May 2014 Archives
May 20, 2014
The Senate Judiciary Committee is holding an oversight hearing of the FBI on Wednesday, May 21. There are plenty of things to oversee with respect to FBI's programs, but here are a couple questions that interest me.
What's the status of the various privacy assessments the FBI has committed to performing?
In a previous post, I detailed how documents obtained by EPIC through a Freedom of Information Act ("FOIA") request showed how the FBI was told in early 2012 that the agency needed to do a privacy assessment of its use of License Plate Readers ("LPRs"). The FOIA documents even showed that a rough draft of a privacy assessment had been created. There is no indication that the FBI ever finished its assessment of LPRs.
Similarly, the FBI doesn't seem intent on ever following through on its promise to renew its privacy assessment of facial recognition technology. Something the agency explicitly said it would do in a statement for the record for a hearing on facial recognition technology. I wrote about this issue in a previous blog post too. The short version is that the FBI is "working" on it. This privacy assessment must be the most thorough one ever because the FBI has been "working" on it since July 2012. The lack of an adequate privacy assessment of facial recognition hasn't stopped the FBI from using the technology for its Next Generation Identification program. Did I mention the FBI is willing to accept a 20% error rate for its facial recognition technology?
In the last oversight hearing back in July 2013, the then Director of the FBI, Robert Mueller, admitted that the FBI uses drones for domestic surveillance; furthermore, he indicated that the FBI did not do a privacy assessment prior to implementing the use of drones and did not establish procedures for the use of drones. Director Mueller stated that the FBI was in its initial stages of assessing the privacy implications and implementing some guidelines for the use of drones domestically. The FBI's track record suggests the agency is probably still at the initial stages of developing guidelines.
What is the Surveillance Program Integrated Reporting & Intelligence Tool ("SPIRIT")?
EPIC received a document as part of a larger request for information about the FBI's LPR program that described a central database of raw surveillance called SPIRIT. From the document, "The SPIRIT system will serve as the primary repository for raw investigative and intelligence data collected through surveillance methods across all operational programs, as well as provide for workflow automation relating to FBI surveillance information."
The SPIRIT database, as a repository of raw intelligence, probably requires a privacy assessment. There is none. Additionally, because of the nature of the information likely contained within the spirit database, it most likely also requires what is known as a Systems of Records Notice ("SORN"). There is not one of those either. A SORN is required by the Privacy Act of 1974 when a database has records in it that are retrievable by the name of an individual or some other unique identifier associated with a specific individual. Of course, the existence of an FBI database that contains all of its raw investigative and intelligence data raises a number of other questions too, not the least of which are:
- Who has access to the SPIRIT database?
- Does the database contain bulk surveillance?
- What are the privacy and civil liberty safeguards in place for this database?
There are numerous things for the Senate Judiciary Committee to oversee with respect to the FBI, but I hope some of the issues raised above get addressed.
May 14, 2014
NSA Reforms Move Forward in Congress - With a Clear Prohibition on Bulk Collection But Still Missing Important Transparency and Oversight Provisions
We have focused a lot on NSA reform since the disclosure of sweeping surveillance last summer, and now Congress is finally taking steps to move the reform process forward. The House Judiciary Committee voted unanimously to pass the USA Freedom Act last week and the House Intelligence Committee followed suit shortly after, paving the way for the bill's consideration by all members of the House with strong bipartisan support. The surveillance reform bill was first introduced back in October following the disclosures of bulk surveillance on Americans.
So far civil liberties advocates have provided mixed reviews of the bill (see examples here, here, here, here, here, and here). Any progress is good, but the newly amended version of the Freedom Act is weaker in terms of its reform of National Security Letter authorities, its protection against back-door searches of Americans' communications collected under Section 702, its creation of a public interest advocate at the FISA Court, and its mandate of greater transparency. Still I think that the amended bill would provide significant protections that do not currently exist in FISA, and would be a step forward for privacy and transparency.
What follows is an in-depth analysis of the major differences between the original USA FREEDOM Act and the current amended bill that will be considered by the U.S. House of Representatives.
House Committee Markups and Amendments
During last week's markup of the USA FREEDOM Act, H.R. 3361, the House Judiciary and Intelligence Committees adopted amendments that made some significant changes, both substantive and structural, to the Freedom Act. Following the amendments, Senator Patrick Leahy (D-Vt), Chairman of the Senate Judiciary Committee and the original co-sponsor of the bill, issued a statement supporting the vote but voicing his concerns that the newly amended bill does not include adequate National Security Letter protections, transparency reforms, or a strong special advocate at the FISA Court. Others have criticized the amended bill for weakening the "bulk collection" restriction and removing an explicit prohibition on "back door searches" for U.S. person communications
But the current version of the bill would still provide an explicit prohibition of bulk collection and improve transparency and oversight of the FISA process, and it is certainly preferable to the intelligence committee proposal that would expand, rather than contract, NSA's spying powers.
