Brittany May Johnson. Texas International Law Journal. Volume 51, Issue 2/3. Summer 2016.
In 2013, the Snowden revelations ignited a storm of international outrage over U.S. foreign intelligence activities. In response to mounting pressure, President Barack Obama announced in his January 2014 speech various intelligence gathering reforms, including Presidential Policy Directive 28 (PPD-28), which took the “unprecedented” step of extending certain privacy protections afforded to U.S. persons to those overseas. Under the directive, U.S. signals intelligence (SIGINT) activities “must take into account that all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and that all persons have legitimate privacy interests in the handling of their personal information.” On the global scale, such an announcement was the first of its kind. Domestically, PPD-28 demonstrated a progressive shift in U.S. policy. Upon close examination of the procedures guiding foreign intelligence collection, it appears these “novel” privacy protections were, generally speaking, current practice before National Security Agency (NSA) contractor Edward Snowden exposed the NSA’s surveillance programs to The Guardian in 2013.
Why then would the Obama Administration wait until January 2014 to disclose the existing privacy protections for foreign nationals to aggrieved allies and the international community? In short, the procedures governing foreign intelligence collection were not designed to safeguard foreign nationals’ privacy. Instead, these procedures-framed as protecting national security-were focused on efficiency. The NSA’s mission is to protect the nation by providing policymakers and military commanders with SIGINT, which has the inadvertent effect of protecting privacy when done efficiently. Despite their inadvertent nature, these procedural protections are not insubstantial. In the digital age, meaningful privacy protections are not necessarily at odds with large-scale foreign intelligence collection. Instead, in the face of rapidly changing technology, globalization, and the growth of non-State transnational threats (especially in the context of cyberspace), privacy and security are often one in the same.
Part I of this Note briefly summarizes the evolution of privacy protections under U.S. foreign intelligence law, starting with the first round of substantial reforms in the 1970s. Part II discusses the revolutionary technologies that have shaped the digital age and considers the impact of these technologies on the law, the Intelligence Community, and the definition of privacy. In light of these developments, Part II ends with the international community’s response to the Snowden leaks and the consequence of the leaks on the U.S. economy and national security. Part III focuses on what meaningful privacy protections look like in the digital age, highlighting current practice and potential reforms.
The United States is currently in a unique position. With the right response to the Snowden revelations, the United States can serve as a model for other nations by spearheading a movement to reform surveillance law. In the last two years, substantial changes have been made, and more reforms are on the horizon. Among the most crucial is the ongoing struggle to establish transparency. As Abraham Lincoln once said, “[P]ublic sentiment is everything. With public sentiment, nothing can fail; without it nothing can succeed.”” Maintaining public trust, both domestically and internationally, is a necessary component for continuing the collection of private information on a global scale. Transparency does not necessarily entail disclosing minute details of active surveillance programs to the detriment of U.S. national security. Rather, it means shaping the scope and procedures guiding intelligence collection in proportion to the threat and relying on soft powers to educate and persuade the relevant institutions and societies that such procedures are necessary in light of the current threat environment facing the United States and the nations of the world.
U.S. Foreign Intelligence Law; Evolution of Privacy Protections
Since the “dawn of our Republic,” the U.S. government has relied on foreign intelligence operations. Until the 1970s, these foreign intelligence operations were largely unregulated. With no statutory guidance from Congress, the President- relying on his Commander in Chief and foreign affairs powers under Article II of the U.S. Constitution-regulated these clandestine activities within the executive branch. This power structure changed in the early 1970s when public allegations of abuse prompted both Houses of Congress to form special committees to investigate the operations of intelligence and law enforcement agencies, as well as the U.S. military.
Leading up to the alleged abuse and subsequent congressional investigations were two Supreme Court decisions. In 1967, the Supreme Court ruled that government interception of an individual’s private electronic communications, pursuant to a criminal investigation, constitutes a search and seizure under the Fourth Amendment. Additionally, in 1972, the Supreme Court held that the Fourth Amendment protects U.S. persons against warrantless surveillance in domestic intelligence investigations. Both decisions, however, were silent as to warrantless surveillance conducted on U.S. persons for purposes of conducting foreign intelligence investigations. This void in privacy protection resulted in executive agencies conducting domestic surveillance of U.S. citizens under the guise of foreign intelligence collection. The Senate Select Committee leading the investigations, better known as the Church Committee, published and ultimately made public seven reports shedding light on the formation, operation, and abuses of the U.S. intelligence agencies, concluding that “broad domestic surveillance programs, conducted under the guise of foreign intelligence collection, had undermined the privacy rights of U.S. citizens.”
To regain the trust of the American people, recommendations for reform were debated in Congress. The debates resulted in the establishment of permanent congressional intelligence committees and eventually led to the enactment of the Foreign Intelligence Surveillance Act of 1978 (Traditional FISA). To put off further reform by Congress, the Ford Administration issued Executive Order 11,905, which addressed many issues raised by the investigations. This executive order was the predecessor of President Ronald Reagan’s Executive Order 12,333, the organizing document for U.S. intelligence operations.
To date, Executive Order 12,333 and FISA are the two sources of authority guiding the foreign intelligence collection. Pursuant to Executive Order 12,333, the NSA is authorized to conduct SIGINT activities only for the purposes of foreign intelligence, counterintelligence, and support for military operations. All SIGINT activities must be conducted in strict conformity with the Fourth Amendment, Traditional FISA, and the FISA of 1978 Amendments Act of 2008 (FAA). The Fourth Amendment protects all U.S. persons anywhere in the world and all persons within the United States from unreasonable searches and seizures by the U.S. government. To comply with the Fourth Amendment, the reforms implemented under both FISA and Executive Order 12,333 safeguard the privacy of U.S. persons and foreigners within U.S. territory.
