pageok
pageok
pageok
Updating the Foreign Intelligence Surveillance Act:
I have just uploaded a draft of a new essay, Updating the Foreign Intelligence Surveillance Act, forthcoming in a symposium issue of the University of Chicago Law Review. It's a short article, about 22 pages. Here's the abstract:
This essay argues that the Foreign Intelligence Surveillance Act should be restructured to account for changes in communications technology and Fourth Amendment law since FISA's enactment in 1978. FISA reflects the person-focused assumptions of 1970s-era technology and constitutional law. At that time, foreign intelligence monitoring necessarily focused on subject identity and location. Although some modern investigations track this traditional approach, many do not; investigations involving packet-switched networks often start with data divorced from any known person or location. FISA should be amended to create two distinct authorities for surveillance: data-focused authorities when the identity and/or location of the subject are unknown, and person-focused authorities when the identity and/or location are known. A two-pronged approach can best implement the goals of foreign intelligence investigations given the realities of modern communications networks.
Crust (mail):
From the abstract, the argument sounds at least plausible. Why do you think the Bush administration did not request amendments along these lines to FISA, e.g. when they sought and obtained amendments to FISA as part of the Patriot Act in 2001?

By now trust in this administration is so undermined that there is very little chance they could get major amendments passed right now. But back in say late 2001 or in 2002, my sense is they could have got pretty much whatever they wanted. With memories of September 11 still fresh in people's minds and Bush still very popular, I suspect anything remotely plausible they requested would have passed.
7.13.2007 1:25pm
scote (mail):
There is absolutely no reason to update FISA during the reign of an Administration who refuses to obey the law as it is currently written. FISA, being a secret court, is especially subject to abuse by this secretive and authoritarian regime. I don't see how changing FISA will help that nor can I see any reason to put lipstick on a pig by updating FISA.
7.13.2007 3:16pm
OrinKerr:
Scote,

1) The Adminsitration is no longer operating the TSP outside FISA. The TSP is now being operated subject to FISA.

2) The gist of my proposal is to bring into the open a set of currently-secret practices. I would make Congress decide issues that right now are left up to the discretion of the executive branch. I'm curious, why do you oppose that?

Of course, crust may very well be right that no amendments are possible in the next year and a half. But this law review article will still be available on SSRN even after 2008.
7.13.2007 3:35pm
scote (mail):

The Adminsitration is no longer operating the TSP outside FISA. The TSP is now being operated subject to FISA.


The Administration hasn't admitted wrong doing, to my knowledge, or ever publicly admitted violating FISA. Previous statements by Bush and Gonzales that the Administration was operating under the law are now known to be false. I see no reason to trust their assurance to follow FISA as it is currently constructed nor any modified version.

I wasn't dismissing your proposal, I was dismissing the idea of enacting during the current Administration. Why modify the law for an administration which believes itself--by its own assertion in signing statements--to be above the law?

Granted, I'm not advocating the suspension of legislation based on that premise, but in areas of secrecy where the Administration does whatever it feels like I see no reason to embolden them even further by expanding the umbra of surveillance and secrecy even more and giving them more legal cover for their extra-legal activities.
7.13.2007 3:46pm
Constitutional Crisis (mail):
I suppose we have to wait for publication, but can you flesh this distinction out a bit: "data-focused authorities when the identity and/or location of the subject are unknown, and person-focused authorities when the identity and/or location are known."

Are you suggesting that if the surveillance simply begins with datapoints, rather than an individual person as its target, there should be a separate authority? What datapoints would it likely begin with? And what would the end objective of the surveillance be?
7.13.2007 3:58pm
Crust (mail):
OrinKerr in reply to scote:

The [Administration] is no longer operating the TSP outside FISA. The TSP is now being operated subject to FISA.

True, but I'm not sure that's fully responsive to scote for two reasons:

1. The Administration has said that they are currently voluntarily operating the TSP within FISA, but they have left open the possibility of reversing this practice.

2. Unless I missed something, the commitment only applies to the specific program known as the TSP not to surveillance as a general matter. So e.g. it would presumably not apply to the call detail database that may violate the pen register provisions of FISA. (This program was first reported by USA Today and I believe neither confirmed nor denied by the Administration.) And of course there may be other programs we have not heard about.

