Feb 03 2015

How the NSA Stole Your Privacy

FISA Court Rubberstamped NSA’s Questionable Legal Theories To Grant It Expanded Surveillance Powers

by Tim Cushing, Tech Dirt

Tue, Feb 3rd 2015

More documents have been yanked out of the NSA’s hands, thanks to a New York Times FOIA lawsuit. The documents are from 2007, and they further detail the agency’s warrantless surveillance program which swept up not only phone numbers but also email addresses and content. The program wasn’t actually legal at the time it rolled out. It took the FISA Amendments Act of 2008 to codify this. In the meantime, the agency used interim legislation (2007’s Protect America Act) and some hubris to enhance its haystacking business.

Rather than use the standard definition of a “facility” — that being a base of operations — the NSA chose to read it as an impossible combination of noun and verb. An email address is a “facility” because it “facilitates communications.” Vinson wasn’t too impressed with this, or the fact that the application didn’t contain much in the way of probable cause. As he noted, the NSA’s intention was to collect both sets of data in bulk, far from the targeted surveillance it attempted to portray in its application.

The May 2007 order (also by Roger Vinson) shows that the NSA found a way to get its aims accomplished, despite Vinson’s reluctance. A “new legal theory” was offered by the agency in an amended application and buttressed by Keith Alexander’s declaration that it was all totally legal.

Unfortunately, the order doesn’t detail the NSA’s legal theory, or at least not in any visible way. Vinson’s musings on the NSA’s Plan B turns out to be a bunch of wasted typing. His declaration that on the “basis of facts submitted by the applicant, there is probable cause to believe that…:” is followed by four completely redacted pages.

Following that, Vinson authorizes the NSA’s “roving, multipoint” surveillance, based on the opinion that Congress would have authorized that (and apparently pretty much anything else it may or may not have conceived of) considering the “Government’s national security interests are so great.” This rationale again. And again, presented by an agency whose livelihood depends on the depiction of security threats as perennially “great” and everlasting. Vinson also agreed to contact-chaining using these numbers and email addresses as selectors.

And so, the domestic surveillance that wasn’t (this order — and past ones — draws a very clear line between foreign targets and known US persons) becomes a handy tool for domestic surveillance. As the court notes earlier in the order, because of where the communications and data are collected, there’s no real way to separate US/non-US data without digging through the collection. When it’s discovered, minimization procedures are to apply — except, apparently, if it can hand the data/communications off to the FBI. (The CIA, on the other hand, gets everything, domestic or foreign, apparently only subject to the NSA’s discretion.)

Again, this entire line of surveillance still hadn’t been determined to be completely legal. It took the FISA Amendments Act to codify this particular program. Despite that, it was approved anyway, thanks to the NSA’s willingness to explore as many legal theories as necessary in order to secure the FISA judge’s approval.

That’s the problem with these two orders. We don’t get to see the NSA’s legal wranglings. Those are redacted. And what is actually revealed doesn’t explain much. The May 2007 order notes that the NSA’s arguments are still on shaky ground and the earlier (and much longer) April order handles the entirety of the agency’s legal discussions on its contact-chaining of unrelated “facilities” in a single paragraph.

Simply mentioning a targeted email in the body of an email message is enough “probable cause” for the FISA court, which goes on to note that it’s perfectly OK (in the search for supporting probable cause) for the agency to read nearly any communication that crosses its desk, provided it’s within a step or two of its selectors.

The NSA didn’t get to where it is today overnight. It took a decade of legal wrangling and the steadfast assertion that the terrorist threat to the US is just as strong as it was September 10, 2001. With the assistance of obliging courts and sympathetic legislators, the NSA has become a data and communications behemoth, sucking in vast quantities of both from all over the world.

1 ping

Comments have been disabled.