Surveillance or Security?: The Risks Posed by New Wiretapping Technologies (18 page)

Figure 4.2

Traditional intercept model and CALEA intercept model. Illustration by Nancy Snyder.

A few months after the Times story appeared, USA Today exposed a new
angle: the NSA was using the telephone companies' call databases to study
calling patterns. This involved hundreds of millions of records from three
of the four major long-distance providers: AT&T, BellSouth, and Verizon
(Quest refused to participate).13' This contradicted President Bush's claim
that the surveillance was directed solely toward international calls.

Call Detail Records (CDRs) detail which number was calling, when, for
how long, using which IP address (if an IP-based communication) and,
sometimes, URL (if a Voice over IP communication). CDR had previously
been purely internal telephone company records, used by the telecommunications companies for billing and business planning. Such records
are, however, protected by §222 of the 1996 Telecommunications Act,132
which says that the telephone companies should not disclose "information
contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier" except as required
by law. Yet the records were apparently given to the U.S. government
without a court order-and used without any court oversight.

As any intelligence operative knows, communication patterns are full
of information. From them one can discern organizational structure as
well as behavioral patterns. Who do you call when there is a change in
personnel at the company? Who do you let know when you discover
your wife will be working late and you are suddenly free for the evening?
Where do you call from after work-the office, a bar, a friend's apartment?133
This information can be remarkably revealing. While law enforcement
has long had access to the real-time transactional data of pen-register and
trap-and-trace information, the CDRs provide a long view into history.

A third strand to the story now appeared. A technician at the AT&T
switching office in San Francisco, Mark Klein, had come forward with a set
of documents that showed the government had a system fully capable of
performing massive spying on domestic communications.

After an NSA agent had visited the AT&T facility in 2002, the company
constructed a secure room within its switching offices. According to Klein,
only technicians cleared by NSA were allowed in this secured room.134 The
documents described a setup in which optical-fiber carrying communications was "split," with one signal going into this room. (Fiber is the communication medium of choice. The light pulses have low signal loss and
the wires are immune to electromagnetic interference. They are also hard
to tap.) There the signal was subject to analysis, with communications of
interest then being shipped off to a monitoring facility. Because the AT&T
office was a peering point-a place where administratively separate domains
such as different ISPs or telephone companies interconnect-the information being scanned represented almost all the communications exchanged
between AT&T and other major telecommunications providers in the San
Francisco Bay Area.135 There were similar collection points in other major
U.S. cities, including Seattle, San Jose, Los Angeles, San Diego, and Atlanta.136
It was not surprising that communications surveillance was occurring; the location of the interception, at an internal peering point within the
United States, was highly disturbing. Conducting eavesdropping at such a
location meant that many purely domestic calls were likely to be caught
in the snare.

The warrantless wiretapping and other forms of expanded surveillance,
together known as the President's Surveillance Program (PSP),137 occurred
against a backdrop of other FISA activities. The 2001 PATRIOT Act had
lowered the wall between FISA and Title III investigations, but the FISA
Court, the eleven-member set of judges who make the decisions about
foreign-intelligence surveillance, had grown increasingly dismayed over
FBI errors in foreign-intelligence and criminal cases. Their concern was
minimization, namely the reuse of information originally obtained through
FISA. This law gives the government "a powerful engine for the collection
of foreign intelligence information targeting U.S. persons," wrote the
court.138 The court noted that "the standard for retention of FISA-acquired
information is weighted heavily in favor of the governmenti139 and ruled
the government's minimization efforts were not in accord with the law.
The FISA Court ordered that the Department of Justice Office of Intelligence Policy and Review (OIPR) be invited to participate in meetings
between the FBI and the criminal division discussing coordination of
investigations.140

The Bush administration appealed the decision to the U.S. FISA Court
of Review, the first time in the twenty-five year history of the FISA Court
that a FISA review court had been convened. The review court agreed that
the FISA Court had "misinterpreted and misapplied minimization procedures," and it removed the OIPR reviewing requirement. 141

Yet things were not smooth sailing for the administration. Indeed, the
administration itself was not fully agreed on the legality of the PSP. Memos
supporting the program had been written by John Yoo, a deputy assistant
attorney general and a relatively young member of the department. At the
White House's insistence, the only DoJ officials "read into" the program
were the attorney general and the counsel for intelligence policy, James
Baker.142 That situation changed in 2003, when Yoo was replaced by Patrick
Philbin, and Yoo's boss was replaced by Jack Goldsmith. Both developed
serious concerns about the program.

Yoo had argued that because the monitoring was part of a "military
operation" the Fourth Amendment did not apply.143 He had completely
ignored the Youngstown Sheet & Tube Co. v. Sawyer144 case, which limited
presidential power, even during wartime. That omission, and the fact that
FISA provided clear bounds on the process by which the U.S. government could wiretap for national-security purposes-a process that the President's
Surveillance Program was disregarding-greatly worried Jack Goldsmith,
who had become head of DoJ's Office of Legal Counsel in 2003. Goldsmith
brought his concerns to the top: to Attorney General John Ashcroft and
Deputy Attorney General James Comey.14s

