NSA, Director Of National Intelligence Sued For Zero Day Disclosure Process

San Francisco - The Electronic Frontier Foundation (EFF) today filed a Freedom of Information Act (FOIA) lawsuit against the NSA and the Office of the Director of National Intelligence (ODNI) to gain access to documents showing how intelligence agencies choose whether to disclose software security flaws known as “zero days.”

A zero day is a previously unknown security vulnerability in software or online services that a researcher has discovered, but the developers have not yet had a chance to patch. A thriving market has emerged for these zero days; in some cases governments—including the United States—will purchase these vulnerabilities, which they can use to gain access to targets’ computers.

In April 2014, Bloomberg News published a story alleging that the NSA had secretly exploited the “Heartbleed” bug in the OpenSSL cryptographic library for at least two years before the public learned of the devastating vulnerability. The government strongly denied the report, claiming it had developed a new “Vulnerability Equities Process” for deciding when to share vulnerabilities with companies and the public. The White House’s cybersecurity coordinator further described in a blog post that the government had “established principles to guide agency decision-making” including “a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.” But the substance of those principles has not been shared with the public.

EFF filed a FOIA request for records related to these processes on May 6 but has not yet received any documents, despite ODNI agreeing to expedite the request.

“This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community’s toolset: security vulnerabilities,” EFF Legal Fellow Andrew Crocker said. “These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country.”

Over the last year, U.S. intelligence-gathering techniques have come under great public scrutiny. One controversial element has been how agencies such as the NSA have undermined encryption protocols and used zero days. While an intelligence agency may use a zero day it has discovered or purchased to infiltrate targeted computers or devices, disclosing its existence may result in a patch that will help defend the public against other online adversaries, including identity thieves and foreign governments that may also be aware of the zero day.

“Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors,” Global Policy Analyst Eva Galperin said.

For the complaint:
https://www.eff.org/document/eff-v-nsa-odni-complaint

New York DA Employs 381 Secret Orders To Gather Complete Digital Dossiers From Facebook

This article by Kurt Opsahl originally appeared on the website of the Electronic Frontier Foundation.

Unfortunately, it appears that the lure of bulk surveillance is not just a temptation for the Federal government. Last summer, about a month after new leaks exposed the NSA’s bulk content PRISM program, Cyrus Vance, Jr., the District Attorney for Manhattan, decided to go secretly fishing through 381 Facebook accounts, and wanted to ensure no one was allowed to stop him.

The DA was looking for evidence of disability fraud, and saw Facebook as a treasure trove. Many people put their lives online, sharing their daily ups and downs with a steady stream of photos, comments, and wall posts to friends and family. Perhaps some of them, after claiming a disability, would post a windsurfing selfie or write about their marathon training, and evidence their fraud.

So the DA put together nearly 400 search warrants, which ordered Facebook to provide near total access to the accounts, and gagged the social media giant from informing the users. Facebook reports that this “unprecedented request is by far the largest we’ve ever received — by a magnitude of more than ten.” According to Facebook’s appeals brief, the targets included a cross-section of America “from high schoolers to grandparents, … electricians, school teachers, and members of our armed services.”

Facebook’s brief explains that the warrants sought “information that cannot possibly be relevant to the crimes the Government presumably continues to investigate,” including what “Group” people belong to (and who else is in that group), chat messages, private messages, friends list (including removed friends) and even past and future events. And indeed, for the vast majority of the targets, the information was not relevant to any crime. Only 62 people were ultimately charged.

Sometimes “come back with a warrant” is not enough. The warrant must also conform to constitutional limitations, narrowly seeking evidence of a crime with particularity, based on probable cause. It is not a license for the government to rifle through the private lives of anyone it suspects. As the Supreme Court recognized just yesterday, the Fourth Amendment was the founding generation’s response to the reviled “general warrants” and “writs of assistance” of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity.

Facebook rightly challenged this overbroad pile of warrants. Indeed, it was the only entity that could. The gag order prevented Facebook from giving notice, so none of the users was in a position to assert their constitutional rights, or even know those rights were in danger.

Nevertheless, the DA disputed Facebook’s right to challenge the warrant in court, and the New York State trial court agreed, holding that “it is the Facebook subscribers who could assert an expectation of privacy in their posting, not the digital storage facility, or Facebook.” The court reasoned that this wouldn’t be a problem, because a criminal defendant could move to suppress the evidence before trial.

But what about the users who are never charged? The court never grapples with that issue, perhaps not realizing that ultimately 80% would not be the fraudsters the DA was looking for. Instead, the opinion moves on to justify the non-disclosure provisions by raising the specter of evidence tampering by the users.

Under this pair of holdings, no one is allowed to challenge the authority of the DA in court. Facebook is not allowed and the users don’t know. (Ironically, in an earlier case involving Twitter, the court had found that the user had no rights to challenge the NY DA’s data demand on Twitter). To paraphrase yesterday’s landmark Supreme Court ruling, the Founders did not fight a revolution to gain Fourth Amendment rights that no one can assert.

Facebook has appealed this dangerous precedent, seeking to “invalidate these sweeping warrants and to force the government to return the data it has seized and retained.” And, nearly a year after the warrants issued, the case has been unsealed. But, despite a temporary stay, Facebook was eventually forced to comply, and the DA continues to hold a digital dossier of the lives of over 300 people never charged with a crime.

Facebook’s appeal is well grounded. The Stored Communications Act, upon which the court relied to issue the warrants, specifically allows for service providers to challenge court orders. On the merits, the overly broad warrants go beyond what the Constitution permits by failing to identify with particularity the criminal evidence to be seized, and failing to put in place procedures to protect the privacy of the people whose lives were invaded by the government.

The information cannot be undisclosed, but the New York appeals court can still help right this wrong by overturning the erroneous criminal court decision, quashing the warrants and requiring the DA to destroy the ill-gotten evidence.

Smith v. Maryland Turns 35, But Its Health Is Declining

This article, written by EFF staff attorney Hanni Fakhoury, was originally published June 24 on the EFF website.

The U.S. Supreme Court’s 1979 decision of Smith v. Maryland turned 35 years old last week. Since it was decided, Smith has stood for the idea that people have no expectation of privacy in information they expose to others. Labeled the third party “doctrine” (even by EFF itself), Smith has come up over and over in the debates surrounding electronic surveillance and NSA spying.

But the idea that information exposed to others is no longer private has been oversold. Millions of Americans expect all sorts of things exposed to third parties remain private under state law. And as technology advances and the information we give to ISPs and telcos becomes more and more revealing, even federal courts are beginning to rethink whether Smith is the absolute rule the government claims it should be.

On its 35th birthday, Smith’s vitality is on the decline, and that’s a good thing.

The Smith Decision

In Smith, police requested a telephone company to install a pen register to monitor the phone numbers a robbery suspect dialed. Although police had no warrant or judicial order, the phone company installed the pen register and police monitored the calls for three days. Eventually, Smith was arrested and challenged the government’s use of a pen register as an unreasonable search under the Fourth Amendment.

A Fourth Amendment “search” occurs when the government intrudes on a subjective expectation of privacy that society would consider reasonable. In Smith’s case, the trial and appellate courts rejected his argument that the use of a pen register was a “search.” The Supreme Court agreed to review the case because lower courts had issued conflicting opinions about whether people expect the phone numbers they dial to remain private.

In a 6-3 decision, the Supreme Court rejected Smith’s argument and ruled the use of the pen register wasn’t a “search.”

It found Smith had no subjective expectation of privacy in the dialed phone numbers because he (and everyone else) conveyed those numbers to the phone company in order to have his calls completed. Even if Smith thought the numbers would remain private, the Supreme Court believed society would treat that expectation as unreasonable because the high court had consistently held “that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith relied on an earlier case, United States v. Miller, where the Supreme Court found a bank customer’s deposit and banking records were not private because the customer assumed the risk that someone they shared information with could reveal that same information to another person, including the government. Since Smith had no expectation of privacy in the numbers he dialed, there was no “search” and no need for police to get a warrant to install the pen register.

Three justices dissented, finding that people do have an expectation of privacy in the phone numbers they dial. In a dissent that was ahead of its time, Justice Potter Stewart wrote that phone numbers were an “integral part” of communication and a part of the “content” of the communication itself. And Justice Thurgood Marshall noted “privacy is not a discrete commodity, possessed absolutely or not at all.”

Smith’s Aftermath

After Smith, the government continued to press the idea that people have no expectation of privacy in information exposed to others, and the Supreme Court accepted this in many contexts. In California v. Greenwood, for example, the Supreme Court ruled that people have no expectation of privacy in garbage they leave on the side of the road for pickup because animals or scavengers could access the contents. And in California v. Ciraolo, the Court ruled police could fly a plane over someone’s fenced-in backyard and look in without a warrant because homeowners expose their backyards to overhead aerial observation.

Miller, Smith and Greenwood were all decided under the Fourth Amendment, which applies to state and federal law enforcement throughout the United States. But these decisions were met with resistance by states who believed their citizens’ bank records, the phone numbers they dial and the trash they left on the side of the road are presumably private, even if possibly exposed to other people in limited contexts. As a result, state courts began issuing opinions disagreeing with these Supreme Court decisions and interpreting their state constitutions to provide stronger privacy protections than the Fourth Amendment. In states like Florida, Pennsylvania and Utah, customers have an expectation of privacy in their bank records. Residents of California, Colorado and Illinois have an expectation of privacy in their phone records. And in Hawaii, New Hampshire and New Mexico, people have an expectation of privacy in the garbage they leave for pickup.

Taken together, approximately 36 percent of the United States population has an expectation of privacy in either their bank records, phone records or garbage under state law. Residents of California and New Jersey—approximately 47 million people—have an expectation of privacy in all three.

Smith in the 21st Century

It’s doubtful the justices would have predicted that their narrow decision upholding the warrantless collection of the phone numbers one person dialed over three days would be stretched to justify forms of electronic surveillance that would have been the stuff of science fiction in 1979. Unfortunately, Smith has been used to justify all sorts of surveillance, from the FBI seeking Twitter account information and the police tracking a cell phone’s past locations to the NSA’s bulk collection of telephone metadata and Internet communications.

But as technology that creates and collects vast amounts of data about those who use it becomes commonplace, courts are starting to push back.

In 2007, the New Jersey Supreme Court ruled people have an expectation of privacy in Internet subscriber records. In 2010, the federal Sixth Circuit Court of Appeals—which includes Kentucky, Michigan, Ohio and Tennessee—ruled in United States v. Warshak that people have an expectation of privacy in email stored with an online service provider.

Then in 2012, Supreme Court Justice Sonia Sotomayor’s concurring opinion in United States v. Jones, which involved the constitutionality of installing a GPS device onto a car, sent a strong signal to courts that it was time to “reconsider” Smith. She found the idea that people have no expectation of privacy in information they turn over to others was “ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

After Jones, state and federal courts have increasingly rejected the government’s attempts to extend Smith to new forms of data. Just last week, the Eleventh Circuit Court of Appeals—which covers Alabama, Florida and Georgia—ruled in United States v. Davis that people have an expectation of privacy in “even one point of cell site location data.” Disagreeing with a 2013 decision from the Fifth Circuit Court of Appeals, it distinguished Smith by noting that cell phone users don’t voluntarily convey their location because they don’t realize their location will be revealed to the cell phone company when they make a call, and because users have no choice about what information they reveal when they receive a call from someone else. The state courts of Massachusetts and New Jersey reached the same result under their state constitutions. Several states have passed legislation that requires police to obtain a search warrant to track a person’s location through their cell phone. And it’s likely that in states like California, where there is an expectation of privacy in dialed phone numbers, people would also have an expectation of privacy in cell site location info too.

When it comes to using Smith to justify the NSA’s bulk collection of phone records, courts have issued conflicting opinions. A New York federal judge ruled the program was constitutional under Smith while another federal judge in DC, Judge Richard Leon, ruled the seizure of phone records was likely unconstitutional, noting it was foolish to compare the limited use of the pen register in Smith with the NSA’s enormous data collection. Most recently, a federal judge in Idaho reviewing the NSA’s phone records program believed it was bound to follow Smith but hoped that Judge Leon’s opinion would “serve as a template for a Supreme Court opinion.”

Not All or Nothing

Despite these varying standards, it’s clear that Justice Marshall was correct in his Smith dissent when he noted that privacy is not an all or nothing commodity. Most Americans expect their bank records or the phone numbers they dial are private, and many Americans live in states that provide constitutional protection to that information. An increasing number of law enforcement agencies throughout the United States must use a search warrant to get cell site records from a cell phone company under state and, increasingly, federal law.

Ultimately, as more people have a subjective expectation of privacy in information exposed to others, these expectations also become ones that society is prepared to accept as reasonable. And if that’s the case, then the Fourth Amendment should recognize that expectation of privacy as reasonable too. In other words, as more people do have an expectation of privacy in information they’ve turned over to third parties, it’s the Smith decision, and not the expectation of privacy, that becomes unreasonable.

EFF: Wants You To Help Defeat The NSA

This post, written by activist Nadia Kayyali, was originally published on the EFF website.

The NSA may seem like an intimidating giant, but it has a serious Achilles’ heel—the enormous budget it claims from taxpayer dollars every year. While change to the actual words of the laws that govern NSA surveillance seems to be a difficult task, a group of representatives have decided to take the battle to the bank.

Within the next few days, the House of Representatives will be considering the 2015 Department of Defense Appropriations bill, H.R. 4870. Rep. Thomas Massie and Rep. Zoe Lofgren have introduced a bipartisan amendment to the bill to prohibit use of appropriated funds for certain types of surveillance, creating real change to NSA spying. The amendment has the support of civil liberties advocates and Internet companies. But the House needs to hear from you. Tell your representative to vote yes on the Massie-Lofgren amendment.

How is this unfolding? Every year, Congress votes on the Defense Appropriations Act, which funds the Department of Defense. Every year, this bill also makes substantive policy through prohibiting or placing conditions on funding.

Last year, a bipartisan group of representatives introduced the so-called “Amash amendment” (named after co-sponsor Rep. Justin Amash) that would’ve prohibited funding for Section 215 bulk collection of telephone records, instead limiting collection to “tangible things that pertain to a person who is the subject of an investigation.” Though it garnered incredibly strong support from both sides of the aisle, the Amash amendment did not pass. The final vote was very close: 205 in favor, 217 against. In other words, if just seven representatives had changed their votes from “no” to “yes,” the amendment would’ve passed.

Fortunately, after more than a year of disturbing NSA revelations, civil liberties defenders in Congress are taking another stab at severing funding for mass spying. The 2015 Defense Appropriations bill is on its way to the full House and an exciting amendment that would limit use of funds for some of the worst NSA abuses will be up for a vote.

The USA FREEDOM debate has focused on Section 215, but there are other problems with NSA spying. In particular, NSA collects contents of communications under Section 702 of the FISA Amendments Act, and has acknowledged that it searches this information without a warrant for the communications of Americans (a practice known as “backdoor searches”). Furthermore, leaked documents have shown that the NSA was engineering backdoors into products and services, from encryption software to online communications tools like Skype—something that weakens the Internet and American business. The Massie-Lofgren amendment would prohibit use of the bill’s funds for both of these purposes.

The vote last year showed us that this amendment truly does have a chance to pass. Seven flipped votes is nothing, in Congressional terms. And where might those seven votes come from? It could be from either party. A look at the numbers shows support for the Amash amendment crossed party lines—the ayes were 94 Republican and 111 Democrat. The votes against, though, came reliably from NSA defenders like Reps. Mike Rogers and Nancy Pelosi.

That’s why you need to contact your representative now. Regardless of what party your representative belongs to, they need to know that NSA reform—in the form of the Massie-Lofgren amendment—is a key issue. This is not about political parties. It is about respecting the Constitution, and protecting privacy and civil liberties.

The vote happens within the next few days. There isn’t time to send emails. If you want your Representative to support this amendment, you must call rather than email. Call now.

Flawed Priorities Reflected In Updated U.S. ‘Trade Objectives’

This analysis was written by Maira Sutton, a global policy analyst at the Electronic Frontier Foundation.

The Office of the United States Trade Representative published its updated objectives for the Trans-Pacific Partnership (TPP) agreement, including its priorities in the Intellectual Property (IP) chapter of the multilateral trade agreement. Its new objectives in copyright enforcement mostly contain some vague rhetorical changes while continuing to bolster bloated claims about the necessity of IP enforcement for the U.S. economy without any commitment to protecting users’ rights. The U.S. Trade Rep’s language reflects the underlying, ongoing problem with the executive agency’s misplaced priorities on negotiating international trade deals.

Exaggerated Claims of Importance of “IP-Intensive Industries”

The U.S. Trade Rep starts off the “Intellectual Property” section by claiming how vital its enforcement is to economic growth and jobs by citing a dubious 2-year-old report from the U.S. Patent Trade Office (USPTO). This report, called the Intellectual Property and the U.S. Economy: Industries in Focus, is often referenced by State officials to claim how reliant the U.S. economy is on copyrights and patents.

For starters, the USPTO defines any “IP-intensive” job to cover anything that remotely benefits from copyright, patent, or trademark protection. Under this definition, bagging at a grocery store, repairing cars, or even manufacturing can all be deemed jobs that are protected by IP. It goes on to say that such jobs that are “directly or indirectly attributable” to intellectual property “pay higher wages to their workers” without citing evidence. Unless the folks at the U.S. Trade Rep’s office know of some particularly well-paid workers at U.S. grocery stores, we’re going to call foul on this claim. Where is the data that backs this sweeping statement?

Such inflated statements reflect one of the biggest problems with the U.S. Trade Rep: they continue to justify expanding copyright and patent enforcement without any grounding in factual analysis of their policies. Of course, these grandiose statements of public benefit are only used to thinly veil the actual benefactors of their policies: the big, corporate rightsholders who are influencing the priorities of the U.S. Trade Rep.

