Foreign Policy Research Institute A Nation Must Think Before it Acts Collision Course: Navigating a Path for FISA between State Secrets and Individual Privacy, Part I
Collision Course: Navigating a Path for FISA between State Secrets and Individual Privacy, Part I

Collision Course: Navigating a Path for FISA between State Secrets and Individual Privacy, Part I

Last January, Congress passed the FISA Amendments Reauthorization Act of 2017 extending the electronic surveillance authority conferred by Section 702[1] of the Foreign Intelligence Surveillance Act (“FISA”) until December 31, 2023. It seemed, at the time, to close the often acrimonious debate that had surrounded the National Security Agency (NSA) and the Section 702 collection program since aspects of that program had first been publicly revealed through the unauthorized disclosures of Edward Snowden in June 2013.

But this is America, where legislative frustration all too frequently simply redirects itself to the courts. To be fair, the American Civil Liberties Union, the Electronic Frontier Foundation, and the various other constituencies that find Section 702 so odious already had commenced litigation challenging the constitutionality of Section 702 before last January’s reauthorization. Now, with Congress having rebuffed most of the substantive changes the critics had sought to this critical part of the FISA surveillance authorities (which, not coincidentally, would have seriously handicapped the effectiveness of Section 702 as a foreign intelligence collection tool), Section 702’s opponents have redoubled their efforts in the courts. So, for now, the fate of America’s most important intelligence collection program[2] lies exposed to the federal judiciary.

While a number of challenges to Section 702 are circulating through the courts,[3] the two that have produced the most intense legal skirmishing are Wikimedia Foundation v. National Security Agency and Jewel v. National Security Agency. The cases were initiated by the American Civil Liberties Union (Wikimedia Foundation) and the Electronic Frontier Foundation (Jewel), two of Section 702’s most vigorous opponents. A synopsis of each case demonstrates the stakes presented by these lawsuits and prompts examining whether the state secrets privilege, as applied by the federal courts, affords the safeguards necessary to protect America’s most sensitive—and important—foreign intelligence collection programs from exposure in civil litigation.

Wikimedia v. NSA[4]

In June 2015, the Wikimedia Foundation (“Wikimedia”) and eight other plaintiffs filed a lawsuit in federal court seeking a judicial order to permanently stop NSA from continuing the “Upstream surveillance” program[5] contending it violates a variety of federal statutes as well as the First and Fourth Amendments of the U.S. Constitution. The lawsuit also requested an order requiring that NSA purge all records of their communications in its possession derived from “Upstream surveillance.”

Initial skirmishing in all lawsuits targeting Section 702 almost always begins with the government challenging the “standing” of the plaintiffs, i.e., whether the plaintiffs can demonstrate a sufficiently concrete personal injury from the challenged conduct—in these cases, whether they can show that their individual communications were wrongfully intercepted as part of the surveillance conducted by NSA under the authority granted by Section 702 of FISA. In October 2015, the federal district court determined that Wikimedia and the other plaintiffs could not demonstrate “standing” and granted the government’s motion to dismiss, but, on appeal, the Fourth Circuit Court of Appeals partially reversed[6] concluding that Wikimedia, but only Wikimedia among the nine original plaintiffs,[7] had presented enough information to proceed with its lawsuit. The case was returned to the district court for further proceedings.

The Fourth Circuit based its distinction on Wikimedia’s premise of how Upstream collection works—a supposition that, if plausible, must be accepted under the legal rules governing Wikimedia’s allegation at that particular stage of the legal proceedings.[8] Consequently, a discussion of the general mechanics of Internet communications and Wikimedia’s view of Upstream collection is productive in understanding both the judicial decisions already made in the case, and those likely coming as the proceedings continue.

