UPDATE: We're happy to report that this controversial provision was removed from the 2016 Intelligence Authorization bill.

EFF joined a broad coalition of 31 organizations in sending a letter to Senate leadership opposing an unconstitutionally vague bill that would require Internet companies to report to the government when they obtain “actual knowledge” of any “facts and circumstances” related to “terrorist activity.” Section 603 of the Intelligence Authorization Act for Fiscal Year 2016 (S. 1705), which does not define “terrorist activity,” raises significant First and Fourth Amendment concerns, including the chilling of protected speech and the warrantless search and seizure of private electronic content. 

First Amendment Concerns

The most obvious flaws in Section 603 are its vagueness and overbreadth: it will chill wholly legal speech and conduct. The key reason is that there is no clear agreement in U.S. society about what counts as “terrorism” (and triggers mandatory reporting). The single, tiny island of clarity in the term “terrorist activity” is one non-exclusive reference to 18 U.S.C. § 842(p), which makes it unlawful for a person to distribute information relating to explosives if the person has knowledge that the recipient intends to use the information to commit a violent crime. Otherwise, Section 603 is a Rohrschach blot. 

Because Section 603 leaves both companies and users uncertain as to what exactly triggers the mandatory reporting requirement, this vague obligation to report will encourage service providers to broadly implement the law and will, in turn, encourage users to self-censor to avoid being reported to the federal government as possible “terrorists.” Without further clarification, the bill will likely put innocent political activists, journalists, engaged citizens, professors and students participating in wholly lawful debate and research under a cloud of suspicion. For many, the risk of being put on a mysterious government watch list will more often than not outweigh the benefit of speaking.

With limited context for, say, a tweet or private direct message, service providers will err on the side of over-reporting and submit First Amendment-protected speech through content-flagging or automated monitoring systems. Section 603 includes a “protection of privacy” subsection, which clarifies that nothing in the provision “may be construed to require [a] service provider…to monitor any user…or the content of any communication.” Yet this “protection” does little to counteract the pressure on intermediaries to monitor their users’ behavior and content. While intermediaries often rely on content-flagging systems that enable users to report apparent unlawful or abusive activity of other users, this mechanism is prone to fraudulent notices. An automated monitoring system based on keywords would allow intermediaries to avoid having to themselves make decisions about their users’ content. But because it’s not obvious what constitutes “terrorist activity,” a user could be reported any time she uses a buzzword related to terrorist groups, the Middle East, U.S. foreign policy, or a particular political ideology. 

Fourth Amendment Concerns

Section 603 not only chills lawful speech, it also tries to evade constitutional barriers that protect against unreasonable searches and seizures of private communications by the government.

EFF has consistently argued that a warrant based on probable cause is required for compelled government access to content stored by “cloud” service providers. In United States v. Warshak, the Sixth Circuit held that the government cannot access email content without a warrant because users have a Fourth Amendment-protected reasonable expectation of privacy in the email content that they store with these intermediaries.

While Section 603 does not permit the government to demand the production of content, it does require Internet companies to report content—including private content—reflecting “terrorist activity.” There is no question that this kind of mandatory reporting statute is subject to Fourth Amendment scrutiny, not unlike the ordinance found unconstitutional in Los Angeles v. Patel.

The applicability of the Fourth Amendment is particularly important given the amount of private content the government will acquire under this provision. As noted above, this mandatory provision will encourage companies to over-report both public and private content to the government. This will enable the government to evade normal due process requirements—including meeting legal standards such as probable cause and submitting to judicial review—while collecting much private content protected by the Fourth Amendment.

Future Action

Section 603’s constitutional implications have not gone unnoticed in Congress. On July 27, the Senate was set to pass the bill by unanimous consent until Sen. Wyden objected to this expedited procedure. The Senate will now have to engage in the normal process of debate and amendment, or remove this provision from the bill to prompt Sen. Wyden to withdraw his objection and enable the bill to pass by unanimous consent. The government should not be permitted to evade constitutional limits by turning private companies into watchdogs with no leashes. We urge Senate leadership to withdraw Section 603 from the intelligence authorization bill.

Post co-authored by EFF Legal Intern Erica Fisher

Related Issues