The Guardian has published two more top-secret NSA memos, courtesy of whistleblower Edward Snowden. The memos are appendices to "Procedures used by NSA to target non-US persons" (1, 2), and they detail the systems the NSA uses to notionally adhere to the law that prohibits them from spying on Americans.
More importantly, they expose the "truth" behind NSA director James Clapper's assertion that "The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization is incorrect and was not briefed to Congress." This turns out to be technically, narrowly true, but false in its implication, as Declan McCullagh explains on CNet:
Clapper's statement was viewed as a denial, but it wasn't. Today's disclosures reveal why: Because the Justice Department granted intelligence analysts "proper legal authorization" in advance through the Holder regulations.
"The DNI has a history of playing games with wording, using terms with carefully obscured meanings to leave an impression different from the truth," Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation who has litigated domestic surveillance cases, told CNET earlier this week.
This is important in the context of McCullagh's earlier story about Rep. Jerrold Nadler allegedly saying that the NSA listens in on Americans' phone-calls, a statement he later denied. As the Guardian's publications make clear, the NSA operates under a baroque and carefully engineered set of guidelines that allow it to spy on Americans while insisting that it's not spying on Americans.
For example, as Glenn Greenwald writes:
However, alongside those provisions, the Fisa court-approved policies allow the NSA to:
• Keep data that could potentially contain details of US persons for up to five years;
• Retain and make use of "inadvertently acquired" domestic communications if they contain usable intelligence, information on criminal activity, threat of harm to people or property, are encrypted, or are believed to contain any information relevant to cybersecurity;
• Preserve "foreign intelligence information" contained within attorney-client communications;
• Access the content of communications gathered from "U.S. based machine[s]" or phone numbers in order to establish if targets are located in the US, for the purposes of ceasing further surveillance.
On Ars Technica, Dan Goodin goes further into the documents, showing how people who use encryption and proxies, such as Tor and PGP mail, are especially targeted for spying and data-retention, even when it is clear that the communications originate with, and are destined for, US persons:
While the documents make clear that data collection and interception must cease immediately once it's determined a target is within the US, they still provide analysts with a fair amount of leeway. And that leeway seems to work to the disadvantage of people who take steps to protect their Internet communications from prying eyes. For instance, a person whose physical location is unknown—which more often than not is the case when someone uses anonymity software from the Tor Project—"will not be treated as a United States person, unless such person can be positively identified as such, or the nature or circumstances of the person's communications give rise to a reasonable belief that such person is a United States person," the secret document stated.
And in the event that an intercepted communication is later deemed to be from a US person, the requirement to promptly destroy the material may be suspended in a variety of circumstances. Among the exceptions are "communications that are enciphered or reasonably believed to contain secret meaning, and sufficient duration may consist of any period of time during which encrypted material is subject to, or of use in, cryptanalysis."
Other conditions under which intercepted US communications may be retained include when it is "reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed."
The document, dated July 28, 2009, bears the signature of US Attorney General Eric Holder.
And as Goodin notes, some of the heaviest users of PGP-encrypted email are lawyers handling confidential, privileged attorney-client communications, meaning that the US Attorney General is deliberately targeting privileged communications between US persons for extra surveillance and retention, an act of galling lawlessness.