A Proposed Agenda for a New PCLOB

This piece originally appeared on Lawfare.

President Trump recently nominated Travis LeBlanc and Aditya Bamzai as members of the Privacy and Civil Liberties Oversight Board (PCLOB), placing a full set of five nominees before the Senate and creating the possibility that the inquorate body could soon be revived. (A quorum requires three members; since early 2017, the body’s only member has been Elisabeth Collins.) This would be a welcome change. The PCLOB provides vital oversight on major surveillance activities shrouded in secrecy and serves as an important liaison between the intelligence community and Congress.

In the event the PCLOB begins working again, it will have a wide array of potential issues to take on. The top priorities for its agenda should be an examination of the call detail record (CDR) program set to expire next year, lingering transparency problems with Section 702 of Foreign Intelligence Surveillance Act (FISA), and an examination of the disparate impact of counterterrorism surveillance.

1. Review the impact and value of, and potential reforms to, the call detail records program

Created by the USA Freedom Act in 2015, the National Security Agency’s CDR program collects communications records that are what NSA calls “two hops out” from a target—anyone who communicates with the people a target talks to. The “business records” provision of FISA—previously used for bulk collection and now the basis for the CDR program—is set to expire at the end of 2019. That may seem far off—but as the haphazard Section 702 reauthorization demonstrated, obtaining consensus on FISA surveillance can be complicated, and waiting until the month before a law expires to advance legislation can cause problems. Developing a consensus plan for the business-records provision’s sunset clause should be a priority in early 2019 for Congress, who may very well wish to adjust, narrow or even eliminate the CDR program. The PCLOB can serve as a critical resource both in providing information to Congress and suggesting what reforms are necessary.

To support an effective debate for next year’s reauthorization, the PCLOB should investigate several problems with the CDR program and examine whether reining in the program—or even ending it—is in the nation’s best interest. Notwithstanding the tremendous gains provided by the USA Freedom Act, significant issues still surround the business-records provision. In late June, the NSA deleted all call detail records obtained since 2015 because technical failures, apparently stemming from telecommunication providers, resulted in overcollection beyond the law’s authority. And despite having years to adjust to new circumstances since the USA Freedom Act’s passage, the agency has failed to provide a public estimate of the number of unique identifiers swept up by the program. This is especially important as the sunset date approaches, because it leaves Congress and the public unable to evaluate how broadly the CDR program impacts privacy. And at the same time, the intelligence community has offered no evidence that the program is of unique value.

It’s critical that the public learns more about the technical problems that led to unlawful overcollection and the NSA’s deletion of all call detail records collected since 2015. The overcollection may have involved broad violations of Americans’ privacy rights. Yet the public does not know why this problem occurred, how many people it affected, why it took the agency years to discover the issue, and how the intelligence community plans to ensure that it will not reoccur. The PCLOB can shine a light on these serious concerns.

For any effective debate on the CDR program, the public needs to be able to assess its harms and benefits. Unfortunately, right now there is little concrete data available on either. Transparency reports on how many Americans are affected by the program would be of considerable value. The PCLOB should investigate why this estimate of U.S. persons affected hasn’t been provided, and if doing so in the near future is feasible. If it isn’t, the board should provide a detailed description of the overall privacy impact of the CDR program. The PCLOB can also provide key insights into whether the program provides any unique security value. In assessing security value, the board should look both at the program as a whole, as well data obtained from “second hop,” given that this feature affects the broadest set of individuals and those most remotely connected to investigative targets.

Finally, the PCLOB should evaluate whether current retention schemes are necessary and the value of additional minimization rules. The fact that NSA was willing to delete all call detail records because an unknown portion were tainted reflects that broad retention may not be as important as the intelligence community initially believed during the USA Freedom Act debate. In light of this, Congress might consider stronger retention limits and minimization rules during the reauthorization debate, such as the “enhanced minimization” provision in the 2014 version of the USA Freedom Act, which required that records of individuals not believed to have knowledge of an investigative target be deleted. An examination of the subject by PCLOB would aid any consideration of new backend retention and minimization rules put forward during the reauthorization debate by providing more data on what, if any, value broadly retained data provides.

2. Reexamine the feasibility of transparency measures for Section 702

The government adopted many of the reforms the PCLOB recommended in its 2014 reports on FISA, such as ending bulk collection, creating a system to declassify novel FISA Court opinions, and release of Section 702 minimization procedures. Unfortunately, transparency about how many U.S. persons are affected by warrantless Section 702 surveillance stands out as a failure, with the intelligence community delivering inconsistent messages rather than the information that privacy advocates, the PCLOB and members of Congress desire.

