Section 702 and the collection of international telephone and Internet content.

• Author: Donohue, Laura K.
• Position: Foreign Intelligence Surveillance Act Amendments Act of 2008 - II. Programmatic Collection C. Retention and Dissemination of Data through III. Foreign Intelligence and the Fourth Amendment B. Application of the Fourth Amendment Overseas, p. 199-236

3. Retention and Dissemination of Data

   One of the most concerning issues that arises in regard to the retention and dissemination of data obtained under Section 702 is that the NSA may indefinitely retain encrypted communications. In light of increasing public and private use of encryption, the exception may soon swallow the rule, resulting in fewer protections for individual and consumer privacy. In addition, the NSA's minimization procedures allow for incidental information to be kept, analyzed, and distributed if found relevant to the authorized purpose of the acquisition under one of two conditions: first, as containing foreign intelligence information, and, second, as containing evidence of a crime. (322) The former is anchored in traditional FISA and critical for U.S. national security. The latter is similarly consistent with traditional FISA; however, lacking the same procedural protections that attend searches under Titles I and II of the statute, use of information obtained under Section 702 for criminal prosecution raises important constitutional questions.

   1. Retention of Encrypted Communications

      For domestic communications, the NSA retains information that contains technical data base information and data necessary to assess communications security vulnerabilities. (323) The minimization procedures explain that in the context of cryptanalytics, "maintenance of technical data bases requires retention of all communications that are enciphered or reasonably believed to contain secret meaning." (324) Unlike unencrypted communications, which are retained for five years from the date of the certification authorizing the collection (unless the NSA decides otherwise), encrypted communications may be retained for "any period of time during which encrypted material is subject to, or of use in, cryptanalysis." (325)

      For foreign communications of or concerning U.S. persons, the NSA retains encrypted material "for a period sufficient to allow a thorough exploitation and to permit access to data that are, or are reasonably believed likely to become, relevant to a current or future foreign intelligence requirement." (326) There is no limit on the amount of time that encrypted information may be kept, as long as it continues to be subject to, or of use in, cryptanalysis. (327)

      The logic behind the default is that the government should not be forced to purge data merely because it does not hold the key or has been unable to break the code. Considering the likelihood that bad actors may try to use encryption to hide the contents of their communications, the intelligence community does not want to put itself at a disadvantage.

      The problem is that it is not just bad actors who encipher messages. U.S. citizens and private industry are increasingly using encryption to try to protect their materials and communications. Windows, for instance, has an Encrypting File System that can be used to store information in an encrypted format. Systems like Pretty Good Privacy (PGP) can be set up and installed using a Firefox plugin, making it easy to encrypt e-mail. In March 2014, Google announced that it is now using https encrypted communications whenever users log in to Gmail, regardless of which Internet connection they are using. (328) Nicolas Lidzborski, Gmail's Security Engineering Lead explained:

      Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail's servers--no matter if you're using public WiFi or logging in from your computer, phone or tablet. In addition, every single email message you send or receive--100% of them--is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers--something we made a top priority after last summer's revelations. (329) The irony of Google's actions in light of the NSA's retention policies is hard to miss: in part because the NSA was intercepting Gmail and reading it (at which point the agency was required under minimization procedures to eliminate irrelevant information), the company now encrypts all communications, with the result that the NSA can still collect Gmail, but it can now keep it indefinitely, simply because it is encrypted at the front end. Assuming that the NSA has the tools to decrypt the communications, it is unclear how this provides greater protections for U.S. persons' privacy. Nevertheless, in light of Google's new policy, and calls from consumers for other companies to follow suit, (330) it seems that this practice may become standard.

      Not only are we seeing greater individual use of encryption, but companies generally are also looking for ways to ensure the security of their data. The cost of enabling hardware encryption capabilities is falling: from $100 in 2009, by 2012, the cost of enabling hardware encryption capabilities to hard disk drives had plummeted to $15. (331) Simultaneously, a series of data breaches and their enormous cost to companies (quite apart from questions related to international consumer confidence in U.S. companies post-June 2013), encouraged industry to make greater use of encryption. (332) According to a recent market research report, the hardware encryption market is expected to reach some $166.67 billion by 2018, growing at an incredible CAGR of 62.17% from 2013 to 2018. (333) These trends call attention to the NSA's back-end retention policies with regard to encrypted materials.

   2. Use of Section 702 Data in Criminal Prosecution

      NSA's minimization procedures place a duty on the NSA to turn over any information regarding the commission of a crime to law enforcement agencies, if the NSA would like to retain the information. (334) In light of front-end considerations (the inclusion of information "about" selectors/targets and the assumption of non-U.S. person and overseas status), U.S. persons' international and, at times, domestic communications can be monitored, collected, and used against them in a court of law, without law enforcement ever satisfying Title III requirements. Neither individualized suspicion nor insertion of a neutral, third-party magistrate characterizes Section 702 collection. U.S. persons may not themselves be in direct contact with any of the approved targets under Section 702. And query of databases using U.S. person identifiers may further implicate U.S. persons in criminal activity-even acts unrelated to national security. But no individualized judicial process is required. Courts have in the past found applications under traditional FISA sufficient. (335) But Section 702 includes none of these protections, giving rise to both statutory bypass and Fourth Amendment concerns.

      3. FOREIGN INTELLIGENCE AND THE FOURTH AMENDMENT

      The Fourth Amendment of the U.S. Constitution provides:

      The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. (336) What this language means, as a matter of criminal law, is that outside of a limited number of exceptions, (337) the search of an individual's home, office, or communications is presumptively "unreasonable" (and therefore unconstitutional), unless the government first obtains a warrant from a magistrate. The warrant must be based on a finding that the government has probable cause to believe that a crime has been, is being, or will be committed and that a search will uncover evidence relevant to the suspected crime. (338)

      In 1972 the Supreme Court recognized that domestic security may merit a different Fourth Amendment standard than criminal law. By signaling deference to the political branches, the Court acknowledged that in foreign intelligence, constitutional provisions enter into tension: those related to foreign affairs, and those involved in investigations. For the former, separation of powers considerations have a role to play. While the Fourth Amendment might set an outside limit with regard to reasonableness, actions of the legislature may be imbued with constitutional meaning.

      In 1972, United States v. U.S. District Court for the Eastern District of Michigan. (339) (commonly referred to as "Keith") left open the question of what would be constitutionally sufficient for the domestic surveillance of foreign powers or their agents. (340) In the absence of statutory guidance, lower courts began to recognize a foreign intelligence exception to the warrant requirement. These cases were rooted in U.S. foreign relations and the President's foreign affairs powers.

      But the President shares foreign affairs authority with the legislature, and in 1978, Congress answered the invitation extended in Keith by introducing FISA. It went beyond domestic security matters to include all surveillance of foreign powers or their agents, thus supplanting the exception that the courts had begun to articulate with a new standard. Congress crafted the legislation to ensure that domestic electronic foreign intelligence collection could not proceed absent prior judicial review, demonstration of probable cause, and particularity. FISA was to be the sole means via which domestic electronic intercepts could be conducted.

      In the intervening years, not a single court has articulated a domestic foreign intelligence exception to the warrant requirement. (341) FISA, as informed by separation of powers, is the de facto Fourth Amendment standard for the contours of the warrant clause for electronic intercepts on U.S. soil.

      As a matter of the interception of international communications, the Supreme Court has held that the Fourth Amendment does not apply to non-U.S. persons, who do not have a strong attachment to the United States. (342) The...