Chapter Six

ORGANIZATIONAL REFORM IN LIGHT OF CHANGING COMMUNICATIONS TECHNOLOGY

A. Introduction

A CENTRAL THEME OF THIS Report is the importance of achieving multiple goals, including: (1) combating threats to the national security; (2) protecting other national security and foreign policy interests; (3) assuring fundamental rights to privacy; (4) preserving democracy, civil liberties, and the rule of law; (5) supporting a robust, innovative, and free Internet; and (6) protecting strategic relationships. This chapter identifies organizational structures designed to achieve these goals in light of changes in communications technology.

For reasons deeply rooted in the history of the intelligence enterprise, the current organizational structure has been overwhelmingly focused on the goal of combating threats to national security. NSA grew out of signals intelligence efforts during World War II. From then until the end of the Cold War, NSA targeted its efforts on nation-states, outside of the US, often in foreign combat zones that were distant from home.

By contrast, our intelligence efforts now target nonstate actors, including terrorist organizations for whom borders are often not an obstacle. As the section 215 program illustrates, the traditional distinction between foreign and domestic has become less clear. The distinction between military and civilian has also become less clear, now that the same communications devices, software, and networks are used both in war zones such as Iraq and Afghanistan and in the rest of the world. Similarly, the distinction between war and non-war is less clear, as the United States stays vigilant against daily cyber security attacks as well as other threats from abroad.

The organizational structure of the Intelligence Community should reflect these changes. Today, communications devices, software, and networks are often “dual-use”—used for both military and civilian purposes. Both military and civilian goals are thus implicated by signals intelligence and surveillance of communications systems. Chapter Five addressed the need for a new policy process to oversee sensitive intelligence collections, drawing on multiple federal agencies and multiple national goals. This chapter identifies key organizational changes, including:

B. The National Security Agency

We recommend major changes to the structure of the National Security Agency. There should be greater civilian control over the agency, including Senate confirmation for the Director and openness to having a civilian Director. NSA should refocus on its core function: the collection and use of foreign intelligence information. To distinguish the warfighting role from the intelligence role, the military Cyber Command should not be led by the NSA Director. Because the defense of both civilian and government cyber-systems has become more important in recent years, we recommend splitting the defensive mission of NSA’s Information Assurance Directorate into a separate organization.

Before discussing these recommendations, we offer some general observations. No other organization in the world has the breadth and depth of capabilities NSA possesses; its prowess in the realm of signals intelligence is extraordinary. Since World War II, NSA and its predecessors have worked to keep our nation and our allies safe from attack. SIGINT collected by NSA is used daily to support our warfighters and to combat terrorism, the proliferation of weapons of mass destruction, and international criminal and narcotics cartels. Its successes make it possible for the United States and our allies around the world to safeguard our citizens and prevent death, disaster, and destruction.

In addition to its leading-edge technological developments and operations, NSA employs large numbers of highly trained, qualified, and professional staff. The hard work and dedication to mission of NSA’s workforce is apparent. NSA has increased the staff in its compliance office and addressed many concerns expressed previously by the FISC and others.

After the terrorist acts in the United States of September 11, 2001, many people in both the Legislative and Executive Branches of government believed that substantial new measures were needed to protect our national security. We have noted that if a similar or worse incident or series of attacks were to occur in the future, many Americans, in the fear and heat of the moment, might support new restrictions on civil liberties and privacy. The powerful existing and potential capabilities of our intelligence and law enforcement agencies might be unleashed without adequate controls. Once unleashed, it could be difficult to roll back these sacrifices of freedom.

Our recommendations about NSA are designed in part to create checks and balances that would make it more difficult in the future to impose excessive government surveillance. Of course, no structural reforms create perfect safeguards. But it is possible to make restraint more likely. Vigilance is required in every age to maintain liberty.

1. “Dual-Use” Technologies: The Convergence of Civilian Communications and Intelligence Collection

Our recommended organizational changes are informed by the recent history of communications technologies. For the most part, signals intelligence during World War II and the Cold War did not involve collection and use on the equipment and networks used by ordinary Americans. Signals intelligence today, by contrast, pervasively involves the communications devices, software, and networks that are also used by ordinary Americans and citizens of other countries. When the equipment and networks were separate, there was relatively little reason for decisions about signals intelligence to be part of a wide-ranging policy inquiry into the interest of the United States. But when the devices, software, and networks are the same as those used by ordinary Americans (and ordinary citizens of other countries), then multiple and significant policy concerns come into play.

