Chapter Four

REFORMING FOREIGN INTELLIGENCE SURVEILLANCE DIRECTED AT NON-UNITED STATES PERSONS

A. Introduction

TO WHAT EXTENT SHOULD the United States accord non-United States persons the same privacy protections it recognizes for United States persons? At one level, it is easy to say that “all persons are created equal” and that every nation should accord all persons the same rights, privileges, and immunities that it grants to its own citizens. But, of course, no nation follows such a policy. Nations see themselves as distinct communities with particular obligations to the members of their own community. On the other hand, there are certain fundamental rights and liberties that all nations should accord to all persons, such as the international prohibition on torture.

In this chapter, we explore the non-United States person issue in the specific context of foreign intelligence surveillance. International law recognizes the right of privacy as fundamental,¹²⁶ but the concrete meaning of that right must be defined. Certainly, a nation can choose to grant its own citizens a greater degree of privacy than international law requires.

We focus specifically on foreign intelligence collection under section 702 of FISA and Executive Order 12333. The central question we address is: What is the minimum degree of privacy protection the United States should grant to non-United States persons in the realm of foreign intelligence surveillance? We conclude that the United States should grant greater privacy protection to non-United States persons than we do today.

B. Foreign Intelligence Surveillance and Section 702

In general, the federal government is prohibited from intercepting the contents of private telephone calls and e-mails of any person, except in three circumstances. First, in the context of criminal investigations, Title III of the Electronic Communications Privacy Act authorizes the government to intercept such communications if a federal judge issues a warrant based on a finding that there is probable cause to believe that an individual is committing, has committed, or is about to commit a federal crime and that communications concerning that crime will be seized as a result of the proposed interception.¹²⁷

Second, as enacted in 1978, FISA authorized the federal government to intercept electronic communications if a judge of the FISC issues a warrant based on a finding that the purpose of the surveillance is to obtain foreign intelligence information, the interception takes place inside the United States, and there is probable cause to believe that the target of the surveillance is an agent of a foreign power (which includes, among other things, individuals engaged in international terrorism, the international proliferation of weapons of mass destruction, and clandestine intelligence activities).

Third, there is foreign intelligence surveillance that takes place outside the United States. At the time FISA was enacted, Congress expressly decided not to address the issue of electronic surveillance of persons located outside the United States, including American citizens, noting that the “standards and procedures for overseas surveillance may have to be different than those provided in this bill for electronic surveillance within the United States.”¹²⁸ It was apparently assumed that intelligence collection activities outside the United States would be conducted under the Executive Branch’s inherent constitutional authority and the statutory authorizations granted to each Intelligence Community agency by Congress, and that it would be governed by presidential Executive Orders and by procedures approved by the Attorney General. To that end, in 1981 President Ronald Reagan issued Executive Order 12333, discussed above, which (as amended) specifies the circumstances in which the nation’s intelligence agencies can engage in foreign intelligence surveillance outside the United States.¹²⁹

Although Congress did not take up this issue in the immediate aftermath of the terrorist attacks of September 11, 2001, several developments brought the question to the fore. First, technological advances between 1978 and the early 21st century complicated the implementation of the original FISA rules. The distinction FISA drew between electronic surveillance conducted inside the United States and electronic surveillance conducted outside the United States worked reasonably well in 1978, because then-existing methods of communication and collection made that distinction meaningful. But the development of a global Internet communications grid with linchpins located within the United States undermined the distinction.

By the early 21st century, a large percentage of the world’s electronic communications passed through the United States, and foreign intelligence collection against persons located outside the United States was therefore increasingly conducted with the assistance of service providers inside the United States. Unless the legislation was amended, this new state of affairs meant that the government would have to go to the FISC to obtain orders authorizing electronic surveillance for foreign intelligence purposes even of individuals who were in fact outside the United States, a state of affairs Congress had not anticipated at the time it enacted FISA in 1978.

Second, in late 2005 it came to light that, shortly after the attacks of September 11, President George W. Bush had secretly authorized NSA to conduct foreign intelligence surveillance of individuals who were inside the United States without complying with FISA. Specifically, the President authorized NSA to monitor electronic communications (e.g., telephone calls and e-mails) between people inside the United States and people outside the United States whenever NSA had “a reasonable basis to conclude that one party to the communication” was affiliated with or working in support of al-Qa’ida.

