Hello again, Edward Snowden.

Photographer Mandel Ngan/AFP/Getty Images

NSA's Spying on Hackers Isn't So Scary

Noah Feldman is a Bloomberg View columnist. He is a professor of constitutional and international law at Harvard University and was a clerk to U.S. Supreme Court Justice David Souter. His books include “Cool War: The Future of Global Competition” and “Divided by God: America’s Church-State Problem -- and What We Should Do About It.”
Read More.
a | A

Did the Department of Justice go too far in 2012 when it apparently expanded the National Security Agency’s authority for warrantless searches of Internet traffic to search domestic data for signs of foreign hacking? The text of the secret Justice memos isn’t part of the latest batch of material revealed by former NSA contractor Edward Snowden. But a reading of the leaked materials doesn’t (yet) reveal a smoking gun that would obviously exceed the Constitution or legal authority. The searches were expanded -- but legal safeguards were also put in place.

Start with the revelations. A classified document, dated March 23, 2012, says that the NSA had completed a request to target materials that it previously couldn't. In the past, it says, NSA was only allowed look at Internet traffic in the U.S. “when the actor is known and can be tied to a foreign government or terrorist organization.” This was inadequate, the document says, because “many cyber threat targets currently cannot be tasked … due to lack of attribution to a foreign government or terrorist organization.”

QuickTake NSA Surveillance

In other words, when the NSA was tracking hackers, it was barred from looking at traffic that it couldn’t specifically trace to foreign governments or terrorists. It wanted to be able to see more. It requested a new authority that “will not require this attribution, and rather only require that a selector be tied to malicious cyber activity.” Evidence of hacking alone would authorize a search of the traffic, regardless of its origin.

This expansion sounds big -- and potentially bad. There’s a real difference between the government searching hacker traffic when it knows it’s coming from a specific bad actor abroad and the government searching all hacker traffic.

The document went on to say that the “collection will then be used to determine attribution, as well as perform collection against known targets.” Determining who’s doing the hacking doesn’t sound anywhere near as bad -- especially if all hacking not originating with foreign actors is protected from further NSA searching.

Did that protection occur? It’s hard to say for sure, but here’s what we do know. A leaked, classified timeline says that the NSA’s request was approved by Justice Department lawyers in May and July of 2012. We don’t have those memos.

The original report said the government intended to go to the secret Foreign Intelligence Surveillance Court for authorization. But the government never did so. That strongly implies that the Justice memos said that such authorization wasn’t necessary and that the new protocol could be approved under existing legal authority. If that inference is correct, it was at least an aggressive reading of existing legal authority.

But there do seem to have been protections in place. That understanding derives from a long, leaked, classified briefing by White House lawyers on the statutory and constitutional authorities and limitations of the NSA searches.

Time after time, the White House counsel’s briefing emphasizes restrictions on gathering and dissemination of material involving U.S. persons protected by law. The first idea is that searches are supposed to be designed not to gather protected materials. “Pay attention to what is being collected,” say the notes beneath one slide in the briefing. “NSA has a positive responsibility to defeat out to the extent possible collections of” communications by Americans.

When searches gather material that the NSA isn’t supposed to look at, it’s obligated not to disseminate that information to unauthorized government agencies. When information about Americans is collected incidentally to lawful searches, the slides say, the NSA must apply “minimization procedures.” Before “disseminating any information,” the NSA must “evaluate information for foreign intelligence and decide if any incidentally acquired US person information is suitable for dissemination.”

There are some worrisome elements here. For example, the briefing says that information on Americans can be retained for five years online and 10 years offline -- presumably, even if it has no bearing on foreign intelligence. Yet the same slide says that only signals-intelligence personnel should have access, thus limiting access to those “trained on 4th Amendment procedures.”

From the limited body of evidence available, the most reasonable conclusion seems to be that the NSA did expand its searches significantly, but its goal really was to find foreign hackers. Limitations seem to have been built in so that information on protected people in the U.S. wouldn’t be used in violation of existing legal and constitutional protections.

Maybe it will turn out that domestic intelligence actors like the FBI got inappropriate access to this data, in which case these protections will have been inadequate. And the legal authority for this expansion may have been overstated, given that the secret surveillance court wasn’t consulted. But until we know these things, we shouldn’t be as upset about the latest Snowden revelations as we’ve appropriately been about many that came before.

  1. Caveat: I’m no expert on computer intelligence gathering, and it’s possible I’ve missed or misunderstood something in 90 pages of material studded with acronyms, abbreviations and technical references. But the core of the material is legal -- and there I’m on firmer ground.

This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.

To contact the author on this story:
Noah Feldman at nfeldman7@bloomberg.net

To contact the editor on this story:
Stacey Shick at sshick@bloomberg.net