print


Here’s everything we’ve learned about how the NSA’s secret programs work

By Timothy B. Lee Updated: June 25, 2013 at 9:47 am

In the last few days, the press has focused on NSA leaker Edward Snowden and his efforts to evade capture by the U.S. government. But the more important story is what we've learned about National Security Agency surveillance programs thanks to his disclosures.

Any one of Snowden's revelations would have been a big story in its own right. But the news has been coming so rapidly that it's difficult to keep track of it all. So here's a handy guide to the recent revelations about what the NSA has been doing.

(Photo by Chris Campbell)

(Photo by Chris Campbell)

Phone records

The first revelation by Guardian reporter Glenn Greenwald remains the most significant. Under a controversial interpretation of the Patriot Act, the NSA is vacuuming up information about every domestic phone call of every Verizon customer in the United States.

What information is collected and how is it used?

Information collected includes the phone number dialed, the time and duration of the call, and information about the cell phone tower used to make each call. The NSA's request for tower information makes it a de facto location tracking program, as the government can use that information to figure out where the call came from. While Snowden's leak only pertained to Verizon, it's likely that other major telecommunications providers also participate in the program.

The NSA puts all this information in a vast database, but the agency claims that access to the database is strictly limited. The agency says that only 22 Obama administration officials have the authority to authorize searches of the database, and only about 300 Americans have had their phone numbers queried.

Is that legal?

The court order revealed by Snowden cites Section 215 of the Patriot Act, which gives the government the power to obtain any "tangible thing" from third parties relevant to a terrorist investigation. Rep. Jim Sensenbrenner (R-Wisc.), the lead sponsor of the Patriot Act, has denounced the Obama administration's interpretation of Section 215 as "a bunch of bunk." He argues that Section 215 orders were only intended to be used for information relevant to specific investigations.

What about constitutional?

The Fourth Amendment requires search warrants to be specific about who is to be searched and what information is to be seized. There's nothing specific about the Verizon order. However, the government is likely to cite a 1979 Supreme Court ruling holding that the Fourth Amendment doesn't apply when the government seeks calling records. At least one Supreme Court justice, Sonia Sotomayor, has suggested the high court should reconsider that holding. Perhaps the furor over the phone records program will spur the courts to revisit the issue.

What kind of oversight does the program have?

The Verizon order was good for three months, so presumably the Foreign Intelligence Surveillance Court reviews the orders periodically. But because one order covers everyone in the country, it doesn't contain the kind of details that would allow the courts to find specific abuses.

Members of the House and Senate Intelligence Committees have also been briefed on the programs. The chairmen of these programs have defended them. But two Senate Democrats, Mark Udall (D-Colo) and Ron Wyden (D-Ore), have denounced it. Months ago, they were saying that the American people would be "stunned" by the government's interpretation of the Patriot Act. But secrecy prevented them from sharing the details with the public.

(Image by Charles Smith)

(Image by Charles Smith)

PRISM

In 2007, Congress gave the government broad powers to engage in warrantless surveillance for intelligence purposes. But until this year, the details of how the government was using those powers was a closely held secret. We now know that the NSA has a program called PRISM, which allows the agency to obtain private information about users of Google, Facebook, Microsoft, Yahoo and other Internet companies.

What information is collected and how is it used?

Early reports suggested that the NSA had unmediated "direct access" to these companies' servers. But companies have flatly denied this, and more recent reporting suggests that PRISM is a system for expediting the delivery of private information after company lawyers have scrutinized a government request.

Last week, the Guardian revealed the procedures the NSA uses to decide who to target for surveillance as well as the "minimization" procedures the government uses to deal with information that's accidentally collected by Americans. This information is generally destroyed, but there are some important exceptions. For example, if an intercepted communication contains information about a crime being committed, the NSA may retain the information and turn it over the law enforcement.

Is that legal?

The government says PRISM is authorized by Section 702 of the FISA Amendments Act, and critics of the program generally haven't disputed that. The more controversial question is whether Section 702 itself is constitutional.

FISA orders are not search warrants. But the government argues the Fourth Amendment doesn't apply because it is only spying on non-Americans. But critics disagree. They say the "targets" of NSA surveillance may be foreigners, but the surveillance may still collect information about Americans, and even use that information for non-intelligence purposes. They argue that doing that without a warrant violates the Constitution.

Can PRISM and other FISA programs be challenged in court?

Civil liberties groups have tried but they have not succeeded so far.

In February, before information about PRISM was made public, the Supreme Court ruled against plaintiffs who were challenging the FISA Amendments Act. The ruling did not reach the constitutional merits. Rather, the high court held that since the plaintiffs couldn't prove that they had personally been the targets of surveillance authorized by Section 702, they didn't have standing to challenge the law.

It's not clear if Snowden's leaks have created an opportunity to revisit that holding. His leaks only disclosed general features of the programs, not information about specific targets. So in principle, the revelations shouldn't change the legal outcome. But public outcry over PRISM could cause some justices to rethink the issue. It was a 5-4 decision, so only one justice would need to change his mind to get a different result.

One possible avenue for challenging Section 702 is a Chicago terrorism case. Late last year, Sen. Dianenne Feinstein (D-Calif.) cited the case as a successful use of the powers granted by the FISA Amendments Act. But when the suspect sought details about how the evidence against him had been collected, he was told that information was secret. His lawyers argue that the government is hiding behind secrecy to avoid a constitutional challenge to the FISA law.

What kind of oversight does the program have?

The program's targeting and minimization procedures are submitted to the FISC for review. But these documents, which were released by the Guardian last week, do not name the specific individuals whose communications will be intercepted. Instead, they give general criteria to be applied by the NSA. Members of the House and Senate Intelligence Committees have also been briefed on the program.

(Photo by Kenny Holston)

(Photo by Kenny Holston)

Fiber optic eavesdropping

In 2006, Mark Klein, an AT&T technician turned whistleblower, told the Electronic Frontier Foundation about a secret, NSA-controlled room in a San Francisco facility. He testified that optical splitters were being used to copy data flowing through AT&T's network and send it to the secret room.

At the time, most observers assumed this room was part of a broader surveillance program, but they couldn't prove it. But one of the slides from the PRISM presentation provides confirmation that the NSA has a broad program (actually, several of them) to sweep up Internet traffic from fiber optic cables.

What information is collected and how is it used?

We don't know the extent of these programs, but in principle, this kind of fiber optic tap should make it possible to collect almost all Internet traffic. The question is which cables the NSA has tapped into. The fact that the Internet developed first in the United States gives the spy agency a big advantage because it means that a lot of foreign traffic passes through major interconnection points in the United States. The nuclear submarine Jimmy Carter is also rumored to have the capability to tap directly into undersea fiber optic cables.

But even if the NSA tapped into every fiber optic cable in the world, it would only be able to read unencrypted traffic. And the most popular Internet services (including high-value sites like webmail providers) are increasingly using encryption. For those kinds of sites, the NSA needs a program like PRISM to get the data directly from the site operator.

The NSA isn't the only spy agency tapping into communication lines. The agency's British counterpart, the General Communications Headquarters (GCHQ), also taps fiber optic cables too, according to a Friday Guardian report based on documents provided by Snowden.

Is that legal?

That's still being litigated. The Electronic Frontier Foundation sued to stop the program revealed by Klein's disclosures in 2008. That case is ongoing. The government has argued that the state secrets privilege protects it from having to respond to EFF's lawsuit.

The Snowden slide suggests the government believes its fiber-tapping program are, like PRISM, legal under Section 702 of FISA.

What kind of oversight does the program have?

We don't know. If the program is based on FISA, then the government presumably has submitted a general description of the program to the FISC court for review, but those documents have not been leaked to the public. The government also likely briefs the House and Senate Intelligence Committees on the programs.