Because this secret program did not require the government either to obtain a warrant from the FISC or to demonstrate that it had probable cause that the target of the surveillance was an agent of a foreign power—even when the target was inside the United States—it clearly exceeded the bounds of what Congress had authorized in FISA. The Bush administration maintained that this program was nonetheless lawful, invoking both Congress’s 2001 Authorization to Use Military Force and the President’s inherent constitutional authority as commander-in-chief.

In light of these developments, Congress decided to revisit FISA. In 2007, Congress amended FISA in the Protect America Act (PAA), which provided, among other things, that FISA was inapplicable to any electronic surveillance that was “directed at a person reasonably believed to be located outside the United States.”¹³⁰ In effect, the PAA excluded from the protections of FISA warrantless monitoring of international communications if the target of the surveillance was outside the United States, even if the target was an American citizen. The PAA was sharply criticized on the ground that it gave the government too much authority to target the international communications of American citizens.

The following year, Congress revised the law again in the FISA Amendments Act of 2008 (FAA). The FAA adopted different rules for international communications depending on whether the target of the surveillance was a “United States person” (a category that was defined to include both American citizens and non-citizens who are legal permanent residents of the United States)¹³¹ or a “non-United States person.”¹³² The FAA provides that if the government targets a United States person who is outside the United States, the surveillance must satisfy the traditional requirements of FISA. That is, the surveillance is permissible only if it is intended to acquire foreign intelligence information and the FISC issues a warrant based on a finding that there is probable cause to believe that the United States person is an agent of a foreign power, within the meaning of FISA. Thus, if the target of the surveillance is a United States person, the same FISA procedures apply—without regard to whether the target is inside or outside the United States.

On the other hand, the FAA provided in section 702 that if the target of foreign intelligence surveillance is a non-United States person who is “reasonably believed to be located outside the United States,” the government need not have probable cause to believe that the target is an agent of a foreign power and need not obtain an individual warrant from the FISC, even if the interception takes place inside the United States. Rather, section 702 authorized the FISC to approve annual certifications submitted by the Attorney General and the Director of National Intelligence (DNI) that identify certain categories of foreign intelligence targets whose communications may be collected, subject to FISC-approved targeting and minimization procedures. The categories of targets specified by these certifications typically consist of, for example, international terrorists and individuals involved in the proliferation of weapons of mass destruction.

Under section 702, the determination of which individuals to target pursuant to these FISC-approved certifications is made by NSA without any additional FISC approval. In implementing this authority, NSA identifies specific “identifiers” (for example, e-mail addresses or telephone numbers) that it reasonably believes are being used by non-United States persons located outside of the United States to communicate foreign intelligence information within the scope of the approved categories (e.g., international terrorism, nuclear proliferation, and hostile cyber activities). NSA then acquires the content of telephone calls, e-mails, text messages, photographs, and other Internet traffic using those identifiers from service providers in the United States.¹³³

Illustrative identifiers might be an e-mail account used by a suspected terrorist abroad or other means used by high-level terrorist leaders in two separate countries to pass messages. The number of identifiers for which NSA collects information under section 702 has gradually increased over time.

Section 702 requires that NSA’s certifications attest that a “significant purpose” of any acquisition is to obtain foreign intelligence information (i.e., directed at international terrorism, nuclear proliferation, or hostile cyber activities), that it does not intentionally target a United States person, that it does not intentionally target any person known at the time of acquisition to be in the United States, that it does not target any person outside the United States for the purpose of targeting a person inside the United States, and that it meets the requirements of the Fourth Amendment.¹³⁴ The annual certification provided to the FISC must attest that the Attorney General and the Director of National Intelligence have adopted guidelines to ensure compliance with these and other requirements under section 702, including that the government does not intentionally use section 702 authority to target United States persons, inside or outside the United States.¹³⁵ The FISC annually reviews the targeting and minimization procedures to ensure that they satisfy all statutory and constitutional requirements.

Other significant restrictions govern the use of section 702:

Section 702 imposes substantial reporting requirements on the government in order to enable both judicial and congressional oversight, in addition to the oversight conducted within the Executive Branch by the Department of Justice (DOJ), the Office of the Director of National Intelligence (ODNI), and the Inspectors General of the various agencies that make up the Intelligence Community:

In 2012, Senator Dianne Feinstein (D-CA), the Chair of the Senate Select Committee on Intelligence, reported that a review of the assessments, reports, and other information available to the Committee “demonstrate that the government implements [section 702] in a responsible manner with relatively few incidents of non-compliance. Where such incidents have arisen, they have been the inadvertent result of human error or technical defect and have been promptly reported and remedied.” Indeed, since the enactment of section 702, the Committee “has not identified a single case in which a government official engaged in a willful effort to circumvent or violate the law.”¹³⁶

Although compliance issues under section 702 have been infrequent, they have been vexing when they arose. In one instance, the FISC held that, for technical reasons concerning the manner in which the collection occurred, the minimization procedures that applied to NSA’s upstream collection¹³⁷ of electronic communications did not satisfy the requirements of either FISA or the Fourth Amendment. This was so because NSA’s use of upstream collection often involves the inadvertent acquisition of multi-communication transactions (MCTs),¹³⁸ many of which do not fall within the parameters of section 702. Judge John Bates of the FISC noted that the “government’s revelations regarding the scope of NSA’s upstream collection implicate 50 U.S.C. § 1809(a), which makes it a crime (1) to ‘engage[]in electronic surveillance under color of law except as authorized’ by statute. …”¹³⁹

Judge Bates observed that “NSA acquires more than two hundred fifty million Internet communications each year pursuant to Section 702” and that the vast majority of those communications are “not at issue here.”¹⁴⁰ But, he added, the upstream collection represents “approximately 9 percent of the total Internet communications being acquired by NSA under Section 702,” and those acquisitions inadvertently sweep in “tens of thousands of wholly domestic communications” because they happen to be contained within an MCT that includes a targeted selector.¹⁴¹

In such circumstances, Judge Bates noted that the “fact that NSA’s technical measures cannot prevent NSA from acquiring transactions containing wholly domestic communications … does not render NSA’s acquisition of those transactions ‘unintentional.’”¹⁴² Judge Bates concluded that “NSA’s minimization procedures, as applied to MCTs,” did not meet the requirements of either FISA or the Fourth Amendment. He therefore refused to approve NSA’s continuing acquisition of MCTs.¹⁴³ Thereafter, the government substantially revised its procedures for handling MCTs, and in November 2011 Judge Bates approved the future acquisition of such communications subject to the new minimization standards.¹⁴⁴ In addition, NSA took the additional step of deleting all previously acquired upstream communications.

According to the NSA, section 702 “is the most significant tool in NSA collection arsenal for the detection, identification, and disruption of terrorist threats to the US and around the world.” To cite just one example, collection under section 702 “was critical to the discovery and disruption” of a planned bomb attack in 2009 against the New York City subway system and led to the arrest and conviction of Najibullah Zazi and several of his co-conspirators.¹⁴⁵

According to the Department of Justice and the Office of the Director of National Intelligence in a 2012 report to Congress:

Section 702 enables the Government to collect information effectively and efficiently about foreign targets overseas and in a manner that protects the privacy and civil liberties of Americans. Through rigorous oversight, the Government is able to evaluate whether changes are needed to the procedures or guidelines, and what other steps may be appropriate to safeguard the privacy of personal information. In addition, the Department of Justice provides the joint assessments and other reports to the FISC. The FISC has been actively involved in the review of section 702 collection. Together, all of these mechanisms ensure thorough and continuous oversight of section 702 activities. …

Section 702 is vital to keeping the nation safe. It provides information about the plans and identities of terrorists, allowing us to glimpse inside terrorist organizations and obtain information about how those groups function and receive support. In addition, it lets us collect information about the intentions and capabilities of weapons proliferators and other foreign adversaries who threaten the United States.¹⁴⁶

In reauthorizing section 702 for an additional five years in 2012, the Senate Select Committee on Intelligence concluded:

[T]he authorities provided [under section 702] have greatly increased the government’s ability to collect information and act quickly against important foreign intelligence targets. The Committee has also found that [section 702] has been implemented with attention to protecting the privacy and civil liberties of US persons, and has been the subject of extensive oversight by the Executive branch, the FISC, as well as the Congress. … [The] failure to reauthorize [section 702] would “result in a loss of significant intelligence and impede the ability of the Intelligence Community to respond quickly to new threats and intelligence opportunities.”¹⁴⁷

Our own review is not inconsistent with this assessment. During the course of our analysis, NSA shared with the Review Group the details of 54 counterterrorism investigations since 2007 that resulted in the prevention of terrorist attacks in diverse nations and the United States. In all but one of these cases, information obtained under section 702 contributed in some degree to the success of the investigation. Although it is difficult to assess precisely how many of these investigations would have turned out differently without the information learned through section 702, we are persuaded that section 702 does in fact play an important role in the nation’s effort to prevent terrorist attacks across the globe.

