You have to read the FISA system in context. Surveillance under the Act is only authorized in cases where the 4th amendment doesn't apply and where no warrant would otherwise be required. Under those circumstances, it's not particularly outrageous to allow the AG or DNI to proceed without a FISA warrant under certain circumstances.
In fairness that's not very reassuring for the idea that an NSA analyst may decide to look at a U.S. citizen's traffic and then "whoops, let's minimize that".
I guess what I'm wondering is what are the supervisory controls that are put in place to catch and discipline an analyst who looks into warrant-required intercepts where it isn't a bona-fide innocent error? I.e. if you know the person is a citizen you shouldn't look at all (without getting a warrant), and if you don't know but find out in the middle of reading the data then you should stop and minimize immediately.
I can't so much as release a military member's pay transaction without having it looked at by a supervisor and eventually audited (likely by 2-3 different groups when it's all said and done). Are there similar supervisory controls in place here? Those would be good questions to ask to ensure that any such usage of the FISA is kept in line with the already quite-expansive spirit of the law.
All very fair points. I'm not sure if it's even possible to get the kind of necessary supervision. I'm just pointing out that the law isn't facially ridiculous, even if it might create structures that are practically unworkable.
I think we can get "good enough" supervision using a combination of even just widely-known management controls. Technical controls would add icing to that cake but I don't think it would even be technically necessary.
Much like with vaccination regimes we're trying to ensure that a critical mass of malicious analysts are not able to form, so you don't necessarily have to catch them all but you do have to catch enough to ensure no damaging conspiracies can form.
- Combine an evidence review process where an analyst's products are routed for minimize/warrant compliance to ensure the data is sourced properly.
- Ensure the supervisors are trained and maintain proficiency so as to be able to support those reviews.
- Have trained NSA analysts take a career path (or at the very least a detail) as auditors whose function is to audit usages of these collected records (both in the past and currently in-use). Require a supervisor of some level to override an audit hold on a current investigation, and have that override automatically emailed to designated personnel (the idea being to ensure that multiple unrelated persons get their hands dirty if malicious activity is going on).
These are all just examples, I'm those with more brains on human systems engineering could think of something more appropriate.
But the point is that, even as serious as this issue is, we're not talking about things like life or death, severe damage to property, people not getting paid, people improperly getting paid, or any of the numerous other pressure points a government can use to create a police state. So surely there are administrative controls that can be emplaced, if we must choose to do this, to get the benefit without the risk to the rise of a police state. In fact I think such a thing could even be itself publicly documented without affecting the real need of the NSA (and other IC agencies) to maintain absolute secrecy about their tactical operations and policies.
