(This post is part 2 in a series of posts on the USA FREEDOM Act. See part 1 and part 3.)
In our previous post, we gave an overview of the reforms proposed by the USA FREEDOM Act. Here’s a deeper dive to show you what’s in the bill and what we believe is necessary to fix it.
What the USA FREEDOM Act does
Puts an end to (some) bulk collection
The primary intent of the USA FREEDOM Act of 2015 is to end bulk collection under certain authorities: Section 215 (the “business records” surveillance provision) and Section 214 of the USA PATRIOT Act, as well as the various National Security Letters authorities. Sections 214 and 215 have been used to conduct indiscriminate surveillance of telephone call and internet browsing information (so-called metadata), respectively, with little oversight. National Security Letters are methods by which law enforcement compels production of certain customer records without judicial approval. They are typically accompanied by “gag orders” that prevent companies from revealing that those records have been sought or produced.
The USA FREEDOM Act would not end these authorities, but it would require that data collected under them be tied to a specific identifier, such as the identity or phone number of a surveillance target. The target of surveillance could also potentially be an apartment building or a business, but it could not be a city or a zip code. The bill does this by requiring that a search be initiated with a “specific selection term,” a term of art defined as “a term that specifically identifies a person, account, address, or personal device, or any other specific identifier.” The new requirement would make it so that rather than collect all phone records indiscriminately, intelligence agencies could collect only records that are specifically identified.
Further, the government would have the authority to request specific records from phone companies (which already maintain the data in the ordinary course of business) only if there is “reasonable articulable suspicion that such specific selection term” is connected directly to terrorism.
Adds measures to promote adequate judicial oversight
Over the last two years, different versions of the USA FREEDOM Act have taken a variety of approaches to providing additional oversight for the Foreign Intelligence Surveillance Court, the secret court that reviews applications for surveillance in the name of national security. This new version stops short of establishing a special advocate to actively argue on his or her own volition in the name of the public. However, the bill would establish “friends of the court,” who could be called upon to provide expertise on the impact of surveillance on privacy, the technical implications of new methods and programs, and other specialized areas of knowledge.
Increases reporting and transparency
The bill includes provisions that would require government oversight agencies to conduct additional reviews and produce reports on the use of surveillance authorities. Transparency is vital to the public’s ability to analyze the impact of the reforms and the continued scope of surveillance.
Additionally, the bill would codify provisions on government and corporate reporting on the use of these authorities, albeit in large bands and approximations instead of granular or individual numbers. Further, the new version of the USA FREEDOM Act removes language from a prior version of the bill that would have created distinctions between U.S. and non-U.S. persons.
How the USA FREEDOM Act fails, and how we should fix it
Still allows for bulk(ish) surveillance
As we explain above, the USA FREEDOM Act would restrict indiscriminate surveillance under certain authorities -— what the government calls “bulk collection.” However, the bill would still allow for some practices that look pretty bulk-ish. In other words, it would allow for the collection of rather large amounts of data. For example, a “specific selection term” might be used to represent a large subset of the population, such as those related to a business target. The chance of this happening is exacerbated because the word “narrowly” was removed from the requirement that surveillance orders be limited in scope. Additionally, the bill allows for the collection of information “two hops out” -— records of entities who communicate with or are otherwise connected to a target. This would wrap in sensitive information of potentially millions of non-targets. Congress should also clarify what type of connection is necessary to allow for contact chaining, or “hops,” to take place.
Congress should add limits to bulk collection, not remove them. Congress should also include greater transparency to show in granular detail the number of targets impacted by surveillance orders (including those incidentally monitored).
Access will push for such changes as amendments during the mark-up process, as well as amendments to include the narrow construction from previous versions of the bill and amendments to greatly expand transparency and reporting requirements.
Leaves a backdoor for data retention via emergency procedures
One of the most disappointing changes from the last version of the USA FREEDOM Act is the loss of “super minimization” procedures, which would have put limits of the amount of time that the government can retain data not directly related to terrorism. The loss of this safeguard is particularly harmful with regard to the provision on emergency powers, which authorizes the Attorney General to allow surveillance for a limited period of time without prior court approval. The provision already fails to provide a sufficiently narrow standard for emergency surveillance, such as tying it specifically to an imminent threat of significant harm. However, with the loss of the super minimization procedures, there is now a loophole that would allow for the collection of information for up to seven days, with no requirement to delete much of the information even if a subsequent court order is not approved. Again, amendments should be made to remedy these issues.
Increases liability protection for companies, even when acting in bad faith
This bill, like its predecessors, offers liability protection for companies that comply with a valid court order. However, we need an amendment to clarify that this protection applies only when companies act in good faith. That would not undermine the purpose of the provision, but would give more protection to users against overbroad court orders, and would also give an incentive to companies to challenge requests that appear to violate the language of the law.
Grants new emergency authority for terrorism targets
In a new provision that was not included in any prior version of the USA FREEDOM Act, this bill includes language that would allow surveillance under a separate authority — FISA Amendments Act Section 702 — to be conducted on a target within the United States in certain circumstances. Section 702 is the government’s authority for conducting surveillance in the U.S. on targets who are not in the country. The new provision would allow for a small window in exigent circumstances for surveillance to continue after a target has passed into U.S. territory. The provision is tempered by reporting requirements and a requirement for information to be deleted if a judge determines that exigent circumstances did not exist. A preferred amendment would strip this provision from the bill, though a lesser solution would limit the time frame for the authority from 72 hours to 24 hours.
These amendments are vital to ensuring that the bill is as strong as it can be, and as strong as it needs to be to protect all users. In our next post, we map out our vision of what else needs to be done, and how we can get there. Stay tuned.