[justinschuh]

I don't see how you could think the PAA and FAA have similar language. The PAA was a pretty ugly bill, and significantly loosened both FISA and USSID 18 restrictions against collection on US persons. Whereas the FAA actually reinstated FISA order requirements and closed the third-party carrier loophole. So, the FAA was an unambiguous win for privacy over the then-expiring PAA, and more importantly it was an improvement over the pre PAA version of FISA.

Before the FAA passed, there were no requirements or oversight governing collection of non US persons communicating over a US carrier. And in fact, existing legal precedent does not treat the carrier as party to the communication, so collection under those circumstances was likely legal. That's exactly the loophole the previous administration exploited to compel third-party compliance in foreign intelligence collection without oversight.

[declan]

I didn't think it was controversial to claim that the PAA and FAA have similar language. Here's one section from both bills (Sec. 702 in the FAA and 105B in the PAA) authorizing warrantless surveillance:

http://thomas.loc.gov/cgi-bin/bdquery/z?d110:s.01927: Notwithstanding any other law, the Director of National Intelligence and the Attorney General, may for periods of up to one year authorize the acquisition of foreign intelligence information concerning persons reasonably believed to be outside the United States...

http://thomas.loc.gov/cgi-bin/bdquery/z?d110:H.R.6304: Notwithstanding any other provision of law... the Attorney General and the Director of National Intelligence may authorize jointly, for a period of up to 1 year from the effective date of the authorization, the targeting of persons reasonably believed to be located outside the United States...

I didn't say they were identical, just that they were similar. Though each does use the identical language about limits on targeting "persons reasonably believed to be located outside the United States" -- and we found out from last week's leaks how far that language can be stretched.

[justinschuh]

Claiming the bills have similar language implies that they have similar effect. However, the facts are quite opposite. The PAA significantly reduced oversight and individual protections while the effect of the FAA was to increase both.

Even those passages you're citing are night and day apart. The first authorizes collection against US persons on foreign soil, which flew in the face of 50 years of precedent. Whereas the second is truncated to the point of being almost meaningless, but in context it defines some terms of collection against non US persons outside the US--something legal for all of US history. The only similarities between the two are the responsible parties and the duration, which are basically boilerplate.

[csoghoian]

Justin, have you read the recently leaked NSA rules outlining how they define a non-US person for the purpose of FAA surveillance?

See: http://www.guardian.co.uk/world/interactive/2013/jun/20/exhi..., page 4, paragraph 1.

If the NSA does not know whether someone is a US person or a foreigner, the agency assumes that the person is a foreigner. That matters a lot if, for example, you're using Tor.

You might also want to look at the recently leaked minimization rules, which permit the retention of purely domestic communications collected under the FAA, if that information can be used to develop and exploit security vulnerabilities. Given where you work now, and what you work on, that might be somewhat important.

See: http://www.guardian.co.uk/world/interactive/2013/jun/20/exhi..., page 5, paragraph 3.

[justinschuh]

Chris, that's one paragraph absent the surrounding context. Targeting must be validated and verified as outside the US, but beyond that it can be very hard to authoritatively guarantee what the nationality of the parties is. The best I can add is that I've done the job, and I know the cardinal rule is you do not collect on US persons except in the rare case that you have a FISA order. And the people I know still doing the job concur that hasn't changed. Violating it willfully or negligently means the end of a career and possible jail time.

[csoghoian]

There appears to be a bit of a conflict between the cardinal rule you were taught when you worked at NSA of not collecting information on US persons with the current practices of the NSA.

The Section 215 program in which the NSA has been collecting metadata about every domestic telephone call would appear to violate that rule, even if, as we are told, only a couple dozen NSA employees can query the database, and even if they only use it for investigations related to terrorism.

Likewise, the non-us persons targeting rules leaked last week suggest that the NSA has ongoing access to GSM Home Location Register data for the entire United States. While this doesn't pinpoint someone's location to a house or street, we're still talking about the NSA getting city-level location data for hundreds of millions of innocent Americans.

See page 6 of: http://www.guardian.co.uk/world/interactive/2013/jun/20/exhi...

Given how compartmentalized NSA is, it seems quite reasonable that your former team (which, I assume, penetrated the computers of foreign targets) would have no contact at all with the teams tasked with collecting domestic communications.

[justinschuh]

I don't know what was ambiguous about "except in the rare case that you have a FISA order." I'm dubious of the metadata thing (a bit less knowing that it is not part of the collection and A&P pipeline), but the fact is that it was approved by the FISA court and an order was issued.

[lawnchair_larry]

You're clearly using the bullshit redefinition of "collect" here, because you know damn well that's a lie.

[declan]

I was amused to see your claim of the FAA "increas[ing]" oversight appearing within a few hours of the Guardian's article on the latest NSA disclosures. It says precisely the opposite: that the FAA "relaxed surveillance restrictions." Here's the link:

http://www.guardian.co.uk/world/2013/jun/27/nsa-online-metad... It relied, legally, on "FAA Authority", a reference to the 2008 Fisa Amendments Act that relaxed surveillance restrictions.

[justinschuh]

You do realize how the last one of these Greenwald articles from the Guardian played out, right? Another reporter actually had to write a piece walking back every one of the accusations concerning PRISM. And yet, given Greenwald's proven track record of being wrong, you're happy to take him at face value? Perhaps it's time you look inward and consider your own personal biases and motivations here?

[declan]

My article was, I believe, the first to rebut those accusations: http://news.cnet.com/8301-13578_3-57588337-38/no-evidence-of...

I just happened to be reading that Greenwald article around the same time I saw your response, but I'm not relying on his analysis: I posted excerpts from both bills. They are similar, not identical, and I wrote about both at the time they were enacted.

I'm going to decline to speculate about personal biases and motivations.