As a result of changing technology, key distinctions about intelligence and communications technology have eroded over time: state vs. nonstate, foreign vs. domestic, war vs. non-war, and military vs. civilian. As a result, many communications technologies today are “dual-use”—used for both civilian and military purposes. For ordinary civilians, this means that our daily communications get swept up into Intelligence Community databases. For the military, it means that what used to be purely military activities often now have important effects on private citizens.

1. FROM NATION-STATES TO WELL-HIDDEN TERRORISTS. During the Cold War, our intelligence efforts were directed against foreign powers, notably the Soviet Union, and agents of foreign powers, such as Soviet agents in the US who were placed under FISA wiretap orders. After the terrorist attacks of September 11, 2001, the emphasis shifted to fighting terrorism. In counterterrorism efforts, a major priority is to identify potential or actual terrorists, who seek to hide their communications in the vast sea of other communications.

The section 215 telephone database, for instance, was designed to find links between suspected terrorists and previously unknown threats. It is one of many databases created after the terrorist attacks of September 11, 2001, in order to “connect the dots” and discover terrorist threats. One result of the focus on counterterrorism has been that the Intelligence Community has broadened its focus from state actors to a large number of nonstate actors. Another result is that the communications of ordinary citizens are placed into intelligence databases, increasing the effects of SIGINT policy choices on individuals and businesses.

2. FROM DOMESTIC TO FOREIGN. For ordinary citizens, the distinction between domestic and foreign communications has eroded over time. As the Director of National Intelligence, General James Clapper, has testified before Congress,¹⁵⁹ much of the intelligence collection during the Cold War occurred in separate communications systems. Behind the Iron Curtain, the communications of the Soviet Union and its allies were largely separate from other nations. Direct communications from ordinary Americans to Communist nations were a tiny fraction of electronic communications. By contrast, the Internet is global. Terrorists and their allies use the same Internet as ordinary Americans.

During the Cold War, ordinary Americans used the telephone for many local calls, but they were cautious about expensive “long-distance” calls to other area codes and were even more cautious about the especially expensive “international” phone calls. Many people today, by contrast, treat the idea of “long-distance” or “international” calls as a relic of the past. We make international calls through purchases of inexpensive phone cards or free global video services. International e-mails are cost-free for users.

The pervasively international nature of communications today was the principal rationale for creating section 702 and other parts of the FISA Amendments Act of 2008. In addition, any communication on the Internet might be routed through a location outside of the United States, in which case FISA does not apply and collection is governed under broader authorities such as Executive Order 12333. Today, and unbeknownst to US users, websites and cloud servers may be located outside the United States. Even for a person in the US who never knowingly sends communications abroad, there may be collection by US intelligence agencies outside of the US.¹⁶⁰ The cross-border nature of today’s communications suggests that when decisions are made about foreign surveillance, there is a need for greater consideration of policy goals involving the protection of civilian commerce and individual privacy.

3. FROM WARTIME TO CONTINUOUS RESPONSES TO CYBER AND OTHER THREATS. In recent decades, the global nature of the Internet has enabled daily cyber attacks on the communications of government, business, and ordinary Americans by hackers, organized crime, terrorists, and nation-states. As a result, the development of high-quality defenses against such attacks has become a priority for civilian as well as military systems. In wartime, the military anticipates that the adversary will try to jam communications and take other measures to interfere with its ability to carry out operations. For this reason, the military has long required an effective defensive capability for its communications, called an “information assurance” capability. With cyber-attacks, often launched from overseas, information assurance now is needed outside the military context as well.

The convergence of military and civilian systems for cyber security has three implications. First, information assurance for the military relies increasingly on information assurance in the civilian sector. With the use of commercial off-the-shelf hardware and software, many military systems are now the same as or similar to civilian systems. The military and the US Government rely on a broad range of critical infrastructure, which is mostly owned and operated by the civilian sector. Effective defense of civilian-side hardware, software, and infrastructure is critical to military and other government functions.

Second, the military chain of command does not apply to the civilian sector. For traditional information assurance, the military could depend on its own personnel and systems to fix communications problems caused by the adversary—the military could secretly order its personnel how to respond to a problem. But that sort of chain of command does not work in the civilian sector, where patches and other defensive measures must be communicated to a multitude of civilian system owners. It is usually not possible to communicate effective defensive measures without also tipping off adversaries about our vulnerabilities and responses.

Third, these changes create a greater tension between offense and defense. When the military can keep secrets within the chain of command, then the offensive measures used in intelligence collection or cyber attacks can safely go forward. The offense remains useful, and the military can defend its own systems. Where there is no chain of command, however, there is no secret way for the defenders to patch their systems. Those charged with offensive responsibilities still seek to collect SIGINT or carry out cyber attacks. By contrast, those charged with information assurance have no effective way to protect the multitude of exposed systems from the attacks. The SIGINT function and the information assurance function conflict more fundamentally than before. This conclusion supports our recommendation to split the Information Assurance Directorate of NSA into a separate organization.

4. FROM MILITARY COMBAT ZONES TO CIVILIAN COMMUNICATIONS. An important change, which has received relatively little attention, concerns the military significance of the communications devices, software, and networks used by ordinary Americans. In certain ways the military nature of signals intelligence is well known—NSA is part of the Department of Defense (DOD), the current Director of NSA is a general, and the military’s Cyber Command is led by the same general. Much less appreciated are (1) the possible effect that active combat operations in Iraq and Afghanistan have had on decisions about what intelligence activities are appropriate and (2) the increasing overlap between signals intelligence for military purposes and the communications of ordinary Americans and citizens of other countries.

The convergence of military and civilian communications is important in light of the drastically different expectations of government surveillance. In wartime, during active military operations, signals intelligence directed at the enemy must be highly aggressive and largely unrestrained. The United States and its allies gained vital military intelligence during World War II by breaking German and Japanese codes. During the Cold War, the United States established listening stations on the edges of the Soviet Union in order to intercept communications. More recently, there are powerful arguments for strong measures to intercept communications to prevent or detect attacks on American troops in Iraq and Afghanistan. During military operations, the goal is information dominance, to protect the lives and safety of US forces and to meet military objectives. The same rules do not apply on the home front.

A significant challenge today is that a wide and increasing range of communications technologies is used in both military and civilian settings. The same mobile phones, laptops, and other consumer goods used in combat zones are often used in the rest of the world. The same is true for software, such as operating systems, encryption protocols, and applications. Similarly, routers, fiber optic, and other networking features link combat zones with the rest of the global Internet. Today, no battlefield lines or Iron Curtain separates the communications in combat zones from the rest of the world. A vulnerability that can be exploited on the battlefield can also be exploited elsewhere. The policy challenge is how to achieve our military goals in combat zones without undermining the privacy and security of our communications elsewhere. In responding to this challenge, it remains vital to allow vigorous pursuit of military goals in combat zones and to avoid creating a chilling effect on the actions of our armed forces there.

The public debate has generally focused on the counterterrorism rationale for expanded surveillance since the terrorist attacks of September 11, 2001. We believe that the military missions in Iraq and Afghanistan have also had a large but difficult-to-measure impact on decisions about technical collection and communications technologies. Going forward, even where a military rationale exists for information collection and use, there increasingly will be countervailing reasons not to see the issue in purely military terms. The convergence of military and civilian communications supports our recommendations for greater civilian control of NSA as well as a separation of NSA from US Cyber Command. It is vital for our intelligence agencies to support our warfighters, but we must develop governance structures attuned to the multiple goals of US policy.

2. Specific Organizational Reforms

RECOMMENDATION 22

We recommend that:

The Director of NSA has not been a Senate-confirmed position; selection has been in the hands of the President alone. Because of the great impact of NSA actions, the need for public confidence in the Director, the value of public trust, and the importance of the traditional system of checks and balances, Senate confirmation is appropriate. Senate confirmation would increase both transparency and accountability.

When appointing the directors of other intelligence organizations, Presidents have exercised their discretion to choose from the ranks of both civilian and military personnel. Both active duty military officers and civilians have been selected to be the Director of the CIA and the Director of the National Reconnaissance (NRO). It is important to the future of NSA that it be understood by the American people to be acting under appropriate controls and supervision.

For this reason, civilians should be eligible for the position. The convergence of civilian and military communications technology makes it increasingly important to have civilian leadership to complement NSA’s military and intelligence missions. We believe that the President should seriously consider appointing a civilian to be the next Director of NSA, thus making it clear that NSA operates under civilian control. A senior (two- or three-star) military officer should be among the Deputy Directors.

RECOMMENDATION 23

We recommend that the National Security Agency should be clearly designated as a foreign intelligence organization; missions other than foreign intelligence collection should generally be reassigned elsewhere.

NSA now has multiple missions and mandates, some of which are blurred, inherently conflicting, or both. Fundamentally, NSA is and should be a foreign intelligence organization. It should not be a domestic security service, a military command, or an information assurance organization. Because of its extraordinary capabilities, effective oversight must exist outside of the Agency.

In some respects, NSA is now both a military and a civilian organization. It has always been led by a military flag rank officer, and its incumbent also serves as the head of a combatant command (US Cyber Command). As a matter of history, the evolution in the roles and missions of NSA is understandable; those roles have emerged as a result of a series of historical contingencies and perceived necessities and conveniences. But if the nation were writing on a blank slate, we believe it unlikely that we would create the current organization.

