National Security

Comey Don't Play That

How Obama's pick to lead the FBI tried to put the brakes on the NSA's surveillance dragnet.

It was not until Attorney General John Ashcroft was hospitalized with pancreatitis in early 2004 that his deputy, James Comey, first learned the extent of the Bush administration's surveillance programs. Reluctantly, the White House had agreed to "read him in." What Comey found out -- about both the government's warrantless domestic telephone interceptions and the bulk collection of data processed on American servers -- stunned him. Relying on an extreme interpretation of executive authority, the Bush legal team had established a set of war powers that broke precedent and concentrated power in the White House. Together with Jack Goldsmith, the Justice Department's head of the Office of Legal Counsel, Comey realized these efforts were based on legal opinions that should never have been signed.

Of particular concern was the fact that telecom companies, Internet companies, credit-rating agencies, and the like had been providing the National Security Agency (NSA) with any customer records that the agency asked to see -- who called whom, who bought what, who rented a car where. As many as 50 companies were providing the NSA with un-sifted bulk data on a regular basis without a court order. There was no discrimination at all; Americans and non-Americans alike were swept up by this surveillance dragnet. Faced with a White House request to reauthorize these activities, as Ashcroft had done, Comey balked.

Comey, who is said to be President Obama's choice to be the next director of the FBI, has never publicly disclosed exactly what he refused to sanction when he was briefly acting attorney general during Ashcroft's hospital stay, but people briefed on the program who have spoken to Comey say it was the legal rationale giving the NSA quick access to un-sifted telecom and service provider-collected metadata that "drove him bonkers," not the Bush administration's warrantless wiretapping program. There was just no way, Comey thought, to justify an effort that simply turned over such a large amount of data on American citizens to one of America's foreign-intelligence agencies. It contravened a number of laws with which he, as a former federal prosecutor of terrorism cases, was intimately familiar.

With recent revelations that the NSA has undertaken a huge effort to collect telephonic metadata -- information about a phone call, such as the originating and receiving numbers, the time and duration of the call, and technical information about the call and the phone used -- the Bush administration's intelligence collection efforts have reclaimed a central place in the debate over the balance between national security and privacy. To understand the current controversy, one has to return to the origin of the government's post-9/11 expansion of intelligence gathering, an effort that set off a vicious internal debate. For critics of the recently revealed NSA programs, the bitter irony is that they are now in all likelihood fully legal. This is the story of how Congress made them lawful.

 

To acquire communications inside the United States before 9/11, the NSA needed the cooperation of the courts and U.S. telecommunications companies. The Stored Communications Act of 1986 (SCA) would not allow the provision of historical data without an order or warrant, and the Electronic Crimes and Privacy Act (ECPA) banned real-time monitoring without an order or warrant. Furthermore, because the types of communications the NSA wanted were considered "consumer proprietary information," telecom companies couldn't just turn them over at the government's request. This latter point was rejected by the NSA's lawyers, who said that the Federal Communications Commission, which enforces the relevant laws, misread the statute. But the SCA's language seemed pretty clear to Comey: "[A] provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service... to any governmental entity" -- unless the government obtains a warrant.

So, assuming that citizens of the United States counted as customers, telecom companies were forbidden from voluntarily turning over records to the federal government. In the fight to maintain privacy rights in the face of expanding national security prerogatives, few fights were more consequential than the one Comey was starting. Anything a telecom company kept in storage and anything involving the customer's past communications counted as a "record." In other words, these business records included everything the telecom companies knew about their customers.

In its pursuit of greater intelligence capacities, the Bush administration discarded those legal protections. The activities authorized by President Bush provided a get-out-of-jail-free card to telecom companies, authorizing them to ignore the Stored Communications Act and Electronic Crimes and Privacy Act. The card came in the form of a certification signed by the attorney general attesting that the government would not criminally prosecute the telecoms for their cooperation. There was no court involvement whatsoever. The initial justification for this seems to have been based -- the legal opinion itself remains classified -- on both an assertion of presidential powers and an interpretation of the USA Patriot Act's "business records provision," which allowed the government to collect "tangible things" from U.S. businesses so long as they related to terrorism. There was no statutory definition of "tangible thing" and no real sense of what it meant. Interpreted broadly, it would essentially give the entire government license to collect anything, at any time, without a warrant or order.

