One of the most consequential decisions facing U.S. lawmakers this year is whether or not to renew Section 702 of the Foreign Intelligence Surveillance Act. Although the Carter-era FISA is as old as I am, 2008’s Section 702 is a product of the War on Terror and is perhaps best known as the legal basis for the privacy-busting shenanigans exposed by National Security Agency whistleblower Edward Snowden a decade ago.
With Section 702 due to expire at the end of the year unless it is reauthorized, the Privacy and Civil Liberties Oversight Board—which advises the White House—just dropped a major report on the matter. And it will not make easy reading for U.S. Big Tech, nor for Americans in general.
First, the citizens. Section 702 is supposed to only authorize the warrantless surveillance of people outside the U.S., but this new report (PCLOB’s first review of Section 702-based surveillance since 2014) makes clear that the authorized programs “incidentally” collect Americans’ communications all the time, when targeted people communicate with them. Not that any agencies are keeping data on this phenomenon.
The most relevant technique here is “downstream collection” (known as Prism in the Snowden days), which involves forcing a provider like Google to hand over someone’s communications. Both the NSA and the Federal Bureau of Investigation get to make such requests, and PCLOB said in its report that “although all U.S. person queries by the Intelligence Community present privacy and civil liberties risks, FBI’s querying procedures and practices pose the most significant threats to Americans’ privacy.” (This will delight the eyes of Republicans who oppose 702 renewal on the basis of alleged FBI bias, but I’m trying to steer clear of the intra-U.S. political debate here.)
Except in limited circumstances, “government personnel are not required by Section 702 to make any showing of suspicion that the U.S. person is engaged in any form of wrongdoing prior to using a query term associated with that specific U.S. person,” the report continues. “Nor does Section 702 require analysts or agents to seek approval from any judicial authority or other independent entity outside their agency…The government has not demonstrated that such queries [about Americans] have nearly as significant value as the Section 702 program overall.”
The board recommends that the program should be renewed but with changes including a requirement for “individualized and particularized judicial review for all U.S. person query terms.” Problems solved? Well, not so much if you’re looking at this from a non-American perspective.
Here’s where things get tricky for Big Tech. Remember how the EU’s top court has repeatedly blown up tech firms’ legal justifications for sending Europeans’ personal data to the U.S.? That’s largely because of 702-based surveillance programs, which are certain to prove pivotal yet again when EU privacy campaigners challenge the latest EU-U.S. data-sharing agreement, the Trans-Atlantic Data Privacy Framework.
Imagine how the European Court of Justice will react to excerpts from the PCLOB report such as these: “In CY2022, the Section 702 program targeted approximately 246,073 non-U.S. persons located abroad, which represents a 276% increase since CY2013. The surge in Section 702 targeting in recent years increases the privacy and civil liberties risks, both for actual targets and for those whose information has been incidentally or inadvertently collected…The program lacks individualized and particularized judicial review of targeting decisions…This poses risks that targeting can be overbroad or unjustified. These risks are increasing as the target numbers and their associated selectors continue to grow.”
The report also refers to a new, “highly sensitive technique” that the NSA was last year authorized to start using when collecting data about non-Americans directly from U.S. telecommunications networks. Apparently it “involves new privacy risks” and presents “novel and significant legal issues,” which is not going to set anyone’s mind at rest here in Europe.
Max Schrems, the Austrian lawyer-campaigner whose lawsuits sank the Trans-Atlantic Data Privacy Framework’s two predecessors, tells me his challenge to the new framework will commence within weeks. I think it’s fair to say this PCLOB report will give him plenty of ammunition. Even if Section 702 is reauthorized with the board’s recommended reforms to better protect people in the U.S. from American surveillance, Big Tech has much to fear from abroad.
David Meyer