…

Although section 702 has clearly served an important function in helping the United States to uncover and prevent terrorist attacks both in the United States and around the world (and thus helps protect our allies), the question remains whether it achieves that goal in a way that unnecessarily sacrifices individual privacy and damages foreign relations. Because the effect of section 702 on United States persons is different from its effect on non-United States persons, it is necessary to examine this question separately for each of these categories of persons.

C. Privacy Protections for United States Persons Whose Communications are Intercepted Under Section 702

RECOMMENDATION 12

We recommend that, if the government legally intercepts a communication under section 702, or under any other authority that justifies the interception of a communication on the ground that it is directed at a non-United States person who is located outside the United States, and if the communication either includes a United States person as a participant or reveals information about a United States person:

Section 702 affords United States persons the same protection against foreign intelligence surveillance when they are outside the United States that FISA affords them when they are inside the United States. That is, a United States person may not lawfully be targeted for foreign intelligence surveillance unless the FISC issues a warrant based on a finding that there is probable cause to believe that the targeted United States person is an agent of a foreign power (as defined in FISA).

Section 702 has a potentially troubling impact on the privacy of communications of United States persons because of the risk of inadvertent interception. The government cannot lawfully target the communications of a United States person, whether she is inside or outside the United States, without satisfying the probable cause requirements of both FISA and the Fourth Amendment. But in determining whether the target of any particular interception is a non-United States person who is located outside the United States, section 702 requires only that the government reasonably believe the target to be such a person. Because United States persons are appreciably more likely to have their constitutionally protected communications inadvertently intercepted under the reasonable belief standard than under the probable cause standard, the reasonable belief standard provides less protection to US persons than ordinarily would be the case.

Exacerbating that concern is the risk of incidental interception. This occurs when the government acquires the communications of a legally targeted individual under section 702 who is communicating with United States persons who cannot themselves be lawfully targeted for surveillance. The issue of incidental acquisition can arise whenever the government engages in electronic surveillance.

For example, if the government has probable cause to wiretap an individual’s phone because he is suspected of dealing drugs, it may incidentally intercept the suspect’s conversations with completely innocent persons who happen to speak with the suspect during the duration of the wiretap. In such circumstances, the standard practice in criminal law enforcement is for the government to purge from its records any reference to the innocent person unless it reveals evidence of criminal conduct by the innocent person or provides relevant information about the guilt or innocence of the suspect.¹⁴⁸

Following a similar approach, when incidental acquisition occurs in the course of section 702 surveillance, existing minimization procedures require that any intercepted communication with a United States person, and any information obtained about a United States person in the course of a section 702 acquisition, must be destroyed—unless it has foreign intelligence value, indicates an imminent threat of death or serious bodily harm, or is evidence of a crime.¹⁴⁹

In our view, this approach does not adequately protect the legitimate privacy interests of United States persons when their communications are incidentally acquired under section 702. This is so for three reasons. First, when a United States person (whether inside or outside the United States) communicates with a legally targeted non-United States person who is outside the United States, there is a significantly greater risk that his communication will be acquired under section 702 than (a) if they communicated with one another when they were both inside the United States or (b) if FISA treated non-United States persons outside the United States the same way it treats United States persons outside the United States. Thus, when an American in Chicago e-mails a foreign friend abroad, there is a significantly greater chance that his e-mail will be acquired under 702 than if he e-mails an American in Paris or a foreigner in New York. This is so because section 702 allows the government to target the foreign friend abroad under a lower standard than if the target was the American in Paris or the foreigner in New York. For this reason, incidental interception is significantly more likely to occur when the interception takes place under section 702 than in other circumstances.

Second, it is often difficult to determine whether the e-mail address, Internet communication, or telephone number of the non-targeted participant in a legally acquired communication belongs to a United States person, because that information often is not apparent on the face of the communication. In such circumstances, there is a significant risk that communications involving United States persons will not be purged and, instead, will be retained in a government database.

Third, the very concept of information of “foreign intelligence value” has a degree of vagueness and can easily lead to the preservation of private information about even known United States persons whose communications are incidentally intercepted in the course of a legal section 702 interception.

For all of these reasons, there is a risk that, after the government incidentally collects communications of or about United States persons in the course of legal section 702 acquisitions, it will later be able to search through its database of communications in a way that invades the legitimate privacy interests of United States persons. Because the underlying rationale of section 702 is that United States persons are entitled to the full protection of their privacy even when they communicate with non-United States persons who are outside the United States, they should not lose that protection merely because the government has legally targeted non-United States persons who are located outside the United States under a standard that could not legally be employed to target a United States person who participates in that communication. The privacy interests of United States persons in such circumstances should be accorded substantial protection, particularly because section 702 is not designed or intended to acquire the communications of United States persons.