The President should make it clear that NSA’s primary mission is the collection of foreign intelligence, including the support of our warfighters. Like other agencies, there are situations in which NSA does and should provide support to the Department of Justice, the Department of Homeland Security, and other law enforcement entities. But it should not assume the lead for programs that are primarily domestic in nature. Missions that do not involve the collection of foreign intelligence should generally be assigned elsewhere.

RECOMMENDATION 24

We recommend that the head of the military unit, US Cyber Command, and the Director of the National Security Agency should not be a single official.

As the Pentagon has recognized, it is essential for the United States military to have an effective combatant command for cyberspace activities. The importance of this command will likely grow over time, as specialized cyber capabilities become a growing part of both offense and defense. But the military organization created under Title 10 of the US Code (Defense and military organizations) should be separate from the foreign intelligence agencies created under Title 50 (Intelligence). Just as NSA has provided essential support to US Central Command in the recent wars in Iraq and Afghanistan, NSA should provide intelligence support to US Cyber Command. Nonetheless, there is a pressing need to clarify the distinction between the combat and intelligence collection missions. Standard military doctrine does not place the intelligence function in control of actual combat. Because the two roles are complementary but distinct, the Director of NSA and the Commander of US Cyber Command in the future should not be the same person. Now that Cyber Command has grown past its initial stages, the risk increases that a single commander will not be the best way to achieve the two distinct functions.

RECOMMENDATION 25

We recommend that the Information Assurance Directorate—a large component of the National Security Agency that is not engaged in activities related to foreign intelligence—should become a separate agency within the Department of Defense, reporting to the cyber policy element within the Office of the Secretary of Defense.

In keeping with the concept that NSA should be a foreign intelligence agency, the large and important Information Assurance Directorate (IAD) of NSA should be organizationally separate and have a different reporting structure. IAD’s primary mission is to ensure the security of the DOD’s communications systems. Over time, the importance has grown of its other missions and activities, such as providing support for the security of other US Government networks and making contributions to the overall field of cyber security, including for the vast bulk of US systems that are outside of the government. Those are not missions of a foreign intelligence agency. The historical mission of protecting the military’s communications is today a diminishing subset of overall cyber security efforts.

We are concerned that having IAD embedded in a foreign intelligence organization creates potential conflicts of interest. A chief goal of NSA is to access and decrypt SIGINT, an offensive capability. By contrast, IAD’s job is defense. When the offensive personnel find some way into a communications device, software system, or network, they may be reluctant to have a patch that blocks their own access. This conflict of interest has been a prominent feature of recent writings by technologists about surveillance issues.¹⁶¹

A related concern about keeping IAD in NSA is that there can be an asymmetry within a bureaucracy between offense and defense—a successful offensive effort provides new intelligence that is visible to senior management, while the steady day-to-day efforts on defense offer fewer opportunities for dramatic success.

Another reason to separate IAD from NSA is to foster better relations with the private sector, academic experts, and other cyber security stakeholders. Precisely because so much of cyber security exists in the private sector, including for critical infrastructure, it is vital to maintain public trust. Our discussions with a range of experts have highlighted a current lack of trust that NSA is committed to the defensive mission. Creating a new organizational structure would help rebuild that trust going forward.

There are, of course, strong technical reasons for information-sharing between the offense and defense for cyber security. Individual experts learn by having experience both in penetrating systems and in seeking to block penetration. Such collaboration could and must occur even if IAD is organizationally separate.

In an ideal world, IAD could form the core of the cyber capability of DHS. DHS has been designated as the lead cabinet department for cyber security defense. Any effort to transfer IAD out of the Defense Department budget, however, would likely meet with opposition in Congress.¹⁶² Thus, we suggest that IAD should become a Defense Agency, with status similar to that of the Defense Information Systems Agency (DISA) or the Defense Threat Reduction Agency (DTRA). Under this approach, the new and separate Defense Information Assurance Agency (DIAA) would no longer report through intelligence channels, but would be subject to oversight by the cyber security policy arm of the Office of the Secretary of Defense.

C. Reforming Organizations Dedicated to the Protection of Privacy and Civil Liberties

The Executive Branch should adopt structural reforms to protect privacy and civil liberties in connection with intelligence collection and the use of personal information. Specifically, the Executive Branch should improve its policies and procedures in the realms of policy clearance and development, compliance, oversight and investigations, and technology assessment.

A fundamental theme of this Report is that the fact that the intelligence community is able to collect personal information does not mean that it should do so. Similarly, the fact that collection is legal does not mean that it is good policy. The Intelligence Community’s ability to collect and use information has expanded exponentially with the increased use of electronic communications technologies. The priority placed on national security after the attacks of September 11, including large budget increases, has made possible an enormous range of new collection and sharing capabilities, both within and outside the United States, on scales greater than previously imagined.

