In an effort to allay concerns about its collection of data on Americans, the National Security Agency released a fact sheet detailing the standards it uses. All well and good. Except, apparently, for the fact that the sheet contains a "significant inaccuracy," according to two senators who've asked that it be fixed. So, which "fact" is it?
Senators Ron Wyden of Oregon and Mark Udall of Colorado — two longtime foils to the NSA's surveillance activity, including that episode in March when the national intelligence director lied to Wyden under oath — wrote a letter to NSA chief Keith Alexander yesterday afternoon noting the no-doubt-inadvertent error. It pertains to section 702 of the Foreign Intelligence Surveillance Act, an addition made in 2008 that has been used as the justification for the NSA's collection of electronic data on foreign nationals (and, in some cases, Americans). The letter reads, in part:
We were disappointed to see that this fact sheet contains an inaccurate statement about how the section 702 authority has been interpreted by the US government. In our judgment this inaccuracy is significant, as it portrays protections for Americans' privacy as being significantly stronger than they actually are. We have identified this inaccurate statement in the classified attachment to this letter.
You'll note that the senators don't use the words "deception" or "lie." They merely point out a factually inaccurate statement that portrays the NSA in a better light than might be warranted.
The classified attachment is not public, of course. But Wyden and Udall provide a copy of the fact sheet, allowing us to consider where the "inaccuracy" might lie. (It used to be on the NSA's website, but doesn't appear to be at this point. A cached version of what used to be at the agency's site doesn't differ from the version offered by Wyden.)
(Update: We also asked the EFF if it could spot the inaccuracy. See their response, below.)
- This authority allows only the targeting, for foreign intelligence purposes, of communications of foreign persons who are located abroad.
- The government may not target any U.S. person anywhere in the world under this authority, nor may it target a person outside of the U.S. if the purpose is to acquire information from a particular, known person inside the U.S.
As part of the Edward Snowden leak, the Guardian published the internal document presented by the Department of Justice to the Foreign Intelligence Surveillance Court (FISC) describing the government's "minimization procedures" — the rules under which it minimizes (not eliminates) collecting data on Americans. Intentionally collecting such information is, as stated, not allowed. These two points are probably accurate.
- Under this authority, the Foreign Intelligence Surveillance Court annually reviews "certifications" jointly submitted by the U.S. Attorney General and Director of National Intelligence.
- These certifications define the categories of foreign actors that may be appropriately targeted, and by law, must include specific targeting and minimization procedures adopted by the Attorney General in consultation with the Director of National Intelligence and approved by the Court as consistent with the law and 4th Amendment to the Constitution.
The certifications at issue appear to be those referred to above, published by the Guardian last week. We'll note, as we have many times before, that the FISC has determined that on at least one occasion in the past, the NSA's surveillance has violated the Fourth Amendment.
- There must be a valid, documented foreign intelligence purpose, such as counterterrorism, for each use of this authority. All targeting decisions must be documented in advance.
This one is a maybe. The text of the law outlines only that a "significant purpose of the acquisition is to obtain foreign intelligence information."
- The Department of Justice and the Office of the Director of National Intelligence conduct on-site reviews of targeting, minimization, and dissemination decisions at least every 60 days.
- The Foreign Intelligence Surveillance Court must approve the targeting and minimization procedures, which helps ensure the protection of privacy and civil liberties.
- These procedures require that the acquisition of information is conducted, to the greatest extent reasonably feasible, to minimize the acquisition of information not relevant to the authorized foreign intelligence purpose.
These points again deal with the review process, which seem unlikely to be the points that caused Wyden and Udall such concern. Inaccuracies representing after-the-fact clean-up are far less severe than misrepresentations of the NSA's authority to conduct investigations.
- Any inadvertently acquired communication of or concerning a U.S. person must be promptly destroyed if it is neither relevant to the authorized purpose nor evidence of a crime.
We know that Udall and Wyden consider this point inaccurate; they say so explicitly in the letter.
We believe that this statement is somewhat misleading, in that it implies that the NSA has the ability to determine how many American communications it has collected under section 702, or that the law does not allow the NSA to deliberately search for the records of particular Americans. In fact, the intelligence community has told us repeatedly that it is ''not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed under the authority'" of the FISA Amendments Act.
But this is therefore not the secret inaccuaracy.
- If a target who was reasonably believed to be a non-U.S. person outside of the U.S. either enters the U.S. or was in fact a U.S. person at the time of acquisition, targeting must be immediately terminated.
- Any information collected after a foreign target enters the U.S. — or prior to a discovery that any target erroneously believed to be foreign was in fact a U.S. person — must be promptly destroyed unless that information meets specific, limited criteria approved by the Foreign Intelligence Surveillance Court.
This last point is a decent bet. As the leaked minimization procedures make clear, the NSA can and does keep records of Americans' phone numbers and emails in order to better determine if targets are or are not Americans. But that collection may also be one of the "limited criteria," since it was approved by the FISC in 2009.
- The dissemination of any information about U.S. persons is expressly prohibited unless it is necessary to understand foreign intelligence or assess its importance; is evidence of a crime; or indicates a threat of death or serious bodily harm.
The NSA is clear that there are occasions in which it does share information with other agencies; specifically, the FBI. The guidelines under which that happens aren't clear, but would presumably fall under the "evidence of a crime" stipulation.
- The FISC rules of procedure require immediate reporting of any compliance incident. In addition, the government reports quarterly to the FISC regarding any compliance issues that have arisen during the reporting period, including updates of previously reported incidents.
- The Department of Justice and Office of the Director of National Intelligence provide a semiannual assessment to the Court and Congress assessing compliance with the targeting and minimization procedures. In addition, the Department of Justice provides semi-annual reports to the Court and Congress concerning implementation of Section 702.
- An annual Inspector General assessment is provided to Congress, reporting on compliance with procedural requirements, the number of disseminations relating to U.S. persons, and the number of targets later found to be located inside the U.S.
Again, these are mostly after-the-fact measures, suggesting that they are probably not the focus of the senators' letter.
How the NSA responds to the letter remains to be seen. Obviously, the agency cannot simply update the fact sheet without everyone immediately knowing which point was false. Though, as the senators note, that may be the best strategy. "[W]hen the NSA makes inaccurate statements about government surveillance and fails to correct the public record," they write, "it can decrease public confidence in the NSA 's openness and its commitment to protecting Americans' constitutional rights. Rebuilding this confidence will require a willingness to correct misstatements and a willingness to make reforms where appropriate."
So far, such willingness has been slow in coming.
Update, 3:16 p.m.: We reached out to Trevor Timm from the Electronic Frontier Foundation to see if he might have any better luck spotting the inaccuracy. He didn't.
I can't really tell which statement Wyden and Udall think is inaccurate. Many of the statements are written to downplay the true scope of what the NSA does and how it affects Americans' privacy. For example, they say nothing about how they can hold onto communications forever if the communication is encrypted. Essentially they're saying, if you value privacy, you are suspicious. But I doubt this is what Wyden and Udall are talking about. This is exactly problem with keeping such sweeping surveillance powers behind the veil of secrecy - the public has no way of knowing if what the government says is true or not.
But I have no doubt Wyden and Udall are correct. They originally said Americans would be "stunned" to learn how the government was interpreting the Patriot Act, and they were proven right when the Verizon court order was published. Wyden also alleged the NSA could conduct "backdoor searches" of US persons data after targeting foreigners under the FISA Amendments Act, and it's becoming increasingly clear, judging by the latest report from the Guardian, that he was right about that too.
Photo: NSA head Keith Alexander. (AP)