Group items tagged

Ahead of Thursday’s US House vote on a bill sold as reform of a major US government spying program, top technology firms like Google have joined civil liberties and privacy groups in calling the legislation inadequate in fighting mass surveillance. The Reform Government Surveillance coalition – AOL, Apple, Dropbox, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo – offered a statement on Wednesday denouncing the USA Freedom Act as a weak attempt at ending the government’s bulk storage of domestic phone metadata.

The USA Freedom Act would take the mass storage of phone records away from the government. Instead, telecommunications companies would be required to store the data. The bill would require the National Security Agency to get approval to search the telecoms’ cache of records from the often-compliant Foreign Intelligence Surveillance Court. Last-minute changes to the bill rankled privacy groups on Tuesday, leading many of them to decry the backdoor dealings as responsible for a “weakened,” “watered down” bill compared to what had previously passed the House Judiciary and Intelligence Committees earlier this month. On Wednesday, the tech coalition echoed these concerns, calling the amended legislation a move “in the wrong direction” of needed reform regarding mass surveillance. "The latest draft opens up an unacceptable loophole that could enable the bulk collection of Internet users' data," the coalition said. "While it makes important progress, we cannot support this bill as currently drafted and urge Congress to close this loophole to ensure meaningful reform." The loophole referred to by the coalition pertains to the USA Freedom Act’s definition for how and when government officials can search collected phone metadata records.

The new language – approved by House leaders and the Obama administration in recent days – modifies the prohibitions on bulk collection of domestic data to allow government officials to search for Americans’ phone records using a “a discrete term, such as a term specifically identifying a person, entity, account, address, or device, used by the Government to limit the scope of the information or tangible things sought.” This revised standard for the USA Freedom Act’s reform of surveillance is too broad and leaves privacy protections at risk, civil liberties groups said on Tuesday. In addition, the legislation’s new language also weakens the bill’s transparency provisions which outlined how much technology companies can disclose to customers about the extent of government requests of user data.

The United Nations’ top official for counter-terrorism and human rights (known as the “Special Rapporteur”) issued a formal report to the U.N. General Assembly today that condemns mass electronic surveillance as a clear violation of core privacy rights guaranteed by multiple treaties and conventions. “The hard truth is that the use of mass surveillance technology effectively does away with the right to privacy of communications on the Internet altogether,” the report concluded. Central to the Rapporteur’s findings is the distinction between “targeted surveillance” — which “depend[s] upon the existence of prior suspicion of the targeted individual or organization” — and “mass surveillance,” whereby “states with high levels of Internet penetration can [] gain access to the telephone and e-mail content of an effectively unlimited number of users and maintain an overview of Internet activity associated with particular websites.” In a system of “mass surveillance,” the report explained, “all of this is possible without any prior suspicion related to a specific individual or organization. The communications of literally every Internet user are potentially open for inspection by intelligence and law enforcement agencies in the States concerned.”

Mass surveillance thus “amounts to a systematic interference with the right to respect for the privacy of communications,” it declared. As a result, “it is incompatible with existing concepts of privacy for States to collect all communications or metadata all the time indiscriminately.” In concluding that mass surveillance impinges core privacy rights, the report was primarily focused on the International Covenant on Civil and Political Rights, a treaty enacted by the General Assembly in 1966, to which all of the members of the “Five Eyes” alliance are signatories. The U.S. ratified the treaty in 1992, albeit with various reservations that allowed for the continuation of the death penalty and which rendered its domestic law supreme. With the exception of the U.S.’s Persian Gulf allies (Saudi Arabia, UAE and Qatar), virtually every major country has signed the treaty. Article 17 of the Covenant guarantees the right of privacy, the defining protection of which, the report explained, is “that individuals have the right to share information and ideas with one another without interference by the State, secure in the knowledge that their communication will reach and be read by the intended recipients alone.”

The report’s key conclusion is that this core right is impinged by mass surveillance programs: “Bulk access technology is indiscriminately corrosive of online privacy and impinges on the very essence of the right guaranteed by article 17. In the absence of a formal derogation from States’ obligations under the Covenant, these programs pose a direct and ongoing challenge to an established norm of international law.” The report recognized that protecting citizens from terrorism attacks is a vital duty of every state, and that the right of privacy is not absolute, as it can be compromised when doing so is “necessary” to serve “compelling” purposes. It noted: “There may be a compelling counter-terrorism justification for the radical re-evaluation of Internet privacy rights that these practices necessitate. ” But the report was adamant that no such justifications have ever been demonstrated by any member state using mass surveillance: “The States engaging in mass surveillance have so far failed to provide a detailed and evidence-based public justification for its necessity, and almost no States have enacted explicit domestic legislation to authorize its use.”