Our recommended approach would leave the government free to use section 702 to obtain the type of information it is designed and intended to acquire—information about non-United States persons who are the legal targets of these investigations—while at the same time (a) more fully preserving the privacy of United States persons who are not the targets of these interceptions and (b) reducing the incentive the government might otherwise have to use section 702 in an effort to gather evidence against United States persons in a way that would circumvent the underlying values of both FISA and the Fourth Amendment.¹⁵⁰

D. Privacy Protections for Non-United States Persons

RECOMMENDATION 13

We recommend that, in implementing section 702, and any other authority that authorizes the surveillance of non-United States persons who are outside the United States, in addition to the safeguards and oversight mechanisms already in place, the US Government should reaffirm that such surveillance:

In addition, the US Government should make clear that such surveillance:

Because section 702 is directed specifically at non-United States persons, it raises the question whether it sufficiently respects the legitimate privacy interests of such persons. At the outset, it is important to note that, when non-citizens are inside the United States, our law accords them the full protection of the Fourth Amendment. They have the same right to be free of unreasonable searches and seizures as American citizens. Moreover, non-citizens who have made a commitment to our community by establishing legal residence in the United States are designated “United States persons” and, as such, are treated the same way as American citizens in terms of government surveillance—even when they are outside the United States. These are important protections for individuals who are not citizens of the United States.

What, though, of non-United States persons who are outside the United States? We begin by emphasizing that, contrary to some representations, section 702 does not authorize NSA to acquire the content of the communications of masses of ordinary people. To the contrary, section 702 authorizes NSA to intercept communications of non-United States persons who are outside the United States only if it reasonably believes that a particular “identifier” (for example, an e-mail address or a telephone number) is being used to communicate foreign intelligence information related to such matters as international terrorism, nuclear proliferation, or hostile cyber activities. NSA’s determinations are subjected to constant, ongoing, and independent review by all three branches of the federal government to ensure that NSA targets only identifiers that meet these criteria.

That still leaves the question, however, whether section 702 adequately respects the legitimate privacy interests of non-United States persons when they are in their home countries or otherwise outside the United States. If section 702 were designed to intercept the communications of United States persons, it would clearly violate the Fourth Amendment.¹⁵¹ Does it also violate the Fourth Amendment insofar as it is directed at non-United States persons who are located outside the United States? The Supreme Court has definitively answered this question in the negative.¹⁵²

Wholly apart from the Fourth Amendment, how should the United States treat non-United States persons when they are outside the United States? To understand the legal distinction between United States persons and non-United States persons, it is important to recognize that the special protections that FISA affords United States persons grew directly out of a distinct and troubling era in American history. In that era, the United States government improperly and sometimes unlawfully targeted American citizens for surveillance in a pervasive and dangerous effort to manipulate domestic political activity in a manner that threatened to undermine the core processes of American democracy. As we have seen, that concern was the driving force behind the enactment of FISA.

Against that background, FISA’s especially strict limitations on government surveillance of United States persons reflects not only a respect for individual privacy, but also—and fundamentally—a deep concern about potential government abuse within our own political system. The special protections for United States persons must therefore be understood as a crucial safeguard of democratic accountability and effective self-governance within the American political system. In light of that history and those concerns, there is good reason for every nation to enact special restrictions on government surveillance of those persons who participate directly in its own system of self-governance.

As an aside, we note that the very existence of these protections in the United States can help promote and preserve democratic accountability across the globe. In light of the global influence of the United States, any threat to effective democracy in the United States could have negative and far-reaching consequences in other nations as well. By helping to maintain an effective system of checks and balances within the United States, the special protections that FISA affords United States persons can therefore contribute to sustaining democratic ideals abroad.

That brings us back, however, to the question of how the United States should treat non-United States persons who are not themselves either a part of our community or physically located in the United States. As a general rule, nations quite understandably treat their own citizens differently than they treat the citizens of other nations. On the other hand, there are sound, indeed compelling, reasons to treat the citizens of other nations with dignity and respect. As President Franklin Delano Roosevelt observed, the United States should be a “good neighbor.” Sometimes this is simply a matter of national self-interest. If the United States wants other nations to treat our citizens well, we must treat their citizens well. But there are other reasons for being a “good neighbor.”

