The Volokh Conspiracy

In March, Director of National Intelligence James Clapper told a Senate Committee that the National Security Agency does not “collect any type of data” on Americans, at least “not wittingly.”  Recent leaks about NSA surveillance activity suggest this was not true.  Here is Clapper’s exchange with Senator Wyden from the March hearing:

Senator Wyden: “Last summer the NSA director was at a conference and he was asked a question about the NSA surveillance of Americans. He replied, and I quote here, ‘... the story that we have millions or hundreds of millions of dossiers on people is completely false.’
“The reason I’m asking the question is, having served on the committee now for a dozen years, I don’t really know what a dossier is in this context. So what I wanted to see is if you could give me a yes or no answer to the question: Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”

Clapper: “No, sir.”

Wyden: “It does not.”

Clapper: “Not wittingly. There are cases where they could inadvertently perhaps collect, but not wittingly.”

In a recent interview with NBC News (via Yahoo News), Clapper defended his response:

I have great respect for Sen. Wyden. I thought, though in retrospect, I was asked [a] ‘When are you going to stop beating your wife’ kind of question, which is ... not answerable necessarily by a simple yes or no,” Clapper said.

“So I responded in what I thought was the most truthful, or least untruthful, manner by saying ‘no,’” Clapper said, indicating that he did not consider it “collection” unless government officials actually reviewed the content of the communications. The NSA program, regarding phone records, scoops up “metadata”—phone numbers called, duration of calls, location and the like.

This is not much of an explanation. It’s hard to argue that the NSA has not been engaged in the “collection” of information. If members of Congress are looking for an Administration official who gave untruthful testimony, it sees to me Clapper is a better candidate than Eric Holder. There is an added wrinkle here, however, is that it is not clear to me whether Clapper could have given a direct (and truthful) answer in a public hearing, as such an answer would have required him to disclose the existence of a then-classified government program. Even a non-answer or evasion could have revealed the existence of operations the NSA was trying to keep secret. In such a situation I would think one response would be to correct the record with the committee after-the-fact. Yet according to Senator Wyden’s office, no such correction was forthcoming — even after the Senator’s office gave him an opportunity to amend his answer. Admittedly Clapper was in a difficult situation, but it’s nonetheless clear that he was not truthful to Congress.

Google argues that the answer is “yes,” in this oral argument today in the Ninth Circuit in Joffe v. Google.   It’s an interesting question as a matter of statutory interpretation, largely because Congress wasn’t thinking about wireless Internet networks when it was writing about “radio communications.”  The statute reflects different carve-outs from different eras that each reflected technologies of its era, all of which now are now barnacles on the hull of the statute that exist decades later when the technologies are very different. As a common sense matter, it would be surprising if the courts hold that anyone can intercept unencrypted wireless communications.  It would be the kind of surprising interpretation that I suspect Congress might revisit if the courts reach it.  But purely as a matter of statutory interpretation, it’s an interesting and difficult question.

For further reading, I offered a blog post related to this issue here.  I have also written at length on the Wiretap Act as a whole in Sections 4.5-4.6 of LaFave, et. al. Criminal Procedure.  Thanks to Howard Bashman for the link to the 9th Circuit oral argument.

UPDATE from the comment thread:  ”One thing that makes the issue interesting is that the norms surrounding the issue have changed pretty quickly. A decade ago, the default was to use the unsecured mode; use of the secured mode was uncommon. Today, the default is to use the secured mode; use of the unsecured mode is uncommon. As a result, a lot of people have a very different reaction to the issue today than they had a decade ago. Meanwhile, it’s the same statute.”

The Washington Post has an interesting new poll out about public reaction to the recent disclosures that the NSA is getting access to all domestic call records, or at least all records held by particular telephone providers. I thought I would ask the Post’s poll question to readers here, and then hide the result of the Washington Post’s poll below the break.

Here’s the Post’s question:

As you may know, it has been reported that the National Security Agency has been getting secret court orders to track telephone call records of MILLIONS of Americans in an effort to investigate terrorism. Would you consider this access to telephone call records an acceptable or unacceptable way for the federal government to investigate terrorism?

For the results of the Washington Post poll, see below the break.

