As news of the government’s broad surveillance programs develops, a host of unanswered questions arise. This fact sheet answers many of those questions, examining the legal and practical steps the government may have taken to secretly collect data.
Q: What is the National Security Agency doing?
A: At least four major surveillance programs have been revealed so far. The first two programs described below collect metadata, while the third and fourth collect the content of communications:
Telephonic Metadata. Since 2006, the National Security Agency (NSA) has been secretly collecting the phone records of millions of Americans from some of the largest telecommunications providers in the United States, via a series of regularly renewed requests by the Federal Bureau of Investigation (FBI). Although the NSA is not collecting the contents of all phone calls, it is collecting records of who called whom, when and for how long. The government has acknowledged some aspects of this collection program, but claims that officials do not actually look at the collected data in more detail without reasonable suspicion that some element of it concerns a foreign terrorist organization.
Internet Metadata. On June 27, 2013, the Guardian newspaper released a 2009 draft report from the Inspector General of the NSA, which revealed that the Agency has also been collecting bulk Internet metadata for more than a decade through an array of clandestine programs. Although the Administration claims that such collection ended in 2011, the Guardian reports that programs to gather Internet metadata are continuing – with the number of records processed surpassing one trillion. The metadata collected does not include the content of intercepted communications, but does include the email addresses of the sender and recipients, as well as Internet Protocol (IP) addresses. These can then be used to track an individual’s identity and location as well as to monitor Internet activity.
Telephonic Content. The Washington Post has reported that the NSA captures the content of telephone calls and routes them to a system called NUCLEON. The 2009 NSA IG report does not directly acknowledge or discuss this program by name, but it refers to several unnamed programs that collect the content of electronic communications.
Internet Content. Over the past six years, the NSA obtained unprecedented access to the contents of electronic communications processed by nine leading U.S. internet companies. This access was facilitated by a computer network named PRISM. The companies involved include Google, Facebook, Skype, and Apple. According to reports, the program is targeted at foreigners abroad, but the government determines “foreignness” using search terms that have a wide margin of error. Recently released information shows that the NSA inputs search terms (known as selectors) into the PRISM system. An FBI interception unit located on the premises of private companies collects responses – which include e-mails, login credentials, metadata, saved files, as well as audio and video files – and passes them along to one or more government agencies.
Q: What are the legal justifications for the programs?
A: Telephonic Metadata. The government claims that the telephone records program that was the subject of the leaked Verizon court order is authorized under the so-called “business records” provision of the Foreign Intelligence Surveillance Act (FISA), first enacted in 1978. That provision was amended by Section 215 of the Patriot Act in 2001. Section 215 allows the government to obtain a secret court order requiring third parties, such as telephone companies, to hand over any records or other “tangible thing” if deemed “relevant” to an international terrorism, counterespionage, or foreign intelligence investigation.
Internet Metadata. According to the 2009 NSA IG report, the Bush administration sought and received FISA Court approval in 2004 for bulk Internet metadata collection under the pen register/trap and trace provisions of the Patriot Act. Pen registers are typically attached to a phone line to track outgoing phone calls; trap and trace devices perform the same function for incoming calls. While the information captured by the traditional use of pen/trap does not enjoy full Fourth Amendment protection, installing this type of device generally requires a court order. Section 216 of the Patriot Act extended the availability of pen/trap taps to intercept Internet communications. At the same time, Section 214 of the Patriot Act lowered the standard under which pen/trap taps could be used: for the collection of Internet metadata about Americans, the FBI only needs to certify that the information likely to be obtained is “relevant” to an ongoing investigation of international terrorism or clandestine intelligence activities.
Content of Communications. With respect to PRISM, the government cites Section 702 of the FISA Amendments Act, a law first passed in 2008 and reauthorized in 2012. Section 702 allows the government to acquire foreign intelligence by targeting non-U.S. persons “reasonably believed” to be outside U.S. borders. The law explicitly prohibits intentionally targeting U.S. persons or people known to be located inside the U.S. at the time the government acquires the data. It also requires the government to establish certain “targeting procedures” to ensure that the government is targeting people “reasonably believed” to be non-U.S. persons located outside the United States (which can be difficult to ascertain when dealing with internet or cell phone communications). The NSA may be running other content collection programs under Section 702 as well.
The July 2009 version of the targeting procedures (leaked by the Guardian) indicates that the NSA takes certain steps, depending on circumstances, to establish the identity and location of a target (e.g., examining initial information received by the Agency, searching various databases, and analyzing the facilities through which the target communicates). But where an analyst cannot conclude definitively that a target is a U.S. person, he or she may presume that the target is foreign so long as the target’s location either is not known or is presumed to be outside the United States.