Restrictive Definition of Fair Use

As we have seen from the leaked November 2013 draft text of the “Intellectual Property” chapter, the agreement holds weak safeguards for fair use rights in the form of a restrictive “Three-Step Test” system, which can be used to limit how countries establish rights for users to use, modify, and access copyrighted works.

It is welcome that the U.S. Trade Rep is explicit about seeking any sort of fair use rights for users. But the language here reveals the trade office’s position that a “balance” in copyright systems can be achieved by simply having an enumerated list of exceptions to the overarching rule that creative works are locked up and controlled by rightsholders. Since their first priority is the “strong protection for patents, trademarks, [and] copyrights,” it seems the U.S. Trade Rep itself should also call for the explicit defense of users’ rights against the encroachment of over-expansive IP rights so it itself maintains a balance of priorities.

Selective Transparency for “Intellectual Property” Issues

Strangely, it commits to promoting “transparency and due process,” but only with respect to “trademarks and geographical indications.” Are they admitting that they do not seek the same principles when it comes to copyrights and patents? Based upon the November 2013 leak, the U.S. Trade Rep already fails to uphold these values in its proposed texts on Internet Service Provider (ISP) liability provisions and digital rights management (DRM). They have been calling for draconian measures for private firms and law enforcement to crack down on users’ activities, often without a requirement of judicial oversight or disclosure of takedown processes.

Safeguards in its ISP Liability and DRM Proposals

The last listed priority does give us the tiniest glimmer of hope that the U.S. Trade Rep is taking into consideration the concerns of start-ups and new tech businesses. They now claim to seek safe harbor protections for ISPs and provisions over technological protection measures (aka DRM) that will “foster new business models and legitimate commerce in the digital environment.” Although vague, it is reassuring that they are at least giving acknowledgement to creators and innovators who are threatened by existing copyright enforcement measures. In this case too, the last leaked text revealed that the U.S. Trade Rep’s proposals are still vastly inconsistent with this particular priority.

~

All in all, these updated IP objectives reflect a subtle positive shift in the U.S. Trade Rep’s rhetoric around copyright and patent enforcement in acknowledging that there must be some sort of balance in their proposals. But none of this matters if it is not reflected in the proposals they are pushing forth in the TPP negotiations. There’s no way of confirming whether the U.S. Trade Rep is upholding these priorities until it conducts its policymaking transparently and reveals the text to the public—unless of course, there is another leaked draft. This secrecy and lack of oversight has been, and continues to be, the fundamental curse that undermines the legitimacy of TPP and similar trade deals.

There are now several reports that the next TPP negotiation round will be held in Vancouver from July 3-12. This will be an opportunity for the U.S. Trade Rep to re-think its approach to copyright and patent policies, and to uphold some of these stated new priorities that include other considerations beyond the narrow, relentless objective of enforcing rightsholders’ monopolistic control over creative works. Given the U.S. Trade Rep’s shameful history of acting on behalf of corporate interests at the expense of the public interest however, we won’t be holding our breath.

EFF: On 6/5, 65 Things We Know About NSA Surveillance That We Didn’t Know a Year Ago

This post, written by Electronic Frontier Foundation activist Nadia Kayyali and international rights director Katitza Rodriguez, originally appeared on EFF’s website on June 5.

It’s been one year since The Guardian first published the Foreign Intelligence Surveillance Court order, leaked by former National Security Agency contractor Edward Snowden, that demonstrated that the NSA was conducting dragnet surveillance on millions of innocent people. Since then, the onslaught of disturbing revelations — from disclosures, admissions from government officials, Freedom of Information Act requests and lawsuits — has been nonstop. On the anniversary of that first leak, here are 65 things we know about NSA spying that we did not know a year ago:

1. We saw an example of the court orders that authorize the NSA to collect virtually every phone call record in the United States — that’s who you call, who calls you, when, for how long and sometimes where.

2. We saw NSA PowerPoint slides documenting how the NSA conducts “upstream” collection, gathering intelligence information directly from the infrastructure of telecommunications providers.

3. The NSA has created a “content dragnet” by asserting that it can intercept not only communications where a target is a party to a communication but also communications “about a target, even if the target isn’t a party to the communication.”

4. The NSA has confirmed that it is searching data collected under Section 702 of the FISA Amendments Act to access Americans’ communications without a warrant, in what Senator Ron Wyden called the “back door search loophole.”

5. Although the NSA has repeatedly stated it does not target Americans, its own documents show that searches of data collected under Section 702 are designed simply to determine with 51 percent confidence a target’s “foreignness.”

6. If the NSA does not determine a target’s foreignness, it will not stop spying on that target. Instead, the NSA will presume that target to be foreign unless the target “can be positively identified as a United States person.”

7. A leaked internal NSA audit detailed 2,776 violations of rules or court orders in just a one-year period.

8. Hackers at the NSA target sysadmins, regardless of the fact that these sysadmins themselves may be completely innocent of any wrongdoing.

9. The NSA and CIA infiltrated games and online communities like “World of Warcraft” and Second Life to gather data and conduct surveillance.

10. The government has destroyed evidence in the Electronic Frontier Foundation’s cases against NSA spying. This is incredibly ironic, considering that the government has also claimed EFF’s clients need this evidence to prove standing.

11. Director of National Intelligence James Clapper lied to Congress when asked directly by Senator Ron Wyden whether the NSA was gathering any sort of data on millions of Americans.

12. Microsoft, like other companies, has cooperated closely with the FBI to allow the NSA to “circumvent its encryption and gain access to users’ data.”

13. The intelligence budget in 2013 alone was $52.6 billion. This number was revealed by a leaked document, not by the government. Of that budget, $10.8 billion went to the NSA. That’s approximately $167 per person in the United States.

14. The FISC has issued orders that allow the NSA to share raw data — without personally identifying information stripped out — with the FBI, CIA, and the National Counterterrorism Center.

15. Pursuant to a memorandum of understanding, the NSA regularly shares raw data with Israel without stripping out personally identifying information about U.S. persons.

16. The Snowden disclosures have made it clear the Barack Obama Administration misled the Supreme Court about key issues in the American Civil Liberties Union’s case against NSA spying, Clapper v. Amnesty International, leading to the dismissal of the case for lack of standing.

17. The NSA “hacked into Al Jazeera’s internal communications system.” NSA documents stated that “selected targets had ‘high potential as sources of intelligence.’”

18. The NSA used supposedly anonymous Google cookies as beacons for surveillance, helping it to track individual users.

19. The NSA “intercepts ‘millions of images per day’ — including about 55,000 ‘facial recognition quality images’” and processes them with powerful facial recognition software.

20. The NSA facial recognition program “can now compare spy satellite photographs with intercepted personal photographs taken outdoors to determine the location.”

21. Although most NSA reform has focused on Section 215 of the PATRIOT Act, and most advocates have also pushed for reform of Section 702 of the FISA Amendments Act, some of the worst NSA spying happens under the authority of Executive Order 12333, which Obama could repeal or modify today.

22. The NSA collected Americans’ cellphone location information for two years as part of a pilot project to see how it could use such information in its massive databases.

23. In one month, March 2013, the NSA collected 97 billion pieces of intelligence from computer networks worldwide, including 3 billion pieces of intelligence from U.S. computer networks.

24. The NSA has targeted Tor, a set of tools that allow Internet users to browse the Internet anonymously.

25. The NSA program MUSCULAR infiltrates links between the global data centers of technology companies such as Google and Yahoo. Many companies have responded to MUSCULAR by encrypting traffic over their internal networks.

26. The XKEYSCORE program analyzes emails, online chats and the browsing histories of millions of individuals anywhere in the world.

27. NSA undermines the encryption tools relied upon by ordinary users, companies, financial institutions, targets and non-targets as part of BULLRUN, an unparalleled effort to weaken the security of all Internet users, including you.

28. The NSA’s Dishfire operation has collected 200 million text messages daily from users around the globe, which can be used to extract valuable information such as location data, contact retrievals, credit card details, missed call alerts, roaming alerts (which indicate border crossings), electronic business cards, credit card payment notifications, travel itinerary alerts and meeting information.

29. Under the CO-TRAVELER operation, the U.S. collects location information from global cell towers, Wi-Fi and GPS hubs, which is then analyzed over time, in part in order to determine a target’s traveling companions.

30. A 2004 memo entitled “DEA-The ‘Other’ Warfighter” states that the Drug Enforcement Administration and the NSA “enjoy a vibrant two-way information-sharing relationship.”

31. When the DEA acts on information its Special Operations Division receives from the NSA, it cloaks the source of the information through “parallel construction,” going through the charade of recreating an imaginary investigation to hide the source of the tip, not only from the defendant, but from the court. This was intended to ensure that no court rules on the legality or scope of how NSA data is used in ordinary investigations.

32. The fruits of NSA surveillance routinely end up in the hands of the Internal Revenue Service. Like the DEA, the IRS uses parallel construction to cloak the source of the tip.

33. Even the President’s handpicked Privacy and Civil Liberties Oversight Board recommended that the government end Section 215 mass telephone records collection, because that collection is ineffective, illegal and likely unconstitutional.

34. The NSA has plans to infect potentially millions of computers with malware implants as part of its Tailored Access Operations.

