In February, the Director of National Intelligence issued a report summarizing the changes that President Obama has implemented since pledging major surveillance reforms in January 2014. The report chronicles a dizzying number of developments and contains links to several hundred pages of supporting documentation. But does this impressive accumulation of activity translate to meaningful reform?
The report makes clear that the big picture has not changed. One year after President Obama promised to end the bulk collection of Americans’ phone records, the administration continues to apply for a FISA court order every three months directing American phone companies to turn all of their phone records over to the NSA. It also continues to exploit a surveillance program nominally targeted at foreigners to listen to Americans’ phone calls and read their e-mails without a warrant. Overseas, the administration collects communications that involve Americans on a truly massive scale with no judicial oversight or legislative restrictions. These activities constitute an existential threat to civil liberties that cannot be addressed by procedural tweaks.
It is tempting to cheer the administration’s changes simply because they happened – and because they improve the status quo, however incrementally. Context matters here: in the short period of time since 9/11, technological changes have exponentially increased the amount of personal information the government can collect, while the longstanding laws that would restrict such collection have been systematically gutted or tossed aside. Given this dizzying trajectory, any tap on the brakes is in some sense a major accomplishment.
But the surveillance explosion also means that small changes are not enough. Ultimately, we must measure the administration’s efforts against where we need to be, not where we have been going. By that measure, the administration’s reforms fall distressingly far from the mark.
• • •
For nearly fifteen years, the NSA has collected Americans’ telephone records in bulk. Originally, the Bush administration collected the records secretly and without seeking any court approval. Starting in 2006, the administration persuaded the FISA Court to endorse the program under a provision of the Patriot Act—Section 215—that allows the Justice Department to obtain a court order requiring companies to turn over business records that are “relevant” to an investigation. The FISA Court prohibited officials from searching the collected records without reasonable suspicion of a terrorist link. However, the Court allowed officials to make this determination, and to extend the search out three hops from the suspect—i.e., officials could search the suspects’ records, the records of those in contact with the suspects, and the records of those in contact with the suspect’s contacts. The legal justification for these activities was flimsy and the program remained secret until Snowden revealed it in 2013.
Since then, two independent review panels have concluded that bulk collection adds little or no counterterrorism value. The administration nevertheless refuses to simply end it, preferring for Congress to create a substitute program that is less intrusive while still permitting broader collection than a sensible reading of Section 215 would allow. In the meantime, the NSA continues to collect phone records in bulk. The most significant reform to the program in the past year is that the administration asked the FISA Court to pre-approve searches of the data and to limit the searches to two hops.
As the program stands, the potential for abuse remains enormous. Initial government claims that phone metadata is no more revealing than numbers in a phone book were swiftly debunked. Sophisticated computer programs can parse this data to create intimate, detailed portraits of a person’s private life, including political and religious beliefs, associations, hobbies, and more. Because the NSA collects and holds this data, any limitations on how the data are searched or used necessarily rely on self-policing. A series of FISA Court opinions shows that the NSA inadvertently but routinely violated court orders, and this shocking level of non-compliance went undetected and unreported for years. Imagine, then, how long it would take to uncover violations the NSA was actively trying to hide.
• • •
The DNI’s recent report also addresses the NSA’s collection of communications content. Beginning in 1978, if the government, acting inside the United States, wanted to eavesdrop on phone calls between foreign targets and Americans, it had to obtain an order from the FISA Court based on probable cause that the target was a foreign power (which includes terrorist groups) or its agent. Then the Bush administration’s warrantless wiretapping program was exposed, and rather than shutting down the program, Congress amended the law to legalize it.
Under the FISA Amendments Act of 2008 (FAA), the government needs no individualized court order to collect the communications of foreigners overseas, even if there is an American on the other end. The government must certify, however, that its interest lies in the foreigner, not in any American whose communications are “incidentally” swept up. It also must adopt procedures to “minimize” the retention and use of Americans’ information—basically, masking or deleting Americans’ digital data upon recognition.
Both the executive branch and the FISA Court originally interpreted the “minimization” requirement as prohibiting government officials from sifting through the collected communications for Americans’ information (so-called “U.S. person searches”). In 2011, however, the FISA Court allowed the government to drop this prohibition. In 2013, the NSA and CIA conducted nearly 2,000 U.S. person searches. The FBI makes no effort to count these searches, but the Privacy and Civil Liberties Oversight Board, an independent panel charged by Congress with overseeing counterterrorism policies, reported that the FBI searches FAA data every time it opens an investigation or “assessment”—a type of investigation that occurs when the FBI lacks any factual basis to suspect criminal activity.
