Given the true details, I have no fears that NSA officials are reading my email
Everyone thinks they know by now what the National Security Agency has been doing. Unfortunately, not many folks care enough to learn about the facts, particularly those that contradict their fully formed—yet uninformed—beliefs. And that has been reflected in some misleading news stories of late, including ones that should have been simple reports about public documents.
Take the recent reaction to a previously classified ruling by a court reviewing the NSA’s activities under the Foreign Intelligence Surveillance Act (FISA). The storyline about the opinion, written by Judge John D. Bates, certainly seemed shocking: The NSA has illegally and unconstitutionally collected tens of thousands of emails from Americans.
A report by Reuters was typical: ”The National Security Agency may have unintentionally collected as many as 56,000 emails of Americans per year between 2008 and 2011 in a program that a secret U.S. court subsequently said may have violated U.S. law and the Constitution, according to documents released on Wednesday.”
Yeah, well…not really. Although the FISA court’s ruling did pinpoint Fourth Amendment concerns about a part of the NSA program, on the whole it should relieve the ongoing hysteria that the agency is scooping up and reading Americans’ emails so that it can…I don’t know what. Whenever that second part of the story is told, it involves things like creating an American empire or dictatorship or other stuff that has about as much logic and evidence as the most recent Tea Party conspiracy theory. But either way, this ruling should convince the fair-minded that the idea that the NSA is spying on us is malarkey. That doesn’t mean the NSA is faultless, and I’ll get into that later.
(An aside: Whenever I’ve written about the NSA, trying to correct inaccurate beliefs, I’ve been attacked for carrying water for the agency or for the Obama White House, but no one ever says I’m kowtowing to the Bush administration, which put the NSA program in place. The paranoia of these folks is tiresome, so I will say up front: I am not, nor have I ever been, a member of the Communist Par…oops, wrong declaration. I am not, nor have I ever been, a member of the NSA, any other intelligence agency or the Obama administration, nor am I associated with any of those organizations outside of my job as a reporter. Nor have I consulted with the NSA or its representatives for this article, simply so I could say so. Satisfied? Yeah, I know…the conspiracy-minded aren’t. So be it.)
Back to the FISA court’s ruling. The controversial NSA activities were first adopted in November 2001 as part of the “Stellar Wind” program, which is best known for allowing warrantless wiretapping of phones linked to suspected terrorists. Bush went too far with this effort, originally determining that the administration did not need to inform anyone about what it was doing—not the courts, not even Congress.
By 2008, Congress knew about the program, which had been revised several times, and members were uncomfortable with the haphazard oversight in place even then. So that year, while Bush was still in office, the Congress debated and passed an amendment to FISA, called Section 702. That codified into law the requirements for obtaining and handling both telephonic and internet communications. The NSA could not do whatever it wanted—it was prohibited from intentionally collecting or maintaining communications involving anyone within the United States without a warrant from the FISA court.
The law states: ”[The NSA] (1) may not intentionally target any person known at the time of acquisition to be located in the United States; (2) may not intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States; (3) may not intentionally target a United States person reasonably believed to be located outside the United States; (4) may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States; and (5) shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.”
OK, so notice: The actions that virtually every scary story about the NSA has implied are taking place are directly contrary to the law. It’s easy to simply burble that this amounts to proof that the NSA is breaking the law. Except that it’s not. (Pay attention to the number of times the law says “intentionally” and “reasonably.” We’ll get back to that.)
To engage in these activities, the NSA has to put together a technical, rules-based operation, the specifics of which must be approved by a FISA court each year to ensure that they are in compliance with the law and the Fourth Amendment.
There are several types of communications that the NSA can intercept. Phone calls are the simplest, and the recent court ruling clearly states that the agency is handling that aspect of its duties correctly (in other words, not targeting any person known to be located in the United States, complying with the Fourth Amendment and all of the other requirements listed above).
