Published by The Lawfare Institute
in Cooperation With
Published by The Lawfare Institute
Yesterday evening, Jodie Liu and I summarized Sen. Leahy's new FISA reform bill---which represents a legislative compromise between many of the major stakeholders in the NSA debate. One question we did not treat is whether the bill is any good. Short answer: In my opinion, at least, it's mix---a proposal that will do some good but also carries real dangers---but it's a mix that leans positive. In this post, I want to lay out some thoughts on the merits of where we seem to be heading legislatively on FISA reform. I want to be clear about the point of view from which I'm writing: that of someone who believes in the signals intelligence activities of NSA, is not overly troubled by the civil liberties implications of current law and practice, and is quite troubled about the possibility of reining things in so far as to hobble activity I think of as salutary and important. Someone who starts with different priors may reasonably take a very different attitude towards the merits. Here is my view of the value and the risks of the Senate proposal. The positive side of the bill has several important elements we can sum up with the words "institutionalization" and "legitimization." The bill codifies a collection authority that is today contested and will next year---even under the government's current and controversial legal theory---expire: the authority to do contact chaining using telephony metadata. Yes, it will codify this authority under a different procedure than used by the current bulk metadata collection program, one that is far more palatable to civil libertarians. But that's actually a good thing, the goal being not to retain the current program but to preserve the current capability with a maximum of legal certainty and a minimum of controversy. In addition, the Leahy bill would get rid of the May 2015 sunset provision for Section 215, which unamended will cause the whole authority to turn into a pumpkin in less than a year anyway. Instead, it would make the revised metadata collection authority sunset along with the FISA Amendments Act authorities at the end of 2017. In other words, the Leahy bill would take an authority that currently rests on a contested legal theory based on a law that's soon to vanish and replace it with clear legal authority that is far less controversial and available for a longer period of time. That's pretty attractive---probably necessary if you believe that the contact chaining authority is important and you want to preserve access to it. Another important feature of the bill is something that isn't in it: Any significant change to the 702 authorities. While many people in the intelligence community regard the metadata authority as useful, it is actually a bit of a sideshow. And it is emphatically not one of the core authorities that makes up NSA's bread and butter. By contrast, 702 is part of the daily fabric of NSA collection. So a bill that focuses its reform efforts narrowly on the metadata program and the curtailing of bulk collection and leaves almost untouched the larger architecture of collection is arguably, from a civil libertarian perspective, missing the forest for a singular focus on a particular tree. From the perspective of someone who wants to preserve collection authorities, this focus is very attractive. As long as the focus in on the 215 tree, even if the result is bad, the forest itself is doing just fine. Finally, at least in general terms, the transparency and accountability provisions of the bill are salutary. Everyone wants more transparency in NSA operations where possible---though there's a fierce argument over how far that can or should go. So both requiring more disclosure and requiring more adversarial procedure in the FISA process will tend to enhance the legitimacy of decisions that will, at the end of the day, still allow a great deal. In other words, the basic formula here---putting metadata access on a solider, longer-term legal footing, protecting 702, and using transparency and FISA procedural reform to add legitimacy to a process under constant attack---is a sound one. This is why the government will support the bill and why I think that's the right move. But there will be some nose-holding, because the bill has a number of elements that are going to cause problems. First and most important, it contains no requirement that the telecommunications carriers maintain the call records data that it authorizes the government to access. The telecommunications companies drew a line in the sand on this point, and they prevailed. That means that the entire value of the compromise from an intelligence point of view will hinge on whether companies continue to maintain this data---something I am certain they will come under heavy political pressure not to do---or whether they stop maintaining it and thus cannot provide it when ordered to. Second, the procedure the Senate is contemplating for metadata access is cumbersome and burdensome. It's workable, but it will not be fast and nimble. And it's not clear to me that the program will have much value at the pace it will run under the Senate bill and subject to the limitations that bill will put in place. In other words, the metadata access could end up being useless. And if not useless, it could end up being highly inefficient. Third, while I support the idea of increasing disclosure, I am concerned that the magnitude of the disclosures required and allowed under the bill will have unintended consequences. Title VI of this bill will cause a lot of information about U.S. signals intelligence activities to become public---a huge amount more than any country has ever, to my knowledge, released about what it is doing in the way of electronic surveillance. I don't oppose any specific disclosure that would happen under this law, but I do fear that in the aggregate, this information will give a lot of insight to adversary intelligence services about what we're doing and how. In the end, I believe that this is a bill worth pursuing. But it will not be without costs.
When the Supreme Court first encountered the internet, the justices expressed wonder at its potential. “It is ‘no exaggeration to conclude that the content on the Internet is as diverse as human thought...
The court fight between Apple and FBI over access to a terrorist iPhone is just the latest chapter in the long-running tension between security professionals trying to get access to information and commu...
Although it is a close call, the decision of the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner may turn out to be the most important consequence of the Snowden ...