The Republican chair of the House Intelligence Committee, Devin Nunes has just said that Donald Trump’s communications were likely picked up by US intelligence agencies through “incidental collection.” Before Nunes’ statement, I interviewed Jennifer Stisa Granick, the director of civil liberties at Stanford University’s Center for the Internet and Society, about her new Cambridge University Press book, “American Spies: Modern Surveillance, Why You Should Care and What to Do About It,” which was just published by Cambridge University Press. The interview discusses incidental collection, describing both how Nunes’ previous concerns about the incidental collection of communications involving former Trump National Security Adviser Michael Flynn were misplaced, and how incidental collection of information on US citizens raises broader issues.
HF: There is a big debate about reauthorizing key electronic surveillance programs. What are they, and why are they controversial?
JSG: The government has two programs to gather the contents of Americans’ communications with foreigners from inside the United States — without first going to a judge and getting a search warrant. PRISM involves obtaining the information from major Internet providers such as Google, Apple, Yahoo and Skype. Upstream involves tapping the Internet backbone and searching for “selectors” associated with foreign intelligence targets. These are not counterterrorism programs. The statute allowing PRISM and Upstream to take place authorizes surveillance for any “foreign intelligence” purpose, including the collection of information about a foreign power or territory that is related to “the conduct of the foreign affairs of the United States” (a phrase that could include just about anything).
Even though the targets of surveillance must be foreigners believed to be outside the country, these controversial programs suck massive amounts of private data — including data on U.S. persons into government databases. The FBI can then search some of the data about U.S. persons without a warrant or finding of “probable cause.” This is called the “backdoor search loophole.” Agents could use this information to learn about a person’s religious beliefs, contacts with the press, sexual behavior and medical situation.
The statute authorizing PRISM and Upstream collection — section 702 of the FISA Amendments Act — will expire at the end of the year, unless Congress reforms or reauthorizes it.
HF: Your book talks about how the intelligence community uses terms such as “bulk,” “surveillance” and so on in ways that are hard for outsiders to understand. What consequences does this have in practice for debates over intelligence?
JSG: Code words like “collect,” “target,” “in bulk,” “surveillance” make it hard for experts and nonexperts alike to learn the truth about surveillance policy. They don’t mean what common sense would suggest, but have concocted meanings for intelligence gathering. They make it hard to understand what surveillance is being conducted, making real democratic oversight impossible.
HF: You argue that “intelligence collection aimed at foreigners captures Americans too.” Why is this so, and what consequences does it have for privacy in the United States?
JSG: Americans are surveilled when we talk to foreign targets. However, this “incidental collection” doesn’t just involve national security questions and can sweep up information about bystanders. For example, if you are in a conversation with many others in an Internet chat room or social network, and only one of those others is foreign, your and everyone else’s communications are considered fair game for foreign intelligence surveillance. Just one foreign target can justify surveillance of tens or hundreds of other people, some of whom may be U.S. persons on U.S. soil.
Americans’ communications are also collected as part of surveillance that takes place on the “backbone” of communications networks that together comprise the Internet. The National Security Agency can gather communications in bulk from outside the U.S., so that Americans get caught in the net. Inside the U.S., if a communication is “to,” “from,” or even “about” an email address or phone number associated with a foreigner that the government is interested in, the entire transaction is collected.
Once collected, the information can be used in accordance with internal “minimization” policies that are changeable and classified or partially classified. The procedures generally say that Americans’ names must be blacked out, but these procedures are rife with exceptions, plus some of the data the NSA, FBI and CIA share in “raw” version — without masked American identifiers.
If someone ignores these procedures, there’s no reason to believe that they will be found out or punished.
HF: What are the procedures for internal and external oversight of U.S. intelligence agencies, and how well or poorly have they worked over the past 15 or so years?
JSG: Oversight is crucial — but insufficient. Internal oversight is inherently compromised because it is done by government employees who ultimately report to the same bosses who are ordering and conducting the surveillance. For example, the Bush administration got away with illegal warrantless wiretapping of Americans’ calls with foreigners. When President Bush said, this is how we are going to spy, everyone fell in line, even though it was illegal. After all, he was the president. Under the Obama administration, we saw internal watchdogs take a legalistic approach to surveillance oversight, which is ineffective when the legal rules are vague and easily manipulated.
Under the Trump administration, there’s no reason to believe that internal oversight will work any better, especially if the executive branch agencies are understaffed and underfunded, and American spies are ordered to identify undocumented immigrants, create a Muslim registry, identify people hostile to the administration, and more.
Congress might provide some oversight, but many members of Congress fear casting a vote against surveillance or torture, thereby endangering their career if a cataclysmic attack happens. As President Trump said of the judge who enjoined the executive order banning people from seven predominantly Muslim countries, “If something happens, blame him.” Until lawmakers understand and feel responsible for the dangers of surveillance, they aren’t going to take a stand.
Judicial oversight hasn’t worked well, either. The Foreign Intelligence Surveillance Court (FISC) is supposed to be a check on spying, but it has never discovered surveillance abuses on its own initiative, and when it has found out about legal surveillance, its judges have gone out of their way to ensure that the practices would continue. Civilian courts have a hard time ruling on surveillance programs, since to sue the government, the plaintiff first has to show she has been spied on under a secret program. In addition, the government can argue that the case ought to be dismissed because it will reveal state secrets, and law enforcement may hide the fact that they have used controversial surveillance against suspects.
HF: Your book was written before Trump’s election. After the election, we have seen running warfare between Trump and some parts of the intelligence community. How is this likely to affect the politics of spying domestically and internationally?
JSG: I honestly don’t know. Some might say that the presidency has little power to affect the intelligence bureaucracy, and things will go on as usual. Bureaucratic stagnation sounded pessimistic some months ago but is an optimistic view today. The Trump administration might expand information gathering and use it to enable deportations, registries and “tough on crime” approaches. In this context, many people might welcome some foot dragging — but it might also be that when the intelligence community’s leadership is replaced by Trump loyalists, the rest of the community will just go along.
Still, the Trump administration’s battle with the intelligence community may be making surveillance hawks more likely to agree with civil libertarians than they had in the past. When Michael Flynn stepped down after intelligence reports that he had talked to the Russian ambassador, House Permanent Select Committee on Intelligence Chairman Devin Nunes (R-Calif.) said, “The big problem I see here is that you have an American citizen who had his phone calls recorded.”
Nunes’s concern for Flynn is misplaced. The Russian ambassador, Sergey Kislyak, is an obvious foreign intelligence target. If Flynn was talking to him, he would almost certainly be recorded as part of “incidental collection.” But Nunes is broadly correct that minimization rules are not robust enough to protect American privacy. Many of Trump’s officials, with their international business activities, are probably well-represented in foreign intelligence intercepts, and vulnerable to having their materials searched for political purposes. Rep. Trey Gowdy (R-S.C.) has been a stalwart advocate of increased surveillance powers. But as he pointed out in a House Intelligence Committee hearing on Monday, the American people aren’t going to trust the government with spying capabilities if they think their names are going to be accessible to investigators and potentially leaked to the public for political reasons. Perhaps Trump loyalists’ mistrust of the intelligence community will strengthen the coalition of lawmakers seeking substantive statutory surveillance reform.