Chapter 23 & 25 – Programmatic Surveillance and Bulk Collection
The Terrorist Surveillance Program Pursuant to a still-secret executive order signed by the President in October 2001, the NSA had without warrants monitored the contents of telephone and Internet communications of thousands of persons inside the United States, where one end of the communication was outside the United States, in an effort to learn more about possible terrorist plots. There were various rationales for this, but all we care about are the FISA fixes in current use.
The FISA Problem FISA, as passed, is an analog world statute. While it does not require detail probable cause, it does anticipate specific targets, which is consistent with wiretapping in 1978. It does not apply to non-US persons outside of the US, because their communications would not have come inside the US.
Section 702 (from the ODNI Transparency Report)
Target Within the IC, the term “target” has multiple meanings. With respect to the statistics provided in this report, the term “target” is defined as the individual person, group, entity composed of multiple individuals, or foreign power that uses the selector such as a telephone number or email address.
U.S. Person As defined by Title I of FISA, a U.S. person is “a citizen of the United States , an alien lawfully admitted for permanent residence (as defined in section 101(a)(20) of the Immigration and Nationality Act), an unincorporated association a substantial number of members of which are citizens of the United States or aliens lawfully admitted for permanent residence, or a corporation which is incorporated in the United States, but does not include a corporation or an association which is a foreign power, as defined in [50 U.S.C. § 1801(a)(1), (2), or (3)].” 50 U.S.C. § 1801(i). Section 602 of the USA FREEDOM Act, however, uses a narrower definition. Since the broader Title I definition governs how U.S. person queries are conducted pursuant to the relevant minimization procedures, it will be used throughout this report.
Dissemination In the most basic sense, dissemination refers to the sharing of minimized information. As it pertains to FISA (including Section 702), if an agency (in this instance NSA) lawfully collects information pursuant to FISA and wants to disseminate that information, the agency must first apply its minimization procedures to that information.
Title VII - FISA Amendments Act (FAA) Section 702 Title VII of FISA includes Section 702, which permits the Attorney General and the DNI to jointly authorize the targeting of (i) non-U.S. persons (ii) reasonably believed to be located outside the United States (iii) to acquire foreign intelligence information. See 50 U.S.C. § 1881a. All three elements must be met.
Section 702 Targets and “Tasking.” Under Section 702, the government “targets” a particular non-U.S. person, group, or entity reasonably believed to be located outside the United States and who possesses, or who is likely to communicate or receive, foreign intelligence information, by directing an acquisition at – i.e., “tasking” – selectors (e.g., telephone numbers and email addresses) that are assessed to be used by such non-U.S. person, group, or entity, pursuant to targeting procedures approved by the FISC.
What information do you need before you can use that email address as a selector? Next the NSA analyst must verify that there is a connection between the target and the selector and that the target is reasonably believed to be (a) a non-U.S. person and (b) located outside the U.S. This is not a 51% to 49% “foreignness” test.
What has to be documented? For each selector, the NSA analyst must document the following information: (1) the foreign intelligence information expected to be acquired, as authorized by a certification, (2) the information that would lead a reasonable person to conclude the selector is associated with a non-U.S. person, and (3) the information that would similarly lead a reasonable person to conclude that this non-U.S. person is located outside the U.S.
The FISC’s role. Under Section 702, the FISC determines whether certifications provided jointly by the Attorney General and the DNI meet all the requirements of Section 702. If the FISC determines that the government’s certifications its targeting, minimization, and, as described below, querying procedures meet the statutory requirements of Section 702 and are consistent with the Fourth Amendment, then the FISC issues an order and supporting statement approving the certifications.
Certifications. The certifications are jointly executed by the Attorney General and DNI and authorize the government to acquire foreign intelligence information under Section 702. Each annual certification application package must be submitted to the FISC for approval. The package includes the Attorney General and DNI’s certifications, affidavits by certain heads of intelligence agencies, targeting procedures, minimization procedures, and, as described below, querying procedures.
How did the FAA change the certifications to the FISC for a FISA warrant? … the FISC need not find probable cause of foreign agency or otherwise review individualized surveillance applications under the FAA. Id. §1881a(c)(4). Instead, the Attorney General and DNI merely certify to the FISC that acquisitions under the program will meet the targeting objectives and limitations set out above, and that they will satisfy traditional FISA minimization procedures.
How does the FAA change the standards for warrants for US persons outside of the US? In addition to programmatic collection, the FAA provided for the first time that if the government wants to target the communications of a U.S. person outside the United States, it must now apply for a traditional FISA order based on probable cause to believe that the target has knowingly engaged in international terrorism activities or certain other activities that involve and are about to involve criminal violations. 50 U.S.C. §§1881b, 1881c.
Targeting procedures. The targeting procedures detail the steps that the government must take before tasking a selector, as well as verification steps after tasking, to ensure that the user of the tasked selector is being targeted appropriately – specifically, that the user is a non-U.S. person, located outside the United States, who is being tasked to acquire foreign intelligence information. The IC must make individual determinations that each tasked selector meets the requirements of the targeting procedures.
Minimization procedures. The minimization procedures detail requirements the government must meet to use, retain, and disseminate Section 702 data, which include specific restrictions on how the IC handles non-publicly available U.S. person information acquired from Section 702 collection of non-U.S. person targets, consistent with the needs of the government to obtain, produce, and disseminate foreign intelligence information.
Masked U.S. Person Information. Agency minimization procedures generally provide for the substitution of a U.S. person identity with a generic phrase or term if the identity otherwise does not meet the dissemination criteria; this is informally referred to as “masking” the identity of the U.S. person. For example, instead of reporting that Section 702- acquired information revealed that non-U.S. person “Bad Guy” communicated with U.S. person “John Doe” (i.e., the actual name of the U.S. person), the report would mask “John Doe’s” identity, and would state that “Bad Guy” communicated with “an identified U.S. person,” “a named U.S. person,” or “a U.S. person.”
Unmasking U.S. Person Information. Recipients of NSA‘s classified reports, such as other federal agencies, may request that NSA provide the U.S. person identity that was masked in an intelligence report. The requested identity information is released only if the requesting recipient has a “need to know” the identity of the U.S. person and if the dissemination of the U.S. person’s identity would be consistent with NSA’s minimization procedures (e.g., the identity is necessary to understand foreign intelligence information or assess its importance), and additional approval has been provided by a designated NSA official.
Querying procedures. With the reauthorized FAA of 2017, Congress amended Section 702 to require that querying procedures be adopted by the Attorney General, in consultation with the DNI. Section 702(f) requires that a record of each U.S. person query term be kept.
What is PRISM collection? In PRISM collection, the government sends a selector, such as an email address, to a United States-based electronic communications service provider, such as an Internet service provider (“ISP”), and the provider is compelled to give the communications sent to or from that selector to the government. PRISM collection does not include the acquisition of telephone calls. The National Security Agency (“NSA”) receives all data collected through PRISM. In addition, the Central Intelligence Agency (“CIA”) and the Federal Bureau of Investigation (“FBI”) each receive a select portion of PRISM collection.
Upstream collection First, the acquisition occurs with the compelled assistance of providers that control the telecommunications “backbone” over which telephone and Internet communications transit, rather than with the compelled assistance of ISPs or similar companies. Upstream collection also includes telephone calls in addition to Internet communications. Data from upstream collection is received only by the NSA: neither the CIA nor the FBI has access to unminimized upstream data.
Upstream v. Prisim Finally, the upstream collection of Internet communications includes two features that are not present in PRISM collection: the acquisition of so-called “about” communications and the acquisition of so-called “multiple communications transactions” (“MCTs”).
“About” Communications An “about” communication is one in which the selector of a targeted person (such as that person’s email address) is contained within the communication but the targeted person is not necessarily a participant in the communication. Rather than being “to” or “from” the selector that has been tasked, the communication may contain the selector in the body of the communication, and thus be “about” the selector.
“Multiple communications transactions” (“MCTs”). An MCT is an Internet “transaction” that contains more than one discrete communication within it. If one of the communications within an MCT is to, from, or “about” a tasked selector, and if one end of the transaction is foreign, the NSA will acquire the entire MCT through upstream collection, including other discrete communications within the MCT that do not contain the selector.
Where is the data? Originally, the NSA had possession of all the traffic and searched it on its own servers. After the amendments to FISA, the date was left on the servers of the telcom and phone companies, who were required to keep it for a set period. Retained data is mostly metadata and email/text, not MCTs and phone call voice.
Querying 702 Information in Government Databases: The NSA, CIA, and FBI are permitted to query 702-acquired information by using a variety of search terms. Each individual agency’s own minimization procedures and statutory warrant requirements limit the search terms that analysts can use.
Use in Criminal Court: Section 102(A) restricts the use of U.S. person information obtained under Section 702 as evidence in a criminal proceeding. Such information may only be used if (1) the FBI obtained a court order as described in Section 101; or (2) the criminal proceeding involves one of an enumerated list of conduct, including death, kidnapping, serious bodily injury, crimes against minors, incapacitation of critical infrastructure, cybersecurity, and transnational crime. In essence, this section codifies Justice Department guidelines concerning the use of collected information in criminal proceedings. A determination that the proceeding qualifies as related to or involving one of these categories of serious crimes is not judicially reviewable.