Tag Archives: FISA

Unprecedented and Unlawful: The NSA’s “Upstream” Surveillance - Just Security 20160919

Unprecedented and Unlawful: The NSA’s “Upstream” Surveillance

The FISA Amendments Act of 2008 (FAA) — the statute the government uses to engage in warrantless surveillance of Americans’ international communications — is scheduled to expire in December 2017. In anticipation of the coming legislative debate over reauthorization, Congress has already begun to hold hearings. While Congress must address many problems with the government’s use of this law to surveil and investigate Americans, the government’s use of “Upstream” surveillance to search Internet traffic deserves special attention. Indeed, Congress has never engaged in a meaningful public debate about Upstream surveillance — but it should.

First disclosed as part of the Snowden revelations, Upstream surveillance involves the NSA’s bulk interception and searching of Americans’ international Internet communications — including emails, chats, and web-browsing traffic —  as their communications travel the spine of the Internet between sender and receiver. If you send emails to friends abroad, message family members overseas, or browse websites hosted outside of the United States, the NSA has almost certainly searched through the contents of your communications — and it has done so without a warrant.

The executive branch contends that Upstream surveillance was authorized by the FAA; however, as others have noted, neither the text of the statute nor the legislative history support that claim. Moreover, as former Assistant Attorney General for National Security David Kris recently explained, Upstream raises “challenging” legal questions about the suspicionless searching of Americans’ Internet communications — questions that Congress must address before reauthorizing the FAA.

Because of how it operates, Upstream surveillance represents a new surveillance paradigm, one in which computers constantly scan our communications for information of interest to the government. As the legislative debate gets underway, it’s critical to frame the technological and legal issues that Congress and the public must consider — and to examine far more closely the less-intrusive alternatives available to the government.

Upstream Surveillance: An Overview

As we’ve learned from official government sources and media reports, Upstream surveillance consists of the mass copying and content-searching of Americans’ international Internet communications while those communications are in transit. The surveillance takes place on the Internet “backbone” — the network of high-capacity cables, switches, and routers that carry Americans’ domestic and international Internet communications.  With the compelled assistance of telecommunications providers like AT&T and Verizon, the NSA has installed surveillance equipment at dozens of points along the Internet backbone, allowing the agency to copy and then search vast quantities of Internet traffic as those communications flow past.

The NSA is searching Americans’ international communications for what it calls “selectors.” Selectors are, in essence, keywords. Under the FAA, they are typically email addresses, phone numbers, or other identifiers associated with the government’s targets. While this might sound like a narrow category, the reality is much different, as Jennifer Granick and Jadzia Butler recently explained. That’s because the NSA can target any foreigner located outside the United States who is believed to possess “foreign intelligence information” — including journalists, human rights researchers, and attorneys, not just suspected terrorists or foreign spies. At last count, the NSA was targeting more than 94,000 people, organizations, and groups under the FAA.

In practice, that means the NSA is examining the contents of each communication for the presence of tens of thousands of different search terms that are of interest to the government. And that list continues to grow, as the NSA adds new targets and entirely new categories of selectors to Upstream surveillance. Whenever the NSA finds a communication that contains a “hit” for any one of its many selectors, it stores that communication for the agency’s long-term use and analysis — and it may share those communications with the FBI for use in criminal investigations.

“About” Surveillance

Observers, including the Privacy and Civil Liberties Oversight Board (PCLOB), have singled out one feature of this surveillance as especially controversial: what’s often called “about” surveillance. This term refers to the fact that the government is not only intercepting communications to and from its targets, but is systematically examining the communications of third parties in order to identify those that simply mention a targeted selector. (In other words, the NSA is searching for and collecting communications that are merely “about” its targets.)

“About” surveillance has little precedent. To use a non-digital comparison: It’s as if the NSA sent agents to the U.S. Postal Service’s major processing centers to engage in continuous searches of everyone’s international mail. The agents would open, copy, and read each letter, and would keep a copy of any letter that mentioned specific items of interest — despite the fact that the government had no reason to suspect the letter’s sender or recipient beforehand. In the same way, Upstream involves general searches of Americans’ international Internet communications.

