Symposium on my cyber operations bookPosted: June 14, 2016 Filed under: Cyber, Miscellaneous, Terrorism, War Leave a comment
The online academic journal Questions of International Law has just published a symposium on my book Cyber Operations and the Use of Force in International Law (which is now available also in paperback). Two excellent scholars, Prof. Christian Henderson (Sussex University) and Dr. Emanuele Sommario (Scuola Superiore Sant’Anna – Pisa) discuss my analysis of the jus ad bellum and jus in bello issues arising from the use of cyber technologies. Their reviews are themselves very interesting contributions to the debate on cyber security and well worth reading.
Another excellent (and very positive!) review of my book has been written by Vincent Roobaert and has been published in the latest issue of the NATO Legal Gazette.
Is there a “cyber war” between Ukraine and Russia?Posted: March 31, 2014 Filed under: Cyber, War 1 Comment
I have just published a blog post addressing this question in the OUP Blog. In the post, I apply some of my book’s findings to the current Ukraine-Russia crisis. As always, comments are welcome.
My new book on cyber operations is outPosted: March 18, 2014 Filed under: Cyber, Intelligence, War 2 Comments
My book on Cyber Operations and the Use of Force in International Law has just been published by Oxford University Press. If you are interested in ordering a copy, please click here, or, if you prefer the US OUP website, here.
Here is the abstract:
The internet has changed the rules of many industries, and war is no exception. But can a computer virus be classed as an act of war? Does a Denial of Service attack count as an armed attack? And does a state have a right to self-defence when attacked in cyberspace? With the range and sophistication of cyber attacks against states showing a dramatic increase in recent times, this book investigates the traditional concepts of ‘use of force’, ‘armed attack’, and ‘armed conflict’ and asks whether existing laws created for analogue technologies can be applied to new digital developments.
The book provides a comprehensive analysis of primary documents and surrounding literature to establish whether and how existing rules on the use of force in international law apply to cyber operations. In particular, it assesses the rules of the jus ad bellum, the jus in bello, and the law of neutrality (whether based on treaty or custom), and analyses why each rule applies or does not apply in the context of cyber operations. Those rules which can be seen to apply are then discussed in relation to each specific type of cyber operation. The book addresses the key questions of whether a cyber operation amounts to a use of force and, if so, whether the victim state may exercise its right of self-defence; whether cyber operations trigger the application of international humanitarian law when they are not accompanied by traditional hostilities; what rules must be followed in the conduct of cyber hostilities; how neutrality is affected by cyber operations; and whether those conducting cyber operations are combatants, civilians, or civilians taking direct part in hostilities. The book is essential reading for everyone wanting a better understanding of how international law regulates cyber combat.
The book also contains a thought-provoking Foreword by Prof. Yoram Dinstein.
Cyber operations as a nuclear counterproliferation measurePosted: February 1, 2014 Filed under: Cyber, Intelligence, Nuclear 1 Comment
My article on ‘Cyber operations as a nuclear counterproliferation measure’ has just been published in the Advance Access section of the Journal of Conflict and Security Law. It will appear in print later in 2014.
Abstract: Focusing on recent malware that allegedly targeted Iran’s nuclear programme, the article discusses the legality of inter-state cyber operations as measures to prevent the proliferation of nuclear weapons approaching the problem from the perspective of the law of State responsibility, in particular the circumstances precluding wrongfulness. After examining the role that cyber attacks and cyber exploitation can play in preventing nuclear proliferation, the article explores whether cyber operations can be justified as countermeasures in response to a possible breach by Iran of its non-proliferation obligations. It then discusses whether counterproliferation cyber operations amounting to a use of force are submitted to a more lenient legal regime than other more traditional forms of the use of force in international relations. Finally, the article explores the legality of counterproliferation cyber operations from the perspective of Chapter VII of the UN Charter, and in particular of the resolutions adopted against Iran by the Security Council. The article concludes that the legality of counterproliferation cyber operations must be assessed in the light of the general primary and secondary rules of international law: neither the means used (cyber instead of kinetic) nor the aim pursued (the non-proliferation of nuclear weapons) justify a special legal regime.