The most significant differences between the original Freedom Act and the amended bill are (1) modifications in the National Security Letter reforms, (2) changes to the Special Advocate to an "amicus" position appointed by the FISC, (3) the addition of "two hops" call detail record authority to Section 215, and (4) elimination of some of the transparency reports and addition of "immunity" for certain telecommunications providers. Senator Leahy flagged the first two changes as significant and troubling, so I will focus on those before describing the two different versions of the bill.
National Security Letter Reforms
Title V of the original Freedom Act included four separate categories of reforms: (1) limitations on the collection of telephone toll records and financial records, (2) modification of non-disclosure rules for NSLs, (3) new judicial review procedures, and (4) mandated Inspector General reports. The purpose of these reforms was to elevate the standard for NSLs, to ensure that the government does not use them for bulk collection, and to improve judicial review and set standards for non-disclosure orders in light of the Second Circuit's decision in Doe v. Mukasey, 549 F.3d 861 (2nd Cir. 2008).
The Amended Freedom Act eliminates all but one section of the proposed National Security Letter reforms in the original bill. The remaining section prohibits bulk collection, setting the same "specific selection term" standard used in the Section 215 and FISA Pen Register reforms (see below). The section does not define or specify the types of financial and consumer records that can be obtained using NSLs, nor does it fix the non-disclosure rules or judicial review provisions that the Second Circuit held were unconstitutional in Doe v. Mukasey. As Senator Leahy noted, these amendments eliminated significant and important National Security Letter reforms that should be reintroduced when the Senate considers the bill this summer.
Special Advocate vs. FISC Amicus Curiae
Another major change in the Amended Freedom Act is the loss of the "Special Advocate" proposal that has been championed by Senator Blumenthal, Senator Leahy, and others. The original bill provided for a permanent, independent Special Advocate position, housed within the judiciary, that would wield a great deal of power in the FISA process. The Special Advocate could review all FISA opinions and applications, petition for review or appeal FISC orders, and seek additional disclosure to the public.
But the Special Advocate proposal, as described in the original Freedom Act, has been subject to criticism by Judge Bates of the FISC, and the Congressional Research Service has outlined potential constitutional issues with the position. Professors Steve Vladeck and Marty Lederman have responded to many of those concerns in posts on Just Security and Lawfare, but I think it is important to note that the amended "amicus" provision might be more in line with their defense than was the original Special Advocate proposal.
Rather than establishing a new federal officer with independent power, the amended bill would require the FISC to appoint an amicus from a pre-selected panel of attorneys in any case involving a "significant interpretation of law." This proposal is stronger than the status quo (FISC is permitted to accept amici briefs, but not required to order them), but clearly weaker than the original Special Advocate provision. Hopefully Senator Leahy will re-introduce some of the Special Advocate provisions when the Senate considers the amended bill this summer.
Transparency, Immunity, Two Hops, and Other Significant Changes
Other troubling changes in the amended bill are: the loss of mandatory Inspector General reports regarding the use of both FISA Pen Register and National Security Letter authorities during the period of 2010-2014; and the addition of immunity for compliance with Section 215 orders.
The substitution of the original bill's limitation on 215, Pen Register, and NSL collection with a new "specific selector" standard has been the subject of criticism as well, and Julian Sanchez has questioned whether it might be construed to allow as many as "four hops" (rather than two). But I think this revised language provides a much clearer prohibition on bulk collection than the original, and allowing for "two hops" of call detail records will make it more likely to gain support from both the judiciary and intelligence committees. The FISC would be hard pressed to interpret a provision titled "Prohibition on Bulk Collection" as anything but that, even with aggressive advocacy from DOJ. And the addition of a public interest advocate on this "significant interpretation" would make it even less likely that a "secret" interpretation would undercut the purpose of the amendments.
Below I will provide a quick overview of the original version of the USA FREEDOM Act, and compare it with the current amended bill.
USA FREEDOM Act 1.0
The version of the Freedom act introduced back in October had five main components: (1) limitation on the use of Section 215 business record orders, FISA Pen Register / Trap and Trace orders, and National Security Letters, (2) prohibition on searching Section 702 "PRISM" data for U.S. Person communications, (3) creation of an Office of the Special Advocate, and (4) new transparency report requirements and oversight powers.
(1) The primary focus of the Freedom Act is to prohibit "bulk collection" of communication records by revising and unifying the standards for Section 215 orders, Pen Register orders, and National Security letters. The original version of the bill did this by requiring that the records sought are both "relevant and material to an authorized investigation into international terrorism or clandestine intelligence," and pertain to "(1) a foreign power or agent of a foreign power; (2) the activities of a suspected agent of a foreign power who is the subject of an investigation; or (3) an individual in contact with, or known to, a suspected agent of a foreign power."
(2) The original version of the Freedom Act explicitly prohibited searches of Section 702-acquired communications "in an effort to find communications of a particular United States person (other than a corporation)," except in emergency circumstances or with the consent of the person whose communications are sought. The bill also amended the Section 702 targeting requirements to make clear that the communications acquired should be limited to those where (1) "any party is a target of the acquisition," or (2) "that contain the account identifier of a target of an acquisition." But the second category of "about" communications can only be acquired "to protect against international terrorism or the international proliferation of weapons of mass destruction."
