
The NSA IG Draft Report: An Analysis, a Question, and a Possible Answer

Benjamin Wittes
Tuesday, July 16, 2013, 10:01 PM

Published by The Lawfare Institute
in Cooperation With
Brookings

One of the most illuminating documents Edward Snowden has disclosed is this draft 2009 report by the NSA inspector general, which the Guardian released late last month. The report, beyond the brief flurry of initial news coverage it generated, has received surprisingly little discussion. Much of the coverage it has gotten, moreover, has focused on what seems---the more I read it---like marginalia, details that are not at the core of the document's importance. For example, the Guardian as an initial matter used the report in support of a story about how, "The Obama administration for more than two years permitted the National Security Agency to continue collecting vast amounts of records detailing the email and internet usage of Americans, according to secret documents obtained by the Guardian."

The importance of this document, to my mind, is that it answers a whole series of questions about the Bush administration's warrantless wiretapping program and its evolution---over time and in interaction with Congress and with the FISA Court---into the modern FISA Amendments Act-based system of collection. It also poses what I think is an important question of its own---one I have been stewing about for the last few days but have been unable to resolve in my own mind conclusively. Much of the material in this document is not entirely new. But the IG report delivers it with a detail and precision that is new---and it's therefore interesting that the document has received as little discussion as it has.

In this post, I want to lay out some---though by no means all---of what makes this document significant, lay out the question that it begs, and offer one possible answer to that question.

As a preliminary matter, I want to emphasize that the following discussion of this document in no way reflects approval on my part at the decision to leak or publish it. Had I been the editor of the Guardian, this document would not have seen the light of day, though it may well have informed some reporting and been characterized in public. As I have said before, Lawfare is not in the business of exposing classified programs, and there's operational detail in this document that, at least in my view, simply should not be public. Unfortunately, however, that ship has sailed, and the question now is whether we are going to interpret material like this in a sensible or unhinged fashion. Here's my best effort at the former.

The first important clarification in the report regards precisely what information the government collected under the program---known in the report as the President's Surveillance Program (PSP)---and pursuant to what standards. It included initially (See pp. 1, 7-8):

1) contents and associated metadata of telephony for which there was "probable cause to believe that one of the communicants was in Afghanistan";

2) contents and associated metadata of telephony for which there was probable cause to believe that one of the communicants was "engaged in or preparing for acts of international terrorism";

3) contents and associated metadata of internet communications for which there was "probable cause to believe that one of the communicants was in Afghanistan";

4) contents and associated metadata of internet communications for which there was probable cause to believe that one of the communicants was "engaged in or preparing for acts of international terrorism";

5) telephony metadata for communications "with at least one communicant outside the United States";

6) telephony metadata for communications "for which no communicant was known to be a citizen of the United States";

7) internet metadata for communications "with at least one communicant outside the United States"; and

8) internet metadata for communications "for which no communicant was known to be a citizen of the United States."

The specific linkage to Afghanistan was dropped after January 2002, when the Taliban government fell (p. 8). And other than a brief period in 2003 during which the program focused on the Iraqi Intelligence Service, as a practical matter, the collection authority subsequently focused on four basic categories of data: (1) telephony content where one side of the communication was linked to terrorism, (2) internet contents where one side of the communication was linked to terrorism, (3) telephony metadata with one end out of the U.S. or with no known citizen involved in the communication, and (4) internet metadata with one end out of the U.S. or with no known citizen involved in the communication.

The report is also significant in identifying the specific purpose of the program, a matter that a lot of discussion of it skates over. On page 4, it identifies the "SIGINT Collection Gaps" the program was intended to fill, sourced to "An NSA Technical Director":
Here is NSA standing at the U.S. border looking outward for foreign threats. There is the FBI looking within the United States for domestic threats. But no one was looking at the foreign threats coming into the United States. That was a huge gap that NSA wanted to cover.
Later, on page 13, the report describes metadata analysis as pivotal in the creation of an early-warning system with respect to incoming terrorist threats. The program:
significantly increased the data available to NSA analysis and allowed them to create more thorough contact chaining. This gave NSA the key to an early warning system---the ability to identify individuals in the United States or individuals outside the U.S. using U.S. telecommunications structures in contact with a foreign target, a terrorist.
Importantly, however, the program did not result in widespread surveillance of the communications contents of U.S.-based targets. The chief impact of the program, rather, seems to have been that it allowed cleaner access to communications transiting U.S. servers, not that it permitted access to communications by U.S. persons (p. 15):
by allowing NSA access to links carrying communications with one end in the United States, NSA significantly increased its access to transiting foreign communications, i.e., with both communicants outside the United States. General Hayden described this as the "the real gold of the Program." And, by allowing the intercept of international communications, NSA was able to identify threats within the United States. From the start of the Program until January 2007, NSA issued 490 reports based on PSP-derived content information. Also . . . approximately 37,664 telephony and Internet selectors were tasked for PSP-authorized content collection during that time period. Only 8 percent were U.S. targets. The vast majority (92 percent) were foreign.
Perhaps most importantly, the draft report makes clear that the dispute that led to the famous hospital room scene in March 2004 was limited to the internet metadata component of the program. On page 37, the report notes that "In March 2004, OLC found three of the four types of collection authorized under the PSP to be legally supportable. However, it determined that, given the method of collection, bulk Internet metadata was prohibited by the terms of FISA and Title III."

