Why Electronic Surveillance Reform is Necessary
Editor's Note: A full version of this paper, complete with citations, can be found here.
***
Published by The Lawfare Institute
in Cooperation With
Editor's Note: A full version of this paper, complete with citations, can be found here.
***
Over the next year, Congress will have to address one of the most controversial electronic surveillance statutes, the FISA Amendments Act (commonly referred to by one of its key provisions, Section 702), before it expires at the end of 2017. Legislators will have to wrestle with the public’s deep unease with electronic surveillance, given that the U.S. Intelligence Community (IC) consistently argues that Section 702 provides a key tool for national security and will urge its reauthorization. Members of Congress are then faced with the question, “Is reform necessary?”
Section 702 was written to be an important intelligence tool, but drafters did not give sufficient consideration to (1) how the statute is applied in the law enforcement context and (2) how the statute impacts U.S. companies operating in foreign jurisdictions. These two deficiencies have given rise to substantial concerns about the statute at home and abroad, and, in effect, mean that the statutory scheme is “out of balance”; the legitimate security concerns that motivated Section 702 currently outweigh valid concerns related to civil liberties and commerce. During consideration of the statute’s reauthorization, Congress has the opportunity to rebalance these concerns to safeguard Americans’ constitutional rights and ensure the continued global competitiveness of U.S. technology companies.
Background
After the terrorist attacks of September 11, 2001, the Bush Administration established a secret electronic surveillance program to collect data and search for terrorist communications. Under that program, known internally as Stellar Wind, Administration officials negotiated with telecommunications companies to obtain on U.S. soil their foreign-to-domestic traffic, doing so without obtaining court warrants. President Bush acknowledged the existence of the program at the end of 2005, after it was revealed in the media, but Congress did not investigate the program or begin to put statutory controls on it until after the President’s party lost control of Congress in the 2006 elections.
Congress passed the Protect America Act (PAA) in 2007 and the FISA Amendments Act, containing Section 702 in 2008. These statutes, which were controversial when they were enacted, aimed to allow the IC to collect needed foreign intelligence and counterterrorism information from U.S. telecommunications and internet companies while also providing additional checks on the IC. In drafting these laws, Congress focused mainly on the legal framework that applies to the IC for its collection abroad.
The IC’s legal authority derives from the President’s Commander in Chief powers under Article II of the Constitution and is further set out in Executive Order 12333. The focus of the IC’s efforts is foreigners abroad, who are not entitled to Constitutional protections. The theory is that if such foreigners are in contact with Americans, the Americans on the other end of the communication cannot assert a privacy interest for those foreigners. Indeed, the warrant requirement usually does not apply to the IC because the intelligence services generally operate against foreigners abroad.
Collection under Section 702 allows elements of the IC to collect data on U.S. soil without a warrant from non-U.S. persons located abroad. Intelligence collection under Section 702 is conducted through two different programs. The first program, known as PRISM, collects communications from what are known as “edge providers,” that is, companies that provide Internet content as opposed to Internet connections. The IC obtains access to edge provider communications after the Attorney General and the Director of National Intelligence issue directives, pursuant to guidelines approved by the Foreign Intelligence Surveillance Court, mandating that companies turn over certain information. After these directives are issued, a somewhat obscure branch of the FBI known as the Data Intercept Technology Unit (DITU) coordinates with edge providers, on behalf of the NSA, to collect content such as emails, video chats, and social media posts. This content is then transmitted by the DITU to the NSA, which then disseminates it to other intelligence agencies.
In addition to PRISM, the IC also obtains information through a program called Upstream. Upstream collects “all e-mail and voice data flowing through the Internet ‘backbone’—large fiber optic networks owned and operated by private companies like AT&T.” The NSA’s Special Source Operations (SSO) division partners with the corporate owners of these networks to gather data at certain key points, like at network routers or switches. The companies filter the data passing through these points according to directions they receive from the SSO, and this filtered data is then stored in NSA databases, from which it can be disseminated to other members of the IC.