With this expansion of capabilities, there should be an accompanying set of institutions, properly funded, to ensure that the overall national interest is achieved in connection with intelligence collection and use. We recommend institutional changes within the Executive Branch designed to strengthen (1) policy clearance and development; (2) compliance; (3) oversight; and (4) technology assessment.

RECOMMENDATION 26

We recommend the creation of a privacy and civil liberties policy official located both in the National Security Staff and the Office of Management and Budget.

In some recent periods, the NSS, reporting in the White House to the President’s National Security Advisor, has had a civil servant tasked with privacy issues. During that time, the Office of Management and Budget (OMB), which in its management role oversees privacy and cyber security, has similarly had a civil servant with privacy responsibilities. We recommend that the President name a policy official, who would sit within both the NSS and the OMB, to coordinate US Government policy on privacy, including issues within the Intelligence Community.

This position would resemble in some respects the position of Chief Counselor for Privacy in OMB under President Clinton, from 1999 until early 2001. There are several reasons for creating this position: First, the OMB-run clearance process is an efficient and effective way to ensure that privacy issues are considered by policymakers. Second, a political appointee is more likely to be effective than a civil servant. Third, identifying a single, publicly named official provides a focal point for outside experts, advocacy groups, industry, foreign governments, and others to inform the policy process. Fourth, this policy development role is distinct from that of ensuring compliance by the agencies.¹⁶³

RECOMMENDATION 27

We recommend that:

1. CREATING THE CLPP BOARD. The 9/11 Commission recommended creation of what is now the PCLOB, an independent agency in the Executive Branch designed to conduct oversight of Intelligence Community activities related to terrorism and to make recommendations to Congress and the Executive Branch about how to improve privacy and civil liberty protections. The statute that authorizes the PCLOB gives it jurisdiction only over information collected and used for anti-terrorism purposes. There are major privacy and civil liberties issues raised by Intelligence Community collections for other foreign intelligence purposes, including anti-proliferation, counter-intelligence, economic policy, and other foreign affairs purposes.

To match the scope of information collection and use, we recommend the creation of a new and strengthened Board that has authority to oversee the full range of foreign intelligence issues. We have considered whether changes should be made to the existing PCLOB, or whether instead it would be better to create an entirely new agency with augmented powers. An advantage of keeping the PCLOB as the organizational base is that a Chair and four Board members have already been confirmed by the Senate and are in place. On the other hand, the scope of responsibility that we contemplate for the agency is considerably broader than the existing PCLOB statute permits. There are also flaws with the current PCLOB statute. For those reasons, we recommend creation of a new independent agency in the Executive Branch. We refer to this new agency as the Civil Liberties and Privacy Protection Board, or CLPP Board.

Oversight should match the scope of the activity being reviewed. Having the new CLPP Board oversee “foreign intelligence” rather than “anti-terrorism” would match the scope of FISA. This broader scope would reduce any temptation Intelligence Community agencies might have to mischaracterize their activities as something other than anti-terrorism in order to avoid review by the current PCLOB.

We anticipate that this expanded scope would call for substantially increased funding and staff. With its current small staff, the PCLOB is limited in its ability to oversee intelligence agencies operating on the scale of tens of billions of dollars. This must be addressed. As with the PCLOB, the CLPP Board leadership and staff should have the clearances required to oversee this broader range of Intelligence Community activities. As under current statutes, the CLPP Board would make regular reports to Congress and the public, in a suitable mix of classified and unclassified forms.

2. THE CLPP BOARD AND WHISTLE-BLOWERS. We recommend enactment of a statute that creates a path for whistle-blowers to report their concerns directly to the CLPP Board. Various criticisms have been published about the effectiveness of current whistle-blower provisions in the Intelligence Community. Although we have not evaluated all of these criticisms, the oversight and investigations role of the CLPP Board is well matched to examining whistle-blower allegations.

3. A CLPP BOARD OFFICE OF TECHNOLOGY ASSESSMENT. Public policy is shaped in part by what is technically possible, and technology experts are essential to analyzing the range of the possible. An improved technology assessment function is essential to informing policymakers about the range of options, both for collection and use of personal information, and also about the cost and effectiveness of privacy-enhancing technologies.