Continue reading ‘A Reader Poll on the NSA Call Records Program — and Public Opinion on the Same Question’ »

The Center for American Progress and its affiliated 501(c)(4) Center for American Progress Action Fund often attack conservative and libertarian organizations as tools of corporate interests.  The latter’s Think Progress blog, for instance, has often suggested corporate donations undermine the credibility of CAP’s ideological adversaries.  This makes a recent report and follow-up in The Nation on CAP’s own corporate support quite interesting.  CAP claims to not be influenced by its receipt of corporate money.  That may well be true, but it would be easier to credit such claims were CAP and its affiliates more willing to give others the same benefit of the doubt.

As he has for the past 30 days, Paul Caron rounds up the latest on the IRS scandal.  Among the key developments are claims by IRS employees in the Cincinnati office suggesting D.C. involvement in the targeting of conservative groups and renewed allegations that an IRS employee released confidential tax information of a conservative group.  Meanwhile, the IRS has been further embarrassed by reports of lavish conferences, including one in 2010 that cost over $4 million.

I will not be live blogging from the royal wedding here in Stockholm today; that simply would not be appropriate. For those who are interested, see Hello Magazine’s comprehensive coverage, here.

A reader e-mailed me about this story:

The family of a future Marine from New Hampshire is upset that his high school will not allow him to wear his uniform to graduation.

Brandon Garabrant will earn the title of [United] States Marine Friday after boot camp graduation. He will receive his diploma at ConVal Regional High School the following day. He’s able to do this because he had enough credits to graduate early.

Garabrant wants to wear his military uniform at his high school graduation, but the school’s principal says he must wear the cap and gown like everyone else, a move that has surprised some students....

Principal Brian Pickering didn’t make the decision alone. His graduation committee consists of a military wife, a military mother, a retired Army Special Forces member, and a retired Marine....

The committee tells FOX 25 high school graduation is for the students and just like the military, they want uniformity from those graduating. They say Brandon is welcome to wear his uniform under his gown and take the gown off once he gets his diploma.

I’m inclined to think that the school is right here. First, the purpose of a graduation is to mark the departure from school, not to indicate what one will be doing after school. Some might go to the military, some might go to college, some might become baseball players. But the point of the cap and gown is to focus on what all the graduates have accomplished, not on what some might be doing next.

Second, and more important, allowing one person to have distinctive dress draws undue attention to that person, at the expense of the others whom he will overshadow. The uniform cap and gown highlights the uniform accomplishment that is being honored at this event. There will be plenty of time to honor the Marine’s future individual accomplishments.

None of this, of course, in any way diminishes the importance of military service, or the courage that it requires. It’s just that this facet of Mr. Garabrant’s life ought to be celebrated on another occasion; this occasion is for celebrating a different facet of his life and his fellow graduates’ lives.

Some readers might think about what the rule ought to be when it comes to religious accommodations. I’m inclined to say that this matter is different for two reasons. First, religious accommodations are generally given in response to what people sincerely feel is their religious obligation, or at least what they feel strongly religiously encouraged to do. The sense is that we shouldn’t require people to violate their felt duty to God in order to enjoy their graduation ceremony. While Mr. Garabrant is naturally proud of being a Marine, I doubt that he feels a similarly strong sense of obligation to wear the military uniform everywhere.

Second, most religious accommodations tend to involve less obtrusive and distracting items than an entire uniform. Naturally students will not be entirely uniform — they’ll have individual faces, individual hairstyles, often minor bits of individual jewelry (such as earrings). A headscarf worn under the cap may be more noticeable, but not by a great deal; a turban worn instead of the cap may be still more noticeable, but still not as much as a full-on uniform. Now in theory there might be some requests for more obtrusive religious accommodations, such as someone asking to wear a nun’s habit or a saffron monk’s robe; but it’s not clear to me that such accommodation requests should be granted, and if they are granted, that should only be for the first reason given above (the sense that the people feel a religious obligation to wear the garments). In any event, these theoretical obtrusive accommodations aren’t what we generally think of when we envision the typical religious accommodation for headgear or jewelry. And a military uniform will stand out among the graduates considerably more than a headscarf would.

Incidentally, the military itself recognizes the importance of how obtrusive a religious deviation from the uniform rules would be — its rule as to accommodations of religious headgear and the like is that “items of religious apparel” are allowed if they are “discreet, tidy, and not dissonant or showy in style, size, design, brightness, or color.”

Readers of this blog may remember Brewington v. State, an Indiana Court of Appeals decision that I’ve argued is inconsistent with the First Amendment. Brewington asked the Indiana Supreme Court to review the case, and I filed (with the help of local counsel Jim Bopp and Justin McAdam) a pro bono amicus brief supporting that argument, on behalf of Eagle Forum, the Hoosier State Press Association Foundation, the Indianapolis Star, the Indiana Association Of Scholars, the Indiana Coalition for Open Government, the James Madison Center for Free Speech, Nuvo (Indy’s Alternative Voice), and Professors James W. Brown, Anthony Fargo, Sheila S. Kennedy (all Indiana professors of journalism or public policy). Today the Indiana Supreme Court announced that it will hear oral argument — likely on Sept. 12 — on the matter.

Here’s a quick summary of the intimidation charge on which our brief focused.

Daniel Brewington was involved in a contentious child custody dispute; Judge James D. Humphrey ruled against him in this dispute, giving sole custody to Brewington’s wife, limiting Brewington’s visitation, and finding Brewington “to be irrational, dangerous and in need of significant counseling.”

After this decision, Brewington posted various items online “discussing Judge Humphrey, in which he described the judge as ‘corrupt,’ and accused him of engaging in ‘unethical/illegal behavior.’ He also repeatedly referred to the judge as a child abuser.” Brewington was then prosecuted for, among other things, violating Indiana Code § 35-45-2-1, which (in relevant part) criminalizes as “intimidation”

communicat[ing] a threat to another person, with the intent ... that the other person be placed in fear of retaliation for a prior lawful act,

and defines “threat” to include threats of

expos[ing] the person threatened to hatred, contempt, disgrace, or ridicule.

Brewington was convicted, and the court of appeals affirmed, concluding that the speech was criminally punishable, even without any need for the state to prove that Humphrey’s criticisms of the judge were false:

At trial, the State alleged that Brewington communicated a threat to Judge Humphrey, with the intent of placing him in fear of retaliation for issuing the divorce decree in this case.... [T]he State argued that Brewington issued several different types of threats .... We focus our analysis on whether Brewington threatened Judge Humphrey by expressing an intent to expose him “to hatred, contempt, disgrace, or ridicule.” [According to the State’s appellate brief, this threat consisted of his posts calling Humphrey a “child abuser” after the decision, and not of any statement such as, “if you decide against me, I will publicly label you a child abuser." -EV] ...

[T]he offense of intimidation in Indiana shares common language with past statutes outlawing blackmail. See Meek v. State, 205 Ind. 102 (1933) (quoting a statute defining blackmail, in relevant part, as “accusing or threatening to accuse[ ] any person of any crime punishable by law, or of any immoral conduct which, if true, would tend to degrade and disgrace such person, or in any way subject him to the ridicule or contempt of society”).... [T]he crime consists of threatening the victim with the intention of placing the victim in fear for a prior lawful act. The truthfulness of the threatened disclosure is not necessarily relevant to prosecution because the harm, placing a victim in fear, occurs whether the publicized conduct is true or false....

[W]e conclude that it is irrelevant whether the conduct Brewington intended to disclose to the public actually occurred or was an outright fabrication.... [T]he State was not required to provide evidence that Brewington’s public statements about Judge Humphrey were knowingly false.

The court also concluded that Brewington’s statements were indeed false, and knowingly false:

Even if the State was required to prove that Brewington knew his internet postings and other communications about Judge Humphrey were false, there is ample evidence of Brewington’s knowledge. His public comments went well beyond hyperbole and were capable of being proven true or false. Over the course of at least a year, Brewington repeatedly called Judge Humphrey a “child abuser.” State’s Ex. 170; see also State’s Ex. 162 (“Judge Humphrey’s actions constitute child abuse”), State’s Ex. 168 (“abuser of children”), State’s Ex. 173 (Judge Humphrey “abuse[s] children who are part of the family court system”). Brewington also called Judge Humphrey “corrupt,” and accused him of engaging in “unethical/illegal behavior.”

