The Cybersecurity Executive Order: A Right Start

May 13, 2017

President Trump issued two days ago a much anticipated executive order that reflects mature thinking about managing the sprawling kluge of federal networks, a determination to do it, and an over-estimation of the government’s ability to comply with demands for 16 Cabinet-level reports in short order. Whether the order is rigorously implemented remains to be seen, but it’s a right start.

The order’s provisions on critical infrastructure are hesitant by comparison, but far more robust than the terms of the leaked drafts floating around since January. That’s a welcome change. The order follows by six weeks the publication of a Report by MIT’s Internet Policy Research Institute called “Keeping America Safe: Toward More Secure Networks for Critical Infrastructure.” (I was the principal author of that report.) The comparisons are interesting.

Federal Networks

The order’s strong points are simple, yet they had never been articulated at the highest level of government, let alone implemented. First, excepting national security systems, cybersecurity risk will now be managed as a joint executive branch enterprise, rather than as a series of inconsistent departmental enterprises. Doing this will trench on departmental prerogatives and will therefore require strong presidential leadership. Watch for blood on the floor. If you don’t see any, it isn’t happening. If it does happen, better security and substantial efficiencies in procurement and management should result.

Second, the order directs the newly created American Technology Council to report within 90 days on the technical feasibility and cost effectiveness of transitioning all federal agencies, or a subset of them, to one or more consolidated network architectures and shared IT services. The danger here is the risk of moving from multiple points of failure to a single point of failure. The drafters seem aware of this danger, however. Hence the reference to subsets of agencies and “one or more” architectures.

Third, the order requires agencies to abandon competing standards for evaluating cybersecurity risk. All agencies must now use “The Framework for Improving Critical Infrastructure Cybersecurity” developed by the National Institute of Standards and Technology. The MIT Report observed (as have others) that competing compliance standards create confusion and suggested that the NIST Framework be adopted across the government. This will now be done. We also suggested that the Framework be imposed on federal contractors. That has not been done.

Fourth, the order requires the Office of Management and Budget to join the Secretary of Homeland Security in assessing the progress of the order’s implementation. This is critical. OMB is the hammer in the Executive Branch. It controls the money. It not only giveth; it taketh away. The MIT Report’s first recommendation was to involve OMB in precisely this way. If this provision is robustly implemented, it will bring results.

How should we judge the success of this part of the order? The only metric that ultimately matters is the reduction in the number of federal cyber incidents that result either in the loss of significant information (by volume or sensitivity) or in the implantation of malware that cannot be readily identified and remediated.

Five proxy metrics should also be officially tracked and made public:

  1. An increase in the dollar volume of joint department procurement of equipment and services relating to the order;
  2. The number of agencies that move (a) to one or more consolidated network architectures, and (b) to shared IT services – without creating a single point of failure;
  3. The dollar volume of funds that are re-programmed within and between agencies in response to the ongoing evaluations called for in the order;
  4. The dollar volume of Congressionally authorized expenditures fenced in response to these evaluations; and
  5. Whether cabinet officials are fired if their departments suffer from avoidable network failures.

Critical Infrastructure

The section of the order dealing with critical infrastructure is less precise, less sure-footed, and less satisfying. I believe it represents an awareness that earlier drafts paid insufficient attention to the topic, but no conviction about what to do about it. Fair enough. About 85 percent of this infrastructure is privately owned, and while national security depends on it, the President can’t simply order its owners to do what he wants.

The order therefore commands five reports to the President. The first is to identify all federal legal authorities that can be used to support the infrastructure at greatest risk. It is difficult to believe that authoritative memoranda on this topic do not already exist in the departments of justice and homeland security.

The second report will examine “the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities ….” Obscurity this dense in an otherwise clear order must be intentional. I translate it thus: “We are going to figure out better ways to publicly embarrass big companies whose cybersecurity really stinks.” If that’s what it means, I’m for it.

The third report will evaluate ways to improve resilience against botnets and other automated attacks. This is a good idea, but I fear the drafters believe that the fundamental insecurity of Internet communications is technological. Technological challenges do exist. Automated attacks require automated defenses. But as the MIT Report makes clear, the most difficult obstacles in the way of higher cybersecurity are not technological. They are legal, economic, and managerial. (Short explanation here.) If the required report to the President fails to address these non-technological challenges, it will be useless.

The fourth report will be an assessment of the nation’s readiness to prevent, manage, and recover from a disruption of our regional electric grids. I applaud this focus. But the order has missed a trick. We simply don’t have sufficient data on which to base much more sophisticated, cross-sector simulations than we can now do. Why? Because the companies that own the vulnerability data won’t share it. At the same time, the companies that have vulnerability data don’t have a handle on the latest threats. The Internet Policy Research Initiative at MIT is about to tackle this problem. We aim to discover whether data owners would be willing to put anonymized and encrypted data into a secure facility at MIT, then participate in realistic simulations of cyber-initiated disasters – and share the results.

The fifth report will concern the challenges faced by the defense industrial base, including supply chain risk.

These studies will be useful for the security of critical infrastructure – but only if they deal with three fundamental issues identified in the MIT Report but ignored in the executive order:

  1. Isolation. The President must be told that critical infrastructure systems cannot be made reasonably secure unless key controls are isolated from public networks. Believing otherwise is delusional.
  2. A Market for Safe Controls. One of the worst supply chain threats to infrastructure doesn’t come from malicious manipulation of equipment. It comes from insecure, multipurpose electronic controls that are not suitable for specialized, sensitive uses. The government must explore the cost and feasibility of supporting a market for simpler, secure variants of commercial controls for critical infrastructure.
  3. Market and Tax Incentives. The incentives for producing more secure hardware and software, and for retiring legacy systems, are misaligned, and the order should have said so. Tax incentives should encourage firms to retire legacy components, for example. Negative incentives are also important. Apart from the manufacture of hardware and software, in what area of economic life is it possible to put unsafe or unsuitable products into the stream of commerce without liability? I can’t think of any. This must change.

If the cabinet-level reports required by the order do not address each of these issues, then critical infrastructure vulnerabilities will continue to get worse, and the Trump Administration will simply join its predecessors in producing feckless, hand-wringing rhetoric on the subject. Stay tuned.

It seemed we’d been waiting a long time for this order, but only because several half-baked drafts were leaked at the start of Trump’s term. In fact, this order comes less than four months into his term. That’s quick. The frustrating thing about it is not that we waited four months for Trump’s team to issue the order. Rather, it’s that we waited about 12 years for Presidents Bush and Obama to issue an order like this, and they never did.

I like to think this order is evidence of the wisdom of appointing Rob Joyce as the new cyber advisor on the national security staff, but it’s too soon to tell. The media continue to refer to Joyce as the cyber “czar.” The best reason to avoid calling any American official a “czar” comes from former CIA Director Jim Woolsey, who used to say that five hundred years of reactionary stupidity followed by seventy-two years of Bolshevism is not a governance model we want to emulate. Czars were absolute rulers. Joyce is a mere “coordinator” – which means he has no power at all. Which brings me back to the first recommendation in the MIT Report: Joyce should be elevated to the position of deputy national security advisor. Rank counts. It will determine who returns his phone calls and how quickly, and whether he’s even invited to meetings with senior officials whose actions he’s trying to influence. I wish him much luck.

FISA and Foreign Intelligence: Getting the History Straight

The editors of the New England Law Review have kindly given permission to post the following book review in anticipation of its appearance in that review later this year.

51 New Eng. L. Rev. (forthcoming, 2017)

Response to:

Laura K. Donohue, The Future of Foreign Intelligence: Privacy and Surveillance in a Digital Age (New York: OUP, 2016)

By Joel Brenner

(Joel Brenner is a research fellow at the Massachusetts Institute of Technology. He is the former inspector general and senior counsel of the National Security Agency and former head of U.S. counterintelligence under the first three directors of national intelligence. He gratefully acknowledges the assistance of Alexander Loomis of Harvard Law School in preparing this response.)
Professor Donohue has given us a full-throated denunciation of the entire legal framework governing the government’s collection of data about American citizens and permanent residents, whom we call “U.S. Persons.”[1] She contends that in the wake of the digital revolution, current law “is no longer sufficient to guard our rights”[2] – she’s right about that – and that we have actually returned to the untrammeled issuance of general warrants that characterized the eighteenth century British practice that our nation’s Founders rebelled against. She proposes a thorough revision of the laws governing the collection of foreign electronic intelligence within the United States and abroad, and she advocates severe limitations on the collection and access to digital information of any sort. I will address the merits of her arguments – but first a threshold question: Is this really a book about the future of foreign intelligence?

From the half-century leading to the end of the Cold War, the nearly exclusive control by nation-states over the tools of spy craft seemed like a natural monopoly. The complexity of modern cryptography from the 1930s onward put high-end encryption beyond the capability of all but a few intelligence services.[3] Most forms of electronic intelligence gathering — advanced listening devices, sophisticated radars and antennae, and measurement of weaponry signatures, for example — were also developed by governments and were unavailable to most nations. Free-lance and commercial human spying never went away, but they became the exception after Europe was rigidly divided into East-West blocs, and as border controls, which hardly existed before World War I,[4] became the norm.

Between the collapse of the Soviet Union in 1991 and the 9/11 attacks a decade later, the monopoly vanished as the tools of spycraft became the products and instruments of the marketplace. The encryption now found in an ordinary smart phone can be broken only with extraordinary effort, if at all, and its computing power dwarfs anything available to the presidents and premiers of a previous generation. The absolute monopoly of the two Cold War superpowers over high-thrust rocketry and orbital satellites is ancient history. Countries around the world now compete with, or rely on, private companies to do the heavy lifting. The commercial satellite imagery readily available to the public is also jaw-droppingly good, at resolutions that were state secrets only a few years ago. The advantage of states over private enterprises in surveillance, counter-surveillance, and clandestine operations has not disappeared, but the private sector is catching up fast. At the same time, the digitization of information and the consequent explosion of freely available data have both delighted and disoriented us, turning private lives inside out and making secrets extremely difficult to keep for individuals, businesses, and governments alike — including intelligence services. The ubiquity of data has also made open-source intelligence more valuable than ever and has called into question the scope, though not the necessity, of secret intelligence gathering and analysis. The challenges this environment presents to intelligence services are severe.[5] In the wake of these developments, the distinction insisted upon by the grand viziers of Langley, Cambridge Circus, and Moscow Center between intelligence (that’s what you think, with a small “i”) and Intelligence (that’s what we think, with its reifying initial capital) appears risible.

Profound political, ethical, and legal challenges also confront agencies that make a living stealing secrets. Stealing secrets involves breaking the laws of other nations, including friendly ones. In an increasingly integrated world, we can expect new norms, and perhaps laws, to control that kind of activity. Drones and robots also present still-unresolved questions.[6] Profound issues of mission focus are also up for grabs — whether the CIA will continue to be dominated by its para-military side,[7] and whether the National Security Agency (“NSA”) is destined to remain essentially a targeting service for a war machine at the expense of its national intelligence mission.[8] Distinguishing domestic from foreign communications is increasingly difficult, heightening the need to regulate this aspect of foreign intelligence operations.[9]

Opening a book entitled The Future of Foreign Intelligence, this is the platter of issues one would expect on the table. But from this menu, the only dishes Professor Donohue serves up are the government’s access to domestic digital data and the legal difficulties that arise from the inevitable mingling of domestic and foreign communications. Her book thus has little to do with the future of foreign intelligence, and rather than evaluate it as such, we will do better to accept it as the book her subtitle accurately describes: Privacy and Surveillance in the Digital Age. This is not a mere quibble about a title. Her argument is infected with a fundamental confusion between the scope and purpose of the Foreign Intelligence Surveillance Act (“FISA”) and the general regulation of foreign intelligence, and that confusion is reflected on the book’s cover. In any case, privacy and surveillance are topic enough for a brief but passionate argument about the constraints (or as she would say, the lack of constraints) on the government’s ability to vacuum up everyone’s digital exhaust. Professor Donohue shapes this conversation through her teaching and as one of a handful of amici curiae appointed to advise the Foreign Intelligence Surveillance Court (“FISC”) in cases of broad applicability. On these issues her views demand respectful attention.

The Argument

Her arrows are aimed chiefly at two specific targets. The first is the Supreme Court’s “third-party doctrine,” which denies Americans a constitutionally based privacy interest in data they give to third parties, including common carriers and other digital platforms that provide essential services. I enlarge her attack on this doctrine.

Her second major target is the 2008 amendments to the Foreign Intelligence Surveillance Act of 2008[10] (the “FISA Amendments Act” or “FAA”). That law allowed the NSA to collect, without a warrant, communications between targeted foreign citizens and Americans. She and I agree that reforms are needed. But she would go further than I would by subjecting foreign intelligence collection to strict warrant requirements. That proposal misunderstands FISA’s purpose and constitutional limitations.

Professor Donohue also presents a jaundiced but, as I will explain, undeveloped view of the area of government operations known as intelligence oversight. Finally, she contends that criminal law and the law governing intelligence gathering have little or nothing to do with one another and that the distinction between them is both meaningful and clear. Her most startling and potentially consequential proposal is to resurrect that doctrine by re-erecting “The Wall” that, until 2002, required the complete separation of criminal investigations from all information gathered using foreign intelligence sources and methods. In my view, the destruction of that barrier was one of the most significant and desirable changes to the organization of the federal government following the attacks of 9/11.

I examine her arguments in this order.

Third-Party Doctrine and Metadata

In the early 1970s, federal authorities served subpoenas on two banks with which a bootlegger named Miller did business. The banks complied. Miller moved unsuccessfully to suppress the banks’ evidence on the grounds that it had been seized without warrants in violation of the Fourth Amendment. He was later convicted of various federal crimes. The Court of Appeals for the Fifth Circuit overturned his conviction, but the Supreme Court reversed. The Court held that

  1. the subpoenaed papers were the bank’s business records,
  2. the bank was required to maintain them under the Bank Secrecy Act of 1970,[11] and
  3. Miller had no reasonable expectation of privacy either in the bank’s copy of the records or in the original checks, which were negotiable instruments used in commercial transactions.[12]

Miller’s holding could easily have been confined to negotiable instruments or to business records maintained under statute. But three years later, in Smith v. Maryland,[13] the Supreme Court expanded Miller to cover any information given to third parties. Petitioner Smith had been convicted of robbery based in part on telephone numbers collected from a pen register placed on his phone without a warrant. Holding that he had no Fourth Amendment interest in the phone company’s business records, the Court expressed “doubt that people in general entertain any actual expectation of privacy in the numbers they dial.”[14] For good measure the Court added that if Smith did have such an expectation of privacy, it was not one society was prepared to recognize as reasonable. Smith had “voluntarily conveyed” his dialing information to the phone company[15] and had therefore “assumed the risk” that the company would reveal the information to the police. We now had a broad, clearly articulated third-party doctrine: “This Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”[16]

Miller and Smith were both based on the “reasonable expectation of privacy” test of Katz v. United States.[17] With rare exceptions,[18] lower courts have repeatedly reaffirmed the third-party doctrine. But as Professor Donohue makes clear, it no longer protects reasonable expectations of privacy. During the 1970s, people only shared information with third parties (other than the bank and the phone company) by handing a box of papers to their lawyers, accountants, or business associates. There were no permanent records of people’s messages to their family and friends. Today, by contrast, nearly all information is routinely digitized and shared with cloud service providers. If your smartphone or laptop is backed up by Google, Apple, or anyone else, you have no constitutional privacy interest in its contents. People increasingly keep all manner of personal and business records “on” their smartphones, which combine the features of filing cabinets, photo albums, contact directories, diaries, credit cards, and so forth all in one place. Dating apps record people’s sexual preferences and romantic liaisons. And unlike the defendant’s phone in Smith, which was tethered to a wall, mobile phones move freely.[19] Mobile phones, especially smartphones, are tracking devices. Uber and Lyft, the weather app, the city transportation app, and many others have little or no value if they do not know exactly where you are. Your mobile phone must also know where you are at all times in order to connect your calls, so it constantly communicates with cell towers even when you’re not on the phone. Companies keep this data and often sell it. Our phones thus record not merely where we are now, but where we have been and how long we were there. Soon, thanks to the third-party doctrine, no one will have a reasonable expectation of privacy in almost anything.[20]

Technological developments notwithstanding, the third-party doctrine was also bad law to begin with. It treats a substantive constitutional right as if it were merely an evidentiary privilege that is automatically lost when shared with anyone else. That view does not reflect reasonable expectations of privacy, and it never did. If you disclose to a third party an otherwise privileged conversation with your lawyer, you lose the privilege. But this is merely a rule of evidence. We do not use the subsequent third-party disclosure to declare that the client had no right to share information in confidence with the lawyer in the first place. Rather, we recognize that lawyer and client, like doctor and patient, communicate in a zone of confidence. The third-party doctrine recognizes no such zone for information that ordinary people must, as a necessity of life, share with companies that promise to protect their privacy.[21] In Miller, for example, the petitioner’s bankers testified that they regarded their customers’ records as confidential,[22] and the prosecution admitted as much.[23] But Miller’s holding effectively eliminated any such confidence that reasonable customers had.[24] In short, the reasonable expectation test of Katz would have fit the facts in Miller like a glove, if the Court had only tried it on.[25]

Miller and Smith thus represent an attempt to define a substantive right through a mechanical, inapt test borrowed consciously or unconsciously from the law of evidence. The attempt was always flawed in principle. But thanks to technological developments putting virtually all our private information in third parties’ hands, it now produces intolerable results. So Professor Donohue is right: Supreme Court precedent does not protect ordinary citizens from unreasonable government intrusions into private lives and requires re-thinking.

Several members of the Court appear to agree, as Justice Scalia’s opinion for the Court and the concurrences in Jones v. United States[26] suggest. Jones presented the question whether attaching a GPS tracking device to a man’s automobile, and subsequently using that device to monitor the vehicle’s movements on public streets, constituted a Fourth Amendment search or seizure. A five-justice majority declined to apply the rule on the narrow ground that, notwithstanding Katz’s expectation of privacy test, the government had trespassed in affixing the device to the vehicle.[27] The majority knew that its disposition of the case left the hard question lurking in the wings: “It may be that achieving the same result through electronic means, without an accompanying trespass, is an unconstitutional invasion of privacy, but the present case does not require us to answer that question.”[28] Justice Sotomayor, who concurred with the majority, wrote separately. “I would ask,” she wrote, “whether people reasonably expect that their movements will be recorded and aggregated in a manner that enables the Government to ascertain, more or less at will, their political and religious beliefs, sexual habits, and so on.” Her implication was clear: “More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.”[29] Justice Alito, joined by Justices Ginsburg, Breyer, and Kagan, had the same concern. “[I]f long-term monitoring can be accomplished without committing a technical trespass — suppose, for example, that the Federal Government required or persuaded auto manufacturers to include a GPS tracking device in every car — the Court’s theory would provide no protection.”[30] We thus had all nine members of the Court expressing discomfort both with the third-party doctrine and its interplay with Katz.[31]

Jones may mark the beginning of the end for an across-the-board third-party doctrine, but the end is unlikely to come at a single stroke. Congress has displayed no enthusiasm for legislating in this area, and courts will be slow to abandon a mechanically applied doctrine that produces clear results.[32] But doctrinal clarity costs too much in today’s digital economy. The third-party doctrine destroys information privacy and yields unreasonable results. It is premised on technologically obsolete assumptions about the world — a point that Professor Donohue makes wonderfully clear — and it was unsound from the beginning.

In its time, Katz expanded individual rights by holding that citizens enjoy a zone of privacy that moves with them. But its reasonable expectation standard should be re-thought. On the one hand, it is insufficient to deal with technological advances that are rapidly destroying expectations of privacy that still seem reasonable to many people; on the other hand, it could be useful in fashioning protections for information that must, as a practical matter, be shared with third parties. Professor Donohue thinks we may be in “a pre-Katz moment,” ripe for a doctrinal shift. When a majority of the Court declares that “Fourth Amendment rights do not rise or fall with the Katz formulation,”[33] she’s probably right.

Collection Under FISA

Professor Donohue mounts three principal attacks on the FAA. First, it authorizes the collection of bulk electronic metadata without a warrant, by which she apparently means a Title III warrant.[34] She asserts this practice is unconstitutional, by which she presumably means that in her view it should be unconstitutional, because she knows that the third-party doctrine, just discussed, denies citizens a Fourth Amendment right to privacy in communications metadata.[35]

Second, she argues that a FISA order that authorizes the collection of large numbers of international communications that begin or terminate in the United States between foreign persons overseas who are associated with terrorism is unconstitutional. Instead, she believes a FISA order must be restricted to a single, particularized call or message. She provides no constitutional foundation for her position, and there is none.

Third, she argues that the government’s unrestrained ability to retain and examine lawfully collected intercepts of conversations involving U.S. Persons under section 702 is unconstitutional and should be regulated. Here again Professor Donohue’s arguments about constitutionality are perplexing, at least to this reader, because they are not based on a parsing of constitutional text and Supreme Court decisions as they apply to particular parts of FISA. Instead, she offers a lively disquisition, fully a quarter of the book, on the origins of the Fourth Amendment and the history of general warrants in the run-up to the American Revolution.[36] As a former member of the guild of legal historians, I found this background relevant but, standing alone, unpersuasive. Nevertheless, I agree with her that access to stored 702 data should be regulated, though I am not sure we agree on how.

While I find common ground with several of Professor Donohue’s specific proposals for further FISA reform, I see two major weaknesses in the foundation of her attacks on FISA collection and thus with her broader argument. The first weakness — in my view, error — is constitutional and legal. It concerns the scope and purpose of the FISA statute, which were limited in their reach by the President’s independent constitutional authority to collect foreign intelligence. The second weakness is partly technological and partly a result of failing to acknowledge the altered intelligence challenge in the form of metastasized terrorism that confronts anyone, regardless of political inclination, who wishes to regulate the monitoring of communications. Before addressing these points, however, a brief history of bulk metadata and FISA collection since the attacks is in order.

Origins of Bulk Collection and the “702 Program”

Shortly after 9/11, the Bush Administration put in place a surveillance program called STELLAR WIND. That program authorized NSA to intercept communications between persons overseas with known terrorist affiliations and persons in the United States. It also authorized the collection of bulk metadata (that is, information about a communication but not its contents)[37] from U.S. telecommunications carriers in order to understand who the persons on the U.S. end of those calls were communicating with. Through link analysis, these metadata connections could be followed for three “hops,” thereby gathering call information about a huge number of domestic calls. The program was authorized by Presidential order, outside the FISA structure. (FISA at that time did not address metadata collection.) But metadata analysis was beginning to play a critical role in wiping out terrorist networks overseas,[38] and the Bush Administration believed it would similarly be critical in rolling up any of those networks that extended into the United States.

By late 2003, however, some government officials had become concerned about the legal authority to collect bulk metadata.[39] Consequently, in July 2004 the collection of bulk Internet metadata was quietly moved under section 214 of the Patriot Act (which amended section 402 of FISA). That statute permits pen registers and trap-and-trace devices, but authorizations for such devices had previously been used only for specific telephone numbers or Internet addresses. However, then-chief judge of the FISC District Judge Colleen Kollar-Kotelly was persuaded that the statute could be used to collect Internet metadata in bulk in real time.[40] Suffice it to say that this was a novel and controversial, if also arguably supportable, interpretation of section 214 that vastly expanded the scope of the government’s statutory power to collect bulk metadata. And it occurred in secret.

The portion of STELLAR WIND relating to the interception of the content of U.S.-foreign calls (but not bulk metadata collection) was exposed by the New York Times in December 2005. The disclosure increased the sense of urgency within the Justice Department’s Office of Legal Counsel that the telephony portion of metadata collection should also be given a firmer and explicit statutory basis.[41] In May 2006 the collection of bulk telephony metadata was moved under section 215 of the Patriot Act, which had amended section 501 of FISA. That statute authorized the government to obtain certain business records through legal process.[42] Technically, this meant that NSA stopped “collecting” telephony metadata in real time as part of its intelligence mission and was instead merely obtaining business records through legal process. Practically speaking, however, there was no difference because the business records went to the government more or less as they were generated. Thanks to the third-party doctrine discussed above, this program was entirely constitutional.

The following year, in August 2007, Congress passed the Protect America Act (“PAA”) to provide clear statutory authority to collect the content of communications between a person overseas and a person in the United States,[43] but that authority expired after only eighteen months. After a hiatus, Congress passed the FAA in July 2008. It remains in effect. Unlike the original FISA, the FAA required a FISA order before a U.S. Person could be targeted, even if that person was overseas, in circumstances where a Title III warrant would be required in a criminal case.[44] This was a significant expansion of FISA’s regulatory scope and, to that extent, an expansion of civil liberty.

But the FAA also created what is often called the “702 Program,” which is one of Professor Donohue’s chief targets. As amended by the FAA,[45] Section 702 permits “the targeting of [non-U.S.] persons reasonably believed to be located outside the United States to acquire foreign intelligence information.”[46] In this context, “foreign intelligence information” means the contents of communications and not merely metadata. A FISA order is not required for this collection. Rather, the Attorney General and the Director of National Intelligence select what information to “target” and direct electronic communications providers to turn over this information. If the government has “reasonable articulable suspicion” that a foreign person has a terrorist connection, that person may be targeted when they communicate with persons in the United States. If, for example, a known terrorist overseas is having conversations with a U.S. Person in Minneapolis, our agencies may collect that communication. However, an agency may not do so if the purpose of the collection is really to target the person in Minneapolis. That would be “reverse targeting.” Electronic communications service providers may challenge these directives before the FISC and appeal to the FISA Court of Review. By long-standing practice, the database of 702 information may be accessed at any time by intelligence officials without court approval and may be queried with any search term, including U.S. Person identifiers.

Professor Donohue objects vehemently to this program. It appears she would subject 702 collection to the criminal warrant process of Title III. In my view, she reaches this position based on a misunderstanding of FISA’s purpose and an unsupportable view of the constitutional requirements governing foreign intelligence collection.

FISA’s Purpose and Constitutional Requirements

Professor Donohue confuses FISA’s purpose with the general regulation of foreign intelligence. This may account for the book’s inapt title. She asserts: “FISA represented the culmination of a multibranch, multiyear, cross-party initiative directed at bringing the collection of foreign intelligence within a circumscribed legal framework” (my italics).[47] This is not true. Foreign intelligence collection is a broad category, occurring in many ways through a variety of human and technological means and gathered against targets who are overwhelmingly outside the United States. FISA brought under law one element of that enterprise, namely, the collection of (i) electronic foreign intelligence (ii) taken off a wire or from a radio signal (iii) in the United States. That slice of foreign intelligence, because it was collected domestically, could be (and sometimes had been) used to avoid the search-and-seizure strictures of the Fourth Amendment. In the wake of the Church Committee hearings in 1976, Congress enacted FISA to prohibit such evasions.

The Constitutional difficulty with Professor Donohue’s argument about this portion of foreign intelligence is inseparable from this issue of statutory purpose. Contrary to her assertions, foreign intelligence taken from domestic telecommunication networks involves powers granted to two branches of government.[48] Under Article I, Congress has the power to regulate interstate and foreign commerce, including telecommunications (at least when used in commerce).[49] But Congress has long deferred to the view that foreign intelligence collection is an executive function vested in the President under Article II of the Constitution,[50] even though there is no express provision for it in Article II.[51] Indeed, the President’s power to monitor communications entering and leaving the country has been recognized since Washington’s administration.[52] This is why Congress, in enacting FISA, recognized a reasonableness limitation on its power to control communications entering or leaving the country if they concerned foreign intelligence.[53] It certainly did not contest the principle that the President has the “exclusive function to command the instruments of national force, at least when turned against the outside world for the security of our society.”[54] The Bush Administration, by acting as if it had the power to conduct the STELLAR WIND program on a long-term, non-emergency basis outside the FISA framework, failed to recognize that it shared constitutional authority over activities involving the telecommunications of the American people. In a mirror image of that error, former Senator Russ Feingold was also wrong to assert, in a flight of rhetorical excess with which Professor Donohue is much enamored, that electronic foreign intelligence is an area of “absolutely clear, exclusive authority adopted by Congress ….”[55] This is wrong. Like Senator Feingold, Professor Donohue ignores FISA’s purpose and history, which probably accounts for her failure to explain why the standard for obtaining a FISA order, which she criticizes repeatedly, differs from the Title III warrant standard.[56]

Title III was passed in 1968 in response to the Supreme Court’s Katz decision one year earlier.[57] Congress reacted by crafting standards for issuing surveillance warrants sufficient to meet Fourth Amendment standards in criminal cases. Under Title III, a magistrate may issue a warrant authorizing the executive to acquire the contents of a wire, oral, or electronic communication if

(1)  “there is probable cause for belief that an individual is committing, has committed, or is about to commit” certain crimes; and

(2)  if “there is probable cause for belief that particular communications concerning that offense will be obtained through such interception”; and

(3)  if “normal investigative procedures have been tried and have failed or reasonably appear to be unlikely to succeed if tried or to be too dangerous”; and

(4)   if (in most cases) “there is probable cause for belief that the facilities from which, or the place where, the wire, oral, or electronic communications are to be intercepted are being used, or are about to be used, in connection with the commission of such offense, or are leased to, listed in the name of, or commonly used by such person.”[58]

Would the imposition of these requirements on foreign intelligence collection be unreasonable? Surely it would be, if only because it would irrationally assume that foreign intelligence may not be collected in the United States unless there were probable cause to believe a crime were involved. A great deal of foreign intelligence does not involve the commission of crimes cognizable in U.S. courts. The Supreme Court has recognized that these statutory requirements are not constitutionally necessary as applied to “domestic security surveillance [, which] may involve different policy and practical considerations from the surveillance of ‘ordinary crime.’”[59] The Court expressed further doubts about constitutional restrictions on collection “with respect to activities of foreign powers or their agents.”[60] In such a conflict, we would arguably be in Justice Jackson’s third category, in which the President could ignore a statute. But Justice Jackson was an eminently practical man, and he might point out that he was writing to decide a particular case, that his taxonomy is not holy writ, and that it did not attempt to resolve all the varieties of problems that might arise in cases of conflicting constitutional power. As he said, “any actual test of power is likely to depend on the imperatives of events and contemporary imponderables, rather than on abstract theories of law.”[61] He might therefore simply say that where two lawful but different powers both impinge on a single area of governmental activity, Congress must exercise its power in a manner that does not unreasonably impinge on the President’s authority – and in this case, on his duty to protect the nation. Either way, there are limits on what Congress can do.

In contrast to Title III, the FISA standard to which Professor Donohue objects was created to deal with an entirely different problem than the investigation of crime, namely, the potential misuse of the President’s power to collect foreign intelligence in the United States. The President has the power to collect foreign intelligence even in the United States without a search warrant.[62] A surveillance operation against a foreign embassy in Washington, for example, has never required a Title III warrant; nor does it now require a FISA order.[63] However, if that power is abused to collect against citizens on the pretext, for example, that the citizen was or might be a member of a foreign-controlled entity, the Fourth Amendment’s warrant requirement would be effectively evaded. The purpose of the FISA standard was to police such evasion, not to impose a criminal-law standard on foreign intelligence collection.[64] This is why, under FISA, an interception order may issue if the court finds there is probable cause to believe only that “(1) the target of the electronic surveillance is a foreign power or an agent of a foreign power …; (2) each of the facilities or places at which the electronic surveillance is directed is being used, or is about to be used, by a foreign power or an agent of a foreign power”; and certain procedures are followed to minimize inadvertent collection.[65] Professor Donohue gets this history and purpose all wrong. She writes, “The point of having lowered [FISA] standards [compared to Title III] was to facilitate the collection of information about significant threats to national security.”[66] No, it wasn’t. Congress was not facilitating executive power; it was regulating a portion of that power severely and for the first time.

Professor Donohue is on far stronger ground in her criticism of the lowered standard for the production of business records under FISA. The statute was amended in 2015 so that the government was required merely to certify, not to demonstrate, to the FISC that the records sought were merely relevant to an authorized investigation “to protect against international terrorism or clandestine intelligence activities.”[67] In such a case, the magistrate may not inquire further and must enter the order. Professor Donohue asserts that the statute as it now stands is unconstitutional on its face, but that would be true only if persons had a constitutionally recognized privacy interest in data given to third parties. At present they do not. I would agree, however, that the relaxed standard has produced a British-style regime of seizure orders independent of the judiciary, and I would strengthen the standard to require the FISC judge to determine that the government has a factual basis for its assertion.[68]

The statute also creates too much room for evasion of the Title III warrant standard and may thus be unconstitutional as applied, even under Smith. Suppose the FBI wanted to compel the production of the business records of an American citizen who was not an agent of a foreign power but may have been colluding with a foreign agent in a different criminal scheme. The government could get a production order without having to obtain a Title III warrant. It would simply have to assert that evidence in the second scheme would somehow be useful in investigating the first one. That would be a dangerous infringement of constitutional protection against arbitrary executive power, and I hope it could not be defended merely by reference to the President’s Article II powers.

Technology Effects

The advent of fiber-optic technology long before the passage of the FAA had the unintended effect of expanding FISA’s reach in irrational ways that are not widely understood. When FISA was enacted in 1978, telecommunications meant telephone and telegraph; there was no commercial Internet. Most long distance telecommunications employed a satellite link at some point in the transmission. That is, the electronic impulses representing a caller’s voice on a call between, say, New York and Hamburg, or between Hamburg and Tokyo, were sent via radio frequency up to a satellite and then down from a satellite before finishing their journey by copper wire. If NSA wanted to target that communication, it could and usually did collect it through the air, probably from an overseas location, so it was not regulated by FISA. Even if it was collected from a location inside the country, FISA did not regulate the collection as long as no U.S. Person was the target.[69] With the advent of commercial fiber-optic cable on international lines beginning in 1988,[70] international call quality and reliability improved dramatically. But it also meant that the call between Hamburg and Tokyo was probably transmitted through a wire in the United States and thus became subject to FISA if collected in the United States, which was the easier and less risky way to do it. And given the U.S.-centric quality of the worldwide fiber-optic cable networks,[71] many other foreign-to-foreign communications also became subject to FISA. An unintended and perverse result was that a large volume of communications having nothing to do with FISA’s purpose was brought under the act. This was a major nuisance, and it meant that in a significant class of cases, FISA was not protecting the privacy of U.S. Persons. It was merely regulating the place of collection. The PAA and then the FAA fixed that anomaly.

A typical fiber-optic trunk cable carries a petabit of data per second.[72] The government does not “tap” these cables using alligator clips in the basement wire closet of an apartment building like in a 1940s movie. Interception occurs at a carrier’s switching station. If done by the police or FBI under a Title III warrant, the targeting must be precise because the government is forbidden from collecting anything outside the terms of the warrant. In the case of foreign intelligence, however, the situation is largely reversed. The President has the power to collect any communication likely to have foreign intelligence value but must take care not to collect U.S. Person communications except as authorized by FISA. This reversal is based on constitutional requirements, but it offends Professor Donohue. She asserts that FISA orders should be limited to “seizing or monitoring the content carried by a single telephone line, or to and from a particular computer address.”[73] The Constitution does not require the President to take such a dainty approach to foreign intelligence collection, and Congress appears to believe, correctly in my view, that it has no power to impose such a requirement.

Access to Stored U.S. Person Data

So much for electronic collection under section 702, but what about analysis of 702 data and the access to data that intelligence analysis and law enforcement both require? As Professor Donohue correctly notes, the database of collection under this section has become enormous. It contains the records of a publicly unknown but undoubtedly very large number of communications involving U.S. Persons located in the United States communicating with intelligence targets overseas. Our intelligence agencies and the FBI may search that database using U.S. Person selectors without restraint whenever they feel like it, even years after the collection occurred, even if they have lost interest in the overseas target. The government may not intentionally target that kind of communication for collection if the U.S. Person is the true target. But once the communication has been lawfully collected, the agency may “target” the U.S. Person when it searches the database by using that person’s name, phone number, email address, or other specific selector as a search term. This use of the term “target” to refer to database searches as opposed to collection is still unusual to intelligence agencies but is unlikely to remain so.

I share Professor Donohue’s objection to this legal state of affairs under section 702, and the objection will be more powerful if placed in a broader context. We have entered an era when the terms on which the government may search lawfully gathered information are becoming as important as the terms on which the information may be lawfully collected. We are used to regulating collection but not access to information. That is likely to change. The government’s access to vast quantities of information about U.S. Persons is growing dramatically. U.S. intelligence agencies already hold massive databases of information about Americans. They also have access to readily available commercial databases through a few keystrokes or through the purchase of proprietary databases. The data ocean is expanding as if propelled by a Digital Big Bang, and dealing with it requires automated analytic capabilities at previously unimaginable scale. Most of this data ocean is held by private companies, whose ability to gather it and skill in analyzing it exceed the government’s. The vast expansion of the private data market means that the government itself will gather relatively less data and purchase relatively more of it in open markets. Historically our laws and regulations have controlled who may collect intelligence, whose communications may be collected, how they may be collected, and what may be collected.[74] And once information about U.S. Persons has been lawfully collected, we also regulate how and to whom it may be disseminated, but we have not regulated the conditions or frequency under which the collecting agency may access or analyze it. The protections afforded to U.S. Persons through collection rules seemed sufficient to protect our liberty. Section 702 is merely an example of this historical way of doing business. We are probably at the threshold of a new era. In the future, we are likely to be at least as concerned with the state’s ability to access information already collected, or available in the marketplace, as we have been with the conditions under which the state may collect it using its own resources.

Greater attention to data access as opposed to data collection will also be impelled by a change in intelligence agencies’ mission. Their task is no longer simply to acquire the communications of known foreign agents or to hunt moles in their own organizations, as was the case throughout the Cold War. Knowing who the foreign targets were was relatively easy. Stealing their communications was hard.[75] That mission is now accompanied by a new one that has deep legal and public support, namely, to discover terrorist networks before they can wreak havoc. In the foreseeable future, this challenge will probably condition the intersection between intelligence gathering and citizens’ rights more than any other factor, yet it strangely finds no place in this book. In pursuit of terrorists, stealing the secrets is usually the less difficult task. The harder and more important part is knowing who they are, and that involves access under controlled conditions to communications data in bulk – both metadata and lawfully collected intercepts – and sifting them for information with intelligence value. Congress has properly begun to regulate that access, but the access must be available to carry out the mission, and a regulation that unreasonably impeded it would present a constitutional issue. To a significant degree, therefore, the challenge in intelligence collection has been turned on its head. Whether we like it or not, from now on more and more information will be in government hands or easily available to government. Increasingly the questions will be: When can government look at it? And how can we police abuses?


The subject of potential abuse brings us to the question of oversight, but this is a subject on which Professor Donohue, after raising it, has little to say. She treats us to a tantalizing observation by Stanford’s Professor Scott Sagan, whose work on nuclear weapons policy led him to conclude, in her words, that “the more protection one builds into a system, somewhat counterintuitively, the less secure it may become.” This is a brilliant insight of remarkably limited value here, since hardly anyone (including Professor Sagan[76]) would argue the converse: That the less protection one builds into the system of intelligence oversight, the more secure it is likely to become. Indeed Professor Donohue wants “more robust oversight.”[77] But she is vague on what that means. Her only concrete suggestion is to say it would be a good idea to have more people like her — amici curiae appointed by FISC — but this is what the USA Freedom Act actually did in 2015.

What Professor Sagan describes is a version of the shared responsibility trap, in which an actor with partial or redundant responsibility becomes lazy and inattentive in the belief that others have their eyes on the ball (“social shirking,” he calls it).[78] As the former inspector general of the National Security Agency during the STELLAR WIND period, that’s not how I saw intelligence oversight. My office had its hands full and was deeply involved not only in uncovering abuse after the fact (not usually involving intelligence collection, I might add) but also in preventing it. Different oversight mechanisms in different organizations are designed to accomplish different objectives – they are not redundant – and their critics usually pay insufficient attention to what the different parts are meant to do. It is unreasonable, say, to expect the House and Senate select committees on intelligence to monitor collection activities. Their responsibilities are strategic and general, not tactical and granular. In contrast, it would be reasonable for these budget authorizing committees to require that new collection capabilities be auditable to a standard agreeable to agency inspectors general, who are (or should be) able to monitor collection. But no oversight system will be perfect, and expecting perfection (usually with a handwringing reference to the unanswerable question, Who will watch the watchers?) leads only to the continual imposition of additional oversight mechanisms on top of one another, a tendency that expands the pool of unproductive employment opportunities at the expense of efficiency.

Expecting perfection also leads to what I call the Oversight Paradox: The closer one is to the activity being overseen, the more one will know about how it works, but the less one will be trusted; and the farther one is from the activity, the less one will know but the more one will be trusted. Since the Snowden disclosures, this paradox has been compounded by a different misunderstanding. Agency oversight officials are charged with preventing waste, fraud, and abuse, which includes illegality. But the bulk metadata collection program ordered by the President, personally approved by the attorney general under guidelines approved by the Justice Department, disclosed to the leaders of both houses of Congress and the chairmen and ranking members of both intelligence committees, and sanctioned in particular cases by more than a dozen federal judges was not unlawful. The problem was that the law was arguably secret — not to the Congress but to the public. No oversight system is built to deal with the failure of political judgment that led to that circumstance.[79]


Professor Donohue and I agree on a number of specific proposals and disagree profoundly on FISA’s rationale and constitutional limitations. The areas of agreement are important. First, the government should not be able to search the 702 database of lawfully collected U.S. Person information using U.S. Person selectors without a FISA order. Under the USA Freedom Act of 2015, we already impose a similar requirement before the government can access metadata records that are now held by the carriers rather than the intelligence agencies.[80]

Second, retention limitations should be considered for U.S. Person data held under section 702, though that kind of limitation may be difficult to apply in cases where the identity and citizenship or immigration status of the person or persons involved is doubtful.

Third, we should consider relieving FISA judges of some of their other workload as Article III federal district judges during their tenure on the FISC.[81]

Fourth, the standard for the production of tangible things under FISA should be strengthened. Congress should make it the same as the standard for obtaining a surveillance order under the act. Both orders involve the same infringement on personal liberty, and there is no reason in principle to believe that one kind of infringement (acquisition of records of past communications) is less serious than the other (acquisition of current communications).

But then Professor Donohue and I part company because, if her basic diagnosis is constitutionally unsound, her favorite remedy could kill the patient. In her judgment, the fundamental problem with the FAA is that it muddled a supposedly clear distinction between foreign intelligence and criminal law. Consequently, she proposes that we build this dichotomy back into law and government operations. This is an appalling proposition, because if we have learned anything since 9/11, it is that the distinction was illusory. The barrier between criminality and foreign intelligence gathering was not done in by a nefarious ideological attack; it collapsed under the weight of the Twin Towers and our inability to track terrorists effectively.[82] Foreign intelligence investigations often, even usually, involve criminal acts,[83] and they often touch our own citizens and territory. Wishful thinking embellished with a different verbal formula will not make these facts go away. Professor Donohue’s refusal to acknowledge them then leads her to propose the re-erection of “The Wall”[84] — that is, the hermetical separation of criminal and intelligence investigators that had created a state of self-imposed blind man’s bluff between law enforcement and intelligence officials before 9/11, and the abolition of which was essential to our ability to maintain our security. Re-erecting that Wall would mean abolishing or neutering the Justice Department’s recently created National Security Division and re-imposing the voluntary ignorance and dysfunctionality by which the government’s left hand had no idea what its right was doing. Fortunately, the extreme undesirability of this proposal is matched by the extreme unlikelihood of its being adopted. Neither the country nor the courts are likely ever again to endorse self-imposed ignorance as a national policy.



[1] 50 U.S.C. § 1801 (i).

[2] Donohue, Future of Foreign Intelligence at 3.

[3] See David Kahn, The Code Breakers: The Story of Secret Writing (New York, 1967).

[4] See Government of Canada, “History of Passports,” at For a colorful evocation of the period, see Preface, Evelyn Waugh, When the Going Was Good (London, 1946).

[5] Joel Brenner, America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare (New York, 2011), c. 8, “Spies in a Glass House.” The near-monopoly of nation-states over the means of intelligence gathering was actually an anomaly. We are returning to the historical norm. Id. at 190-199.

[6] E.g., George R. Lucas, Jr., “Automated Warfare,” Stanford Law & Policy Rev. 25:327 (2014), at, accessed June 14, 2016.

[7] See, e.g., Jane Harman, “Disrupting the Intelligence Community: America’s Spy Agencies Need an Upgrade,” Foreign Affairs, March–April 2015, at, accessed June 14, 2016.

[8] See Dana Priest, “NSA Growth Fueled by Need to Target Terrorists,” Washington Post, July 21, 2013, at, accessed September 7, 2016; Michael V. Hayden, Playing to the Edge: American Intelligence in the Age of Terror (New York, 2016), at [c.17] (“Years after I left government, I reviewed my Thursday morning briefing scripts for the President and was struck by how much they focused on terrorism and within terrorism how much they were about South Asia—Pakistan and Afghanistan”); Harman, “Disrupting the Intelligence Community” (“What role does that leave for the NSA? Its top priorities should be code-making, code-breaking, and cyberwarfare. Washington will still need the capacity to penetrate secure state networks and prevent its enemies, state and nonstate, from doing the same. Although the NSA has demonstrated abilities in this sphere, it needs to focus on keeping pace with talented Chinese, North Korean, Russian, and nonstate hackers.”). Drawing causal connections between NSA’s current priorities and missed opportunities is of course difficult. But in just the last few years, many have criticized America’s spies for failing to predict national shifts abroad. See, e.g., Stephen Blank, “Turkey: Another US Intelligence Failure,” Atlantic Council (July 20, 2016), at, accessed Sept. 1, 2016; James S. Robbins, “American intelligence failure in Syria,” USA Today (Oct. 14, 2015), at, accessed Sept. 1, 2016; John Crawley, “U.S. intelligence under fire over Ukraine,” CNN (Mar. 5, 2014), at, accessed Sept. 1, 2016.

[9] See also Michael Morell, “The importance of intelligence,” The Strategist, Australian Strategic Policy Institute (Aug. 31, 2016), at, accessed Sept. 1, 2016; Michael V. Hayden, Playing to the Edge: American Intelligence in the Age of Terror (New York, 2016), at 422 (“Long before Snowden, I was asking CIA’s civilian advisory board ‘Will America be able to conduct espionage in the future inside a broader political culture that every day demands more transparency and more public accountability from every aspect of national life?’ The board studied it for a while and then reported back that they had their doubts.”).

[10] Pub. L. 110-261 (July 10, 2008).

[11] 84 Stat. 1114, 12 U.S.C. § 1829b(d).

[12] United States v. Miller, 425 U.S. 435 (1976).

[13] Smith v. Maryland, 442 U.S. 735 (1979).

[14] Id. at 744.

[15] It would have been more accurate to say that his data had been automatically captured by a common carrier which at that time was still a monopolist of an essential means of communication.

[16] Id.

[17] 349 U.S. 347 (1967).

[18] See, e.g., Klayman v. Obama, 957 F. Supp. 2d 1 (D.D.C., 2013), vacated and remanded, 800 F.3d 559 (D.C. Cir. 2015), injunction granted, 142 F. Supp. 3d 172 (D.D.C., 2013), stayed, No. 15-5307, 2015 WL 9010330, at *1 (D.C. Cir. Nov. 16, 2015), rh’g denied, 805 F.3d 1148 (Mem.) (en banc) (per curiam).

[19] Americans are fast giving up landlines. See Stephen J. Blumberg and Julian V. Luke, National Health Interview Survey Early Release Program, Centers for Disease Control, December 2014, at (“Preliminary results from the January–June 2014 National Health Interview Survey (NHIS) indicate that the number of American homes with only wireless telephones continues to grow. More than two in every five American homes (44.0%) had only wireless telephones … during the first half of 2014—an increase of 3.0 percentage points since the second half of 2013. More than one-half of all adults aged 18-44 and of children under 18 were living in wireless-only households.”).

[20] Cisco forecasts that cloud usage will grow three-fold from 2014-2019, and that by 2019, “more than four-fifths (86 percent) of workloads will be processed by cloud data centers; 14 percent will be processed by traditional data centers.” Cisco, “Cisco Global Cloud Index: Forecast and Methodology, 2014–2019,” at, accessed June 14, 2016. Individuals and businesses are moving to third-party cloud services, particularly in the United States. See, e.g., Statista, “United States: Brand preferences for cloud data storage in Q1 2016, by income,” at, [n.d.], accessed June 14, 2016. This trend is bound to grow worldwide. In 2015, 3.37 billion people, or 46.4 percent of the world’s population, had Internet access. In North America the penetration percentage was 87.9 percent. Even in the least connected places, access is growing at a dramatic rate. Internet World Stats, at, accessed June 14, 2016. Facebook alone claimed 1.65 billion monthly active users as of March 31, 2016.

[21] As the doctor-patient example illustrates, we know how to create such a zone even when it has no Constitutional underpinning. See also Samuel D. Warren and Louis D. Brandeis, “The Right to Privacy,” Harvard L. Rev., vol. 5, no. 4 (December 15, 1890), accessed June 17, 2016, building on breach of trust cases in developing a proposed right to privacy at common law. Breach of trust may be ready for a come-back in the privacy wars.

[22] 425 U.S. at 449.

[23] Id. at 448-49 (Brennan, J., dissenting).

[24] See Smith, 442 U.S. at 749 (Marshall, J., dissenting) (“Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes.”).

[25] Nor is it sufficient to say that the bank was obliged to keep the records by the Bank Secrecy Act, because a requirement to preserve records to make them amenable to legal process does not prescribe the process by which the government may obtain them. If these records are entitled to Fourth Amendment protection, the legislature had no more right to violate that right than did the executive. The assumption-of-risk rationale is even flimsier, as one could as well say that a party assumes the risk that anyone owing a duty of confidence, including a lawyer or physician or spouse, would breach it.

[26] 132 S. Ct. 945 (2012).

[27] “[T]he Katz reasonable-expectation-of-privacy test has been added to, not substituted for, the common-law trespassory test.” Id. at 952.

[28] Id. at 954.

[29] Id. at 956, 957 (Sotomayor, J., concurring).

[30] Id. at 961 (Alito, J., concurring in the judgment). Justice Alito also suggested that the Congress rather than the courts should take the lead in this area.

[31] Two years later, a unanimous Court held that digital technology required changes to traditional Fourth Amendment doctrine in Riley v. California, 134 S. Ct. 2473, 2490 (2014) (“Finally, there is an element of pervasiveness that characterizes cell phones but not physical records. Prior to the digital age, people did not typically carry a cache of sensitive personal information with them as they went about their day. Now it is the person who is not carrying a cell phone, with all that it contains, who is the exception. … Today, by contrast, it is no exaggeration to say that many of the more than 90% of American adults who own a cell phone keep on their person a digital record of nearly every aspect of their lives — from the mundane to the intimate.”).

[32] Abandoning the third-party doctrine per se could also have implications for the law governing the use of informants by the government. See United States v. White, 401 U.S. 745 (1971).

[33] 132 S. Ct. at 950 (majority opinion).

[34] Professor Donohue uses the term “warrant” to refer both Title III and to FISA orders. Under FISA, surveillance orders are formally known simply as orders rather than warrants, apparently because the drafters of that statute wished to make clear that the President’s Article II power to collect foreign intelligence was not subject to the Fourth Amendment. I follow the statutory usage. The distinction can be significant. See Microsoft Corp. v. United States (In re Warrant to Search a Certain E-Mail Account) (Docket No. 14-2985, 2nd Cir., July 14, 2016).

[35] See, e.g., United States v. Graham, No. 12-4659, 2016 WL 3068018, at *1 (4th Cir. May 31, 2016) (en banc); United States v. Carpenter, 819 F.3d 880, 887 (6th Cir. 2016); In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125, 136 (3d Cir. 2015); United States v. Guerrero, 768 F.3d 351, 358 (5th Cir. 2014), cert. denied, 135 S. Ct. 1548, 191 L. Ed. 2d 643 (2015).

[36] Characterizing arguably overbroad orders as general warrants strikes me as wildly exaggerated, and it would no doubt surprise the judges of the FISC, who spend considerable effort crafting restraints they appear to find meaningful. She concedes, “There are some differences between the general warrants about which the Framers were concerned and those that mark the realm of foreign intelligence today.” Donohue, Future of Foreign Intelligence at 94. Among other things, FISA orders are limited in scope and must have a foreign intelligence nexus.

[37] Telecommunications metadata includes such information as the number or IP address of the other party to the communication, the path taken by the communication, and its duration.

[38] Hayden, Playing to the Edge at 76. For a description of how this played out in Iraq, see, e.g., Shane Harris, How the NSA Became a Killing Machine, The Daily Beast (Nov. 9, 2014), accessed Sept. 1, 2016. For a discussion of the benefits of NSA programs generally, see John McLaughlin, NSA intelligence-gathering programs keep us safe, The Washington Post (Jan. 2, 2014), accessed Sept. 1, 2016; Philip Mudd, Mapping Terror Networks: Why Metadata Matters, The Wall Street Journal (Dec. 29, 2013), accessed Sept. 1, 2016.

[39] For a hint of this unease, see Barton Gellman, Angler: The Cheney Vice Presidency (New York, 2008), at 151, and Jack Goldsmith, The Terror Presidency: Law and Judgment Inside the Bush Administration (New York: 2007) at 181–82.

[40] The opinion, with the data and caption and other material redacted, is available through the Office of the Director of National Intelligence, accessed June 14, 2016.

[41] Professor Donohue would deny that the program had any statutory basis. She dismisses without discussion the Bush administration’s reliance on the Authorization for Use of Military Force (“AUMF”) — as if it were frivolous to argue that intelligence collection against persons in communication with the enemy is a normal incident of war-making authority. The AUMF is found at Pub. L. No. 107-40, § 2(a), 115 Stat. 224, 224 (Sept. 18, 2001) (reported as a note to 50 U.S.C.A. § 1541). For the administration’s arguments about its effect, see U.S. Department of Justice, “Legal Authorities Supporting the Activities of the National Security Agency Described by the President,” January 19, 2006, accessed June 14, 2016. For another view of the limits of the President’s Article II power, see David J. Barron and Martin S. Lederman, “The Commander in Chief at the Lowest Ebb – A Constitutional History,” 121 Harv. L. Rev. 941 (2008).

[42] Internet service providers, unlike phone companies, do not keep business records of communication data. Hence this change was limited to the telephony portion of the metadata program.

[43] Pub. L. 110-55, § 105B, 121 Stat. 552 (2007). The PAA also dropped the requirement of a FISA order for foreign-to-foreign communications that happened to “transit” the United States. Id. § 105A. Under the old rule, NSA could freely collect that same communication if it captured it, say, from a satellite signal or a cable overseas, but it needed a FISA order if it captured the communication off a wire in the United States. Compare 50 U.S.C. § 1801(f)(2) (2006), with § 1801(f)(3) (2006). That requirement protected no one’s privacy. It merely regulated the place of interception.

[44] See Pub. L. 110-261, § 703(a)(1), 122 Stat. 2436 (2008).

[45] 50 U.S.C. § 1881a, Pub. L. 95-511, title VII, § 702, as added Pub. L. 110-261, title I, § 101(a)(2), July 10, 2008, 122 Stat. 2438; amended Pub. L. 114-23, title III, § 301, June 2, 2015, 129 Stat. 278.

[46] Section 702(a), 50 U.S.C. § 1881a(a).

[47] Donohue, The Future of Foreign Intelligence at 10.

[48] Professor Donohue asserts without citation, “Congress and the courts … had previously considered and declined to recognize claims to Article II authority to conduct foreign intelligence gathering inside the United States absent a warrant.” If this is a reference to United States v. United States District Court, 407 U.S. 297 (1972) (“Keith”), it is wrong (“[This case involves only the domestic aspects of national security. We have not addressed, and express no opinion as to, the issues which may be involved with respect to activities of foreign powers or their agents”). Id. at 322–23.

[49] Letter from Constitutional Law Scholars and Former Government Officials to Members of Congress (July 14, 2006) at 7, accessed Sept. 1, 2016.

[50] Arguments in favor of this position are set forth at length in DOJ, “Legal Authorities Supporting the Activities of NSA.” The Senate Intelligence Committee also acknowledged that the law was not intended to cover “electronic surveillance abroad.” S. Rep. No. 95-701, at 7 (1978). While “protect[ing] the rights of Americans abroad from improper electronic surveillance” might raise constitutional issues, it never even occurred to the Committee that the same could be said with the surveillance of non–U.S. Persons. Id. at 7 n.2.

[51] See Jack Goldsmith, “Zivotofsky II as Precedent in the Executive Branch,” 129 Harv. L. Rev. 112, 114 (2015) (“Until Zivotofsky II, [executive branch] lawyers had to rely on shards of judicial dicta, in addition to executive branch precedents and practices, in assessing the validity of foreign relations statutes thought to intrude on executive power”); see also James E. Baker, In the Common Defense: National Security Law for Perilous Times (New York, 2007), at 72 (“The president’s intelligence authority is derived from his enumerated authorities as commander in chief and chief executive, as well as his collective authority over foreign affairs, and to take care that the laws be faithfully executed. As intelligence is an integral function of military command and the conduct of foreign affairs, as a general matter the president has broad derived authority over the intelligence function. Congress has recognized as much in statute.”).

[52] Christopher Andrew, For the President’s Eyes Only: Secret Intelligence and the American Presidency from Washington to Bush (New York, 1995), c. 1; see also Louis Henkin, Foreign Affairs and the United States Constitution (Oxford, 1996) (2d edition), 111 (“From our national beginnings, Congress has recognized the President’s exclusive responsibility for gathering intelligence, as an extension of his role as ‘sole organ’ and his traditional function as ‘the eyes and ears’ of the United States.”); Baker, In the Common Defense, at 71 (“Presidents have engaged in the practice of domestic and foreign intelligence collection since the advent of the United States. . . . [I]n the landline age, presidents routinely authorized electronic surveillance (wiretapping) to collect foreign intelligence.”).

[53] See S. Rep. No. 95-604, at 16 (1978) (“The basis for this legislation is the understanding—concurred in by the Attorney General—that even if the President has an ‘inherent’ constitutional power to authorize warrantless surveillance for foreign intelligence purposes, Congress has the power to regulate the exercise of this authority by legislating a reasonable warrant procedure governing foreign intelligence surveillance.”) (emphasis added). See S. Rep. No. 95-604, at 7 (1978) (“The Federal Government has never enacted legislation to regulate the use of electronic surveillance within the United States.”).

[54] Youngstown, 343 U.S. at 645 (Jackson, J., concurring) (my italics). Cf. Zivotofsky ex rel. Zivotofsky v. Kerry, 135 S. Ct. 2076, 2094 (“Throughout the legislative process, however, no one raised a serious question regarding the President’s exclusive authority to recognize the PRC—or to decline to grant formal recognition to Taiwan. Rather, Congress accepted the President’s recognition determination as a completed, lawful act; and it proceeded to outline the trade and policy provisions that, in its judgment, were appropriate in light of that decision. This history confirms the Court’s conclusion in the instant case that the power to recognize or decline to recognize a foreign state and its territorial bounds resides in the President alone.”) (citations omitted).

[55] Donohue, Future of Foreign Intelligence at 36, citing 154 Cong. Rec. S6382 (daily ed. July 8, 2008) (statement of Sen. Feingold). The reference is to Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579, 635-38 (1952) (Jackson, J., concurring). Justice Jackson proposed three categories of presidential acts corresponding to three levels of authority. Category One involved acts taken “pursuant to an express or implied authorization of Congress.” Category Two involved acts taken in the “absence of a congressional grant or denial of authority.” Category Three involved acts taken in defiance of the express or implied will of Congress.

[56] Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. § 2518 (my italics).

[57] Katz v. United States, 389 U.S. 347 (1967).

[58] 18 U.S.C. § 2518(3).

[59] United States v. United States District Court, 407 U.S. 297, 322 (1972) (“Keith”).

[60] Id.

[61] Youngstown, 343 U.S. at 637.

[62] See Katz, 389 U.S. at 363 (1967) (White, J., concurring) (“Wiretapping to protect the security of the Nation has been authorized by successive Presidents”); United States v. U.S. Dist. Ct., 444 F.2d 651, 669–71 (6th Cir. 1971) (reproducing as an appendix memoranda from Presidents Roosevelt, Truman, and Johnson); In re Sealed Case, 310 F.3d 717, 742 (FISA Ct. Rev. 2002) (“[A]ll the other courts to have decided the issue [have] held that the President did have inherent authority to conduct warrantless searches to obtain foreign intelligence information . . . . We take for granted that the President does have that authority and, assuming that is so, FISA could not encroach on the President’s constitutional power.”).

[63] 50 U.S.C. § 1822(a).

[64] Compare S. Rep. No. 95-604, at 7 (1978) (“This legislation is in large measure a response to the revelations that warrantless electronic surveillance in the name of national security has been seriously abused.”), with id. at 18 (“[T]he Supreme Court noted the reasons for domestic surveillance may differ from those justifying surveillance for domestic crimes and that, accordingly, ‘different standards may be compatible with the Fourth Amendment if they are reasonable in relation to the legitimate needs of the Government for intelligence information and the protected rights of our citizens. For the warrant application may vary according to the governmental interest to be enforced and the nature of citizens rights deserving protection.’”) (quoting Keith, 407 U.S. at 322).

[65] 50 U.S.C. § 1805.

[66] Donohue, Future of Foreign Intelligence at 28.

[67] 50 U.S.C. § 1861.

[68] Professor Donohue also notes that the number of FISA orders now exceeds the number of Title III warrants per year. She asserts there is now a direct relationship between the decline in Title III warrants and the increase in FISA orders. Donohue, Future of Foreign Intelligence at 30. Her data suggest she may be correct, but a deeper inquiry (and better data) would be required to prove the point. One would think that the changed nature of the threat to the nation had something to do with it.

[69] As originally passed in 1978, FISA defined “electronic surveillance” as “the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire or radio communication sent by or intended to be received by a particular, known United States person who is in the United States, if the contents are acquired by intentionally targeting that United States person, under circumstances in which a person has a reasonable expectation of privacy and a warrant would be required for law enforcement purposes.” Pub. L. 95-511 (Oct. 25, 1978), 92 Stat. 1785.

[70] Wikipedia, “Fiber-Optic Communication,” accessed June 17, 2016.

[71] See Telegeography, “Submarine Cable Map,” 2016, accessed June 18, 2016.

[72] Wikipedia, id. One petabit = 10¹⁵ bits, or about 9.38 trillion pages of plaintext.

[73] Donohue, Future of Foreign Intelligence at 32 (my italics).

[74] See, e.g., Exec. Ord. 12333 and 50 U.S.C. Subch. III.

[75] See also Hayden, Playing to the Edge at 32 (“Intelligence [during the Cold War] was hard work, but it was difficult for our adversary to hide tank armies of Group Soviet Forces East Germany or the vast Soviet ICBM fields in Siberia. That enemy was pretty easy to find. Just hard to kill. This was different. This enemy was relatively easy to kill. He was just very, very hard to find.”).

[76] Scott Sagan, The Problem of Redundancy Problem: Why More Nuclear Security Forces May Produce Less Nuclear Security, Risk Analysis 24(4):935-46 (Sept. 2004) (“The implication of the argument, however, is not that redundancy never works in efforts to improve reliability and security. Moreover, the central policy lesson is not that the U.S. government should reject all proposals to place more security forces at nuclear facilities, given the heightened terrorist threat after the September 11, 2001 attacks. Instead, the lesson is that we need to be smarter in the way we think about redundancy.”).

[77] Donohue, Future of Foreign Intelligence at 136-38.

[78] Sagan, supra at 939. Sagan discussed three factors that vitiate the value of redundancy: common-mode errors, insider threats, and social shirking.

[79] See Joel Brenner, “Forty Years After Church-Pike: What’s Different Now?” Henry F. Schorreck Lecture at NSA, May 15, 2015, accessed June 14, 2016.

[80] Pub. L. 114-23, 129 Stat. 268 (June 2, 2015), section 101(b)(2), amending FISA section 501, 50 U.S.C. § 1861(b)(2). Section 103 prohibited the government from collecting tangible things (including bulk communications records) in bulk.

[81] Professor Donohue criticizes the political composition of the FISC as heavily Republican and therefore, in her view, anti-civil liberties. Apart from the dubious connection with political affiliation and libertarian views, she assumes that the number of Democrats on the court reflects the number of Democrats who have been offered the job. One Democratically appointed district judge of my acquaintance turned down the job — too much extra work, he said.

[82] The 9/11 Commission Report (New York: W.W. Norton, 2004), at 270–71.

[83] In re Sealed Case, 310 F.3d 717, 744 (FISA Ct. Rev. 2002) (“[T]he criminal process is often used as part of an integrated effort to counter the malign efforts of a foreign power.”).

[84] Donohue, Future of Foreign Intelligence at 27, 150.

Emerging Standard of Care in Data Security: The FTC’s LabMD decision

Company data security practices will now be measured against a legally enforceable standard of care. The National Institute of Standards and Technology (NIST) began creating the groundwork for this standard in 2002,[1] the Third Circuit announced its arrival last year in Wyndham Hotels,[2] and the Federal Trade Commission (FTC or Commission) told you last month in its LabMD decision exactly what your company can and cannot do if it wants to avoid lengthy and expensive regulatory proceedings and related litigation.[3]

LabMD was a clinical laboratory testing service, the kind your physician probably uses. It held the records of 750,000 patients – under shoddy conditions. LabMD is now out of business.

The FTC’s Checklist

The Commission’s findings provide a checklist for company counsel and IT managers. LabMD:

  1. Had no intrusion detection system or file integrity monitoring.
  2. Failed to monitor traffic coming through its firewalls.
  3. Failed to monitor its network for unauthorized exfiltration.
  4. Failed to provide meaningful data security training to its employees.
  5. Collected sensitive consumer data it did not need.
  6. Failed to delete consumer data for which it had no further use.
  7. Failed to control the hardware and software its employees could run on its system.
  8. Failed to require strong passwords.

Under the “deceptive” standard of Section 5, FTC proceedings have become routine (and FTC orders often oppressive) against companies that fail to adhere to their own privacy statements. Under Wyndham and LabMD, we can expect a similar development under the “unfairness” standard of Section 5 – routine proceedings that raise the cybersecurity bar in the private sector, but often involving oppressive compliance orders of unreasonable duration that can cripple small firms. The FTC’s checklist is also likely to become a general negligence standard in the courts. So be warned.

The Commission was particularly scathing about LabMD’s failure to control employees’ use of peer-to-peer or P2P software such as music sharing services. These services, unless configured perfectly, permit millions of strangers to access a wide variety of material other than the music the employee intends to share. This vulnerability has been widely known for years, yet many companies do not forbid P2P software on their networks. In LabMD’s case, the failure resulted in the exposure of the medical and other sensitive records of thousands of patients. And when management was told about the vulnerability, it did essentially nothing about it.
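As an added example (not code from the FTC decision or from LabMD), here is a minimal file-integrity monitor of the kind item 1 of the checklist contemplates: it baselines a directory tree with SHA-256 hashes, diffs a later snapshot, and raises a separate alert when a record turns up inside a folder that a P2P client would publish, the exposure described in the paragraph above. The directory names and sample files are constructed here so the script runs offline.

```python
"""Minimal file-integrity monitor (FIM) with a P2P-share policy check.

Added illustration for the LabMD checklist; the directory layout, the
"shared/" prefix standing in for a P2P client's published folder, and the
sample files are all constructed for this example.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 64 * 1024


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify changes between two snapshots as added, removed or modified."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def shared_folder_alerts(changes: Dict[str, List[str]],
                         shared_prefixes=("shared/",)) -> List[str]:
    """Files that appeared or changed inside a folder a P2P client publishes.

    Any new or rewritten file there is reachable by strangers on the network,
    so it is reported separately from ordinary integrity changes.
    """
    return [f for f in changes["added"] + changes["modified"]
            if f.startswith(shared_prefixes)]


def demo() -> Dict[str, object]:
    """Build a constructed tree, take a baseline, mutate it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "billing").mkdir()
        (root / "shared").mkdir()          # stand-in for a P2P client's share
        (root / "billing" / "patient_records.csv").write_text("patient,amount\n")
        (root / "shared" / "song.mp3").write_bytes(b"ID3")
        baseline = snapshot(root)

        # Simulated later state: a billing record is copied into the share,
        # the original record is edited, and the music file is removed.
        (root / "shared" / "patient_records.csv").write_text("patient,amount\n")
        (root / "billing" / "patient_records.csv").write_text("patient,amount\nA,1\n")
        (root / "shared" / "song.mp3").unlink()
        current = snapshot(root)

        changes = diff_snapshots(baseline, current)
        return {"changes": changes, "alerts": shared_folder_alerts(changes)}


if __name__ == "__main__":
    report = demo()
    for kind, files in report["changes"].items():
        print(f"{kind}: {files}")
    print("P2P-share alerts:", report["alerts"])
```

In production the baseline would be persisted and signed, and the alert list routed to whoever owns the response; the point here is that detecting a record landing in a published folder is a cheap check.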

It would be a mistake to assume the FTC’s decision in LabMD was limited to companies subject to the Health Insurance Portability and Accountability Act (HIPAA), which imposes special standards on parties holding patient data. HIPAA is barely mentioned in the opinion, and Wyndham Hotels, which laid the groundwork for this decision, did not involve health care.

You can assume, however, that your risk of facing an FTC proceeding is vastly greater if you hold sensitive personal information than if you do not. If the only sensitive information in your system is the formulas, business plans, and trade secrets that make your company valuable, the FTC probably won’t care. In that case, nobody but your competitors, particularly in China and Russia, will be interested in getting into your system. However, your shareholders, who will be well represented by class action counsel, may feel they have an interest in keeping them out, in which case LabMD outlines the first wave of discovery demands you will get.

Two Take-Aways

The immediate take-away from LabMD is obvious. You now have a legal standard against which to measure your company’s behavior. But the case should also impel management to ask a deeper question: What business do you want to be in? If you are a widget manufacturer or in a service business, running a complex and expensive IT system is not your line of work, and you are probably not equipped with the talent and know-how to do it right. Now that the legal consequences of running a porous and insecure system are becoming clearer, many companies will confront anew the question of what functions they would be prudent to out-source.


[1] See In the matter of LabMD, Inc., FTC docket no. 9357 (July 29, 2016), at 12, n. 23.

[2] FTC v. Wyndham Worldwide, Inc. 799 F.3d 236 (3d Cir. 2015). This case upheld the FTC’s power to regulate poor data security under the “unfairness” standard of Section 5 of the FTC Act. Previously its data security cases had been brought only under the “deceptive” standard of Section 5.

[3] LabMD, supra, upholding the FTC’s statutory and constitutional authority to proceed under the “unfairness” standard of Section 5.

Debating the Chinese Cyber Threat

If you follow cyber conflict issues, you’ll want to see this correspondence from International Security, Vol. 40, No. 1 (Summer 2015), pp. 191–195:

In “The Impact of China on Cybersecurity: Fiction and Friction,” Jon Lindsay asserts that the threat of Chinese cyber operations, though “relentlessly irritating,” is greatly exaggerated; that China has more to fear from U.S. cyber operations than the United States does from China; and that U.S.-China relations are reasonably stable.1 He claims that “[o]verlap across political, intelligence, military, and institutional threat narratives . . . can lead to theoretical confusion” (p. 44). In focusing almost exclusively on military-to-military operations, however, where he persuasively argues that the United States retains a significant qualitative advantage, Lindsay underemphasizes the significance of vulnerabilities in U.S. civilian networks to the exercise of national power, and he draws broad conclusions that have doubtful application in circumstances short of a full-out armed conflict with China. In addition, he does not discuss subthreshold conflicts that characterize, and are likely to continue to characterize, this symbiotic but strife-ridden relationship.

To begin, Lindsay argues that American infrastructure is safe from nation-state cyberattack. For support, he cites a similar conclusion by Desmond Ball, who touts the supposed “sophistication of the anti-virus and network security programs available” in advanced Western countries.2 The notion that Western-made anti-virus and network security programs are effective against sophisticated cyberattacks would astonish any group of corporate security officers. Anti-virus programs are flimsy filters designed to catch only some of the malware that their designers know about. They miss a great deal. New malware enters the market at the rate of about 160,000 per day.3 Filters, whether employed by the military or not, are unable to keep up. “Network security programs” vary in quality, are insufficiently staffed, and are often not implemented at all across the economy. The Pentagon is expending huge sums to build its own power grids, even as its budget shrinks, precisely because the civilian grid cannot be relied upon in a crisis. On this subject, Lindsay says only that China’s ability to attack the U.S. grid “cannot be discounted.” In contrast, Adm. Michael Rogers, director of the National Security Agency (NSA) and commander of U.S. Cyber Command, testified in 2014 that China and “one or two” other countries could shut down the power grid and other critical systems in the United States.4

Lindsay’s article also fails to address the relationship between nonmilitary vulnerabilities and the exercise of national power. For example, when Russian intruders penetrated JPMorgan Chase Bank’s computer system in 2014 during tensions over Ukraine, no one could tell President Barack Obama whether Russian President Vladimir Putin was sending him an implied threat.5 Taking down a major bank would have enormous economic repercussions, and Chase’s vulnerability was there for all to see. When evaluating his options, could the president ignore the possibility that exercising one of them carried the palpable risk that a major U.S. bank could be taken down? Whatever the source and objective of the intrusion in the Chase case, the incident demonstrates the way in which a critical vulnerability in the civilian economy could constrain the exercise of national power, including military power, in a crisis.

Lindsay speculates skeptically about the increase in the reporting of commercial network exploitation since 2010 and wonders whether it may be spurred by self-interested disclosures by network defense firms seeking to scare up demand for their services. He does not mention that the Securities and Exchange Commission issued guidance in 2011 stating that public companies “should review, on an ongoing basis, the adequacy of their disclosure relating to cybersecurity risks and cyber incidents.”6 And despite Lindsay’s claim that commercial network exploitation is overreported, virtually every private-sector lawyer and consultant I know in this field believes that publicly disclosed information understates the severity and frequency of attacks on corporate networks. The reasons are well known: companies resist disclosure for fear of harm to their brands and stock prices and to avoid shareholder derivative class-action lawsuits and regulatory action by the Federal Trade Commission.

Lindsay is on better footing when he denies that a network penetration, even when it results in the theft of intellectual property (IP), necessarily results in lost profit or market share. The absorption and application of stolen intellectual property are complicated processes; they require know-how as well as a recipe. This is one reason why IP theft and reverse engineering do not necessarily produce market share for the thief and the copy-cat. Thus China still cannot produce a jet engine, even though it has plenty of American and Russian engines to study, because it cannot master the fabrication process. These are not contested propositions, however. Insurance carriers certainly understand them, which is largely why IP cannot be insured against theft. It is incorrect, however, to imply from this, as Lindsay does, that IP theft is not a significant issue for many of its victims. China has no difficulty using stolen IP about, say, oil and gas exploration data and materials testing research. Both are prime targets.

Chinese intruders have also stolen negotiation strategies to good effect, as more than a few companies could testify (but will not). And in the case of solar-power technology, Chinese IP thieves had no trouble absorbing stolen secrets and penetrating Western markets.7 Some descriptions of the economic losses have been hyperbolic, no doubt; and the losses have eluded persuasive quantification. Nevertheless, the problem is real and substantial.

The overall state of American networks and of private-sector capabilities simply is drastically different from the picture Lindsay paints. Take attribution. Public reports that the NSA can often—though not always—do very good attribution does not mean that private companies can do it. Attribution has three levels: (1) identifying the device from which an intrusion was both launched and commanded; (2) identifying the actor at the keyboard; and (3) identifying the actor’s affiliation. Even the NSA cannot always get to the second and third levels, as the Chase Bank incident demonstrated.

The most basic difference between the military-to-military situation and the corporate reality, however, is that militaries and intelligence agencies fight back. In contrast, companies are exposed to attack without the legal right to retaliate (for mostly good reasons) even when they have, or could buy, the ability to do so. In this environment, offense is unquestionably dominant. According to Lindsay, since 2010 “Western cybersecurity defenses, technical expertise, and government assistance to firms have improved” (p. 23). In fact, very few companies receive government help with intrusions. If he means that private-sector defenses have improved when measured against themselves, then that is true but irrelevant. Attacks have also increased in sophistication, and when measured against the offense, defenses have not improved. All defenses are versions of Whac-A-Mole, and there are too many moles to whack them all.8

In sum, Lindsay and I agree that the current and foreseeable state of cyber technology “enables numerous instances of friction to emerge below the threshold of violence” (p. 9). This is what I have called “the gray space between war and peace.” If this environment is showing signs of strategic stability, it is partly, as Lindsay argues, because mutual vulnerability is creating mutual restraint among nation-states. But the vulnerabilities remain, and they could be exploited by China or Russia in a crisis and by a growing number of second-tier cyber players that are not so constrained.


1. Jon R. Lindsay, “The Impact of China on Cybersecurity: Fiction and Friction,” International Security, Vol. 39, No. 3 (Winter 2014/15), pp. 7–47. Further references to Lindsay’s article appear parenthetically in the text.

2. Ibid., p. 35 n. 94, quoting Desmond Ball, “China’s Cyber Warfare Capabilities,” Security Affairs, Vol. 17, No. 2 (Winter 2011), p. 101.

3. Luis Corrons, “Malware Still Generated at a Rate of 160,000 New Samples a Day in Q2 2014,” Panda News, August 29, 2014, malware-still-generated-rate-160000-new-samples-day-q2-2014/.

4. Ken Dilanian, “NSA Director: Yes, China Can Shut Down Our Power Grids,” Associated Press, November 20, 2014, power-grids-2014-11.

5. See Joel Brenner, “Nations Everywhere Are Exploiting the Lack of Cybersecurity,” Washington Post, October 24, 2014.

6. U.S. Securities and Exchange Commission, Corporate Finance Division, “CF Disclosure Guidance: Topic No. 2: Cybersecurity” (Washington, D.C.: U.S. Securities and Exchange Commission, October 13, 2011), .htm.

International Security, Vol. 40, No. 1 (Summer 2015), pp. 191–195, doi:10.1162/ISEC_c_00208
© 2015 by the President and Fellows of Harvard College and the Massachusetts Institute of Technology.

Forty Years After Church-Pike: What’s Different Now?

This is the Henry F. Schorreck Memorial Lecture that I delivered at the National Security Agency

May 15, 2015



About ten years ago, when I was the inspector general here, I found myself one day in Hawaii, under the Pineapples, and by coincidence there was at the same time a conference nearby of the agency’s training staff from all over the Pacific region. And one of them came to me and said, We do all this training about the legal restrictions on our activities — USSID 18 and Executive Order 12333 and all that – and we know it’s a big deal, but none of the people we’re training know why we’re doing it.  And then after a pause she said:  And frankly, we’re not sure either.

I had lived through the upheavals of the late ‘sixties and the ‘seventies – the Vietnam War, the intelligence scandals, the Nixon impeachment, and the implementation of the legislative and regulatory framework that we impliedly refer to every time we say that this agency operates under law.  Younger people had not.

We Americans don’t take instructions well if we don’t understand the reasons for them.  And so I decided it was incumbent on us to tell and re-tell the story of how and why the United States became the first nation on earth to turn intelligence into a regulated industry.  But the story isn’t entirely behind us.  It continues.  And so this morning I’m not only going to recount what happened in the ’seventies; I’m also going to address the Agency’s position in the wake of the Snowden leaks, and how we got here.  Because insofar as NSA has again been in the public’s doghouse (it is certainly not in the policymakers’ doghouse), it is for very different reasons from those in 1976, and that difference is worth reflecting on.

Let’s go back to January 1970, when a former Army captain in military intelligence, Christopher Pyle, disclosed in the Washington Monthly that U.S. Army intelligence had more than a thousand plainclothes agents surveilling every significant political demonstration in the United States.[2] According to Pyle’s account, the Army kept “files on the membership, ideology, programs, and practices of virtually every activist political group in the country . . . including . . . the Southern Christian Leadership Conference, Clergy and Laymen United Against the War in Vietnam, the American Civil Liberties Union, Women Strike for Peace, and the National Association for the Advancement of Colored People.”[3] It also kept a “Blacklist” of “people who might cause trouble for the Army.”[4]  There had been violent, destructive race riots in Los Angeles in 1965, in Detroit in 1967, and then in April 1968 in Washington after Rev. Martin Luther King, Jr. was assassinated.  Two months later, Bobby Kennedy was assassinated.  That same year, the Soviet Army moved into Prague, the Fifth Republic in France nearly fell as a result of massive domestic unrest, and Chicago during the 1968 Democratic National Convention was the scene of serious street violence.  Lest anyone forget, we were also deep in the Cold War, early in the Brezhnev years, and the antiwar movement unquestionably included a small but violent far-left element.  Stability was a genuine concern of sober people.

The scope of the Army’s domestic spying was nevertheless unauthorized in law, out of control, and plainly political.  In the Army’s eyes, dangerous people included Coretta Scott King, Georgia State Representative Julian Bond, folk singer Arlo Guthrie, and former military officers who opposed the Vietnam War.  In Colorado Springs, the leader of a church youth group attended a peaceful antiwar protest; in response, the Army infiltrated his church.  In Kansas City, the Army asked local high schools and colleges to turn over the names of “potential trouble makers” and anyone who was “too far left or too far right.”  Classroom statements by teachers and students found their way into police and Army files.[5]  Based on Pyle’s account, Senator Sam Ervin, a conservative southern Democrat from North Carolina and chairman of the Senate Judiciary Committee, opened hearings, but they ran into a wall because the Executive Branch, citing executive privilege and “national security,” declined to provide much information. This episode nevertheless opened the first, small wedge into a system of government secrecy that had been little questioned since 1941.

The Army hearings were not the beginning of the American public’s distrust of government, but by 1970, trust was running out on a strong ebb tide.  Just to color the picture a bit brighter, in April 1970, the United States secretly expanded the Vietnam War into Cambodia, but the operation was leaked and produced vehement opposition.  On May 4, frightened and undisciplined Ohio National Guard troops fired into a crowd of student demonstrators at Kent State University, killing four and wounding nine.  In July, a cabal of radicals blew up the Army Math Research Center at the University of Wisconsin, killing a graduate student.  The Weather Underground planned further bombings.

The sense of anxiety and pessimism was profound, and lots of people really did seem to believe, as the song said, that we were on the eve of destruction.  (That song was actually written in 1964, but it had long legs.)

On December 22, 1974, the New York Times published a front-page story by Seymour Hersh about a CIA program called “family jewels.”  It began this way:

The Central Intelligence Agency, directly violating its charter, conducted a massive, illegal domestic intelligence operation during the Nixon Administration against the antiwar movement and other dissident groups in the United States, according to well-placed Government sources.

An extensive investigation by The New York Times has established that intelligence files on at least 10,000 American citizens were maintained by a special unit of the C.I.A. that was reporting directly to Richard Helms, then the Director of Central Intelligence ….

This article is worth your reading, or re-reading after forty-one years – and not only for the mood of the country and the revelations themselves. It also lays out the unbelievably bad blood between the FBI and the CIA and the intentional freezing of cooperation between them.  The seeds of the next generation’s intelligence problem were there to see, unnoticed in plain view.

Just two weeks after Hersh’s article, in January 1975, the Senate convened a Select Committee to Study Governmental Operations with Respect to Intelligence Activities, chaired by Senator Frank Church of Idaho.  The Committee’s work had support from both sides of the aisle.  A similar committee convened in the House under Rep. Otis G. Pike of New York, but the Senate version under Church was the more significant. It published fourteen reports in 1975-76 on intelligence agency activities, probably the most comprehensive such reports in history, in any country.  The reports detailed the CIA’s habit of opening our mail, NSA’s domestic interception programs, and CIA’s human subject research – including a notorious instance of LSD administered to an unwitting subject who, in a hallucinating fit, jumped out a window to his death.  They also went deeply into intelligence activities overseas as well as at home, disclosing assassination plots against the Diem brothers of Vietnam, Patrice Lumumba in the Congo, General René Schneider in Chile, and Rafael Trujillo in the Dominican Republic, as well as the failed plan to use the Sicilian Mafia to kill Fidel Castro.  Coups against the governments of Arbenz in Guatemala and Mosadegh in Iran were also exposed.

The country was stunned by the systematic domestic surveillance, and shocked to learn that assassination was a tool of American foreign policy.  It was as if we Americans had eaten of the fruit of the Tree of Knowledge.  We had lost our innocence and the belief in the purity of our methods as well as our intentions.

Revelations about the FBI were, if possible, even more stunning. For 17 years, from 1956 to 1973, the Bureau under J. Edgar Hoover had run a covert program called COINTELPRO, for Counterintelligence Program.  It had antecedents at least back to World War I.  Its initial purpose was to assess the activities of the Communist Party of the U.S., but it eventually included surveillance of Senators Howard Baker and Church (who were the ranking member and chairman of the Senate Foreign Relations Committee), the women’s movement, nearly all groups opposing the Vietnam War, Albert Einstein, and many civil rights leaders.  Hoover loathed Martin Luther King, Jr., and after the March on Washington in 1963, he called King “the most dangerous Negro of the future in this nation from the standpoint of communism, the Negro, and national security.”  The FBI systematically bugged King’s home and hotel rooms.  By the way, much of the surveillance was personally approved by Attorney General Robert F. Kennedy – who later discovered he too had been a target of FBI surveillance.

On November 21, 1964, the FBI sent an anonymous package to King that contained audio recordings of his sexual indiscretions together with a letter that said: “There is only one way out for you. You better take it before your filthy, abnormal, fraudulent self is bared to the nation.” The FBI was encouraging King to commit suicide.

Hoover, by the way, was regarded by several presidents as too powerful to remove from office because he was known or believed to have dossiers on them with embarrassing information.

NSA, meanwhile, was running two projects called SHAMROCK and MINARET.  SHAMROCK began in August 1945 – the month Japan surrendered – and involved the collection by NSA’s predecessor, the Armed Forces Security Agency and then by NSA, of all telegraphic traffic entering or leaving the United States.  Western Union, RCA, and ITT gave the agency direct daily access to microfilm copies of this traffic – up to 150,000 messages per month.  There was wartime precedent for this, but the scope of the collection, and its conduct in peacetime, was a different story.

MINARET was a related project by which NSA intercepted electronic communications of 1,650 people who were on a watch list.  There were no warrants and no judicial oversight of these activities, which were simply assumed to be the normal activities of a foreign intelligence agency.  The targets included Senators Church and Baker, many critics of the Vietnam War, King, Whitney Young, Muhammad Ali, Tom Wicker of the New York Times, and Washington Post columnist Art Buchwald.  After the Church Committee disclosed these programs, then-NSA Director Lew Allen shut them down.  The director’s testimony before the Committee was the first time since NSA’s founding in 1952 that any director had publicly testified before Congress; it was also the first time that NSA’s existence was publicly acknowledged.  Before then, NSA really did stand for “No Such Agency.”  (Now it stands for “Not Secret Anymore.”)

I think it fair to say, and important to say, that everyone associated with these various programs thought that he was a patriot acting in the national interest.  Which is precisely why subjective notions of patriotism and national security are insufficient guides for people and agencies that claim to operate under law in a democratic republic.  (Snowden and Hoover actually represent converse instances of unmoored, egotistical arrogation to oneself of the right to determine the public good.  The comparison will annoy their respective admirers.  So much the better.  They should think about it.)

The Church-Pike hearings were watershed events in our nation’s history, psychologically as well as politically, and they led directly to the legal structures you operate under today. President Ford’s Executive Order 11905, later modified and reissued by President Reagan as E.O. 12333 in substantially the form we now know it; the creation of the House and Senate permanent select committees on intelligence; the Foreign Intelligence Surveillance Act of 1978; the Inspector General Act of 1978; and USSID 18 (originally issued in 1980) – not to mention drastic budget cuts in intelligence – all these were the direct product of the Church-Pike hearings and reports.

Because of the hearings whose anniversary we celebrate today, the men and women of the intelligence community operate with a profoundly different mindset.  You take orders from a democratically elected government, and you answer to an independent judiciary. This is the “why.”  This is the answer to the question put to me that day in Hawaii.  This is the history we must teach to our successors.

I’m glad to say that NSA did not repeat the mistakes of the period that led to the Church-Pike hearings.  Okay, then, so how did we get in the doghouse this time?

The seed of the problem was planted shortly after 9/11, when the White House determined to undertake certain collection outside the FISA regime under a highly classified, but now mostly declassified, program called STELLAR WIND.[6]  That program was not SAP’ed, because the creation of a new special access program requires Congressional notification, but it was run directly by the Office of the Vice President and put under the direct personal control of the Vice President’s counsel, David Addington.  Under periodically renewed Presidential orders, NSA collected two kinds of intelligence:  First, the contents of communications between a person outside the United States with a known connection to Al Qaeda or certain affiliated organizations, and a person inside the country; and second, bulk metadata in order to chain off the domestic link. In my judgment, any President who had failed to order such surveillance on an emergency basis immediately after 9/11 would have been derelict.  The President’s first duty is to protect the nation, and the fear of further attack was palpable.  You could smell it.  But under statute, the interceptions were not permissible without a FISA order because they were taken from a wire inside the United States; and FISA did not permit metadata collection at all.  Under prevailing law, metadata, which is analogous to the information on the outside of a mailed envelope, may have had no Constitutional protection.  But the bulk collection of that data was a watershed political event in the history of American intelligence and in American politics.  As an emergency matter, there’s no question in my mind that the President had the power under Article II of the Constitution to order this collection – both kinds.  But how long does an emergency last?  (An emergency usually doesn’t come with a specific expiration date like a quart of milk, but claims of emergency do get sour.)

Now, it was the view in the White House that the President did have the power to collect this intelligence on a permanent basis.  And I am persuaded that the White House, and certainly the Office of the Vice President, believed that FISA was an unconstitutional limitation on the President’s Article II power in all circumstances.  This was an odd view, because Article I, Section 8 of the Constitution gives Congress the power to regulate interstate and foreign commerce, and that includes telecommunications.  Under well-settled law, Congress cannot exercise its power in a manner that makes it impossible for the Executive to carry out its Constitutional duties, but it can regulate that exercise in a reasonable manner.

Both the NSA General Counsel at the time, Bob Deitz, and I looked for guidance in this situation to one of the more famous passages of Twentieth Century Constitutional law, and I’m going to read you a short bit of it.  It’s by Justice Robert Jackson, concurring in the Supreme Court’s decision striking down President Truman’s seizure of the steel mills on national security grounds.  Jackson is talking about Presidential power in a divided government and the point at which law and politics cannot be separated.  The President’s power fluctuates, Jackson observed, depending upon Congress’ exercise of its power. He saw three possibilities:[7]

  1. When the President acts pursuant to an express or implied authorization of Congress, his authority is at its maximum, for it includes all that he possesses in his own right plus all that Congress can delegate.
  2. When the President acts in the absence of either a congressional grant or denial of authority, he can only rely upon his own independent powers, but there is a zone of twilight in which he and Congress may have concurrent authority, or in which its distribution is uncertain. …In this area, any actual test of power is likely to depend on the imperatives of events and contemporary imponderables rather than on abstract theories of law.
  3. When the President takes measures incompatible with the expressed or implied will of Congress, his power is at its lowest ebb ….

In my view, President Bush’s STELLAR WIND orders fell into the third category – at least, I thought they did after some fairly brief but indeterminate emergency.  (This was not the Administration’s view.  They thought the Authorization for Use of Military Force impliedly granted the power to implement STELLAR WIND.  That was a serious argument, but it was based on debatable inferences; so even accepting that view, I thought the President was in the twilight zone.)  You may know that after President Lincoln unilaterally suspended habeas corpus during the Civil War on the grounds that it was necessary to save the Union, he went to Congress to get his action ratified.  President Bush chose not to do that.  So I put the question to NSA’s senior leadership:  Why don’t we amend FISA, which we could easily have done in the aftermath of 9/11, and do this collection under statute?  This was actually an academic question, because policy was being driven, and driven hard, by Addington, who detested the FISA statute. “We’re one bomb away from getting rid of that obnoxious [FISA] court,” he would say.[8]   But the answer I got here at the Fort was interesting.  It was that amending FISA would require a public debate; that the public debate would educate our adversaries; and that we would lose intelligence as a result.  My response was that the program could not be kept secret forever, and that its eventual disclosure would create a firestorm and divide the country.  The broad unity of the country behind the agency’s activities was a strategic asset; the loss of collection was likely to be tactical and temporary; and sacrificing a strategic asset for tactical advantage was as foolish in politics as it is in military operations.  Better, I said, to amend the statute.  But Inspectors General do not make policy, and they are not consulted about it, nor should they be.

Sooner or later this program’s cover was going to be blown, and on December 16, 2005, it happened: The New York Times exposed the interception part of the program (but not the bulk metadata portion), amid accusations that NSA was engaged in “domestic” spying because it was intercepting communications involving Americans.  In my view that was a distorted description, but when you’re explaining, you’re losing.  This was the beginning of a shift in public opinion that until then had, on the whole, been highly supportive of our intelligence agencies.  Suddenly we faced a country that was seriously divided about our activities.

Most of the criticism actually had little to do with the merit of the interceptions, just the authority for them.  Not surprisingly, the inflammatory publicity attendant on the STELLAR WIND disclosure and the resulting damage to actual collection, to NSA’s reputation, and to our public support were far greater than any damage that would have occurred if the program, and the reasons for it, had been publicly discussed at the outset and the FISA statute amended.

Ladies and gentlemen, democracies distrust power and secrecy and are right to do so.  Intelligence agencies are powerful and secret.  To square that circle, two conditions must be met: The rules under which they operate must be clear to the public and authorized by law, and the public must have reason to believe that the rules are being followed.  STELLAR WIND failed to meet those requirements, and NSA paid for it in loss of public trust.

Again, a lesson was learned – but imperfectly.  FISA was amended in 2008, but only after a rancorous public debate, and the statute is frankly a bit of a mess.  Still, you follow that statute.

And then in 2013 came Mr. Snowden.  Overseas, people were stunned to learn how extremely good NSA really is at its business – sometimes at their expense.  You were being criticized for being too good.  And of course the dough of outrage rose higher and higher when leavened with the yeast of hypocrisy.

But why did the Snowden leaks hurt so badly here in our own country?  There hasn’t been even a whiff of intelligence abuse for political purposes.  This was the only intelligence scandal in history involving practices approved by Congress and the federal courts and the President, and subject to heavy oversight.  How did this happen?

The answer, I think, goes back to the power-and-secrecy principle and to the evolution of our representative democracy in the digital age.  NSA was operating under statute – but ordinary, intelligent, educated Americans could not have looked at that statute and understood that it meant what the FISA Court interpreted it to mean.  The intelligence committees knew.  Any member of Congress who wanted to know either did know or could have known.  (I discount the hypocrisy from that quarter, and the Second Circuit Court of Appeals’ opinion last week is just wrong about that.)  But it is true that the FISA Court’s expansive interpretation of the law was secret.  So the argument that the Agency was operating under “secret law” had legs with the public, much of which is allergic to bulk collection and doubts its value.

We had amended FISA, yes, but our leaders had failed to absorb the transparency lesson.  You now live in a glass house.  How could anyone think the bulk collection program would remain secret?  I’m not telling you there are no more secrets.  You still have plenty of them.  I am telling you that with instantaneous electronic communications, secrets are hard to keep; and that which can be kept secret does not stay secret for long. The idea that the broad rules governing your activities – not specific operations, but the broad rules – can be kept secret is a delusion.  And they should not be kept secret.  Leaders who do not understand this will continue to make strategic blunders. I do not state this as a policy preference.  I state it as a fact of life that political leaders and intelligence agencies – I mean you – must take into account as you make decisions about what can be, and should be, kept secret – and about what activities you can and should undertake.

I should note that even if the general counsel or the Director had given different advice to President Obama about bulk collection, it would not have been followed. The fight in 2008 was bruising enough. The White House had no appetite for more FISA battles.  In any case, that was the President’s call – not the Director’s.  The Director was on the right side of the law.  Would the program be unpopular?  Maybe.  But we do our work.  We keep our heads down.  Sometimes we take some punches for it.  Besides, there’s always a political faction that doesn’t like us no matter what.  Tough luck.  If it’s legal, we do our work.

But in retrospect there’s a lesson to learn.  The public, not just the three branches of government, must know what kinds of things we are allowed to collect domestically.

If you disagree with me on this, do your own damage assessment.  In the wake of Snowden, our country has lost control of the geopolitical narrative; our companies have lost more than $100 billion in business and counting.  Collection has surely suffered.  The damage from the Snowden leaks to American foreign intelligence operations, to American prestige, and to American power – not to mention the damage to morale and to personnel retention right here at Fort Meade – has unquestionably been vastly greater than if the Executive Branch had determined from the outset to amend FISA back in 2002 to permit the activities the White House felt necessary to protect the country.

Do you reply that the Congress in late 2001 or in 2002 might not have permitted NSA to do it?  I doubt it.  But even so, in a functioning representative democracy, this Agency cannot keep the nation safer than the nation, acting through its elected representatives, wants to be kept.

We learned the hard lessons of 1976.  Let’s now think hard and learn this lesson too.  And let’s teach it to those who come after us.

Thank you for the opportunity to address you.  What you do is enormously important, and I count it a great privilege to have served among you.


[1] Joel Brenner was the Inspector General of the National Security Agency from 2002-2006; the National Counterintelligence Executive in the Office of the Director of National Intelligence from 2006-2009; and senior counsel at NSA from 2009-10.  He now maintains a private law and consulting practice and is the Robert F. Wilhelm Fellow at the Massachusetts Institute of Technology’s Center for International Studies.

[2] Christopher H. Pyle, “CONUS Intelligence: The Army Watches Civilian Politics,” Washington Monthly I, January 1970, 4; reproduced in Congressional Record (hereafter cited as “Cong. Rec.”) 91st Cong., 2nd sess., 2227‑2231.

[3] Pyle, “CONUS Intelligence,” 5‑6.

[4] Ibid.

[5] Karl E. Campbell, “Senator Sam Ervin and The Army Spy Scandal of 1970-1971: Balancing National Security and Civil Liberties in a Free Society,” Charlotte-Mecklenburg Historic Landmarks Commission, at, citing primary sources.

[6] The orders themselves have not been declassified, so far as I know.

[7] Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579, 635 (1952).

[8] Jack Goldsmith, The Terror Presidency: Law and Judgment Inside the Bush Administration (New York: W.W. Norton & Co., 2007), p. 181.