A key legal linchpin for the National Security Agency’s vast Internet surveillance program is scheduled to disappear in under 90 days. Section 702 of FISA—enacted in 2008 with little public awareness about the scope and power of the NSA’s surveillance of the Internet—supposedly directs the NSA’s powerful surveillance apparatus toward legitimate foreign intelligence targets overseas. Instead, the surveillance has been turned back on us. Despite repeated inquiries from Congress, the NSA has yet to publicly disclose how many Americans are impacted by this surveillance.
With the law’s sunset looming, Congress is taking up the issue. The USA Liberty Act, introduced by Representatives Goodlatte (R-Va.), John Conyers (D-Mich.), Jim Sensenbrenner (R-Wis.), and others, may offer a chance to address some of the worst abuses of NSA Internet surveillance even as it reauthorizes some components of the surveillance for another six years.
But the first draft of the bill falls short.
The bill doesn’t effectively end the practice of “backdoor searching,” when government agents—including domestic law enforcement not working on issues of national security—search through the NSA-gathered communications of Americans without any form of warrant from a judge. It doesn’t institute adequate transparency and oversight measures, and it doesn’t deal with misuse of the state secrets privilege, which has been invoked to stave off lawsuits against mass surveillance.
Perhaps most importantly, the bill won’t curtail the NSA’s practices of collecting data on innocent people.
The bill does make significant changes to how and when agents can search through data collected under 702. It also institutes new reporting requirements, new defaults around data deletion, and new guidance for amicus engagement with the FISA Court. But even these provisions do not go far enough.
Congress has an opportunity and a responsibility to rein in NSA surveillance abuses. This is the first time, since 2013 reporting by the Washington Post and the Guardian changed the worldwide perception of digital spying, that Congress must vote on whether to reauthorize Section 702. Before this debate moves ahead, leaders in the House Judiciary Committee should fix the shortcomings in this bill.
The Problems of 702
Section 702 is supposed to give the NSA authority to engage in foreign intelligence collection. The NSA is only allowed to target non-Americans located outside U.S. borders. This legal authority has been the basis for two controversial data collection programs:
- Upstream surveillance: data collection that siphons off copies of digital communications directly from the “Internet backbone,” the high-capacity fiber-optic cables run by telecommunications companies like AT&T that transmit the majority of American digital communications.
- PRISM (also known as “downstream surveillance”): data collection gathered from the servers of major Internet service providers, such as Google, Facebook, and Apple.
These programs flourished under President Bush and President Obama. As the Washington Post reported, their NSA director took an expansive view on data collection:
“Rather than look for a single needle in the haystack, his approach was, ‘Let’s collect the whole haystack,’ ” said one former senior U.S. intelligence official who tracked the plan’s implementation. “Collect it all, tag it, store it. . . . And whatever it is you want, you go searching for it.”
Unfortunately, the Liberty Act won’t address most of these fundamental problems. Here’s an analysis of some of the key provisions in the bill, and we’ll have future articles exploring specific topics in more detail.
Leaving the Backdoor Ajar
Agents for the NSA, CIA, and FBI have long rifled through the communications collected under Section 702, which include American communications, as well as the communications of foreigners who have no connection to crime or national security threats. With no approval from a judge, they’re able to search this database of communications using a range of personal identifiers, then review the contents of communications uncovered in those searches. Government agents can then use these results to build a case against someone, or they may simply review it without prosecution.
Ordinarily, if the FBI wants to intercept or collect a U.S. person’s communications, they must first get permission from a judge. But as a result of Section 702, the FBI today reviews NSA-collected communications of U.S. persons without permission from a judge. Privacy advocates call this the “backdoor search loophole.”
This practice violates the Fourth Amendment right to privacy against unreasonable searches and seizures. And it can be difficult to prove because government agents may not disclose when they use evidence from the 702 database in prosecutions or for any other purposes.
