tv Hoover Institution Forum Considers the Future of FISA CSPAN June 15, 2017 2:55pm-3:34pm EDT
earlier this month stanford university held a conference to address the future of section 702 of the foreign intelligence surveillance act. we heard mostly about section 7 of the act, including section 702, which gives the government authority to monitor foreign citizens to gather foreign intelligence. this is about 40 minutes. >> good afternoon, everybody. i'll give you a quick welcome
and brief introduction of our first speaker. i'm mike franc, director of the washington, d.c. programs office for the hoover institution. welcome to sunrise or sunset, the future of section 702, the foreign intelligence surveillance act. our first speaker will be john villasenor, who is a visiting fellow here at the hoover institution. he wears a number of hats. he's also an affiliate at stanford center for international security and cooperation. he's a professor at ucla where he holds appointments in schools of engineering, public affairs, and governance. he's also a visiting professor in the ucla school of law. his research focuses on the intersection of technology, policy, business law, and the wider ramifications of key technological trends and developments. he's testified before congress, most recently on drones,
privacy, and intellectual property. john is going to go through the basics of section 702, sort of like a 101 introduction to it, and that will set up the rest of our program today. john, welcome. >> thank you very much. thank you all for coming today. so i realize there's probably -- probably some of the country's top experts on section 702 in the room. if you're one of those people, you will learn nothing in the next 25 or 30 minutes. but the goal of this portion of the talk is to make sure that we're all sort of starting from the same foundation. i'm not going to argue in favor or against any of the provisions of section 702. i'm simply going to lay out what it is so we're all starting from the same place. my understanding is
programmatically this will go to 12:45, then we've got lunch for you and we'll go back to the remainder of the program. section 702 is part section 7 of fisa. it allows monitoring communications of persons other than u.s. persons who are reasonably believed to be outside the united states to acquire foreign intelligence information. those are the three key requirements which relate to section 702. what i'm going to do in this presentation is give an historical context, talk about the act of 2008 which teed up the discussion they're having this year in congress, and go through the highlights, key points of section 702. apologies for quality, i downloaded this from -- this is
scanned 1978 legislation, but this is the original fisa. fisa was originally enacted in 1978 to authorize surveillance for foreign intelligence purposes. it was directed exclusively at foreign powers. another feature from the '78 legislation is there had to be no likelihood that the surveillance would contain communication in which a u.s. person is a party. from the earliest days of fisa we see this intention towards not intercepting u.s. persons' communications if possible. the other thing notable in the original fisa is you see the creation of the foreign intelligence surveillance court. the chief justice shall publicly designate seven, today we had 11, that was increased to 11
under the patriot act of 2001. the foreign intelligence surveillance court was created under 1978 fisa. that same law also created the review, the foreign intelligence surveillance court review, which was very rarely used, so it's the appeal venue from fisc, but it has been used in several key rulings. that framework, even though section 702, in fact title vii didn't exist, that framework dates from the original enactment of fisa. unsurprisingly for legislation that was originally put on the books in 1978, at times over the years, here are some of the amendments that at least i was able to find. i'm going to give specific attention to some of these latter ones here, those latter amendments are the ones which created the section 702 that we
have today. so a precursor to title vii, section 702, was something called the protect america act of 2007. it was enacted in august of 2007. and this was specifically -- here is the first time we see language like what we have in section 702 today. having dni and the attorney general authorize the acquisition of foreign intelligence information concerning persons reasonably believed to be outside the united states. this protect america act of 2007 had a sunset built into it. and it basically was automatically going to expire 180 days after enactment, which it was enacted in august of 2007. so it then expired at sunset in february of 2008. so from february 2008 onward, there was this discussion in congress about what to do.
and then finally, a couple of months later, in july of 2008, we have the passage into law of the fisa amendments act of 2008, which is the act that created the title vii that we have today. so this was the first time we had that in the form essentially the way we have it today. this is the legislation creating title vii. and you'll notice here, it's got a sunset, and -- actually i'm going to go back here. as originally created, it sunset on december 31st, 2012, so a little over four years after the original enactment. so the day before it was going to expire, so on december 30th, 2012, there was a reauthorization. it would be nice to think that in 2017, this will get resolved before december 30th, 2017. but if history is any guide, it might come down to the wire. so in 2012, there was at the
very end, the day before the original title vii was going to sunset, it was extended, and particularly it had this language here, striking december 31st, 2012, and inserting december 31st, 2017. and that's where we are today, right? this is the law we have on the books today, which is the reason we have so much press these days is because the issue is, you know, extending this either with or without modifications is something that's been discussed quite a bit. that's a kind of level setting, here we are. so i thought it would be helpful, because people sometimes use these terms, fisa, section 7, 702. fisa as it exists today has a number of these titles. i bolded title vii, which is where section 702 lives. title iii is business searches.