Specifically, under Executive Order 12,333, which governs the collection of intelligence on foreign nationals abroad, all SIGINT operations must be conducted pursuant to procedures that meet the Fourth Amendment “reasonableness” requirement. In determining whether operations are reasonable, the NSA balances the government’s need for foreign intelligence information and the privacy interests of persons protected by the Fourth Amendment. This requires special procedures, known as minimization procedures, for the handling of information on U.S. persons collected, processed, retained, or disseminated. “These minimization procedures implement the constitutional principle of ‘reasonableness’ by giving different categories of individuals and entities different levels of protection” ranging from “stringent protection accorded U.S. citizens and permanent resident aliens in the United States to provisions relating to foreign diplomats in the U.S.”
Unlike Executive Order 12,333, which governs the collection of pure foreign intelligence (i.e., communications between non-U.S. persons abroad), Traditional FISA governs collection when a U.S. person is knowingly implicated.3 Like Executive Order 12,333, Traditional FISA follows the same system of protection, affording privacy protections based on traditional concepts such as citizenship and national borders, and drawing a distinction between domestic and international communications. Accordingly, the Traditional FISA warrant requirement is limited to four scenarios that make up the definition of “electronic surveillance” under the Act.
Scenario 1: A warrant is required if the target of collection is a U.S. person within U.S. territory, regardless of where the collection occurs.
Scenario 2: A warrant is required if the communication is acquired by wire inside the United States and one party to the communication is located in U.S. territory, regardless of nationality.
Scenario 3: A warrant is required if a communication is acquired by radio and both the sender and receiver(s) of the communication are U.S. persons located within U.S. territory.
Scenario 4: A warrant is required for the installation of a surveillance device within U.S. territory.
Each of these scenarios turns on either the citizenship or resident status of the individual, whether the individual is within the borders of the United States at the time collection occurs, or whether collection is done domestically or internationally. In general, if the warrant requirement is not triggered by one of these four scenarios, then Executive Order 12,333 governs the collection of foreign intelligence.
Not surprisingly, under both governing authorities, no privacy interests were afforded to communications between two foreign nationals collected on foreign soil. This decision was not a mistake. Rather, it was a deliberate policy choice, and the norm for foreign intelligence programs worldwide. However, the tiered system of protection, a compromise struck by Congress and the President after the abuse of the 1970s, remained the basis for privacy protection under U.S. foreign surveillance law for more than three decades.44 And leading up to President Obama’s issuance of PPD-28, like most things that had remained unchanged since the late 1970s, this traditional policy was largely out of date.
Foreign Intelligence in the Digital Age
Advances in technology and globalization have transformed the modern world. The volume of information has increased exponentially, as the types of information available have expanded with digital technology. Today, supercomputers can aggregate and store massive volumes of data, and then, using algorithms and data mining techniques, analyze and link the information into data sets to identify patterns previously thought impossible. Simply put, technology has significantly evolved beyond the radio and wire communications contemplated under Traditional FISA. However, as the proliferation of ways to collect and use information about people continues, the 1978 definition of “electronic surveillance” remains unchanged. This is true even as the technology facilitating modern communication networks has rendered the traditional concepts on which U.S. foreign intelligence laws are based- distinguishing between citizenship, borders, and domestic versus international collection – untenable.
Moving forward, a more appropriate legal framework should begin with an assessment of the “technologies that… dominate the electronic communications sphere.” With this comes a familiar challenge. Sovereign nations, in the name of national security, must address emerging threats while maintaining democratic principles such as privacy interests. This is further complicated, however, when the technological solutions for addressing modern threats, such as fending off cyber attacks or disabling transnational terrorist networks, clash with the customary notions of privacy. To effectively analyze the possible range of meaningful privacy protections under such a legal framework, it first makes sense to look back at how the digital age has impacted these related concerns.
Effects on the Law
For the U.S. Intelligence Community, most of the applicable authorities and restrictions predate cyberspace. The NSA, for example, has operated in two distinct areas-one based on foreign intelligence collected abroad under 12,333 and the other based on foreign intelligence collected domestically under Traditional FISA-for nearly sixty years. In 1978, Congress explicitly exempted foreign-to-foreign wire communications from the Traditional FISA warrant requirement. This distinction made sense in the late 1970s, as an international phone call made between two foreign countries at no point crossed into U.S. territory. By drawing the line of regulation at the U.S. border, Congress was able to act “consistently with Fourth Amendment doctrine.” This reserved “the potential to act where U.S. persons’ privacy might be at stake,” while remaining sensitive to the President’s inherent Article II authority to collect foreign intelligence abroad. Accordingly, it would have been an infringement of the President’s Commander in Chief and foreign affairs authority if Congress had required the Intelligence Community to obtain a judicially issued warrant “for every interception of foreign intelligence between foreign nationals overseas.” However, with the rapid growth of the Internet and the invention of fiber-optic cables, it no longer makes sense to draw a sharp line “between domestic and international information flows, with heightened protections afforded the former.”
