nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

OK, it's time to talk mass spying again: America's Section 702 powers are up for renewal

And tech groups are starting the fightback now

By Kieren McCarthy, 15 Feb 2017

Analysis While the entire US political machinery has been caught up with one Trump-based scandal after another over the past three weeks, larger underlying issues are starting to re-emerge. And top of the list is mass surveillance.

Section 702 of America's Foreign Intelligence Surveillance Act (FISA) expires at the end of the year – December 31, 2017. As such, it will need to be actively renewed by Congress. And the drumbeat has begun on getting Congress to have a full, public debate on the measure before it authorizes any extension.

Just this week, the American Civil Liberties Union (ACLU) called on tech companies to start pushing for reform as it fought a critical legal battle in Ireland over the legality of data sharing between Europe and the United States.

On Wednesday, a number of tech industry groups, including the Computer & Communications Industry Association (CCIA), Consumer Technology Association (CTA), Information Technology Industry Council (ITI) and Internet Association, sent a letter [PDF] to the heads of four key congressional committees asking for "an open debate around the reauthorization of Section 702."

And legal commentators have started writing up their thoughts on what needs to change to stop widespread abuse of the law. Or, as the tech groups argued, "includes meaningful safeguards for internet users' privacy and civil liberties, measures to ensure transparency and accountability, and a commitment to continued Congressional oversight."

Quick primer

So, what is Section 702 and why is it important?

When Edward Snowden exposed the depth and breadth of mass surveillance being carried out in secret by the US government, much of the subsequent attention revolved around Section 215 of the Patriot Act, which had been interpreted to allow for bulk collection of Americans' phone records.

The reason for that focus was that while Section 215 was being used to gather Americans' records, Section 702 of a different act was, according to the US authorities, never used to gather information on Americans.

In fact the first limitation in Section 702 is that it cannot be used to "intentionally target any person known at the time of acquisition to be located in the United States."

Unfortunately, as Snowden documents and subsequent investigations made clear, the National Security Agency (NSA) had chosen to creatively interpret what seem like crystal clear rules to achieve the exact opposite of their intention. (It still claims [PDF] not to be doing what it is doing.)

The reality is that Section 702 has been used to create a vast database of information on millions of US citizens that is used every day by law enforcement to research even the smallest of crimes.

How did we get from a law specifically written to only target foreigners when they were outside the United States and only when it would result in "foreign intelligence information," to a reality where an FBI agent can search the private emails of a US citizen who has never left the United States on suspicion of car theft? Here's how:

  • The term "foreign intelligence information" was first interpreted so broadly as to cover any and all information with any relevance to the United States.
  • The NSA then decided that such information flows into and out of the United States all the time, thanks to servers hosted by US email providers, and so it should have access to all of that information – leading to the infamous PRISM program where email, chats, text messages and videos were pulled from Google, Facebook, Microsoft, Yahoo! and Apple and stored in a giant database.
  • Any information from US citizens captured during this process is termed "incidental" by the NSA, which continues to pretend that the information gathered is no more than an accidental by-product of its legitimate search. It does not, however, delete that information.
  • Other information on US citizens that really is captured by accident is called "inadvertent" collection. It is also retained.
  • Critically, the NSA decided that the law only prevented it from capturing information on people that it actively knew to be US citizens. And as a result, it decided it could presume that everyone it gathered information on was a foreigner based overseas unless it had information to the contrary. So even though it was tapping the servers of US companies based in the United States, it allowed itself to believe that it was capturing the information of foreigners from outside the country.
  • The NSA also decided that it was entitled to keep all this information it gathered in a database and the law would only apply to how it searched that database.
  • Then the NSA decided that so long as it used search terms that gave it "51 per cent confidence" that the results would bring up information on a foreigner, it could access the database however it wished.
  • In 2001 – after the terrorist attacks in New York City and Washington DC – the NSA then persuaded the Foreign Intelligence Surveillance Court that it should be allowed to search using the personal identifiers of US citizens, ie, their telephone numbers or email addresses. This was despite the fact that the law had previously specifically prohibited this sort of "reverse targeting."
  • Following a recommendation from the 9/11 Commission that "the wall" between security services be removed to allow for greater sharing of intelligence, the FBI was granted access to the vast database.
  • Under its guidelines for accessing the data, the FBI is allowed to search the database to investigate any federal crime and agents are in fact encouraged to do so.

Changes coming down the line

So, what changes do people wish to see to Section 702 before it is reauthorized at the end of the year?

At this stage, few want to put down specific measures – the tech groups, as mentioned, have asked for "meaningful safeguards for internet users' privacy and civil liberties, measures to ensure transparency and accountability, and a commitment to continued congressional oversight."

Legal analysts were to make sure that the "backdoor search loophole" – where the FBI ends up being able to access confidential information through the careful building up of extreme interpretations of the law – is permanently closed off, probably by adding specific prohibitions on the use of Section 702 data for domestic investigations.

As for lawmakers, back in May of last year, the Senate's Judiciary Committee held a hearing titled "Oversight and reauthorization of the FISA Amendments Act: the balance between national security, privacy and civil liberties." During that hearing, several senators promised to add in privacy protections before reauthorizing, although they remained vague over what they would be.

For its part, the House Judiciary Committee sent a letter in April last year to director of national intelligence (DNI) James Clapper asking him exactly how many US citizens' data had been gathered through Section 702.

Delay

Six months later, the DNI published a document [PDF] called "The Implementation Plan for the Principles of Intelligence Transparency," which talked about principles for the release of information but supplied no actual information.

That prompted a letter [PDF] from over 30 civil rights organizations asking again for a clear statement of the number of US citizens affected. There still hasn't been a response.

It is an absolute certainty that the security services will provide the absolute minimum amount of information, and attempt to delay any efforts to gather facts about the use of Section 702, in the reasonable expectation that Congress will simply vote to reauthorize the law when it comes to the crunch.

However, the fact remains that through careful and wildly liberal interpretations of that law, the NSA, FBI and others have managed to subvert the very clear intent of the law to build a vast database of information on US citizens that should be illegal.

Since Congress is the only organization with sufficient leverage to force change and since the law is typically renewed for a five-year period, it means that the next time it will be possible to limit the mass surveillance of US citizens will be at the end of 2022.

For this reason alone, it is vital that vigorous public debate over Section 702 – what it is intended to achieve and how to prevent future abuses of the law – happen as soon as possible. ®

Sign up to our Newsletter

Get IT in your inbox daily

The Register - Independent news and views for the tech sector. Part of Situation Publishing