Intelligence Under Law — Judiciary Testimony

I’ll be testifying tomorrow to the full House Judiciary Committee about FISA, NSA, and the Snowden flap. (Excerpts below. My prepared testimony is here: Download Pdf of Baker testimony to House Judiciary Committee on FISA .)

I used this opportunity to muse on the resemblance between today and the waning Clinton era:

To be blunt, one of the reasons I’m here is that I fear we may repeat some of the mistakes we made as a country in the years before September 11, 2001.  In those years, a Democratic President serving his second term seemed to inspire deepening suspicion of government and a rebirth of enthusiasm for civil liberties not just on the left but also on the right.  The Cato Institute criticized the Clinton Administration’s support of warrantless national security searches and expanded government wiretap authority as “dereliction of duty,” saying,“[i]f constitutional report cards were handed out to presidents, Bill Clinton would certainly receive an F–an appalling grade for any president–let alone a former professor of constitutional law.” The criticism rubbed off on the FISA court, whose chief judge felt obliged to give public interviews and speeches defending against the claim that the court was rubber-stamping the Clinton administration’s intercept requests.

This is where I should insert a joke about the movie “Groundhog Day.” But I don’t feel like joking, because I know how this movie ends.  Faced with civil liberties criticism all across the ideological spectrum, the FISA court imposed aggressive new civil liberties restrictions on government’s use of FISA information.  As part of its “minimization procedures” for FISA taps, the court required a “wall” between law enforcement and intelligence. And by early 2001, it was enforcing that wall with unprecedented fervor.  That was when the court’s chief judge harshly disciplined an FBI supervisor for not strictly observing the wall and demanded an investigation that seemed to put the well-regarded agent at risk of a perjury prosecution.  A chorus of civil liberties critics and a determined FISA court was sending the FBI a single clear message:  the wall must be observed at all costs.

And so, when a law enforcement task force of the FBI found out in August of 2001 that al Qaeda had sent two dangerous operatives to the United States, it did … nothing.  It was told to stand down; it could not go looking for the two al Qaeda operatives because it was on the wrong side of the wall.  I believe that FBI task force would have found the hijackers – who weren’t hiding – and that the attacks could have been stopped if not for a combination of bad judgment by the FISA court (whose minimization rules were later thrown out on appeal) and a climate in which national security concerns were discounted by civil liberties advocates on both sides of the aisle.

I realize that this story is not widely told, perhaps because it’s not an especially welcome story, not in the mainstream media and not on the Internet. But it is true; the parts of my book that describe it are well-grounded in recently declassified government reports.

More importantly, I lived it.  And I never want to live through that particular Groundhog Day again.  That’s why I’m here.

I then turn to the (surprisingly short) history of intelligence as a sphere for detailed law-making:

The problem we are discussing today has roots in a uniquely American and fairly recent experiment – writing detailed legal rules to govern the conduct of foreign intelligence.  This is new, even for a country that puts great faith in law.

The Americans who fought World War II had a different view; they thought that intelligence couldn’t be conducted under any but the most general legal constraints.  This may have been a reaction to a failure of law in the run-up to World War II, when U.S. codebreakers were forbidden to intercept Japan’s coded radio communications because section 605 of the Federal Communications Act made such intercepts illegal.   Finally, in 1939, Gen. George C. Marshall told Navy intelligence officers to ignore the law.[4]  The military successes that followed made the officers look like heroes, not felons.

That view held for nearly forty years, but it broke down in the wake of Watergate, when Congress took a close look at the intelligence community, found abuses, and in 1978 adopted the first detailed legal regulation of intelligence gathering in history – the Foreign Intelligence Surveillance Act. No other nation has ever tried to regulate intelligence so publicly and so precisely in law.

Forty years later, though, we’re still finding problems with this experiment.  One of them is that law changes slowly while technology changes quickly.  That usually means Congress has to change the law frequently to keep up. But in the context of intelligence, it’s often hard to explain why the law needs to be changed, let alone to write meaningful limits on collection without telling our intelligence targets a lot about our collection techniques.  A freewheeling and prolonged debate – and does Congress have any other kind? – will give them enough time and knowledge to move their communications away from technologies we’ve mastered and into technologies that thwart us. The result won’t be intelligence under law; it will be law without intelligence.

Much of what we’ve read in the newspapers lately about the NSA and FISA is the product of this tension.  Our intelligence capabilities – and our intelligence gaps – are mostly new since 1978, forcing the government, including Congress, to find ways to update the law without revealing how we gather intelligence.