If we are too aggressive in our surveillance policies under section 702, we might trigger serious economic repercussions for American businesses, which might lose their share of the world’s communications market because of a growing distrust of their capacity to guarantee the privacy of their international users. Recent disclosures have generated considerable concern along these lines.

Similarly, unrestrained American surveillance of non-United States persons might alienate other nations, fracture the unity of the Internet, and undermine the free flow of information across national boundaries. This, too, is a serious concern that cuts in favor of restraint.

Perhaps most important, however, is the simple and fundamental issue of respect for personal privacy and human dignity—wherever people may reside. The right of privacy has been recognized as a basic human right that all nations should respect. Both Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights proclaim that “No one shall be subjected to arbitrary or unlawful interference with his privacy. …” Although that declaration provides little guidance about what is meant by “arbitrary or unlawful interference,” the aspiration is clear. The United States should be a leader in championing the protection by all nations of fundamental human rights, including the right of privacy, which is central to human dignity.

At this moment in history, one of the gravest dangers to our national security is international terrorism. Faced with that continuing and grave threat, the United States must find effective ways to identify would-be terrorists who are not located in the United States, who move freely across national borders, and who do everything in their power to mask their identities, intentions, and plans. In such circumstances, the challenge of striking a sound balance between protecting the safety and security of our own citizens and respecting the legitimate interests of the citizens of other nations is especially daunting. Our recommendations have been designed to achieve that balance.

With our recommendations in place, there would be three primary differences between the standards governing the acquisition of communications of United States persons and non-United States persons under section 702 when they are outside the United States. First, United States persons can be targeted only upon a showing of probable cause, whereas non-United States persons can be targeted upon a showing of reasonable belief. Second, United States persons can be targeted only if there is a judicial warrant from the FISC, whereas non-United States persons can be targeted without such a warrant, but with careful after-the-fact review and oversight. Third, the minimization requirements for communications of United States persons would not extend fully to non-United States persons located outside the United States, but importantly, information collected about such persons would not be disseminated unless it is relevant to the national security of the United States or our allies.

In our judgment, these differences are warranted by the special obligation the United States Government owes to “the people” of the United States, while at the same time more than upholding our international obligation to ensure that no person “shall be subjected to arbitrary or unlawful interference with his privacy.” We encourage all nations to abide by these same limitations.¹⁵³

RECOMMENDATION 14

We recommend that, in the absence of a specific and compelling showing, the US Government should follow the model of the Department of Homeland Security, and apply the Privacy Act of 1974 in the same way to both US persons and non-US persons. The Privacy Act of 1974¹⁵⁴ provides what are known as “privacy fair information practices” for systems of records held by federal agencies. These practices, designed to safeguard personal privacy, include a set of legal requirements meant to ensure both the accuracy and the security of personally identifiable information in a system of records. Perhaps most important, individuals have the right to have access to those records and to make corrections, if needed.

Since its enactment, the Act has applied only to United States persons. In 2009, the Department of Homeland Security (DHS) updated its 2007 “Privacy Policy Guidance Memorandum.”¹⁵⁵ This memorandum governs privacy protections for “mixed systems” of records—systems that collect or use information in an identifiable form and that contain information about both United States and non-United States persons.¹⁵⁶

Today, DHS policy applies the Privacy Act in the same way to both US persons and non-US persons. As stated in the Memorandum, “As a matter of law the Privacy Act … does not cover visitors or aliens. As a matter of DHS policy, any personally identifiable information (PII) that is collected, used, maintained, and/or disseminated in connection with a mixed system by DHS shall be treated as a System of Records subject to the Privacy Act regardless of whether the information pertains to a US citizen, legal permanent resident, visitor, or alien.”¹⁵⁷

The consequence of this policy is that DHS now handles non-US person PII held in mixed systems in accordance with the fair information practices set forth in the Privacy Act. Non-US persons have the right of access to their PII and the right to amend their records, absent an exemption under the Privacy Act. Because of statutory limitations, the policy does not extend or create a right of judicial review for non-US persons.

Intelligence agencies today are covered by the Privacy Act, with exemptions to accommodate the need to protect matters that are properly classified or law-enforcement sensitive/investigatory in nature. For instance, NSA has filed twenty-six systems of records notices advising the public about data collections, including from applicants seeking employment, contractors doing business with the agency, and in order to conduct background investigations.