Brewington argues he was merely stating his opinion that, in constraining his right to see his children, Judge Humphrey was essentially committing child abuse. However, it is clear from the divorce decree that Judge Humphrey, in the exercise of lawful judicial discretion and out of concern over Brewington’s history of “irrational behavior” imposed reasonable visitation restrictions upon Brewington out of a desire to protect the children’s well-being. Only by willfully misinterpreting the terms of the divorce decree in bad faith could one argue that Judge Humphrey’s conduct constituted an intentional act to harm Brewington’s children. Thus, even if the State was required to prove that Brewington knew his public statements about Judge Humphrey were false, there was ample evidence from which the jury could have concluded that Brewington accused Judge Humphrey of child abuse and professional misconduct while knowing that the accusations were false.

And here is the first part of our amicus brief:

Continue reading ‘Indiana Supreme Court Agrees to Hear Oral Arguments in Brewington’ »

In his post below, my co-blogger Stewart Baker points out DNI James Clapper’s statement about the FISC order requiring Verizon to turn over its entire call records database to the NSA. I was particularly interested in this paragraph:

By order of the FISC, the Government is prohibited from indiscriminately sifting through the telephony metadata acquired under the program. All information that is acquired under this program is subject to strict, court-imposed restrictions on review and handling. The court only allows the data to be queried when there is a reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization.

So the FISC has a minimization order in place. I wonder, though, what’s the legal basis for that standard? The standard described here is a Terry standard, a Fourth Amendment standard for when the police can stop a person temporarily and subject them to questioning introduced by Terry v. Ohio. I’m not aware of anything in FISA that requires that standard. Nor is there anything in the Fourth Amendment that would seem to require it, as the call records are unprotected under Smith v. Maryland. Perhaps this is just the minimization standard that the FISC has imposed as a matter of policy?

I should add that the basic shift in surveillance practice to more emphasis on downstream use restrictions and minimization isn’t surprising. I wrote about that shift in this essay I wrote for Brookings in 2011:

The benefit of computer surveillance is that it can process information quickly and inexpensively to learn what would have been unknowable. Assembling and processing information may lead to plausible conclusions that are far more far- reaching than the information left separate. If so, data manipulation can have an amplifying effect, turning low impact information in isolation into high impact information when processed.

Reaping these benefits requires surveillance systems that allow the initial collection and processing. To reap those benefits, the best way to design surveillance systems is to allow the initial collection but then place sharp limits on the later stages such as disclosure.

The NSA call records program appears to be that idea on steroids: Collect everything, and then control access to the database created. But I’m left puzzled as to what the legal basis is for what appears to be happening. Where are they getting the Terry standard here?

The Director of National Intelligence issued a statement late last night about the NSA collection flap.  It’s the smartest thing the government has released so far, and its justification for the program in question seems to confirm my speculation in Foreign Policy yesterday.

First, large-scale collections give the government a way to screen for patterns in communications that will bring to light terrorists who are unknown to the government. As the DNI puts it,  ”The collection is broad in scope because more narrow collection would limit our ability to screen for and identify terrorism-related communications. Acquiring this information allows us to make connections related to terrorist activities over time.”

Second, the government justifies collecting a reservoir of data because it is only allowed to consume the data a spoonful at a time. Here’s the DNI:

• By order of the FISC, the Government is prohibited from indiscriminately sifting through the telephony metadata acquired under the program. All information that is acquired under this program is subject to strict, court-imposed restrictions on review and handling. The court only allows the data to be queried when there is a reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization. Only specially cleared counterterrorism personnel specifically trained in the Court-approved procedures may even access the records.
• All information that is acquired under this order is subject to strict restrictions on handling and is overseen by the Department of Justice and the FISA Court. Only a very small fraction of the records are ever reviewed because the vast majority of the data is not responsive to any terrorism-related query.

In short, there’s less difference between this “collection first” program and the usual law enforcement data search than first meets the eye.  In the standard law enforcement search, the government establishes the relevance of its inquiry and is then allowed to collect the data.  In the new collection-first model, the government collects the data and then must establish the relevance of each inquiry before it’s allowed to conduct a search.

If you trust the government to follow the rules, both models end up in much the same place.  I realize that some folks simply will not trust the government to follow those rules, but it’s hard to imagine a system with more checks and restrictions and doublechecks than one that includes all three branches and both parties looking over NSA’s shoulder.

In theory, you could add the check of exposing the system to the light of day, but that means wrecking much of its intelligence value. Or you could simply prohibit the collection-first model (and lose the ability to spot terrorism patterns by matching disparate bits of data). I doubt that those “solutions” are worth the price.

