Defense One Radio, Ep. 135: The uncertain future of an eavesdropping law

Google Play Apple Podcasts

Guests:

• Cindy Cohn is the Executive Director of the Electronic Frontier Foundation;
• And Joshua Geltzer is Deputy Assistant to President Joe Biden and Deputy Homeland Security Advisor at the National Security Council.

Read over a copy of the recent Privacy and Civil Liberties Oversight Board report on recommended changes to FISA Section 702 (PDF), here.

Find a transcript of this episode below.

In less than three months, a pretty obscure section of U.S. law with fairly enormous implications around the world could just quietly disappear. It’s a law that, at least to my way of thinking, highlights something that the U.S. Constitution promises each and every American citizen; and yet this same law also points to what that same Constitution can’t fully promise each and every American citizen. 

The law I’m referring to is all about spies and what people from another country might try to do to harm Americans. It’s called the Foreign Intelligence Surveillance Act, or FISA. And there’s just one part of it that we’re going to talk about today. That part is known as Section 702. 

Over the last several weeks, officials from the White House, Pentagon and FBI have been increasingly vocal about the future of Section 702. That’s largely because it’s so controversial that lawmakers have built in a mechanism whereby they have to reauthorize it every few years or let it expire; and the latest authorization window closes at the end of December. 

What’s so controversial about it?

Like I said, it’s all about spies and would-be terrorists. In fact, it’s about trying to stop those spies and would-be terrorists—folks who aren’t Americans and don’t enjoy the protections of the U.S. Constitution, like the Fourth Amendment’s ban on unlawful searches of our stuff. And that stuff includes digital stuff—like text messages, emails, and phone calls—anything that passes through U.S. telecom and internet companies. 

The big problem with Section 702—and what this episode is about today—is that sometimes people who aren’t spies and would-be terrorists get caught up in its net, too. Sometimes those people are Americans, and those Americans sometimes get their privacy violated by folks in the U.S. intelligence community, like the FBI, when they’re trying to stop those spies and terrorists. 

Is that ok? Is that an acceptable violation of the Constitution? 

Those are the questions lawmakers will grapple with over the coming weeks and months ahead of the December 31 deadline. 

But this episode, we’re going to explore those questions as well. And we’re going to do so featuring two experts with quite different opinions on the matter. One works inside the White House on the president’s National Security Council. The other has been watching this matter professionally since the turn of the century, before the September 11th terrorist attacks, which in many ways started this entire story of fighting spies and terrorists. 

Cohn: So EFF was founded in 1990. So we predate the World Wide Web.

That’s Cindy Cohen. She’s the executive director of the Electronic Frontier Foundation. From 2000 to 2015, she served as EFF’s Legal Director, as well as its general counsel. So she’s no stranger to the law, as it were. 

Cohn: When I joined, I was deeply involved in litigation to free up encryption technology from government control. So even before, you know, the September 11 attacks in the Patriot Act, I was engaged in the kind of conversation between national security interests and human rights and civil liberties, and security.

But it’s that Patriot Act that serves as a vital checkpoint in the story of Section 702. If you lived through the 9/11 attacks, you’re most likely familiar with the Patriot Act. 

Cohn: What happened after the attacks is that Congress really wanted to do something. And there were several proposals that had been, I think, dreams of a lot of the people at the Justice Department and in the national security infrastructure that had been rejected. Most recently, after the Oklahoma City bombings, President Clinton had vetoed a bunch of things that ended up in the Patriot Act that got rushed through and passed. Before, I think most members of Congress had even had a chance to read it.

A lot of things happened hastily after the 9/11 attacks. And that’s because, as Cindy pointed out, America’s leaders didn’t want to appear weak and unresponsive—after getting punched in the face the way the country was with those terrorist attacks that killed nearly 3,000 people in one day. And so, 45 days later, the Patriot Act was signed into law on October 26, 2011. 

Cohn: So I had just started actually not very long, full time at the EFF when the Patriot Act was passed. What happened after the Patriot Act is actually interesting, because the Patriot Act gave the government a lot of new powers to do surveillance in the United States. But it didn't give the government the authority to do what ultimately became authorized under Section 702, which is mass surveillance, tapping into the internet backbones doing massive collection of data on Americans in America, that wasn't actually part of the Patriot Act.

