NYU REV. L. & SECURITY, No. VII Supl. Bull. on L. & Sec.


Cite this article as:
K. A. Taipale, Whispering Wires and Warrantless Wiretaps: Data Mining and Foreign Intelligence Surveillance, N.Y.U. REV. L. & SECURITY, No. VII Supl. Bull. on L. & Sec.: The NSA and the War on Terror, (Spring 2006) available at; PDF available for download at

See also, related material at Foreign Intelligence Surveillance Project.

Whispering Wires and Warrantless Wiretaps:
Data Mining and Foreign Intelligence Surveillance



In the current debate over whether the President has the inherent power to authorize the National Security Agency to monitor international communications with suspected terrorists, one thing is clear — even the most strident opponents concede the need to identify and monitor the communications of terrorists and stop them before they can act. [1] 

Preempting terrorist attacks requires uncovering information useful to anticipate and counter future events. [2] Automated data analysis technologies can help by monitoring communications and revealing evidence of organization, relationships, or other relevant patterns of behavior indicative or predictive of potential threats thus allowing law enforcement or security resources to be focused more effectively on likely targets.

This essay examines certain implications of employing these techniques for foreign intelligence surveillance and suggests that the Foreign Intelligence Surveillance Act ("FISA") [3] is inadequate to address recent technology developments, including: the transition from circuit-based to packet-based communications; the globalization of communications infrastructure; and the development of automated monitoring techniques, including data mining and traffic analysis. [4]


Although this essay discusses how FISA is challenged by technology developments, the suggestion that FISA procedures are inadequate to encompass certain aspects of foreign intelligence surveillance is not new, nor unique to technical developments.

Testifying before the Church Committee in 1975, then-Attorney General Edward Levi suggested that FISA should include provisions for the approval of "programs of surveillance" in foreign intelligence situations where "by [their] nature [they do] not have specifically predetermined targets" and where "the efficiency of a warrant requirement would [therefore] be minimal."  However, Congress passed FISA in 1978 without including any provisions for such programmatic approvals. [5]

In a recent essay, Judge Richard A. Posner opined that FISA "retains value as a framework for monitoring the communications of known terrorists, but it is hopeless as a framework for detecting terrorists. [FISA] requires that surveillance be conducted pursuant to warrants based on probable cause to believe that the target of surveillance is a terrorist, when the desperate need is to find out who is a terrorist." [6]

FISA is inadequate.

FISA did not anticipate the development of global communication networks or advanced technical methods for intelligence gathering.  FISA provides a cumbersome mechanism requiring individual application to the FISA court for authorization to target a specific individual or source based on showing a connection to a foreign power or foreign terrorist group. [7]   Although FISA permits such applications to be made after the fact in certain cases, it does not provide a mechanism for programmatic pre-approval of technical methods like automated data analysis or filtering that may be the very method necessary for uncovering such a connection.

From circuit-based to packet-based communication networks.

To understand the need for applying automated data analysis technologies to foreign intelligence surveillance requires not just recognizing the vast data volumes potentially subject to monitoring — imagine for a moment the capture of an al Qa'ida laptop in the battlefield of Afghanistan containing hundreds or thousands of phone numbers [8] or email addresses — but also an understanding of the nature of modern communications networks. 

Thirty years ago when FISA was being drafted it made sense to speak exclusively about the interception of a targeted communication — one in which there were usually two known ends and a dedicated ("circuit-based") communication channel that could be "tapped."  In modern networks, however, data and increasingly voice communications are broken up into discrete packets that travel along independent routes between point of origin and destination where these fragments are then reassembled into the original whole message ("packet-based").  Not only is there no longer a dedicated circuit, but individual packets from the same communication may take completely different paths to their destination.  To intercept these kinds of communications, filters ("packet-sniffers") and search strategies are deployed at various communication nodes to scan and filter all passing traffic with the hope of finding and extracting those packets of interest and reassembling them into a coherent message.  Even targeting a specific message from a known sender requires intercepting (i.e., scanning and filtering) the entire communication flow.  Were FISA to be applied strictly according to its terms prior to any "electronic surveillance" of foreign communication flows passing through the US or where there is a substantial likelihood of intercepting US persons, then no automated monitoring of any kind could occur. [9]

The globalization of communications.

A further problem arises because FISA is triggered by foreign intelligence collection conducted "within the United States" or against "U.S. persons." [10] Advances in information technology together with the borderless nature of terrorist threats and global communications has made place-of-collection and U.S. personhood an increasingly unworkable basis for controlling the collection of intelligence.  Indeed, because of packet-based communication technologies like VoIP and the use of proxy servers, it may no longer even be technically possible to determine exactly when a communication is taking place "within the United States" and no practical means exists to determine if a particular participant is a U.S. person or not until after further investigation. [11]  FISA does not account for this. [12]

Automated analysis: data mining and traffic analysis.

