Two fascinating articles have come out on what the NSA is up to. One is quite disturbing, the other is disturbing, but less so.
The disturbing one is an article in the Washington Post based on its review of a cross section (about 160,000 messages) of NSA surveillance. The great majority were instant messages, but also included were e-mails, stored documents, chat rooms, social networks, and real time voice, text or video. (Does that category include phone calls? If so, they were a small fraction of the communications, only 565. It is not clear to me whether that was so because phone calls make up only a small portion of NSA surveillance, or because Snowdon's collection simply did not include them). Some of the innocent communications swept in were actual contacts with real targets. Others were far more tenuous links -- visiting the same chat room, even using the same computer server. A warrant is required if the NSA believes its target is a "US person." But the NSA often used dubious criteria to determine that a target was "foreign." They also may switch to treating a target as foreign when a properly obtained warrant for a US target expires. (Expiration is automatic after 90 days).
If this sample is accurate, what the NSA listens to is about 10% actual targets and 90% innocent stuff swept in. The article cites a figure of 89,138 intentional targets (internationally) last year. At that ratio, there would have been surveillance of approximately 900,000 accounts, targeted or not. About half the surveillance files it reviewed (around 65,000) contained contact information on a "US person." The NSA, in proper accordance with the law, removed the actual identity of the "US person," but kept the content which is, after all, where the real violation of privacy takes place. It must be added that the roughly 10% of surveillance directed at real targets has yielded much real and legitimate intelligence. And it is no doubt inevitable that in the process of surveillance, a good deal of innocent material will get swept up. And finally, much of the surveillance activity the article describes took place outside the US and was of non-US persons, so the stricter standards of the Fourth Amendment do not apply. But the question remains, what sort of minimization procedures are appropriate in foreign spying. What measures should be taken to avoid sweeping in innocent communications? What rules should apply to discarding those communications? And should the rules overseas be the same as those at home, or different? And, if different, how so?
To put a human face on it, the article gives a single example -- a romance in Australia between a woman who had converted to Islam and the son of refugees from Afghanistan. He was seeking to join the Taliban. She had no idea what he was up to. Thus he was clearly and beyond dispute a legitimate target, which she was an innocent caught up in the net. Ultimately the romance failed and contact was broken off. Ultimately he returned from Afghanistan without joining the Taliban and was temporarily taken into custody by the Australian National Police but release without being charged. She was politely questioned, at home and knew of the surveillance well before the article came out. So, uncontroversially, he was an appropriate target. It was entirely proper to keep an eye on him, even if he did not end up joining the Taliban. It also seems fair to say that, once the case closed, he was not charged, and she was determined not to have been involved, the conversations between them should have been destroyed. (They have not been).
The real question is, to what extent was it legitimate to follow their conversations, once it became clear that they were purely romantic and in no way incriminating? She they have continued to surveil their target, but not included his conversation with his girlfriend at all? Should they have been allowed to follow each individual conversation, but then required to destroy it as soon as it became apparent that it was innocent? Or should they have been allowed to collect all their exchanges, but then destroyed them once the case closed? (For what it is worth, the girlfriend is prepared to concede the following all their conversations was legitimate because of his activities, but they should have been destroyed once the case closed).
These are difficult questions and there are reasonable arguments one way and the other. But they are arguments we should be having. They are arguments we should be having in Congress. The NSA has clearly proven that it cannot be trusted to minimize adequately. There need to be clear rules on the subject. And these rules need to take the form of a statute, set down by Congress, not the NSA being trusted to police itself, or the FISA court, which looks like a classic case of regulatory capture. Republicans may grumble about statutes running to hundreds of pages these days, but there is a reason for it. The reason is that we don't trust courts or regulatory agencies to interpret statutes right, and want to give them clear guidance. That guidance needs to be set forth in FISA.
Finally, the article comments that Obama's first term witnessed an "exponential" growth in NSA domestic surveillance, an infuriating thing for people like me who supported him in hopes of reigning in the out of control national security state we saw arising under Bush. The article also remarks that no government oversight body has delved into a comparably large sample of what the NSA collects.