Senator Lindsey Graham (R-SC) had a lot of questions for intelligence agency officials at a June Senate Judiciary Committee hearing on the FISA Amendments Act, a key law authorizing major government surveillance programs. The law is set to expire in December 2017 unless reauthorized by Congress. FISA stands for the Foreign Intelligence Surveillance Act, a law originally passed in 1978.
“Is it possible to find out if I, Lindsey Graham, was incidentally collected talking to a foreign leader abroad?” the Senator asked a senior attorney with the National Security Agency (NSA). The attorney could not answer his question, which understandably appeared to frustrate Graham. Graham continued by asking if his conversations could be collected and his identity revealed if someone within the intelligence community asked, only to end up using it against him politically.
Intelligence community witnesses explained that if his conversations with targeted foreign leaders were indeed collected, his identity would be masked by default. One intelligence official added that unmasking the identity of any Member of Congress or their staff would require the approval of the Director of National Intelligence (DNI) under what are called “Gates Procedures,” named after former CIA Director Robert Gates. Furthermore, Congressional leadership is notified when there is an agency request to unmask the identity of a Member of Congress whose information is swept up during foreign surveillance. Declassified documents released two weeks after the hearing provide details on the Gates Procedures, which date back to 1992, and may help Graham in his quest to figure out if the spying program swept up his communications.
But while Graham’s line of questioning focused on his own privacy, there are also questions related to the privacy of the American public at large. For instance, to this day, a seemingly simple question remains unanswered: how many Americans have had their information collected during US surveillance operations targeting foreigners?
When the FISA Amendments Act went into effect in 2008, its Section 702 authorized the federal government to collect intelligence without individual warrants on foreign targets whose electronic communications passed through domestic US internet infrastructure. The law requires robust procedures—known as “minimization”—to shield identifying details about Americans whose information might be incidentally collected. Intelligence community officials say that Section 702 programs are a valuable tool, but critics have raised serious privacy concerns. That’s because while the program isn’t supposed to target Americans—either at home or abroad—their information can still end up in the government’s hands through incidental collection.
This incidental collection can occur when, for example, two foreign individuals abroad are targeted under Section 702 and they mention a US person by name, or when a targeted individual abroad comes in direct contact with a US person. The NSA’s minimization procedures are supposed to protect an incidentally collected US person’s information from disclosure “unless it is necessary to understand or assess the intelligence,” according to two former NSA attorneys.
Based on this, the NSA decides whether or not it keeps the person’s identity masked before being disseminated to other intelligence agencies. According to the DNI's 2016 Statistical Transparency Report, even after the US person’s identity is masked and disseminated, the receiving intelligence agency can request that the NSA unmask it if they have a “need to know.” The same report indicates that the NSA shared incidentally collected information relating to almost 4,000 Americans with other agencies. But that number only reflects how many US persons’ information were eventually disseminated to other agencies. It does not reflect the actual number of incidental collections by the NSA in total.
Senator Ron Wyden (D-OR) and then-Senator Mark Udall (D-CO) touched upon this very same issue back in 2011. Six years later, Wyden is still asking how many Americans have had their information collected by government surveillance programs. So have civil society groups—including the Project On Government Oversight, which in October 2015 signed on to a letter asking for an estimate of the number of Americans whose information is swept up in incidental collection.
Yet this estimate is still nowhere to be found.
Intelligence officials have indicated that they have looked into producing a number but have had difficulty doing so. For example, NSA Director Mike Rogers testified before the Senate Intelligence Committee indicating that “we're looking to see if we can quantify something that's of value” to lawmakers and groups asking how many Americans’ private conversations were collected. However, Rogers added that the intelligence community would need to infringe on those Americans’ privacy rights to acquire an estimate. In the same hearing, DNI Dan Coats was pressed by Wyden on when they could have an estimate. Coats argued that no date could be given, repeating what Rogers mentioned about infringing on Americans’ rights to acquire that number.
This was the same reasoning NSA provided last year to the Privacy and Civil Liberties Oversight Board (PCLOB), a key internal government watchdog that oversees the intelligence community. At the FISA Amendments Act hearing, Elisebeth Collins of PCLOB testified they had offered a number of recommendations to NSA in 2014, one of them being to count the number of telephone and internet communications coming from or going to the US that were incidentally collected. She also made note of a 2016 report, in which PCLOB indicates that NSA implemented all the other recommendations in part or in full. The NSA, the Board mentions, commented on the challenges of fully implementing the recommendation on publicly releasing information showing how many Americans’ communications get swept up, specifically by telephone or through the internet. The NSA added that they were still willing to cooperate with PCLOB, possibly by developing “alternative approaches” with them. But there is still no estimate.
Not everyone agrees that producing an estimate should be this challenging.
During the same hearing, Elizabeth Goitein of the Brennan Center for Justice stated that providing an estimate could be done without violating Americans’ privacy by, for example, “looking at the country code” to see if the telephone number is an American one. Collins argued that releasing estimates on incidentally collected telephone conversations is more feasible than doing so for internet communications. She stated that while she is sympathetic to the arguments made by the NSA that producing this number could violate privacy rights, she was adding her voice to those calling for the intelligence community to find a way to provide an estimate.
Collins’ presence at the hearing highlights another issue that should be fixed before Congress makes a decision about the future of Section 702: Collins is the lone remaining member of PCLOB’s five-person board—and without a quorum of at least three members, the agency can’t carry out much of its oversight mission, including starting new investigations. Thus, PCLOB is powerless to develop alternative approaches or other recommendations to the NSA. So until President Trump nominates new members and the Senate confirms them, Congress will miss out on a valuable source of expertise during a debate over some of the government’s sprawling surveillance programs.