Julian Sanchez header image 2

photos by Lara Shipley

An Anatomy of Electronic Surveillance

March 18th, 2008 · 2 Comments

I have been (slowly but surely) plugging through David Kris and J. Douglas Wilson’s massive but absolutely invaluable National Security Investigations & Prosecutions—and let me give them a free plug here: It’s not a cheap tome, but anyone who wants to talk seriously about FISA really must have this book on their desk. The more I read, the more I’m vaguely embarrassed to have been writing on the topic when, despite having researched it quite a bit these past months, I’m still learning something new on every other page.

One thing that becomes very clear as I review Kris & Wilson’s explication of the byzantine FISA statue is that, while we’ve recently gotten confirmation that the much-discussed “intelligence gap” that kicked off the current debate was always about e-mails rather than phone calls, this really should have been obvious from the outset.  I was always dubious that the FISA court could have really imposed some kind of blanket warrant requirement on foreign-to-foreign intercepts, and said so, but I also should have seen just where the likely problem was.  Because while that FISC ruling may remain classified, all you need to know is right there in §1802, part (f).

That’s where FISA defines “electronic surveillance”—the range of activities (along with physical searches) covered by the law and subject to its procedures.  There are actually four overlapping definitions, which we can think of as four tripwires the government can cross, and thereby trigger FISA’s warrant requirements.  Very loosely, the government is engaged in “electronic surveillance” requiring court approval if they:

  1. Do wire or radio intercepts (conducted anywhere in the world) that target a U.S. person (citizen or resident alien) who is located in the U.S., if the intercept would require a warrant in a criminal investigation.
  2. Do a wire intercept in the U.S. where the person on one end of that wire is also in the U.S.
  3. Do a radio intercept (anywhere in the world) where both ends of the communication are in the U.S., if it’s the kind of intercept that would require a warrant for criminal investigation.
  4. Use—and this the tricky one—some kind of electronic monitoring device in the U.S. to collect information that is not either a wire or radio intercept, where someone enjoys a reasonable expectation of privacy in the information, and a warrant would be required for criminal purposes.

If that sounds a bit tangled, it is, though there are sound reasons for having done it this way. Still, right off the bat, a couple things should be clear. First, it seems pretty obvious that a foreign to foreign wire or radio intercept conducted in the U.S. just doesn’t hit any of the triggers; there’s really no way to read the definitions to cover that.  Second, there is a lot of wiggle room for such communications to fall under definition (4), because it’s the only one that doesn’t say anything about U.S. persons or persons in the U.S. being targeted or party to the communication. It just talks about anyone’s reasonable expectation of privacy, and in that sense goes beyond the requirements of the Fourth Amendment.

Here, presumably, is where the problem lies. That fourth definition was mainly intended to cover “bugs”—surveillance microphones and cameras and the like—but also acts as a catchall for other surveillance technologies, perhaps technologies not yet invented when FISA was written, that don’t fall under the rubric of either “wire” or “radio” intercepts. And one thing that falls under this heading is a computer search of someone’s stored data, which would include e-mails on a server.  You can see the logic in this framing, in some ways.  Tapping phone conversations or reading letters while a warrant is in effect is intrusive, but even more intrusive is getting access to a potentially massive archive of someone’s private data, perhaps including years worth of past correspondence.  So it makes sense that you’d have especially strong protections there.  And one can imagine that foreign businesses might be reluctant to store their private records in the U.S. if we announced that it was open season on their data, while Americans were entitled to the usual procedural safeguards. But it does create the tangle we’ve mentioned: Even a foreign-to-foreign e-mail is now covered once it comes to rest on a U.S. server.

No problem, we might think, because the feds can still always intercept the e-mail “in motion,” by pulling it off a wire. The trick here is that if you don’t know the ultimate recipient of that e-mail, it looks like the only candidate for the “person” on the other end of that wire is the U.S. firm to which the data is sent.  So there’s a bit of a catch-22: When it’s moving on the wire, it’s covered by one definition, and when it’s sitting on the server, it’s covered by another.  So it seems, at any rate—the details always matter in law, and we don’t know the details.

Supposing this is the problem, it might seem at first blush like you’ve got an easy solution: Exempt foreign-to-foreign e-mail from the (f)(4) definition. But even once an e-mail’s sitting on the server, you won’t necessarily know where the ultimate recipient is.

You can create a still-broader exemption, carving out intercepts of foreign-to-unknown e-mail.  But if that “unknown” category turns out to be large, you’ve just punched a huge hole in the protections Americans were clearly meant to enjoy, under the law, in their international communications. (Radio was a special case for technical and historical reasons we’ll leave aside for the moment.) So the solution they’ve gone with instead, in all of the legislation that’s been proposed recently, is to let the executive branch make a list of foreign target whose communications through the U.S. either don’t count as electronic surveillance, or do count as electronic surveillance but don’t require conventional FISA orders.

This solution, though, is broader in a different way. While in practice it presumably doesn’t end up covering all foreigners’ e-mails passing through the U.S., it ends up covering the targets’ e-mails even to known U.S. persons in the U.S., and furthermore, with respect to those targets, it ends up punching a hole in the (f)(2) definition, which was supposed to cover Americans’ wire communications with persons overseas. And that protection wasn’t part of any “problem” created by the FISC ruling last year; it was the plain intention of Congress when they passed FISA.

To sum up, what we’re currently seeing is a kind of bait and switch.  We’ve got a ruling which, given changing communications methods, created a genuine problem with definition (f)(4). But we’ve got a “fix” that both resolves the (f)(4) issue and seriously weakens the (f)(2) definition.  How these two definitions constrain surveillance, and how proposed legislation would change them, is at the core of the FISA debate—this is the issue under dispute, ultimately. But I can’t help but notice that most of the popular discussion and coverage of FISA don’t even mention these definitions. I mean, admittedly, this is some complicated legalese—but it’s not that complicated

Tags: Law · Privacy and Surveillance


       

 

2 responses so far ↓

  • 1 Ryan Singel // Mar 18, 2008 at 3:00 pm

    Julian,

    Why get into details when you can just get it wrong?

    And really, did you get Reason to drop $188 bucks on Kris’s book?

    RS

  • 2 Julian Sanchez // Mar 18, 2008 at 3:10 pm

    Get Reason to? Oh, how I wish.