The FISA Amendments Act (FAA), enacted in 2008, authorized the U.S. Government to compel providers of electronic communications services to assist the Government in acquiring foreign intelligence information concerning targeted persons located outside the United States. New sections were created in the Act to cover the surveillance of non-U.S. persons (§ 702; 50 U.S.C. § 1881a), U.S. persons reasonably believed to be abroad where the surveillance is conducted in the U.S. (§ 703; 50 U.S.C. § 1881b), and U.S. persons reasonably believed to be abroad where the surveillance is conducted abroad (§ 704; 50 U.S.C. § 1881c).
Section 702 provides that the government may authorize targeting non-U.S. persons reasonably believed to be abroad for up to one year in order to obtain foreign intelligence information, regardless of where the surveillance occurs, and without the probable cause requirements of traditional FISA. Under this authority, the Foreign Intelligence Surveillance Court annually reviews "certifications" jointly submitted by the U.S. Attorney General and Director of National Intelligence. These certifications define the categories of foreign actors that may be appropriately targeted, and by law must include specific targeting and minimization procedures adopted by the Attorney General in consultation with the Director of National Intelligence and approved by the Court as consistent with FISA and the Fourth Amendment.
This case is the first approval of such an FAA certification, in 2008. (In 2007, a similar process took place under the Protect America Act. It is described in NS-DC-0076 in this Clearinghouse.)
Subsection 702(i) provides for judicial review of the targeting procedures, minimization procedures, and certifications made by the AG and the DNI, by the FISA Court. Under subsection 702(i)(2)(A), the FISA Court reviews the certifications to ensure that they contain all the required statutory elements in subsection 702(g). In particular, the FISA Court reviews the targeting procedures to ensure that they are limited to targeting persons reasonably believed to be located outside the U.S. and to prevent acquisition of wholly domestic communications where the sender and recipient are known at the time of acquisition to be located in the U.S. § 702(i)(2)(B). The FISA Court also reviews the minimization procedures to ensure that they comply with the standards set out in subsection 702(e), 50 U.S.C. § 1801(h), and 50 U.S.C. § 1821(4).
If the FISA Court finds that the planned surveillance is lawful, under the statute and Constitution, it issues an order approving the surveillance under subsection 702(i)(3)(A). If the FISA Court finds fault in the certification, targeting procedures, or minimization procedures, however, it must issue an order directing the government either to correct the fault within 30 days of the order or to abandon the surveillance program in question at the government's choosing. FISA Court orders issued under subsection 702(i) are appealable to the FISA Court of Review and then to the Supreme Court under subsection 702(i)(4).
There is extensive discussion of this case in a "Summary Document" prepared by the NSA Office of General Counsel and leaked by Edward Snowden. That summary is in this Clearinghouse record (and is also available here). It has not been declassified from its assigned Top Secret classification.
The summary explains that in 2008, NSA submitted a surveillance certification (2008-A) to the FISA Court. Under that certification, NSA would collect foreign intelligence information on foreign governments, factions, entities and foreign based political organizations. The certification allowed NSA to share unevaluated data with the CIA and the FBI, on the request of those organizations.
The summary discusses the targeting procedures the NSA would use. It first states that the determination of whether a person being targeted is outside the US, as required by § 702, would be made in light of the totality of the circumstances. It states that analysts will look at information from a combination of broad categories to make that determination. The summary further states that an analyst's reasonable belief that a targeted person is located outside the US will be used to presume that the target is a non-US person if there is no other specific information regarding the target's status.
Next, the summary discusses the NSA's procedure for ensuring that it detects when targets that have been determined to be outside the US enter the US. It states that NSA monitors cell phone registers, IP addresses, and the content of intercepted communications in order to make those determinations. Once a determination that a target has entered the US has been made, collection must be terminated and steps taken to ensure that no forbidden collection occurs.
Finally, the summary discusses the variance from the NSA's standard minimization procedures contained in the certification. It states that inadvertently acquired US communications cannot be retained for more than five years, the names of US persons cannot be used as computer selection terms, and that if NSA determines that a target is a US person, it must cease collecting that person's communications. It further contains exceptions for evidence of a crime and foreign communications of US persons if dissemination of the communications would be permissible with the US person's information or if they contain evidence of a crime.
The summary also discusses the 2008-B Certification, which authorizes targeting directed at groups "engaged in international terrorism or activities in preparation therefor." It states that the only difference from the 2008-A Certification is the target set.
The FISA Court (Judge Mary A. McLaughlin) issued an opinion finding that the 2008-A certification contained all the required statutory elements, and that the targeting and minimization procedures were consistent with the statutory requirements as well as the Fourth Amendment. The Court approved the certification and the use of the targeting and minimization procedures:

Targeting Procedures
According to the FISC opinion, this certification request included two sets of targeting procedures, one for use by the NSA and one for use by the FBI. The procedures involve "tasking for acquisition a telephone number or electronic communications (generically referred to as 'selectors') believed to be used by a targeted person." Memorandum Opinion p. 8.
First, an analyst would have to "reasonably believe" that the targeted person was outside the United States "in light of the totality of the circumstances based on the information available..." Memorandum Opinion p. 8. Like earlier minimization procedures, the ones proposed here included a presumption that a person located outside the US was a non-US person. This presumption had a "due diligence" requirement, but seems to have applied "even in cases where 'the actual location of the target may be unknown.'" Memorandum Opinion p. 10.
Second, the procedures required the NSA to conduct "post-targeting analysis". This process would be intended, first, "to detect those occasions when a person who when targeting was reasonably believed to be located outside the United States has since entered the United States." Memorandum Opinion p. 10. It was also intended to enable the NSA to "take steps to prevent" acquiring communication between persons in the US, or targeting persons in the US. Id. citing NSA Targeting Procedures at 6. This analysis was to happen at least once per year for each particular tasking. Memorandum Opinion p. 11.
Third, the targeting procedures included documentation and oversight provisions. These include citations for information that led the government to believe that a targeted person was located abroad, periodic review of implementation, and reporting of noncompliance incidents. Memorandum Opinion p. 12.
Finally, the NSA targeting procedures contained an emergency provision. The NSA was permitted to deviate from the targeting procedures "to protect against an immediate threat to national security," provided it adhered to the limitations of § 702(b). The Court understood this provision to relate primarily to documentation and oversight requirements, presumably because the statute would prohibit deviation from the other targeting procedures. Memorandum Opinion p. 13.
If the government wished to target an entity not named in Exhibit F, it was permitted to do so provided that it notified the AG and DNI within 5 days. Summary Doc p. 5.

Minimization Procedures
The NSA, FBI, and CIA each proposed minimization procedures that were approved by the Order in this Certification.
The most significant innovation in the minimization procedures of this Certification was the use of "special retention provisions." These are an exception to the rule that US person communications should be destroyed: they authorize the head of an agency to "authorize retention of information from communications acquired when the government reasonably believed that the target was a non-U.S. person outside the United States, when in fact the target was a U.S. person or was inside the United States." Memorandum Opinion p. 24. The agency heads were permitted to authorize retention upon a finding "that such communication is reasonably believed to contain: significant foreign intelligence information; evidence of a crime that has been, is being, or is about to be committed; or information retained for cryptanalytic, traffic analytic, or signal exploitation purposes." Memorandum Opinion p. 25 citing CIA Minimization Procedures at 6. The Director of the NSA could also authorize retention upon a finding that "the communication contains information pertaining to a threat of serious harm to life or property" or "information necessary to understand or assess a communications security vulnerability." Memorandum Opinion p. 25 citing NSA Minimization Procedures at 5-6.
The NSA and CIA minimization procedures also provided for the sharing of raw data with foreign governments for "technical and linguistic assistance." Memorandum Opinion p. 28.
The NSA minimization procedures proposed in this Certification were "substantially the same as the Domestic Selector Procedures and the PAA Procedures." Memorandum Opinion p. 29. The PAA procedures are available as NS-DC-0068-0003 in this database. The NSA minimization procedures proposed in this Certification retain the five-year period of retention for "inadvertently acquired information," but extend the period of time for which NSA may retain technical data base information from one year to five years.
The FBI minimization procedures in this Certification were "the standard FBI minimization procedures for a non U.S. person agent of a foreign power, subject to certain modifications." Memorandum Opinion p. 31. The Court did not detail the "case-specific modifications" present in this Certification. Neither the minimization procedures proposed in this Certification nor earlier FBI minimization procedures are available. However, later FBI minimization procedures are available at the ODNI website and the Electronic Frontier Foundation.
The CIA minimization procedures proposed in this Certification, according to the Court, were similar to procedures previously approved by the FISC. See documents NS-DC-0068-0004 in this database. The difference noted by the Court was "a new category of U.S. person information expressly authorized for retention and dissemination: information that 'concerns a U.S. Government official acting in an official capacity.'" Memorandum Opinion p. 32. The Court approved this "on the understanding that CIA will disseminate this category of information . . . consistent with Section 1801 (h)(2)," i.e. not "in a manner that identifies any United States person, without such person's consent, unless such person's identity is necessary to understand foreign intelligence information or assess its importance." Id.

Edward Mroczkowski - 04/20/2015
Nadji Allan - 11/15/2015