PRISM's Legal Basis: How We Got Here, and What We Can Do to Get Back

A privacy scholar explains the recent news about government surveillance.

The National Security Administration building and a copy of the U.S. Foreign Intelligence Surveillance Court order to Verizon (AP/Patrick Semansky and AP)

In the past two days, the press has provided unprecedented revelations of how pervasive the secret surveillance state has become. Leaks reveal that the FBI and NSA have received all Verizon Business Services telephone call records , including geolocation data; and the NSA uses a program called PRISM to access user content held by Google, Facebook, Microsoft, and Apple. How can a country that constitutionally protects privacy permit its government to spy on such a scale?

The Fourth Amendment prevents dragnet surveillance by requiring law enforcement to go to courts and show probable cause. These dual requirements of court oversight and a legitimate, targeted investigation ensure that people will not be subject to general searches by an abusive government. But intelligence-gathering that involves "the activities of foreign powers" is treated differently, whether it occurs inside or outside of the United States.

Foreign intelligence is the exception that has swallowed the Fourth Amendment whole. As my colleague Anjali Dalal points out, people probably believe that foreign intelligence law is " supposed to be going after foreign intelligence ," but its impact on Americans is surprisingly broad. In 1978, Congress set up a system governing foreign intelligence surveillance. The surveillance programs leaked in the past two days are the results of the post-9/11 version of this system. The Verizon call records, which include phone numbers, location data, and timestamps, were authorized as the collection of "business records" under the PATRIOT Act. And the PRISM program--which allows the NSA to access content such as emails, search histories, and audio chats-- is authorized as part of "foreign intelligence" gathering under the 2008 Amendments to the Foreign Intelligence Surveillance Act (FISA).

It is crucial to understand that the foreign intelligence system as it currently exists fails to require both adequate targeting and adequate oversight. The system allows intelligence agencies to gather an enormous amount of information "incidental" to any investigations. And it does so with minimal court and Congressional oversight. If the revelations of the past two days have taught us anything, it is that revision of our foreign intelligence surveillance system is a constitutional necessity. If the Fourth Amendment is to have any meaning, Congress must untangle the current web of broad authorizations and broad secrecy that allows the government to escape judicial accountability for its acts.

First, there is the question of whom the surveillance targets. PRISM spies on Americans. The Director of National Intelligence emphasized yesterday that PRISM targets only " non-U.S. persons located outside the United States ." But the press release also acknowledges that "information about U.S. persons" may be "incidentally acquired" in such pursuits. Targeting is not the same as collecting; the program may "target" foreign persons, but "acquire" information on Americans.

The current scope of this "incidental" surveillance will shock most Americans. Before 2008, the law limited "incidental" surveillance by limiting primary surveillance. The government had to show probable cause that its surveillance target was the agent of a foreign power, and that the facility being watched was about to be used by that target. You could be incidentally observed if you communicated with a targeted foreign agent, but otherwise foreign communications were likely to be unmonitored.

But in 2008, the FISA Amendments Act (FISAAA) changed this. The government now does not need to show probable cause that the target is a foreign agent. It need only have a "reasonable belief" that the target is located outside of the United States. The new version of FISA does not require the government to identify its targets; it does not require the government to identify the monitored facilities; and the purpose of foreign intelligence gathering attaches to the whole surveillance program, not the individual investigation. That is to say: the FISA Amendments Act permits the government to obtain a single court order through which it can monitor thousands, or even millions, of people. The scope of "incidental" surveillance thus vastly expanded as Congress lowered the requirements for spying on the primary target.

Such a system will inevitably sweep in untold numbers of Americans who communicate with foreigners. And because the government need have only a "reasonable belief" that the target is outside the United States--which it is interpreting according to the Washington Post as a 51% chance that the target is outside the U.S.--this system will undoubtedly sweep in purely domestic communications as well.

This brings us to the issue of oversight: who is watching the watchers? The Director of National Intelligence assures us that PRISM is "subject to oversight by the Foreign Intelligence Surveillance Court, the Executive Branch, and Congress." It is true that in December 2012 Congress renewed the law that allows PRISM to exist. But what kind of oversight did Congress actually provide? When Senators Ron Wyden and Mark Udall asked whether communications by Americans had been gathered under the law, the Director of National Intelligence responded that it was not possible to identify the number of people in the United States whose communications were reviewed. How effective can Congressional oversight be if Congress does not understand the scope and nature of the programs it has authorized?

At the core of the problem is that the Foreign Intelligence Surveillance Court (FISA Court), which meets in secret and does not publish its opinions, itself does not provide adequate oversight. When Congress changed the standard for targeting foreign individuals in 2008 , it abolished the ability of the FISA Court to evaluate whether the government had any real cause to target an individual or group of individuals. The Supreme Court itself disputes whether the FISA Court enforces the Fourth Amendment. The "minimization procedures" touted by the Director of National Intelligence as adequate privacy safeguards are established by the government, evaluated by the government, and are subject to review by a secret court--if review occurs at all. And as a general practice, FISA "minimization" hasnot been true minimization: it occurs after information is already acquired.

The existence of PRISM and the Verizon metadata program, both authorized by the FISA Court, confirms that a secret court broadly authorized by an uninformed Congress will not adequately protect the Fourth and First Amendment rights of American citizens on American soil.

So what can we do?

The first instinct might be to look to federal courts to protect our constitutional rights. But in February of this year, the Supreme Court effectively closed that avenue of recourse at least with respect to PRISM in Clapper v. Amnesty International. The majority of the Court found that the group of lawyers, journalists, and human rights advocates who challenged the constitutionality of the law that authorizes PRISM could not show that they had been injured by it. The Court explained that the alleged surveillance was too speculative; the group could not get into court unless it showed that surveillance of its members was "certainly impending."

One might think that a new lawsuit could show that surveillance is "certainly impending," because we now know that the PRISM program exists. But this is not clear. Any plaintiffs would probably still face the significant hurdle of showing that the government has spied on them in particular, or their foreign correspondents. And while the existence of a similarly pervasive spying program led the Ninth Circuit to find that a similar lawsuit could proceed, that case came down before the recent Supreme Court opinion.

The best solution, then, is Congress. Congress must repeal the FISA Amendments Act, which it regrettably reauthorized in 2012. Otherwise the revelation that the government can and does spy on Americans through Internet companies will chill expression, chill free association, and threaten our society's growing reliance on cloud computing for everything from intimate communications to business transactions. And Congress should reevaluate the secrecy surrounding our entire foreign intelligence-gathering system, because if the past two days have shown anything, it is that lack of oversight leads to extraordinary abuses.