But it became part of what the U.S. intelligence community began doing to meet the intent of the Patriot Act—that is, to try through every means possible to stop the next terrorist attack on U.S. soil. 

Cohn: The idea was the National Security Agency was aimed outside the country and was not authorized to do any spying on Americans in America. And, and so what we learned was that that limitation was secretly ignored, or gotten around by the NSA, and in secret without any congressional authorization. They built what became the mass spying programs, the massive telephone records collection program, the upstream program that taps into the Internet backbone, a massive internet metadata collection. What we now know is prism, which is the ability to go to big companies like Google and make them search their entire corpus for information regardless of whether the people in there are Americans or not. So this all happened in secret. People may remember the, you know, it's kind of ancient history now, but people may remember a very dramatic scene in John Ashcroft hospital room where something had to be signed to reauthorize something secret. And some members of the Justice Department who were new finally said enough, this is something you can't do without congressional authorization, what that was about the mass spying a piece of the mass spying. So about 2006, which is, you know, five years after all of this had been rolled up and done in secret, it began to leak out and the New York Times got a story about it, and sat on it for a year until after President G.W. Bush was reelected, but then finally went public with the fact that the the NSA was doing this kind of spying on Americans in America. This caused a big scandal, again, kind of ancient history 2006. And at that time, EFF launched our very first case against this mass spying because we got direct evidence of a piece of it that was happening here in San Francisco, at the AT&T facility in downtown San Francisco. We have whistleblower evidence. And so we launched our first case, it was called Hepting versus AT&T, it was against the phone company for participating in mass spying on its customers, because there was a very specific statute that said that phone companies can't do that. It became a very big political issue. And ultimately, what happened was Congress passed an amendment to the FISA law, FISA Amendments Act Section 702, that effectively retroactively authorized all the things that the NSA had been doing in secret for five years, but did bring it under congressional control and gave the FISA court a kind of high level administrative oversight role over the spying programs, not not the kind of roll you think of as a judge, you know, say approving a specific warrant might have something much more high level and programmatic. But they did bring it under some kind of rule of law as a result of these leaks between 2006 and then the new law passed in 2008. So that's where 702 comes from.

Nakasone: Section 702 has been described as the most transparent surveillance authority in the world.

That’s Army Gen. Paul Nakasone. He happens to be in charge of the National Security Agency and U.S. Cyber Command. And here he is speaking in late September at the National Press Club in Washington, D.C.

Nakasone: Let me explain what 702 is. It is a legal approval for the U.S government to collect communications of individual foreign intelligence targets located outside of the United States who use U.S electronic communications services such as email and telephone. I believe 702 collection is the most important authority we use today, day in and day out, to protect our nation and the American people.

Nakasone isn’t the only official in Washington making the case publicly for reauthorizing FISA Section 702. He’s one of several who are working hard to convince Americans—and perhaps most importantly, lawmakers—that this program, in their opinion, must continue into 2024 and beyond. There have been White House officials, assistant directors in the FBI, civil liberty lawyers, think tankers and more all talking about this issue ahead of its sunset in late December. 

But there’s kind of a problem with many of these public cases being made at the National Press Club, in newspaper columns and op-eds, and of course podcasts just like these. And that problem, despite what General Nakasone said just a moment ago, is a problem with transparency. And I’ll explain what I mean in just a moment. 

Just since August, I’ve encountered nearly a half dozen different appearances from one key White House official in particular. And he’s been working overtime to make the case for reauthorizing Section 702. His name is Joshua Geltzer. His job is Deputy Assistant to the President and Deputy Homeland Security Adviser at the National Security Council.

I called up Josh in late September to get his thoughts on the status of 702, where things may have gone off the rails in the past, and what might lie ahead in the future. 

Watson: I’ll ask you in a moment why you think this program should be extended. That’s kind of why you’re here after all. But I would like to begin by getting your impressions about why perhaps a law abiding citizen might not want this program to be extended.

