FISA and eMail
One of the knottiest problems in "getting FISA right" is the question of precisely how to insure that our Constitutionally guaranteed rights are protected while any email is being spied upon. It's a purely technical problem in one sense, but one that has huge repercussions in the Constitutional and political areas. As a dedicated nerd and and civil libertarian, let me see if I can lay it out clearly.
In US legal theory, our rights are inherent in us as human beings. We are "endowed by our Creator" with them, as the Declaration of Independence says. They are not granted by a King or a piece of paper. Our Constitution is not a grant of rights to the people. It is a grant of power to the government. It lays out what constitutes that government, what it can legitimately do. It is very specific about what what the government may not do in the area of surveillance. It says:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
This means that the explicit search warrants based on probable cause and sworn testimony must be used for:
- Any surveillance by the government within the US
- Any surveillance by the US government upon "US persons" anywhere in the world.
On the other hand it is relatively well accepted that we allow the government to spy on the nation's foreign enemies, and that the US courts need not issue warrants for spying on foreigners outside the US.
Last year's FISA amendment clearly sought to bring the law into line with these principles regarding warrantless surveillance of foreigners in foreign places, US court warrants on US persons within the US and FISA Court warrants in the gray zone between. It is highly debatable whether it has succeeded, but these are clearly the goals.
The government's authority and responsibilities in the area of surveillance, search and seizure depend upon identifying "US persons" (US citizens and resident aliens) and on identifying where people are while being spied upon (within the US jurisdiction or without). But how do you identify such people and their location when dealing with email? The following diagrams and discussion will attempt to summarize the issues involved. Be warned: they are both gross over-simplifications and still rather complex.
First, let us consider three people and a handful of the computer process (both in terms of hardware and software) involved in someone spying on an email exchange.
The sender composes an email in some sort of mail client. This can either be a mail program such as Outlook, Thunderbird, or Apple's Mail.app on the user's own computer (or cell phone or other device), or a web application running on a server such as the GMail interface running at Google. The mail client packages the email in the electronic equivalent of an envelope and transmits it to a mail server which may be the same server used by the recipient, but which is more likely to be a different one which passes it on to the recipients server either directly or through one or more intermediaries. Eventually, the recipient's mail client program fetches the mail from the recipients's server and the recipient reads it. The recipient's mail client, like the sender's can be on the user's own computer or some remote server.
Messages are transmitted to the recipient's mail server by mail clients and intermediate mail servers using a protocol called SMTP (Simple Mail Transport Protocol), which is layered on top of the TCP/IP protocols that power the internet. At each level of the "stack" of protocols, the messages are broken into some form of source address, destination address and message content. In TCP/IP, the addresses consist of a set of four numbers, something like "220.127.116.11". In SMTP, the addresses are the the familiar email address format such as "John.Doe@XYZ.com"
Each of these forms of address carries with it some implication as to the identity and location of the person or the machine named. Yet, none of them is entirely reliable. Suppose, for instance, that we have an email addressed as follows:
Subj: Next Month's meeting
A quick glance suggests that it is being sent by a member of a group of interest to someone in the UK. Further, it is rather easy to find out that the domain name "alQaeda.org" is registered in South Korea, and "gmx.co.uk" is registered in the UK to a company, GMX AG, whose headquarters are in Munich, Germany. Unfortunately, as it turns out, "FISAexample@gmx.co.uk" is registered to a US citizen, namely me. It is one of several email addresses that I have in the UK and Germany. I have family in the UK and have been doing substantial genealogical research in Germany. I didn't want to attract a lot of spam to any of those addresses, so I created this one for this article.
The IP addresses used in the actual packets that transport the email around the internet are not that much more useful in determining either identity or location. To illustrate, suppose our spy has managed to tap the cloud in figure #1. They might see an SMTP packet that looks like this:
Received: by 10.224.89.80; ...
Received: from 18.104.22.168 by mx.google.com; ...
Subject: GMail to GMX example
In this example I've shown not only the To and From fields, but also, in abbreviated form, some of the "Received" fields. These are basically the equivalent of the postmark in electronic mail, mail servers are supposed to add them as they pass the mail along its route from sender to recipient. Not all servers do, and as a you may have read with regard to spam and "phishing" attacks, forged ones may be added by badly behaved programs. Nonetheless, they do offer some indication of how the mail has moved through the network.
The Source and Destination addresses show that the packet is being sent from 22.214.171.124, a server at Google, to 126.96.36.199, a server at GMX. The Received headers show that the Google server got it from another Google server using the private IP address 10.224.89.80, who in turn got it from 188.8.131.52, a machine using an IP address allocated to it by a DHCP server at Verizon. In this case, that machine is a router between my mail client running on my Mac and the mail server at Google.
A sufficiently well informed filtering agent could perhaps associate the Verizon address with its various DNS aliases and dynamic DNS addresses and the name I used in creating them with the name I gave when I created one or both of the email accounts, and by that means infer that I was at home at the time that the email was sent. However, the mail could have been queued earlier or sent by someone else in my household. Knowing for sure that the sender or the recipient is me and that I was in the US and not the UK at the time the email was sent is very difficult, even though I used my own name for all of the various registrations.
