December 18, 2015

US Surveillance Law, Safe Harbor, and Reforms Since 2013

Peter Swire [1]

Executive Summary:

This White Paper is a submission to the Belgian Privacy Authority for its December 18, 2015 Forum on “The Consequences of the Judgment in the Schrems Case.” [2] The Forum discusses the decision by the European Court of Justice in Schrems v. Data Protection Commissioner [3] that the EU/US Safe Harbor was unlawful under the EU Data Protection Directive, particularly due to concerns about US surveillance law.

For the Forum, I have been asked to comment on two issues:

1) Is US surveillance law fundamentally compatible with EU data protection law?

2) What actions and reforms has the US taken since the Snowden revelations began in June 2013?

The White Paper draws on my background as a scholar of both EU data protection law and US surveillance law. It addresses serious misunderstandings of US national security law, reflected in official statements made in the Schrems case and elsewhere. It has three chapters:

(1) The fundamental equivalence of the United States and EU Member States as constitutional democracies under the rule of law. In the Schrems decision, the US was criticized for failing to ensure “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.” This chapter critiques that finding, instead showing that the United States has strict rule of law, separation of powers, and judicial oversight of law enforcement and national security surveillance, which together make the US legal order “essentially equivalent” to the EU legal order.

[1] Peter Swire is the Huang Professor of Law and Ethics at the Georgia Tech Scheller College of Business and a Senior Fellow of the Future of Privacy Forum. He is Senior Counsel with the law firm of Alston & Bird, LLP; nothing in this document should be attributed to any client of the firm. Further biographical information and acknowledgments are at the end of this White Paper.

[2] https://www.privacycommission.be/en/events/forum-consequences-judgment-schrems-case. The Belgian Privacy Commission is studying these issues for the broader group of European privacy regulators in the Article 29 Working Party. The level of EU skepticism of US surveillance law practices is reflected in the title of my panel: “Law in the EU and the US: impossible coexistence?”

[3] The ECJ opinion in Maximillian Schrems v. Data Protection Commissioner, Case C-362/14 (October 2015), available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=127557


(2) The Section 702 PRISM and Upstream programs are reasonable and lawful responses to changing technology. The Advocate General’s opinion in the Schrems case said that the PRISM program gave the NSA “unrestricted access to mass data” stored in the US, and that Section 702 enabled NSA access “in a generalised manner” for “all persons and all means of electronic communications.” This chapter refutes those claims, which appear to be based in part on incorrect stories in the press. Instead, the Section 702 programs operate with judicial supervision and subject to numerous safeguards and limitations. They examine the communications only of targeted individuals, and only for listed foreign intelligence purposes. The total number of individuals targeted under Section 702 in 2013 was 92,707, a tiny fraction of Internet users in the EU or globally.

(3) The US Congress and executive branch have instituted two dozen significant reforms to surveillance law and practice since 2013. The Schrems decision said that US privacy protections must be evaluated in the “current factual and legal context,” but did not address the numerous changes put in place since 2013. This chapter provides a readable explanation of each of these actions, which together constitute the biggest set of pro-privacy actions in US surveillance law since creation of the Foreign Intelligence Surveillance Act in 1978.

Chapter 1

The Fundamental Equivalence of the United States and EU Member States as Constitutional Democracies Under the Rule of Law

This chapter addresses the most basic requirement of the European Court of Justice (ECJ) in the Schrems decision, that the United States must ensure “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.” [4] In the wake of the Schrems decision, there are now serious debates in the EU about whether any transfer of personal data to the US can be considered “adequate” under the requirements of the Data Protection Directive. [5] If the European legal regime makes a firm finding that the United States lacks the necessary legal order, then transfers of personal data may be essentially blocked, affecting large portions of trans-Atlantic commerce and communication.

This chapter seeks to explain the US system of law and surveillance to a European audience. The chapter stresses this point: the fundamental equivalence of the United States and EU Member States as constitutional democracies under the rule of law. The United States has its Constitution, continually in effect since 1790. The US has deeply established rule of law, separation of powers, and judicial oversight of both law enforcement and national security surveillance. For Europe to decide that the US “legal order” is unacceptable and deficient -- requiring blocking of most or all data transfers -- would be a consequential judgment, and one not supported by the facts. Among the many problems with such a decision, Europe would have to determine what other countries in the world have a constitutional law and practice that is the same as, or less protective than, the United States; such countries would logically also be ineligible to receive data transfers from the EU.

The discussion here of “fundamental equivalence” is different than a country-by-country comparison of the details of US surveillance law compared to the surveillance law of the 28 EU Member States. Others undoubtedly will present reports about whether the details of US law are “essentially equivalent” to the details of surveillance law in the Member States. The discussion here of “fundamental equivalence” gives a deeper meaning to the ECJ’s discussion of “essential equivalence”: in its “essence,” does the United States legal system provide protection for fundamental rights that is essentially equivalent to the Member States? At the basic, fundamental, and constitutive level, does the US legal system meet the minimum standard for protection of rights under the legal systems of any of the Member States?

As a law professor who has long studied both US and EU law, [6] my answer is a clear yes. To explain the fundamental equivalence of the US legal system, the chapter provides a brief introduction to the US as a constitutional democracy under the rule of law. It next explains the way that the Fourth Amendment to the US Constitution, governing searches and seizures, has been applied to wiretaps and changing technology over time in law enforcement cases. Then, the discussion turns to the related regime for foreign intelligence and national security wiretaps and surveillance. For both law enforcement and national security surveillance, independent judges with life tenure have thoroughly reviewed government surveillance programs, and have assured that legal protections are updated to match changing communications technology.

Some readers who are more familiar with the US legal system and its surveillance laws may decide to skip ahead to Chapter 2, concerning the Section 702 PRISM and Upstream programs, and Chapter 3, listing 24 US actions and legal changes in the surveillance sphere since the Snowden stories began in June 2013. This chapter provides some basic information on US constitutional and surveillance law, however, because the idea and the fact of fundamental equivalence has not been prominent to date in discussions related to the Schrems Safe Harbor decision.

A. The United States is a Constitutional Democracy Under the Rule of Law.

Readers of this White Paper will generally agree, I hope, that the United States is a constitutional democracy under the rule of law. The United States Constitution, which was ratified in 1790, creates three branches of government. The separation of the legislative, executive, and judicial branches matches the views of Montesquieu in his 1748 treatise on “The Spirit of the Laws” -- divided power among the three branches protects “liberty” and guards against “tyrannical” uses of power. [7] Under the US Constitution, Congress is elected by the people; the President is elected to no more than two four-year terms; and federal judges are nominated by the executive, confirmed by the legislature, and appointed for life to ensure their independence.

The Bill of Rights to the United States Constitution specifically enumerates provisions to protect freedoms and privacy of individuals. Most important for surveillance issues, the Fourth Amendment limits the government’s ability to conduct searches and seizures, and warrants can issue only with independent review by a judge. The Fourth Amendment governs more than simply a person’s home or body; its protections apply specifically to communications, covering a person’s “papers and effects.” [8] Other fundamental rights and safeguards in the Bill of Rights include: the First Amendment’s protection of freedom of speech and freedom of association; [9] the Third Amendment’s protection of the privacy of the home, by prohibiting the quartering of soldiers within a person’s home; [10] and the Fifth Amendment’s protection of the privacy of a person’s thoughts, specifically by prohibiting the government from making persons testify about their own thoughts to incriminate themselves. [11]

B. Fundamental Protections Related to Law Enforcement Surveillance

To address changing technology, judges with life tenure have developed detailed case law concerning the Fourth Amendment, with somewhat different rules for law enforcement uses (crimes) and national security (foreign intelligence).

[4] Paragraphs 96, 98, and 107 of the Schrems decision, available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=127557.

[5] For instance, along with doubts about the validity of the Safe Harbor, German data protection authorities have questioned the legality of transfers of personal data to the US under model contracts or Binding Corporate Rules. The German DPA position paper is available, in German, at https://www.datenschutzzentrum.de/artikel/967-Positionspapier-des-ULD-zum-Safe-Harbor-Urteil-des-Gerichtshofs-der-Europaeischen-Union-vom-6.-Oktober-2015,-C-36214.html. A summary of the position paper is located at http://www.dataprivacymonitor.com/enforcement/german-data-protection-authorities-limit-use-of-alternative-data-transfer-mechanisms-in-light-of-safe-harbor-decision/

[6] For instance, I was a student at L’Institut d’Études Européennes in Brussels in 1980-1981. I was the lead author of a book on EU data protection law in 1998. Peter Swire & Robert Litan, None of Your Business: World Data Flows, E-Commerce, and the European Privacy Directive (Brookings Institution, 1998). See also Peter Swire, “Of Elephants, Mice, and Privacy: International Choice of Law and the Internet,” 32 The International Lawyer 991 (1998) (analyzing choice of law issues under the EU Data Protection Directive), available at http://ssrn.com/abstract=121277; “Peter Hustinx and Three Clichés About E.U.-U.S. Data Privacy,” in Data Protection Anno 2014: How to Restore Trust? (Hielke Hijmans & Herke Kranenborg eds.) (Intersentia 2014), available at http://ssrn.com/abstract=2404258.

[7] “When legislative power is united with executive power in a single person or in a single body of the magistracy, there is no liberty, because one can fear that the same monarch or senate that makes tyrannical laws will execute them tyrannically. Nor is there liberty if the power of judging is not separate from legislative power and from executive power. If it were joined to legislative power, the power over the life and liberty of the citizens would be arbitrary, for the judge would be the legislator. If it were joined to executive power, the judge could have the force of an oppressor. All would be lost if the same man or the same body of principal men, either of nobles, or of the people, exercised these three powers: that of making the laws, that of executing the laws, that of executing public resolutions, and that of judging the crimes or the disputes of individuals.” Montesquieu, Book 11 Chapter 6 – On the Constitution of England. http://oll.libertyfund.org/titles/837

[8] The Fourth Amendment to the United States Constitution reads, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” https://www.law.cornell.edu/constitution/fourth_amendment (text); see http://www.uscourts.gov/about-federal-courts/educational-resources/about-educational-outreach/activity-resources/what-does-0 (explanation)

[9] The First Amendment to the United States Constitution reads, “Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.” https://www.law.cornell.edu/constitution/first_amendment (text)

[10] The Third Amendment to the United States Constitution reads, “No soldier shall, in time of peace be quartered in any house, without the consent of the owner, nor in time of war, but in a manner to be prescribed by law.” https://www.law.cornell.edu/constitution/third_amendment (text)

[11] The Fifth Amendment to the United States Constitution reads, “No person ... shall be compelled in any criminal case to be a witness against himself.” https://www.law.cornell.edu/constitution/fifth_amendment (text)

As many have described, the Supreme Court has announced strict rules under the Fourth Amendment for wiretaps. [12] Initially, a closely divided Supreme Court in 1928 held that the Fourth Amendment did not apply, because the wiretap was done “in public” at the telephone pole. [13] Soon after, the Congress passed a law regulating wiretaps. [14] In the 1960s, the Supreme Court reversed that decision in the famous Katz and Berger cases, and set forth detailed requirements for law enforcement wiretaps. [15] Congress enacted those protections in 1968 in Title III of that year’s crime bill, including strict minimization requirements and the requirement that wiretaps be used only when other investigative methods would not succeed. [16]

As an important part of the overall enforcement of the Fourth Amendment, the Supreme Court developed the “exclusionary rule,” so evidence from an illegal search could not be used in court. [17] In addition, the Court barred evidence that was “the fruit of a poisonous tree” – additional evidence similarly could not be used in court if it was derived from an illegal search. [18]

In recent years, three Supreme Court cases illustrate the continuing judicial scrutiny of surveillance practices in light of changing technology:

1. Riley v. California (cell phones). [19] The longstanding rule has been that police can search a person “incident to arrest” – they can go through the person’s pockets to spot possible weapons or evidence. The government took the position that this rule applied to cell phones. In 2014, the Supreme Court unanimously disagreed, holding that a judicial warrant was needed before police could search the contents of the cell phone. The Court said: “a cell phone search would typically expose to the government far more than the most exhaustive search of a house.” In short, the Court updated fundamental rights protections to adapt to the changing technology of the cell phone.

