US endorses principles it’s not living up to

In March 2014, the US government adopted 6 privacy principles to govern surveillance (the “US Framework”). Scott Busby, US Deputy Assistant Secretary of State for Democracy, Human Rights, and Labor, articulated the Framework at RightsCon (which Access hosted).

While rhetoric between the US government and human rights advocates diverges on whether large-scale surveillance violates fundamental rights, the US Framework is similar to the one endorsed by much of privacy-focused civil society. Access along with 400 organizations and over 285,000 individuals have endorsed the International Principles on the Application of Human Rights to Communications Surveillance as the proper framework for analyzing surveillance policy and practices. The US Framework is substantially similar to much of this document, and focuses on six principles: (1) rule of law, (2) legitimate purpose, (3) non-arbitrariness, (4) competent external authority, (5) meaningful oversight, and (6) increased transparency. Despite the public commitment to these principles, US communication surveillance programs do not respect the rights laid out in the US Framework.

The International Principles on the Application of Human Rights to Communications Surveillance, in short

The Principles will be only 200 days old in April, yet they’ve already had a significant impact on the understanding of the right to privacy in the digital age. The Principles provide a framework for civil society groups, industry, states, and others to determine whether existing or proposed surveillance policies comply with human rights obligations. Experts and members of industry distilled the Principles from existing human rights law, including the International Covenant on Civil and Political Rights, as well as a number of other international and regional treaties and principles and national constitutions. With nearly 400 organizations and more than 285,000 individuals endorsing the Principles, they speak to a growing global consensus that modern mass surveillance has gone too far and needs to be restrained.

Before the Principles were released in September 2013, the United Nations recognized the need for a framework to analyze the human rights impact of surveillance. Frank La Rue, Special Rapporteur for Freedom of Expression, provided a test that shares a number of elements with the Principles, including requirements that any restriction on privacy must be provided by law, must be necessary to reach a legitimate aim, and must be proportionate.

Since their launch, the Principles have garnered a great deal of attention. The Principles were formally unveiled at a side event at the UN Human Rights Council, which was sponsored by six governments and featured La Rue and UN High Commissioner for Human Rights, Navi Pillay, as speakers. Three month’s later, President Obama’s Review Group on Intelligence and Communications Technologies cited to the Principles when expressing doubt that metadata deserves less protection than other forms of content. Some of the most prominent US tech firms, including Microsoft, Google, and Yahoo, have publicly supported a separate framework that largely echoes the Principles.

The US Framework

The US Framework expands upon President Obama’s Presidential Policy Directive 28 (PPD-28), released in January 2014, which establishes principles to guide surveillance. The six principles endorsed by the US are (1) rule of law, (2) legitimate purpose, (3) non-arbitrariness, (4) competent external authority, (5) meaningful oversight, and (6) increased transparency. The US Framework borrows heavily from the Principles, though it omits several Principles, and even within those it adopts it oftens fails to meet the same standards. Those principles not adopted by the US include due process, user notification, integrity of communications and systems, safeguards for international cooperation, and safeguards against illegitimate access.

In a report submitted by Access and other Principles coalition members to the UN Human Rights Committee as part of its regular ICCPR Review of the US, we noted that US government surveillance is inconsistent with a number of the Principles. Below, we’ll examine the overlap between the US Framework and the Principles while looking at where US policy is failing to meet its own Framework:

1. Rule of Law — In his speech setting out the US Framework, Assistant Secretary Busby discussed how surveillance operates “pursuant to statutes and executive orders that were adopted as part of our democratic process.” However, the Principles, under Rule of Law, further require that laws, and their subsequent policies, provide clarity for individuals within the jurisdiction. US surveillance policy has proven to be anything but clear and accessible to the public. Instead, surveillance practices often depend on loose legal interpretations, written in secret, approved by secret courts, and overseen by secret Congressional committees. By contrast, the Principles’ require that the law contain a “standard of clarity and precision” to provide users of notice of the application of surveillance.

The failure of policy to conform to the rule of law is apparent in US surveillance law and practice. For example, Patriot Act Section 215, under which the bulk telephony metadata collection program is operated, permits collection of records only when they are “relevant to an authorized investigation.” However, authorities have interpreted the language to permit collection of all phone records transiting the United States. Another surveillance authority, FISA Section 702 (not to mention 703 and 704), contains language that is overly vague, granting the Attorney General and Director of National Intelligence the authority to “target persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” Limitations on that authority attempt to restrict collection of US-person data, but the programs under this authority that have been revealed, namely Prism and Upstream collection, allow virtually limitless surveillance on any non-US person outside the US, and, by extension, “incidental” collection of vast amounts of US-persons data.

2. Legitimate Purpose — The US Framework would permit surveillance only on the “basis of articulable and legitimate foreign intelligence and counter-intelligence purposes.” Similarly, the Legitimate Aim Principle requires surveillance to be conducted only in the furtherance of a “predominantly important legal interest.” PPD-28 permits bulk collection only for certain, legitimate reasons under the PPD, such as cybersecurity and terrorism. However, no similar restriction is placed on other non-bulk, yet highly intrusive forms of surveillance authorized under Section 702. The government should specify, and identify limits, to the purposes for which it acquires and collects foreign intelligence.

3. Non-Arbitrariness — Non-arbitrariness, as articulated by the US Framework, requires surveillance to be tailored and intrusiveness minimized. This element matches up to the Proportionality, Necessity, and Adequacy Principles.