According to Wikimedia, Upstream surveillance involves the NSA’s seizing and searching the Internet communications of U.S. citizens and residents en masse as those communications traverse the Internet ‘backbone’ in the United States. The “Internet backbone” is the network of high-capacity cables, switches, and routers (administered by telecommunications-service providers like AT&T and Verizon) that facilitates both domestic and international communication via the Internet. It includes the approximately 49 international submarine cables carrying Internet communications into and out of the United States and that land at approximately 43 different points within the country (locations often referred to as Internet “chokepoints”). Wikimedia says that NSA tasks “selectors” which are, generally speaking, the e-mail addresses or telephone numbers that Section 702’s foreign targets use to communicate, and sends those “selectors” to telecommunications service providers along with a “directive” requiring those providers to furnish the information, facilities, and technical assistance necessary to implement the collection. From a purely mechanical standpoint, this description is largely accurate and mirrors the account of Section 702 collection mechanics as described in the comprehensive report issued by the Privacy & Civil Liberties Oversight Board (PCLOB) in 2014.[9]

Prior to March 2017, NSA’s Section 702 collection program would acquire communications to, from, or “about” these selectors. “About” communications are those that contain a tasked selector in their content, but are not to or from the target. For instance, a communication between two third parties might be acquired because it contains a targeted email address in the body of the communication even though the target is not one of the communicants. In April 2017, NSA announced that it would terminate “about” collection, and, in reauthorizing Section 702 in January 2018, Congress statutorily prohibited the resumption of “about” collection without notice and satisfaction of certain enumerated statutory requirements.[10] The termination of “about” collection occurred after the filing of most of the lawsuits challenging Section 702, and represents a significant subsequent event given that the plaintiffs in virtually all of the Section 702 lawsuits have objected to “about” collection as particularly offensive to Fourth Amendment rights.

Wikimedia also insists that the technical features of how the Internet operates essentially assure that NSA is collecting its communications. According to Wikimedia, while Upstream surveillance is intended to acquire Internet communications, it does so through the acquisition of Internet transactions.[11] The distinction was highlighted in the PCLOB Report, which explained that an email transmitting the Internet is broken up into one or more “data packets,” which are transmitted across the Internet backbone to their destination and, upon arrival, reassembled by the recipient’s computer to reconstruct the communication. The individual data packets generated by a single email can take different routes (across the backbone) to their common destination, and can be combined en route with data packets from one or more other communications. Because NSA cannot know the routes taken by the data packets for any particular communication, it must, says Wikimedia, necessarily collect them all.

NSA’s acquisition of these Internet transactions is a function of the collection devices it has designed and, at least based on government representations made in 2011 to the Foreign Intelligence Surveillance Court (“FISC”), NSA’s upstream Internet collection devices were (at that time) “generally incapable of distinguishing between transactions containing only a single discrete communication to, from, or about a tasked selector and transactions containing multiple discrete communications, not all of which are to, from, or about a tasked selector.”[12] This was due then, and perhaps remains so today, to the constantly changing protocols used by Internet service providers and the evolving services they provide because, as a measure of the speed of technological change, if time were frozen and NSA built the perfect filter to acquire only single, discrete communications, that filter would be obsolete as soon as time was restarted and either a protocol was changed, a new service or function offered, or a user changed his or her settings to interact with the Internet in a different way.

Working off this premise that no device exists to reliably filter Internet traffic while ensuring that valuable foreign intelligence is not lost, the Wikimedia plaintiffs allege that Upstream surveillance currently works in practice as follows. First, the NSA copies substantially all international text-based communications flowing across certain high-capacity cables, switches, and routers by using surveillance devices installed at key access points along the Internet backbone. Second, it attempts to filter out and discard some wholly domestic communications though, for the reasons described earlier, that effort is incomplete. Finally, it reviews the full content of the copied communications for targeted selectors, including IP addresses, and then retains (and with few restrictions analyzes) all communications that contain selectors associated with its targets, as well as those that happen to be bundled with them in transit. These, then, are the offensive NSA surveillance actions specifically identified by Wikimedia in its complaint: copying; filtering; content review; and, retention and use.

Tying these allegations together with the volume of its international communications (more than one trillion per year, according to Wikimedia), Wikimedia asserts, and the Fourth Circuit Court of Appeals accepted as a plausible allegation, that if NSA is monitoring a single Internet backbone link, then NSA is intercepting, copying, and reviewing at least some of Wikimedia’s communications.

So, the Fourth Circuit returned the case to the federal district court where Wikimedia must now not simply say it is a victim of Section 702 surveillance, but factually show that harm. Having moved beyond supposition to the stage where Wikimedia now wants access to information about the operational details of the Upstream collection program, what exactly is it about Upstream surveillance that produces the constitutional infringements that Wikimedia insists justifies this potentially dangerous exposure of the actual details of this critical foreign intelligence collection program?

