Correcting the Record on Section 702: A Prerequisite for Meaningful Surveillance Reform, Part III

In our previous posts, we’ve argued that the NSA is collecting massive amounts of data about US citizens under conditions that have nothing to do with terrorism or national security, thanks to the authorities granted to the US government by section 702 of the Foreign Intelligence Surveillance Act. Now, in our final post, we’ll look at how that data is used for reasons that are far removed from those the intelligence community gives its overseers and the public when justifying this sweeping surveillance program.

Warrantlessly Acquired 702 Information Can Be Searched and Used for Non-Foreign Intelligence Purposes

The government can, and regularly does, search through its massive databases of content and metadata gathered under section 702 for information about U.S. persons. Such searches are often referred to as the “backdoor search loophole,” because they enable the government to access information that would otherwise be unavailable without a warrant or similar probable cause finding. The NSA and the CIA minimization procedures now require analysts to create a “statement of facts showing that a query is reasonably likely to return foreign intelligence information” before searching section 702 data for U.S.-person information, but the procedures do not require that foreign intelligence be the purpose of conducting the search. Moreover, this restriction does not pertain to the FBI, whose agents can query 702-acquired data for U.S.-person information as part of routine criminal investigations. The FBI can even search section 702 data for U.S.-person identifiers in order to initiate an investigation – without a suspicion of wrongdoing, never mind probable cause.

Even unauthorized FBI agents can conduct warrantless and suspicionless fishing expeditions through section 702 data for criminal conduct and thereby gain access to private information about Americans. According to the FBI’s minimization procedures, the FBI does not consider a search a “query” if the agent conducting the search does not immediately see responsive data containing U.S.-person information – either because they are not authorized to access section 702-acquired data or because no section 702-acquired data was responsive to their query. Unfortunately, the inability to see 702-acquired information immediately after a query does not prevent unauthorized agents from easily gaining access to it: upon notification that some results from their query contain section 702 information, the procedures allow unauthorized agents to simply ask an authorized person to give them access once that authorized person determines the information “reasonably” appears to be foreign intelligence or evidence of a crime. Worse, if it is unclear in the procedures to the authorized person whether or not the 702 information may contain foreign intelligence or evidence of a crime, the unauthorized agent can view the information and make that determination himself.

With such a huge repository of data, government agents have the capacity to learn whether individuals have engaged in particularly “sensitive” activities, which the FBI’s minimization procedures define as including, among other things, religious activities, political activities, activities involving the press or other media, sexual activities, and medical, psychiatric, or psychotherapeutic activities. If the sensitive information returned “reasonably appears” to be foreign intelligence information or evidence of a crime, that information may be retained, processed, and disseminated in the same manner as all other “non-sensitive” information.

The public has no idea how often the FBI conducts backdoor searches because the FBI will not report this data. However, the latest Statistical Transparency Report from the Office of the Director of National Intelligence shows that the backdoor search loophole is being used by the NSA and the CIA more than ever before: last year, there were 4,672 acknowledged backdoor search terms concerning a “known” U.S.-person – a 223% increase since 2013, according to the Privacy and Civil Liberties Oversight Board’s report on Section 702 surveillance programs.

In 2015, largely in response to the PCLOB’s criticisms of the section 702 programs, the Office of the Director of National Intelligence announced that it would limit the introduction of section 702 information as evidence against U.S. persons to the prosecution of “serious” crimes. However, this policy was not officially adopted into the FBI’s 2015 minimization procedures, which means that the policy may change at any time and without the Attorney General’s approval or FISC oversight. In addition, ODNI General Counsel Robert Litt’s explanation of what constitutes a “serious” crime indicates that the government may interpret this term broadly. Along with a few somewhat more specific serious crimes such as human trafficking and “incapacitation or destruction of critical infrastructure,” ODNI defines “serious crimes” to include cases “related to national security” and “transnational crimes.” Moreover, even if section 702 information cannot be used as evidence in court against a U.S. person for certain crimes, law enforcement can still use the information to find other evidence that can be used in court. In 2013, Reuters revealed that the U.S. Drug Enforcement Administration has engaged in a technique known as “parallel construction,” in which they used intelligence-gathered data to launch criminal investigations. Once they found enough information, they used traditional investigatory tools and legal processes to create a new discovery trail for the data, thereby obscuring the fact that foreign intelligence surveillance was the true source of the evidence.

