... [After 9/11, the FBI is looking at several new challenges.] Number one is a whole new function: pre-emption; prevention. ... What kind of a lurch is this for people inside the FBI, the cultural change, trying to figure out what information do we need, what is useful?

Right. It was quite a shock, and I don't think the FBI is anywhere near over it even six years … after 9/11. ... [T]hese are people who are steeped in the criminal process, who really are taught to think in terms of making a criminal case.

Everything about the FBI -- the way it organizes its information, the statistics that are used to judge people's performance, the language, everything -- is shaped by the criminal-case experience, and so I think it is asking a lot of people to shift quickly out of that. There is a cultural orientation there that it will take a long time to change, and it will probably only change as the generation of the FBI moves forward or people are trained in a more proactive way.

On the other side of this, the people talk about proactive, preventative operations, but that's rarely followed by a very precise definition of what that means. So in addition to the culture I think you also have the FBI being tasked with a requirement that's not that well understood. We all want to prevent the next terrorist attack. What exactly does that mean for an FBI agent? ...

[Intelligence is] the currency of the new war against terrorists. If that has not been a traditional function, how does the FBI decide what information it needed, or is all information valuable at the beginning?

I think the paradigm in the FBI was really to focus on individual targets as quickly as possible. It struck me that if you look at the FBI's internal regulations, ... they all push you to identify the target of the investigation as soon as possible, collect the information that you need there, and then sort of discard the rest.

[What are] the legal changes that gave the FBI greater latitude and a broader perspective?

Certainly many of these you will find in the Patriot Act, which was passed in the fall of 2001, about six weeks after the 9/11 attacks. One of the key changes was to the FBI's investigative authority, some basic information-gathering tools in which the legal standard went from specific suspicion, or having to demonstrate specific facts about an individual targeted, to an authority that said look, you can go get this information if it's relevant to your ongoing investigation. ...

In practical terms, what does that mean to the FBI, when the Patriot Act says you can gather information relevant to an ongoing investigation? Does that open the doors?

It opens the doors considerably. The FBI still has some rules about what it takes to open an investigation … in the terrorism context, but prior to the Patriot Act, the question was the tools. So if I was looking at a particular threat or an individual or a potential terrorist cell, well, I would want to go find out who are these people in contact with. So I might want to look at telephone records; I might want to look at financial records; I might want to look at credit records.

Prior to Patriot Act I could get access to those things through a legal authority, but I would need to, in order to get that legal authority, demonstrate that the person I was targeting was to a certain legal-proof level -- not the probable-cause level but somewhat lower, still quite detailed -- that that person was a terrorist.

When you say had to go to a legal authority, [you] had to go to a judge to get a warrant? ...

No, we're not even talking about warrants. These are subpoena-like authorities that the FBI would use to collect basic information, like financial records, telephone records. When I say telephone records, I don't mean the contents of people's phone calls. I mean the numbers that were dialed, say, from a particular location or that dialed in. This is all referred to as transactional information; in other words, information that doesn't carry content of communications.

So before 9/11, before the Patriot Act, the FBI has authority to use administrative subpoenas to gather specific information. After 9/11, after the Patriot Act, what can they do?

These authorities, these administrative subpoenas, which are called national security letters [NSL], still exist. But the legal authority has changed to say you can issue these if the information you are seeking is relevant to your investigation. So in other words, it's become unlinked from the specific target and the standard of proof. In other words, what you have to demonstrate before you can use the authority is much lower. It's simply: "This information is something that I believe is useful [and] will be useful in furthering this investigation." So it is a much broader tool, much easier to use.

And what happens? Are there more national security letters issued? Is much more information gathered?

Well, it's hard to tell. The numbers of national security letters are reported each year to Congress. The report, however, is classified. There is certainly anecdotal information or it's been reported in the press that the numbers of national security letters have increased substantially since these changes were made in the Patriot Act. ...

Prior to the Patriot Act there was what people commonly refer to as a "wall" between [intelligence and criminal] investigations. … In addition to broadening some of the national security tools like the national security letters, the Patriot Act also punched holes in that wall so that there was much more of a flow of information between these two kinds of cases.

