The National Security Agency campus in Fort Meade, Md. (Patrick Semansky/Associated Press)
By John Napier Tye July 18, 2014
John
Napier Tye served as section chief for Internet freedom in the State
Department’s Bureau of Democracy, Human Rights and Labor from January
2011 to April 2014. He is now a legal director of Avaaz, a global advocacy organization.
In
March I received a call from the White House counsel’s office regarding
a speech I had prepared for my boss at the State Department. The
speech
was about the impact that the disclosure of National Security Agency
surveillance practices would have on U.S. Internet freedom policies. The
draft stated that “if U.S. citizens disagree with congressional and
executive branch determinations about the proper scope of signals
intelligence activities, they have the opportunity to change the policy
through our democratic process.”
But the
White House counsel’s office told me that no, that wasn’t true. I was
instructed to amend the line, making a general reference to “our laws
and policies,” rather than our intelligence practices. I did.
Even
after all the reforms President Obama has announced, some intelligence
practices remain so secret, even from members of Congress, that there is
no opportunity for our democracy to change them.
Public debate
about the bulk collection of U.S. citizens’ data by the NSA has focused
largely on Section 215 of the Patriot Act, through which the government
obtains court orders to compel American telecommunications companies to
turn over phone data. But Section 215 is a small part of the picture and
does not include the universe of collection and storage of
communications by U.S. persons authorized under Executive Order 12333.
From
2011 until April of this year, I worked on global Internet freedom
policy as a civil servant at the State Department. In that capacity, I
was cleared to receive top-secret and “sensitive compartmented”
information. Based in part on classified facts that I am prohibited by
law from publishing, I believe that Americans should be even more
concerned about the collection and storage of their communications under
Executive Order 12333 than under Section 215.
Bulk
data collection that occurs inside the United States contains built-in
protections for U.S. persons, defined as U.S. citizens, permanent
residents and companies. Such collection must be authorized by statute
and is subject to oversight from Congress and the Foreign Intelligence
Surveillance Court. The statutes set a high bar for collecting the
content of communications by U.S. persons. For example, Section 215
permits the bulk collection only of U.S. telephone metadata — lists of
incoming and outgoing phone numbers — but not audio of the calls.
Executive Order 12333
contains no such protections for U.S. persons if the collection occurs
outside U.S. borders. Issued by President Ronald Reagan in 1981 to
authorize foreign intelligence investigations, 12333 is not a statute
and has never been subject to meaningful oversight from Congress or any
court. Sen. Dianne Feinstein (D-Calif.), chairman of the Senate Select
Committee on Intelligence,
has said that the committee has not been able to “sufficiently” oversee activities conducted under 12333.
Unlike
Section 215, the executive order authorizes collection of the content
of communications, not just metadata, even for U.S. persons. Such
persons cannot be individually targeted under 12333 without a court
order. However, if the contents of a U.S. person’s communications are
“incidentally” collected (an
NSA term of art)
in the course of a lawful overseas foreign intelligence investigation,
then Section 2.3(c) of the executive order explicitly authorizes their
retention. It does not require that the affected U.S. persons be
suspected of wrongdoing and places no limits on the volume of
communications by U.S. persons that may be collected and retained.
“Incidental”
collection may sound insignificant, but it is a legal loophole that can
be stretched very wide. Remember that the NSA is building a data center
in Utah five times the size of the U.S. Capitol building, with its own
power plant that will reportedly burn $40 million a year in electricity.
“Incidental collection” might need its own power plant.
A
legal regime in which U.S. citizens’ data receives different levels of
privacy and oversight, depending on whether it is collected inside or
outside U.S. borders, may have made sense when most communications by
U.S. persons stayed inside the United States. But today, U.S.
communications increasingly travel across U.S. borders — or are stored
beyond them. For example, the Google and Yahoo e-mail systems rely on
networks of “mirror” servers located
throughout the world.
An e-mail from New York to New Jersey is likely to wind up on servers
in Brazil, Japan and Britain. The same is true for most purely domestic
communications.
Executive Order 12333 contains nothing
to prevent the NSA from collecting and storing all such communications —
content as well as metadata — provided that such collection occurs
outside the United States in the course of a lawful foreign intelligence
investigation. No warrant or court approval is required, and such
collection never need be reported to Congress. None of
the reforms that Obama announced earlier this year will affect such collection.
