Patrick, Marty, and Orin,
First, thanks for the opportunity to participate in this discussion. I'm not a blogger, and I've never done something like this, but I anticipate that it will be interesting and fun. I want to apologize for the slight delay in submitting my comments; I had to have them pre-cleared by the Department of Justice, and while the DoJ did its best to expedite that process, these things can take time. As the discussion continues, I may try to draw on material from a book that I co-wrote (with Assistant U.S. Attorney Doug Wilson) and the DoJ recently cleared, National Security Investigations and Prosecutions, which I hope will speed things up.
Patrick, I agree with you that the "statutory nuances of FISA" and related constitutional questions tend to "leave a lot of Americans cold"—if they don't provoke outright vertigo and nausea. The problem is compounded by a backdrop of secrecy: National security law is very hard to understand when divorced from its historical, organizational, and (often classified) operational context. If you add politics to the mix, it further decreases the signal-to-noise ratio and creates the risk of statements that mislead (intentionally or not).
In an effort to overcome those limits, I'd like to begin with what I believe is the key question we face today: When, and under what circumstances and conditions, should the government be allowed to conduct large numbers of national security wiretaps, for long periods of time (more than 72 hours), without individualized findings of probable cause made in advance by a judge? This question finds expression in at least three related areas: the version of the TSP that began shortly after the Sept. 11 attacks; the January 2007 court orders that apparently authorized the TSP under FISA; and the Protect America Act that became law earlier this summer.
Let me start with the Protect America Act. At an open hearing of the Senate intelligence committee in May, Director of National Intelligence Michael McConnell explained why he needed Congress to pass this law. He testified that because of changing technology, "there are circumstances under which, when the Government seeks to monitor … the communications of foreignpersons, who are physically located in foreign countries, the Government is required under FISA to get a court order." (Emphasis in original.) McConnell did not describe any more precisely the circumstances underlying his complaint, but I think that there are only two scenarios he could have been talking about.
The first, as Marty explained, concerns e-mail messages between persons who are located abroad—e.g., messages between someone in Paris and someone in London—if the government acquires the e-mail messages inside the United States. If you travel to Paris and check your Hotmail account from a cybercafe, you may be connecting to a server located in Redmond, Wash. And if the government gets your e-mail from that server, it is subject to FISA.
But the same is not true of telephone calls. If you travel to Paris and call your friend in London, the U.S. government can listen in on the call without following FISA. And that is the case no matter where the government does its listening—i.e., even if the call is routed through the United States and wiretapped here.
These "foreign-to-foreign" telephone calls are simply outside the reach of FISA, and there is widespread agreement that this is appropriate.
I think the Protect America Act was designed in the first instance to treat foreign-to-foreign e-mail messages like foreign-to-foreign telephone calls—and to exempt them from FISA. This would allow the government to acquire those messages without spending the hours needed to write the application, secure the approval of various high-ranking government officials, and persuade a judge of the FISA court to find probable cause. It's a legislative solution to the central policy question I identified at the outset, tailored for foreign-to-foreign e-mail. There is a certain attractive symmetry to this approach: Why shouldn't e-mail messages be treated like telephone calls?
The main problem with this, however, is that people can read and write e-mail from anywhere—from their home in New York City or from a cybercafe in Paris. That makes it very difficult to amend FISA in a way that exempts only foreign-to-foreign e-mail messages, but not e-mail messages to or from persons located in the United States. (The same is true of some mobile telephone calls.)
As a result of this uncertainty about location (and other factors), I think, the Protect America Act actually exempts not only foreign-to-foreign communications, but essentially any communication involving a person abroad, including telephone calls and e-mail messages to or from persons in the United States. I think this was Marty's basic point about the new legislation, and I agree with him.
This gives the government more power than it had before even to wiretap telephone calls and brings up the second scenario to which McConnell referred—namely, the surveillance of communications with one end abroad and one end in this country. According to the government, nearly 30 years ago, when FISA became law, many international telephone calls were transmitted by means of radio waves that bounced off satellites orbiting the earth. To eavesdrop on such calls made by visiting foreigners, NSA could intercept the radio waves. And it could do so without regard to FISA, which contained an exemption for international radio transmissions, as long as the government was not seeking information from or about particular Americans located in the United States.