35. The NSA had a secret $10 million contract with security firm RSA to create a “back door” in the company’s widely used encryption products.

36. The NSA tracked access to porn and gathered other sexually explicit information “as part of a proposed plan to harm the reputations of those whom the agency believes are radicalizing others through incendiary speeches.”

37. The NSA and its partners exploited mobile apps, such as the popular “Angry Birds” game, to access users’ private information such as location, home address, gender and more.

38. The Washington Post revealed that the NSA harvests “hundreds of millions of contact lists from personal email and instant messaging accounts around the world, many of them belonging to Americans.”

Many of the Snowden revelations have concerned the NSA’s activities overseas, as well as the activities of some of the NSA’s closest allies, such as its UK counterpart Government Communications Headquarters (GCHQ). Some of these have been cooperative ventures. In particular, the “Five Eyes” — the United States, New Zealand, Australia, the United Kingdom, and Canada — share citizen data among themselves, providing loopholes that might undermine national legislation.

39. The NSA paid its British counterpart GCHQ $155 million over the past three years “to secure access to and influence over Britain’s intelligence gathering programmes.”

40. The Guardian reported: “In one six-month period in 2008 alone, [GCHQ] collected webcam imagery — including substantial quantities of sexually explicit communications — from more than 1.8-million Yahoo user accounts globally.”

41. GCHQ used malware to compromise networks belonging to the Belgian telecommunications company Belgacom.

42. Major telecommunications companies including BT, Vodafone and Verizon Business have given GCHQ unlimited access to their fiber-optic cables.

43. GCHQ used distributed denial-of-service (DDoS) attacks and other methods to interrupt Anonymous and LulzSec communications, including communications of people not charged with any crime.

44. GCHQ’s Bude station monitored leaders from the EU, Germany and Israel. It also targeted non-governmental organizations such as Doctors of the World.

45. The NSA’s partner Down Under, the Australian Signals Directorate, has been implicated in breaches of attorney-client privileged communications, undermining a foundational principle of our shared criminal justice system.

46. Australian intelligence officials spied on the cellphones of Indonesian cabinet ministers and President Susilo Bambang.

47. In 2008, Australia offered to share its citizens’ raw information with intelligence partners.

48. The Communications Security Establishment Canada (CSEC) helped the NSA spy on political officials during the G-20 meeting in Canada.

49. CSEC and the Canadian Security Intelligence Service (CSIS) were recently rebuked by a Federal court judge for misleading him in a warrant application five years ago with respect to their use of Five Eyes resources in order to track Canadians abroad.

Ironically, some of the NSA’s operations have been targeted at countries that have worked directly with the agency in other instances. And some simply seemed unnecessary and disproportionate.  

50. NSA documents show that not all governments are clear about their own level of cooperation with the NSA. As The Intercept reports, “Few, if any, elected leaders have any knowledge of the surveillance.”

51. The NSA is intercepting, recording and archiving every single cellphone call in the Bahamas.

52. The NSA monitored phone calls of at least 35 world leaders.

53. The NSA spied on French diplomats in Washington and at the U.N.

54. The NSA hacked into Chinese company Huawei’s networks and stole its source code.

55. The NSA bugged EU embassies in both New York and Washington. It copied hard drives from the New York office of the EU, and tapped the internal computer network from the Washington embassies.

56. The NSA collected the metadata of more than 45 million Italian phone calls over a 30-day period. It also maintained monitoring sites in Rome and Milan.

57. The NSA stored data from approximately 500 million German communications connections per month.

58. The NSA collected data from more than 60 million Spanish telephone calls over a 30-day period in late 2012 and early 2013 and spied on members of the Spanish government.

59. The NSA collected data from more than 70 million French telephone calls over a 30-day period in late 2012 and early 2013.

60. The Hindu reported that, based on NSA documents: “In the overall list of countries spied on by NSA programs, India stands at fifth place.”

61. The NSA hacked into former Mexican President Felipe Calderon’s official email account.

62. The Guardian reported: “The NSA has, for years, systematically tapped into the Brazilian telecommunication network and indiscriminately intercepted, collected and stored the email and telephone records of millions of Brazilians.”

63. The NSA monitored emails (link in Portuguese), telephone calls and text messages of Brazilian President Dilma Rousseff and her top aides.

64. Germany’s intelligence agencies cooperated with the NSA and implemented the NSA’s XKeyscore program, while NSA was in turn spying on German leaders.

65. Norwegian daily Dagbladet reported (link in Norwegian) that the NSA acquired data on 33 million Norwegian cellphone calls in one 30-day period.

There’s no question that the international relationships Obama pledged to repair, as well as the confidence of the American people in their privacy and Constitutional rights, have been damaged by the NSA’s dragnet surveillance. But one year later, both the United States and international governments have not taken the steps necessary to ensure that this surveillance ends. That’s why everyone must take action: Contact your elected representative, join Reset the Net and learn about how international law applies to U.S. surveillance today. 

NSA Defenders Ought To Stop Making These Five Claims If They Wish To Remain Credible

This post, written by EFF legal director Cindy Cohn and activist Nadia Kayyali, originally appeared on the foundation’s website on June 2.

Over the past year, as the Snowden revelations have rolled out, the government and its apologists have developed a set of talking points about mass spying that the public has now heard over and over again. From the President, to Hillary Clinton to Rep. Mike Rogers, Sen. Dianne Feinstein and many others, the arguments are often eerily similar.

But as we approach the one year anniversary, it’s time to call out the key claims that have been thoroughly debunked and insist that the NSA apologists retire them.

So if you hear any one of these in the future, you can tell yourself straight up: “this person isn’t credible,” and look elsewhere for current information about the NSA spying. And if these are still in your talking points (you know who you are) it’s time to retire them if you want to remain credible. And next time, the talking points should stand the test of time.

1. The NSA has Stopped 54 Terrorist Attacks with Mass Spying

The discredited claim

NSA defenders have thrown out many claims about how NSA surveillance has protected us from terrorists, including repeatedly declaring that it has thwarted 54 plots.  Rep. Mike Rogers says it often. Only weeks after the first Snowden leak, US President Barack Obama claimed: “We know of at least 50 threats that have been averted” because of the NSA’s spy powers. Former NSA Director Gen. Keith Alexander also repeatedly claimed that those programs thwarted 54 different attacks.

Others, including former Vice President Dick Cheney, have claimed that had the bulk spying programs been in place, the government could have stopped the 9/11 bombings, specifically noting that the government needed the program to locate Khalid al Mihdhar, a hijacker who was living in San Diego.

Why it’s not credible:

These claims have been thoroughly debunked.  First, the claim that the information stopped 54 terrorist plots fell completely apart.  In dramatic Congressional testimony, Sen. Leahy forced a formal retraction from NSA Director Alexander in October, 2013:

“Would you agree that the 54 cases that keep getting cited by the administration were not all plots, and of the 54, only 13 had some nexus to the U.S.?” Leahy said at the hearing. “Would you agree with that, yes or no?”

“Yes,” Alexander replied, without elaborating.

But that didn’t stop the apologists. We keep hearing the “54 plots” line to this day.

As for 9/11, sadly, the same is true.  The government did not need additional mass collection capabilities, like the mass phone records programs, to find al Mihdhar in San Diego.  As ProPublica noted, quoting Bob Graham, the former chair of the Senate Intelligence Committee:

U.S. intelligence agencies knew the identity of the hijacker in question, Saudi national Khalid al Mihdhar, long before 9/11 and had the ability to find him, but they failed to do so.

“There were plenty of opportunities without having to rely on this metadata system for the FBI and intelligence agencies to have located Mihdhar,” says former Senator Bob Graham, the Florida Democrat who extensively investigated 9/11 as chairman of the Senate’s intelligence committee.

Moreover, Peter Bergen and a team at the New America Foundation dug into the government’s claims about plots in America, including studying over 225 individuals recruited by al Qaeda and similar groups in the United States and charged with terrorism,  and concluded:

Our review of the government’s claims about the role that NSA “bulk” surveillance of phone and email communications records has had in keeping the United States safe from terrorism shows that these claims are overblown and even misleading…

When backed into a corner, the government’s apologists cite the capture of Zazi, the so-called New York subway bomber. However, in that case, the Associated Press reported that the government could have easily stopped the plot without the NSA program, under authorities that comply with the Constitution. Sens. Ron Wyden and Mark Udall have been saying this for a long time.

Both of the President’s hand-picked advisors on mass surveillance concur about the telephone records collection. The President’s Review Board issued a report in which it stated “the information contributed to terrorist investigations by the use of section 215 telephony meta-data was not essential to preventing attacks.” The Privacy and Civil Liberties Oversight Board (PCLOB) also issued a report in which it stated, “we have not identified a single instance involving a threat to the United States in which [bulk collection under Section 215 of the Patriot Act] made a concrete difference in the outcome of a counterterrorism investigation.”

And in an amicus brief in EFF’s case First Unitarian Church of Los Angeles v. the NSA, Sens. Ron Wyden, Mark Udall, and Martin Heinrich stated that, while the administration has claimed that bulk collection is necessary to prevent terrorism, they “have reviewed the bulk-collection program extensively, and none of the claims appears to hold up to scrutiny.”

