Spies Without Borders II
This is the second article of our Spies Without Borders series. This article has been co-authored by Tamir Israel, Staff Lawyer at CIPPIC, Katitza Rodriguez, EFF International Rights Director and Mark Rumold, EFF Staff Attorney. The Spies Without Borders series looks into how the information disclosed in the NSA leaks affects Internet users around the world whose private information is stored in U.S. servers, or whose data travels across U.S. networks. This article has been crossposted on the website of OpenMedia.ca.
In order to fully appreciate how the revelations of this past week will impact Internet users around the world whose private information is stored in U.S. servers, or whose data travels across U.S. networks, a little background on the U.S. legal framework is helpful. The centerpiece of this framework is the Foreign Intelligence Surveillance Act (FISA), enacted in the late 70s. Historically, relying on a national security exception contained in the Wiretap Act, the United States government considered it had no obligation to obtain authorization from a court before intercepting communications for the purpose of national security. This changed in 1972, when the Supreme Court of the United States first held that the Fourth Amendment warrant requirement does apply to surveillance carried out in the name of national security – at least with respect to domestic threats:
Security surveillances are especially sensitive because of the inherent vagueness of the domestic security concept, the necessarily broad and continuing nature of intelligence gathering, and the temptation to utilize such surveillances to oversee political dissent. We recognize, as we have before, the constitutional basis of the President's domestic security role, but we think it must be exercised in a manner compatible with the Fourth Amendment. In this case we hold that this requires an appropriate prior warrant procedure.
These words of caution rang true when it was later revealed that the Government’s unauthorized intelligence-gathering activities had included extensive surveillance of journalists, anti-war protestors, dissident groups and even political opponents. The congressional hearings that followed, called the Church Committee, led to what was perhaps the first comprehensive public look at the activities of the National Security Agency – a clandestine intelligence entity that had been colloquially dubbed “No Such Agency” to reflect its unique ability to defy any attempt to document or oversee its activities. Against this backdrop, FISA was passed specifically for the purpose of limiting foreign intelligence activities from being directed at U.S. persons.
While FISA was always generous in the powers it granted U.S. government agencies with respect to the surveillance of foreign agents, a series of amendments beginning with the USA PATRIOT Act and culminating with the FISA Amendment Act, 2008, transformed FISA into the vehicle for mass surveillance it is today. Notably, these amendments, as the U.S. government ultimately interpreted them:
- (a) provided a broader set of powers under which various digital service providers were compelled to assist U.S. foreign intelligence agencies in their activities;
- (b) removed the need for intelligence agencies to direct their activities at ‘foreign powers’ or ‘agents of foreign powers’ by making any Internet users abroad the legitimate focus of surveillance; and
- (c) applied these extraordinary powers to a broader set of circumstances by removing the obligation to ensure ‘foreign intelligence’ is a primary objective for their use.
These amendments furnished the United States government with at least two powerful secret legal surveillance powers that have apparently been used by the NSA to conduct broad surveillance of both U.S. Internet users and Internet users abroad:
Business records power (section 215 of the USA PATRIOT Act, codified as 50 USC §1861):
- Under the business records power, the U.S. Government can compel production of ‘any tangible thing’ reasonably believed to be relevant to an authorized investigation conducted for the purpose of obtaining foreign intelligence. The government has now confirmed that it has secretly interpreted ‘any tangible thing’ to include “all call detail records”, and its telephone metadata surveillance program is based on this power; and
General acquisition and interception power (section 702 of FISA, codified as 50 USC §1881a):
- This general acquisition and interception power allows U.S. government agencies to compel access – possibly in real time – to information from a diverse range of communications and data processing services. This second power has played a central role in populating the PRISM program.
Lots of problems surround the breadth of these powers and the secretive manner by which they have been interpreted. Very few substantive limits are placed on these powers. To make matters worse, these powers are interpreted secretly and are highly and effectively insulated from any adversarial challenge. This permits the government to adopt the most favourable interpretations it can devise, as has been shown in other contexts. The secret and non-adversarial context in which these interpretations are occurring is particularly problematic given the challenges inherent in applying privacy protections to technologically advanced state surveillance techniques.
Of the few existing internal limits FISA places on its powers, most relate to the need to limit exposure of U.S. persons. The only substantive protections that do not relate to this objective include a loose obligation that the powers be employed for foreign intelligence purposes, compatibility with the Fourth Amendment and the fact that both powers are subject to some limited, but highly secretive Judicial and Congressional review. None of these safeguards is highly reassuring, particularly to Internet users abroad whose private information is stored in U.S. servers, or whose data travels across U.S. networks.
Safeguards primarily designed to limit exposure of U.S. persons
To the extent there are limitations placed on these two FISA powers, they are primarily designed to limit the exposure of U.S. persons. The business records power, for example, cannot be directed at U.S. persons solely on the basis of activities protected by the First Amendment. The general acquisition power can only be directed at persons reasonably believed to be located outside the United States and reasonably believed to be Internet users abroad. A recent leak, however, suggests that the United States Government has secretly interpreted this to require only 51% assurance of foreignness.
The general acquisition power is also subject to general minimization (§1801 (h)) and targeting (§1881a (i)(2)(B)) procedures, which must be approved by FISC. The sole objective of these requirements is to minimize the targeting, collection and retention of private information of U.S. persons. Of course, it remains secret how the specific techniques adopted seek to achieve this. The business records power also includes minimization procedures, but these only relate to minimizing the retention and dissemination of non-public information concerning U.S. persons, not, apparently, its collection (§1861 (g)(2)).
It has become clear over the past several days that the Government and FISC have secretly interpreted these various safeguards in a woefully inadequate manner that fails to achieve even the basic requirement of insulating U.S. persons from their reach. The rest of the world, however, will probably be most concerned by the fact that nothing in FISA or elsewhere in U.S. law seems to effectively limit the extent to which their own online activities are being surveilled.