Although PRISM and Upstream surveillance are similar in many ways, they also exhibit certain key differences. One of the most prominent differences is the type of communications they collect. PRISM only gathers information that is to or from a “selector”—an identifier like an email address, IP address, or social media handle that is associated with a target of foreign intelligence collection. However, Upstream collects information that is to, from, or about a selector. For example, if the NSA were targeting baddude@qaedamail.com, PRISM collection would only collect communications that were to or from that email address. However, Upstream, in addition to collecting such to or from communications, would also collect any communications that contained the email address baddude@qaedamail.com, even if they weren’t to or from that address. Upstream also collects multi-communication transactions (MCTs), which are bundles of communications of which one or more communications may be to, from, or about a targeted selector.
The scope of PRISM and Upstream cannot be overstated. These programs sift through massive quantities of data in an effort to find terrorist communications. in doing so, they are able to look at far more information than before in order to find the national security threat information they need.
The Government Argues that Section 702 is an Important Intelligence Tool
The NSA maintains that 702 surveillance “is the most significant tool in [the] NSA collection arsenal for the detection, identification, and disruption of terrorist threats to the U.S. and around the world.” The IC cites 53 counterterrorism investigations in which information obtained under 702 “contributed in some degree to the success of the investigation” over the first five years of the program. An independent panel established by President Obama, the Privacy and Civil Liberties Oversight Board, reached similar conclusions, stating in a 2014 report that “the information the [702] program collects has been valuable and effective in protecting the nation’s security and producing useful foreign intelligence.”
The effectiveness of 702 surveillance is perhaps most visible in the case of Najibullah Zazi, an Afghan-born American citizen who received bomb-making training in Pakistan and planned to attack the New York City subway in September 2009. In a statement submitted to the House Judiciary Committee in February 2016, officials from the Office of the Director of National Intelligence, the Counterterrorism Division of the FBI, and the Signals Intelligence Directorate of the NSA claimed that, by using Section 702 authorities, the NSA was able to intercept discussions between Zazi and a foreign contact concerning the attack. These intercepted communications were then passed on to the FBI, which performed its own investigation which culminated in thwarting the attack and the arrest and conviction of Zazi.
The case of Khalid Ouazzani and his co-conspirators, Sabirhan Hasanoff and Wesam El-Hanafi, is, according to former FBI Deputy Director Sean Joyce, another example of the effectiveness of 702 surveillance. Ouazzani, a U.S. citizen from Morocco, ran a used car parts store in Kansas City, Missouri, and provided material support to al-Qaeda by collaborating with Hasanoff and El-Hanafi. Joyce indicated in testimony before the House Intelligence Committee that 702 surveillance tied Ouzzani to a Yemeni extremist, with this leading the FBI to investigate and eventually convict Ouazzani and his accomplices.
Aside from these cases, the perception by terrorists that the U.S. is monitoring their communications could deter them from using communication technology to launch coordinated attacks. This deterrence could force terrorist groups to resort to the least deadly acts, like lone wolf attacks, to implement their agenda. It can also force them to rely upon in-person communications, with such communications likely being more susceptible to penetration by human intelligence sources.
While the government trumpets law enforcement successes under Section 702, it downplays the fact that such criminal investigations and prosecutions are carried out by the Justice Department and not the NSA. While the NSA gathers 702 information for the purpose of understanding national security concerns about foreigners abroad, the cases that the government cites deal with U.S. persons, operating in the U.S., and prosecuted by the Justice Department, a domestic law enforcement body, subject to the Constitution and Fourth Amendment. And while the NSA is not constrained by the Constitution in its surveillance of non-U.S. persons outside the US, the Justice Department’s job is to ensure that the Constitution is followed in the U.S.
Section 702’s Drafters Overlooked How Law Enforcement Uses Intelligence Information
The Fourth Amendment of the U.S. Constitution states,
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Courts have interpreted this text as requiring government authorities seeking to perform searches to, absent certain exigent circumstances, (1) swear an affidavit (2) before a neutral, detached magistrate (3) setting out with particularity (i.e. specificity) (4) the place, person, or things to be searched or seized. Upon fulfilling these requirements, the judge before whom a law enforcement officer appears may choose to grant or deny that officer a search warrant, depending on whether the judge believes that there is probable cause that evidence of a crime will be found.
