You are using an outdated browser.
Please upgrade your browser
and improve your visit to our site.

A Tale of Two NSA Leaks

One is unsurprising, and damaging. The other is worth debating.

Former NSA contractor Edwards Snowden sure does know how to change the subject. Only a few days ago, everyone was talking about the excesses of leak investigations. But now, as a result of his set of disclosures to the Guardian and The Washington Post, we’re back on the surveillance state—and the dangers of the leaks themselves.

The New York Times complains in an editorial that “most lawmakers did not know the government was collecting records on almost every phone call made in the United States or was able to collect anyone’s e-mail messages and Internet chats.” The Washington Post describes President Barack Obama as facing “a rash of disclosures that have revealed the extent to which his administration . . . has [cast] a massive electronic surveillance net . . . within the United States that appears to have gathered data on almost anyone with a computer or phone.” Maureen Dowd, writing in the Times, asks with her characteristic snark, “Now that we are envisioning some guy in a National Security Agency warehouse in Fort Meade, Md., going through billions of cat videos and drunk-dialing records of teenagers, can the Ministries of Love and Truth be far behind?”

The first of Snowden’s bombs detonated in the Guardian, which started the ball rolling by disclosing that the FISA Court had ordered Verizon Business Services to produce all metadata—information about who is calling whom, when, and for how long, though not the contents of any call—for calls within or with one end in the United States. The Washington Post immediately followed with a story revealing the NSA’s PRISM system, which reportedly involves agreements between the government and an array of U.S.-based internet companies (like Google and Facebook) that enable the NSA to monitor the online communications of non-U.S. persons believed to be physically located outside the United States. Both stories made a tremendous splash, and they quickly blended together in the media’s mind.  

At a high-level of abstraction, it does make some sense to lump these stories together. They both concern the tension between privacy and the need to collect intelligence in the context of evolving technologies—and the leaks, of course, came from the same source.

But at another level, conflating these two stories is a big mistake. They are by no means of equal weight and importance when it comes to informing the public about the government’s data-collection and monitoring powers. The Post story actually tells us little we did not already know—other than operational details that may prove of considerable use to those seeking to avoid NSA surveillance. By contrast, the Guardian story reveals a genuinely surprising and significant government legal position—albeit one apparently accepted by the FISA Court and congressional oversight leaders for a number of years—with important implications for the future of big data in government collection, surveillance, and intelligence authorities.

Consider first The Washington Post story, which disclosed the existence of the highly-classified PRISM system. PRISM reportedly enables real-time surveillance of chat, voice, video, and other online communications across an array of platforms. The story made clear which systems are subject to this monitoring—naming Facebook, Skype, Google, and a number of others—and asserted that the monitoring occurs not just with the knowledge but also the active cooperation of the companies involved. Indeed, the Post claimed that the companies do not merely facilitate such monitoring upon request, but have established means by which the NSA can directly tap into their systems as needed (a point sharply contested by at least some of the companies involved, notably). The story concedes, however, that PRISM is focused on the communications of foreigners outside the United States who simply happen to be using an online platform owned by one of the cooperating companies, and that the arrangements exist pursuant to court approvals issued under the FISA Amendments Act of 2008.

While jarring to read about the powerful tools PRISM gives the government to capture communications in real time, the story is actually not at all surprising. It, or something very much like it, is exactly what the law and its history would have led a reasonable observer to expect the government and industry to be doing together. To understand this, you need to know something about the way intelligence collection law works—and its bifurcated nature.

When we think about wiretapping and other forms of electronic surveillance, we usually have in mind situations in which the government must go to court to get specific authorization to monitor a particular person using a particular device. That’s the baseline criminal law model, after all, and since 1978 it has also been the baseline model for collecting so-called “foreign intelligence” in limited circumstances involving communications taking place within the United States. By contrast, courts were never involved in the past when it came to situations such as an NSA satellite dish attempting to soak up Soviet military communications.  

Such overseas intelligence collection is a vacuum cleaner-like affair, with the government free to scoop up everything it can get, and then figure out what to make of it. It’s really more like journalism than it is like law enforcement—journalism, that is, with high-tech collection capabilities. This is foreign policy, and while snooping on one’s citizens has big civil liberties implications, spying on other countries is just a recognized fact of life in the international community. That said, real civil liberties issues still arise if and when the vacuum cleaner incidentally gobbles up the communications of those whose targeting would normally require a warrant.