2. United States v. Jones (search conducted in public). [20] The longstanding rule has been that police can “tail” a suspect in public – they can observe where a suspect goes. Police had also placed tracking devices on objects – the Supreme Court had previously ruled that the tracking device couldn’t enter the home without a warrant, but had never prohibited tracking a suspect in public. In 2012, the Court unanimously held that a warrant was required for a tracking device put on a suspect’s car for 28 days. One problem was that the police were “trespassing” on the suspect’s car when they attached a device. Justices wrote at length, however, about the constitutional protections that were needed to prevent long-term and widespread surveillance in public, in light of changing technology.

3. Kyllo v. United States (search of house conducted from the street). [21] Longstanding doctrine has permitted the police to gather evidence that is in “plain view.” In this 2001 case, the police used a thermal imaging device to detect heat radiating from a house where marijuana was being grown under high-intensity lamps. The Court stated: “Where, as here, the Government uses a device that is not in general use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a ‘search’ and is presumptively unreasonable without a warrant.” This holding constrained police surveillance even when the evidence was gathered from the street rather than entering the home.

In conclusion on the rules on law enforcement surveillance, the independent judiciary in the US has a long practice, as well as prominent recent examples, of constraining surveillance conducted by new technologies.

C. Fundamental Protections Related to National Security Surveillance

The US rules applying to national security surveillance are different in certain ways from the law enforcement rules, but multiple, significant constitutional and statutory protections apply even in the national security setting.

The Supreme Court’s discussion of national security wiretaps notably began in the 1967 Katz case, where the Court announced Fourth Amendment requirements for law enforcement wiretaps. With regard to national security, the Court stated: “Whether safeguards other than prior authorization by a magistrate would satisfy the Fourth Amendment in a situation involving the national security is a question not presented in this case.”

The Supreme Court addressed the lawfulness of national security wiretaps in 1972 in United States v. United States District Court, generally known as the “Keith” case after the name of the district court judge in the case. The defendant was charged with the dynamite bombing of an office of the Central Intelligence Agency. In what the New York Times referred to as a “stunning” victory for separation of powers, the Supreme Court concluded that “Fourth Amendment freedoms cannot be properly guaranteed if domestic security surveillance may be conducted solely within the discretion of the Executive Branch.” [22] The Court held that, for wiretaps or other electronic surveillance of domestic threats to national security, the government must first receive a judicial warrant. The Court expressly withheld judgment “on the scope of the President’s surveillance power with respect to the activities of foreign powers, within or without this country.” [23]

The modern rules for national security surveillance were shaped by Watergate. The break-in to the office in the Watergate building was an example of a classic threat from unchecked executive power – an intrusion into the office of the opposing political party. Following the resignation of President Nixon in 1974, Congress passed the Privacy Act of 1974, creating new protection against misuse of personal information by federal agencies. In 1978, Congress passed the Foreign Intelligence Surveillance Act (FISA), a path-breaking legal structure to address the problem of secret surveillance in an open society.

I have previously written in detail about the numerous legal provisions in FISA. [24] A key point, for present purposes, is that the law created the Foreign Intelligence Surveillance Court (FISC), staffed by independent federal judges with lifetime tenure. Wiretaps and electronic surveillance for foreign intelligence purposes, conducted within the US, could only be done with approval by a FISC judge. Except for short-term emergency orders, the President, the Attorney General, and the FBI could no longer do national security wiretaps on their own – the judges served as a crucial check on the executive branch. Safeguards for FISA orders include:

• Requirement for high-level approval within the Department of Justice for any FISA order;

• Minimization procedures to reduce the effects on persons other than the targets of surveillance;

• Provision for electronic surveillance for a limited time, with the opportunity to extend the surveillance; and

• Requirement for details to the judge concerning the targets of the surveillance and the nature and location of the facilities placed under surveillance.

Congress created institutional checks on the issuance of the secret FISA wiretaps. For instance, Congress created the Senate and House Intelligence Committees, which receive classified briefings about intelligence surveillance. The Attorney General must report to these committees every six months about FISA electronic surveillance, including a description of each criminal case in which FISA information has been used for law enforcement purposes. The Attorney General also must make an annual report to Congress and the public about the total number of applications made for orders and extensions of orders, as well as the total number that were granted, modified, or denied.

Chapter 2 of this White Paper discusses the judicial oversight and safeguards under the Section 702 PRISM and Upstream programs. Chapter 3 discusses numerous actions and reforms undertaken since 2013 to promote oversight, transparency, and democratic accountability for national security surveillance.

D. Conclusion

Under the Data Protection Directive, transfers of personal data can be made to third countries if there is “adequate” protection, which the ECJ has stated means “essentially equivalent” protection. One aspect of this essential equivalence determination for Safe Harbor 2.0 will concern specific provisions of law, such as data subject access rights or the right to have an investigation by an independent data protection authority in the data subject’s country. I leave that sort of essential equivalence analysis to other authors.

The discussion here has instead focused on the Schrems discussion of essential equivalence to the protections guaranteed in the “EU legal order.” That comparison requires understanding of the “US legal order.” As discussed in this chapter, both the US and EU Member States are constitutional democracies under the rule of law. The US has a long tradition of, and recent examples of, independent judges updating fundamental rights protections to adapt to changing technology. The system for governing national security surveillance features the vital principles of oversight, transparency, and democratic accountability. The latter was illustrated in 2015 with passage of the USA Freedom Act limiting national security surveillance.

Fundamental rights advocates in the EU and the US often propose ways that particular rights can be better protected. There is no claim here that the legal order in either the EU or US protects human rights in the best possible way. The key point instead is that both legal orders are essentially equivalent in their method of democratic governance with constitutional protections. Dismissing the US legal order as fundamentally flawed would be contrary to the facts and would cause major disruptions to commerce and communications between allied nations.

[12] One discussion of the history of law enforcement and national security wiretaps is in Peter Swire, “The System of Foreign Intelligence Surveillance Law,” 72 Geo. Wash. L. Rev. 1306 (2004), available at http://ssrn.com/abstract=586616.

[13] Olmstead v. United States, 277 U.S. 438 (1928). Justice Brandeis wrote a famous dissent, which was essentially adopted by the Supreme Court in the 1967 Katz case.

[14] Communications Act of 1934, Pub. L. No. 73-416 (codified at 47 U.S.C. § 605).

[15] Katz v. United States, 389 U.S. 347 (1967); Berger v. New York, 388 U.S. 41 (1967).

[16] Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. No. 90-351, 82 Stat. 197 (1968) (codified at 18 U.S.C. §§ 2510-2521).

[17] Mapp v. Ohio, 367 U.S. 643 (1961).

[18] Wong Sun v. U.S., 371 U.S. 471 (1963).

[19] Riley v. California (United States Supreme Court decision, June 2014), http://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf.

[20] United States v. Jones, 132 S. Ct. 945, 565 U.S. __ (2012).

[21] Kyllo v. United States, 533 U.S. 27 (2001).

[22] Morrison, Trevor, “The Story of the United States v. United States District Court (Keith): The Surveillance Power,” p. 2 (Columbia Public Law & Legal Theory Working Papers, 2008), http://lsr.nellco.org/cgi/viewcontent.cgi?article=1047&context=columbiapllt

[23] The Court specifically invited Congress to pass legislation creating a different standard for probable cause and designating a special court to hear the wiretap applications. Congress accepted this invitation in FISA.

[24] Peter Swire, “The System of Foreign Intelligence Surveillance Law,” 72 Geo. Wash. L. Rev. 1306 (2004), available at http://ssrn.com/abstract=586616.

Chapter 2

The Section 702 PRISM and Upstream Programs are Reasonable and Lawful Responses to Changing Technology.

This chapter explains and analyzes the PRISM and Upstream programs under Section 702. Although there are specific issues where I believe current law should be improved, Section 702 overall is a reasonable and lawful response to technological changes.

This chapter explains the legal structure of Section 702 before providing more detail about the PRISM and Upstream programs. Section 702 applies to collections that take place within the US, and only authorizes access to the communications of targeted individuals, for listed foreign intelligence purposes. The independent Privacy and Civil Liberties Oversight Board, after receiving classified briefings on Section 702, came to this conclusion as part of its 196-page report: “Overall, the Board has found that the information the program collects has been valuable and effective in protecting the nation’s security and producing useful foreign intelligence. The program has operated under a statute that was publicly debated, and the text of the statute outlines the basic structure of the program. Operation of the Section 702 program has been subject to judicial oversight and extensive internal supervision, and the Board has found no evidence of intentional abuse.” [25]

We now know, based on declassified documents, that the Foreign Intelligence Surveillance Court carefully reviews NSA’s implementation of Section 702 and has required the government to modify aspects of its procedures to address compliance incidents that have been reported by the Government to the Court. In my view, these declassified opinions show the willingness and ability of independent judges to hold intelligence agencies accountable if they stray from the law.

The Section 702 programs have received stern criticism from European officials in the Schrems case. Notably, the Advocate General’s Opinion included the following statements (with emphasis supplied): “According to the Snowden revelations, the NSA established a programme called ‘PRISM’ under which it obtained unrestricted access to mass data stored on servers in the United States owned or controlled by a range of companies active in the Internet and technology field, such as Facebook USA.” [26] Later, the Opinion states as fact: “Indeed, the access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security.” The Opinion says the access covers “in a generalised manner, all persons and all means of electronic communication and all the data transferred, including the content of the communications, without any differentiation, limitation or exception according to the objective of general interest pursued.” It adds that, for information transferred by a company such as Facebook to the U.S., there is “mass, indiscriminate surveillance.”

I quote the Advocate General’s Opinion in detail because of the large gap between these statements and how Section 702 actually operates. One difficulty, described in detail here, is that the original Washington Post story about PRISM was inaccurate and subsequently corrected. Observers including the Fundamental Rights Agency of the European Union have now recognized the factual mistakes. Based on the corrected facts, the Fundamental Rights Agency [27] and the US Privacy and Civil Liberties Oversight Board have found that PRISM is not a bulk collection program, but instead is based on the use of targeted selectors such as email addresses.

The Upstream program similarly acquires only targeted communications. From a recently declassified opinion of the Foreign Intelligence Surveillance Court, we now know that the number of electronic communications acquired through Upstream in 2011 was only about 10 percent of the number acquired by PRISM. We also know, based on the same opinion, that the FISC has carefully reviewed NSA’s implementation of Section 702 and has required the government to modify aspects of its procedures to address compliance incidents reported by the Government to the Court. In my view, this and other declassified opinions show the willingness and ability of independent judges to hold US intelligence agencies accountable if they stray from the law.

People of good will and intelligence can disagree on what constitutes a reasonable approach to changing technology. Chapter 3 discusses Section 702 reforms that have been put in place since 2013. President Obama’s Review Group on Intelligence and Communications Technology, on which I served, made recommendations about Section 702 that have not been adopted to date, some of which can only be made by Congress, which will review the law when it sunsets in 2017. [28] I am not saying Section 702 is perfect, but it is perfectly clear that the rule of law applies under statutory, executive, and judicial oversight, and Section 702 is not “unrestrained.”

A. The Legal Structure of Section 702.

[25] PCLOB Report 702, at 2.

[26] http://www.scl.org/site.aspx?i=ne44089.

