A new call for U.S. surveillance reform

On June 2, 2015, the U.S. Congress passed the USA FREEDOM Act to reform certain U.S. surveillance authorities. At the time we praised the bill as an important step toward badly needed, comprehensive reform of U.S. surveillance law — the first in decades. We also indicated that the reform process was only just beginning.

Today we are renewing our call to reform the law to ensure that human rights for all people are protected. One of the broadest authorizations for global, warrantless surveillance is in Section 702 of the FISA Amendments Act, or FAA. Congress must take action to extend the law, or it will expire at the end of 2017. This gives us an opportunity to make the critical changes that are necessary to protect rights.

It’s more important than ever to have a check on broad surveillance authorities that are largely exercised out of public view. We must ensure that U.S. surveillance is narrowly drawn to target the real threats without impacting millions of innocent individuals, and that there is public accountability with codified safeguards written into the law. As it stands, Section 702 is the embodiment of mass surveillance. It is unconstitutional and the programs operated under its purview violate international human rights standards. They also harm private business and the global internet economy.

We’re not going to sugarcoat this: in the current political climate, we are facing extraordinary challenges to surveillance reform in the U.S. There are more threats to increase existing surveillance authority than there are efforts to reform it. President-elect Trump has announced potential appointees who publicly support not only the expansion of existing U.S. surveillance powers but also the repeal of reforms Congress has already passed.

But we’re not backing down. We believe that meaningful reform to Section 702 is not only absolutely necessary, but also achievable. We’re willing to fight for it and other key reforms — today, tomorrow, and for however long it takes to ensure that the law passes constitutional muster and protects rights across the globe.

In the series of blog posts we’re publishing today, we provide the context for 702 reform and identify the changes that are necessary. This includes taking a look at the history of Section 702, how it is being used (and challenged in court), how it is harming people, and how it should be reformed.

Click the tabs below to cycle through blog posts in this series.

Section 702 is rooted in the warrantless wiretapping program that The New York Times revealed in 2005. Former U.S. President George W. Bush initiated the program in the immediate wake of the September 11th terrorist attacks. It operated in secret, without congressional or judicial knowledge or oversight, and authorized invasive surveillance of individuals’ communications so long as there was probable cause to believe one of the communicants was in Afghanistan, or engaged in or preparing for acts of international terrorism. There were subsequent modifications to the program, including transfer of authority under Congress’ Authorization for the Use of Military Force. Throughout all iterations of the program, it remained necessary, however, to demonstrate that the target was engaged in or potentially connected to terrorism or terrorist activity (albeit including through geographic ties).

Before The New York Times broke the story, knowledge of the program — and other secret surveillance operating under the rubric of the “President’s Surveillance Program” — was tightly controlled. Afterward, the administration released a white paper providing the purported legal justification for the program, though it also undertook efforts to move it under the Foreign Intelligence Surveillance Act (FISA). This was accomplished in 2007, and the Foreign Intelligence Surveillance Court (FISA Court) issued two orders (one international and one domestic). National Security Administration (NSA) analysts complained that the new system for international surveillance was overly burdensome because it required intelligence officers to obtain individualized authorizations.

In August 2007, Congress passed the Protect America Act to provide the mass surveillance programs with a statutory framework, but under standards much less stringent than under traditional FISA. The law was considered a temporary measure until another, more permanent provision could be passed, and it had a 180-day “sunset” (an expiry date). That permanence was obtained in 2008 when Former President Bush signed the FISA Amendments Act (FAA). The FAA also has included a sunset, albeit a much longer one than its predecessor. It was set to expire in 2012, at which point the law got a clean reauthorization and a new sunset date of December 31, 2017 — the end of next year.

For a long time it was unclear how Section 702 was used in practice. The documents made available by Edward Snowden in 2013 provided unprecedented transparency into its use (we’ll spend more time on that in the next post in this series). Following news reports on these programs, the Privacy and Civil Liberties Oversight Board, or PCLOB, undertook to review use of Section 702. PCLOB is tasked with “ensur[ing] that liberty concerns are appropriately considered in the development and implementation of laws, regulations, and policies related to efforts to protect the Nation against terrorism.” However, this review, finalized and published in 2014, only covered the law’s impact on U.S. persons, not non-U.S. persons, the people that Section 702 most directly targets. And because the PCLOB is currently without a chairman, it is not likely that we will get a report on that topic in the near future. This leaves the record bare on how Section 702 interferes with human rights globally. That brings us to today.

