Details of the recently revealed large-scale, secret United States surveillance programs, the collection of Verizon users’ metadata and PRISM, are still emerging. However, from the information available, it is clear that while the programs rest on dubious legal ground under the Foreign Intelligence Surveillance Act (FISA), they are both unconstitutional.
As we previously reported, the NSA is collecting the phone numbers used in all calls made by Verizon customers — and very likely AT&T and Sprint customers as well — on an “ongoing, daily basis,” despite supposed restrictions built into Section 501 of FISA (AKA Section 215 of the Patriot Act). That section allows the government to order the production of records of international intelligence or terrorism relating to an investigation, but the FISA court, whose actions are kept secret, granted a sweeping order to allow the collection of data from all Verizon customers, over 115 million in total.
The amount of data collected would make this program the largest single investigation ever. It raises the question as to whether the law, though vague, was written to allow such widespread surveillance. When dealing with vague laws, courts often interpret in the light of fundamental values, which include privacy.
The second program, codenamed PRISM, grants the government widespread access to personal data of people not believed to be US citizens under Section 702 of the FISA Amendments Act (FAA). While the NSA’s processes are unclear, what is already known provides little assurance that the content of US citizens’ communications is protected.
In this instance the FISA court authorized the collection of online information held by at least nine major internet companies including Google, Facebook, Microsoft, and Apple. The NSA has said there must be a 51% certainty of the target not being a US subject, a determination made based on a series of “selectors.” 51% certainty of foreignness is a vague and possibly inadequate standard, far from the claim that US subjects are not targeted.
Clapper has argued that data has not been “collected” by the NSA until it is processed and accessed by a human, and therefore neither the 4th Amendment nor the protections built into FISA apply. However, while it is unclear how the NSA gets a hold of the data, accessing data from company servers clearly constitutes “collecting” it. Clapper should reveal the “selectors” used to determine whether a source is foreign and whether the process of collecting data is automated so we know the extent that it implicates the data of US citizens.
Constitutionality and Fourth Amendment issues
The secretive and classified nature of FISA Courts makes it unlikely that the principles of due process, including an unbiased tribunal and notice, are being upheld. Those who are the subjects of the court’s surveillance are generally unaware and have no opportunity to challenge it. In addition, the FISA Court generally issues gag-orders along with requests for information, which prevent the recipient from revealing anything about the requests or the processes involved, and likely violate the First Amendment’s protection of free speech. Section 501 of FISA requires that investigations not be based solely on activities protected by the First Amendment. However, without further protection or transparency around these programs, this provision is insufficient to protect the expression of internet users from the chilling effect of surveillance.
The Fourth Amendment protects against unreasonable searches and seizures, and while the Supreme Court has so far failed to address online surveillance, the scope and lack of oversight indicate that the NSA surveillance is unconstitutional. The Supreme Court did address questions raised by the Verizon surveillance program in Smith v. Maryland, a 1979 case in which pen registers, used to record dialed phone numbers, were determined not to constitute a search protected by the Fourth Amendment.
However, there are major differences between Smith and the surveillance conducted of Verizon users. In that case, law enforcement officials targeted an individual under investigation and only retained the phone numbers that the individual dialed. The surveillance in Smith was targeted and limited in scope. Collecting vast amounts of data, on the other hand, creates the potential for law enforcement to learn a great deal about personal habits. As Justice Sotomayor said in her concurring opinion to last year’s Jones v. United States, unrestrained power to access private data, which reveals “private aspects of identity” is susceptible to abuse.
The PRISM surveillance potentially goes much farther because it involves the collection of actual content rather than anything resembling the phone numbers in Smith. That information includes the content of email and other online communications. As noted, the NSA claims to collect information when it is 51% certain that targets are foreign, but in order to have a basis to believe the target is foreign, it needs a system that accesses some data to make that determination – meaning every US citizen is targeted on some level. In Jones v. United States, the Supreme Court reiterated that people are protected against searches and seizures, which violate a reasonable expectation of privacy.
As Senator Wyden said before these programs were revealed, Americans would be “stunned and angry” once they discovered how surveillance laws were being used. We find no reason to disagree now.