The Obama administration promised privacy protections for foreigners abroad, but PPD-28 fails to deliver those protections

In early 2014, still reeling from global outrage over recently uncovered surveillance programs, President Barack Obama pledged to rein in the U.S. government’s spying and boost privacy protections for people in the U.S. and abroad. His words were heartening:

“People around the world, regardless of their nationality, should know that the United States is not spying on ordinary people … and that we take their privacy concerns into account,” he said, standing in front of American flags at Justice Department headquarters in Washington, D.C.

Obama specifically pointed to Presidential Policy Directive 28, an executive branch document that set out new rules for how the government treats foreigners’ information. In Obama’s telling, PPD-28 took “the unprecedented step of extending certain protections that we have for the American people to people overseas.”

That sounds noble, but it vastly overstates how the protections work in practice.

In truth, the U.S. does not provide significant safeguards to protect the privacy rights of foreigners abroad from its surveillance programs. To the contrary, even after PPD-28 in 2014, the U.S. government has continued to seize and scan the communications of hundreds of millions of foreigners abroad with no ties to crime or national security threats. A huge number of those communications are then collected and made available for a wide range of further uses. In fact, while the U.S. has pointed to PPD-28 as a major protection for people around the world, that document marked no significant change to the actual surveillance the U.S. has been conducting.

The U.S. has an Americans-Only Approach to Privacy

For Americans, of course, the bedrock protection against their country spying on them is the U.S. Constitution. But the U.S. maintains that because non-citizens located outside the U.S. largely lack constitutional rights, it can act in ways regarding foreigners that would be completely unconstitutional if those affected were Americans. It similarly excludes people outside the U.S. from the protections of most U.S. privacy laws, even when the actions of the U.S. government impact their privacy.

The U.S. is Ten Years Behind Europe

The U.S. is ten years behind Europe in requiring its government agencies to protect the privacy of noncitizens when government actions affect them. In 2006 and again in 2008 the European Court of Human Rights ruled that people and groups have privacy rights when it comes to surveillance conducted by other countries. In the 2008 case of Liberty and Others v. United Kingdom, the court ruled that the UK violated the privacy rights of two Ireland-based NGOs with its extraterritorial surveillance. In the 2006 case of Weber and Saravia v. Germany, the court was similarly prepared to consider the complaints of two residents of Uruguay against monitoring of their telecommunications by the German government.

The U.S. is Not Compliant with International Law

Even after PPD-28 was issued, the United Nations’ independent experts on human rights explicitly criticized the U.S. for its Americans-only approach to privacy protections. In its report on U.S. surveillance practices, the Human Rights Committee welcomed PPD-28 but expressed concerns that it provided “only limited protection against excessive surveillance” and “that the persons affected have no access to effective remedies in the case of abuse.” It urged:

[M]easures should be taken to ensure that any interference with the right to privacy complies with the principles of legality, proportionality and necessity, regardless of the nationality or location of the individuals whose communications are under direct surveillance.

Similarly, in 2013 the United Nations rejected attempts by the U.S. to limit its responsibilities to just protecting Americans in a recitation [.pdf], stating that it was:

Deeply concerned at the negative impact that surveillance and/or interception of communications, including extraterritorial surveillance and/or interception of communications, as well as the collection of personal data, in particular when carried out on a mass scale, may have on the exercise and enjoyment of human rights.

The UN expressly recognized that international law includes a duty on a state to respect the human rights of persons physically outside the state but whose rights are interfered with by the state’s actions within its borders. The U.S. has not met this duty.

PPD-28 Loopholes and Limits

People around the world were hopeful that President Obama’s statement meant that the U.S. would finally recognize that it must provide foreigners with meaningful protection against U.S. surveillance. And PPD-28 sounds good, providing that “all persons are entitled to respect, regardless of their nationality” and directing the U.S. government to apply data protection policies and procedures equally to all persons regardless of nationality.