There are several sections to the FISA Amendments Act, or FAA. Section 702 may be the most notorious. The U.S. Congress passed FISA in 1978 to govern certain electronic surveillance domestically. It requires an individualized showing that there is probable cause to believe the target is a foreign power or agent thereof.

Section 702 of the FAA does not require government agents to request surveillance related to specific targets. Instead, the U.S. Attorney General and the Director of National Intelligence submit to the FISA Court, on an annual basis, an application for the approval of surveillance programs that target non-U.S. persons located outside the U.S. (“non-U.S. persons” includes those who are not citizens or permanent residents in the U.S., as well as companies incorporated outside the U.S.). Under 702, the surveillance itself takes place in the United States (surveillance that takes place outside the U.S. is typically governed by Executive Order 12333, which has no legislative or congressional oversight). Additionally, the 702 programs must be conducted for the purpose of acquiring “foreign intelligence information.” Foreign intelligence information is defined very broadly, and includes information that relates to “the conduct of the foreign affairs of the United States.”  

The FISA Court receives and examines two key documents in addition to the programmatic application and certain certifications: targeting procedures (available but not de-classified) and minimization procedures (de-classified for several agencies). The FISA Court must, without discretion, approve the program if all of the required documents are submitted and it finds (1) that the targeting procedures are “reasonably designed” to both “ensure that an acquisition…is limited to targeting persons reasonably believed to be located outside the United States” and “prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States,” and (2) the minimization procedures meet certain statutory requirements, which essentially amount to limiting the retention or dissemination of information related to U.S. persons unless it is evidence of a crime.

With this approval structure in mind, we currently know about two programs that are operated under Section 702: Prism and Upstream.

Through Prism, the government sends directives to internet companies that require them to turn over all records, including the content of communications, to or from identified “selectors” — that is, “specific communications identifier[s]” like email addresses among other things — that are used by targets. Remember, targets can be any non-U.S. person outside the U.S. if they are likely to reveal anything that falls under the broad definition of foreign intelligence information.

By contrast, in Upstream, the government sends directives to the service providers who operate the “backbone” infrastructure of the internet. Through this program all communications over the wire are acquired and scanned, first (supposedly) to attempt to remove anything that can be determined to be fully domestic communications, and then to identify and capture any communications to, from, or about selectors (adding some emphasis here — more on this in part 4 of our series).

Providers who receive 702 directives are able to challenge them through the secretive FISA Court system. Several groups have attempted to challenge the constitutionality of Section 702, but most cases have been dismissed due to lack of standing. In one case, Clapper v. Amnesty International, the government attorney argued that defendants who had information from Section 702 surveillance used against them in court would be notified of the fact. However, they were never notifiedSome defendants have since been notified and are also challenging Section 702 programs. Here’s an overview of Section 702 cases.

ACLU v. NSA – challenged the initial version of the warrantless wiretapping program. The sixth circuit threw out the case, based on the finding that the plaintiffs had not shown concrete harm, and therefore did not have standing to bring the case.

Hepting v. AT&T – challenged AT&T’s involvement in the initial version of the warrantless wiretapping program. The ninth circuit dismissed the case (along with several similar lawsuits) in 2009 after the FISA Amendments Act granted retroactive immunity to companies that participated in the program.

In re: Directives – Yahoo! challenged an order to comply with directives issued under the Protect America Act. The FISA Court held that the program was constitutional, based in part on a “foreign intelligence exception” to the Fourth Amendment, an exception that the Supreme Court has not recognized. Yahoo! appealed to the FISA Court of Review (FISC-R), which upheld the lower court’s ruling. The opinion was released in 2008 but only declassified in 2009. Additional materials from the litigation were released in 2014.

Jewel v. NSA – after Hepting was mooted, the Electronic Frontier Foundation brought a lawsuit on behalf of AT&T customers directly against the NSA for its surveillance, arguing it is unconstitutional and unlawful. The case is ongoing.