The first draft of the Liberty Act doesn’t resolve the problem. It still allows government agents—including domestic law enforcement agents—to query the 702 database, including using identifiers associated with American citizens, such as the email address of an American. The main improvement is that when an agent conducts a query looking for evidence of a crime, she must obtain a probable cause warrant from a judge to access the results.
But the warrant requirement is limited due to a number of troubling carve-outs. First, this court oversight requirement won’t be triggered except for those searches conducted to find evidence of a crime. No other searches for any other purposes will require court oversight, including when spy agencies search for foreign intelligence, and when law enforcement agencies explore whether a crime occurred at all.
Metadata—how many communications are sent, to whom, at what times—won’t require court oversight at all. In fact, the Liberty Act doesn’t include the reforms to metadata queries the House had previously passed (which unfortunately did not pass the Senate). In the Massie-Lofgren Amendment, which passed the House twice, agents who conducted queries for metadata would be required to show the metadata was relevant to an investigation. That relevance standard is not in the Liberty Act.
Finally, some may interpret vague language in the bill as putting responsibility for assessing probable cause in the hands of the Attorney General, the main governmental prosecutor, rather than in the hands of the FISA Court. This language should be clarified to ensure the judge’s role in approving the applications is the same as in other FISA proceedings.
The bill will require the NSA to exercise “due diligence in determining whether a person targeted is a non-United States person reasonably believed to be located outside of the United States,” and requires agents to consider the “totality of the circumstances” when making that evaluation.
At face value, this sounds promising. We do want the NSA to exercise due diligence when evaluating targets of surveillance. However, this provision is more of a fig leaf than a real fix, because even if targeting is improved, it won’t resolve the problem of Americans’ communications being collected. Right now, countless Americans are surveilled through so-called “incidental collection.” This means that while the official target was a non-American overseas, American communications are swept up as well. Even though Americans were never the intended “target,” their emails, chats, and VOIP calls end up in a database accessible to the NSA, FBI, and others. Tightening up targeting won’t address this problem.
In addition, the bill doesn’t change the NSA’s practice of intercepting communications of countless innocent foreigners outside the United States. People outside our national borders are not criminals by default and should not be treated as if they were. If the United States wants to uphold our obligations to human rights under the International Covenant on Civil and Political Rights, we must respect the basic privacy and dignity of citizens of other countries. That means not vacuuming up as many communications as possible for all foreigners overseas. This is an especially pressing issue now, as the European Union decides whether to limit how European data can be held by American companies. The recently enacted Privacy Shield falls short of the privacy commitments enshrined in European law.
Retention of Communications
After the NSA uses Section 702 to collect vast quantities of communications, the NSA stores these records for years to come. Every day the NSA holds these sensitive records is a day they can be misused by rogue government employees or deployed by agency leadership in new ways as part of inevitable “mission creep.” That’s why privacy advocates call for legislation that would require the NSA to purge these Section 702 communications by a fixed deadline, except for specific communications reasonably determined by analysts to have intelligence or law enforcement value.
Unfortunately, the Liberty Act does not solve this problem. Rather, it would only require that if the NSA determines that a communication lacks foreign intelligence value, then the NSA must purge it within 90 days. However, it’s unclear how often the NSA reviews its collected data to assess its foreign intelligence value. Since the bill requires no review, this provision may have little practical effect.
Whistleblowers Left Unprotected
Whistleblowers like Thomas Drake, Mark Klein, Bill Binney, and Edward Snowden were fundamental to the public’s understanding of NSA surveillance abuses. But they risked their careers and often their freedom in the process. The United States has a pressing need to improve protections for whistleblowers acting in the public good—including federal contractors who may be witness to wrongdoing.
The Liberty Act includes a section that would extend certain whistleblower protections to federal contractors. However, these protections only apply to “lawful disclosure” to a handful of government officers, such as the Director of National Intelligence. It does not provide any protection when a whistleblower speaks to the media or to advocacy organizations such as EFF.
Furthermore, the bill only protects whistleblowers against “personnel action,” so whistleblowers could still face criminal prosecution. The Espionage Act—a draconian law from 1917 with penalties including life in prison or the death penalty—has become the tool de jour to intimidate and punish public-interest whistleblowers. The Liberty Act will provide whistleblowers no protection against prosecution under the Espionage Act.
