What Should, and Should Not, Be in NSA Surveillance Reform Legislation
Following a wave of polls showing a remarkable turn of public opinion, Congress has finally gotten serious about bringing limits, transparency and oversight to the NSA’s mass surveillance apparatus aimed at Americans.
While we still believe that the best first step is a modern Church Committee, an independent, public investigation and accounting of the government’s surveillance programs that affect Americans, members of Congress seem determined to try to enact fixes now. Almost a dozen bills have already been introduced or will be introduced in the coming weeks.
While we’re also waiting to see what the various bills will look like before endorsing anything, here’s—in broad strokes—what we’d like to see, and what should be avoided or opposed as a false response. We know full well that the devil is in the details when it comes to legislation, so these are not set in stone and they aren’t exhaustive. But as the debate continues in Congress, here are some key guideposts.
This first post focuses on surveillance law reform. In later posts we’ll discuss transparency, secret law and the FISA Court as well as other topics raised by the ongoing disclosures. In short, there's much Congress can and should do here, but we also need to be on the lookout for phony measures dressed as reform that either don't fix things or take us backwards.
Patriot Act and FISA Amendments Act Reform
—Stop Bulk Collection. The starting point for NSA reform would be a definitive statement that court orders for bulk collection of information are not allowed and indeed are illegal. At all times, a specific person or specific identifier (like a phone number or email address) or a reasonable, small and well-cabined category (like a group on the terrorist list or member of a foreign spy service) must be specified in the context of an investigation. And a category like: “all records of all Verizon customers,” is neither reasonable, small nor well-cabined.
—Limits on Hops. Clarification that if one identified person is under investigation, the NSA does not have the authority to run analysis of call records on persons “two hops” or “three hops” away from that person without a separate court authorization.
—Metadata Protection. Information about communications, also called metadata or noncontent, requires probable cause warrants issued by a court (or the equivalent) whenever it reveals previously nonpublic information about or comprising your communications. This includes revealing your identity if it is not public, what websites you visit and information you read, who you communicate with, when, from where, and for how long. Public metadata information, such as information about Facebook wall posts, public tweets and followers or information available in telephone books or similar resources should not be included in this requirement. This is also contained in the International Principles on the Application of Human Rights to Communications Surveillance that applies international human rights principles to the digital age that EFF and hundreds of NGOs around the world have recently endorsed.
—Location Information. Metadata about your location, including cell phone GPS data, IP addresses and cell tower information should also require a probable cause warrant. The NSA claims the legal authority to collect this information on Americans in mass quantities as well, but claims they do not do so, but Senator Wyden indicates that this might not be the whole story.
—Congressional Disfavor of Third-Party or Business Records Doctrine. Eliminate the so-called third-party or business records doctrine. The fact that communications or communications records are held, collected or generated by third parties should be irrelevant to their protection under privacy statutes. Congress should also state firmly that the fact of third party involvement should be irrelevant to a person’s "reasonable expectation of privacy," as this may assist the courts when considering Fourth Amendment implications.
—Americans Protected Even if Communicating with a “Target.” Confirm the NSA must obtain a specific, probable cause warrant to seize or search Americans’ communications when they are picked up via a FISA court order or otherwise even if the American is not the “target” of the order. Often while the “target” of orders are foreign, American communications are vacuumed up and able to be searched thereafter without a warrant.
—U.S. Law Protects All Data in the U.S. Ensure that the protections of American law, including standing to sue to challenge violations of law, apply to all data accessed by the NSA in the United States, even if the data is about a non-U.S. person. This can help American businesses by assuring foreigners that they may use U.S.-based communications services without discrimination and will enjoy the same rights as U.S. persons when the government comes knocking.
—Legal Protections Start with Any Government Access. Confirmation that the legal protections start when the government has any access to the information under the Wiretap Act, FISA and other laws. The NSA has claimed at various times that the legal protections do not start until a human reviews the information or when it is "processed" or otherwise prepared for human review, thus excluding any legal protections against collection, storing and even apparently many kinds of analysis done by computers. This gamesmanship should end.