Thus, section 702 surveillance can be abused in ways that create an end-run around the Fourth Amendment. The vast scope of collection under Section 702 means that troves of sensitive information belonging to or concerning U.S. persons are warrantlessly gathered without any connection to crime or national security threats. This information is subsequently available to a wide variety of government actors for a variety of purposes, including suspicionless searches meant to ferret out criminal activity.

Conclusion: The Overbroad Scope of Section 702’s Warrantless Collection Endangers Privacy and Civil Liberties Without Necessarily Contributing to National Security

Once the scope of section 702 collection is truly understood, it is clear that communications gathered under its authority do not only belong to the terrorists hiding in caves who wish to do us harm. As the statute and the guidelines that go with it are written, section 702-acquired data could belong to scientists, protestors, advocates, journalists, diplomats, students, and other everyday civilians. Given the broad scope of section 702 collection, coupled with the fact that collected data may be kept for several years and searched without probable cause or even factual predicate, the surveillance statute comes with grave privacy and civil liberties concerns. Lawmakers considering the reauthorization of section 702 must understand that such privacy and civil liberties concerns are not merely a necessary by-product of national security efforts. Rather, they are an unnecessary symptom of a statute that has metastasized well beyond its purported goal. This must be resolved before section 702 surveillance is allowed to continue past its expiration date.

Correcting the Record on Section 702: A Prerequisite for Meaningful Surveillance Reform, Part II

Last week, we argued that the public discussion surrounding two of the government’s most controversial mass surveillance programs – PRISM and Upstream – has not sufficiently acknowledged the broad scope of collection under these programs, which take place under section 702 of the Foreign Intelligence Surveillance Act (FISA). In short, hiding behind the counterterrorism justifications for section 702 is a broad surveillance program that sucks up massive amounts of irrelevant private data.

Today we show why, even though digital surveillance conducted under section 702 is directed overseas, such efforts collect substantial amounts of Americans’ private data. Next week we show how that data can be used for multiple purposes that have nothing to do with foreign intelligence or national security, including criminal investigations.

Our efforts come as lawmakers begin to debate the merits of the PRISM and Upstream surveillance programs ahead of section 702’s December 31, 2017 sunset date. We hope to clear up misperceptions about the nature of a surveillance regime that is inconsistent with both the US Constitution’s “reasonableness” requirement and international human rights norms that require surveillance to be necessary and proportionate.

Section 702 Programs Gather a Substantial Amount of US Persons’ Communications

Section 702 proponents emphasize the FISA statute’s requirement that surveillance under the 702 provision only target non-US persons located abroad. They then push the seductive (but false) implication that this requirement means section 702 does not materially affect Americans. For example, during the 2012 FISA reauthorization debate, former House Intelligence Committee Chairman Mike Rogers (R-MI) acknowledged that the law might permit surveillance of Americans, but that this would happen “only very rarely.” In 2013, shortly after newspapers revealed details of the PRISM program, Director of National Intelligence James R. Clapper issued a statement reassuring the public that section 702 cannot be used to intentionally target any US citizen or anyone located within the United States. Director Clapper also emphasized that agencies conducting section 702 surveillance must follow procedures meant to minimize the acquisition, retention, and dissemination of incidentally acquired information about US persons.

Nevertheless, a recently declassified FISA Court (FISC) opinion from November 2015 confirmed what many people already suspected – section 702 actually sweeps up “substantial quantities” of information concerning US persons. In other words, the surveillance program subjects Americans to extensive, warrantless surveillance. This broad collection of communications may be politically palatable when Americans are talking to terrorists — the implication is that this “incidental” collection is minor and necessary for public safety. However, as explained above, foreign targets are not necessarily terrorism suspects, or wrongdoers of any kind. Section 702 contemplates surveillance targeting bureaucrats, scientists, aid workers – anyone of “foreign intelligence” interest. Because the sanctioned surveillance topics are so broad, a vast number of people, including Americans, routinely have their communications swept up with no national security benefit attached.

First, Americans are surveilled when they talk to foreign targets. The obvious case is international communications, where one of the parties is a target and the other is an American. However, this “incidental collection” is more extensive than one might think because of the very nature of the internet and the many different ways information is exchanged throughout it. For example, internet messages are commonly multi-user communications taking place in chat rooms and on social networks. If even one participant is foreign, communications from all the other people participating may be subject to section 702 collection. In other words, a single target can justify surveillance of tens or hundreds of other people, some of whom may be US persons on US soil.