(The Senate Select Committee on Intelligence would later conclude that "we have seen no evidence that Congress intended the AUMF" -- the Authorization for Use of Military Force, the post-9/11 law that inaugurated the Bush administration's war on terror -- "to authorize a widespread effort to collect the content of Americans' phone and e-mail communications," implying that the NSA had used that law as justification as well. And, according to the Washington Post, the White House also advanced an interpretation of an obscure 1982 Department of Defense rule that defined "collection" in a way whereby the Fourth Amendment would not apply until a human being actually used the collected material.)

So what did the telecoms turn over to the NSA? Millions of transaction records, which included millions of instances of domestic telephones dialing other domestic telephones. Other companies sent over tranches of e-mail messages. The NSA would ask for telephone logs from a certain time at a certain place (that is, a company, a neighborhood, a mosque), and telecoms would transmit those records. The NSA could scan the metadata that attached itself to anything digital, whether a call or an e-mail, but actually listening to a call or reading an e-mail required probable cause.

The agency used several computer programs to scan the pen register logs (the lists of phone numbers that called other numbers) and the metadata associated with e-mails (for example, the to, from, and subject lines; IP addresses; lengths; frequencies; and so on). If a group of people associated with an entity (like an Islamic charity) had (or appeared to have) a connection with an entity connected to foreign terrorism, all three were subject to interception protocols.

 

When Ashcroft temporarily transferred power to Comey during his hospitalization in March 2004, the lanky former prosecutor would not sign a new certification for the collection of bulk metadata. There was no sound legal basis for the bulk transmission of data to the NSA, he believed, especially if the NSA meant to store it for future use. He was uncomfortable that the judicial branch was not involved at any step in the process. The Stored Communications Act and the Electronic Crimes and Privacy Act had exceptions, but Comey didn't think they applied. And the Patriot Act's provisions required a specific target.

The NSA's potential uses for the data only added to Comey's concerns. The agency could have taken telephone records and correlated them with the bulk intercepted data from, say, Yemen, to see which calls overlapped. Then it could (and would) task an analyst to either listen to the U.S. end of a call if the whole call had been recorded somewhere outside the United States, or to listen to future calls emanating from the U.S. terminus.

Mike McConnell, a former director of the NSA and the second director of national intelligence during the Bush administration, would later describe what happened next to a group of intelligence industry professionals: "If the U.S. end of the call was Grandma, and they were talking about cakes, we would minimize it. If it was operationally significant, we would keep it. If that U.S. number were to call another U.S. number, we would have to get a FISA warrant," he said, referring to the Foreign Intelligence Surveillance Act, which regulated the monitoring of calls between the United States and abroad.

Initially, the White House was ready to have the president's counsel, Alberto Gonzales, affix his own name to the certification authorizing bulk metadata collection that Comey had sent back without a signature. But with Ashcroft in the hospital on the night of March 10, the White House first tried to bully the barely conscious attorney general into signing the orders from his hospital bed. Comey got wind of the plan and raced to the hospital to intercept Gonzales and White House Chief of Staff Andy Card. In a now-legendary show of defiance against the Bush White House, a nearly delirious Ashcroft refused to sign. Card and Gonzales left empty-handed.

Then, to force Comey's hand, the White House tried to use Congress as a lever.

In a hastily organized briefing a few weeks later in the White House Situation Room with Comey and the so-called Gang of Eight -- the speaker and minority leader of the House, the majority and minority leaders of the Senate, and the chairs and ranking members of the intelligence committees -- a member of Congress asked White House officials whether any ongoing operations would be jeopardized if the telecoms refused to hand over data without a warrant. A senior official from the National Security Council brought up a major counterterrorism investigation code-named CREVICE. The United States, British MI5, and German intelligence were working closely together on the case, which involved al-Qaeda-linked jihadists in Europe who were communicating with Americans. One was caught on a wire musing about blowing up an airplane. At least some of their communication was transiting through the United States. Without the program, the White House insisted, the ability to disrupt CREVICE would be significantly reduced. But the FBI and the Justice Department representatives in the room who had been working CREVICE for months knew that wasn't true. FISA warrants had already been issued, and MI5 had its own technical surveillance operation under way. The bulk provision of data was just not necessary.