Even former top NSA official John Inglis admitted that the phone records program has not stopped any terrorist attacks aimed at the US and at most, helped catch one guy who shipped about $8,000 to a Somalian group that the US has designated as a terrorist group but that has never even remotely been involved in any attacks aimed at the US.

2. Just collecting call detail records isn’t a big deal.

The discredited claim

The argument goes like this: Metadata can’t be privacy invasive, isn’t very useful and therefore its collection isn’t dangerous—so the Constitution shouldn’t protect it.  Even the President said, “what the intelligence community is doing is looking at phone numbers and durations of calls. They are not looking at people’s names, and they’re not looking at content”—as if that means there is no privacy protection for this information.

Why it’s not credible:

As former director of the NSA and CIA Michael Hayden recently admitted: “We kill people based on metadata.”  And former NSA General Counsel Stu Baker said: “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”

In fact, a Stanford study this year demonstrated exactly what you can reconstruct using metadata: “We were able to infer medical conditions, firearm ownership, and more, using solely phone metadata.” Metadata can show what your religion is, if you went to get an abortion, and other incredibly private details of your life.

3. There Have Been No Abuses of Power

The discredited claim

President Obama stated in an interview that “there are no allegations, and I am very confident —knowing the NSA and how they operate — that purposefully somebody is out there trying to abuse this program…” And General Alexander stated in a speech that “We get all these allegations of [abuses of power] but when people check… they find zero times that that’s happened. And that’s no bullshit. Those are facts.”

Why it’s not credible:

We already have evidence of abuses of power. We know that NSA analysts were using their surveillance powers to track their ex-wives and husbands, and other love interests. They even had a name for it, LOVEINT. The FISA court has also cited the NSA for violating or ignoring court orders for years at a time. And those are just self-reported abuses – the only oversight that occurs is that the NSA investigates itself and reports on the honor system to Congress or the FISC about what it finds. A real independent investigation might reveal even more. Unfortunately, until we get something like a new Church Committee, we are unlikely to see such details.

4. Invading Privacy is Okay Because It’s Done to Prevent Terrorist Attacks

The discredited claim

We keep hearing the same thing: Surveillance is a “critical tool in protecting the nation from terror threats.” When we reform the NSA, it must be done in a way that “protect[s] the operational capability of a critical counterterrorism tool.” The implication is that stopping terrorist attacks is the government’s only goal.

Why it’s not credible:

We know that NSA surveillance is not used just for stopping terrorists and it’s not even just used for national security.

The Intercept recently revealed leaks detailing the NSA’s role in the “war on drugs”—in particular, a 2004 memo detailing how the NSA has redefined narcotics trafficking as a national security issue. We also know that the NSA feeds data to the DEA, where it ends up playing a part in ordinary law enforcement investigations. And internationally, the NSA engages in economic espionage and diplomatic spying, something detailed in Glenn Greenwald’s recent book No Place to Hide.

5. There’s Plenty of Oversight From Congress, the Foreign Intelligence Surveillance Court, and Agency Watchdogs

The discredited claim

We’ve repeatedly heard from the President and from NSA defenders like Sen. Dianne Feinstein and Rep. Mike Rogers that Congress knows all about NSA spying. Right after the first Snowden leak, President Obama said: “your duly elected representatives have been consistently informed on exactly what we’re doing.” We’ve also heard that a court has approved these programs, so we shouldn’t be concerned.

Why it’s not credible:

EFF and others have long documented that Congress has an incredibly hard time getting information about NSA spying. And it’s not just Congress. We learned a few months ago that the Department of Defense’s deputy Inspector General, in charge of Intelligence and Special Program Assessments, was not aware of the call detail collection program.

What’s more, the secretive Foreign Intelligence Surveillance Court (FISC) is completely incomparable to an ordinary adversarial court. It makes decisions in a vacuum, and it doesn’t always have complete information, much less a second adversarial voice or technical help. Its chief judge has said that it’s not equipped to conduct oversight. EFF recently had to tell the court that its Jewel v. NSA case even existed – the government had apparently decided that it didn’t have to. We also know that the FISC isn’t much of a block, since in 11 years “the court has denied just 10 applications, and modified several dozen, while approving more than 15,000.”

So why are we giving up our rights?

It’s time for NSA and its supporters to admit what we all know is true: what is at stake in this debate is the simple ability for any of us—in the US or around the world—to be able to use the Internet without fear of surveillance. They continue to be willing to overstate their case in order to scare us into allowing them to continue to  “collect it all.”  But the American people are getting wise and the media are increasingly double-checking their claims. As a result, more Americans than ever now say that the NSA has gone too far and those tired old stories are starting to wear thin.

That’s why it’s time to tell Congress that these excuses won’t work anymore. Right now, Congress is considering legislation that could be a first step to reining in NSA mass spying. But there’s a contentious political battle taking place on Capitol Hill, with NSA defenders pushing a weaker version of the reform bill while civil liberties groups campaign for powerful reform. Please add your voice and call on the Senate to pass real NSA reform.

Civil Liberties Groups Blast House’s ‘Gutted’ USA Freedom Act

EFF and Other Civil Liberties Organizations Call on Congress to Support Uncompromising Reform

This post, written by Legislative Analyst Mark Jaycox, Activist Nadia Kayyali and Staff Attorney Lee Tien, was originally published by the Electronic Frontier Foundation on May 20.

Since the introduction of the USA FREEDOM Act, a bill that has over 140 cosponsors, Congress has been clear about its intent: ending the mass collection of Americans’ calling records. Many members of Congress, the President’s own review group on NSA activities, and the Privacy and Civil Liberties Oversight Board all agree that the use of Section 215 to collect Americans’ calling records must stop. On Tuesday, House Leadership reached an agreement to amend the bipartisan USA FREEDOM Act in ways that severely weaken the bill, potentially allowing bulk surveillance of records to continue. The Electronic Frontier Foundation cannot support a bill that doesn’t achieve the goal of ending mass spying. We urge Congress to support uncompromising NSA reform and we look forward to working on the Senate’s bipartisan version of the USA FREEDOM Act.

Passing the bill out of the Judiciary Committee for a vote on the House floor is an important sign that Representatives Bob Goodlatte, Jim Sensenbrenner, and other leaders of the House are engaging in a conversation over NSA reform. We are glad that the House added a clause to the bill clarifying the content of communications cannot be obtained with Section 215. Unfortunately, the bill’s changed definitions, the lack of substantial reform to Section 702 of the Foreign Intelligence Surveillance Amendments Act, and the inability to introduce a special advocate in the FISA Court severely weaken the bill.

In particular, we are concerned with the new definition of “specific selection term,” which describes and limits who or what the NSA is allowed to surveil. The new definition is incredibly more expansive than previous definitions. Less than a week ago, the definition was simply “a term used to uniquely describe a person, entity, or account.” While that definition was imperfect, the new version is far broader. The new version not only adds the undefined words “address” and “device,” but makes the list of potential selection terms open-ended by using the term “such as.” Congress has been clear that it wishes to end bulk collection, but given the government’s history of twisted legal interpretations, this language can’t be relied on to protect our freedoms.

Further, the bill does not sufficiently address Section 702 of the Foreign Intelligence Surveillance Amendments Act. We are specifically concerned that the new language references “about” searches, which collect and review messages of users who do not even communicate with surveillance targets. Congress must include reforming Section 702 in any NSA reform. This includes stopping the NSA from searching illegally collected Americans’ communications, stopping the suspicionless “about” surveillance, and ensuring companies can report on the exact number of orders they receive and the number of users affected.

We are encouraged by Senator Leahy’s commitment to continue with the more comprehensive version of the USA FREEDOM Act over the summer and look forward to working towards NSA reform in the Senate.

Justice Department’s National Security Division Nominated For Golden Padlock Award For Egregious Secrecy

This article, written by EFF media relations coordinator and investigative researcher Dave Maass, was originally published on the foundation’s website on May 20.

For the second year in a row, Investigative Reporters and Editors solicited nominations from the public for one of the least coveted prizes in government: the Golden Padlock. The award recognizes “the most secretive publicly-funded agency or person in the United States,” and the U.S. Border Patrol last year took home the inaugural honor for stonewalling Freedom of Information Act requests related to agent-involved shootings along the border. While we’ve had our own FOIA battles with Customs & Border Protection in the past, it’s nothing compared to what we’ve encountered trying to shine light on how the NSA conducts mass surveillance.

This year, we formally and publicly nominate the Department of Justice’s National Security Division, or DOJ NSD, for the Golden Padlock.

For years, EFF has been trying to obtain opinions issued by the Foreign Intelligence Surveillance Court, or FISA court, that contain secret interpretations of the Constitution and federal surveillance laws. The government then relies on those  secret interpretations to justify the NSA’s surveillance programs. We requested these opinions from DOJ NSD, which represents the government before the FISA court. After the government refused to produce the opinions, we sued—twice.

In each case, DOJ NSD claimed that none of the FISA court’s opinions—not a page, not a portion of a page, not a sentence, not a word—could be released without damaging national security. In some cases, DOJ NSD even refused to tell us how many pages the opinions contained.