Prior to 1995, Congress had an Office of Technology Assessment that did significant studies on privacy and related issues. The OTA was then abolished, and no similar federal agency has existed since. Because the effectiveness of privacy and civil liberties protections depends heavily on the information technology used, a steady stream of new privacy and technology issues faces the Intelligence Community. For instance, the last few years have seen explosive growth in social networking, cloud computing, and big data analytics. Because the Intelligence Community pushes the state of the art to achieve military and other foreign policy objectives, assessment of the technological changes must be up-to-date.

We therefore recommend that the government should have an Office of Technology Assessment that does not report directly to the Intelligence Community but that has access to Intelligence Community activities. Congress is vital to oversight of the Intelligence Community, but it does not have an office to enable it to assess technological developments. The CLPP Board, with classified personnel and agency independence, is the logical place for this sort of independent assessment.

4. COMPLIANCE ACTIVITIES. Although the Compliance program at NSA is independent and professional, there may be a public impression that any internal oversight function, at any agency, is vulnerable to pressure from the agency’s leadership. To increase public trust and overcome even the perception of agency bias in the NSA Compliance program, some of the compliance function and the relevant staff should be transferred to the CLPP Board. This structure would be analogous to the complementary roles of internal and external auditors familiar in public corporations. Under this approach, NSA would retain the internal compliance function, with the external function shifting to the CLPP Board. Consideration should also be given to transferring elements of other agencies’ compliance functions to the CLPP Board.

5. TECHNICAL AMENDMENTS TO PCLOB STATUTE. The current PCLOB statute has a number of limitations that reduce its ability to operate effectively. If a new CLPP Board is not created, we recommend that several changes be made to the PCLOB statute. First, the four members of the Board other than the Chair are unpaid government employees who are permitted to work only a limited number of days per year on PCLOB matters. We recommend that these Board members should be paid for their service, and that they should not be restricted in the amount of service they provide in a year. Second, the current statute suggests that only the Chair can hire staff; any vacancy in the Chair position thus creates uncertainty about the legal basis for staff hiring. The statute should be amended to ensure smooth functioning of the Board even if the Chair position is vacant. Third, the Board should have the ability, held by other federal agencies, to subpoena records held in the private sector, without the current prior review of subpoena requests by the Attorney General. Fourth, the PCLOB needs better institutional assistance from the Intelligence Community to ensure administrative support for the Board’s efforts. For instance, Board members sometimes need access to a classified facility outside of the Washington, DC headquarters, and ODNI or other support would make it easier to gain that access.

D. Reforming the FISA Court

RECOMMENDATION 28

We recommend that:

As we have seen, the FISC was established by the Foreign Intelligence Surveillance Act of 1978. The FISC, which today consists of eleven federal district court judges serving staggered seven-year terms, was created as a result of recommendations of the Church Committee to enable judicial oversight of classified foreign intelligence investigations. Most often, the judges of the FISC rule on government applications for the issuance of (a) FISA warrants authorizing electronic surveillance, (b) orders for section 215 business records, and (c) orders for section 702 interceptions targeting non-United States persons who are outside the United States.

The FISC has a staff of five full-time legal assistants with expertise in foreign intelligence issues. When preparing to rule on applications for such orders, the FISC’s legal assistants often deal directly with the government’s attorneys. Sometimes the judge approves the application without a hearing, and sometimes the judge concludes that a hearing with the government’s attorneys is appropriate. FISA does not provide a mechanism for the FISC to invite the views of nongovernmental parties. Rather, the FISC’s proceedings are ex parte, as required by statute, and consistent with the procedures followed by other federal courts in ruling on applications for search warrants and wiretap orders.¹⁶⁴

Critics of the FISC have noted that the court grants more than 99 percent of all requested applications. In a recent letter to the Chairman of the Senate Judiciary Committee, FISC Presiding Judge Reggie Walton explained that this statistic is misleading, because that figure does “not reflect the fact that many applications are altered prior to final submission or even withheld from final submission entirely, often after an indication that a judge would not approve them.”¹⁶⁵ Judge Walton’s explanation seems quite credible. Moreover, this understanding of the FISC’s approach is reinforced by the FISC’s strong record in dealing with non-compliance issues when they are brought to its attention. As illustrated by the section 215 and section 702 non-compliance incidents discussed in Chapters Three and Four of this Report, the FISC takes seriously its responsibility to hold the government accountable for its errors.

We believe that reform of the FISC in the following areas will strengthen its ability to serve the national security interests of the United States while protecting privacy and civil liberties and promoting greater transparency.

(A) ESTABLISHING A PUBLIC INTEREST ADVOCATE. Our legal tradition is committed to the adversary system. When the government initiates a proceeding against a person, that person is usually entitled to representation by an advocate who is committed to protecting her interests. If it is functioning well, the adversary system is an engine of truth. It is built on the assumption that judges are in a better position to find the right answer on questions of law and fact when they hear competing views.

