Regulating the surveillance state, upstream and down: a law & economics approach to the intelligence framework and proposed reforms.

• Author: Atkinson, L. Rush

INTRODUCTION I. THE UPSTREAM-DOWNSTREAM TAXONOMY OF INTELLIGENCE REGULATION A. Upstream Regulations B. Downstream Regulations II. HISTORICAL DOWNSTREAM REGULATION OF U.S. INTELLIGENCE OPERATIONS III. AN ECONOMIC COMPARISON OF UPSTREAM AND DOWNSTREAM REGULATIONS CONCLUSION: DOWNSTREAM REGULATIONS, BACK IN VOGUE? INTRODUCTION

The twelve and a half years since the September 11 attacks have seen an unprecedented development in the regulation of the U.S. national security apparatus, particularly in the intelligence arm of that apparatus. Since 2001, Congress has passed the USA PATRIOT Act of 2001; the Intelligence Reform and Terrorism Prevention Act of 2004; the Protect America Act of 2007; the FISA Amendments Act of 2008; and the FISA Amendments Act Reauthorization Act of 2012, not to mention various technical amendments and other smaller reforms along the way. On top of legislative actions, the executive branch has implemented policies and regulations that include two new Attorney General's guidelines for national security investigations. (1)

The thicket of new regulations means that there are now restrictions on countless facets of intelligence collection: court approval for domestic surveillance, predication requirements for foreign targets, minimization rules for U.S. person information, limits on the dissemination of collected information, restrictions on the use of intelligence by recipients, and so on. And yet while policymakers, analysts, and academics have been quick to suggest more or less regulation, we have not done a good enough job of laying out a framework that allows us to categorize, compare, and study these different rules. As a result, we lack a compass for navigating this thicket, leaving us analytically understaffed.

This Article begins by laying out a basic framework for how one can conceptualize the regulation of the intelligence community. Intelligence laws--those affecting the executive's ability to collect and utilize information about foreign threats--can be visualized as "upstream" or "downstream" restrictions. Upstream regulations limit the ways that the government collects information about different threat streams, such as terrorists, spies, and state-sponsored hackers. (2) These include requirements of predicate suspicion (probable cause) and particularity (limits on "dragnet surveillance" or the indiscriminate collection and analysis of data). (3) Downstream regulations limit the government's responses to threats identified through intelligence collection. Assassination bans, restrictions on prosecution (such as bars on the prosecutorial use of collected intelligence (4)), and protections against indiscriminate administrative actions (such as due process requirements connected to sanctions (5)) are all forms of downstream regulations. As explained in Part I, many downstream regulations are not thought of as affecting the intelligence community, but in practice they can shape intelligence collection as much as upstream regulations.

Starting with the passage of the Foreign Intelligence Surveillance Act in 1978, the U.S. intelligence community has become increasingly governed by upstream regulations, and current debates seem fixated on possible upstream regulations. This approach was a sharp departure from earlier methodologies of regulating U.S. intelligence collection, which focused much more on downstream regulations. Part II discusses the historical use of downstream regulation to control U.S. intelligence collection and its effectiveness in regulating the intelligence community.

Finally, in Part III, this Article examines some of the relative merits of regulating intelligence collection via upstream and downstream means. It argues that downstream regulation of intelligence agencies possesses several general advantages over upstream means. Indeed, the Article suggests that, from the perspective of civil liberties, upstream regulations can be self-defeating, as the executive branch often takes broad prophylactic measures to guard against unknown threats. Conversely, downstream regulations can allow the intelligence network to observe threat streams with a broad aperture, while protecting the citizenry against the most serious costs generated by an active intelligence community.

Ultimately, the optimal regulatory approach to the U.S. intelligence community is likely to be a mix of upstream and downstream regulations. For a variety of reasons, however, downstream regulations receive short shrift in today's debates about how to regulate the intelligence community. There are two major consequences of this short-sightedness. First, because downstream regulations are often overlooked, assessments often underreport the total number of regulations that face U.S. intelligence collection, running a risk of suboptimal overregulation of intelligence collection. Second, privileging upstream regulation has led to regulatory mismatch, where less precise upstream approaches to intelligence regulation are the only option considered, to the exclusion of downstream regulations that would be better for the intelligence community and citizenry alike.