Buried amid details of “rectal rehydration” and waterboarding that dominated the headlines over last week’s Senate Intelligence Committee findings was an alarming detail: Both the committee’s summary report and its rebuttal by the CIA admit that a source whose claims were central to the July 2004 resumption of the torture program  — and, almost certainly, to authorizing the Internet dragnet collecting massive amounts of Americans’ email metadata — fabricated claims about an election year plot. Both the torture program and President Bush's warrantless wiretap program, Stellar Wind, were partly halted from March through June of 2004. That March, Assistant Attorney General Jack Goldsmith prepared to withdraw Pentagon authorization for torture, amid growing concern following the publication of pictures of detainee abuse at Iraq's Abu Ghraib, and a May 2004 CIA inspector general report criticizing a number of aspects of the Agency's interrogation program. On June 4, 2004, CIA Director George Tenet suspended the use of torture techniques.

During the same period, the DOJ lawyers who pushed to stop torture were also persuading President George W. Bush to halt aspects of Stellar Wind, a program that conducted warrantless wiretapping of Americans’ communications inside the U.S., on top of the Internet metadata. After a dramatic confrontation in the hospital room of Attorney General John Ashcroft on March 10, 2004, acting Attorney General Jim Comey and Goldsmith informed Bush there was no legal basis for parts of the program. Ultimately, Bush agreed to modify aspects of it, in part by halting the collection of Internet metadata. But even as Bush officials suspended that part of the program on March 26, they quickly set about finding legal cover for its resumption. One way they did so was by pointing to imminent threats — such as a planned election-season attack — in the United States.

The CIA in March 2004 received reporting from a source the torture report calls "Asset Y,” who said a known Al-Qaeda associate in Pakistan, Janat Gul — whom CIA at the time believed was a key facilitator — had set up a meeting between Asset Y and Al-Qaeda's finance chief, and was helping plan attacks inside the United States timed to coincide with the November 2004 elections. According to the report, CIA officers immediately expressed doubts about the veracity of the information they’d been given by Asset Y. A senior CIA officer called the report "vague" and "worthless in terms of actionable intelligence." He noted that Al Qaeda had already issued a statement “emphasizing a lack of desire to strike before the U.S. election” and suggested that since Al-Qaeda was aware that “threat reporting causes panic in Washington” and inevitably results in leaks, planting a false claim of an election season attack would be a good way for the network to test whether Asset Y was working for its enemies. Another officer, assigned to the group hunting Osama bin Laden, also expressed doubts. In its rebuttal to the Senate report, the CIA argues the agency was right to take seriously Asset Y’s reporting , in spite of those initial doubts. The CIA wrote numerous reports about the claim “even as we worked to resolve the inconsistencies.” Reports from detainee Hassan Ghul, who was captured in January 2004, supported the possibility that a cell of Al-Qaeda members in Pakistan’s tribal areas might be planning a plot of which he was unaware. And the CIA corroborated other parts of Asset Y's reporting.

A federal judge ruled in 2007 that the U.S.A. Patriot Act empowered the National Security Agency to collect foreigners’ emails and phone calls from domestic networks without prior judicial approval, newly declassified documents show.The documents — two rulings of the Foreign Intelligence Surveillance Court — fill in a chapter in the history of the N.S.A.’s warrantless surveillance program. They show the agency’s secret moves in the months before Congress authorized the spying by enacting the Protect America Act in August 2007.The disclosure also brought into public view a previously unknown example of how the surveillance court, which hears arguments only from the government before issuing secret rulings, sometimes accepts novel interpretations of the law to bless government requests for spying powers.

In the post 9/11 era, the U.S. government vastly expanded its surveillance of nearly everyone on earth, even U.S. citizens, brushing aside constitutional protections in the name of security. A group of intelligence veterans urges reform of those practices to protect privacy and to stop the waste of resources. MEMORANDUM FOR: Privacy and Civil Liberties Oversight BoardFROM: Veteran Intelligence Professionals for Sanity (VIPS)Subject: Two Administrations and Congress Dismantled the Constitution – How Can It Be Restored? Drastic Erosion of Citizen Privacy Since 9/11Since the events of September 11, 2001, actions by successive U.S. administrations – backed by legislation such as the Patriot Act and the FISA Amendments Act (FAA) – have eroded privacy provisions guaranteed under the U.S. Constitution. Lawsuits challenging these actions have languished, with the U.S. Supreme Court having declined to hear the one case to reach it for review, Clapper vs. Amnesty International.