Second, Americans’ communications are collected as part of section 702’s Upstream collection program. Under the program, the government “tasks” a given selector (such as an email address or phone number) in the stream of internet data flowing through particular network gateways (known as the “internet backbone”). If the stream of internet packets contains the selector, the Upstream program will acquire the entire “internet transaction” containing that selector. Some transactions only include one communication (Single Communications Transactions – SCTs), while others contain multiple discrete communications (Multiple Communications Transactions – MCTs). Because of the way the NSA conducts Upstream collection, if any communication within an SCT or MCT is “to,” “from,” or even “about” a tasked selector, the entire transaction is collected. The collection of MCTs further removes the nexus between the communicants and the intended target because any communication that is embedded within a transaction that happens to include a communication that so much as mentions the targeted selector can get swept up. This includes wholly domestic communications.

Changeable Minimization Procedures Allow US-Person Information to be Retained, Disseminated, and Used

Congress anticipated that Americans’ communications would get swept up through warrantless section 702 surveillance, so they required the adoption of “minimization procedures” as a way to control the retention, dissemination, and use of nonpublic, non-consenting US-person information. The statute requires the procedures to be consistent with the government’s need to “obtain, produce, and disseminate” foreign intelligence information, and to permit the retention and dissemination of evidence of any crime. As a result, there are still many ways in which communications of or about innocent Americans can not only be collected under section 702, but can also remain in government databases for several years at a time and be used for a variety of purposes unrelated to national security or counterterrorism.

In response to recommendations made by the Privacy and Civil Liberties Oversight Board (PCLOB), the ODNI has made an effort to declassify the minimization procedures used by intelligence agencies as part of their section 702 surveillance practices. Most recently, in August 2016, the 2015 minimization procedures for the NSA, the CIA, the FBI, and the NCTC were partially declassified. Although declassifying the minimization procedures is a welcome step in the right direction, we still do not know when the rules apply and when the intelligence agencies may disregard them. For example, the 2015 minimization procedures for the NSA, the CIA, and the FBI state that “[n]othing in these procedures shall prohibit the retention, processing, or dissemination of information reasonably necessary to comply with specific constitutional, judicial or legislative mandates.” The apparent ability of agencies to deviate from the minimization procedures based on unspecified “mandates” undermines the anemic privacy safeguards those procedures contain. The FISC cannot ensure that the procedures meet either statutory or constitutional requirements in the face of such a vague exception. FISC Judge Thomas F. Hogan was aware of this problem when he nevertheless approved the NSA and the CIA procedures in November 2015. Without fully explaining his conclusion, Judge Hogan concluded the vague language was not as problematic as it seemed, referring to informal conversations in which NSA and CIA officials said they planned to only use this exception to the minimization procedures sparingly.

Beyond this worrisome language that appears to permit agencies to disregard their minimization procedures when they decide that doing so comports with some unspecified “mandate,” there are additional flaws to the most recently declassified procedures that allow Americans’ communications to be retained, searched, and used by a range of government agencies without a warrant or other judicial oversight. First, Americans’ communications are generally fair game for retention, use, and dissemination if one participant at the other end of the communication is outside the United States. Such communications are deemed “foreign communications” despite the fact that at least part of the communication involves a US person. Defenders of the section 702 program may point out that during such “incidental” collection, the foreign end of the communication has likely been identified as a target of interest for surveillance. As explained above, however, it can be alarmingly easy to become such a target under the section 702 statute and the policy guidelines that go with it. Moreover, in all other contexts Americans cannot be subject to incidental collection in the first place unless an investigator has obtained a search warrant or Title III interception order based on probable cause from a judge – a critical oversight mechanism that is absent in the section 702 context.

Once these “foreign” communications get swept up, they can be retained in one or more databases at the NSA, the CIA, and the FBI for a number of years. They can remain in the NSA’s database, for example, between two and five years, depending on whether they were gathered via the Upstream or PRISM collection program. They may be retained longer under a variety of circumstances, such as when they are encrypted or may be used to help decrypt other encrypted communications. Given the growing proportion of communications that are encrypted by default, this is one of the most significant loopholes to the retention limitations.

