Today, President Obama outlined steps his administration would take to address the controversial debate taking place concerning NSA surveillance activities disclosed by Edward Snowden. The New York Times reports that:
Mr. Obama announced the creation of a high-level task force of outside intelligence and civil liberties specialists to advise the government about how to balance security and privacy as computer technology makes it possible to gather ever more information about people’s private lives.
The president also threw his administration’s support behind a proposal to change the procedures of the secret court that approves electronic spying under the Foreign Intelligence Surveillance Act in order to make its deliberations more adversarial. The court, created in 1978, was initially envisioned to carry out a limited role of reviewing whether there was sufficient evidence to wiretap someone as a suspected foreign terrorist or spy.
. . .
The Obama administration is also planning to release a previously classified legal analysis explaining why the government believes it is lawful under a provision of the Patriot Act known as Section 215 for the N.S.A. to collect and store logs of every phone call dialed or received in the United States.
At the same time, the N.S.A. was expected to release a paper outlining its role and authorities, officials said. The six- to seven-page document was described as setting up a “foundation” to help people understand the legal framework for its activities. Next week, the agency will open a Web site designed to explain itself better to the public amid Mr. Snowden’s disclosures.
The “previously classified legal analysis” on the government’s interpretation of Section 215 is available now in a document entitled: Administration White Paper: Bulk Collection of Telephony Metadata Under Section 215 of the USA PATRIOT Act (August 9, 2013).
For the argument that the bulk telephony metadata program does not satisfy the requirements of Section 215, see this amicus brief filed with the US Supreme Court today by a group of professors expert in information privacy and surveillance law, a group that includes me. This amicus brief supports the petition filed in July with the Supreme Court by the Electronic Privacy Information Center against the bulk telephony metadata program.
Related to the President’s announcement, the NSA released a document today entitled The National Security Agency: Mission, Authorities, Oversight and Partnerships (August 9, 2013), which, among other things, describes NSA’s authorities to collect intelligence under Executive Order 12333 and the Foreign Intelligence Surveillance Act, including Section 702 of that Act (the legal basis for the PRISM program targeting non-US persons located outside the US).
Greg Austin of the EastWest Institute published a piece in China-US Focus on August 6th in which he identifies possible push-back against the US government’s race to achieve “cyber superiority” and the emergence of “the American cyber industrial complex” from people in the US military knowledgeable about US nuclear weapons and strategy. He argues that disclosures by Edward Snowden reveal a “lack of restraint” in US cyber behavior and:
This lack of restraint is especially important because the command and control of strategic nuclear weapons is a potential target both of cyber espionage and offensive cyber operations. The argument here is not to suggest a similarity between the weapons themselves, but to identify correctly the very close relationship between cyber operations and nuclear weapons planning. Thus the lack of restraint in cyber weapons might arguably affect (destabilize) pre-existing agreements that constrain nuclear weapons deployment and possible use.
The cyber superiority of the United States . . . is now a cause of strategic instability between nuclear armed powers. . . . [I]n the long run, the most influential voice to end the American quest for cyber military superiority may come from its own armed forces. There are military figures in the United States who have had responsibility for nuclear weapons command and control systems and who, in private, counsel caution. They advocate the need to abandon the quest for cyber dominance and pursue a strategy of “mutual security” in cyber space – though that has yet to be defined. They cite military exercises where the Blue team gets little or no warning of Red team disruptive cyber attack on systems that might affect critical nuclear command and control or wider war mobilization functions. Strategic nuclear stability may be at risk because of uncertainty about innovations in cyber attack capability. This question is worth much more attention.
Cybersecurity literature contains references and analogies to nuclear weapons and nuclear strategy, including attempts to draw on the nuclear experience to address what some perceive as a cyber arms race. However, Austin is talking about something different–concern among experts that what is happening with US cyber policy, strategy, and capabilities threatens US nuclear strategy and stability. I do not know how prominent such strategic introspection actually is, or whether it deserves the level of deliberation Austin advocates.
In the most general terms, Austin seeks reassessment of what he and others believe is an insufficiently restrained American quest for superiority in military and intelligence cyber capabilities–not because of perceived threats to privacy and other civil liberties at home, but because this path might create strategic problems for US national security down the road, including in the context of nuclear weapons. For Austin, this reassessment should include more scrutiny of permitting one military officer to lead both NSA and US Cyber Command, a situation Austin provocatively describes as “an unprecedented alignment of Praetorian political power in any major democracy in modern political history.”