(3) A large chunk of the original Freedom Act described the role and authority of a new "Office of the Special Advocate." The Special Advocate would have access to all FISA applications and decisions of the FISC, and could seek to participate in FISC proceedings or appeal decisions. The Special Advocate could also request outside amicus participation or petition for public disclosure of FISC decisions, applications, or documents. The Special Advocate would be established within the judicial branch and confirmed by the Chief Justice of the Supreme Court.
(4) The Freedom Act also establishes new reporting and disclosure requirements to improve transparency and oversight of the FISA process. The bill would require new audits by the DOJ and IC Inspectors General for Section 215 Orders issued between 2010-2013, focusing in particular on whether the minimization procedures "adequately protect the constitutional rights of United States persons." The bill would require similar (unclassified) audits by the IGs of the use of FISA Pen Register orders, National Security Letters, and Section 702 orders.
Additional transparency and oversight reforms in the original version of the Freedom Act include rules permitting the aggregate reporting of surveillance orders by third-party recipients like Internet Service Providers and telecommunications companies. The bill would also require that the annual Attorney General FISA reports on the use of electronic surveillance, physical searches, 215 orders, Pen Register orders, and Section 702 orders be made public and include an estimate of the number of United States persons targeted by such surveillance orders. The bill would create a special Attorney General report on the use of National Security Letters.
The Amended Freedom Act
When the House Judiciary Committee held its markup of the Freedom Act on May 7, 2014, Representative Jim Sensenbrenner, the primary sponsor of the bill, introduced an amended version of the bill as a substitute. The Amended Freedom Act also has four main components (similar to the original bill): (1) a prohibition on bulk collection under the Section 215, FISA Pen Register, and NSL authorities, (2) amended minimization rules and "reverse targeting" prohibition for Section 702, (3) FISC amicus authority and declassification of significant FISC opinions, and (4) new FISA transparency and reporting requirements. One of the main differences between the two bills is the addition of Section 215 authority for the querying of Call Detail Records, similar to what the President recently proposed.
(1) The first title in the Amended Freedom Act adds new provisions to Section 215 governing applications to obtain "call detail records." Under the new provision, the Government can apply for a 180-day prospective order requiring the production of call detail records "based on a specific selection term" when there is a "reasonable, articulable suspicion" that the term is "associated with a foreign power or an agent of a foreign power." The Government may also require production "using the results of [the first production] as the basis for production." This allows the Government to get call detail records within "two hops" of a target.
The Amended Freedom Act also adds a new provision to Section 215, requiring that each application and order include "a specific selection term to be used as the basis for the production." The amendment makes clear that "No order issued under this subsection may authorize the collection of tangible things without the use of a specific selection term," which is defined as "a term used to uniquely describe a person, entity, or account." The bill also includes a similar "prohibition on bulk collection" for FISA Pen Register orders and National Security Letters, requiring "a specific selection term as the basis for" each request.
(2) The amended bill alters somewhat the rules governing collection under Section 702 ("PRISM"), first by making clearer the prohibition on "reverse targeting" of Americans. Section 702 currently prohibits targeting "a person believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States." The amended language makes clear that reverse targeting is prohibited when it is "a purpose" not just when it is the sole purpose of such acquisition.
The amended bill also requires that the government "minimize the acquisition, and prohibit the retention and dissemination, of any communication" between two U.S. persons and "prohibit the use of any discrete, non-target communication" from a U.S. person or a person "who appears to be located in the United States" except in life threatening circumstances. The amendments also provide a bright line exclusionary rule, providing that "no information obtained or evidence derived from an acquisition" concerning a U.S. person "shall be received in evidence or otherwise disclosed" or used in a proceeding or "in any other manner by Federal officers or employees" without consent.
(3) In place of the original Special Advocate provisions, the amended bill requires that the FISA Court "appoint an individual to serve as amicus curiae to assist" in the consideration of "any application for an order or review that, in the opinion of the court, presents a novel or significant interpretation of the law, unless the court issues a written finding that such appointment is not appropriate." The amended bill also enables the FISC to provide support and assistance for the designated amicus, including training and other executive branch support.
The amended bill also requires that the Attorney General conduct a declassification review of all significant FISA Court opinions and either release them in redacted form, or "make publicly available an unclassified summary" if withholding the full opinion "is necessary to protect the national security of the United States or properly classified intelligence sources or methods."
(4) Finally, the Amended Freedom Act provides for reports by the DOJ and IC Inspectors General, similar to the original bill, but for "calendar years 2012 through 2014" instead of 2010-2013. The amended bill does not require IG reports regarding FISA Pen Register orders or National Security Letters. The amended bill would create new reporting requirements for Section 215 call detail record orders and government compliance reviews under Section 215. The amended bill would also require the Director of the Administrative Office of the United States Courts to submit an annual public report on the number of FISA orders issued, modified, or denied and on the appointment of FISC amicus curiae.
The Amended Freedom Act submitted by Representative Sensenbrenner did not include the third-party transparency provisions that were in the original bill, but during the House Judiciary Committee markup those provisions were approved as an amendment. Representative Rogers introduced that amendment in the House Intelligence Committee Markup.