The Internet is a global system of interconnected computer networks that links several billion devices worldwide, and Internet traffic does not follow any one clear path. Instead, depending on a variety of factors, Internet traffic flows in small packets of information, potentially traveling the globe before reaching its final destination. For example, an email from one foreign national abroad may be routed and intercepted in the United States before landing in another foreign national’s inbox. This type of domestic collection of foreign communications was exacerbated with the invention of fiber-optic cables. Fiber-optic technology revolutionized and replaced international communications previously carried by radio wave, a form of communication largely exempted from FISA. At the time FISA was enacted, most international communications took place via satellite, so “Congress excluded international radio communications from the definition of electronic surveillance … even when the radio waves were intercepted in the United States, unless the target of the collection was a U.S. person in the United States.” Now, however, ninety-five percent of intercontinental communications pass through fiberoptic cables,” and there is a high probability that these intercontinental communications will be subject to domestic collection. Furthermore, with the invention of cloud technologies, U.S.-based Internet Service Providers or Email Service Providers may store customer emails on servers in the United States. Thus, a Pakistani foreign national accessing her email in Islamabad may actually pull the emails from a server within U.S territory. As a result of these technologies, much of the foreign intelligence collection that was once done abroad now takes place domestically, and the purely foreign-to-foreign wire communications, meant to be exempted under Traditional FISA, fall squarely within Scenario 2 mentioned above.”
Not only are territorial boundaries a weak distinction on which to base privacy protections, but so too is a distinction between U.S. persons and foreign nationals. Under Traditional FISA, to target a U.S. person’s electronic communications, the agency intending to conduct the surveillance must obtain a judicial warrant from the FISA Court (FISC) by establishing probable cause that the target is an agent of a foreign power using a particular facility (e.g., a phone number, email address, etc.). However, this standard assumes that the target’s identity is known. On a more basic level it is unlikely that an NSA analyst can determine an unidentified person’s citizenship based solely on her email address, Skype account, or other facility. This was evidenced in the declassified document released by the General Counsel of the NSA regarding intelligence sharing of raw SIGINT among agencies. The Office of the General Counsel noted that, “[a]s a practical matter, metadata from electronic communications such as email cannot be similarly shared … because it is not possible to determine what communications are to or from U.S. persons.” Additionally, it is not always the case that the targeted individual will be closely aligned with the facility, since “[n]ew technologies… allow for identity masking and anonymity.” In cyberspace, criminals and terrorists can hide behind aliases and proxy servers, or clandestinely enslave other computers to send communications, commit crimes, or plan attacks.
Despite modern technologies’ erosion of the law, Congress has yet to modernize Traditional FISA’s definition of electronic surveillance. Instead, the FAA, enacted in 2008, created a program for overriding Traditional FISA’s wire provision under Scenario 2. To date, all foreign intelligence programs-whether conducted under FISA or Executive Order 12,333-remain tied to three traditional concepts even as their relevance falls apart.
Effects on the Intelligence Community
The “NSA’s mission is to help protect national security by providing policy makers and military commanders with the intelligence information they need to do their jobs.” With this mission comes constant pressure. Every day, analysts sift through influxes of threat information, analyzing massive volumes of data, trying to connect the dots to prevent the next attack, predict what roads in hostile areas are laced with IEDs, or locate a top al Qaeda military commander for a special operations raid. In each of these scenarios, if the intelligence is wrong, American lives hang in the balance. After all, the intelligence to prevent 9/11 existed, but unequipped with the right tools and legal authority, the Intelligence Community missed it. Thus, in the digital age, keeping up with modern threats means using the most advanced technology and having the legal authority to use the technology effectively. This principle holds true in the traditional sense, where the attack comes from a sovereign nation, but it is even more necessary now that technology has “enable[d] individuals to wield the destructive power of states.”
In the past several years, the threat environment has shifted. Cyber threats have topped the list of the Worldwide Threat Assessment of the U.S. Intelligence Community for two years, highlighting the durability of such threats.” Instead, cyber threats are a risk that must be managed.” In the cyber world, individuals within the United States can potentially be attacked from anywhere in the world with impunity. On the national level, “[t]he inevitable greater reliance … on computerized systems for all important societal functions-ranging from national defense to electricity delivery and water distribution to transportation, banking, and just about everything else-makes the state and its inhabitants increasingly vulnerable to exploitation and attack.” As globalization continues to proliferate and the technology to perpetrate cyber attacks becomes cheaper, States in the global community are increasingly at risk.”
Exploiting such vulnerability may sound tempting to terrorist organizations, which is why experts have warned of the potential danger for a “cyber 9/11.” Al Qaeda affiliates already utilize cyberspace to accomplish “at least three discrete aspects of terrorist activity: (1) to propagandize and recruit; (2) to plot and plan attacks in the physical world; and (3) to launch attacks in the virtual world itself.”” And unlike the traditional wrirs of the past, planning attacks is not limited to those in areas of ongoing hostilities. Rather, “terrorists often rely on the global reach of the internet to communicate and plan from distributed sanctuaries throughout the world.”
As a result, while the international community is justifiably suspicious of the NSA’s complex and secretive spying programs, “the use of military cyber activities has become a critical part of the effort to protect U.S. and coalition forces and combat terrorism globally.” In fact, “[f]or more than a decade, cyber espionage has been the single most productive means of gathering information about the country’s adversaries-abroad and at home.” This was evidenced by the Iraq War in 2007, where SIGINT analysts cast a massive surveillance dragnet over Iraq’s communications. Using the intelligence collected, analysts created network diagrams of fighters in the area, using cell phone signals to connect them to one another and determine their locations. This ultimately led to “big picture” reports on the tribal makeups of the region, which was vital to strategic planning. Most significantly, in less than a year, thirty-five SIGINT analysts “had made possible the capture of 450 high-value targets,” dropping the number of attacks by ninety percent. This new intelligence dragnet was made for dismantling terrorist networks by tracking insurgents and terrorists hiding among civilian populations. As the war shifts, al Qaeda affiliates, a more dispersed threat, will find safe haven in the dark corners of failed States and the Internet. Adequate intelligence and cyber espionage will continue to play a crucial role in their demise.
