OK, it's time to talk mass spying again: America's Section 702 powers are up for renewal
And tech groups are starting the fightback now
Analysis While the entire US political machinery has been caught up with one Trump-based scandal after another over the past three weeks, larger underlying issues are starting to re-emerge. And top of the list is mass surveillance.
Section 702 of America's Foreign Intelligence Surveillance Act (FISA) expires at the end of the year – December 31, 2017. As such, it will need to be actively renewed by Congress. And the drumbeat has begun on getting Congress to have a full, public debate on the measure before it authorizes any extension.
Just this week, the American Civil Liberties Union (ACLU) called on tech companies to start pushing for reform as it fought a critical legal battle in Ireland over the legality of data sharing between Europe and the United States.
On Wednesday, a number of tech industry groups, including the Computer & Communications Industry Association (CCIA), Consumer Technology Association (CTA), Information Technology Industry Council (ITI) and Internet Association, sent a letter [PDF] to the heads of four key congressional committees asking for "an open debate around the reauthorization of Section 702."
And legal commentators have started writing up their thoughts on what needs to change to stop widespread abuse of the law. Or, as the tech groups argued, "includes meaningful safeguards for internet users' privacy and civil liberties, measures to ensure transparency and accountability, and a commitment to continued Congressional oversight."
So, what is Section 702 and why is it important?
When Edward Snowden exposed the depth and breadth of mass surveillance being carried out in secret by the US government, much of the subsequent attention revolved around Section 215 of the Patriot Act, which had been interpreted to allow for bulk collection of Americans' phone records.
The reason for that focus was that while Section 215 was being used to gather Americans' records, Section 702 of a different act was, according to the US authorities, never used to gather information on Americans.
In fact the first limitation in Section 702 is that it cannot be used to "intentionally target any person known at the time of acquisition to be located in the United States."
Unfortunately, as Snowden documents and subsequent investigations made clear, the National Security Agency (NSA) had chosen to creatively interpret what seem like crystal clear rules to achieve the exact opposite of their intention. (It still claims [PDF] not to be doing what it is doing.)
The reality is that Section 702 has been used to create a vast database of information on millions of US citizens that is used every day by law enforcement to research even the smallest of crimes.
How did we get from a law specifically written to only target foreigners when they were outside the United States and only when it would result in "foreign intelligence information," to a reality where an FBI agent can search the private emails of a US citizen who has never left the United States on suspicion of car theft? Here's how:
- The term "foreign intelligence information" was first interpreted so broadly as to cover any and all information with any relevance to the United States.
- The NSA then decided that such information flows into and out of the United States all the time, thanks to servers hosted by US email providers, and so it should have access to all of that information – leading to the infamous PRISM program where email, chats, text messages and videos were pulled from Google, Facebook, Microsoft, Yahoo! and Apple and stored in a giant database.
- Any information from US citizens captured during this process is termed "incidental" by the NSA, which continues to pretend that the information gathered is no more than an accidental by-product of its legitimate search. It does not, however, delete that information.
- Other information on US citizens that really is captured by accident is called "inadvertent" collection. It is also retained.
- Critically, the NSA decided that the law only prevented it from capturing information on people that it actively knew to be US citizens. And as a result, it decided it could presume that everyone it gathered information on was a foreigner based overseas unless it had information to the contrary. So even though it was tapping the servers of US companies based in the United States, it allowed itself to believe that it was capturing the information of foreigners from outside the country.
- The NSA also decided that it was entitled to keep all this information it gathered in a database and the law would only apply to how it searched that database.
- Then the NSA decided that so long as it used search terms that gave it "51 per cent confidence" that the results would bring up information on a foreigner, it could access the database however it wished.
- In 2001 – after the terrorist attacks in New York City and Washington DC – the NSA then persuaded the Foreign Intelligence Surveillance Court that it should be allowed to search using the personal identifiers of US citizens, ie, their telephone numbers or email addresses. This was despite the fact that the law had previously specifically prohibited this sort of "reverse targeting."
- Following a recommendation from the 9/11 Commission that "the wall" between security services be removed to allow for greater sharing of intelligence, the FBI was granted access to the vast database.
- Under its guidelines for accessing the data, the FBI is allowed to search the database to investigate any federal crime and agents are in fact encouraged to do so.
Sponsored: Becoming a Pragmatic Security Leader