that would be authorized under the new bill.
However, what if “targeting” does not imply a particularized focus on individuals? What if “targeting” simply means “selection”? One way to select is by telephone number, email address, and other identifiers specific to an individual. But could the government also select by area code? By country code? Targeting by geography does not seem a stretch; the police have used geographic selection domestically, asking cellular service providers to identify all phones that were in the vicinity of a particular cell tower at around the time of the commission of a crime.
A selection process that intercepts only communications to and from individuals reasonably believed to be abroad is technologically quite feasible. Susan Landau and other communications experts wrote in an article last year, “International communications enter the US by satellite, terrestrial microwave, older copper cable, and newer fiber optic cable. There are roughly 25 cableheads in the US.” In other words, there are a relative handful of nodes where international calls enter the US; it is reasonable to believe that all communications passing through such gateways involve at least one overseas party. Under the new bill, by focusing on such gateways and intercepting all or many communications passing through such nodes, would the government be “targeting persons reasonably believed to be located outside the United States?”
Former DOJ lawyer David Kris articulated something like this over a year ago, talking about the TSP, but he was focusing on FISA’s traditional requirement that the surveillance focus on a particular “facility” and he was assuming that the government only recorded those conversations where there was probable cause to believe (in the judgment of an NSA analyst) that one of the parties was a member or associate of al Qaeda. (Kris summarized his theory in a recent blog post.) The new law goes much farther: it does not require the government to specify a particular facility, even one as large as an international gateway, and, as noted, it permits recording on the mere basis of reason to believe that one of the parties is overseas.
Intelligence officials will argue, correctly, that they are not interested in the vast majority of foreign-to-domestic communications and could not possibly digest all of the communications coming into and out of the country. It is true that, even with the biggest computers in the world, the intelligence agencies need to start the winnowing process at the recording stage, but it is also true that these agencies have a very imperfect idea of what communications to focus on at any given time. It is certainly logical to record many communications, using very porous filters, in case something comes to light an hour or a day or a year later that sends one back to re-analyze old communications. The only constraints would be storage and retrieval capacity, but those permit recordation of many more calls than would be intercepted under a particularized system.
Another factor pointing in the direction of wholesale monitoring is the Administration’s opposition to an amendment to the bill that would have prohibited “bulk collection.” Senator Russ Feingold sought such a clarification earlier this year. Administration officials opposed it, using the argument that the military may need to collect all communications coming into and out of an Iraqi city that the U.S. forces intended to enter in force.
Some might also argue that a vacuum cleaner approach would not be permitted because the bill requires that a “significant purpose” of the surveillance must be the collection of foreign intelligence information. However, a broad collection effort could have that purpose, even if it collected a lot of information that did not include foreign intelligence information. Intelligence officials would sort through it at the back end (employing “minimization” procedures), and maybe discard some of it, but a “significant purpose” of the up front collection would still be to collect foreign intelligence information.
There is yet a third possibility: That the intelligence agencies are using the “vacuum cleaner” on transactional data, but are intercepting content only on a more particularized basis, using leads generated by analysis (“data mining”) of the transactional data. There is some hint of this in Wall St. Journal reporter Siobhan Gorman’s March 10, 2008 article. One of the many unanswered questions surrounding the FISA debate concerns the treatment of transactional data or “meta-data” under current FISA, and FISA as it would be amended by this bill. There could be all kinds of legal theories built on the fact that, under current Supreme Court law, transactional data (even domestic-to-domestic) is not protected by the Constitution. Maybe the bill is supposed to allow wholesale interception of transactional data and only particularized interception of content.
The distinction between particularized surveillance and wholesale recording for later analysis may blur. Even with authorization for wholesale recording, the intelligence agencies are likely to engage in triage; under any standard, the challenges of analysis and translation force them to collect less they are legally authorized to. But the distinction does have some important implications. For one, if Americans talking to people overseas have Fourth Amendment rights, a program of wholesale recording would seem more constitutionally problematic than a particularized program. Even blanket warrants authorizing particularized surveillance upon the determination of an Executive Branch official push the farthest limits of the Fourth Amendment. The government may face some very unpleasant news if it tries to use in a criminal proceeding information collected by a wholesale program. Secondly, a program that involved wholesale recording for later analysis places a huge burden on the minimization rules, which are intended to define how the government can use what it has already collected. Yet the bill’s only guidance for the minimization rules is that they comply with traditional FISA standards, which assume a very different approach. Last year, CDT explained why the current minimization rules are inadequate to protect the rights of Americans.
And, as Georgetown law prof and former DOJ lawyer Marty Lederman has noted, the mere fact that people quite steeped in FISA don’t know whether the bill authorizes wholesale interception or only particularized interception is itself a commentary on how far we have departed from traditional standards of policymaking. Even among those inside the legislative drafting process with security clearances, I fear that there are a lot of divergent assumptions about what the bill does. The problem is that the Executive Branch’s interpretations (which so far are secret and are maybe unspoken even in the classified context) will control, at least in the short run.
The upcoming Senate debate offers one last opportunity on the public record to clarify what this bill means. I’m not sure I will like the answer, but the intelligence agencies who will implement the new law, the telecommunications carriers whose assistance will be mandated, and the American public deserve a clear answer: does the bill authorize wholesale interception of call content or transactional data? Both national security and civil liberties interests weigh in favor of clarity on this question.