For the NSA, “[t]he Internet seems to be a borderless battlefield,” with vast amounts of data containing the necessary intelligence needed to protect the nation “not only from terrorism, but from cyber attacks, weapons of mass destruction, and good old-fashioned espionage.” Yet, the NSA is bound by an outdated law, and the legal framework’s remaining utility will continue to fade if it “fails to evolve concurrently with fundamental changes in the institutions it purports to regulate.”
Effects on Privacy
The international community has insisted there is an inalienable right to privacy that all nations must respect, which, at first blush, seems like a profound challenge to the NSA’s mission. Adding to this complexity is an attempt to define privacy. Not only does the word have many meanings, but the definition has also evolved over time and differs from culture to culture. “More recently privacy has been identified with anonymity, while at the same time an increasing number of people … equate privacy with an asserted right to control information after we choose to release it.” The notion that individuals have a right to choose whom to be private from has stunned privacy implications from a legal perspective. And for the first time in history, individuals may be subject to persistent surveillance that is “cheap, easy, and ubiquitous.” Communication networks may be penetrated by any device that connects to the Internet, and “much more than content is now involved” as information is swept through these channels. Now the very act of communicating creates information.
Traditionally, the law categorizes communications as either content or metadata, affording more stringent protection to the former. As communication networks evolve, content is no longer easily distinguishable from metadata, and aggregated analysis of different forms of metadata may expose more sensitive information than content alone. On this premise, it makes sense to expand the types of information available into five categories: “personal, transactional, relational, locational, and content.”
The compilation of these various data points essentially creates a digital mosaic of an individual’s life-mapping his or her movements, relationships, consumer history, finances, and even his or her likes and dislikes. Privacy advocates agree that the digitization of information in such an analyzable form has only deepened privacy concerns. Currently, a quarter of the world’s population uses the Internet, and those who wish to participate in the exchange of information and ideas are obligated to use transnational digital communication technology. As a result, there is a strong “tendency to reduce privacy to a question of data control.”
International Community Reaction
After the Snowden revelations, the international community responded with outrage to the NSA’s sweeping surveillance programs. Invasive programs with unintuitive, complex regulations are understandably met with suspicion, but foreign nationals have never been afforded privacy interests under U.S. law before, so why rush to change the policy? In short, affording foreign nationals privacy interests under PPD-28 was not just a lofty policy ideal-it was a strategic foreign policy move in furtherance of national goals. With the proliferation of globalization, the world’s governments and economies are more intimately interconnected than at any point in history. In the wake of Snowden’s unauthorized disclosures, U.S. businesses that had previously cooperated with the Intelligence Community lost revenue that was instead picked up by non-U.S. firms. One example occurred in June 2014, when the German government announced it would end its contract with Verizon due to the company’s complicity in the NSA program. Fallout in the European Union alone was predicted by the European Commissioner for Digital Agenda, Neelie Kroes, to have “multibillion Euro consequences” for U.S. businesses.
Exposure of the NSA programs also undermined the United States’ position in trade negotiations with the European Union over the Transatlantic Trade and Investment Partnership (TTIP). Before negotiations commenced, the European Parliament passed a resolution regarding the impact of mass surveillance, claiming that the NSA programs had damaged the trust between the transatlantic partners. The resolution stressed that the European Union’s “consent… to the final TTIP agreement could be endangered as long as the blanket mass surveillance activities and the interception of communications in EU institutions and diplomatic representations are not completely abandoned and an adequate solution is found for the data privacy rights of EU citizens.” In addition to this, numerous countries have accelerated data localization initiatives, which restrict U.S. companies’ access to local markets. And, foreign governments have also “introduced new privacy protections, with implications for the future of Internet governance.”
All these changes have high-tech companies concerned. U.S. Representative Justin Amash, a Michigan Republican, stated “Businesses increasingly recognize that our government’s out-of-control surveillance hurts their bottom line and costs American jobs …. It violates the privacy of their customers and it erodes American businesses’ competitive edge.” The strained relationship with U.S tech giants not only impacts the national economy but also threatens U.S. national security. In a recent speech, John P. Carlin, Assistant Attorney General for National Security, noted:
[w]henever the public faces a threat, whether from terrorists, computer hackers, or pick-pockets on the Metro, people expect the government to protect them. But the government can’t do it alone. And that is particularly true in the context of cyber threats, given just how much of our nation’s most essential information is found online and, in particular, in the hands of private companies…. [Njearly all critical infrastructure in the United States is owned and managed by private companies. The fiberoptic cables that our communications transit; the servers that direct our Internet traffic; the software that allows us to communicate; and the energy we use to power our daily lives – all of these things, and so many more, are created and operated by private companies.
Ultimately, if companies lose business because of their compliance in the government’s mass surveillance programs, then tech giants like Apple, Google, and Microsoft will find ways around cooperating with the U.S. Intelligence Community. U.S. tech giants working to resist cooperating with the Intelligence Community could have crippling effects on U.S. national security, as evidenced by Apple’s announcing in September 2014 that the iPhone would come equipped with a unique digital key that can only be used by its owner. Now, even if Apple were presented with a warrant, “Apple could no longer unlock an iPhone that runs its latest operating system.” Additionally, in a pending case, Microsoft has objected to American authorities seizing a customer’s emails stored on servers in Ireland. Organizations including Amazon, Apple, CNN, Fox News, Verizon, The Washington Post, and almost two dozen other technology and media companies also filed briefs in support of Microsoft in the case, which is now pending appeal in the Second Circuit.