While a detailed legal analysis of Wikimedia’s Fourth Amendment claims[13] is beyond the scope of this article, the allegations in the Wikimedia complaint deserve some comment. Wikimedia claims that NSA’s Upstream surveillance copies and reviews substantially all international emails and text-based communications as they transit the Internet backbone, including at least some of the trillion of yearly communications sent or received by Wikimedia. Significantly, especially for purposes of future litigation in the Wikimedia case, NSA’s termination of “about” collection in the spring of 2017 (subsequently statutorily endorsed in the FISA Amendment Reauthorization Act of 2017) seems to remove a critical element of Wikimedia’s constitutional claims since ¶44 of the Wikimedia complaint alleges: “One aspect of the processes outlined above bears emphasis: Upstream surveillance is not limited to communications sent or received by the NSA’s targets.” That allegation is now demonstrably untrue—Upstream surveillance, in fact, is limited solely to acquiring communications to or from Section 702 targets identified pursuant to the criteria in a Section 702 certification approved by FISC.

So, with “about” collection removed, Wikimedia is left to complain that “[t]he interception, copying and review of [Wikimedia’s] communications while in transit is a violation of [Wikimeida’s] reasonable expectation of privacy in those communications [and] [i]t is also a violation of [Wikimedia’s] right to control those communications and the information they reveal and contain.” Indeed, Wikimedia acknowledges that “in connection with [its] constitutionally protected activities, [it] communicate[s] with people whom the government is likely to target when conducting Upstream surveillance, including foreign government officials, journalists, experts, human rights defenders, victims of human rights abuses, and individuals believed to have information relevant to counterterrorism efforts”[14] and, further, that those communications are likely to generate “foreign intelligence information” within the meaning of FISA. Given this medley of foreign communicants, it cannot be surprising to Wikimedia that some of these same communicants indeed are likely Section 702 Upstream targets, so it is difficult to comprehend how Wikimedia can insist that its expectation of privacy in its international communications is either subjectively or objectively “reasonable” when its acknowledged legal position is that it knows it is “communicat[ing] with people whom the government is likely to target” because those communications are likely to generate “foreign intelligence information.” This is akin to complaining that your telephone calls have been intercepted when you know the person you’re calling is subject to a court-authorized wiretap.

Left unacknowledged by Wikimedia is that the government has national security responsibilities and the acquisition of foreign intelligence information is critical to performing those responsibilities. Section 702 isn’t aimed at surveilling Wikimedia’s communications; indeed, such targeting is specifically forbidden by FISA.[15] Wikimedia’s communications will only be collected as part of an authorized Section 702 acquisition if it is communicating with a foreign person located outside the United States, who has no Fourth Amendment rights,[16] and who is properly targeted pursuant to a FISC-approved certification because his communications are likely to produce foreign intelligence. Neither the First (nor Fourth) Amendments have ever been read to immunize legitimate foreign intelligence targets from Section 702 surveillance simply because Wikimedia, or any media entity, views them as “sources.” To give these constitutional provisions such expansive scope would essentially subordinate the conduct of U.S. foreign intelligence operations to the news-gathering decisions made by Wikimedia and, arguably, any other person claiming to be communicating while engaged in some sort of journalistic undertaking. No court ever has endorsed such an expansive, and logically counterintuitive, interpretation.

Jewel v. NSA

Which brings us to the Jewel[17] case, a lawsuit actually filed prior to the passage of the 2008 FISA Amendments Act asserting claims reaching back to the electronic surveillance originally conducted under the presidentially authorized “Terrorist Surveillance Program” initiated after the September 11 terrorist attacks. Indeed, one argument pursued by the government is that the “outdated” claims of the plaintiffs fail to allege any misconduct attributable to surveillance conducted under the statutory authority now conferred by Section 702. Nonetheless, the case trudges on. The Jewel plaintiffs, all of whom are current or former AT&T customers whose communications were allegedly intercepted by virtue of AT&T’s cooperation with NSA’s surveillance programs, are pursuing constitutional (First and Fourth Amendment) claims, as well as a number of statutory claims alleging violations of FISA, the Wiretap Act, and the Stored Communications Act.