It also meant that criminal investigative authorities and national security investigative authorities could be mixed. So not only were the legal standards of these tools changed, but the range of tools available was brought by the act. And all of this is probably playing into the increased numbers or the increased amount of information that we see being collected.

[Earlier] you were saying something like there was a mushrooming of programs to gather and amass much more information than to analyze it. I wonder if you could just describe that to me. What was the process? What was happening?

After the initial reaction to 9/11 -- and this was not limited to the FBI; I would say government-wide there [was] this growth in ... the government starting programs, kind of connect-the-dots programs. So collect a lot of information, low-level information, information that's not necessarily or not traditionally been viewed as very intrusive, and analyze to start to see patterns to try to catch the person that we don't know about, who has no record, whose name would mean nothing in the FBI's databases or the CIA's databases, but [who] is doing things that we know fit a pattern of the way international terrorists tend to operate.

You certainly see efforts at the FBI. You see efforts at what becomes Homeland Security. The various Transportation Security Administration databases on airline travel -- that is one. There are efforts in the Treasury Department in the financial world. There are efforts in the Department of Defense. Everyone is sort of chasing this idea that if we could construct the right tool for analyzing all of this disparate data, we could spot the next unknown terrorist.

There is a famous example of that. The Total Information Awareness [TIA] initiative was a very sort of theoretical idea, but it was a development along these lines: the idea that if you could pull from all the right databases and you could connect all of these bodies of information, then you could search them intelligently, and you could look for patterns.

So Total Information Awareness was a program, but it was also a kind of a mind-set that was growing in government.

I would say in the government, and then of course as the government does this, you have private industry which supplies the government with these tools. So in the post-9/11 environment, if you were a large defense or information technology contractor, this is a service that there is a market for. So you have many, many people building systems that are designed to search large amounts of information or designed to help a government analyst draw together disparate forms of information. ...

Why? At that time, late 2001, 2002 and so on, was there greater expertise in the private sector? Were there people who had better software for analyzing data?

I think the private sector is probably where you will always find the most up-to-date technical solutions. I think the government -- there are some exceptions in the government -- but certainly the FBI, technology was never their strong suit, and that if you wanted this kind of expertise, it would be logical to look outside for support. Plus, this is something the private sector has been doing for a long time. If you think about telephone companies, credit bureaus, banks, they have in place to protect their own information very sophisticated mechanisms for handling huge amounts of information, for looking for trends. ...

You are talking about the FBI being maybe a little more behind the curve on this than some other agencies. Would a company like LexisNexis or ChoicePoint, would they actually have sort of a service they could offer the FBI?

Oh, absolutely. These companies, the two examples you've given, LexisNexis and ChoicePoint, are used throughout the government. An ordinary person can subscribe to both of them. These are used in government agencies principally as a means for quickly checking public records. Both of those services and others like them collate vast amounts of publicly available information in an easily searchable form.

What we started to see, I believe, mostly after 9/11 were companies like that marketing sort of law enforcement-only-type databases, so things mostly involving credit records that were not publicly accessible records but could be accessed under the proper authorities. For law enforcement there is a big private market for this.

So you're saying there was data that they had collected that wasn't public data.

Yes.

And the FBI and other agencies could get hold of it by what, buying the information, subscribing to the service?

Subscribing, and there were certain legal authorities that had to be met to allow, but these would have been enforced internally in the FBI and in law enforcement. Maybe you'll be able to understand that the, for example, credit information which is readily accessible out there in the private sector -- all kinds of people can run credit reports on you. People who want to sell you credit cards can do it; go try to buy a car or a house, etc.

The law, however, places a much higher barrier, interestingly enough, to the government. The FBI can't just go run a credit report on you. Particularly prior to 9/11, [it] has to meet a certain legal standard. ... So what you had then as this market develops is you have private entities, the same people that do credit searches for car dealerships and credit card marketing companies will say, well, we can offer this service to the government as well.

[When he changed the guidelines for the FBI,] Attorney General [John] Ashcroft made a big deal out of it. He had a press conference. He said we are unleashing the FBI. ... In terms of the FBI's ability to gather information, whether it's going to mosques or going to ChoicePoint, what did it mean to agents in the field?