Automated screening can monitor data flows to uncover terrorist connections or terrorist communication channels without human beings ever looking at anybody's emails or listening in on their phone calls. Only when the computer identifies suspicious connections or information do humans get involved.

It is beyond the scope of this essay to explore all the different analysis techniques that can be applied to the monitoring of terrorist communications but two examples show the range of activity possible: content filtering and traffic analysis. 

Content filtering is used to search for the occurrence of particular words or language combinations that may be indicative of terrorist communications.  A simple example of this would be to screen for messages to or from known terrorist sources containing the words "nuclear weapon".  Actual search algorithms are, of course, much more complex and sophisticated and can employ artificial intelligence, machine learning, and powerful statistical methods such as Bayesian analysis to identify potential threats. 

Traffic analysis is the examination of traffic patterns — message lengths, frequency, paths, etc. — of communications without examining the content of the message (traffic analysis can be used even where content is encrypted).  Traffic analysis can reveal patterns of organization, for example, by measuring "betweeness" in email traffic or other communications.  By looking for patterns in traffic these techniques, together with social network theory, can help identify organizations or groups and the key people in them.  These methods can uncover terrorist organization and reveal activity even if they are communicating in code or only discussing the weather. [13]

'Programs of surveillance' are not general warrants.

It is important to remember that we are not contemplating the use of these technologies in an undirected fashion in the manner of a general warrant to examine all communication flows. [14] 

Rather, we argue for a mechanism for programmatic approval where these technologies are applied in the first instance against known or reasonably suspected foreign terrorist communication sources — that is, against legitimate foreign intelligence targets not subject to FISA and not requiring a warrant [15] — and are used to automate the process of looking for connections, relationships, and patterns for further follow-up investigation. 

These technologies are not a general method for finding terrorists by monitoring all global communications with no starting point, nor for determining guilt or innocence.  Rather, they are powerful tools to help better allocate law enforcement and security resources to more likely targets.  If the initial automated process identifies potentially suspicious connections — including US persons or sources — some additional monitoring or follow-up investigation must occur to determine if that initial “suspicion” is justified. 

The problem with FISA is that it contemplates only a single threshold for authorizing interception within the US or targeting of US persons — probable cause.  In the case of automated monitoring, there must be some approved procedure that identifies potential threats and allows for some limited follow-up — either additional automated monitoring or human investigation — to determine if indeed the initial indicia of suspicion are justified.  If so, then existing FISA procedures can be followed to “target” that US person or source.

What is needed then, is the electronic surveillance equivalent of a Terry [16] stop — in this case an authorized period for follow up monitoring or investigation of initial suspicion derived from automated monitoring.  If the suspicion is not justified on follow-up, monitoring is discontinued, however, if suspicion is reasonable then monitoring continues under the programmatic approval.  If there is probable cause to suspect that the target is actively engaged in terrorism or is an agent of a foreign terrorist group, then a FISA warrant issues to target that US person or source.

Conclusion: A mechanism for programmatic approvals.

What is needed is a legal mechanism for pre-approving such methods so that legitimate foreign intelligence can be exploited and further threats identified for follow up investigation.  With programmatic approval of initial monitoring, existing FISA warrant procedures could then be followed for targeted monitoring of identified US persons or sources in appropriate cases based on the results of the initial automated selection and follow up query done subject to such programmatic approval.

It is beyond the scope of this essay to recommend particular mechanisms or standards for authorizing such programmatic approvals.  It has been argued that courts are ill-suited, and may be constitutionally prohibited, from such an oversight role [17] and that a statutory executive [18] or legislative [19] authorization or oversight body should be created.

By all means let us debate who should have the authority to authorize and oversight such intelligence gathering programs, but let us not forget that someone must, and the existing mechanisms are inadequate. [20]


*    Kim Taipale, BA, JD (New York University), MA, EdM, LLM (Columbia University), is the founder and executive director of the Center for Advanced Studies in Science and Technology Policy.  Mr. Taipale is also a Senior Fellow at the World Policy Institute and an adjunct professor of law at New York Law School. (bio)

[1]      See, e.g., Adam Nagourney, Seeking Edge In Spy Debate, N.Y. TIMES (Jan. 23, 2006 (" 'We all support surveillance...,'  [Senator John] Kerry said."); and Statement released by U.S. Senator Patrick Leahy (Feb. 15, 2006) ("We all agree that we should be wiretapping al Qaeda terrorists").

[2]      See generally U.S. Department of Justice, Fact Sheet: Shifting from Prosecution to Prevention, Redesigning the Justice Department to Prevent Future Acts of Terrorism (May 29, 2002); The National Security Strategy of the United States (Sep. 17, 2002) ("[T]he United States ... will not hesitate ... to exercise our right of self defense by acting preemptively against such terrorists", p. 6).

