by considering the origins of the current programs and the relevant authorities — particularly the shift of the content portions of the President’s Surveillance Program, instituted just after 9/11, to the Foreign Intelligence Surveillance Act (FISA). It considers the brief operation of the Protect America Act, before its replacement in 2008 by the FISA Amendments Act.
The article then turns to statutory questions related to targeting, post-targeting analysis, and the retention and dissemination of information. It argues that the NSA has sidestepped the statutory restrictions with regard to targeting in three critical ways: by adopting procedures that allow analysts to acquire information not just to or from, but also "about" targets; by creating an assumption of non-U.S. person status; and by failing to construct procedures adequate to ascertain whether the target is located within domestic bounds. Donohue comments that
On June 6, 2013, the Washington Post and The Guardian captured public attention with headlines claiming that the U.S. National Security Agency (NSA) was collecting large amounts of U.S. citizens’ information. The Post reported that the NSA and Federal Bureau of Investigation (FBI) were “tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time.”
In conjunction with the articles, the press published a series of PowerPoint slides it claimed came from the NSA, describing a program called “PRISM” (also known by its SIGAD, US-984XN). The title slide referred to it as the most used NSA SIGAD. The documents explained that PRISM draws from Microsoft, Google, Yahoo!, Facebook, PalTalk, YouTube, Skype, AOL, and Apple—some of the largest email, social network, and communications providers—making the type of information that could be obtained substantial: email, video and voice chat, videos, photos, stored data, VoIP, file transfers, video conferencing, notifications of target activity (e.g., logins), social networking details, and special requests. The slides noted that the program started in September 2007, with just one partner (Microsoft), gradually expanding through to the most recent company (Apple, added October 2012), and that the total cost of the program was $20 million per year. As of 2011, most of the more than 250 million Internet communications obtained each year by the NSA under §702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act derived from PRISM.
A follow-up article two days later printed another slide depicting PRISM and “upstream” collection of communications on fiber cables and infrastructure—i.e., “[c]ollection directly from the servers of . . . U.S. Service Providers.” In contrast to PRISM, upstream collection allows the NSA to acquire Internet communications “as they transit the ‘internet backbone’ facilities.” The NSA could therefore potentially collect all traffic crossing particular Internet cables—not just information specifically targeted at particular Internet Protocol (IP) addresses or telephone numbers. This form of interception provides the intelligence community access to information that may be moving outside of the corporate partners employed in PRISM. The slide urged analysts to use both methods to obtain information. The potential yield was substantial: in the first six months of 2011, the NSA acquired more than 13.25 million Internet transactions through its upstream collection.
Approximately two months after news of PRISM and upstream collection reached the public, the U.S. Director of National Intelligence, James Clapper, confirmed the existence of both collection programs, noting that PRISM had been in operation since Congress had passed the 2008 FISA Amendments Act. Clapper declassified eight documents providing more details: two memorandum opinions issued by the Foreign Intelligence Surveillance Court, communication between the Administration and Congress on the existence and operation of the programs, and the §702 minimization procedures. At the end of August 2013 Clapper announced that the intelligence community would release the total number of §702 orders issued, and targets thereby affected, on an annual basis.
Although much of the information about PRISM remains classified, what has been made public, via the press as well as declassification, suggests that the program pushes the statutory language to its limit, even as it raises critical Fourth and First Amendment concerns. Very little scholarship, however, has emerged since June 2013 on the history of the legislative provisions and the questions that accompany the manner in which the intelligence community is interpreting and applying the statute—much less the profound Constitutional questions raised by the same.
This Article fills the gap. It begins by considering the origins of the current programs and the relevant authorities—particularly the shift of the content portions of the President’s Surveillance Program, instituted just after 9/11, to the Foreign Intelligence Surveillance Act (FISA). It considers the brief operation of the Protect America Act, before its replacement in 2008 by the FISA Amendments Act.
The Article then turns to statutory questions related to targeting, post-targeting analysis, and the retention and dissemination of information. It argues that the NSA has sidestepped the statutory restrictions with regard to targeting in three critical ways: by adopting procedures that allow analysts to acquire information not just to or from, but also “about” targets; by creating an assumption of non-U.S. person status; and by failing to construct procedures adequate to ascertain whether the target is located within domestic bounds. These interpretations undermine Congress’ express inclusion of §§703 and 704 and open the door to the collection of U.S. persons’ communications within domestic bounds. Looking beyond the statutory language, to the extent that the FAA is vague or ambiguous, different methods of interpretation raise concern. Noscitur a sociis, in this regard, offers little insight, but the doctrine of ejusdem generis suggests that the NSA’s adherence to the to/from or about method goes beyond the authorities provided by Congress. Even if one rejects originalist interpretations as intellectually antediluvian, and assumes a more dynamic model, the recent passage of the statute places the NSA’s interpretation on shaky ground.
