Spies Without Borders III

This is the third article of our Spies Without Borders series. It has been co-authored by Tamir Israel, Staff Lawyer at CIPPIC,  Katitza Rodriguez, EFF International Rights Director and Mark Rumold, EFF Staff Attorney.  The Spies Without Borders series are looking into how the information disclosed in the NSA leaks affect Internet users around the world whose private information is stored in U.S. servers, or whose data travels across U.S. networks. This article has been crossposted on the website of OpenMedia.ca.

Introduction

In our previous post, we examined how FISA arose from a historical backlash against the excessive use of foreign intelligence powers to surveil the activities of U.S. persons. We examined how two of FISA’s controversial powers, the business records power (section 215 of the USA PATRIOT Act, codified as 50 USC §1861) and the general acquisition power (section 702 of FISA, codified as 50 USC §1881a) and how their internal safeguards are primarily designed to limit protection to U.S. persons from being excessively spied upon. Now, we will examine what protections, if any, FISA offers to Internet users around the world whose private information is stored in U.S. servers, or whose data travels across U.S. networks. 

In brief, these safeguards are few and to make matters worse, FISA’s powers are interpreted secretly and generally isolated from any form of effective adversarial review. This makes it unlikely that Internet users outside the United States will even have the opportunity to take advantage of the few protections it offers. All this has led Privacy Researcher, Caspar Bowden, to go so far as to conclude that U.S. foreign intelligence powers “offer[] zero protection to foreigners’ data in U.S. Clouds.”

Secret Courts and Lack of Standing: Will FISA ever face adversarial review?

While FISA provides a secret court, the Foreign Intelligence Surveillance Court (“FISC”), with authority to review some aspects of the government’s surveillance, this role is greatly circumscribed.

FISC and the acquisition power (section 702 of FISA, codified as 50 USC §1881a)

With respect to the acquisition power, FISC’s authority is limited to substantively reviewing the minimization and targeting criteria (designed primarily to limit exposure of U.S. persons). Even in this regard, its review is ex parte, and the approved procedures are never made public.

FISA then obligates FISC to approve a government request, as long as the minimization and targeting criteria are consistent with FISA requirements and the Fourth Amendment (§1881a (i)(3)(A)) and the Government has self-certified that a “significant purpose of the acquisition is to obtain foreign intelligence information” (§1881a (g)(2)(A)(vi). This does not appear to leave FISC with much authority to reject excessively broad surveillance orders targeting Internet users around the world whose private information is stored in U.S. servers, or whose data travels across U.S. networks.

FISC and the business records powers (section 215 of the USA PATRIOT Act, codified as 50 USC §1861)

The business records power, in theory, grants the FISC judge somewhat more discretion to reject a government application than the acquisition power. Rather than simply accept government assertions, the judge must, with respect to applications investigating non-U.S. persons, find that the government's factual showing provides "reasonable grounds to believe" that the "tangible things" sought are "relevant" to an authorized investigation for foreign intelligence information or to protect against international terrorism or covert intelligence activities. If investigating U.S. persons, the judge must also be convinced that the investigation is not based "solely" on First Amendment activities such as speech or association. But both "reasonable grounds" and "relevance" are weak standards. Even worse, the judge must "presume" relevance in some cases, such as when the facts pertain to a foreign power or agent of a foreign power.

FiSC: Asserting a legal challenge appears dim

Additionally, it is notable that even asserting a legal challenge may be difficult as, before permitting a person to substantively challenge FISA, U.S. courts have required a significant degree of proof that the specific person’s communications have been surveiled as a pre-cursor to allowing a substantive challenge. All in all, the prospect of a rigorous, adversarial challenge to the application of these provisions to Internet users abroad appears dim. And even if such a challenge could be mounted, judicial review in this context can be characterized as “de facto an arbitrary approval.” It is perhaps not surprising, then, that of the 33,900 surveillance requests the U.S. government has submitted to FISC in its 33 years of operation, only 11 have been declined.

