As we detailed yesterday, a bill introduced this week by Sens. Ron Wyden and Rand Paul would represent the most comprehensive reform so far of Section 702, the law that authorizes the government to engage in mass warrantless surveillance of the Internet. EFF supports the bill, known as the USA Rights Act, because it closes the backdoor search loophole and addresses other glaring problems with Section 702.
But the bill also makes changes to lesser-known provisions of Section 702. One of these amendments raises it own questions about how the government has been enlisting private companies to provide access to our communications, including whether it has required circumvention of encryption as in the recent fight between Apple and the FBI. It may well also call into question the response EFF received from the government in FOIA litigation seeking records to determine whether such a case exists.
Section 14 of the USA Rights Act restricts when the government can demand that a email or other electronic communications service provider render “technical assistance” to facilitate the government’s mass spying. The bill would require the government to show that providing such assistance would not be burdensome and also obtain an order from the Foreign Intelligence Surveillance Court (FISC) first.
In a letter to EFF, the government wrote that it determined “that there were no cases brought before the Foreign Intelligence Surveillance Court (FISC) that would have resulted in responsive orders or opinions of the FISC.”
Under current law, government officials can require that providers give “all information, facilities, or assistance necessary” to the acquisition of targeted communications by simply telling them to do so. Under this regime, providers must comply or challenge the request before the FISC if the technical assistance the government wants is unreasonably burdensome or worse.
EFF is not aware of an instance in which the FISC has compelled a company to provide technical help, such as decrypting communications, to assist the government in its spying efforts under Section 702.
But the FISC operates in almost total secrecy, so those of us without security clearances ordinarily wouldn’t hear about it. We’ve long been concerned about this possibility. In 2016 we filed a Freedom of Information Act (FOIA) lawsuit seeking any FISC orders or other documents that would show that the government was demanding that companies provide take steps similar to the FBI’s efforts to force apple to decrypt one of its iPhones in the San Bernardino case.
In our FOIA case, the government has consistently said that the FISC has not issued any orders or opinions requiring that companies provide technical assistance. After we filed suit, the government agreed to conduct a second, more thorough search for those types of FISC orders. In a letter to EFF, the government wrote that it determined “that there were no cases brought before the Foreign Intelligence Surveillance Court (FISC) that would have resulted in responsive orders or opinions of the FISC.”
But the fact that the USA Rights Act specifically restricts the government’s ability to demand technical assistance from service providers is concerning precisely because it suggests the government may have done so in the past or will do so in the future. Others have similarly speculated that Senator Wyden, who often raises public concerns about the government’s spying activities via necessarily cryptic letters or public statements, is using the bill to raise alarms about this issue.
To be clear, we do not have reason to believe that the government misled EFF when it represented that the FISC had never issued any technical assistance orders. Because the statute presently allows the government to demand technical assistance without getting a court order and puts the burden on providers to challenge those demands, it’s possible that the secret surveillance court has never had the opportunity to deal with the issue. Thus, there may be no orders that would have come up in a search for records in response to our FOIA.
That said, the USA Rights Act’s provision does highlight the possibility that the government uses its surveillance authority to require companies to modify their services or otherwise assist with its mass surveillance efforts. It also underscores how little we know about how the government uses Section 702 as a practical matter, which is a problem in and of itself.