TAMI/End-to-End Semantic Accountability

Face-to-Face Meeting

Possible National Security Scenario for Discussion

K. Krasnow Waterman

Background

We have a research grant from IARPA -- Intelligence AdvancedResearch Projects Activity -- and we are to produce a privacy accountability scenario relevant to the Intelligence Community. Jim Hendler suggested we consider the current controversy surrounding NSA telephone surveillance practices during a six year period between 9/11 and August 2007. The exact details are not known because some of the relevant information is classified. The NSA has historically focused on "foreign intelligence" and the controversy is in response to the disclosure that the NSA surveilled telephone and internet communications to, from, or through the United States. Much of the controversy is about which rules applied to each situation and, therefore, whether the NSA was in compliance or in violation. Clearly, this controversy is both of interest to the IC and directly addresses the topic of privacy accountability.

For more information, see Wikipedia entry on NSA controversy.

Known Rules

• Foreign Intelligence Surveillance Act (FISA) of 1978 regulates physical and electronic surveillance for intelligence.
  • Protect America Act of 2007 amended FISA on August 5, 2007.
• Executive Order 12333 regulated US intelligence activities since 1981.
  • Executive Order 13355 amended the rules on August 27, 2004.

NSA webpage excerpts:

• "What do you mean by production of foreign intelligence information?

  NSA/CSS’s Signal Intelligence mission is to intercept and analyze foreign adversaries' communications signals, many of which are protected by codes and other complex countermeasures. We collect, process, and disseminate intelligence reports on foreign intelligence targets in response to intelligence requirements set at the highest levels of government.

  Executive Order 12333 authorizes agencies of the intelligence community to produce foreign intelligence and foreign counterintelligence consistent with applicable U.S. law and with full consideration of the rights of United States persons. The Order defines "foreign intelligence" and "counterintelligence" as follows:

  Foreign intelligence means information relating to the capabilities, intentions, and activities of foreign powers, organizations or persons.

  Counterintelligence means information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted for or on international terrorist groups or activities."

• "Does NSA/CSS unconstitutionally spy on Americans?

  No. NSA/CSS performs SIGINT operations against foreign powers or agents of foreign powers. It strictly follows laws and regulations designed to preserve every American's privacy rights under the Fourth Amendment to the United States Constitution. The Fourth Amendment protects U.S. persons from unreasonable searches and seizures by the U.S. government or any person or agency acting on behalf of the U.S. government."

Possible Scenarios

• FISA Exclusivity: One of the issues in the controversy is which rules apply. We could build a scenario showing how the compliance findings change depending upon a Court's finding. For example, if a court finds that FISA is exclusive, there is one outcome and if the Constitution applies, there is a different outcome. This would provide a radical innovation for how to address court orders deciding which rule applies.
  
  
• FISA & US Constitution: Conversely, if FISA and the Constitution both apply, the reasoner will need to understand which has supremacy if it has a conflict (or have the ability to ask for supremacy while reasoning).
  
  
• US Persons: Another issue is whether data about US persons was obtained. A "US person" is a US citizen or a foreign national who has been granted permanent resident status. To determine compliance with the rule, the system would need to reach outside the transaction log (for example, to a DHS legal permanent resident database or a State Department US passport database).
  
  
• Communication Outside the US: The NSA asserted that one party to each conversation was outside the United States. As with the US Persons question, in order to determine compliance, the reasoner would likely to reach to outside the transaction log for data that provides information (conclusive or otherwise) about the source or terminus of a communication.
  
  
• Invalidating Other Outcomes: Some of the lawsuits arising from this controversy assert that information used in prosecution is "fruit of the poisonous tree". We could create a scenario in which, following a finding that a different rule applies crawls back to any log that called the rule.
  
  
• Classified/Unclassified Switch: The surveillance program was classified but a variety of information is in the public domain. Should we build a scenario that shows the ability to have a separate secured space to access for classified data and rules?