Fear vs. Facts: Exploring the Rules the NSA Operates Under

There is no doubt the Snowden disclosures have launched a debate that raises significant issues regarding the extent of U.S. government national security surveillance authorities and activities. And Julian Sanchez’s essay Snowden: Year One raises a number of these issues, including whether the surveillance is too broad, with too few limits and too little oversight. But an overarching theme of Sanchez’s essay is fear – and fear of what might be overshadows what actually is, or is even likely. Indeed, he suggests that by just “tweaking a few lines of code” the NSA’s significant capabilities could be misdirected from targeting valid counterterrorism suspects to Americans involved in the Tea Party or Occupy movements.

So really, what would it take to turn NSA’s capabilities inward, to the dark corner of monitoring political activity and dissent? It turns out, quite a lot. So much, in fact, that after a considered review of the checks and balances in place, it may turn out to be not worth fearing much at all.  

First, a little history. Prior to 1978, NSA conducted surveillance activities for foreign intelligence purposes under Executive authority alone. In 1978, Congress passed the Foreign Intelligence Surveillance Act (FISA), which distinguished between surveillance that occurred here at home and that which occurred overseas. FISA requires that when electronic surveillance is conducted inside the United States, the government seek an order from the Foreign Intelligence Surveillance Court (FISC or the Court) based on probable cause. So, if the government wants to conduct surveillance targeting a foreign agent or foreign power here in the United States, it must obtain FISC approval to do so. By law, the Court may not issue an order targeting an American based solely on activities protected by the First Amendment to the Constitution. The Attorney General is required to report on the full range of activities that take place under FISA to four congressional committees: both the intelligence and judiciary committees in Congress. The law requires that the committees be “fully informed” twice each year.

There have been a number of amendments to FISA over the years. In 1994, the statute was amended to require that physical searches for national security purposes conducted inside the United States also happen by an order from the FISC. The USA-PATRIOT Act of 2001 amended several provisions of FISA, one of which enabled better sharing of information between terrorism and criminal investigators. And in 2008, FISA was amended to provide a statutory framework for certain approvals by the Attorney General, Director of National Intelligence, and FISC regarding the targeting of non-U.S. persons reasonably believed to be outside the United States for foreign intelligence purposes, when the cooperation of a U.S. communications service provider is needed.

So how do we know that this system of approvals is followed? Is the oversight over NSA’s activities meaningful, or “decorative,” as Sanchez suggests?

It is worth exploring. Here is how oversight of the Section 702 surveillance works, as one example, since it has been the subject of a significant part of the debate of the past year. Section 702 was added to FISA by the FISA Amendments Act of 2008. It authorizes the NSA to acquire the communications, for foreign intelligence purposes, of non-U.S. persons reasonably believed to be outside the United States. These are persons with no Constitutional protections, and yet, because the acquisition requires the assistance of a U.S. electronic communications provider, there is an extensive approval and oversight process. There is a statutory framework. Specifically, the Attorney General and Director of National Intelligence jointly approve certifications. According to declassified documents, the certifications are topical, meaning that, the way the statute is being implemented, the certifications are not so specific that they identify individual targets, but they are not so broad that they cover anything and everything that might be foreign intelligence information. The certifications are filed with the FISC, along with targeting and minimization procedures. Targeting procedures are the rules by which NSA selects valid foreign intelligence targets for collection. Minimization procedures are rules by which NSA handles information concerning U.S. persons. The FISC has to approve these procedures. If it does not approve them, the government has to fix them. The Court reviews these procedures and processes annually. The Court can request a hearing with government witnesses (like senior intelligence officials, even the NSA Director, if the judge wanted or needed to hear from him personally) or additional information in order to aid in its decisionmaking process. Information about the 702 certifications is reported to the Congressional intelligence committees.

Once the certifications are in effect, attorneys from the Department of Justice’s (DOJ) National Security Division and attorneys and civil liberties officials from the Office of the Director of National Intelligence (ODNI) review the NSA’s targeting decisions and compliance with the rules. They conduct reviews at least every 90 days. During that 90-day period, oversight personnel are in contact with NSA operational and compliance personnel. Compliance incidents can be discovered in one of at least two ways: the NSA can self-report them, which it does; or the DOJ and ODNI oversight personnel may discover them on their own. Sometimes the NSA does not report a compliance incident in the required timeframe. Then the time lag in reporting may become an additional compliance incident. The DOJ and ODNI compliance teams write up semi-annual reports describing the results of their reviews. The reports are approved by the Attorney General and Director of National Intelligence and provided to the FISC and to Congress. According to the one report that has been declassified so far, in August 2013, for a six-month period in 2012, the rate of error for the NSA’s compliance under Section 702 collection was .49% - less than half of one percent. If we subtract the compliance incidents that were actually delays in reporting, then the noncompliance rate falls to between .15-.25% - less than one quarter of one percent. Hardly an agency run amok.