Geltzer: It's a great place to start because you've cut to the heart, the core of the debate that's happening in Congress and in the public and that we hope to foster with conversations like this. Look, fundamentally, I think there's a lot of agreement on the value of this particular collection authority. We have worked hard to declassify a number of very specific vignettes that show that this is a valuable authority, if you care about cutting off fentanyl supply, if you care about uncovering gruesome atrocities committed by the Russians in Ukraine, if you care about counterterrorism, but what critics point to is the fact that there have been some compliance incidents, which is another way of saying the court approved rules, and in particular, the court approved rules for how the FBI, which gets only a small piece of 702 collected information, but how they queried that piece with information associated with U.S. persons. Those rules at times have not been followed. And that's not okay.

What he’s talking about there are called USPERs, or searches that wind up including the communications of U.S. citizens, or persons. And it’s not the only way to describe it, because frankly this particular activity within the authorities of Section 702 has a few different names. They include “USPER queries,” as I mentioned; there’s also “backdoor searches” and “incidental collection.” And to some of the toughest critics, it’s called a “domestic surveillance program,” or “spying on millions of Americans without a warrant.”

Geltzer: So let me step back. There are four parts of our government to get access to raw 702 information. In other words, the collection itself, rather than let's say, let's say finished analysis, based on that information. Those four parts of our government are CIA, NSA, the NCTC, National Counterterrorism Center and the FBI, the FBI gets less than 4% of the 702 collected information, only information that relates to a predicated FBI investigation. The idea is this is information that has a connection to some investigation underway already, as the FBI does its critical mission of protecting the homeland from a wide array of threats. Now, at times, the FBI queries that already lawfully collected and now limited set of information, using identifiers, let's say an email address associated with U.S. persons, that might actually that might not actually be a living breathing us person, it could also be a U.S. company, but that counts for these purposes as a U.S. person. And given the privacy interest that all of us maintain in U.S. persons in particular, there are particular rules that apply to that. And in the past, there were times when overwhelmingly, overwhelmingly, inadvertently 702 information was queried by those sorts of identifiers in a way that shouldn't have been.

These are what’s often called “noncompliant queries.” And one of the problems around discussing 702 is we don’t really know exactly how many times the intelligence agencies have accessed the data of U.S. citizens since 702 collection began. We just have chunks of data. Like this one from a recent watchdog panel of experts: “In the three years spanning January 1, 2020 through December 31, 2022, FBI alone has queried Section 702 databases for U.S. person information nearly 5 million times.”

America’s spy agencies self-reported this past April that they tracked more than 246,000 different foreign targets under the 702 program in 2022; that was up from 232,000 foreigners the year before. It was also a new high, according to the New York Times. 

But as for those noncompliant queries, we seem to similarly only have snippets of data—like when we learned this past May that FBI agents improperly accessed Americans’ data about 278,000 times during a one-year period ending in late March 2021. So they broke the rules to get to the data. That reportedly included victims of crimes, according to the Washington Post. 

Here’s Geltzer again. 

Geltzer: It's worth saying that there's no debate about that. It's not okay to have compliance errors. But what we then say to that is, we have worked very hard to address that. We have changed fundamentally how an analyst and agents sitting at the FBI interacts with 702-collected information they need to opt-in when they want to query they need to give a written justification as to why it fits into the type of query that should be conducted. And so for those who hold that up and say, look at the past compliance incidents when rules haven't been followed, our answer is, we have strengthened compliance, we've seen a massive drop in the number of the queries conducted in the first place of this type as well as an increase in the compliance rate. And so that's our answer to that line of criticism.

Cohn: This history should make us very skeptical, I think, of the assurances that we keep getting out of various agencies, that everything is fine here. It's all following the rule of law, [and that] nothing's wrong. 

Cindy Cohn again.

Cohn: Not only because of this history, but because we keep seeing FISA court rulings and congressional reports that this is not actually how this thing is process is working, that there are constant problems, there are constant violations of even the most, you know, very wide ranging rules that this thing is coming under. And I I think that's not because there's people of ill will in there. I actually think most people have goodwill, I think it's because it's actually really hard to spy on the entire world and do it within the rule of law in a way that never allows any misuse. It's a hard and expensive thing to do, and they're not doing it very well.