[This post is sheer speculation; I may be way off. Read accordingly.] Longtime readers will recall the dispute in 2005-2006 over the legality of the Bush Administration’s warrantless wiretapping program, aka the “Terrorist Surveillance Program,” which was revealed in December 2005 by the New York Times. Recall that several DOJ officials threatened to resign over the program as unlawful in 2004, but then changes to the program were made to satisfy them that the program was lawful. As best I can recall — it has been a few years — the leading theory for what changes were made to make the program legal was that program was changed to be based on the AUMF instead of the President’s Article II power. I thought of that dispute when I read this passage in today’s Post story on PRISM:

Between 2004 and 2007, Bush administration lawyers persuaded federal FISA judges to issue surveillance orders in a fundamentally new form. Until then the government had to show probable cause that a particular “target” and “facility” were both connected to terrorism or espionage.

In four new orders, which remain classified, the court defined massive data sets as “facilities” and agreed to certify periodically that the government had reasonable procedures in place to minimize collection of “U.S. persons” data without a warrant.

I’m probably way off on this, but I wonder: Is that what changed and allowed the TSP to continue? The timing would be right, as the changes from Goldsmith/Comey et. al. started in 2004 and the Protect America Act came around to formally approve the TSP program (at least in some form) in 2007. And recall yesterday’s post on the NSA call records program, and in particular the legal ambiguity that led to FISA court orders allowing it:

Section 1861 says that the “things” that are collected must be relevant to a national security investigation or threat assessment, but it says nothing about the scope of the things obtained. When dealing with a physical object, we naturally treat relevance on an object-by-object basis. Sets of records are different. If Verizon has a database containing records of billions of phone calls made by millions of customers, is that database a single thing, millions of things, or billions of things? Is relevance measured by each record, each customer, or the relevance of the entire database as a whole? If the entire massive database has a single record that is relevant, does that make the entire database relevant, too? The statute doesn’t directly answer that, it seems to me. But certainly it’s surprising — and troubling — if the Section 1861 relevance standard is being interpreted at the database-by-database level.

Maybe I’m just misreading the two paragraphs from today’s Post story, but it sounds like there was a similarly broad reinterpretation of FISA in 2004. By reading a massive data set as a “facility,” the government could get FISA court orders allowing massive-scale surveillance from the 2004-07 period.

Did that authorize the TSP, at least formally? Maybe. Although maybe I’m way off. Think about it: If that authorized the TSP, it would mean that the Bush Administration’s TSP actually did have a warrant — it’s just that it was a single warrant for the entire program. It seems hard to believe that the Bush Administration wouldn’t have let on about that if there were such an order from the FISA court. But then the order was and still is classified, so I suppose it’s possible that they didn’t acknowledge the existence of the warrant even though it existed.

Anyway, just some uninformed speculation on my part. I’m curious what readers think.

The leaked news about the PRISM surveillance program has been the big news story today. The details are murky, but one question that we should be asking is whether the program is legal. From what I’ve seen so far, it sounds like the program is the way the government is implementing the FISA Amendments Act of 2008 and the Protect America Act of 2007, which were enacted in response to the 2005 disclosure of the Bush Administration’s warrantless wiretapping program. Here’s what I wrote about the PAA of 2007 when it was going through Congress:

So what does the legislation do? A. . . The first change is a clarification that FISA warrants are not needed for “surveillance directed at a person reasonably believed to be located outside of the United States.” That is, if the government is monitoring someone outside the United States from a telecom switch in the U.S., it can listen in on the person’s calls and read their e-mails without obtaining a FISA warrant first. The Fourth Amendment may still require reasonableness in this setting when one or more people on the call of e-mail are inside the U.S. or are United States citizens, but there is no statutory warrant requirement.

The second change is a requirement of a formal authorization of a program to do such monitoring. The Director of National Intelligence and the AG have to approve a program (for up to one year) reasonably designed to be limited to the monitoring of persons outside the United States. Those procedures have to be submitted to the FISA court, which then reviews whether the Executive’s conclusion that the procedures are reasonably designed to only pick up the communications of people reasonably believed to be outside the U.S. is “clearly erroneous.” If the conclusion is clearly erroneous, the court sends them back and tells the Executive to try again. The government can also appeal that determination to the FISA Court of Review and if needed the Supreme Court. I’m not exactly sure, but my sense is that this is a one-size-fits-all order; that is, the one authorization covers all the providers.

It sounds like the PRISM program is the way of implementing the statute, now codified at 50 U.S.C. 1881a. Recall this detail from the original Post story:

Analysts who use the system from a Web portal at Fort Meade key in “selectors,” or search terms, that are designed to produce at least 51 percent confidence in a target’s “foreignness.” That is not a very stringent test. Training materials obtained by the Post instruct new analysts to submit accidentally collected U.S. content for a quarterly report, “but it’s nothing to worry about.”

Presumably the bit about “selectors” that are “designed to produce at least 51 percent confidence in a target’s foreignness” are ones that have been approved by the DNI and AG and then approved by the FISA court to implement the authority to target “persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” 50 U.S.C. 1881a(a).

Anyway, maybe this is obvious to everyone, but I thought I would add it just in case it wasn’t.

It turns out that the FISA court order disclosed yesterday — the one forcing Verizon to turn over all telephone metadata — was just the latest renewal of a court order that the government first obtained seven years ago. So I gather that every 90 days, they go back and say, “yes, getting the entire database of all call records is still relevant,” and they get a new 90-day order. Presumably this was the CYA move when the telcos balked at justifying such disclosures voluntarily, which was the initial legal ground by which the program was justified (and which was a pretty weak legal ground, as I blogged about here at orinkerr.com back in 2006). And it seems to confirm that the order was as broad as it appears.

Bart Gellman and Laura Poitras have a huge new story in the Washington Post:

The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time.

The highly classified program, code-named PRISM, has not been disclosed publicly before. Its establishment in 2007 and six years of exponential growth took place beneath the surface of a roiling debate over the boundaries of surveillance and privacy. Even late last year, when critics of the foreign intelligence statute argued for changes, the only members of Congress who know about PRISM were bound by oaths of office to hold their tongues.

An internal presentation on the Silicon Valley operation, intended for senior analysts in the NSA’s Signals Intelligence Directorate, described the new tool as the most prolific contributor to the President’s Daily Brief, which cited PRISM data in 1,477 articles last year. According to the briefing slides, obtained by The Washington Post, “NSA reporting increasingly relies on PRISM” as its leading source of raw material, accounting for nearly 1 in 7 intelligence reports.

That is a remarkable figure in an agency that measures annual intake in the trillions of communications. It is all the more striking because the NSA, whose lawful mission is foreign intelligence, is reaching deep inside the machinery of American companies that host hundreds of millions of American-held accounts on American soil.

The technology companies, which participate knowingly in PRISM operations, include most of the dominant global players of Silicon Valley. They are listed on a roster that bears their logos in order of entry into the program: “Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.” PalTalk, although much smaller, has hosted significant traffic during the Arab Spring and in the ongoing Syrian civil war.

There’s an important caveat in the program that might get lost in coverage about it: the NSA only pulls out the data when there is a preponderance of the evidence indicates that the person is outside the United States:

Analysts who use the system from a Web portal at Fort Meade key in “selectors,” or search terms, that are designed to produce at least 51 percent confidence in a target’s “foreignness.” That is not a very stringent test. Training materials obtained by the Post instruct new analysts to submit accidentally collected U.S. content for a quarterly report, “but it’s nothing to worry about.”

It’s important to realize something that few people think much about: Most U.S. based Internet services actually serve a primarily foreign user base. Here’s an excerpt from a forthcoming article of mine (the one I mentioned yesterday, that I’ll be posting online soon):

The reality of global Internet access means that U.S.-based Internet services often have a heavily foreign customer base. Consider Gmail, the popular e-mail service provided by Google. Google is headquartered in California, and its servers currently reside there. But Gmail’s business is truly international, and slightly less than 30% of Gmail’s users reside in the United States. This chart shows the percentage of Gmail’s users that are in a handful of different countries as of 2012:

Country % of Gmail Users
United States 29.7%
India 8.9%
Japan 3.4%
Russia 3.3%
Brazil 3.2%
United Kingdom 2.9%
China 2.7%
Iran 2.6%

Facebook’s user base is even more heavily foreign than is Gmail’s user base. To be sure, using Facebook has become as American as apple pie: About 54% of Americans presently have a Facebook account. At the same time, only about 16% of Facebook’s users are located in the United States. The rest, about 84%, access Facebook from abroad. For United States-based services like Gmail and Facebook, United States users form a small subset of its global customer base.