The Fourth Amendment’s warrant requirements apply not only to physical searches, but also to searches of electronic information. Congress has explicitly acknowledged this in 18 U.S.C. § 2703 (the Stored Communications Act), which states that a “governmental entity may require the disclosure . . . of the contents of a wire or electronic communication . . . only pursuant to a warrant.” Therefore, in a normal law enforcement context, a federal agent operating inside the U.S. must adhere to the Fourth Amendment’s warrant requirement when seeking to acquire and search an American’s electronic communications.
While searches under the Stored Communications Act must be conducted pursuant to a warrant, with this offering assurances against unreasonable invasions of privacy, searches under Section 702 are noticeably lacking in such safeguards. This wouldn’t be a problem if Section 702 databases only contained the information of non-U.S. persons. But Section 702, while targeted at non-U.S. persons, inevitably collects the information of U.S. persons as well. Indeed, the courts have said that the SCA applies inside the US, and that law enforcement officials cannot use that statute to compel companies to produce the information in the US. However, if such information transits the US, the government can collect it under Section 702, regardless of the location of the target.
When law enforcement officials examine Section 702 databases, they may search for “U.S. person identifiers” (terms or indicators that are linked to a U.S. person). No search warrant is required to query such information. Rather, a law enforcement official may search for this information if the search is “reasonably designed to ‘find and extract’ either ‘foreign intelligence information’ or ‘evidence of a crime.’” Further, although Section 702 imposes a low level of judicial scrutiny for the creation of the large pools of information in 702 databases, when law enforcement searches a database for a particular individual’s communication, there is not higher judicial scrutiny for that query, despite the heightened privacy interest. In addition, for individual searches of 702 databases there is no neutral, detached magistrate; sworn affidavit; or particularized statement. In fact, even if a court were engaged in overseeing individual searches of U.S. person identifiers, there would be no way for it to assess the reasonableness of an FBI officer’s search, as the FBI does not require its analysts to document their rationales for querying U.S. person data.
While the standards for querying Section 702 data are well-suited for foreign intelligence purposes, they are woefully inadequate for law enforcement purposes. Under the Constitution, criminal defendants are entitled to protections from unreasonable searches and seizures, with the Fourth Amendment’s Warrant Clause being the primary bulwark against such invasions of privacy. However, the broad discretion to collect information under Section 702 can be construed so as to allow law enforcement agencies, like the FBI, to access Section 702 data not just for foreign intelligence purposes, but for purposes that are wholly focused on domestic criminal prosecutions. Such access, which avoids the more exacting requirements of the Stored Communications Act, is often referred to as a “backdoor search” or “U.S. persons search,” and there is significant evidence that such searches are a regular occurrence.
For example, in the Privacy and Civil Liberties Oversight Board’s 2014 Report, the drafters noted that
“[w]hen an FBI agent or analyst initiates a criminal assessment or begins a new criminal investigation related to any type of crime, it is routine practice . . . to conduct a query of FBI databases in order to determine whether they contain information on the subject of the assessment or investigation . . . The databases queried may include information collected . . . under Section 702.”
The Board further noted that “many” FBI analysts and agents “who solely work on non–foreign intelligence crimes” query Section 702 databases.
The troubling nature of backdoor searches of Section 702 databases should not be downplayed. The warrant requirement is one of the foundations of the U.S.’s justice system. Without it, law enforcement is given a blank check to subject Americans to intrusive, unjustified invasions of private life. Backdoor searches are a refutation of the necessity of a warrant, a refutation that, gone unchallenged, could seriously undermine the Fourth Amendment protections guaranteed by the Constitution.