[27] European Union Agency for Fundamental Rights, “Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU” (2015), at 17, available at http://fra.europa.eu/sites/default/files/fra_uploads/fra-2015-surveillance-intelligence-services_en.pdf

[28] Review Group Report, Recommendation 12, at 145-150.


The rationale for what is commonly referred to as Section 702 of FISA29 evolved from the changing nature of international communications. Prior to the Internet, surveillance of communications between two people outside of the US took place outside of the US. For instance, a phone call between someone in France and someone in Pakistan could be collected either in France or Pakistan (or perhaps somewhere in between). Under US law, the Fourth Amendment of the US Constitution clearly applies to wiretaps that are made within the US. By contrast, these constitutional protections do not apply to communications between a French person in France and a Pakistani in Pakistan – they are not part of the community that has agreed to live under the governance of the US Constitution. Accordingly, collection of this type of information historically was outside of FISA’s jurisdiction. As discussed further in Chapter 3, EU and other democracies have similarly given themselves greater freedom to do surveillance outside of their borders than within.

With the rise of the Internet, the facts changed. Now, the same communication between France and Pakistan quite possibly did pass through the United States -- much of the Internet backbone has been built in the US, and many communications thus route through the US. One legal question answered by Section 702 was how to govern foreign-foreign communications30 when the intercept occurred within the US.31 A related factual change concerned the growing use of US-based providers for webmail, social networks, and other services. This change meant that communications between two non-US persons more often would be stored within the US. In light of these factual changes, as well as technological issues affecting the previous statutory text,32 Congress passed Section 702 of FISA in 2008.

The basic structure of Section 702 is that the Foreign Intelligence Surveillance Court must annually approve certifications by the Director of National Intelligence and the Attorney General setting the terms for Section 702 surveillance.33 To target the communications of any person, the government must have a foreign intelligence purpose to conduct the collection and a reasonable belief that the person is a non-US citizen located outside of the US.34 Section 702 can provide access to the full contents of communications, and not just to/from information. The court annually reviews and must approve targeting criteria, documenting how targeting of a particular person will lead to the acquisition of foreign intelligence information. As discussed in Chapter 3, the administration has agreed to strengthen the targeting rules.35 The court annually also approves minimization procedures, to cover the acquisition, retention, use, and dissemination of non-publicly available information about US persons.36

29 “Section 702” refers to a provision in the Foreign Intelligence Surveillance Act Amendments Act of 2008, which revised the Foreign Intelligence Surveillance Act of 1978, available at https://www.govtrack.us/congress/bills/110/hr6304/text.
30 This type of communication was historically handled under E.O. 12,333, available at http://www.archives.gov/federal-register/codification/executive-order/12333.html.
31 This type of communication was historically governed by the stricter standards of FISA, available at https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1286.
32 Laura K. Donohue, “Section 702 and the Collection of International Telephone and Internet Content,” 38 Harv. J. L. & Pub. Policy 117, 142 (2015) (discussing technical issues with FISA’s definition of “electronic surveillance”).
33 For discussion of the numerous specific requirements in Section 702, see Laura K. Donohue, “Section 702 and the Collection of International Telephone and Internet Content”, available at http://scholarship.law.georgetown.edu/facpub/1355/; see also NSA Director of Civil Liberties and Privacy Office Report, “NSA's Implementation of Foreign Intelligence Surveillance Act Section 702” (April 2014), https://www.nsa.gov/civil_liberties/_files/nsa_report_on_section_702_program.pdf.
34 Review Group Report, Appendix A.

The Review Group discussed the following set of safeguards that accompany NSA access to information under Section 702. These safeguards show the enormous difference between “unrestricted access to mass data” and actual US law and practice:

1) Targeting must be for a valid foreign intelligence purpose in response to National Intelligence Priorities;

2) Targeting must be under a Foreign Intelligence Surveillance Court (FISC) approved Section 702 Certification and targeted at a person overseas;

3) All targeting is governed by FISC-approved targeting procedures;

4) Specific communications identifiers (such as a phone number or email address) are used to limit collections only to communications to, from, or about a valid foreign intelligence target;

5) Queries into collected data must be designed to return valid foreign intelligence (or, in the case of the FBI, foreign intelligence information or evidence of a crime) and overly broad queries are prohibited and supervised by the FISC;

6) Disseminations to external entities, including select foreign partners (such as E.U. member states) are made for valid foreign intelligence purposes; and

7) Raw data is destroyed after two years or five years, depending on the collection source.37

The PCLOB’s report on Section 702 provides step-by-step examples about how these safeguards apply in practice.38

To give perspective on Section 702, it provides more detailed legal restrictions than applied previously to foreign-foreign communications. Previously, if the US conducted surveillance overseas, to target foreign communications, the US Constitution and other laws did not limit US government activities.39 Now, when the same two non-US persons communicate, and the communication is accessed within the US, any access to the contents must be done under a federal court order and the multiple safeguards of the Section 702 regime.

35 The changes include: (1) Revision of the NSA’s targeting procedures to specify criteria for determining the expected foreign intelligence value of a particular target; (2) Further revision to require a detailed written explanation of the basis for the determination; (3) FISC review of the revised targeting procedures and requirements of documentation of the foreign intelligence finding; (4) Other measures to ensure that the “foreign intelligence purpose” requirement in Section 702 is carefully met; (5) Submission of the draft targeting procedures for review by the PCLOB (an independent agency with privacy responsibilities); and (6) Compliance, training, and audit.
36 https://www.nsa.gov/civil_liberties/_files/nsa_report_on_section_702_program.pdf
37 RG Report, at Appendix B.
38 PCLOB 702 Report, at 46.

B. The PRISM program is not a bulk collection program.

The PRISM program became famous when it was publicly named in one of the first stories based on the Snowden documents. The initial story was incorrect in important respects, but those inaccuracies have been widely repeated. As found by independent European and US reviews, the actual PRISM program is not even a bulk collection program, much less the basis for “mass and indiscriminate surveillance” when data is transferred from the EU to the US.

The actual operation of PRISM is similar to data requests made in other settings to service providers. In PRISM collection, acting under a Section 702 court order, the government sends a directive requiring collection of certain “selectors,” such as an email address. The directive goes to a United States-based service provider. The company lawyers have the opportunity to challenge the government request. If there is no appeal to the court, the provider is compelled to give the communications sent to or from that selector to the government.40

Widespread misunderstanding of PRISM traces to a Washington Post story that led with this statement: “The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents, and connection logs that enable analysts to track a person’s movements and contacts over time.”41 We now know that the government does not have direct access under the PRISM program, but instead serves legal process on the providers similar to other stored records requests.

39 Access to those communications, acquired overseas, would typically be governed by Executive Order 12,333, which is less strict than Section 702.
40 PCLOB 702 Report, at 7.
41 Barton Gellman, “U.S. intelligence mining data from nine U.S. Internet companies in broad secret program,” Washington Post, June 6, 2013 (emphasis added), available at https://fg3qua.dm2302.livefilestore.com/y3mKC7oGF-GpV3F7dq9wjirtfXMk8TIfCYCDL59yJI0k24j_SqPf2jTlZTcEq1ZtVFSOaCKrPOuYarNeNJ3Ykt_NSBD_ut-_9oMMOXLdcMb6Np6Bx78sjfzftnHDswYoKzQUeeC81zjcldDgZSy3rCY7g/WaPo%20NSA%20report%20-%20heavy%20editing.pdf?psid=1. When the original version of the article was withdrawn from the Washington Post’s website on June 7, 2013 and replaced with a revised version, the headline of the article was also changed, explanation at https://pjmedia.com/blog/wapo-quietly-changes-key-details-in-nsa-story. The new headline read, “U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program.” (emphasis added), at https://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html. Gellman further asserted that, “[f]rom inside a company’s data stream the NSA is capable of pulling out anything it likes.”


The inaccuracies in the news story led to immediate responses. Technology companies named in the article42 issued statements denying that the government had direct access to their servers to collect user data.43 Within 24 hours, the Washington Post itself heavily edited the original story, but left the lead sentence intact.44 In reviewing the events, prominent media sources soon reported the Washington Post account was inaccurate because each company had only responded to government requests for information after receiving a directive requiring them to do so.45 As can easily happen with press stories, the corrections never caught up with the original mistake. The mistake about direct access to servers was quoted in the High Court of Ireland’s decision in Schrems v. Data Protection Commissioner:46

“According to a report in The Washington Post published on 6th June 2013, the NSA and the Federal Bureau of Investigation (“FBI”): ‘are tapping directly into the central servers of nine leading US internet companies, extracting audio and video chats, photographs, e-mails, documents and connection logs that enable analysts to track foreign targets….’ According to the Washington Post the programme is code-named PRISM and it apparently enables the NSA to collect personal data such as emails, photographs and videos from major internet providers such as Microsoft, Google and Facebook.”47

The Advocate General to the European Court of Justice did not directly cite the Washington Post story, but relied on the mistaken view of the facts in saying: “According to those revelations, the NSA established a programme called ‘PRISM’ under which it obtained unrestricted access to mass data stored on servers in the United States owned or controlled by a range of companies active in the Internet and technology field, such as Facebook USA.”48 The opinion added that, for information transferred by a company such as Facebook to the US, there is “mass, indiscriminate surveillance.”49

These sensational but incorrect factual assertions are a close fit with the crucial statement by the European Court of Justice that the United States lacks “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.”50

The correction has already been understood by leading European and US institutions. The European Union Agency for Fundamental Rights recently released a major report about surveillance by intelligence services, at the request of the European Parliament.51 This report recognized the corrected view of PRISM. It cites an article by M. Cayford and others that stated: “The interpretation by The Washington Post and The Guardian52 was that this meant these companies were collaborating with the NSA to give it a direct connection to their servers, to ‘unilaterally seize’ all manner of communications from them. This proved, however, to be incorrect.”53 The Agency for Fundamental Rights report agreed with the Cayford article statement that PRISM is “a targeted technology used to access court ordered foreign Internet accounts,” and not mass surveillance.54 The US Privacy and Civil Liberties Oversight Board, an independent agency that received classified information about the PRISM program, similarly concluded: “the Section 702 program is not based on the indiscriminate collection of information in bulk. Instead the program consists entirely of targeting specific [non-U.S.] persons about whom an individualized determination has been made.”55

42 The nine companies named were AOL, Apple, Facebook, Google, Microsoft, PalTalk, Skype, Yahoo, and YouTube.
43 http://www.cbsnews.com/news/apple-google-facebook-yahoo-microsoft-paltalk-aol-issue-statements-of-denial-in-nsa-data-mining/
44 https://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html
45 See http://www.engadget.com/2013/06/06/washington-post-nsa-fbi-tapping-directly-into-servers-of-9-lea/; http://www.cnet.com/news/no-evidence-of-nsas-direct-access-to-tech-companies/; http://www.businessinsider.com/washington-post-updates-spying-story-2013-6
46 Schrems v. Data Protection Commissioner, 2014 IEHC 310, available at http://fra.europa.eu/en/caselaw-reference/ireland-high-court-ireland-2014-iehc-310
47 Schrems v. Data Protection Commissioner, 2014 IEHC 310, available at http://fra.europa.eu/en/caselaw-reference/ireland-high-court-ireland-2014-iehc-310
48 Paragraph 26 of the Advocate General’s opinion in Maximillian Schrems v. Data Protection Commissioner, Case C-362/14 (September 2015) (emphasis added), available at http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&docid=168421
49 Id. at Paragraph 200.
50 Paragraph 96 of the ECJ opinion in Schrems.
51 http://fra.europa.eu/sites/default/files/fra_uploads/fra-2015-surveillance-intelligence-services_en.pdf
52 The Guardian article revealing the PRISM program also reported that this program gave the NSA direct access to the servers of major internet providers such as Google, Apple, Skype, and Yahoo. The slide speaks of PRISM “collection directly from the servers” of nine US internet service providers. The article is entitled, “NSA Prism program taps in to user data of Apple, Google, and others,” available at http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data
53 M. Cayford, et al., “All Swept Up: An Initial Classification of NSA Surveillance Technology,” at 645-46, available at http://www.crcnetbase.com/doi/abs/10.1201/b17399-9. The European Union Agency for Fundamental Rights report reviewed the PRISM program in light of the Cayford article, which found that “[t]he ‘direct access’ described … is access to a particular foreign account through a court order for that particular account, not a wholesale sucking up of all the information on the company's users.” European Union Agency for Fundamental Rights, “Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU” (2015), at 17, available at http://fra.europa.eu/sites/default/files/fra_uploads/fra-2015-surveillance-intelligence-services_en.pdf
54 European Union Agency for Fundamental Rights, “Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU” (2015), at 17, available at http://fra.europa.eu/sites/default/files/fra_uploads/fra-2015-surveillance-intelligence-services_en.pdf
55 Privacy and Civil Liberties Oversight Board, “Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act” (July 2014), at 111, available at https://www.pclob.gov/library/702-Report.pdf