Mass surveillance has also endangered national security by damaging U.S. relations with allies and other foreign nations. Over the past decade, other nations have become “essential partners in a variety [of] U.S. national security endeavors … assisting in national security operations from Afghanistan to Libya, and perhaps most significantly, in anti-terrorism.” Intelligence sharing and cooperation between the United States and Western allies, as well as the United States and Middle Eastern countries, have been crucial in thwarting terrorist plots, and assisting in the arrest, rendition, and criminal convictions of terrorists. Intelligence sharing between countries is crucial not only for the United States but for allies as well. By working closely with other countries, the United States has helped ensure their common security. Robert Litt, General Counsel for Office of the Director of National Intelligence (ODNI), stated that the intelligence agencies provided Congress with a list of cases in which the bulk metadata and Section 702 authorities have … helped us understand potential terrorist activity and even disrupt it … Forty-one of these cases involved threats in other countries, including 25 in Europe.” Like U.S. businesses, if foreign governments are wary of U.S. foreign surveillance, they too will be hesitant to cooperate.
This distrust played out on the international stage, as critics of U.S. surveillance abroad denounced the United States for disregarding international law on privacy in the wake of the Snowden revelations. Article 17 of the International Covenant on Civil and Political Rights (ICCPR), to which 168 countries are parties, states that “[n]o one shall be subjected to arbitrary or unlawful interference with his privacy.” Furthermore, prompted by allegations that the United States was spying on their leaders, in November 2013 Brazil and Germany submitted a draft resolution to the Third Committee of the UN General Assembly entitled “The right to privacy in the digital age.” The Assembly adopted the resolution without a vote a few weeks later. The revisions included a subtle diplomatic reference to the longstanding U.S. view that the ICCPR does not apply extraterritorially, allowing the United States to support the resolution while not being bound by it. Even so, with the global reach of the controversy and distrust over NS A surveillance programs-causing adverse impacts on U.S. businesses, national security, and economic security-it is no surprise that the language used in PPD-28 extending certain privacy protections to foreign nationals mirrors the language of the U.N. resolution. The resolution itself is a major development. Firmly placing electronic surveillance within the framework of international human rights law, it begins the discussion of what potential customs and legal restraints might look like, lessening the risk for continued growth of such programs without any serious consideration as to implications on individual rights. With the Obama Administration’s issuance of PPD-28, America is now positioned to lead the debate.
The Obama Administration has made clear, however, that affording such privacy interests will not prohibit the United States from spying on its allies or other foreign governments. Obama plainly emphasized this point in his January 2014 speech when he said, “We know that the intelligence services of other countries-including some who feign surprise over the Snowden disclosures-are constantly probing our government and private sector networks, and accelerating programs to listen to our conversations, and intercept our emails, and compromise our systems. We know that.” Furthermore, Obama clearly stated that “[ujnless there is a compelling national security purpose, we will not monitor communications of heads of state and government of our close friends and allies” and that the United States “will continue to gather information about the intentions of governments .. . around the world.” While “spying operations against US allies are obvious betrayals of trust,” it is important to note, “they are standard practice in the espionage business.” Recently, the NSA’s loudest critic of such practices, Germany’s Chancellor Angela Merkel, proved this to be true. News articles reported that the German foreign intelligence service, the BND, has been accused of monitoring European companies and perhaps individuals in cooperation with NS A. Austria, a fellow EU member and close ally to Germany, is among the offended countries filing a legal complaint against the German and American intelligence agencies.
Spying on allies aside, from the perspective of individual privacy interests, America is in the best position to lead international reform of foreign surveillance law. In fact, a comprehensive analysis of worldwide surveillance laws undertaken by the Center for Democracy and Technology shows that all European countries have permissive regimes in comparison to the United States. Specifically, U.S. oversight and transparency of its intelligence collection is far more protective of privacy rights compared to other governments’ programs. According to former NSA lawyer Stewart Baker:
[Due to America’s] open debates and detailed legislative limits on intelligence gathering, Europeans know far more about U.S. intelligence programs than about their own. The same is true around the world.
As a result, it’s easy for European politicians to persuade their publics that the United States is uniquely intrusive in the way it conducts law enforcement and intelligence gathering from electronic communications providers. In fact, the reverse is true.
Practically every comparative study of law enforcement and security practice shows that the United States imposes more restriction on its agencies and protects its citizens’ privacy rights from government surveillance more carefully than Europe.
Because of the heightened awareness and distrust it fosters, the most fundamental challenge the United States faces with respect to soothing foreign relations is establishing adequate trust with the global community. One way of doing so is affording foreign nationals certain meaningful privacy protections under U.S. law and remaining transparent in the Intelligence Community’s mission. To succeed, the United States must engage in a new dialogue that allows the international community to understand the Intelligence Community’s mission in light of modern threats, because as the dangers of the cyber world grow, the definition of privacy will continue to evolve as well. After all, while the export of such technology can be regulated, it cannot be un-invented, nor can the sovereign nations of the world prevent others from inventing their own versions of it. More importantly, in the face of modern threats, privacy and security often no longer conflict. Rather, they are two sides of the same coin. In other words, good intelligence analysis discriminates between what is important and what is not, and “[p]rivacy is a values name [given] to a very similar form of discrimination-only framed from the point of view from the individual.” Moving forward, State power will represent a “critical line of defense for individual freedom and privacy.”
In the Digital Age, What Does Meaningful Privacy Protection Look Like?