NSA Disclosures Derail Cyber “Star Wars” Defense Strategy?Posted: August 13, 2013 Filed under: Cyber | Tags: cybersecurity, David Sanger, Edward Snowden, NSA, Surveillance 1 Comment
In today’s New York Times, David Sanger published an article that the damage caused by Edward Snowden’s disclosures of NSA surveillance might have killed what Sanger calls “the equivalent of a ‘Star Wars’ defense for America’s computer networks, designed to intercept cyber attacks before they could cripple power plants, banks or financial markets.” More specifically:
Under this proposal, the government would latch into the giant “data pipes” that feed the largest Internet service providers in the United States, companies like A.T.&T. and Verizon. The huge volume of traffic that runs through those pipes, particularly e-mails, would be scanned for signs of anything from computer servers known for attacks on the United States or for stealing information from American companies. Other “metadata” would be inspected for evidence of malicious software.
Whether this idea would have matured and proceeded without leaks about NSA surveillance is not clear because opposition within the US government existed:
Top officials of the Department of Homeland Security, which is responsible for domestic defense of the Internet, complained that N.S.A. monitoring would overly militarize America’s approach to defending the Internet, rather than making sure users took the primary responsibility for protecting their systems.
The deputy secretary of defense, Ashton B. Carter, described in speeches over the past year an alternative vision in which the government would step in to defend America’s networks only as a last line of defense. He compares the Pentagon’s proper role in defending cyberattacks to its “Noble Eagle” operation, in which it intercepts aircraft that appear threatening only after efforts by the airlines to identify the passengers and by the Transportation Safety Administration to search passengers and luggage have failed.
The disclosures about NSA surveillance and its scale have, however, altered the nature of discourse in Washington, D.C. about this debate on US cyber defense in ways that make progress in this area, for the near future, potentially very, very difficult.
President Obama Announces Steps to Address Concerns About NSA SurveillancePosted: August 9, 2013 Filed under: Cyber | Tags: cybersecurity, cyberspace, Edward Snowden, NSA, President Obama, Surveillance Leave a comment
Today, President Obama outlined steps his administration would take to address the controversial debate taking place concerning NSA surveillance activities disclosed by Edward Snowden. The New York Times reports that:
Mr. Obama announced the creation of a high-level task force of outside intelligence and civil liberties specialists to advise the government about how to balance security and privacy as computer technology makes it possible to gather ever more information about people’s private lives.
The president also threw his administration’s support behind a proposal to change the procedures of the secret court that approves electronic spying under the Foreign Intelligence Surveillance Act in order to make its deliberations more adversarial. The court, created in 1978, was initially envisioned to carry out a limited role of reviewing whether there was sufficient evidence to wiretap someone as a suspected foreign terrorist or spy.
. . .
The Obama administration is also planning to release a previously classified legal analysis explaining why the government believes it is lawful under a provision of the Patriot Act known as Section 215 for the N.S.A. to collect and store logs of every phone call dialed or received in the United States.
At the same time, the N.S.A. was expected to release a paper outlining its role and authorities, officials said. The six- to seven-page document was described as setting up a “foundation” to help people understand the legal framework for its activities. Next week, the agency will open a Web site designed to explain itself better to the public amid Mr. Snowden’s disclosures.
The “previously classified legal analysis” on the government’s interpretation of Section 215 is available now in a document entitled: Administration White Paper: Bulk Collection of Telephony Metadata Under Section 215 of the USA PATRIOT Act (August 9, 2013).
For the argument that the bulk telephony metadata program does not satisfy the requirements of Section 215, see this amicus brief filed with the US Supreme Court today by a group of professors expert in information privacy and surveillance law, a group that includes me. This amicus brief supports the petition filed in July with the Supreme Court by the Electronic Privacy Information Center against the bulk telephony metadata program.
Related to the President’s announcement, the NSA released a document today entitled The National Security Agency: Mission, Authorities, Oversight and Partnerships (August 9, 2013), which, among other things, describes NSA’s authorities to collect intelligence under Executive Order 12333 and the Foreign Intelligence Surveillance Act, including Section 702 of that Act (the legal basis for the PRISM program targeting non-US persons located outside the US).