A unrestrained cyber industrial complex led by a cyber Praetorian guard potentially causing strategic nuclear instability? Well, now, the “national conversation” is getting more interesting by the day . . .
This past week brought more discomfort in the United States produced by Edward Snowden’s disclosures about NSA surveillance activities:
- The House of Representatives narrowly defeated a proposal to restrict NSA authority to collect telephone metadata in the United States, a vote that caused intra-party clashes within both the Democratic and Republican parties;
- Legislators in Congress grilled NSA officials on the NSA’s collection of telephone metadata within the US, producing testimony that only heightened congressional concerns about the executive branch’s metadata surveillance activities and their legal justification;
- The NSA released previously classified documents related to the now infamous Verizon Order leaked by Snowden, an effort at transparency that, apparently, did not make anything more transparent;
- Courtesy of Snowden, The Guardian revealed another NSA program, called XKeyscore, which caused another round of national and international controversy about US surveillance policies and practices; and
- The Russian government granted Snowden asylum for one year, allowing him to leave his limbo-laden life at the Moscow airport, a development that perhaps guarantees Snowden’s place in history (and not Bradley Manning) as the Benedict Arnold of the cyber age and made already fraying US-Russian relations worse.
To have Congress close to over-turning a key law passed after 9/11, to deepen tensions between the legislative and executive branches, to provoke the masters of secrecy to try to be more transparent, to wrong-foot the NSA again with a new disclosure, to cause rifts within both major US political parties, and to exacerbate problems between great powers is, ladies and gentlemen, one hell of a week, in more ways than one.
Each development of this past week deserves its own scrutiny, but my objective here is to try to assess what the sum of these episodes means for the US. The initial disclosures from Snowden brought forth calls for a “national conversation” about the implications of the revelations of NSA surveillance activities and the policy and legal justifications for them. This conversation has been extremely awkward because a proudly open and free society found itself debating critical issues kept secret by its government and only revealed by a law-breaker who sought succor in the sovereignty of anti-American governments. To quote one of history’s great admirers of the US, not our finest hour.
But, this past week should signal that the “national conversation” requires decisions needed to shape post-Snowden American policy and law on issues ranging from the privacy of American citizens dependent on digital communications technologies to the impact of cyber espionage on the power and reputation of the US in geopolitics. No one should underestimate the gravity of these decisions because the questions to be answered go deep into what America means at home and abroad. In its main leader of its August 3rd issue, The Economist–hardly an American nemesis–embeds the Snowden affair along with other post-9/11 policies in what it calls “liberty’s lost decade.”
Provocative, to be sure, but The Economist is trying to piece together what it all means for the US, from Mohamed Atta to Edward Snowden, and is encouraging Americans to re-evaluate where their government has been–from detention cells in Guantanamo Bay to “collecting it all” in cyberspace–and whether and how they want the future to be different. We might not like the headlines, the harsh questions, and the flippant or cynical condemnations of American behavior as hysterical hypocrisy. But, when someone like Edward Snowden can affect this country’s domestic politics and foreign affairs as wrenchingly as he repeatedly has (see, this past week), we have serious work to do in crafting policies and laws less dependent on the fear secrecy breeds and more confident in the resilience openness brings when betrayal from within and enmity from without test our interests and values.
On July 13, 2013, Nicole Perlroth and David Sanger published a story entitled “Nations Buying as Hackers Sell Flaws in Computer Code” in the New York Times. Perlroth and Sanger wrote:
All over the world, from South Africa to South Korea, business is booming in what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give a buyer unfettered access to a computer and any business, agency or individual dependent on one.
. . .
But increasingly the businesses are being outbid by countries with the goal of exploiting the flaws in pursuit of the kind of success, albeit temporary, that the United States and Israel achieved three summers ago when they attacked Iran’s nuclear enrichment program with a computer worm that became known as “Stuxnet.”