Upstream Surveillance Is Bulk Searching

Although the government frequently contends otherwise, Upstream surveillance is a form of bulk surveillance. To put it plainly, the government is searching the contents of essentially everyone’s communications as they flow through the NSA’s surveillance devices, in order to determine which communications contain the information the NSA seeks. While the government has “targets,” its searches are not limited to those targets’ communications. Rather, in order to locate communications that are to, from, or “about” its targets, the government is first copying and searching Americans’ international communications in bulk.

There is no question that these searches are extraordinarily far-reaching. The leading treatise on national-security surveillance, co-authored by former Assistant Attorney General David Kris, explains that the “NSA’s machines scan the contents of all of the communications passing through the collection point, and the presence of the selector or other signature that justifies the collection is not known until after the scanning is complete.” Likewise, the Foreign Intelligence Surveillance Court (FISC) has made clear that the NSA is searching the full text of every communication flowing through the surveillance devices installed on certain international backbone links.

For technological reasons, Upstream surveillance — at least as it’s conducted today — necessarily ensnares vast quantities of communications. When an individual uses the Internet, whether to browse a webpage or send an email, his computer sends and receives information in the form of data “packets” that are transmitted separately across the Internet backbone. As Charlie Savage recently explained in Power Wars, “when an e-mail is transmitted over the Internet, it is broken apart like a puzzle. Each piece of the puzzle travels independently to a shared destination, where they converge and are reassembled. For this reason, interception equipment on a switch in the middle cannot grab only a target’s e-mail. Instead, the wiretapper has to make a copy of everything.” While the NSA may exclude certain types of irrelevant traffic — like Netflix videos — it can identify the communications it’s seeking only by copying and searching the remaining Internet traffic in bulk.

In court, the Department of Justice has resisted acknowledging the breadth of these bulk searches —preferring to say, euphemistically, that the NSA is “screening” or “filtering” communications. But it’s playing word games. The only way for the NSA to determine whether a communication contains one of its selectors is to search the contents of that communication. At scale, that means the NSA is searching the contents of trillions of Internet communications, without anything resembling a warrant.

Upstream Surveillance Is Unprecedented and Unlawful

Because it involves bulk searches, Upstream surveillance is very different from other forms of surveillance, and it should be debated with that in mind. As the Privacy and Civil Liberties Oversight Board (PCLOB) explained:

Nothing comparable is permitted as a legal matter or possible as a practical matter with respect to analogous but more traditional forms of communication. From a legal standpoint, under the Fourth Amendment the government may not, without a warrant, open and read letters sent through the mail in order to acquire those that contain particular information. Likewise, the government cannot listen to telephone conversations, without probable cause about one of the callers or about the telephone, in order to keep recordings of those conversations that contain particular content.

In short, the Fourth Amendment does not allow the government to conduct a general, suspicionless search in order to locate specific information or evidence. Instead, as the ACLU has explained at length elsewhere, the government is required to have probable cause — and a warrant — before it searches the contents of our communications. Upstream surveillance reverses this logic, using the end results of the NSA’s searches to justify the continuous, bulk review of Americans’ Internet traffic. The ODNI General Counsel has effectively called for rewriting the Fourth Amendment to permit these types of searches — which only underscores how novel and extreme the government’s legal theory really is.

Americans — and Congress — need to be concerned about what it means to have government computers monitoring our communications in real-time. As the PCLOB emphasized, one of the fundamental problems posed by Upstream surveillance is that “it permits the government to acquire communications exclusively between people about whom the government had no prior suspicion, or even knowledge of their existence, based entirely on what is contained within the contents of their communications.” David Krishighlighted a related problem, asking whether the government should be permitted to “review the contents of an unlimited number of e-mails from unrelated parties in its effort to find information ‘about’ the target.”

The PCLOB, in its report, expressed serious concern about Upstream surveillance, finding that the nature and breadth of this surveillance pushed it “close to the line” in terms of lawfulness. At the same time, however, the PCLOB expressed the view that “about” surveillance was unavoidable for technological reasons. While this is the subject for a separate post, that factual claim is doubtful. The NSA could, if it chose, do far more to isolate the communications of its targets based on metadata — such as email addressing information — rather than searching the entire contents of everyone’s communications using selectors. Indeed, “Next Generation Firewall” technology is capable of distinguishing metadata from content across many different types of communications. Moreover, the NSA has already shown that it can implement this capability on the Internet backbone — because its bulk Internet metadata program, which it operated for ten years, required very similar capabilities. Even with these modifications, significant questions about the lawfulness of the surveillance would remain; but there is no question that it would be more protective of Americans’ privacy than today’s Upstream surveillance.

