What does it mean to "get FISA right"?
Published March 04, 2009 @ 08:04AM PT
As a member of "Get FISA Right", I find myself asking, "What does 'get it right' mean?" I don't have a definitive answer, but let me give a few thoughts as a basis for a discussion of the topic.
The Foreign Intelligence Surveillance Act (FISA) was originally passed in 1978 in order to balance the legitimate need to spy on the nation's foreign enemies with the Constitutional rights of her citizens, and especially to curb existing abuse. Technology has changed dramatically since it was written, and our enemies are different. Also, there has been a new round of abuse. All of these must be addressed.
To "get it right", let me suggest that we need:
1. One law that covers all spying
2. Require warrants when the US spies on
   - Anyone in the US
   - US persons (citizens and resident aliens) anywhere
3. Allow the intelligence agencies to spy freely on foreigners overseas, even if the taps are in the US
4. Require Executive, Judicial and Congressional oversight when protected and unprotected communications are entangled.
5. Criminalize violation of the Constitution.
Item #4 is a knotty one. Since foreign and domestic traffic flows through the same "pipes" and is in the clear, and it is not easy to tell just from the content who the participants are, software that sorts what can legally be captured from what cannot can violate the Constitution and the law if it uses the wrong algorithm or has a bug. This is what the "targeting" and "minimization" procedures are all about. There must be diligent oversight, and it requires esoteric expertise. It requires nerds and Constitutional Law experts. And the jurisdiction to oversee.
#5 may seem superfluous, but is important. If your Constitutional rights are violated, you can sue, but only if you prove you have "standing". If the violation was done in secret, that can be hard to prove. If the criminal law is violated, the Department of Justice and Law Enforcement can and should investigate and prosecute.
That's my framework. What do you think?
For a longer discussion, let me recommend the following blogs from last summer (disclaimer: #3 is by me):
1. David Kris's "A Guide to the New FISA Bill", Part I, Part II and Part III.
2. Wes Walls' "Understanding Recent Changes to FISA -- A Visual Guide (Flowchart)"
3. Jim Burrows' "I think I understand the FISA bill. Do I?" (at Blogspot. Also on Daily Kos, LiveJournal, MySpace, and Vox)
4. Wes Walls' "FISA Revisited"
5. Paul Russell's three-part "Figuring Out FISA"
Comments
Thanks for taking the lead on this, Jim, and framing things so well. It’s the best short overview of this complex issue I’ve seen — and the best short bibliography, too.
We’re looking for other people to post on “What does it mean to get FISA right”. The ideal format is a post of any length on your blog, and a 500ish word guest post here and on the ideas for change blog at change.org. If you’re interested, please leave your name here in a comment.
And if there’s somebody you think would be good, please leave their name here and send them the link so that they can get involved!
jon
Posted by Jon Pincus on 03/04/2009 @ 09:08AM PT
I liked the fifth point, criminalizing Constitutional violations, at least until I read the next paragraph. "software that sorts what can legally be captured from what cannot can violate the Constitution and the law if it uses the wrong algorithm or has a bug" makes the criminalization less palatable. Who among us software devos would want criminal liability for bugs?
Actually I like the idea of criminalizing Constitutional violations in general. Another place it would make a powerful difference IMHO would be around police misconduct and illegal searches. Instead of suppressing illegal evidence and letting criminals walk because of police misconduct, allow the evidence but throw the cops that misbehave in jail. Seems similar in concept to this proposal.
Back to FISA, require Executive, judicial, and Congressional oversight. Period. Maybe raise the bar and increase the scrutiny when communications are intermingled.
One thing, there needs to be some provision for exceptional circumstances that require timely action without warrants being issued, subject to retrospective review. I'm thinking of a possible situation in which surveillance identifies a previously unknown actor involved in an operation in progress, and the time to obtain a warrant would significantly increase the likelihood of a successful attack. That's where aggravated criminal charges should result in the event of abuse, IMNSHO.
Posted by Bruce McCulley on 03/04/2009 @ 07:17PM PT
Re: "Who among us software devos would want criminal liability for bugs?"
Makes a pretty compelling argument for a code review, now doesn't it?
And what are code and design reviews but another form of oversight? So, in addition to Executive, Judicial and Legislative oversight, perhaps we need to provide Technical oversight, at least when something as tricky as disentangling Constitutionally protected communications from legitimately targeted intelligence is involved.
I believe that this is what the whole notion of targeting and minimization procedures is. Congress or the court really cannot evaluate the technical soundness of software, so having them do technical oversight is foolish. What they might be able to oversee, though, is technical oversight. And so the technologists and the executive agencies that they report to design procedures that ensure that the right people are targeted, and that as little untargeted protected communications is captured as possible, and Congress (with the help of their technical advisers) reviews those procedures, and the statistics gathered and reported with regard to minimization failure rates etc.
The FISA amendment bill provided at least one cut of that approach. I'm not convinced that it was all that great a procedure, but it was in the ballpark. Its biggest failure, I think, is that it relied too strongly on the Congress and not enough on the Judiciary for oversight. But that is understandable. Congress trusts Congress.
