In an earlier blog, I explored the fraught implications of the US intelligence community’s crisis of confidence and legitimacy, brought on in part by the fallout from politicization of intelligence information by both the Trump administration and its foes. In the near term, this battle is also certain to shake up the coming debate and struggle over reauthorizing Section 702 of the Foreign Intelligence Surveillance Act. As I explained previously (0), Section 702 grants the US government the authority to target the communications of foreign individuals, assumed to be outside the US, for the purpose of gathering foreign intelligence. While forbidding the collection of information on individuals within the US (or from US citizens directly), the government can compel internet service providers and telephone companies to aid in the collection of information from targeted individuals. The US government, however, is allowed to obtain further information about US citizens “incidentally” caught up in the surveillance of foreigners. There are supposedly strict rules governing these probes (the process is overseen by the FISA court). Controversially, intelligence agencies have shared their information with domestic law enforcement officials, leading to investigations and indictments for purely domestic crimes.
In recent weeks, the Trump administration has come down on the side of the strong push by US intelligence agencies for reauthorizing Section 702 without changes. Former US Sen. Dan Coats (R-IN), incoming director of National Intelligence, recently called Section 702 one of the “crown jewels” (1) of US intelligence.
But even before the current revelations concerning “unmasking” and the outing of Michael Flynn by leakers in the government, a powerful coalition of privacy groups and high-tech companies was pushing back. They argued (2) that Section 702 had been abused and excessively broadened to ensnare US citizens with no connection to subversive or even criminal activities: a “relatively free rein” to “trawl” through databases. They now have received important support from libertarian-leaning Republican senators such as Sen. Rand Paul (R-KY) and Sen. Mike Lee (R-UT). Lee has weighed in emphatically (3), noting that although he did not know the details of the current Russian hacking/unmasking affair, he had warned about the unchecked power of US surveillance activities for some years: “This is what human beings do when they . . . are given too much power and they are given technology.”
Congress is likely deeply divided among defenders of the intelligence agencies, Democratic privacy advocates, libertarian-leaning Republicans, and many members in the middle (a situation that has continued since the struggle to pass the USA Freedom Act in 2015). But key congressional leaders are demanding more information on the workings and reach of Section 702 before taking action later this year. On March 1, the House Judiciary Committee held a preliminary hearing on Section 702, and Chairman Bob Goodlatte (R-VA) has joined the ranking Democrat, Rep. John Conyers (D-MI), in demanding that the director of National Intelligence supply Congress with an accounting of the number of Americans swept up in “incidental” data collection under Section 702. The letter also signaled the increased concern opponents voiced that information was used for non-intelligence purposes (4): “It is clear that Section 702 surveillance programs can and do collect about US persons, on subjects unrelated to counter-terrorism. It is imperative that we understand the size of this impact on US persons as our committee proceeds with the debate on reauthorization.”
Dustin Volz, the Reuters reporter who wrote the story, tied changing attitudes in Congress directly to the current imbroglio over Russian spying and illegal leaks. He wrote (5): “The request comes as some Republican lawmakers, many of whom have stridently defended US surveillance programs in the past, express sudden interest in considering additional privacy safeguards as to how US spy agencies collect and share intelligence that contains information about Americans.”
Beyond the US, the ongoing turmoil has deepened European skepticism over the workability of the US-EU Privacy Shield, which guarantees privacy for EU citizens against government cyber incursions. This agreement provides (6) the legal basis for the huge transfer of data across the Atlantic ($280 billion in services trade), by allowing US companies to self-certify that they are complying with EU security and privacy principles. In February, a group of 17 European human rights organizations petitioned European leaders to force changes in Section 702 or revoke the Privacy Shield. They argued (7) that the breadth of Section 702 authority “served as a loophole for the FBI to collect data for criminal investigations.” The EU will review the US-EU Privacy Shield agreement this summer, with a decision on continuing the pact due in September.
As I have noted before, we are months away from a final decision on Section 702, and as evidenced by the past two months, a lot can happen to influence and change the outcome of a final decision. At this point, the view espoused here is that Section 702 in some form should be reauthorized. But even “crown jewels” may need to be mended and upgraded. The most significant change should come in the current policy to allow data collected under Section 702 for intelligence purposes to be shared with domestic law enforcement. The valid rationale for “incidental” information on US citizens when national security is at issue does not obtain for potential domestic law enforcement activities: There, the Fourth Amendment rights are clearly implicated in such warrantless searches. If pressure from the FBI and other domestic law enforcement agencies proves too strong for a clean break, then at a minimum, a stricter definition of which “serious” crimes might be exempted from Fourth Amendment protections should be crafted (8). Further, in the upcoming debate over Section 702 reauthorization, Congress should educate itself (9) on the exact connection and overlap between “incidental” data collection for valid security purposes and the “incidental” gathering of information for domestic law enforcement purposes. It should also review (10) the policy that allows the information to be available to a wide variety of government actors for a variety of purposes, including suspicionless searches meant to ferret out criminal activity.
Finally, in light of the alleged White House involvement in unmasking US citizens, it has been suggested that White House operatives (the national security adviser) be excluded from the list of personnel with access to the “incidental” data on US citizens. This is certainly a step too far, but it does illustrate the damaging reverberations from the whole Russian hacking/unmasking episode.