During the Obama years, the National Security Agency intentionally and routinely intercepted and reviewed communications of American citizens in violation of the Constitution and of court-ordered guidelines implemented pursuant to federal law.
The unlawful surveillance appears to have been a massive abuse of the government’s foreign-intelligence-collection authority, carried out for the purpose of monitoring the communications of Americans in the United States. While aware that it was going on for an extensive period of time, the administration failed to disclose its unlawful surveillance of Americans until late October 2016, when the administration was winding down and the NSA needed to meet a court deadline in order to renew various surveillance authorities under the Foreign Intelligence Surveillance Act (FISA).
The FISA-court opinion is now public, available here. The unlawful surveillance was first exposed in a report at Circa by John Solomon and Sara Carter, who have also gotten access to internal, classified reports. The story was also covered extensively Wednesday evening by James Rosen and Bret Baier on Fox News’s Special Report.
According to the internal reports reviewed by Solomon and Carter, the illegal surveillance may involve more than 5 percent of NSA searches of databases derived from what is called “upstream” collection of Internet communications.
Upstream collection is a vital tool for gathering intelligence against foreign threats to the United States. It is, of course, on foreign intelligence targets — non-U.S. persons situated outside the U.S. — that the NSA and CIA are supposed to focus. Foreign agents operating inside the U.S. are mainly the purview of the FBI, which conducts surveillance of their communications through warrants from the FISA court — individualized warrants based on probable cause that a specific person is acting as an agent of a foreign power.
The NSA conducts vacuum intelligence-collection under a different section of FISA — section 702. It is inevitable that these section 702 surveillance authorities will incidentally intercept the communications of Americans inside the United States if those Americans are communicating with the foreign target. This does not raise serious Fourth Amendment concerns; after all, non-targeted Americans are intercepted all the time in traditional criminal wiretaps because they call, or are called by, the target. But FISA surveillance is more controversial than criminal surveillance because the government does not have to show probable cause of a crime — and when the targets are foreigners outside the U.S., the government does not have to make any showing; it may target if it has a legitimate foreign-intelligence purpose, which is really not much of a hurdle at all.
So, as noted in coverage of the Obama administration’s monitoring of Trump-campaign officials, FISA section 702 provides some privacy protection for Americans: The FISA court orders “minimization” procedures, which require any incidentally intercepted American’s identity to be “masked.” That is, the NSA must sanitize the raw data by concealing the identity of the American. Only the “masked” version of the communication is provided to other U.S. intelligence agencies for purposes of generating reports and analyses. As I have previously explained, however, this system relies on the good faith of government officials in respecting privacy: There are gaping loopholes that permit American identities to be unmasked if, for example, the NSA or some other intelligence official decides doing so is necessary to understand the intelligence value of the communication.
While that kind of incidental collection raises the concerns of privacy advocates, it is a small problem compared to upstream collection, the technology of which poses profound Fourth Amendment challenges.
American communications are being seized and subjected to an inspection — however cursory — in the absence of any warrant, probable cause, or foreign-intelligence relevance.
In a nutshell, it is not possible to capture a single e-mail related to a single target as it transits the backbone routes (or “switches”) that connect networks. The NSA must instead capture packets of e-mail data — which include lots of e-mails beside the targeted e-mail. It sifts through these packets, finds and assembles the components of the email it was looking for, and then discards the rest. (A New York Times report by Charlie Savage earlier this week, in connection with a different FISA issue, provides a good explanation of this process. By contrast, the relevant discussion in the FISA court opinion of “multiple communications transactions,” or MCTs, is brief and heavily redacted — see the opinion at 15–16.) Even if the NSA does exactly what it is supposed to do (i.e., sift and discard), this means American communications are being seized and subjected to an inspection — however cursory — in the absence of any warrant, probable cause, or foreign-intelligence relevance.
Now, couple this problem with the way the NSA targets. The upstream communications it collects end up in databases. When the NSA has a target about whom it seeks intelligence, it runs a search through the databases using what is variously called an “identifier,” a “selection term,” or a “selector” — some e-mail address, phone number, or other identifying information related to the target. For years, U.S. intelligence agencies have not just sought any communications to or from this target; they have also sought any communications about this target — e.g., when the target merely appears to have been referred to. This means the communications of people, including Americans inside the United States, are far more likely to be accessed and analyzed — even though, again, there is no warrant or probable cause, there may be no direct communication with a proper intelligence target, and the Americans’ communications may be of no foreign-intelligence value.
So, to summarize, we have the communications of Americans inside the United States being incidentally intercepted, stored, sifted through, and in some instances analyzed, even though those Americans are not targets of foreign-intelligence collection. The minimization procedures are supposed to prevent the worst potential abuses, particularly, the pretextual use of foreign-intelligence-collection authority in order to conduct domestic spying. But even when complied with, there is a colorable argument that the minimization procedures do not eliminate the Fourth Amendment problem — i.e., they permit seizure and search without adequate cause.
Now we know the minimization procedures have not been complied with. The new scandal involves their flouting.
In 2011, it became clear to the FISA court that the minimization procedures were providing insufficient protection to Americans. Of special concern was the use of identifiers of American citizens as selection terms for database searches. While the activities of these Americans might have made them worthy foreign-intelligence targets, there are other ways to monitor them under FISA. Targeting them for section 702 searches increased the likelihood that wholly domestic communications between Americans would be collected.
Thus, the minimization procedures were ratcheted up. The most significant change, as the FISA court opinion relates, was that the revised “procedures categorically prohibited NSA analysts from using U.S.-person identifiers to query the results of upstream Internet collection” (emphasis added).
This meant the NSA was not supposed to use an American’s phone number, e-mail address, or other “identifier” in running searches through its upstream database.
It is this prohibition that the NSA routinely and extensively violated. Evidently, there was widespread use of American identifiers throughout the years after the 2011 revision of the minimization procedures. The violation was so broad that, at the time the Obama administration ended, its scope had still not been determined.
A salient question will be whether this new scandal is mainly a case of technology outpacing the capacity to formulate rules that bring its use into constitutional compliance.
The Trump Justice Department proposed new procedures in late March, which the FISA court has approved. These include the elimination of searches about a target — henceforth, searches are limited to communications in which the target is presumptively a participant (i.e., to or from). The new procedures redouble efforts to assure that the database collects only foreign communications (i.e., at least one end of the communication is outside the U.S.).
We should note that section 702 is due to lapse unless reauthorized later this year, so the new rules will obviously be subjected to close scrutiny. A salient question will be whether this new scandal is mainly a case of technology outpacing the capacity to formulate rules that bring its use into constitutional compliance.
I’m sure there is a good deal of that going on; that means the system is inadvertently inputting communications that should not be collected and stored. Plainly, though, something more insidious has also gone on. Even if the inputting has been inadvertently flawed, the outputs — what is actually accessed from the database and analyzed — would be less likely to violate American privacy if the minimization procedures were followed. The rules from 2011 forward were simple: Do not use American identifiers. Yet NSA used them — not once or twice because some new technician didn’t know better. This violation of law was routine and extensive, known and concealed.
Clearly, this new scandal must be considered in context.
The NSA says it does not share raw upstream collection data with any other intelligence agency. But that data is refined into reports. To the extent the data collected has increased the number of Americans whose activities make it into reports, it has simultaneously increased the opportunities for unmasking American identities. Other reporting indicates that there was a significant uptick in unmasking incidents in the latter years of the Obama administration. More officials were given unmasking authority. At the same time, President Obama loosened restrictions to allow wider access to raw intelligence collection and wider dissemination of intelligence reports.
This geometrically increased the likelihood that classified information would be leaked — as did the Obama administration’s encouragement to Congress to demand disclosure of intelligence related to the Trump campaign (the purported Trump–Russia connection). And of course, there has been a stunning amount of leaking of classified information to the media.
Enabling of domestic spying, contemptuous disregard of court-ordered minimization procedures (procedures the Obama administration itself proposed, then violated), and unlawful disclosure of classified intelligence to feed a media campaign against political adversaries. Quite the Obama legacy.
— Andrew C. McCarthy is a senior policy fellow at the National Review Institute and a contributing editor of National Review.