The Rule of Law in Secret

It’s a joy to be back in Charlottesville, where I have so many friends and fond memories, both on the faculty, and as a law clerk to Judge Wilkinson. And it’s a privilege to be a part of this lecture series on the rule of law in Lillian Bevier’s honor.

When I was on the faculty, Lillian taught me two things that have continued to have an outsized influence on my life.

First, she taught me how to cook. Soon after I arrived in the Fall of 1994, Lillian decided that the faculty social scene would improve if she taught some of the young faculty how to cook.   And so several then-young faculty members, including Professor Walt and I, had lessons in Lillian’s great kitchen learning how to chop, and make sauces, and roast things, and the like. To this day every time I make an omelet I think of Lillian.

The second thing Lillian taught me was about the meaning and importance of the rule of law. The “rule of law” is a phrase we often throw around, usually in platitudinous ways. Lillian’s scholarship takes the idea seriously, especially in understanding its importance for judicial decision-making. A constant thread in her work is the idea that the rule of law demands judicial self-restraint. This idea is unfortunately growing out of fashion in conservative circles. Many conservative thinkers today argue against judicial restraint in favor of what some of them euphemistically call “judicial engagement” to strike down legislation that defies the conservative conception of the Constitution. This is an unfortunate trend, I think, for all of the reasons that Lillian explains so well in her scholarship.

My topic today is about how we should think about the rule of law as it applies to secret national security activities. More specifically, and to make the issue concrete and topical, I will focus on the National Security Agency. The NSA is, with the CIA, the most important intelligence-collection agency in the government.   It collects, processes, and disseminates signals intelligence information that is vital to our national security and foreign policy. But it is also the most secretive, and scariest, of U.S. institutions. As Snowden revealed, the NSA has vast technical collection and code-cracking capabilities, as well as impressive capacities to store and analyze electronic data. Like no other American institution, the NSA represents power, scale, technology and secrecy. It is thus an important test case for the rule of law.

My aim in this talk is to first explain how the rule of law applies in secret to NSA activities. I will then claim that the Snowden revelations reveal that the system has worked pretty well, though not perfectly. I will suggest some reforms. And I will conclude by explaining, in light of these remarks, how the Snowden revelations will ultimately improve our security.

First, I should address a preliminary objection, namely, that the idea of the rule of law applying in secret is a contradiction. Lillian once wrote:

By limiting in principle the legitimate authority of those who wield the power of the state, the rule of law secures to all citizens the promise that law itself will exhibit qualities of regularity, certainty, transparency, predictability, evenhandedness, and equal impersonal treatment according to known general rules and without regard to status, rank, or political persuasion.

Lillian here captures conventional view in saying that “transparency” and public knowledge of laws are core elements of the rule of law.

I agree with this but I think that – with an important qualification I will return to at the end of this talk – transparency is mostly relevant to the rule of law for instrumental reasons. The main aim of the rule of law, as John Jeffries wrote in a formulation that Lillian drew on, is “the constraint of arbitrariness in the exercise of government power.” The evils that the rule of law seeks to avoid, John explained, are “caprice and whim, the misuse of government power for private ends, and the unacknowledged reliance on illegitimate criteria of selection. The goals to be advanced are regularity and evenhandedness in the administration of justice and accountability in the use of government power. In short, the ‘rule of law’ designates the cluster of values associated with conformity to law by government.”

John is right to emphasize that conformity to law by government is the essence of the rule of law.   Transparency into the processes of law making, and law-interpretation, and law-execution is usually a means – a presumptive means – to the end of ensuring conformity to law by government. Transparency helps ensure these ends by ensuring that legal processes are subject to criticism and analysis by the press, legal experts, elected representatives, and civil society, and that they are ultimately approved, or not, by judges and by the People in elections. This intense scrutiny on legal process forces public officials to explain why their actions are lawful, to address criticisms and new information that might affect legality, and to correct mistakes. And of course transparency tamps down on capricious action and abuse.

The problem is that, for good reasons, the NSA must conduct most of its activities in secret. Surveillance techniques are fragile. Public scrutiny of NSA operations would reveal those operations to our adversaries and seriously undermine, if not destroy, their effectiveness. And full public scrutiny of the legal elements of NSA activities would reveal NSA operations in ways that would defeat their effectiveness.