Since late 2001, the special NSA programs had been briefed to the Gang of Eight. Other members of the intelligence committees and some members of the armed services committees were given partial briefings. But Congress was an observer at this point, rather than a participant. From the secret programs' earliest days, the White House had never asked Congress to explicitly authorize bulk data collection or to update FISA, and Congress, not wanting to get its hands dirty, never volunteered to. In the Situation Room meeting, Comey got the impression that the legislative branch was brought in for show, to intimidate him.

The White House advanced a practical argument to Congress, arguing that the lawyers who handled the bulk data collection programs for the telecom companies would panic if after months of seeing executive branch authorizations bearing the signature of the attorney general -- the nation's top law enforcement officer -- they saw instead the scribble of Alberto Gonzales, the president's in-house guy.

Gonzales believed that without Comey's signature, without the signature of the attorney general, the telecoms and other content providers would not only have questioned any past cooperation with the NSA, but would probably also significantly curtail their cooperation in the future, raising the prospect that Comey's objections to bulk metadata collection might jeopardize the warrantless wiretapping program. Though Comey had signed off on that part of the program -- certifying that it was legal to intercept the U.S. side of an international communication connected with terrorism -- he refused to sign off on bulk metadata collection. Without his signature on that second program, the White House feared the companies might balk at providing any assistance.

But congressional leaders didn't want -- and didn't think they had an obligation -- to publicly rewrite a surveillance law to account for a secret program. This was the president's program. He initiated it, so he owned it. 

It was because of these practical considerations that the White House changed course after the hospital room confrontation. With no help forthcoming in Congress, the White House had to. It simply could not send a document to the telecoms with anyone else's signature. It took six months before the NSA was able to develop procedures that fit the interpretation of the metadata provisions promulgated by Jack Goldsmith and his successor, Daniel Levin.

As the main obstacle to continuing the bulk metadata collection program, Comey became a hated figure in the White House. Dick Cheney in particular was not a fan. Comey first met the vice president the same day he appointed Patrick Fitzgerald to investigate the Valerie Plame leak -- an investigation that would culminate with the indictment of Cheney's chief of staff for perjury. When Comey introduced himself that day, Cheney replied, without looking back, "Oh, I know you from television." He wasn't smiling.

 

The scene at the hospital marked a turning point for the data collection program but did so in a way that may well have hastened the day that Congress would officially deem it sound and legitimate. Immediately after he became attorney general in early 2005, Alberto Gonzales asked the new head of the OLC, Steve Bradbury, to reexamine whether there might be a different legal approach to the NSA activities authorized by the president -- one that would put those activities on a stronger legal footing. So, Bradbury crafted a novel legal analysis that, if approved by the FISA court, would permit much of the NSA program to be based on section 702 of the FISA statute, which allowed the NSA to acquire communications on foreign entities that happened to use U.S.-based content providers. In essence, the FBI would take a first pass at the data collection to make sure it did not contain information about U.S. persons. Then, and only then, would it be provided to the NSA. The attorney general would have to certify to the FISA court that the data was needed for foreign intelligence purposes.

Bradbury presented his new approach to the White House in the late spring of 2005, and the White House approved it without hesitation, provided that the director of national intelligence and the NSA were confident that the new approach would not materially compromise the value and effectiveness of the program. The DNI and the NSA expressed support, and over the next several months, the OLC, working with the Office of Intelligence Policy and Review at the Justice Department, developed a detailed analysis and proposal intended to be submitted to the FISA court in late 2005 or early 2006.

But in December 2005, the New York Times scuttled the effort to build a new legal basis for the metadata program by reporting on the OLC's attempt to draft a new justification under FISA. Bradbury and others in DOJ spent much of their time and attention in 2006 explaining to the public (and to Congress) the legal basis for the NSA activities, which were now publicly acknowledged by the president following the Times article, as well as addressing other alleged activities and rumors swirling around those charges. As a consequence of the distraction, it wasn't until January 2007 that Gonzales told Congress that DOJ had succeeded in obtaining a court order authorizing foreign collection using bulk data under a novel interpretation of FISA. What he did not say in open session was that bulk data collection had resumed under the Patriot Act's business-records provision. The main difference: The FISA court was reviewing and certifying all of the government's data requests. 

Then, just as quickly, that legal authorization was taken away. A FISA judge found problems with the collection. (We don't know exactly what the issues were.) It was then, and only then, that those in Congress read in to the program felt compelled to act. Congress passed stopgap legislation in 2007 and, in 2008, a permanent and fundamental restructuring of FISA.

In essence, the new FISA laws legalized bulk data collection for foreign intelligence gathered from wires passing through the United States, prohibited the collection of any content (audio of telephone calls, the body text of e-mails) on U.S. persons anywhere in the world without a warrant, and allowed the government to use FISA for collecting information to fight terrorism, proliferation, and espionage.

Today, the NSA's special programs are larger than they were when they first existed as a presidentially authorized intelligence collection tool. Inside the government there is a consensus that the NSA's intelligence-gathering activities -- both those recently revealed and those still classified -- are critical to national security. This consensus did not come easily, and from a civil libertarian standpoint the checks and balances are insufficient. It could be that the Justice Department, the courts, and Congress previously objected to the program only because they weren't let in on the secret. Now that they're in on it, they're willing participants in its perpetuation and expansion, one fully sanctioned by the law.

Congress has reauthorized the Patriot Act and rewritten FISA to allow for all of the activities that Comey found objectionable, although they are subject to a significantly higher level of oversight and auditing. But the legal interpretation and operational realities of what these reauthorizations meant were secret to all but a very small number of members.

That is, until just a few days ago.


Feature

Longform’s Picks of the Week

The best stories from around the world.

Every weekend, Longform highlights its favorite international articles of the week.

The Secret War

James Bamford • Wired

How General Keith Alexander, director of the NSA, became the most powerful intelligence officer in U.S. history.

Inside the government, the general is regarded with a mixture of respect and fear, not unlike J. Edgar Hoover, another security figure whose tenure spanned multiple presidencies. "We jokingly referred to him as Emperor Alexander -- with good cause, because whatever Keith wants, Keith gets," says one former senior CIA official who agreed to speak on condition of anonymity. "We would sit back literally in awe of what he was able to get from Congress, from the White House, and at the expense of everybody else."

Now 61, Alexander has said he plans to retire in 2014; when he does step down he will leave behind an enduring legacy -- a position of far-reaching authority and potentially Strangelovian powers at a time when the distinction between cyberwarfare and conventional warfare is beginning to blur. A recent Pentagon report made that point in dramatic terms. It recommended possible deterrents to a cyberattack on the US. Among the options: launching nuclear weapons.


Ghosts of the Rio Grande

Brendan Borrell • The American Prospect

On the hundreds of corpses that go unidentified every year along the U.S.-Mexico border.

The path across the border is littered with bodies. Bodies old and bodies young. Bodies known and bodies unknown. Bodies hidden, bodies buried, bodies lost, and bodies found. The stories of the dead haunt the frontier towns from Nuevo Laredo to Nogales, and even deep within the interior of Mexico down to Honduras, someone always knows someone who has vanished -- one of los desaparecidos -- during their journey north.

Many of those missing end up in the South Texas soil. Out on the Glass Ranch, a man named Wayne Johnson stumbles upon a skull, some bones, and a pair of dentures scattered near a dry pond. During a bass fishing tournament at La Amistad Lake, anglers come upon a decomposing corpse near the water's edge. Late one summer night, a train rumbles down the Union Pacific Line, but it fails to rouse a father and son slumbering on the tracks. For 2012, Brooks County, with a population of just 7,223, reported 129 deaths from immigrants trying to evade the Border Patrol checkpoint in Falfurrias, double the previous year. The county judge told the San Antonio Express-News that Brooks had run out of space for John Does in its Sacred Heart Cemetery.