A practice that is just as troubling as the FBI’s backdoor searches is the Justice Department’s failure to notify criminal defendants when evidence is introduced against them that is derived from Section 702 surveillance. Section 702 requires the government to notify defendants whenever information obtained through 702 authorities will be used against them in criminal proceedings, but there are indications that the government has often failed to fulfill such notice requirements. Most tellingly, for the first five years of collection under Section 702, not a single criminal defendant received notice of the use of evidence derived from its authorities, despite repeated testimony by government officials about the success of the program. After this initial drought, DOJ issued five notices in the latter months of 2013 and the early months of 2014. However, since April 2014, no further notices of the use of Section 702 data have been issued to criminal defendants. This suggests either a failure on the part of prosecutors to disclose the use of this information or that government officials are overstating the importance of this program in counterterrorism efforts.
Further, the failure to give notice to defendants about the use of Section 702-derived information prevents courts from reviewing the Constitutional adequacy of the surveillance statute, as applied in a law enforcement context.
Section 702’s Drafters Overlooked Its Impact on U.S. Companies Operating Abroad
While the IC maintains that Section 702 has sufficient protections for U.S. persons operating abroad, there is a significant category of U.S. actors that have been adversely affected by U.S. overseas surveillance: U.S. technology companies trying to compete internationally.
When made aware of the extent of Section 702 surveillance by the Snowden revelations, foreign governments, concerned that dealing with U.S. telecom and tech companies could expose their data to U.S. surveillance, refused to renew their contracts with U.S. companies and awarded contracts to foreign companies at the expense of their U.S. rivals. Examples of this may be found in Germany’s 2014 refusal to renew a contract with Verizon for Internet services and Microsoft’s 2013 loss of a contract to provide email services to the Brazilian government. In addition to this loss of government contracts, U.S. companies lost consumers to foreign companies. For example, after the Snowden revelations a Norwegian email company, Runbox, which touts itself as a foreign alternative to U.S.-based email services like Gmail, benefited from a 34 percent annual increase in customers. Some analysts estimate that NSA surveillance concerns could cost the U.S. cloud computing industry as much as $180 billion by 2016.
Perhaps the most worrisome outgrowth of the Snowden revelations came in the European Court of Justice’s (ECJ) decision to strike down the EU-U.S. Safe Harbor Agreement. The ECJ ruled that this pact, which allowed for U.S. companies to have their collection and use of EU persons’ data classified as compliant with EU data protection laws, failed to comport with privacy standards set forth by Article 25(6) of EU Directive 95/46 and the EU’s Charter of Fundamental Rights. The ECJ alluded to Section 702 programs when justifying its ruling, citing “legislation permitting the public authorities to have access on a generalised [sic] basis to the content of electronic communication” as one of the reasons for the Safe Harbor Agreement’s invalidity.
The invalidation of the Safe Harbor Agreement was no small matter. U.S. companies regularly transfer data about EU customers and employees across the Atlantic to their U.S.-based servers. With the Safe Harbor gone, U.S. companies, absent standard contractual clauses or binding corporate rules, could now be forced to store consumer data in European facilities or be subject to penalties imposed by regulators. The cost of localizing data or complying with each EU member’s data protection regulations could be especially prohibitive for U.S. small and medium-sized enterprises.
Although EU and U.S. officials have recently implemented a replacement for the Safe Harbor Agreement, a framework known as the EU-U.S. Privacy Shield, it is by no means certain that this successor agreement will withstand judicial scrutiny. In fact, less than three months after the Privacy Shield framework began to operate, the non-profit Digital Rights Ireland filed a challenge to it in the ECJ’s lower General Court. In its challenge, Digital Rights Ireland alleged that the European Commission’s decision to approve the Privacy Shield did not comply with European law and cited Section 702 as a reason for such noncompliance. The ECJ has yet to rule on this challenge.
One of the main objections that parties like Digital Rights Ireland have raised is that the EU-U.S. Privacy Shield still allows for generalized surveillance of EU communications. Although, as part of the agreement, U.S. authorities assured European policymakers that “any access of public authorities to personal data will be subject to clear limitations, safeguards, and oversight mechanisms” and “affirm[ed] [the] absence of indiscriminate or mass surveillance,” the Europeans may be wise to be skeptical. In the past, even though U.S. authorities have assured Americans that their data is subject to certain protections, declassified FISC opinions and leaked documents reveal that such protections have often been flouted. If such disregard for the privacy interests of Americans has occurred, it is not outlandish to suspect that similar disregard will be expressed for Europeans’ privacy interests.
