CDT testified before a rare, open hearing of the Senate Select Committee on Intelligence focused on the USA FREEDOM Act, which passed the House of Representatives May 22. Our testimony, and much of the hearing, focused on how to change the bill to ensure that it ends mass, untargeted surveillance under Section 215 of the PATRIOT Act.
CDT pulled its support for the USA FREEDOM Act prior to House passage, along with many other civil liberties groups and major technology companies, primarily because the bill was significantly weakened, undermining the bill’s goal of ending mass surveillance. In particular, the definition of “specific selection term” – the principal mechanism the bill provides to limit the scale of surveillance orders under Section 215, the FISA Pen/Trap statute, and the National Security Letter statutes – became too ambiguous and exploitable.
At the hearing, government witnesses repeatedly claimed that the USA FREEDOM Act would end “bulk collection.” However, it was openly debated whether the bill precluded mass collection of records about tens of thousands or even millions of Americans with no connection to terrorism. Chairman Dianne Feinstein – long a defender of NSA programs – acknowledged this, stating that a “specific selection term” could potentially be used to obtain all flight manifests of an airline, and that the definition required greater review.
CDT’s testimony illustrated the seriousness of this problem and offered ideas about how to prohibit mass surveillance while simultaneously providing necessary flexibility to the government to protect security. We called for clarity in the bill’s definition of specific selection term, closing loopholes that could allow for abusive interpretations.
However, aware that it may be impossible to find a perfect definition, we also proposed an additional safeguard: Beyond an improved definition of “specific selection term,” Congress should impose additional strict minimization procedures to limit acquisition to the least intrusive methods (including employing as narrow a selector term as possible), and clearly limit retention and use of data obtained to individuals directly connected to a national security threat.
We also encouraged Congress to enact a series of reforms to Section 702 — the statutory authority for the PRISM program — such as limiting the scope of permissible surveillance and closing the “backdoor search loophole.” That loophole permits the NSA to conduct a warrantless search of communications of Americans in the trove of data it collects under Section 702 by targeting people and entities reasonably believed to be abroad. This problem was emphasized by Senator Wyden, who demanded a record of how often the government uses this loophole to deliberately seek out Americans’ communications absent any court review. We also discussed the need to enhance transparency by permitting companies to disclose more information about the number of surveillance demands they receive and the importance of having a Special Advocate at the FISC, whose presence will be even more critical if preventing mass collection depends on the FISC’s interpretation of “specific selection term.”
At the hearing, data retention mandates emerged as a major issue that could derail this reform effort. As we’ve previously stated, a retention mandate would not solve any problems but would raise a range of new issues such as risk of data breach, cost, and increased access by government agencies and civil litigants. There is also a significant risk of mission creep: If the government mandates retention of phone records, what’s to stop it from next requiring retention of all Internet records, or financial records? Indeed, as Michael Woods, a hearing witness from Verizon, pointed out in his written statement, technology is changing rapidly and the universe of calls handled by VoIP technologies and peer-to-peer applications is growing while the proportion over the traditional public switched telephone networks is shrinking. A data retention mandate for traditional calls would certainly engender demands for data retention for the Internet.
Beyond the significant policy concerns, a data retention mandate is simply not politically viable. When Congress last considered a data retention mandate, the measure was criticized by a broad range of civil society advocates and members of Congress, with Representative Sensenbrenner declaring that the policy “runs roughshod over the privacy rights of people who use the Internet for thousands of lawful purposes,” and “should be defeated and put in the dustbin of history.” The retention mandate was strongly rejected; the legislation only received the support of 39 co-sponsors in the House of Representatives, and never advanced to the full floor for debate. If a data retention mandate is considered, it will face strong opposition from telecommunications and tech companies, civil society, and privacy advocates across the political spectrum. We expect including a data retention mandate in the USA FREEDOM Act would lead it to be swept into the dustbin as well. Given that we seem to be getting closer to achieving meaningful reforms through the USA FREEDOM Act, this is a possibility we must not allow.