Technology alone cannot protect privacy. Ensuring meaningful protection comes down to effectively using available technology in ways that minimize the impact to privacy. If wholesale surveillance is here to stay, then the architecture guiding foreign intelligence collection will need to evolve to twenty-first century standards. The system is far from perfect, but meaningful protections are not only achievable, they are currently taking place under U.S. law through front-end and back-end protections. For this Note, front-end protections relate to the safeguards put in place before collection occurs, limiting the government’s ability to collect, while back-end protections limit the government’s ability to use the information afterward. This Note asserts that with the proper mix of front-end and back-end protections, meaningful privacy protection that strikes the right balance between national security and privacy for both U.S. persons and foreign nationals alike is possible.
Front-end protections relate to the safeguards put in place before collection occurs, either by restricting the manner in which intelligence is collected or by requiring certain approval before collection takes place. In its broadest form, all SIGINT activity must be authorized either by statute or presidential authorization, consistent with the U.S. Constitution, and collection must be tailored as feasible. On a more meaningful level, SIGINT must be collected exclusively pursuant to a “valid foreign intelligence purpose.” According to PPD-28, a valid foreign intelligence purpose is limited to information “supporting] national and departmental missions.” This determination is made by the most senior-level policymakers pursuant to the provisions of Section 102 of the National Security Act of 1947 and Executive Order 12,333, under which the President, the national security team, federal departments and agencies, and their staff annually set the foreign intelligence requirements. Foreign intelligence requirements are categories and priorities reflecting the relative importance of various topics pertaining to foreign countries as they relate to U.S. policymaking, planning, and operations. For example, under this description, proliferation of weapons of mass destruction to Iran would rank high on the list.
For the Intelligence Community, these requirements serve as basic guidance, providing a “framework for both the current operations of collection, production, and supporting functions as well as for projecting mid- and longer range requirements and priorities.” Only after an extensive interagency process does the president set the highest foreign intelligence priorities, while the remaining foreign intelligence priorities are approved through another high-level interagency process. The Director of National Intelligence (DNI) then translates these requirements into the National Intelligence Priorities Framework (NIPF), which is the primary mechanism to establish and communicate national intelligence priorities.
Once the NIPF is published, the National Signals Intelligence Committee, or the SIGCOM, translates the foreign intelligence requirements into actual collection. According to Robert Litt, General Counsel for ODNI, the SIGCOM has representatives from all elements of the Intelligence Community, and as PPD-28 is implemented, the SIGCOM will add “representation from other departments and agencies with a policy interest in [SIGINT].”
The SIGCOM process of reviewing and approving SIGINT collection is also rather tedious. First, the SIGCOM receives requests for SIGINT collection from “consumers of intelligence,” which means agencies such as the NSA. The SIGCOM then reviews the requests, undertaking a detailed assessment of feasibility, values, and risks pertaining to the type of collection, and civil liberties considerations such as privacy interest, which now applies to all persons regardless of nationality. Additionally, “[t]he extent to which the requirements categories and priorities apply to an Intelligence Community component will depend on the scope of that component’s assigned mission and on the specific nature of its capabilities within its area of responsibility.” After completing the extensive review, and after determining that a request is consistent with the NIPF, the SIGCOM prioritizes the collection activity. Only then does the collection activity constitute a valid foreign intelligence purpose. With this, President Obama’s clarification that the United States does not collect SIGINT for purposes of suppressing or burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion, or to steal the trade secrets of foreign nations to give U.S. businesses a competitive edge, makes sense simply because these do not qualify as valid foreign intelligence purposes. Again, this is nothing new, but it still amounts to a substantial, front-end protection for privacy of all individuals, filtering out as unlawful any collection that does not meet this requirement.
Further front-end protections then vary from program to program. Depending on the scope, collection may be limited to a specific target, collected in bulk, or based on specific selection terms. Programs also generally distinguish between the types of data collected. Currently, programs are divided into either content or metadata, but with the advancement of modern technology, it makes sense to further divide metadata into the categories discussed above-personal, transactional, locational, and relational-heightening the privacy implications to the same stringency as content to further safeguard privacy interests.
Another traditional front-end protection considers the location of collection – whether done domestically or abroad. However, as mentioned in Part II of this Note, this distinction makes less sense in the digital age. In fact, with the unpredictable and easily manipulated flows of Internet traffic, the ability to tap fiber-optic cables carrying domestic communications internationally, and the invention of cloud technology, location of collection has become largely irrelevant.
One current front-end protection restricts which agencies are able to collect, obtain, or access the information. Some programs limit access to the NSA only, while others allow the FBI and the CIA access to run database queries. Another familiar front-end protection imposes various standards, which must be established for certain targeted programs, such as “probable cause to believe that… the target of the electronic surveillance is a foreign power or an agent of a foreign power” under Traditional FISA.
In the digital age, however, more meaningful front-end protections turn on the type of technology used to access the information-for instance, whether data is pulled from servers or cloud technologies, social media, or by using traditional communication technologies. Each has a different level of privacy intrusion and should be assessed accordingly. Also, front-end protections should distinguish between the source providing the information-whether it is the government agencies themselves, private companies, or international partners. To protect U.S. business, customers need to feel secure in their privacy, and more stringent front-end protections for programs compelling the cooperation of telecommunication companies or related inquires may be necessary. Finally, the process for program approval is a significant front-end protection. Generally this falls within the responsibility of high-level executive branch officials under Executive Order 12,333 or in the form of judicial approval from the FISC under FISA. Included in the approval process are considerations limiting the scope, duration, and renewal procedures of each program.
