Cybersecurity & Standards, Government Surveillance
Review Group Report Doesn’t Go Far Enough on Protecting Global Human Rights
The extensive surveillance conducted by the National Security Agency (NSA) affects the privacy rights of people around the world – not just U.S. citizens and lawful permanent residents of the United States (“U.S. persons”). CDT was pleased to see this essential fact recognized in the report released by the President’s Review Group on Intelligence and Communications Technologies. The Review Group, charged with providing recommendations to the Obama Administration regarding necessary reforms to U.S. national security surveillance activities, included several recommendations aimed at limiting the impact of these activities on the rights of “non-U.S. persons.” While these recommendations are a first step, the report falls far short of offering the necessary policy reforms to protect the privacy of persons abroad.
If the United States is to be a leader in establishing global surveillance standards, it needs to serve as a model in terms of adopting reasonable limitations on surveillance of persons abroad. Significant reforms must be made for this to occur.
Scope of Surveillance
Section 702 of the Foreign Intelligence Surveillance Act (FISA) permits the U.S. government to compel communications service providers to assist with surveillance of non-U.S. persons reasonably believed to be outside the U.S. for the purpose of collecting foreign intelligence information. Section 702 forms the legal basis for the NSA’s PRISM program. If a person outside the U.S. is a known U.S. person, FISA prohibits surveillance absent a finding by the FISA Court that the target is a spy, terrorist or other agent of a foreign power. Non-U.S. persons enjoy no such protection: Surveillance of non-U.S. persons is permitted regardless of whether the person is a suspected spy or terrorist or other agent of a foreign power, and no court order is required.
Instead, the purpose of such surveillance of non-U.S. persons pursuant to Section 702 of FISA is the only real limitation that protects non-U.S. persons and that purpose limitation is woefully deficient. The surveillance can be conducted for the purpose of collecting “foreign intelligence information” that is broadly defined in U.S. law to include any information that merely relates to the conduct of U.S. foreign affairs as well as information that relates to attacks, terrorism, espionage, weapons proliferation and national security. 50 USC 1801(e). The Review Group’s report states that Section 702 does not authorize the NSA to acquire the content of the communications of masses of ordinary people. This statement is inaccurate under the law.
As we previously noted in testimony before the U.S. Privacy and Civil Liberties Oversight Board and in testimony before the European Parliament, collecting information merely because it relates to a country’s foreign affairs could encompass surveillance of political activities such as peaceful protests outside a U.S. embassy or global conference. The Review Group’s caution that surveillance of persons abroad should not be “based solely on that person’s political views or religious convictions” (emphasis added) is of little help to the protester outside the U.S. embassy: Surveillance could be justified because it relates to U.S. foreign affairs even if based partly on the protester’s political views inferred from the protest. If every country asserts the authority to compel communications service providers to assist with surveillance to collect information that merely relates to the country’s foreign affairs, the zone of privacy left would be severely diminished and the right to free expression substantially chilled.
The Review Group’s report is ambiguous as to whether the overly broad foreign intelligence purpose for which Section 702 surveillance may occur should be narrowed to exclude surveillance to collect information because it merely relates to U.S. foreign affairs. The report states that surveillance of foreign persons “must be directed exclusively at protecting national security interests of the United States or our allies” (emphasis in original). Recommendation 13 also states that the U.S. “must not disseminate information about non-U.S. persons if the information is not relevant to protecting the national security of the U.S. or its allies.” Much information that merely relates to U.S. foreign affairs has no national security nexus, so these recommendations could be interpreted as a call both for narrowing the purpose for which Section 702 surveillance is conducted and the use to which information collected under Section 702 could be put. If it is, the Review Group should make this clear when its members testify before Congress on January 14, because narrowing the scope of Section 702 surveillance could significantly advance the privacy rights of non-U.S. persons.
The Review Group also recommends measures such as restricting the monitoring of communications of foreign leaders. While we support such reforms, they should not eclipse the reforms most needed: Ensuring that individuals throughout the world are not under surveillance. In addition, while the Review Group begins to address the scope of Section 702 surveillance, it does little to address the broader problems of surveillance under Executive Order 12333, and as recent revelations show, this authority has been used to create a location-tracking dragnet that likely monitors tens of millions of people and to collect mass amounts of data as it flows between the data centers of tech giants such as Google and Yahoo.
Surveillance Agreements and the Human Right To Privacy
The report notes “there are bilateral arrangements or understandings on [surveillance] (which include, in appropriate cases, intentions, strictures, and limitations with respect to collection),” and recommends expanding such agreements. These agreements would extend only to “a small number of other closely allied governments.”
However, the report also recommends that the United States support international agreements regarding online communications. If such agreements are pursued, they must have as a cornerstone the protection of human rights of the people who may be monitored under them, including the rights guaranteed under Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Article 17 provides that no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence and that everyone has the right to the protection of the law against such interference. The Review Group’s report says “the United States should be a leader in championing the protection by all nations of fundamental human rights.” Doing so would entail both incorporating Article 17 protections in any such agreements, and extending Article 17 protections to non-U.S. persons outside the U.S. who may be subject to U.S. surveillance.
Finally, the report recommends that the U.S. government apply Privacy Act protections to the data of non-U.S. persons when it is intermingled in a single system of records with the data of U.S. persons. The Department of Homeland Security (DHS) has adopted this approach; the Review Group recommends extending it government-wide.
The Privacy Act of 1974 requires agencies of the U.S. government to maintain personally identifiable data in certain systems of records in a manner designed to promote the accuracy and security of those records. It gives people the right to access records about them and make corrections as necessary. By its terms, the Privacy Act applies only to U.S. persons. DHS, by policy, extended Privacy Act protections to non-U.S. persons whose personally identifiable information is mixed in with the personally identifiable information of U.S. persons.
Information that is classified is exempt from disclosure under the Privacy Act, including much information related to intelligence surveillance activity. Even for information that is not classified, non-U.S. persons would have no right to judicial remedy for violations of the Privacy Act because such remedy would have to be granted by law. Thus, under the proposed policy change, a non-U.S. person could request his or her records under the Privacy Act, but if those records were improperly withheld, such person would have no remedy.
As a result of the exemption for classified information and the absence of any judicial remedy, the policy decision to extend Privacy Act protections to non-U.S. persons would have limited benefits in the context of NSA surveillance. However, if adopted government-wide for all records systems including those not maintained by intelligence and law enforcement agencies – as the Review Group recommended – it could bring some benefits of the Privacy Act to non-U.S. persons, but a statutory change would be needed to extend to non-U.S. persons the right to pursue such benefits in court.
The Review Group’s report includes recommendations that are a beginning, but substantially more work needs to be done in order to ensure that NSA surveillance does not violate the privacy and free speech rights of non-U.S. persons outside the United States.