The Jewel case already has traversed the appellate ladder twice, which explains how a case over a decade old has yet to reach any stage addressing the actual merits of the plaintiffs’ claims — with one significant exception. In February 2015, the court considered the Jewel plaintiffs’ claim that the Upstream interception of their communications constitutes a violation of their Fourth Amendment rights. While multiple other claims and issues remain to be resolved in the Jewel litigation, this—the Fourth Amendment challenge—is the primus inter pares because it is the constitutional transgression that Section 702’s critics have trumpeted since its inception, and also because the resolution of the Fourth Amendment claim, as a practical matter, is largely dispositive of the plaintiffs’ First Amendment claim as well.[18]

In 2013, the Jewel district court (sitting in the Northern District of California) had ruled that the in camera, ex parte process provided in FISA §1806(f) preempts the state secrets privilege, at least with respect to those claims pursued by the Jewel plaintiffs alleging violations of the Wiretap Act, the Stored Communications Act, or FISA. Thus, the Jewel court apparently intends to employ FISA’s §1806(f) procedures with respect to the handling of classified information relevant to plaintiffs’ statutory claims, and appeared poised to reject any effort by the government to assert the state secrets privilege.

Two years later, however (in 2015), in dismissing plaintiffs’ Fourth Amendment (i.e., constitutional) claims, the Jewel court specifically referred to the “Government’s assertion of the state secrets privilege” in concluding that plaintiffs’ Fourth Amendment claims could not be fully adjudicated “without risking exceptionally grave damage to national security.” Apparently, at least to the Jewel court, the state secret privilege has been preempted by FISA’s disclosure provisions with respect to certain statutory claims, but remains available to the government when the claims at issue are of constitutional dimension. By implication, then, the state secret privilege will be available to the government in connection with resolving any First Amendment claim, although the Jewel court has issued no ruling specifically stating so.

In seeking a judgment in their favor on their Fourth Amendment claims, the Jewel plaintiffs supported their claims principally through: (1) sworn declarations from former AT&T employees purporting to describe the activities of AT&T and NSA personnel at the AT&T Folsom Street telecommunications facility in San Francisco (in 2003-2004); (2) sworn declarations of experts discussing the mechanics of internet operation; and (3) public disclosures regarding the operation of the Section 702 collection program including, particularly, the unauthorized disclosures made by Edward Snowden. So confident was the Electronic Frontier Foundation that its self-described whistleblowers[19] had accurately depicted the mechanics of Upstream collection that, for years past and continuing today, an EFF webpage titled “How It Works” has included a schematic diagram breaking the Upstream process into 4 stages and identifying the specific stages where the allegedly “unconstitutional seizure” (stage 1) and “unconstitutional search” (stage 3) of their Internet communications occurs.

The government’s principal opposition to the Fourth Amendment claims was presented to the court in the form of classified submissions. After reviewing those submissions, the court dismissed the Fourth Amendment claims saying that the content of those classified filings convinced the court that: (1) “Plaintiffs’ version of the significant operational details of the Upstream collection process is substantially inaccurate;” and (2) “even if Plaintiffs could establish standing, a potential Fourth Amendment Claim would have to be dismissed on the basis that any possible defenses [offered by the government] would require impermissible disclosure of state secret information.”[20] Elaborating, the court observed that, “even if the public evidence proffered by Plaintiffs were sufficiently probative on the question of standing, adjudication of the standing issue could not proceed without risking exceptionally grave damage to national security.”[21] In closing, the court rued:

The Court is frustrated by the prospect of deciding the current motions without full public disclosure of the Court’s analysis and reasoning. However, it is a necessary by-product of the types of concerns raised by this case. Although partially not accessible to the Plaintiffs or the public, the record contains the full materials reviewed by the Court. The Court is persuaded that its decision is correct both legally and factually and furthermore is required by the interests of national security.[22]

The Jewel court’s disquiet frames the tension between individual privacy concerns in a technological society where the dominating modes of communication are electronic, and the government’s use of extraordinary, but highly classified, surveillance capabilities to acquire foreign intelligence from these communications. That tension is addressed through a legal framework that embraces both statutory and constitutional elements while also including a unique legal privilege available to the government when legal disputes threaten to expose the most fragile of the government’s surveillance sources, methods, and capabilities. The concluding installment of this article examines this important, and expansive “state secrets privilege” as it has been developed and, now, applied in both the Wikimedia and Jewel cases.

