Intel Authorization Bill Would Turn Online Service Providers into Law Enforcement Watchdogs
Written by Emma Llansó
Last week, the Senate Intelligence Committee passed a version of the Intelligence Authorization Act for FY 2016 (S. 1705) that would create a new “duty to report” apparent “terrorist activity” for providers of electronic communication services, which include online content hosts, internet service providers, and public libraries and coffee shops that offer WiFi access. The ramifications of this provision, which was introduced through a secret, closed-door committee process, are immense: This vague requirement would turn every component of the online communications environment – access providers, website operators, cloud services, social media platforms, search engines, email services, and more – into agents of the government, reporting on their users according to a set of completely opaque criteria. This type of obligation eviscerates any notion of “trust” between individuals and the online services they use – trust that has already been damaged by the mass government spying revealed by Edward Snowden’s disclosures.
Online service providers would be tasked with scrutinizing any content that gets flagged to them for potential links to terrorism, putting these providers in the inappropriate position of deciding what counts as protected political advocacy or discussion of current events, and what sort of speech should put someone on a government watch list. Those who provide an electronic communication service will be compelled to pass judgment in a broad range of scenarios, including:
- A content reviewer at Facebook who sees a friends-only post about the Charleston massacre that has generated a heated exchange between several commenters and is flagged for review by another user for violating Facebook’s policy against bullying and harassment
- A professor running a massively open online course about terrorism and counterterrorism who sees comments from a student voicing sympathy with some of the radical ideology discussed in the curriculum
- The moderator of the comments section on a newspaper website who sees a passionate debate between readers of an article about US engagement in the fight against ISIS
- A librarian in a public library who sees a patron looking up information about Mojahedin-e-Khalq (MEK) on a library computer and doesn’t realize that the group has recently been removed from the State Department’s list of terrorist organizations
This provision of S.1705 raises numerous constitutional concerns:
Intermediaries must report private communications to the government. The bill requires reporting of “facts and circumstances” of apparent terrorist activity, which will almost certainly include the content of communications. This covers not only public blog posts, tweets, and status updates, but also private messages and emails, and even private journals kept online or backed up to remote storage, if the content host becomes aware of them. This is a huge intrusion into individual privacy and freedom of opinion and will create an intense chilling effect on individuals’ freedom of expression.
The obligation on intermediaries is entirely vague. S.1705 includes no definition of what content or behavior online could give rise to the actual knowledge of “terrorist activity” that would trigger the reporting requirement. The bill does not require that the “terrorist activity” be an apparent violation of the law. The bill references as a non-exclusive example one existing crime, the provision of information for how to create explosives with the knowledge that the person receiving the information intends to use it to commit a violent crime (18 U.S.C. § 842(p)), but otherwise provides no guidance whatsoever. This vagueness is likely to result in overbroad efforts by intermediaries to comply with the law, meaning that wholly lawful, constitutionally protected speech will be reported to the government, violating the speaker’s privacy and putting her under a cloud of suspicion as a potential terrorist.
No actual consequence is defined in the bill. The bill also includes no description of what penalty intermediaries face for a failure to report. S. 1705 does not specify what section of the US Code this provision is intended to amend, but because it is loosely patterned after a section of the criminal code (18 U.S.C. § 2258A, see below), intermediaries may well assume that some sort of criminal liability consequence is anticipated. This uncertainty for intermediaries over what may happen to them if they fail to file a report only compounds the potential for overbroad reporting by intermediaries.
No safeguards are included for abuse of the system or inaccurate reporting. S.1705 requires intermediaries to issue a report to the government when they “obtain actual knowledge” of apparent terrorist activity; typically this would be when a user of their service or member of the public flags certain content or activity to them. Such a system, like all content-flagging systems, is destined to be abused by users submitting fraudulent notices with the goal of making life difficult for another user – in this case, by bringing him under scrutiny by the intermediary and possibly by the US government. The bill includes no mention of ever notifying users that the intermediary has reported on them to the government, meaning there will be no opportunity for a user to contest a malicious or harassing notice. And, because of these incentives for overbroad reporting, the government is likely to receive an unmanageable influx of reports that contain little in the way of immediately actionable information. The bill includes no limitations on the sharing or use of this information within the government, raising the prospect that these reports, and the contents of people’s wholly innocent communications, will get squirreled away in a repository somewhere for future speculative use.
Proponents of the bill compare the reporting obligation in S.1705 to the existing reporting obligation for child pornography images in 18 U.S.C. §2258A. That law requires intermediaries who obtain actual knowledge of any facts and circumstances from which there is an apparent violation of federal child exploitation crimes involving child pornography – generally, intermediaries who are notified of an image of child pornography – to file a report with the National Center for Missing and Exploited Children (NCMEC). The report may, but is not required to, include the image itself, contact and identifying information about the image uploader (e.g. IP address, email address), and the complete communication in which the image of child pornography appears, to the extent that this information is within the custody or control of the intermediary.
The proposed obligation in S.1705 differs from §2258A in several key ways. First, the nature of the content that triggers the reporting obligation: Depictions of the sexual abuse of children are more obvious to distinguish from protected speech than wholly undefined “apparent terrorist activity.” Further, §2258A clearly focuses on specific instances of child pornography – there is a specific image or a video around which to build a report – while S.1705’s vague obligation for intermediaries to report on their knowledge of “terrorist activity” isn’t even necessarily linked to a particular user or communication.
Second, the contents of the report: While §2258A provides examples of the types of information that could potentially be included in the report (while not mandating any particular piece of information), S.1705 provides no such guidance, merely requiring intermediaries to report “the facts and circumstances.” This creates an incentive for cautious intermediaries to report all facts and circumstances relating to the apparent terrorist activity – which, if one imagines an exchange on a social media network, could include significant amounts of information about multiple individuals.
Finally, the recipient of the report: NCMEC is a private nonprofit organization that acts as a go-between for providers and law enforcement, but S. 1705 requires intermediaries to turn information over directly to the US government – no warrant, subpoena, or even National Security Letter required. A mandate to disclose the contents of a communication to governmental authorities upon the communication service provider’s own suspicion of unlawful activity is inconsistent with the Electronic Communications Privacy Act, which, as interpreted in the courts, generally requires that the government obtain a warrant in order to compel a provider to disclose communications content to the government. ECPA also permits providers to disclose voluntarily communications content to law enforcement if the contents are inadvertently obtained by the provider and appear to pertain to the commission of a crime, but mandated content disclosure requires a warrant.
Turning all communications intermediaries, who are today’s stewards of our electronic papers and effects, into informants for the government flies in the face of Fourth Amendment protections. And the knowledge that US-based internet companies have been co-opted in this way by the US government will chill the protected expression of ideas and opinions for millions of Americans, while driving all internet users to use online services that have no connection to US jurisdiction. NCMEC’s entanglement with the federal government already puts it on constitutionally shaky ground; this bill only exacerbates the problems posed by the NCMEC model by replacing a private entity with an arm of the government.
The version of the Intelligence Authorization Act that passed the House earlier in June did not include this intensely problematic provision. Because the bulk of the Senate Intelligence Committee’s meetings are closed, it’s not clear whether there was any discussion of the provision’s significant constitutional defects. It’s stunning that the Committee would report out legislation requiring internet companies to report on the activities of Americans without engaging in any public discussion; this process raises serious doubts over whether Congress has learned anything lasting from the public outcry about overbearing government surveillance. As this bill moves to the Senate floor, we urge Senators to reject this flawed approach.