AUSTIN, TX -- A good metaphor for the intersection of privacy and intelligence collection may not be a see-saw; that implies that a perfect balance can be struck between the two values. I picture a stork trying to balance on a Bosu ball. Occasionally, there will be moments of equilibrium, but the basic state is one of jitters and tension.
The Texas Law Review is holding a symposium here on privacy, technology and national security. Virtually everyone in the field, from academics to the Justice Department's senior national security prosecutor to investigative journalists like Michael Isikoff of Newsweek and Mark Mazzetti of the New York Times are all participating in some fashion.
Planners expect a frank debate on many significant issues; some of them are beyond the ken of a blog post. Others are too important to ignore. Today, two men shared a ride from the Austin airport to a downtown hotel. One was William C. Banks, the director of the Institute for National Security and Counterterrorism at Syracuse University. The other was Alexander Joel, the civil liberties protection officer of the Director of National Intelligence. Coincidentally, both men have published papers for this symposium; the subject is the same: the scope and limitations of technological intelligence collection. Their approaches illustrate the Bosu-ball metaphor quite profoundly.
Banks argues that the FISA Amendment Act of 2008 creates an over-broad executive power to collect the e-mails and telephone calls of Americans without sufficient legal safeguards and without due attention to the problems of minimization. Minimization, in essence, is the legal term for the constraints placed upon the government's ability to retain non-relevant private information collected legally. Here is the technical definition of "minimization," as supplied by 50 U.S.C. 1806 (A):
Information acquired from an electronic surveillance conducted pursuant to this subchapter concerning any United States person may be used and disclosed by Federal officers and employees without the consent of the United States person only in accordance with the minimization procedures required by this subchapter. No otherwise privileged communication obtained in accordance with, or in violation of, the provisions of this subchapter shall lose its privileged character. No information acquired from an electronic surveillance pursuant to this subchapter may be used or disclosed by Federal officers or employees except for lawful purposes.
So -- the saving grace for civil liberties is the requirement that the government get rid of the information it accidentally or incidentally collects on people that isn't considered foreign intelligence information. But how graceful is this saving? As Banks writes, the nature of programmatic surveillance makes it extremely difficult for a lay person to figure out how minimization actually protects their information. He gives, as an example, a hypothetical FISA warrant that would authorize NSA intercepts of foreign telephone traffic and e-mails to and from the large, mostly Muslim neighborhoods of Detroit. Such a warrant could authorize long-term surveillance. And while the NSA has enormous computers and thousands of employees trying to hunt and peck through baskets of data in real time, a significant amount of innocuous and innocent communications will almost certainly be stored in a government cloud somewhere for later processing. All we know publicly about FISA minimization is that the government has to provide the FISA court with a blueprint for how it will go about minimizing whatever data it collects pursuant to a particular warrant. The specific minimization procedures are highly classified. And the government has wide latitude to determine what information to keep and what to discard, providing that it has some connection to "foreign intelligence information."
"By implication," Banks writes, "the government may compile databases containing foreign intelligence information from or about U.S. persons, retain the information indefinitely, and then search the databases for information about specific U.S. persons." If the goal of minimization is to prevent precisely such data storage and retrieval -- and by statute that seems to be the case -- then the concept of minimization has been "seriously compromised." As of today, the technology does not exist to minimize quickly; oversight is limited; Congress has little expertise in the matter (and often doesn't have the intellectual capacity to conduct oversight), and the watchers are watching themselves.
Realistically, what type of information could the government legally collect on...say...a blogger who writes about terrorism? If, say, the FISA court authorizes a warrant to monitor traffic to and from IP addresses in a certain part of Pakistan, one might assume that the blogger's email -- if it contains notes from a conversation with an academic or even from a book -- could trigger certain alarms in NSA data-mining programs. The absence of the ability to connect this innocent blogger to terrorism may not be evidence of absence; the connection might not be apparent yet. A blogger might just be a blogger, or she might be something else. It appears as if -- on the basis of current law -- that the NSA could legally keep e-mails to and from this blogger on the subject of terrorism -- even if the intention of the blogger -- a U.S. citizen -- is to write knowledgeably about terrorism. Indeed, former intelligence officials have a disturbing habit of assuming that their e-mails and telephone conversations are monitored -- not on purpose -- but because they, by dint of their post-career academic or consulting lives -- find themselves on the periphery of some basket warrant.
Mr. Joel has served as the DNI's chief privacy officer since the agency's beginning. In his paper, while not addressing minimization per se, he provides an explanation of sorts as to why the intelligence community struggles -- and why Americans are reasonably suspicious about the extent to which the folks at the CIA or NSA or FBI actually take seriously their privacy concerns. He notes that, for one thing, intelligence collection and retention procedures are necessarily classified, which means, firstly, that popular culture, not fact, will influence how Americans think about the subject. Most fictional portrayals of intelligence collection exaggerate the technological capabilities an agency has. That's good, in a way, for the IC -- let the bad guys think we can target them so precisely. But Joel suggests that the "fictional imagery of the IC's technological prowess may cause others to fear that such powerful capabilities could be abused and misued, and question how these types of capabilities could ever be controlled."
In essence, when the intelligence community publicly addresses privacy concerns, it is confronting the reality -- which it cannot talk about -- and the perception -- which it cannot defend. Joel is a technologist. He wants to set security and liberty baselines, and then, as security concerns warrant, add technological or human counterbalances to keep the stork on the Bosu ball balanced.
An example Joel does not give, but one that might be illustrative, would be the introduction of self-auditing technology to NSA data collection -- while collectors were analyzing the data for patterns relating to terrorism, the same technology could allow civil liberties protection officers to analyze the collectors' analysis for violations of civil rights.
Again, though, this solution is recursive. It relies only on quasi-independent overseers like inspectors general and general counsels and, at the top, the President's Intelligence Advisory Board, a panel appointed by...the president...to, among other things, make sure that the president isn't abusing executive power.
Joel concludes that "making technology choices at the intersections of privacy and security do not require tradeoffs." I wish this were self-evidently true, but since I do not know how quickly minimization occurs, or what it entails, or how many U.S. persons are subject to basket warrants, or what type of data is collected, or how it is collected, or how long it remains in storage, or whether Congress can provide appropriate oversight -- I -- speaking for the average American -- am going to be skeptical. And appropriately so. There are indications that the volume is the biggest problem, and not any nefarious Glenn Beck-ian government data collection scheme. The big secret is that the technology does not exist to handle all the data in a way that comports with our expectations; certainly, the intelligence community would love not to have to store the data; they'd love to mine it in real time; they'd love -- well, most of them, except for the occasional peckerheaded analyst -- nothing better than to not have to collect on US.. persons who have nothing to do with terrorism. On this I think both Banks and Joel would agree.