Speaker 0
0:10 – 0:12
Welcome to Tech Talk. Bye.
Speaker 1
0:13 – 0:14
CT. Tea.
Speaker 2
0:15 – 1:39
Welcome to CDT's Tech Talk, where we dish on tech and Internet policy, while also explaining what these policies mean to our daily lives. I'm Brian Wasilowski, and it's time to talk tech. It's been a while since we've talked US government surveillance reform on the show. That's partially because there was an actual legislative win on the front when the USA Freedom Act passed just over a year ago. That bill essentially ended the NSA's bulk collection of Americans' communications records. The timing of the passage of the USA Freedom Act had a fair amount to do with the imminent expiration of section two fifteen of the Patriot Act under which the bulk collection was being conducted. Well, there is another expiring section upon us that is helping advance discussion around the need for greater government surveillance reforms. This one is section seven zero two of the Foreign Intelligence Surveillance Act or FISA of the notorious FISA court. To talk about section seven zero two, what it means and why it should be reformed, I am pleased to welcome two of our surveillance reform smarties to Tech Talk, the esteemed mister Greg Nojime and his brilliant protege, Yaja Butler. Welcome. Thank you. Always great to have you two here. So first, could you tell me a little bit about what section seven zero two of FISA is, what it does, and why it's problematic?
Speaker 0
1:39 – 3:18
Well, that's a loaded question. Yeah. Go for it. All in one quick hit. Section seven zero two authorizes in certain circumstances the warrantless collection and surveillance of electronic communications content. So those circumstances are when you're targeting non US persons located abroad and when a significant purpose of that collection is to gather foreign intelligence information. So on the face of it, it sounds like a really limited authority, but actually it's quite broad, and that's the problem we have with it. So the scope of it is not actually completely limited to just what you would think about when you think of foreign intelligence information. And by that, I mean, this isn't just about counterterrorism. Under the statute itself, the definition of foreign intelligence information is extremely broad, and it can include things that are, for example, related to US foreign affairs, which could mean pretty much anything. So relatedly, in addition to its broad scope, it is used for a lot of purposes that aren't related to foreign intelligence or to national security. Anything that is gathered under section seven zero two, for example, can be used by the FBI to investigate any crime. That crime does not have to be limited to national security or to foreign intelligence. So the statute on its face seems very narrow, very limited, but really it's much broader in scope and much broader in use. And that's something that we want to try to rein in. Brian,
Speaker 1
3:18 – 4:02
section seven zero two, when it was adopted in 02/1988, marked a sea change in surveillance conducted under the Foreign Intelligence Surveillance Act. Prior to this statute, the government had to go in front of a court and prove that it had probable cause that the target of its surveillance was an agent of a foreign power, like a terrorist or a spy. Under this authority, it doesn't have to do that. Under old FISA, there were about 1,500 targets surveillance being conducted is quite broad.
Speaker 2
4:02 – 4:25
And I would assume because this is digital communications that it's obviously not just the foreign agents' communications, but a lot of other people that are either communicating with or kind of, you know, I remember hearing hops away, three hops away? There's no hopping. No hopping? Oh, good.
Speaker 1
4:25 – 5:19
We don't have to worry about explaining hopping. Instead, what happens is the government is targeting a person it believes to be a non American who is abroad, and it starts listening in on that person, or it collects their stored communications, or it does both. Oftentimes, those people will be communicating with people who are Americans. Think about email messages that you send and you cc or bcc 15 people. Right. If one of those people isn't an American, they are eligible for this surveillance. Wow. So it ends up sweeping in the communications of a lot of people in the United States and of a lot of people who are citizens or residents of the United States. And one of the problems is that the government regards that information as lawfully collected and therefore fair game
Speaker 2
5:20 – 5:33
to be used as they please. So could you just tell me a little bit, under section seven zero two, what is the main difference between the surveillance under section two fifteen of USA Freedom?
Speaker 0
5:35 – 6:12
So the difference is both in terms of what is being collected and whom the targets could be. So under section seven zero two, as I said, it is supposed to be geared towards non US persons located abroad, and it gathers electronic communications content. Under section two fifteen, it didn't necessarily have to be a non US person located abroad. In fact, the order that was leaked by Edward Snowden said that it could be entirely domestic. But at that point, they were only collecting telephony metadata. So they weren't collecting actual electronic content under two fifteen.
