Intelligence Surveillance & Privacy Terrorism & Extremism

Why the 9th Circuit Was Right in Mohamed Mohamud, and a Startling Thing It May Have Gotten Wrong

April Doss
Friday, December 9, 2016, 2:03 PM

Earlier this week, the 9th Circuit Court of Appeals issued a long-awaited opinion in U.S. v.

Published by The Lawfare Institute
in Cooperation With
Brookings

Earlier this week, the 9th Circuit Court of Appeals issued a long-awaited opinion in U.S. v. Mohamed Mohamud. The opinion has gotten some bounce, with pieces by Orin Kerr in the Post and by Jennifer Daskal and Elizabeth Goitein in Just Security. Thus far, reviews have been largely critical. But the critics are mistaken: the Court got it right.

That said a few lines in the opinion, offer almost as a throw-away, are certainly worth commenting on.

For those not following the case, it details the evolution of an Oregon youth from apparently ordinary teenager to radicalized Islamist, a young man who wrote incendiary articles for Jihad Recollections magazine; who railed against his family’s refusal to allow him to study in Yemen, where he dreamed of training to wage war in Afghanistan; who exchanged views with radical clerics while attending engineering classes at Oregon State University; and who ultimately was arrested by the FBI for attempting to detonate a truck bomb at the annual lighting of the Christmas tree in downtown Portland, Oregon in November, 2010.

At issue was the question of how Mohamud came to the FBI’s attention, and in particular whether the use of emails collected under Section 702 of the FISA Amendments Act violated his Fourth Amendment rights. As the court explains, the government was targeting a non-U.S. person overseas under Section 702, relying on provider-assisted collection of the unnamed target’s emails. There were clearly no Fourth Amendment concerns in the initial collection, as this was classic FAA 702 targeting of a non-U.S. person outside the United States, and there are no allegations of improper targeting, retention, dissemination, or other use of the target’s communications.

The dispute is over the propriety of what occurred post-collection. The 702 target exchanged a limited number of emails with Mohamud. The information contained in those emails evidently crossed a significant threshold, as it resulted in the FISC issuing a warrant for surveillance of Mohamud under a separate provision of FISA–a decision which required a finding of probable cause to believe that he was an agent of a foreign power, most likely under the provisions governing international terrorists.

Undercover FBI agents then made contact with Mohamud and remained in contact with him up until his arrest. (Mohamud’s defense also raised claims of entrapment and violations of his First Amendment rights. Those claims were rejected by both the district court and court of appeals, and I don’t address them here.)

At the heart of the opinion is the question of whether the government can lawfully use information regarding U.S. persons in the U.S. if that information was obtained incidentally as part of otherwise-lawful 702 collection. The court correctly concluded that it is lawful. But understanding why this is the right conclusion requires an explanation of the applicable legal principles that apply and common-sense analogies illustrating why.

On the first point, it is important to remember that Congress was deliberate in its 2008 decision that, when it came to collecting communications for foreign intelligence purposes, the citizenship and location of the intelligence target were more relevant considerations than the location of the particular piece of equipment used to nab electrons as they circumnavigated the globe. This was, after all, the heart of the 2008 FAA reforms: recognizing that the 1970s-era FISA statute was so tied to decades-old technology that it had flipped the law’s intent on its head. Where the law had originally been drafted to allow greater latitude for collection of radio communications (the primary means for international long-distance calls at the time), it tightly circumscribed collection of wire communications (which were nearly always local, land-based telephone calls taking place within the U.S.). In other words, the original FISA was written to give the greatest protections to U.S. people and people in the U.S. Collection of one-end foreign calls was allowed if the call’s target was someone outside the U.S.

The evolution of telecommunications over the decades meant that by the 2000s, the reverse had become true: communications traveling through the air were more likely to be wireless local calls, and an enormous amount of international calls were traveling via fiber optic cable—aka, on a wire. In order to restore the law’s implementation to more closely align with its original purpose, Congress had to flip the paradigm. The law did nothing, after all, to enhance the protection of U.S. persons in the U.S. when it required the government to get individualized warrants based on probable cause for collecting the communications of non-U.S. persons outside the U.S.

The passage of Section 702 was intended to remedy that mismatch in part. It wasn’t a complete overhaul (which FISA could sorely use), but it was a politically viable compromise that undertook the difficult challenge of striking a balance between ratcheting back the overextension of Fourth Amendment-like protections to people in places that didn’t require them, while continuing to place significant and substantive restrictions on the government’s ability to carry out targeting of non-U.S. persons outside the U.S. and imposing comprehensive oversight mechanisms to ensure the authority was used only within specified limits.

The reflects the tension underlying the law (and the subsequent litigation surrounding it): Treating electronic communications as if they are tied to a physical location in the same way as hardcopy letters stored in a file drawer or safe (as the 2007-era FISA did) is not merely an imperfect analogy, it is a distorting one. It’s a false comparison that has the effect of driving courts, the government, and private litigants, down dead-end alleys in search of meaningful and realistic ways to apply rules that don’t serve the purpose for which they were intended.