NSA also completes privacy impact assessments under the E-Government Act of 2002¹⁵⁸ for its non-National Security systems that collect, maintain, use, or disseminate PII about members of the public. The CIA provides protections under the Privacy Act in contexts including collection directly from the individual; records describing individuals’ exercise of First Amendment rights; and the Act’s general prohibition on disclosure absent express written consent of the individual. The FBI applies the Privacy Act in the same manner for national security investigations as it does for other records covered by the Act.

Unless the agencies provide specific and persuasive reasons not to do so, we recommend that the DHS policy should be extended to the mixed systems held in intelligence and other federal agencies. DHS policy has existed for several years for major systems of records, including passenger name records and immigration records, and implementation experience from DHS can guide similar privacy protections for PII held in intelligence and other federal agencies.

Appropriate exception authority appears to exist under the Act, including for National Security Systems and law enforcement investigatory purposes. The previous lack of Privacy Act protections has been a recurring complaint from European and other allies. This reform is manageable based on the DHS experience. It will both affirm the legitimate privacy rights of citizens of other nations and strengthen our relations with allies.

RECOMMENDATION 15

We recommend that the National Security Agency should have a limited statutory emergency authority to continue to track known targets of counterterrorism surveillance when they first enter the United States, until the Foreign Intelligence Surveillance Court has time to issue an order authorizing continuing surveillance inside the United States.

Under current law, a problem arises when known targets of counterterrorism surveillance enter the United States. Surveillance of a target has been legally authorized under the standards that apply overseas, under section 702 or Executive Order 12333. Suddenly, the target is found to be in the United States, where surveillance is permitted only under stricter legal standards. Under current law, NSA must cease collecting information as soon as it determines that the individual is within the United States. The surveillance can begin again only once there is new authorization under FISA. The irony of this outcome is that surveillance must cease at precisely the moment when the target has entered the United States and thus is in position to take hostile action. Colloquially, there can be a costly fumble in the hand-off from overseas to domestic surveillance.

To address this gap in coverage, legislation has been proposed that would amend 50 U.S.C. § 1805 to give the Director of NSA emergency authority to acquire foreign intelligence information in such circumstances for up to 72 hours. We believe that some such authority is appropriate. A similar gap occurs where the target of surveillance overseas was originally thought to be a non-US person and then is found actually to be a US person. At the moment the target is being investigated for counterterrorism purposes, the authorities that permitted the surveillance no longer apply.

The gap in coverage arises due to the different legal standards that apply at home and abroad. Surveillance under section 702 is permitted if there is a reasonable belief that the person is not a US person and is located outside of the US, and if the purpose is to acquire foreign intelligence information subject to an existing certification. Surveillance under Executive Order 12333 is done so long as it is related to foreign intelligence. By contrast, a traditional FISA order for surveillance within the US requires probable cause that the person is an agent of a foreign power. In order to target a US person who is outside of the US under FISA section 704, the government must show facts for reasonably believing that the person is outside of the US and is an agent of a foreign power. It can take time and effort to upgrade the factual findings from what enabled the surveillance within NSA under section 702 or Executive Order 12333 to the findings that the Department of Justice needs to meet under a traditional FISA order or one under section 704.

The precise scope of this hand-off authority deserves careful thought. The proposed legislation would allow seventy-two hours for surveillance on order of the NSA Director, followed by additional days of emergency authority by authorization of the Attorney General. There has been discussion of whether to limit the scope to situations where there is an imminent threat of death or serious bodily harm, or to go somewhat broader and allow the hand-off authority for any counterterrorism investigation. Additional facts and public discussion would be helpful to assessing such questions.

However these questions of scope are resolved, it can be difficult in our era of mobile phones and e-mail addresses to determine when a communication is made within the United States. Where the communication unexpectedly is within our borders, or someone thought to be a non-US person is found to be a US person, there should be a capacity to respond to an emergency situation.

 

 

¹²⁶ The Universal Declaration of Human Rights, Art. 12, states, “No one shall be subjected to arbitrary interference with his privacy. …”

¹²⁷ See 18 U.S.C. § 2518(3).

¹²⁸ H. Rep. No. 95–1283 (I) at 50–51 (June 5, 1978).

¹²⁹ Executive Order 12333, which governs the use of electronic surveillance by the Intelligence Community outside the United States, provides that “timely, accurate, and insightful information about the activities, capabilities, plans, and intentions of foreign powers, organizations, persons, and their agents, is essential to the national security of the United States.” It declares that “special emphasis should be given to detecting and countering” espionage, terrorism, and the development, possession, proliferation, or use of weapons of mass destruction. The executive order directs that “such techniques as electronic surveillance” may not be used “unless they are in accordance with procedures … approved by the Attorney General” and that “such procedures shall protect constitutional and other legal rights and limit use of such information to lawful governmental purposes.”