Speaker 2
6:12 – 6:38
Okay. As someone who lived abroad, I'm definitely thinking about all my correspondence with non US persons on a regular basis. So then that data, say, I was on the cc of an email, that data, how long is it stored? You know, how long would my information, you know, of that correspondence be in this database that, as you're saying, could be searched kind of at any time for non,
Speaker 0
6:38 – 7:45
you know, non related reasons? It really all depends on what you're talking about. So under the current minimization procedures, wholly domestic communications are supposed to be destroyed immediately upon recognition. I think the key there is upon recognition. I don't think that people are actively going out to search and find for domestic communications to throw away. And I think more often than not, there isn't anything that definitively shows that a communication is domestic and without that, they are not entitled to assume that it's domestic. I think all other communications, the phase off period is supposed to be around two to five years depending on how it was collected, whether it was collected upstream or whether it was collected under PRISM. But even then we have exceptions. One of the biggest exceptions that currently exists is the exception for cryptanalysis. So if information that is gathered is encrypted, it can actually be retained for an decipher it, it moves to the other normal phase off period. Think about what that means.
Speaker 1
7:45 – 8:32
What that means is as we move toward more types of encrypted communications, as more and more communications are encrypted as they should be, more and more communications collected in this program will be retained indefinitely. That's why the NSA has to build a data center out in Utah that takes up a significant amount of space, and that is going to be collecting an awful lot of content. To go back to your earlier question, two fifteen, it's about non content, metadata, transactional records, who called whom. This is about content. So it's even more sensitive information, and it's,
Speaker 2
8:34 – 9:08
retained longer. So one of the other things I remember, you know, hearing both of you, more Greg, at this time talking during USA Freedom about, you know, section two fifteen really not being effective. There was no proven example that that mass collection of data or metadata, as you just said, was beneficial. But in this case, I read the comments that you all submitted to the senate on this. And it seems as though you're acknowledging that this program has been effective in some cases. Does that affect your advocacy efforts here? It does.
Speaker 1
9:08 – 9:51
What has been reported is that section seven zero two has been effective in thwarting actual terrorist attacks. And it's been reported not just by the intelligence community, but it's been confirmed by the president's review board, by the PCLOB, and by the best friend of civil liberties, or one of the best friends of civil liberties in the surveillance area in the senate, Ron Wyden. So I think there's strong evidence that it has been effective. That's one of the reasons why we're not saying that congress should do away with this program completely, but we do think it can be narrowed and made more effective by focusing on the bad guys.
Speaker 0
9:52 – 11:03
Right. We really wanted to just become more focused on its purported purposes. Whenever you hear policy makers and, you know, members of congress talk about this program, they talk about it in a counter terrorism and a national security foreign intelligence related context. So why don't we narrow the program to make sure that it is actually focused for those purposes? And I think when it comes to effectiveness, one thing to remember is that, you know, yes, a program can be effective but that doesn't necessarily mean that it's the way we should go. So I'm sure it would be very effective to gather every single email, digital photograph, note that you take on your computer, instant messenger that you have, all of your electronic communications, and just send it right to the NSA so that they can have it just in case. But we as a society have decided that we don't want that. So although our message here isn't let's just completely scrap this program, we certainly want it to be more narrowly tailored, and we want it to be subject to the appropriate level of oversight given the sensitivity of this data that's being gathered. Great. So then, I guess, just to, you know, kind of make it very clear and concrete, what would you say are the three most important reforms that you're asking for,
Speaker 2
11:04 – 11:11
in terms of section seven zero two, especially with the sunset, I guess, about a year away, well, a year and a half away now. I'll do the first one.
Speaker 1
11:12 – 12:21
First, the scope of the surveillance that's authorized should be narrowed. As Yaja was saying at the outset, right now they can wiretap a person who's outside the United States just because they believe the person has information that might be relevant to US foreign policy. That's a lot of information. Think about the person who's protesting, they're in a demonstration in Istanbul against the government. What that person is saying is relevant to US foreign policy because it shows why they're out on the streets, and it gives some indication about the stability of the government. It's relevant to foreign policy? Should it be a reason to wiretap a person just because they're protesting? I don't think so. Often when the program is defended by members of Congress, it's defended as a counterterrorism tool. Well, maybe it should be limited to counterterrorism purposes and to some other more narrowly defined national security purposes. That's one of our reforms.