section 215 of the patriot act, that's not section 702. that lives in title v. we're talking about title vii. section 702 is a portion of title vii. we kind of push into title vii here, we get the sections within fisa, within title notably, these are other than u.s. persons, right? so section 702, as i suggested at the very beginning, is specifically designed in relation to people who are not u.s. persons. that contrasts with some of the other sections of title vii which actually address the u.s. persons. so section 702 is specifically non-u.s. persons. that's the historical context of
where section 702 sits within title vii, and more broadly within fisa. so now let's talk about what some of these mean. first of all, u.s. person, i'm not going to read the whole definition, but of course we mean a citizen of the united states. we also mean, as it says here, an alien admitted for lawful, permanent residence. this is actually a definition from title i of fisa. this definition is referred to in title vii as a definition of u.s. person. so let's take a look at what it allows. section 702 allows an authorization of collecting communications of persons reasonably believed to be located outside the united states. it doesn't mean they necessarily in every single case are. but they need to be reasonably believed to be outside the u.s. the goal needs to be to acquire foreign intelligence information. that's it. that's the goal of this thing. the authorization to do that is
basically the attorney general and dni jointly are able to give this authorization. but they can do so under two conditions. one is upon the issuance of an order by -- pursuant to an order issued by the foreign intelligence surveillance court, is sort of prong one. alternatively, there is an exigent circumstances prong that allows dni and the attorney general to authorize, provided they go back within i believe it's seven days and file the appropriate paperwork with the foreign intelligence surveillance court. so that's the kind of key authorization language that you have in the statute. i'm going to take a detour here, and we're talking about section 702, but i'll take a brief two-minute detour and talk about section 704. the reason i wanted to do that is because in a lot of the discussion about section 702,
you hear people talk about the lack of probable cause. just to provide the context there, section 702, as we know, relates to non-u.s. persons. section 704 by contrast relates to acquisitions targeting u.s. persons outside the united states. and notably, this is the text, the statutory language from section 704, there is a probable cause prong in that. so people often contrast the probable cause requirement that must be satisfied for section 704 with the absence of such a requirement for collections under section 702. and then again in section 704 there is a definition which identifies some key features of what probable cause is. and again, that language is not in section 702. so let's return now to section 702. and we'll talk about what is foreign intelligence information, right? so there is a definition of that. there is sort of two-pronged definition there and sort of a
second prong i think sort of subsumes the first. i'll talk about both those. foreign intelligence information, first of all, and this is one of two slides on this, it's information, and this is sort of what you would expect, right, addressing an actual or potential attack, sabotage, international terrorism, or clandestine intelligence activities by a foreign power. so those are -- that's foreign intelligence information. an additional portion of the definition is broader. and it's this right here. it's information with respect to a foreign power that relates to and concerning u.s. persons necessary to the national defense or the security of the united states or the conduct of the foreign affairs of the united states. so i think it's reasonable that everything in this slide, attacks and international terrorism and clandestine intelligence, this to me is the thing that sort of defines the scope of this.