The PCLOB should investigate the feasibility of developing an estimate of how many U.S. persons’ communications are collected with Section 702 surveillance—critical information requested by members of Congress for seven years. In December 2016, then-Director of National Intelligence James Clapper promised Congress that his office would provide this estimate in early 2017, well before the law’s reauthorization at the end of that year. Unfortunately, ODNI recanted that promise soon afterwards, with Clapper’s successor, Dan Coats, vaguely justifying this about-face under privacy and accuracy concerns. However, privacy advocates long ago expressed disagreement that the estimate would pose insurmountable privacy concerns. And while accuracy is essential, it is difficult to imagine that insurmountable obstacles to achieving it emerged in the six months between former Clapper and Coats’ statements. The PCLOB should investigate what caused this dramatic shift in ODNI’s commitment, and set out the necessary steps to obtaining an estimate.

Another area of failed Section 702 transparency involves queries of U.S. persons. The USA Freedom Act requires the NSA and CIA to report how often it queries for U.S. persons’ communications from Section 702 databases—a critical transparency provision, given that these queries involve deliberately seeking out Americans’ communications absent a warrant or court approval. However, this requirement does not apply to the FBI. This is a major carve-out, given the agency’s dual intelligence and law-enforcement functions.

In its 2014 report on Section 702, the PCLOB explained that accurately reporting how often the FBI queries for U.S. persons’ communications from Section 702 databases would be highly difficult because the bureau has commingled databases. However, the board failed to follow up to examine an alternative that would achieve the transparency the PCLOB desired: a report on how often an FBI query for a U.S. person returns Section 702 data. In fact, pursuant to FISA Court requirements, the FBI already reports this for queries conducted solely for law enforcement purposes. The PCLOB should examine whether any obstacles exist to conducting a full count of U.S. person queries by the FBI that return Section 702 data, and if so, how those obstacles could be overcome.

3. Investigate and report on targeting of and disproportionate impact of surveillance on religious minorities and people of color

Civil rights are naturally entwined with civil liberties, and surveillance is no exception. The PCLOB has provided significant insight into the breadth and impact of counterterrorism surveillance, but it has not specifically focused on the disparate impact of this surveillance on certain communities.

Such examination is long overdue.

The Section 215 telephony metadata bulk collection program was preceded by a similar program run by the DEA and focused on international calls to 116 countries, including most of Central and South America, which disproportionately affected Hispanic-Americans. After 9/11, with the intelligence community’s support, the NYPD developeda sweeping surveillance program targeting Muslim communities that operated for over a decade, resulting in mistrust toward law enforcement and serious harm to these communities’ exercise of constitutional rights. According to a June report by the Brennan Center, in 85 percent of grants from the Countering Violent Extremism program, which many civil rights and civil liberties advocates have condemned as a form of pervasive surveillance, “Muslims and other minority groups are explicitly targeted.”.

The public has practically no information on the FBI Counterterrorism Division’s actions, if any, focused on what an FBI report termed “Black Identity Extremists.” We have no knowledge of whether or the extent to which the CDR program and Section 702 surveillance might disproportionately impact religious minorities or people of color. No public information exists on why the Department of Homeland Security has engaged in surveillance of Black Lives Matter activists, or if these actions are ostensibly connected to its counterterrorism mission. Privacy advocates, and the public generally, need to shine a light on these issues and activities, both to provide direct oversight and accountability and to reduce the chilling effect that communities experience when they feel the government is constantly looking over their shoulders. The mistrust that such surveillance breeds also severs important relationships between law enforcement and these communities, which in turn hampers law enforcement efforts in a variety of ways.

The PCLOB has thus far framed its investigations around specific surveillance programs and legal authorities—a useful service as Congress evaluates potential changes to those authorities. But the litany of potential harms to certain communities stemming from surveillance demonstrates that there would be significant value in centering some of the Board’s activities on who that surveillance impacts.

There is a huge array of issues the new PCLOB could take on, and the variety of priorities discussed above would give the PCLOB the chance to have a positive impact in a several of ways. By looking forward to the 2019 sunset, the PCLOB can aid Congress and the public in ongoing policy decisions. By looking back to unanswered questions on Section 702, it can ensure that previous failures do not end the debate on important transparency issues. And by looking in a new direction towards questions of civil rights and disparate impact, the PCLOB can facilitate a broader discussion within the intelligence community and national security circles regarding critical issues to consider in policymaking. It is a broad and ambitious agenda—but one well worth pursuing.