Dark Territory (32 page)

That's all we have the authority to do, Inglis replied.
Moreover, if the metadata revealed that someone inside the United States had called, or been called by, a suspected terrorist, just twenty-two people in the entire NSA—twenty line personnel and two supervisors—were able to request and examine more data about that phone number. And before that data could be probed, two of those twenty personnel and at least one of the supervisors had to agree, independently, that an expanded search was worthwhile. Finally, the authority to search that person's phone records would expire after 180 days.

If something suspicious showed up in one of those numbers, the NSA analysts could take a
second hop; in other words, they could
extract a list of all the calls that
those
numbers had made and received. But if the analysts wanted to expand the search to a third hop, looking at the numbers called to or from
those
phones, they would have to go through the same procedure all over again, obtaining permission from a supervisor and from the NSA general counsel. (The analysts usually did take a second hop, but almost never a third.)

From the looks that they exchanged across the table, all five members of the Review Group seemed satisfied that the Section 215 program was on the up-and-up (assuming this portion of the briefing was confirmed in a probe of agency files): it was authorized by Congress, approved by the FISA Court, limited in scope, and monitored more fastidiously than any of them had imagined. But President Obama had told them that he didn't want a
legal
opinion of the programs; he wanted a broad judgment of whether they were worthwhile.

So the members asked about the results of this surveillance: How many times had the NSA queried the database, and how many terrorist plots were stopped as a result?

One of the other senior officials had the precise numbers at hand.
For all of 2012, the NSA queried the database for 288 U.S. phone numbers. As a result of those queries, the agency passed on twelve “tips” to the FBI. If the FBI found the tips intriguing,
it
could request a court order to intercept the calls to and from that phone number—to
listen in
on the calls—using NSA technology, if necessary.

So, one of the commissioners asked, how many of those twelve tips led to the halting of a plot or the capture of a terrorist?

The answer was zero. None of the tips had led to anything worth pursuing further; none of the suspicions had panned out.

Geof Stone was floored.
“Uh,
hello
?” he thought. “What are we
doing
here?” The much-vaunted metadata program (a) seemed to be tightly controlled, (b) did
not
track every phone call in America, and, now it turned out, (c) had not unearthed a single terrorist.

Clarke asked the unspoken question: Why do you still
have
this program if it hasn't produced any results?

Inglis replied that the program had hastened the speed with which the FBI captured at least one terrorist. And, he added, it might point toward a plot sometime in the future. The metadata, after all, exist; the phone companies collect it routinely, as “business records,” and would continue to do so, with or without the NSA or Section 215. Since it's there, why not use it? If someone in the United States phoned a known terrorist, wasn't it
possible
that a plot was in the works? As long as proper safeguards were taken to protect Americans' privacy, why
not
look into it?

The skeptics remained tentatively unconvinced. This was something to examine more deeply.

Inglis moved on to what he and his colleagues considered a far more important and damaging Snowden leak.
It concerned the program known as PRISM, in which the NSA and FBI tapped into the central servers of nine leading American Internet companies—mainly Microsoft, Yahoo, and Google, but also Facebook, AOL, Skype, YouTube, Apple, and Paltalk—extracting email, documents, photos, audio and video files, and connection logs. The news stories about PRISM acknowledged that the purpose of the intercepts was to track down exclusively foreign targets, but the stories also noted that ordinary Americans' emails and cellular phone calls got scooped up in the process as well.

The NSA had released a statement, right after the first news stories, calling PRISM
“the most significant tool in the NSA's arsenal for the detection, identification, and disruption of terrorist threats to the US and around the world.”
General Alexander had publicly claimed that the data gathered from PRISM had helped discover and disrupt the planning of fifty-four terrorist attacks—a claim that Inglis now repeated, offering to share all the case files with the Review Group.

Whatever the ambiguities about the telephone metadata program, he stated, PRISM had demonstrably saved lives.

