THE NATIONAL SECURITY AGENCY on Friday suddenly announced it is curtailing one of its major surveillance programs.
Under pressure from the secret court that oversees its practices, the NSA said its “upstream” program would no longer grab communications directly from the U.S. internet backbone “about” specific foreign targets — only communication to and from those targets.
This is a major change, essentially abandoning a bulk surveillance program that captured vast amounts of communications of innocent Americans – and turning instead to a still extensive but more targeted approach.
“This change ends a practice that could result in Americans’ communications being collected without a warrant merely for mentioning a foreign target,” Senator Ron Wyden said in a statement. “For years, I’ve repeatedly raised concerns that this amounted to an end run around the Fourth Amendment. This transparency should be commended. To permanently protect Americans’ rights, I intend to introduce legislation banning this kind of collection in the future.”
The “upstream” surveillance program is one of two controversial programs authorized by Section 702 of the Foreign Intelligence Surveillance Act, which is scheduled to expire in December unless it is reauthorized by Congress. It was among several programs whose existence was a secret until being revealed by NSA whistleblower Edward Snowden.
Until now, upstream was examining every Internet communication that traveled on the huge telecommunication cables going in and out of the U.S., searching through every word, grabbing sometimes very big chunks of data that included even a single mention of a specific target, and then putting everything into a database for NSA analysts to look through.
Communications between people, including Americans, was being captured and examined not because they were suspected of anything, but because of what they were saying. And the program wasn’t even efficient at limiting it to that.
The NSA statement on Friday said the move came “after a comprehensive review of mission needs, current technological constraints, United States person privacy interests, and certain difficulties in implementation.”
But reading between the lines, it wasn’t voluntary.
In a companion statement, the NSA acknowledged that it had failed to follow the rules the FISA court established for “about” collection in 2011: “NSA discovered several inadvertent compliance lapses,” is how they put it.
“NSA self-reported the incidents to both Congress and the FISC, as it is required to do. Following these reports, the FISC issued two extensions as NSA worked to fix the problems before the government submitted a new application for continued Section 702 certification. The FISC recently approved the changes after an extensive review.”
In other words, after giving the NSA two extensions, the court refused to reauthorize the wider program until it stopped “about” searches entirely.
That is less surprising considering that the 2011 FISC decision establishing the new rules came after a judge was shocked to learn that the 702 program wasn’t just snatching communications to and from targets, but was in fact looking through everything. Judge John Bates wrote at the time:
Based upon the government’s descriptions of the proposed collection, the Court understood that the acquisition of Internet communications under Section 702 would be limited to discrete “to/from” communications between or among individual account users and to “about” communications falling within [redacted] specific categories that had been first described to the Court in prior proceedings.
The independent Privacy and Civil Liberties Oversight Board concluded in its 2014 report that “certain aspects of the Section 702 program push the program close to the line of constitutional reasonableness.” One of those aspects: “the use of ‘about’ collection to acquire Internet communications that are neither to nor from the target of surveillance.”
Laura K. Donahue, the director of the Center on Privacy and Technology at Georgetown University – and now an amicus for the FISC – wrote in a seminal 2015 law review article that the “about” collection “significantly expands the volume of Internet intercepts under Section 702.” She noted that “to obtain ‘about’ communications, because of how the Internet is constructed, the NSA must monitor large amounts of data” and was “not just considering envelope information (for example, messages in which the selector is sending, receiving, or copied on the communication) but the actual content of messages.”
And she said it was clearly unconstitutional. “While the targeting procedures and the interception of information to or from non-U.S. persons located outside the United States meet the Fourth Amendment’s standard of reasonableness, when looked at in relation to Section 702, the inclusion of communications ‘about’ targets or selectors and the knowing interception of entirely domestic conversations shift the program outside constitutional bounds.”
Privacy activists expressed delight over the change Friday, although they retained their mistrust of the NSA and their demand that Congress refuse to reauthorize Section 702 as is.
“The NSA should never have been vacuuming up all of these communications, many of which involved Americans, without a warrant. While we welcome the voluntary stopping of this practice, it’s clear that Section 702 must be reformed so that the government cannot collect this information in the future,” said Michelle Richardson, Deputy Director of the Freedom, Security, and Technology Project at the Center for Democracy and Technology, in a statement.
“As a baseline, this makes a statutory ban on ‘about’ collection much more feasible. It becomes much harder for the NSA to justify the necessity of something they’re not doing,” said Jake Laperruque, senior counsel at the Constitution Project.
The change does not affect the other major program that operates under Section 702, called Prism. That program warrantlessly harvests communications to and from foreign targets from major Internet companies like Facebook and Google. But like upstream, Prism “incidentally” sweeps up innocent Americans’ communications as well. Those are then entered into a master database that a Justice Department lawyer once described as the “FBI’s ‘Google’ of its lawfully acquired information.” Critics call those “backdoor searches” of warrantless surveillance.
Wyden and other members of Congress have been trying to understand the scope of 702 surveillance for years, but the government has refused to provide even a ballpark figure.
Security fences surround the National Security Agency’s Utah data collection center in Bluffdale, Utah near Salt Lake City on April 12, 2017