and so one of the things that people discuss is what is the scope of foreign intelligence information and how broadly should that be interpreted. but that's the statutory language there. these are the limitations here. i want to go through each one of these because it's important for at least me to remind myself, remind us all what you can't do under section 702. first of all, you're not allowed to target any person, u.s. person or not, if you know that that person is inside the united states. you also can't target a person outside the u.s. if the purpose is to target somebody -- is to get information about somebody who is inside the u.s. so for example, let's suppose i am, you know, communicating -- i am in the united states. i'm me. i'm communicating with somebody outside the u.s. if the government were to want to get my communications, they couldn't use section 702 to do an end run around normal warrant requirements and say, let's go
acquire the communications of this person outside the u.s. that john was talking to, because if we do that, we're going to get john's communications as well. this is specifically prohibited under section 702. section 702 by its definition, you're not allowed to go after u.s. persons. even if that person is outside the united states, that in no way leads to an obligation to -- c-span needs you to speak -- c-span needs you to speak from the podium. okay. sorry. c-span needs me to speak from the podium. okay. and then let's see, you're not -- number 4, you're not allowed to acquire communications where anyone is inside the united states. even if these people are non-u.s. persons and they're inside the united states and communicating with each other, section 702 can't be used for that. and everything has to be done in a manner consistent with the fourth amendment. those are some of what you can't
do under section 702. so what happens is, the attorney general and the dni basically provide to the foreign intelligence surveillance court, a certification explaining that they've made all the requirements and why they would want to get an order to target for an acquisition. there is an exception, this is the thing i mentioned before, there is the exigent circumstances type of exception. if that's invoked, then they have, you know, no later than seven days after that they have to provide the paperwork for the court. these are the two sort of prongs on how you can proceed on this. let me just move this over so i can see this a little bit better. so one of the things that we talk about, you hear talked about a lot in association with 702 is targeting and minimization. so targeting refers to the set of procedures that are designed to make sure that the persons who are targeted do satisfy the requirements of section 702, for
example that they are located outside the united states. and they're explicitly subjected to judicial review by the foreign intelligence surveillance court. so the fisc will look at the targeting procedures and either reject them or accept them. another phrase that you see a lot is minimization. so minimization is, again, something that gets developed by each, you know, relevant unit of the intelligence community. and it also is subject to review by the foreign intelligence surveillance court. and what's interesting, if you look at -- what's interesting is the law doesn't say exactly what the minimization procedures are. what it says is what they must do, what they must satisfy. in other words, the details of the minimization are not laid out here. basically it aims to protect, for example, dissemination of nonpublic -- acquisition and retention and dissemination of
nonpublicly available information about u.s. persons. again, i bold faced this, number two, protections against identifying u.s. persons, and then i have item 4. paragraph 3, evidence of a crime. it is being or is about to be committed. this is the only one of these prongs that doesn't explicitly have a u.s. person carve-out in it. those are the minimization procedures. what fisc does is looks like all this stuff and then it will, you know, look at targeting and look at the certification that's submitted by attorney general and dni and look at the minimization procedures. if all of those pass muster, then it can grant -- it can issue an order pursuant to which then dni and attorney general can authorize the collection. so this is the -- if the court finds that, you know, the certification has all the required elements, that an address
minimization, and the fourth amendment is satisfied. that's mechanically is how it works. how it happens is then you can compel an electronics communication service provider to provide the government with assistance to accomplish the acquisition. then the government would engage with one of the regular companies that provides the communications services that are the subject of potential acquisition, and the government will reimburse the company for having done so. and there's also a liability shield as well. so a company that receives an order or directive to then, you know, perform an acquisition, you know, can't then be sued by somebody claiming that their information was acquired without their consent because there is a liability shield associated with that.
in terms of oversight, there is a kind of a host of mechanisms that kind of range from mechanisms internal to an element of the intelligence community out to congressional committees and beyond. so the head of each element of the intelligence community conducts a review each year. the inspector general of the department of justice and the inspector general of each element of the intelligence community can review compliance. at least twice a year the attorney general and dni assess compliance with respect to targeting and minimization procedures. they publish a transparency report with the number of search terms, queries and so forth.
they just a month or so ago published that report for calendar year 2016. these are examples of some of the oversight mechanisms that are built into the law. another form of oversight or disclosure is that fisc rulings are redacted and then published by office of director of national intelligence. there's a tumblr.com, many of you may have seen this, ic on the record, where you can go and download rulings, significant rulings as well as other documents that dni has chosen to publish in relation to section 702. then in addition, the companies that receive the 702 directives are allowed to do reporting. and there is a complicated set of formulas for exactly what they are and are not allowed to report, how they round the numbers about -- how precisely they round the numbers. there is exclusive provision in
