FILE PHOTO: A man is silhouetted near logo of the U.S. National Security Agency (NSA) in this photo illustration taken in Sarajevo March 11, 2015. REUTERS/Dado Ruvic/File Photo
The recently renewed foreign-intelligence surveillance law has privacy advocates spooked — not for what it would do to people from other countries, but because of how it can allow the warrant-free collection and use of U.S. citizens’ own data.
The government pledges not to abuse this power. But you can’t blame Americans for worrying that their conversations might get swept up in surveillance, because it will remain difficult to confirm the government plays by its own rules.
What 702 allows
This section of the Foreign Intelligence Surveillance Act — added ina 2008 law, then renewed in 2012 — governs NSA tapping of communications of foreign nationals from inside the U.S. An April 2017 document from the office of the Director of National Intelligence cites such 702 successes as the identification of an al-Qaeda sympathizer later recruited as a source.
This surveillance, however, may incidentally scoop up data from Americans and U.S. permanent residents in the U.S. or abroad — none of whomthe NSA may intentionally target, and all of whom retain Fourth Amendment rights against government searches.
The Feds can’t copy and paste data about you from a 702 collection into domestic law-enforcement databases. But investigators can query it under limited circumstances for use in a criminal proceeding.
The renewal bill Trump signed Friday offers two options. First, the Federal Bureau of Investigation can get an order from the FISA court. Second, the attorney general can approve it on the grounds that the investigation involves national security or eight other categories of offense.
There’s also the risk that police investigators may also attempt to use 702 data in“parallel construction” to set up legal searches that can yield findings unusable in court from the original data.
Technology can’t fix this
This is not a situation that gives you, the U.S. citizen who happens to correspond with the occasional overseas person, any terrific technological countermeasures against intelligence-community curiosity.
NSA 702 searches, which the agency said in 2017targeted 106,000 people overseas in 2016, take two forms. “Upstream” collection involves tapping into internet backbones to search data in transit, while “downstream collection,” directs particular internet companies to turn over messages sent to or from specific addresses.
TheTLS encryption that secures89% of messages to and from Gmail, according to Google (GOOG,GOOGL) statistics, leaves the metadata of senders and recipients intact — otherwise, your mail would go nowhere.
TLS should, however, thwart new upstream “abouts” collection, the searches for people mentioned inside messages sent between two other individuals, that the renewal bill allows the NSA to resume gathering, subject to tighter oversight. The agency hadstopped “abouts” collection last April.
A less common form of cryptography,end-to-end encryption like that in Facebook’s (FB) Messenger and WhatsApp and theSignal messaging app, should protect message content from downstream searches. But that, too, unavoidably exposes metadata.
A matter of trust
Advocates of 702 renewal point to the people and processes around it.
Ina post on the influential Lawfare blog, former government lawyers Jack Goldsmith and Susan Hennessey nodded to support from such fellow Trump opponents as Rep. Adam Schiff (D.-Calif.): “Given everything Schiff has publicly said and done over the last year […] he knows not only how valuable the 702 program is but also how law-constrained and carefully controlled and monitored it is.”
They also heralded “the absence of credible allegations of political or venal use of 702 authorities.” The 2014 oversight-board report made the same point, as did another 702 backer who touted 702’s multiple sources of supervision — not just the FISA court but also House and Senate intelligence committees and agency inspectors general.
“These oversight mechanisms combined with the additional transparency measures provided in this legislation and others put in place in recent years should give the American people a great deal of confidence,” said Jamil Jaffer, head ofGeorge Mason University’s National Security Institute.
But those checks take place in secret and often after the fact.
“Those methods also have a record of taking a long time to notice or act on abuse, and those abuses may not ever be made public,” said Amie Stepanovich, U.S. policy manager with the digital-rights groupAccess Now.
“The general problem with intelligence oversight is that it operates substantially on the honor system,” said Julian Sanchez, a senior fellow at the libertarianCato Institute. He judged them “great for catching honest errors” while “not terribly good mechanisms for spotting deliberate abuse.”
Under these conditions, fear of abuse of power should come as no surprise. Can you know for sure that has — or hasn’t — happened under this renewed law? Sanchez had a two-word answer: “You won’t.”