According to the FISA act as amended in 2008, email and other electronic surveillance must be targeted at non-US persons outside the US, or must have a warrant. In somewhat greater detail, the following rules apply. The parenthetical notes are the section numbers from the US Code excerpts at the bottom of this article.
- Surveillance may target persons outside the US (a), but not people known to be in the US (b.1), or US persons reasonably believed to be outside the US (b.3), or communications involving only people known to be in the US (b.4), and may not be used to indirectly target people believed to be in the US (b.2), nor violate the Fourth Amendment (b.5).
- Further, the targeting procedures must be designed to insure that only persons believed to be outside the US are targeted (d.1.A) and to prevent the intentional targeting of communications involving only people known to be in the US (d.1.B)
- Finally, there must be procedures to minimize the acquisition and retention and prevent the dissemination of private information about US persons without their consent, and to guarantee that the identities of uninvolved US persons not be revealed when information is disseminated.
The LawThe key passages in defining what traffic can be targeted are as follows. The full text of the 2008 amendment to the FISA act from which these were taken can be found at depublican.org.
The "section 101(h)" referred to above is as follows:
- [...] the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.
- Limitations- An acquisition authorized under subsection (a)
- may not intentionally target any person known at the time of acquisition to be located in the United States;
- may not intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States;
- may not intentionally target a United States person reasonably believed to be located outside the United States;
- may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States; and
- shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.
- Targeting Procedures-
- REQUIREMENT TO ADOPT- The Attorney General, in consultation with the Director of National Intelligence, shall adopt targeting procedures that are reasonably designed to
- ensure that any acquisition authorized under subsection (a) is limited to targeting persons reasonably believed to be located outside the United States; and
- prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States.
- Minimization Procedures-
- REQUIREMENT TO ADOPT- The Attorney General, in consultation with the Director of National Intelligence, shall adopt minimization procedures that meet the definition of minimization procedures under section 101(h) or 301(4), as appropriate, for acquisitions authorized under subsection (a).
- “Minimization procedures”, with respect to electronic surveillance, means—
- specific procedures, which shall be adopted by the Attorney General, that are reasonably designed in light of the purpose and technique of the particular surveillance, to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;
- procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in subsection (e)(1) of this section, shall not be disseminated in a manner that identifies any United States person, without such person's consent, unless such person's identity is necessary to understand foreign intelligence information or assess its importance;
- notwithstanding paragraphs (1) and (2), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes; and
- notwithstanding paragraphs (1), (2), and (3), with respect to any electronic surveillance approved pursuant to section 1802 (a) of this title, procedures that require that no contents of any communication to which a United States person is a party shall be disclosed, disseminated, or used for any purpose or retained for longer than 72 hours unless a court order under section 1805 of this title is obtained or unless the Attorney General determines that the information indicates a threat of death or serious bodily harm to any person.
The law, then, does make serious attempts to insure that the principles stated above are followed. The surveillance allowed here is supposed to be targeted at non-US persons outside the US. US persons and anyone in the US is supposed to have their rights protected, and failure to do so is a crime as well as a violation of Constitutionally protected rights.
That's what is supposed to happen. But, exactly how is that to be implemented, given the technicalities listed above? Aye, there's the rub. What slips may there be 'twixt cup and lip? How is a computer program to know that an email message being delivered between two specific IP addresses with a given set of sender and recipient email addresses represents Constitutionally protected communication or the target of legitimate surveillance? If it spreads its net too wide, who has committed the crime? Was the error intentional? Or was it just a bug? Is being a bug a mitigating circumstance? Is an overzealous program that was "just obeying orders" innocent? Or, regardless of whether it was a bug or intentional, is it a crime?
The law as seen here is very clear about what the Attorney General and the Director of National Intelligence must do. It specifies the reviews to be conducted by them, the FISA Court, the Intelligence and Judiciary Committees, and even the agency heads. However, as one gets closer to the actual technology of spying, it becomes less and less clear.
Recent RevelationsIt should not be surprising, then, that word has begun to leak out that the first NSA review shows that the targeting and minimization procedures have failed to an unacceptable degree. The first of the semi-annual reviews shows, we are told by reliable sources, that surveillance has been too broadly targeted and the abrogation of rights has been insufficiently minimized. Please note that the NSA themselves are finding this. Their own review, being conducted in keeping with the law, and not some outside agency, is showing that there is a problem.
In a sense, this means that the law is working. An attempt has been made to implement the law, and to monitor the success of the targeting and minimization procedures. Problems are being found and reported. Presumably attempts will be made to correct these problems. But in just as true a sense, it means that the law has failed, at least this first test. The NSA has proven unable (in the first round) to carry out its mission while protecting the rights of US citizens. They have violated the Constitution and quite probably committed a crime. That they were trying to avoid that, but failed makes it all that much worse. By all accounts the folk at NSA are highly competent, and they are failing to follow rules that they knew.
And so, here we are: face to face with a snarly, nasty technical problem of the question of how to, or even if it is possible to create software procedures that implement the current law, or the Constitutional requirements and principles upon which that law is based. What, exactly, in the precise terms that computers and technology require, does it mean to "get FISA right"?