Is the PRISM Surveillance Program Legal?

The leaked news about the PRISM surveillance program has been the big news story today. The details are murky, but one question that we should be asking is whether the program is legal. From what I’ve seen so far, it sounds like the program is the way the government is implementing the FISA Amendments Act of 2008 and the Protect America Act of 2007, which were enacted in response to the 2005 disclosure of the Bush Administration’s warrantless wiretapping program. Here’s what I wrote about the PAA of 2007 when it was going through Congress:

So what does the legislation do? A. . . The first change is a clarification that FISA warrants are not needed for “surveillance directed at a person reasonably believed to be located outside of the United States.” That is, if the government is monitoring someone outside the United States from a telecom switch in the U.S., it can listen in on the person’s calls and read their e-mails without obtaining a FISA warrant first. The Fourth Amendment may still require reasonableness in this setting when one or more people on the call of e-mail are inside the U.S. or are United States citizens, but there is no statutory warrant requirement.

The second change is a requirement of a formal authorization of a program to do such monitoring. The Director of National Intelligence and the AG have to approve a program (for up to one year) reasonably designed to be limited to the monitoring of persons outside the United States. Those procedures have to be submitted to the FISA court, which then reviews whether the Executive’s conclusion that the procedures are reasonably designed to only pick up the communications of people reasonably believed to be outside the U.S. is “clearly erroneous.” If the conclusion is clearly erroneous, the court sends them back and tells the Executive to try again. The government can also appeal that determination to the FISA Court of Review and if needed the Supreme Court. I’m not exactly sure, but my sense is that this is a one-size-fits-all order; that is, the one authorization covers all the providers.

It sounds like the PRISM program is the way of implementing the statute, now codified at 50 U.S.C. 1881a. Recall this detail from the original Post story:

Analysts who use the system from a Web portal at Fort Meade key in “selectors,” or search terms, that are designed to produce at least 51 percent confidence in a target’s “foreignness.” That is not a very stringent test. Training materials obtained by the Post instruct new analysts to submit accidentally collected U.S. content for a quarterly report, “but it’s nothing to worry about.”

Presumably the bit about “selectors” that are “designed to produce at least 51 percent confidence in a target’s foreignness” are ones that have been approved by the DNI and AG and then approved by the FISA court to implement the authority to target “persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” 50 U.S.C. 1881a(a).

Anyway, maybe this is obvious to everyone, but I thought I would add it just in case it wasn’t.