... What the new guidelines acknowledged in a way that the old ones did not was that the FBI had this preventative mission, and you could open an investigation on a particular threat or a particular area of concern without knowing the individual yet to target. That was always theoretically possible under the old guidelines, but it was a much more convoluted process. ...

Significant?

Very significant.

Why?

I think because it starts to get the FBI thinking: "I don't have to have my end case in mind. I don't have to have the name or the picture of the person I am going to prosecute to start using these tools. I could have a target that we need to protect from terrorism. I could have some intelligence that has come from another agency that we should be looking at this." And it sort of delinks it from the specific individual, which was the traditional way of thinking. ...

Let's take a real case. In Las Vegas, New Year's 2003, 2004, … they got a report from headquarters that said Al Qaeda may have an interest in Las Vegas around New Year's Eve. No target, no names of any individuals. Totally open-ended. They gathered the information on every single person who visited Las Vegas in the two-week period -- all the hotel records, car records, airline records. Are we looking at the impact of the new guidelines issued by the attorney general?

Certainly. The new guidelines and all the post-9/11 developments we have been talking about. If you tell the FBI to do preventive work, this is the sort of thing that one would expect the FBI to do. …

It's a very double-edged sword, this idea of preventive work by the FBI. It means that you kind of break the FBI out of the traditional investigative mode, but it also means you're going to have the FBI looking at a lot of amorphous situations in which the targets aren't apparent and the foundational information could just be wrong, and so all this information that has been collected might in the final analysis be unnecessary.

But you are also getting a lot of information collected on a lot of innocent people.

Absolutely, yes.

I mean, is that one of the costs of the new methods?

I believe it is. ... When you are looking at an individual, you focus in. If you have incidental collection of information that you kind of got swept up with the information you're really after, you segregate it; you push it away. …

When you talk about prevention, you're saying to people, well, you can't just focus on one person. You have to cast the net a bit more broadly, and you have to start to work with situations where you are going to collect a lot of data and then try to connect the dots. But that means you're going to collect a lot of data, and that means you're going to end up holding a lot of data about ordinary people who have nothing to do with your threat.

That sounds pretty intrusive.

It is, it is. … There are situations in which you can raise the level of security without compromising people's privacy, but I think if you do it on a scale that we announced we were doing after 9/11, yes, there is going to be an impact on people's privacy. Most Americans have seen that, and, you know, going to an airport, going to all sorts of travel -- you know, what can I carry on the subway? -- and I think this is a related development.

The question is for me, as a lawyer inside that system, is then, well, what new rules do you develop? How do you guide the investigators, analysts through the thicket of: So you are holding all this information. What do you do with it? At what point do you throw it away? How do you minimize the impact on the privacy of individuals. But there is no question about it, that a preventive approach is more intrusive than a reactive investigative approach.

[Do] we Americans have to lower our expectations of privacy during an era of fighting terrorism?

I think that is largely true. I don't believe in an absolute trade-off, but I do think that in most situations there is some interaction between those two. There is just simply no question that a society can't allow widespread, anonymous travel, communications, high expectation of privacy in a lot of contexts, and at the same time say, "Well, we want to be able to somehow ferret out the terrorists." The 9/11 terrorists I think knew full well how they could come into this country and avoid detection. …

... [I]s there a difference between ChoicePoint having the information and the FBI, the cops having the information? …

… Well, the easy answer is that ChoicePoint can't come and arrest you. … They can't come search your house. They can't use that information to put into motion the machinery of the justice system. Once it's in the hands of the government it has those consequences, and that's why the government is looking for the information. So there is a difference in specific cases.

Now, are most people going to suffer those consequences? That's the exception, but I think whenever the government has that information [about] you, it's being placed in a context where it could be used to support other forms of intrusion into private lives. That's from my perspective what I would say. I think people generally don't understand the extent to which data is held by private entities. Most people never really think about what a credit card company knows about them, what a phone company knows about them, what who knows how many people on the Internet know about them. We have this idea that these stores of data and information are so vast that no one can really get a handle on them …

In your job you had to deal with applications for FISA [Foreign Intelligence Surveillance Act] warrants. ...