Geltzer would probably argue otherwise. After all, he told me—

Geltzer: The broader Justice Department has fundamentally overhauled the way in which an agent or analyst can access and then interacts with 702 collected information. It used to be and this may sound foolish, as you describe it now that an FBI agent or analyst had to opt out, if they were doing a query, they had to opt out of information collected under 702. Sometimes they would forget to send me they wouldn't understand to, it would lead to a non compliant query and some queries, which can actually have multiple terms, those are called batch queries. If you got it wrong once so to speak, it actually counted as getting it wrong quite a lot of times. Now, a number of things have been overhauled and changed to address these compliance areas. One is you need to opt in, and I've sat in the Hoover Building, you literally need to click in and you're warned about what the rules are, you need to click again. And then you need to provide a case specific written justification as to why it fits within the court approved rules, to query 702 collected information. What's more batch queries, those queries that actually have multiple query terms in a single query? Those now need to get higher level approval within FBI. FBI has also done other things; they've instituted new training, they stood up and dedicated audit office just for 702. They've made it such that if you make a mistake with how you handle 702, you can’t query 702 information, at least until getting remedial training. And so all of these steps have combined to show real results. From 2021 to 2022, there was a drop of 93% just in the U.S. persons queries conducted by FBI; and then within that much smaller number that were still conducted, the compliance rate went up.

And that’s largely the message you’ll encounter most recently from U.S. officials about all this. “Those problems are in the past. We’ve changed. We’re different now.” Many of the FBI’s changes to 702 processes were implemented in the summer of 2021, months after they had improperly accessed Americans’ private data more than 278,000 times the year before. 

But as I sifted through various content on the web that had to do with reauthorizing Section 702, I encountered one kind of hesitation several times. I decided to ask Josh his thoughts.  

Watson: One of the big fears of skeptics of this law is that the incidental collection could lead to charges for Americans suspected of engaging in criminal activity. But as far as I've been able to tell this has never happened. To your knowledge has this ever happened?

Geltzer: It's a great question. 702 collected or derived information has been used to the best of our knowledge in only nine criminal prosecutions—all for national security related crimes; none for ordinary or non-national-security related crimes. And so we think it is quite defensible to have utilized it in, let's say, counterterrorism related prosecutions. And the answer so far as we know, is zero that it's ever been used in a non-national-security oriented criminal prosecution.

Just nine times. I wondered what Cindy had to say about that. 

Cohn: First of all, I would highly doubt those numbers. I think that as far as we can tell from the FISA court rulings that have come out, we know that it's not just the NSA that has access to the information but the FBI has access to the information and that they can and have used it for these kind of backdoor searches millions of times, millions of times, they finally admitted. They still won't give us a number. But I think that without more information, it's not a number you should trust. Because I don't know if that includes the FBI as uses of the information. The FBI has refused to give numbers about what they're doing. If that's the, you know, NSA handing to the Justice Department? Like, what is that number in terms of the overall scope of things, I think, is very unclear. And, you know, sadly, in this context, we have discovered over and over again, the government kind of cherry picking information that isn't wrong, but isn't complete in order to give Americans you know, a real understanding of what's going on. This happened under the section 215 program, when it was first revealed, that's the mass telephone records collection program. That program, the government started off by talking about you know, a whole lot of crime that they had stopped with it., All of those stories, except one fell apart, and then ended up being a guy who sent money to the Sudanese militias. So it wasn't an issue involving threats to Americans, it was, you know, an issue about money going to a sanctioned organization very far away from the United States. And that was the only one that ultimately held up under a microscope—of name and a microscope. So, you know, sadly, unless you've got a number from the FBI about prosecutions that were supported by section 702, I don't think you have anything like a very clear picture of how this could happen. 

I had asked Geltzer afterward if he could share anything about those nine prosecutions. The answer was no. Except for one, and it made news when it happened back in 2009. 

He described it as “one of the most significant terrorist disruptions on U.S. soil post-9/11.” It was the case of Najibullah Zazi, who was an Afghan-American who was arrested in September 2009 trying to plan suicide attacks on the New York City subway system. The following February he pleaded guilty to conspiring to use weapons of mass destruction; part of his prosecution involved information gathered through FISA Section 702.