These “backdoor” searches—as Senator Ron Wyden labeled them—constitute a bald-faced end run around the Fourth Amendment. The law is clear: if government officials want access to Americans’ communications, they must obtain a warrant, or, if they are seeking foreign intelligence, an individualized order from the FISA Court. The legality of proceeding without such judicial authorization rests entirely on the government’s promise to target only foreigners overseas, and to redact or discard Americans’ information. Instead, the FBI routinely listens to Americans’ calls and reads their e-mails without even a factual basis to suspect wrongdoing, let alone probable cause of criminal activity.
The DNI’s report unveils two new reforms related to U.S. person searches. First, the NSA and CIA, when conducting U.S. person searches, will now be required to provide written statements showing that the search is reasonably likely to return “foreign intelligence information,” a term that is broadly defined under the law. Of course, internally documenting that a search is likely to yield information about foreign matters is a far cry from proving to a court that there is probable cause of a crime. More to the point, the new changes do not require the FBI to do either: the most prolific user of backdoor searches is exempt from this new limitation.
Second, going forward, information acquired under the FAA may be used as evidence against an American in a criminal case only if the case has national security implications or involves a serious crime. This reform could indeed reduce the damage that flows from using warrantless surveillance to prosecute Americans. But the fact remains: the Fourth Amendment contains no exception for Americans suspected of “serious crimes.” If anything, the prospect of lengthy sentences or even capital punishment raises the constitutional stakes.
• • •
The largest, least regulated, and least transparent set of surveillance activities operates under Executive Order 12333, which governs surveillance of foreign targets that takes place overseas. In theory, searches of foreigners conducted overseas do not implicate the Fourth Amendment. Accordingly, no courts oversee these activities, Congress has not constrained them, and—until Snowden—the executive branch saw little reason to make any information about them public.
In light of today’s communications technologies, the notion that overseas surveillance of foreigners’ communications does not implicate Americans’ privacy rights is pure fiction. Americans’ communications travel through fiber-optic cables overseas and reside on servers in other countries. By its own admission, the NSA could not filter out all of this traffic if it wanted to. Americans also routinely communicate with foreigners, and these communications are captured in massive numbers. Under one program code-named “MYSTIC,” the U.S. has engaged in the bulk collection of every phone call transiting in or out of particular countries—including every phone call to or from the United States.
In any event, the right to privacy is not limited to Americans. Under treaties signed by the United States, privacy is recognized as a fundamental human right. The United States has largely disregarded this legal constraint, but before the digital age, limits on data storage and analytical capacity served as a practical constraint, forcing the government to narrow its focus. Today, as programs like MYSTIC illustrate, there is little to stop the United States from sweeping up the data of ordinary private citizens across the globe and subjecting that data to computer analysis.
In January 2014, President Obama issued an order (Presidential Policy Directive 28, or “PPD-28”) requiring agencies to adopt new limits on electronic surveillance of foreign targets overseas. Most notably, agencies may retain or disseminate information about foreigners only if Executive Order 12333 would permit the retention or dissemination of “comparable information” about Americans.
There is tremendous symbolic importance in articulating the principle that foreigners have privacy rights and in requiring their data to be treated similarly to Americans’ data. Unfortunately, the retention and dissemination limitations that now apply to both Americans and foreigners offer little protection in practice.
In general, information about Americans may be retained for five years, and may not be disseminated, unless it constitutes “foreign intelligence information” or falls under a long list of other exceptions. The definition of “foreign intelligence information” in Executive Order 12333, however, encompasses almost any information about any foreign person, rendering the retention and dissemination limitations meaningless when applied to foreigners. Recognizing this issue, the DNI in July 2014 pledged that information would not be kept or shared “solely because of [a] person’s non-U.S. person status.” But the standards that will be used instead are classified. Moreover, any limits on retention may be waived if the DNI determines that “continued retention is in the national security interests of the United States.” It is easy to see how this exception might swallow the rule—indeed, it is difficult to see how it would not.
PPD-28 contains another notable limitation: when the government collects data in bulk, it may only use this data for six enumerated purposes. Whether these restrictions will have a significant effect on operations depends on how they are interpreted and applied, and history strongly suggests this will happen in secret. One of the permissible uses, for instance, is “detecting and countering . . . threats to the United States and its interests” from foreign powers or from terrorism. What will be the bar for considering something or someone a “threat to U.S. interests”—and how will we know?