We need not be embarrassed by secrecy in this context. The framers of the Constitution understood that secrecy was appropriate in the conduct of national security and they assumed that many executive branch national security activities – especially those related to intelligence-gathering and war and the conduct of foreign relations – would be secret.

But while we must not deny the need for most NSA activities to be secret, we should also not deny that secret NSA activities are presumptively deeply suspect because we cannot see them. We should be especially suspicious about the NSA’s law-compliance in secret, and worry about all of the evils that the rule of law and democratic deliberation are designed to avoid.

The challenge, then, is for the NSA to achieve the ends of rule of law compliance when the means of public transparency would defeat the agency’s vital mission. For a long time, until the Church-Pike reforms of the 1970s, NSA was untouched by law. When the deputy director of the NSA testified before the Church commission in 1975 about a Nixon-era plan of secret domestic surveillance, he stated that issues of legality “never entered into the discussion” and that he was never “concerned about whether [the operation] would be legal and proper.” Today the opposite view prevails. The NSA is highly legally regulated and exceedingly legalistic. The process of getting to this point has not always a happy one, and it had an unfortunate hiccup (to put it mildly) during the early Bush years in which I played a role. But by the time of Snowden’s revelations, the system for upholding the rule of law in secret was fully in place. Here are its main elements.

First, Congress and courts and the Department of Justice imposed significant legal rules on the NSA. Today NSA is governed by a hornet’s nest of statutes, regulations, executive orders, court orders, compliance directives, and by the Constitution, most notably the First and Fourth Amendments. There are rules about when and where and how and against whom NSA can collect, and how it can store, analyze, and distribute the information. The rules are complex and constraining. And the NSA is unique in the government, I believe, in requiring operators to take several courses annually about their legal obligations.

Second, and crucially, the government has tried to achieve transparency and adversariness behind walls of secrecy. It might seem strange to talk about transparency in secret. But many evils of executive abuse in secret occur because the circle of secrecy within the executive branch is drawn too tightly in ways that foster groupthink, that chill deliberation, and that permit mistakes to be hidden, or worse. The reforms of the past few decades have given numerous actors within the Executive branch, and across branches, legal duties and incentives to report what they are doing in secret to adversarial actors who have various veto powers over the action.

The first level of transparency and adversariness comes within the Executive branch. NSA has not just a General Counsel and Inspector General, like most agencies, but a Directorate of Compliance as well. All of these offices are charged, in different ways, with ensuring that NSA acts in accordance with the laws and regulations that govern its behavior. The Department of Justice has a strong presence at the NSA through the legal advice and scrutiny of the National Security Division and the Office of Legal Counsel. DOJ, including the Attorney General himself, also has broader duties to audit and oversee the NSA. At least half a dozen other government components – in the DOD, the DNI, and the White House – play an independent role within the Executive branch in supervising NSA’s legal compliance. All of these actors know at different levels of detail what NSA is doing because NSA has a duty to report and these actors have duties of scrutiny. Many also have statutory duties to reports legal wrongdoing to various Inspectors General, the Department of Justice, and Congress.

You should be very skeptical about the constraining effect of executive branch lawyers in these contexts, because these lawyers have duties that are not easy to reconcile and you do rarely witness instances of their restraint. Nonetheless, the groups of different lawyers with different duties and responsibilities are, and are widely seen within the Executive branch to be, important points of scrutiny and veto on NSA activities.

Next comes scrutiny by the congressional intelligence committees, to which NSA also has broad duties to report. In recent years, this reporting has included legal opinions and analysis – not just to the intelligence committees, but also to the judiciary committee. Not every member of every committee seriously scrutinizes and acts upon the information reported. But I think it is fair to say that most members of the intelligence committees are informed and engage in responsible oversight of the NSA. Just as important, even sporadic or dysfunctional oversight has important “before-the-fact” disciplining and accountability effects within the Executive branch. NSA interacts with the intelligence committees on literally a daily basis. The duties to comply with the law and report activities to Congress, combined with political and legal and personal penalties for not doing so, spark valuable deliberation and care inside the executive branch about legal compliance even before the committees react. Having to tell another institution with different and often adversarial interests about NSA activities and their legal basis forces the executive branch to reflect on its actions, and anticipate problems, and ensure compliance.

