Hacker News

After reading the amendment, my take on it is that the EFF article is stating that the whole program needs to be scrapped and criticizing Feinstein for not doing so. Feinstein is apparently of the opinion that the program could be useful and her tactic is instead to put additional oversight in place. Here is what this bill does specify:

- Codifies that no message content may be collected under this authority

- Specifies that any queries against this data must have documentation showing "reasonable articulable suspicion that the selector is associated with international terrorism or activities in preparation thereof" (note that military/political/counter-espionage/etc. is not listed)

- A person meeting the above criteria who travels into the US may continue to be targeted for up to 72 hours. The Attorney General may grant an extension as an "emergency authorization".

- A record is to be made for each search against the database of the phone number searched for, the person who searched for it, date and time it occurred and documentation as to why the search was performed.

- The documentation for each search must be given to the FISC. The FISC is explicitly granted the ability to terminate any collection if it finds that the search was unlawful.

- Directs the FISC to appoint additional personnel with access to classified information and expertise in "privacy and civil liberties, intelligence collection, telecommunications, or any other area that may lend legal or technical expertise to the court." An annual report must be submitted to Congress on the number of personnel appointed.

- Any individual who circumvents access to the phone records database will be fined or imprisoned for up to 10 years.

- A semiannual report needs to be made to the House and Senate Intelligence Subcommittees with information on all electronic surveillance, physical searches and use of pen registers/trap and trace devices conducted under this act. The report needs to include the total number of requests made to the court, how many were approved/denied/modified, the names of any targets within the United States, compliance incidents, any emergency authorizations, etc. That information, along with any of the documentation mentioned above, must be made available on request to the NSA Inspector General, the Intelligence Community Inspector General, DoJ and the Privacy and Civil Liberties Oversight Board.

- An unclassified summary of all of the above information needs to be made available to each member of Congress.




"Feinstein is apparently of the opinion that the program could be useful and her tactic is instead to put additional oversight in place."

In other words, oversight has failed, let's use oversight to fix it. The only real reform in that list is this:

"Any individual who circumvents access to the phone records database will be fined or imprisoned for up to 10 years"

Of course, without periodic public review of the NSA, we will never know if people are being punished for that sort of thing. At this point we have no reason whatsoever to trust any secret oversight or secret courts. We got into this mess because everything the NSA does is done in secret, and because the FISC operates in secret, and because when someone breaks the rules it is reported to people who are sworn to secrecy.

Of course, public review is conspicuously absent from that list. Only privileged members of Congress, long out of touch with the public, will be reviewing this -- it's business as usual.


It's worth noting that a month ago the EFF was calling for people with technical and civil liberties expertise to help provide more oversight [1].

The NSA exists solely for the purpose of gathering foreign intelligence - it's a spy agency. As a result, you'll never be able to get completely transparent public review of their activities without making them effectively useless. I see a few options on the table:

A) Go with the status quo, not change anything, and just trust the NSA to do its business under the existing oversight.

B) Strengthen the oversight to further ensure that the NSA is only conducting the work it's authorized to do against the targets it's authorized to spy on.

C) Assert that espionage just isn't worth it and just take the tools away from the NSA.

There are plenty of things that you can do under option B to address problems. Some of them are in this bill, and some of them can be made available to the public. Members of Congress have conflicting views on how much information they've been given by the NSA [2], which to me implies that some take their positions on the intelligence committees more seriously than others. If you look at the actual video of the hearing, Congressman Mike Rogers suggests that serving on the intelligence committee is a much bigger responsibility than serving on the other committees and they can't bring their staffers to assist [3]. If Congress isn't capable of providing the oversight they tasked themselves to do with the resources they have, then they need to either gather the resources they need or appoint another group to conduct oversight in a manner that can effectively ensure to the public that the NSA is gathering valid foreign intelligence and nothing else.

[1] https://www.eff.org/deeplinks/2013/10/47-prominent-technolog...