In addition, although the NSA may only pass US-person information on to other government entities if the identity of the US person is concealed, there are several exceptions to this rule – such as when the communication or information is “reasonably believed to contain evidence that a crime has been, is being, or is about to be committed.” Moreover, whether or not irrelevant US-person information must be minimized largely depends on whether or not the communicant is “known” to be a US person. The minimization procedures contain a presumption that people outside the US or whose location is unknown are “foreign” until there is evidence demonstrating otherwise. This presumption undermines assurances that US-person information that does not meet the requirements for retention will be destroyed “upon recognition,” since such assurances will only apply when that information is “known” to belong to or concern US persons. In practice, the chances of the agencies actually determining that a domestic communication is not the communication of a foreigner are slim, both because it is technologically difficult to determine for certain whether or not a communication belongs to or is about a US person, and because agencies do not scrutinize each and every communication to make such a determination.

Even if a communication is of or about a US person and irrelevant to foreign intelligence or crime, the NSA minimization procedures only require destruction “at the earliest practicable point” before the retention limit when such communications are “clearly” not relevant to the authorized purpose of collection (such as the acquisition of foreign intelligence information) or evidence of a crime. During the PCLOB’s public hearing on section 702, the NSA’s then-General Counsel admitted that it is often “difficult” to determine the foreign intelligence value of a particular piece of information at a given time, and the PCLOB concluded that, in reality, the “destroyed upon recognition” requirement rarely happens.

Finally, despite some improvements to the minimization procedures since the Edward Snowden leaks, there are still significant loopholes to the minimization procedures’ purging requirements that allow communications that took place entirely within the United States to be retained, searched, and disseminated. For example, the NSA’s procedures require that all domestic communications (including, if applicable, the entire internet transaction in which such communications were contained) be destroyed upon recognition. The NSA director, however, may waive this requirement on a communication-by-communication basis when he determines that one side of the domestic communication was properly targeted under section 702 and at least one of several circumstances applies, such as when the communication is “reasonably believed” to contain significant foreign intelligence information, evidence of a crime, or to be information that can be used for cryptanalytic purposes. The CIA and the FBI 2015 minimization procedures contain similar exceptions, but they do not require that one side of the communication belong to a properly targeted individual. It is troubling that there are so many situations in which communications between people on US soil may be retained and used as part of a surveillance program purportedly geared towards foreign intelligence and national security. The fact that a very senior official at the intelligence agencies must approve of the retention on a case-by-case basis should help, but increased transparency in this area would help reassure the American public that this exception to the purging requirement is not being overused.

At the end of the day, the NSA is sweeping up vast amounts of Americans’ communication data for reasons other than public safety and national security. It is then allowed to retain, repurpose, and disseminate that information for other government pursuits. This is hardly consistent with the justifications presented by proponents of this type of mass spying. Next week, we will explain how warrantlessly acquired section 702 information is searched and used for a variety of domestic purposes unrelated to counterterrorism or even foreign affairs.

Correcting the Record on Section 702: A Prerequisite for Meaningful Surveillance Reform, Part I

The legal authority behind the controversial PRISM and Upstream surveillance programs used by the NSA to collect large swaths of private communications from leading Internet companies – Section 702 of the Foreign Intelligence Surveillance Act (FISA) – is scheduled to expire on December 31, 2017. In recent months, Congress began to review these programs to assess whether to renew, reform, or retire section 702. Unfortunately, it appears the debate has already been skewed by misconceptions about the true scope of surveillance conducted under the contentious provision. These misconceptions need to be addressed before they completely derail the unique opportunity at hand to have a well-informed discussion about much-needed reforms – reforms that could stabilize the shaky constitutional ground that current US surveillance practices stand on, and reaffirm the US government’s commitment to fundamental human rights.

Specifically, the public debate has not sufficiently acknowledged the broad scope of section 702 collection, the volume of Americans’ data collected, or the liberality of the post-collection procedures governing intelligence and law enforcement usage of the data. Hiding behind the counterterrorism justifications for section 702 collection is a broad surveillance program that sucks massive amounts of private data – a sizeable chunk of which belongs to US persons – into government databases. Once the government has collected this information, it may use it for a variety of purposes that may have nothing to do with foreign intelligence or national security, including criminal investigations. As we’ll explore later, when the true scope of the section 702 program is understood, it is readily apparent that the collection of communications content under the program flies in the face of traditional notions of what constitutes a “reasonable” government search. Moreover, collection on this scale is inconsistent with international human rights norms that require surveillance to be necessary and proportionate. In short, the section 702 surveillance program is in desperate need of reform.