¹³⁰ The Protect America Act of 2007, Pub. L. 111–55 (Aug. 5, 2007), which amended 50 U.S.C. § 1803 et. seq., by adding §§ 1803 a–c.

¹³¹ See 50 U.S.C. § 1881(c).

¹³² See 50 U.S.C. § 1881(a).

¹³³ See 50 U.S.C. §1881. Service providers who are subject to these orders are entitled to compensation and are immune from suit for their assistance. They may petition the FISC to set aside or modify the directive if they think that it is unlawful. If a provider is uncooperative, the Attorney General may petition the FISC for an order to enforce the directive.

¹³⁴ See generally 50 U.S.C. 1881a.

¹³⁵ Id.

¹³⁶ S. Rep. 112–174 (June 7, 2012).

¹³⁷ The term “upstream collection” refers to NSA’s interception of Internet communications as they transit the facilities of an Internet backbone carrier.

¹³⁸ MCTs arise in situations in which many communications are bundled together within a single Internet transmission and when the lawful interception of one communication in the bundle results in the interception of them all.

¹³⁹ In Re DNI/AG 702(g), Docket Number 702(i)-11–01 (FISC October 3, 2011) (hereinafter cited as FISC Oct. 3, 2011 opinion).

¹⁴⁰ Id.

¹⁴¹ Id.

¹⁴² Id.

¹⁴³ Id.

¹⁴⁴ In re DNI/AG 702(g), Docket Number 702(i)-11–01 (FISC November 30, 2011) (Redacted version).

¹⁴⁵ National Security Agency, The National Security Agency: Missions, Authorities, Oversight and Partnerships (August 9, 2013).

¹⁴⁶ Background Paper on Title VII of FISA Prepared by the Department of Justice and the Office of the Director of National Intelligence (ODNI), Appendix to Senate Select Committee on Intelligence, Report on FAA Sunsets Extension Act of 2012, 112th Congress, Cong., 2d Session (June 7, 2012).

¹⁴⁷ Senate Select Committee on Intelligence, Report on FAA Sunsets Extension Act of 2012, 112th Congress, 2d Session (June 7, 2012).

¹⁴⁸ 28 C.F.R. ch. I, Part 23.

¹⁴⁹ NSA’s Section 702 Minimization Procedures.

¹⁵⁰ Recommendation 12(2) is designed to address this latter concern. If the government cannot use the evidence in any legal proceeding against the US person, it is less likely to use section 702 in an effort to obtain such information. On the other hand, we do not recommend prohibiting the use of the “fruits” of such interceptions. We draw the line as we do because, unlike most “fruit of the poisonous tree” situations, the interception in this situation is not itself unlawful unless it was actually motivated by a desire to obtain information about the US person.

¹⁵¹ Although the Supreme Court has never directly addressed this question, “every court of appeals to have considered the question” has held “that the Fourth Amendment applies to searches conducted by the United States Government against United States citizens abroad.” United States v. Verdugo-Urquidez, 494 US 259, 283 n.7 (1990) (Brennan, J., dissenting). See In re Terrorist Bombings of US. Embassies in East Africa, 552 F.3d 157 (2010); United States v. Bin Laden, 126 F. Supp. 2d 264, 270–271 (S.D.N.Y. 2000), aff’d, 552 F.3d 157 (2d Cir. 2008); David S. Kris & J. Douglas Wilson, I, National Security Investigations and Prosecutions 2d at 596–597 (West 2012).

¹⁵² See United States v. Verdugo-Urquidez, 494 US. 259, 265–266 (1990). Noting that the Fourth Amendment protects the right of “the people,” the Court held that this “refers to a class of persons who are part of a national community or who have otherwise developed sufficient connection with this country to be considered part of that community.”

¹⁵³ It is important to note that although the government should not target a non-US person outside the United States for surveillance solely because of his political or religious activity or expression, it may target such an individual for surveillance if it has reason to believe that he poses a threat to US national security.

¹⁵⁴ 5 U.S.C. § 552(a).

¹⁵⁵ Department of Homeland Security: Privacy Policy Guidance Memorandum No. 2007–1 (January 7, 2007) (amended on January 19, 2007).

¹⁵⁶ Id.

¹⁵⁷ Id.

¹⁵⁸ 44 U.S.C. § 101.