Debate over the Patriot Act often seems to suggest that mass surveillance comes primarily from Section 215. But other, less-known programs actually account for most of the metadata collected. American University law professor Stephen Vladeck tells Brooke about how two other surveillance authorities — Executive Order 12333, and Section 702 of FISA — persist, and how real issues with government surveillance stem from lack of oversight.
BOB: During his filibuster, Rand Paul did not merely condemn the expiring provisions of the Patriot Act, or the notorious bulk collection of telephone metadata under provision 215.. He wanted to stop all surveillance… including the programs no one knows about.
Rand Paul: So we know about this one but what other programs are out there? There’s something called executive order 12333. There’s some who believe that this is just the tip of the iceberg, the bulk collection, that there is an enormous amount of data being collected on people through this other program.
BOB: Now, Senator Paul has been known to throw his lot in with, let us say, the conspiracy-inclined. Several weeks ago, he vowed to look into whether the federal government was planning to invade Texas, and in 2011 he compared the right to health care to slavery. But in this case...he’s right. Consider executive order 12-333.
John Napier Tye: 12-333 it's not a law, it's not a statute. It was never passed by Congress.
BOB: John Napier Tye is a former State Department official turned whistleblower. Here he is during a TED talk last year, shedding some light on the mysterious Executive Order.
John Napier Tye: Most members of Congress have no idea how this is being used at all. The NSA is using this authority to collect the majority of intelligence. But it actually got no press at all for a year after the Snowden leaks. A huge amount of data is being collected under 12-333.
BROOKE: In fact, according to documents leaked by Edward Snowden, more than half of the metadata the NSA has collected comes not from the Patriot Act but through 12-333.
So what is it? Here’s what we know: Twelve triple three was signed by President Reagan in 1981, to lay out rules for the intelligence community -- including surveillance of non U.S. citizens on foreign soil. But that was before the internet, which is to say, before our communications were routinely bounced across the globe. Steve Vladeck is co-editor-in-chief of the Just Security blog and a professor at the American University Washington College of Law. He says that the whole foreign domestic divide is continually, inevitably, breached.
Steve Vladeck: The problem that has arisen is that although it is primarily aimed at surveillance of non-citizens outside the US, it seems increasingly clear that the government is collecting an awful lot of U.S. person communications as well, perhaps not intentionally, but certainly knowingly.
BROOKE: Well, does that have partly to do with the fact that the information that we send out digitally goes all over the world in packets? I could be sending something down the street but it might make a stop in Bulgaria before it gets there.
Steve Vladeck: Indeed. I mean I think there are two reasons why this is happening. One is that data is in effect, borderless. We don't control where the data is going. But second, I think it's about the technological capabilities of our surveillance agencies. It just isn't possible based on what we know right now, for those agencies to segregate communications from a U.S. person, from communications from a non-U.S. person, at least at the moment of collection. They can't know who is the sender and who is the receiver until they accept a packet, they won't know until they actually look at more information about that specific communication.
BROOKE: What kind of information are we talking about here? Phone metadata, you know, telephone numbers and durations of calls and so on, or are we actually talking about content?
Steve Vladeck: We don't actually know the whole story here because so much of the government's activities under 12-333 remain classified. But there seems to be no question that some of what they're collecting under 12-333 are the contents of emails, telephone calls, web searches. We just don't know where the lines are, what the rules are, for when certain content is and is not collected.
BROOKE: And Congress doesn't know either.
Steve Vladeck: Senator Feinstein, who was chair of the Senate intelligence committee, has said publicly that we don't pay nearly enough attention to what the government does under 12-333 as Congress does to what the government does under statues Congress passed, if for no other reason than Congress has long assumed that most of the 12-333 based surveillance is directed overseas. And so that's why I think there are all these concerns about these authorities blurring together, and all this focus on 215 perhaps distracting us from the larger puzzle of which 215 is really a very small, almost infinitesimal piece.
