A Deep Dive into the House's Version of Narrow NSA Reform: The New USA Freedom Act
NSA reform is finally moving in Congress. Last year, Senator Patrick Leahy and Representative Jim Sensenbrenner introduced the USA Freedom Act, one of the first comprehensive bills to address multiple aspects of the NSA's spying. The Senate version has languished since October, but last week the House Judiciary Committee (chaired by Rep. Bob Goodlatte) introduced and passed out of committee a heavily rewritten House version. As a result, two versions of the USA Freedom Act exist: the narrowed House version and the more encompassing Senate version. The movement in the House is a good indication that Congress is still engaged with NSA reform, but the House's bill must be strengthened and clarified to ensure that it accomplishes one of its main intentions: ending mass collection.
Here's how the House version of the USA Freedom Act compares to the Senate's version, what the new House version of the USA Freedom Act does, and what it sorely lacks.
The Senate's Version of USA Freedom Act
As we mentioned when the original USA Freedom Act was first introduced, it proposed changes to several NSA activities and limited the bulk collection of all Americans' calling records. It would fix a key problem with Section 702 (.pdf) of the Foreign Intelligence Surveillance Amendments Act (FISAA), bring more transparency to the Foreign Intelligence Surveillance Act Court (FISA court), and introduce a special advocate to champion civil liberties in the FISA court.
The House's New Version of the USA Freedom Act:
The new USA Freedom Act concentrates on prohibiting the collection of all Americans' calling records using Section 215 of the Patriot Act. Other sections of the bill would allow the FISA Court to assign amici, or non-parties who can brief issues before the court; create new government reports about the spying powers; and create new company reports detailing how many accounts and customers are affected by FISA Court orders.
First and foremost, the bill introduces a different conceptual approach to prohibiting mass spying under Section 215. Unlike the Senate version, which tries to stop the mass collection of calling records by mandating that the records sought "pertain to" an agent of a foreign power or their activities—an approach that we’ve worried about because “pertains to” and “relevant” are so similar—the House version mandates that a "specific selection term" (currently defined as uniquely describing a person, entity, or account) be the "basis for the production" of the records. The overall language may be stronger than in the old USA Freedom Act, but "specific selection term" must be further defined as "entity" could be construed expansively. After the order is filed, the government can obtain up to "two hops"—which may be too expansive for many investigations—from the selection term.
The bill also tries to tighten the "minimization procedures" that apply to government collection of records using Section 215 and other spying authorities like national security letters and the FISA Pen Register/Trap and Trace (PR/TT) provision. But the procedures only touch the FBI, not other agencies—like the NSA—that may be obtaining records using Section 215. In addition, the House version uses language we've seen in Section 702's minimization procedures. If you remember, those procedures are horrendous. They allow for the overcollection, overretention, and oversharing of Americans' communications "mistakenly" collected. The House must draft stronger minimization language to completely ensure improper information about untargeted users is not collected. For instance, simply inserting the word “acquisition” or “collection” would help.
Will Providers Be Forced to Decrypt?
Currently, Section 215 of the Patriot Act is intended for the government to obtain records created in the normal course of business. If the records don't exist at the time of the order, then the government uses a different tool. Unfortunately, the House's version of USA Freedom also includes a "provider assistance" clause. This means that a company served with an order must technically assist the government in obtaining the information.
One might think that “assistance” merely means helping to execute the order in a ministerial way, but we worry that it could be used much more broadly—especially when the clause mirrors language in the PR/TT statute that the Department of Justice has used to pressure secure email providers to warrantlessly disclose their encryption keys, potentially revealing private data of all of the service’s customers.
Another question the clause raises is whether or not the government could obtain an order for information not collected by the business, but with an assistance mandate that forces the company to collect such data in direct conflict with its ordinary business practice. This situation has already occurred in other contexts: under the bulk Internet metadata collection program, the government forced providers to collect information the providers were not initially collecting. The technological way in which the providers implemented the government's demands ended up collecting the content of communications.
What Does "Basis for the Production" Mean?
While the new USA Freedom appears to strengthen the prohibition on using Section 215 to collect all Americans' calling records, it permits overly expansive searches because the selection term mentioned above must only be used as the "basis for production" of the records sought. The bill does not require that the records belong to or be created by the person or entity identified by the selection term. So as written, the records could merely contain the selection term. Combined with "two hops," the ambiguity presents the government with the ability to cast a potentially overbroad net to search with.
New USA Freedom Must Reform Section 702
The House's version of USA Freedom drops many of the reforms dealing with Section 702 found in the Senate's version. For example, one reform dealt with the "backdoor" loophole that the government uses to retain and search Americans' emails and phone calls collected under the statute. The House version also fails to address other problems with Section 702, like "about" searching, the overbroad targeting procedures and minimization procedures, the definition of "foreign intelligence information," and the rights of innocent users. Rep. Zoe Lofgren introduced amendments to fix many of these problems, but without success. At the minimum, the House must reincorporate the Senate's fixes to Section 702.
The Senate Moves Forward
While the House's USA Freedom Act may do a better job of addressing bulk collection under Section 215 and related statutes, it is much weaker in all other regards. Fortunately, the Senate version of the bill remains unchanged. Senator Leahy noted that he plans to push forward with the Senate's version of USA Freedom over the summer. In the meantime, the Privacy and Civil Liberties Oversight Board will issue a comprehensive report on Section 702.
It's good to see the House move forward on surveillance reform, but we must ensure Congress takes up all of the issues regarding NSA's egregious activities. We urge EFF members to help us advance the stronger version of the USA Freedom Act by telling your Senator now to support the Senate version of the bill.
Recent DeepLinks Posts
Mar 27, 2017
Mar 27, 2017
Mar 27, 2017
Mar 26, 2017
Mar 26, 2017
- Fair Use and Intellectual Property: Defending the Balance
- Free Speech
- UK Investigatory Powers Bill
- Know Your Rights
- Trade Agreements and Digital Rights
- State-Sponsored Malware
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Artificial Intelligence & Machine Learning
- Bloggers' Rights
- Border Searches
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Electronic Frontier Alliance
- Encrypting the Web
- Export Controls
- Eyes, Ears & Nodes Podcast
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2016 Copyright Review Process
- Genetic Information Privacy
- Government Hacking and Subversion of Digital Security
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- Mobile devices
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Offline : Imprisoned Bloggers and Technologists
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Reclaim Invention
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Shadow Regulation
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- Student Privacy
- Stupid Patent of the Month
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- TPP's Copyright Trap
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- Video Games