Why These Leaks Hurt

[Editor's Note: Carrie Cordero is a frequent Lawfare guest poster, a former Justice Department official, and currently Director of National Security Studies at Georgetown University Law Center]  As someone who previously practiced before the FISA Court, my first reaction to seeing what appeared to be a leaked Top Secret FISA Court order containing the name of a telecommunications company on the Guardian website yesterday, was that I felt….sick. And I suspect that my reaction was shared by others who still work, day after day, behind the scenes on intelligence operations. But the sick feeling turned to disgust by the evening news, which reported what appeared to be a leaked Top Secret NSA PowerPoint presentation listing nine more companies alleged to cooperate with the Intelligence Community in a separate intelligence collection program. Without discussing the order or collection programs themselves—which were, and remain—classified, I would like to comment briefly on why these leaks could be potentially very damaging to the Intelligence Community’s ability to protect the country from terrorist and other national security threats. For the record, the official measure of how damaging a release of classified information is depends on the level of classification. So, for example, the unauthorized disclosure of just one Top Secret document is asserted by the government to cause “exceptionally grave damage to the national security.” (See, e.g., E.O. 13526)  But these types of blanket assertions can be unsatisfying. Why, I was asked yesterday, does this type of information really need to be kept secret? To put it plainly: the biggest, and perhaps obvious, reason is that the more information that is public about how we collect intelligence, the more the adversary will understand the United States’ capabilities, and therefore be able to thwart them.  If the adversary knows that we collect X type of data, and that we collect it when it travels through X service provider, and that we collect it in Y or Z format, and that we collect certain information pursuant to a Court order which requires a certain legal standard, then the adversary has the information, and therefore power, to adapt their own techniques and tradecraft to beat us. And when what they are beating us at is launching a terrorist attack, for example, then why in the world would we want to give them that advantage? More specifically, from a signals intelligence perspective, what bigger advantage is there than details of how the Intelligence Community collects communications for foreign intelligence purposes? This is why information about private sector partners is exceptionally sensitive information, and its disclosure can have extraordinarily harmful consequences. From the government’s perspective, private sector relationships are critical in conducting intelligence operations, both FISA-related and, other. In many circumstances, but for the cooperation of a communications provider, certain FISA collection activities could not take place. As a result, the government would be at a disadvantage in collecting intelligence regarding a particular threat to national security. Once a company is exposed publicly, a target may not use that particular service anymore. Sometimes, additional investigation may reveal the target’s other modes of communication. But in other circumstances, intelligence information about that target may be lost forever. From a company’s perspective, protection from legal liability is paramount. Accordingly, when a company complies with a valid FISA Court order, the company is protected. (See, e.g., 50 U.S.C. § 1861(e) (liability protection for the production of tangible things)   But there are additional financial risks to companies. Companies have investors, customers, perhaps international partners. These stakeholders may not like that the company is cooperating in U.S. government intelligence activities, even if they are lawful and pursuant to a court order. Technology or social media companies in particular, which have thrived by providing platforms for people to communicate and share ideas in new ways, may be particularly susceptible to angry stakeholder reactions. In the case of a company with international subsidiaries, or, international parent companies, the cooperation with the U.S. government could be at odds with the interests of other parts of the company.  The results of any of these scenarios may be that the next time the government arrives with a court order, the company may be more likely to explore ways to challenge it. Or, may not comply and face enforcement consequences. Or, may choose not to cooperate in intelligence activities that require voluntary, not compelled cooperation. These are some potential reactions by private sector entities whose existence and success depends not on the government, but on its investors, customers, owners and users. In light of these harms, I found the Administration’s response yesterday…lacking. It was unclear whether the Administration was caught off guard by the releases, but it appeared so. As Ritika noted late in the day, the President spoke through a Deputy Principal Press Secretary. The Director of National Intelligence issued two written statements: one, a short statement regarding collection under the FISA Amendments Act of 2008; and a two, a more forceful and informative response to the leaks that contained declassified information. Today, the President addressed concerns over the collection activities in careful and measured remarks. But given the gravity of these unauthorized releases, and the potential harms to national security, one wonders whether senior Administration officials will issue a stronger rebuke about the leaks themselves, in the coming days.  Perhaps not, as there is likely an open, and aggressive, investigation underway.