To make matters worse, the bill also creates new penalties for the unauthorized removal or retention of classified documents, including when done negligently. This will likely be another tool used to go after whistleblowers. This section of the bill must be significantly narrowed or cut.
Ending “About” Collection
The National Security Agency announced in April the end of a controversial form of spying known colloquially as “about surveillance.” After collecting data directly from the backbone of the Internet and doing a rough filter, government agents use key selector terms about targeted persons to search through this massive trove of data. In the past, these searches would not merely search the address lines (the to and from section of the communications) but would directly search the full contents of the communications, so that any mention of a selector in the body of the email would be returned in the results. Thus, communications of people who were not surveillance targets, and were not communicating with surveillance targets, were included in the results.
The NSA was unable to find a way to conduct this type of “about” searching while adhering to restrictions imposed by the FISA Court, and thus the agency discontinued the practice in April. However, this is currently a voluntary policy, and the agency could begin again. In fact, NSA Director Mike Rogers testified before Congress in June that he might recommend that Congress reinstitute the program in the future.
The Liberty Act codifies the end of “about surveillance.” It provides that the NSA must limit its targeting “to communications to or from the targeted person.” While the NSA’s upstream program will still collect the communications passing through the Internet backbone, including the communications of vast numbers of innocent U.S. and foreign citizens, the end of “about” surveillance will reduce the number of communications stored in the 702 database.
Other Positive Changes in the Bill
Critically, unlike some other pending reauthorization proposals, the Liberty Act will maintain Section 702’s “sunset,” ensuring that Congress must review, debate, and vote on this issue again in six years. Permanent reauthorization, which we strongly oppose, would prevent this Congressional check on executive overreach.
The Liberty Act makes some other modest improvements to the NSA’s surveillance practices. It gives the Privacy and Civil Liberties Oversight Board the ability to function without an appointed chair, which has been a persistent problem with this accountability body. It also puts in place new reporting requirements.
The bill would require the FISA Court to appoint an amicus curiae to assist it in reviewing the annual “certification” from the Attorney General and the Director of National Intelligence regarding the NSA’s Section 702 targeting and minimization procedures. This would be a helpful check on this currently one-sided process. However, the FISA Court could dispense with this check whenever it found the amicus appointment “not appropriate” – a nebulous test that could neuter this new safeguard.
A Few More Missing Pieces
Many vital fixes to the worst surveillance abuses of the NSA are missing from this bill.
Congress should clear a pathway for individuals to contest privacy abuses by the NSA. This includes ensuring that Americans whose data may have been “incidentally” collected by the NSA under Section 702 have legal standing to go to court to challenge this violation of their constitutional rights. It also requires an overhaul of the controversial state secrets privilege, a common law doctrine that government agencies have invoked to dismiss, or refuse to provide evidence in, cases challenging mass surveillance.
Congress should crack down on “incidental collection,” and ensure the communications of innocent Americans are not collected in the first place.
Finally, we need to empower the FISA court to review and approve the targets of NSA surveillance. Currently, the NSA receives only general guidelines from the FISA Court, with no individual review of specific targets and selector terms. This means the NSA has little obligation to defend its choice of targets, resulting in little recourse when agents are over-inclusive of inappropriate targets.
Next steps for the Judiciary Committee
Congress still has time to get this right. This bill hasn’t gone to markup yet, and the Judiciary Committee is likely to amend the bill before passing it to the floor. We urge the Judiciary Committee members to make changes to the bill to address these shortcomings.
As public awareness of NSA surveillance practices has grown, so too has public outrage. That outrage is the fuel for meaningful change. We passed one bill to begin reining in surveillance abuses in 2015, and from that small victory springs the political will for the next, more powerful reform. Join EFF in calling on Congress to rein in these surveillance abuses, and defend privacy for Internet users of today and in the years to come.
With assistance from Adam Schwartz.