The public also now has access to official statistics about the number of individuals targeted under Section 702. The US intelligence community now releases an annual Statistical Transparency Report,56 with the statistics subject to oversight from Congress, Inspector Generals, the FISC, the PCLOB, and others.57 For 2014, there were 92,707 “targets” under the Section 702 programs, many of whom are targeted due to evidence linking them to terrorism.58 That is a tiny fraction of US, European, or global Internet users. It demonstrates the low likelihood of the communications being acquired for ordinary citizens.59

C. The Upstream program accesses fewer electronic communications than PRISM

The Upstream program gains emails and other electronic communications from the Internet backbone, and thus the European Union Agency for Fundamental Rights noted that the same Cayford article that found PRISM not to be “mass surveillance” has called the Upstream program “mass surveillance.”60 Upon examination, I believe a better view is that the legal rules that authorize Upstream mean that it is a targeted program as well. Indeed, the targeting and minimization procedures for Upstream collection are the same as or stronger than those that are applied to PRISM collection. A declassified FISC opinion found that over 90% of the Internet communications obtained by the NSA in 2011 under Section 702 actually resulted from PRISM, with less than 10% coming from Upstream.61 Upstream collection takes place with the same targeted selector process that is used for PRISM. In short, given the positive findings from European experts about the PRISM program, there is a strong basis for rejecting the conclusion that Upstream is “mass surveillance,” given its much smaller scale.

56 The first two have been released: Calendar Year 2014 Transparency Report; Statistical Transparency Report Regarding Use of National Security Authorities - Annual Statistics for Calendar Year 2014 - April 22, 2015, at http://icontherecord.tumblr.com/transparency/odni_transparencyreport_cy2014; 2013 Transparency Report; Statistical Transparency Report Regarding Use of National Security Authorities - Annual Statistics for Calendar Year 2013 - June 26, 2014, at http://icontherecord.tumblr.com/transparency/odni_transparencyreport_cy2013.
57 For a listing of the multiple oversight entities, see Review Group Report, Appendix C.
58 The statistical reports define “target” in detail, and the number of individuals targeted is lower than the reported number, to avoid any possible understatement of the number of targets.
59 The 2014 Statistical Transparency Report reiterates the targeted nature of the surveillance: “Given the restrictions of Section 702, only selectors used by non-U.S. persons reasonably believed to be located outside the United States and who possess, or who are likely to communicate or receive, foreign intelligence information that is covered by an approved certification may be tasked.”
60 European Union Agency for Fundamental Rights, “Surveillance by Intelligence Services: Fundamental Rights Safeguards and Remedies in the EU” (2015), at 17, available at http://fra.europa.eu/sites/default/files/fra_uploads/fra-2015-surveillance-intelligence-services_en.pdf
61 The analysis of Judge Bates’ opinion is in the PCLOB Section 702 report, at 33-34. I am not aware of a similar quantitative comparison of PRISM and the Upstream program for telephone communications, but the discussion here of filtering and acquisition of targeted communications applies in the same way to both telephone and electronic communications.

1. How the Upstream Technology Works

The Upstream program is clearly explained in the PCLOB’s report on Section 702.62 The NSA may target non-US persons by tasking specific selectors, such as email addresses or telephone numbers, and may not use keywords or the names of targeted individuals.63

As discussed at the start of this Chapter, the Upstream program is a response to changing technology. As the Internet developed, a large portion of the Internet backbone passed through the United States, meaning that many foreign-foreign communications could be accessed by surveillance done inside the US. Previously, foreign-foreign communications would have been accessed outside of the US, where the US Constitution and various laws are less strict than for access inside the US. The Upstream program, like the PRISM program, was authorized by the FISC under Section 702 as a way to apply the statute’s safeguards to communications accessed in the US.

The PCLOB report explained the key role of a filter under Section 702, including for the Upstream program: “To identify and acquire Internet transactions associated with the Section 702–tasked selectors on the Internet backbone, Internet transactions are first filtered to eliminate potential domestic transactions, and then are screened to capture only transactions containing a tasked selector.”64 Under Section 702, the filter selects only the communications that match the approved selectors, such as emails. Those emails make it through the filters, and are stored for access by the NSA. The information that doesn’t make it through the filters is never accessed by the NSA or anyone else.65

62 PCLOB Report on 702, at 36-39.
63 The PCLOB writes: “The NSA may only target non-U.S. persons by tasking specific selectors to upstream Internet transaction collection. And, like other forms of Section 702 collection, selectors tasked for upstream Internet transaction collection must be specific selectors (such as an email address), and may not be keywords or the names of targeted individuals.” PCLOB Report on 702, at 36.
64 PCLOB report on 702, at 37.
65 Some readers may not believe the NSA follows the rules and gains access only to approved communications that have made it through the filters. My own view is that the NSA has built a large and generally effective compliance program in recent years. As documented by the Review Group, multiple layers of oversight exist over these NSA actions, including oversight by judges, Congress, and the NSA Inspector General. Review Group Report, Appendices B and C. Systematic violation of the Section 702 rules would thus be highly risky for the NSA to undertake.


Diagram 2-2 is taken from a US National Research Council report on “Bulk Signals Analysis: Technical Options.” The diagram can be used to illustrate the role of the filter in the Upstream program. At the left side of the diagram, signals go through the Internet backbone. The signal is split (“extract”) and then goes through the filter. The filter only allows authorized messages to pass through, based on “discriminants” or “selectors” such as email address. Authorized messages go into storage. At this point, for the first time, the messages can be queried. That is, under Upstream, only NSA employees can make queries, and they only have the ability to make queries on messages that have reached storage after filtering. Put another way, the NSA accesses only targeted communications, based on approved selectors.

Based on these technological realities, the National Research Council report noted that there are two differing conceptions of privacy for when data is acquired. One view (taken for instance by Cayford66) posits that violation of privacy occurs when the electronic signal is first captured, regardless of what happens to the signal after that point. The second view, which I share, is that processing the signal only for filtering purposes does not constitute mass surveillance. Access only to the filtered results, under rules such as those in Section 702, means that the communications of an individual are only retained if there is a match with a selector such as an email address.

The ultimate question is whether this sort of filtering, under law, should be permitted as a way to access communications flowing through the Internet. If the US (or an ally) has the technical ability to perform the filtering, and find high-value intelligence communications, society must decide whether to do so. Changing technology means that potentially vital national security information may be available, under a court order, as data flows through the system.

66 M. Cayford, et al., “All Swept Up: An Initial Classification of NSA Surveillance Technology,” at 644-45.

The PCLOB has written lengthy reports, based on classified information, on Section 215 telephone meta-data and on the Section 702 program, including Upstream. The PCLOB found the former to be unlawful, bad policy, and not vital for national security. By contrast, the PCLOB unanimously came to a different verdict on the 702 program: (1) Section 702 “is not based on the indiscriminate collection of information in bulk”;67 (2) Section 702 meets the standard for reasonableness under the Fourth Amendment to the US Constitution;68 and (3) Section 702 has been effective at addressing international terrorism.69

2. Judge Bates’ Declassified Opinion about Section 702 Illustrates Judicial Oversight of NSA Surveillance

One persistent question about US surveillance law has been whether there is independent judicial oversight of NSA practices. Based on recently-declassified opinions of the Foreign Intelligence Surveillance Court, the general public can now see the FISC holding NSA practices unlawful, and refusing to continue a surveillance program without modifications. As someone who has studied FISA for more than a decade, the declassified opinions match my prior view, that the FISC has often provided stricter oversight of surveillance practices than most on the outside have realized.70 It has always been clear that judges on the FISC were independent in the sense that they have life tenure and cannot be removed from office except for good cause. Instead of the “indiscriminate surveillance” alleged by the Advocate General in Schrems, the declassified opinions show the FISC to be independent in the broader sense of applying judicial oversight to practices the judges find unlawful.

67 The PCLOB found: “Unlike the telephone records program conducted by the NSA under Section 215 of the USA PATRIOT Act, the Section 702 program is not based on the indiscriminate collection of information in bulk. Instead, the program consists entirely of targeting specific persons about whom an individualized determination has been made. Once the government concludes that a specific non-U.S. person located outside the United States is likely to communicate certain types of foreign intelligence information — and that this person uses a particular communications ‘selector,’ such as an email address or telephone number — the government acquires only those communications involving that particular selector.” PCLOB Section 702 report at 111.
68 The PCLOB “concludes that the core of the Section 702 program – acquiring the communications of specifically targeted foreign persons who are located outside the United States, upon a belief that those persons are likely to communicate foreign intelligence, using specific communications identifiers, subject to FISA court-approved targeting rules and multiple layers of oversight – fits within the ‘totality of the circumstances’ standard for reasonableness under the Fourth Amendment, as that standard has been defined by the courts to date.” PCLOB Section 702 report at 9.
69 “Presently, over a quarter of the NSA’s reports concerning international terrorism include information based in whole or in part on Section 702 collection, and this percentage has increased every year since the statute was enacted. Monitoring terrorist networks under Section 702 has enabled the government to learn how they operate, and to understand their priorities, strategies, and tactics. In addition, the program has led the government to identify previously unknown individuals who are involved in international terrorism, and it has played a key role in discovering and disrupting specific terrorist plots aimed at the United States and other countries.” PCLOB Section 702 report at 10.

A 2011 opinion by Judge Bates of the FISC found that NSA’s minimization procedures were not adequate to deal with one portion of Upstream collection, and therefore required that those procedures be amended before he would authorize continuation of the program.71 The controversy concerned NSA access to certain kinds of emails.72 Judge Bates found that the Upstream program at that time did not satisfy the requirements of either FISA or the Fourth Amendment. He therefore refused to approve NSA’s continuing acquisition of this category of emails.73 Thereafter, the government substantially revised its procedures for handling the emails, and in November 2011 Judge Bates approved the future acquisition of those emails subject to the new minimization standards.74 In addition, NSA took the additional step of deleting all previously acquired upstream communications.75

In my view, this and other declassified FISC decisions show vigorous and critical scrutiny by independent judges of the details of NSA surveillance.

D. Conclusion

The legal structure and implementation of PRISM and Upstream under Section 702 have been far more targeted and subject to oversight than the initial press reports claimed. With declassification of court orders, as well as documents such as the PCLOB report on Section 702, the general public and experts in Europe and the United States have a far stronger factual basis than prior to 2013 to debate what reforms may be appropriate when the law sunsets in 2017.