The dead appear in springtime, when temperatures hit the triple digits, their fading T-shirts and tennis shoes strewn about the land like wilted wildflowers. Whether they tried to cross for money, love, or security, they did so knowing they might not make it alive. Their families keep hoping and hunting for answers -- if they can. Last May, 22-year-old Aldo collapsed on a South Texas ranch and made one last, desperate cell-phone call to his older brother Alejandro in Houston. But Alejandro can't drive there to conduct a search because he, too, is here illegally. "More than anything, I would like to know what happened to my brother," he says, "because if I could retrieve some part of his body to bring down to Mexico, we could give him a proper burial."


Looking for Clues in a Romanian Village

Özlem Gezer • Der Spiegel

Investigating the influx of Roma immigrants to Germany.

That adviser is sitting at a conference table in Bucharest. Water is served in plastic bottles here and two iPhones rest on the table in front of him. The man has closely cropped hair, wears a suit and speaks English well. He himself is Roma and used to travel through the country making music. Romania has a Roma strategy, he says, but only because the European Commission, the EU's executive, requires one, and it's only on paper. "If you marry a woman knowing she's an alcoholic, you can't complain about it afterward," he says. In this analogy, Romania is the drunken wife and the EU the naïve husband.

He keeps asking: "Do you understand, Franziska?" If she has a problem, he says, he's glad to help. If too many Roma from Fântânele are going to Berlin, he suggests, he can initiate some projects in the village -- Giffey only needs to say the word. She laughs, and he laughs, when she tells him the child benefits that families can receive in Berlin are 20 times what they are in Bucharest. "Bullshit," he says over and over again, and rants about his country.

That evening, Giffey sips a glass of water at a reception on the 18th floor of a modern skyscraper in Bucharest, where she has come at the invitation of the German embassy. There are hors d'oeuvres of cream cheese and salmon, and men in suits are drinking sparkling wine. A foundation representative explains that mayors in Romania are glad to see their Roma residents go.


Dribbling Man

Robert Andrew Powell • Grantland

On Richard Swanson, who died while trying to walk 10,000 miles from Seattle to São Paulo, Brazil.

His final video, taken in Lincoln City, is the most upbeat of all. "I finally made it to the ocean here!" he shouted, beaming. "I am in Lincoln City near the beach. I'm walking now to the waves. My feet are feeling amazing, having my shoes off and just walking through the water and kicking the ball." His smile grew even wider as he panned to Pacific waters lapping onto packed sand. "Very exciting moment today! I'm going to be on the ocean for thousands of miles, so this is my first taste of it, and I'm very excited about this. Finally!" He giggled -- that's the right word -- as cold surf lapped his ankles. "All right. I just wanted to say good morning. And I am very happy to be here. And hopefully today will be a wonderful day as I walk down the beach and [U.S. Route] 101 and enjoy everything that the ocean has to offer! All right, I will talk to you all later. Cheers, everyone!" Not 20 minutes later, Swanson would be dead.

When I got to Lincoln City, the last person he stayed with overnight told me she had seen that final video on the beach, and all the other videos that preceded it. She'd also fed Swanson dinner and breakfast and had sat with him on her couch talking at length about his adventure. "What people don't realize is this man was on a death trip," Susan Ulbright said. "I think subconsciously he knew he wasn't coming back."


Inside the NSA's Ultra-Secret China Hacking Group

Matthew M. Aid • Foreign Policy

The inner workings of the U.S. government's vast cyber-espionage unit.

Hidden away inside the massive NSA headquarters complex at Fort Meade, Maryland, in a large suite of offices segregated from the rest of the agency, TAO is a mystery to many NSA employees. Relatively few NSA officials have complete access to information about TAO because of the extraordinary sensitivity of its operations, and it requires a special security clearance to gain access to the unit's work spaces inside the NSA operations complex. The door leading to its ultramodern operations center is protected by armed guards, an imposing steel door that can only be entered by entering the correct six-digit code into a keypad, and a retinal scanner to ensure that only those individuals specially cleared for access get through the door.

According to former NSA officials interviewed for this article, TAO's mission is simple. It collects intelligence information on foreign targets by surreptitiously hacking into their computers and telecommunications systems, cracking passwords, compromising the computer security systems protecting the targeted computer, stealing the data stored on computer hard drives, and then copying all the messages and data traffic passing within the targeted email and text-messaging systems. The technical term of art used by NSA to describe these operations is computer network exploitation (CNE).