Oh, that was actually the majority of my time was probably devoted to FISA issues.

Now, a lot has been made about the FISA process since 9/11 and particularly since December 2005, that the FISA process is slow; it's cumbersome; it's unwieldy; it couldn't possibly deal with the kind of threat that we face with terrorism. … What [is] your assessment. Is that fair?

It is in the main. It also, however, had the capacity to act very quickly and to respond to emergency situations. It was designed that way. I think the reputation of the process as slow and unwieldy came from the fact that as you had many different types of FISA surveillances moving through the system, some of them long-term surveillance of known foreign intelligence officers that were simply renewed all the time and others in response to very immediate threats. The system dealt with the threats first, which often, given resource limitations, slowed down the sort of ordinary, if you will, FISA packages. And people also have to keep in mind that prior to 9/11 the resources devoted to this process were actually quite limited. ...

Let me phrase the question slightly differently, because people have said this to us: FISA was broken. You couldn't work it in the new world.

I think prior to 9/11 there were some things definitely broken in the FISA process. One of them -- and it was particularly relevant to counterterrorism -- was this wall concept that I referred to earlier. It meant that when you had a situation in which there might be related criminal and national security investigations you needed to be very careful about this wall between the two of them prior to 9/11, prior to the Patriot Act. The mechanism for keeping the two separate had to be described in great detail in the FISA application, and if there was any question about a detail, if there was any detail that was wrong, this was something that could stop the FISA application in its tracks. It would have to go back and [be] reworked. …

The comment was made to us about FISA being broken long, long after the Patriot Act was passed and implemented. ... [P]eople have made the claim that FISA can't keep up with the technology of the modern era and can't keep up with the threat of the modern era. ... I'm just wondering from the standpoint of the FBI, is that true? ...

I don't believe so, and here's why: There are really a very, very small group of people in the government who have significant practical experience using FISA. What I often tell people I'm teaching is there are a lot more people in the government that talk about FISA than ever come close enough to see how it actually operates. ...

The technology doesn't necessarily defeat FISA. It is certainly harder to work with it, but our criminal statutes were written in the same era. They are no closer to being up to date. If you are going to have a system of laws, you have to deal with a situation in which the law doesn't keep pace. The law is never going to keep pace with the technology. I think the only hope is to write the law in a way that is adaptable enough. And to me that was one of the strengths of FISA. You had the law, but you also had a court who could work with the individual case and try to accommodate it. …

FISA is a tool largely for targeted surveillance. It doesn't necessarily require that I have to know precisely the individual that I am targeting, but I have to be able to describe my target with some particularity. It is not a tool that is written for broad collection of information, because when it was written, and I think to some extent now, the general belief is that's not something we want to be doing inside the United States. ...

… The president has described the NSA program as involving an effort to eavesdrop or monitor calls from an Al Qaeda [agent] or another terrorist agent overseas to somebody inside the United States. To a layman that sounds like precisely the kind of call and connection for which you could obtain a FISA warrant, and if that's the case, then why would that kind of program need to go outside of FISA?

Well, that's exactly correct. If the scenario the president describes -- you have Al Qaeda on one end of the phone call and you have a person in the United States on the other end -- you have on the one hand an Al Qaeda person, an agent of a foreign power, a person [who] absolutely meets the FISA definitions for surveillance, and you could intercept that call. … So I have the same issue. If that is the scenario, and if you know that, then you have met the standard for the FISA.

So this to me raises the question: Is that really the scenario? What I think is the most, to my mind, most likely answer is, well, this is what we are aiming at, but we may not have quite that level of certainty. In other words, we may not exactly know that the person overseas is Al Qaeda. We may have some suspicion, or we may not be clear yet, or maybe it's not a person over there; maybe it's a phone number over there. And so we want to look at anyone from the United States who is in contact with that phone number. Maybe we have a pattern of behavior without specific individuals, and we just want to look at when a communication meets this template, then we want to be able to look into [it]. I mean, there had to have been something that --

Something more.

