A Reply to Charlie Savage—And His Reply to Me

I have been consumed for the past week with Lawfare’s relaunch, but I have not forgotten that I promised to address Charlie Savage’s response to my critique of his recent story on NSA cybersecurity surveillance under Section 702.

To hear Charlie describe his story, written with a team from ProPublica, you would think it a dispassionate, neutral account of a NSA’s activity—one that did not in any way imply impropriety or the targeting of Americans, much less imply illegality. To the extent there’s a policy issue raised by the story, Charlie argues, the critique “frames th[e] news via a transparency critique—from its opening clause, to its only quote by an analyst, to its closing quote from Obama.”

In particular, Charlie emphasizes that he at no time suggested that the program is directed at Americans and, indeed, stressed that it is directed at foreigners overseas: “Sincere question: can you articulate any defense for your claim that the story implies that the cyber surveillance is directed at Americans through the 13th graph?”

Sincere answer: Take a look at the headline: “Hunting for Hackers, N.S.A. Secretly Expands Internet Spying at U.S. Border.” And more significantly, take a look at the lede: “Without public notice or debate, the Obama administration has expanded the National Security Agency's warrantless surveillance of Americans’ international Internet traffic to search for evidence of malicious computer hacking, according to classified N.S.A. documents” (emphasis added).

Yes, I know. the first sentence is worded carefully so as not to say that the program specifically targets Americans, but when you say up front the words “warrantless surveillance of Americans’ international Internet traffic” and you don’t unambiguosly clarify until 13 paragraphs later that you’re talking about incidental collection in the course of overseas targeting, a lot of people are going to get the wrong idea.

I also think Charlie misapprehends how the average reader consumes words like “warrantless surveillance.” Charlie seems to regard such phrases as a neutral descriptor of a specific program. But I don’t think that’s what the average reader takes from that phrase—or phrases like “warrantless wiretapping” eiher. The reason the Bush administration’s program was called the “warrantless wiretapping program” by critics—including me, by the way—was precisely to emphasize that the warrantless nature of the wiretapping created a legal question under the Foreign Intelligence Surveillance Act. We don’t call TSA screening at airports “warrantless surveillance,” because a warrant isn’t needed for that sort of surveillance. And to use Charlie’s own example, that’s also why we don’t use the phrase “warrantless wiretapping” to refer to collection under Executive Order 12333. To call something “warrantless wiretapping” is to suggest that it’s wiretapping that should be conducted only with a warrant but which is being conducted without one.

I floated this question by my non-lawyer Facebook friends to see if maybe people's sense of the phrase was more neutral than I expected. I wrote: "A question for you all: When you hear the words 'warrantless surveillance' or 'warrantless wiretapping,' do these phrases suggest illegality to you? The first respondent commented: "Yes. Those phrases suggest to me that in general warrants are required and that the practice is illegal. I presume there are broad exceptions." Another commented,

Well, from my intellectually shallow end of the social/culture pool, if we got a cop script in and some flatfoot says, "We got it on tape!" Then the next cop has to say, "Do you have a warrant?"

"No."

"Drat and double drat. It's inadmissible."

The suggestion of illegality is particularly strong when you then quote an expert saying that the intelligence agency’s activity is actually law enforcement, both because law enforcement wiretapping can almost never be warrantless and because the intelligence agencies in question have no law enforcement authorities to begin with. Charlie points out that the analyst he quotes does not allege illegality, and that is true as far as it goes. Here’s the quotation:

The N.S.A.’s activities run “smack into law enforcement land,” said Jonathan Mayer, a cybersecurity scholar at Stanford Law School who has researched privacy issues and who reviewed several of the documents. “That’s a major policy decision about how to structure cybersecurity in the U.S. and not a conversation that has been had in public.”

Charlie then helpfully notes in his own voice: "the N.S.A. is supposed to focus on foreign intelligence, not law enforcement."