The flaws get their name from the fact that once discovered, “zero days” exist for the user of the computer system to fix them before hackers can take advantage of the vulnerability. A “zero-day exploit” occurs when hackers or governments strike by using the flaw before anyone else knows it exists, like a burglar who finds, after months of probing, that there is a previously undiscovered way to break into a house without sounding an alarm.
The cybersecurity challenge created by the emerging global market in “zero day” exploits has been recognized before by experts (see, e.g., efforts by Christopher Soghoian of the ACLU to highlight this issue) and journalists (see, e.g., this story entitled “The Digital Arms Trade” from The Economist on March 30, 2013). But the Times article gives this problem heightened exposure and will increase political attention on it. With companies–such as Microsoft, Google, and Facebook–and countries–such as Brazil, Britain, China, India, Iran, Israel, Malaysia, North Korea, Russia, Singapore, South Africa, South Korea, and the US–willing to buy “zero day” exploits, Perlroth and Sanger report that “the market for information about computer vulnerabilities has turned into a gold rush.”
Among the many cybersecurity issues the development of this market creates is the question of whether to regulate it, and, if regulation is thought prudent, how to regulate the problem effectively. In its article, The Economist noted that:
Laws to ban the trade in exploits are being mooted. Marietje Schaake, a Dutch member of the European Parliament, is spearheading an effort to pass export-control laws for exploits. It is gathering support, she says, because they can be used as “digital weapons” by despotic regimes. For example, they could be used to monitor traffic on a dissident’s smartphone. However, for a handful of reasons, new laws are unlikely to be effective.
The effort to turn to export-control laws as a way to regulate the sale of “zero day” exploits or, more broadly, the development and sale of purpose-built malware, suggests that strategies and “soft” or “hard” regimes used in non-proliferation and arms control might serve as a basis for thinking about what to do about the market for “digital weapons,” including:
- National export-control laws with multinational coordination of such regimes among countries (a cyber version of something like the Wassenar Arrangement);
- Bans or limitations on development, transfer, and use of certain weaponized code intended to have specific purposes or effects considered illegitimate (a cyber version of something like the Protocol Banning Blinding Laser Weapons); or
- Confidence-building measures, including declaratory policy strategies, aiming for heightened transparency and trust (cyber versions of the CBMs used in the BWC or of “no first use” declaratory statements).
The attractiveness of drawing on ideas from non-proliferation and arms control experience in the realm of cyber weapons exists, as made clear by, among other things, a provision in the proposed National Defense Authorization Act for Fiscal Year 2014 for the President to “establish an interagency process to provide for the establishment of an integrated policy to control the proliferation of cyber weapons through unilateral and cooperative export controls, law enforcement activities, financial means, and diplomatic engagement, and such other means as the President considers appropriate” (Sec. 946, Control of the Proliferation of Cyber Weapons).
Without question, reasons why cyber versions of these approaches would not work can multiply rapidly, including arguments related to the questionable effectiveness of these strategies in their traditional non-proliferation and arms control contexts. In addition, as in many areas of cybersecurity policy and law, reasoning by analogy to policies and regimes designed for other challenges breaks down rather quickly because cyber presents such a different kind of problem attached to technologies unlike what non-proliferation and arms control efforts have addressed in the past.
These various reasons are often why cybersecurity experts exhibit skepticism about “arms control” in the cyber context. Here are Paul Rosenzweig’s thoughts on this question in his blog post on the Perlroth and Sanger article on “zero day” exploits:
In the physical world, the production of weaponry is restricted by the need for an industrial base. In cyberspace, weapons are bits and bytes and produced as intellectual property. With such an ease of manufacture (comparatively) and a global market, there seems to be precious little prospect for an arms-control type approach to eliminating the trade. The market for zero-day exploits will, I think, grow exponentially in the years to come.
Rosenzweig’s prediction might well prove accurate, but policy concerns with this uncontrolled global market for “zero day” exploits and other purpose-built malware are mounting, as illustrated by the ideas being floated in the European Parliament and (perhaps ironically given significant US government participation in this market) by proposed Section 946 of the National Defense Authorization Act for Fiscal Year 2014. As the market charges on, policy anxieties and demands for action will also increase, which will make efforts to control behavior amounting to “beggar thy neighbor’s software” one of the most interesting and difficult cybersecurity challenges governments and companies face.