But he points elsewhere for successes of 702. 

Geltzer: For us, if we were to go blind at this time to information about fentanyl supply, about Russian atrocities in Ukraine, about the [People's Republic of China], about terrorist threats, like the one posed by al-Qaeda and Ayman al-Zawahiri, the global head, who's identification and location and elimination last year was thanks in part to 702-collected information. If we were to go blind to all of that and more at this moment, with all the evolving challenges facing this nation, it would be a real step backward in us being able to do our job, which is fundamentally to protect the American people and to protect US national security.

Cohn: I will say that at this point, you know, in terms of justifying section 702, the government's going in a very different direction. They're talking about all the things that it could be used for, they're talking about, you know, disrupting fentanyl tracking, mitigating ransomware attacks, vetting immigrants. Is this an amazing tool that will help us with all sorts of things far beyond national security? Or is this something that we so rarely use, that we only have crime, you know, nine criminal justifications? It's hard to imagine that both of those things could be true at the same time. So I think the secrecy is really getting in the way. You know, the answer to this is sunshine, right? Well, you know, that it's not like, there isn't a way to protect like true national security interests, and still give the American people enough information about how these programs are being used, and how where the information is going once it's collected inside the government, whether that's to the FBI or elsewhere, so that we can decide do we want our taxpayer dollars spent on this, and for us as citizens if we're, you know, we really believe in rule of law in a democracy to decide, is this where we want our money going? Or do we want our money, maybe going to something else that might have a more, less problematic pedigree and execution?

I asked Cindy what would you like to see changed about Section 702. The first thing she told me was this.

Cohn: EFF believes strongly that this should not be reauthorized, [and] that there is not a justification for mass spying on Americans, and that the NSA needs to stop doing that. 

The second thing she told me was this.

Cohn:  I think a warrant requirement for the FBI would be the most minimum thing that we could do to try to stop some of the, you know, ongoing parade of excesses and abuses that has been going on, frankly from before 702 was passed. So, there's other things that we think as well, there's a list that the EFF and the ACLU have put together, I think scaling back on some of the secrecy here so that we so the Congress and the American people can see what's going on, are the kinds of reforms that would be very helpful. We're in an interesting moment, politically. There are a lot of people on the Republican side of the aisle who who are very concerned because they've, they've seen some of these abuses, the the Carter Page investigation has really upset a lot of people on the right, because the FBI lied in the, you know, in, in seeking the authority to surveil Mr. page now was actually under a slightly different authority. I don't think it was 702. But I think this is awakened. Some folks who otherwise might be willing to take the national security infrastructure at face value when they say, Don't worry, everything's fine here. You don't need to look. And it might be an opportunity to try to get some common sense reforms through. But you know, to be clear, EFF thinks 702 has been wrong from the get go in terms of people's rights, and that we would be better off if we forced the NSA to use other tactics other than mass surveillance in order to try to move national security forward.

Geltzer: Look, we see this as critical, too important to fail, in a sense, and we have made that clear for months now to those on the hill. We need to act before this otherwise would expire at the end of the year.

One last thing before we end our episode. 

Just a few days ago, a key government panel of legal experts announced their positions on some of the most contentious issues surrounding Section 702. The panel is known as the Privacy and Civil Liberties Oversight Board, and they’re seen as a sort of bipartisan government watchdog. 

For one thing, the experts did not support direct authorization, also known as a clean authorization. In fact, they recommended 19 different changes. And one of those (recommendation number three) would require court authorization before the FBI can access the results of a query involving U.S. citizens. They would still be able to search Americans’ data looking for a link to a suspected terrorist or spy; but the FBI wouldn’t be able to access the results of that search without the approval of a specialized FISA court. 

There are also recommended changes to batch searching, like Josh mentioned earlier. The panel also called for annual transparency reports and more rigorous compliance reviews at every FBI field office. You can read over the full report, which we’ll link to in our show notes.   

What are your thoughts on Section 702? Let us know by sending us an email to production@defenseone.com

That’s it for us this episode. 

Thanks for listening. And until next time.