So three big rules operate to protect Americans from the vacuum cleaner. First, Executive Order 12333 restricts the knowing collection against U.S. persons to specified categories of material—most importantly, to “information constituting foreign intelligence or counterintelligence, including such information concerning corporations or other commercial organizations.” Second, to target an American for foreign intelligence purposes anywhere in the world either by electronic surveillance or by physical search the intelligence community needs probable cause that the target is an agent of a foreign power; this assessment used to be made internally within the executive branch, but since 2008, the agencies also need a FISA order for this type of surveillance. Finally, both public law and internal rules—most notably, the Foreign Intelligence Surveillance Act (FISA)—require the government to adopt what are called “minimization procedures.” These are rules designed to ensure that the government does not retain materials the vacuum cleaner may scoop up incidentally that are not within the categories of material the intelligence community is allowed to collect. They also prevent the government from disseminating such materials inappropriately. In short, the law has long presumed that the government will, when operating overseas, gobble up a huge quantity of information and then retain, use, and disseminate only that portion of that information that is legitimate for it to possess.

All of which worked reasonably well for a time. The radical bifurcation of the rules between foreign and domestic intelligence collection was relatively easy to maintain as long as domestic and international communications traffic remained separate—with phone lines running within the United States and large trunk cables and satellite feeds running communications beyond the borders. But technological change has disrupted this model. Domestic and international traffic is now hopelessly intermixed, especially online. One consequence of this is that there is a huge amount of foreign-to-foreign communications online that happens to be routed through servers on U.S. territory, including, of course, communications occurring on sites like Facebook and Google. And thus, thanks to changes in the technology of communications, the warrant requirements of FISA began touching a rapidly-expanding set of circumstances that in the past would have been subject to the vacuum-cleaner model.  

This was the problem that led to the Bush administration’s warrantless wiretapping program. And it also led to the FISA Amendments Act (FAA) in 2008. Broadly speaking, the FAA sought to restore something close to the flexible status quo ante. It did this by permitting the government to obtain approval from the FISA Court to order companies to assist the intelligence community with broad programmatic collection so long as (i) the government was targeting only non-U.S. persons reasonably believed to be overseas and (ii) the government adopted court-approved minimization procedures to exclude material it was not entitled to collect.

This is exactly what Snowden’s leak to The Washington Post suggests has been going on using PRISM. To be sure, the Post story is interesting. It highlights the intimacy of the government-to-industry relationship, and it confirms the extraordinary technical capabilities the partnerships involve. But interesting is not the same thing as novel. There is nothing in the story that does not reflect exactly what someone who understands the law of this area would have predicted. As the DNI put it Saturday in a statement, “PRISM is not an undisclosed collection or data mining program. It is an internal government computer system used to facilitate the government’s statutorily authorized collection of foreign intelligence information from electronic communication service providers under court supervision…. The Government cannot target anyone under the court-approved procedures [under the FAA] unless there is an appropriate, and documented, foreign intelligence purpose for the acquisition (such as for the prevention of terrorism, hostile cyber activities, or nuclear proliferation) and the foreign target is reasonably believed to be outside the United States. We cannot target even foreign persons overseas without a valid foreign intelligence purpose.”

Unfortunately, there is one novel element to the PRISM story. It makes clear—using the NSA’s own classified documents, which are conveniently provided on the Post’s website—precisely which online platforms are subject to monitoring under the FAA system. It is not hard to see how that might be damaging. First, adversaries who fear such surveillance now have confirmation which companies and services they should avoid. Second, and rather ironically given the first point, it will ensure that these companies face significant costs for their court-ordered cooperation. Yes, the FAA shields them from liability, but it hardly follows that they won’t be sued, and it most definitely does not follow that they bear no costs from protests, bad press, fearful customers, and—perhaps most significantly—investigations (with potential liaiblity) launched by other governments, particularly by the EU. These companies may have to continue cooperating at some level thanks to the FAA, but there is a spectrum of cooperation that runs from the eager to the grudging, and the exposure involved here is sure to move the needle significantly for at least some of these companies, not to mention for others who have not yet agreed to similar partnerships.

The bottom line is that this article represents, and the leak certainly faciliated, a harmful kind of national security voyeurism. Naming and implicitly shaming specific companies for their compliance with the law feeds public curiosity, but it does not significantly advance our understanding of the government’s authorities or policies, and its advance in our understanding of its technical capabilities comes at significant cost.

The leak to the Guardian about Verizon is a bit different. While it too names a company, the general understanding is that the Verizon order is just one order among many—effectively to all of the major telecommunications companies. Verizon here stands in for the telecommunications carriers, in general. So the story does not really tell terrorists which providers to avoid.

