Can NSA Drop "About" Collection Without Gutting "To/From" Collection?
The mystery as to why there was no Section 702 application or certification reported for 2016 has now been solved (I'm assuming readers know today's big 702 news, flagged by Quinta here, and as explored in detail by Charlie Savage in this article): NSA has been struggling to resolve a problem with "about" collection under the Upstream heading, including in particular a problem with analysts quering the fruits of that c
Published by The Lawfare Institute
in Cooperation With
The mystery as to why there was no Section 702 application or certification reported for 2016 has now been solved (I'm assuming readers know today's big 702 news, flagged by Quinta here, and as explored in detail by Charlie Savage in this article): NSA has been struggling to resolve a problem with "about" collection under the Upstream heading, including in particular a problem with analysts quering the fruits of that collection in a manner that departed from what the FISC had approved. As a result, we learned today, NSA has decided to abandon "about" collection altogether, and this appears to have been central to to getting the FISC to reissue a certification (and perhaps also will help avert a trainwreck when Section 702 comes up for renewal later this year).
But can NSA abandon "about" collection without also gutting "to/from" collection?
It has long been clear that "about" collection sometimes nets wholly-domestic communications, and that this presents a major Fourth Amendment problem. This inspired PCLOB to write (in its February 2016 update on the status of its 702-related recommendations):
In the upstream collection process, the NSA acquires not only Internet communications sent to and from the selector, such as an email address, used by a targeted person, but also communications that simply contain reference to the selector, sometimes in the body of the communication. These are termed “about” communications, because they are not to or from, but rather “about” the communication selectors of targeted persons. In addition, for technical reasons, “about” collection is needed even to acquire some communications that actually are to or from a target. Other types of “about” collection can result in the acquisition of communications between two non-targets, thereby implicating greater privacy concerns. Moreover, the permissible scope of targeting in the Section 702 program is broad enough that targets need not themselves be suspected terrorists or other bad actors. Thus, if the email address of a target appears in the body of a communication between two non-targets, it does not necessarily mean that either of the communicants is in touch with a suspected terrorist.
While “about” collection is valued by the government for its unique intelligence benefits, it is, to a large degree, an inevitable byproduct of the way the NSA conducts much of its upstream collection. At least some forms of “about” collection present novel and difficult issues regarding the balance between privacy and national security. But current technological limits make any debate about the proper balance somewhat academic, because it is largely unfeasible to limit “about” collection without also eliminating a substantial portion of upstream’s “to/from” collection, which would more drastically hinder the government’s counterterrorism efforts. We therefore recommend that the NSA work to develop technology that would enable it to identify and distinguish among the types of “about” collection at the acquisition stage, and then selectively limit or modify its “about” collection, as may later be deemed appropriate.
Discussion of Status: As with the previous recommendation, the NSA conducted a review based upon the Board’s recommendation and concluded that no changes are practical at this time. The NSA has advised the Board that it will periodically review whether the existing study remains accurate. If technology has changed sufficiently to make the existing study no longer accurate, the NSA will conduct a new study. [emphasis added]
The emphasized language above is pretty clear: As of February 2016, PCLOB understood that one could not simply drop "about" collection without gutting "to/from" collection that is very important to CT efforts. Has this changed? The NSA statements (linked to by Susan here) are not clear on this point. In relevant part:
NSA previously reported that, because of the limits of its current technology, it is unable to completely eliminate "about" communications from its upstream 702 collection without also excluding some of the relevant communications directly "to or from" its foreign intelligence targets. That limitation remains even today. Nonetheless, NSA has determined that in light of the factors noted, this change is a responsible and careful approach at this time.
And from NSA's other statement:
Even though NSA does not have the ability at this time to stop collecting "about" information without losing some other important data, the Agency will stop the practice to reduce the chance that it would acquire communications of U.S. persons or others who are not in direct contact with a foreign intelligence target.
These statements seem to acknowledge that the issue PCLOB identified remains in place at least to some extent. I suspect that if technological advances changed the balance of equities much, this would have been stated in NSA's two releases today. For now, I think, we can only conclude that it became necessary, in order to get FISC approval, to go ahead and abandon "about" collection even at the price of simultaneously "eliminating a substantial portion of upstream's "to/from" collection," in PCLOB's words from fourteen months ago. Hopefully that is wrong, though.
