The Senate Intelligence Committee approved legislation last week to renew the National Security Agency’s internet surveillance program, currently authorized under the Foreign Intelligence Surveillance Act (FISA) Section 702, which is due to expire at the end of the year if Congress does not pass a new bill. The full Senate will now deliberate the bill, known as the FISA Amendments Reauthorization Act of 2017, as other proposals are competing to replace it, like the USA Rights Act and USA Liberty Act. The Cipher Brief’s Levi Maxey spoke with Rick Ledgett, the former Deputy Director of the NSA, about the significance of FISA Section 702 and how its authorities are being practically implemented by U.S. intelligence professionals everyday.

The Cipher Brief: Why are the authorities under FISA Section 702 so important to national security? What problems does it seek to solve?

Rick Ledgett: FISA Section 702 is a law that lets the United States take advantage of the fact that the it leads the world in the development of communications, applications and services that people all around the world use.

Up until a year or so ago, Google mail was the most popular email service used by terrorists. That is not because Google is evil, it is because it is a great service, it is ubiquitous, it is reliable, and it is robust – I have a Gmail account, for example.

So what Section 702 authorizes is legal ability to target foreign intelligence targets who we believe to be overseas, but who happen to be using U.S.-based providers. That applies to everything from terrorists – who are the iconic example – to cyber threats, counterintelligence threats and proliferators of weapons of mass destruction.

TCB: Section 702 allows for “upstream” and “downstream” collection. What are the differences between them?

Ledgett: Upstream refers to collection of communications in transit, using very specific selectors designed to get the communications of interest; that’s important both to minimize the likelihood of inadvertent collection of U.S. person information and to manage the volume of data brought in. The intent is content collection for specific targets. Collecting everything is not a strategy that is used.

Downstream refers to the collection of stored communications using specific selectors, e.g. from a target’s mailbox. The intent is to get the content of the target’s communications. In the event inadvertent collection of U.S. person info occurs, minimization procedures are applied that protect the identity of the U.S. person.

In neither case does the government directly interface with the communications media. These are all through providers. There is no case under 702 where the government goes and directly taps a server or a fiber. That doesn’t happen under these authorities.

TCB: As far as the utility of the intelligence collected under these authorities, is it primarily useful in preventing security incidents, such as a terrorist or cyber attack, or is more useful for retroactive digital forensics?

Ledgett: It is used for both. The principle purpose and the desired outcome is preventive – identify activity, identify people who are involved in planning some activity that we don’t know are involved in a terrorist attack and ideally being able to disrupt it in some way through police action or through another nation’s action or through military action. By the same token, it is also protecting our forces and our people overseas. We can use it to determine that someone is planning a suicide bombing attack or an ambush of some kind, and then we obviously get that information out as quickly as possible to try to prevent it.

It is also useful in forensics after the fact. But this is not just what happened in this particular event, but who were the people that they were working with, and are there other plots? Is this part of a larger plot? This then gets you back into the preventive. It works both ways.

TCB: What do you define as collection, and what are the steps needed to actually use these authorities?

Ledgett: Let’s start with the actual act of collection. An analyst finds a foreign intelligence target after doing a lot of research and behind the scenes digging through open source information and other intelligence sources. They determine the location of that target to see if it is overseas. Then they go through a process internal to NSA of nominating that foreign intelligence target through an analytic supervisor approval process for targeting. It has to fall under one of the three certifications that are signed by the Director of National Intelligence and the Attorney General for approval – one is for counterterrorism, one is for counter proliferation, and the third one has not been publically discussed so I am not going to do it here.

If the foreign intelligence that we are seeking to find falls into one of those three categories, then we go through the nomination and vetting process for the selector. It does not require a court order because it is a foreign intelligence target, and it is overseas as has been established through the nomination process. The target is then sent out to the relevant private sector providers, and they implement that collection and then provide information back to the government. Then the information resides in a database, and the analysts who initially tasked it and are looking to produce intelligence on it get the results of that collection and produce their intelligence by often merging with other information – it is rarely a stand-alone piece of collection that results in a report.

Then other analysts when doing their research can query against that collected data because the information is often responsive to multiple foreign intelligence topics and activities.

However, in collecting foreign intelligence that was deemed overseas, you will occasionally get what is called incidental collection of a U.S. person who happens to be a communicant with that foreign intelligence target or is in a CC line on an email, for example. Those persons are not U.S. foreign intelligence targets.

