The recently renewed foreign-intelligence surveillance law has privacy advocates spooked — not for what it would do to people from other countries, but because of how it can allow the warrant-free collection and use of U.S. citizens’ own data.
Renewing the National Security Agency’s “Section 702” authority became so controversial that even President Donald Trump denounced it in a tweet. Within hours, though, the White House had walked that back, and on Friday Trump signed a bill extending 702 authority through 2023.
The government pledges not to abuse this power. But you can’t blame Americans for worrying that their conversations might get swept up in surveillance, because it will remain difficult to confirm the government plays by its own rules.
What 702 allows
This section of the Foreign Intelligence Surveillance Act — added in a 2008 law, then renewed in 2012 — governs NSA tapping of communications of foreign nationals from inside the U.S. An April 2017 document from the office of the Director of National Intelligence cites such 702 successes as the identification of an al-Qaeda sympathizer later recruited as a source.
This surveillance, however, may incidentally scoop up data from Americans and U.S. permanent residents in the U.S. or abroad — none of whom the NSA may intentionally target, and all of whom retain Fourth Amendment rights against government searches.
Yet Section 702 collections happen without particular search warrants, subject only to the secret Foreign Intelligence Surveillance Court approving overall procedures.
(For an extended discussion of 702, see a 2014 report by the Privacy and Civil Liberties Oversight Board, an independent government office set up in 2007.)
The Feds can’t copy and paste data about you from a 702 collection into domestic law-enforcement databases. But investigators can query it under limited circumstances for use in a criminal proceeding.
The renewal bill Trump signed Friday offers two options. First, the Federal Bureau of Investigation can get an order from the FISA court. Second, the attorney general can approve it on the grounds that the investigation involves national security or eight other categories of offense.
Those enumerated exceptions include such hard-to-argue items as terrorism and human trafficking. But they also fold in the Computer Fraud and Abuse Act, an exceedingly broad law that has been misused to threaten cybersecurity research and yet seems immune to serious discussions of reform.
There’s also the risk that police investigators may also attempt to use 702 data in “parallel construction” to set up legal searches that can yield findings unusable in court from the original data.
Technology can’t fix this
This is not a situation that gives you, the U.S. citizen who happens to correspond with the occasional overseas person, any terrific technological countermeasures against intelligence-community curiosity.
NSA 702 searches, which the agency said in 2017 targeted 106,000 people overseas in 2016, take two forms. “Upstream” collection involves tapping into internet backbones to search data in transit, while “downstream collection,” directs particular internet companies to turn over messages sent to or from specific addresses.
The TLS encryption that secures 89% of messages to and from Gmail, according to Google (GOOG, GOOGL) statistics, leaves the metadata of senders and recipients intact — otherwise, your mail would go nowhere.
TLS should, however, thwart new upstream “abouts” collection, the searches for people mentioned inside messages sent between two other individuals, that the renewal bill allows the NSA to resume gathering, subject to tighter oversight. The agency had stopped “abouts” collection last April.
A less common form of cryptography, end-to-end encryption like that in Facebook’s (FB) Messenger and WhatsApp and the Signal messaging app, should protect message content from downstream searches. But that, too, unavoidably exposes metadata.
A matter of trust
Advocates of 702 renewal point to the people and processes around it.
In a post on the influential Lawfare blog, former government lawyers Jack Goldsmith and Susan Hennessey nodded to support from such fellow Trump opponents as Rep. Adam Schiff (D.-Calif.): “Given everything Schiff has publicly said and done over the last year […] he knows not only how valuable the 702 program is but also how law-constrained and carefully controlled and monitored it is.”
They also heralded “the absence of credible allegations of political or venal use of 702 authorities.” The 2014 oversight-board report made the same point, as did another 702 backer who touted 702’s multiple sources of supervision — not just the FISA court but also House and Senate intelligence committees and agency inspectors general.
“These oversight mechanisms combined with the additional transparency measures provided in this legislation and others put in place in recent years should give the American people a great deal of confidence,” said Jamil Jaffer, head of George Mason University’s National Security Institute.
But those checks take place in secret and often after the fact.
“Those methods also have a record of taking a long time to notice or act on abuse, and those abuses may not ever be made public,” said Amie Stepanovich, U.S. policy manager with the digital-rights group Access Now.
“The general problem with intelligence oversight is that it operates substantially on the honor system,” said Julian Sanchez, a senior fellow at the libertarian Cato Institute. He judged them “great for catching honest errors” while “not terribly good mechanisms for spotting deliberate abuse.”
Meanwhile, the Trump administration continues to hand out good reasons to suspect its intentions — most obviously, it campaigns for “responsible encryption” to ease police investigations of our mobile devices while also searching and seizing more of our gadgets at U.S. borders.
Under these conditions, fear of abuse of power should come as no surprise. Can you know for sure that has — or hasn’t — happened under this renewed law? Sanchez had a two-word answer: “You won’t.”
More from Rob: