A new version of the USA FREEDOM Act, the leading piece of NSA reform legislation in the U.S., has been introduced in the U.S. Senate by Senator Patrick Leahy (D-VT). It’s a vast improvement over the version recently passed in the House, and it goes a long way toward comporting with established human rights standards. But we’re far from the finish line.
The bill’s first iteration was introduced in the House and Senate in October 2013, largely in response to civil society’s condemnation of last year’s revelations that the National Security Agency has been engaged in the most extensive global surveillance programs in human history.
The initial version of the bill included strong privacy protections, but it had been significantly weakened by the time it reached a floor vote in the House last May. In response, many civil society groups including Access withdrew support for the USA Freedom Act.
However, Sen. Leahy’s Senate version restored many of the strong provisions in the original bill. Access voiced support, joining more than forty other groups in delivering a letter to congressional leaders, explaining how the revised text largely addresses many of the main concerns that had been identified in the much watered-down House bill.
The improved Senate version still has to survive review by, among others, the Obama Administration, the intelligence community, and the Senate Intelligence Committee. If the Senate passes the bill, it will either go to conference committee, with members from both the House and Senate seeking to reconcile the versions, or back to the House for a vote. After — and if — it makes it through this process, the bill can finally be sent to President Barack Obama’s desk for signature.
Access supports the Senate version of the bill, and views it as an improvement of current unlawful surveillance practices and a significant move toward conformance with the International Principles on the Application of Human Rights to Communications Surveillance (“the Principles”). The Principles, endorsed by more than 400 civil society groups worldwide, provide a framework to assess whether government surveillance is in compliance with human rights obligations. Access recently published an infographic which displays how USA FREEDOM has evolved in relation to the Principles over time. Below we examine how both the Senate and the House-passed versions of the bill stack up.
For reference, the full text of the House bill is available here, and the Senate version is here.
The Principles of Legality require that limitations on human rights are clearly and precisely stated in law, with periodic reviews to ensure rights protections remain up-to-date with current technologies. Secret law is not acceptable.
In the House-passed version, Section 107 allows the government to search for a specific term including any “person, entity, account, address, or device” related to an investigation. By leaving vague terms like “entity” and “device” subject to government interpretation, it is impossible for a user to foresee the potential future breadth of the authority. The Senate version removes the term “entity” from Section 107 and replaces device with “personal device.” By reducing the ambiguity in the law, the Senate bill provides greater clarity of the law’s scope.
2. Legitimate Aim
Legitimate Aim states that communications surveillance should only be permitted in pursuit of important state objectives. Section 301 of the House bill would have expanded the scope of the current authority by ratifying government practice of collecting communications that are not only “to” or “from,” but also “about” a target. The Senate bill removes this provision, leaving in place the status quo without either improving it nor making it worse. The Senate version does, however, narrow the circumstances under which government officials may authorize surveillance activities.
Under the Necessity Principle, a state has the obligation to prove that its surveillance activities are necessary to achieve a Legitimate Aim (as defined above). The aim of government surveillance practices has primarily been to collect information on terrorist activities. However, bulk collection practices call the acceptable scope of surveillance into question.
Section 301 of the House version requires government to minimize the use of foreign intelligence communications only where the recipient is located in the U.S. and as is “consistent with foreign intelligence needs.” This provision provides no protections for international users and allows the government to unilaterally decide whether U.S. user information is necessary for an investigation.
The Senate’s USA Freedom Act makes significant strides towards ensuring compliance with the Necessity principle. Section 101 requires that any call detail records sought from communications providers must include a statement of facts showing that the target is engaged in terrorism and the records are relevant to the investigation. Additionally, the Senate modified Section 107 to prohibit collection based on broad geographic terms, such as states or zip codes.
Any instance of communications surveillance authorized by law must be appropriate to fulfill the specific Legitimate Aim identified in order to comply with the Adequacy Principle, which implies a need for review measures to audit surveillance programs.
In both versions of the bill, Section 108 requires the Inspector General of the Intelligence Community to assess the importance of information acquired through surveillance, the manner in which it was collected, and any used or proposed minimization procedures, and to include those findings in a report to Congress. Providing these annual assessments to Congress allows for an external audit that ensures privacy protections remain adequate.
Additionally, the Senate version of the bill restored a provision the House had removed in Section 202. This restored provision allows judges to review the compliance of pen register or trap and trace devices with Attorney General (AG) created minimization and privacy procedures. This places an additional judicial check on executive authority.
Communications surveillance, according to the Proportionality Principle, should be regarded as a highly intrusive act that interferes with the rights to privacy and freedom of opinion and expression, threatening the foundations of a democratic society. Proportionate communications surveillance typically requires authorization from a competent judicial authority.
Both versions of USA FREEDOM have incorporated judicial review of minimization procedures, which are used to strip private information from collected records. Confining the investigation to relevant information prevents agents from intentionally misusing their authority, e.g., by spying on their significant others.
6. Competent Judicial Authority
The Competent Judicial Authority Principles requires that determinations related to communications surveillance must be made by a competent judicial authority that is impartial and independent.
The House bill allowed the Foreign Intelligence Surveillance Court (FISC) or the FISA Court of Review to appoint an amicus curiae, a “friend of the court,” to provide an expert opinion that could help inform the Court’s decision. However, FISC would only be required to appoint amici when a decision would require a “significant or novel interpretation of the law” and the expert would not have to represent those under investigation.
The Senate version strengthens this position by allowing the FISC, in coordination with the Privacy and Civil Liberties Oversight Board, to select five Special Advocate candidates, who are to “vigorously advocate” to the court on behalf of the investigated party’s right to privacy and civil liberties. The Special Advocate may participate when FISC requests or a case is appealed, and can respond to communications service provider requests for representation when their records are sought by the government.
7. Due Process
Under the Due Process Principle, any interference with human rights must be governed by lawful procedures that are publicly available and applied consistently in a fair and public hearing. In cases when there is an imminent risk of danger to human life, emergency production of information may be authorized, but retroactive judicial authorization must be sought within a reasonably practicable time period.
Both versions of the USA FREEDOM Act allow the Attorney General to issue an emergency order for evidence as long as the he or she seeks authorization from a court within seven days. By requiring judicial review, even in cases of emergency, the two versions of the bill take important steps toward greater recognition of due process rights.
Section 502 of the Senate version clarifies the existing ability of the Director of the Federal Bureau of Investigation to issue a nondisclosure order, or “gag order,” to companies who have provided information for an investigation. The bill tailors gag orders to apply only when disclosure may compromise national security, an ongoing investigation, diplomatic relations, or cause danger to any person. To prevent overreaching interpretation over what “may” cause these harms, gag orders are subject to judicial review.
The Transparency Principle requires that a government make sufficient information available so that the public understands the scope and nature of its surveillance activities and allow private entities to publish details on the scope and nature of their surveillance-related dealings with the State. Transparency is essential to any kind of meaningful oversight, whether by official bodies or civil society groups.
Both versions of the USA FREEDOM Act make moves toward greater recognition of transparency. They both require the Attorney General to: report semi-regularly to Congress on which departments and agencies received approval to install surveillance devices; send an annual report to Congress providing information on the total number of applications made for production of records and tangible things; disclose how many applications for production were approved, denied, or modified each year; and submit, within 45 days, any FISC decision containing any significant interpretation or novel construction of any provision of FISA.
Similarly, each bill requires the Director of National Intelligence (DNI) and the Director of Administrative Office (DAO) to publicly report the annual number of surveillance orders made under each FISA section, the number of orders approved, denied, or modified, and the number of individuals affected by surveillance to the intelligence committees of the House and Senate.
