February 3, 2006

NSA Surveillance - Why Was FISA Not Enough?

This article was posted on the "Hardball with Chris Matthews" blog on February 3.

During his January 23 remarks to the National Press Club, Deputy Director of National Intelligence General Mike Hayden gave some insights as to why the administration believes that the existing Foreign Intelligence Surveillance Act (FISA) warrant procedures are ineffective in monitoring communications between suspected Al-Qa'idah operatives in the United States and overseas locations. General Hayden is the former director of the National Security Agency (NSA), the organization charged with this operation - it was during his tenure that the operation began. The Attorney General made similar remarks the following day.

According to the FISA law and NSA regulations, intercept of international communications originating or terminating in the United States must be done under the authority of a warrant issued by the FISA court, or in certain instances, the authority of the Attorney General. Shortly after the attacks of September 11, 2001, the President directed NSA to intercept these communications (including telephones, cell phones and emails) without FISA warrants. However, FISA warrants are not that hard to get - why not use the existing system that has been in existence since 1978?

The General explained the situation in broad terms, so as not to get into sensitive operational details. Having worked in the communications intelligence business for many years, I was able to discern some of the challenges. Technology and access to it have evolved in the last 25 years - the 1978 FISA has not. Email and cell-phones were either unheard of or not readily available then in the parts of the world we are dealing with, primarily the Middle East, North Africa and South Asia. The people we are targeting now have multiple one-time use cell phones, anonymous email addresses accessed from a variety of public locations, use commercially available encryption system, etc.

FISA warrants, while generally easy to obtain, still require an application process. The key items you must have to obtain a warrant, in addition to the reason for the intercept, are a name (or unique identification) and the communications medium you plan to exploit. Given the realities of modern personal electronic communications, you may have neither. Let me explain by describing a hypothetical scenario based on events that have appeared in the media.

Based on human intelligence, the Pakistani intelligence service identifies and raids an Al-Qa'idah safehouse in Karachi. Inside the house, they find several laptop computers, cell phones and notebooks with communications procedures. The numbers in the cell phones include numbers in the United States. There are no names associated with these numbers. There are indications of when calls were made, but no idea who was on the other end of the call. (It could also have been the same with email addresses in the computers.) Obviously, the identity of that person and the content of the call are of interest to U.S. intelligence, homeland security and law enforcement agencies.

The "normal" procedure would be to obtain a FISA warrant to mount electronic surveillance against those numbers (or email addresses). The problem is that the owner/user of those numbers are unknown. Obtaining a FISA warrant on this information alone would be problematic, but I don't think anyone would argue that it is important that these communications be monitored.

You may have noticed a time delay between these safehouse raids and any public acknowledgement or announcement. This is to allow the intelligence communities, including NSA, to exploit their newly acquired knowledge. Once the bad guys are aware that you have acquired their current phone numbers and communications procedures, they change immediately to new ones.

In 2002, there was a move to amend the existing FISA rules, to bring them in line with the technological advances of the last 25 years. The administration was concerned however that the resultant public debate would tip the targets of the operation that their communications would become vulnerable to exploitation.

Perhaps it would be useful to explain which intercept operations require a FISA warrant. In the above scenario, let's assume an Al-Qa'idah operative is to make a trip to the United States via Paris. He calls and emails his Al-Qa'idah support contacts in Paris and New York. The communications from Karachi to Paris are totally external, so no warrant it required. The communications from Karachi to New York, however, terminate in the United States, thus requiring a warrant, despite it being an international communication. Obtaining a FISA warrant on just a phone number or email address is difficult, especially since the email can be checked in virtually any library and most coffee shops in the country.

Once the operative arrives in the United States, any of his communications back to Paris or Karachi require a warrant, since he is in the United States. If you know who he is, obtaining a FISA warrant would be routine. However, any of his communications between himself and the emails and phone numbers we know to be in the United States are solely domestic communications and now the purview of the FBI. They must show probable cause to obtain a warrant. It can be confusing and time consuming. Anytime you involve more than one agency, you also run the risk of poor coordination.

I know Mike Hayden, and I know many people that have worked and still work at NSA - I myself served there. These are honorable, dedicated intelligence professionals who take their responsibilities - and their legal obligations - seriously. Although I don't have all the details, or even enough to make an informed determination, right now I am willing to give them the benefit of the doubt that the FISA was not sufficient for them to monitor the people that we really need to be watching.