May 2, 2017
Congress has until December 31 to renew the FISA Amendments Act or it will expire, and with it, the highly controversial, large-scale surveillance authorities under Section 702. As Congress debates whether to renew Section 702, it must consider needed reforms so that surveillance will be narrowly tailored to the law’s stated purpose - stopping both terrorism and espionage - and so that millions of Americans’ communications will no longer be swept up in its net.
The Open Technology Institute’s Section 702 reform priorities include:
Limit the Scope of Collection Under Section 702: Currently, the NSA engages in large-scale surveillance of Americans’ communications under Section 702. This overbroad surveillance is possible due to the breadth of the definition for “foreign intelligence information,” collection of which must be a significant purpose of the surveillance. Additionally, the scope of surveillance under Section 702 is overbroad because of the NSA’s “upstream” surveillance program and “about” collection.
- Narrowly Tailor
the Definition of Foreign Intelligence Information: When Section 702 became
law in 2008, it was sold to Congress and the public as authorizing surveillance
that was necessary to stop terrorist threats and espionage. To this day, the
Office of Director of National Intelligence argues for reauthorization of
Section 702 stressing its necessity to national security,
even calling it the “crown jewel” of the intelligence community’s
surveillance authorities. Yet, Section 702 permits surveillance that goes well
beyond protecting national security. The definition for foreign intelligence
information also permits surveillance that is merely relevant
to the foreign affairs of the United States. The “foreign affairs” provision of the definition of foreign intelligence information is not
necessary to national security, and allows the NSA to sweep up the
communications of political or human rights activists, journalists, students,
and business people working abroad, and it should be struck from the authorized
purposes for surveillance under Section 702.
- End “Upstream”
Surveillance: Upstream surveillance is the term for the NSA’s practice of
wiretapping the internet backbone - the underseas fiber optic cables across
which about 80% of global internet traffic transits - and
scanning the data for communications to,from, or about their target, though at
the end of April the NSA stopped “about” collection. This practice is incredibly privacy-invasive, as it subjects
everyone’s communications to automated scans by the NSA. When Congress debated
the passage of Section 702, it never considered whether the NSA should have
such broad authority to intercept internet communications and nothing in the
statute suggests this type of surveillance is appropriate. Congress should reform Section 702 to make clear that “upstream”
surveillance is not authorized.
- Prohibit “About” Collection: Short of eliminating “upstream” surveillance altogether, Congress should prohibit “about” collection. As part of its “upstream” surveillance, the NSA scans the contents of all of the communications that transit the internet backbone for communications that merely reference, or are “about”, the target. Compliance issues with upstream surveillance date back to 2011 when the FISC shut it down until the NSA could remedy the problems. This April, the NSA announced that, as a result of still-persistent compliance issues, it would stop the practice of “about” collection and delete its stores of US person communications that were obtained via that form of surveillance. It claimed that the threat to Americans’ privacy outweighed any value from the collection. Considering the harmful impact “about” collection has on Americans’ privacy, it is indefensible to allow space for the NSA to restart this practice. Congress should pass a reform bill that includes a prohibition against “about” collection.
Enhance Post-Collection Protections for Americans’ Communications that are Swept Up Under Section 702: While narrowing the scope of surveillance under Section 702 is critically important, it will still result in a large quantity of incidental collection of Americans’ communications. For this reason, enhancing the protections for that information once it is in the intelligence community’s databases is also essential. This happens through limiting the purposes for which the information can be used, and ensuring that if the FBI searches the information using a US person identifier, they have a warrant authorizing that search.
- Establish Limits
on Use of Communications Collected Under Section 702: DOJ asserts that the
FBI has the authority to use Americans’ communications collected under Section
702 for investigations and prosecutions into any crime whatsoever since they
were lawfully obtained. In response to public outcry following the Snowden
revelations, DOJ issued new minimization procedures that offered one
additional protection: it may only use communications collected pursuant to
Section 702 in proceedings, such as prosecutions, with the approval of the
Attorney General. This limitation is wholly insufficient. The intelligence
community justifies the collection of large quantities of Americans’
communications under Section 702 by arguing that it is reasonable since the
surveillance is targeting foreign intelligence information. Congress should ensure that information
collected under Section 702, which is obtained pursuant to a standard that
falls far short of the probable cause standard required in criminal
investigations, can only be for the purpose for which it was collected: foreign
- Close the Backdoor Search Loophole: Currently, FBI agents routinely use US person identifiers to search the database containing information collected pursuant to Section 702 to further criminal assessments and investigations that are wholly unrelated to national security. DOJ has testified before the FISC that it engages in these US person queries so regularly that it would be too burdensome to so much as require agents to record a justification for each. Indeed, the DOJ attorney analogized how the FBI engages in these warrantless backdoor searches to how everyday Americans do Google searches. Backdoor searches are so controversial that votes to prohibit them have overwhelmingly passed the House of Representatives in 2014 and 2015. Now that Congress must either pass a reform and reauthorization bill or let Section 702 expire, it should ensure that this loophole is closed permanently. Congress should require that FBI agents obtain a warrant before running a US person query in a database containing Section 702 information, and that queries be limited to those involving investigations that are aligned with the purpose for the collection.
Increase Transparency for the Government and Companies: While the USA FREEDOM Act made many meaningful improvements to government and third party transparency surrounding national security processes, more should still be done.
Government Transparency: In 2011, Senator Wyden first asked the intelligence
community for an estimate of the number of Americans’ communications that are
incidentally swept up in surveillance under Section 702. Since then, the privacy community has joined in those calls,
and members of the House Judiciary Committee have written to the
Office of the Director of National Intelligence twice demanding that same information. This
number, which may well be in the millions, is necessary to gauge the scale of
impact that Section 702 surveillance has on Americans’ privacy. Despite
numerous requests from civil society and members of Congress over the last six
years, the intelligence community has not come forth with an estimate.
Additionally, while the NSA and the CIA are required to report on the number of
US person queries it makes in databases containing Section 702 information, the
FBI is exempt for this requirement. The NSA
and CIA made 30,355 of these queries for non-contents and 5,288 queries for
contents in 2016 alone. Considering the DOJ testified before the FISC that the
FBI makes these queries so frequently it’s akin to doing a Google search, reporting on the number of
times they are conducted is essential to effective oversight. Congress must increase transparency
around Section 702 surveillance by requiring annual estimates of the number of
Americans whose communications have been incidentally swept up, and by removing
FBI exemptions from reporting requirements.
- Allow for More Robust Third Party Reporting: The USA FREEDOM Act established a framework for companies that receive various types of national security processes, like NSLs, Pen Register and 215 orders, and Section 702 directives, to report in large bands (ex. 0-999) the number of processes they received, and the number of customer selectors that were targeted. The law does not allow companies to report on the source of authority, such that a company could not say how many selectors were targeted solely under Section 702. Additionally, the bands in which companies may report do not allow enough granularity to assure users that their information is adequately protected. Finally, there is still debate as to whether the law currently allows a company that has not received a particular type of national security process to state as much on their semi-annual transparency report. Congress should amend reporting provisions to allow for third parties that receive national security processes to report, with granularity, the number of processes they receive, including zero if they have not received any, and the source of authority that was the basis for each demand.