Julian Sanchez


A Few Further Questions About the FISA Bill

July 10th, 2008

Some things are clear about the FISA Amendments Act that President Bush signed into law today: Despite occasional attempts to persuade us otherwise, it licenses surveillance of Americans’ communications with overseas parties. But is that all it permits? Join me, if you will, on a short trip through the weeds of the foreign intelligence surveillance statutes.

A traditional FISA application—FISA Classic, if you will—required the government to provide judges on the Foreign Intelligence Surveillance Court with a fair amount of information. The application would give the name of the target, if it was known, or a description if it wasn’t. It would explain the evidence for thinking the target was an “agent of a foreign power,” the sort of information that surveillance was supposed to obtain, and—crucially for our purpose here—describe the locations or lines to be surveilled and provide a “nexus” between the target and the facility.

Now, despite the penchant of the administration for always describing FISA as “the 1978 FISA statute” to make it seem hopelessly outdated, the law has been amended many times before now, including by the PATRIOT Act, and again in 2006. Call this New FISA. And one of the improvements we made to New FISA, as you may recall, involved “roving wiretap” authority, of the sort that already existed for Title III domestic criminal investigations. And the idea here was that criminals and terrorists, being crafty, will take steps to evade surveillance. If you’ve watched The Wire, you know about “burners”—cheap pre-paid cell phones that are used a few times, then discarded. E-mail and IP addresses can be changed even more easily. And so the eminently reasonable idea here was that the government can’t always know in advance precisely what “facility” it needs to watch. It needs “roving” authority to intercept communications over whatever channel it has reason to believe the target may be using, since a smart terrorist would have switched to another by the time a new warrant went out for each particular account or phone number.

But Congress made a couple of important changes to the law when it did this. First, when a wiretap was “roving,” intelligence agencies would have to notify the FISC within ten days of the “nature and location” of any new “facility or place,” along with the “facts justifying a belief that the target is using, or about to use, that new facility or place.” Second, the unmooring of surveillance from a phone line, email address, or other communication channel specified in advance raised some concerns about the breadth of orders where a target was identified by description rather than name. So where FISA Classic had stipulated that a FISA application must include “the identity, if known, or a description of the target,” New FISA required “the identity, if known, or a description of the specific target.” And the idea here was to clarify that you must have a particular person or group in mind, whether or not you have a name, rather than just a set of criteria.

In philosophy, they call this the “de dicto / de re” distinction. That is, if I say “I would like to meet the mayor of New York some day,” I might mean two different things. If I mean it in the “de dicto” sense, I mean I would like to one day meet whoever happens to be holding the office of mayor in New York. If I mean it “de re,” I’m talking about the particular person who satisfies the description when I utter it: Mike Bloomberg. Obviously, a “de re” expression refers to exactly one entity in the world, while a “de dicto” expression refers to a much larger number—any bearers of the relevant properties.

Now, under the FAA, as I’m reading it, essentially all surveillance is “roving,” because the law explicitly says:

A certification made under this subsection is not required to identify the specific facilities, places, premises, or property at which an acquisition authorized under subsection (a) will be directed or conducted.

That means there’s no question of the court reviewing the “nexus” between the “target” of surveillance and the “facility” at which surveillance is directed. Presumably some kind of general “nexus” requirement will end up embedded in the “targeting procedures” that the court reviews, but I’m not seeing any process for ongoing scrutiny of the particular facilities surveilled. And that key word “specific” is conspicuously absent from the provision empowering the Attorney General to authorize the “targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” That suggests, as I’m scarcely the first to point out, an incredible degree of discretion and generality in those authorizations.

So what, exactly, can be “acquired” pursuant to these authorizations? Well, we know that it will at least include the international phone calls and e-mails of American citizens if they happen to be talking to an authorized “target”—and it looks like “target” here is at least potentially some kind of general description rather than some concrete person or group. But at the very least, we know strictly domestic communications are off-limits, right? Well, maybe. Here are the restrictions the new law places on those surveillance authorizations:

    ‘(1) may not intentionally target any person known at the time of acquisition to be located in the United States;

    ‘(2) may not intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States;

    ‘(3) may not intentionally target a United States person reasonably believed to be located outside the United States;

    ‘(4) may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States; and

    ‘(5) shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.

The court is also supposed to sign off on targeting procedures:

‘(1) REQUIREMENT TO ADOPT- The Attorney General, in consultation with the Director of National Intelligence, shall adopt targeting procedures that are reasonably designed to–

    ‘(A) ensure that any acquisition authorized under subsection (a) is limited to targeting persons reasonably believed to be located outside the United States; and

    ‘(B) prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States.

Emphasis mine in both cases. It looks like purely domestic communications are ruled out decisively. But hang on a moment. The separate restriction imposed here would seem to imply that surveillance “targeting” a person outside the United States might otherwise encompass surveillance of communications to which the target is not a party. It might, in other words, include records or communications pertaining to the “target” person or group. Still, the restrictions above take care of that, don’t they? Again, maybe.

The key phrases in both instances here are “intentional” and “known at the time of acquisition.” Because a big part of the reason we’re told that the government needs these new powers—and it’s worth noting that this is an absolutely legitimate problem that deserves to be dealt with by a much more narrowly constructed statute—is that sender and recipient locations will often be unknown. If a target sends an e-mail that sits on Google’s server, there may be no way of knowing in advance where it will be downloaded. And there are all sorts of communications protocols that obscure the locations of the communicants: Tor is one well-known example. So the very reason we have this new law is precisely that there are many cases in which the location of the recipient or sender is not “known at the time of acquisition.” So the government is not required to take measures to prevent the interception of entirely domestic communications, but only barred from intentionally acquiring communications that are known at the time to be wholly domestic.

Whether this translates into a danger of significant acquisition of domestic communication obviously depends in large part on what, exactly, they’re doing. And we don’t know that for certain. If we were talking about the traditional sort of wiretap where you pick a particular phone number, or e-mail account, or IP address to watch, that danger might still in practice be quite limited. But if, as many well-informed people seem to believe, they’re doing “vacuum cleaner” or “dragnet” surveillance, where the method of acquisition is to sift through the whole traffic stream looking for things like keywords or voiceprints, pulling out communications that way, the picture looks very different.

So, just as a hypothetical, suppose the “target” of surveillance is a foreign group not well known to the general public. (A group being a “person” for legal purposes.) And suppose the method being used—remember, targeting procedures are reviewed by the court, but the method of acquisition is explicitly outside the FISC’s purview—is to flag any communication containing (some threshold number of) names or code words likely to be known to members of that group.

We can infer from a 2002 FISC opinion that the “targeting” rules under FISA are significantly looser than they are for Title III criminal surveillance, since that ruling tells us that frequently “large amounts of information are collected by automatic recording to be minimized after the fact.” So the kind of filtering described above might well pass muster for “targeting persons reasonably believed to be located outside the United States,” even if it scoops up a lot of stuff that proves not to be germane, provided the filter is at least reasonably well designed to gather information about the target foreign group. But if the trigger for the filter is content, then no acquisition, strictly speaking, will be an “intentional acquisition” of a communication whose parties are “known at the time of acquisition” to be outside the U.S., since the filter method isn’t necessarily keyed to the parties at all. And once acquired, even if it’s a conversation between two American citizens, the communication is subject to minimization rules which allow it to be retained or disseminated under a variety of conditions, including for domestic criminal investigation and prosecution.

Of course, this is all fairly speculative. Is the kind of scenario just described permissible under the new law? I’m not sure—I’m guessing very few people without intimate knowledge of secret surveillance practices and rules are in a position to be sure. That’s the problem.