Surveillance Like a Cancer Grows? The Implications of NSA Intelligence Activities on the Non-Proliferation & Arms Control CommunitiesPosted: July 17, 2013
ELECTRONIC SURVEILLANCE AND THE COMMUNITIES INVOLVED IN NON-PROLIFERATION AND ARMS CONTROL
In a comment to Dan Joyner’s post on Lawyers, Guns, and Money, Yousaf Butt raised the need to link the disclosures being made about NSA surveillance to the work of people engaged on non-proliferation and arms control issues. In particular, he cited a July 6, 2013, New York Times article by Eric Lichtblau entitled “In Secret, Court Vastly Broadens Powers of N.S.A.” This article was widely read, as evidenced by The Economist basing a story on it. In the Times article, Lichtblau reported US intelligence officials obtaining “access to an e-mail attachment sent within the United States because they said they were worried that the e-mail contained a schematic drawing or a diagram possibly connected to Iran’s nuclear program.” Yousaf asked whether this example means anyone discussing nuclear proliferation could be subject to NSA surveillance. Or, more broadly, could electronic communications about WMD proliferation challenges to US national security be subject to NSA collection activities? Yousaf thought such surveillance could create a “chilling effect” that might adversely affect “free discourse” in the non-proliferation area. Dan asked me to share my thoughts on this issue, so here goes . . .
THE NUCLEAR PROLIFERATION CASE CITED IN THE TIMES ARTICLE
Section 702 of FISA
Let me start with the case reported in the Times and cited by Yousaf. Apparently, the e-mail communication that contained the attachment accessed by US intelligence officials was sent and received in the US, so, if accurately reported by the Times, this case does not involve the authority created in the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008 that permits the FISA Court to authorize “the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information,” including communications involving US persons (Section 702, Foreign Intelligence Surveillance Act, 50 USC sec. 1881a(a)). Even though this case does not involve this authority, the free speech concerns raised by lawyers, journalists, and human rights activists in Clapper v. Amnesty International (decided on standing grounds, 133 S.Ct. 1138 (2013)) apply to persons engaged in electronic communications with foreign nationals located overseas on issues relating to US national security.
FISA defines “foreign intelligence” to include “information that relates to . . . the international proliferation of weapons of mass destruction by a foreign power or an agent of a foreign power” (50 USC sec. 1801(e)(1)). As the challenge mounted in Clapper indicates, many communities of interest are concerned about the “chilling effect” of the surveillance authority created by the FISA Amendments Act. The inclusion of WMD proliferation in the definition of foreign intelligence means the non-proliferation and arms control communities have been on notice about this US government power since 2008.
However, Snowden’s disclosures of PRISM (the NSA program operated under Section 702 of FISA) revealed how the US government uses this power. People in communities of interest not previously nervous about Section 702 of FISA might now be concerned about their communications with foreign nationals, and perhaps, as Yousaf’s comment suggests, this includes persons working on non-proliferation and arms control questions. So, as with other interested persons and organizations, the non-proliferation and arms control communities should monitor what happens next with this controversy, including law suits already filed in federal court challenging PRISM.
US Communications, Metadata, and Access to the Content of Communications
However, the case reported in the Times involved an e-mail and its attachment sent and received in the US, meaning that different aspects of FISA applied to this surveillance activity. The Times article is not exactly clear what happened, when it happened, what the FISA court did, and why it did what it did (at least these things are not clear to me from the article). My point is not that the Times article is wrong; my point is that it raises more questions than it answers, and trying to answer some questions proves difficult because of a lack of information. As explained below, these questions require more scrutiny of the Times article’s claim that the FISA court “vastly broadens powers of the N.S.A.” In short, we should not jump to conclusions about the Times article and its implications. In what follows, I try to sort through what the article does contain.
Collecting Internet and E-Mail Metadata
US intelligence officials probably picked up information from collecting and analyzing “metadata” on e-mail traffic that triggered a desire to see the e-mail attachment in question. Part of Snowden’s disclosures included information about the US government’s collection of e-mail and other Internet metadata within the US after 9/11 through 2011, when this aspect of NSA surveillance was apparently terminated. Initially undertaken by the Bush administration outside FISA, the collection and analysis of e-mail and other Internet metadata came within FISA court review and approval in 2004, after which the FISA court reviewed and approved orders for such surveillance periodically until 2011, when the Obama administration stopped this particular metadata surveillance effort.
Application of the “Special Needs” Exception to Collection of Internet and E-Mail Metadata under FISA
According to the Times article, the FISA court determined that such metadata surveillance did not violate the Fourth Amendment and relied, apparently, on the “special needs” exception to the Fourth Amendment’s warrant requirement. Generally, the “special needs” exception allows the government to undertake a search without a Fourth Amendment warrant to gather information unrelated to law enforcement purposes (e.g., drug tests of railway workers; passenger screening at airports). Referring to outside legal experts, the Times article commented that this application of this exception “is significant . . . because it uses a relatively narrow area of the law . . . and applies it much more broadly, in secret, to the wholesale collection of communications” for foreign intelligence purposes, including countering terrorism, WMD proliferation, espionage, and cyber attacks. This alleged expansive use of the “special needs” doctrine by the FISA court forms part of the Times article’s observation that this court is perhaps becoming “almost a parallel Supreme Court” because it regularly assesses “broad constitutional questions” and establishes judicial precedents for foreign intelligence surveillance.
Here is where the questions about the article begin to multiply. For starters, telephony and Internet metadata is not protected by the Fourth Amendment under existing jurisprudence, so, presumably, the FISA court does not need the “special needs” exception to the Fourth Amendment to review and approve collection of metadata. As Orin Kerr commented, if the FISA court “has ruled that all metadata is outside the Fourth Amendment, that’s not a surprise.”
Next, the “special needs” exception has long been associated with the gathering of foreign intelligence by the US government and with FISA itself. As Kris and Wilson put it, “Congress enacted FISA explicitly to serve as a special need not related to ordinary law enforcement: foreign intelligence and counter-intelligence. The courts have upheld FISA under a special-needs theory against multiple constitutional challenges” (David S. Kris and J. Douglas Wilson, National Security Investigations & Prosecutions (2007), sec. 11:12, p. 11-30). So, foreign intelligence activities subject to FISA fall under the “special need” exception for foreign intelligence gathering under existing law and jurisprudence. Again, Kerr commented that, if the FISA court has held that foreign intelligence efforts to locate terrorists fall under the “special needs” exception, then “that’s not noteworthy.” The same applies to foreign intelligence gathering for other serious national security threats, such as WMD proliferation.
These observations suggest that the FISA court is not vastly increasing the powers of the NSA or acting as a “parallel Supreme Court” but is operating within existing jurisprudence and statutory law. So, what’s going on here? I’m not sure based on what the Times article contains. Now, people might be worried about the powers existing jurisprudence and statutory law give the NSA and the FISA court–but the Times article claims something new, different, and secret is happening that does not track case precedents and legislation.
Accessing the E-Mail Attachment Related to Nuclear Proliferation
As noted above, the Times article reported that US intelligence officials went beyond metadata collection and accessed the content of an e-mail communication in the form of an attachment the officials feared “contained a schematic drawing or diagram possibly connected to Iran’s nuclear program.” The Times article is not clear how, and under what authority, the US intelligence officials accessed the content of this e-mail communication. The article states that gaining such access “[i]n the past . . . probably would have required a court warrant because the suspicious e-mail involved American communications.”
Well, if the US government wanted access to the e-mail attachment for foreign intelligence purposes, then FISA requirements for obtaining a FISA court order to undertake such content-based surveillance within the US apply. However, the Times article is not clear whether US intelligence officials obtained a FISA court order to access the content of the e-mail communication in question. Confusingly, the article follows up its statement about the probable need for a “court warrant” with a description of the broadening of the FISA definition of “foreign intelligence” in 2008 to include information related to WMD proliferation–information that is not helpful to understanding whether the US government obtained FISA court approval to access the e-mail attachment in question.
If the government obtained the FISA court’s specific approval for its access to the e-mail attachment, then the government complied with the relevant law–nothing new, then, legally speaking. However, if the FISA court has constructed some “special needs” exception to the FISA requirement to obtain a specific order for electronic surveillance in the US for foreign intelligence purposes, then we might have something new to ponder. But the Times article does not provide enough information to pursue this inquiry in any productive manner. We would have to be able to examine the FISA court decisions mentioned in the article, but those remain secret.