Speaker 0
12:22 – 13:55
Another one would be limiting what's called about collection. Right now, the government collects communications that are to and from a target, but they've also interpreted section seven zero two to mean that it's okay to collect communications about a target. That means that they're collecting communications surveillance program, but their communication happens to mention the target. That seems a little extreme to us. And it's something that we definitely wanna talk about in terms of the value of that intelligence gathering and whether or not we can get rid of it. And then finally, one of our priorities is to eliminate what's called the backdoor search loophole. And this is where the government, probably the FBI, queries data that is gathered under section seven zero two without a warrant for information about Americans. Now the reason that seven zero two data can be gathered without a warrant is because it's supposed to be focused on non US people located abroad and it's also supposed to be focused on foreign intelligence, you know, national security information. So when the FBI is allowed to query all of this data that gets swept up incidentally through that program for information about Americans, which couldn't have been targeted in the first place through collection, and information that doesn't even involve foreign intelligence or national security, that seems counterintuitive. And it seems to go against the protections that Congress specifically put in the statute when it created this program. So we wanna fix that. It's really a bait and switch.
Speaker 1
13:55 – 14:30
They sold the program as a way to target people who are outside the United States, who aren't Americans, and they said it wouldn't affect Americans. Then they turn around, they have a broad collection against people outside the United States, as I said, 90,000 plus targets. They hold the data for a long time, and then they do the searches of that data based on US person identifiers like your email address, like your phone number, as if congress was telling them, yes, target these people abroad, but really, really,
Speaker 2
14:31 – 15:06
you wanna check to see whether Americans are talking to them. That's not what Congress had in mind. Interesting. So there was actually, you mentioned the backdoor search loophole. There was an amendment to an appropriations bill in the House of Representatives that actually just got voted down last week. And even though it had passed, a similar amendment had passed towards the exact same amendment. I'm not sure, previously. You know, what was this amendment? Did that address the backdoor search loophole that you just mentioned and why did it fail this time? What were the factors that kind of made it turn?
Speaker 0
15:06 – 16:25
Well, the amendment did address the backdoor search loophole. It would have prohibited funds from being used to query section seven zero two data with the US person identifier without a warrant. And that's exactly the type of reform that we've been advocating for. Unfortunately, this amendment came up for a vote at a very tough time in America. We just a few days ago witnessed one of the most brutal terrorist attacks, massacres really, in our recent history in Orlando. And having a vote come up so quickly after a tragedy like that when a lot of members of congress understandably want to make sure that something like that doesn't happen again. It's an incredibly tough sell even if it makes a lot of sense and even if it would not have prevented that attack in the first place. I think another thing that led to its downfall was the fact that the amendment also would have prohibited funds from going towards requesting or requiring companies to supply backdoors to encryption or other security mechanisms into their technology. And, you know, I think a lot of members of congress haven't figured that one out yet. It's obviously really clear where CDT stands. But tying those two things together, I think was another contributing factor for the amendment failing this time around. The thing is,
Speaker 1
16:26 – 17:31
the Orlando attack by Omar Mateen, you know, I don't think it's really related to the section seven zero zero two issue. The government had Mateen in its sights. It had opened an investigation of him based on statements he made that concerned his coworkers. Once the government opens an investigation, it doesn't have to look for your information in these other databases. It can target you directly. Mhmm. And it can go in front of the FISA court and get one of these section two fifteen orders. All they have to do is show that the information that they're seeking, who you communicated with, is relevant to their investigation of you. Well, that should be pretty easily done in a case like this. We don't know whether they used that authority, but again, I don't think it's a reason to vote against this change. Mhmm. I think as Yaja said, it was more an emotional reaction. Sure. Sure. That makes sense. And I know that, actually, Yaja, you're from Florida. So this case,
Speaker 2
17:32 – 18:05
or that massacre really hits you. So, good point to raise. Yeah. Let's pivot a little bit here and talk about privacy shield. So privacy shield, I know that we've been saying here at CDT for a bit that, you know, the reforms when Safe Harbor was struck down, you know, the reforms that Privacy Shield brought about maybe not good enough and that it's really, this statute, section seven zero two that needs to be reformed to address the concerns raised in the Schrems case. Is that true? Yeah. I think that's right. I think that's right.