the law to enable those companies to report the directives of -- a number of directives rounded to some number that they've actually received. there's a kind of, like i said, a layered set of oversight mechanisms. i want to talk about -- that's the kind of statutory framework. i'm going to briefly talk about some of the operational things that inevitably happen and that sometimes lead to some of the discussion about section 702. just as the, you know, fundamental key point here, as i mentioned before, section 702 prohibits targeting of u.s. persons. nonetheless, it's just statistically inevitable, if you're conducting many, many acquisitions, if the number gets large enough, there was no express intent to acquire the communication of a u.s. person, just statistically that is going to happen on some instances. and that is sometimes used, identity using the term
incidental collection. another term you might see is mct which stands for either multiple communication transactions or sometimes multicommunications transactions. the idea is that you can have a lawful interception of a particular communication, but because that communication is bundled with other communications, you can then inadvertently or unintentionally sweep in communications that you wouldn't have necessarily been specifically trying to get. and so that is used, the phrase mct is used, the acronym mct is used to describe that. i'm going to talk now about downstream otherwise known as prism and upstream collection. i'll use nsa's own language to describe these things. so as nsa has said in press release just a month or so ago, under section 702, nsa collects internet communications in two ways, downstream, previously referred to as prism, and
upstream. communications to or from a section 702 selector such as an e-mail address. in other words, for example, a particular person's e-mail address might be then the subject of a directive, of a selector to get that communication. also according to the pclob is the privacy and civil liberties oversight board, you'll see that acronym a number of times. they wrote, in prism collection the government, specifically the fbi on behalf of the nsa, sends selectors such as an e-mail address to a u.s.-based electronics communications provider such as an isp. and the privacy and civil liberties oversight board went on to say prism collection does not include acquisition of telephone calls. so we then contrast that with upstream collection, again, from
that same oversight board report. upstream collection is different from prism collection because the acquisition occurs not with the compelled assistance with the united states isps but with the compelled assistance of providers that control the telecommunications backbone over which communications transit. the telecommunications backbone is sort of these trunk lines that carry just massive amounts of aggregated information from all sorts of communications services. and that's the portion of the network which is addressed in upstream collection. again, from the same report, upstream collection also includes telephone calls in addition to internet communications. those are the two types of things. and then just a kind of statistic, and i don't know how current the statistic is anymore, but this is the only one i'm aware of that's publicly available. there is an october 11th fisc order. and in that order, the judge who wrote the order wrote that nsa's
upstream collection constitutes only 9% of the communications being monitored under section 702. at least as of the time when the judge reviewing it wrote this order, the overwhelming majority of the internet communications were actually not on the upstream side there, on the downstream side. another thing you'll see and probably have seen often is this about versus to/from distinction. upstream collection can include about and also to/from communications. nsa gives an example, an about is one that includes a targeted e-mail address even though the e-mail is between two persons who are not themselves targets. so if i am not a target and i'm sending an e-mail to somebody who is also not a target, and in the e-mail i say, you know, please reach out to, you know, xyz, you know, his or her e-mail address is whatever, and it turns out that person is a
target, that would be an about communication although not a to/from communication. as many of you are probably very aware, just back in april, so just, you know, five weeks or so ago, nsa issued a pair of press releases saying they were going to stop -- this is from nsa's -- there's actually two press releases. if you look at the bottom paragraph it says nsa will no longer collect internet communications that merely mention a foreign intelligence target. this information is referred to in the ic as about communications in section 702 upstream internet surveillance. instead, nsa will limit such collection to internet communications that are sent directly to or from a foreign target. so this is nsa specifically publishing, going on record saying they're no longer going to be collecting these about communications. and then this is the second or the other press release that nsa issued the same day. nsa stops certain section 702
upstream activities. the second page of this basically says, after considerable evaluation, available technology, nsa has decided section 702 activities will no longer include any upstream internet communications that are solely about the foreign intelligence target. so it goes on to say it will limit it to 201. in addition, as part of this curtailment, they will -- so again, recent changes from nsa on that. i'm going to show you a couple of examples from the transparency report. i mentioned that one of the oversight mechanisms is that annually dni publishes this transparency report. they published the report for calendar year 2016. zero orders issued. but they're still numbered
acquisitions that occurred, we'll talk about that for a minute. we'll take a side trip and talk about masking and unmasking. so masking, if you have a u.s. person, that person's identity will typically be masked, in the disseminated information that would go to a consumer of that information. unmasking refers to -- is the term used to basically say, you know, let's remove that anonymity and say who was that person whose identity was originally masked. that's what's meant by unmasking. so this is, again, from the transparency report. so total number of 702 reports containing usps, u.s. person identity, so 3,914. and then it says, of those, or containing u.s. person identities, the person was originally masked, in 2964 reports. there was 3900 containing u.s.