Between now and the sunset of the FAA in December 2017, it is crucial that Congress engage in an informed, public debate about whether it is constitutional — and whether it is prudent — to permit the executive branch to wield this incredibly invasive surveillance tool.

Editor’s note: The authors are staff attorneys with the ACLU’s National Security Project. Last year, the ACLU challenged Upstream surveillance on behalf of a broad group of educational, legal, human rights, and media organizations — including Wikimedia, the operator of one of the most-visited websites in the world — whose communications are swept up by this unprecedented dragnet. In October 2015, a federal district court in the District of Maryland held that the plaintiffs lacked “standing” to bring suit. The case is presently on appeal in the Fourth Circuit.

The Obama Administration Has Embraced Legal Theories Even Broader Than John Yoo’s - Just Security 20160407

The Obama Administration Has Embraced Legal Theories Even Broader Than John Yoo’s - Just Security 20160407

The Justice Department recently released another of the now-notorious Office of Legal Counsel memos written by John Yoo — memos that authorized torture, warrantless wiretapping, and indefinite detention. The new memo, written as a “letter” to then-presiding FISC Judge Colleen Kollar-Kotelly in May 2002, addresses the legal basis for the NSA’s warrantless wiretapping of Americans’ communications under the “Stellar Wind” program.

Unsurprisingly, Yoo’s memo is extremely broad and poorly reasoned — but we knew that much already, thanks to Jack Goldsmith and Jim Comey. Still, it would be a mistake to think of Yoo’s memo as just an historical artifact, full of long-repudiated legal arguments. In fact, many of the arguments Yoo made behind closed doors in 2002 continue to appear in the Obama administration’s briefs defending warrantless surveillance under Section 702 of FISA today. And, in at least one key respect, the Obama administration’s arguments are even broader than the ones that Yoo felt he could justify.

Americans’ Expectation of Privacy in Their International Communications

Like Yoo, the Obama administration has argued that Americans have a “greatly reduced” expectation of privacy in their international communications — so diminished, in fact, that no warrant is necessary for the government to intercept and search those communications. That might come as a surprise to the millions of Americans who regularly engage in personal or confidential communications with family, friends, business associates, and others overseas. When you pick up the phone to call a family member abroad, there is no reason to believe that your communication is any less private than calling a friend across town. The Supreme Court has certainly never said any such thing. Indeed, Yoo eventually admitted in his memo that the case law did not support the suspicionless interception of “the contents of telephone or other electronic communication[s]” — though he then proceeded to ignore his own conclusion.

But that has not stopped the government from making the same claims in the Section 702 cases now moving through the courts. The government has embraced Yoo’s position, arguing that the privacy interests of US persons in international communications are “significantly diminished, if not completely eliminated,” when those communications are sent to or from foreigners abroad.

On top of that, the government assumes that any communication entering or leaving the country has a foreigner on one end — and thus is eligible for warrantless searching. As the new Brennan Center report makes clear, the implications of this position are especially dire given the global structure of the Internet, where even Americans’ domestic communications may be routed or stored abroad without the parties to those communications even knowing. In short, it is the Obama administration’s view that Americans forfeit the core protection of the Fourth Amendment whenever their private communications cross an international border. And, in today’s globally connected world, that is happening more and more.

Foreign Intelligence Surveillance and the Warrant Requirement

The Obama administration has also followed Yoo in arguing that intelligence agencies may disregard the Fourth Amendment’s warrant requirement simply because they are conducting surveillance for a foreign intelligence purpose. But as Yoo ultimately acknowledged in his memo — and as the Privacy and Civil Liberties Oversight Board observed in its report on Section 702 — no court has ever endorsed such a sweeping exception to the warrant requirement. Instead, courts analyzing this question have limited the exception to surveillance of foreign powers and their agents (in addition to recognizing other requirements). That is a far cry from the warrantless surveillance the government is conducting under Section 702, which can be used to target almost any foreigner abroad, including individuals who are not suspected of any wrongdoing whatsoever — people like journalists, cryptography researchers, human rights advocates, and IT system administrators.

