Authors: Bruce Schneier
Section 215 of the PATRIOT Act was never intended to authorize mass surveillance,
and strong arguments can be made that the act’s language doesn’t allow it. The idea
was that the FBI would be able to get information “relevant to an authorized [national
security] investigation”—that is, about a specific subject of investigation—from a
wider set of sources than it could previously. The example the administration talked
about was information about what books a suspect checked out of the library; maybe
he was reading The Anarchist’s Cookbook or something. In fact, when the bill was being debated, it was known as the “library
provision.” It only empowered the FBI to demand information that it could have obtained
with a grand jury subpoena—all metadata, no content—but it allowed it to do
this without having to convene a grand jury. That made sense; there aren’t really
grand juries in national security investigations.
However, after the PATRIOT Act was passed in 2001, the Department of Justice’s national
security lawyers combed through the law looking for loopholes. Even though the law
was intended to facilitate targeted surveillance, they decided it could be stretched
to authorize mass surveillance. Even though it only empowered the FBI, they decided
that the FBI could demand that information be sent to the NSA. At first they did this
without any court approval at all. Eventually they decided to argue their case in
front of the secret FISA Court. Because there was no one arguing the opposing position,
they were able to convince a judge that everything was “relevant” to an investigation. This was a new interpretation of the word “relevant,”
and one that doesn’t even pass the sniff test. If “relevant” doesn’t restrict collection
because everything is relevant, then why was the limitation put into the law in the
first place? Even Congressman Jim Sensenbrenner, the person who wrote the USA PATRIOT
Act, was surprised when he learned that the NSA used it as a legal justification for
collecting mass-surveillance data on Americans. “It’s like scooping up the entire
ocean to guarantee you catch a fish,” he said.
Section 702 of the FISA Amendments Act was a little different. The provision was supposed
to solve a very specific problem. Administration officials would draw diagrams: a
terrorist in Saudi Arabia was talking to a terrorist in Cuba, and the data was flowing
through the US, but the NSA had to eavesdrop outside of the US. This was inefficient,
it argued, and Section 702 allowed it to grab that conversation from taps inside the
US.
Again, there’s nothing in Section 702 that authorizes mass surveillance. The NSA justifies
the use by abusing the word “incidental.” Everything is intercepted, both metadata
and content, and automatically searched for items of interest. The NSA claims that
only the things it wants to save count as searching. Everything else is incidental,
and as long as its intended “target” is outside the US, it’s all okay. A useful analogy
would be allowing police officers to search every house in the city without any probable
cause or warrant, looking for a guy who normally lives in Bulgaria. They would save
evidence of any crimes they happened to find, and then argue that none of the other
searches counted because they hadn’t found anything, and what they found was admissible
as evidence because it was “incidental” to
the search for the Bulgarian. The Fourth Amendment specifically prohibits that sort
of search as unreasonable, and for good reason.
My guess is that by the time the FISA Amendments Act came around in 2008, the NSA
knew what it was doing and deliberately wordsmithed the bill to allow for its preferred
interpretation. Its leadership might have even briefed the Senate and House intelligence
committees on how it was going to interpret that language. But they certainly didn’t
brief all of Congress, and they never told the American people.
I believe that much of this will eventually be found to be unconstitutional. The Fourth
Amendment protects not only against unreasonable searches but also against unreasonable
seizures. I argued in Chapter 10 that computer searches are searches. The mere act
of obtaining a copy of the data in bulk from companies like Verizon is an illegal
seizure as well.
The problem is that all three branches of government have abrogated their responsibilities
for oversight. The normal democratic process of taking a law, turning it into rules,
and then turning those rules into procedures is open to interpretation every step
of the way, and therefore requires oversight every step of the way. Without it, agencies
abuse their power. We saw this in the 1970s, when the FBI and NSA illegally spied
on Americans under projects SHAMROCK and MINARET, as well as under an unnamed program
that was part of the war on drugs. And we’re seeing it again today.
Lest you think this is solely a US phenomenon, the same thing happened in the UK in
2000 around the passage of the Regulation of Investigatory Powers Act. Section 16(3),
largely unnoticed when the bill was debated, has been used by GCHQ to spy on British
citizens. It was intentionally drafted that way, with some members of Parliament in on it
and stubbornly defending the obscure and convoluted language that didn’t actually
legalize mass surveillance but nonetheless ended up being used to justify it. I believe
the idea for FAA Section 702 came from RIPA Section 16(3).
In 2013, President Obama tried to reassure Americans that NSA surveillance programs
are reviewed and approved by all three branches of government. His statement was deeply
misleading. Before Snowden, the full range of government surveillance activity was
known by only a few members of the executive branch, partially disclosed to a few
senior members of the legislative branch, and approved by a single judge on the FISA
Court—a court that rejected a mere 11 out of 34,000 warrant requests between
its formation in 1979 and 2013. That’s not real oversight. However, to be fair, it’s
much more oversight than you’ll find in other countries, including European democracies
like France, Germany, and the UK.
Some members of Congress are trying to impose limits on the NSA, and some of their
proposals have real teeth and might make a difference. Even so, I don’t have any hope
of meaningful congressional reform right now, because all of the proposals focus on
specific programs and authorities: the telephone metadata collection program under
Section 215, bulk records collection under Section 702, and so on. It’s a piecemeal
approach that can’t work. We are now beyond the stage where simple legal interventions
can make a difference. There’s just too much secrecy, and too much shifting of programs
amongst different legal justifications. When companies refuse National Security Letters,
the government comes back with a Section 215 order. And the NSA has repeatedly threatened
that if Congress limits its authority under Sections 215 and 702, it will shift curtailed
programs to the more permissive, less regulated, and more secret EO 12333 authority.