Speaker 1
18:06 – 19:19
Look, when the European court looks to see whether data that Facebook and Google and Microsoft and the other US providers are transferring from Europe to the United States, they are asking themselves, is that data adequately protected? The companies can protect it themselves to some degree. The companies cannot protect it against the demands by the US government under this program, under section seven zero two. And what the European court will be asking when it examines this issue again is whether US surveillance law meets human rights standards when it comes to the government's demands for this data. And in our view, US law falls short because, again, the purpose of the surveillance can be so broad, and the uses to which the data can be put are also broad. So I think that, you know, privacy shield, it's important to transatlantic trade, but frankly, it's a band aid on a wound that's gonna require a tourniquet.
Speaker 2
19:20 – 19:29
There a lot more needs to be done to reform US surveillance law. So if all the reforms that you're recommending for section seven zero two,
Speaker 1
19:30 – 20:31
happened, do you think then US law would be sufficient? I think it would significantly increase the chance of US law surviving that examination that's going to happen in Europe. You know, we keep talking about Europe, but we also measure US law against the US constitution. Sure. And challenges have been brought to this program, in particular based on this backdoor searching, and the breadth of the collection as well. A lot of those challenges though, they don't go forward because the government makes claims about state secrets and that it can't disclose to a person whether they were actually surveilled. Interesting. Well, the Europeans don't have those same rules. You don't have to prove you were actually surveilled in order to bring the kind of challenge that's being brought to this law. It's not actually a direct challenge to the law. It's a challenge to the finding that the Europeans' data is adequately protected after it's transferred. Yeah. And that's an
Speaker 0
20:38 – 21:21
Schrems decision that a lot of people don't talk about is the fact that in that decision, the CJEU specifically gave standing to all European citizens who may be concerned about what's happening with their data. And they said that if these civilians come forward to their data protection authority and they say, I have these concerns and here's why, that DPA is actually required now to investigate. There are a lot of DPAs in Europe. A lot of attention is about to be paid to seven zero two as it comes up for sunset in December 2017. So a lot more information about this program is about to be released and I suspect a lot more concerns are going to be raised because of that. So how about I get you two into the prediction business, which is always risky?
Speaker 2
21:21 – 21:37
As you said, it is about to sunset in December 2017. Odds are, I mean, not nothing gonna happen this year. Right? Maybe, probably not. What about the prospects for congress doing anything in 2017? Yasha?
Speaker 0
21:40 – 22:15
Oh, gosh. You know, your guess is as good as mine, honestly. I think you're right that in 2016, it's probably not going to happen. We're about to start off with the August recess and we're in an election year. No one's going to really wanna do anything. But as of 2017, you know, all I can say is that we're trying to educate members of Congress as much as we can. We're trying to have our legislative reform proposals ready, and we're trying to talk to a lot of people who we know are going to support us and be on our side. So, hopefully, we'll prevail again just like we did with USA Freedom.
Speaker 1
22:16 – 22:37
I think that we will get some reforms, Brian. I'm not sure how extensive they will be. I kinda doubt that the program will be reauthorized as is. There's been enough data out there to show that it's probably overbroad, can be narrowed, and can be narrowed without making it less effective.
Speaker 2
22:37 – 23:13
Great. Well, of course, I mean, Greg and Yaj's analysis is the way to go. So all policy makers should be reading that, and everyone who wants to influence it should read that. Thank you so much for joining Tech Talk. Always a pleasure to have you both. Thanks for having us. Thank you. That's it for this episode of Tech Talk. Be sure to visit CDT's website, cdt.org, for the latest updates on our government surveillance reform efforts. And also, follow us on Twitter, like us on Facebook, or connect with us on LinkedIn. I'm Brian Wasilowski. Thanks so much for
Speaker 1
23:16 – 23:17
listening.