Friday, January 17, 2014

The White House seems to get a clue, but actually blows it again

Today, the Administration announced a number of substantial changes in NSA surveillance programs, what it calls "U.S. Signals Intelligence." Of particular note are those associated with the collection of so-called "metadata," a topic I've delved into substantially in the past. Back in June of last year, I discussed it in detail and explained what, exactly, the term represents:
Now, let's be clear on terminology here. "Metadata" is properly defined as data about data. It's data collected about specific groups of data. Thus for something like phone calls, the data would be all of the individual phone calls en toto, who made them, who was called, what was said, etc. But if we were to then look at this set of data from above (in a manner of speaking), we could collect a whole new set of data--times calls were made, locations made from, durations of calls, etc.--and compile that data with reference to those criteria alone. The internals of the calls wouldn't matter. That's metadata.
I also delved into the government's argument that the collection of metadata was not really on par with the collection of other sorts of data, that it lacked real significance for the individual, that it wasn't "personal" data as a matter of course and therefore was not an invasion of privacy of any sort. To that end, I cited Kieran Healy's excellent essay which demonstrates how metadata could easily have been used by the British in the eighteenth century to identify revolutionary leaders like Paul Revere.

Shorty after that piece, I explored the specifics of FISA, from noting why it was enacted into law to specifying what was explicitly required according to the legislation. With regard to the collection of data--meta or otherwise--by U.S. intelligence agencies, I spent a great deal of time explaining the concept of "minimization procedures," what they were, why they were required (by law), and how this requirement was not being met in the case of current NSA programs. Some details in this regard:
Still, the requirement for "minimization procedures" has once again come up (section (4)), so let's get a handle on what this means. 50 USC § 1801 provides all of the definitions for the terminology uses in Title 50. For "minimization procedures," it says the following:
(h) “Minimization procedures”, with respect to electronic surveillance, means—(1) specific procedures, which shall be adopted by the Attorney General, that are reasonably designed in light of the purpose and technique of the particular surveillance, to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;(2) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in subsection (e)(1) of this section, shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance;(3) notwithstanding paragraphs (1) and (2), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes; and(4) notwithstanding paragraphs (1), (2), and (3), with respect to any electronic surveillance approved pursuant to section 1802 (a) of this title, procedures that require that no contents of any communication to which a United States person is a party shall be disclosed, disseminated, or used for any purpose or retained for longer than 72 hours unless a court order under section 1805 of this title is obtained or unless the Attorney General determines that the information indicates a threat of death or serious bodily harm to any person.
Why is this in here? Simple, when FISA was passed in 1978, Congress did not want the Act to become the basis for a nationwide and continuous surveillance program, nor did it want ancillary information obtained by federal agencies used for purely political purposes (again, the whole point of FISA). So in this regard, any program that collects data on U.S. citizens is supposed to be close-ended, not open-ended, and non-vital information is supposed to be dumped, forthwith. FISA is specifically about not creating a permanent database on things like phone records. It doesn't matter if the data is regular run-of-the-mill data or if it is "metadata," the federal government is not supposed to be holding on to it, period.
The last line sums things up: any data collected by the NSA--or any other agency--on U.S. citizens for intelligence purposes cannot be retained indefinitely. This is, again, one of the principle goals of the FISA legislation, to prevent a permanent database of what-should-be-private information on U.S citizens. And in December of last year, the DC Court of Appeals agreed. In Klayman v. Obama, Judge Richard Leon found that this collection of metadata was a likely violation of the Fourth Amendment and furthermore, that the NSA was repeatedly violating the minimization procedures that it had established. In other words, there basically were no minimization procedures being followed, in direct contradiction to FISA.

And it would seem the Administration has finally realized--or rather admitted to--this reality. For in the Fact Sheet released today by the White House, there is the following (my boldface):
Section 702 is a valuable program that allows the government to intercept the communications of foreign targets overseas who have information that’s important to our national security. The President believes that we can do more to ensure that the civil liberties of U.S. persons are not compromised in this program. To address incidental collection of communications between Americans and foreign citizens, the President has asked the Attorney General and DNI to initiate reforms that place additional restrictions on the government’s ability to retain, search, and use in criminal cases, communications between Americans and foreign citizens incidentally collected under Section 702.
The question now is: just what are these restrictions? Here is the President's "policy memorandum" (also released today) that addresses the issue. With respect to the retention of data it says the following (my boldface):
Minimization. The sharing of intelligence that contains personal information is necessary to protect our national security and advance our foreign policy interests, as it enables the United States to coordinate activities across our government. At the same time, however, by setting appropriate limits on such sharing, the United States takes legitimate privacy concerns into account and decreases the risks that personal information will be misused or mishandled. Relatedly, the significance to our national security of intelligence is not always apparent upon an initial review of information: intelligence must be retained for a sufficient period of time for the IC to understand its relevance and use it to meet our national security needs. However, long-term storage of personal information unnecessary to protect our national security is inefficient, unnecessary, and raises legitimate privacy concerns. Accordingly, IC elements shall establish policies and procedures reasonably designed to minimize the dissemination and retention of personal information collected from signals intelligence activities... 
Retention: Personal information shall be retained only if the retention of comparable information concerning U.S. persons would be permitted under section 2.3 of Executive Order 12333 and shall be subject to the same retention periods as applied to comparable information concerning U.S. persons. Information for which no such determination has been made shall not be retained for more than 5 years, unless the DNI expressly determines that continued retention is in the national security interests of the United States.
Here is Executive Order 12333, section 2.3. The relevant portion, with regard to the retention of information (my boldface):
Agencies within the Intelligence Community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order.
To sum up, the retention of data--including metadata--is limited only by the procedures established by agency heads! In the case of data not explicitly covered in Section 2.3. (you can read for yourself what is covered; it's pretty complete), there is a five year limit. This is no change at all, no improvement whatsoever. As I noted above, the ruling by the DC Court noted that the procedures established by the NSA were being ignored. The President is basically punting the ball here, he's leaving the authority to establish minimization procedures with the NSA, after it has repeatedly demonstrated it cannot be trusted to follow its own rules. Outrageous. Stupid. Shameful.

Cheers, all.

No comments:

Post a Comment