Features, Online, Student Articles, Uncategorized — February 17, 2015 at 2:58 pm

Meaningful Transparency: The Missing Numbers the NSA and FISC Should Reveal

Julie Dickerson*

I. Introduction

In December 2013, the President’s NSA Review Group on Intelligence and Communications Technologies issued a report, Liberty and Security in a Changing World (“the Report”), that called for increased transparency of both the NSA’s intelligence gathering programs and the processes used by FISC to review them. Many Americans remain skeptical and disapproving of the NSA’s and FISC’s powers. To earn back the public’s trust, the government should issue an annual transparency report that (1) provides additional information regarding the NSA’s and FISC’s Section 215 orders, Section 702 orders, and surveillance orders, and (2) uses intuitive methods of representing the costs and benefits of each program.

II. Section 215

Section 215 of the USA-PATRIOT Act authorizes the FBI to request “tangible things” for the purposes of obtaining “foreign intelligence information not concerning a US person” or to “protect against international terrorism.” Pursuant to § 215, the NSA gathers 20–30% of all telephony metadata (grey box below) but only accesses a small percentage of it (white box below). According to Robert Litt, General Counsel of the Office of the Director of National Intelligence, “although [the intelligence community] collect[s] large volumes of metadata under this program, we only look at a tiny fraction of it.” The NSA should quantify Litt’s “tiny fraction.” To a skeptical public, non-quantified assurances sound like empty promises. Without substantive support, the public may wonder what stops the NSA from collecting 100% of metadata in the future or from looking at everything they collect. Before asking the public to trust the NSA’s discretion, the NSA should demonstrate its restraint with illustrations like the one below.

Figure 1: § 215 Communications

Figure 1

Moreover, FISC should reveal more information about its § 215 approval process. As shown in the graph below, FISC already publishes the number of standard § 215 requests it approves, as well as the number of requests that are modified before they are approved.

Figure 2: Standard and Modified § 215 Orders

Figure 2

FISC, however, does not specify the reasons why modification was required. Revealing these reasons would show the public how demanding the FISC review process truly is. For example, it is of greater concern if the majority of modifications were required to fix mere government failure to meet technical or formal requirements than if the modifications were required because the government failed to provide sufficient national security justifications for their § 215 requests or the scope of their requests were inappropriately large. The former suggests a cursory, or rubber-stamp review, while the latter two scenarios evidence major, substantive review. The chart below suggests how FISC could turn their existing bar graph into an additional pie-to-bar chart showing modification reasons.

Figure 3: Reasons for Modification

Figure 3

Viewing these charts together will demonstrate how thoughtful and careful the NSA and FISC are when exercising or approving § 215 powers.

III. Section 702

Under § 702 of the Foreign Intelligence Surveillance Act, the NSA uses information from U.S. electronic communication service providers to target non-Americans outside the United States for documented foreign intelligence purposes. The NSA collects more than 250 million internet communications under this power each year. While a large absolute number, it is unclear what percent of total internet communications these § 702 communications constitute. The NSA has revealed that the internet carries 1,826 Petabytes of information per day, the NSA touches 1.6% of that data in its foreign intelligence mission, and the NSA only selects 0.025% of that data for review. The net result is that NSA analysts look at a mere 0.00004% of the world’s traffic. These percentages of total data traffic, though indicative that the percent of § 702 communications collected is likely miniscule, do not map perfectly onto percentages of total communications.

Of the 250 million communications collected under § 702, 9% are collected via the NSA’s controversial “upstream collection” practice. Upstream collection refers to NSA’s interception of Internet communications as they flow through the Internet’s backbone of undersea cables. Despite the recent finding of the program to be constitutional by the Privacy and Civil Liberties Oversight Board (PCLOB), the upstream process has been criticized for picking up too many American (domestic) communications.