Nuclear Strategy Push-Back Against the “Cyber Industrial Complex”?Posted: August 7, 2013 Filed under: Cyber, Nuclear | Tags: cybersecurity, cyberspace, EastWest Institute, Edward Snowden, Greg Austin, nuclear security, nuclear weapons 6 Comments
Greg Austin of the EastWest Institute published a piece in China-US Focus on August 6th in which he identifies possible push-back against the US government’s race to achieve “cyber superiority” and the emergence of “the American cyber industrial complex” from people in the US military knowledgeable about US nuclear weapons and strategy. He argues that disclosures by Edward Snowden reveal a “lack of restraint” in US cyber behavior and:
This lack of restraint is especially important because the command and control of strategic nuclear weapons is a potential target both of cyber espionage and offensive cyber operations. The argument here is not to suggest a similarity between the weapons themselves, but to identify correctly the very close relationship between cyber operations and nuclear weapons planning. Thus the lack of restraint in cyber weapons might arguably affect (destabilize) pre-existing agreements that constrain nuclear weapons deployment and possible use.
The cyber superiority of the United States . . . is now a cause of strategic instability between nuclear armed powers. . . . [I]n the long run, the most influential voice to end the American quest for cyber military superiority may come from its own armed forces. There are military figures in the United States who have had responsibility for nuclear weapons command and control systems and who, in private, counsel caution. They advocate the need to abandon the quest for cyber dominance and pursue a strategy of “mutual security” in cyber space – though that has yet to be defined. They cite military exercises where the Blue team gets little or no warning of Red team disruptive cyber attack on systems that might affect critical nuclear command and control or wider war mobilization functions. Strategic nuclear stability may be at risk because of uncertainty about innovations in cyber attack capability. This question is worth much more attention.
Cybersecurity literature contains references and analogies to nuclear weapons and nuclear strategy, including attempts to draw on the nuclear experience to address what some perceive as a cyber arms race. However, Austin is talking about something different–concern among experts that what is happening with US cyber policy, strategy, and capabilities threatens US nuclear strategy and stability. I do not know how prominent such strategic introspection actually is, or whether it deserves the level of deliberation Austin advocates.
In the most general terms, Austin seeks reassessment of what he and others believe is an insufficiently restrained American quest for superiority in military and intelligence cyber capabilities–not because of perceived threats to privacy and other civil liberties at home, but because this path might create strategic problems for US national security down the road, including in the context of nuclear weapons. For Austin, this reassessment should include more scrutiny of permitting one military officer to lead both NSA and US Cyber Command, a situation Austin provocatively describes as “an unprecedented alignment of Praetorian political power in any major democracy in modern political history.”
A unrestrained cyber industrial complex led by a cyber Praetorian guard potentially causing strategic nuclear instability? Well, now, the “national conversation” is getting more interesting by the day . . .
Getting Beyond the Benedict Arnold of the Cyber Age: Crafting Post-Snowden American Policy and LawPosted: August 2, 2013 Filed under: Cyber, History, Terrorism | Tags: Benedict Arnold, Bradley Manning, cybersecurity, cyberspace, Edward Snowden, espionage, NSA, Russia, Surveillance 1 Comment
This past week brought more discomfort in the United States produced by Edward Snowden’s disclosures about NSA surveillance activities:
- The House of Representatives narrowly defeated a proposal to restrict NSA authority to collect telephone metadata in the United States, a vote that caused intra-party clashes within both the Democratic and Republican parties;
- Legislators in Congress grilled NSA officials on the NSA’s collection of telephone metadata within the US, producing testimony that only heightened congressional concerns about the executive branch’s metadata surveillance activities and their legal justification;
- The NSA released previously classified documents related to the now infamous Verizon Order leaked by Snowden, an effort at transparency that, apparently, did not make anything more transparent;
- Courtesy of Snowden, The Guardian revealed another NSA program, called XKeyscore, which caused another round of national and international controversy about US surveillance policies and practices; and
- The Russian government granted Snowden asylum for one year, allowing him to leave his limbo-laden life at the Moscow airport, a development that perhaps guarantees Snowden’s place in history (and not Bradley Manning) as the Benedict Arnold of the cyber age and made already fraying US-Russian relations worse.
To have Congress close to over-turning a key law passed after 9/11, to deepen tensions between the legislative and executive branches, to provoke the masters of secrecy to try to be more transparent, to wrong-foot the NSA again with a new disclosure, to cause rifts within both major US political parties, and to exacerbate problems between great powers is, ladies and gentlemen, one hell of a week, in more ways than one.
Each development of this past week deserves its own scrutiny, but my objective here is to try to assess what the sum of these episodes means for the US. The initial disclosures from Snowden brought forth calls for a “national conversation” about the implications of the revelations of NSA surveillance activities and the policy and legal justifications for them. This conversation has been extremely awkward because a proudly open and free society found itself debating critical issues kept secret by its government and only revealed by a law-breaker who sought succor in the sovereignty of anti-American governments. To quote one of history’s great admirers of the US, not our finest hour.
But, this past week should signal that the “national conversation” requires decisions needed to shape post-Snowden American policy and law on issues ranging from the privacy of American citizens dependent on digital communications technologies to the impact of cyber espionage on the power and reputation of the US in geopolitics. No one should underestimate the gravity of these decisions because the questions to be answered go deep into what America means at home and abroad. In its main leader of its August 3rd issue, The Economist–hardly an American nemesis–embeds the Snowden affair along with other post-9/11 policies in what it calls “liberty’s lost decade.”
Provocative, to be sure, but The Economist is trying to piece together what it all means for the US, from Mohamed Atta to Edward Snowden, and is encouraging Americans to re-evaluate where their government has been–from detention cells in Guantanamo Bay to “collecting it all” in cyberspace–and whether and how they want the future to be different. We might not like the headlines, the harsh questions, and the flippant or cynical condemnations of American behavior as hysterical hypocrisy. But, when someone like Edward Snowden can affect this country’s domestic politics and foreign affairs as wrenchingly as he repeatedly has (see, this past week), we have serious work to do in crafting policies and laws less dependent on the fear secrecy breeds and more confident in the resilience openness brings when betrayal from within and enmity from without test our interests and values.
Zero-Sum Game: The Global Market for Software ExploitsPosted: July 18, 2013 Filed under: Cyber | Tags: Christopher Soghoian, confidence-building measures, cybersecurity, cyberspace, Paul Rosenzweig, zero day exploits 2 Comments
On July 13, 2013, Nicole Perlroth and David Sanger published a story entitled “Nations Buying as Hackers Sell Flaws in Computer Code” in the New York Times. Perlroth and Sanger wrote:
All over the world, from South Africa to South Korea, business is booming in what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give a buyer unfettered access to a computer and any business, agency or individual dependent on one.
. . .
But increasingly the businesses are being outbid by countries with the goal of exploiting the flaws in pursuit of the kind of success, albeit temporary, that the United States and Israel achieved three summers ago when they attacked Iran’s nuclear enrichment program with a computer worm that became known as “Stuxnet.”
The flaws get their name from the fact that once discovered, “zero days” exist for the user of the computer system to fix them before hackers can take advantage of the vulnerability. A “zero-day exploit” occurs when hackers or governments strike by using the flaw before anyone else knows it exists, like a burglar who finds, after months of probing, that there is a previously undiscovered way to break into a house without sounding an alarm.
The cybersecurity challenge created by the emerging global market in “zero day” exploits has been recognized before by experts (see, e.g., efforts by Christopher Soghoian of the ACLU to highlight this issue) and journalists (see, e.g., this story entitled “The Digital Arms Trade” from The Economist on March 30, 2013). But the Times article gives this problem heightened exposure and will increase political attention on it. With companies–such as Microsoft, Google, and Facebook–and countries–such as Brazil, Britain, China, India, Iran, Israel, Malaysia, North Korea, Russia, Singapore, South Africa, South Korea, and the US–willing to buy “zero day” exploits, Perlroth and Sanger report that “the market for information about computer vulnerabilities has turned into a gold rush.”
Among the many cybersecurity issues the development of this market creates is the question of whether to regulate it, and, if regulation is thought prudent, how to regulate the problem effectively. In its article, The Economist noted that:
Laws to ban the trade in exploits are being mooted. Marietje Schaake, a Dutch member of the European Parliament, is spearheading an effort to pass export-control laws for exploits. It is gathering support, she says, because they can be used as “digital weapons” by despotic regimes. For example, they could be used to monitor traffic on a dissident’s smartphone. However, for a handful of reasons, new laws are unlikely to be effective.