Amnesty International v. Clapper – challenged the constitutionality and legality of the FISA Amendments Act on behalf of “a coalition of attorneys and human rights, labor, legal and media organizations.” In 2013 the Supreme Court dismissed the lawsuit for lack of standing by the defendants on the grounds that concrete harm could not be established because there was no proof that specific communications had been collected.

U.S. v. Mohamud and related cases – challenging use of data derived from Section 702 surveillance in criminal cases where the defendants were convicted but only notified of the use of evidence taken from 702 surveillance after the verdict was issued. In December 2016, the court in Mohamud narrowly held that the use Section 702 was not unconstitutional, though we don’t know right now whether the case will be further appealed. Other cases are ongoing, and there are other defendants who have not yet received notice.

Wikimedia v. NSA – a legal challenge to the Upstream program of surveillance operated under Section 702. This case was brought by the ACLU on behalf of human rights, media, and other organizations. The case is ongoing.

Section 702 of the FISA Amendments Act authorizes mass warrantless surveillance that undermines our human rights. However, there are other reasons why it is urgent to reform the law. Without significant reform, Section 702 will continue to threaten the free flow of information overseas, and negatively impact global data privacy and U.S. economic interests internationally.  Section 702 programs undoubtedly impact the human rights of U.S. persons. However, at their heart, these programs target non-U.S. persons — the 95% of the global population who are neither U.S. citizens nor permanent residents. In fact, 702 surveillance can be authorized so long as it targets a non-U.S. person and is aimed at retrieving broadly defined “foreign intelligence information.” That’s an extraordinarily broad authority. For non-U.S. people, the issue is less  about how 702 authority is “abused” and more about the inherently privacy-invasive and harmful ways it can permissibly be used.

That was a concern for the Court of Justice of the European Union (CJEU) when it struck down the “Safe Harbor” data transfer arrangement between the United States and the European Union. The EU requires a demonstration that there are adequate data protection requirements — which the CJEU interprets to mean practices essentially equivalent to those in EU law — before allowing EU information to be transferred overseas and stored internationally. That information includes data such as social media posts and personal communications information, as well essential human resources data, like details for paychecks.

Even before the CJEU invalidated it, Safe Harbor was often criticized as inadequate for protecting data. Describing Section 702, the CJEU found that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” In short, Safe Harbor was weighed, measured, and found wanting.

After months of negotiations, the U.S. and the EU announced Privacy Shield, a new arrangement to replace the invalidated Safe Harbor. Privacy Shield, much like Safe Harbor, was agreed to unilaterally by the European Commission on the basis of written assurances made by the U.S. administration. This means that the EU can easily repeal the scheme if the U.S. does not deliver on its promises, including a pledge not to engage in mass surveillance. Privacy Shield took effect in 2016, and so far nearly 1,200 companies have signed up. However, the arrangement is up for its first annual review in 2017, and reforms to Section 702 are likely to play a central role in whether the deal will hold up. It’s already facing challenges in EU courts, and unless Section 702 undergoes significant reform to address the issues raised by the CJEU, Privacy Shield will likely also be invalidated, leaving companies and the people who use their services in a state of perpetual uncertainty.

Privacy Shield is far from perfect. It retains some of the key problems Safe Harbor had with respect to data protection and privacy. It also needs to be reformed to comply with EU law standards. In the U.S., meanwhile, Section 702 continues to stand as a barrier to the free flow of data. It authorizes mass surveillance globally and as such, represents one of the biggest threats to the free and open internet.

As we have pointed out, Section 702 has one of the broadest authorizations for global, warrantless surveillance, and it is set to expire at the end of 2017. Ultimately, the only real way to “fix” it would be to allow it to sunset. However, the simple truth is that the U.S. Congress is not likely do that. Right now, it would be unrealistic to anticipate Congress allowing the FISA Amendments Act to expire. Another way to fix some of the core issues with surveillance under Section 702 would be to outright prohibit Upstream collection, since this is perhaps the most unlawful part of the program. As some have pointed out, Upstream constitutes a search of all internet traffic. But, again, we don’t believe it would be realistic to anticipate that type of action in the current U.S. Congress. There are not enough members willing to end a program that many consider to be effective and important.  