In the years since 1978, the government claims, communications satellites have been replaced by undersea fiber-optic cables, effectively reducing the use of radio waves to transmit international calls. This improved call quality but also limited the government's authority. Thus, the argument goes, new legislation was necessary to restore FISA's original balance.
Not everyone accepts the government's argument. Resolving this empirical-historical question is beyond me (for now), but Congress might want to take it up if lawmakers hold hearings in the fall. We need not be prisoners to the policy judgments of 1978—as the government points out, the world has changed since then. But it would be good to understand those judgments if we can.
In January of this year, the Justice Department apparently persuaded a judge to approve the TSP wiretaps under FISA. The government has not explained the legal theory that led to this result, but I can offer an educated guess (I have not been briefed on the TSP or the government's legal theory). Essentially, I believe, the government obtained authorization to wiretap international telecommunications switches, which serve as gateways between the United States and the rest of the world. Virtually all international calls, both to and from the United States, go through these switches. Al-Qaida and other terrorist groups are surely using them to make international calls, but their communications cannot possibly account for even 1 percent of the total traffic on the switches; the remaining 99 percent of calls are being made by everyone else. In effect, al-Qaida's calls are a handful of needles in several very large haystacks.
If I am right, the government obtained at least nominal authority to search the haystacks, rather than just the needles (although it may be listening to and recording calls only when it believes they actually involve a terrorist or a terrorist affiliate). But even if it has theoretical permission to monitor every call on the gateway switches, I suspect, the government cannot monitor an individual call without first deciding that it's worth looking into, by finding probable cause. The novelty, of course, is that such findings of probable cause are usually made by judges, not by the NSA or the FBI. If my theory is correct, the January 2007 orders of the FISA court shifted these determinations from the court to the government, using the "minimization" procedures that Patrick noted.
Taken to its logical conclusion, this approach might have eliminated the need for any legislative changes to FISA, now or in the future. If the government can obtain a single order authorizing wiretaps of an entire gateway switch, why can't it do so for all of the e-mail that goes through facilities maintained by Hotmail, AOL, or any other Internet service provider or telecommunications company? To put it even more starkly, if this theory is correct, why couldn't the government get a single conventional search warrant to search for drugs everywhere in Washington, D.C., on condition that it not search any particular home in Washington unless an FBI supervisor found probable cause that cocaine was within? Why, in other words, are those scenarios any less "reasonable," under the Fourth Amendment, than what (I think) the government is already doing under the January 2007 orders? These scenarios may well be distinguishable, but if I were a FISA judge, I would want the government to explain the distinctions.
Putting constitutionality aside, it's important to see how such an approach would give the government tremendous flexibility. There would be no need to return to a judge or to the attorney general for each person whose e-mail the government wanted to read. Instead, armed with a few blanket orders, the government would enjoy almost unlimited speed and agility to monitor the communications of anyone it suspected of wrongdoing. Final operational judgments about who should be wiretapped could be made by any midlevel supervisor at the NSA.
The recent press for the Protect America Act may have arisen from a partial repudiation of this legal theory, as Rep. John Boehner, R-Ohio, has suggested. Such characterizations of the FISA court's opinion may well be incorrect, or overblown, but that does not necessarily mean that the government retains full confidence in its own legal theory. And if the theory were to fail without a legislative solution in place, there could be profound consequences—including, probably, a return to the era of FISA applications that demonstrate probable cause separately for each telephone number or e-mail account to be monitored.
In fact, the Protect America Act may go even further than the January 2007 orders. Those orders, at least, required the government to follow minimization procedures subject to judicial review, albeit after the fact. As Marty pointed out, the new law seems to substitute semiannual congressional oversight for judicial review.
I have a lot more to say, including a response to Patrick's question about whether and how the Protect America Act gives the government more or less authority than might appear, but I will save that for the next round.