Third, the NSA has its very own court, the Foreign Intelligence Surveillance Court, and no other agency in government is as closely supervised by the judiciary. In addition to its role issuing warrants for foreign intelligence surveillance, the FISA court authorizes the NSA’s more programmatic collections under Section 215 (the bulk telephony metadata collection program) and 702 (the program of targeted surveillance of foreigners abroad). It also plays an active role in ensuring compliance with its orders. Importantly, the government is to “immediately” notify the FISA Court if it discovers anything that doesn’t comply with the Court’s authorization or approval or with applicable law. We shall see in a moment this rule has real bite.

These in a nutshell are the mechanisms by which several hundreds of men and women in government spend all or most of their time ensuring NSA compliance with law. I don’t think there is any agency in the government that is more heavily scrutinized – by Executive branch lawyers, by an oversight committee, or by federal courts – for rule-of-law compliance.

But how does all this work in practice? Some people think that the Snowden revelations show that the rule-of-law system I described is broken. I think that view is wrong. The Snowden revelations show that the system works pretty well, with a large exception that I believe we are on the way to fixing.

After the Snowden leaks, the government revealed serious compliance problems with two of NSA’s major programmatic collection programs. With regard to Section 215 bulk collection program, beginning in 2009, NSA reported to the FISA Court significant issues of non-compliance with court orders related to, among other things, the description of NSA programs and NSA searches of and distribution of metadata. The NSA said these were good faith mistakes in implementing complex legal directives in a complex context. Judge Walton took a harshly skeptical view of the non-compliance and significantly curtailed NSA’s discretion related to the program until NSA improved its compliance structures. Through an iterative process between the NSA and the court, overseen by the Justice Department and with full knowledge of congressional intelligence committees, the program was eventually restored and its compliance system blessed. Among other innovations, this iterative process led to the creation of NSA’s compliance office and augmentation of DOJ oversight. A similar episode occurred when NSA reported compliance problems with regard to the Section 702 program, which targets foreigners overseas. Judge Bates in October 2011 excoriated NSA for mishandling or insufficiently minimizing U.S. person information collected under 702, among other things. The NSA made changes, and reported to Judge Bates, who one month later that he was satisfied NSA had fixed the problem.

Some people view these episodes as evidence of NSA lawlessness. I view them quite differently. I think they show the rule of law system working well in secret.

First, while Judge Walton seemed to believe he was misled, my reading of the record is that the compliance problems were not purposeful or willful.  Instead, they reflected the difficulties of implementing a massive, newly re-structured collection program that required application of fine-grained legal distinctions to billions of communications.  The challenges of legal and technical interpretation; of communication between judge, lawyer, technologist, and operator; and of technological implementation, were enormous. Errors large and small, especially at first, were inevitable here, as they always are even in much less complicated governmental or corporate actions.

Second, these episodes reveal that many actors in all three institutions of government took law and compliance seriously. The congressional Intelligence committees and FISA court knew everything that was going on and were deeply involved in scrutinizing and, when appropriate, pushing back against NSA. They could do these things because NSA or DOJ discovered problems and reported them to the court and to the intelligence committees. This is a crucial point. The Executive branch discovered and reported the problem without external nudging. This transparency within the executive branch (NSA self-scrutiny and self-reporting) fostered transparency and accountability across the branches (in the form of consequential judicial and congressional review).

Third, and most importantly, In a context when the government had no reason to think its actions would ever be scrutinized extensively in public, everyone in the system took the rule of law very seriously IN SECRET and worked to ensure that it was satisfied.

I don’t want to be mistaken for arguing that the Snowden leaks revealed no rule-of-law problems. The main problem they revealed is this. The NSA is governed by publicly enacted laws. But the public elements of its governing laws sometimes only distantly relate to its legal authorities and restrictions. Over time, law-in-secret develops in many directions through interpretation by executive branch lawyers and FISA judges. This is not unusual, of course. In public contexts, statutory and constitutional law often changes through interpretation and practice. But when this happens in the NSA, citizens and the press and civil society and ordinary federal courts cannot assess these accretions to determine whether they approve of them.