That said, we believe there are still several ways to achieve meaningful reform of Section 702, and we are ready to fight for those reforms. These changes could have a real impact on protecting the rights of the people most at risk, and put another stone into the cathedral that is global surveillance reform.

Generally we can split these proposals into categories based on whether they codify existing or previous safeguards or create new ones. In each of these categories, there are proposals to increase the transparency and accountability of the programs conducted pursuant to Section 702. Several are derived from reports of oversight bodies, such as the Privacy and Civil Liberties Oversight Board (PCLOB) and the President’s Review Group. Our list is not exhaustive, but it does represent realistic avenues for reforming Section 702 to better protect human rights.

Codifying existing or previously existing safeguards

Include definitions to ensure proper understanding of the law – As the PCLOB noted, keywords in the FISA, like “targeting,” are not defined by law. In addition, while the PCLOB sought to reassure the public that the term “selectors” (which is not actually used in the statute but guides the implementation of the programs) is no longer is being stretched to include servers or gateways, we still don’t have mandatory public reporting that can provide ongoing reassurance of this. As we learned in the fight to reform the USA PATRIOT Act from 2013-2015, the intelligence community’s capacity to secretly redefine the scope of key terms can have a huge impact on the scale of surveillance. To avoid this, key definitions and limitations must be written into the public law.

Codify and expand Presidential Policy Directive 28 – U.S. President Obama took a huge positive step in surveillance reform when he implemented Presidential Policy Directive (PPD) 28, which, among other things, recognized that non-U.S. persons have a legitimate privacy interest. We should codify protections in PPD 28 to preserve them under future administrations, for example by including in the law PPD 28’s  prohibition against using surveillance to obtain a competitive advantage. In addition, we should strengthen the language in PPD 28, such as by further narrowing the circumstances under which bulk data collection should be allowed (if ever), or by recognizing not only the “privacy interests” of non-U.S. persons, but also their fully fledged rights to privacy and freedom of expression. (We provide more information about this and meeting international human rights standards below, under “Creating new safeguards.”)

Minimize the data that are retained in massive surveillance databases – Some intelligence agencies have an internal practice of masking the identifiers of innocent people within surveillance information. This practice should be normalized and applied evenly to both U.S. and non-U.S. persons. Congress should also codify the requirement that all queries of Section 702 surveillance information be documented and included in regular audits.

Limit surveillance targets to foreign powers or agents of foreign powers – To limit the number of innocent people included in Section 702 surveillance, targets should be limited, at a minimum, to foreign powers or agents of foreign powers. This limitation existed in the original version of the President’s Surveillance Program (a program nevertheless hugely overbroad), and it would help to narrow the much broader mass surveillance program that operates today. We could accompany this requirement with improvements in process and procedure to help give the government the flexibility and faster response time it may need in some cases.

Creating new safeguards

Recognize human rights standards – The International human rights standards that exist under treaties ratified by countries around the world, including the United States, require that  surveillance must be both necessary and proportionate. Unfortunately, the U.S. has never recognized that non-citizens outside the country have these rights. In order for Section 702 to satisfy the United States’ international obligations, not only should surveillance be limited to foreign powers as described above, but operations should be limited to those that are necessary and proportionate to achieve a legitimate and identified aim.

Strengthen the standards for collection – As discussed previously, the scope of what can be collected under Section 702 is very broad. This should be narrowed. To do this the law should be amended to expressly limit the valid foreign intelligence purposes of Section 702, such as to specific national security threats: sabotage, international terrorism, clandestine intelligence activities, attacks on the U.S. and its allies, and WMD proliferation. In addition, the language in FISA that presumes to authorize surveillance if the collection of foreign intelligence information is only a “significant” purpose, and not even the primary purpose, must be stricken from the law to close the huge loophole for circumventing the statute’s protections for human rights, which are already sharply limited.

