Foreign Surveillance Post-9/11: A History of Privacy Erosion
by alethoBy Katitza Rodriguez and Mark Rumold and Tamir Israel | EFF | June 15, 2013
In order to fully appreciate how the revelations of this past week
will impact non-Americans based outside of the United States, a little
background on the legal framework on how the U.S. foreign intelligence
apparatus operates is helpful. The centerpiece of this framework is the
Foreign Intelligence Surveillance Act (FISA), enacted in the late 70s.
Historically, relying on a national security exception contained in the
Wiretap Act, the United States government considered it had no obligation
to obtain authorization from a court before intercepting communications
for the purpose of national security. This changed in 1972, when the
Supreme Court of the United States first held
that the Fourth Amendment warrant requirement does apply to
surveillance carried out in the name of national security – at least
with respect to domestic threats:
Security surveillance is especially sensitive because of the inherent vagueness of the domestic security concept, the necessarily broad and continuing nature of intelligence gathering, and the temptation to utilize such surveillance to oversee political dissent. We recognize, as we have before, the constitutional basis of the President's domestic security role, but we think it must be exercised in a manner compatible with the Fourth Amendment. In this case we hold that this requires an appropriate prior warrant procedure.
These
words of caution rang true when it was later revealed that the
Government’s unauthorized intelligence-gathering activities had included
extensive surveillance of
journalists, anti-war protestors, dissident groups and even political
opponents. The congressional hearings that followed, called the Church Committee,
led to what was perhaps the first comprehensive public look at the
activities of the National Security Agency–a clandestine intelligence
entity that had been colloquially dubbed “No Such Agency”
to reflect its unique ability to defy any attempt to document or
oversee its activities. Against this backdrop, FISA was passed
specifically for the purpose of limiting foreign intelligence activities
from being directed at U.S. persons.
While
FISA was always generous in the powers it granted U.S. government
agencies with respect to the surveillance of foreign agents, a series of
amendments beginning with the USA PATRIOT Act and culminating with the
FISA Amendment Act, 2008, transformed FISA into the vehicle for mass
surveillance it is today. Notably, these amendments, as the U.S.
government ultimately interpreted them:
- (a) provided a broader set of powers under which various digital service providers were compelled to assist U.S. foreign intelligence agencies in their activities;
- (b) removed the need for intelligence agencies to direct their activities at ‘foreign powers’ or ‘agents of foreign powers’ by making any non-U.S. person the legitimate focus of surveillance; and
- (c) applied these extra-ordinary powers to a broader set of circumstances by removing the obligation to ensure ‘foreign intelligence’ is a primary objective for their use.
These
amendments furnished the United States government with at least two
powerful secret legal surveillance powers that have apparently been used
by the NSA to conduct broad surveillance of both U.S. and non-U.S.
persons:
- a business records power (section 215 of the USA PATRIOT Act, codified as 50 USC §1861) under which the U.S. Government can compel production of ‘any tangible thing’ reasonably believed to be relevant to an authorized investigation conducted for the purpose of obtaining foreign intelligence. The government has now confirmed that it has secretly interpreted ‘any tangible thing’ to include ”all call detail records”, and its telephone metadata surveillance program is based on this power; and
- a new general acquisition and interception power (section 702 of FISA, codified as 50 USC §1881a) that allows U.S. government agencies to compel access –possibly in real-time – to information from a diverse range of communications and data processing services. This second power has played a central role in populating the PRISM program.
Lots
of problems surround the breadth of these powers and the secretive
manner by which they have been interpreted. Very few substantive limits
are placed on these powers. To make matters worse, these powers are
interpreted secretly and are highly and effectively insulated from any
adversarial challenge. This permits the government to adopt the most
favourable interpretations it can devise, as has been shown in other contexts. The secret and non-adversarial context in which these interpretations are occurring is particularly problematic given the challenges inherent in applying privacy protections to technologically advanced state surveillance techniques.
Of
the few existing internal limits FISA places on its powers, most relate
to the need to limit exposure of U.S. persons. The only substantive
protections that do not relate to this objective include a loose
obligation that the powers be employed for foreign intelligence
purposes, compatibility with the Fourth Amendment and the fact that both
powers are subject to some limited, but highly secretive Judicial and
Congressional review. None of these safeguards is highly reassuring,
particularly to non-U.S. persons.
Safeguards primarily designed to limit exposure of U.S. persons
To
the extent there are limitations placed on these two FISA powers, they
are primarily designed to limit the exposure of U.S. persons. The
business records power, for example, cannot be directed at U.S. persons
solely on the basis of activities protected by the First Amendment. The
general acquisition power can only be directed at persons reasonably
believed to be located outside the United States and reasonably believed
to be non-U.S. persons. A recent leak, however, suggests that the United States Government has secretly interpreted this to require only 51% assurance of foreignness.
The
general acquisition power is also subject to general minimization
(§1801 (h)) and targeting (§1881a (i)(2)(B)) procedures, which must be
approved by FISC. The sole objective
of these requirements is to minimize the targeting, collection and
retention of private information of U.S. persons. Of course, it remains
secret how the specific techniques adopted seek to achieve this. The
business records power also includes minimization procedures, but these
only relate to minimizing the retention and dissemination of non-public information concerning U.S. persons, not, apparently, its collection (§1861 (g)(2)).
It
has become clear over the past several days that the Government and
FISC have secretly interpreted these various safeguards in a woefully inadequate
manner that fails to achieve even the basic requirement of insulating
U.S. persons from their reach. Non-U.S. persons, however, will probably
be most concerned by the fact that nothing in FISA or elsewhere in U.S. law seems to effectively limit the extent to which their own online activities are being surveiled.
Next in our Spies Without Borders series,
we will examine how the few protections FISA offers to individuals
outside the United States provide little or no protection under US law.
No comments:
Post a Comment