More importantly, the story, and the leak of the FISA Court order that underlies it, do reflect something significantly new concerning a claimed authority about which the public was not previously informed. Specifically, it reveals that the government was using a particular section of FISA—known as Section 215—as a way of accessing not just specific items about specific persons on a case-by-case basis, but also as a means to create giant datasets of telephony metadata that might later be queried on a case-by-case basis. As we move into the age of Big Data, it may not be surprising that the government would want to have authority to generate such a database; we all recall the Total Information Awareness initiative, after all. But it is surprising to learn both that the government thinks it already has this authority under Section 215, and still more so that the FISA Court agrees and that members of Congress know this as well.

Section 215 allows the government to seek and receive an order from the FISA court requiring third parties (like Verizon) to produce “tangible things” like business records, so long as the government can certify that the information sought is “relevant” to a national security investigation. It is the analog in the context of national security investigations to the grand jury subpoena in a criminal probe—the instrument by which the government can compel people to turn over material germane to the investigation. Most people assumed, prior to the Guardian story, that this provision was being used on discrete occasions to obtain individual collections of records about known counterintelligence or terrorist suspects—for records showing, say, that a certain person made certain purchases from a certain vendor or used a particular telephone to make specific calls. The government has, to some extent, encouraged this understanding, suggesting that Section 215 orders are comparatively rare and focused on specific business records.

There have been hints for some time that the government might be using Section 215 more aggressively. Senators Mark Udall and Ron Wyden, both members of the intelligence committee, have been warning for a while that the public would be shocked to know how government and the FISA Court had interpreted the provision. And Todd Hinnen, then acting head of the Justice Department’s National Security Division, testified in 2011 that “Section 215 has been used to obtain driver’s license records, hotel records, car rental records, apartment leasing records, credit card records, and the like. . . .  Some orders have also been used to support important and highly sensitive intelligence collection operations, on which this committee and others have been separately briefed. On average, we seek and obtain section 215 orders less than 40 times per year” (emphasis added).

That said, until the Guardian story, it was not clear to the public that the government and the court had read the words “tangible things” and “relevant” so broadly as to permit the bulk pre-collection of records—including in particular “telephony metadata,” which includes all the non-content information pertaining to phone calls, such as the numbers involved and the physical location of the phones as indicated by the cell towers—much less that the government had been collecting such data for all calls within the United States and doing so for the past seven years, according to the leaders of the Senate intelligence committee.

This revelation is important for two interrelated reasons. First, it is simply different and grander in scope and scale from anything we had thought the law meant. As Fourth Amendment expert Orin Kerr writes at the Volokh Conspiracy, the law:

says that the ‘things’ that are collected must be relevant to a national security investigation or threat assessment, but it says nothing about the scope of the things obtained. When dealing with a physical object, we naturally treat relevance on an object-by-object basis. Sets of records are different. If Verizon has a database containing records of billions of phone calls made by millions of customers, is that database a single thing, millions of things, or billions of things? Is relevance measured by each record, each customer, or the relevance of the entire database as a whole? If the entire massive database has a single record that is relevant, does that make the entire database relevant, too? The statute doesn’t directly answer that, it seems to me. But certainly it’s surprising—and troubling—if the Section [215] relevance standard is being interpreted at the database-by-database level.

Second, if the government is going to collect all metadata domestically—even if subject to minimization procedures and in a carefully-limited fashion—that authority should be the subject of public debate. The apparent government reading of Section 215 is not on its face implausible, and it may be that the best policy is to empower the government to do precisely what it has done here. That said, unlike the PRISM system—which implements the law that we understand Congress to have debated and passed—this reading goes beyond what the public understood their elected representatives to have done.

We live in extraordinary times when it comes to secrecy and national security. Classified information has never been more vigorously protected; witness the much-criticized efforts by the Obama administration to investigate and prosecute leaks. Yet secrets continue to erupt into the headlines on a regular basis. These fleeting glimpses into the shadow worlds of counterterrorism, counterespionage, and counterproliferation are not always a bad thing. Sometimes, they prompt needed debate; even the White House has said that the president “welcomes the discussion of the trade-off between security and civil liberties” that the Verizon disclosure will produce. Some secret activities may be especially unwise or even illegal, so the proper amount of leaking in a healthy democracy is surely not zero. But it is equally true that, in some cases, exposure of classified information achieves little, while risking much. Snowden’s disclosures so far offer vivid examples of both the good and the bad of national security oversight by individual acts of civil disobedience.