The Latest Snowden Leak: NSA Isn't Spying on Lawyers

Unless the public is really tiring of matters Snowden, the New York Times’s latest is going to stir up the hornet’s nest. “Spying by N.S.A. Ally Entangled U.S. Law Firm,” blares the headline of the story by reporter James Risen and freelancer Laura Poitras---from whom the Times (which insists it never pays for information) sometimes procures Snowden-leaked documents and to whom it gives a byline when it does so.

[Clarification here on what the previous sentence is---and is not---meant to suggest about Poitras]

The story is rich with warnings about the threat to legal ethics (“The list of those caught up in the global surveillance net cast by the National Security Agency and its overseas partners, from social media users to foreign heads of state, now includes another entry: American lawyers.”). It’s rich as well with innuendo, including the suggestion that American lawyers are under scrutiny because of the work they do for their clients (“The disclosure offers a rare glimpse of a specific instance in which Americans were ensnared by the eavesdroppers, and is of particular interest because lawyers in the United States with clients overseas have expressed growing concern that their confidential communications could be compromised by such surveillance.”). And both it and a related story in the Guardian are also rich with technical details about U.S.-Australian cooperation in targeting Indonesian telecommunications infrastructure.

But while the facts the paper reports about the interception of lawyer communications are indeed remarkable, they are not remarkable for quite the reasons the Times has slapped this story on its front page.

For starters, it is important to emphasize that the Times story does not involve NSA spying. It doesn’t involve any remotely-plausible suggestion of illegality. It doesn’t involve any targeting of Americans. And it doesn’t involve any targeting of lawyers either.

• The surveillance in question was conducted by the Australian Signals Directorate (ASD), not NSA.
• The surveillance targeted Indonesian government officials engaged in trade talks with the United States.
• The surveillance apparently took place overseas. (There is no suggestion in the story that the surveillance took place inside the United States.)

In other words, a foreign intelligence service was conducting surveillance against another foreign government, which was in communication with a U.S. law firm.

Now there is something extraordinary about this picture, and it is a reflection of how close U.S.-Australian intelligence cooperation is. The extraordinary thing is what happened when the Australians realized that in the course of this surveillance, they might intercept the communications of U.S. lawyers. The Snowden-leaked document, in the Times’s words:

reports that the N.S.A.’s Australian counterpart, the Australian Signals Directorate, notified the agency that it was conducting surveillance of the talks, including communications between Indonesian officials and the American law firm, and offered to share the information.

The Australians told officials at an N.S.A. liaison office in Canberra, Australia, that “information covered by attorney-client privilege may be included” in the intelligence gathering, according to the document, a monthly bulletin from the Canberra office. . . .

On behalf of the Australians, the liaison officials asked the N.S.A. general counsel’s office for guidance about the spying. The bulletin notes only that the counsel’s office “provided clear guidance” and that the Australian agency “has been able to continue to cover the talks, providing highly useful intelligence for interested US customers.”

The Times actually gives no information on what is really the only interesting question the episode raises: What guidance did NSA give the Australians? For it would, indeed, be scandalous if NSA were using a foreign partner as a proxy for spying on Americans or for violating attorney-client privilege in ways that are off-limits to its own people. But there’s no hint of any of that in the story. In fact, there are at least some hints that NSA might have asked the Australians to follow U.S. rules and practice in anything they might want to share:

An N.S.A. spokeswoman said the agency’s Office of the General Counsel was consulted when issues of potential attorney-client privilege arose and could recommend steps to protect such information.

“Such steps could include requesting that collection or reporting by a foreign partner be limited, that intelligence reports be written so as to limit the inclusion of privileged material and to exclude U.S. identities, and that dissemination of such reports be limited and subject to appropriate warnings or restrictions on their use,” said Vanee M. Vines, the spokeswoman.

Later in the story, Risen and Poitras write:

In a statement, the Australian Defense Force public affairs office said that in gathering information to support Australia’s national interests, its intelligence agencies adhered strictly to their legal obligations, including when they engaged with foreign counterparts.

Piece all this together, and it sounds like NSA probably asked the Australians to observe practices similar to what would have been the rules had the surveillance been conducted by NSA itself, at least with respect to those materials the ASD meant to share with NSA. Judging from the fact that the Australians managed to share information in a “highly useful” fashion, it appears they complied with this request---which was presumably the reason they sought the guidance in the first place.

So what would those rules have been? The key is minimization. When the U.S. conducts this sort of surveillance under FISA Section 702 (the minimization rules under Executive Order 12333 probably differ somewhat), NSA cannot target anyone for Section 702 collection---not even foreign persons overseas---without a valid foreign intelligence purpose. Section 702 categorically forbids intentionally targeting any U.S. person---or any other person believed to be inside the U.S. And it requires NSA to follow procedures to minimize any information acquired in the course of targeting non-U.S. persons reasonably believed to be located outside the United States. So it would be legal to target Indonesian officials engaged in trade talks with the United States, but NSA would have to discard any communications they might have with US persons---lawyers or not---to the extent there was no foreign intelligence value in those communications. And NSA would have to discard and mask the US persons’ identities except to the extent that those identities themselves had foreign intelligence value.

According to section 4 of the declassified 2011 guidelines governing minimization, moreover, additional protections kick in when it becomes apparent that acquired communications are taking place between any person known to be under criminal indictment in the United States and an attorney representing that individual in the matter. Monitoring of that communication must halt, the communication must be segregated from other acquired information and special precautions must be taken through the DOJ’s National Security Division to ensure the communications play no part in any criminal prosecution. As an added precaution, the NSA Office of General Counsel is also required to review all proposed disseminations of U.S. person attorney-client privileged communications prior to dissemination.

The 2011 minimization guidelines aren't airtight; critics have pointed out that calls that fall under attorney-client privilege need not be minimized if the target has not been criminally charged under U.S. law. And they thus would not protect attorney-client communications in a civil matter like a trade negotiation at all.

Still, what appears to have happened here is that a foreign intelligence service conducting espionage against a foreign government asked for NSA’s guidance as to the incidental acquisition of material about U.S. persons, and NSA appears to have asked them to respect U.S. privacy rules that do not otherwise bind them.

Public relations really isn’t NSA’s thing. But if this is right, the agency should say so.