The NSA's 702 Shutdown Is Good News, But There Are A Whole Lot Of Caveats

from the ALL-THE-ASTERISKS dept

The surprising shutdown of the NSA's email harvesting program -- one that operated "upstream" and grabbed not just communications to and from surveillance targets, but also those "about" surveillance targets -- is good news. Considering the NSA had done nothing but abuse this specific privilege, the shutdown is a welcome surprise. But it's not great news, for a variety of reasons.

First, the shutdown arrives on the heels of a yearlong denial of surveillance requests by the FISA court. This indicates the NSA was either still abusing its collection or the court no longer felt the program was constitutional, at least not the way the NSA was running it. The shutdown seems to reflect the NSA's inability or unwillingness to shift towards more targeted surveillance methods -- ones that won't sweep up lots of US persons' communications inadvertently.

It also suggests the program -- at least the upstream part of it -- is no longer as useful as it used to be. The rise in default encryption by email providers may be preventing the NSA from gathering as much info as it used to, as Julian Sanchez explains at Just Security.

[I]t is entirely possible that the change is driven in significant part by the broader post-Snowden adoption of STARTTLS encryption of communications between e-mail servers. That is, it is quite plausible that a large and growing percentage of transiting e-mail traffic is simply no longer visible to NSA, and must be accessed “downstream” at the e-mail server itself, rendering this form of collection less worth picking fights with the FISC over.

The NSA's statements about the shutdown mention that it will still be performing upstream collections but removing the "about" search variable. The agency notes this will decrease the amount of captured communications. But it's quite possible it was seeing fewer and fewer communications before it made this decision. The NSA shouldn't be too concerned about this loss (and it likely isn't), considering it has other options it can use to capture the communications it says it won't be capturing anymore.

[T]o the extent the traffic remains visible to NSA, they may simply have decided that it is easier to do the same “about” scans outside the borders of the United States, beyond the purview of either FISA or the FISC.

This is an option the NSA has deployed before. In 2011, the NSA killed off its bulk domestic collection of US persons' email metadata. Or so it said. In reality, it simply stopped gathering this data from domestic providers.

The [Inspector General's] report explained that there were two other legal ways to get such data. One was the collection of bulk data that had been gathered in other countries, where the N.S.A.’s activities are largely not subject to regulation by the Foreign Intelligence Surveillance Act and oversight by the intelligence court. Because of the way the Internet operates, domestic data is often found on fiber optic cables abroad.

This option is still viable and possibly of much more use to the NSA. If so, the NSA may be giving up part of its upstream collection in hopes of preventing its offshore and downstream collections from being scrutinized as thoroughly in the run-up to the renewal of the FISA Amendments Act.

This is just what isn't being done upstream or under Section 702. The NSA still can gather plenty of US persons' communications -- incidentally or not -- under Executive Order 12333.

[T]he NSA’s authorities under executive order 12333 are vast, undisclosed and unconstrained by any need to explain its collections to the Fisa court. A former state department official who has warned Congress about 12333, John Napier Tye, has alleged that the NSA uses 12333 as a backup plan to route around legal restrictions on US surveillance. “To the extent US person information is either stored outside the United States, routed outside the United States, in transit outside the United States, it’s possible for it to be incidentally collected under 12333,” Tye told the Guardian in 2014.

Whatever the NSA might be losing, it can only be a small percentage of its total take. It also has the option of asking friendly foreign intelligence agencies to perform these searches for it -- again without having to notify the FISA court.

The final problem with the NSA's announcement is that it's unmoored from legislation. Unlike the drastic modification of the Section 215 metadata program -- which was tied to statutory requirements laid down by the USA Freedom Act -- the voluntary shutdown of the "about" collection doesn't contain anything legally binding. As the ACLU points out, without codification the NSA could start its collection up again without notice, provided it has found a way to comply with the FISA court's demands… or found a better way to look like it's in compliance.

Filed Under: 702, about collections, mass surveillance, nsa, surveillance