Did Americans' calls and email get caught up in the sweep? Yes, but that was an unavoidable by-product of the technology. The NSA briefers explained to the Review Group what Mike McConnell had explained, back in 2007, to anyone who'd listen: that digital communications traveled in packets, flowing along the most efficient path; and, because most of the world's bandwidth was concentrated in the United States, pieces of almost every email and cell phone conversation in the world flowed, at some point, through a line of American-based fiber optics.

In the age of landlines and microwave transmissions, if a terrorist in Pakistan called a terrorist in Yemen, the NSA could intercept their conversation without restraint; now, though, if the same two people, in the same overseas locations, were talking on a cell phone, and if NSA analysts wanted to latch on to a packet containing a piece of that conversation while it flowed inside the United States, they would have to get a warrant from the Foreign Intelligence Surveillance Court. It made no sense.

That's why McConnell pushed for a revision in the law, and that's what led to the Protect America Act of 2007 and to the FISA Amended Act of 2008, especially Section 702, which allowed the government to conduct electronic surveillance inside the United States—“with the assistance of a communications service provider,” in the words of that law—as long as the people communicating were “reasonably believed” to be outside the United States.

The nine Internet companies, which were named in the news stories, had either complied with NSA requests to tap into their servers or been ordered by the FISA Court to let the NSA in. Either way, the companies had long known what was going on.

Much of this was clear to the Review Group, but some of the procedures that Inglis and the others described were baffling. What
did it mean that callers were “reasonably believed” to be on foreign soil? How did the NSA analysts make that assessment?

The briefers went through a list of
“selectors”—key-word searches and other signposts—that indicated possible “foreignness.” As more selectors were checked off, the likelihood increased. The intercept could legally get under way, once there was a 52 percent probability that both parties to the call or the email were foreign-based.

Some on the Review Group commented that this seemed an iffy calculation and that, in any case, 52 percent marked a very low bar. The briefers conceded the point. Therefore, they went on, if it turned out, once the intercept began, that the parties were
inside
the United States, the operation had be shut down immediately and all the data thus far retrieved had to be destroyed.

The briefers also noted that, even though a court order wasn't required for these Section 702 intercepts, the NSA couldn't go hunting for just anything.
Each year, the agency's director and the U.S. attorney general had to certify, in a list approved by the FISA Court, the
categories
of intelligence targets that could be intercepted under Section 702. Then, every fifteen days, after the start of a new intercept, a special panel inside the Justice Department reviewed the operation, making sure it conformed to that list. Finally, every six months, the attorney general reviewed all the start-ups and submitted them to the congressional intelligence committees.

But there was a problem in all this. To get at the surveillance target, the NSA operators had to scoop up the entire
packet
that carried the pertinent communication. This packet was interwoven with other packets, which carried pieces of other communications, many of them no doubt involving Americans. What happened to all of those pieces? How did the agency make sure that some analyst didn't read those emails or listen to those cell phone conversations?

The briefers raised these questions on their own, because, just one week earlier, President Obama had declassified a ruling, back
in October 2011, by a FISA Court judge named John Bates, excoriating the NSA for the Section 702 intercepts generally. The fact that domestic communications were caught up in these “upstream collections,” as they were called, was no accident, Bates wrote in his ruling; it was an inherent part of the program, an inherent part of packet-switching technology. Unavoidably, then, the NSA was collecting
“tens of thousands of wholly domestic communications” each year, and, as such, this constituted a blatant violation of the Fourth Amendment.

“The government,” Bates concluded, “has failed to demonstrate that it has struck a reasonable balance between its foreign intelligence needs and the requirement that information concerning U.S. persons be protected.” As a result, he ordered a shutdown of the entire Section 702 program, until the NSA devised a remedy that did strike such a balance, and he ordered the agency to delete all upstream files that had been collected to date.

