Et Tu, Charlie? The New York Times's Savage Blunder

"Without public notice or debate, the Obama administration has expanded the National Security Agency‘s warrantless surveillance of Americans’ international Internet traffic to search for evidence of malicious computer hacking, according to classified N.S.A. documents," the New York Times breathlessly reported yesterday.

"In mid-2012, Justice Department lawyers wrote two secret memos permitting the spy agency to begin hunting on Internet cables, without a warrant and on American soil, for data linked to computer intrusions originating abroad---including traffic that flows to suspicious Internet addresses or contains malware, the documents show."

Reporter Charlie Savage---writing with Julia Angwin, Jeff Larson, and Henrik Moltke of ProPublica---notes that "The Justice Department allowed the agency to monitor only addresses and 'cybersignatures'---patterns associated with computer intrusions---that it could tie to foreign governments. But the documents also note that the N.S.A. sought permission to target hackers even when it could not establish any links to foreign powers."

Wow. Yet another warrantless wiretapping program directed at Americans uncovered by Snowden leaks?

No, as it turns out.

You have to read pretty far down in Savage's story to figure this out---down to paragraph 14, to be precise. The reality comes only after the inevitable denunciation of the activity by a quotable commentator, and only after a lot of phrases like "warrantless wiretapping program" and "latest known expansion."

But if you get that far, you'll come to the following paragraphs:

In 2008, under the FISA Amendments Act, Congress legalized the surveillance program so long as the agency targeted only noncitizens abroad. A year later, the new Obama administration began crafting a new cybersecurity policy. That effort included weighing whether the Internet had made the distinction between a spy and a criminal obsolete.

. . .

About that time, the documents show, the N.S.A.---whose mission includes protecting military and intelligence networks against intruders---proposed using the warrantless surveillance program for cybersecurity purposes. The agency received “guidance on targeting using the signatures” from the Foreign Intelligence Surveillance Court, according to an internal newsletter.

Oh.

In other words, what Savage breathlessly calls a "warrantless wiretapping" of Americans' internet traffic is, in fact, a rather predictable application of Section 702 to overseas cybersecurity threats from foreign governments, one it would be frankly shocking if NSA were not doing.

It bears emphasis, as a background matter, that all 702 collection is warrantless. In fact, all NSA collection is warrantless---except when that collection specifically targets Americans. So for Savage repeatedly to stress the warrantless nature of NSA collection that targets foreign actors overseas---whether under 702 or under EO 12333---is a little like stressing the warrantless nature of Pentagon captures of enemy soldiers overseas. It's true, but it reflects a deep category error.

The authors go on:

In May and July 2012, according to an internal timeline, the Justice Department granted its secret approval for the searches of cybersignatures and Internet addresses. The Justice Department tied that authority to a pre-existing approval by the secret surveillance court permitting the government to use the program to monitor foreign governments.

That limit meant the N.S.A. had to have some evidence for believing that the hackers were working for a specific foreign power.

Oh.

Now this is looking very nothing-burger indeed. So far, Savage has revealed only (a) that NSA applied its 702 authorities to cybersecurity-oriented traffic and that (b) the Justice Department limited this application to surveillance of the activities of foreign governments.

There's more:

That rule, the N.S.A. soon complained, left a “huge collection gap against cyberthreats to the nation” because it is often hard to know exactly who is behind an intrusion, according to an agency newsletter. Different computer intruders can use the same piece of malware, take steps to hide their location or pretend to be someone else.

So the N.S.A., in 2012, began pressing to go back to the surveillance court and seek permission to use the program explicitly for cybersecurity purposes. That way, it could monitor international communications for any “malicious cyberactivity,” even if it did not yet know who was behind the attack.

The newsletter described the further expansion as one of the “highest priorities” of the N.S.A. director, Gen. Keith B. Alexander. However, a former senior intelligence official said that the government never asked the court to grant that authority.

Oh.

