Cross-posted from Just Security.
As the December 31st expiration date for Section 702 of the Foreign Intelligence Surveillance Act (FISA) approaches, the debate over reauthorization is in full swing. Most of the controversy centers around “backdoor searches”—the government’s practice of sifting through communications, obtained without a warrant because the targets are ostensibly foreign, for the calls and e-mails of particular Americans. Civil liberties advocates argue that a warrant should be required to access Americans’ communications, while intelligence officials want to preserve their warrantless access. Against this backdrop, some lawmakers are desperately trying to find a compromise, an outcome that is sure to satisfy no one.
But backdoor searches are not the only aspect of Section 702 surveillance with major implications for Americans’ privacy. Almost entirely missing from the current debate is the critical question of who should be a permissible target in the first place—a decision that affects Americans every bit as much as foreigners.
Section 702 allows surveillance targeting any person reasonably believed to be a foreigner overseas. The lone substantive restriction is that a significant purpose of this surveillance must be the acquisition of “foreign intelligence information.” FISA defines this term as follows:
(1) information that relates to, and if concerning a United States person is necessary to, the ability of the United States to protect against—
(A) actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power;
(B) sabotage, international terrorism, or the international proliferation of weapons of mass destruction by a foreign power or an agent of a foreign power; or
(C) clandestine intelligence activities by an intelligence service or network of a foreign power or by an agent of a foreign power; or
(2) information with respect to a foreign power or foreign territory that relates to, and if concerning a United States person is necessary to—
(A) the national defense or the security of the United States; or
(B) the conduct of the foreign affairs of the United States.
The first paragraph of the definition encompasses information about specific threats to the United States. The second, however, subsumes information that could be entirely innocuous. A conversation between friends about whether President Trump should build a wall along the Mexican border, for instance, qualifies as “foreign intelligence information” because it is information “with respect to a foreign power” (Mexico) that “relates to . . . the conduct of the foreign affairs of the United States.”
In theory, the certifications that the government submits to the FISA Court for approval to conduct 702 surveillance could serve as an additional limitation on collection. These are lists of foreign intelligence topics on which the government might seek to obtain information. Although they are classified, reports indicate that there are certifications for foreign powers, counterterrorism, counterproliferation, and cybersecurity.
In practice, though, it’s not clear how much constraint these certifications provide. One of them—the 2010 certification that lists foreign governments about which the NSA can collect information—was leaked. It lists the governments of every country in the world. This is not a limitation; it’s a license. Anyone who ever discusses current events is likely to communicate information that “relates to” affairs between the United States and some other country (the U.S.-Mexico wall being only one of countless such examples). Indeed, under the 2010 certification, it would seem that most foreigners overseas are permissible targets.
The privacy implications of overbroad targeting
The implications for foreigners’ privacy are obvious. Although foreigners outside the United States might not be entitled to the protections of the Fourth Amendment, privacy is a fundamental human right, not a constitutional construct. It is recognized and protected in the United Nations’ Universal Declaration of Human Rights, the International Covenant for Civil and Political Rights, and other landmark agreements. The question of whether these treaties apply extraterritorially has not been definitively resolved. But if they do, the ability to spy on law-abiding private citizens of other countries almost certainly violates them.
The implications for Americans’ privacy are less obvious, but just as grave. Collection of Americans’ communications under Section 702 is “incidental,” meaning that it occurs when an American happens to be communicating with a foreign target. The wider the pool of permissible targets, the wider the pool of Americans whose communications may be “incidentally” collected.
More specifically, the selection of targets affects both the quantity and quality of “incidental” collection. If targets are limited to foreign powers, suspected terrorists, and the like, then the pool of Americans in contact with those targets will be smaller, and the conversations more likely to include information of legitimate national security interest.
But if targets can include ordinary individuals discussing current events, the surveillance could sweep in millions of everyday conversations between Americans and their friends, relatives, and business associates overseas. Lax standards for targeting thus open the floodgates to mass “incidental” collection of innocuous communications.
Minimization procedures—agency rules that provides some limits on the retention, sharing, and use of communications after collection—are not a sufficient response to this problem. The accumulation of large volumes of innocent Americans’ communications in the databases of intelligence and law enforcement agencies poses its own inherent risks, regardless of official restrictions on access and use. For instance, there is the risk of hacking or data theft, to which intelligence agencies like the NSA and CIA are no stranger. Systems containing Section 702 data might be particularly attractive targets for hostile foreign powers, given that there could be valuable foreign intelligence dispersed among the chaff.
There is also the possibility that some agency officials will violate privacy protections. Intelligence officials assert that all known violations have been inadvertent and that historical rates of non-compliance have been low. But accidental intrusions on privacy are still intrusions, and even a very low rate of non-compliance can translate into major impact when the volume of “incidentally” collected data is so high. A recent analysis by the Open Technology Institute, including a 68-page chart of government violations of FISA Court orders, gives a sobering picture of the extent of known problems to date.
Finally, there is the chilling effect on inquiry and expression when Americans believe their government may be listening. Following the Snowden revelations, people were less likely to google terms relating to national security, and even professional writers held back from addressing certain topics. This type of self-censorship represents a real cost, not just to individuals’ right to free expression, but to the health of our democracy, which relies on robust public discourse.
In short, the “incidental” collection of Americans’ communications carries risks and harms that can’t be mitigated by post-collection protections. They could, however, be mitigated by narrowing the pool of permissible targets. For instance, Congress could require the government to have a reasonable belief that its targets are foreign powers or agents of foreign powers (which would include international terrorists) or, alternatively, that they have information about any of the threats to national security identified in the first part of the “foreign intelligence information” definition.
Of course, intelligence officials will argue that the authority Section 702 currently provides is no broader than necessary for our national security interests. They should be required to prove it. The government has made public several examples of Section 702’s utility; in none of these cases was the original target of Section 702 surveillance a private citizen who was not suspected of terrorist ties. If such an example exists somewhere in classified form, lawmakers should insist on seeing it. And they should probe whether it justifies a standard that allows surveillance of almost any foreigner—including that foreigner’s communications with Americans.
Lawmakers have shown no interest in pursuing this line of inquiry. Most of them care little about the privacy rights of foreigners, and so they see no reason to change the law to protect innocent foreigners from NSA surveillance. They fail to understand that limiting the permissible pool of foreign targets is a critical protection for Americans. Until lawmakers make that basic connection, even the strongest reform proposals in Congress will leave Americans’ privacy vulnerable.
(Photo: Kevin McCoy)