Something more, something that wasn't as simple as that explanation, because that explanation you could take to the FISA court. And I should say here, too, FISA, as I said, only covers interceptions inside the United States. ... [I]f you wanted to tap the person's phone overseas or somehow intercept it in the stream of communications at a point outside the United States, you wouldn't even be under FISA authority. That's the sort of thing that NSA and our intelligence agencies do all the time. That's executive authority surveillance. …

They say it took two years to craft this.

That, frankly, would surprise me. Again, I don't know the particulars of the program, but I do know from my experience that very complex programs were handled under the FISA framework, and it takes some time. ...

Weeks or months?

A FISA can be done in hours. Now, admittedly, something with technical complexity would take longer. FISAs could take months. Two years is a very long time, especially for something that important. …

Given the president's explanation of the NSA program, does it make sense to you as a former FBI lawyer that he had to [go] outside the FISA court?

Well, if we assume that what the program involves is domestic surveillance, then the answer is no. …

… Does that suggest to you that considerably more was actually being done, and maybe only part of it has been brought back under the FISA court?

Personally I take that view. I think that what was probably taken to the FISA court, even though the administration says this is not the case, but I suspect that this is a scaled-down version, because I cannot think of a reason why you could have diffused this entire situation much, much earlier. You could have regularized it by simply going to the court. ...

[Former NSA director] Gen. [Michael] Hayden has used the term several times, and I believe Attorney General [Alberto] Gonzales has as well: "We have had reasonable suspicion." The FISA law uses the term, I understand, "probable cause." You have probable cause that somebody is acting as an agent of a foreign-power terrorist organization. Is there a lesser standard, a softer standard to reasonable suspicion?

That's the way I read it. One of the problems with the phrase "reasonable suspicion" is it doesn't appear any place in the law. … Unlike "probable cause," it's not in the Constitution, and we have 200-plus years of law about what exactly constitutes probable cause. That's the reason it was used in the FISA statute, is this is something that is a known quantifier. It's something a FISA judge can apply. … What exactly is legal, reasonable suspicion? I can't define it. I can't point and say, "Well, this is reasonable suspicion; this isn't," with the same degree of certainty that I can with probable cause. And I read it as something less than probable cause. ...

Should that be significant to ordinary Americans?

It should be. I doubt many people will appreciate the difference. It sounds sort of like a legal standard. It probably troubles lawyers more than anyone else.

But it's a watered-down standard is what you are saying.

That is how I would characterize it. ...

In terms of this program, do we know what the rules are? Do we know what the triggers are?

No, we don't know the specifics, and we probably shouldn't. When you conduct surveillance there is a legitimate security interest in not letting your potential targets know how they could avoid helping you meet the legal standard.

That's what the FISA court was for, wasn't it? We didn't know, but we knew through the FISA court, as it were.

Exactly. And that's why it's important to have this under the FISA court. … That's the purpose of FISA is to take these very sensitive surveillances that we all know need to happen. ... We need to be able to do them outside of the public process in the criminal justice system, but we need to do them in such a way that we are assured that that secrecy and that lack of visibility doesn't mean the legal standard slides further than we want it to slide. ...

Your fear is that at least for five years those legal standards did slide.

I think it's a very real fear, because we don't know. You know, I spent my brief career in government in the executive branch, much of it in the national security apparatus, and these are well-intentioned people. The picture that sometimes comes out of these sort of maniacal, information-hoarding, privacy-be-damned types is not very accurate.

What I get concerned about is that however well intentioned, in that environment, where there is no external measure, as you move forward operationally, your standard is going to adjust to get you closer to the accomplishment of your mission.

Does history tell you that abuse is likely?

Absolutely. That is why we have FISA in the first place. Before 1978 all of this was largely left to the discretion of the executive branch under a variety of different sets of rules. The attorney general, for example, could approve these surveillances simply upon the application of the FBI. ... Well, the problem is that people in the national security business like the FBI will define a threat to the national security, and as they continue to pursue something they may very well say, "Well, this is a threat; this is something we should be looking at," whereas a more objective third party would say, "Wait a minute; you've gone too far down the line." This is exactly the sort of thing that happened in the 1960s with the anti-war movement, with the civil rights movement. ...

We've learned the hard way that that system doesn't work.