70 As with any court, reasonable people can differ on particular cases. I am critical of some of the declassified opinions, especially those upholding the lawfulness of the telephone meta-data program under Section 215.
71 In re DNI/AG 702(g), Docket Number 702(i)-11-01 (FISC November 30, 2011) (Redacted version), available at http://www.dni.gov/files/documents/1118/CLEANEDPRTT%202.pdf
72 The problem arose where multiple emails were included in threads. For these “multi-communications transactions,” the minimization procedures were not being applied in the way the Judge believed was necessary. Essentially, the Judge found that information was visible in the string of emails included within one email, in ways contrary to the minimization requirements.
73 The court’s opinion is discussed in detail in the Review Group’s report, at 142.
74 Report and Recommendation of the President’s Review Group on Intelligence and Communications Technologies, “Liberty and Security in a Changing World,” at 142, available at https://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf
75 Report and Recommendation of the President’s Review Group on Intelligence and Communications Technologies, “Liberty and Security in a Changing World,” at 142, available at https://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf


A key point of this chapter is that NSA acquisition of people’s emails and other communications under Section 702 is not “pervasive” as has often been claimed. The Fundamental Rights Agency of the European Union has agreed with the PCLOB and others that the PRISM program is targeted rather than bulk collection. We know from declassified FISC documents that Upstream acquired less than 10 percent as many electronic communications in 2011 as PRISM, and so it is not pervasively acquiring electronic communications. Taken together, the total number of individuals targeted under Section 702 in 2013 was 92,707, a tiny fraction of total EU or global Internet users.

Chapter 3

The US Has Taken Multiple and Significant Actions to Reform Surveillance Laws and Programs Since 2013

Since the Snowden disclosures in 2013, the US has undertaken at least two dozen significant actions to reform surveillance laws and programs. To explain these changes, this Chapter covers approximately 20 pages, a sign of the many (and detailed) reforms that have been put in place. The actions are:

A. Independent reviews of surveillance activities

1) Review Group on Intelligence and Communications Technology;
2) Privacy and Civil Liberties Oversight Board;

B. Legislative actions

3) Increased funding for the PCLOB;
4) Greater judicial role in Section 215 orders;
5) Prohibition on bulk collection under Section 215 and other laws;
6) Addressing the problem of secret law – declassification of FISC decisions, orders, and opinions;
7) Appointment of experts to brief the FISC on privacy and civil liberties;
8) Transparency reports by companies subject to court orders;
9) Transparency reports by the US Government;
10) Imminent passage of the Judicial Redress Act;

C. Executive branch actions

11) New surveillance principle to protect privacy rights outside of the US;
12) Protection of civil liberties in addition to privacy;
13) Safeguards for the personal information of all individuals, regardless of nationality;
14) Retention and dissemination limits for non-US persons similar to US persons;
15) Limits on bulk collection of signals intelligence;
16) Limits on surveillance to gain trade secrets for commercial advantage;
17) New White House oversight of sensitive intelligence collections, including of foreign leaders;
18) New White House process to help fix software flaws rather than use them for surveillance;
19) Greater transparency by the executive branch about surveillance activities;
20) Creation of the first NSA Civil Liberties and Privacy Office;
21) Multiple changes under Section 215;
22) Stricter documentation of the foreign intelligence basis for targeting under Section 702;
23) Other changes under Section 702; and
24) Reduced secrecy about National Security Letters.

These reforms exemplify the democratic response of the US government to concerns raised about surveillance and show a legal system responding to changes in technology.

A. Independent Reviews of Surveillance Activities

Issue: It is difficult to get informed and independent counsel about how to reform intelligence agencies. Many agency actions and programs are necessarily kept classified, to avoid revealing sources and methods for achieving their missions. To create one source of independent review, Congress established the Senate and House Intelligence Committees in the 1970's, in the wake of Watergate.76 Within the executive branch, the most expert individuals generally have worked within the agencies that are being reviewed. That experience provides the expertise, but can also establish loyalties that are not easily set aside for purposes of critique and review.

Action: Beginning soon after June 2013, President Obama worked with two independent review efforts, staffed by knowledgeable people and able to get briefings at the TS/SCI level (Top Secret/Sensitive Compartmented Information), the highest level of security clearance. Reports have since been published, with detailed recommendations, from both the Review Group on Intelligence and Communications Technology ("Review Group") and the Privacy and Civil Liberties Oversight Board ("PCLOB").

(1) Review Group on Intelligence and Communications Technology

The Review Group was announced in August 2013, published its final report in December, and met with the President to receive its mission and discuss its recommendations.77 The five members have diverse expertise: (1) Richard Clarke, former counter-terrorism and cybersecurity senior advisor to both President Clinton and George W. Bush; (2) Michael Morell, former Deputy Director of the CIA, with thirty years of experience in the Intelligence Community; (3) Geoffrey Stone, eminent legal scholar on constitutional issues in time of crisis; (4) Cass Sunstein, the most-cited American legal scholar, and former Director of the Office of Information and Regulatory Affairs in the Office of Management and Budget; and (5) myself, with experience in areas including cybersecurity, foreign intelligence law, and privacy.

The Review Group's report was over 300 pages, made 46 recommendations, and has been reprinted as a book by the Princeton University Press. When President Obama made his major speech on surveillance reform in January 2014, the Review Group was told that 70 percent of its recommendations were being adopted in letter or spirit, and others have been adopted since. The Review Group's report received widespread attention in the press, especially this finding: "Our review suggests that the information contributed to terrorist investigations by the use of Section 215 telephony metadata was not essential to preventing attacks and could readily have been obtained in a timely manner using conventional Section 215 orders."

(2) Privacy and Civil Liberties Oversight Board

By coincidence, the chair of the Privacy and Civil Liberties Oversight Board (PCLOB) started work the week the first Snowden story broke.78 The PCLOB is the sort of independent oversight agency that has often been stressed by European data protection experts, with the same independent structure as the Federal Trade Commission. There are five members, no more than three from any political party, who serve a term of years. Members of the PCLOB and their staff receive TS/SCI security clearances and investigate and report on the counterterrorism activities of the US intelligence community.79

The PCLOB has distinguished members with relevant expertise: (1) David Medine, the Chair, was a senior FTC privacy official who helped negotiate the Safe Harbor; (2) Rachel Brand has been the Assistant Attorney General for Legal Policy, serving as chief policy advisor to the US Attorney General; (3) Beth Collins has also served as Assistant Attorney General for Legal Policy at the US Department of Justice; (4) Jim Dempsey is a leading surveillance expert in US civil society, working for many years at the Center for Democracy and Technology; and (5) Patricia Wald was a judge on the Court of Appeals for the D.C. Circuit for twenty years, and has also served as a Judge on the International Criminal Tribunal for the former Yugoslavia.

76 Both houses of the US Congress, the Senate and the House of Representatives, have intelligence oversight committees. The mandate of these committees is to make continuing studies of the intelligence activities and to provide legislative oversight over the intelligence activities of the US to assure that these activities are in conformity with the US Constitution and laws. Members of these committees have access to classified intelligence assessments, access to intelligence sources and methods, programs, and budgets. For details on the US Senate Select Committee on Intelligence, see http://www.intelligence.senate.gov/about. Information on the US House of Representatives Permanent Select Committee on Intelligence can be found at: http://intelligence.house.gov/.
77 "Liberty and Security in a Changing World: Report and Recommendations of the President's Review Group on Intelligence and Communications Technology," available at https://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf. The Review Group's task from the President was to find an approach "that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties, recognizing our need to maintain the public trust, and reducing the risk of unauthorized disclosure." Id. The Report has been republished by the Princeton University Press, http://press.princeton.edu/titles/10296.html.
78 I have sympathy for David Medine, the Chair, for trying to get his office furniture in place at the same time that the biggest intelligence story in decades hit the headlines.
79 https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1283

Since 2013, the PCLOB has released detailed reports on the Section 215 surveillance program80 and the Section 702 surveillance program,81 making numerous recommendations. Its central recommendations on the Section 215 telephone meta-data program were enacted in the USA Freedom Act, discussed below. Overall, PCLOB made 22 recommendations in its Sections 215 and 702 reports and virtually all have been accepted and either implemented or are in the process of being implemented.

In summary on the Review Group and the PCLOB, the overall reforms of the US intelligence system since Snowden have been informed by detailed reports, based on top-secret briefings. These reports have been written by independent groups who presented them to the President.

B. Legislative Actions

(3) Increased funding for the PCLOB.

Issue: At the time of the Snowden revelations, the PCLOB was a new agency whose Chair had just been sworn into office. The annual budget was too low to hire much staff.

Action: In 2014, Congress increased the PCLOB funding substantially, to $7.5 million, and in 2015 to $10 million, bringing total staff to 32 plus five Board members.82 This funding increase enables the PCLOB, going forward, to hire enough staff to continue to carry out its mandates and write detailed reports about intelligence community activities.

(4) Greater judicial role in Section 215 orders.

Issue: Under the Section 215 statute, as enacted in 2001, Foreign Intelligence Surveillance Court judges issued a general order to authorize the bulk collection of telephone meta-data. The decision to look at the information, however, was made by NSA employees, subject to oversight by the Department of Justice, based on a standard of "reasonable, articulable suspicion" that a telephone number was associated with terrorism.

Action: President Obama announced in 2014 that judicial approval would also be required for an NSA employee to look at the information. This approach was codified in the USA Freedom Act, passed in 2015, which also prohibited the bulk collection of telephone metadata and required the queries to be submitted with court approval to the providers.83

80 https://www.pclob.gov/library/215-Report_on_the_Telephone_Records_Program.pdf
81 https://www.pclob.gov/library/702-Report.pdf
82 The statistics are based on an interview with the PCLOB.
83 USA Freedom Act, Sec. 104, available at https://www.congress.gov/bill/114th-congress/house-bill/2048

As a separate amendment, the statute also required that judges review the minimization procedures under Section 215 orders, which previously were approved only by the Attorney General, to ensure that information, once accessed, is minimized to exclude records that are not foreign intelligence information.84

(5) Prohibition on bulk collection under Section 215 and other laws.

Issue: Congress reacted, in the USA Freedom Act, to its concern that there could be bulk collection under a number of foreign intelligence authorities.

Action: The law prohibited bulk collection under three distinct authorities: (1) Section 215, for collection of "tangible things" (including phone records);85 (2) FISA pen register and trap and trace authorities (to/from information about communications);86 and (3) National Security Letters (phone, financial, and credit history records).87 The law went beyond Section 215 orders to prevent the agencies from using alternative statutory authorities for bulk collection. These clear statements in law from the Congress plainly state the limits on appropriate use of Section 215 and other authorities.88

(6) Addressing the problem of secret law – declassification of FISC decisions, orders, and opinions.

Issue: A long-standing problem in the foreign intelligence area is how to avoid the development of secret law. Secret law is contrary to the basic theory of democracy, that citizens should govern themselves, and thus should know the laws that apply to themselves. The Foreign Intelligence Surveillance Court (FISC) was created in 1978 as a compromise, that generalist federal judges would oversee issuance of foreign intelligence orders but keep the orders secret to protect national security. The risk of secret law became more acute after 2001, as the FISC faced the question of whether entire programs, such as Section 215 telephone meta-data, PRISM, and Upstream, were being carried out in compliance with statutory provisions. In calling for greater transparency, PCLOB's 215 report urged that, to the maximum extent consistent with national security, the government create and release with minimal redactions declassified versions of new decisions, orders and opinions by the FISC in cases involving novel interpretations of FISA or other significant questions of law, technology or compliance.

84 USA Freedom Act, Sec. 104.
85 USA Freedom Act, Sec. 103.
86 USA Freedom Act, Sec. 201.
87 USA Freedom Act, Sec. 501.
88 The program ended in November 2015.