That brings us to internet communications. Within that group are different categories: discrete, individual communications (an email from one person to another, where both are overseas and one is a targeted person); single-communication transactions (known as SCTs); and multi-communication transactions (known as MCTs). One way of obtaining those communications is from an internet service provider through the computer system known as PRISM (this is what whistle-blower Edward Snowden brought public, setting off the wave of hysteria that the NSA is reading all of our emails). What is called “upstream collection” allows the NSA to obtain, among other things, emails about a target where the target is not participating in the communication. This is done by picking up emails from the systems that digital data travels along—rather than from the recipients themselves. Then, of course, there is scooping up email traffic overseas from those internet systems.
Like I said, this is complicated, but without knowing this information, you cannot understand what the NSA is really doing. So, I’ll deal with these one at a time. First, let’s address the PRISM computer system and its collection of emails and other data from internet service providers.
Start off with a reminder: The FISA court opinion that has been so widely reported did cite Fourth Amendment concerns about part of the program. It has been held up by some as proof that the NSA is out of control. So, presumably, it can be relied upon as a fair assessment of the NSA’s collection activities.
So, what does Judge Bates say about PRISM? “Meh.” Literally, the Fourth Amendment and legal concerns of how the PRISM computer system works are of such little consequence that the court dismisses the issue in a single sentence and a footnote: ”NSA acquires more than two hundred fifty million Internet transactions each year pursuant to Section 702, but the vast majority of these communications are obtained from Internet service providers and are not at issue…(continued at footnote) NSA refers to this non-upstream collection as ‘PRISM collection’…the Court understand that NSA does not acquire “Internet transactions” through its PRISM collection.”
Then, on to the issues of substance, the SCTs and MCTs: Under this portion of the program, the NSA obtains communications from domestic internet links in situations where at least one of the parties is overseas. But the targeted communications contain pre-designated “selectors,” suggesting that one of the party’s knows something about an individual already targeted by the NSA for surveillance. To make it simple, if I sent my boss an email a few years back telling him he can reach my friend at firstname.lastname@example.org (only it would be a real address being surveilled for foreign intelligence purposes), my email could be snapped up by the NSA, as would any similar text messages.
But there are technical problems with solely obtaining targeted emails. Among them, since emails are broken up into data packets that can be sent of multiple routes, there is the fact that information from Americans that do not involve a targeted individual can be scooped up inadvertently.
To explain this in a simplistic analogy, suppose you drop a vase on the floor. You want to collect the broken pieces—those, like the internet communications of suspected terrorists overseas—are your target. Yet, when you sweep them up you will—whether you want to or not—also collect dirt granules. That doesn’t mean you targeted the granules; they were just collected as a consequence of picking up the broken vase pieces.
The granules, of course, represent communications of innocent Americans that the NSA cannot lawfully target. Continuing our analogy, if you are particularly obsessive-compulsive, after finishing sweeping up, you can go through the dustpan carefully, pick out the granules of dirt and toss them in a water bucket where they can dissolve, leaving behind only the pieces of vase.
And that is exactly what happens in NSA collection of internet data, through a process known as minimization. Analysts comb through the emails, text messages and so on that have been picked up, looking for those pieces of dirt—domestic communications—and destroying them. Not filing them away for future review—destroying them.
This brings us back to the news articles and heavy breathing about “56,000 emails of Americans” collected upstream purportedly in violation of the law and the constitution. First, those numbers are little more than guesses, based on a sampling conducted by the NSA. Second, of those 56,000, about 46,000 involve single communication transactions. And the court found nothing wrong with the NSA’s collection and handling of those! Some journalists simply added SCTs to MCTs and wrote that the court condemned the collection of both. It didn’t. (And not to split hairs, but Judge Bates never said these involved solely Americans’ communications, but instead domestic communications; foreigners in America send emails, too, and are just as protected as citizens.)
The problem instead involves only the multi-communication transactions. Those entail data that contain an array of different information, all appearing together in ways that, at least for now, make it technically impossible to slice apart. It’s as if the broken vase pieces contained the dirt granules directly inside them. There would be no way to separate the dirt from the pieces.