Turning to the programs Edward Snowden made famous, here’s the nut of my argument on section 215:

Still, the government is “seizing” millions of records without a warrant or probable cause, even if it’s not searching them.  “How can that be constitutional?” you might ask.

Very easily, as it happens.  The Supreme Court has held that such records are not protected by the Fourth Amendment, since they’ve already been given to a third party.

And even if the Fourth Amendment applied, at bottom it requires only that seizures be reasonable.  The Court has recognized more than half a dozen instances where searches and seizures are reasonable even in the absence of probable cause and a warrant.  They range from drug screening to border searches.  There can hardly be doubt that the need to protect national security fits within this doctrine as well, particularly when waiting to conduct a traditional search won’t work.  Call data doesn’t last.  If the government doesn’t preserve the data now, the government may not be able to search it later, when the need arises.

In short, there’s less difference between this “collection first” program and the usual law enforcement data search than first meets the eye. In the standard law enforcement search, the government establishes the relevance of its inquiry and is then allowed to collect and search the data. In the new collection-first model, the government collects the data and then must establish the relevance of each inquiry before it’s allowed to conduct a search.

I know it’s fashionable to say, “But what if I don’t trust the government to follow the rules? Isn’t it dangerous to let it collect all that data?”  The answer is that the risk of rule-breaking is pretty much the same whether the collection comes first or second.  Either way, you have to count on the government to tell the truth to the court, and you have to count on the court to apply the rules.  If you don’t trust them to do that, then neither model offers much protection against abuses.

But if in fact abuses were common, we’d know it by now. Today, law enforcement agencies collect several hundred thousand telephone billing records a year using nothing but a subpoena. That means you’re roughly a thousand times more likely to have your telephone calling patterns reviewed by a law enforcement agency than by NSA. (And the chance that law enforcement will look at your records is itself low, around 0.25% in the case of one carrier).  So it appears that law enforcement has been gaining access to our call metadata for as long as billing records have existed – nearly a century.  If this were the road to Orwell’s 1984, surely we’d be there by now, and without any help from NSA’s 300 searches.

On section 702, I think that there’s less to the story than meets the eye:

[T]he parts of the PRISM story that were true aren’t actually new and the parts that were new aren’t actually true. Let’s start with what’s true. Despite the noise around PRISM, the slides tell us very little that the law itself doesn’t tell us.  Section 702 says that the government may target non-U.S. persons “reasonably believed to be located outside the United States to acquire foreign intelligence information.” It covers activities with a connection to the United States and is therefore subject to greater oversight than foreign intelligence gathered outside the United States. Although the Attorney General and the Director of National Intelligence can authorize collection annually, the collection and use of the data is covered by strict targeting and minimization procedures that are subject to judicial review and aimed at protecting U.S. persons as well as other persons located inside the United States.

That’s what the law itself says, and the Snowden slides simply add voyeuristic details about the collection.  Everyone already knew that the government had the power to do this because, unlike many countries, we codify these things in law. It should come as no surprise then that the government has been using its power to protect all of us.

There was one surprise in those stories though.  That’s the part that was new but not true. When the story originally broke, reporters at the Guardian and the Washington Postmade it look as if the NSA had direct, unfettered access to private service providers’ networks and that they were downloading materials at will. To be fair, the slides were confusing on this point, talking about getting data “directly from the servers” of private companies.  But that phrase is at best ambiguous; it could easily mean that NSA serves a lawful order on the companies and the companies search for and provide the data from their servers. In fact, everyone with knowledge, from the DNI to the companies in question, has confirmed that interpretation while denying that NSA has unfettered access to directly search the private servers.  In short, it now looks as though the Washington Post and the Guardian hyped this aspect of their story to spur a public debate about NSA surveillance….

In short, in both section 215 and section 702, the government has found a reasonable way to square intelligence-gathering necessities with changing technology. Now that they’ve been exposed to the light of day, these programs are not at all hard to justify.  But we cannot go on exposing every collection technique to the light of day just to satisfy everyone that the programs are appropriate. The exposure itself will diminish their effectiveness.  Even a fair debate in the open will cause great harm.

And this was never meant to be a fair debate.  Snowden and his allies in the press had copies of the minimization and targeting guidelines; they surely knew that the guidelines made the programs look far more responsible.  So they suppressed them, waiting a full two weeks – while the controversy grew and took the shape they preferred – before releasing the documents.  Since no self-respecting reporter withholds relevant information from the public, it’s only fair to conclude that this was an act of advocacy, not journalism.  Perhaps the reporters lost their bearings; perhaps the timing was controlled by advocates. Either way, the public was manipulated, not informed.