Even if Privacy Shield withstands the scrutiny of the ECJ, there is no guarantee that the European Commission won’t reassess its support for the program. Although U.S. officials have, with the impending advent of a Trump presidency, assured European authorities of the nation’s continued commitment to surveillance limitations imposed through Privacy Shield, such assurances are only as good as the consistency with which they are applied by the incoming Administration.
The fragile nature of U.S. promises on Privacy Shield is highlighted by the stances of President-elect Trump’s nominees for key national security positions. Trump’s pick for CIA Director, Rep. Mike Pompeo, has been a prominent critic of efforts to reform U.S. surveillance practices and has accused the Obama Administration of “blunting its surveillance powers.” Trump’s pick for Attorney General, Sen. Jeff Sessions, has been such an uncompromising cheerleader for surveillance that some worry that his tenure at the Justice Department could make “the Hoover era [look] like child’s play.” If these surveillance reform skeptics walk back the protections offered to the Europeans, or worse, broaden the scope of U.S. surveillance, the European Commission may be reluctant to reauthorize Privacy Shield when it reviews the program in 2017. Such reluctance could portend future economic storms for the tech and telecom sectors, including the worrisome costs of data localization, punitive payouts in privacy-related litigation, and, in a worst-case scenario, the severance or severe curtailment of transatlantic data flows.
Section 702 Reforms Must Protect the Rights of Americans and Redefine Government’s Relationship with U.S. Corporations
Section 702, while a helpful framework for conducting foreign intelligence, poses troubling quandaries when it comes to civil liberties and U.S. corporate interests. However, these worrisome conundrums can be addressed if lawmakers enact reforms that enhance the rights of Americans and redefine the government’s relationship with U.S. corporations.
First, efforts should be made to address the backdoor searches and notice deficiencies evident in FBI use of Section 702 data. Although the FISC has deemed backdoor searches to be constitutional, many scholars believe that the FISC was wrong to classify them as such. For example, Amy Jeffress, the former Counselor to the Attorney General for National Security and International Matters, argues that backdoor searches “are inconsistent with the requirements of the Fourth Amendment.” Georgetown law professor Laura Donahue claims that backdoor searches, among other practices facilitated by Section 702, have come at the cost of “inroads into rights that we have long—and for good reason—protected.” Making changes to Section 702 to address FBI queries using U.S. person identifiers and failures to give notice to criminal defendants would help ensure that Americans’ constitutional rights are protected.
Second, efforts need to be made to redefine the government’s relationship with the tech and telecom industries. Technology executives have repeatedly signaled their disapproval of what they describe as government overreach in the realm of surveillance. For example, in 2013 Facebook CEO Mark Zuckerberg said that “[r]eports about government surveillance have shown there is a real need for . . . new limits on how governments collect information.” Microsoft’s general counsel Brad Smith went so far as to argue that government surveillance posed an existential risk to the American tech industry, arguing that “People won’t use technology they don’t trust. Governments have put this trust at risk.” Statements such as these highlight the dissatisfaction that much of the tech industry currently feels with the state of surveillance and drive home the need for the government to empower the industry to push back against surveillance practices that could harm companies’ bottom lines. If such a rebalancing of government-industry relations is not prioritized, the government risks further antagonizing the industry and making it harder to work with tech companies to ensure the nation’s security. Furthermore, the tech industry’s unease with the current state of surveillance illustrates the need for lawmakers to seek out industry expertise when faced with making changes to Section 702, as any modifications can have a drastic impact on industry profitability and government relations with the tech industry.
Conclusion
Section 702 is a valuable intelligence tool that exhibits some significant deficiencies in its protections for U.S. persons in a law enforcement context and for U.S. competitive interests abroad. Policymakers should craft reforms that guard against the misuse of Section 702 by law enforcement and redefine the relationship between the IC and tech companies. As they do so, policymakers can ensure that Section 702 continues to fulfill its vital national security functions while also respecting the civil liberties and corporate interests of U.S. persons and companies.