The Snowden leaks changed things. In the government’s scramble to contain the damage from the leaks, they publicly disclosed many aspects of the programs the opinions described. That allowed us to successfully argue in court for the release of many of these opinions, which show multiple ways in which, by policy, error or outright misconduct, the rights of Americans were violated by NSA’s surveillance programs. But we also learned something else from these releases: DOJ NSD had misled EFF and the courts hearing our lawsuits when they claimed that nothing could be released from the opinions they were withholding.

There are numerous examples we can point to, but one is just so spectacularly egregious that it, alone, is worthy of special recognition. In one lawsuit, a DOJ NSD official swore that everything in the opinion was classified as “TOP SECRET” and disclosure of any part of the opinion would threaten “grave harm” to national security. Now that the FISA court’s opinion has been declassified, we know that the super-sensitive information the DOJ was so aggressively defending included… the text of the Fourth Amendment to the Constitution.

Other information the DOJ NSD contended was classified as TOP SECRET included sentences concerning illegal government action, like these:

  • “The Court is exceptionally concerned about what appears to be a flagrant violation of its order in this matter[.]”
  • “[T]he Court must have every confidence that the government is doing its utmost to ensure that those responsible for implementation fully comply with the Court’s orders. The Court no longer has such confidence.”
  • “The Court now understands, however, that the NSA has acquired, is acquiring, and . . . will continue to acquire, tens of thousands of wholly domestic communications.”

No exemption to FOIA justified the withholding of this information at any time. Release of these sentences would not have revealed any sensitive intelligence information: it only would have informed the public that the government’s surveillance programs were in dire need of reform.

Even as the White House pledges greater transparency on issues surrounding mass surveillance, DOJ NSD continues to withhold key opinions that are necessary to an informed public debate. The agency’s obstinacy seems to be contrived to control public perception rather than protect any legitimate intelligence-gathering practices. EFF has gone back to court to force the DOJ to release more opinions and orders, but in the meantime, we’ll make our case to IRE’s Golden Padlock judges.

The Department of Justice’s National Security Division deserves a trophy for trampling transparency.

The Electronic Frontier Foundation Explains The USA Freedom Act

NSA reform is finally moving in Congress. Last year, Senator Patrick Leahy and Representative Jim Sensenbrenner introduced the USA Freedom Act, one of the first comprehensive bills to address multiple aspects of the NSA’s spying. The Senate version has languished since October, but last week the House Judiciary Committee (chaired by Representative Bob Goodlatte) introduced and passed out of committee a heavily rewritten House version. As a result, two versions of the USA Freedom Act exist: the narrowed House version and the more encompassing Senate version. The movement in the House is a good indication that Congress is still engaged with NSA reform, but the House’s bill must be strengthened and clarified to ensure that it accomplishes one of its main intentions: ending mass collection.

Here’s how the House version of the USA Freedom Act compares to the Senate’s version, what the new House version of the USA Freedom Act does, and what it sorely lacks.

The Senate’s Version of USA Freedom Act

As we mentioned when the original USA Freedom Act was first introduced, it proposed changes to several NSA activities and limited the bulk collection of all Americans’ calling records. It would fix a key problem with Section 702 of the Foreign Intelligence Surveillance Amendments Act (FISAA), bring more transparency to the Foreign Intelligence Surveillance Act Court (FISA court), and introduce a special advocate to champion civil liberties in the FISA court.

The House’s New Version of the USA Freedom Act:

The new USA Freedom Act concentrates on prohibiting the collection of all Americans’ calling records using Section 215 of the Patriot Act. Other sections of the bill would allow the FISA Court to assign amici, or non-parties who can brief issues before the court; create new government reports about the spying powers; and create new company reports detailing how many accounts and customers are affected by FISA court orders.

First and foremost, the bill introduces a different conceptual approach to prohibiting mass spying under Section 215. Unlike the Senate version, which tries to stop the mass collection of calling records by mandating that the records sought “pertain to” an agent of a foreign power or their activities — an approach that we’ve worried about because “pertains to” and “relevant” are so similar — the House version mandates that a “specific selection term” (currently defined as uniquely describing a person, entity, or account) be the “basis for the production” of the records. The overall language may be stronger than in the old USA Freedom Act, but “specific selection term” must be further defined as “entity” could be construed expansively. After the order is filed, the government can obtain up to “two hops”— which should be further as it may be too expansive— from the selection term.

The bill also tries to tighten the “minimization procedures” that apply to government collection of records using Section 215 and other spying authorities like national security letters and the FISA Pen Register/Trap and Trace (PR/TT) provision. But the procedures only touch the FBI, not other agencies — like the NSA — that may be obtaining records using Section 215. In addition, the House version uses language we’ve seen in Section 702’s minimization procedures. If you remember, those procedures are horrendous. They allow for the overcollection, overretention, and oversharing of Americans’ communications “mistakenly” collected. The House must draft stronger minimization language to completely ensure improper information about untargeted users is not collected. For instance, simply inserting the word “acquisition” or “collection” would help.

Will Providers Be Forced to Decrypt?

Currently, Section 215 of the Patriot Act is intended for the government to obtain records created in the normal course of business. If the records don’t exist at the time of the order, then the government uses a different tool. Unfortunately, the House’s version of USA Freedom also includes a “provider assistance” clause. This means that a company served with an order must technically assist the government in obtaining the information.

One might think that “assistance” merely means helping to execute the order in a ministerial way, but we worry that it could be used much more broadly — especially when the clause mirrors language in the PR/TT statute that the Department of Justice has used to pressure secure email providers to warrantlessly disclose their encryption keys, potentially revealing private data of all of the service’s customers.

Another question the clause raises is whether or not the government could obtain an order for information not collected by the business, but with an assistance mandate that forces the company to collect such data in direct conflict with its ordinary business practice. This situation has already occurred in other contexts: under the bulk Internet metadata collection program, the government forced providers to collect information the providers were not initially collecting. The technological way in which the providers implemented the government’s demands ended up collecting the content of communications.

What Does “Basis for the Production” Mean?

While the new USA Freedom appears to strengthen the prohibition on using Section 215 to collect all Americans’ calling records, it permits overly expansive searches because the selection term mentioned above must only be used as the “basis for production” of the records sought. The bill does not require that the records belong to or be created by the person or entity identified by the selection term. So as written, the records could merely contain the selection term. Combined with “two hops,” the ambiguity presents the government with the ability to cast a potentially overbroad net to search with.

New USA Freedom Must Reform Section 702

The House’s version of USA Freedom drops many of the reforms dealing with Section 702 found in the Senate’s version. For example, one reform dealt with the “backdoor” loophole that the government uses to retain and search Americans’ emails and phone calls collected under the statute. The House version also fails to address other problems with Section 702, like “about” searching, the overbroad targeting procedures and minimization procedures, the definition of “foreign intelligence information,” and the rights of innocent users. Representative Zoe Lofgren introduced amendments to fix many of these problems, but without success. At the minimum, the House must reincorporate the Senate’s fixes to Section 702.

The Senate Moves Forward

While the House’s USA Freedom Act may do a better job of addressing bulk collection under Section 215 and related statutes, it is much weaker in all other regards. Fortunately, the Senate version of the bill remains unchanged. Senator Leahy noted that he plans to push forward with the Senate’s version of USA Freedom over the summer. In the meantime, the Privacy and Civil Liberties Oversight Board will issue a comprehensive report on Section 702.

It’s good to see the House move forward on surveillance reform, but we must ensure Congress takes up all of the issues regarding NSA’s egregious activities. EFF urges members to help advance the stronger version of the USA Freedom Act by telling your Senator now to support the Senate version of the bill.

One Year Later: Electronic Frontier Foundation Takes A Look At The Edward Snowden Leaks And How Government Spying Affects Us All

This essay, written by EFF International Rights Director Katitza Rodriguez, was originally published on the foundation’s website May 15.

June 5th marks the first anniversary of the beginning of the Edward Snowden revelations–a landmark event in global awareness of the worldwide spying machine. It has been a year where the world has learned that the NSA and its four closest allies in the Five Eyes partnership (United Kingdom, Canada, Australia, and New Zealand) have been spying on much of the world’s digital communications. What have we learned?

The foreign intelligence agencies of these nations have constructed a web of interoperability at the technical and operational levels that spans the entire globe. We have learned the extent of the cooperation and intelligence sharing amongst these countries, and have witnessed how material gathered under one country’s surveillance regime is readily shared with the others. The strategic location of the Five Eyes countries enables them to surveil most of the world’s Internet traffic as it transits through their hubs and is stored in their various territories. Moreover, they have partnered with over 80 major global corporations to leverage their spying capabilities. The scope and reach of their cooperation and intelligence sharing has shocked the world, including many who were previously unaware of the privacy threats that EFF has been covering since 2005.

In a leaked internal document, the NSA defined their “posture” as, “Sniff, know, collect, process, exploit, partner it all.” This last year, we have learned that the NSA has strayed far from its legitimate goal of protecting national security. In fact, we have seen the NSA participate in economic espionage, diplomatic spying and suspicionless surveillance of entire populations. Even worse, the NSA has also surreptitiously weakened the products and standards that Internet users use to protect themselves against online spying.

In his new book about working with Snowden, No Place To Hide, journalist Glenn Greenwald lays out some alarming facts that have been revealed in the year of leaks:

  • In a 30 day period, the NSA collected almost 3 billion telephone calls and emails that had passed directly through US telecom networks. As Greenwald explained, that exceeds the collection of each of the systems from “Russia, Mexico, and virtually all countries in Europe, and roughly equal to the collection of data from China.”
  • In a 30 day period, a single NSA unit had collected data on more than 97 billion emails and 124 billion phone calls from around the world.
  • In a single 30 day period, the NSA has collected 500 million pieces of data from Germany, 2.3 billion from Brazil, and 13.5 billion from India.
  • The NSA has collected 70 million pieces of metadata in cooperation with France, 60 million with Spain, 47 million with Italy, 1.8 million with the Netherlands, 33 million with Norway, and 23 million with Denmark.

In addition, the Snowden report has brought to light a three-tiered hierarchy of NSA partnerships with foreign governments. As reported by Greenwald’s book:

TIER 1: Five Eyes is an agreement between the U.S. and United Kingdom, Canada, Australia, and New Zealand to collaborate on global spying while voluntarily restricting their own spying on one another unless specifically requested to do so by a partner country’s own officials.

TIER 2: Countries that the NSA works with for specific surveillance projects while also spying heavily on them. These include mostly European countries, some Asian countries, and no Latin American ones.

TIER 3: Countries on which the United States routinely spies but with whom it virtually never cooperates: Brazil, Mexico, Argentina, Indonesia, South Africa, Kenya are some democratic countries that are on the list.

Finally, we now know of the following covert NSA operations:

EGOTISTICAL GIRAFFE: The NSA has targeted the Tor browser, an anonymity tool enabling Internet users to browse the net anonymously.

MUSCULAR: Launched in 2009, MUSCULAR infiltrates links between global data centers of technology companies such as Google and Yahoo not on U.S. soil. These two companies have responded to MUSCULAR by encrypting these exchanges.

XKEYSCORE: The software interface through which NSA analysts search vast databases collected under various other operations. XKEYSCORE analyzes emails, online chats and the browsing histories of millions of individuals anywhere in the world. The XKEYSCORE data has been shared with other secret services including Australia’s Defence Signals Directorate and New Zealand’s Government Communications Security Bureau.

BULLRUN: Not in and of itself a surveillance program, BULLRUN is an operation by which the NSA undermines the security tools relied upon by users, targets, and non-targets. BULLRUN represents an apparently unprecedented effort to attack security tools in general use.

DISHFIRE: The Dishfire operation is the worldwide mass collection of text messages and other phone records, including location data, contact retrievals, credit card details, missed call alerts, roaming alerts (which indicate border crossings), electronic business cards, credit card payment notifications, travel itinerary alerts, meeting information, etc. Communications from U.S. phones have been allegedly minimized, although not necessarily purged, from this database. The messages and associated data from non-U.S.-persons were retained and analyzed.

CO-TRAVELER: Under this operation, the U.S. collects location information from global cell towers, Wi-Fi, and GPS hubs. This information is collected and analyzed over time, in part in order to determine a target’s traveling companions.

OLYMPIA: Canada’s program to spy on the Brazilian Ministry of Mines and Energy.

BLARNEY: A program to leverage unique key corporate partnerships to gain access to high-capacity international fiber optic cables, switches and routers throughout the world. Countries targeted by Blarney include: Brazil, France, Germany, Greece, Israel, Italy, Japan, Mexico, South Korea, and Venezuela as well as the European Union and the United Nations.

and much more ….

While the Snowden revelations have proved invaluable in confirming the existence of global, cross-border spying by the NSA (and its four primary allies), the governments of the affected billions of Internet and telephone users have been slow to fight back. In some cases, America’s allies might be holding back because of their own tangled complicity in this shared network – or else, like Russia and China, they have their own pervasive surveillance networks and arrangements to protect.

But now that a year has passed, it’s clear that we need to update both our global technical infrastructure and local laws, consistent with long-standing international human rights standards, in order to regain any reasonable degree of privacy. Specifically, we must end mass surveillance. Politicians in every country need to stand up to the NSA’s incursions on their territory; the United States needs to reform its laws to recognize the privacy rights of innocent foreigners; and the international community needs to set clear standards which make any state conducting mass surveillance a pariah.

EFF Petitions Court For Criminal Defendants’ Right To Review Foreign Intelligence Surveillance Act Evidence

This post, written by EFF staff attorney Hanni Fakhoury, was originally published on the foundation’s website on May 9.

In the 36-year existence of the Foreign Intelligence Surveillance Act (FISA), the government has never disclosed classified FISA materials—the specific applications for surveillance and the factual affidavits that support the surveillance request—to a criminal defendant. That all changed in January 2014 when a Federal judge in Chicago ordered the government to turn over surveillance applications and affidavits to the attorneys representing Adel Daoud, a 19-year-old accused of attempting to blow up a bar in Chicago. As the government appeals that decision to the Seventh Circuit Court of Appeals, we’ve signed onto an amicus brief written by the ACLU and the ACLU of Illinois filed today that explains why Judge Sharon Coleman was right to order disclosure.

Legal Background

In most criminal cases, defendants receive discovery from the government, including police reports and search warrant applications and affidavits, which they can use to argue to a judge that the government improperly obtained evidence. If the judge is convinced the government did something wrong, it can “suppress” the evidence and preclude the government from using it in the defendant’s trial.

FISA follows a similar procedure with respect to government disclosure of the FISA applications, affidavits, and orders submitted to or issued by the Foreign Intelligence Surveillance Court (“FISC”). But because FISA materials deal with national security concerns, defendants typically do not get the materials directly. Instead, when a defendant challenges the FISA evidence used against him, the federal district court hearing the criminal case reviews the materials on its own (known as an in camera review) and can order the government to turn materials over to the defense if it finds disclosure is “necessary” to accurately decide whether the government’s FISA surveillance was legal.

There has never been a disclosure of FISA materials to a defendant. Instead, courts have generally accepted the government’s view that disclosure would harm national security or found that the defendant did not need the materials to make a legal challenge to the surveillance.

United States v. Daoud

In 2011, Daoud—an American teenager living in Hillside, Illinois—came to the attention of authorities after he was allegedly found to be reading al-Qaida propaganda and distributing online material about violent jihad. Undercover FBI agents pretending to be terrorists then spent months communicating with Daoud online about killing Americans, culminating in a September 2012 fake plot to allegedly detonate a bomb (which was not real) outside of a Chicago bar. After Daoud was charged in Federal court, the government notified Daoud’s lawyers that it had used evidence obtained under FISA. Months later, while the Senate was debating whether to reauthorize the infamous FISA Amendments Act (FAA) in December 2012, Senator Dianne Feinstein used Daoud’s case specifically to highlight how surveillance conducted under the FAA had led to “good intelligence” that prevented terrorist attacks. She never explained the details of how the FAA was used in Daoud’s case.

As the Snowden revelations revealed more information about how FAA surveillance worked, Daoud’s lawyers asked the government if Feinstein’s comments were true and if the government had used the FAA, specifically section 702 of the FAA, to obtain evidence against Daoud. The government claimed it had not used the FAA, although it seemed plausible that Daoud’s communications had initially been gathered under one of the NSA’s section 702 collection programs. Daoud ultimately brought a challenge to the use of FISA evidence against him without the benefit of seeing the FISA materials submitted to the FISC.

Consistent with its 36-year practice, the government argued that national security concerns prevented the government from sharing the FISA materials with the defense. So Judge Coleman reviewed the FISA materials on her own in camera. In a surprise ruling, she ordered the government to disclose the FISA materials to the defense, finding that the best way to determine the legality of the FISA surveillance was through an adversarial process that allowed Daoud’s lawyers—all of whom had top secret security clearance—to see the materials and raise legal challenges based on what was contained therein.

The government appealed this ruling to the Seventh Circuit and that’s where our amicus brief with the ACLU was filed, supporting Judge Coleman’s decision to order the materials disclosed.

Disclosure is Appropriate

Our brief explains why disclosure was appropriate under FISA generally and in Daoud’s case specifically.

FISA clearly contemplated that these materials could be disclosed to the defense in some cases. If Congress wanted to prohibit disclosure of FISA materials altogether, it could have done so explicitly in FISA rather than create the statute as it exists now, which allows a judge to make an individual determination about whether disclosure is necessary. The government can’t now complain that this system undermines national security when a judge actually takes up the procedure created by Congress and decides to order the government to disclose the materials. Plus, given the fact that one of the most important revelations to come out of the recent NSA scandal is the government’s repeated miscommunications about both its surveillance practices and its interpretation of the terms in FISA, a Federal judge could reasonably worry that the government’s submissions are based on a self-serving understanding of FISA.

