SECURITY STATES OCTOBER 29, 2013
What should we do about the NSA? Should we do anything at all? These question are on the forefront these days.
The right answer, of course, is complex. The perception of illegality at the NSA has outrun the reality by a fair bit. On the other hand, it seems quite clear that the NSA has often done things of which it is technically capable without considering whether or not they were wise in the context of a broader strategy. As Lisa Monaco the White Couse Counterterrorism advisor said the other day in USA Today: “Today’s world is highly interconnected, and the flow of large amounts of data is unprecedented. That’s why the president has directed us to review our surveillance capabilities, including with respect to our foreign partners. We want to ensure we are collecting information because we need it and not just because we can.”
Last week, I was scheduled to give some testimony on the very subject to the House Permanent Select Committee on Intelligence (the hearing was cancelled and rescheduled). Those who want to can review the entire testimony for an explanation of the theory that underlies much of what I proposed and a consideration of many more proposals. But for the curious, here’s a short summary, with footnote citations excised, of some of the reform proposals and their merits (or demerits, as the case may be):
- Congress should probably provide for an in-house advocate before the Foreign Intelligence Surveillance Court, to be called called at the court’s discretion. This would improve decision-making;
- Data retention rules and distributed databases (that is the idea of asking the telecommunications companies to hold the data on behalf of the NSA) will be ineffective and no more privacy protective than current rules;
- Post-collection judicial assessment of reasonable articulable suspicion is worth considering;
- We should reject the assertion that the FISA court is somehow either a rubberstamp or a packed court;
- The most effective reforms are likely structural rather than legislative; and
- Finally, our current system of intelligence oversight generally works. It is incumbent on this Committee and those in Congress with knowledge of how our intelligence apparatus operates to defend that system as effective and appropriate.
Here’s a deeper analysis:
First, we can’t with one breath condemn government access to vast quantities of data about individuals as a return of “Big Brother,” and at the same time criticize the government for its failure to “connect the dots” (as we did, for example, during the Christmas 2009 bomb plot attempted by Umar Farouk Abdulmutallab).
More to the point—large scale data analytical tools of the type the NSA is apparently using are of such great utility that governments will expand their use, as will the private sector. Old rules about collection and use limitations are no longer technologically relevant. If we value privacy at all, these ineffective protections must be replaced with new constructs. The goal then is the identification of a suitable legal and policy regime to regulate and manage the use of mass quantities of personal data.
We should therefore favor those reforms that create delegated or calibrated transparency (enough to enable oversight without eliminating essential capabilities) and respond to the new paradigm of data analytics and privacy (by controlling use rather than collection):
Adversarial Advocate: This proposal would create a standing team of attorneys to respond to and present a counter argument before the FISC to requests for permission to collect information against an individual or entity. Presumably, this team of attorneys would either be from within the government (such as the DNI’s Civil Liberties and Privacy Officer) or a cadre of non-government attorney’s with clearances.
There is much to be said in favor of this proposal. With regular criminal warrants the ex parte nature of the application for a warrant does not systematically create a lack of a check on overreaching because of the possibility for post-enforcement review during criminal prosecution with its adversarial process. By contrast, in intelligence investigations that post-execution checking function of adversarial contest is often missing—few if any intelligence collection cases wind up before the courts. As a result there is no systematic way of constraining the authority of the United States government in this context. Providing for an adversarial advocate would give us the general benefits of adversarial presentation and provide a useful checking function on the overarching broad effect of FISA law on the public.
To be sure, this would be a novel process. We don’t typically do pre-enforcement review of investigative techniques. And if poorly implemented, this sort of process risks slowing down critical time sensitive investigations. Perhaps most importantly, many worry (not without justification) that the adversarial advocate will in the end have an agenda that may distort legal developments.
On balance, this seems to be a positive idea — but only if it is implemented in a limited way for novel or unique questions of law. It should be is limited to situations where the FISA court itself requests adversarial presentation. That would limit the number or circumstances where the process was used to those few where new or seminal interpretations of law were being made. The adversarial advocate should not appear routinely and should not appear on his or her own motion. The court is, in my view, capable (and likely) to define when it can benefit from adversarial argument quite well.