Action: Although significant opinions of the FISC had always been provided to congressional oversight committees, the Obama administration began systematic declassification of FISC opinions, for the first time, in 2013. The stated goal was to carefully review each opinion, and disclose the actions of the FISC to the extent possible. By February 2015, the intelligence community had posted more than 250 declassified documents comprising more than 4,500 pages. Many of these documents related to proceedings of the FISC.89

The USA Freedom Act codified this effort.90 From now on, the government will review each decision, order, and opinion of the FISC or the court that reviews it that includes "a significant construction or interpretation of any provision of this Act." After the review, the full or redacted opinion shall be made publicly available "to the greatest extent practicable." If a court action cannot be made public due to national security, the government must summarize "the significant construction or interpretation" of the legal provision.91

(7) Appointment of experts to brief the FISC on privacy and civil liberties.

Issue: When the FISC was created in 1978, its principal task was to decide whether a phone wiretap for one individual met the statutory standard. This task is essentially the same as a judge deciding to issue a warrant or other court order for a traditional law enforcement case. Under US law, such orders are issued ex parte, that is, the government presents its evidence and the court makes its decision, without representation from the criminal defendant.

After 2001, along with these individual orders, the FISC was faced with the decision whether to issue court orders for entire surveillance programs, such as Section 215 phone meta-data, Section 702 PRISM, and Section 702 Upstream. In my view, the FISC was acting somewhat similarly to a regulatory agency – is this overall program operating under the correct procedures and safeguards? Under US law, regulatory decisions of this magnitude generally occur only after a judge has received briefing from one or more non-government viewpoints. Both the Review Group and the PCLOB recommended that a panel of advocates be appointed so that the FISC would hear independent views on novel and significant matters.

Action: The USA Freedom Act authorized the creation of a group of independent experts, called "amicus curiae" (friend of the Court), to brief the FISC on important cases.92 The law instructs the FISC to appoint an amicus curiae for a matter that, in the opinion of the court, "presents a novel or significant interpretation of the law."

89 http://icontherecord.tumblr.com/ppd-28/2015/enhancing-transparency; www.icontherecord.tumblr.com
90 The newly re-issued Intelligence Community Directive on the National Intelligence Priorities Framework, ICD 204, codifies some of these issues. http://fas.org/irp/dni/icd/icd-204.pdf
91 USA Freedom Act, Sec. 602.
92 USA Freedom Act, Sec. 401.

The court retains some discretion on when to appoint an amicus curiae, but the clear intent of the statute is that independent lawyers with security clearances shall participate before the FISC in important cases. This reform provides the opportunity for independent views to be heard by the FISC in important cases, so that the assertions of government officials can be carefully tested before the judge. The statute does not precisely state what role the amicus curiae should play, but the first criterion for selection is "expertise in privacy and civil liberties." The FISC has named five expert lawyers, including Professor of Law Laura Donohue of Georgetown University, who has written extensively on civil liberties and foreign intelligence law, as well as lawyers who have been involved in these matters either in prior government service or in private practice.93

(8) Transparency Reports by Companies Subject to Court Orders

Issue: As discussed in Chapter 1, transparency is a central component of governing secret intelligence agencies in an open democracy. Historically, the companies who receive national security-related requests have been under strict limits about what they could disclose. For instance, companies could not even confirm or deny whether they had ever received a National Security Letter. In the absence of information about the scope of requests, skeptical people outside of the intelligence agencies feared "mass and indiscriminate surveillance." Both the Review Group and the PCLOB recommended that the government work with Internet service providers and other companies that regularly receive FISC orders to develop rules permitting the companies to voluntarily disclose more detailed statistical information concerning those orders.

Action: In 2014, the US Department of Justice reached agreement with major service providers (e.g., webmail and social network providers) that they could disclose considerably more detailed and extensive information about national security requests. Going forward, these service providers could publish these details in the annual or semi-annual Transparency Reports that a growing range of companies have released in recent years.

Consistent with the 2014 agreement, the USA Freedom Act guaranteed the right of those subject to national security orders to publish detailed statistics.94 The companies can report statistics in a number of categories, such as content, non-content, and National Security Letters. Notably, the companies can report "the total number of all national security process received," including National Security Letters and orders under FISA. They can also report "the total number of customer selectors targeted under all national security process received."

In my view, these statistics provide important evidence about the actual scope of national security investigations in the United States. The percentage of users whose records are accessed in the most recent six-month period is vanishingly small. I have examined the most recent transparency reports of Facebook and Google, because European privacy regulators have focused particular attention on them in recent years. These statistics show what accounts have been accessed in the United States – the precise European concern about how individual data is handled once it leaves Europe and goes to the US. The statistics show far more targeted activity than the speculation in the popular press.95

Of the six categories reported, the highest percentage of users affected is for content requests to Google, a maximum of .0014%, or about 1 in 100,000. In total, the number of customer accounts accessed by the US government for national security in the most recent time period is approximately 10,000 for Facebook,96 out of approximately 1.55 billion active users per month.97 The number of customer accounts accessed is approximately 17,000 for Google,98 out of approximately 1.17 billion active users per month.99

93 http://www.fisc.uscourts.gov. For a recent report on how one such amicus curiae case has worked in practice, see https://www.techdirt.com/articles/20151210/08175733048/fisa-courts-appointed-advocate-not-allowing-governments-national-security-assertions-to-go-unchallenged.shtml
94 USA Freedom Act, Sec. 604.
95 My understanding is that the company transparency reports clearly cover the PRISM program, where specific selectors are made available to service providers such as Facebook and Google under the law. I do not know whether the statistics also include any government access under the Upstream program, where the government may gain access to an email, for example, without directly requesting that information from the email service provider. In terms of overall volume, however, it is relevant to consider Chapter 2, which discussed the declassified FISC opinion in 2011 that over 90 percent of the electronic communications acquired under Section 702 came from the PRISM program rather than the Upstream program. Even if Upstream statistics are not included in the transparency reports, that would shift one of the statistics here from roughly 1 in 1 million subscribers to 1 in 900,000 subscribers. The main point would remain the same – a vanishingly small fraction of users' communications are actually acquired by the NSA.
96 For the most recent reporting period, companies were permitted to report aggregate numbers of requests received, during a six-month time period, from the government for intelligence purposes; the number of requests are reported in increments of 1,000. For the time period from July – December 2014, Facebook received the following: 0-999 non-content requests; 7,000-7,999 content requests; and 0-999 national security letters. https://govtrequests.facebook.com/country/United%20States/2014-H2/
97 http://www.statista.com/statistics/264810/number-of-monthly-active-facebook-users-worldwide/
98 For the time period from January – June 2014, Google received the following: 0-999 non-content requests; 15,000-15,999 content requests; and 0-999 national security letters, available at https://www.google.com/transparencyreport/userdatarequests/US/
99 http://expandedramblings.com/index.php/by-the-numbers-a-gigantic-list-of-google-stats-and-facts

Facebook #ofUsersAccessed

in6monthsPercentagebasedonUsersPerMonth

Non-ContentRequests 0-999 .00006%ContentRequests 7,000-7,999 .00052%NationalSecurityLetters 0-999 .00006%Google #ofUsersAccessed

in6monthsPercentagebasedonUsersPerMonth

Non-ContentRequests 0-999 .00009%ContentRequests 15,000-15,999 .00137%NationalSecurityLetters 0-999 .00009% ThesestatisticsputinperspectiveconcernsthatUSintelligenceagenciesaremassively accessing the information held by US service providers when data istransferredtotheUS.BothFacebookandGooglearewidelyusedintheEU.Basedon the public reports, a maximum of 1 in 100,000 users has his or her contentaccessedinasix-monthperiod,withothercategoriesofrequestconsiderablylower.Fortheless-usedcategories,suchasnon-contentrequeststoFacebook,thatfigureisapproximately1in1millionusers–onepersoninacityofonemillionpeople. (9)TransparencyReportsbytheUSGovernmentIssue: the government has access to the classified information about nationalsecurity investigations, and so is in the best position to report accurately toCongress and the public. FISA in 1978 established some reporting to the public,particularlythenumberofordersissuedandthenumberdenied.Congress,throughtheSenateandHouseIntelligenceCommittees,receivedmoredetailedreportsandconductedclassifiedoversightinvestigationsintointelligencecommunityactivities.The required transparency reports, however, hadnot beenupdated after 2001 toreflectthebroadersetofintelligenceandnationalsecurityactivities.Action: TheUSA-FreedomoverhauledtheannualreportingbytheUSgovernmentabout its national security investigations.100 Going forward, the government eachyearwillreportstatisticspublicly foreachcategoryof investigation. For instance,forSection702,thegovernmentwillreportthetotalnumberofordersaswellastheestimated number of targets affected by such orders. The plain language of thestatute thus provides that the US governmentwill report annually on howmanytotal targets have been affected by the PRISM and upstream collection programs.This level of transparency is remarkable for the actions of secret intelligenceagencies. Aswith the transparency reports by companies, European officials andthegeneralpubliccanthusknowthemagnitudeofthesesurveillanceprogramsand

100USA-Freedom,Sec.603.

Page 32: US Surveillance Law, Safe Harbor, and Reforms Since 2013 ... · 12/18/2015  · US privacy protections must be evaluated in the “current factual and legal context,” but did not

December18,2015

32

changesinsizeovertune,rebuttinginmyviewtheclaimof“massandunrestrainedsurveillance.” (10)ImminentpassageoftheJudicialRedressActIssue:ThePrivacyActof1974providesanumberofdataprotectionmeasuresthatapplyto“USpersons”–UScitizensandpermanentresidents.Foranumberofyears,European data protection authorities and other officials havemade reformof thePrivacyActapriority intrans-Atlanticprivacydiscussions. For instance,theissuewas highlighted by the European Commission and members of the EuropeanParliamentwhen they briefed the Review Group in 2013. The basic request hasbeentoprovidethesameprotectionstoEUcitizensasappliedtoUSpersons.Action: The US government took steps before 2013 to provide Privacy Actprotections in important respects. For instance, in 2007 the Department ofHomelandSecurityappliedthePrivacyActto“mixed”systemsofrecords(databasesthatcontainbothUSpersonsandnon-USpersons)totheextentpermittedbylaw.101The current version of the Privacy Act, however, does not enable an agency toprovideanappealfromanagencyactiontoajudge,andthishasbeenaconcerntoEuropeanofficials. TheJudicialRedressActhasbeenmovingthroughCongresstoaddressthistopic.102 InEU/USnegotiations related toprivacy,passageof the JudicialRedressActhasbecomeimportantbothfordiscussionsofarevisedSafeHarboragreementand for the “UmbrellaAgreement” concerning law enforcement information to gointofulleffect.103 The JudicialRedressAct104passed theHouseofRepresentatives inOctober2015withbipartisansupport,onavoicevote.ThebillisnowbeingconsideredbytheSenate. Myhopeandbelief is that thebillwillpass theSenate, inwhichcasePresidentObamawouldsignitintolaw.105C. ExecutiveBranchActions Asdiscussedinthesectiononlegislation,theexecutivebranchwasthefirstto take a number of actions that were subsequently codified into law byCongressional action. 
This part of the Chapter focuses on the numerous otherexecutivebranchactionssinceJune,2013.Manyoftheseactionsaresummarizedin101DepartmentofHomelandSecurity:PrivacyPolicyGuidanceMemorandumNo.2007-1(January7,2007)(amendedonJanuary19,2007),availableatDepartmentofHomelandSecurity:PrivacyPolicyGuidanceMemorandumNo.2007-1(January7,2007)102https://www.congress.gov/bill/114th-congress/house-bill/1428103http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm104https://www.govtrack.us/congress/bills/114/hr1428105Predictions about what will pass the Congress are necessarily uncertain. I am offering mypersonalestimationthatthebillwilllikelypasstheSenateinthecomingmonths.