The effort to turn to export-control laws as a way to regulate the sale of “zero day” exploits or, more broadly, the development and sale of purpose-built malware, suggests that strategies and “soft” or “hard” regimes used in non-proliferation and arms control might serve as a basis for thinking about what to do about the market for “digital weapons,” including:
- National export-control laws with multinational coordination of such regimes among countries (a cyber version of something like the Wassenar Arrangement);
- Bans or limitations on development, transfer, and use of certain weaponized code intended to have specific purposes or effects considered illegitimate (a cyber version of something like the Protocol Banning Blinding Laser Weapons); or
- Confidence-building measures, including declaratory policy strategies, aiming for heightened transparency and trust (cyber versions of the CBMs used in the BWC or of “no first use” declaratory statements).
The attractiveness of drawing on ideas from non-proliferation and arms control experience in the realm of cyber weapons exists, as made clear by, among other things, a provision in the proposed National Defense Authorization Act for Fiscal Year 2014 for the President to “establish an interagency process to provide for the establishment of an integrated policy to control the proliferation of cyber weapons through unilateral and cooperative export controls, law enforcement activities, financial means, and diplomatic engagement, and such other means as the President considers appropriate” (Sec. 946, Control of the Proliferation of Cyber Weapons).
Without question, reasons why cyber versions of these approaches would not work can multiply rapidly, including arguments related to the questionable effectiveness of these strategies in their traditional non-proliferation and arms control contexts. In addition, as in many areas of cybersecurity policy and law, reasoning by analogy to policies and regimes designed for other challenges breaks down rather quickly because cyber presents such a different kind of problem attached to technologies unlike what non-proliferation and arms control efforts have addressed in the past.
These various reasons are often why cybersecurity experts exhibit skepticism about “arms control” in the cyber context. Here are Paul Rosenzweig’s thoughts on this question in his blog post on the Perlroth and Sanger article on “zero day” exploits:
In the physical world, the production of weaponry is restricted by the need for an industrial base. In cyberspace, weapons are bits and bytes and produced as intellectual property. With such an ease of manufacture (comparatively) and a global market, there seems to be precious little prospect for an arms-control type approach to eliminating the trade. The market for zero-day exploits will, I think, grow exponentially in the years to come.
Rosenzweig’s prediction might well prove accurate, but policy concerns with this uncontrolled global market for “zero day” exploits and other purpose-built malware are mounting, as illustrated by the ideas being floated in the European Parliament and (perhaps ironically given significant US government participation in this market) by proposed Section 946 of the National Defense Authorization Act for Fiscal Year 2014. As the market charges on, policy anxieties and demands for action will also increase, which will make efforts to control behavior amounting to “beggar thy neighbor’s software” one of the most interesting and difficult cybersecurity challenges governments and companies face.
Surveillance Like a Cancer Grows? The Implications of NSA Intelligence Activities on the Non-Proliferation & Arms Control CommunitiesPosted: July 17, 2013 Filed under: Biological, Chemical, Cyber, Nuclear, Terrorism | Tags: cyberspace, Edward Snowden, NSA, Surveillance, WMD 10 Comments
ELECTRONIC SURVEILLANCE AND THE COMMUNITIES INVOLVED IN NON-PROLIFERATION AND ARMS CONTROL
In a comment to Dan Joyner’s post on Lawyers, Guns, and Money, Yousaf Butt raised the need to link the disclosures being made about NSA surveillance to the work of people engaged on non-proliferation and arms control issues. In particular, he cited a July 6, 2013, New York Times article by Eric Lichtblau entitled “In Secret, Court Vastly Broadens Powers of N.S.A.” This article was widely read, as evidenced by The Economist basing a story on it. In the Times article, Lichtblau reported US intelligence officials obtaining “access to an e-mail attachment sent within the United States because they said they were worried that the e-mail contained a schematic drawing or a diagram possibly connected to Iran’s nuclear program.” Yousaf asked whether this example means anyone discussing nuclear proliferation could be subject to NSA surveillance. Or, more broadly, could electronic communications about WMD proliferation challenges to US national security be subject to NSA collection activities? Yousaf thought such surveillance could create a “chilling effect” that might adversely affect “free discourse” in the non-proliferation area. Dan asked me to share my thoughts on this issue, so here goes . . .