Front-end protections remain important safeguards to privacy, especially for targeted collection since they act as a barricade, ensuring that necessity is demonstrated before permitting collection of a specific individual’s communications. This is less so for bulk collection programs and collection based on specific selection terms, which pull in large volumes of information, the majority of which has nothing to do with foreign intelligence. With the advancement of technology and the sheer mass of collection taking place at the global level-as a matter of efficiency and for a better intelligence product-a shift is taking place toward reliance on back-end protections. After all, in the modern age (at least in American culture), it is not the automated collection of raw data by computers that infringes on privacy interests. Instead, whether such collection infringes on an individual’s privacy depends on what is done with the information after collection takes place. Thus, surveillance reform and policy should focus on whether specific uses of information adversely affect privacy.
After collection, back-end privacy protections take place in four primary ways: use, analysis, retention, and dissemination. Such protections “allow the Intelligence Community to acquire necessary foreign intelligence, while providing privacy protections that take account of modern technology.” Addressed below is a quick assessment of current practice and suggestions to further bolster privacy safeguards.
1. Use, Analysis, Retention, and Dissemination
Back-end protection starts with storage. Once collection occurs, the raw data is stored in repositories with secure networks and marked to identify its unique program or purpose. Regardless of how the information is collected, the analysis of raw data should be restricted to a number of specially trained analysts, who have received appropriate and adequate training on handling the information.
Going forward, if wide-scale bulk collection continues, or even if it is replaced by selection-term collection, a crucial back-end protection will be developing stringent standards for running database searches, or “queries.” Under Section 215 of the PATRIOT Act, as an example, before NSA analysts can query the bulk records stored in the raw database, “[the analysts] must have reasonable articulable suspicion – referred to as ‘RAS’ – that the number or e-mail address they submit is associated” with a particular terrorist organization. This suspicion must also be documented in writing and approved by a supervisor. In addition, after an analyst queries the database, that query is automatically saved and used for compliance evaluations.
While front-end protections limit what data can be collected, narrowly tailored query standards limit what data can be accessed. And similar to the front-end protections, query standards can vary in stringency depending on the program’s purpose and the privacy interests at stake, taking into account the relevant considerations highlighted in the previous section. This includes the technology used (cloud technology, social media, etc.), the type of information collected (content, relational, transactional, locational, or personal), the source of information (private business, foreign nation, etc ), and so on. If adequate query standards are applied to every database search, then the vast majority of information collected is inaccessible to even the highest-level analyst.
The next phase of back-end protection occurs as the analysts run queries. In short, when an analyst comes across information that is not foreign intelligence, minimization procedures kick in. As mentioned in Part I, minimization procedures apply to all collection and are meant to limit the retention and dissemination of information collected. Depending on the purpose of the surveillance and the technique used to implement it, minimization procedures may differ. Prior to the Snowden leaks, only the FISA minimization procedures for information collected under Traditional FISA had been declassified. Over the last year, however, the government has made an effort to disclose the minimization procedures for other exposed programs. And with the issuance of PPD-28, U.S. policy now extends minimization to all foreign nationals. As of this year, all elements of the Intelligence Community have reviewed and updated their policies and procedures in accordance with PPD-28 and this now current practice.
Under PPD-28, a foreign national’s intercepted personal information is now subject to the same retention periods that apply to comparable information concerning a U.S. person. If no foreign intelligence determination is made within five years, the information is destroyed. Additionally, a foreign national’s intercepted personal information may be disseminated or retained only if retention or dissemination of comparable information concerning U.S. persons would be permitted under Section 2.3 of Executive Order 12,333. Section 2.3, known as the “safe harbors” provision, outlines ten instances in which retention and dissemination of personal information is permissible. A few of the provisions are rather broad, and while some experts have referred to them as adequate protections, others have viewed them as meager. Whether these provisions are adequate, however, depends on how they are implemented in practice. This is currently unknown, mostly due to the classified nature of analyzing intelligence. Or, at a more basic level, it is because the government has not yet disclosed the procedures that analysts follow for determining whether personal information falls under these provisions. This, however, is an issue of transparency, addressed infra.
The most important back-end protection turns on how the information is used after the analyst decides to keep it. Broadly speaking, for data collected in bulk, Section 2 of PPD-28 limits the use of such information to detecting and countering six topics: Espionage, terrorism, counter-proliferation of weapons of mass destruction, cybersecurity threats, threats to U.S. troops and allies, and transnational crime. All other uses are prohibited. While most people associate bulk collection with Section 215 of the PATRIOT Act, bulk collection also takes place under Executive Order 12,333, the FBI’s National Security Letters, FISA pen register authority, and other agencies’ administrative subpoena authorities. It is important to note, however, that the six specified uses outlined in PPD-28 do not apply to collection based on selection terms, which may be as broad as collecting data using search terms such as “nuclear proliferation,” “oil sales,” and “economics.” While collection based on selection terms may be more limited than bulk collection, the volume of collection obtained using a term like “economics” is still sweeping and should be subject to similar, though not necessarily identical, restrictions.
Furthermore, use restrictions can be narrowly tailored to a specific program’s purpose. For example, information collected in bulk under Section 215 is used strictly for counterterrorism purposes (broad purposes), and analysts may only use the telephony metadata for purposes of contact chaining, or mapping a network of telephone numbers calling other telephone numbers (tailored purpose). All other use is prohibited.
In theory, if the use of data collected is restricted to the specific purpose of each program, and heightened query standards limit analysts’ ability to run database searches, then even though a raw copy of the data is stored on the secure sever, only a minuscule fraction of information collected will be accessible. All other data remains untouched on the secure server until it is destroyed at the end of the retention period. However, achieving this goal hinges on the strength of agency compliance.
2. Oversight and Transparency
The Intelligence Community follows a robust set of oversight procedures. The NSA’s General Counsel, Rajesh De, has described the oversight architecture as extremely thorough, stating “[i]t is evident to me that I am the General Counsel for one of the most highly regulated entities in the world.” And while procedural mechanisms are no substitute for true policy considerations, the end result of proper oversight, paired with adequate collection, is enforcement of privacy protections by preventing improper use of the information collected.