Yes, and that we are better off. Now, I don't want to be naive about this. These safeguards always come at a price. A system where you have an external oversight by a court or you have some role from Congress is always going to be more complicated. It certainly [has] potential to be less efficient, but that, to my mind, is one of the prices we pay for preserving that standard.

Preserving our liberties?

Yes, absolutely. ...

Does the FISA law either permit or bar the National Security Agency from intercepting a foreign communication transiting and dipping down in the United States?

The FISA law says nothing about the authorities of the National Security Agency. In fact, the FISA [law] is agency-neutral in that respect. What the FISA law says is no matter who you are in the government, ... if you are going to intercept something inside the United States, this is the framework for doing it. So if you could theoretically -- and I need to be very careful here; I'm not saying this is what is actually occurring here -- but if you were to intercept a foreign-to-foreign communication and the point at which you grabbed that communication was physically inside the United States, that would be a matter for FISA.

So you'd have to get a FISA warrant.

Right. I would say that is true. But I would need to note that there are people who would say that FISA did not ... completely extinguish the president's inherent authority to authorize things, even domestically. Personally I don't think that's the case. ...

Congress killed the funding for the Total Information Awareness program. Did Congress kill Total Information Awareness as an aspiration and as a direction in which a lot of government agencies want to move?

No, I don't think Congress did that, because on the one hand, Congress focused on this one program, and they focused on a term, "data mining." On the other hand, we have the president, the Congress, everyone saying: "Be proactive; be preventative against terrorism. Connect the dots. Share information. Fuse the information that you do have." So there are many different incarnations of the same idea. ...

What do we need to do if there are more and more agencies that have initiatives that are one part or another of this Total Information Awareness, and without legal restrictions it poses dangers to our civil liberties and privacy? What do we need to do? Are we just going to have to live with this? Is this going to happen inevitably, and we just have to live with it?

I think that it is inevitable as long as we continue to place our emphasis on prevention and security. It doesn't have to be without legal ground rules. We do need to say, look, data mining or fusion of information or connecting the dots or whatever you want to call it is clearly going to be a huge feature of our law enforcement national security apparatus. Let's start crafting a set of rules for it. ...

The last systematic look at how the government handles private information on U.S. persons across the board was really the Privacy Act of 1975, which has been amended over time but never any sort of significant [changes], and that was very much a pre-Internet, pre-computer [law]. The computer provisions of it are almost amusing, because they were done when the technology was really in its infancy. That's a very long time; that's 30 years ago. I think we probably need to update that, to recognize --

So we need a new Privacy Act.

Or something like it. ... We need rules to apply across the board to all different agencies that just set a common standard of how we are going to handle information about U.S. persons and how do we protect it. How do we let people know that we've got it? How do we let people challenge its accuracy? All of that is in there. It's just that apparatus is somewhat creaky now. ...

Creaky. You mean it's overrun.

Yes, it's a pre-digital world; it's a pre-electronic world that it's talking about. ...

What worries you the most as a citizen?

My real worry about this technology privacy, all we've been talking about, is that it won't be taken seriously, that we won't have those kinds of discussions because it's too complicated or it's too remote, and that the situation will just -- it will be too far down the road by the time we address this. ...

I just wonder if, in this business of broad data collection, whether we have moved from the old Anglo-Saxon principle embodied in the Fourth Amendment of individualized suspicion and probable cause to sort of no suspicion and just engaging in a massive sort of computerized fishing expedition.

I'm not sure that we have abandoned the idea of probable cause. We are certainly encouraging fishing, because somewhat targeted fishing is how you would prevent a terrorist attack. When I think about the Fourth Amendment and what I see as eroding here is that in the Fourth Amendment, and in our tradition of law, there is this idea [that] there is private space around the individual -- the individual's home; their papers, as it says in the Constitution; that there is a sphere around you that the government can't come into without meeting this level of suspicion. And what I see in all of these developments is the sphere is getting smaller and smaller. We are allowing access to much more information so that maybe the government can't come into that sphere, but they can go all the way around it. They can get the contours, the outlines of your daily life through a lot of this information that isn't protected as well.

I think that's what's eroding, and that's what we need to focus attention on before it goes, before that distinction, the boundaries of that privacy are so fuzzy that we can't sort it out anymore. …