When the FISC was created, it was assumed that it would resolve routine and individualized questions of fact, akin to those involved when the government seeks a search warrant. It was not anticipated that the FISC would address the kinds of questions that benefit from, or require, an adversary presentation. When the government applies for a warrant, it must establish “probable cause,” but an adversary proceeding is not involved. As both technology and the law have evolved over time, however, the FISC is sometimes presented with novel and complex issues of law. The resolution of such issues would benefit from an adversary proceeding.

A good example is the question whether section 215 authorized the bulk telephony meta-data program. That question posed serious and difficult questions of statutory and constitutional interpretation about which reasonable lawyers and judges could certainly differ. On such a question, an adversary presentation of the competing arguments is likely to result in a better decision. Hearing only the government’s side of the question leaves the judge without a researched and informed presentation of an opposing view.

We recommend that Congress should create a Public Interest Advocate, who would have the authority to intervene in matters that raise such issues. The central task of the Public Interest Advocate would be to represent the interests of those whose rights of privacy or civil liberties might be at stake. The Advocate might be invited to participate by a FISC judge. In addition, and because a judge might not always appreciate the importance of an adversary proceeding in advance, we recommend that the Advocate should receive docketing information about applications to the FISC, enabling her to intervene on her own initiative (that is, without an invitation from a FISC judge).

One difficult issue is where the Advocate should be housed. Because the number of FISA applications that raise novel or contentious issues is probably small, the Advocate might find herself with relatively little to do. It might therefore be sensible for the Advocate to have other responsibilities. One possibility would be for the Public Advocate to be on the staff of the CLPP Board, thus giving her other responsibilities and providing knowledge about the workings of the intelligence agencies. A drawback of this approach is that the Board has multiple roles, and it is possible that the presence of the Public Advocate in that setting might create conflicts of interest. Another possibility is to outsource the Public Advocate responsibility either to a law firm or a public interest group for a sufficiently long period that its lawyers could obtain the necessary clearances and have continuity of knowledge about the intelligence agencies.¹⁶⁶ Under the former approach, the Advocate would be designated by the CLPP Board from among its employees; under the latter, the CLPP Board could oversee a procurement process to appoint the outside group of lawyers.

(B) BOLSTER TECHNOLOGICAL CAPACITY. The recently published opinions of the FISC make evident the technological complexity of many of the issues that now come before it. The compliance issues involving sections 215 and 702 illustrate this reality and the extent to which it is important for the FISC to have the expertise available to it to oversee such issues.

Rather than relying predominantly on staff lawyers in its efforts to address these matters, the FISC should be able to call on independent technologists, with appropriate clearances, who do not report to NSA or Department of Justice. One approach would be for the FISC to use the court-appointed experts; another would be for the FISC to draw upon technologists who work with the CLPP Board.

(C) TRANSPARENCY. The US Government should re-examine the process by which decisions issued by the FISC and its appellate body, the Foreign Intelligence Surveillance Court of Review (FISC-R), are reviewed for declassification and determine whether it ought to implement a more robust and regimented process of declassification of decisions to improve transparency.

The majority of the FISC’s orders and filings are classified “Secret” or “Top Secret” using the standards set forth in section 1 of Executive Order 13526 issued by President Obama on December 29, 2009. Under this Executive Order, classified national security information is subject to automatic declassification review upon passage of 25 years.

Pursuant to the Department of Justice’s Automatic Classification Guide dated November 2012, “FISA Files”¹⁶⁷ are exempted from automatic declassification review at 25 years under a “File Series Exemption” granted by the Assistant to the President for National Security Affairs on October 5, 2006. These records are not subject to automatic declassification review until they reach 50 years in age from the date they were created. Consequently, the public is left uninformed as to decisions that may have far-reaching implications in terms of how the FISC interpreted the law.

The very idea of the rule of law requires a high degree of transparency. Transparency promotes accountability. As Justice Louis Brandeis once observed, sunlight can be “the best of disinfectants.”¹⁶⁸ A lack of transparency can also breed confusion, suspicion, and distrust. In our system, judicial proceedings are generally open to the public, and judicial opinions are made available for public scrutiny and inspection. Indeed, the ODNI has declassified a considerable number of FISC opinions in 2013, making the determination that the gains from transparency outweighed the risk to national security.

There can, of course, be a genuine need for confidentiality, especially when classified material is involved. When the FISC is dealing with such material, there are legitimate limits on disclosure. But in order to further the rule of law, FISC opinions or, when appropriate, redacted versions of FISC opinions, should be made public in a timely manner, unless secrecy of the opinion is essential to the effectiveness of a properly classified program.