[2] http://www.reuters.com/article/2013/10/29/us-usa-security-ns...

[3] http://www.c-span.org/Events/Intel-Officials-Discuss-Propose... (jump to about 01:34:00)


> The documentation for each search must be given to the FISC. The FISC is explicitly granted the ability to terminate any collection if it finds that the search was unlawful.

I thought they were already supposed to do that, and the reason they had a "Court" of judges in the first place. Why would I believe anything will change with regard to that Court, once this bill is passed?

Also, as Bruce Schneier says, "metadata is surveillance":

https://www.schneier.com/blog/archives/2013/09/metadata_equa...

They assassinate people with signature strikes based on metadata, so don't say "metadata isn't important". It's deadly so.

The solution isn't to allow them to only collect metadata (only in US, seems they will keep collecting everything on "foreigners"), it's to end "mass surveillance", whichever way it's done. Surveillance should only ever be targeted. As whistleblower and former NSA William Binney said recently, NSA used to do that - they didn't always do mass surveillance on every country's individuals.

And finally, Feinstein just can't be trusted. For all we know that bill was written by NSA itself, knowing full well how they could "interpret" some of the stuff in the bill.


> - Specifies that any queries against this data must have documentation showing "reasonable articulable suspicion that the selector is associated with international terrorism or activities in preparation thereof" (note that military/political/counter-espionage/etc. is not listed)

This language only modifies FISA section 501, which pertains to bulk collection of business records (i.e. Verizon phone call data), and not 702 [1].

The amendment adds language explicitly allowing searching of US communications under 702, despite the section being titled "[p]rocedures for targeting certain persons outside the United States other than United States persons" and starting with "limitations: may not intentionally target a United States person".

Although 702 has been used to target US citizens [2], the law doesn't reflect this usage -- yet.

Here is the addition [3]:

> A query of the contents of communications acquired under this section with a selector known to be used by a United States person may be conducted by ... the Intelligence Community only if the purpose of the query is to obtain foreign intelligence information or information necessary to understand foreign intelligence information or to assess its importance.

And the loophole (a 2nd one is omitted here):

> Nothing in this subsection may be construed to limit the authority of a law enforcement agency to conduct a query for law enforcement purposes of the contents of communications acquired under this section.

This is the only part of the amendment that I read, and it looks a lot like Swiss cheese already.

1. Section 702: http://www.law.cornell.edu/uscode/text/50/1881a

2. http://www.theguardian.com/world/2013/aug/09/nsa-loophole-wa...

3. Section 6 of the amendment.


You're right - most of this bill focuses more on section 501. That's where most of the debate in Congress has been, as it specifically collects on US citizens. You have a good reason for concern on the section 702 parts, but I disagree on why. The part on section 702 doesn't authorize collection against US persons - it's strangely worded. "A query of the contents of communications acquired under this section with a selector known to be used by a United States person" - in other words, the collection must already be acquired in the documented pursuit of a valid foreign intelligence target under section 702 (b) [1]. The analyst can then search the collection for selectors known to be used by a US person. (EDIT: reworded for clarification) The bill goes on to say that this may only be done for the purpose of gathering foreign intelligence information and must be documented and reported to Congress, DoJ, FISC, etc.

The concern here is that it may be a loophole to allow reverse targeting - collecting a foreigner's communications not because the foreigner is interesting, but rather because the Americans that foreigner is in contact with are interesting. Personally, I'd like to see more language in the bill to address this.

Your second loophole doesn't apply to the NSA (they're not a law enforcement agency), but is a concern for the FBI. It doesn't make much sense to me why it would be worded this way in her bill, since the potential loophole is addressed in Section 704 of the existing law:

"No element of the intelligence community may intentionally target, for the purpose of acquiring foreign intelligence information, a United States person reasonably believed to be located outside the United States under circumstances in which the targeted United States person has a reasonable expectation of privacy and a warrant would be required if the acquisition were conducted inside the United States for law enforcement purposes, unless a judge of the Foreign Intelligence Surveillance Court has entered an order with respect to such targeted United States person or the Attorney General has authorized an emergency acquisition pursuant to subsection (c) or (d), respectively, or any other provision of this Act."

I'd also like to address your targeting US citizens argument:

> Although 702 has been used to target US citizens [2], the law doesn't reflect this usage -- yet.

That's a bold claim, and the evidence you provide doesn't seem to support that. I'm not saying that it hasn't necessarily happened, but the evidence isn't there. From the article you cite:

"While the FAA 702 minimization procedures approved on 3 October 2011 now allow for use of certain United States person names and identifiers as query terms when reviewing collected FAA 702 data," the glossary states, "analysts may NOT/NOT [not repeat not] implement any USP [US persons] queries until an effective oversight process has been developed by NSA and agreed to by DOJ/ODNI [Office of the Director of National Intelligence]."

...

The document – which is undated, though metadata suggests this version was last updated in June 2012 – does not say whether the oversight process it mentions has been established or whether any searches against US person names have taken place.

I'd like to see a document showing specific examples of instances where 702 was used to target Americans and what the NSA's reason for doing so was. This shows a blurb saying that certain minimization procedures have been proposed, but have not been approved, so analysts are still not allowed to query against US persons.

The article goes on to cite leaked minimization procedures [2]. Those procedures talk a lot about what to do if the NSA comes across US communications, procedures standardizing how to determine whether or not a selector belongs to a US person, what to do if an analyst finds out that they've inadvertently targeted a US person, what to do if a foreign target comes to the US, etc.

There's a whole section in 702 detailing how minimization procedures are to be established and updated (see section entitled "Judicial review of certifications and procedures") - the Attorney General and FISC both need to sign off. The blurb seems to fit with the bill that Feinstein is putting forward. It's anyone's guess as to whether the minimization procedures were approved by the courts and DoJ first and are being legitimized by the bill, or if the courts/DoJ said the law won't back up that interpretation and Feinstein is now trying to fill it in.

[1] https://www.govtrack.us/congress/bills/110/hr6304/text

[2] http://www.theguardian.com/world/2013/jun/20/fisa-court-nsa-...


> Your second loophole doesn't apply to the NSA (they're not a law enforcement agency), but is a concern for the FBI.

Good to know, thanks.

702 doesn't allow intentional collection of US communications - intentional being a key part, as they are only required to minimize the amount of US communications collected. For example, the leaked minimization procedures include "[t]he communications that may be retained include electronic communications acquired because of limitations on NSA’s ability to filter communications."

The proposed amendment has no bearing on collection, but would allow querying of the data incidentally collected on US citizens under 702.

"Reverse targeting" is explicitly disallowed by 702(b)(2): "may not intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States."

From a 2012 Committee on Intelligence report:

"[D]ue to the nature of the collection and the limits of the technology involved, it is not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed under Section 702 authority."

"Finally, on a related matter, the Committee considered whether querying information collected under Section 702 to find communications of a particular United States person should be prohibited or more robustly constrained. With respect to analyzing the information lawfully collected under Section 702, however, the Intelligence Community provided several examples in which it might have a legitimate foreign intelligence need to conduct queries in order to analyze data already in its possession."

http://www.emptywheel.net/2013/06/25/confirmed-nsa-does-sear...


Executive branch oversight of government programs has never been effective in protecting the citizenry from harm in the past, and there is no reason to believe this 'effort' would be any different.


FISC is part of the problem, so it cannot be a part of the solution.

The same goes for the intelligence committees.


> ..."...associated with international terrorism..."...

Is "terrorism" defined? If not, everything will be stretched to fall under its meaning.


That wouldn't help either. If something as explicit as the Seventh Amendment's "twenty dollars" requirement can be argued away, anything can.

http://faculty.msb.edu/hasnasj/GTWebSite/MythWeb.htm