BROOKE: There are a couple of other programs that achieved their 15 minutes of fame right after the Snowden leaks. One called PRISM, and the other called UPSTREAM. PRISM collected information from technology companies; UPSTREAM collected communications literally upstream from the users, as data moves through the infrastructure - like cables and so on. Neither of those programs are in the Patriot Act. They both come from Section 702 of the Foreign Intelligence Surveillance Act. So regardless of what happens with the Patriot Act, these two programs are going to continue, right?
Steve Vladeck: At least for the time being. And so here I think it's worth trying to situate these programs within the larger story. So 12-333 is directed at non-citizens outside the U.S.; 215 and the Patriot Act is directed at citizens within the U.S. The gap is for non-citizens outside the U.S. who communicate through U.S. servers. Whose emails go through a google server in California, or a Microsoft server in Massachusetts.
BROOKE: Taking my Bulgarian example again, it's not me sending information that might end up momentarily in Bulgaria and then get ensnared by 12-333: it's somebody in Bulgaria whose material ends up in a server in California, say.
Steve Vladeck: So that's what the statute is directed at. The problem is, how does the government know which email is from the Bulgarian and which email is from you. And so the statute is directed at the problem of non-citizens overseas whose communications are routed through the U.S. The whole idea is that the government can go to Google, to Microsoft, to all these other internet service providers, and basically ask them directly for that content. But once again we run into the technological problem, which is how does the government segregate that information so that it's not also collecting your email which just happens to bounce through the same server in the same packet as the email from the Bulgarian to his friend in, say, the Czech Republic.
BROOKE; Won't they just dump my stuff when they get it because they're not authorized to have it?
Steve Vladeck; So the government is supposed to, as you put it, dump that stuff so long as it's not relevant. And that's the whole purpose of these so-called minimization procedures.
BROOKE: I don't know what those are.
Steve Vladeck: Well, no one does.
Steve Vladeck: So the minimization procedures are statutorily required rules fashioned by the government and administered by the FISA courts - that's basically supposed to govern not the collection of information but what the government does once the government has collected it. The problem is that one of the things we've learned since the Snowden disclosures came out is that the government has repeatedly violated the minimization rules that it has promulgated and that the FISA court has administered.
BROOKE: And how do we know that?
Steve Vladeck: Because we've had these FISA court opinions that were previously classified that were some combination of leaked and de-classified by the office of the director of national intelligence. Including an especially telling October 2011 opinion by John Bates who was then the presiding judge of the FISA court, where he basically excoriates the government for a series of, in his view, completely intentional and perhaps even flagrant violations. So the regime is supposed to work on the theory that yes, the government is going to accidentally collect some of our emails too, but they're never going to do anything with them, and yet everything we've learned over the last couple of years suggests that we shouldn't trust that that's how its actually working on the ground.
BROOKE: So, if the entire Patriot Act were to go up in a puff of smoke, would that diminish the kind of surveillance overreach that is currently underway, or would it simply happen through other means?
Steve Vladeck: I think the government would just find ways to cleverly shoehorn existing programs into new authorities. I think the real lesson for all of us has to be, how do we bolster not just the substantive authorities the government has, but the ability of other institutions to check those authorities. As much as we might trust the government, however we might support this president or that president, at the end of the day it's not going to be the executive branch that checks itself. And I think it's a very real possibility that come whatever happens with the surveillance reform bill, people are going to think that that's the end of the story. Not only is it not the end of the story; it is barely the beginning of the story.
BROOKE: Steve, thank you very much. Steve Vladeck is a professor of law at the American University in Washington college of law and co-editor in chief of the Just Security blog.
And now Andy of Mayberry gives Opie a lesson on civil liberties:
Andy: Opie, I can't listen to this. Now I told you about eavesdropping.
Opie: But Pa, this is different.
Andy: Yes, it's worse. You overheard a conversation that was supposed to be private. Now I can't be a party to that.
Opie: But Pa if you just listen to this.
Andy: Opie, I can't listen.
Opie: Pa, you're erasing the tape!
Andy: That's what I mean to do! You bugged a conversation between a lawyer and his client. Now that's violating one of the most sacred rights of privacy.
Opie: But Pa!
Andy: No buts!
Opie: But if it helps the law...
Andy: Opie, the law can't use this kind of help. Because whether a man is guilty or innocent, we have to find that out by due process of law.