[1] 50 U.S.C. § 1881a, et seq.

[2] I explain the value, and the mechanics, of the Section 702 surveillance program in The Clock is Ticking: Why Congress Needs to Renew America’s Most Important Intelligence Collection Program, FPRI E Notes, September 2017,

[3] Although not an exhaustive list, see, e.g., Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) (which involved a facial challenge to Section 702); Schuchardt v. President of the U.S., 839 F.3d 336 (3d Cir. 2016) (challenging Section 702 collection); Schubert v. Obama, C 07 00693 (JSW) (challenging Section 702 collection).

[4] Initially filed as Wikimedia Foundation v. National Security Agency/Central Security Service, No. 15-cv-662 (D. Md. 2015).

[5] Upstream” collection is one of two publicly acknowledged types of collection (the other being “downstream” or PRISM collection) conducted by NSA under the authority found in 50 U.S.C. § 1881a – colloquially known as “Section 702 collection.”

[6] Wikimedia Foundation v. NSA, 857 F.3d 193 (4th Cir. 2017)

[7] The other plaintiffs originally joining in the lawsuit were the National Association of Criminal Defense Lawyers, Human Rights Watch, Amnesty International USA, PEN American Center, Global Fund for Women, The Nation Magazine, The Rutherford Institute, and The Washington Office on Latin America.

[8] Recognizing the application of this rule of procedure is important to understanding that the Fourth Circuit was evaluating whether Wikimedia had presented a plausible claim about how it contends that Upstream surveillance works—not how it actually works, which remains highly classified information. Ultimately, as will be discussed, entirely different considerations come into play when a court must decide whether the litigation has reached a stage requiring disclosure of how Upstream collection actually works.

[9] Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (hereafter, the “PCLOB Report”), July 2, 2014.

[10] FISA Amendments Reauthorization Act of 2017 (Pub. L. 115-118).

[11] The government describes an Internet ‘transaction’ as “a complement of [these] packets traversing the Internet that together may be understood by a device on the Internet and, where applicable, rendered in an intelligible form to the user of that device.” An Internet transaction can comprise one or many discrete communications; thus, some transactions may carry only a single Internet communication while others carry multiple Internet communications simultaneously.

[12] The quote is from the FISC opinion authored by Judge John Bates in October 2011. [Caption Redacted], [Docket No. Redacted], 2011 WL 10945618, at *1 (FISA Ct. Oct. 3, 2011) (“Bates October 2011 Opinion”). Bates’ heavily redacted opinion remains one of the few official “open sources” providing insight into the mechanics of Upstream collection, and it was cited extensively in the PCLOB Report. But, its descriptions and statistical data are now over 7 years old, a veritable lifetime in technology time; thus, any representation of its content as a continued authoritative source on current Upstream techniques or practices has to be viewed as speculative.

[13] Wikimedia also alleges that Upstream surveillance violates its First Amendment rights. Generally speaking, the analysis of First Amendment rights alleged to be chilled by governmental surveillance follows Fourth Amendment precepts but, when the First Amendment is invoked, courts are told to apply these standards “with scrupulous exactitude.” See, e.g., U.S. v. Mohamud, 2014 WL 2866749, at *11-12 citing Zurcher v. Stanford Daily, 436 U.S. 547, 564 (1978).

[14] The italics are mine, and added to emphasize the point.

[15] 50 U.S.C. § 1881a (b)

[16] See U.S. v. Verdugo-Urquidez, 494 U.S. 259, 267 (1990) (Fourth Amendment protections do not “apply to activities of the United States directed against aliens in foreign territory.”).

[17] Jewel v. NSA, No. 08-cv-4373 (JSW).

[18] As noted earlier, the resolution of a claim of “chilled” First Amendment activities generally follows a Fourth Amendment analysis.

[19] The government has a different view of these “whistleblowers” describing Edward Snowden in its legal papers, for example, as an “expatriate outlaw.”

[20] Jewel v. NSA, 2015 WL 545925, *1, *4 (N.D. Cal. Feb. 10, 2015).

[21] Id. at *5.

[22] Id.