I am sympathetic to the idea that FISA may not adequately accommodate data-mining oriented approaches that have been made feasible by advances in technology. But I would agree with scote that unless you have an administration that is committed to following the law, it is problematic to loosen the law.
7.13.2007 3:59pm
Just an Observer:
Interesting. Does not the technological shift to packet-switched networks theoretically affect Title III surveillance as well as FISA?

For that matter, I have always wondered what the rationale is for having two different definitions of electronic surveillance -- one for Title III and another for FISA -- since FISA is basically a carve-out from Title III in the first place. Why not apply basically the same definition of covered electronic surveillance from Title III, with the discriminating difference being that FISA covers surveillance for the purpose of gathering foreign intelligence? The "person-focused" definitions within FISA of who is a legitimate target could still apply.

(I suspect that the answer to my own question is that the FISA definitions were crafted to obfuscate the exemption for purely foreign intelligence-gathering, the traditional charter of the NSA. I see no reason why such an exemption could not be stated more straightforwardly. We no longer pretend that the NSA does not exist or that we don't eavesdrop abroad.)

Orin's proposal to layer on an additional regime of "data-focused" surveillance authority presumably could apply only to foreign-intelligence surveillance, since this kind of vacuum-cleaner sifting of data seems likely to run afoul of the Fourth Amendment where we know the Fourth applies under Keith and Katz.

This general idea does seem to go beyond what the Bush administration is asking for. I wonder if some variation of the concept -- probabilistic sampling of some class(es) of communications up-front, combined with expanded minimization -- is part of what the FISA court mysteriously approved in January under existing law.

Since the administration is not seeking such expanded statutory authority today, why assume it is needed? What the administration is asking for is a revised set of FISA definitions that are more purely focused on people as targets, with less specificity about technological platforms.
7.13.2007 3:59pm
Howard Gilbert (mail):
One omission in the article is a clear statement of the current state of the law. You enumerate the four categories that make up "electronic surveilliance" and are covered by FISA. Beyond that there are vague assumptions about what the Fourth Amendment covers. Consider a system where the NSA installs, somewhere outside the 12 mile limit, equipment that monitors all data and voice entering or leaving the US through Atlantic and Pacific fiber cables. If the point of the collection is outside the US and no specific identified US person is the target of the monitoring, then it appears that FISA does not apply and the Fourth Amendment doesn't extend outside the US. Now a lot of people find it surprising that it would be illegal to monitor one specific phone call from one person, but not be illegal to monitor all the data and voice traffic from eveyone in the country. That is certainly a policy question that the new technology introduces. However, my understanding of FISA as it stands (in '70s technology) is that it doesn't cover a program that monitors everything as long as it collects the data 13 miles offshore. It seems important to answer this question, or at least pose it, so the reader knows whether you are creating a new form of government surveilliance or are regulating for the first time something that today is wide open.
7.13.2007 3:59pm
OrinKerr:
JaO,

Great question. Title III is already data-focused. FISA was drafted in a person-focused way because it's trying to regulate a very wide range of different circumstances: people in the U.S. versus outside the U.S., and some people with Fourth Amendment rights and some without. Congress packed into the definition of "electronic surveillance" a set of policy choices as to which of those circumstances should be subject to oversight. In contrast, Title III is data focused already because it's assumed that everyone monitored is inside the U.S. and has Fouth Amendment rights (with the excepton of the computer trespasser exception.)

Howard,

Thanks for the comment, I'll think about that one. By way of background, FISA, like Title III, only applies to interception from inside the United States. Monitoring that occurs outside the U.S. is regulated by the Fourth Amendment and Executive Branch policy directives.
7.13.2007 4:19pm
MacGuffin:
While there are arguments to be made that FISA is based on outmoded technological assumptions, at best you err in the other direction, Orin. Your discussion of current technology is far too Internet and IP specific.

In present fact, only a portion of electronic communications use the higher level abstraction of the IP network. Indeed, I would not be at all surprised to learn that the majority of electronic communications eavesdropped on under the TSP were not and are not conducted over the IP network, but rather over non-IP-based voice networks -- i.e., typical wired and wireless telephone networks. In other words, it is my suspicion that a significant proportion of the electronic surveillance carried out under the TSP is of voice communications that are conveyed over more conventional landline and wireless telephone circuits, not over VOIP networks. While voice network technology has also migrated to its own forms of packet switching and various switched virtual circuits, your heavy emphasis on IP packets and IP routing is too narrow to encompass much new technology electronic surveillance.