But, as the U.N. noted, PPD-28 has not resulted in meaningful protections for foreigners. While PPD-28 speaks of harmonizing protections for all people, it has a number of loopholes. And because foreigners, unlike U.S. citizens, receive essentially no other protections in U.S. law, these loopholes are especially significant.

The NSA’s policies and procedures under PPD-28 contain a glaring loophole that exempts data that is “temporarily acquired to facilitate targeted collection.” One example of data that is seemingly exempted under the loophole is anything collected through the U.S. government’s Upstream surveillance, which involves the collection of billions of foreign communications. The government then searches that data in order to perform “targeted” surveillance. As a result, all foreign communications that are acquired as part of the government’s access to the Internet backbone through Upstream are seemingly unprotected by PPD-28. Of course, this is a privacy violation that the government applies equally to Americans, so U.S. citizens also largely suffer from this same disproportionate collection and, to a lesser extent, mass searching.

Perhaps even more important, PPD-28 contains an explicit authorization to collect and use foreigners’ communications in bulk under a broad set of circumstances. By contrast, U.S. citizens are not supposed to be subject to bulk collection under any circumstances (although we know that’s not true in practice). As a result, PPD-28’s authorization to engage in bulk collection about foreigners represents a significant disparity. Also under PPD-28, the U.S. government has sweeping authority to forward, use, and retain foreigners’ communications collected in bulk in order to deal with six exceedingly broad categories of threats, including espionage “against the United States and its interests,” “cybersecurity threats,” and “transnational criminal threats.”

The Rest of U.S. Law is Little Help

The rest of U.S. law is also of little help when it comes to protecting the privacy of foreigners abroad, in that it allows the U.S. to specifically target them for spying for broadly defined foreign intelligence purposes.

Under FISA Amendments Act Section 702, for example, surveillance of non-U.S. citizens outside the U.S. is subject only to the limitation that a “significant purpose” of the surveillance be to gather “foreign intelligence information.” The term “foreign intelligence information” is expansively defined and constitutes any information that “relates to” a foreign power or territory and the United States’ foreign affairs, national defense, or security. And for surveillance conducted outside the U.S. under Executive Order 12333, the definition of “foreign intelligence” is even broader, including information that is merely related to the “capabilities, intentions and activities of foreign powers, organizations or persons.” Reported examples of surveillance undertaken for a “foreign intelligence” purpose under one or both definitions include economic targets such as Venezuelan and Brazilian oil companies. Once either of these indefinite standards – which are never reviewed by a neutral third party – is satisfied, the U.S. Government’s surveillance powers against foreigners are nearly absolute.

Further underscoring the U.N.’s concerns, the availability of judicial review or any redress for this surveillance is severely limited. The massive secrecy surrounding these activities means that – similar to U.S. persons in our Jewel v. NSA case and others – the U.S. government would argue that foreigners abroad do not have sufficient proof of any use or misuse of their information to maintain standing in U.S. courts. We are fighting that position, of course, but the pathway is likely even more difficult for foreigners abroad affected by U.S. mass surveillance.

While the U.S. does have some requirements to notify surveillance subjects under FISA, those requirements are very narrow. FISA requires such notice only when the government intends to use evidence against those “aggrieved persons” in a court proceeding. But by its nature, foreign intelligence surveillance rarely leads to criminal or other court proceedings. And even within that requirement, the government reads its obligation exceedingly narrowly. In practice, the government has notified fewer than a dozen “aggrieved persons” subject to surveillance under Section 702 out of the millions of individuals likely implicated in the hundreds of millions of communications collected annually. None of those notified have been foreigners abroad.

The Result: the U.S. Promise to Protect Foreigners Is Largely Illusory

Taken together, the U.S. government’s refusal to consider basic privacy rights for foreigners abroad, the glaring loopholes in PPD-28, and the inability of foreigners to learn about or challenge online surveillance mean the protections Obama promised with PPD-28 back in 2014 are largely illusory. Remember that the next time you hear a U.S. official defend the government’s surveillance programs and their so-called privacy protections for foreigners abroad.