—Seizures or Searches Done With Technological Assistance Still Count. Confirm that seizures and searches done by computers are “seizures and searches” for purposes of the Fourth Amendment and search and seizure laws. Again the government seems to be taking the position that only human review counts, and that's not sensible, right or sufficiently protective of Americans. The use of technology to do what humans used to do, only faster, more efficiently and likely more accurately, shouldn’t change the level of protections that Americans enjoy in their communications and communications records.
-Information Gathered for National Security Purposes Cannot be Used for Other Purposes. Completely unsurprisingly, news is now starting to come out about use of the NSA collected information for ordinary criminal prosecutions completely unrelated to national security or terrorism. Congress must make this illegal and grant standing and severe sanctions to anyone whose data is misused in this way.
Confirm Public, Adversarial, Federal Court Role
—State Secrets Reform. State Secrets reform that resembles the late Sen. Kennedy’s proposal from 2008. The government has tried to use the state secrets privilege to dismiss EFF’s multiple lawsuits challenging the NSA, as well as those of many others, despite the fact there are hundreds of pages of public evidence documenting unconstitutional actions.
—Public, Adversarial Courts Must Determine if Surveillance is lawful. Confirmation that federal courts are clearly allowed to hear challenges to illegal surveillance, no matter if the government considers it “classified” or not. Security procedures like those outlined in 50 U.S.C. 1806(f) may apply, but the courts must always be able to determine whether the surveillance was lawful.
—Standing. Standing must be granted for those who have a well-founded fear of surveillance in language that will fix the problem that was identified by the Supreme Court in Clapper v. Amnesty.
—Reform Sovereign Immunity. Remove sovereign immunity provisions in the FISA Amendments Act to more clearly allow plaintiffs to stop unconstitutional programs, obtain injunctions and seek damages free of the FTCA.
—Confirm FISA Procedures for National Security Evidence. Confirm that 1806(f) plainly applies to all claims for illegal surveillance, not just FISA ones and including constitutional ones. 1806(f) is a provision in FISA that overrides the state secrets privilege.
PHONY “REFORMS” TO RESIST
Just as important as ensuring good reforms is resisting phony or bad ones. Here are a couple that we will be watching for as the debate continues.
—Data Retention. A “compromise” has recently been floated by several members of Congress that instead of the NSA holding onto phone records for five years, the phone companies should do it themselves, without limiting NSA access capabilities. Even NSA critics like Sen. Mark Udall have suggested this be a solution. The US currently has no data retention laws, but companies often keep information on customers for months or years at a time. Creating logs as a way to “solve” the NSA’s access problem is no solution—indeed it ignores the problem that the NSA has bulk access in the first place.
Congress has tried to pass flawed data retention legislation before, most recently by SOPA author Rep. Lamar Smith, but it was abandoned after protest from the Internet community that it would violate users privacy. Data retention laws create a honeypot of sensitive data available to malicious hackers, or accidental disclosures. But most importantly, the problem isn’t that the NSA has custody of the information, it’s that it has access to the information in bulk. Shifting custody without limiting access does nothing.
—CALEA II or Internet Backdoors. This has not yet been floated, as far as we know, but any effort to reform the law in light of the NSA surveillance must not itself require that communications companies increase the surveillance capabilities of their systems. The FBI has been secretly lobbying for years for an update to Communications Assistance for Law Enforcement Act (CALEA), which would essentially force large internet companies to build a backdoor into their systems so the feds could more easily get real-time access to communications. Given the level of distrust users have had with Internet companies after their involvement in the PRISM program with the NSA, this bill should be permanently shelved, instead of being part of any sort of compromise reform bill relating to the NSA. As we’ve explained before, this bill would not only make Internet communications less private, it would inhibit innovation and make the Internet less secure as well.