ODNI: Counting Americans swept up in FISA Amendments Act surveillance could be impossible
Intelligence officials Wednesday said they oppose a law that would require them to disclose the number of Americans whose communications are swept up in surveillance of foreigners on the grounds that there's no reliable way to do so.
During a Nov. 13 Senate Judiciary subcommittee hearing, ODNI General Counsel Robert Litt said counting the number of affected Americans "is operationally very difficult, at least without an extraordinary investment of resources and maybe not even then."
Under section 702 of the FISA Amendments Act (codified at 50 USC § 1181a), the Justice Department and Office of the Director of National Intelligence can jointly authorize surveillance for up to a year of persons reasonably believed to be located outside the United States who also aren't U.S. persons (citizens and legal permanent residents). The law prohibits reverse targeting, i.e., authorizing the surveillance of a foreigner in contact with a U.S. person in order to actually surveil that U.S. person.
However, that section of the law has been controversial precisely for the degree that the communications of Americans become a part of intelligence community surveillance, although agencies are also supposed to have procedures in place to minimize the handling of Americans' data picked up that way.
"It's often not possible to determine whether a person who receives an email is a U.S. person. The email address says nothing about the citizenship or nationality of that person," Litt added.
Determining with certainty the status of each person involved in a communication would require further research that would actually result in further privacy intrusions, he said.
"If you impose upon them some sort of obligation to identify U.S. persons, they're going to take an email address that may be, you know, firstname.lastname@example.org and they're going to have to dig down and say, what else can we find out about email@example.com? And that's going to require learning more about that person than NSA otherwise would learn," he added.
Sen. Al Franken (D-Minn.), the subcommittee chairman, introduced a bill (S. 1621) that would require the attorney general to annually transmit a report that includes the number of U.S. persons whose electronic communications were subject to surveillance, with the caveat that if the number is fewer than 500, the report could simply say so.
Intelligence officials at the hearing also said they oppose a provision of the bill that would allow companies to report the number of surveillance orders they receive, categorized by the lawful authority. "Providing that information in that level of detail could provide our adversaries a detailed road map of which providers and which platforms to avoid in order to escape surveillance," Litt said.
Were a company that had few orders one year to introduce a new service and be shown to have more orders the next, terrorists and foreign intelligence agents would conclude it's a service to be avoided, he argued.
During the hearing's second panel, Kevin Bankston, senior counsel at the Center for Democracy & Technology, noted that it's already legal for companies that haven't received a national security order to say that they haven't received one.
Post-Snowden world requires new international consensus on surveillance, argues paper
NSA collects instant messaging buddy lists and webmail inboxes
NSA secretly taps Google, Yahoo data-center cables