When you say that an intelligence agency is conducting “warrantless surveillance of Americans’ international Internet traffic” in a fashion that a quoted expert declares to run “smack into law enforcement land”—and you don’t get to the key qualifier that this is all basic 702 collection until the 14^th paragraph—you shouldn’t be shocked when people think you’re suggesting that there’s a scandalous new surveillance program going on.

Charlie is on stronger ground on his final point. He writes:

Finally, you ho-hum the implications for this expansion on the existing debate over backdoor search rules. Specifically, you state that the privacy implications of using 702 for cyber turns out to involve “nothing more than incidental collection of the type that always takes place when NSA collects against foreigners abroad.” You are wrong.

The type of incidental USP collection the public has debated until now in the context of 702 has consisted almost exclusively of singular communications intercepted when an American talks to or about a targeted foreigner. But hacker victim incidental collection instead routinely involve gigabytes of USP private data looted from an American computer at a shot, copied as it flows back to the hacker’s IP address. It is, moreover, the information of Americans who have no link whatsoever to a foreigner who has been targeted for intelligence collection.

For example, had the NSA or FBI been targeting the Chinese hackers who apparently downloaded from OPM the personnel files of 4 million current and former government employees, that one single hack would have resulted in all those personnel files now also being queryable for unrelated foreign intelligence (NSA) and law enforcement (FBI) investigations for the next five years, under their standard rules for 702 upstream (NSA) and FISA Title I (FBI) minimization—rules that were not written with cyber-oriented surveillance in mind.

I agree that this is an interesting issue, one that makes this area potentially different volume-wise from some other incidental collection. How significant an issue it, however, depends on how routine incidental collection of large caches really is. Charlie's story does not offer much of an answer to that, and in his note to me, he described a hypothetical case, not an actual one.

So yes, if the agencies are routinely scooping up huge databases of stolen American data as an incidental matter, there’s something to talk about there.

It is also true, however, that police and the FBI sometimes come upon large caches of paper or physical materials or hard drives in the incidental course of doing their jobs—perhaps without a warrant but in compliance with the law—and some of those data caches can be pretty big too. We don’t tear up the rulebooks, or the incidentally collected material, just because the volume of information is large and the subjects of the records in question would not themselves be proper surveillance targets. Before we declare that there’s a big public policy problem there, we would want to know how often that is happening, how big the data captures are, and what precautions authorities were taking with them. So too, I would think, one would want to know the same with respect to this sort of material. Nothing I have seen in the underlying documents remotely addresses those key questions.

I sent the text of this post to Charlie and invited him to respond so that we could wrap up the conversation in a single posts. He writes:

Thank you for offering me an opportunity to see your post and append my response to it, to end the conversation together. My critique that your attack on our article was based on a straw man and misrepresentation stands, and I invite any readers who still care, a week later, to look back at what I wrote before. But let me add a few quick observations.

First, you attempt to defend your claim that our article implies, though its 13^th paragraph, that the surveillance is directed at Americans by pointing to what you see as an ambiguity in the headline and first sentence. It is telling that you do not acknowledge the five places I listed prior to the 14^th paragraph, starting with the second sentence, that repeatedly placed this activity in the context of hunting for foreign-based hackers.

Second, I don’t understand your objection to the phrase “Americans’ international Internet traffic.” The NSA's 702 upstream surveillance does not systematically sift through foreign Internet traffic nor domestic Internet traffic. It systematically sifts through cross-border Internet traffic with one terminus abroad and one terminus on American soil. That is, precisely Americans’ international Internet traffic.

Third, you maintain that it was illegitimate and misleading for our article to refer to the 702 program as the NSA’s warrantless surveillance program because, you point out, in FAA 702, Congress said the NSA does not need a warrant to do this. Your critique proves far too much, as pretty much every NYT article calls it the warrantless surveillance/wiretapping program. Indeed, Lawfare posts about the post-PAA/FAA-era program routinely call it “warrantless,” too.

Thanks again for letting me respond.