Page 33: US Surveillance Law, Safe Harbor, and Reforms Since 2013 ... · 12/18/2015  · US privacy protections must be evaluated in the “current factual and legal context,” but did not

December18,2015

33

“Signals Intelligence Reform: 2015 Anniversary Report,”106which was publishednear the one-year anniversary of PresidentObama’smajor speech on intelligencereform.107 A similar report is due to be published in January, 2016. ThoseinterestedinUSsurveillancepracticeandreformshouldrefertothatreportwhenitisissued. The discussion here begins with broad conceptual reforms to US signalsintelligence(SIGINT)thatPresidentObamaannouncedin2014,andthenexaminesthemultipleotheractionssince2013.Issue:Historicalpractice,fortheUSandothernations,hasbeentoprovidegreaterlatitudeforsurveillanceoutsideofthecountrythanwithinthecountry.Simplyput,nationshavespiedoneachothersinceSunTzu’sclassicTheArtofWar inancientChina,andwellbeforethat.108ThatisconsistentwiththeIntelligenceCommunity’smission to conduct foreign intelligence activities. Spying on hostile actors isespecially understandable during time of war orwhen there is reason to believehostileactorsmayattack. The United States and the member states of the European Union have asharedlegaltraditionandstrongalliances.ManyintheEUhavestronglyobjectedtothe scope of US surveillance reported since 2013. 
One way to understand theobjectionsisthatEuropeansbelievethatEUcitizensdeservesimilartreatmenttoUScitizenswhenitcomestoUSsurveillanceactivities.Thelongstandinginternationalpractice–thegreaterlatitudetospyonnon-citizensoutsideofone’sowncountry–is,asappliedtoEuropeans,contrarytotheviewsofmanyinEuropeaboutwhatispropertodayforanallysuchastheUS.Action: In 2014 President Obama issued Presidential Policy Directive-28 (PPD-28),109whichIconsiderahistoricdocument.BindingonallUSintelligenceagenciesfortheirsignalsintelligenceactivities,thedirective:“articulatesprinciplestoguidewhy, whether, when, and how the United States conducts signals intelligenceactivities for authorized foreign intelligence and counterintelligence purposes.”PPD-28 sets forth a number of new anddistinct policies,with key items featuredhere.110 Inshort,PPD-28makesprotecting theprivacyandcivil libertiesrightsof

106http://icontherecord.tumblr.com/ppd-28/2015/factsheet107 https://www.whitehouse.gov/blog/2014/01/17/president-obama-discusses-us-intelligence-programs-department-justice108ForatranslationofthechapteronspiesinTheArtofWar,seehttp://suntzusaid.com/book/13.109https://www.whitehouse.gov/sites/default/files/docs/2014sigint_mem_ppd_rel.pdf110AnInterimProgressReportonImplementingPPD-28wasreleasedinOctober2014,availableathttp://icontherecord.tumblr.com/post/100240011473/interim-progress-report-on-implementing-ppd-28. Additional information is included in the 2015 Anniversary Report, athttp://icontherecord.tumblr.com/post/100240011473/interim-progress-report-on-implementing-ppd-28.

Page 34: US Surveillance Law, Safe Harbor, and Reforms Since 2013 ... · 12/18/2015  · US privacy protections must be evaluated in the “current factual and legal context,” but did not

December18,2015

34

persons outside the US an integral part of US surveillance policy, and a direct order from the President, who is also Commander in Chief.111

(11) New surveillance principle to protect privacy rights outside of the US

Issue: Longstanding law and practice in the US (and all other nations of which I am aware that follow the rule of law) is that greater legal protections are provided within a nation’s borders than for surveillance conducted outside the borders.

Action: PPD-28 announced a new principle that applies to all intelligence agencies in the US when conducting signals intelligence: “Our signals intelligence activities must take into account that all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and that all persons have legitimate privacy interests in the handling of their personal information.” It adds: “Privacy and civil liberties shall be integral considerations in the planning of US signals intelligence activities.” I am not aware of any other country having announced and adopted principles of this sort in their intelligence activities.

(12) Protection of civil liberties in addition to privacy

Issue: The EU treats privacy as a fundamental right, among other fundamental rights such as freedom of expression.

Action: PPD-28 protects civil liberties as well as privacy: “The United States shall not collect signals intelligence for the purpose of suppressing or burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion.” PPD-28 clearly states that signals intelligence must be based on a legitimate purpose: “Signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions and not for any other purposes.”

(13) Safeguards for the personal information of all individuals, regardless of nationality

Issue: For the general principle of protecting privacy rights to matter in practice, it must be built into the operations of the agencies.

Action: Section 4 of PPD-28 sets forth detailed safeguards for handling personal information. It instructs each agency to establish policies and procedures, and to publish them to the extent consistent with classification requirements. By 2015, all intelligence agencies had completed new policies or revised existing policies to meet the President’s mandates.112 The policies and procedures address topics including: data security and access; data quality; and oversight, and “to the maximum extent feasible consistent with the national security, these policies and procedures are to be applied equally to the personal information of all persons, regardless of nationality.”

One of the over-arching principles of PPD-28 is minimization, an important issue often mentioned by EU data protection experts. The new safeguards in PPD-28 include: “Signals intelligence activities shall be as tailored as feasible. In determining whether to collect signals intelligence, the United States shall consider the availability of other information, including from diplomatic and public sources. Such appropriate and feasible alternatives to signals intelligence should be prioritized.” This quotation does not mention words from EU data protection law such as “necessary” and “proportionate,” but being “as tailored as feasible” and prioritizing alternatives to signals intelligence are two of many examples in US law where specific safeguards address those concerns.

(14) Retention and dissemination limits for non-US persons similar to US persons

Issue: A frequent concern expressed by European data protection officials is that stricter rules apply to US persons than to non-US persons, such as for the retention and dissemination of personal data.

Action: The agency procedures put in place pursuant to Section 4 of PPD-28 have created new limits that address this concern.113 The new retention requirements and dissemination limitations are consistent across agencies and similar to those for US persons.114 For retention, different intelligence agencies had previously had different rules for how long information about non-US persons could be retained. Under the new procedures, agencies generally must delete non-US person information collected through signals intelligence five years after collection.115 For dissemination, there is an important provision applying to non-US persons collected outside of the US: “personal information shall be disseminated only if the dissemination of comparable information concerning U.S. persons would be permitted.” The agency procedures make other changes for protection of non-US persons, including new oversight, training, and compliance requirements: “The oversight program includes a new requirement to report any significant compliance incident involving personal information, regardless of the person’s nationality, to the Director of National Intelligence.”116

(15) Limits on bulk collection of signals intelligence

Issue: In the wake of the Snowden revelations, there has been particular concern about bulk collection by US intelligence agencies.

Action: Section 2 of PPD-28 creates new limitations on the use of signals intelligence collected in bulk, where “bulk” is defined as “authorized collection of large quantities of signals intelligence data which, due to technical or operational considerations, is acquired without the use of discriminants,” such as the email or other selectors discussed in Chapter 2.117 PPD-28 announces purpose limitations -- when the US collects nonpublicly available information in bulk, it shall use that data only for purposes of detecting and countering:

1) Espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;
2) Threats to the United States and its interests from terrorism;
3) Threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction;
4) Cybersecurity threats;
5) Threats to US or allied Armed Forces or other U.S. or allied personnel;
6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.

If this is updated, it will be “made publicly available to the maximum extent feasible.”

111 As with any other US Executive Order or Presidential Policy Directive, the President’s announcement cannot create a right of action enforceable in court. Based on my experience in the US government, however, agencies go to great lengths to comply with directives from the President of the United States. The PPD is binding upon executive branch agencies as an instruction from the head of the executive branch, even if it cannot be enforced by outsiders.

112 The NSA policies and procedures to protect personal information collected through SIGINT can be found at: https://www.nsa.gov/public_info/_files/nsacss_policies/PPD-28.pdf Links to the policies and procedures for the ODNI, the CIA, the FBI, and other agencies can be found at: http://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties Additional policies on the site include: National Reconnaissance Office, Department of Homeland Security, Drug Enforcement Administration, State Department, Treasury Department, Department of Energy, US Coast Guard, and Other IC Elements in the Department of Defense.

113 The US government will not consider the activities of foreign persons to be foreign intelligence just because they are foreign persons; there must be some other valid foreign intelligence purpose.

114 The agency procedures create new limits on dissemination of information about non-US persons, and require training in these requirements.

115 There are exceptions to the five-year limit, but they can only apply after the Director of National Intelligence considers the views of the Office of the Director of National Intelligence Civil Liberties Protection Officer and agency privacy and civil liberties officials. http://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties

116 http://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties#ppd-28

117 Consistent with the discussion of filtering in Chapter 2, PPD-28 says: “The limitations contained in this section do not apply to signals intelligence data that is temporarily acquired to facilitate targeted collection.” The detailed rules governing targeted collection under Section 702 are discussed in Chapter 2.


(16) Limits on surveillance to gain trade secrets for commercial advantage

Issue: European and other nations have long expressed concern that US surveillance capabilities would be used for the advantage of US commercial interests. These concerns, if true, would provide an economic reason to object to US signals intelligence, in addition to privacy and civil liberties concerns.

Action: The Review Group was briefed on this issue, and we reported that US practice has not been to gain trade secrets for commercial advantage. There is a subtlety here that is sometimes overlooked. PPD-28 states that the “collection of foreign private commercial information or trade secrets is authorized,” but only “to protect the national security of the United States or its partners and allies.” For instance, the national security of the US and its EU allies justifies surveillance of companies in some circumstances, such as evading sanctions and shipping nuclear materials to Iran, or money laundering to support international terrorism. The distinction in PPD-28 is that “It is not an authorized foreign intelligence or counterintelligence purpose to collect such information to afford a competitive advantage to U.S. companies and U.S. business sectors commercially.” In the above examples, it would not be justified to collect information for the purpose of assisting a US nuclear equipment manufacturer or US banks.

(17) New White House oversight of sensitive intelligence collection, including of foreign leaders

Issue: In the aftermath of the attacks of September 11, 2001, the view of intelligence agencies was that they had a tendency to conduct surveillance activities to collect foreign intelligence information against a wide range of targets, without necessarily taking into account non-intelligence consequences of that targeting.

Action: To review sensitive intelligence collection more closely, there is now a stricter procedure to assess sensitive intelligence collection, as part of the National Intelligence Priorities Framework.118 The procedures have been revised to require more senior policymaker participation in collection decisions. In the first year, the new procedures applied to nearly one hundred countries and organizations, resulting in new collection restrictions.119 In addition, the NSA “has enhanced its processes to ensure that targets are regularly reviewed, and those targets that are no longer providing valuable intelligence information in support of these senior policy-maker approved priorities are removed.”120

118 http://icontherecord.tumblr.com/ppd-28/2015/limiting-sigint-collection

119 Id.

120 Id.


The new oversight process responds in part to the new principles of respecting privacy and civil liberties abroad. The rationale for careful oversight is bolstered by heightened awareness that “US intelligence collection activities present the potential for national security damage if improperly disclosed.”121 Potential damage cited in PPD-28 includes compromise of intelligence sources and methods, as well as harm to diplomatic relationships and other interests.

This process includes review of collection efforts targeted at foreign leaders. For many observers, it is reasonable for the US or another country to seek to monitor the communications of foreign leaders in time of war or concerning clearly hostile nations. By contrast, the US was widely criticized for reported efforts to monitor the communications of German Chancellor Angela Merkel and the leaders of other allied countries. Collection targeted at foreign leaders is now reviewed as part of the overall White House oversight of sensitive intelligence collection. President Obama stated in 2014: “I have made clear to the intelligence community that unless there is a compelling national security purpose, we will not monitor the communications of heads of state and government of our close friends and allies.”122

(18) New White House process to help fix software flaws rather than use them for surveillance

Issue: The Review Group recommended a new process to evaluate what to do with so-called “Zero Day” attacks, where software developers and system owners have zero days to address and patch the vulnerability.123 The Review Group recommended that the government should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are quickly patched on government and private networks.

