On Thursday, The Guardian and The Washington Post laid out the latest cards dealt to them by NSA leaker Edward Snowden. And this hand seems particularly useful. The two main documents (read below) spell out in detail the rules the National Security Agency must adhere to when eavesdropping on foreigners "reasonably believed" to be outside of the U.S., and how NSA analysts deal with the data of Americans inadvertently swept up while targeting foreign communications.
The documents cover NSA surveillance under Section 702 of the FISA Amendments Act. The Guardian and Washington Post's analyses of the documents focus on the "wide range of circumstances" under which NSA analysts can retain, process, and disseminate data incidentally collected from Americans, and the broad discretion the analysts appear to have to determine which data is eligible for retention.
The documents, marked "Secret," also "offer a glimpse of a rule-bound intelligence bureaucracy that is highly sensitive to the distinction between foreigners and 'U.S. persons,'" says Scott Shane at The New York Times. In fact, the two rulebooks "belie the image of a rogue intelligence agency recklessly violating Americans' privacy." But since their very existence is evidence that Americans routinely fall into the intelligence dragnet, Shane says, "they are likely to add fuel for both sides of the debate over the proper limits of the government's surveillance programs."
The documents themselves, signed off on by a Foreign Intelligence Surveillance Court (FISC) judge, make for pretty dry reading. Here is a brief summary of what it all means for your emails, text messages, and phone conversations:
The NSA has to immediately destroy your information if:
♦ The NSA analyst determines that you are a "U.S. person" — a category that covers U.S. citizens, legal residents, corporations, and nonprofits — based on a "totality of the circumstances." The analyst can determine if you're in the U.S. via IP address, matching your phone number or email address to a database, statements you've made, or other kinds of research.
The Guardian reprints part of the NSA general counsel's briefing to analysts in 2008:
Once again, the standard here is a reasonable belief that your target is outside the United States. What does that mean when you get information that might lead you to believe the contrary? It means you can't ignore it. You can't turn a blind eye to somebody saying: "Hey, I think so and so is in the United States." You can't ignore that. [The Guardian]
The NSA can retain your information for up to five years if:
♦ The analyst can't determine where you are. "In the absence of specific information regarding whether a target is a United States person," the document says, "a person reasonably believed to be located outside the United States or whose location is not known will be presumed to be a non-United States person unless such person can be positively identified as a United States person." Once it's determined you are, in fact, a U.S. person, the fun stops.
♦ Your data is "enciphered or reasonably believed to contain secret meaning." That's a real problem for people "using online anonymity services such as Tor or sending encrypted email and instant messages," says Dan Goodin at Ars Technica. And that's especially sketchy because "Tor is a staple of many human rights advocates who want to prevent repressive governments from tracking their location or intercepting and reading their email and instant messages. Encrypted email, while by no means easy to use, remains a core practice among lawyers, corporate executives, and privacy advocates."
♦ Your information contains "significant foreign intelligence information," "evidence of a crime," or "information pertaining to a threat of serious harm to life or property." Retaining this information requires approval of the NSA director. "If there's a terrorist attack planned or a threat of a cyberattack, I think Americans want us to pay attention to it," an unidentified senior U.S. intelligence official tells The New York Times.
♦ You're a lawyer or client whose communication contains useful foreign intelligence. This is an exception to the general rule that all communications between an attorney and U.S. client facing criminal charges be destroyed, and there are special rules for handling the information: "The relevant portion of the communication containing that conversation will be segregated and the National Security Division of the Department of Justice will be notified so that appropriate procedures may be established to protect such communications from review or use in any criminal prosecution, while preserving foreign intelligence information contained therein."
The NSA can collect and use your information if:
♦ You are a foreigner outside U.S. territory. Once you enter U.S. territory, the surveillance has to stop immediately.
Here are the documents: