The Privacy and Civil Liberties Oversight Board (PCLOB) has concluded its six-year investigation into Executive Order 12333, one of the most sprawling and influential authorities that enables the U.S. government’s mass surveillance programs. The result is a bland, short summary of a classified report, as well as a justified, scathing, and unprecedented unclassified statement of opposition from PCLOB member Travis LeBlanc.
Let’s start with the fact that the report is still classified—the PCLOB is supposed to provide public access to its work “to the greatest extent” consistent with the law and the needs of classification. Yet the public statement here is just 26 pages describing, rather than analyzing, the program. Nothing signals to the public a lack of commitment to transparency and a frank assessment of civil liberties violations like blocking the public from even reading a report about one of the most invasive U.S. surveillance programs.
Member LeBlanc rightly points out that, at a minimum, the PCLOB should have sought to have as much of its report declassified as possible, rather than issuing what he correctly criticizes as more like a “book report” than an expert legal and technical assessment.
The PCLOB was created after a recommendation by the 9/11 Commission to address important civil liberties issues raised by intelligence community activities. While its first report about Section 215 was critical in driving Congress to scale back that program, other PCLOB reports have been less useful. EFF sharply disagreed with the Board’s findings in 2014 on surveillance under FISA Section 702, especially where it found that the Section 702 program is sound “at its core,” and provides “considerable value” in the fight against terrorism—despite going on to make ten massive recommendations for what the program must do to avoid infringing on people’s privacy.
But even by the standards of past PCLOB reports, this latest report represents a new low, especially when addressing the National Security Agency’s XKEYSCORE. XKEYSCORE is a tool that the NSA uses to sift through the vast amounts of data it obtains, including under Executive Order 1333. As the Guardian reported in 2013 based upon Edward Snowden's revelations, XKEYSCORE gives analysts the power to watch—in real time—anything a person does on the Internet. There are real issues raised by this tool and, as LeBlanc notes, other than by the PCLOB, the XKEYSCORE program is “unlikely to be scrutinized by another independent oversight authority in the near future.”
LeBlanc writes that his opposition to the report stems from:
- The unwillingness of the investigation into Executive Order 12333 to scrutinize modern technological surveillance issues, such as algorithmic decision making, and their impact on privacy and civil liberties;
- A failure of the Board majority to investigate and evaluate not just how XKEYSCORE can query online communications that the NSA already has, but the legal authority and technological mechanisms that allow it to collect that data in the first place;
- The decision to leave out of the report any analysis of the actual effectiveness, costs, or benefits of XKEYSCORE;
- The haphazard and unthoughtful way the NSA defended its legal justification for the program’s use—and the Board’s unwillingness to probe into any possible issues of compliance;
- A vote to exclude LeBlanc and Board member Ed Felten’s additional recommendations from the report;
- The unwillingness of the Board to attempt to declassify the full report or inform the public about it, which LeBlanc labels as “inexcusable,” and,
- The unconventional process by which the Board voted to release the report.
Any one of these concerns would be significant.Taken together they are a scathing indictment of an oversight board that appears to be unable or unwilling to exercise actual oversight.
As LeBlanc notes, there is so much about XKEYSCORE and the NSA’s operations under Executive Order 12333 that require more public scrutiny and deep analysis of their legality. But it seems impossible to achieve this under the current regime of overbroad secrecy and PCLOB's refusal to play its role in both analyzing the programs and giving the public the information it needs. LeBlanc rightly notes that the report ignores the “collection” of information and that both collection and querying “are worthy of review for separate legal analysis, training, compliance and audit processes.” As we have long argued, this analysis is important “whether the collection and querying activities are performed by humans or machines.”
He also notes that the PCLOB failed to grapple with so-called “incidental” collection—how ordinary Americans are caught up in mass surveillance even when they are not the targets. And he notes that the PCLOB failed to investigate compliance and accepted a legality analysis of XKEYSCORE by the NSA’s Office of General Counsel that appears to only have been written after the PCLOB requested it, despite the program operating for at least a decade before. What's more, the review fails to take into consideration the Supreme Court’s more modern analysis of the Fourth Amendment. Those are just some of his concerns—all of which we share.
Nor did the PCLOB analyze the effectiveness of the program. Basic questions remain unanswered, like whether this program has ever saved any lives. Or whether, like so many other mass surveillance programs, any necessary information it gathered could not be gathered in another manner? These are all important questions that we deserve to know—and that at least one member of the PCLOB board agrees we deserve to know.
On December 4, 1981, Ronald Reagan signed Executive Order 12333, which gave renewed and robust authorities to the U.S. intelligence community to begin a regime of data collection that would eventually encompass the entire globe. Executive Order 12333 served as a damning pivot after less than a decade of reforms and mea culpas. The 1975 report of the Church Committee revealed, and attempted to end, three decades of lawless surveillance, repression, blackmail, and sabotage that the FBI, CIA, and NSA wrought onto Americans and the rest of the world. Executive Order 12333 returned the intelligence community to its original state: legally careless, technically irresponsible, and insatiable for data.
Twenty-three years after Reagan signed Executive Order 12333, PCLOB was established as a counterbalance to the intelligence community’s free reign over the years. But it’s clear that despite some early achievements, the PCLOB is not living up to its promise. That’s why cases like EFF’s Jewel v. NSA, while not about XKEYSCORE or Executive Order 13333 per se, are critically important to ensure that our constitutional and statutory rights remain protected by the courts, since independent oversight is failing. But at minimum, the PCLOB owes the public the truth about mass surveillance—and even its members are starting to see that.