The first safeguard comes in the form of technology. “Audit trail tracking” records which analysts are using each database, and how these databases are being used. This technology records each query, allowing for identification of misuse. According to Robert Litt, General Counsel for ODNI, “there’s no indication so far that anyone has defeated those technological controls and improperly gained access to the databases containing people’s communications.”
Outside of technology, oversight comes down to compliance reporting. Considerations that must be taken into account are: “(1) who reports, (2) what is reported, (3) to whom such reports are made, [and] (4) penalties for violations.” At the first level, the NSA has an “internal compliance officer, whose job includes developing processes that all NSA personnel must follow to ensure that NSA is complying with the law.” At the next level of oversight, like back-end protections, compliance reporting may differ depending on the program. In general, the NSA internally reviews decisions regarding how and what to query, which is subsequently reviewed by the Department of Justice, and then again by ODNI. Additional reviews are conducted to “ensure information collected is used and disseminated in accordance with the court-approved minimization procedures.” At the next level of oversight, Inspectors General review the overall operations of each program. And in addition to the executive branch oversight, there is considerable oversight by both the FISC and Congress.
For collection falling under FISA, the FISC must review and approve the procedures by which intelligence is collected, ensuring compliance with the minimization procedures. More recently, approvals of query searches, at least under Section 215, are subject to FISC approval. All compliance issues must also be reported to the FISA Court where improperly collected information is deleted (unless an exception applies), and once corrective measures are taken, the FISC is notified. Additionally, pursuant to PPD-28, new oversight and compliance programs now include the following reporting requirement: “When a significant compliance issue occurs involving personal information of any person, regardless of nationality, collected as a result of signals intelligence activities, the issue shall, in addition to any existing reporting requirements, be reported promptly to the DNI, who shall determine what, if any, corrective actions are necessary.” Finally, Privacy and Civil Liberties Oversight Board (PCLOB), the independent oversight body, has been conducting and continues to conduct reviews of certain surveillance programs within its mandate. Moving forward, to further transparency efforts, compliance reporting should be made public on a routine basis-“or at least summarized for the public.” If there is a lack of abuse or a lack of analysts failing to follow the rules-which declassified documents seem to show-then there is little reason not to make this public.
Despite this robust oversight apparatus, when it comes to regaining the trust of foreign nations, the largest hurdle falls under the classified and highly secretive programs operated under Executive Order 12,333. These activities take place abroad, operating on the soil of foreign nations. In addition, these programs are developed wholly by executive branch agencies and are subject to no judicial oversight and slight congressional interference. Little is known as to who proposes such activities, approves them, monitors how they are conducted, and ensures compliance with civil liberties. While there is no doubt that such surveillance is vital to national security and is sanctioned by the Constitution under the President’s inherent Commander in Chief powers and as the “sole organ” of foreign affairs, these powers are not meant to operate as a blank check for unrestrained executive power. Even though the details of these programs remain classified, it would benefit the U.S. government to adopt a policy of greater transparency as to the internal operations and oversight procedures guiding these classified programs. If the executive branch has chains of command for effectively governing compliance and safeguards to privacy, then this should be communicated clearly to the public. Transparency is an ongoing effort, but it is the key to legitimizing the U.S. foreign surveillance effort and key to gaining public support both domestically and internationally.
In the digital age, robust intelligence capabilities are necessary to defend against modern threats. These include confronting challenges of traditional State actors such as Iran’s nuclear program, cyber intrusions from China, North Korea, and Russia, and terrorism from the Islamic State. But it also includes more dispersed and transnational, non-State actors that have a deep understanding of dangerous technology, empowering them to exert the destructive power of States. Each of these threats requires robust intelligence capabilities, and yet the path forward is replete with challenges.
Foreign nations and their citizens remain skeptical, U.S. businesses remain caught in the international crossfire, and U.S. national and economic security depends on the cooperation of foreign nations, allies, and private companies alike. Invasive spying programs with unintuitive, complex regulations are understandably met with suspicion, but the cure for suspicion is knowledge.
Some substantial privacy protections predate Snowden’s unlawful disclosures, and with Obama’s issuance of PPD-28 and other various reforms, meaningful steps have been taken with respect to reforming U.S. foreign intelligence law. Moving forward, the law should be amended in a way that evolves concurrently with the institutions it purports to regulate. This includes basing protections not on national borders, citizenship, and domestic versus international collection, but on fine-tuning front-end and back-end protections to the source of collection and type of technology used, as well as expanding the types of communications in a way that reflects current privacy interests. With this, even wholesale collection programs can adequately safeguard the privacy of all people, regardless of nationality.
Even so, for such reforms to succeed at the international level, the United States must engage in a new dialogue that allows the international community to understand the Intelligence Community ‘s mission in light of these modern threats. Such risks can only be managed-not uninvented-and due to globalization, these threats transcend borders and are better managed when nations work in coalition. However, international cooperation cannot be maintained without trust, which is best done through transparency-especially in the realm of collection done pursuant to Executive Order 12,333. Shedding more light on the Intelligence Community’s actions does not entail disclosing minute details of surveillance programs to the detriment of U.S. national security. Rather, it means shaping the scope and procedures governing intelligence collection in proportion to the threat, and utilizing soft powers to educate and persuade the relevant institutions and societies that such procedures are necessary in light of the current threat environment facing the world. The United States is in a unique position. With the right response, the nation can adequately reform surveillance law and spearhead the movement, serving as a model for others to follow.