[3]      Codified at 50 USC §§1801-1811, 1821-29, 1841-46, and 1861-62. See also note 20 infra discussing the proposed Terrorist Surveillance Act of 2006 and the proposed National Security Surveillance Act of 2006. Both proposed bills would provide limited additional statutory authority for electronic surveillance of suspected terrorists in the United States: however, the Terrorist Surveillance Act would allow the President to authorize such surveillance subject to Congressional oversight; while the The National Security Surveillance Act would require FISA court approval, authorization, and oversight.

[4]      Although details of the NSA program are classified, press reports suggest that data mining and traffic analysis technologies are being used.  See, e.g., [Eric Lichtblau and James Risen, Spy Agency Mined Vast Data Trove, Officials Report, N.Y. TIMES (Dec. 24, 2005);] Shane Harris, NSA spy program hinges on state-of-the-art technology, NAT'L J. (Jan. 20, 2006). For an overview of NSA technical capabilities, see generally Patrick Radden Keefe, CHATTER (2005); James Bamford, Big Brother is Listening, THE ATLANTIC (Apr. 2006). For a general discussion of data mining and counterterrorism, see K. A. Taipale, Data Mining and Domestic Security: Connecting the Dots to Make Sense of Data, 5 COLUM. SCI. & TECH. L. REV. 2 (Dec. 2003) and Mary DeRosa, Data Mining and Data Analysis for Counterterrorism, Center for Strategic and International Studies (CSIS) Press (Mar. 2004). See also James E. Lewis, Domestic Communications Surveillance: Right Decision, Wrong Rules, CSIS (January 2006) (describing the differences between the FBI and NSA capabilities and needs in the context of domestic intelligence).

[5]      See John R. Schmidt, Commentary: A historical solution to the Bush spying issue, CHIC. TRIB. (Feb. 12, 2006) (describing Levi’s advocacy of statutory process for programmatic approvals in foreign intelligence). See also Sen. Arlen Specter, Statement Introducing the National Security Surveillance Act of 2006 (Mar. 16, 2006) (recounting same).

[6]      Richard A. Posner, Commentary: A New Surveillance Act, WALL ST. J. A16 (Feb. 15, 2006).

[7]      In the case of a US person, FISA requires probable cause to believe that the target is an “agent of a foreign power,” §1801(b) and that the person’s activities “involve or are about to involve” a violation of the criminal laws of the United States, §1801(b)(2)(B); or are activities in preparation for sabotage or "international terrorism" on behalf of a foreign power, §1801(b)(2)(C).

[8]      Note that even a mid-level al Qa’ida operative may carry four or five cell phones with multiple SIM cards supporting several numbers for each phone.  Training material describing how to avoid electronic surveillance is widely available on Jihadist web sites.  See, e.g., Jeffrey Pool, Technology and Security Discussions on the Jihadist Forums: Producing a More Savvy Next Generation, SPOTLIGHT ON TERROR, Vol. 3, No. 10 (Oct. 11, 2005).

[9]      The retroactive warrant procedures in FISA also do not work here since those communications 'intercepted' but not selected for further analysis by definition would not meet the requirement for a warrant application (i.e., no probable cause), and there would be no independent predicate for probable cause for those communications selected for follow-up as a result of filtering, unless there was programmatic authorization of the filtering in the first place.  Although procedures under FISA allow for the retention and use without a warrant of US person communications "with foreign intelligence value" if it is collected collateral to a legitimate foreign intelligence intercept, in practice such information is not deemed adequate to establish predicate for targeting such a person where the initial intercept is pursuant to a general surveillance program and follow-up investigation is required to determine if probable cause exists.

[10]      See §1801(f).

[11]      Indeed, certain networks are specifically designed to conceal such information by chaining proxy servers. See, e.g., the TOR Network, which uses onion routing to provide near anonymous communication capability and is specifically designed to avoid traffic analysis monitoring (see text accompanying note 13, infra, discussing traffic analysis).

[12]      Nor does it account for the fact that even wholly "foreign" communications today may pass through physical nodes located "within the United States." [See, e.g. Eric Lichtblau and James Risen, Spy Agency Mined Vast Data Trove, Officials Report, N.Y. TIMES (Dec. 24, 2005) ("with the globalization of the telecommunications industry in recent years, many international-to-international calls are also routed through ... American switches")].

[13]      See, e.g., Hazel Muir, Email Traffic Patterns can Reveal Ringleaders, NEW SCIENTIST (Mar. 27, 2003).  Note, however, that certain technologies exist to counter traffic analysis, see, for example, the discussion of the TOR Network in note 11, supra. For a discussion of the use of social network theory in counterterrorism analysis, see Patrick Radden Keefe, Can Network Theory Thwart Terrorists? N.Y. TIMES (Mar. 12, 2006).