OK, so what does all of this mean for communities interested in non-proliferation and arms control that communicate through e-mail and other electronic means with people inside and outside the US? Based on what’s in the Times article, here’s my answer:
- Since the FISA Amendments Act of 2008 added Section 702 to FISA, it has been clear that electronic communications by US persons with foreign nationals could be subject to broad, FISA court-approved surveillance to acquire foreign intelligence through targeting persons reasonably believed to be located outside the US. The Times article does not change what we have known for quite some time on this aspect of FISA.
- The Times article’s reference to the “special needs” exception creates more questions than answers, meaning that, in such a state of affairs, it is best not to rage first and ask legal questions later. We know enough to wonder whether the article is accurately describing what’s actually happened in the FISA court. But, given recent disclosures, we also know enough to worry that we don’t know everything we need to know to assess what’s going on.
- What exactly the FISA court has done in the rulings mentioned in the Times article remains unclear, and the rulings remain secret. For the time being, we don’t know what we don’t know concerning the legal reasoning used by the FISA court.
My intent is not to promote a “don’t worry, be happy” attitude about the implications of NSA surveillance programs disclosed in recent weeks either generally or specifically to work that you might do. Like many people, I worry about the scale of the surveillance the disclosures have revealed and about some legal justifications given for these secret programs. But I am also concerned that the incomplete information we are getting through leaks in dribs and drabs is creating and agitating fears that, like a toxic miasma, government surveillance is permeating everything, everywhere and affecting everybody without meaningful limits or oversight. To prevent actual and imagined surveillance from doing more damage to the body politic, more transparency is required politically and legally.
This past weekend brought more Snowden flakes about NSA spying. However, this time the alleged espionage targeted not American citizens, “foreign nationals reasonably believed to located outside the US,” or China but American allies–European Union (EU) officials, diplomatic facilities, and computer networks. If true (as seems likely from US government responses–see below), these leaks combine with the previous disclosures about NSA surveillance to inform people of the scale, capabilities, and audacity of US intelligence gathering activities.
European leaders expressed shock and took much umbrage, with some dredging up the dark spying days of the Cold War and others issuing threats of adverse consequences for upcoming US-EU negotiations on a transatlantic trade agreement. Responses from President Obama, the Director of National Intelligence, and Secretary of State made the same point–the US engages in espionage as all nations do in order to protect foreign policy and national security interests.
This response was simultaneously true and disingenuous. All countries spy in some form or another, and, European public displays of anger aside, the spying includes keeping an eye on allies. And that includes the intelligence agencies of European countries whose leaders were shocked–so shocked!–at the US gathering intelligence on their possible future actions. The response was disingenuous because the US has an intelligence capability that is unrivaled in the world and the political and economic power to pursue espionage without fear of serious consequences. See, for example, the US-EU transatlantic trade talks will start as scheduled despite lots of frothing Euro mouths.
However, not too long ago, it was American officials and politicians who were frothing about Chinese cyber spying against the US government and US-based companies. Snowden’s apparent disclosure of large-scale US cyber espionage against Chinese government, business, and academic targets and, now, allegations about US spying on European governments, makes the past few months of portraying Chinese cyber espionage as beyond the pale look, well, less impressive. Even the US attempt to distinguish economic espionage against companies from classical state-on-state spying gets lost in the growing perception–now directly re-enforced by the US government–that all countries engage in espionage against allies and rivals whenever and however they see fit. In this light, earnestly repeated assertions by China that it does not engage in cyber espionage against the US and other countries and that it is the innocent victim of American spying appear, strangely, rather unseemly for a rising world power.
Should the protagonists in these events stop whining about espionage and just get on with it? Or, do these revelations suggest that the Internet has turned “everybody does it” espionage into an out-of-control phenomenon that damages individual privacy, alliances, and great power politics and requires some re-thinking? Existing international law is permissive of spying, and the few international legal rules that contain limits do not constrain the practice in any effective way. As already indicated, Snowden’s leaks have derailed the US effort to portray Chinese cyber espionage as outside “norms of responsible behavior in cyberspace,” and the coordinated chorus from top US government officials to the latest leak that “all nations do it” might well have ended the willingness of other countries to consider American ideas about re-thinking international norms about espionage in light of the global importance of the Internet.