THE NUCLEAR PROLIFERATION CASE CITED IN THE TIMES ARTICLE
Section 702 of FISA
Let me start with the case reported in the Times and cited by Yousaf. Apparently, the e-mail communication that contained the attachment accessed by US intelligence officials was sent and received in the US, so, if accurately reported by the Times, this case does not involve the authority created in the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008 that permits the FISA Court to authorize “the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information,” including communications involving US persons (Section 702, Foreign Intelligence Surveillance Act, 50 USC sec. 1881a(a)). Even though this case does not involve this authority, the free speech concerns raised by lawyers, journalists, and human rights activists in Clapper v. Amnesty International (decided on standing grounds, 133 S.Ct. 1138 (2013)) apply to persons engaged in electronic communications with foreign nationals located overseas on issues relating to US national security.
FISA defines “foreign intelligence” to include “information that relates to . . . the international proliferation of weapons of mass destruction by a foreign power or an agent of a foreign power” (50 USC sec. 1801(e)(1)). As the challenge mounted in Clapper indicates, many communities of interest are concerned about the “chilling effect” of the surveillance authority created by the FISA Amendments Act. The inclusion of WMD proliferation in the definition of foreign intelligence means the non-proliferation and arms control communities have been on notice about this US government power since 2008.
However, Snowden’s disclosures of PRISM (the NSA program operated under Section 702 of FISA) revealed how the US government uses this power. People in communities of interest not previously nervous about Section 702 of FISA might now be concerned about their communications with foreign nationals, and perhaps, as Yousaf’s comment suggests, this includes persons working on non-proliferation and arms control questions. So, as with other interested persons and organizations, the non-proliferation and arms control communities should monitor what happens next with this controversy, including law suits already filed in federal court challenging PRISM.
US Communications, Metadata, and Access to the Content of Communications
However, the case reported in the Times involved an e-mail and its attachment sent and received in the US, meaning that different aspects of FISA applied to this surveillance activity. The Times article is not exactly clear what happened, when it happened, what the FISA court did, and why it did what it did (at least these things are not clear to me from the article). My point is not that the Times article is wrong; my point is that it raises more questions than it answers, and trying to answer some questions proves difficult because of a lack of information. As explained below, these questions require more scrutiny of the Times article’s claim that the FISA court “vastly broadens powers of the N.S.A.” In short, we should not jump to conclusions about the Times article and its implications. In what follows, I try to sort through what the article does contain.
Collecting Internet and E-Mail Metadata
US intelligence officials probably picked up information from collecting and analyzing “metadata” on e-mail traffic that triggered a desire to see the e-mail attachment in question. Part of Snowden’s disclosures included information about the US government’s collection of e-mail and other Internet metadata within the US after 9/11 through 2011, when this aspect of NSA surveillance was apparently terminated. Initially undertaken by the Bush administration outside FISA, the collection and analysis of e-mail and other Internet metadata came within FISA court review and approval in 2004, after which the FISA court reviewed and approved orders for such surveillance periodically until 2011, when the Obama administration stopped this particular metadata surveillance effort.
Application of the “Special Needs” Exception to Collection of Internet and E-Mail Metadata under FISA
According to the Times article, the FISA court determined that such metadata surveillance did not violate the Fourth Amendment and relied, apparently, on the “special needs” exception to the Fourth Amendment’s warrant requirement. Generally, the “special needs” exception allows the government to undertake a search without a Fourth Amendment warrant to gather information unrelated to law enforcement purposes (e.g., drug tests of railway workers; passenger screening at airports). Referring to outside legal experts, the Times article commented that this application of this exception “is significant . . . because it uses a relatively narrow area of the law . . . and applies it much more broadly, in secret, to the wholesale collection of communications” for foreign intelligence purposes, including countering terrorism, WMD proliferation, espionage, and cyber attacks. This alleged expansive use of the “special needs” doctrine by the FISA court forms part of the Times article’s observation that this court is perhaps becoming “almost a parallel Supreme Court” because it regularly assesses “broad constitutional questions” and establishes judicial precedents for foreign intelligence surveillance.
Here is where the questions about the article begin to multiply. For starters, telephony and Internet metadata is not protected by the Fourth Amendment under existing jurisprudence, so, presumably, the FISA court does not need the “special needs” exception to the Fourth Amendment to review and approve collection of metadata. As Orin Kerr commented, if the FISA court “has ruled that all metadata is outside the Fourth Amendment, that’s not a surprise.”