Q: Is there any oversight?
A: To collect the kind of phone records it did from Verizon, the government must obtain a Section 215 order from the Foreign Intelligence Surveillance Court (FISA court) — a federal court established under FISA which oversees government applications to conduct surveillance for the purposes of obtaining foreign intelligence. The request for the order, and the court’s ruling, are classified. The number of Section 215 orders has soared in recent years, from just 21 applications in 2009 to 212 applications in 2012. None of the applications in 2012 were denied by the FISA court. Classified reports about these applications are submitted to Congress’s intelligence and judiciary committees. Unclassified aggregate numbers, such as the above, are sent to Congress annually.
When it comes to Section 702, the law cited for PRISM, the FISA court’s role is more limited. Even though Section 702 does not allow the intentional surveillance of U.S. persons, the government is not required to go before the court to obtain individual surveillance orders. Instead, the court approves the “targeting” and “minimization” procedures described above to limit the amount of information about law-abiding Americans that is intercepted, retained, and disseminated. In deciding whether to approve the procedures, the court reviews whether they are consistent with the Fourth Amendment to the Constitution. But it has no ongoing authority to determine if the government is complying with these procedures, and both the procedures and the court orders relating to them are classified. Some information about Section 702 programs must be reported to Congress’s intelligence and judiciary committees, including significant legal opinions of the FISA court. However, these reports are generally classified and not shared.
Q: Do communications providers have a say?
A: Theoretically, yes. If served with an order under Section 215 or Section 702 demanding records, a communications provider can challenge it. Yet like all proceedings before the FISA court, such a challenge would be secret. In addition, companies are prohibited from disclosing information about the government’s requests to the public through so-called “gag orders.” Companies may challenge these gag orders in court, but the secrecy of the court’s proceedings makes it impossible to know whether any company has mounted such a challenge.
Q: What about individuals?
A: Persons whose records are targeted do not have the right to appear before the FISA court. Moreover, since the surveillance programs are classified, targeted persons generally have no way of knowing that their records are the subject of specific government scrutiny. Although individuals or organizations can submit requests under the Freedom of Information Act or the Privacy Act asking for information about whether the government has been spying on them or others, these requests are likely to be denied.
Q: If these laws were passed by Congress, and the FBI and NSA are securing the required court approval and making the required disclosures to Congress, what’s the problem? Isn’t everything working the way it’s supposed to?
A: It is highly unlikely that Congress intended the sort of dragnet information collection of phone records that the FISA court has approved under Section 215. Section 215 is exceedingly broad, but its plain language does not permit wide-scale surveillance on an ongoing basis. Under the provision, the government is allowed to collect only records that are “relevant” to an authorized investigation. It is difficult to believe that the phone records of millions of Americans are actually “relevant” to a specific terrorist or foreign intelligence investigation. Nor does Section 215 appear to allow the government to collect first and determine relevance later, which is what the government claims it is doing.
Even if the government’s actions are consistent with Section 215, the constitutionality of the statute itself is questionable. Some courts have held that the Fourth Amendment’s restriction on searches and seizures means the government must get a warrant to obtain certain types of records, such as cell phone location data. These rulings are at odds with the wide-ranging, warrantless surveillance program that has been allowed under Section 215.
Similar questions can be raised about the bulk collection of Internet metadata under the pen/trap authority. Even under the extremely low standard of Section 214 of the Patriot Act, it is difficult to conceive how Internet metadata relating to all Americans could be considered relevant to an ongoing investigation without making the concept of relevance so elastic as to be meaningless. In addition, based on the definition in the Patriot Act, pen/trap taps were understood to be available for specific persons or phone lines, not for bulk collection.
Section 702 – which is the basis of the NSA’s collection of content information – is also remarkably broad, allowing the government to target non-U.S. persons “reasonably believed to be outside the United States.” As noted above, the NSA has to take steps to ascertain whether a target is foreign; it has been reported, however, the NSA interprets that to mean that it need only ensure “51 percent confidence of the target’s ‘foreignness.’” Even if the process works as advertised, it could be wrong nearly half the time. Consequently, one of every two people targeted by the NSA may be an American citizen or located in the U.S. The NSA’s training materials call such collection “nothing to worry about.” In fact, it is difficult to see how this approach to collection comports with the Fourth Amendment, which requires the government to obtain a warrant for much of the information about U.S. persons that is being “inadvertently” collected.