The best example is the bulk collection program, which rests on a controversial interpretation of Section 215 of the PATRIOT Act. To apply for an Order from the FISA court for production of “tangible things,” which includes telephone records, the application must show that there “reasonable grounds” to suspect that the items sought are “relevant to an authorized investigation.” The most obvious reading of this provision is to authorize information which is itself discreetly relevant to an investigation. The government argued, and the FISA court agreed, that collection of almost all telephone metadata in the nation could be deemed “relevant” based on the fact that without it the government could not discern patterns and connections of relevant terrorist activity. The FISA court also agreed that this bulk collection did not violate the Fourth Amendment, based on a precedent that did not involve meta data searches on anything approaching this scale.

This interpretation and the collection program built upon it was without a doubt the most controversial disclosure from the Snowden revelations. It was controversial because governmental bulk metadata collection is inherently controversial. But it was also controversial because neither the statutory nor the constitutional interpretations were obviously right. I do not think the interpretations were obviously wrong either, or even outside the normal range of executive and judicial extension of law to new situations that happens every day in public and that is often fodder in Supreme Court opinions. But it all happened in secret, the program was enormous and controversial, and almost everyone was very surprised to learn what NSA was doing.

The 215 Bulk Collection program is, I think, a failure of the rule of law in secret. It is not necessarily a failure of legal compliance. That depends on whether you think the government in secret got it right – an issue now being litigated in public. But assume that the Supreme Court eventually upholds the 215 program in its entirely. The program still has to be considered a failure of the rule of law because the American People could not have known about it by looking carefully at NSA’s authorizing statutes. (The same was not true of the 702 targeted collection of foreigners program – many were shocked by what the government was doing but those activities were in general clearly contemplated by the revisions 2008 FISA Amendments.)   I said earlier that the conformity to law by government is the essence of the rule of law. The problem with the 215 program was that it rested on a controversial and non-obvious interpretation of a law to such a degree that the very meaning of conforming to law was deeply contestable.

The 215 experience teaches that it is very difficult to justify secrecy about what the law basically authorizes and permits, as opposed to law enforcement and compliance. The American people, and the rule of law, can accept secrecy about NSA operations, and sources, and compliance rates with generally known authorities. But it is unacceptable when the contours of a massive governmental surveillance operation in the United States are unknowable to the public and a huge surprise based on known legal authorities. And this is so, I think, even if the non-obvious statutory interpretation that supported it was fully vetted and approved in secret with the mechanisms I described earlier.

How might we fix this problem consistent with both the rule of law and with the need for secrecy? One much-discussed procedural fix might be to introduce more adversariness into the process. The idea is that the FISA court never would have approved bulk collection under 215 if it had full adversary briefing. While I think full adversary briefing might be a useful innovation, I don’t think it is any guarantee that government won’t reach surprising legal interpretations in secret. Perhaps a better way to avoid that outcome is to take up a proposal by Orin Kerr in the Virginia Law Review. Kerr proposes a rule of narrow construction, or rule of lenity, for national security surveillance statutes that would significantly raise the bar to imaginative privacy-narrowing legal interpretations.

A third possibility, an obvious possibility, and one that is potentially less restrictive to NSA authorities, is simply to require the government to disclose publicly all fundamental legal interpretations in such a way that the public can grasp in general terms what NSA might be doing in the domestic realm. This is easier said than done, of course, because such a rule would necessarily disclose sensitive activities that, taken alone, retard our security. But secrecy about collection capacities of the government is one value, and not the only or even the most important one. And not all revelations of NSA capabilities are equally harmful. Disclosure that the government has interpreted Section 215 to sweep up metadata is less damaging to its intelligence-collection mission than disclosure of the fine-grained details about how NSA collects and analyzes that metadata. And moreover, it is much less damaging for NSA to self-disclose its underlying legal authorities, than for the public to learn of the matter through leaks. This is true both because the government has more control about what’s disclosed and because the government is more likely to get credit and gain legitimacy from self-disclosure.

