Having only belatedly caught up on the European Court of Justice’s Safe Harbor decision, I wanted to weigh in on the excellent discussion between Tim Edgar and Peter Margulies over at Lawfare on its significance for surveillance reform (see here, here, here, and here).

I want to start by addressing the scope of Section 702. Both Tim and Peter argue that the provision isn’t as bad as the Europeans seem to think. Tim asserts that European data “has more protections in the US than when it is in the EU” because, unlike in many European countries, “content located inside the U.S. … cannot be collected except by order of the Foreign Intelligence Surveillance Court … [which] imposes detailed oversight and auditing requirements, and has enforced those rules with threats of contempt of court.”

In my view, this gives too much credit to what the FISA Court does in the Section 702 context. Sure, the court issues an annual authorization for surveillance, but that doesn’t even come close to our normal understanding of a court order permitting surveillance. As detailed in this Brennan Center report (which Liza Goitein and I co-authored):

[T]he court has no role in approving individual intrusions at all. Rather, its substantive role is limited to determining whether generic sets of targeting and minimization procedures comply with the statute (which gives little direction as to what is required) and with the Fourth Amendment. The court is not even informed of the specific targets of surveillance or the facilities to be surveilled, let alone asked to approve them. And the court may not review the substance of the government’s certifications, including its certification of a significant foreign intelligence purpose, even for “clear error.”

Critically, both the court’s surveillance order and the detailed oversight and auditing requirements that Tim references are focused on managing the acquisition and retention of US persons’ information. They offer no protection to Europeans. Of course Tim is right that many EU countries do no better, but Section 702 certainly doesn’t set an example for how to treat foreigners’ information.

In a later post, Tim argues that the European Court of Justice is incorrect in characterizing US surveillance law as permitting “access on a generalized basis to the content of electronic communications.” He points out that Section 702 “requires the NSA to identify specific targets through the use of strong selectors, such as telephone numbers or e-mail addresses.” But Section 702 says nothing at all about “strong selectors” — it only identifies the broad foreign intelligence purposes for which foreigners overseas may be targeted. And the NSA uses weaker selectors too, such as cyber threat signatures. The Schrems court is clearly concerned that the definition of foreign intelligence is so broad that it places no real limits on the NSA’s ability to access communications. The concern may even be stronger with respect to Upstream, which scans all Internet traffic flowing through the US. In my view, the European court is therefore correct in describing Section 702 as permitting “access on a generalized basis.”

Peter argues that European complaints that Section 702 allows the US to spy on political activities are unfounded because the statute allows for the collection of information relevant to the conduct of foreign affairs only insofar as that information concerns a foreign power (such as international terrorist groups or foreign governments) or a foreign territory (not defined in the statute). I’m not quite sure how the reference to a “foreign territory” constrains US surveillance operations. The EU report Peter references indicates that in response to European concerns that Section 702 could be used to collect information about political activities, the US simply noted that under the statute as interpreted by the FISA Court, foreign intelligence “includes information gathered with respect to a foreign power or a foreign territory.”

It’s certainly not surprising that EU officials are concerned about spying on political activities. Their own history, as well as ours, amply demonstrates how surveillance powers can be abused.

I think Tim’s proposal to limit the NSA to using Section 702 only for the six criteria identified in PPD-28 — espionage, terrorism, weapons of mass destruction, cyber, threats to US or allied armed forces, and transnational crime — is a start, although these criteria are themselves quite broad. The first criterion, “threats of espionage and other activities directed by foreign powers against the U.S.,” seems to provide sufficient cover for Peter’s concern about trade violations.

But simply narrowing the definition of foreign intelligence in the FISA Amendments Act won’t be enough to satisfy the Europeans, or indeed the Americans whose privacy interests are equally at stake in Section 702 surveillance. Indeed, a regular American court could well conclude that the Fourth Amendment requires jettisoning the entire framework. But focusing for a moment on the issue of protecting foreign persons’ rights, I would suggest considering the following additional constraints:

  • Revive the requirement that surveillance be directed against a foreign power or an agent of a foreign power, which was a cornerstone of the original FISA framework and the case law on foreign intelligence. This would help ensure that 702 programs are limited to foreign governments and dangerous non-state groups, but exclude ordinary people who don’t pose a security threat.
  • Require that foreign intelligence be the primary (or, even better, exclusive) purpose, and likely outcome, of 702 surveillance. This would ensure that narrowing the purposes of collection would not be swallowed by an exception for situations where other purposes were paramount.
  • Enhance the FISA Court’s role in reviewing 702 surveillance programs. For example, by giving it a more robust role in reviewing government certifications and submitting selectors to the court for review.
  • Address European concerns about economic espionage by importing the PPD-28 formula — i.e., require that “foreign private commercial information or trade secrets” may be collected only to protect the national security of the US, its partners, or its allies, and not “to afford a competitive advantage to U.S. companies and U.S. business sectors commercially.”
  • Also borrowed from PPD-28, include an explicit requirement that “[p]rivacy and civil liberties shall be integral considerations” in the identification of selectors, and that selectors shall not be chosen “for the purpose of burdening criticism or dissent, or for disadvantaging persons based on their ethnicity, race, gender, sexual orientation, or religion.”

All of these suggestions would enhance the privacy rights of both foreigners and Americans by limiting somewhat the universe of information that the NSA can access under Section 702 and making clear that certain types of information are off-limits.

More will likely be required to satisfy European concerns, however. Two big ticket items that require further thought are: 1) whether there is any way to improve protections for non-US persons by incorporating requirements for minimizing the retention of information about foreigners; and 2) developing an effective remedy mechanism. Tim has promised a post on the latter, which I look forward to reading.

I’ll end by noting that these suggestions are made from a position of imperfect information about programs that are still mostly secret. They are meant to contribute to a conversation about Section 702 that we urgently need to have — not just to facilitate data flows but also to protect fundamental rights of Americans and foreigners alike.