Next, the “special needs” exception has long been associated with the gathering of foreign intelligence by the US government and with FISA itself. As Kris and Wilson put it, “Congress enacted FISA explicitly to serve as a special need not related to ordinary law enforcement: foreign intelligence and counter-intelligence. The courts have upheld FISA under a special-needs theory against multiple constitutional challenges” (David S. Kris and J. Douglas Wilson, National Security Investigations & Prosecutions (2007), sec. 11:12, p. 11-30). So, foreign intelligence activities subject to FISA fall under the “special need” exception for foreign intelligence gathering under existing law and jurisprudence. Again, Kerr commented that, if the FISA court has held that foreign intelligence efforts to locate terrorists fall under the “special needs” exception, then “that’s not noteworthy.” The same applies to foreign intelligence gathering for other serious national security threats, such as WMD proliferation.
These observations suggest that the FISA court is not vastly increasing the powers of the NSA or acting as a “parallel Supreme Court” but is operating within existing jurisprudence and statutory law. So, what’s going on here? I’m not sure based on what the Times article contains. Now, people might be worried about the powers existing jurisprudence and statutory law give the NSA and the FISA court–but the Times article claims something new, different, and secret is happening that does not track case precedents and legislation.
Accessing the E-Mail Attachment Related to Nuclear Proliferation
As noted above, the Times article reported that US intelligence officials went beyond metadata collection and accessed the content of an e-mail communication in the form of an attachment the officials feared “contained a schematic drawing or diagram possibly connected to Iran’s nuclear program.” The Times article is not clear how, and under what authority, the US intelligence officials accessed the content of this e-mail communication. The article states that gaining such access “[i]n the past . . . probably would have required a court warrant because the suspicious e-mail involved American communications.”
Well, if the US government wanted access to the e-mail attachment for foreign intelligence purposes, then FISA requirements for obtaining a FISA court order to undertake such content-based surveillance within the US apply. However, the Times article is not clear whether US intelligence officials obtained a FISA court order to access the content of the e-mail communication in question. Confusingly, the article follows up its statement about the probable need for a “court warrant” with a description of the broadening of the FISA definition of “foreign intelligence” in 2008 to include information related to WMD proliferation–information that is not helpful to understanding whether the US government obtained FISA court approval to access the e-mail attachment in question.
If the government obtained the FISA court’s specific approval for its access to the e-mail attachment, then the government complied with the relevant law–nothing new, then, legally speaking. However, if the FISA court has constructed some “special needs” exception to the FISA requirement to obtain a specific order for electronic surveillance in the US for foreign intelligence purposes, then we might have something new to ponder. But the Times article does not provide enough information to pursue this inquiry in any productive manner. We would have to be able to examine the FISA court decisions mentioned in the article, but those remain secret.
OK, so what does all of this mean for communities interested in non-proliferation and arms control that communicate through e-mail and other electronic means with people inside and outside the US? Based on what’s in the Times article, here’s my answer:
- Since the FISA Amendments Act of 2008 added Section 702 to FISA, it has been clear that electronic communications by US persons with foreign nationals could be subject to broad, FISA court-approved surveillance to acquire foreign intelligence through targeting persons reasonably believed to be located outside the US. The Times article does not change what we have known for quite some time on this aspect of FISA.
- The Times article’s reference to the “special needs” exception creates more questions than answers, meaning that, in such a state of affairs, it is best not to rage first and ask legal questions later. We know enough to wonder whether the article is accurately describing what’s actually happened in the FISA court. But, given recent disclosures, we also know enough to worry that we don’t know everything we need to know to assess what’s going on.
- What exactly the FISA court has done in the rulings mentioned in the Times article remains unclear, and the rulings remain secret. For the time being, we don’t know what we don’t know concerning the legal reasoning used by the FISA court.
My intent is not to promote a “don’t worry, be happy” attitude about the implications of NSA surveillance programs disclosed in recent weeks either generally or specifically to work that you might do. Like many people, I worry about the scale of the surveillance the disclosures have revealed and about some legal justifications given for these secret programs. But I am also concerned that the incomplete information we are getting through leaks in dribs and drabs is creating and agitating fears that, like a toxic miasma, government surveillance is permeating everything, everywhere and affecting everybody without meaningful limits or oversight. To prevent actual and imagined surveillance from doing more damage to the body politic, more transparency is required politically and legally.