A few caveats are in order. First, not all compliance matters are equal in terms of importance. While the declassified joint ODNI/DNI report describes the types of some compliance matters that may occur under Section 702 acquisition, technical errors in implementing a collection may be of greater significance than other types of errors that may occur due to human error. Second, compliance is significantly affected by the people conducting it, both in terms of having the quantity of personnel assigned to the task, which can be an issue sometimes in the Executive Branch, and the quality of their work. It is worth noting that Sanchez’s piece highlighted the views of Congressman Jim Sensenbrenner, a former Chairman of the Judiciary Committee. Congressman Sensenbrenner has since taken on the charge of rolling back Section 215 of the USA-PATRIOT Act, pursuant to which the government has obtained court orders compelling the production of bulk telephone metadata for counterterrorism purposes. In his capacity on the Judiciary Committee, Chairman Sensenbrenner had access to extensive information regarding the implementation of FISA authorities. In remarks he made at Georgetown Law in November 2013, he stated that he “limited” his “participation in secret briefings.” In other words, he opted out of conducting meaningful oversight. Now he claims that he did not know how the law was being applied. No wonder.

Generally, however, Congressional committees charged with oversight of the Intelligence Community do their job. The Intelligence Committees of Congress have professional staff, often with deep experience in national security matters. The Committees conduct substantive hearings, although, due to the sensitive and operational nature of the topics discussed, often in classified session. Congressional staff also receive briefings. During the debate surrounding the passage of the FISA Amendments Act of 2008, many members of Congress and their staffs visited the NSA and received dozens of briefings regarding its details and subsequent implementation.

Decorative? Returning to the question implicitly posed by Sanchez’s argument: what would it take to turn this system inside out? Most likely, it would take either a conspiracy of the highest order, or the complete incompetence of everyone involved in the process – from operators to leadership inside the Intelligence Community, from lawyers to senior officials at the Justice Department, from legal advisors to judges of the FISC, from staff to members of Congress.

Here’s what happens in the real world: people make mistakes; technological implementation goes awry; bureaucracy gets in the way of getting down to the bottom line. The adequacy and rigor of Congressional oversight wax and wane based, at times, on the quality of the leadership of the various committees at any time. Government employees also sometimes do the wrong thing, such as the twelve cases in ten years that the NSA has explained to Congress, and then they are held accountable. Oversight and compliance systems sometimes fail, too, such as the delay in recognizing the problems in the technical implementation of the phone metadata program that was subsequently brought to the Court’s attention. These are all valid reasons to work on improving auditing, compliance, oversight and accountability mechanisms. They are not valid reasons for adopting reforms that would dramatically scale back important national security capabilities that keep the nation safe.

Also from this issue

Lead Essay

  • One year after the Edward Snowden NSA revelations, Julian Sanchez reviews what we know and where the public policy debate now stands. He finds that we know incomparably more about telephone and Internet surveillance, and that this knowledge has provoked a significant backlash: The American public, tech companies, and foreign publics and governments have all come increasingly to demand reform. A real debate is underway today, one as we have never seen before. In particular, we now ask the question: What are the consequences of misusing the system, and, if misuse ever arrives, will it then be too late to do anything about it?

Response Essays

  • Benjamin Wittes argues that the NSA is indeed powerful, perhaps disturbingly so. But what matters most are the legal restraints and authorizations for these programs’ use. Wittes rejects the idea that the United States should unilaterally disarm itself in an international cyber arms race; he would prefer to discuss the specific contours of the rules for digital surveillance. Much as the Fourth Amendment has successfully restrained conventional police, constitutional and legal safeguards should be adequate to protect us from the NSA.

  • Carrie Cordero reviews the legal safeguards under which the NSA acts. She finds that they are in general adequate, and that subverting them would require either a large-scale conspiracy or massive incompetence by our elected officials. The NSA’s programs target foreigners, who have no constitutional protections, and not U.S. citizens. The agency’s self-reported legal noncompliance rate is exceptionally low, and members of Congress, who have access to classified information about the NSA, have in general signaled their unconcern. While discussion of safeguards can be useful, these safeguards are well in place and generally functioning as they should be.

  • Marcy Wheeler describes how the overseas storage of U.S. persons’ data provides a means of conducting domestic surveillance: In general, the lack of clear national boundaries on the Internet profoundly compromises all those laws drafted with national boundaries in mind. In particular, the oversight that would ordinarily apply to domestic surveillance fails when U.S. persons’ data can be mined overseas. The fallout of this and other surveillance operations has been costly to the U.S. economy, which depends on the high-tech sector. Much damage has also been done to U.S. soft power abroad, in that foreigners are much less apt to trust either the U.S. government or U.S. corporations. Lastly, the security benefits so far appear to have been negligible.