THE FISA COMPROMISE…. The aspect of the FISA compromise that’s gotten the most attention is its grant of retroactive immunity to the telephone companies that cooperated with the NSA’s post-9/11 domestic spying program. Like everyone else in the liberal blogosphere, I think retroactive immunity is a bad idea that sets a bad precedent, but as I’ve mentioned before, this isn’t a hill I’m willing to die defending. Sure, the telcos may have made the wrong call, but they were caught in a genuinely tough bind in the days after 9/11. The real bad guys here are George Bush and his enablers, who refused to go to Congress after the immediate post-9/11 emergency was over and get legislative approval for the NSA surveillance program.

For my money, then, telecom immunity is a little bit of a sideshow. The rest of the bill matters a lot more. So what’s in it?

For starters, the most positive aspect of the bill is that it makes clear that FISA and the criminal wiretap laws are the exclusive means by which electronic surveillance may be conducted. It’s true that the old FISA bill says the same thing, and in any case it wouldn’t surprise me if Bush issued a signing statement saying he disagrees with this section, but still, at least it’s something.

However, there are also several negative aspects of the bill aside from telecom immunity, and two of them stand out to me. First, the old FISA allowed NSA to conduct a wiretap for up to 72 hours while waiting for FISA approval. The new bill extends this to a week, allows the surveillance to continue during appeals, and permits the government to use any of the information it collects even if the FISA court eventually rules that the tap is unlawful. This pretty obviously opens the door to some fairly serious abuse in the future.

Second, and more fundamentally, the bill gives wholesale approval for NSA to conduct bulk monitoring of electronic communications (primarily email and phone calls). This is the issue that catapulted FISA into prominence in the first place, and it’s getting surprisingly little attention this time around. As near as I can tell, this is because bulk monitoring is now widely accepted on both sides of the aisle. For example, in his interview with Jake Tapper last week, Barack Obama made a point of correcting him on this score:

TAPPER: There has not been a terrorist attack within the U.S. since 9/11. And [the Bush administration says] the reason that is, is because of the domestic programs, many of which you opposed, the NSA surveillance program, Guantanamo Bay, and other programs. How do you know that they’re wrong? It’s not possible that they’re right?

OBAMA: Well, keep in mind I haven’t opposed, for example, the national security surveillance program, the NSA program. What I’ve said that we can do it within the constraints of our civil liberties and our Constitution.

At this point we have to engage in a bit of guesswork since the details of the NSA program are classified, but the basic problem is the same as it’s always been: NSA’s program isn’t targeted at particular people or even particular organizations. Nor is it targeted solely at foreign-to-foreign communications since modern communications technology makes it very difficult to be sure where a particular message originates or terminates. Rather, it’s based on complex computer algorithms, something that’s genuinely uncharted territory.

To repeat something I said a couple of years ago, the nice thing about probable cause and reasonable suspicion and other similar phrases is that they have a long history behind them. There are hundreds of years of statutory definition and case law that define what they mean, and human judges interpret them in ways that most of us understand, even if we disagree about which standard ought to be used for issuing different kinds of wiretap warrants.

But the NSA’s domestic spying program doesn’t rely on the ordinary human understanding of these phrases. Instead, it appears to rely primarily on software algorithms that determine whether or not a person is acting in a way that merits eavesdropping. The details are still murky, but what the NSA appears to be doing is very large-scale data mining on virtually every phone call and email between the United States and overseas, looking for patterns that fit a profile of some kind. Maybe twice or three times removed links to suspected terrorist phone numbers. Or anyone who makes more than 5% of their calls to Afghanistan. Or people who make a suspiciously large volume of calls on certain dates or from certain mosques. Stuff like that.

Then, if you happen to fit one of these profiles, your phone is tapped and an NSA analyst decides if you’re really a terrorist suspect. This apparently happens tens of thousands of times a year and most are washed out. Perhaps a thousand or two thousand a year are still suspicious enough to pass on to the FBI, and most of these wash out too. At the end of the year, five or ten are still of enough interest to justify getting a domestic wiretap warrant.

Is this useful? Maybe. But we’re not listening in on al-Qaeda’s phone calls to America. We’re tapping the phones of anyone who fits a hazy and seldom accurate profile that NSA finds vaguely suspicious, a profile that inevitably includes plenty of calls in which one end is a U.S. citizen. But the new FISA bill doesn’t require NSA to get a warrant for any of these individuals or groups; it only requires a FISA judge to approve the broad contours of the profiling software. This raises lots of obvious concerns:

  • The algorithms that determine NSA’s profiles are almost certainly extremely complex and technical — far beyond the capability of any lawyer to understand. So who gets to decide which algorithms are legitimate and which ones go too far? NSA’s computer programmers?

  • What happens to the information that’s collected on the tens of thousands of people who turn out to be innocent bystanders? Is it kept around forever?

  • Is this program limited solely to international terrorism? Are you sure? If it works, why not use it to fight drug smuggling, sex slave trafficking, and software piracy?

  • Since this program was meant to be completely secret, what mechanism prevents eventual abuse? Because programs like this, even if they’re started with the best intentions, always get abused eventually.

The oversight on this stuff is inherently weak. After all, no court can seriously evaluate algorithms like this and neither can Congress. They don’t have the technical chops. Do the algorithms use ethnic background as one of their parameters? Membership in suspect organizations? Associations with foreigners? Residence in specific neighborhoods? Nobody knows, and no layman can know, because these things most likely emerge from other parameters rather than being used as direct inputs to the algorithm.

For all practical purposes, then, the decision about which U.S. citizens to spy on is being vested in a small group of technicians operating in secret and creating criteria that virtually no one else understands. The new bill requires annual review by Inspectors General of the government’s compliance with targeting and minimization procedures, which is better than nothing, but stronger amendments aimed at limiting the targeting of U.S. citizens were specifically rejected. See David Kris here for more.

In the end, everyone seems to have decided that bulk monitoring of electronic communications is OK, and that the new bill provides adequate oversight and minimization procedures. I’m not so sure myself, since I don’t trust procedures like this to stay robust. In any case, I’d say this is the core issue, not telecom immunity, and it deserves more attention. Unfortunately, it doesn’t look like it’s going to get it.