Section 702 Is Not a Counterterrorism Statute

Legislators weighing the value of section 702 talk almost exclusively about its use for counterterrorism. For example, the May 10 Senate Judiciary hearing on reauthorizing the FISA Amendments Act opened with references to the terrorist attacks in Paris and San Bernardino, and throughout the discussion senators and panelists emphasized the government’s responsibility to keep people safe. The implication was that if Americans’ and innocent foreign civilians’ private data is warrantlessly captured under section 702, it is only as a necessary byproduct of counterterrorism surveillance.

Despite what many lawmakers appear to believe, counterterrorism and national security are not the only permitted justifications for surveillance under section 702. Surveillance can occur for any foreign intelligence purpose, including the collection of information about a foreign power or territory that is related to “the conduct of the foreign affairs of the United States.” Such broadly worded language permits surveillance far beyond that related to counterterrorism. For example, when protesters gather as part of the Arab Spring or to protest a government policy, the reasons for their complaints “relate” to US foreign affairs. Information about other countries’ economic policies, which could affect global markets, “relates” to US foreign affairs, as well. In 2015 alone, there were an estimated 94,368 targets under section 702, and the public does not know what fraction of those targets, many of whom communicate with Americans, were actually targeted for counterterrorism-related purposes.

Moreover, foreign intelligence need not even be the main purpose of section 702 collection. Collection under section 702 is valid so long as a “significant purpose” of the collection is to obtain foreign intelligence information. The primary purpose of the collection can be something else entirely, such as investigating alleged tax evasion. The “significant purpose” loophole could also enable the FBI to use section 702 to direct warrantless surveillance for criminal investigations (although only the NSA can make actual targeting decisions, the FBI is permitted to “nominate” surveillance targets of its own).

Compounding the issue is the fact that decisions about whether or not a potential target is likely to communicate or receive such broadly defined “foreign intelligence information” are made with little guidance or limitation. The NSA’s 2009 Targeting Procedures contain a non-exhaustive list of factors that the NSA may consider when assessing whether a target is likely to have foreign intelligence information. These factors include whether or not there is “reason to believe” the target is communicating or has communicated with an individual “associated with” a foreign power or territory. It is unclear what it means to be “associated with” a foreign power or territory when it comes to section 702 surveillance, but such language could be interpreted quite broadly.

Moreover, there is hardly any judicial oversight over section 702 targeting. FISA Court (FISC) judges have very little sway over the targeting procedures themselves – they may only review them to see if they are “reasonably designed” to fit the minimum statutory requirements. In addition, FISC judges do not participate in making individual targeting decisions – such decisions are entirely internal determinations made by the NSA. A predictable by-product of judicial disengagement from targeting decisions is that innocent people may be improperly spied on. The public recently learned that the NSA targeted a peaceful New Zealand pro-democracy activist under the PRISM surveillance program based on erroneous claims by the New Zealand government that the man was plotting violent attacks. Had the NSA been required to provide some form of justification to a judge, the surveillance (in which the agency captured communications of people associated with a Fijian “thumbs up for democracy” campaign and turned them over to the New Zealand government) might not have happened.

Thus, when people talk about section 702 as if the only collection taking place under its auspices is for counterterrorism, that is wrong. Discussing the statute as if foreign intelligence must be the only, or even the primary, driver of its warrantless collection is also wrong. The statute allows warrantless content surveillance for a myriad of other purposes, so long as foreign intelligence collection is a “significant” purpose. Further, section 702 permits a very broad understanding of what type of person or entity is likely to communicate foreign intelligence information. Surveillance of conversations of foreigners that may be of foreign intelligence interest is thus neither necessary nor proportionate, as international human rights law requires. The broad scope of targeting under the 702 program should be tremendously worrisome, even for those who do not find the rights of non-US persons particularly compelling. The more foreigners deemed to potentially have foreign intelligence information, the more Americans communicating with those foreigners may be incidentally spied on as well. Moreover, in the 2015 Schrems decision, the Court of Justice of the European Union invalidated the EU-US Safe Harbor agreement, the basis for data transfers between the European Union and the United States, largely because of US surveillance programs such as section 702. This ruling threatens the ongoing flow of data between the US and Europe, potentially creating significant economic costs and legal risk for US-based companies, such as Google and Facebook, that transfer data under the scheme.

Next week, we’ll explore how broad the collection of Americans’ communications is under Section 702. In part 3, we’ll talk about the range of purposes beyond counterterrorism and national security for which section 702 data can be used.