Strike the encryption exception for data retention – Current policy is that information that is encrypted (or carries “secret meaning”) can be retained by the government indefinitely. As expert Laura Donohue has pointed out, it is an exception that threatens to swallow the rule limiting data retention, particularly as the amount of encrypted information on the internet continues to increase (a positive step that protects the digital integrity of users at risk). The current limits on retention should apply regardless of whether the information is encrypted.

Prohibit acquisition of communications that are not to or from targets – As part of the Upstream program, the NSA intentionally collects all internet transactions to, from, or “about” a target. This inclusion of information “about” a target specifically anticipates acquiring communications that are neither to or from people who have been identified as targets. The government has claimed, and the PCLOB has reiterated, that distinguishing content from metadata in the upstream scan is not possible at this time. But just because unlawful surveillance is necessary to conduct lawful surveillance does not mean it should be condoned. For example, there were previously limits to the scope of data that the NSA was getting under a surveillance program because the technology at the time did not allow compliance with statutory limitations. Only after the technology was developed to properly limit collection was the collection allowed.* Additionally, the ACLU has cast doubt on the overall assertion that there are no technical means to eliminate the acquisition of communications from non-targets.

Limit the dissemination of data to other agencies and international partners – Several U.S. government agencies and international partners or allies are authorized to access or receive surveillance data collected under Section 702. We should codify limitations on sharing and dissemination to ensure against secret mission creep and protect the sensitive information of people around the world.

Increase transparency and accountability

Increase transparency at the FISA Court – The USA FREEDOM Act took a step forward on transparency of FISA Court activities, including by requiring the publication of significant or novel FISA Court opinions no matter when they were written. To ensure that the public maintains an understanding of the law the government should be required to release the criteria it uses to determine whether an opinion issued by the FISA Court contains a significant or novel interpretation of the law. In addition, because the U.S. Department of Justice has refused to comply with the full scope of the USA FREEDOM Act provisions, Congress should reaffirm its intent to end secret law and give explicit retroactive application to those provisions.

Increase public reporting – Section 702 has provisions built in for internal oversight in the executive branch, by certain, limited Congressional committees, as well in the FISA Court. The current administration has supported transparency in its policy favoring publication of certain documents. However this has not included all documents that are necessary to review the programs, and there is no guarantee that the policy will continue, specifically when there are major changes or expansions of current programs. We must codify having a public eye into the operation of Section 702, consistent with national security, to preserve current levels of transparency. A start would be to require that reports about Section 702 surveillance, as well as the minimization procedures, which have already been released, and targeting procedures, be made public to the extent possible.

There is a long road ahead of us for reforming U.S. global, warrantless surveillance. However, Congress will have to consider the authority in Section 702 before the end of 2017. The reforms we’re suggesting today do not represent the entirety of potential reforms that we will be seeking to Section 702, nor the reforms necessary to bring the law into total conformity with human rights standards. However, they are representative of positive approaches for 702 reform that Access Now will be raising with members of Congress. There is also a very real and urgent need for reform of the authorities spelled out in Executive Order 12333, which provides structure for U.S. surveillance conducted extraterritorially. We do not address that issue here. It’s important to recognize the challenges we face in this push for reform. Any process to open up Section 702 to reform risks negative impacts. The intelligence community will push its own agenda, either independently or in exchange for certain limited reforms. Here’s what we could see proposed, that we should be prepared to fight:

  • The explicit codification of “about” collection;
  • The removal of the sunset provision, making the law permanent;
  • Expanded surveillance authority with less oversight;
  • Prohibitions on the development or use of encryption; or
  • Any number of other related or even unrelated provisions, such as lengthening sentences for certain criminal acts.

If any of these items are adopted, it would be heartbreaking. These changes would make Section 702 even more dangerous for human rights, and if any are forced through in exchange for superficial reforms or those that protect only U.S. persons, Congress will have failed — to protect human rights, to safeguard the global internet economy, and to mitigate harm for the people who are the most profoundly impacted by the overbroad surveillance that Section 702 authorizes.

Reforming U.S. surveillance practices is an enormous challenge, and it’s critically important that we take every opportunity we can to make progress. With your support, we can keep the ball rolling, working continually toward a better world, where the human rights of all people are protected, and everyone is free from unjustified surveillance.