In the future, voice and data networks may converge completely to use the IP network in all cases; but until such time, your discussion of current electronic communications technology strikes me as both incomplete and premature.
7.13.2007 4:22pm
Just an Observer:
Two minor quibbles:

1) If it is a good idea to authorize such "data-focused" surveillance, why limit it to terrorism? Would not the same logic apply to surveillance of foreign nation states and their agents?

2) I suspect there is a typo on Page 5, with one or more words dropped. Perhaps you meant to write "The technology and constitutional law of the day ..."
7.13.2007 4:25pm
Smokey:
Scote:
There is absolutely no reason to update FISA during the reign of an Administration who refuses to obey the law as it is currently written.
'Reign'?? Does that include primogeniture and entail? OK, maybe the first one.

Anyway, I was under the impression that the Administration was judged to be acting according to the law, and that the FISA panel of judges ruled unanimously in favor of the Administration.

If I'm off base on this, my apologies. But certainly, if the Administration had broken the FISA law, we'd still be hearing the shouting.
7.13.2007 7:56pm
scote (mail):

'Reign'?? Does that include primogeniture and entail? OK, maybe the first one.

Pretty sure entail applies as well, GW only made it as a "business man" because of the enormous wealth provided by the Bush Dynasty.

Anyway, I was under the impression that the Administration was judged to be acting according to the law, and that the FISA panel of judges ruled unanimously in favor of the Administration.

Ashcroft wouldn't even cofirm to a private Congressional hearing which program he thought was in violation of FISA and almost resigned over. I also still haven't heard anyone provide evidence that the Administration has ever publicly admitted to violating FISA, so the idea that we now "know" they aren't isn't justified.

If I'm off base on this, my apologies. But certainly, if the Administration had broken the FISA law, we'd still be hearing the shouting.

They did violate FISA law, according to the internal DOJ report and the people who were going to resign, but the Administration still publicly claims, to my knowledge, to never have violated the law. You literally cannot trust what the Administration claims to be true.
7.13.2007 8:21pm
Howard Gilbert (mail):
While it is true that telephone voice networks don't use internet protocol per se, they stuff the data into some record structure and transmit it over some digital protocol. Blocks of data have headers with identifers or addresses. Originally voice was transmitted uncompressed at 64K bits per second, but today there may be compression.

So there is no wire circuit between here and there. On the other hand, voice does require some reserved bandwidth to guarantee that chunks of the conversation don't drop out. However, the difference between ATM (which phone companies use for long haul networks) and IP protocol isn't particularly important to the argument. To correct the objection, I would remove specific references to "internet", "IP", and maybe replace "packet switched" which tends to be a specific technical term (the opposite of "circuit switched") with something more general like "routed packets" which has no special meaning at all.

However the data is framed, all voice and data is transmitted across the Atlantic as digital packets carried over fiber optic cables. Monitoring this traffic is basically the same problem no matter how the blocks of data are identifed and rerouted at the next switching center.
7.13.2007 9:16pm
Just an Observer:
Smokey: Anyway, I was under the impression that the Administration was judged to be acting according to the law, and that the FISA panel of judges ruled unanimously in favor of the Administration.

Wow. Your impression is very wrong. No FISA judge has ever ruled on the administration program, or even had its legality presented in a case as far as we know. A district court judge ruled that the program was illegal, but that ruling has been reversed on standing grounds unrelated to the merits of whether the TSP is legal or not.
7.13.2007 9:25pm
scote (mail):

No FISA judge has ever ruled on the administration program,

Indeed, one Administration proposal to change the law would have allowed the administration to voluntarily submit their program to a FISA review, and that review and the resisting decision would be secret, natch. And, of course, they weren't going to be required to submit to review.
7.13.2007 10:05pm
Smokey:
No FISA judge has ever ruled on the administration program, or even had its legality presented in a case as far as we know.

FISA judges say Bush within law

By Brian DeBose
THE WASHINGTON TIMES
March 29, 2006

A panel of former Foreign Intelligence Surveillance Court judges yesterday told members of the Senate Judiciary Committee that President Bush did not act illegally when he created by executive order a wiretapping program conducted by the National Security Agency (NSA).

The five judges testifying before the committee said they could not speak specifically to the NSA listening program without being briefed on it, but that a Foreign Intelligence Surveillance Act does not override the president's constitutional authority to spy on suspected international agents under executive order.

"If a court refuses a FISA application and there is not sufficient time for the president to go to the court of review, the president can under executive order act unilaterally, which he is doing now," said Judge Allan Kornblum, magistrate judge of the U.S. District Court for the Northern District of Florida and an author of the 1978 FISA Act. "I think that the president would be remiss exercising his constitutional authority by giving all of that power over to a statute."