So now add to Savage's story the facts that NSA perceived an important collection gap based on what the Justice Department had permitted, pushed to go back to the FISA court for broader authority, but that the agency never, in fact, did ask the court for broader authority. I don't think, by the way, that there would have been any reason in principle that NSA could not have received broader authority. Section 702, after all, requires certification that the material is being collected for intelligence purposes, not that it be linked to a foreign government---and not all foreign intelligence in the cybersecurity space involves foreign governments. So there's nothing remotely inappropriate, in my view, about NSA's contemplating the question of whether its current FISA orders and Justice Department guidance are unduly restrictive. It's notable, however, that it didn't get the additional authority Gen. Alexander wanted.

The authors go on:

Meanwhile, the F.B.I. in 2011 had obtained a new kind of wiretap order from the secret surveillance court for cybersecurity investigations, permitting it to target Internet data flowing to or from specific Internet addresses linked to certain governments.

To carry out the orders, the F.B.I. negotiated in 2012 to use the N.S.A.’s system for monitoring Internet traffic crossing “chokepoints operated by U.S. providers through which international communications enter and leave the United States,” according to a 2012 N.S.A. document. The N.S.A. would send the intercepted traffic to the bureau’s “cyberdata repository” in Quantico, Va.

Oh.

So the FBI also has some authorities in this space too---probably also under 702, since the collection appears to take place domestically and is being authorized by the FISA court. And NSA appears to be lending its capabilities to intelligence work by a partner agency that has been specifically authorized by a court. That's hardly a scandal.

So wait. How then exactly does Savage get to "the Obama administration" expanding warrantless surveillance of Americans' international internet traffic---as promised in his lede paragraph? What he and his partners on this story have actually described is authorized 702 collection directed at foreign governments and the rejection of the possibility of expanding that to non-governmental foreign threats.

You have to read almost to the bottom of the story to discern the answer to this question:

The disclosure that the N.S.A. and the F.B.I. have expanded their cybersurveillance adds a dimension to a recurring debate over the post-Sept. 11 expansion of government spying powers: Information about Americans sometimes gets swept up incidentally when foreigners are targeted, and prosecutors can use that information in criminal cases.

Oh.

So the promised scary "expansion" of collection on Americans is actually nothing more than incidental collection of the type that always takes place when NSA collects against foreigners abroad.

Look, I'm a fan of Charlie Savage, who has done a lot of great and careful work over the years. I'm also a fan, more generally, of much of the New York Times's national security reporting. My criticisms of the paper are almost always about the editorial page, not the reporting staff---for whom I have (with a few exceptions) very high regard.

But this story is an embarrassing blunder. It is not careful. And it is not good work.

A much more interesting take on the same set of documents comes from Shane Harris at the Daily Beast, who focuses on the strategic history of the FBI-NSA joint activity:

Ever since Edward Snowden’s files first began leaking out, public attention has been mostly focused on the NSA and its vast surveillance networks. But newly revealed Snowden documents show that the FBI, the law enforcement organization meant to combat domestic threats, has been keeping pace with the NSA, America’s biggest overseas intelligence agency. And when the two spying outfits decided to work together, it created a new surveillance campaign, geared towards keeping tabs on foreign hackers.

The FBI’s counter-hacking campaign was growing so fast that in 2011, bureau officials approached the NSA about teaming up and using the vast infrastructure that the spy agency had built since the 9/11 attacks to monitor terrorists’ communications. The bureau thought it could help locate hackers overseas.

. . .

Three former U.S. officials told The Daily Beast that the cooperation between the NSA and the FBI grew out of a mutual desire to combat foreign cyber espionage and that it was never aimed at hackers operating in the United States. Going after them is the FBI’s job.

Both the NSA and the FBI agreed that while the latter could monitor those communications chokepoints on its own, it would have to build a new infrastructure to do it, according to the document. Using the NSA’s, however, would be be easier and cheaper.

Against the backdrop of widening surveillance, the revelations of the FBI and the NSA joining forces may appear ominous. But former officials insisted that Americans would be appalled to learn that their government wasn’t trying to monitor foreign hackers who are stealing secrets from U.S. companies and money from American citizens. Based on the documents released by the news organizations and interviews with former U.S. officials, it appears that the FBI and the NSA’s work together didn’t violate any laws or regulations.

I'll have my own analysis of the documents in question in the coming days.