When we see incidentally collected U.S. persons, we do what is called minimize the information – when we write foreign intelligence reports on the foreign intelligence targets, we either won’t refer to the U.S. person at all, or if we do, we refer to them as “U.S. Person 1” or “U.S. Person 2.”

Then the report goes out, and if a recipient of that report says that in order to really understand that report, they need to know who “U.S. Person 1” is, then they can come back and request what is called an “ident,” or identity request, to learn the identity of that U.S. person. There are only a certain number of valid reasons to do that, and if that is approved by the 20 or so people at NSA who are authorized to approve that, then that ident goes back to just the requester. This is what has been called in the press “unmasking,” and it is something that is done on a fairly regular basis, and it is documented who asked for it and why.

TCB: Some have expressed concern that the FBI could query NSA collected foreign intelligence data for information on U.S. persons committing crimes, rather than national security threats such as terrorism. How does this work?

Ledgett: A House Judiciary Committee proposed bill, the USA Liberty Act, proposes limiting the ability of the FBI to query using U.S. persons’ identifiers. So, for example, if the FBI has an email address for a person that they think is involved in a terrorist attack – national security sorts of things – then the FBI would be allowed to use that selector to query the collected data. If it were a criminal case, the proposal is that FBI would be allowed to query to get metadata only to see if there is anything there, and then if they wanted to get the actual content, they would have to go to court and show probable cause to get a warrant to do that.

As an American, I think that is an okay solution. The danger there is how that is going to be written, because if it is written poorly, it can completely lock the system up and implicate national security as well as criminal sorts of things. So if that is the route that the Congress goes, then that law needs to be written in conjunction with the people that are going to have to implement it. Otherwise, we will have unintended consequences, and something that is designed to protect people from one sort of government activity will actually expose them from a national security point of view.

TCB: Earlier this year, the NSA decided that it would end “about” collection, or collection where the foreign intelligence target is merely mentioned within a communication, due to compliance issues when querying databases. Could you explain what those compliance issues were and whether they were willful abuse or not?

Ledgett: The issue you are talking about was the fact that the database that held collected traffic did not allow people to exclude “about” collection when they launched a query. Now the controls on this are all very fine grained, so in some cases whether something is allowed or not is the analyst’s intent when they launch a query. The database in question, we found after the fact, did not allow the individual to opt out of “about” collection, and it didn’t tell them that they were querying “about” collected data. So there was a very small number of analysts who on a few occasions launched a query that was in violation of the Foreign Intelligence Surveillance Court (FISC) rules that determine NSA compliance procedures and did not know about it till after the fact. They didn’t realize they were doing something they weren’t suppose to do because the database wasn’t set up right.

The USA Liberty Act also includes provision in the law that targets things that are currently in “policy and procedures.” The danger of codifying the end of “about” collection in law – again, this where there has been no willful abuse of the system – rather then putting it in policies and procedures, is that it makes it so that every little mistake that happens is a violation of law. That is a dangerous place to be.

What it does is take what is a political risk and turns it into an operational risk – in their intent to follow the law, people will be even more cautious in what they do, and they will back away from the legal authorities they have out of an abundance of caution for the law. That is a dangerous place in the nation to be. You can accomplish the same issues of trust by having robust reporting requirements to the Congress in there.

TCB: In the USA Liberty Act there is also a provision for the NSA to provide a good faith estimate for the number of U.S. persons they collect. Is this realistic to achieve, or even desirable, with any kind of accuracy?

Ledgett: The problem is that email addresses don’t identify whether it is a U.S. person or not. Is [email protected] a U.S. person? There is no way to tell short of them telling you somehow or doing a pretty high-level analysis on that. The effort to do that is unbelievably complex.

Now that is a different thing than saying tell me about every U.S. person that you happen to identify in your collection – such as if they say in an email, “Hey, this is Joe in Cincinnati.” Then you can count that. But if it requires them to look through all the data and try to tell me all the U.S. persons, that is extraordinarily difficult and imprecise.

TCB: Last thoughts?

Ledgett: Section 702 is an extraordinarily important authority for the nation. It is the major contributor to the counterterrorism intelligence mission, and it is a major contributor to other intelligence topics as well, such as cybersecurity, counterintelligence, counter proliferation and some other missions. It is critical that the Congress renews this and, again, over legislating things is extraordinarily dangerous, and so Congress should work with people who have to implement the legislation as it was intended without the bad second and third order effects.