[Ed. note -- We are pleased to feature a guest post today by Kit Walsh of the Harvard Law School Cyberlaw Clinic. More information on Kit and Kit's practice can be found here.]

In the midst of confusion over the NSA's spying powers, even members of Congress who voted for the applicable laws claim surprise at how they are playing out in practice. With defenders of spying saying to “read the statute” to understand its privacy protections, I thought I'd do just that.

Say I'm the NSA and I want to legally justify a court order giving me access to private emails of Occupy activists (so I can join in the FBI and DHS surveillance of peaceful protesters, for example). It's a domestic political movement, so that sounds as if it should be pretty hard, right? Let's see...

Just to challenge ourselves, we'll ignore the several statutory provisions and other doctrines that allow for spying without court oversight, such as urgent collection, gathering information not considered protected by the Fourth Amendment, the wartime spying provision, or the president's "inherent authority" for warrantless spying. Let's also ignore the fact that we have general wiretaps ala the Verizon order on phone metadata and Internet traffic that we can fish through in secret. Let's actually try to get this by the FISA Court under 50 U.S.C. §§ 1801-1805 for electronic surveillance or § 1861 for documents and records.

First Hurdle : I need "probable cause" to believe the "target" is a "foreign power" or "agent of a foreign power." This is great - I don't need probable cause of any crime, just something relating to the identity of the "target." And if the "target" of my investigation meets those criteria, I can slurp up all sorts of data about US people, subject only to toothless "minimization" requirements I'll discuss in step 2. To obtain stored records such as emails, it's even easier. The court is instructed to presume that I am entitled to an order to get those records if I can just show "reasonable grounds to believe" the records are "relevant to" investigating a foreign power or an agent of a foreign power or someone "known to" a suspected agent of a foreign power.

So, can I consider "Occupy" itself to be a foreign power? Believe it or not, any foreign-based political organization qualifies unless it is "substantially composed" of US persons. So all the Occupy branches in other parts of the world, and their agents, are valid "targets" for surveillance (as well as AdBusters, the Canadian organization that first called for an occupation of Wall Street). That's a great start. I bet a lot of the domestic Occupiers are within one or two links of a person directly communicating with a "foreign power" or one of their "agents," so I'll ask for their communications as part of my "targeting" the foreigners. Actually, some of the foreign-run banks and corporations they're protesting might qualify as valid foreign targets, too. I'll "target" them... by reading emails of people talking about their actions, and maybe their private intelligence about the protesters.

Second Hurdle : I'm going to have to "minimize" the data I collect about US persons. But wait! I don't have to minimize if it's evidence of a "crime" that has been or might be committed. All of Occupy's civil disobedience organizing is fair game for surveillance. I bet I can find evidence of drug crimes in here, too, and who knows what else? That'll give the state some leverage in case these uppity protesters get out of hand. I also have the general "national security" and "foreign affairs" exceptions to minimization, which might help if the protesters plan to demonstrate at sites relevant to national security or at diplomatic summits. Of course, the court can require me to minimize even in those circumstances, but they don't have to, and no one will ever know one way or the other. Besides, the secret "minimization" procedures may sound good to laypeople, but anyone who follows privacy research knows that it's really easy to re-identify people from anonymized records if you have other databases to correlate data against, and boy do we ever!

Third Hurdle : Maybe tech companies won't like it. But I have a court order, and I already beat Yahoo in court, so there's nothing they can do, and I'll pay them well for their time. They've already built me these nice PRISM systems to streamline the data acquisition process for me, so let's get spying!

Fourth Hurdle : Some Senators are whining about the invasive spying. Solution: Send in Director of National Intelligence James Clapper to lie to our Congressional overseers about what we do.

The most common form of lying that has been exposed is giving specialized meanings to English words that do not match their common meanings, then using those words misleadingly. The Electronic Frontier Foundation has summarized many such word games , and above I discussed some of the ambiguities in the "targeting" and "minimization" terms.

I didn't even have to break the letter of the law today to spy on these domestic political activists. (Breaking the law is for tomorrow, after the companies have handed over the data and there's no chance I'll ever have to justify myself in court, even one as favorable as the FISA Court.)

---

That's it. I spent just an hour and a half cooking up this analysis, while the intelligence/law enforcement apparatus has teams of lawyers who consider it part of their job to justify expansive surveillance and who have been doing this for years. The FISA Court has the power to reject the broad interpretations of statutory authority and close the “minimization” loopholes I outlined above. Given what we've seen in recent leaks, though, that doesn't seem to be the court's approach.

Kit Walsh is an attorney at the Cyberlaw Clinic at the Berkman Center for Internet and Society at Harvard University, with a practice that includes cybercrime and online privacy matters. Kit is not actually an anthropomorphic representation of the NSA, but would be willing to play one at creative protest events in the Boston area.

(Photo courtesy of Flickr user Chris Hardie pursuant to a Creative Commons CC BY-NC-SA 2.0 license.)