I. THE UPSTREAM-DOWNSTREAM TAXONOMY OF INTELLIGENCE REGULATION

Part I of this Article sets forth a simple taxonomy for categorizing intelligence laws. Though there are countless regulations affecting the U.S. intelligence community, one easy way to sort regulations is to think of them as either "upstream" or "downstream" regulations. In addition to setting forth basic definitions and examples of upstream and downstream regulations, Part I also addresses how many of the downstream regulations that affect intelligence collection are overlooked because they are not directly aimed at the intelligence agencies.

1. Upstream Regulations

   Upstream regulations affect the aperture of intelligence agencies, essentially narrowing the amount of information that they take in. The most common examples of these in the intelligence world are predication requirements. In the current version of the Foreign Intelligence Surveillance Act ("FISA"), for example, there are a few different levels of predication imposed on intelligence collection. "Traditional" FISA, that is, Titles I and III of FISA, imposes different probable cause requirements: probable cause to believe that the target of surveillance is an agent of a foreign power (or a foreign power itself), probable cause to believe that the facility being targeted is used or owned by the target, and, in the case of U.S. persons, probable cause to believe that a crime has been committed. (6) In more recently passed amendments of FISA concerning overseas collection, the standard is lower but is still real. Section 702, probably the most famous of the new FISA provisions passed under the FISA Amendments Act, requires reasonable suspicion before targeting a person believed to be overseas. (7)

   Predication is just one example of upstream regulation. Other regulations have a significant impact on the amount of information collected by an intelligence agency. For example, judicial approval is a requirement that can very much limit collection. (8) Even with slam-dunk probable cause, the need to go to a judge imposes significant bureaucratic costs; the result is that the "smaller" cases tend to fall by the wayside. Similar winnowing occurs from FISA and Title III requirements that not only require a Department of Justice attorney to draft and submit the application but also require multiple high-ranking officials to certify the application. (9) Other upstream regulations include monitoring or resource requirements. Title III, for example, requires constant monitoring of any wire that the government surveils in order to minimize the collection of irrelevant information. (10) The need to babysit a wire translates to the government being limited to how many wires it has the resources to monitor, since robust surveillance requires paying for overtime and taking people off the streets to monitor the wire.

2. Downstream Regulations

   When talking about regulating the U.S. intelligence community (USIC), it is important to keep in mind that the agencies within the community have a very mission-oriented purpose: to supply others involved in the national security apparatus with actionable intelligence. As a colleague working in an intelligence agency recently told me, people seem to forget that the USIC does not go around collecting information willy-nilly. Rather, the USIC bases its intelligence-gathering decisions on the needs communicated to it by its "clients" or "customers." (11) Those clients include the military, foreign governments, and domestic law enforcement groups--ranging from counter-narcotics and human trafficking to counterterrorism and counterespionage groups. (12) This supply and demand connection may seem fairly obvious, but it is crucial to remember that every intelligence agency is a rational market-driven supplier of information.

   Downstream regulations focus on what the government does with the information collected by surveillance. Often the regulations do not target the "watchers" directly, but rather are regulations that affect the customers of the U.S. intelligence agencies. After the U.S. government has identified a threat, it often has a variety of policy options with which to respond. For example, in the prototypical foreign terrorism scenario (i.e., a plot hatched by overseas actors), the government often has certain military options overseas--whether unilateral or with its allies. The government also has law enforcement options: For example, the government could work with foreign authorities to arrest the suspects, bring them back to the United States, and try them for various terrorist charges. Law enforcement and military options, however, are just the first two arrows in the quiver. The information could be passed to the U.S. Treasury Department, which could freeze the cell's identified assets...