Additionally, under both bills, surveilled companies are permitted to release information about the number of national security orders they complied with as early as six months after compliance. The information may include the number of customer accounts affected, but it must be divided into “bands” that limit the number that can be included within each report. In the interest of transparency, the Senate version increases the granularity of semi-annual reports and decreases the two-year delay on a company’s first transparency report to 540 days. This is a modest improvement, though the bands and delays still prevent total transparency.
9. Public Oversight
States should establish independent oversight mechanisms to ensure transparency and accountability of communications surveillance in order to comply with the Public Oversight Principle. Oversight mechanisms should have the authority to access all potentially relevant information about state actions.
Both bills contain significant public oversight provisions; by way of example, the bills require the Attorney General to submit an annual report on government compliance with surveillance procedures, minimization, and constitutional rights to the intelligence and judiciary committees of the House and Senate. However, the Senate USA FREEDOM Act also grants district courts the power to review gag orders on information disclosure.
The Senate and House versions require the DNI to declassify and make publicly available any FISC decision containing a significant interpretation or novel construction of any part of FISA, unless a waiver is obtained to “protect national security.” Under Section 602, when the DNI and AG obtain a national security waiver, they must release a summary of the FISC’s significant or novel interpretation of the law. The House version allows the officials to determine what counts as a summary, while the Senate version ensures the summary addresses each legal question, interpretation, and context brought up in the opinion. Ensuring that the opinion summaries address all these points provides civil society and other oversight communities and mechanisms an alert should FISC authorize inventive surveillance mechanisms.
10. Safeguards Against Illegitimate Access and Right to Effective Remedy
The Principle that protections against Illegitimate Access requires governments to impose strict civil and criminal penalties on any party responsible for illegal electronic surveillance. Further, those affected by such surveillance must have access to effective legal redress.
The Senate bill significantly improves on the House bill in this category. The former limits collection of call records to cases where there is a reasonable association with international terrorism by specific selection term; the latter used a broader standard (reasonable association with a foreign power or agent).
In the House version, Section 601 requires the government to destroy any call detail records collected that they determine are unrelated to foreign intelligence needs. While this attempts to prevent investigators from accessing records that are outside their mission, the standard of relation to foreign intelligence needs is internally evaluated, foregoing an external check on the use of call detail records by the executive branch. The Senate version adds a similar provision under Section 103, requiring the destruction of all unrelated records collected under Section 215 of the USA Patriot Act.
Unfortunately, both versions retain liability protections for companies that cooperate with government surveillance, meaning that consumers have no means of legal redress when their right to privacy is violated so long as a company can claim it was done in the furtherance of the law.
What Principles Aren’t Included?
While the first draft of the USA FREEDOM Act included some reforms for User Notification, subsequent versions have removed these provisions. Similarly, neither Integrity of Communication Systems nor Safeguards for International Cooperation have been addressed by any drafts of the Act.
The Integrity of Communication Systems Principle states that service providers should never be forced to de-anonymize or retain data on their users as a course of business. Such data retention mandates would effectively increase the security risk posed by all users. The USA Freedom Act does not contain a provision that takes a stance against a priori data retention.
Safeguards for International Cooperation is meant to prevent government authorities from bypassing the protections and processes built into international treaties and agreements. Nothing in the USA Freedom Act prevents international cooperation from sidestepping national legislation.
While the Senate version of the USA FREEDOM Act makes marked improvements in other areas, these vital principles remain untouched and future legislation should address them.
Access fully supports the passage of the Senate version of USA FREEDOM (S.2685), but calls for additional legislation to protect the privacy of all users, including under programs conducted under FISA Amendments Act Section 702 and Executive Order 12333. The UN High Commissioner for Human Rights, the world’s foremost human rights authority, recently released a report condemning the invasion of privacy that surveillance presents to users worldwide. With recent disclosures about broad and unaccountable surveillance, the United States government must be more transparent on surveillance conducted under all authorities and undertake future legislation for comprehensive reform.