A really strong procedure would not only specify the basic roles of the three branches, but offer a sketch or outline of a rev zero of the procedures in order to illustrate the sort of targeting, minimizing and technical soundness reviews that are being envisioned.
Posted by Jim Burrows on 03/04/2009 @ 10:54PM PT
Agreed that code reviews are a good thing, but I see problems in getting code implementing intelligence collection vetted in open forums. Something a lot of folks don't realize is that classification is about preventing the adversary from gaining detailed knowledge about capabilities, including intelligence collection capabilities.
So, if we have open vetting of algorithms that select calls for monitoring and exclude those calls deemed protected, does it enhance the adversaries' ability to camouflage their calls to evade monitoring?
How much does that impair intelligence collection?
How much does it enhance protection of constitutional rights?
Does the risk from impaired intelligence collection outweigh the protection of constitutional rights, or vice versa?
If the ability of adversaries to evade intelligence collection monitoring were to enable a successful attack, who would be blamed for the successful attack?
As long as the answer to that question is the folks who do intelligence collection, expect them to resist fetters on their ability to do their job.
Point is that there has to be a reasonable balance, and sometimes it falls short of the ideal. Intuitively I would feel that technical oversight would be a particularly difficult point to craft an appropriate balance.
Posted by Bruce McCulley on 03/05/2009 @ 08:41PM PT
I'm not at all convinced that it is necessary for the code or algorithms to be open. They could, for instance, be vetted using carefully defined vetting procedures and those procedures could be reviewed in an open process. I believe, in fact, that was in essence what last summer's FISA amendment attempted to do.
If you will recall, the bill requires the adoption of "targeting and minimization" procedures and defines the requirements for these procedures. It requires that these procedures be reviewed regularly through several mechanisms. The Attorney General and the DNI must review them semiannually and report to the FISA Court, the congressional intelligence and judiciary committees, per 702 (l) (1). The Inspector Generals of the DOJ and each intelligence agency, per 702 (l) (2), must also review the procedures, including the numbers of untargeted individuals who were hit and so on, and report their results to the AG, the DNI and the intelligence and judiciary committees. Finally, the head of each agency must, per 702 (l) (3), review each acquisition, compiling statistics and newly developed procedures and report them to the FISA Court, the AG, the DNI and the intelligence and judiciary committees.
I'm not convinced that these reviews will necessarily provide adequate technical oversight, given that what they require to be reviewed are administrative procedures and statistics, with little or no reference to any of the technical aspects. But it seems clear that they were attempting to make the intelligence agencies and the DOJ answerable to the Congress and to the FISA Court.
I'm further not convinced that these procedures result in enough transparency and openness to the citizenry, given our obvious need for increased accountability, but the layered model of review that they embody would seem to be the way that you balance the need to gather intelligence and to do so in a confidential way with the need to protect civil liberties and stay within the Constitution.
JimB.
Posted by Jim Burrows on 03/06/2009 @ 02:40PM PT
Let me bring up an example of a technical issue that I think the Congress can address without themselves having a deep understanding of the technology involved.
If I were to design a system to tap Internet email, extracting only communications that are between foreign persons located overseas (who are not protected by the Constitution), I would split the feed at major access points in the internet and run the full stream through filters that looked for information of interest contained in messages whose to and from addresses passed requirements of being identifiable as non-US persons located outside the US or specific people contained in my warrants database.
This would result in several types of data: Communications of interest that the gov't has a right to (foreign or warranted), communications that the gov't is known to have no right to, and information of indeterminate type. Obviously interesting communications that are legitimate to tap should be turned over to a human.
But what is my system allowed to do with the rest? Must it discard or destroy it? Or would it be reasonable to take some of it and, without letting any human see it, save it for later processing? If a warrant is added, for instance, or an address is later found to be associated with someone for whom there was already a warrant, or an address is discovered to be outside the US, the historical data could be searched again and information of interest could be delivered to a human.
How about communications known to be between non-US persons located out of the US, but not recognized as being of any interest. Could it be kept for future rescanning? Could it be made available to humans to scan?
These questions determine how the code can be written and how information is stored, but are basically legal questions.
Posted by Jim Burrows on 03/06/2009 @ 02:38PM PT
One criticism thrown at the current FISA law is that it no longer requires a specific facility (a specific email address, phone number, IP address) to be given in a FISA address.
The obvious reason to drop this requirement is that warrants should be for people, not equipment, and in this day and age a temporary address can be picked up for one shot use. Prepaid phones are common, IP addresses are assigned by DHCP in coffee-shops. MAC addresses can be changed. You can sign up for a web-mail account in minutes.
Warrants tied to specific facilities can be easily rendered useless by a clever enemy who understands how you build a sleeper cell. The 9/11 guys knew how to build sleeper cells.
So, is there really any problem with not requiring specific facilities?
On the other hand, the new FISA depends upon where someone is and who they are. US persons are protected. Communications within the US are protected. Non-US persons outside the US are not. How do you know who someone is and where when you grab an email? I have email accounts in the UK and Germany, and a phone number in the UK. How do you know I'm a US citizen located in the US when I use them? What about the reverse?
Posted by Jim Burrows on 03/07/2009 @ 12:11AM PT