identities and then this is the number where the identity was originally masked. and then conversely, this row says the reports containing usp identities versus the number, the usp -- this is the number of reports with identity originally revealed, and if you look at these numbers, they don't actually quite add up. the reason is there could be more than one u.s. person in a particular report, which is why they don't add up. and then the final row of this table, it says that of those disseminated 702 reports containing u.s. person identities where the identities were originally masked, this is the number of u.s. person identities that nsa later released in response to a specific request. so in other words, in this case this means a consumer of this information received the report and said, hey, this is a masked identity here, i would like to unmask the identity and provide some reason for doing that. those are the statistics. this is, again, recently published there. the other thing i'll mention is
just a couple of weeks ago, there was a slate of documents published by the director of national intelligence, odni. there was a new order, april 26th, 2017, from the foreign intelligence surveillance court. and among other things, that order approved targeting and minimization procedures from nsa, from fbi, and minimization procedures cna and nctc. you can go to that dni website and download these. i also thought it was worth highlighting, a couple of very quick -- this is from the order on april 26th, 2017, fisc issued an order. and in that order, fisc reflected this understanding that the government was eliminating the about collection which will have the effect of
eliminating the acquisition of the more problematic type of multiple communication technology. these changes substantially reduce the acquisition of nonpertinent information concerning u.s. persons pursuant to section 702. nsa may continue to acquire mcts under the amended procedures only if we can ensure that the target is a party to the entire mct or in other words the target is the active user, right? it is an attempt in making sure through these mcts that you don't accidentally sweep in information regarding people who aren't targets. the other thing i thought was worth highlighting here, one of the footnotes in this order, but i thought it was interesting, the nsa minimization procedures take an approach in which any discrete communication is also subject to destruction in its entirety. if you have an mct and you've got, you know, ten
communications that are, you know, to or from a target but there's an 11th that's bundled in there that's not, then the entirety of that mct, according to this, is subject to destruction. and the court also said the court agrees that the removal of a balanced communication eliminates the types of communications presenting the court with the greatest level of constitutional and statutory concern. the court viewed the elimination of that as a beneficial thing. i'm going to close just with one or two minutes of just identifying some legal cases, unsurprisingly there have been various legal challenges over the years, some not for a while, some more recent. clapper v. amnesty international, the court ruled that amnesty international did not have standing in this case. wikimedia foundation versus nsa is very active, it was remanded by the fourth circuit back to the federal district court for the district of maryland.
there was an attempt, the government argued that wikimedia foundation doesn't have standing. the fourth circuit said at least so far wikimedia foundation does have standing. the aclu versus nsa, filed in new york last year. jewel versus nsa was filed in 2008, that litigation has been ongoing for nine years now. another important source of court decisions is dni efforts and the web page i mentioned before, where dni publishes these redacted court decisions. the final page i'll mention, this is a set of rulings that if you look at the dates here, these long predate section 702. but they are nonetheless relevant because they're often cited. and so the top one is called the keith decision. there's three more here. these decisions, these
precedents, with the extent of the exception to the requirement when you're dealing with foreign intelligence information, and again, we can spend half an hour on each one of these rulings. but then it would push off the rest of the program, i'm not going to do that. again, this is intended to be just a factual, foundational background. i'm sure there will be lots of spirited discussion later on about this. i hope this has been useful in terms of putting us all on the same page. i'm getting signs from the back that i should wrap things up and let us get lunch, i think. so thanks very much for your time and attention, and i don't know what the next step in our program is. okay. if there's any quick questions, two questions, i'm told. >> when you reference the court opinion or i guess memo and order on april 26, i think that there was some -- the judge mentioned i think incidental third parties that were unauthorized, having information
from the fbi as well as some of the congressional members of congress asking how many americans are accidentally included in this, and that number wasn't given. do you think this report will bear any waiting with this discussion going forward? >> i'm sorry, the report? >> the court order, i'm sorry, the memo and order that was released april 26th. do you think it will influence congress with their decision with section 702 going forward? >> i think it's important simply among other things because it's the latest snapshot of what the foreign intelligence surveillance court has said. your question is absolutely right, there were some concerns that had been raised. the reason this order that issued in late april was actually the kind of result of a process that had started much earlier when they had submitted back in the fall of last year, there were some inadequacies that the court had identified, and those were rectified, and then the court was then satisfied that they had been addressed, and then finally approved them a number of months
later. it's relevant because it's an addressing -- has addressed some of those issues and because it's so recent, it's the latest snapshot. absolutely, it's quite relevant. maybe the gentleman here, and then -- maybe the gentleman here and the gentleman here and then we probably have to go to lunch. >> do we have any indication of what is in the annual applications, other than technical rubrics, is there any -- do we have any sense if there is a geographical limitation that we're looking at areas, particular areas of the world? or is it, you know, these are the protocols we're going to have technically, and use these anywhere in the world, these are the minimization protocols? >> it's an interesting question.
i just don't know. certainly the statute doesn't require anything. >> could you refresh us or remind us, the previous renewals and new legislation covering this, how was the vote mix in terms of passage on those? >> on the december 30th, 2012, i don't remember the numbers. i have an idea but i'm afraid if i give you my idea, it will be wrong. i don't recall. okay. announcements. >> thank you, john. everyone, thank you. >> and we continue now with this conference on the future of the foreign intelligence surveillance act with remarks from matthew olson. he served as president obama's national counterintelligence center director. he spoke about what needs to be done to renew section 702 of the law which gives the government authority to monitor internet activity of non-u.s. citizens to gather foreign intelligence. this is about an hour.