Here’s an example of an MCT: When you call up your email account, an image appears of an inbox showing all of the communications you received. Those images are transferred across the internet and the NSA can intercept them, but solely as a single picture—the agency does not obtain an operational use of the inbox that way. Now, let’s suppose again that I sent my boss Osama bin Laden’s email address a few years back, thus attracting the NSA’s attention. In obtaining my information, the NSA will collect a multi-communication transaction—the image of my email inbox. That will almost certainly show emails and subject lines from completely innocent people within the United States.
Hence, the problem. The NSA was collecting the email addresses and a few words on a subject line from people inside the United States. The agency wasn’t reading the emails—it didn’t even have the technical capacity to delve into this kind of multiple-communication transaction, since it was nothing more than a picture.
Perhaps to some that doesn’t sound like a big deal. But it is, because the NSA isn’t allowed to review such things if the information is intentionally collected. Before the judge’s ruling, the NSA argued that the collection of that prohibited material should be considered unintentional; using our example, it maintained that it obtained the data because of a technical inability to separate irrelevant information from potentially important details in the inbox image. But the court disagreed, ruling that, because the NSA knows some of the multi-communication transactions will contain domestic information of innocent people, the agency cannot claim obtaining it is unintentional.
First, the court recognized that the agency was not trying to collect information about innocent folks, writing, “The court has no reason to believe that NSA, by acquiring Internet transactions containing multiple communications, is targeting anyone other than the user of the tasked selector.” (In my example, the tasked selector would be bin Laden’s email address contained in my email to my boss.)
That, though, does not make the collection of that information unintentional, Judge Bates held: “The fact that the NSA’S technical measures cannot prevent NSA from acquiring transactions containing wholly domestic communications under certain circumstances does not render NSA’s acquisition of those transactions ‘unintentional.’ (Given it is aware that MCTs will contain domestic information from innocent parties) the government is knowingly acquiring Internet transactions that contain wholly domestic communications through its upstream collection.”
From here, things get even more complicated, but I’ll just shorthand it. The court found that, given that the targeting procedures are “reasonably designed” to prevent the acquisition of the prohibited information through MCTs, that collection was not in violation of the law, although it did violate the spirit.
However, the court held that the procedures for handling innocent emails involving or concerning a person in the United States—picking the dirt out of the dustpan—did not meet the statutory requirements in all regards.
The first step of that process—minimization, or removing references to people found to be within the United States in an MCT—was handled in compliance with the law, the court held. However, the NSA’s retention efforts for MCTs were not proper. This is because the NSA analyst was only expected to review the relevant portion of the information—again, using our example, my email in my boss’s inbox with the contact information for Osama bin Laden. An analyst was not required to determine whether any other information in the MCT was prohibited. If the analyst does recognize that the MCT contained even just one domestic communication, the entire document must be destroyed. So, failing to review all of the information of the MCT, rather than just the portions relevant to national security concerns, meant that domestic communications—in the inbox case, email addresses and subject lines—would likely end up kept by the NSA for five years.
As Judge Bates wrote: ”The net effect is that thousands of wholly domestic communications that are never reviewed and those not recognized by analysts as being wholly domestic, and thousands of other discrete communications that are not to or from a targeted selector but that are to, from or concerning a United States person, will be retained by the NSA.”
As for the final portion of the procedures to protect privacy of people within the United States—preventing the dissemination of domestic information involving prohibited data to the FBI, CIA or other intelligence agency with operational capabilities—the court concluded that the NSA had done a good job.
Finally, as required by FISA, the court ventured into an analysis of whether the NSA’s approach to MCTs violated the Fourth Amendment. And here, the court said yes. The extraneous information being collected—in our example, the email addresses and subject lines from people inside America—is protected by the Fourth Amendment, the court held, and did not serve a national security purpose. With the NSA failing to identify and destroy such data, thus in all likelihood retaining prohibited information, its program for MCTs was not in compliance with the Fourth Amendment.
And that’s it. No one was reading American’s emails. No one was breaking the law. The issues were largely ones involving the technical impossibility of breaking up an image into disparate parts and the failure of the NSA to take that into account in its handling of a narrowly defined type of information that travels across the internet.
Now, there were some failures by the NSA that point to some sort of broader problem, either through a lack of technical specificity in its communications with the court or an intentional effort to deceive. That is, the NSA had been engaged in the upstream collection of MCTs for years and had never informed the court in its application for approval of its surveillance program. And apparently, that wasn’t the first time that the NSA’s disclosures to the court were inadequate.
That clearly angered Judge Bates: ”The Court is troubled that the government’s revelations regarding NSA’s acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program.”
So, where does that leave us? The NSA has not done a good job of disclosing information to the FISA courts about all the elements of its collection programs, and that is something that is truly worthy of both concern and hearings before Congressional intelligence committees. But the FISA court, which has been held up by critics of the system as simply being a rubber stamp, engages in significant and detailed examination of the NSA programs to make sure they comply with the laws and the Constitution, and is willing to reject the agency’s proposals and methods of operation.
So, let’s weigh this: The critics contend that the NSA is reading vast quantities of emails sent and received by Americans. And the FISA court goes nuts because the NSA is obtaining images that might have the email address and subject line of domestic people—not because the agency analysts are reviewing them, but because they aren’t. And the court doesn’t want the analysts to review them so they can learn more about the domestic senders. Instead, it is fearful that communications from those people aren’t being destroyed because no one is trying to figure out if they have been sent domestically.
Now, if people want to say that constitutes NSA abuse, OK, let’s engage in that discussion. But that is the real discussion, not this fantasy about the NSA intercepting 56,000 emails in violation of the law and the Constitution.
But it’s also important to see what the NSA did in response to the court’s Oct. 3, 2011 ruling. By the end of the month, on Oct. 31, the administration had revised its procedures to address Judge Bates’ concerns, according to recently declassified testimony before the House Intelligence Committee. After hearings on the matter, the court ruled on Nov. 30 that “the government has adequately corrected the deficiencies identified in the October 3 opinion” and that the amended procedures “when viewed as a whole meet the applicable statutory and constitutional requirements.”
So let’s follow the trail: Oversight detects a very technical and narrowly tailored problem, disclosed by the NSA years after it should have. Not a single domestic email has been read because of the problem identified by the court. New procedures are put in place, which the court approves as meeting the appropriate legal standards about 60 days later.
And don’t think this is the only time that reporting about documents has set off undeserved hysteria. Earlier this month, the Washington Post reported that an internal audit by the NSA had detected that the agency had violated privacy rights 2,776 times. Even if that is out of hundreds of millions of intercepted communications, the aggregate number would be of concern.
Except…let’s dig a little deeper. Of that group, the largest number of violations—1,904, or about 70 percent of the instances—involve foreigners in foreign countries with foreign cell phones that are being surveilled by the NSA. That’s fine, except, the NSA failed to detect that those individuals, at one point or another, had traveled to the United States, and surveillance had continued. In other words, legitimate surveillance wasn’t cut off when these foreign targets landed at on domestic soil. The majority of these instances involved residents of China visiting friends and family for the Chinese Lunar New Year holiday, the report said. Implications for Americans: nothing.
Of the remaining 872, the report found that they were the consequence of a variety of errors, all of which were detected by the NSA itself, including through a system that automatically highlights a problem. And, of course, those 872 fell into the requirements for minimization—in other words, the records were destroyed.
I am not saying we should trust everything the American intelligence agencies do. We certainly learned in the 1970s through the hearings of the Church Committee of the possibilities of abuse. And it could be that the NSA is abusing its authority. But we don’t have any reasonable proof of that. This debate must stay confined to the facts we know, and not invented scenarios straight out of a Jerry Bruckheimer movie based on misreadings or misrepresentations.
The bottom line: Given the true details out of these disclosed reports, I have no fears that NSA officials are reading my email. Hell, I have doubts that they’ll even read this column.