Surveillance Oversight Should Be President-Proof, But We’re Still a Long Way Off

Last week, at an event co-hosted by Just Security and NYU’s Brennan Center for Justice, the NSA’s Civil Liberties and Privacy Director Rebecca Richards dropped the ball. When asked whether Americans should be comfortable with our current surveillance regime should someone like Donald Trump become president, she gave a milquetoast answer obviously intended to comfort the uninitiated. But in doing so, she revealed a serious deficit in our legal system.

Richards went on for a few minutes about how valuable it is to have someone like her “inside the building” having conversations about civil liberties and privacy with other NSA folks because it can be uncomfortable talking to outside overseers about the implications of what they are doing. Then she made a passing reference — before an audience of surveillance experts — to the “layers of accountability” provided by the Office of the Director of National Intelligence, the Justice Department, the Privacy and Civil Liberties Oversight Board, and Congress.

Seriously?

History tells us that up against a determined adversary from within the most powerful office in the world, America’s surveillance safeguards are anemic, barely bumps in the road. What about oversight has changed since 2001 that would stop another president from starting a new StellarWind?

Kurt Eichenwald’s 500 Days: Secrets and Lies in the Terror Wars tells the story of how the Bush administration initiated StellarWind, an illegal domestic spying program, by manipulating Executive Branch agencies under the president’s command and without answering to judges or Congress. Bush, unlike Nixon or Trump, wasn’t acting politically. He had the legitimate motivation of protecting the country. Nevertheless, he hid StellarWind from even national security officials in his own administration, never mind from Congress. And think how much craftier Bush would have been at hiding his steps from “oversight” if his surveillance goals were Trump’s — to identify accused terrorists’ families to be killed in retaliation or to make a short list of candidates for waterboarding.

Here’s some of what the Bush administration did. Attorney General John Ashcroft only learned about StellarWind a few days after Bush had already okayed it and the spying had begun. Then, despite the fact he was the lead law enforcement officer of the nation, Attorney General Ashcroft conducted no legal research to verify the President’s conclusion that the domestic dragnet collection was acceptable. The President had “just shoved [the order] in front of me and told me to sign it,” Ashcroft said. Ashcroft didn’t rock the boat, and he didn’t delay. He just signed it.

When Dick Cheney and David Addington, the architects of StellarWind, wanted more legal cover, they went to John Yoo at the OLC. The OLC is supposed to provide legal and constitutional advice to the White House on some of the most delicate questions arising in the conduct of Executive Branch business. It is incredibly powerful, because OLC opinions can immunize officials from liability even for illegal activity. That’s why they have to be exceedingly cautious — they are essentially giving the president a Get Out of Jail Free card.

But Yoo’s work wasn’t vetted through other OLC lawyers, as was the usual policy, nor was anyone at NSA allowed to see the StellarWind opinion he wrote. It was kept, along with other OLC memos approving extraordinary rendition (kidnapping), waterboarding, and other torture techniques, in a locked safe.

With the approval of junior attorney Yoo tucked away, the White House then went to the lawyers at the NSA. It was supposed to be baked into the NSA’s very DNA that you do not spy on Americans. But Cheney and Addington assured the NSA lawyers that there was a legal basis for the dragnets, signed off on by the OLC. Apparently, no one wanted to go against the White House. So rather than do their own legal analysis, the NSA attorneys decided to accept the White House’s assurance on faith and go along. After all, StellarWind was up and running. Were they going to stop a program that the president had already approved and said was necessary? The NSA legal counsel didn’t even get to read the OLC memo. Addington just read the lawyer the parts he thought were relevant over the phone, and put the damned thing back into his safe.

Those comfortable conversations with the Civil Liberties and Privacy Officer aren’t going to stop people at the NSA from implementing improper spying programs at the president’s behest. Richards won’t even be cleared to know. Nor is the valiant PCLOB, with its meager budget and non-existent subpoena power, likely to make up for the roles that the Attorney General, the Office of Legal Counsel, the NSA General Counsel, the Intelligence and Judiciary Committees, and the rest of Congress are supposed to (but have previously failed to) play.

Nothing has changed that will stop a president with a mission. The president isn’t required to inform Congress or the PCLOB if she changes Executive Order 12333. She is not required by law to give Congress notice of or the opportunity to review new Presidential Policy Directives affecting surveillance. The FISA Court still has no role in supervising overseas spying, nor must the president inform Congress when she initiates new overseas spying programs. When Office of Legal Counsel opinions justifying surveillance proposals are written, Congress need not be told nor given a copy. If the DOJ changes minimization procedures or FBI guidelines, it is not required to inform Congress. Classification continues to get in the way of oversight. There is no punishment for people who violate the law at a president’s behest. And whistleblowers have less, not more, reason to believe they will be protected and not prosecuted if they come forward.

