The Washington Post recently released what may be the most comprehensive review of the impact of Section 702 of FISA – which authorizes the NSA’s PRISM and upstream programs – on average Internet users. The scale and sensitive nature of communications being collected should generate widespread concern regarding the law’s use, and create demand for reform. Fortunately, Congress can enact measures that limit the collateral damage to privacy needlessly caused by this over-broad surveillance law.
Section 702 Programs Affect Millions of Average Internet Users
While the government has framed Section 702 as a “targeted” program that primarily affects suspected terrorists rather than normal individuals – a sentiment echoed by the Privacy and Civil Liberties Oversight Board in a report which CDT and others roundly criticized – the Washington Post report tells a troublingly different story: Based on a study of the largest sample of Section 702 data analyzed to date, approximately 90% of the text messages, emails, instant messages, and other communications retained by NSA, even after the application of minimization procedures, are to or from accounts who are not surveillance targets.
It is not surprising that a large portion of these accounts belong to non-targets; electronic surveillance of a target inevitably collects the communications of people who talk to the target about matters unrelated to the purpose of the surveillance. Considering the large number of individuals one regularly emails, texts, and calls, a 9:1 ratio does not seem that extreme. However, while this inevitable incidental collection might be tolerable in small levels when the surveillance target is suspected of wrongdoing and communications monitoring is approved by a judge, it is difficult to justify when the purpose of the surveillance is as broad as is authorized in Section 702, and the resulting scope is so enormous.
Further, because the 9:1 ratio is based on “accounts,” it might significantly underscore the number of non-targeted individuals affected. As 89,138 “persons” were targets last year, the Post concluded communications from over 800,000 non-targeted accounts were retained. The actual number is likely much larger. As Julian Sanchez notes, while there are 89,138 persons targeted, most targeted persons (a term that can include corporations and organizations) have many electronic communications accounts, meaning the number of accounts targeted is likely much higher. This would place the number of non-targeted accounts to or from which communications were retained in the millions.
Communications Retained Disclose Sensitive Activity
Perhaps more disturbing than the scope of incidental collection that occurs under the PRISM and upstream programs is the nature of what is retained. The report describes a range of personal information that provides no national security value, but is highly sensitive: “stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes… medical records sent from one family member to another, résumés from job hunters and academic transcripts of schoolchildren… Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers. In some photos, men show off their physiques. In others, women model lingerie, leaning suggestively into a webcam or striking risqué poses in shorts and bikini tops.”
This type of information is strikingly similar to the “wealth of detail about her familial, political, professional, religious, and sexual associations” that the Supreme Court found in Riley v. California triggers warrant protection for examining the contents of a cell phone, even when it held by a person already under arrest.
In addition, the NSA has reportedly made plans to use and publicly expose personally sensitive information that it obtains through surveillance. According to a Huffington Post report, based on files disclosed by Edward Snowden, the NSA has developed plans to expose radicalizers “viewing sexually explicit materials online” for the purpose of “degradation.” Targets of such a program could be broadened in the future. And although there is no evidence sensitive personal information is currently being used maliciously, the specter of politically motivated surveillance conducted to discredit and blackmail activists that occurred in previous decades looms as an ever-present risk.
Section 702 Surveillance Is Fundamentally More Invasive
While incidental collection of the communications of a person who communicates with a target is an inevitable feature of communications surveillance, it is tolerated when the reason for the surveillance is compelling and adequate procedural checks are in place. In other instances of communications surveillance conducted in the US, surveillance requires court approval of a target, and that target must be a suspected wrongdoer or spy, a terrorist, or another agent of a foreign power. Section 702 requires neither of these elements.
Under Section 702, targeting can occur for the purpose of collecting foreign intelligence information even though there is no court review of any particular target. Instead, the super secret FISA court merely determines whether the guidelines under which the surveillance is conducted are reasonably designed to result in the targeting of non-Americans abroad and that “minimization guidelines” are reasonable. This means incidental surveillance may occur purely because someone communicated with an individual engaged in activities that may have broadly defined “foreign intelligence” value. For example, the communications of someone who communicates with a person abroad whose activities might relate to the conduct of U.S. foreign affairs can be collected, absent any independent assessment of necessity or accuracy.
Your personal information could be scooped up by the NSA simply because your attorney, doctor, lover, or accountant was a person abroad who engaged in peaceful political activity such as protesting a G8 summit
As another example, under traditional FISA – for intelligence surveillance in the U.S. of people in the U.S. – your communications could be incidentally collected only if you were in direct contact with a suspected agent of a foreign power, and additionally if the Foreign Intelligence Surveillance Court had affirmed this suspicion based on probable cause. Under Section 702, your personal information could be scooped up by the NSA simply because your attorney, doctor, lover, or accountant was a person abroad who engaged in peaceful political activity such as protesting a G8 summit.
Where Do We Go From Here?
There are sensible reforms that can significant limit the collateral damage to privacy caused by Section 702 without impeding national security. Limiting the purposes for which Section 702 can be conducted will narrow the degree to which communications are monitored between individuals not suspected of wrongdoing or connected to national security threats. Closing retention loopholes present in the Minimization Guidelines governing that surveillance will ensure that when Americans’ communications are incidentally collected, they are not kept absent national security needs. And closing the backdoor search loophole would ensure that when Americans’ communications are retained because they communicated with a target of Section 702 surveillance, they couldn’t be searched unless the standards for domestic surveillance of the American are met.
These – and many other reforms – have previously been recommended by CDT, and could serve as an effective means of restoring privacy protections currently absent in the law.