The legal justification for the NSA to tap the internet's backbone was put on the table Tuesday in a hearing of the Senate's Judiciary Committee, with some senators vowing to add privacy protections to the law as expert witnesses noted the FBI was likely reading the love letters of US citizens rather than tracking down terrorists.
The Congressional hearing - titled "Oversight and reauthorization of the FISA Amendments Act: the balance between national security, privacy and civil liberties" - dug specifically into the section of the 2008 law that allows the NSA to force Facebook, Google and other internet companies to provide them with all communications for review.
Section 702 has been used to justify mass surveillance of online activity and includes the infamous PRISM program revealed by Edward Snowden in 2013. Under the law, the NSA and other security services are only supposed to review the details of non-US citizens based outside the country.
In reality, however, the personal data of huge numbers of US citizens within the country are swept up in the broad programs justified by the law. How many? That is one of the questions Congress wants answered.
Last month, the House Judiciary Committee sent a letter to director of national intelligence James Clapper asking him exactly how many US citizens the security services are spying on through Section 702.
The security services have avoided answering the question for a number of years but with the required renewal of the FISA Act in 2017, senators are using it as an opportunity to force some sunlight on the surveillance issue. Following the letter, Clapper's team is said to be working on a method for assessing the actual number.
It is far from certain, however, what changes Congress will be willing to insist upon as a pre-condition for re-authorization.
Two statements from leading members of the Judiciary Committee, Senator Patrick Leahy (D-VT) and Senator Chuck Grassley (R-IA), outlined the different perspectives of the two political parties.
While Leahy made no bones about his concerns about abuse and insisted on reform, Grassley excused the known examples of where the law has been stretched to breaking point as mistakes and argued that recent changes were largely sufficient.
Leahy noted that "the government has repeatedly failed to comply with FISA court orders" and that the court had "reprimanded [it] for 'substantial misrepresentations' regarding operation of the 702 programs."
Leahy also notes that so-called "backdoor" searches carried out by the FBI - where it searches existing databases without requiring any kind of warrant - "raise serious constitutional questions, particularly since the FBI can use them to investigate crimes having nothing to do with national security."
Grassley on the other hand referred to recent atrocities including the Paris, Brussels and San Bernardino shootings and insisted that "the Intelligence Community have the tools to keep us safe."
While he acknowledged that "human error has led to mistakes in implementing the law over the years," he noted that no one has "ever found any instance of an intentional violation of the law."
He then pointed to the Privacy and Civil Liberties Oversight Board, noting that it had made recommendations "to help improve the privacy and civil liberties protections of the Section 702 program" and that all the recommendations had either been implemented or were being implemented.
Somewhat unusually, not one but two members of the Privacy and Civil Liberties Oversight Board were called as witnesses to the hearing, as well as two lawyers and a cybersecurity expert.
The reason why became immediately apparent: chairman of the oversight board, David Medine - who will be stepping down from the independent group this summer - was highly critical of Section 702 as it currently stands.
He said that the government's databases built up through their interpretation of the law "inevitably contain deeply personal communications by, from, and concerning US persons." He continued that many of these communications "have nothing to do with terrorism or crime."
Instead, he noted, "they can include family photographs, love letters, personal financial matters, discussions of physical and mental health, and political and religious exchanges."
His fellow board member was far more supportive, defending the collection of data under Section 702 and arguing that it was "less invasive" than the information that security services would need to gather to justify a warrant to search their communications.
Another witness who was highly skeptical of law enforcement was Elizabeth Goitein of the Brennan Center for Justice who said that the "backdoor" searches created a "massive end run around the Fourth Amendment" and said that the US government was using its databases to investigate ordinary criminal cases of US citizens - the exact opposite of what Section 702 is supposed to be used for.
The discussion between the panelists and senators was occasionally revealing, such as when Senator John Cornyn (R-TX) argued that "the only American citizens impacted by this process without a court order will be those communicating with a known terrorist overseas."
Medine was quick to snap back: "This program does not just target terrorists. It targets anyone with foreign intelligence value. It could be a completely innocent businessman or anyone else out of the country who has that information."
It's impossible to know what reforms will be introduced and how far they will go but there are two promising signs for privacy advocates. First, the fact that the public hearing has happened at all; the law, passed in 2008 and renewed in 2012, has only ever passed through Congressional corridors and closed sessions.
Secondly, the Judiciary Committees in both the House and Senate have started reviewing the Act more than 18 months before it needs to be renewed. That means there is a determination to make changes and to provide a sufficient timeline for doing so. ®