Becky Richards and the rest of the Intelligence Community owe the public the truth.

I have written in my forthcoming book, American Spies, that surveillance law should be President-Proof, exactly because someone like Trump could be — even has been — president. Rather than repeat the same comforting boilerplate, Richards should have been honest with the American people. Our laws are nowhere near ready for what might come next. And the election is only five months away.

* * *

Much of great value has been written about the limitations of oversight:

Shirin Sinnar on the PCLOB’s resources and subpoena power (here)
Margo Schlanger on “Intelligence Legalism” (here, here, and here)
Chris Sprigman on how a culture of legal compliance can still break the law (here)
Jennifer Hoelzer on Congress, security clearances, and the difficulties of intelligence oversight (here)
Chris Sprigman and I wrote about aspects of StellarWind that violated the USA Patriot Act and FISA (here)
James Risen and Eric Lichtblau originally broke the story about StellarWind in 2005 (here)

Who Sets the Rules of the Privacy and Security Game?

Last week’s big cybersecurity news was that the FBI obtained a court order to force Apple to develop new software that would bypass several iPhone security features so the FBI can attempt to unlock the work phone of one of the San Bernardino shooters. Apple plans to challenge that order. (Full disclosure: I am planning on writing a technologists’ amicus brief on Apple’s side in that challenge.)

The ruling was one of those rare moments where digital security developments grabbed a big share of the public limelight. There were technical explanations, legal explainers, and policy pieces. The editorial boards of The New York Times, The Wall Street Journal, and The Washington Post all weighed in to say they believed the government had overstepped by seeking to force Apple to write new code that would undermine the security of its devices. The House Energy and Commerce investigation subcommittee indicated it wants to jump into the mix, asking Apple CEO Tim Cook and FBI Director James Comey to testify about the challenge.

Meanwhile, the federal government is on a full public relations tear, with Comey disclaiming a desire to obtain legal precedent for future investigations, and cloaking himself in the PR-friendly goal of ameliorating the sorrow of the San Bernardino shooting victims and their families. Meanwhile, the DOJ wags its finger at Apple for being motivated by business interests. The government is waging this battle for the moral high ground despite last week’s leak of a confidential National Security Council “decision memo” setting out a broader Obama administration initiative to handle the so-called “Going Dark” problem by finding new encryption workarounds and identifying laws that agencies might want to change.

This story and its subsequent developments (including the government’s motion to compel and the updated briefing schedule) have been everywhere since the story broke last Tuesday. The story will continue to unfold, and as it does so, here are some things to think about.

We live in a software-defined world. In 2000, Lawrence Lessig wrote that Code is Law — the software and hardware that comprise cyberspace are powerful regulators that can either protect or threaten liberty. A few years ago, Marc Andreessen wrote that software was eating the world, pointing to a trend that is hockey sticking today. Software is redefining everything, even national defense. But, software is written by humans. Increasingly, our reality will obey the rules encoded in software, not those of Newtonian physics. Software defines what we can do and what can be done to us. It protects our privacy and ensures security, or not. Software design can be liberty-friendly or tyranny-friendly.

This battle is over who gets to control software, and thus the basic rules of the world we live in. Who will write the proverbial laws of physics in the digital world? Is it the FBI and DOJ? Is it the US Congress? Is it private industry? Or is it going to be individuals around the world making choices that will empower us to protect ourselves — for better or for worse?

Some news outlets have returned to the familiar but tired and inaccurate trope of privacy versus security. This isn’t a privacy versus security case. The FBI has a search warrant that honors and overcomes the San Bernardino shooter’s privacy interests in the phone. (Of course, there won’t be a warrant in all or even most of the cases where governments demand forensic workarounds for phone security. In the US, warrants are endangered — for international communications, intelligence investigations, border crossings, and more. Outside the US, we can’t count on even democracies to have judicial review or probable cause requirements, or human rights-respecting laws.)

There are other interests at stake here too. Apple has a liberty interest in not being dragooned into writing forensic software for our government or any other. As Judge James Orenstein of the Eastern District of New York wrote in October when he sparked a conversation about the proper scope of government power over communications providers by refusing to immediately sign an order compelling Apple to unlock a handset, Apple is “free to choose to promote its customers’ interest in privacy over the competing interest of law enforcement.” For this reason, it’s surprising that the more libertarian-leaning organizations and lawmakers in our nation have not come out more strongly and persistently on Apple’s side.