There are other attempts at oversight. The president’s 2013 NSA review group had broad
access to the agency’s capabilities and activities. They produced an excellent report
outlining 46 policy recommendations, and President Obama agreed to implement many
of them. The key question now is whether he will do so. In 2004, Congress created
the Privacy and Civil Liberties Oversight Board on the recommendation of the 9/11
Commission to oversee national security issues. It was mostly unstaffed and unfunded
until 2012, and has limited powers. (The group’s 2014 report only discussed NSA collection
under Section 702. It was widely panned as inadequate.)
More members of Congress must commit to meaningful NSA reform. We need comprehensive
strategic oversight by independent government agencies, based on full transparency.
We need meaningful rules for minimizing data gathered and stored about Americans,
rules that require the NSA to delete data to which it should not have access. In the
1970s, the Church Committee investigated intelligence gathering by the NSA, CIA, and
FBI. It was able to reform these agencies only after extensive research and discovery.
We need a similar committee now. We need to convince President Obama to adopt the
recommendations of his own NSA review group.
And we need to give the Privacy and Civil Liberties Oversight Board real investigative
powers.
Those recommendations all pertain to strategic oversight of mass surveillance. Next,
let’s consider tactical oversight. One primary mechanism for tactical oversight of
government surveillance is the warrant process. Contrary to what many government officials
argue, warrants do not harm security. They are a security mechanism, designed to protect
us from government overreach.
Secret warrants don’t work nearly as well. The judges who oversee NSA actions are
from the secret FISA Court. Compared with a traditional court, the FISA Court has
a much lower standard of evidence before it issues a warrant. Its cases are secret,
its rulings are secret, and no one from the other side ever presents in front of it.
Given how unbalanced the process is, it’s amazing that the FISA Court has shown
as much backbone as it has in standing up to the NSA (despite almost never rejecting
a warrant request).
Some surveillance orders bypass this process entirely. We know, for example, that
US Cellular received only two judicially approved wiretap orders in 2012—and another
10,801 subpoenas for the same types of information without any judicial oversight
whatsoever. All of this needs to be fixed.
Start with the FISA Court. It should be much more public. The FISA Court’s chief judge
should become a position that requires Senate confirmation. The court should publish
its opinions to the extent possible. An official public interest advocate should be
assigned the task of arguing against surveillance applications. Congress should enact
a process for appealing FISA rulings, either to some appellate court or to the Supreme
Court.
But more steps are needed to put the NSA under credible tactical oversight. Its internal
procedures are better suited to detecting activities such as inadvertent and incorrect
surveillance targeting than they are to detecting people who deliberately circumvent
surveillance controls, either individually or for the organization as a whole. To
rectify this, an external auditor is essential. Making government officials personally
responsible for overreaching and illegal behavior is also important. Not a single
one of those NSA LOVEINT snoops was fired, let alone prosecuted. And Snowden was rebuffed
repeatedly when he tried to express his concern internally about the extent of the
NSA’s surveillance on Americans.
Other law enforcement agencies, like the FBI, have their own internal oversight mechanisms.
Here, too, the more transparency, the better. We have always given the police extraordinary
powers to investigate crime. We do this knowingly, and we are safer as a society because
of it, because we regulate these actions and have some recourse to ensure that the
police aren’t abusing them. We can argue about how well these are working in the US
and other countries, but the general idea is a sound one.
PROTECT WHISTLEBLOWERS
Columbia law professor David Pozen contends that democracies need to be leaky—leaks
and whistleblowing are themselves security mechanisms against an overreaching government.
In his view, leaks serve as a counterpoint to the trend of overclassification and,
ultimately, as a way for governments to win back the trust lost through excessive
secrecy.
Ethnographer danah boyd has called whistleblowing the civil disobedience of the information
age; it enables individuals to fight back against abuse by the powerful. The NGO Human
Rights Watch wrote that “those who disclose official wrongdoing . . . perform an important
service in a democratic society. . . .”
In this way of thinking, whistleblowers provide another oversight mechanism. You can
think of them as a random surprise inspection. Just as we have laws to protect corporate
whistleblowers, we need laws to protect government whistleblowers. Once they are in
place, we could create a framework and rules for whistleblowing legally.
This would not mean that anyone is free to leak government secrets by claiming that
he’s a whistleblower. It just means that conscience-driven disclosure of official
wrongdoing would be a valid defense that a leaker could use in court—juries would
have to decide whether it was justified—and that reporters would legally be able to
keep their sources secret. The clever thing about this is that it sidesteps the difficult
problem of defining “whistleblower,” and allows the courts to decide on a case-by-case
basis whether someone’s actions qualify as such or not. Someone like Snowden would
be allowed to return to the US and make his case in court, which—as I explained in
Chapter 7—currently he cannot.
Additionally, we need laws that protect journalists who gain access to classified
information. Public disclosure in itself is not espionage, and treating journalism
as a crime is extraordinarily harmful to democracy.
In Chapter 7, I mentioned the Obama administration’s overzealous prosecution of whistleblowers.
That policy is both hypocritical and dangerous. We encourage individuals to blow the
whistle on violations of law by private industry; we need to protect whistleblowing
in government as well.
TARGET MORE NARROWLY, AND ONLY WITH JUDICIAL APPROVAL
Electronic surveillance is a valuable tool for both law enforcement and intelligence
gathering, and one we should continue to use. The problem is electronic surveillance
on the entire population, especially mass surveillance conducted outside of a narrow
court order. As we saw in Chapter 11, it doesn’t make us any safer. In fact, it makes
us less safe by diverting resources and attention from things that actually do make
us safer. The solution is to limit data collection and return to targeted—and only
targeted—surveillance.