This was a serious legal problem, the briefers acknowledged, but, they emphasized, it had been brought to the court's attention
by
the NSA; there was no cover-up of wrongdoing. After Bates's ruling, the NSA changed the architecture of the collection system in a way that would minimize future violations. The new system was put in place a month before the Review Group was formed; Judge Bates declared himself satisfied that it solved the problem.

All in all, the first day of the Review Group's work was productive. The NSA officials around the table had answered every question, taken up every challenge with what seemed to be genuine candor, even an interest in discussing the issues. They'd rarely discussed these matters with outsiders—until then, no outsider had been cleared to discuss them—and they seemed to relish the opportunity. Geoffrey Stone in particular was impressed; the tenor seemed more like a university seminar than a briefing inside the most cloistered American intelligence agency.

It also seemed clear—if the officials were telling the truth (an assumption the Review Group would soon examine)—that, in one sense, the Snowden documents had been overblown. Stone's premise going into the day—that the NSA had morphed into a rogue agency—seemed invalid: the programs that Snowden uncovered (again, assuming the briefings were accurate) had been authorized, approved, and pretty closely monitored. Most of the checks and balances that Stone had thought about proposing, it turned out, were already in place.

But to some of the panelists, certainly to Stone, Swire, and Clarke, the briefings had not dispelled a larger set of concerns that the Snowden leaks had raised. These NSA officials, who'd been briefing them all day long, seemed like decent people; the safeguards put in place, the standards of restraint, were impressive; clearly, this was like neither the NSA of the 1960s nor an intelligence agency of any other country. But what if the United States experienced a few more terrorist attacks? Or what if a different sort of president, or a truly roguish NSA director, came to power? Those restraints had been put up from the inside, and they could be taken down from the inside as well. Clearly, the agency's technical prowess was staggering: its analysts could penetrate every network, server, phone call, or email they wished. The law might bar them from looking at, or listening to, the contents of those exchanges, but if the law were changed or ignored, there would be no physical obstacles; if the software were reprogrammed to track down political dissidents instead of terrorists, there would be no problem compiling vast databases on those kinds of targets.

In short, there was enormous
potential
for abuse. Stone, who'd written a book about the suppression of dissent in American history, shivered at the thought of what President Richard Nixon or FBI director J. Edgar Hoover might have done if they'd had this technology at their fingertips. And who could say, especially in the age of terror,
that Americans would never again see the likes of Nixon or Hoover in the upper echelons of power?

Stone nurtured an unexpected convert to this view in Mike Morell, the recently retired spy on the Review Group. The two shared an office in the SCIF on K Street, and Stone, a charismatic lecturer, laid out the many paths to potential abuse as well as the incidents of actual abuse in recent times, a history of which Morell claimed he knew little, despite his three decades in the CIA. (During the Church hearings, Morell was in high school, oblivious to global affairs; his posture at Langley, where he went to work straight out of college, was that of a nose-to-the-grindstone Company Man.)

Over the next four months, the group returned to Fort Meade a few times, and delegations from Fort Meade visited the group at its office a few times, as well. The more files that the group and its staff examined, the more they felt confirmed in their impressions from the first briefing.

Morell was the one who pored through the NSA case files, including the raw data from all fifty-four terrorist plots that Alexander and Inglis claimed were derailed because of the PRISM program under Section 702 of the FISA Act, as well as a few plots that they were now claiming, belatedly, had been unearthed because of the bulk collection of telephone metadata, authorized by Section 215 of the Patriot Act.
Morell and the staff, who also reviewed the files, concluded that the PRISM intercepts did play a role in halting fifty-three of those fifty-four plots—a remarkable validation of the NSA's central counterterrorist program.
However, in
none
of those fifty-three files did they find evidence that metadata played a substantial role. Nor were they persuaded by the few new cases that Alexander had sent to the group: yes, in those cases, a terrorist's phone number showed up in the metadata, but it showed up in several other intercepts, too. Had
there never been a Section 215, had metadata never been collected in bulk, the NSA or the FBI would still have uncovered those plots.