Proportionality similarly requires a balancing between the government’s interests and the severity and and sensitivity of information. Both the Principles and the US interpretation cast doubt on US indiscriminate bulk surveillance practices. A recent study has demonstrated exactly how revealing communications metadata can be, even over a short period of time. The Obama administration has just this week proposed a limit on the use of bulk collection of telephone metadata under Section 215. Obama’s proposal, however, doesn’t prohibit bulk collection generally. It only addresses telephone metadata bulk collection under the 215 authority and for telephone metadata. The intelligence community uses bulk collections in other areas, such as for records of international money transfers, and previously operated a program to bulk collect internet metadata. The US must immediately end all bulk surveillance practices.

In a recent talk at Public Citizen, Professor Geoffery Stone, a member of President Obama’s Review Group on Intelligence and Communications Technologies, stated that in 2012, the NSA queried its database of hundreds of millions telephone metadata records 288 times. Of those 288 numbers queried, only 16 produced a connection to suspected terrorist activity that warranted a referral to the FBI for investigation. It’s difficult to see how this program comports with the Adequacy Principle, or with the Necessity Principle’s requirement that “Communications surveillance must only be conducted when it is the only means of achieving a legitimate aim, or, when there are multiple means, it is the means least likely to infringe upon human rights.”

4. Competent Authority — The US Framework and the Principles differ on the use of a competent authority: The US Framework seeks guidance from a “competent external authority” while the Principles specify that the authority be judicial. The US Framework expressly retains an exception for some operational decisions to be made within intelligence agencies. Further, the foreign intelligence surveillance court, which reviews surveillance programs and applications, has been repeatedly mis-led by US intelligence agencies in their applications, which makes its rulings inherently unreliable.

The Principles further require that the Competent Judicial Authority “be conversant in issues related to and competent to make judicial decisions about the legality of communications surveillance, the technologies used and human rights…” Recent proposals to introduce an Independent Advocate and technical experts to the Foreign Intelligence Surveillance Court — the authority principally charged with overseeing NSA surveillance activities — suggests this Court does not currently meet the standard of competence envisioned by the Principles.

5. Oversight — The US Framework calls for meaningful oversight. To bolster the US’s adherence to this element Deputy Assistant Secretary Busby pointed out the existence of internal oversight mechanisms. Despite claims that the NSA’s activities have been approved by all three branches of government, the disclosures themselves — as well as statements from Members of Congress — have called that assertion into question. In specific instances, it has been revealed that the NSA has in fact lied or misled all three branches of government.

In accordance with the Principles, true oversight mechanisms should operate independent of the surveillance agency. The Principles specifically call for public oversight with independent mechanisms that have access to all potentially relevant information.

6. Increased Transparency and Democratic Accountability — The final element to the US Framework is transparency. Busby pointed to recent efforts to declassify FISA Court opinions and the government’s intention to release the number statistics on the issuance of national security orders and requests. As we noted when the US Director of National Intelligence first signalled his intention to release a transparency report, the intelligence community “will release the total number of orders issued during the prior twelve-month period, and the number of targets affected by these orders:

  • FISA orders based on probable cause (Titles I and III of FISA, and sections 703 and 704).
  • Section 702 of FISA
  • FISA Business Records (Title V of FISA).
  • FISA Pen Register/Trap and Trace ( Title IV of FISA)
  • National Security Letters issued pursuant to 12 U.S.C. § 3414(a)(5), 15 U.S.C. §§ 1681u(a) and (b), 15 U.S.C. § 1681v, and 18 U.S.C. § 2709.”

While this is a step forward in terms of government transparency around its surveillance activities, this announcement falls short of what the “We Need to Know Coalition” — a multistakeholder group including companies like Google and Microsoft, NGOs including Access, CDT, and the ACLU, and trade associations — has called for. The letter sent by the coalition urged Congressional leaders and the Obama Administration to require the government to publish information about the specific numbers of requests, the specific authorities making those requests, and the specific statutes under which those requests are made. Furthermore, the letter calls for the ability to differentiate requests based on content vs. non-content data, and enumerate the number of persons, accounts, or devices affected, and to allow companies to voluntarily disclose the same information.

Unlike Google and Microsoft’s transparency reports, which break down both the number of requests they receive and the number of accounts affected, the DNI’s report will only include the number of requests and targets, which will make the scope of the nation’s surveillance machine to appear far more limited than it actually is. To put this in context, in 2012, there were 212 requests for business records justified under Section 215 of the Patriot Act, but that number also includes requests for the “ongoing, daily” disclosure of communications metadata of the millions of customers of AT&T, Verizon, and Sprint. And how do we know that? Because public disclosure of aggregate numbers of requests pursuant to most of the statutes to be included in the DNI’s report is already required.

It’s also worth noting that the government is only planning on releasing the number of targets, not the exponentially larger number of people who will have their privacy violated when their data are caught in the NSA’s dragnet. Moreover, by grouping statutes together in the categories the government will report statistics for, the DNI is further obfuscating the nature and scope of the government’s surveillance activities, further limiting an informed, public debate about the extent of the intelligence community’s violations into the private lives of users all over the world.

Public disclosure by both the government and the communications providers who hold user data is crucial in keeping both accountable. At this time, the US Government has not demonstrated an intention to publicly disclose details of the scope and scale of its surveillance activity at the level of clarity and granularity envisioned by the Principles, nor has it allowed corporations it requests data from to do so either.