In March 2004 Ashcroft was incapacitated due to surgery. Comey, who
was acting attorney general, was asked to sign off on a PSP recertification,
a process that DoJ had been required to do every forty-five days. Comey
refused. In a scene out of a Grade B movie, the president called Ashcroft's
hospital room to say that White House counsel Alberto Gonzales and the
president's chief of staff, Andrew Card, would be on their way. Ashcroft
was gravely ill, and visitors had been banned. Ashcroft's wife informed
Comey of this odd visit. The acting attorney general raced to the hospital,
arriving before the president's staff. When Gonzales came to the room, he
ignored Comey and asked Ashcroft to reauthorize the program. Though
very ill, Ashcroft cogently expressed his doubts about the program's legality and then pointed out that Comey was acting attorney general. Comey
again refused to sign. The White House was not deterred: the next day it
continued the program even though PSP had not received the DoJ
approval .141

Things grew worse for the administration. The FISA Court, which had
had an almost 100 percent record on authorizing wiretap applications for
a quarter century, now began asking for substantive changes in about 5
percent of the submissions.147 This cost a substantial amount of time from
NSA lawyers. After the appearance of the New York Times article reporting
the warrantless wiretapping, one member of the FISA Court resigned in
protest.148

Meanwhile the claims made about the PSP's effectiveness did not
stand up. The Faris and fertilizer-bomb cases were already known from
other sources. In another case, it appears that the targets of an FBI
sting operation involving money laundering for terrorist purposes came to
the attention of law-enforcement not through wiretaps (as had been
originally believed) but through information from a notebook found in a
terrorist camp in northern Iraq in 2003.149 And many of the tips produced
by the program had investigators spending time on chases that led
nowhere.15°

There was another problem. In the years after the PSP was established,
some applications before the FISA Court had evidence that came from the
program.151 If a court case resulted from evidence from a FISA warrant that
was based on information obtained from the PSP warrantless wiretapping, then the case itself would be tainted and inadmissible. James Baker was in
charge of all FISA applications that were sent to the FISA Court, and he
believed that FISA worked well.152 He did not want to see the 1978 surveillance law irremediably undermined. So in 2002 Baker set up a program
with the head of the FISA Court, Royce Lamberth, to ensure that any FISA
wiretap application containing information that came from the PSP was
flagged. Only Lamberth, and then later, his successor, Colleen KollarKotelly, would see the FISA application. The judge would ensure that the
application could stand on the non-PSP evidence. In 2004 this effort ran
into difficulties: NSA was not telling Baker about all the people it was listening to. Consequently Baker was not properly flagging the FISA applications for Kollar-Kotelly, who had taken over as presiding judge.153 Angry
and concerned that the applications using PSP information would affect
the integrity of the FISA Court rulings, the judge had DoJ suspend using
information provided by NSA for FISA Court applications until the problem
was resolved; this took a few weeks.154

Civil liberties groups and others filed suit against the government. The
government lost round one: in August 2006 a federal judge in Michigan
ruled that the PSP violated FISA and the Fourth Amendment.155 Then the
government won round two: in 2007 the Sixth Court of Appeals dismissed
the case on lack of standing.156 Naturally the plaintiffs could not prove
they had been wiretapped by the government; the surveillance was secret.157
The Supreme Court chose not to hear an appeal by the ACLU.

Another case caused particular worries for the government. An Oregonbased Islamic charity, al-Haramain, had been wiretapped under the PSP.
This was revealed by the government, which had inadvertently sent classified documents describing the surveillance to al-Haramain's lawyers. The
charity filed a lawsuit against the government, and the government sought
dismissal, arguing that a trial would release "state secrets." (The statesecrets privilege permits halting a trial if public disclosures during the trial
would endanger national security.158) While the classified documents were
not accepted as evidence, the fact that the government was wiretapping
the charity was discussed in a 2007 speech by FBI Deputy Director John
Pistole; this gave al-Haramain legal standing to pursue the case.

The situation did not provide an all clear for the Bush administration.
In conjunction with others, the Electronic Frontier Foundation (EFF) had
filed suit159 against AT&T over "illegal spying of telephone and Internet
communications." AT&T acknowledged that the documents describing the
layout and configuration for the secure room were genuine. This civil case,
known as Hepting, was of great concern to the government. The phone company feared its liability, the risk resulting from the warrantless nature
of the wiretaps, while the White House feared the release of details surrounding the program.

The administration argued that the PSP was legal under the Authorization for Use of Military Force (AUMF).16o Passed a week after the September
11 attacks, the AUMF granted the president the right to "use all necessary
and appropriate force against those nations, organizations, or persons he
determines planned, authorized, committed, or aided the terrorist attacks
that occurred on September 11, 2001, or harbored such organizations."
Such a broad expansion of executive authority was a controversial claim,
and Congress did not buy it. In the summer of 2006 the administration
agreed to submit the PSP to FISA Court review.161

In 2007, after the furor created by the Times and USA Today revelations
had somewhat died down, the White House argued that the legal procedures required by the FISA Court were unreasonably delaying necessary
wiretaps and posing a threat to national security. The Bush administration
pushed for legalizing the PSP. In July 2007, Congress did so, passing the
Protect America Act.162 The law provided that communications "reasonably
believed to have a participant outside the U.S." could be intercepted
without a warrant. Congress handled its unease about the statute by
making the law valid for only a six-month period. In January 2008 Congress extended the law an additional two weeks, and then it lapsed. At
issue was a Bush administration demand for protection of the telephone
companies that had permitted the warrantless wiretapping.