Fourth Amendment and Foreign Intelligence: Substantive Safeguards that Protect Little

The key substantive impediments to any order that effectively limits exposure of U.S.-persons is the need for a foreign intelligence objective to be engaged, and respect for the Fourth Amendment.

Under FISA, neither the business records power nor the general acquisition power can be employed in the absence of a foreign intelligence objective. However, this requirement is so weak as to offer little protection.

Frank La Rue, a U.N. Special Rapporteur, recently pointed out that:

“Vague and unspecified notions of ‘national security’ have become an acceptable justification for the interception of and access to communications in many countries.”

FISA is no different. FISA defines the term “foreign intelligence” quite broadly to include any information relating to (but, when applied to non-U.S. persons, not necessary for) the ability of the United States to protect against actual or potential attacks, terrorism or clandestine intelligence activities (§1801 (e)). It additionally includes information with respect to a foreign power or territory that relates to (but, again, is not necessary for) the conduct of foreign affairs – an extremely vague concept in itself.

The Government can issue an order under the general acquisition power (§1881a) as long as FISC is convinced that a “significant purpose” of the proposed surveillance is to acquire foreign intelligence. This potentially opens the door to more far reaching investigations, as foreign intelligence need not be the primary purpose of the investigation. Additionally, the business records power can only be used  to seek records that are “relevant” to an “authorized investigation” conducted in order to “obtain” foreign intelligence. ‘Relevancy’, it should be noted, does not apply very stringent restrictions in terms of ensuring that the information sought is likely to contribute to the ultimate objective of obtaining foreign intelligence. This only exacerbates the loose definition of ‘foreign intelligence’, which in itself only requires information of Internet users abroad obtained to be generally relevant to national security activities.

In short, when directed at Internet users abroad, FISA combines a broad definition of foreign intelligence, with a minimal requirement for there to be a nexus between the use of its extra-ordinary powers and the possibility that this use will yield information necessary for the protection of the country.

Constitutional protections to Internet users abroad

As to Constitutional protections, it is not at all clear that the Fourth Amendment even applies to Internet users abroad based outside the United States, nor is it clear whether other statutory protections designed to protect the private communications and data of U.S. persons, such as the Wiretap Act and the Stored Communications Act, can be relied upon extra-territorially. Even assuming Internet users abroad can claim protection under the Fourth Amendment at all, this protection is likely to be highly attenuated and does not appear to include the need for individualized suspicion, meaning Internet users abroad can rely on few constitutional checks to mass surveillance.

Limited and Secret Congressional Oversight is Not Reassuring

Nor is Congressional oversight a reassuring safeguard. While it is notable that of the few senators tasked with overseeing FISA (and, hence, of the few who have historically had knowledge of NSA activities under FISA), a number have publicly stated concerns over the immense scope and nature of the NSA’s surveillance. Senators Ron Wyden and Mark Udall have, for example, made voiced numerous public warnings in past years about the governments “secret legal interpretations” of the act. Regardless, Congressional oversight is limited because of the executive branch's strict secrecy rules, which prevent an informed public debate on FISA powers.

In this regard, it is worth noting that while the recent leaks have helped to expose facets of the U.S. governments’ foreign intelligence activities, a complete picture of NSA electronic surveillance activities is still forming. In fact, following a briefing on these matters conducted in response to the public outcry that followed last week’s revelations, one congresswoman ominously noted that what has been leaked today is only the “tip of the iceberg” in terms of the scope and parameters of NSA surveillance.

Following the leaks, Congress may be ready to more closely scrutinize current foreign intelligence surveillance activities. If the Church Committee serves as a historical precedent, this examination may, in fact, lead to more safeguards. However, given the historical development of FISA as a foreign intelligence power, Internet users abroad may not want to hold their breath!

Next in our Spies Without Borders series, we will examine what implications the Government’s use of these FISA powers has for Internet users abroadwith an eye to other jurisdictions and the requirements of international law.