FISC itself has confronted the problem of statutory language with regard to the FAA’s prohibition of knowingly collecting entirely domestic communications. Although the NSA freely admits to the Court that it does knowingly collect wholly domestic conversations, FISC has responded that because, in any one intercept, the NSA has not developed the technology to know the origins and destination of each packet intercepted, its actions are consistent with the FAA. This interpretation violates the plain language of the statute and calls into question how meaningful FISC’s role is with regard to FAA targeting procedures.
In the area of post-targeting analysis, the Article draws attention to four areas, asking, first, whether the aim of the analysis conducted by the NSA elucidates (and generates further concern in relation to) the scope of information included at the collection phase. Second, it notes the failure of the NSA’s prior minimization procedures to account for multi-communication transactions and raises questions about the extent to which the statute adequately addresses situations in which the NSA collects information either in violation of FISC’s direction or in a manner later found by FISC to be inconsistent with the statutory requirements. Third, the Article addresses the use of U.S. person information to query data, noting Congress’s explicit prohibition of reverse targeting to prevent incursions into the use of §702 and asking whether then allowing such queries bypasses the statutory restrictions. Fourth, it looks at how what can be termed “recombinant” information changes the quality of information obtained under §702.
In regard to the retention and dissemination of data, the Article raises further concerns. Increasing consumer and industrial reliance on cryptography gives rise to questions about the NSA’s automatic retention of encrypted data. This policy may quickly become the exception that swallows the protections otherwise granted to U.S. persons’ information. In addition, as a matter of statutory language (and not NSA implementation), the retention of all information under §702 implicating “foreign intelligence”—in light of the breadth of the statutory definition of the same—underscores the danger of looking to retention policies to delimit the type of information kept by the intelligence community. Finally, the use of the information obtained under §702 for criminal prosecution, while consistent with provisions applied to information obtained under traditional FISA, is not, at any point, subject to equivalent procedural protections. This discussion leads naturally to Fourth Amendment considerations.
In the criminal realm, outside of narrowly circumscribed exceptions (discussed, infra), a search is presumptively unreasonable under the Fourth Amendment unless the government first obtains a warrant from a neutral, disinterested magistrate, based on a finding of probable cause of involvement in criminal activity. This applies to all criminal searches within the United States. It does not apply to non-U.S. persons without a significant attachment to the country and who are outside domestic bounds. Between these book-ends, Fourth Amendment doctrine presents in unique form, based on, e.g., whether the search centers on intelligence gathering or criminal prosecution, whether the target is a U.S. person or a non-U.S. person, where the search takes place, and the extent to which U.S. persons’ privacy is implicated. After briefly laying out the broader territory, the Article’s Fourth Amendment analysis focuses on the government’s contention that §702 collection takes place subject to a foreign intelligence exception to the warrant requirement. It notes that in the nearly four decades that have elapsed since the Court raised the possibility of such an exception, and since Congress responded to this decision by enacting FISA, not a single case has found a domestic foreign intelligence exception. It points out that, as a matter of the international intercept of U.S. persons’ communications, practice and precedent prior to the FAA turned on a foreign intelligence exception to the warrant requirement that derived from the President’s foreign affairs powers. Criminal investigations overseas similarly did not require warrants. Nevertheless, the Courts required the search of U.S. persons overseas to be consistent with the Fourth Amendment requirement of reasonableness. Through §§703 and 704 of the FAA, Congress has since introduced stronger safeguards for U.S. persons targeted for foreign intelligence purposes. By defaulting to §702, however, and “incidentally” collecting U.S. persons’ international communications, the NSA is bypassing Congressional requirements. Acknowledging that the President and Congress share foreign affairs powers, the executive’s persistent use of §702 may be regarded in Justice Jackson’s third category under Youngstown Sheet & Tube Co. v. Sawyer.
Even if one takes the position that the Warrant Clause is inapposite to collection of U.S. persons’ information under §702, the FAA and NSA practice must still comport with the reasonableness requirements of the Fourth Amendment. To the extent that the target is a non-U.S. person based outside of domestic bounds, and the communications are to or from the target, the programs appear to be consistent with the constitutional mandate. But to the extent that the NSA interprets the statute to include information about such targets, in the process collecting wholly domestic communications, as well as conversations between U.S. persons, the practice fails to meet the totality of the circumstances test articulated by the Court with regard to reasonableness.
Although almost all of the public discussion of §702 has centered on the NSA’s use of its authorities under the statute (indeed, some of it questioning whether the NSA or the FBI has the authority to act), almost no attention has been drawn to the role of the Central Intelligence Agency. The Article concludes by highlighting how little is currently known about the CIA’s targeting, minimization, and retention and dissemination procedures—an omission which, in light of the significant statutory and constitutional questions accompanying the NSA’s use of the same, and restrictions on CIA collection of information about U.S. persons within the United States, raises further concern.