U.S. Congress finally moves on surveillance reform, but it may be too little, too late

Today, U.S. Senators Ron Wyden, Rand Paul, and others introduced the USA RIGHTS Act to reform and add greater transparency to U.S. surveillance authorities. A companion bill has also been introduced in the House of Representatives. The introduction comes only one day after a “pre-markup” draft from Senator Richard Burr was posted online, detailing provisions that essentially codify even broader collection and use of surveillance data. Unfortunately, even in the wake of Senator Burr’s shockingly invasive proposal, it’s clear that the USA RIGHTS Act doesn’t go far enough to make the vital and necessary reforms that matter for protecting human rights.

Access Now thanks all of the sponsors of the USA RIGHTS Act, as well as the sponsors of the USA Liberty Act, which was introduced in the House of Representatives earlier this month. However, while we’re offended by Senator Burr’s anti-reform draft, we cannot endorse either of the other proposals in their current forms. We urge the authors at a minimum to combine the positive provisions in each of these drafts into a single proposal. As we explain below, merging the two bills, together with a few changes, might be barely sufficient to protect the free flow of data overseas and thereby positively impact global data privacy and U.S. economic interests internationally. However, it would not guarantee that outcome, so we further urge members of Congress to demonstrate global leadership and do more to protect the rights of people around the world.

Efforts to reform Section 702: what you need to know

In June 2015, former U.S. President Barack Obama signed the USA FREEDOM Act into law. At the time, Access Now and several other human rights and civil liberties groups praised the measure, but warned that it represented only a first step in a more comprehensive effort to reform overreaching surveillance authorities that are available to U.S. intelligence agencies, including and especially Section 702 of the FISA Amendments Act. And, in fact, it was during the debate over USA FREEDOM that House Judiciary Chairman Bob Goodlatte committed to holding hearings about Section 702.

That was two years ago, which is why it’s disappointing that it is only this month that we are seeing bills to reform parts of Section 702. It’s even more disappointing that these proposals don’t do enough to fix one of the most significant problems with the law: its incredible overbreadth, which allows innocent people to be targeted for invasive surveillance so long as they’re not citizens or permanent residents of the United States.

For those who don’t know, Section 702 is part of U.S. surveillance law that was passed to codify (and expand) the warrantless wiretapping that was authorized as a temporary measure after the 9/11 attacks. In December of 2016, we wrote about its history and use/abuses, while also giving our recommendations for reform. For reference, those recommendations included:

  1. Include definitions to ensure proper understanding of the law
  2. Codification (and expansion) of Presidential Policy Directive (PPD) 28
  3. Minimize the data that are retained in massive surveillance databases
  4. Limit surveillance targets to foreign powers or agents of foreign powers
  5. Recognize human rights standards
  6. Strengthen the standards for collection
  7. Strike the encryption exception for data retention
  8. Prohibit acquisition of communications from non-targets
  9. Limit the dissemination of data to other agencies and international partners
  10. Increased transparency at the FISA Court (FISC)
  11. Increased public reporting

We explained that these reforms aren’t enough to bring Section 702 and its programs into compliance with international human rights law, but would represent a significant step in the right direction.

How the Section 702 reform bills stack up

So what is on the table now? We have:

USA RIGHTS Act

Introduced by Senators Ron Wyden and Rand Paul, “The Uniting and Strengthening America by Reforming and Improving the Government’s High-Tech Surveillance (USA RIGHTS) Act 2017” contains positive reform provisions. The majority of these reforms benefit only U.S. persons, although many of the protections cover, for the first time, all people residing in the United States (the term “U.S. person” is a legal term that encompasses U.S. citizens and permanent residents).

Here is how it stacks up, compared to our recommendations above:

Rec. 1: Additional definitions – Partial
Rec. 2: PPD 28 – No
Rec. 3: Minimize personal data – No
Rec. 4: Limiting targets – No
Rec. 5: Human rights standards – No
Rec. 6: Higher standards for collection – No
Rec. 7: Limit retention of encrypted comms – No
Rec. 8: Limit collection – Yes
Rec. 9: Limit dissemination – Partial
Rec. 10: Increased FISC transparency – Yes
Rec. 11: Increased public transparency – Partial

The bill would end the practice of collecting not just communications “to” or “from” a foreign target, but also “about” a target. This is essential reform. The FISC found significant problems with “about” collection earlier this year and it was ostensibly discontinued, but reports indicate that agencies may be looking for ways around that limitation.

Further, unlike the USA Liberty Act, which includes a separate sunset provision for its prohibition on “about” collection, this bill ends the practice definitively. The format of the USA Liberty Act is dangerous because it opens the door for the practice to be re-instituted unless Congress takes an additional action, and we all know how difficult it sometimes is for Congress to agree to do anything. Even worse, if the prohibition on “about” collection does later sunset and the practice continues, the National Security Agency and other agencies could then argue that Congress had implicitly authorized it, an argument they don’t have today.

The USA RIGHTS Act also makes strides in other areas. It extends the oversight and increases the functionality of the Privacy and Civil Liberties Oversight Board (PCLOB) and clarifies the USA FREEDOM Act to indicate that any significant court opinions must be published, even those pre-dating the 2015 law. The USA FREEDOM Act is also modified by expanding the transparency provisions to give more public oversight to the operation of Section 702. Finally, the FISC is given, for the first time, oversight of orders to providers to modify their systems as well as additional accountability through increased authority of the amicus curiae, a role that was introduced in the USA FREEDOM Act.

However, the bill still fails to limit, in any way, collection of or access to the communications of non-U.S. persons not residing in the United States, even those who are not suspected of any wrongdoing. It does not create any new limitations on data retention or dissemination of data to international partners, nor to other domestic agencies, for anyone outside the United States.

USA Liberty Act

We have already published a brief first take on the USA Liberty Act, although lawmakers have since introduced a slightly modified version. The latest wording has a new version of the “Sense of Congress” resolution vis-a-vis the rights of people outside the United States, but doesn’t have any other significant changes except what appear to be corrections of minor errors in the drafting of the legislation. Here is how it stacks up, compared to our recommendations above:

Rec. 1: Additional definitions – No
Rec. 2: PPD 28 – Partial
Rec. 3: Minimize personal data – Partial
Rec. 4: Limiting targets – No
Rec. 5: Human rights standards – No
Rec. 6: Higher standards for collection – No
Rec. 7: Limit retention of encrypted comms – No
Rec. 8: Limit collection – Mostly
Rec. 9: Limit dissemination – Partial
Rec. 10: Increased FISC transparency – Yes
Rec. 11: Increased public transparency – Partial

FISA Amendments Reauthorization Act of 2017

This is the Burr proposal that was revealed just yesterday. This reauthorization bill obfuscates its intent through section titles that are immediately undermined by the text that follows. Subject to a brief delay for “intentional about collection” and with a lot of formality, it ends up codifying all “about” collection. It also codifies expanded uses of collected information and does absolutely nothing for the human rights of people outside the United States. In short, it’s a sham “reform” proposal.

Where do we go from here? At minimum, combine the two serious reform proposals

For a bill that has any shot of positively impacting the rights of all people, lawmakers should combine the transparency and accountability provisions of the USA RIGHTS Act with the additional reporting, limitations, and recognition of the importance of rights from the USA Liberty Act. Provisions concerning the PCLOB and the FISC should be combined to the greatest extent possible, and the limitation on “about” collection should be adopted from the USA RIGHTS Act, which is far stronger.

But that’s not nearly enough. These protections together give non-U.S. persons only minimal new protections and insight into how the surveillance authorities are being used against them. Perhaps this is because protecting non-U.S. persons is simply not a priority for U.S. lawmakers. In fact, it is a common (and fairly accurate) perception that members of the U.S. Congress will take no steps to protect the rights of people who can’t vote for them. However, if Congress won’t act here for the purpose of protecting people’s rights, perhaps they will act once they understand that it’s necessary to protect U.S. economic interests.

Without meaningful reform, the U.S. will suffer international repercussions

The E.U.-U.S. “Privacy Shield” agreement — which authorizes private companies to transfer, store, and process the personal data of persons in the European Union in the United States — is heading for review by the Court of Justice of the European Union (CJEU). The CJEU invalidated the previous “Safe Harbor” agreement that the Privacy Shield then replaced because of Section 702 surveillance. Without any real reform of Section 702, the court is likely to do the same thing with Privacy Shield.

Complicating matters further, in a related case earlier this year, the Irish High Court referred for CJEU review one of the mechanisms for data transfer that exists apart from the Privacy Shield, also because of Section 702. While the CJEU should consider these new changes, it may not be enough to save Privacy Shield, at least in regard to surveillance issues (as we’ve detailed previously, there are also data protection problems with Privacy Shield that are unrelated to Section 702).

This is not a small issue. A failed Privacy Shield would not only harm the free flow of data and damage companies in the U.S.; neglecting to undertake vital and necessary surveillance reform is also an attack on human rights that undermines trust in the global digital economy. Along with Access Now, organizations including Human Rights Watch, the ACLU, EFF, and CDT, to name only a few, have pointed out that Privacy Shield may not be viable without meaningful reform to Section 702.

What all of this means is that the U.S. Congress must start taking human rights seriously, and see beyond domestic horse-trading to consider U.S. relationships overseas and the impact of consistently failing to protect rights globally. This entails undertaking Section 702 reform that has appropriate limitations for surveillance targeting and data retention. If that goal cannot be met, lawmakers ought at least to commit to a short sunset window, to align with review of the Privacy Shield by the CJEU, and at minimum conduct semiannual public hearings on the law that would include witnesses with expertise in human rights and international law.

We hope to see more leadership from the Congress as the reform process continues — the kind that works to protect the rights of people in the U.S. and elsewhere, as well as shoring up trust in global digital commerce. It’s time to keep our promise to continue the process toward the comprehensive reform that we all need, and that we will all benefit from.