With that background in mind, I’ll return to the Court’s opinion. The Court explains the standard for targeting under 702, and then assesses Mohamud’s claim. First, it correctly notes that no warrant is required for searches of non-U.S. persons outside the U.S., and that the “incidental overhear” doctrine of U.S. v. Donovan is a relevant rule. Contrary to the implication of Goitein’s article, however, the court does not rely exclusively on Donovan. The Court also relies on the directly relevant precedent of the FISC Court of Review, when it notes that “incidental collections occurring as a result of constitutionally permissible acquisitions do not render those acquisitions unlawful.” The alternative would be intolerable: a lawful act of intelligence collection that doesn’t require a warrant could result in actionable information about live and present threats, and Amici would have that information suppressed—along, presumably, with all of its fruits—simply because the government lacked a priori knowledge of the fact that the lawful collection in that particular instance would include information to, from, or about a U.S. person. (Such a position would make it extremely straightforward for intelligence targets to avoid all collection: simply include a U.S. person in their contacts list, send or receive a few emails, and watch the government’s ability to surveil them magically dry up.)

After explaining why no warrant was necessary, the Court then assumes that Mohamud has a Fourth Amendment right in the incidentally acquired communications, and turns to the heart of the matter: how great was Mohamud’s privacy interest in the contents of the emails that he sent to the foreign target? Recall that the government did not set out to collect Mohamud’s emails.

From here, pick your analogies: The government searched the file drawers of the intelligence target and came across letters from Mohamud. But the file cabinet happened to be located in the U.S. (because the provider-assisted collection is effectuated in the U.S.). That seems to be the analogy that the Court settles on—not with any explicit reference to file drawers, but by direct analogy to letters, relying both on a FISC precedent and on U.S. v. Warshak (“Given the fundamental similarities between email and traditional forms of communication, it would defy common sense to afford emails lesser Fourth Amendment protection.”).

The Court then notes that the expectation of privacy is diminished in transmissions that have already arrived at the recipient. But neither the Court nor the commentators seem fully comfortable with this file-drawer analogy. As the Court states, “It is true that prior case law contemplates a diminished expectation of privacy due to the risk that the recipient will reveal the communications, not that the government will be monitoring the communication unbeknownst to the third party.”

Here, the trouble that the Court and commentators are wrestling with lies in the analogy: From the perspective of computer science, an unencrypted email isn’t really like a letter; it’s much more like a telegram. The email provider has the technical capacity to view the entire text—even before it’s sent, while the email is still in draft. Or during those nanoseconds when it’s in global transit. Or after it’s been read by the recipient. In other words, the email has been entrusted to the provider in the same way that Western Union used to directly convey the words of the sender of a telegram. This is what allows webmail providers to scan all their traffic (to and from their customers, and to and from the many random people that their customers communicate with) in order to serve up ads precisely tailored to customers’ interests. Not only is this commonly done, but users of unencrypted email know, and should know, that this is the case. In other words, every email-related ad displayed in a browser window is some proof that the communication lacks privacy. (An encrypted email is much more like a letter, with the encryption serving as the envelope.)

A strict reading of the third party doctrine would mean that all of this is fair game for providers to turn over, with or without a 702 directive or any kind of warrant. Of course, that raises difficult policy questions and there are good reasons to not take such an aggressive view. But we should be clear about the mechanics of how webmail communication works. We ought to stop saying that emails are like letters in terms of how well they conceal the substance of their text. We should instead make clear that although unencrypted emails can be readily scanned by webmail providers as well as many other third-party hangers-on (such as anyone who hijacks an unsecured wireless connection), we believe that there is special societal importance in preserving the privacy of unencrypted emails, and therefore those emails ought to be treated as if they are like letters, even though there are important respects in which their protections are quite different. Similarly, as the critics of the court’s opinion point out, the analogy to inadvertent overhearance of phone calls is also imperfect. By declaring this forthrightly, we can have a more direct conversation about what the substantive privacy interest should be—a conversation that’s informed by awkward analogies, but that isn’t tortured by making them force-fit.

Finally, a postscript on an important point where the Court may have gotten something startlingly wrong. The court writes that “Amici contend that surveillance of U.S. persons’ communications under Sec. 702 is not ‘incidental’ because the monitoring of communications between foreign targets and U.S. persons was specifically contemplated and to some degree desired.” One has to hope that the Court was merely restating Amici’s assertions, and wasn’t endorsing the proposition that “the monitoring of communications between foreign targets and U.S. persons was … to some degree desired.” It’s an important point, and one on which Amici couldn’t be more wrong.

The action described by Amici would constitute reverse targeting—that is to say, government interception of foreign communications for the purpose of gathering information about U.S. persons who have not been separately and appropriately authorized as targets of intelligence surveillance. (One can imagine scenarios in which a 702 target is in communication with a target under Section 704 or 705(b) of FISA who is a US person; in that case the FISC would have found probable cause to believe that the 704/705(b) target was an agent of a foreign power.)

As the Privacy and Civil Liberties Oversight Board noted in its exhaustive report on Section 702, both the statute and the FISC-approved targeting procedures prohibit the government from reverse targeting U.S. persons in this way. The PCLOB report goes on to explain how instances of reverse targeting are identified by government overseers. In other words, not only do the targeting procedures prohibit the government from acting on a “desire” to use Section 702 to collect communications between U.S. persons and foreign targets, but in practice such a targeting decision would be flagged almost immediately both within the agencies and by their external overseers, and viewed as a reportable compliance incident.

Again, it’s not clear whether the Court is advancing, or merely reciting, the Amici’s proposition regarding an alleged governmental desire to use Section 702 to collect the communications of US persons. But it’s important to restate that nothing in the Act allows that, there’s no evidence that this is a practice, and in fact the opposite is true, as documented by PCLOB’s discussion of reverse targeting throughout its report.


April Doss chairs the Cybersecurity and Privacy practice at Saul Ewing, and is the former Associate General Counsel for Intelligence Law at NSA. [The views expressed here are the author’s and not those of the NSA.]

Subscribe to Lawfare