More than 30 big internet companies including Google, Facebook, Amazon and Microsoft have sent a letter to the chair of the House Judiciary Committee asking for specific reforms to the law used for carrying out mass surveillance.
The letter [PDF] concerns Section 702 of the Foreign Intelligence Surveillance Act, which has to be renewed by Congress before the end of the year and has been the center of a tussle between Congress and the security services.
Over the years, the security services have creatively interpreted the law to allow them to store information on potentially millions of US citizens – despite the law specifically requiring the opposite. They have allowed that vast database to be searched during investigations of possible crimes committed in the United States – again, an interpretation that goes directly against the explicit wording of the law.
Recent pressure by Congress and civil rights groups caused the NSA to announce that it would end the most controversial aspect of its program: the gathering of information “about” a foreign intelligence target – used to scoop up all information from anyone who mentions a person of interest, rather than simply communication to or from that person.
And the first of five very specific requests for reform from Big Internet asks Congress to make that change permanent.
“Reauthorization legislation should codify recent changes made to ‘about’ collection pursuant to NSA’s Upstream program,” the letter reads. “This reform would merely codify changes already embraced by the US government … to correct deficiencies that implicate the constitutional rights of US citizens.”
The second request is related to the first and asks that judicial oversight be required before the government (typically the FBI) queries the vast 702 database for information on US citizens.
Hold onto your hats
Under their mind-boggling interpretation of Section 702, the NSA/FBI claim that searching the database using US citizen identifiers such as name, phone number or email does not break the Fourth Amendment because it does “not result in any new acquisition of data; it is instead only an examination or re-examination of previously acquired information.”
The tech companies – and many in Congress – want that to end. And judicial oversight would require the FBI to get a warrant to do so, which would mean proving that they had evidence to believe an individual has committed a crime.
In other words, the system would be pulled back under existing US laws that everyone had assumed were being used in the first place.
The third requested change is that the definition of “foreign intelligence information” be tightened up to limit what can be gathered by the security services. At the moment, many suspect that the NSA/FBI are using their own definition of the term to effectively encompass anything and everything and then use that to tap the internet’s backbone and store everything they find.
If the definition is tightened, the authorities would likely need to identify individuals and target them, rather than simply scooping up everything. This approach would be more in keeping with the explicit intent of the law.
The tech companies – which also include Cisco, Yahoo, Dropbox and Cloudflare – ask, fourth, for “increased oversight and transparency” of Section 702 data collection, specifically stating that they should be allowed to disclose the number of requests they receive from the authorities as well as be more precise about what those requests encompass. They also want the orders of the court that oversees such requests to be declassified.
And lastly, they ask for greater transparency “around how the communications of US persons that are incidentally collected under Section 702 are searched and used, including how often 702 databases are queried using identifiers that are tied to US persons.” In other words, they want a spotlight shone on how and how often the security services are using what is supposed to be a law covering non-US citizens to spy on US citizens.
It is worth noting that the House Judiciary Committee asked the authorities over a year ago to provide them with an estimate of the number of US citizens whose data is included in the 702 database.
They have stonewalled and continue to stonewall, claiming initially that it was not possible, then that it would be too time-consuming, then promising to come up with a process for figuring out how to do it. In short, the authorities are trying to run out the clock on the request and many people suspect it’s because if the true number of US citizens whose personal information has been seized and stored was released, it would completely undermine law enforcement’s position and could even see the end of Section 702.
It’s not clear what impact the letter will have on the congressional review of the spying power, but it might serve to strengthen the back of the House Judiciary Committee and its chair Bob Goodlatte after the NSA clearly tried to undercut criticisms by saying it would end the “about” collection of information.
The reality is that the measure must be reapproved by Congress so the politicians have all the power they need to make changes to the law and curb years of blatant abuse of the system. The question is: how far are they willing to push back against the security services?
By listing five clear points, the tech companies – who are often the recipients of data requests – have made it easier to put a scorecard on that Congressional effort.
It is however worth noting the companies that have not signed the letter. Notably that includes Apple, which for unclear reasons continues to do its own thing when it comes to security. There are also no security companies on the list and no chip companies. Critically, there are no telcos – as they are perhaps the biggest sources of data for law enforcement and are known to give the NSA direct access to their raw traffic.
Clearly this is a fight some are unwilling to join, even with Congress seemingly onside. ®