Upstream Surveillance: Too Far for Yoo?

Perhaps most remarkably, however, the Obama Justice Department has pressed legal theories even more expansive and extreme than Yoo himself was willing to embrace. Yoo rounded out his Stellar Wind memo with an effort to reassure Judge Kollar-Kotelly that the government’s legal interpretation had limits, saying: “Just to be clear in conclusion. We are not claiming that the government has an unrestricted right to examine the contents of all international letters and other forms of communication.” But that is essentially the power the NSA claims today when it conducts Upstream surveillance of Americans’ Internet communications. The NSA has installed surveillance equipment at numerous chokepoints on the Internet backbone, and it is using that equipment to search the contents of communications entering or leaving the country in bulk. As the ACLU recently explained in Wikimedia v. NSA, this surveillance is the digital analogue of having a government agent open every letter that comes through a mail processing center to read its contents before determining which letters to keep. In other words, today the Obama administration is defending surveillance that was a bridge too far for even John Yoo.

It is hard to explain how astonishing this is. Yoo was at the center of the Bush administration’s effort to radically expand executive power, opening the door to widespread electronic surveillance of Americans without any individualized judicial approval. His efforts are widely understood to have been extreme, analytically indefensible, and contrary to the basic values of our country. Yet many of the legal arguments that Yoo made nearly 15 years ago have now been endorsed by the Obama administration to continue and expand the warrantless surveillance of Americans — surveillance that is even more pervasive than the wiretapping Yoo felt comfortable defending in secret.

At the same time, the Obama administration has fought to keep the public courts from scrutinizing these legal arguments, relying on secrecy and standing doctrines to short circuit challenges to mass surveillance programs. Whether it is John Yoo’s OLC memos, expansive reinterpretations of the law in the FISC, or ex parte criminal proceedings, by now it should be clear that good law is not made in secret.

Questions Congress Should Ask About Section 702 - Just Security 20160204

Questions Congress Should Ask About Section 702 - Just Security 20160204

After passing a surveillance reform bill last year, Congress appears poised to turn to examine another controversial surveillance authority — Section 702 of FISA. Using Section 702, the government copies, searches, and retains vast quantities of Americans’ international communications, all without ever obtaining a warrant.

On Tuesday, the House Judiciary Committee held its first hearing, in what we hope is a series, on Section 702 this Congress. Unfortunately, because the hearing was closed to the public, we do not know what issues were raised. In the past, Congress has reauthorized Section 702 without key information. However, we hope that members of Congress made clear that they would not reauthorize Section 702 when it is set to expire in 2017 without,at a minimum, answering the following key questions:

1. How many Americans have had their private information collected?

The government’s Section 702 position is inherently contradictory: Officials insist that the surveillance does not violate Americans’ rights, yet claim they have no way of knowing how many Americans’ communications are even collected.

The demand for information about the number of Americans whose information is collected under Section 702 is not new. Sen. Wyden has repeatedly asked Director of National Intelligence James Clapper for this information. Indeed, the Privacy and Civil Liberties Oversight Board explicitly noted that it requested but was not able to get this information as part of its review of Section 702.

Despite these requests, the government has staunchly refused to provide an account of the number of Americans whose information is collected and searched under Section 702. The primary justifications for this refusal have been that calculating this information would not be possible and, ironically, would require the government to commit additional privacy intrusions (presumably because it would require review of communications that otherwise would not be searched).

These justifications simply don’t stand up to scrutiny. First, the government has yet to provide concrete, detailed information on the resources that would be needed to obtain this information. Second, in response to a Foreign Intelligence Surveillance Court inquiry regarding the number of wholly domestic communications collected under Section 702, the NSA conducted a sampling of thousands of communications to provide a rough estimate of this information. With appropriate privacy protections, the intelligence community could use a similar methodology to estimate the number of Americans whose information is collected.

2. What is the legal justification for using Section 702 to scan virtually all Americans’ international communications over the Internet?

Over the past three years, it has become clear that the government often performs legal acrobatics in order to justify surveillance that was never authorized by Congress in the first place. Such acrobatics appear to extend to the NSA’s “Upstream surveillance,” which it operates under Section 702.