This aspect of the report clarifies something important about the scandal that later erupted when the New York Times disclosed the wiretapping program: The internal legal dispute within the executive branch was not about warrantless wiretapping. It was about metadata collection. And it was only about internet metadata collection.

But that, in turn, raises what to my mind is a major question that the report does not seem to answer: Why did OLC conclude that FISA and Title III prohibited the bulk collection of internet metadata but not telephony metadata? The report does not go into the substance of the dispute or why OLC determined that the internet metadata collection was unsupportable legally (or, for that matter, why the other components of the program were legally supportable). This is understandable bureaucratically; OLC, after all, is part of the Justice Department and therefore lies beyond the jurisdiction of the NSA's inspector general. But it does leave a bit of a puzzle. Why does some metadata trigger FISA and other metadata not?

I have a couple of gauzy theories about the answer to this question, but I want to acknowledge at the outset that they may well be wrong. The rest of this post is speculative and could be either incomplete or incorrect. Reader be warned. The first possibility involves the statute's definition of communications "contents," which appears at 50 USC § 1801(n):
“Contents”, when used with respect to a communication, includes any information concerning the identity of the parties to such communication or the existence, substance, purport, or meaning of that communication.
Telephony metadata does not identify the person on the telephone; it shows only that a call was made between a given phone number and another identified number. By contrast, mere to-and-from information between email addresses might well be understood to reveal "the identity of the parties to such communication"---email addresses being generally specific to a given individual. And it likewise could be understood to reveal "the existence" of the communication between the two parties.

This distinction is important because the word "contents" plays a huge role in the statute's definition of "electronic surveillance." The definition of "electronic surveillance" in FISA includes four distinct subsections. Three of them, 50 USC § 1801(f)(1)-(3), each deal only with communications "contents." This pretty clearly excludes telephony metadata. But if one understands "contents" to include internet metadata that reveals information identifying the parties to a communication or the fact of communication between two parties, those three subsections suddenly come into play. Most important, I suspect, is (f)(2), which defines as "electronic surveillance":
the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication to or from a person in the United States, without the consent of any party thereto, if such acquisition occurs in the United States,
I could imagine, depending on one's reading of "contents," applying (f)(2) to internet metadata but not to telephony metadata. Then there's the matter of the fourth component of the definition: 50 USC § 1801(f)(4) does not refer to communications contents at all but, rather, to:
the installation or use of an electronic, mechanical, or other surveillance device in the United States for monitoring to acquire information, other than from a wire or radio communication, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes. (emphasis added)
This provision, originally written to cover bugs, has notably been interpreted also to cover the acquisition of stored email communications. Are there circumstances under which this definition might include internet metadata but exclude telephony metadata? A possible such circumstance may lie in the words "given the method of collection" from the quotation above from page 34: "In March 2004, OLC found three of the four types of collection authorized under the PSP to be legally supportable. However, it determined that, given the method of collection, bulk Internet metadata was prohibited by the terms of FISA and Title III." On the previous page (p. 33), the report had made clear that the telephony metadata had come from the companies: "COMPANIES A and B provided Call Detail Records to NSA. . . . Providers generated Call Detail Records as a normal course of doing business (e.g. billing purposes and traffic engineering)." In other words, the acquisition of telephony metadata did not require, in the language of the statute, "the installation or use of an electronic, mechanical, or other surveillance device in the United States"---and thus may not have triggered the application of f(4). The companies collected this data on their own and simply turned it over. By contrast, on page 34, the report describes acquisition of internet metadata subtly differently:
The last category of private sector assistance was access to Internet Protocol (IP) metadata associated with communication of al Qaeda (and affiliates) from data links owned or operated by COMPANIES A, B, and C. . . . COMPANY A began providing PSP IP metadata collection as early as November 2001. Although COMPANY B began providing CD-ROMs of PSP IP metadata in October 2001, an automated transfer of data was not available until February-March 2002.
The wording here strikes me as potentially important. The companies, with the exception of Company B in the first few months of the program, are not providing the data itself. They are providing "access to" the data; Company A is providing NSA with "metadata collection"---not with metadata. In other words, with respect to internet metadata, the companies are giving the government access to systems in order to collect the data using its own resources.  Perhaps those resources included "the installation or use of an electronic, mechanical, or other surveillance device in the United States," thus triggering f(4)---and FISA's application. This reading is further suggested by the next couple of sentences:
The Presidential authority to collect IP metadata was terminated in March 2004. COMPANY A and COMPANY B IP metadata collection resumed after the FISC Pen Register/Trap & Trace (PR/TT) Order authorizing this activity was signed on 15 July 2004.
The reference to the "pen register and trap and trace" order again suggests the use of some kind of device for the collection of data. And unlike with telephony, internet metadata is not material the companies are routinely capturing on their own for billing purposes. In other words, the explanation may be---and I stress the word "may" here---that the specific mode of collection of internet metadata involved something much more device-like than for telephony metadata, which involved the simple transfer of records that the companies were already keeping. I would be very interested to hear from readers who have a different read on this question.

Benjamin Wittes is editor in chief of Lawfare and a Senior Fellow in Governance Studies at the Brookings Institution. He is the author of several books.