I cast doubt on the wisdom of trying to regulate intelligence use of big data tools:

We can pass laws turning the federal government into an Amish village, but big data is here to stay, and it will be used by everyone else. Every year, data gets cheaper to collect and cheaper to analyze.  You can be sure that corporate America is taking advantage of this remorseless trend. The same is true of the cyberspies in China’s Peoples’ Liberation Army.

Wrapping up, I lay out one of the newer problems caused by even the limited transparency we’ve created in this field and remark on the Europeans’ shocked, shocked discovery that there’s gambling in the house:

There’s a second reason why the American experiment in creating a detailed set of legal restraints on intelligence gathering is facing unexpected difficulties.  The purpose of those restraints is to protect Americans from the intelligence collection techniques we use on foreign governments and nationals.  At every turn, the laws and regulations reassure Americans that they will not be targeted by their own intelligence services.  This makes plenty of sense from a policy and civil liberties point of view.  Intelligence gathering isn’t pretty, and it isn’t patty cake.  On occasion, the survival of the country may depend on good intelligence.  Wars are won and lives are lost when intelligence succeeds or fails.  Nations do whatever they can to collect information that might affect their future so dramatically.  After a long era of national naïveté, when we thought that gentlemen didn’t read other gentlemen’s mail and when intercepting even diplomatic radio signals was illegal, the United States found itself thrust by World War II and the Cold War into the intelligence business, and now we play by the same rules as the rest of the world.

The purpose of much intelligence law and regulation is to make sure we do not apply those rules to our own citizens. On the whole, I’m confident that we have gone about as far in pursuit of that goal as we can without seriously compromising our ability to conduct foreign intelligence.  And we’ve spelled those assurances out in unprecedented detail.  All of that should – and largely has – left the majority of Americans satisfied that intelligence under law is working reasonably well.

The problem is that Americans aren’t the only people who read our laws or follow our debates.  So does the rest of the world.  And it doesn’t take much comfort from legal assurances that the privacy interests of Americans are well protected from our intelligence agencies’ reach.  So, while the debate over U.S. intelligence gathering is already beginning to recede in this country, the storm is still gathering abroad….

Some of this is just hypocrisy.  Shortly after President Hollande demanded that the U.S. “immediately stop” its intercepts and the French Interior Minister used his position as guest of honor at a July 4th celebration to chide the United States for its intercepts, Le Monde disclosed what both French officials well knew – that France has its own program for large-scale interception of international telecommunications traffic….

Practically every comparative study of law enforcement and security practice shows that the United States imposes more restriction on its agencies and protects its citizens’ privacy rights from government surveillance more carefully than Europe.

I’ve included a study done by the Max Planck Institute, estimating the number of surveillance orders per 100,000 people in several countries.  While the statistics in each are not exactly comparable, the chart published in that study shows an unmistakable overall trend.  The number of U.S. orders is practically invisible next to most European nations; indeed, an Italian or Dutch citizen is more than a hundred times more likely to be wiretapped by his government than an American….

One recent study showed that, out of a dozen advanced democracies, only two – the United States and Japan – impose serious limits on what electronic data private companies can give to the government without legal process.  In most other countries, and particularly in Europe,little or no process is required before a provider hands over information about subscribers. At most, European providers must have a good reason for sharing personal data, but assisting law enforcement investigations is highly likely to satisfy this requirement.  In the United States, such sharing is prohibited in the absence of legal process.

Despite the evidence, however, it is an article of faith in Europe that the United States lags Europe in respect for citizens’ rights when collecting data for security and law enforcement purposes.  Again, this is the unfortunate result of our commitment to regulating our intelligence services in a more open fashion than other countries.

The U. S. government has learned to live with Europe’s misplaced zeal for moral tutelage where data collection is concerned. Our government can ride out this storm as it has ridden out others. But the antagonism spawned by Snowden’s disclosures could have more serious consequences for our information technology companies.

Many countries around the world have launched investigations designed to punish American companies for complying with American law. Some of the politicians and data protection agencies pressing for sanctions are simply ignorant of their own nation’s aggressive use of surveillance, others are jumping at any opportunity to harm U.S. security interests.  But the fact remains that the price of obeying U.S. law could be very high for our information technology sector.

Foreign officials are seizing on the disclosures to fuel a new kind of information protectionism. During a French parliament hearing,  France’s Minister for the Digital Economy declared that, if the report about PRISM “turns out to be true, it makes [it] relatively relevant to locate datacenters and servers in [French] national territory in order to better ensure data security.” Germany’s Interior Minister was even more explicit, saying, “Whoever fears their communication is being intercepted in any way should use services that don’t go through American servers.”  And Neelie Kroes, Vice President of the European Commission, said, “If European cloud customers cannot trust the United States government or their assurances, then maybe they won’t trust US cloud providers either. That is my guess. And if I am right then there are multi-billion euro consequences for American companies.”

