Published by The Lawfare Institute
in Cooperation With
As Bobby and others have already noted, the NSA announced Friday that it is ending “about” collection under Section 702’s upstream component. I won’t rehash the basics here; readers should consult Charlie Savage’s essential New York Times story, NSA’s statements (here and here), and Bobby’s analysis. Rather, I want to inject into the discussion a few issues that I haven’t yet seen broached elsewhere.
1) What is the net effect for 702’s intelligence and counterterrorism value?
As Bobby notes, dropping “about” collection means that NSA will also lose some upstream collection of communications to or from a target. It appears that this was the price of placating the FISC after NSA analysts apparently (per the NYT) erroneously queried upstream data seeking information about one or more U.S. persons. (Recall that, as the PCLOB’s 2014 report explained, under the NSA’s 702 minimization procedures “U.S. person identifiers are prohibited from being used to query the NSA’s Section 702 upstream collection of Internet transactions.”).
In isolation, that collateral reduction in “to/from” collection would be a bad thing for NSA’s foreign intelligence mission. Several caveats are in order here, however.
First, it’s possible that the decision to end “about” collection was made easier, at least in part, by escalating technical obstacles. Namely, Julian Sanchez and Nicholas Weaver have suggested that increasing encryption of email traffic has made it more difficult to scan the contents of email in transit.
Note, however, that the metadata of encrypted messages can still be captured in transit; this metadata could be very useful for mapping the contacts of 702 targets. [Edit: Nicholas Weaver helpfully points out that STARTTLS, the encryption protocol at issue here, hides the identity of the sender and recipient as well.]
Second, Sanchez raises the alternative possibility that some of what is lost by this move can be obtained through collection conducted overseas under Executive Order 12333. 12333 collection is subject to fewer legal constraints and does not require FISC approval or oversight.
Third, the NYT story notes that the FISC has now authorized NSA to use Americans’ identifiers to query the newly captured upstream internet messages, too, for future intelligence investigations.” That makes sense, because ending “about” collection greatly reduces the chance that upstream will capture wholly domestic collections that are neither to or from a target.
Given these three points, it’s possible that the cumulative effect of these changes may actually be a net gain, or at least a break even, for 702’s value for foreign intelligence, counterterrorism, and counterintelligence. NSA will now collect a narrower range of communications (although given the first two points above, perhaps not that much narrower), but have will greater latitude to query that which is collected. The new querying authority may be especially valuable for disciplines like counterterrorism and counterintelligence, in which identifying problematic foreign-domestic connections is vital.
2) NSA Transparency
Commenters seem to be taking it for granted that NSA would issue a press release announcing a change to its classified collection practices. Yet we should pause to consider how remarkable this is. In recent memory, NSA was so secretive that the “No Such Agency” cliché was a feature of every NSA-related news story (of which there weren’t many).
As we noted in a recent Center for a New American Security report, in the post-Snowden era, agencies accustomed to operating in the shadows have been forced to cope with heightened public awareness, widespread skepticism, and greater expectations of transparency. By any objective measure, NSA has adapted well to the unprecedented level of public scrutiny it has faced since 2013. NSA’s senior officials are now publicly known figures who venture forth to make the agency’s case to the American people. IC transparency reports have disclosed, in a responsible way, useful information about the agency’s practices. Statements like Friday’s offer, as our report put it, “greater transparency—albeit at [a] high-altitude level of detail—without compromising the effectiveness of intelligence operations.” This all helps strengthen the bond of trust between NSA and the public it protects.
3) Implications for Privacy Shield
With the Privacy Shield’s first annual review approaching, the European Commission (with European courts ultimately lurking in the background) will again cast judgment on whether U.S. surveillance practices measure up to the supposedly stringent level of privacy protection EU member states offer. To the extent that 702 is part of that review, this change should earn some credit. Ending “about” collection will reduce collection of the communications of people who are neither targets nor their correspondents. This will benefit Europeans as well as Americans.
Finally, in determining whether U.S. privacy protections measure up to Europe’s, the Commission’s reviewers will also want to consider these questions:
- Do European intelligence agencies submit to independent oversight as rigorous as the Foreign Intelligence Surveillance Court’s, as illustrated by this incident?
- Has a judge ever compelled such a significant change to an EU member state’s classified intelligence operations?
- Do European intelligence agencies provide a comparable level of transparency about their equivalent collection methods? (Germany, which last year enacted a statutory analogue to 702, comes the closest.)