Action: Previously, the decision was made in the NSA about how to balance the equities between the usefulness of a Zero Day for offense (to penetrate someone else’s network for surveillance) vs. for defense (to patch our own networks). In 2014 the White House announced what it called a “disciplined, rigorous and high-level decision-making process for vulnerability disclosure.”124 In my view, this new inter-agency process, chaired by the President’s Cybersecurity Coordinator, improves on the old system by bringing in perspectives from more stakeholders who emphasize the importance of defending networks. In other words, the new process creates a new and useful check on any intelligence agency temptation to emphasize surveillance capabilities at the expense of good cybersecurity and protection of the personal data in computer systems.

121 PPD-28, Sec. 3

122 https://www.whitehouse.gov/the-press-office/2014/01/17/remarks-president-review-signals-intelligence

123 Review Group Report, at 219.

124 https://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities


(19) Greater transparency by the executive branch about surveillance activities

Issue: Item 10 in this Chapter discussed new government transparency reports required in the USA Freedom Act.

Action: Since 2013, the executive branch has gone well beyond these legislative requirements in its transparency activities. In its January 2015 report on Signals Intelligence Reform, the government reported eight categories of greater transparency that it had undertaken to that point, and I expect additional items to be listed in the next report in January 2016.125 Compared to the secrecy that historically had applied to signals intelligence, the shift toward greater transparency is remarkable, such as:

• The already-mentioned declassification of numerous FISC decisions;
• A new website devoted to public access to intelligence community information;126
• The first “Principles of Intelligence Transparency for the Intelligence Community”;127
• The first two Intelligence Community Statistical Transparency Reports;128
• Unclassified reports on NSA’s implementation of Section 702129 and its “Civil Liberties and Privacy Protections for Targeted SIGINT Activities”;130 and
• Numerous speeches and appearances by intelligence community leadership to explain government activities, in contrast to the historical practice of very little public discussion of these issues.131

(20) Creation of the first NSA Civil Liberties and Privacy Office

Issue: In a 2013 talk, President Obama said: “Just because we can do something, doesn’t mean we should do it.”132 The NSA staffed up its already significant compliance efforts after FISC criticism of its implementation of programs under FISA, including hiring a Director of Compliance, and now has over 300 compliance employees.133 Simply complying with law, however, does not mean that there is sufficient attention to how privacy should be treated within an intelligence agency.

Action: NSA appointed a Civil Liberties and Privacy Officer for the first time,134 and other agencies have similar positions.135 That office becomes a point of expertise within the agency, and a point of contact for those outside of the agency who have privacy concerns.136

(21) Multiple changes under Section 215

Issue: In his 2014 speech, President Obama ordered multiple changes to the bulk telephony metadata program conducted under Section 215.137

Action: In response, the executive branch changed its practices under Section 215 in numerous ways.138 Congress faced a “sunset” of the Section 215 authority in 2015 – if Congress did not act, then the legal authority as it currently existed would have expired. The existence of this sunset created a powerful incentive for Congress to consider the USA Freedom Act, which extended Section 215 with the numerous pro-privacy changes described earlier in this chapter.

(22) Stricter documentation of the foreign intelligence basis for targeting under Section 702

Issue: A prominent criticism of US surveillance law has been that it constitutes “indiscriminate” surveillance, including under the PRISM and upstream programs of Section 702. Under the OECD Privacy Guidelines139 and EU data protection law, there should be a clear purpose specification for the processing of personal data.

125 http://icontherecord.tumblr.com/ppd-28/2015/enhancing-transparency

126 http://icontherecord.tumblr.com

127 http://www.dni.gov/files/documents/ppd-28/FINAL%20Transparency_poster%20v1.pdf http://www.dni.gov/files/documents/Newsroom/Reports%20and%20Pubs/Principles%20of%20Intelligence%20Transparency%20Implementation%20Plan.pdf

128 http://icontherecord.tumblr.com/transparency/odni_transparencyreport_cy2014

129 https://www.nsa.gov/civil_liberties/_files/nsa_report_on_section_702_program.pdf

130 https://www.nsa.gov/civil_liberties/_files/nsa_clpo_report_targeted_EO12333.pdf

131 http://icontherecord.tumblr.com/transparency/odni_transparencyreport_cy2014

132 http://www.politico.com/story/2013/10/obama-surveillance-message-lost-in-translation-099003#ixzz3uLEoiGaW

133 https://www.nsa.gov/civil_liberties/_files/nsa_clpo_report_targeted_EO12333.pdf

134 President Obama issued PPD-28 on January 17, 2014. http://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties#section-215 The US government announced NSA’s first CLPO on January 29, 2014. http://icontherecord.tumblr.com/tagged/becky+richards

135 Sec. 4(c).

136 The Office of the Director of National Intelligence similarly has a Civil Liberties Protection Officer, www.dni.gov/clpo. Other relevant agency positions include: Department of Homeland Security Privacy Officer, http://www.dhs.gov/privacy-office; Department of Homeland Security Office for Civil Rights and Civil Liberties, http://www.dhs.gov/office-civil-rights-and-civil-liberties; Department of Justice Office of Privacy and Civil Liberties, http://www.justice.gov/opcl; Department of Defense Oversight and Compliance Directorate, http://dcmo.defense.gov/About/Organization/OCD.aspx, which includes the Defense Privacy and Civil Liberties Office, http://dpcld.defense.gov/, and Department of Defense Intelligence Oversight, http://dodsioo.defense.gov/Home.aspx.

137 https://www.whitehouse.gov/the-press-office/2014/01/17/remarks-president-review-signals-intelligence

138 “New privacy protections for bulk telephony metadata collected under Section 215,” http://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties#section-215

139 http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm


While collection under Section 702 has always been targeted rather than indiscriminate, the executive branch has instituted measures to ensure that the targeting is appropriately documented.

Action: In its detailed report on Section 702 in 2014, the first recommendation by the PCLOB was to “Revise NSA Procedures to Better Document the Foreign Intelligence Reason for Targeting Decisions.”140 In 2015, the PCLOB reported: “The Administration has agreed to implement this recommendation.”141

The PCLOB’s 2015 assessment provides details about the change, including:

• Revision of the NSA’s targeting procedures to specify criteria for determining the expected foreign intelligence value of a particular target;
• Further revision to require a detailed written explanation of the basis for the determination;
• FISC review of the revised targeting procedures and requirements of documentation of the foreign intelligence finding;
• Other measures to ensure that the “foreign intelligence purpose” requirement in Section 702 is carefully met;
• Submission of the draft targeting procedures for review by the PCLOB (an independent agency with privacy responsibilities); and
• Compliance, training, and audit.142

(23) Other changes under Section 702

Issue: Chapter 2 of this testimony discussed in detail Section 702’s PRISM and upstream programs. Section 702 sunsets in 2017, so Congress will face a similar debate to the one in 2015 for Section 215.

Action: The PCLOB issued a lengthy report on Section 702 in 2014, which included recommendations for reform by the executive branch.143 In 2015, the PCLOB assessed the government’s response: “The Administration has accepted virtually all of the recommendations in the Board’s Section 702 report and has begun implementing many of them.”144 A number of the recommendations apply to US persons and thus are not the focus here. In addition to the new requirements for purpose specifications, the detailed assessment by the PCLOB included the following:145

• Provide the FISC random samples of selectors used for targeting under the Section 702 program, to enhance the court’s review of the overall program. As of the time of the report, this was being implemented.
• Provide the FISC with consolidated documentation about Section 702. According to the PCLOB, the program had become so complex that this documentation was necessary. As of the time of the report, this was being implemented.
• Periodically assess upstream collection technology to ensure that only authorized communications are acquired. The administration has accepted this recommendation.
• Examine the technical feasibility of limiting particular forms of “about” information. “About” information was discussed in Chapter 2 of this testimony. The NSA has been assessing how to achieve greater minimization of “about” information.
• Publicly release the current Section 702 minimization procedures for the CIA, FBI, and NSA. This has been done.

140 https://www.pclob.gov/library/702-Report.pdf

141 https://www.pclob.gov/library/Recommendations_Assessment-Report.pdf

142 PPD-28’s Section 2 also provides guidance for clearer purpose specification in connection with bulk collection.

143 https://www.pclob.gov/library/702-Report.pdf

144 https://www.pclob.gov/library/Recommendations_Assessment-Report.pdf

145 A number of the recommendations apply to US persons and thus are not the focus here.

(24) Reduced secrecy about National Security Letters

Issue: As enacted in 2001, recipients of a National Security Letter were “gagged” – they were not allowed to tell anyone that they had received the NSL.146 In law enforcement investigations, recipients of a wiretap order are similarly prohibited from telling the target about the wiretap, for obvious reasons – targets will not say incriminating things if they know the police are listening. Within weeks or at most months of the end of the investigation, however, targets are informed about the wiretap. For NSLs, however, the prohibition on disclosure continued indefinitely.147

Action: In his 2014 speech, President Obama announced the indefinite secrecy would change. As of 2015, the FBI will now presumptively terminate NSL secrecy for an individual order when an investigation closes, or no more than three years after the opening of a full investigation. Exceptions are permitted only if a senior official determines that national security requires otherwise in the particular case and explains the basis in writing.148

D. Conclusion

Since the first press disclosures from Snowden approximately 30 months ago, the US government has taken the two dozen actions discussed in this chapter. As this chapter has shown, these reforms emerged from a transparent and extensive process, including extensive debate in the US Congress and hundreds of pages of expert reports and declassified intelligence documents.

These reforms were not mentioned in the European Court of Justice decision in Schrems, or in the Opinion of the Advocate General, despite the latter’s statement that assessment of US practices must be done “by reference to the current factual and legal context.”

The reforms show the nature of the US “legal order” relating to surveillance activities. They show a constitutional democracy under the rule of law, with independent judicial oversight, transparency, and democratic accountability. As discussed in Chapter 1, they show the essential and fundamental equivalence of the US and EU member states with respect to surveillance activities.

146 I first wrote about problems with this gag rule in 2004. Peter Swire, “The System of Foreign Intelligence Surveillance Law,” 72 Geo. Wash. L. Rev. 1306 (2004), available at http://ssrn.com/abstract=586616.

147 The statistical number of NSLs received can be reported in increments of 1000 by providers, as discussed above concerning government transparency reports.

148 http://icontherecord.tumblr.com/ppd-28/2015/privacy-civil-liberties


Peter Swire is the Huang Professor of Law and Ethics at the Georgia Tech Scheller College of Business and a Senior Fellow of the Future of Privacy Forum. He is Senior Counsel with the law firm of Alston & Bird, LLP; nothing in this document should be attributed to any client of the firm.

Swire has long worked on both EU data protection law and US surveillance law. In 1998, he was lead author of the book “None of Your Business: World Data Flows, E-Commerce, and the European Privacy Directive.” He was Chief Counselor for Privacy in the US Office of Management and Budget during negotiation of the Safe Harbor agreement. While in that position, he chaired a White House working group on how to update US wiretap laws for the Internet. He was one of five members of President Obama’s Review Group on Intelligence and Communications Technology (the “NSA Review Group”), whose 2013 report has been republished by the Princeton University Press.

Swire thanks DeBrae Kennedy-Mayo, Research Associate at the Georgia Tech Scheller College of Business, for her work on this paper. Further publications and information at www.peterswire.net. For corrections or comments, please email [email protected]

The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups.