President’s Review Board Says: Protect Thy Neighbor’s Privacy

[Editor’s Note: Just Security is holding a “mini forum” on the Report by the President’s Review Group on Intelligence and Communications Technologies. Others in the series include a post by Marty Lederman analyzing the Report’s highlights, a post by Julian Sanchez examining the scope of the NSA’s section 702 program, a post by David Cole and Marty Lederman analyzing how metadata is used under section 215, a post by Ryan Goodman discussing the effectiveness of the section 215 metadata program, and a follow-up post by Jennifer Granick, subsequent to the one below, examining the implications for non-US persons.]

 

Today’s report from the President’s Review Group on Intelligence and Communications Technologies–“Liberty And Security In A Changing World”—is impressive in a number of ways.  Importantly, it pushes consideration of the privacy and civil liberties rights of non-U.S. persons into the policy debate.  In particular, the Board suggests–among other recommendations–that surveillance of foreigners:

  • must be directed exclusively at protecting national security interests of the United States or our allies;
  • must not target any non-United States person based solely on that person’s political views or religious convictions; and
  • must not disseminate information about non-United States persons if the information is not relevant to protecting the national security of the United States or our allies.

Old-school national security wonks commonly express disdain for the idea that the U.S. should respect the rights of non-citizens.  And until today, even valuable proposals to reform FISA have not hit hard enough at overseas collection and mass surveillance of foreigners.

This omission is short sighted. Foreigners’ privacy is essential to American interests. We’ve learned that National Security Agency (NSA) practices which purportedly target foreigners nevertheless directly harm Americans’ privacy.  This is because, as the Review Board says, “traditional distinctions between ‘foreign’ and ‘domestic’ are far less clear … than in the past, now that the same communications devices, software, and networks are used globally by friends and foes alike.”

One example of this phenomenon is collection under section 702 of the FISA Amendments Act, which “incidentally” acquires untold numbers of Americans’ one-end foreign communications. The statute allows warrantless collection of Americans’ one end foreign communications that are to, from, or about the target. And, the PRISM/section 702 program is only designed to ensure 51% confidence in the target’s foreignness. Since the program acquired 250 million communication transactions in a single year, statistically, hundreds of millions of those communications could belong to U.S. persons. Once collected, the NSA uses American identifiers to warrantlessly search its databases for incidentally collected U.S. person communications, a practice Senator Ron Wyden (D-OR) has dubbed “back door searches.” Also, the collection technology NSA uses “inadvertently” grabs tens of thousands of off-limits purely domestic messages. With all this in mind, the Review Group’s conclusion that section 702 “does not adequately protect the legitimate privacy interests of United States persons when their communications are incidentally acquired …” is most certainly true.

Overseas collection suffers from the same kind of failure.  The NSA gathers hundreds of millions of address books and contact lists from people around the world, including some Americans. NSA access to unencrypted information flowing between Google and Microsoft data centers puts the agency in a position to collect information from hundreds of millions of user accounts, including those belonging to Americans, at will.

Thus, Americans’ privacy rights rise and fall with those of foreigners, and far more foreigners than ever before are subject to NSA surveillance.  That is because in the original version of FISA, individuals could only be targeted if they were “agents of foreign powers.” But the 2008 FISA Amendment Act did away with that limitation. Thus, FISA as it now stands authorizes warrantless surveillance of any non-U.S. individual reasonably believed to be located abroad, allowing for the interception of the most private kind of information so long as it “relates to” U.S. foreign affairs. It’s disturbing that NSA targets can include regular people, not just those who are agents of foreign powers, that the surveillance purpose is not limited to national security, and that, while analysts provide their foreign intelligence purpose when selecting the target, the rationale is just one short sentence.

A Christopher Sprigman and I said back in June, unfettered surveillance of foreigners is bad for U.S. business and a blow to free expression and democracy movements around the world. Without question, the role of Internet firms, especially those based in America, is a net plus for democracy abroad. Yet, unfettered spying has driven the EU to call for localization of services, which plays right into the hands of nations who want more control over the Internet within their own borders in order to censor, spy on, and control their citizens.

For these reasons, the Review Board’s recommendations on protecting the civil liberties of non-US persons—a relatively new aspect of the policy discussion—is incredibly welcome. 

About the Author(s)

Jennifer Granick

Surveillance and Cybersecurity Counsel at the ACLU's Project on Speech, Privacy and Technology Follow her on Twitter (@granick).