Without
any legal barriers to such collection, U.S. persons must increasingly
rely on the affected companies to implement security measures to keep
their communications private. The executive order does not require the
NSA to notify or obtain consent of a company before collecting its
users’ data.
The attorney general, rather than a court, must
approve “minimization procedures” for handling the data of U.S. persons
that is collected under 12333, to protect their rights. I do not know
the details of those procedures. But the director of national
intelligence recently
declassified a document (United States Signals Intelligence Directive 18) showing that U.S. agencies may retain such data for five years.
Before
I left the State Department, I filed a complaint with the department’s
inspector general, arguing that the current system of collection and
storage of communications by U.S. persons under Executive Order 12333
violates the Fourth Amendment, which prohibits unreasonable searches and
seizures. I have also brought my complaint to the House and Senate
intelligence committees and to the inspector general of the NSA.
I
am not the first person with knowledge of classified activities to
publicly voice concerns about the collection and retention of
communications by U.S. persons under 12333. The president’s own Review
Group on Intelligence and Communication Technologies, in Recommendation
12 of
its public report, addressed the matter. But the review group coded its references in a way that masked the true nature of the problem.
At
first glance, Recommendation 12 appears to concern Section 702 of the
FISA Amendments Act, which authorizes collection inside the United
States against foreign targets outside the United States. Although the
recommendation does not explicitly mention Executive Order 12333, it
does refer to “any other authority.” A member of the review group
confirmed to me that this reference was written deliberately to include
Executive Order 12333.
Recommendation 12 urges that all data of
U.S. persons incidentally collected under such authorities be
immediately purged unless it has foreign intelligence value or is
necessary to prevent serious harm. The review group further recommended
that a U.S. person’s incidentally collected data never be used in
criminal proceedings against that person, and that the government
refrain from searching communications by U.S. persons unless it obtains a
warrant or unless such searching is necessary to prevent serious harm.
The
White House understood that Recommendation 12 was intended to apply to
12333. That understanding was conveyed to me verbally by several White
House staffers, and was confirmed in an unclassified White House
document that I saw during my federal employment and that is now in the
possession of several congressional committees.
In that document,
the White House stated that adoption of Recommendation 12 would require
“significant changes” to current practice under Executive Order 12333
and indicated that it had no plans to make such changes.
All
of this calls into question some recent administration statements. Gen.
Keith Alexander, a former NSA director, has said publicly that for
years the NSA maintained a U.S. person e-mail metadata program similar
to the Section 215 telephone metadata program. And he has maintained
that the e-mail program was terminated in 2011 because
“we thought we could better protect civil liberties and privacy by doing away with it.”
Note, however, that Alexander never said that the NSA stopped
collecting such data — merely that the agency was no longer using the
Patriot Act to do so. I suggest that Americans dig deeper.
Consider
the possibility that Section 215 collection does not represent the
outer limits of collection on U.S. persons but rather is a mechanism to
backfill that portion of U.S. person data that cannot be collected
overseas under 12333.
Proposals
for replacing Section 215 collection are currently being debated in
Congress. We need a similar debate about Executive Order 12333. The
order as used today threatens our democracy. There is no good reason
that U.S. citizens should receive weaker privacy and oversight
protections simply because their communications are collected outside,
not inside, our borders.
I have never made
any unauthorized disclosures of classified information, nor would I
ever do so. I fully support keeping secret the targets, sources and
methods of U.S. intelligence as crucial elements of national security. I
was never a disgruntled federal employee; I loved my job at the State
Department. I left voluntarily and on good terms to take a job outside
of government. A draft of this article was reviewed and cleared by the
State Department and the NSA to ensure that it contained no classified
material.
When I started at the State Department, I took an oath
to protect the Constitution of the United States. I don’t believe that
there is any valid interpretation of the Fourth Amendment that could
permit the government to collect and store a large portion of U.S.
citizens’ online communications, without any court or congressional
oversight, and without any suspicion of wrongdoing. Such a legal regime
risks abuse in the long run, regardless of whether one trusts the
individuals in office at a particular moment.
I am coming forward
because I think Americans deserve an honest answer to the simple
question: What kind of data is the NSA collecting on millions, or
hundreds of millions, of Americans?
outlook@washpost.com
No comments:
Post a Comment