This brings me to my final point, the value of the Snowden leaks. These leaks went far beyond domestic whistleblowing and revealed some of our most sensitive penetrations of our adversaries’ communications. It is hard to overstate how damaging the revelations were in terms of investments lost, collection capabilities compromised, and intelligence partnerships diminished. But there is a happy side as well, not just for government-skeptical civil libertarians, but also for those, like me, who generally approve of aggressive government action against threats. The happy side is that the NSA, and more broadly many in the intelligence community, get the point I just made about the need to be less secretive and disclose much more about what it is doing, especially at home and especially with regard to law.

Consider what Director of National Intelligence James Clapper said soon after the Snowden revelations: “Before the unauthorized disclosures, we were always conservative about discussing specifics of our collection programs, based on the truism that the more adversaries know about what we’re doing, the more they can avoid our surveillance. But the disclosures, for better or worse, have lowered the threshold for discussing these matters in public.”

Before Snowden, the rule in NSA was to reveal nothing about its activities unless compelled. The NSA was quite proud of and confident in its commitment to law in secret and felt no need to win public trust; and so it focused solely on the intelligence mission narrowly conceived. Snowden changed all this. He drove home what earlier NSA revelations should have made clear, namely, that the same technologies that empower the government to surveil on an unprecedented scale also empower actors in and out of government to surveil NSA and reveal its secrets. He also revealed that compliance in secret is not enough when there is the large gap in public expectations that I described earlier. And he showed that the NSA was incredibly poorly equipped to explain in public its commitment to law in secret or, moe generally, the legitimacy of its actions.

Since the Snowden revelations, the NSA has changed quite a lot on all of these fronts. To take one example, the NSA has done what was once unthinkable by releasing well over one hundred highly classified documents, almost all of them related to law compliance. These disclosures implicitly confirm general elements of NSA collection capabilities, including details beyond what Snowden revealed. The revelations have been bewildering to most people in the intelligence community and no doubt hurt some elements of collection. But they are justified by the countervailing need for public debate about, and public confidence in, the legal basis for NSA activities that had run ahead of what the public expected. And the NSA is adjusting itself in other ways to be much more transparent about the legal basis of its operations, especially domestically.

The general challenge for the NSA and for the country is to find the level of scrutiny and transparency that allows NSA the greatest freedom to do its security mission that is consistent with the effectiveness of its surveillance methods and public confidence that NSA is acting legally and in the public interest. Many people have different views about how this complex balance should be struck, especially in light of what Snowden disclosed.

But here, in closing, is a prediction about how the balance will be struck, no matter what the thinking now. An important feature of modern life is the decentralization of ever-more-powerful weapons into the hands of individuals with the capability of achieving extraordinary harm from a distance. The 9/11 attacks were an example of this. The cybersecurity threat to our digital networks – on which we depend for literally everything – are the most frightening and pressing example today.   The rise of more-pervasive and ever-smaller drones is yet another example. As are biological threats.

These powerful decentralized threats are hard to defend against. One important way to defend against them is for the State to monitor for potential malicious actors aggressively so it can find and stop them before they strike or do too much harm. In the cybersecurity context, for example, defense will require the government in some form to live in the networks to find and stop malicious attacks in real time.

My prediction is that these decentralized threats, and especially the cyber threat, will compel the government, pushed by the public, to give the NSA broader authority than today to surveil, and to monitor digital threats, within the United States. That broader authority will necessarily be accompanied by greater oversight, review, and auditing of the type I described earlier, and greater NSA transparency.

Two important lessons of the last dozen years are FIRST, the government will increase its powers to meet the national security threat fully (because the People demand it), and SECOND, the enhanced powers will be accompanied by novel systems of review and transparency that seem to those in the Executive branch to be intrusive and antagonistic to the traditional national security mission, but that in the end are key legitimating factors for the expanded authorities. This was true about habeas review of GTMO detentions, enhanced congressional and judicial oversight of military commissions, the 2008 amendments to FISA, and greater public transparency and congressional oversight of targeted killing by drone. And it will be true of expanded NSA authorities as the NSA’s vital capabilities become even more important to our security. In this sense, the Snowden revelations – to the extent that they force NSA to open up, and to get used to greater public scrutiny, and to recalibrate its understanding of the tradeoffs between openness and security – will one day be seen to have paved the way to broader NSA powers and better national security.