(D) SELECTION AND COMPOSITION OF THE FISC. Under FISA, the judges on the FISC are selected by the Chief Justice of the United States. In theory, this method of selection has significant advantages. Concentration of the power of appointment in one person can make the process more orderly and organized. But that approach has drawn two legitimate criticisms.

The first involves the potential risks associated with giving a single person, even the Chief Justice, the authority to select all of the members of an important court. The second involves the fact that ten of the eleven current FISC judges, all of whom were appointed by the current Chief Justice, were appointed to the federal bench by Republican presidents. Although the role of a judge is to follow the law and not to make political judgments, Republican-appointed and Democratic-appointed judges sometimes have divergent views, including on issues involving privacy, civil liberties, and claims of national security. There is therefore a legitimate reason for concern if, as is now the case, the judges on the FISC turn out to come disproportionately from either Republican or Democratic appointees.

There are several ways to respond to this concern. We recommend allocating the appointment authority to the Circuit Justices. Under this approach, each member of the Supreme Court would have the authority to select one or two members of the FISC from within the Circuit(s) over which she or he has jurisdiction. This approach would have the advantage of dividing appointment authority among the Court’s nine members and reducing the risks associated with concentrating the appointment power in a single person.

¹⁵⁹ Potential Changes to the Foreign Intelligence Surveillance Act: Open Hearing Before the H.P. Select Comm. on Intelligence, 113 Cong. (October 29, 2013) (Statement of James R. Clapper, Director of National Intelligence).

¹⁶⁰ See Jonathan Mayer, “The Web Is Flat” Oct. 30, 2013 (study showing “pervasive” flow of web browsing data outside of the US for US individuals using US-based websites), available at http://webpolicy.org/2013/10/30/the-web-is-flat/.

¹⁶¹ Susan Landau, Surveillance or Security: The Risks Posed by New Wiretapping Technologies (MIT Press 2011); Jon M. Peha, The Dangerous Policy of Weakening Security to Facilitate Surveillance, Oct. 4, 2013, available at http://ssrn.com/abstract=2350929.

¹⁶² Although DHS was created ten years ago, Congress has yet to readjust its committees of jurisdiction.

¹⁶³ See Peter Swire, “The Administration Response to the Challenges of Protecting Privacy,” Jan. 8, 2000, available at www.peterswire.net/pubs. Peter Swire is one of the five members of the Review Group; the comments in text are made here on behalf of the entire Review Group.

¹⁶⁴ In one instance, the FISC heard arguments from a non-governmental party that sought to contest a directive from the government. In 2007, Yahoo declined to comply with a directive from the government. The government then filed a motion with the FISC to compel compliance. The FISC received briefings from both Yahoo and the government, and then rendered its decision in 2008 in favor of the government. Yahoo then appealed unsuccessfully to the FISA Court of Review. See In re Directives [Redacted Version] Pursuant to Section 105b of the Foreign Intelligence Surveillance Act, 551 F.3d 1004 (FISA Ct. Rev. 2008). In several other instances, private parties, including the American Civil Liberties Union and the Electronic Frontier Foundation, Google, Inc., Microsoft Corporation, and the Media Freedom and Information Access Clinic, filed motions with the FISC seeking the release or disclosure of certain records. See Letter from Chief Judge Reggie Walton to Honorable Patrick Leahy (July 29, 2013); In re Motion for Release of Court Records, 526 F. Supp. 484 (FISA Ct. 2007).

¹⁶⁵ Letter from Chief Judge Reggie Walton to Honorable Patrick Leahy (July 29, 2013).

¹⁶⁶ Other possible institutional homes for the Advocate appear to have serious shortcomings. Housing the Public Advocate with the FISC would run the risk of the Advocate often having little or nothing to do. Housing the Advocate within the Department of Justice would undermine the independence of the Advocate from the opposing brief writers in the case, who would also be in the same Department. Using a rotating panel of outside lawyers would risk a loss of continuity and knowledge about classified programs.

¹⁶⁷ “FISA Files” are files relating to the Foreign Intelligence Surveillance Act (FISA). These “FISA Files” may include the following: a request to initiate collection activity; an application; court order or authorization by the Attorney General; draft documents; related memoranda; motions, affidavits, filings, correspondence, and electronic communications; and other related documents or records. See p. 8 of United States Department of Justice “Automatic Declassification Guide—FOR USE AND REVIEW AND DECLASSIFICATION OF RECORDS UNDER EXECUTIVE ORDER 13526, “CLASSIFIED NATIONAL SECURITY INFORMATION.”

¹⁶⁸ Louis Brandeis, Other People’s Money—And How Bankers Use It, Chapter 5 (1914).