The judges, however, said Mr. Bush's choice to ignore established law regarding foreign intelligence gathering was made "at his own peril," because ultimately he will have to answer to Congress and the Supreme Court if the surveillance was found not to be in the best interests of national security.

Judge Kornblum said before the 1978 FISA law, foreign surveillance was done by executive order and the law itself was altered by the orders of Presidents Ford, Carter and Reagan.

It has been three months since President Bush said publicly that the NSA was listening to phone conversations between suspected terrorists abroad and domestically. The actions raised concerns from Congress and civil liberties groups about domestic spying, but the judges said that given new threats from terrorists and new communications technologies, the FISA law should be changed to give the president more latitude.

Sen. Arlen Specter, Pennsylvania Republican and committee chairman, called the hearing to get advice on his bill that would expand FISA to codify less stringent rules on wiretapping of domestic phone conversations with suspected foreign terrorists and include new technologies like the Internet and satellite communications.

Sen. Patrick J. Leahy, Vermont Democrat, said the Congress should pass new legislation to ease existing restrictions under FISA.

"However, we should not rush to give the administration new powers it has not deigned to request, based on concerns it has not articulated," Mr. Leahy said.

The panel of judges unanimously agreed that the law should have been changed before now to deal with new threats from terrorists and new communications technologies, a point made by Sen. Dianne Feinstein, California Democrat.

"It is confusing that if you take something off of a satellite it is legal, but if you take it off of a wiretap it's not," she said. "We need to include new technology."


Maybe 'ruled' was the wrong word. But if there was a ruling from the FISA panel, it's pretty clear which way it would go.
7.14.2007 10:17am
MacGuffin:
Blocks of data have headers with identifers or addresses.

That is not completely true. The switched virtual circuits that form various voice networks often do not contain endpoint address information that is recoverable at any intermediate network node or switch. Instead, they only have a virtual circuit identifier, which does not tell you who or where the intended receiver is, but only the immediate neighbor network devices that are part of the virtual circuit.

That is a difference that is particularly important to the argument. IP headers do allow for the recovery of information that is akin to that recovered in old-style pen registers and trap and trace devices without trespassing into the actual data contained in the packet. Voice network switched virtual circuits often do not.

Monitoring modern voice networks is a very different task from monitoring data traversing an IP network. Any new law or argument proposing a new law needs to be careful to maintain both the technical and legal distinctions.
7.14.2007 10:28am
Just an Observer:
Smokey,

That Washington Times article was one of the most egregrious examples of falacious reporting in the annals of modern journalism. I watched the hearing and read the transcript. The story is simply false.

Note that there are no quotes to support the reporter's assertion that five "former Foreign Intelligence Surveillance Court judges told members of the Senate Judiciary Committee that President Bush did not act illegally when he created by executive order a wiretapping program conducted by the National Security Agency (NSA)."

The only judge even quoted in the article, Magistrate Judge Kornblum, never was a FISA judge in his life! And his quote did not refer at all to President Bush's ongoing program of warrantless surveillance, but was a response to a question about some hypothetical case of a ticking-bomb scenario with exigent circumstances -- an altogether different issue.

There were several former FISA judges testifying at that Senate hearing about proposed legislation. But all declined to express an opinion about the legality of the President's program.

Judges do not rule on the law in congressional testimony, but in court. In fact, the only judges ever to reach the merits of the question of the TSP's legality in court -- a district court judge in a ruling and a circuit court judge in a dissent -- have said in those written opinions that it is illegal.

If you want to know what judges think about the law, read their cases, not the Washington Times.
7.14.2007 10:59am
Howard Gilbert (mail):
"they only have a virtual circuit identifier" which is why I said "identifier or address". Lest other readers be left out, more detail should be added:

There are two ways to communicate with binladen@alqaeda.org.pk. Using Internet protocol you resolve a computer name into an endpoint address and send a stream of packets. In theory, different packets can take different routes to Waziristan, or at least different fibers in the undersea cable. The data gets reassembled and checked at the other end.

However, telephone voice and a few other systems are more likely to use virtual circuit switching. A startup message passes through the network, chooses a particular route, and assigns a number at each end of the step by step progress from one switching center to the next. The conversation will have a number that identifes its New Jersey end which is unique only within the New Jersey switching center. Similiar ID numbers will be assigned in switching centers in Cornwall, Palermo, Alexandria, and Pakistan. Each switching center has tables. Palermo tables would say that say "all voice coming in with ID xxxxxx from Alexandria goes out with ID yyyyyy to Cornwall.

