Patrick, Orin, and Marty,
Patrick asked me in his initial post about how the Protect America Act might give the government more power than people realized, and I promised to respond. In the meantime, Marty and Orin have weighed in with some interesting related ideas. Marty discussed how the new law expands the government's power to wiretap Americans without a court order, and how the NSA may use machine filters to mine metadata and select communications worthy of review by human beings. Indeed, Orin has said that in the modern era, it's all about the filters, and that the law, by its terms, requires only "reasonable" filters to ensure that wiretapped communications involve a person located abroad.
I agree with Marty and Orin that in a world of Web-based communications, mobile devices, and packet-switched networks, some of the old categories are breaking down. The widely accepted FISA exemption for foreign-to-foreign communications, for example, doesn't work very well when the parties to an e-mail message can be anywhere, and especially when the government may be acquiring the message before the recipient does. Whatever magic the folks at Fort Meade can muster, it has to be hard for them to rely on a "foreign-to-foreign" exemption when the "to-foreign" part of the communication hasn't yet and might never occur.
I also agree that filtering metadata doesn't violate the Fourth Amendment. Carnivore, the old FBI packet-sniffer that was later renamed DCS-1000, could monitor the noncontent portions of communications moving through a fat Internet pipe and copy only the ones that matched its instructions, set according to court order—e.g., all messages sent to or from a particular e-mail address. The government appears to have persuaded the FISA court that Carnivore "intercepts" or "acquires" only the communications that get caught by the filter, not those that pass through. Similarly, the public version of the Defense Department's internal regulations provides that information is deemed "collected" only when it has been "received for use by an employee of a DoD intelligence component" and is "processed into intelligible form."
Having said that, however, I don't think it's all about the filters. Filters are tools: They are designed to help implement a search so that it remains within its authorized scope; they're like what FISA calls "minimization procedures." They're tremendously important. But filters don't determine the authorized scope of a search in the first instance. And I don't think that we all agree on what is, or should be, the authorized scope of the government's power to search, at least without a prior court order. In other words, even if we had perfect filters—protocols or selection terms that always retrieved all of what was being sought, and nothing else—I think we'd still be having some version of this discussion. Moreover, the fact that we don't have perfect filters gives rise to debates about where the legal lines should be drawn. For example, as explained above, I doubt we can create perfect filters for foreign-to-foreign e-mail in real time; the Protect America Act is one possible response to this problem, and maybe it's a good response, but it's certainly not the only possible one.
So let me segue to my concerns about how the Protect America Act may give the government both more and less power than is initially evident. The key is that FISA defines a "person" to be not only an "individual" human being, but also "any group, entity, association, corporation, or foreign power."
Marty is worried that under the new law, NSA could wiretap Americans by doing surveillance "directed at" individuals abroad with whom they communicate. I think the new law is potentially even broader, because FISA defines "persons" to include al-Qaida (and other international terrorist groups). Surveillance "directed at" such groups is covered by the Protect America Act—and exempted from FISA's traditional requirements—if the terrorist groups are (reasonably believed to be) "located outside the United States." If these groups are "located" anywhere, it's pretty clearly outside the United States, even if they do have personnel in this country. As a result, I think the government has a good argument that surveillance "directed at" al-Qaida is covered by the new law.
Moreover, the government could also argue that surveillance is "directed at" al-Qaida even if it involves purely domestic communications. This is a harder argument to make, because there's some law that's not in the government's favor. For example, in United States v. Bin Laden, a federal judge in Manhattan ruled that surveillance of phones registered to an American who lived in Africa, and whose home was used by al-Qaida as a safe house, was "directed at" both al-Qaida and the American, and had to satisfy the stricter rules governing surveillance of the American. Following that logic, surveillance of an American citizen's home phone would be "directed at" him, as well as al-Qaida, and therefore wouldn't be exempt from a warrant under the new law. I am not sure this settles the question, but it is at least relevant (maybe I'll change my mind if I think about it longer).
If the government cannot wiretap an individual domestic phone or e-mail account under the new law, however, what about surveillance of a larger facility, like an international gateway switch, or a domestic switch, or some of the other possibilities I mentioned in my first posting? These are not registered to, or used exclusively by, any individual. As a result, it seems easier to argue that surveillance of these facilities is exclusively "directed at" al-Qaida. At some level, this shouldn't be too surprising—the Protect America Act was pretty clearly meant to expand the government's power and authorize the TSP. But again, according to this theory the new law seems to extend even to purely domestic communications, and curiously, if you run with it, the theory becomes more plausible (at least as a statutory matter) as the surveillance becomes broader. Of course, that doesn't mean that any wildly expansive application of the Protect America Act would work in real life, either as a practical or as a constitutional matter; I don't want to be silly, or alarmist, or branded a Chicken Little. But hypotheticals—even extreme ones—can sometimes help tease out the meaning of a new legal provision.
The flip side of the coin—that the new law diminishes the government's power—involves a provision of FISA, 50 U.S.C. § 1802. This important if obscure section of the law under certain circumstances allows the attorney general to authorize "electronic surveillance"—without a court order—of communications systems used exclusively by foreign powers. Essentially, as I explain in my book, this provision covers surveillance directed at foreign embassies in the United States, or at communications systems used between foreign governments and their embassies here. There's not much that can be said about Section 1802 publicly, but the drafters of FISA understood that it authorized "some of the most sensitive surveillances which [the] government conducts in the United States."
Once again, a "person" in FISA is not only an "individual," but also a foreign government, and foreign governments are, by definition, located outside the United States. As a result, in light of the new law, surveillance "directed at" a foreign government is no longer "electronic surveillance" as defined by FISA, and cannot be authorized under 50 U.S.C. § 1802.
If Section 1802 is no longer available—because, as seems likely, surveillance of an embassy is deemed to be "directed at" the foreign government, rather than the embassy—the U.S. government would have to fall back to the new Protect America Act, or to traditional FISA applications. Neither approach is entirely satisfactory. The new law seems to exclude any form of "self-help" surveillance, such as old-fashioned microphone bugging, because it applies only when the government has "the assistance of" someone with access to the communications or communications equipment. Maybe the government could solve this problem by simply bringing along a representative of the phone company when it sets up surveillance, but I kind of doubt it.
Apparently anticipating similar problems, the Protect America Act has a clever transition clause. It provides that the government may renew existing authorization orders, and file new applications for new orders, under the prior version of the statute. This essentially makes the Protect America Act optional with respect to FISA applications. The problem, though, is that the transition clause has no obvious application to Section 1802.
Even if I am right, this is not the end of the world, although it might mean that some or all of the attorney general's authorizations under Section 1802 became null and void when the president signed the Protect America Act. We're not talking about anyone being prosecuted for Section 1802 surveillance that continued. (FISA's penalty provisions are limited to unauthorized "electronic surveillance," and therefore do not apply here. The criminal wiretapping statute might apply—I haven't even tried to analyze that question—but it's almost impossible to imagine the government bringing such a case against its own personnel.) Still, it is all a little awkward. Going forward, I think, the government can obtain traditional FISA applications in these cases thanks to the new law's transition clause. But that means more, rather than less, paperwork and effort, which is not what anyone had in mind when the act was passed.
This may be an illustration of what can happen when statutes as complex as FISA get amended in a hurry. If more legislation is considered this fall, it probably makes sense for us all to slow down a little.