The ACLU has filed a lawsuit challenging the constitutionality of the NSA’s mass interception and searching of Americans’ international communications. At issue is the NSA's “upstream” surveillance, through which the U.S. government monitors almost all international – and many domestic – text-based communications. The ACLU’s lawsuit, filed in March 2015 in the U.S. District Court for the District of Maryland, is brought on behalf of nearly a dozen educational, legal, human rights, and media organizations that collectively engage in hundreds of billions of sensitive Internet communications and have been harmed by NSA surveillance.

The plaintiffs in the lawsuit are: Wikimedia Foundation, The National Association of Criminal Defense Lawyers, Human Rights Watch, Amnesty International USA, PEN American Center, Global Fund for Women, The Nation Magazine, The Rutherford Institute, and The Washington Office on Latin America. These plaintiffs’ sensitive communications have been copied, searched, and likely retained by the NSA. Upstream surveillance hinders the plaintiffs’ ability to ensure the basic confidentiality of their communications with crucial contacts abroad – among them journalists, colleagues, clients, victims of human rights abuses, and the tens of millions of people who read and edit Wikipedia pages. Read the complaint » Upstream surveillance, which the government claims is authorized by the FISA Amendments Act of 2008, is designed to ensnare all of Americans’ international communications, including emails, web-browsing content, and search engine queries. It is facilitated by devices installed, with the help of companies like Verizon and AT&T, directly on the internet “backbone” – the network of high-capacity cables, switches, and routers across which Internet traffic travels.

The NSA intercepts and copies private communications in bulk while they are in transit, and then searches their contents using tens of thousands of keywords associated with NSA targets. These targets, chosen by intelligence analysts, are never approved by any court, and the limitations that do exist are weak and riddled with exceptions. Under the FAA, the NSA may target any foreigner outside the United States believed likely to communicate “foreign intelligence information” – a pool of potential targets so broad that it encompasses journalists, academic researchers, corporations, aid workers, business persons, and others who are not suspected of any wrongdoing.

Margo Schlanger has written a great article forthcoming in the Harvard National Security Journal about intelligence legalism, an ethical framework she sees underlying NSA surveillance. Margo makes the case that NSA and the executive branch haven’t been asking what the right surveillance practices should be, but rather what surveillance practices are allowed to be. She takes the concept of legalism from political theorist Judith Shklar: “the ethical attitude that holds moral conduct to be a matter of rule following, and moral relationships to consist of duties and rights determined by rules.” In the model of legalism that Margo sees the NSA following, any spying that is not legally prohibited is also right and good because ethics is synonymous with following the rules. Her critique of “intelligence legalism” is that the rules are the bare minimum, and merely following the rules doesn’t take civil liberties concerns seriously enough.

My question is whether legalism serves as a moral code for US Intelligence Community (IC) leadership, or only as a smokescreen. I believe the evidence shows that since 9/11,the IC, and specifically the NSA has not followed the rules. Rather, the agency has resorted to legalistic justifications in pursuit of other goals—namely whatever might be useful in countering terrorism. Before 9/11, the agency may have been focused on complying with FISA. But afterthat day, the NSA’s approach was that it “could circumvent federal statutes and the Constitution so long as there was some visceral connection to looking for terrorists.” In other words, since 9/11, the moral center of gravity in the surveillance world has focused on doing whatever is necessary for hunting terrorists, not following the rules. 

We all know justice is blind. But that is supposed to mean that everyone before it is treated equally, not that the justice system must close its eyes and refuse to look at important legal issues facing Americans.  Yet the government continues to convince courts that they cannot consider the constitutionality of its behavior in national security cases and, last week, in an important case for anyone who has ever used Wikipedia, another judge agreed with that position.  A federal district judge in Maryland dismissed Wikimedia v. NSA, a case challenging the legality of the NSA’s “upstream” surveillance—mass surveillance of Internet communications as they flow through the Internet backbone. The case was brought by our friends at the ACLU on behalf of nine plaintiffs, including human rights organizations, members of the media, and the Wikimedia Foundation.1 We filed a brief in the case, too, in support of Wikimedia and the other plaintiffs. The judge dismissed the case based on a legal principle called standing. Standing is supposed to ensure, among other things, that the party bringing the lawsuit has suffered a concrete harm, caused by the party being sued, and that the court can resolve the harm with a favorable ruling.