It sounds like the PRISM program takes advantage of that by giving the NSA access to the computers of the major U.S. based providers so it can search for the information of non-U.S. persons — subject to the NSA’s judgment of who is a non-U.S. person — and monitor them in realtime.

A huge story.

There may be a lot less to the NSA “scandal” than meets the eye.  In an article for Foreign Policy, I explain why I am quite confident that the program underlying the FISA court order is lawful:

[T]his is not some warrantless or extra-statutory surveillance program.  The government had to persuade up to a dozen life-tenured members of the federal judiciary that the order is lawful. You may not like the legal interpretation that produced this order, but you can’t say it’s lawless.

In fact, it’s a near certainty that the underlying program has been carefully examined by all three branches of government and by both parties.  As the Guardian story makes clear, Senator Ron Wyden has been agitating for years about what he called an interpretation of national security law that seems goes beyond anything the American people understood or would support.  He could easily have been talking about orders like this. So it’s  highly likely that the law behind this order was carefully vetted by both intelligence committees, Democrat-led in the Senate and Republican-led in the House. (Indeed, today the leaders of both committees gave interviews defending the order.) And in the executive branch, any legal interpretations adopted by the Bush administration would have been carefully scrubbed by President Obama’s Justice Department.

The two other questions about the program are why such a sweeping collection and how can something that broad be lawful.  Here’s my guess about answers to the first question:

Imagine that the United States is intercepting al Qaeda communications in Yemen.  Its leader there calls his weapons expert and says, “Our agent in the U.S. needs technical assistance constructing a weapon for an imminent operation.  I’ve told him to use a throw-away cell phone to call you tomorrow at 11 a.m. on your throw-away phone.  When you answer, he’ll give you the number of a second phone. You will buy a phone in the bazaar, and call him back on the second number at 2 p.m.”

Now, this is pretty good improvised tradecraft, and it would leave the government with no idea where or who the U.S.-based operative is or what phone numbers to monitor. It doesn’t have probable cause to investigate any particular American.  But it surely does have probable cause to investigate any American who makes a call to Yemen at 11 a.m., Sanaa time, hangs up after a few seconds, and then gets a call from a different Yemeni number three hours later. Finding that person, however, isn’t easy, because the government can only identify the suspect by his calling patterns, not by his name.

So how does the NSA go about finding the one person in the United States whose calling pattern matches the terrorists’ plan?  Well, it could ask every carrier to develop the capability to store all of their calls and to search them for patterns like this. But that would be very expensive, and its effectiveness is really only as good as the weakest, least cooperative carrier.  And even then it wouldn’t work without massive, real-time information sharing — any reasonably intelligent U.S.-based terrorist would just buy his first throwaway phone from one carrier and his second phone from a different carrier.

The only way to make the system work, and the only way to identify and monitor the one American who is plotting with al Qaeda’s operatives in Yemen, is to pool all the carriers’ data on U.S. calls to and from Yemen and to search it all together — and for the costs to be borne by all of us, not by the carriers.

In short, the government has to do it.

And here’s my guess about how to answer the second question:

The technique that squares that circle is minimization.  As long as the minimization rules require that all searches of the collected data must be justified by probable cause, Americans are protected from arbitrary searches.  In the standard law enforcement model that we’re all familiar with, , privacy is protected because the government doesn’t get access to the information until it presents evidence to the court sufficient to identify the suspects. In the alternative model,  the government gets possession of the data but but is prohibited by the court and the minimization rules from searching it until it has enough evidence to identify terror suspects based on their patterns of behavior.

That’s a real difference. Plenty of people will say that they don’t trust the government with such a large amount of data, that there’s too much risk that it will break the rules, even reules enforced by a two-party, three-branch system of checks and balances. Even I, when I first read the order, had a moment of chagrin and disbelief at its sweep. 

But for those who don’t like the alternative model, the real question is “compared to what?”   Those who want to push the government back into the standard law enforcement approach will have to explain how it will allow us to catch terrorists who use half-way decent tradecraft — or why sticking with the standard approach is  so fundamentally important that we should do so even if it means more acts of terror at home.