Federal oversight agency punts on international human rights, while findings the programs lawful and constitutional

The President’s Privacy and Civil Liberties Oversight Board (“PCLOB”) has voted to unanimously approve its “Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act.” Though surprisingly detailed in scope, the report fails to provide any analysis on potential legislative reforms for Section 702. Further, and more egregiously, the report is also silent on the need for additional privacy protections for individuals around the world who are subject to the NSA’s massive surveillance machine.

Section 702, so-called in reference to a specific provision of the FISA Amendments Act of 2008, provides authority for surveillance targeting non-U.S. persons located outside of the United States, when the collection occurs within the United States. The report examines two surveillance programs and finds them both constitutional, though just barely, and within the boundaries of Section 702. The Board bases this analysis on a “totality of the circumstances” test which includes not only the statutory requirements of the program, but also voluntary and court-mandated restrictions on retention and use of collected data.

The report includes ten recommendations, on topics from oversight to transparency to efficacy, intended to “strengthen the privacy safeguards and to address” specific concerns related to the rights of U.S. persons.

However, on the topic of non-U.S. persons, who are the users primarily impacted by Section 702 surveillance programs, the Board is mostly silent: “[T]he treatment of non-U.S. persons in U.S. surveillance programs raises important but difficult legal and policy questions…the Board has concluded that it can make its most productive contribution in assessing these issues in the context of [a future review process].” This silence represents a failure to consider basic protections for people around the world who are the ultimate targets of the U.S.’s overreaching surveillance programs.

Background on Section 702

Section 702 became law in 2008 when Congress passed the FISA Amendments Act of 2008 (“FAA”). The FAA replaced the Protect America Act from the previous year, which codified and expanded the warrantless wiretapping program conducted under then-President George W. Bush.

We now know that there are two primary collection programs that the National Security Agency operates under Section 702 – Prism, detailed in documents obtained by Edward Snowden and revealed by theWashington Post and the Guardian in the first wave of NSA surveillance stories in June 2013, and another program known only as the “Upstream” program. Under Prism, the NSA requests user information, via court order, directly from private companies. The “Upstream” program allows the NSA to ingest communications off the backbone of the internet by tapping into the cables that connect users to one another.

While it was initially believed that the NSA could obtain only communications to or from a person under Section 702, revelations have also demonstrated that the NSA often obtains, under the Upstream program, communications “about” that person (though it is unclear how “person” is defined). However, the agencies cannot perform queries of this information “about” a U.S. person. By contrast, information obtained via Prism includes what is known as the “backdoor search loophole” – a term that refers to the practice of using U.S. person identifiers to perform searches through already-collected information. A recent letter in response to a question posed by Ron Wyden at a congressional hearing provided information on instances when these searches has occurred.

Legislative reform proposals in the U.S. Congress have largely not touched upon Section 702, instead focusing on reforms of other surveillance authorities. By exception, last month an amendment offered by Representatives Thomas Massie, Zoe Lofgren, and James Sensenbrenner to remove the “backdoor search loophole” was attached to the Defense Authorization Act for 2015 and passed the House of Representatives overwhelmingly. A similar provision has not yet been introduced in the Senate.

The good

The silver lining of the report is the incredible breadth of detail it provides on the operation and oversight of the Section 702 surveillance programs. The report dedicates over 60 pages to explaining, in great detail, the statutory structure, administrative guidelines, and oversight procedures.  During the public meeting to vote on the issuance of the report, one Board member explained that the Report includes 100 previously classified facts about Section 702 surveillance.

The bad

While the PCLOB report includes an analysis of Section 702 from both a legal and a policy perspective, in each case the Board found that both Prism and the Upstream program (as operated) were lawful and constitutional. In finding the programs constitutional, the Board explained:

“Any Fourth Amendment assessment of the Section 702 program must take into account the cumulative privacy intrusions and risks of all four categories above, together with the limits and protections built into the program that mitigate them.”

The Board found that “certain aspects of the Section 702 program push the entire program close to the line of constitutional reasonableness,” though ultimately that it fell within the bounds of constitutionality.

Based on these findings, the Report details ten recommendations (included in full below), falling in to six categories: targeting/tasking, U.S. person queries, the role of the FISA Court, upstream and “about” collection, transparency and accountability, and efficacy (Annexes to the Report included two additional statements, each by two members of the Board, offering further thoughts and clarifications on the Report’s findings and recommendations). The recommendations offer only potential policy changes, and do not include any guidance on legislative reform. On this matter, the Board appeared to defer fully to the “public debate” on the passage of the FAA, though it fails to mention that during that time neither the Upstream program nor “about” collection were publicly discussed or anticipated.

Here, the Board had an opportunity to really dig into a piece of legislation that was controversial when it was passed and remains so to this day. Instead, they ignore the chance to offer meaningful feedback and suggestions on codification of much-needed privacy protections in favor of weak requests for more unilateral oversight and administrative safeguards, which can be both added and removed without Congressional action or public debate.

One of the many changes the Board could have recommended (and that Access would endorse) is a limitation in Section 702 that would limit the collection or use of information exclusively to counterterrorism or limited foreign intelligence purposes. Such a limitation would have been especially salient considering that the Report focuses largely on the usefulness of information collected under Section 702 to detect and disrupt terrorist plots as a primary justification for its existence. However, the Board not only fails to request common sense limits on data collection under Section 702, but instead actually sanctions the use of the data for broad foreign intelligence purposes as well as for some domestic criminal matters (though two board members, David Medine and Judge Patricia Wald ask for judicial approval for some criminal searches using U.S. person identifiers).

The ugly

Perhaps the biggest failing of the PCLOB report is its silence on the issue of rights for non-US Persons. The Report ratifies the notion that privacy is a human right, citing to the International Covenant on Civil and Political Rights (“ICCPR”), “an international treaty ratified by the U.S. Senate.” The ICCPR declares, “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.” While the UN Human Rights Committee, not to mention the majority of the world, has interpreted the rights ascribed in the ICCPR to have extraterritorial application, the U.S. has held to the outdated notion that it only applies within a country’s borders.

Rather than explore the impact of the Section 702 surveillance programs on international users’ rights, particularly those under the ICCPR, the PCLOB report explained the Board would hold off on the issue until they issued their response to Presidential Policy Directive 28 (“PPD-28”). The Directive, released earlier this year, asks PCLOB to contribute to an assessment of how to extend protections granted to U.S. persons under surveillance laws to non-U.S. persons. The Report explains, “the Board has concluded that it can make its most productive contribution in assessing [issues involving the rights of non-U.S. persons] in the context of the PPD-28 review process.”

As such, the 10 recommendations include very few means by which the rights of non-U.S. persons can be increased or preserved under Section 702 surveillance programs. In remarks made at the Report’s presentation, Board Member Elisebeth Collins Cook explained that certain recommendations were “designed to prevent the Section 702 program from transforming over time from a foreign intelligence program to a means of effectively surveilling U.S. persons.”

In a speech in January of this year, President Obama expressed, “people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security.” PCLOB’s failure to provide any analysis on the disproportionate impact on Section 702 surveillance on those outside of the United States is disappointing at best, and irresponsible at worst. The same dangers posed by surveillance to those inside the United States are not diminished based on geography, and are potentially even greater considering the possibility that the U.S. government could share un-minimized surveillance information with other countries who may have fewer human rights protections.

Overall, the report offers a good explainer on surveillance conducted under Section 702 for those who are not well-versed on U.S. foreign intelligence surveillance laws and practices. For those who have more expertise, it offers additional facts, newly declassified, to help explain the scope and extent of surveillance activities.

However, the Report leaves much to be desired in the scope of its analysis and recommendations, including the lack of information on the impact of Section 702 on non-U.S. persons, who are primarily impacted by the law. Further, by concentrating on the programs as they are currently implemented, the Report fails to offer guidance on legislative reforms for the statutory text of Section 702 that could offer additional, legally binding protections for individuals. Access calls upon Congress to enact meaningful legislative reform of Section 702, as well as other laws and authorities for collecting large amounts of private and personal information about individuals around the world.