But the U.S. government has taken this doctrine, which was intended to limit the cases federal courts hear to actual live controversies, and turned it into a perverse shell game in surveillance cases—essentially arguing that because aspects of the surveillance program are secret, plaintiffs cannot prove that their communications were actually, in fact, intercepted and surveilled. And without that proof, the government argues, there’s no standing, because plaintiffs can’t show that they’ve suffered harm. Sadly, like several other courts before it, the judge agreed to this shell game and decided that it couldn’t decide whether the constitutional rights of Wikimedia and the other plaintiffs were violated.  This game is mighty familiar to us at EFF, but that doesn’t make it any less troubling. In our system, the courts have a fundamental obligation to conclusively determine the legality of government action that affects individuals’ constitutional rights. For years now, plaintiffs have tried to get the courts to simply issue a ruling on the merits of NSA surveillance programs. And for years, the government has successfully persuaded the courts to rely on standing and related doctrines to avoid doing so. That is essentially what happened here. The court labeled as “speculative” Wikimedia’s claim that, at a minimum, even one of its approximately one trillion Internet communications had been swept up in the NSA’s upstream surveillance program. Remember, this is a program that, by the government’s own admission, involves the searching and scanning of vast amounts of Internet traffic at key Internet junctures on the Internet’s backbone. Yet in court’s view, Wikimedia’s allegations describing upstream—based on concrete facts, taken from government documents— coupled with a plaintiff that engages in a large volume of internet communications were not enough to state a “plausible” claim that Wikimedia had been surveilled.

On the way to reaching that conclusion, and putting on its blindfold, the court made a number of mistakes. The Government’s Automated Eyes Are Still Government Eyes First, it appears the court fundamentally misunderstood Wikimedia’s claim about upstream surveillance and, in particular, “about surveillance.” As Wikimedia alleged, “about surveillance” (a specific aspect of upstream surveillance that searches the content of communications for references to particular email addresses or other identifiers) amounts to “the digital analogue of having a government agent open every piece of mail that comes through the post to determine whether it mentions a particular word or phrase.” The court held, however, that this type of “about” surveillance was “targeted insofar as it makes use of only those communications that contain information matching the tasked selectors,” like email addresses. But what the government "makes use of" is entirely beside the point—it is the scanning of the communications for the tasked selectors in the first place that is the problem.  To put it into a different context, the government conducts a search when it enters into your house and starts rifling through your files—not just when it finds something it wants to keep. The government's ultimate decision to “make use of” the communications it finds interesting is irrelevant. It is the search of the communications that matters.

In a seminal decision updating and consolidating its previous jurisprudence on surveillance, the Grand Chamber of the European Court of Human Rights took a sideways swing at mass surveillance programs last week, reiterating the centrality of “reasonable suspicion” to the authorization process and the need to ensure interception warrants are targeted to an individual or premises. The decision in Zakharov v. Russia — coming on the heels of the European Court of Justice’s strongly-worded condemnation in Schrems of interception systems that provide States with “generalised access” to the content of communications — is another blow to governments across Europe and the United States that continue to argue for the legitimacy and lawfulness of bulk collection programs. It also provoked the ire of the Russian government, prompting an immediate legislative move to give the Russian constitution precedence over Strasbourg judgments. The Grand Chamber’s judgment in Zakharov is especially notable because its subject matter — the Russian SORM system of interception, which includes the installation of equipment on telecommunications networks that subsequently enables the State direct access to the communications transiting through those networks — is similar in many ways to the interception systems currently enjoying public and judicial scrutiny in the United States, France, and the United Kingdom. Zakharov also provides a timely opportunity to compare the differences between UK and Russian law: Namely, Russian law requires prior independent authorization of interception measures, whereas neither the proposed UK law nor the existing legislative framework do.

The decision is lengthy and comprises a useful restatement and harmonization of the Court’s approach to standing (which it calls “victim status”) in surveillance cases, which is markedly different from that taken by the US Supreme Court. (Indeed, Judge Dedov’s separate but concurring opinion notes the contrast with Clapper v. Amnesty International.) It also addresses at length issues of supervision and oversight, as well as the role played by notification in ensuring the effectiveness of remedies. (Marko Milanovic discusses many of these issues here.) For the purpose of the ongoing debate around the legitimacy of bulk surveillance regimes under international human rights law, however, three particular conclusions of the Court are critical.

The Court took issue with legislation permitting the interception of communications for broad national, military, or economic security purposes (as well as for “ecological security” in the Russian case), absent any indication of the particular circumstances under which an individual’s communications may be intercepted. It said that such broadly worded statutes confer an “almost unlimited degree of discretion in determining which events or acts constitute such a threat and whether that threat is serious enough to justify secret surveillance” (para. 248). Such discretion cannot be unbounded. It can be limited through the requirement for prior judicial authorization of interception measures (para. 249). Non-judicial authorities may also be competent to authorize interception, provided they are sufficiently independent from the executive (para. 258). What is important, the Court said, is that the entity authorizing interception must be “capable of verifying the existence of a reasonable suspicion against the person concerned, in particular, whether there are factual indications for suspecting that person of planning, committing or having committed criminal acts or other acts that may give rise to secret surveillance measures, such as, for example, acts endangering national security” (para. 260). This finding clearly constitutes a significant threshold which a number of existing and pending European surveillance laws would not meet. For example, the existence of individualized reasonable suspicion runs contrary to the premise of signals intelligence programs where communications are intercepted in bulk; by definition, those programs collect information without any consideration of individualized suspicion. Yet the Court was clearly articulating the principle with national security-driven surveillance in mind, and with the knowledge that interception of communications in Russia is conducted by Russian intelligence on behalf of law enforcement agencies.

The first (and thus far only) roll-back of post-9/11 surveillance authorities was implemented over the weekend: The National Security Agency shuttered its program for collecting and holding the metadata of Americans’ phone calls under Section 215 of the Patriot Act. While bulk collection under Section 215 has ended, the government can obtain access to this information under the procedures specified in the USA Freedom Act. Indeed, some experts have argued that the Agency likely has access to more metadata because its earlier dragnet didn’t cover cell phones or Internet calling. In addition, the metadata of calls made by an individual in the United States to someone overseas and vice versa can still be collected in bulk — this takes place abroad under Executive Order 12333. No doubt the NSA wishes that this was the end of the surveillance reform story and the Paris attacks initially gave them an opening. John Brennan, the Director of the CIA, implied that the attacks were somehow related to “hand wringing” about spying and Sen. Tom Cotton (R-Ark.) introduced a bill to delay the shut down of the 215 program. Opponents of encryption were quick to say: “I told you so.”

But the facts that have emerged thus far tell a different story. It appears that much of the planning took place IRL (that’s “in real life” for those of you who don’t have teenagers). The attackers, several of whom were on law enforcement’s radar, communicated openly over the Internet. If France ever has a 9/11 Commission-type inquiry, it could well conclude that the Paris attacks were a failure of the intelligence agencies rather than a failure of intelligence authorities. Despite the passage of the USA Freedom Act, US surveillance authorities have remained largely intact. Section 702 of the FISA Amendments Act — which is the basis of programs like PRISM and the NSA’s Upstream collection of information from Internet cables — sunsets in the summer of 2017. While it’s difficult to predict the political environment that far out, meaningful reform of Section 702 faces significant obstacles. Unlike the Section 215 program, which was clearly aimed at Americans, Section 702 is supposedly targeted at foreigners and only picks up information about Americans “incidentally.” The NSA has refused to provide an estimate of how many Americans’ information it collects under Section 702, despite repeated requests from lawmakers and most recently a large cohort of advocates. The Section 215 program was held illegal by two federal courts (here and here), but civil attempts to challenge Section 702 have run into standing barriers. Finally, while two review panels concluded that the Section 215 program provided little counterterrorism benefit (here and here), they found that the Section 702 program had been useful.

There is, nonetheless, some pressure to narrow the reach of Section 702. The recent decision by the European Court of Justice in the safe harbor case suggests that data flows between Europe and the US may be restricted unless the PRISM program is modified to protect the information of Europeans (see here, here, and here for discussion of the decision and reform options). Pressure from Internet companies whose business is suffering — estimates run to the tune of $35 to 180 billion — as a result of disclosures about NSA spying may also nudge lawmakers towards reform. One of the courts currently considering criminal cases which rely on evidence derived from Section 702 surveillance may hold the program unconstitutional either on the basis of the Fourth Amendment or Article III for the reasons set out in this Brennan Center report. A federal district court in Colorado recently rejected such a challenge, although as explained in Steve’s post, the decision did not seriously explore the issues. Further litigation in the European courts too could have an impact on the debate.

In response to a Freedom of Information Act (FOIA) request filed by Shadowproof, the Federal Bureau of Investigation (FBI) said it “can neither confirm nor deny the existence of records” regarding a wiretap of Trump Tower. The FBI sent its response via email earlier this afternoon, hours before news broke that the United States government wiretapped President Trump’s former campaign chairman, Paul Manafort. The Bureau’s response appears to be a reversal from its response to an earlier FOIA request, in which the Department of Justice stated that “Both FBI and NSD confirm that they have no records related to wiretaps as described by the March 4, 2017 tweets [in which Trump alleged President Obama had wiretapped Trump Tower]”. CNN reported today that U.S. investigators employed secret court orders to wiretap Manafort, both prior to and following the election. Though Manafort owns an apartment in Trump Tower, the report by CNN did not make clear whether that was the location or subject of the wiretap.