If all you are doing is scanning for some special phrase like "Climb Mount Mitaka" you may not worry about destinations until you see the phrase. To associate the circuit ID field containing interesting data with a particular endpoint, you have to have saved the circuit startup packet with the caller ID and destination info, although while the call is still active there may be phone company protocols to recover that information in real time.
7.14.2007 11:48am
MacGuffin:
If all you are doing is scanning for some special phrase like "Climb Mount Mitaka" you may not worry about destinations until you see the phrase.

Actually, you will probably be forced to care about network endpoints well before that. Using computers to scan for "Climb Mount Mitaka" in an e-mail or other essentially textual data format is a far simpler and far less computationally intensive task than is recognizing the words "Climb Mount Mitaka" spoken by an arbitrary speaker over a voice communication link. Even in the more tractable e-mail case, you'll likely be forced to restrict your data monitoring by location. Scanning all e-mails that transit any networks in the U.S. is likely too big a job to accomplish in real time even for the NSA, so geographical filters are almost certain. Instead of trying to read all e-mails transiting any network in the U.S., we'll try to read all e-mails originating from or terminating in Middle Eastern networks. If not a geography-based filter, then some other filters are likely to be used to restrict the search domain.

The point of this is that there really is no purely data-focused electronic surveillance. While technological advances make it feasible to monitor more communications channels, the choice of which channels to monitor is still based in considerations outside of the data. The key question raised by the new technologies would seem to me to be whether broader filters than the person and location specific filters of FISA should be accepted, or whether the mere technological fact that we can now listen in to more conversations doesn't fundamentally change anything with regard to whether we should do so.
7.14.2007 1:14pm
Terry Steichen (mail):
Orin, I suggest that what you refer to as 'data-focused' surveillance might more usefully and accurately referred to as 'pattern-based' surveillance. Though you mention packet-switching and other technologies several times in your paper ("Updating the Foreign Intelligence Surveillance Act), I don't believe that the technology per se is really relevant. Instead, what I believe you're referring to is searching communications based on patterns, not identities. The rest of my comment will be based on that (hopefully accurate) assumption.

There are two important factors that I didn't notice any mention of in your paper. One is the difference between information obtained from foreign intelligence surveillance, and that obtained from law enforcement surveillance. Of critical importance (to the 4th Amendment) is to prevent the former (typically obtained with a lesser standard of proof for actions that may or may not be crimes, and may or may not involve U.S. citizens) and the latter (based on the much stricter standard of probable cause, etc.).

Second is the difference between targeted surveillance and 'fishing expeditions.' It seems possible, even likely, that intelligence operations sweep the world 'fishing' for useful tidbits of foreign intelligence information. But domestically, particularly from a law enforcement perspective, such 'fishing' runs flat up against the 4th Amendment. For the 'gray area' at issue here (international communications to/from the U.S.), broad 'fishing' surveillance must have some curbs.

This is where your two-track warrant may come into play. If the government wants to conduct foreign intelligence surveillance not targeted on an individual but in a domestic setting, it seems reasonable to require that this be done with a specific pattern defined. The government must get a pattern-based warrant, and in doing so, must make some kind of showing that there's reason to believe that communications exhibiting this pattern will likely pull in valuable foreign intelligence and likely NOT pull in private, protected communications. (This second part is vitally important.)

People generally have a view of government that is benign, even benevolent (and in no small ways, incompetent). They naturally get this feeling because the people in government are that way - few if any are nasty, aggressive, let alone evil. What people almost always overlook (or fail to appreciate in the first place) is that these 'nice' people, when operating collectively, almost invariably adopt patterns of behavior that can easily lead the worst kinds of abuses. Nowhere is this more true than in activities that stem from secret surveillance.

I'm not sure that it's possible to develop meaningful standards so that patterns can be used as the basis for warrants that still protect civil liberties. It's worth exploring, I suppose. But unless and until we can demonstrate this, I would strongly argue against any change to the present law. I would certainly vigorously oppose any idea of conducing the pattern-based surveillance without regulation.

Note: I was very much involved in these matters prior to, during and after FISA. I'd be happy to discuss this further with you offline, if you'd like.
7.15.2007 11:58am