Upstream surveillance involves the mass copying and searching of virtually all Internet communications flowing into and out of the United States. With the help of companies like Verizon and AT&T, the NSA conducts this surveillance by tapping directly into the Internet backbone inside the United States — the physical infrastructure that carries the communications of hundreds of millions of Americans and others around the world. After copying nearly all of this traffic, the NSA searches the metadata and content for key terms, called “selectors,” that are associated with its thousands of foreign targets. Communications that contain these selectors can be retained and analyzed by the NSA with few restrictions.

The ACLU and other groups have challenged the mass searches and seizures of Americans’ internet communications under Upstream surveillance as both a violation of the Fourth Amendment and a violation of the restrictions that Congress wrote into Section 702 itself. Thus, it is critical that Congress press the intelligence community to disclose its legal analysis — and that Congress take steps to ensure that Section 702 is not used to justify illegal and unconstitutional mass surveillance of Americans’ international communications.

3. How many “backdoor searches” does the FBI conduct each year?

Members of Congress are rightfully concerned that the government performs “backdoor searches” — where analysts and investigators search Section 702 databases for information using US person identifiers (for example, a US person’s name or phone number). These searches are not authorized by the text of Section 702, and are contrary to the intent of the law, which explicitly prohibits the use of Section 702 to target US persons.

The surveillance reform bill passed last year, the USA Freedom Act, requires some reporting on the number of backdoor searches — but conspicuously excludes the FBI from this requirement. This is despite the fact that the Privacy and Civil Liberties Oversight Board reported that the FBI conducts backdoor searches in virtually every national security investigation and many other criminal investigations.

The FBI is clearly capable of tracking its use of backdoor searches. Other federal agencies, such as the CIA, account for the number of backdoor searches they perform. Given this, members of Congress should aggressively push the FBI to provide an accurate account of the number of backdoor searches it performs. Such information is essential to assess the impact that warrantless surveillance under Section 702 has on Americans.

4. What are the rules for using Section 702 information in criminal prosecutions and investigations?

Are there cases where information obtained or derived from Section 702 is used to assist in low-level drug investigations, tax-fraud investigations, or other investigations that have nothing to do with national security? These basic questions about how Section 702 is used in domestic criminal investigations remain unanswered.

Section 702 was not intended to be used to investigate and prosecute domestic crimes — yet internal procedures appear to permit just that. Intelligence officials have publicly confirmed that internal regulations permit Section 702 information to be used as evidence at trial in a variety of domestic criminal contexts, including transnational drug crimes, certain forms of battery, and crimes involving damage to critical infrastructure. Moreover, it appears that government regulations permit the use of Section 702 information during the investigation stage of any crime.

Concerns over the widespread use of this information are compounded by the fact that the government has historically failed to fulfill its obligations to notify individuals when it intends to use information “obtained or derived” from Section 702 in legal proceedings against them. Although the Justice Department began notifying criminal defendants of the use of Section 702-derived information in October 2013, it has done so in only five cases, and there has not been a single notification in 22 months. In addition, other federal agencies, such as the Treasury Department, have never provided Section 702 notifications, despite their reliance on this information.

These practices are at odds with the intent of the law and represent an end run around the Fourth Amendment’s warrant requirement. Given this, it is critical that the intelligence community be required to disclose more information about the use of Section 702 information in criminal investigations and prosecutions.

Many of these questions should have been answered before Section 702 was ever passed. Now, Congress should demand these answers as it considers how to reform Section 702 to protect the privacy rights of Americans and others.

Court Orders DOJ to Justify Withholding of FISA Reports in EPIC FOIA Suit - EPIC 20160204

Court Orders DOJ to Justify Withholding of FISA Reports in EPIC FOIA Suit - EPIC 20160204

A federal court in Washington, DC ruled today that the Justice Department's explanation for withholding information about the Foreign Intelligence Surveillance Court was "manifestly insufficient." In EPIC v. Department of Justice, EPIC is seeking release of FISA surveillance reports routinely provided to Congress. The court ordered the government to submit the reports for review, and to provide specific reasons for withholding the material sought by EPIC. For almost 20 years, EPIC has made available information about FISC orders and surveillance reports. As EPIC explained to the court, release of these materials is of the "utmost importance to the public."