(UPDATED July 5, 2017)
During his very first interview, former NSA contractor Edward Snowden pretended that he, sitting behind his desk "certainly had the authorities to wiretap anyone, from you, or your accountant, to a federal judge, or even the President if I had a personal e-mail".
Right from the beginning, intelligence experts doubted that individual NSA analysts would have such far-reaching powers. By looking at the legal authorities and procedures that regulate NSA's collection efforts, it becomes clear that it is highly unlikely that Snowden, or other analysts could have done that in a legitimate way.
Targeting US citizens under FISA authority
The National Security Agency (NSA) collects foreign signals intelligence outside the US, but in a few special cases, it is also allowed to collect data about US citizens or to collect data inside the US. This is shown in the following decision tree:
Diagram with a decision tree showing the various legal authorities
under which NSA can collect Signals Intelligence (SIGINT)
(click to enlarge)
> See also: NSA's Legal Authorities
In the interview, Snowden was talking about wiretapping ordinary US citizens as well as US government officials. According to the Foreign Intelligence Surveillance Act (FISA) from 1978, the NSA is only allowed to monitor the communications of such US citizens, US residents or US corporations when they are suspected of espionage or terrorism.
If NSA thinks that's the case, then they have to apply for an individual warrant from the Foreign Intelligence Surveillance Court (FISC) by showing that there is probable cause that the intended target is an agent of a foreign power (section 105 FISA/50 USC 1805), or associated with a group engaged in international terrorism. Depending on the type of surveillance, the FISC then issues a warrant for a period of 90 days, 120 days, or a year.
Acquiring an individual FISA warrant
So, when Snowden really had the authority to wiretap ordinary Americans and US government officials even up to the President, then he would have had to provide probable cause that these people were either foreign agents or related to terrorist groups.
For the President this would only be imaginable in films or television series, and it would only apply to very few other Americans. In other cases the NSA would and will not get a FISA warrant to eavesdrop on US citizens or residents.
Snowden often said that he sees the FISA Court as a mere "rubber stamp" because it approves almost all requests from the intelligence agencies. However that may be, obtaining an individual FISA warrant isn't easy: a request needs approval of an analyst's superior, the NSA's general counsel, and the Justice Department, before it is presented to the FISA judge.*
Collection under section 702 FAA
Maybe some people would ask: wouldn't it be easier to target US persons through the PRISM program, under which NSA collects data from major US internet companies like Facebook, Google, Yahoo, Microsoft?
The answer is no, despite the fact that PRISM is governed by section 702 of the FISA Amendments Act (FAA), which was designed to collect data faster and easier. As such, section 702 was enacted in 2008 to legalize the notorious warrantless wiretapping program, authorized by president George W. Bush right after the attacks of 9/11.
But what many people don't realize, is that the special authority of section 702 FAA can only be used to collect communications of non-US persons located outside the United States.
The NSA uses section 702 not only to gather data through the PRISM program, but also by filtering internet backbone cables operated by major US telecommunication providers, in order to grab the communications associated with specific e-mail addresses. This is called Upstream collection.
Section 702 FAA certifications
What makes section 702 FAA collection faster is that instead of an individual warrant from the FISA Court, NSA gets a general warrant for some specific topics, which is valid for one year.
For this, the US Attorney General and the Director of National Intelligence (DNI) annually certify that specific legal requirements for the collection of time-sensitive and higher volumes of data have been met and how these will be implemented.
These certifications are then reviewed by the FISA Court to determine whether they meet the statutory requirements, like hiding names and addresses of US citizens when their communications come in unintended. The court then issues an order that approves the certification.
Until now, we know of section 702 FAA certifications for three topics:
- Foreign Governments (FG, Certification 2008-A, including cyber threats?)
- Counter-Terrorism (CT, Certification 2008-B)
- Counter-Proliferation (CP, Certification 2009-C)
These certifications include some general procedures and specific rules for minimizing US person identifiers. They do not contain lists of individual targets. Maybe this contributed to Snowden's idea that analysts are allowed to select targets all by themselves. But even then, this only applies to foreign targets and only to a few specific categories.
In a report by The Washington Post from July 5, 2014, it was said that Snowden, in his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center, had "unusually broad, unescorted access to raw SIGINT under a special ‘Dual Authorities’ role", which reportedly refers to both section 702 FAA (for collection inside the US) and EO 12333 (for collection overseas).
Those two authorities allowed him to search stored content and initiate new collection without prior approval of his search terms. "If I had wanted to pull a copy of a judge’s or a senator’s e-mail, all I had to do was enter that selector into XKEYSCORE", so he did not need to circumvent [access] controls, Snowden said to the Post.
So, when Snowden apparently had the 702 FAA and EO 12333 authorities, this means he wasn't authorized to target American judges or senators, in the sense of initiating real-time wiretapping, because for that the traditional FISA authority and a warrant from the FISC is needed. It looks like he confirms this by saying "If I had wanted to pull a copy of a judge’s or a senator’s e-mail", which sounds more like pulling such an e-mail from a database.
This also seems to be confirmed by the fact that Snowden points to XKeyscore for getting such e-mails. XKeyscore is mainly used to search data that already have been collected in one way or another, particularly at access points outside the US. The common way to start new surveillances is through the Unified Targeting Tool (UTT, see below).
Indeed there's a legal way to search for communications of US persons in data that have already been collected: according to an entry in an NSA glossary published by The Guardian in August 2013, the FISA Court on October 3, 2011 allowed using certain US person names and identifiers as query terms on data already collected under 702 FAA:
This became known as "back-door searches". These queries might be questionable, but unlike the term "back-door" suggests, they are not illegal, as the practice was approved by the FISA Court. In a letter to senator Wyden from June 2014, DNI Clapper revealed that not only NSA, but also CIA and FBI are allowed to query already collected 702 FAA data in this way.
In August 2014, former State Department official John Napier Tye revealed that NSA is also allowed to use US person names to query data collected under EO 12333, but only those that have been approved by the Attorney General and for persons considered to be agents of a foreign power.
Backdoor search approvals
Clapper explained that these backdoor queries are subject to oversight and limited to cases where there is "a reasonable basis to expect the query will return foreign intelligence". Querying by using US person identifiers is only allowed for data from PRISM, not from Upstream collection. In 2013, NSA approved 198 US person identifiers to be queried against the results of PRISM collection.
The PCLOB report (pdf) about 702 FAA operations says that "content queries using U.S. person identifiers are not permitted unless the U.S. person identifiers have been pre-approved (i.e., added to a white list) through one of several processes, several of which incorporate other FISA processes".
The NSA's Minimization Procedures from October 2011 also say that US person identifiers may only be used as query terms after prior internal approval (as is the case with such queries under EO 12333).
For such searches, NSA for example approved identifiers of US persons for whom there were already individual warrants from the FISA Court under section 105 FISA or section 704 FAA. US person identifiers can also be approved by the NSA’s Office of General Counsel after showing that using that US person identifier would "reasonably likely return foreign intelligence information". All approvals to use US person identifiers to query content must be documented.
Circumventing official procedures
So far, we examined the legal options for analysts to get access to American e-mails, but in an interview from June 10, 2013, Glenn Greenwald explained that the "authority" Snowden was talking about, was not an authority in a legal sense.
According to Greenwald, Snowden meant that "NSA have given [analysts] the power to be able to go in and scrutinize the communications of any American; it may not be legal, but they have the power to do it".
So it may not be legally allowed that "any analyst at any time can target anyone, any selector, anywhere", but they may have the technical capability to do so. In other words, wiretapping anyone is only possible when analysts (intentionally) circumvent the official procedures and safeguards.
In this interpretation, Snowden apparently warned against the risk that individual analysts could misuse their power, which contradicts his claim earlier on in the interview, saying he that the whole agency "targets the communications of everyone" and then ingests, filters, analyses and stores them.
Unified Targeting Tool
Illegally intercepting American e-mails by circumventing official procedures could be conducted by manipulating targeting instructions given through the Unified Targeting Tool (UTT), which is a webbased tool that is used to start the actual collection of data.
A rogue analyst could for example confirm that there's a FISA warrant, when there's not, or provide a fake foreigness indicator, so someone could be targeted under the authority of Executive Order 12333, which doesn't require the procedure of acquiring a FISA court approval.
A rare screenshot of the Unified Targeting Tool (UTT), which shows some of the
fields that have to be filled in. We see that data about a "FAA Foreign
Governments Cert." is missing and therefore not valid to task (see below),
and also a drop down menu with various Foreigness Factors.
Unfortunately no manual for this tool has been disclosed, although that would have been useful to learn more about internal safeguards to prevent misuse. The NSA itself also didn't release such documents, which could have contributed to more trust in the way they actually operate.
We have no details about the NSA's internal procedure for intercepting individual US citizens, but we do know about the process for collection under the PRISM program.
As PRISM is used for collecting data about foreigners, it can be considered somewhat less restrictive than collecting data about US persons, for which there may be some extra safeguards and checks. The PRISM tasking process is shown in this slide:
We see that after the analyst has entered the selectors (like a target's phone number or e-mail address) into the UTT, this has to be reviewed and validated by (in this case) either the FAA adjudicators in the S2 Product Line, or the Special FISA Oversight unit.
A final review of the targeting request is conducted by the Targeting and Mission Management unit. Only then the selectors are released and put on lists which the FBI presents to the various internet companies, who will then pull the associated communications from their servers and systems.
For targeting foreigners on collection systems outside the US (which is governed by EO 12333), there are less restrictions, but also this is still not completely at the will of individual analysts. At least every eavesdropping operation has to be in accordance with the goals set in the NSA's Strategic Mission List and other policy documents.
Nonetheless, recently declassified NSA reports to the president's Intelligence Oversight Board (IOB) show that there have been cases in which there was an abuse of the collection system, either wilfully or accidentally. The majority of incidents both under FISA and EO 12333 authority occured because of human error.
It shows that despite the safeguards, some unauthorized targeting and querying can still happen, but also that the internal oversight mechanisms detected them afterwards, with the selectors involved being detasked, the non-compliant data being deleted and the analysts being counseled.
Snowden talked as if it would be easy for NSA analysts to wiretap anyone, but as we have seen, the official procedures do not authorize targeting US persons. He apparently did have the authority to use US person identifiers for querying data that were already collected.
But contrary to what Snowden said, these queries are only allowed after prior approval, which makes it highly unlikely that e-mail addresses from American judges or senators, let alone from the President would make it through.
Without an easy legal way, Glenn Greenwald tried to rescue Snowden's claim by saying that it wasn't about legal authorities, but about the technical capabilities that enable NSA analysts to access American e-mails, whether that would be legal or not.
Internal NSA reports do show that it is possible to enter incorrect or unapproved e-mail addresses into the collection system, but also that most of these cases are (afterwards) detected by oversight systems.
(Edited after adding Greenwald's interpretation of Snowden's words and adding the non-compliance incidents. Also added an addendum about Snowden's authorities based upon a 2014 report by The Washington Post, and added an explanation about the back-door searches)
Links and Sources
- Privacy and Civil Liberties Oversight Board: Section 702 Program Report (pdf)
- Webpolicy.org: Executive Order 12333 on American Soil, and Other Tales from the FISA Frontier
- Stanford Law Review: Is the Foreign Intelligence Surveillance Court Really a Rubber Stamp?
- The Guardian: The top secret rules that allow NSA to use US data without a warrant
- EmptyWheel.net: Postings about section 702 FAA
- Robert S. Litt, ODNI General Counsel: An Overview of Intelligence Collection
- Related documents:
- President Policy Direction (PPD) 28 Section 4 Procedures (pdf) (2015)
- Foreign Intelligence Surveillance Act - Summary Document (2008)