Hurting U.S. information technology firms this way is a kind of three-fer for European officials.  It boosts the local IT industry, it assures more data for Europe’s own surveillance systems, and it hurts U.S. intelligence.

The European Parliament has been particularly aggressive in condemning the program as a violation of European human rights.  Its resolution pulls out all the stops, threatening sanctions if the United States does not modify its intelligence programs to provide privacy protections for European nationals.  The resolution raises the prospect of suspending two anti-terror agreements with the United States on passenger and financial data, it “demands” U.S. security clearances for European officials so they can review all the documents about PRISM, and it threatens US-EU trade talks as well as the Safe Harbor that allows companies to move data freely across the Atlantic.

This may be the most egregious double standard to come out of Europe yet.  Unlike our section 215 program, the EU doesn’t have a big metadata database.  But that’s because Europe doesn’t need one.  Instead, the European Parliament passed a measure forcing all of its information technology providers to create their own metadata databases so that law enforcement and security agencies could conveniently search up to two years’ worth of logs. These databases are full of data about American citizens, and under EU law any database held anywhere in Europe is open to search (and quite likely to “voluntary” disclosure) at the request of any government agency anywhere between Bulgaria and Portugal.

I have seen this movie before, too.  During my tenure at Homeland Security, European officials tried to keep the United States from easily accessing travel reservation data to screen for terrorists hoping to blow up planes bound for the United States. In order to bring the United States to the table, European officials threatened to impose sanctions not on the government but on air carriers who cooperated with the data program.

Similarly, to limit U.S. access to terror finance information, European data protection authorities threatened the interbank transfer company, SWIFT, with criminal prosecution and fines for giving the U.S. access to transfer data. In the end, the threat of sanctions forced SWIFT to keep a large volume of its data in Europe and to deny U.S. authorities access to it.

Now, whenever Europe has a beef with U.S. use of data in counterterrorism programs, it threatens not the U.S. government but U.S. companies. The European Parliament is simply returning to that same playbook. There is every reason to believe that European governments, and probably some imitators in Latin America and elsewhere, will hold U.S. information technology companies hostage in order to show their unhappiness at the PRISM disclosures.

Finally, I suggest some solutions to the hostage problem:

We need to recognize that our government put them in this position.  Not just the executive branch that served those orders, but Congress too, which has debated and written intelligence laws as though the rest of the world wasn’t listening.

The U.S. government, all of it, has left U.S. companies seriously at risk for doing nothing more than their duty under U.S. law. And the U.S. government, all of it, has a responsibility to protect U.S. companies from the resulting foreign government attacks.

The executive branch has a responsibility to interpose itself between the companies and foreign governments.  The flap over Snowden’s disclosures is a dispute between governments, and it must be kept in those channels. Diplomatic, intelligence, and law enforcement partners in every other country should hear the same message:  “If you want to talk about U.S. intelligence programs, you can talk to us – but not to U.S. companies and individuals; they are prohibited by law from discussing those programs.”

Congress too needs to speak up on this question.  European politicians feel free to demand security clearances and a vote on U.S. data programs in part because they think Congress and the American public share their views. It’s time to make clear to other countries that we do not welcome foreign regulation of U.S. security arrangements.

There are many ways to convey that message.  Congress could – should – adopt its own resolution rejecting the European Parliament’s.

Congress could prohibit U.S. agencies from providing intelligence and law enforcement assistance or information to nations that have harassed or threatened U.S. companies for assisting their government – unless the agency head decides that providing a particular piece of information will also protect U.S. security.

It could require similar review procedures to make sure that Mutual Legal Assistance Treaties do not provide assistance to nations that try to punish U.S. companies for obeying U.S. law.

And it could match the European Parliament’s willingness to reopen the travel data and terror finance pacts with its own, prescribing in law that if the agreements are reopened they must be amended to include an anti-hypocrisy clause (“no privacy obligations may be imposed on U.S. agencies that have not already been imposed on European agencies”) as well as an anti-hostage-taking clause (“concerns about government conduct will be raised between governments and not by threatening private actors with inconsistent legal obligations”).

And, just to show that this particular road runs in both directions, perhaps Congress could mandate an investigation into how much data about individual Americans is being retained by European companies, how often it is accessed by European governments, and whether access meets our constitutional and legal standards.

NOTE: I don’t have time before the testimony to respond to comments, so I’ll turn them on when I’m back from testifying.