There are two types of domestic communications: wholly domestic (sent to and from a U.S. citizen) and one-end domestic (communications to, from, or concerning a U.S. citizen). Upstream acquisitions inadvertently sweep in tens of thousands, up to 56,000 wholly domestic communications (0.248% of all communications collected under § 702 upstream authorities). However, the number of one-end domestic communications remains unknown. The multiple categories – all Internet communications, communications collected under § 702, communications collected under the § 702 upstream program, and wholly domestic or one-end communications – combined with the mix of percentages and absolute numbers of both total data traffic and total communications can be difficult to keep straight. A simple chart placing the 56,000 wholly domestic communications (small black box below), in its greater context of all communications collected under the § 702 upstream program (the white box below) and all internet communications (big black box below), would demonstrates the NSA’s low margin of error.

Figure 4: All Internet Communications

Figure 4

The NSA should also reveal the number of Americans affected by the inadvertent collection of domestic communications. It is possible the wholly domestic and one-end domestic communications were the communications of just a few people, or 300 people, or perhaps 100,000 people. After noting how many Americans are implicated by the domestic collection, the NSA should:

  1. Contextualize the number of people affected (100,000 people, for example, is 0.031% of all Americans);
  2. Distinguish between wholly domestic and one-end domestic communications collected; and
  3. Define what it means to have one’s communications collected.

That is, along with any chart, the NSA should spell out what kinds of domestic communications it might intercept, how long it keeps them accessible on intelligence community servers, how many (if any) people look at them, and the minimization procedures for dealing with domestic communications. Currently, the NSA destroys communications “known to contain communications of or concerning United States persons” and all communications records are destroyed within five years.

The chart below exemplifies how the NSA could depict the number of Americans whose communications have been collected, the number of one-end domestic communications collected, and the number of wholly domestic communications collected.

Figure 5: § 702 Upstream Communications

Figure 5

Providing the public with this information would reveal the NSA’s high success in screening out domestic communications, the impact of its failures on the privacy of individual Americans, and the measures taken to correct those failures.

IV. Surveillance Orders

As in traditional criminal proceedings, the government may also ask FISC ex parte for electronic surveillance orders. The following table presents the number of surveillance order applications presented, approved, and rejected:

Table A: Traditional Surveillance Orders
Year Applications Presented Applications Approved Applications Rejected Percent Granted
2003 1727 1724 4 99.82%
2004 1758 1754 0 99.77%
2205 2074 2072 0 99.9%
2006 2181 2176 1 99.77%
2007 2371 2370 4 99.95%
2008 2082 2083 1 100%
2009 1329 1320 1 99.32%
2010 1579 1579 0 100%
2011 1745 1745 0 100%
2012 1856 1855 0 99.94%

 

Critics of FISC argue that the 99% approval rating indicates lax overview, but the statistic does “not reflect the fact that many applications are altered prior to final submission or even withheld from final submission entirely, often after an indication that a judge would not approve them.” To more accurately represent the nuance of FISC approval process, future tables should include columns for modified and withheld applications. FISC could also present the information in a graph form, showing how many applications were withheld, granted, and of those granted, how many were modified. A sample chart below shows how this might be done using the following hypothetical numbers: 100 applications withheld, 500 modified, and 1,727 granted total.

Figure 6: FISA Surveillance Orders

Figure 6

Moreover, FISC’s surveillance order approval percentages should be compared to an objective standard, such as search warrant approval percentages by traditional criminal courts. The 2012 Federal Wiretap Report contains a comprehensive set of publically available data regarding the number of warrants granted and denied under the Federal Wiretap Act. The report states, “3,395 wiretaps were reported as authorized in 2012 – 1,354 authorized by federal judges and 2,041 by state judges.” Of those authorized, only “two state wiretap applications were denied.” This amounts to a 99.9% approval rating within the state context and a 99.94% approval rating overall.

Not only do the similar approval percentages give the public a better perspective on FISC’s approval process, but so does a comparison of the absolute number orders granted. FISC authorized 1,856 orders in 2012 compared to the 3,395 orders authorized by federal and state courts that same year. Unlike the Wiretap Report, however, FISC does not clarify how many communications are intercepted as the result of approved orders, how many of those are incriminating, and the number of people affected by them. FISC should reveal similar numbers.

Table B: Interceptions of Wire, Oral, or Electronic Communications January 1-December 31, 2012
Reporting Jurisdiction Number Authorized Orders for Which Intercepts Installed Average Number per Order When Installed
Persons Intercepted Intercepts Incriminating Intercepts
Total 3,395 2,501 104 3,584 703

 

Comparing incriminating intercepts to total intercepts might also prove useful. The federal and state ratio is approximately 1:5. If FISC’s success rate is far lower, it may signal to the public that FISC may be granting orders too freely. On the other hand, while a 1:5 ratio might be acceptable to fight drug trafficking, perhaps a lower ratio should be acceptable to stop terrorism.

Additionally, it is important to remember that the burden of proof necessary for receiving FISC surveillance orders differs from that required for a wiretap order. Under the Wiretap Act, the government must show probable cause that the person is committing an enumerated offence and exhaustion of other investigative techniques. Under FISA, the government must show probable cause that the “target of the surveillance is a foreign power or an agent of a foreign power.” These different burdens should be regarded as a factor that might account for differences between the two ratios.

Providing additional information about FISC’s approval of surveillance orders and comparing it to the processes of traditional criminal courts would give the public a more nuanced perspective on FISC’s operation.

V. Visualizing the Costs and Benefits of FISC-approved Programs

Lastly, the NSA should visually depict the costs and benefits of each program, as the New America Foundation did in a report. This report indicates that information gathered under § 702 helped initiate 4.4% of terrorist case investigations and information gathered under § 215 helped initiate 1.8%.

While these percentages may sound low, it is important to remember that after 9/11, the NSA was operating under the risk standard of “never again,” and the magnitude of life lost in that attack weighed heavily on their minds. Any plot prevented might have been deemed worth any cost – budgetary or otherwise – as long as it comported with the law. Now, however, it appears the public may not be as willing to grant the NSA such wide latitude, no matter how legal its activities, without knowing what they will be receiving and sacrificing in the bargain.

To visualize the costs and benefits of each of intelligence program, the NSA should place these programs into two stacked bar graphs: one of program “costs” and one of program “benefits.” The graphs could be displayed on a ten-point scale, such that costs would add up to ten (or 100%) and the benefits would likewise add up to ten (or 100%) to show how, within the closed system of the NSA, its programs rate in comparison to each other. One could imagine it would look something like the graph below, assuming that each program had equal costs but unequal benefits.

Defining and quantifying the costs and benefits of each program could be challenging. For the sake of simplicity, the costs on this chart will be noted as “privacy intrusions,” and the benefits will be noted as “terrorist case investigations initiated.” Of course, the NSA would have to develop a point system to weight the initiation of a case that discovers and helps prevent another 9/11 more heavily than, for example, the initiation of case that fails to unveil any worthwhile intelligence. Similarly, there would need to be a system for weighting different privacy intrusions. These intrusions, while perhaps legal or accepted as inevitable by applicable regulations, would encompass features of the intelligence programs that encroach, even if reasonably so, on information Americans would consider private. For instance, while § 702 may measure privacy intrusions in incidentally collected communications, § 215 would measure metadata retained. For legitimacy’s sake, it would likely be necessary for an entity such as PCLOB to quantify these privacy-related values. While quantification might be difficult, other agencies have successfully used various cost-benefit quantification techniques, such as contingent valuation, to place values on sensitive categories such as human life or environmental amenities. The NSA or PCLOB should also verbally articulate the exact nature of each privacy intrusion to help define the public’s risk tolerances.

Figure 7: Relative Costs and Benefits of Intelligence Programs

Figure 7

VI. Conclusion 

The NSA and FISC have a valuable opportunity to clarify and contextualize the confusing information currently available about their programs. Meaningful disclosure could help Americans process, evaluate, and effectively voice their opinions on the processes through which the NSA and FISC try to ensure both our privacy and security.

 

*Julie Dickerson is currently a 3L at Harvard Law School, and previously served as Senior Editor for the Harvard National Security Journal.

One Comment

  1. Pingback: Bibliography: Should the NSA increase its transparency? | BauschardDebate

Leave a Reply