Director of National Intelligence (DNI) James Clapper recently confirmed (in a letter to Sen. Ron Wyden (D-Ore.) that the National Security Agency (NSA) is using “U.S. person identifiers” to query its huge PRISM database of communications. This was treated as big news — though it should probably be noted that it is not news in the sense of being new. NSA use of this type of query within the database actually came to light last August, when a 2011 opinion by FISA Judge John Bates was declassified (see p. 22 of the opinion).
Still, Clapper’s official confirmation of it is welcome since it draws attention to other aspects of this troubling surveillance program.
What’s the big deal? Well, the PRISM database is composed of substantive U.S. international communications collected under the authority of Section 702 of FISA. This collection program targets “non-U.S. persons” reasonably believed to be outside the United States who are in telephone or Internet communication with someone inside the United States. The harvested communications go into the PRISM database so that they can be analyzed by the complicated equivalent of search engine queries for five years, at which point they are supposed to be purged from the system.
Now, here’s the catch: Since one end of these communications is inside the United States, the program collects roughly as many communications of “U.S. persons” – American citizens or residents – as it does of “non-U.S. persons” reasonably believed to be abroad. So, the government can run searches on the database that look for information on U.S. persons, even though it didn’t technically intend to collect those persons’ information in the first place: After all, it was looking for information on the non-U.S. persons they were communicating with.
Is this okay? Or a book-keeping trick that is too clever by half? In a joint statement reacting to Clapper’s confirmation of the practice, Wyden and Sen. Mark Udall (D-Colo.) condemned the use of “U.S. person identifiers.” They argued that such queries were in fact “warrantless searches of the content of Americans’ personal communications.” Therefore, these “back-door searches” raised “serious constitutional questions” and were “unacceptable.”
The NSA, not surprisingly, thinks otherwise. Since the NSA collects these communications by targeting non-U.S. persons who have no Fourth Amendment rights, no warrant is required for their collection; any “incidental” collection of U.S. persons’ communications is “reasonable” under the Fourth Amendment. (Remember, the Fourth Amendment only prohibits “unreasonable” searches or seizures.) Further, once the communications are placed into the PRISM database, the NSA argues that “querying” the database is not a “search” in any constitutional sense anyway, no matter who or what they are searching for.
At a recent hearing before the Privacy and Civil Liberties Oversight Board (PCLOB), Brad Wiegman, deputy assistant attorney general, elaborated on this. “I would say that the search occurs at the time that the collection occurs,” Wiegman argued. “Once you’ve lawfully collected that information, subsequently querying that information isn’t a search under the Fourth Amendment, [since] it’s information already in the government’s custody.” When, he asked, is “a warrant … required to search information already in your custody”? (See the transcript of the hearing here; the quoted extract is from pp. 27-8.)
To support his position, Wiegman referred to evidence “incidentally” collected under traditional FISA court orders that require probable cause that the target is a “foreign power or an agent of a foreign power.”
“Once we’ve collected it [the evidence],” he said, “we’ve gotten the necessary court approvals” … We do not have “to go back to court to query the same information that we’ve already collected lawfully.” We don’t have to go back “a second time to say is it okay to look at it. We’ve already gotten the conclusion that it’s legal to collect it.”
But Wiegman is comparing two types of collection programs that are targeted in qualitatively different ways. Traditional FISA court orders (as well as criminal warrants for wiretaps) involve a judge authorizing electronic surveillance directed at specific individuals. In contrast, the FISA 702 program that worries Wyden and Udall permits the attorney general and DNI to simply certify in writing “the categories of foreign actors that may be appropriately targeted.” There is no limit to the number of “categories” that the AG and the DNI can certify, except that the purpose of the collection has “to obtain foreign intelligence information.” In these cases, a FISA judge only confirms, on a yearly basis, that the AG and DNI have made the proper certification of a “category” of targets of surveillance. The judge does not review whether a particular non-U.S. person reasonably believed to be abroad fits into one of those categories. That judgment is instead made by an NSA analyst. (Officials at the Department of Justice and the Office of the DNI are supposed to review these judgments every 60 days.)
There is therefore an ongoing trade-off between (a) not tipping off NSA’s overseas targets that they are likely under NSA surveillance, and (b) the right of the American people to know how many of their international communications are “incidentally” collected by the NSA. As of now, the former is completely outweighing the latter. Keep in mind that, according to the 2011 Bates opinion noted above (see p. 29), the NSA collects 250 million Internet communications each year. If we assume 150 million international phone calls are also are collected annually, over a five-year period, the NSA’s database would consist of a tidy 2 billion international communications. Obviously, the number of “incidental” communications collected by traditional FISA court orders and criminal wiretap warrants is miniscule compared to this estimate of the size of the Section 702 database.
So although Clapper’s confirmation that the NSA uses “U.S. person identifiers” to query the PRISM database is not a brand-new revelation, it does give us a new opportunity to contemplate the huge number of U.S. communications contained in that database. We should remember, too, that such data are subject to numerous and sophisticated mining techniques, not just those involving “U.S. person identifiers.” In future posts, I hope to dig farther into that pile.