JustSecurity: "Today we learned that those 2011 (Sec 702) safeguards did not work"

Razer g2s at riseup.net
Fri Apr 28 18:30:14 PDT 2017


Author's "Wows" aside, there's no mention of the FBI's DIT unit's
grabbing all US citizens' metadataz gleaned while rummaging for targeted
'suspects' and turning it over to the NSA, unless it's buried in the
fine print somewhere (in a basement without lighting in another galaxy
perhaps).


Today’s ODNI and Section 702 News
By Jennifer Granick
Friday, April 28, 2017 at 7:16 PM

Today, the Office of the Director of National Intelligence (ODNI)
announced that it would stop some of the surveillance it conducts on the
telecommunications backbone under authority granted by section 702 of
the FISA Amendments Act. That announcement came in the form of a press
release, a statement, and was reported in a New York Times article by
reporter Charlie Savage.

Wow.

Here’s some background, and some questions Congress and the courts are
going to need to answer going forward. (For more information, check out
my book, American Spies, or this series of blog posts (one, two, three)
by Jadzia Butler and me on section 702.)

When conducting surveillance of communications as they travel over fiber
optic cables (the “Upstream” program), the NSA has been collecting not
just communications to and from foreign intelligence targets, but also
about those targets. If the stream of internet packets contains a
selector associated with a foreign intelligence target, the NSA has been
acquiring the entire “internet transaction” containing that selector.
This “about” collection means collection takes place even when the
relationship between the communicants and the intended target is
attenuated—no one is talking to the target.

Further, about communications can pull unrelated messages into the NSA’s
coffers. Using this surveillance technique, the government “tasks” a
given selector (such as an email address or phone number) in the stream
of internet data flowing through particular network gateways (known as
the “internet backbone”). If the stream of internet packets contains the
selector, the Upstream program will acquire the entire “internet
transaction” containing that selector. Some transactions only include
one communication (Single Communications Transactions – SCTs), while
others contain multiple discrete communications (Multiple Communications
Transactions – MCTs). Because of the way the NSA conducts Upstream
collection, if any communication within an SCT or MCT is “to,” “from,”
or even “about” a tasked selector, the entire transaction is collected.
The collection of MCTs further removes the nexus between the
communicants and the intended target because any communication that is
embedded within a transaction that happens to include a communication
that so much as mentions the targeted selector can get swept up.

Despite the fact that this type of surveillance has been taking place
since 2001, and that it was supposed to be regulated and overseen by the
Foreign Intelligence Surveillance Court (FISC) since 2008, it was only
in 2011 that the NSA acknowledged “about” collection and the MCT problem
to the FISC. (The public learned about it after revelations based on
documents from whistleblower Edward Snowden.) The FISC judge, John
Bates, allowed the collection to go forward despite his initial finding
that the collection violated the Fourth Amendment. Judge Bates accepted
NSA-proposed post-collection usage rules, called minimization
procedures. The NSA adopted rules for Upstream surveillance that require
it to treat MCTs as a special category. The NSA was supposed to put
special procedures in place designed to identify when a communication
within an MCT is between American citizens.

MCTs were to be screened for irrelevant information, which must be
deleted. No agency but the NSA is supposed to have access to MCTs, not
the CIA or the FBI.

Judge Bates likely accepted this band aid despite the constitutional
problems because the NSA claimed it was not capable of breaking MCTs
down into individual messages, not capable of stopping “about”
collection, and insisted that this surveillance capability was
protecting the nation from terrorists.

ODNI reports that NSA will no longer collect certain internet
communications that merely mention a foreign intelligence target. The
NSA will delete the vast majority of its upstream internet data to
further protect the privacy of U.S. person communications. Further, the
changes in policy followed an in-house review of Section 702 activities
in which NSA discovered “several inadvertent compliance lapses.” The
public is now waiting for a declassified FISC opinion explaining these
issues in more detail.

In other words, today we learned that those 2011 safeguards did not
work, the NSA can stop about collection, and that our counterterrorism
efforts can live without this massive invasion of privacy.

In other words…Wow.

Here are some questions that the courts and Congress will need to
answer, especially since section 702 is due to expire at the end of this
year, and Americans must decide whether to renew the program, and if so,
with what safeguards in place.

The ODNI press release is unclear about whether or not NSA is ceasing
all “about” collection, or just that where one of the communicants is an
American. The press release says “the Agency will stop the practice to
reduce the chance that it would acquire communications of U.S. persons
or others who are not in direct contact with a foreign intelligence
target.” So, you could read that as both one end foreign and
international communication. Or, it could mean stopping collection of
only one end foreign, and the word “others” refers to those non-citizens
communicating with USPs but not with other foreigners. The statement
says “surveillance will now be limited to only those communications that
are directly “to” or “from” a foreign intelligence target.” That sounds
more comprehensive. However, if ODNI is using “surveillance” to mean
electronic surveillance as defined in the FISA then they may still be
doing “about” collection on foreign to foreign communications. Word
games can make it very hard to understand exactly what official
statements mean.

It appears that the NSA now has and maybe has always had a way to filter
out Americans’ international communications from Upstream, despite
multiple statements to the contrary.

If they can filter statements out, that suggests ODNI can count how many
communications in the take are to or from Americans.

You should read “several inadvertent compliance lapses” as “systematic
violations of the Fourth Amendment”. Remember that these minimization
procedures were required by Judge Bates to ameliorate constitutional
violations. Failure to follow those rules is a failure to comply with
the Fourth Amendment.

Given the problems that came to light in 2011 and then again now, has
section 702 ever been used lawfully?

ODNI admits today that they are using section 702 for “cybersecurity”.
That is a topic that the Privacy and Civil Liberties Oversight Board did
not study. We do not know anything about how selectors are chosen for
cybersecurity, or what the resulting database of information looks like.

While figuring out this problem, the FISC did not let section 702
collection lapse, but extended existing certifications beyond the year
expiration period. Under what authority could a FISC judge do this?

NSA is deleting the about collection data they have. That means that
they cannot find a way to use it in accordance with the 2011 Bates opinion.

I think this statement marks a change for the better in the way that the
ODNI talks about counterterrorism:

    NSA previously reported that, because of the limits of its current
    technology, it is unable to completely eliminate “about” communications
    from its upstream 702 collection without also excluding some of the
    relevant communications directly “to or from” its foreign intelligence
    targets. That limitation remains even today. Nonetheless, NSA has
    determined that in light of the factors noted, this change is a
    responsible and careful approach at this time.

Today, the NSA agrees that blindly Collecting It All is not necessarily
the right thing to do. Responsible surveillance takes into account civil
liberties as well. That is big news indeed.

Tags: FISA, FISC, Foreign Surveillance, Section 702


With links: https://www.justsecurity.org/40391/todays-odni-section-702-news/



