After Section 702 Reauthorization by Bruce Schneier

For over a decade, civil libertarians have been fighting government mass
surveillance of innocent Americans over the Internet. We've just lost an
important battle. On January 18, when President Trump signed the renewal
of Section 702, domestic mass surveillance became effectively a permanent
part of US law.

Section 702 was initially passed in 2008, as an amendment to the Foreign
Intelligence Surveillance Act of 1978. As the title of that law says, it
was billed as a way for the NSA to spy on non-Americans located outside
the United States. It was supposed to be an efficiency and cost-saving
measure: the NSA was already permitted to tap communications cables
located outside the country, and it was already permitted to tap
communications cables from one foreign country to another that passed
through the United States. Section 702 allowed it to tap those cables
from inside the United States, where it was easier. It also allowed the
NSA to request surveillance data directly from Internet companies under
a program called PRISM.

The problem is that this authority also gave the NSA the ability to
collect foreign communications and data in a way that inherently and
intentionally swept up Americans' communications as well, without a
warrant. Other law enforcement agencies are allowed to ask the NSA to
search those communications, give their contents to the FBI and other
agencies and then lie about their origins in court.

In 1978, after Watergate had revealed the Nixon administration's abuses
of power, we erected a wall between intelligence and law enforcement
that prevented precisely this kind of sharing of surveillance data under
any authority less restrictive than the Fourth Amendment. Weakening that
wall is incredibly dangerous, and the NSA should never have been given
this authority in the first place.

Arguably, it never was. The NSA had been doing this type of surveillance
illegally for years, something that was first made public in 2006.
Section 702 was secretly used as a way to paper over that illegal
collection, but nothing in the text of the later amendment gives the NSA
this authority. We didn't know that the NSA was using this law as the
statutory basis for this surveillance until Edward Snowden showed us in

Civil libertarians have been battling this law in both Congress and the
courts ever since it was proposed, and the NSA's domestic surveillance
activities even longer. What this most recent vote tells me is that
we've lost that fight.

Section 702 was passed under George W. Bush in 2008, reauthorized under
Barack Obama in 2012, and now reauthorized again under Trump. In all
three cases, congressional support was bipartisan. It has survived
multiple lawsuits by the Electronic Frontier Foundation, the ACLU, and
others. It has survived the revelations by Snowden that it was being
used far more extensively than Congress or the public believed, and
numerous public reports of violations of the law. It has even survived
Trump's belief that he was being personally spied on by the intelligence
community, as well as any congressional fears that Trump could abuse the
authority in the coming years. And though this extension lasts only six
years, it's inconceivable to me that it will ever be repealed at this
point.

So what do we do? If we can't fight this particular statutory authority,
where's the new front on surveillance? There are, it turns out,
reasonable modifications that target surveillance more generally, and
not in terms of any particular statutory authority. We need to look at
US surveillance law more generally.

First, we need to strengthen the minimization procedures to limit
incidental collection. Since the Internet was developed, all the world's
communications travel around in a single global network. It's impossible
to collect only foreign communications, because they're invariably mixed
in with domestic communications. This is called "incidental" collection,
but that's a misleading name. It's collected knowingly, and searched
regularly. The intelligence community needs much stronger restrictions
on which American communications channels it can access without a court
order, and rules that require they delete the data if they inadvertently
collect it. More importantly, "collection" is defined as the point the
NSA takes a copy of the communications, and not later when they search
their databases.

Second, we need to limit how other law enforcement agencies can use
incidentally collected information. Today, those agencies can query a
database of incidental collection on Americans. The NSA can legally pass
information to those other agencies. This has to stop. Data collected by
the NSA under its foreign surveillance authority should not be used as a
vehicle for domestic surveillance.

The most recent reauthorization modified this lightly, forcing the FBI
to obtain a court order when querying the 702 data for a criminal
investigation. There are still exceptions and loopholes, though.

Third, we need to end what's called "parallel construction." Today, when
a law enforcement agency uses evidence found in this NSA database to
arrest someone, it doesn't have to disclose that fact in court. It can
reconstruct the evidence in some other manner once it knows about it,
and then pretend it learned of it that way. This right to lie to the
judge and the defense is corrosive to liberty, and it must end.

Pressure to reform the NSA will probably first come from Europe.
Already, European Union courts have pointed to warrantless NSA
surveillance as a reason to keep Europeans' data out of US hands. Right
now, there is a fragile agreement between the EU and the United States
-- called "Privacy Shield" -- that requires Americans to maintain
certain safeguards for international data flows. NSA surveillance goes
against that, and it's only a matter of time before EU courts start
ruling this way. That'll have significant effects on both government and
corporate surveillance of Europeans and, by extension, the entire world.

Further pressure will come from the increased surveillance coming from
the Internet of Things. When your home, car, and body are awash in
sensors, privacy from both governments and corporations will become
increasingly important. Sooner or later, society will reach a tipping
point where it's all too much. When that happens, we're going to see
significant pushback against surveillance of all kinds. That's when
we'll get new laws that revise all government authorities in this area:
a clean sweep for a new world, one with new norms and new fears.

It's possible that a federal court will rule on Section 702. Although
there have been many lawsuits challenging the legality of what the NSA
is doing and the constitutionality of the 702 program, no court has ever
ruled on those questions. The Bush and Obama administrations
successfully argued that defendants don't have legal standing to sue.
That is, they have no right to sue because they don't know they're being
targeted. If any of the lawsuits can get past that, things might change
dramatically.

Meanwhile, much of this is the responsibility of the tech sector. This
problem exists primarily because Internet companies collect and retain
so much personal data and allow it to be sent across the network with
minimal security. Since the government has abdicated its responsibility
to protect our privacy and security, these companies need to step up:
Minimize data collection. Don't save data longer than absolutely
necessary. Encrypt what has to be saved. Well-designed Internet services
will safeguard users, regardless of government surveillance authority.

For the rest of us concerned about this, it's important not to give up
hope. Everything we do to keep the issue in the public eye -- and not
just when the authority comes up for reauthorization again in 2024 --
hastens the day when we will reaffirm our rights to privacy in the
digital age.
