Fixing surveillance

• Article
• Comments ()
• Click-2-Listen
• Videos

By

The controversy over whether the president has the power to authorize the National Security Agency to monitor international communications with terrorists obscures a simple fact: The Foreign Intelligence Surveillance Act (FISA) is no longer adequate.

Passed in 1978, FISA didn't anticipate the development of global communication networks or advanced technical methods for intelligence gathering. Congress should amend FISA to provide for programmatic approvals of cutting-edge technologies -- including automated monitoring of suspected terrorist communications.

While pundits and politicians are already passing judgment on the president's actions, many of their comments are premature. Not enough is known yet to justify many of the factual assertions and legal conclusions being offered. And, because of the highly classified nature of the methods used in this particular program, the only proper forum for reviewing these actions in detail is in the appropriate congressional committees with suitable safeguards for national security and with the full disclosure of all relevant documents and briefings by the Bush administration.

Nevertheless, what is clear is that the existing FISA procedures are themselves inadequate to authorize the use of advanced technical methods against global terrorist threats. The critical question being overlooked in the partisan bickering is whether there's a better way to stay one step ahead of the terrorists as well as protect the liberties of American citizens. There is.

FISA is cumbersome. It requires individual application to a judge for authorization to target a specific individual or source based on showing a connection to a foreign power or foreign terrorist. Although FISA permits applications to be made after the fact in certain cases, it doesn't provide a mechanism for programmatic pre-approval of technical methods like automated data analysis.

Automated screening can monitor data to uncover terrorist connections without human beings ever looking at anybody's emails or listening in on their phone calls. Only when the computer identifies suspicious connections or information do humans get involved. What's needed is a legal mechanism for pre-approving such methods so that when threats are identified, analysts can move quickly to provide the kind of "actionable intelligence" that can prevent terrorist acts. FISA can't do that.

Further, FISA applies to foreign intelligence collection conducted "within the United States" or against "U.S. persons." However, advances in information technology together with the borderless nature of terrorist threats and global communications has made place-of-collection and U.S. personhood an increasingly unworkable basis for controlling the collection of intelligence. Indeed, it may no longer even be technically possible to determine exactly when a communication is taking place "within the United States" and no practical means exists to determine if a particular participant is a U.S. person or not until after further investigation. FISA does not account for this.

Consider the following case: A computer is recovered in Afghanistan containing Pakistani e-mail addresses and phone numbers used by al Qaeda. NSA is told to exploit this intelligence. Assuming that the interception isn't "within the United States" and is not intentionally targeting a "U.S. person," FISA isn't applicable and NSA has full legal authority to monitor the communications. That's OK.

The debate begins when NSA monitoring uncovers a U.S. connection, like a U.S. person or phone number communicating with the foreign source. Under existing rules, U.S. person information collected collaterally in a legitimate foreign intercept is subject to "minimization" (shielded from further disclosure) and the U.S. person cannot be "targeted" without a warrant. That's OK, too.

The problem arises when the initial "monitoring" is conducted by technical or automated means that use computer analysis to identify connections, key words or patterns. Only those communications matching these criteria are then selected for further analysis. Critics of the current program contend that in all cases where a U.S. person or U.S. source communication is "intercepted," a warrant is required.

But how would this work for communications that are technically intercepted and analyzed but not selected for further investigation? Would these critics propose that retroactive FISA warrants be required for all "collection" of U.S. person information even if analysis showed those communications to be of no interest? If so, the very fact that they were found to be of no interest would preclude issuing a warrant.

Yet, without monitoring all the inbound and outbound traffic from a known terrorist communication node -- like Abu Musab Zarqawi's cell phone number -- no intelligence can be gained.

FISA must be amended to enable programmatic approvals for automated monitoring programs, since authorization for practical reasons cannot be sought on an individual basis even after the fact. With programmatic approval for the initial automated screening, existing FISA warrant procedures could then be followed for targeted monitoring of identified U.S. persons or sources in appropriate cases where follow-up investigation is needed.

By all means, let us debate who should have the authority to authorize and oversee such intelligence-gathering programs. But amid the partisan bickering, let's not forget that someone must do it -- and that the existing mechanisms are inadequate.

K.A. Taipale is the executive director of the Center for Advanced Studies in Science and Technology Policy, a senior fellow at the World Policy Institute, and an adjunct professor of law at New York Law School. James Jay Carafano is senior fellow for homeland security at The Heritage Foundation and co-author of "Winning the Long War: Lessons from the Cold War for Defeating Terrorism and Preserving Freedom."