• • •
Assessing the privacy impact of surveillance activities depends on knowing what those activities are. In the so-called “information age,” intelligence agencies, backed by presidents and even congressional overseers, have been remarkably successful at keeping this information out of the public’s hands. Despite President Obama’s pledge to preside over the most transparent administration in history, his administration was, for several years, nearly as secretive as the previous one when it came to national security policy.
Snowden’s disclosures forced a change in this approach. To manage public opinion on particular programs and to win back the public’s trust and approval, the administration had to make disclosures of its own. The DNI thus created the website, “IC on the Record,” on which information about intelligence activities ranging from the DNI’s public speeches to declassified decisions of the FISA court are regularly posted. Although some disclosures were compelled by Freedom of Information Act litigation, the declassification and public posting of more than 4,500 pages over an 18-month time span is unprecedented.
Unfortunately, the disclosed documents are the tip of a massive iceberg of secret information. The unnecessary classification of information, or “overclassification,” is a universally recognized problem. There were 80 million decisions to classify information in 2013, and former national security officials have estimated that between 50 and 90 percent of classified information could safely be released. There is simply no way to assess how much of the relevant information the DNI has chosen to disclose, and how much remains locked away on a classified network.
What is certain is that the administration’s commitment to openness breaks down when transparency threatens to yield legal accountability. Despite having posted documents about the NSA’s so-called “upstream collection” program on the DNI’s website, the administration recently convinced a court to dismiss a legal challenge to this same program on the ground that the lawsuit would reveal “state secrets.” In another case alleging unlawful surveillance, the Justice Department accidentally sent the plaintiffs a classified document showing that the government had captured their data; demanded and obtained the document’s return; and then argued in court that the plaintiffs had no right to sue because they could not prove they had been surveilled. The administration has invoked such claims of secrecy in every civil lawsuit challenging unlawful surveillance.
Given the intense secrecy that permeates intelligence agencies, one of the only ways in which private citizens learn about surveillance activities that affect their rights is through whistleblowers like Edward Snowden. The DNI report notes that both the administration and Congress have extended protections to intelligence employees who disclose fraud, waste, or abuse through approved channels within government. These protections are helpful if an employee wishes to call attention to the rogue misdeeds of a supervisor. They are useless, however, if the activities the whistleblower seeks to disclose constitute the agency’s official policy and were most likely approved by the very people authorized to hear the whistleblower’s complaint.
When whistleblowers have found it necessary to go to the media, the Obama administration has come down on them with unprecedented ferocity. Under Attorney General Eric Holder, the Justice Department has used the Espionage Act – a criminal statute meant for spies and traitors—three times as often as all previous administrations combined to prosecute disclosures of information to the media. Many of these cases involved the disclosure of government wrongdoing; all involved information of significant public interest. In no case did the defendant display any intent to harm national security, nor was any harm to national security alleged. Indeed, the Justice Department was forced to argue that neither the intent nor the effect of the disclosures had any relevance. Regardless of whether this is a sound reading of the law, it begs the question: why is this administration so intent on jailing well-intentioned individuals whose disclosures caused no provable harm, but only embarrassment to government officials?
• • •
Ultimately, the most important piece of information to keep in mind when reading the DNI’s report is its author. No one who holds the office of DNI, and no one who heads any of the 17 intelligence agencies the DNI oversees, considers openness and the preservation of privacy to be among the agencies’ core missions. (Indeed, the current director defended giving false testimony before the Senate intelligence committee on the ground that it was “the least untruthful” answer he could give.) Their job is to gather intelligence, an undertaking that is by nature secretive and invasive of privacy. This goal shapes the ethos that pervades the intelligence establishment.
The job of tempering the intelligence establishment’s “collect it all” instinct falls to other governmental entities: the Privacy and Civil Liberties Oversight Board, the agencies’ Inspectors General, the congressional intelligence committees. All of these entities are handicapped by the fact that they rely on the intelligence agencies to keep them informed, and they don’t know what they don’t know. Moreover, they are simply outgunned. The intelligence establishment includes seventeen agencies, some of which employ tens of thousands of people, and a declared budget of 70 billion dollars. The Privacy and Civil Liberties Oversight Board—the only independent government body whose sole mission is to ensure that counterterrorism policies respect privacy and civil liberties – has five members, thirteen staffers, and a budget of under $8 million.
The DNI and the agencies he oversees are thus left to focus on their mission, and they, of course, see no problem with this. The “nothing to see here” tone of the DNI’s report is not an act; he is not concerned about our civil liberties. That is why we should be.