Finally, there’s a public safety issue here. This is a security versus security case — the government’s interest in investigations versus the public interest in increasingly secure communications. Government demands like this have security externalities. For technical, legal, and geopolitical reasons, it’s hard — probably impossible — to break security measures for just a few devices and only under the right circumstances. This matters because we also live in a world of rampant communications insecurity. Governments exploit security vulnerabilities to surveil people — both their own citizens and foreigners. They use such vulnerabilities to conduct drone assassinations, spy on journalists, and engage in mass surveillance. And that’s just the US. (See here, here, and here for the very tip of the iceberg elsewhere.) While the FBI’s request seems to go beyond what other governments have sought from Apple so far, if Apple is forced to develop code to exploit its own phones, it will only be a matter of time before other countries seek to do the same.

The big question then becomes: Are people going to be forced to live in a surveillance-friendly world? Or will the public be able to choose products — phones, computers, apps — that keep our private information, conversations, and thoughts secure?

Right now, the FBI wants to decide these questions with reference to a law that was originally passed in 1789. The All Writs Act allows courts to “issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” Obviously, Congress wasn’t considering iPhone security at the time. The AWA has no internal limits and provides no guidance for courts on how to weigh individual privacy interests with corporate liberty and business interests with public safety interests. It is an utterly inappropriate vehicle for compelling forensic assistance.

Where Congress has actually authorized law enforcement to make demands of providers, it’s been far more nuanced than the AWA. The Communications Assistance for Law Enforcement Act (CALEA) passed in 1994 requires surveillance-friendly telephone networks. CALEA is a complex statute and its regulations are based on public hearings and an explicit consideration of public security. Still, CALEA mandates have led to insecure design and serious privacy breaches. Provider assistance provisions in the pen register statute, the Wiretap Act, and the Foreign Intelligence Surveillance Act allow the government to compel cooperation, but only for particular classes of providers and a limited set of data. The statutes also limit the burden our government can impose on private entities.

This is not to say that Congress should act. Communications security is global, complicated, critical, and we are very bad at it. Government policy should be, and often is, to improve it and not to tear it down. But Congress, when confronted with this issue in the past, has done and would do a far more thoughtful and nuanced job than the FBI and DOJ are doing.

Finally, this case is not about this particular phone. Contrary to a host of statements that claim the FBI’s request is narrow and will only apply to a single shooter’s work phone (here, here, and here), if it wins, the government will do this again. And so will others. The Manhattan DA has already indicated his appetite for such a workaround, as have foreign countries. This won’t be “exceptional access,” a phrase I would like to strangle and bury. There’s nothing “exceptional” about it. Apple has said that the software the FBI is seeking would be effective on every iPhone currently on the market. As soon as the code is out there, its use will be widespread.

Some people are trying to draw a line between design mandates, which this isn’t, and obligations to create forensic tools. Design mandates are a disaster, but this is nearly as bad. As soon as the legal precedent is out there, compelled forensic workarounds will quickly become routine. Legal precedent is bigger than the particular request in the specific case. It gets handed down and applied in a variety of contexts, many of which look vastly different than the facts that originally led to its development. If the All Writs Act can be used in this way — to force a company to develop forensic software that the government wants to deploy in a single case of terrorism — it could be used in any number of other (currently unforeseen) circumstances.

In other words, design mandates will be next. In fact, maybe it’s already happening behind our backs. When the Snowden documents showed that Microsoft had created surveillance backdoors in Skype, Outlook.com, and Hotmail, the company issued a statement. It said:

“Finally when we upgrade or update products legal obligations may in some circumstances require that we maintain the ability to provide information in response to a law enforcement or national security request. There are aspects of this debate that we wish we were able to discuss more freely. That’s why we’ve argued for additional transparency that would help everyone understand and debate these important issues.”

At the Center for Internet and Society, we’ve been trying to figure out what those legal obligations are. I wonder if these AWA arguments are part of it.

To make sound policy in this space, the public needs to know what the government is forcing companies to do, the full picture. This San Bernardino case is just one salvo in the ongoing war between a surveillance-friendly world and a surveillance-resistant world. The stakes for liberty, security, and privacy — for control over our software-defined world — are high.