Phone Company Data Retention: Some have suggested that, instead of NSA collecting and retaining telephone call metadata, Congress should amend the law and impose a data retention requirement on phone companies and ISPs, requiring them to retain metadata for a fixed period of time, say five years. NSA and the FBI would, in turn, only be able to access this data set after a FISC court had passed on the validity of the request and determined that it met some evidentiary threshold, say, of relevance.
While the idea is attractive it is, in the end, more problematic than beneficial. To begin with, the FISC pre-access review would be more privacy protective–but it would achieve this protection in the old fashioned way of limiting access to the underlying data. More effective ways that focus on managing end uses rather than collection are to be preferred.
More to the point, this sort of system would be extremely cumbersome. Searching on multiple distributed databases is always more difficult than searching a single database. Worse, this architecture would require the disclosure of classified threat information to private actors, on a regular basis–a structure that we ought to try and avoid. And, of course, though we might begin by limiting use of this database to counter-terrorism activities, I have no doubt that political pressures will soon push us down the slippery slope to other attractive uses (e.g. combatting drug cartels or child pornography). In the end, we might fear that databases held by the private telecommunications companies would be the target of other legal process in the civil system.
Finally, at bottom, we cannot be sure that large commercial data bases are actually more privacy protective than government ones. As Stewart Baker has said in assessing a comparable set of laws in Europe: “Not only does the ‘data retention’ requirement in European law cover more personal information, it comes with far fewer safeguards. In Europe, unlike the United States, the authorities need only ask for stored data; companies can and do “volunteer” their data without any court order or other legal process.” We should be skeptical that any system we design for use here in American would not be subject to the same sorts of issues.
Non-NSA Determination of Reasonable Articulable Suspicion: One variant on the forgoing would break off a piece of the data retention proposal — namely the portion that requires external approval before NSA analysts access the Section 215 metadata database. Logically, this requirement could be implemented even if the database were housed in NSA rather than, as proposed above, in distributed databases at the telecommunications companies. In other words, Congress could add a requirement that every time the NSA determines that there is a reasonable articulable suspicion that a phone number is associated with terrorism, that the determination be promptly adjudicated before access is granted. The identity of “who” might adjudicate the reasonable articulable suspicion and “when” is capable of many variations–it might be the FISC, before access is granted; or it might be post-access review by the FISC. Or, it might even be pre-access review by some other portion of the Executive Branch, like DOJ’s NSSD.
In all its variants, this proposal has several positive aspects to it. First, by requiring external non-NSA approval, we enhance the credibility of the determination of reasonable articulable suspicion. Second, by invoking FISC jurisdiction or DOJ oversight we limit the likelihood that the database will be subject to mission creep and repurposed to non-counter-terrorism uses. Third, and most saliently from a theoretical viewpoint, this paradigm of review after collection and in a control of use is more consistent with what we see as the technological reality of data analytics today.
Regarding the modality of review, some argue that pre-use review by the FISC would be, in their judgment, too slow and cumbersome. This argument may not be persuasive—after all, many warrant applications are approved on an emergency basis. But if we were to reject pre-access judicial review the credibility of the section 215 program would be most enhanced by a combination of two other structures—pre-access approval outside of NSA within the Executive Branch (say at DOJ), followed by post-access approval by the FISC.
Reforming the FISA Court: A wide range of proposed reforms have been suggested for changing how the FISA court is staffed and operates. These include suggestions to add more FISC judges to the process (i.e. have decisions made by panels); mandating more diversity of views among judges; changing the appointment authority, and so on.
The grounds for these proposed reforms are a series of false and pernicious premises–ones that, regretfully, are fostered by our friends in the media. They suggest that the Chief Justice has been preferentially appointing pro-government judges to the FISC,and that the FISC is a rubber stamp for government action. While that Manichean view of justice is one that many liberal doubters of the court system espouse, it should be resisted with every fiber of our being.
In the first place, it simply isn’t true. As anyone who has read the recent FISC opinions recognizes, the judges of that court have been vigilant (some critics even say too vigilant) in overseeing the NSA’s activities, having called large scale programs into question on at least three occasions that are publicly known and having declared at least one aspect of one program unconstitutional. More to the point, we now know (and this is actually one of the few good results stemming from the Snowden disclosures) that the FISC requires substantive modification to roughly one-quarter of all FISA warrant applications. We don’t know what the comparable figures are for traditional criminal investigations (and I don’t think they are collected) but my own experience as a prosecutor suggests that the rate of substantive amendment is far lower in that context.
And, of course, the premise of the entire argument is the ipse dixit that judges reflect their political views. As a society we must reject that premise, lest law become nothing more than politics by other means. It says everything you need to know about the validity of that premise that the original Section 215 order, authorizing metadata collection was (according to public reports–though it has not been declassified itself) issued in 2006 by Judge Colleen Kollar-Kotelly. Judge Kollar-Kotelly was appointed to the FISC by Chief Justice Rehnquist (i.e. before Chief Justice Roberts’ tenure) and appointed to the bench by President Clinton. If the most controversial decision of which we are aware is a counter-factual to the general charge, we should doubt the charge itself.
Worse yet, the cure would be worse than the disease. Imagine, if you will, subjecting FISC appointments to Senate confirmation. Nothing would be more likely to politicize the process. Likewise, attempting to democratize the process by spreading it across the circuits would be impractical (since most FISC matters occur here in Washington) and would simply devolve the criticism one step lower. The problem isn’t with the FISC so much as its critics.
Structural Changes: Finally, most of the more effective possible changes lie not in significant legislative tinkering, but rather in interstitial structural and operational reforms that improve the audit and oversight process without fundamentally altering the capabilities of NSA or the IC organizations. Here are a few, listed just in bullet point form, that might be worth thinking about:
- Make the NSA Inspector General, a presidential appointment, with Senate confirmation;
- Require statutorily, the appointment of an NSA Civil Liberties & Privacy Officer;
- Change the jurisdiction of the Privacy and Civil Liberties Oversight Board to include all intelligence activities, not just those with a counter-terrorism focus;
- Create panels of cleared external reviewers for consultation by the DNI regarding new programs;
- Institutionalize privacy and civil liberties concerns by making it a factor in performance reviews; and
- Have the DNI annually report in a public forum on privacy and civil liberties matters.
One final point, more about Congress and its role than the NSA. Since the mid-1970s, with the reforms prompted by the Church and Pike Committee investigations we in America have been engaged in an experiment — an experiment to see whether it is possible for a country like America to have covert operations under law—or, to coin a phrase, whether we can have intelligence collections within the bounds of democracy.
To my mind the system of delegated transparency, where Congress stands in for the general public, has worked reasonably well–allowing us to use intelligence capabilities while minimizing the risks of abuse of law. Today, however, thanks to the Snowden disclosures, that system is under assault. Most who challenge the system do so from the best of motives. But there are some whose calls for transparency mask the intention of diminishing American capabilities.
And that means that in this post-Snowden era, this House Intelligence Committee (and its Senate counterpart) bear a great responsibility. To them falls the task of defending the integrity of our current system of intelligence oversight. While we have discussed possible reforms to the NSA’s programs, both legislative and structural, the critical insight is that, despite the hue and cry, the system is not badly broken. In can be improved, but in the main it has produced a reasonably effective system of oversight that, if the public record is an accurate reflection, resulted in precious little abuse of the sort we ought to fear.
Congress should be proud of that record and of your role in creating it. Can the Intelligence Committees, perhaps, do a better job of oversight? No doubt. But in the end, notwithstanding the calls for reform and the many plausible reforms you might consider, this Committee should defend the essential structure of our current system. And that, in the end, means rejecting most calls for wholesale reform and complete transparency, and, instead, defending the role of graduated or delegated oversight.