A brief, slightly confusing exchange between Rep. Jerrold Nadler and FBI director Robert Mueller at a hearing this week is stirring up a lot of fuss, as C-NET reports (and The Hill repeats) that it reveals an NSA admission that analysts sifting through metadata can, without further court authorization, listen to calls or read e-mails:
First, let me suggest that nobody go too nuts with this just yet: This is a two minute exchange referencing an earlier classified briefing, and the parties to it haven’t responded to requests for comment yet. That said, let’s try to figure out what’s going on.
One possibility is just that Rep. Nadler is talking about analysts having discretion to get the subscriber information on a suspicious number and blurring that with content. But those are two pretty different things, and it seems unlikely he’d make that error. So let’s assume for a moment that’s not it.
What seems more likely is that Nadler is saying analysts sifting through metadata have the discretion to determine (on the basis of what they’re seeing in the metadata) that a particular phone number or e-mail account satisfies the conditions of one of the broad authorizations for electronic surveillance under §702 of the FISA Amendments Act. Those authorizations allow the targeting of whole groups or “categories of intelligence targets,” as the administration puts it. Once the FISA Court approves targeting procedures, they have no further role in deciding which specific accounts can be spied on. This is, as those of us who wrote about the FAA during its recent reauthorization observed, kind of a problem.
Legally speaking, the analysts don’t have carte blanche. In other words, this isn’t “warrantless wiretapping” so much as “general warrant wiretapping.” They can’t just tap any old call or read any old e-mail they strikes them as “suspicious.” They’ve got to be flagging content for interception because they believe it’s covered by a particular §702 authorization, and observe whatever “targeting procedures” the FISA Court has established for the relevant authorization. They can’t “intentionally” intercept any calls or Internet communications that are “known at the time of acquisition” to be totally domestic. But then, what an analyst “knows at the time of acquisition” may be pretty hard to determine, unless they clearly should have been able to determine from the metadata that all ends were located in the United States. Often, especially for Internet communications, that won’t necessarily be so.
Also, the “target” of the acquisition has to be “believed to be” outside the United States. But there’s some ambiguity about exactly what that “targeting” limitation means. That is, it’s not clear whether the phone or e-mail user you’re spying on must be outside the United States, or whether it’s enough that you are seeking information about a group primarily located overseas. I’ll assume the former, more restrictive case for now: The analyst must believe that one end of the communication is outside the United States, and flag that account or phone line for collection. Note that even if the real target is the domestic phone number, an analyst working from the metadatabase wouldn’t have a name, just a number. That means there’s no “particular, known US person,” which ensures that the §702 ban on “reverse targeting” is, pretty much by definition, not violated.
None of that would be too surprising in principle: That’s the whole point of §702! It means analysts get discretion to decide what particular accounts fall under a very broad order. A key question, of course, is just what the checks in the process are. Can an analyst technically (if not legally) plug in any selector to start collecting on and just start getting material? Does anyone check their work before call and e-mail content starts flowing in? How closely are their error rates checked after it does? Again, legally, they don’t have a blank check, but it’s the details of the system architecture that determine whether you’d be able to tell the difference in practice.
Anyway, creepy as this all may sound, it’s not exactly a new revelation if Nadler is indeed talking about authority to collect content under §702, though the potential for error seems greater if the basis for acquisition is literally nothing more than a “suspicious pattern” culled from metadata. In theory, the system could be flagging calls and e-mails for interception almost automatically (like GMail deciding what to flag as “important’), with the analyst occasionally checking off an “OK” box.
Still, this is more or less what the FISA Amendments Act was designed to do. Shame people didn’t freak out to this extent at the end of 2012, when Congress voted for five more years of it.