[14]      Such undirected uses are called "fishing expeditions" by critics and "drift nets" by intelligence professionals.  It is the use of general warrants by the English that led in part to the American Revolution, see, e.g., O.M. Dickerson, Writs of Assistance as a Cause of the Revolution, in THE ERA OF THE AMERICAN REVOLUTION (Richard Morris ed. 1939), and to enactment of the Fourth Amendment, see Edward Corwin, THE CONSTITUTION AND WHAT IT MEANS TODAY (1978, 1920).

[15]      For example, Abu Musab Zarqawi's cell phone number or a known al Qa’ida communication network in Pakistan or Hamburg. According to a classified German intelligence report, 206 international telephone calls were known to have been made by the leaders of the 9/11 hijacking plot after they arrived in the United States — including 29 to Germany, 32 to Saudi Arabia and 66 to Syria. See John Crewdson, Germany says 9/11 hijackers called Syria, Saudi Arabia, CHIC. TRIB. (Mar. 8, 2006).

[16]      Terry v. Ohio, 392 U.S. 1 (1968) (holding that police can detain a suspect for a reasonable period without probable cause to suspect a crime).

[17]      See, e.g., David B. Rivkin, Jr. and Lee A. Casey, Commentary: Inherent Authority, WALL ST. J. A16 (Feb. 8, 2006) ("The federal courts can only adjudicate actual cases and controversies; they cannot offer advisory opinions").  

[18]      See, e.g., Posner, supra note 6.

[19]      Compare, e.g., the proposed Terrorist Surveillance Act of 2006, note 20 infra, that would approve the NSA program subject to oversight by special Congressional committees, with the proposed National Security Surveillance Act of 2006, note 20 infra, that would require FISA court (FISC) approval and oversight, including review every 45 days to continue "electronic surveillance programs."

See generally Sheryl Gay Stolberg, Senate Chairman Splits With Bush on Spy Program, N.Y. TIMES (Feb. 18, 2006); Shaun Waterman, Senators to publish bills on NSA wiretap, UPI (Mar. 8, 2006); Scott Shane and David D. Kirkpatric, G.O.P. Plan Would Allow Spying Without Warrants, N.Y. TIMES (Mar. 9, 2006).

[20]      See generally K. A. Taipale & James Jay Carafano, Commentary: Fixing Foreign Intelligence Surveillance, WASH. TIMES (Jan. 24, 2006); Shane Harris, FISA's Failings, NAT'L J. (Apr. 8, 2006) [(republished as "Internet devices threaten NSA's ability to gather intelligence legally, ", Apr. 10, 2006); Mark Williams, "The Total Information Awareness Project Lives On," MIT Technology Review (Apr. 26, 2006).]

On March 16, 2006, Senators Mike DeWine (R-OH), Lindsey Graham (R-SC), Chuck Hagel (R-NE), and Olympia Snowe (R-ME) introduced the Terrorist Surveillance Act of 2006 (announcement) (bill text), under which the President would be given certain additional limited statutory authority to conduct electronic surveillance of suspected terrorists in the United States subject to enhanced Congressional oversight. See Katherine Shrader, GOP Senators Introduce Eavesdropping Bill, AP (March 16, 2006). Also on March 16, 2006, Senator Arlen Specter (R-PA) introduced The National Security Surveillance Act of 2006 (introducing statement) (bill text), which would amend FISA to provide FISA court (FISC) jurisdiction to review, authorize, and oversight "electronic surveillance programs."

[Bracketed material contained in this HTML version has been added subsequent to publication and is not contained in the original print version.]


See also the following news articles that quote extensively from this essay:

Shane Harris, FISA's Failures, Issues and Ideas, National Journal (Apr. 8, 2006) (republished as Internet devices threaten NSA's ability to gather intelligence legally, (Apr. 10, 2006).

Mark Williams, The Total Information Awareness Project Lives On, MIT Technology Review (Apr. 26, 2006).

For web links, please use permanent Document URL <>
TO PRINT: Download PDF from

A draft of this essay was first released on March 3, 2006 in connection with the Program on Law Enforcement and National Security in the Information Age (PLENSIA), a Global Information Society Project (GISP). (See, press release).

For more information, contact us.

See also, related material at Foreign Intelligence Surveillance Project, including related journal articles:

K. A. Taipale, The Ear of Dionysus: Rethinking Foreign Intelligence Surveillance, 9 Yale J. L. & Tech. (Spring 2007).

K. A. Taipale, Rethinking Foreign Intelligence Surveillance, World Policy Journal, Vol. XXIII No. 4 (Winter 2006/07).

All material on this page is copyright the Center for Advanced Studies or the editors or publisher referred to above © 2003-2006. Permission is granted to reproduce this introduction in whole or in part for non-commercial purposes, provided it is with proper citation and attribution.