There’s proof that’s already happened with the FAA specifically. In Clapper v. Amnesty International, the U.S. Supreme Court threw out a lawsuit brought by the ACLU challenging the constitutionality of the FAA, finding that a group of lawyers, scholars and journalists didn’t have standing to challenge the FAA. At oral argument, the U.S. Solicitor General Donald Verrilli assured the high court that the FAA would not go unchallenged and that a defendant would get notice from the government if it intended to use evidence collected under the FAA against them. The court accepted that representation, specifically referencing it in its opinion. But in reality, the government had not been notifying defendants that FAA evidence had been used in their cases, and it was not until Verrilli put internal pressure on the Department of Justice that the government belatedly began notifying defendants.

With that background, Judge Coleman could be rightly skeptical of the government’s ability to grasp its own national security practices especially in light of Daoud’s case specifically. Given the uncertainty about whether the FAA evidence was used in Daoud’s case or not, with conflicting statements by two separate branches of the government, the Court could rightly determine that a careful review of the surveillance applications and affidavits was necessary to determine the legality of all of the government’s FISA surveillance here.

We hope the Seventh Circuit agrees with Judge Coleman and finds disclosure was appropriate. In addition to giving Daoud a chance to determine what type of surveillance was used against him, disclosure serves the public interest by showing that it is possible to balance national security and civil liberties.

Oral argument is scheduled in the case for June 4, 2014 in Chicago.

EFF: The Way The NSA Uses Section 702 Is Deeply Troubling; Here’s Why

The most recent disclosure of classified National Security Agency documents revealed that the British spy agency GCHQ sought unfettered access to NSA data collected under Section 702 of the FISA Amendments Act. Not only does this reveal that the two agencies have a far closer relationship than GCHQ would like to publicly admit, it also serves as a reminder that surveillance under Section 702 is a real problem that has barely been discussed, much less addressed, by Congress or the President.

In fact, the “manager’s amendment” to the USA FREEDOM Act, which passed unanimously out of the House Judiciary Committee, has weakened the minimal changes to Section 702 that USA FREEDOM originally offered. Although Representative Zoe Lofgren — who clearly understands the import of Section 702 — offered several very good amendments that would have addressed these gaps, her amendments were all voted down. There’s still a chance, though. As this bill moves through Congress, it can be strengthened by amendments from the floor.

Section 702 has been used by the NSA to justify mass collection of phone calls and emails by collecting huge quantities of data directly from the physical infrastructure of communications providers. Here’s what you should know about the provision and why it needs to be addressed by Congress and the President:

  • Most of the discussion around the NSA has focused on the phone records surveillance program. Unlike that program, collection done under Section 702 captures content of communications. This could include content in emails, instant messages, Facebook messages, Web-browsing history and more.
  • Even though it’s ostensibly used for foreign targets, Section 702 surveillance indiscriminately sweeps up everyone’s communication, including the communications of Americans. The NSA has a twisted, and incredibly permissive, interpretation of targeting. As John Oliver put it in his interview with former NSA Director Gen. Keith Alexander: “No, the target is not the American people, but it seems that too often you miss the target and hit the person next to them going, ‘Whoa, him!’”
  • The NSA has used Section 702 to justify programs like PRISM, allowing the NSA to “siphon off large portions of Internet traffic directly from the Internet backbone.” PRISM exploits the structure of the Internet, in which a significant amount of traffic from around the world flows through servers in the United States. According to The Washington Post, it gives the NSA direct access to servers of major American companies like Facebook and Google.
  • Section 702 is likely used for computer warfare, including activities targeting computers in the United States. We know that the NSA’s hacking outfit, the Tailored Access Operations Unit, needs information like that collected by PRISM to function, and Richard Ledgett, deputy director of NSA, noted the use of intelligence authorities to mitigate cyberattacks.
  • The FISA Court has little opportunity to review Section 702 collection. The court approves procedures for 702 collection for up to a year. This is not approval of specific targets, however; “court review [is] limited to ‘procedures’ for targeting and minimization rather than the actual seizure and searches.” This lack of judicial oversight is far beyond the parameters of criminal justice.
  • Not only does the FISA Court provide little oversight, Congress is largely in the dark about Section 702 collection as well. NSA spying defenders say that Congress has been briefed on these programs. But other members of Congress have repeatedly noted that it is incredibly difficult to get answers from the intelligence community, and that attending classified hearings means being unable to share any information obtained at such hearings. What’s more, as Senator Barbara Mikulski stated: “‘Fully briefed’ doesn’t mean that we know what’s going on.” Without a full picture of Section 702 surveillance, Congress simply cannot provide oversight.
  • Section 702 is not just about keeping us safe from terrorism. It’s a distressingly powerful surveillance tool. While the justification we’ve heard repeatedly is that NSA surveillance is keeping us safer, data collected under Section 702 can be shared in a variety of circumstances, such as ordinary criminal investigations. For example, the NSA has shared intelligence with the Drug Enforcement Agency that has led to prosecutions for drug crimes, all while concealing the source of the data.
  • The President has largely ignored Section 702. While the phone records surveillance program has received significant attention from President Barack Obama, in his speeches and his most recent proposal, Section 702 remains nearly untouched.
  • The way the NSA uses Section 702 is illegal and unconstitutional — and it violates international human rights law. Unlike searches done under a search warrant authorized by a judge, Section 702 has been used by the NSA to get broad FISA court authorization for general search and seizure of huge swathes of communications. The NSA says this is OK because Section 702 targets foreign citizens. The problem is, once constitutionally protected communications of Americans are swept up, the NSA says these communications are “fair game” for its use.
  • Innocent non-Americans don’t even get the limited and much abused protections the NSA promises for Americans. Under international human rights law, to which the United States is a signatory, the United States must respect the rights of all persons. With so many people outside the United States keeping their data with American companies and so much information being swept up through mass surveillance, that makes Section 702 the loophole for the NSA to violate the privacy rights of billions of Internet users worldwide.

The omission of Section 702 reform from the discourse around NSA surveillance is incredibly concerning, because this provision has been used to justify some of the most invasive NSA surveillance. That’s why EFF continues to push for real reform of NSA surveillance that includes an end to Section 702 collection. You can help by educating yourself and engaging your elected representatives. Print out our handy one-page explanation of Section 702. Contact your members of Congress today and tell them you want to see an end to all dragnet surveillance, not just bulk collection of phone records.

EFF Praises Today’s Judiciary Committee Action On USA FREEDOM Act, But Calls For More FISA Reform

This article by Kurt Opsahl was originally published May 7 by the Electronic Frontier Foundation.

Earlier today, the House Judiciary Committee passed a revised version of the USA FREEDOM Act. We’re pleased by Congress’ strong step toward ending bulk surveillance of phone records of Americans. This bill is a good start toward reforming an out-of-control surveillance state, and we urge members of Congress to support it as the bill moves forward through the legislative process.

The USA FREEDOM Act includes a definition of call detail records which excludes cell site location data, a provision that will help safeguard the location privacy of millions of Americans from mass NSA surveillance. However, we remain concerned that the bill allows prospective collection—collection of records that have not yet been created—up to 180 days.

There are a number of surveillance issues that are not yet addressed by the current version of the USA FREEDOM Act. In particular, the bill does not address the collection authority under Section 702 of the FISA Amendments Act. The bill fails to fix the “backdoor loophole,” in which the NSA interprets the law to allow searches of the data collected under Section 702 for the purpose of finding communications of a United States person. Section 702 authorities need to be sharply limited to ensure that collection is only possible for communications to and from a designated target, not merely those who mention a target in a communication. The scope of Section 702 should be limited by requiring a description of who, what, and where the NSA is targeting.

In addition, the FISA court reform provisions in the current version of the USA FREEDOM Act provide a starting point, but more is needed to ensure a fair adjudication of surveillance authorization. The legislation has a provision that allows the FISA court to assign amici, meaning non-parties can brief issues before the court. But the court has already determined that it has the authority to do this. In fact, EFF filed a brief with the court just this year on an evidence preservation issue. The bill must go further and introduce a special privacy advocate who can review, challenge, and appeal orders of the highly secretive FISA Court.

Furthermore, the transparency amendment that was included in the bill did not go far enough, simply codifying the Department of Justice’s existing permission to report in broad bands. This legislation should provide stronger transparency provisions to ensure that users know, with as much granularity as possible, how and when the government issues orders for user data and how many accounts are affected. This is a vital check against government surveillance abuses.

And finally, we urge Congress to acknowledge that non-U.S. persons have fundamental rights to privacy, and NSA surveillance should be the minimum necessary to achieve a desired result and proportionate to the actual threat.

The new version of the USA FREEDOM Act is a strong first step to undoing the damage of the government’s tortured interpretation of the PATRIOT Act. The Judiciary Committee should be commended for moving the conversation on reforming the NSA’s activities forward. We urge Congress to support this bill and to support additional privacy protections to address outstanding issues, whether through amendments or other legislative vehicles.

EFF Sues Justice Department Again For Secret Surveillance Court Rulings

Debate Over Mass Surveillance Hampered by Undisclosed FISA Court Decisions

San Francisco - In a continuing campaign to uncover the government’s secret interpretations of the surveillance laws underlying the National Security Agency (NSA)’s spying programs, the Electronic Frontier Foundation (EFF) today filed another lawsuit against the Department of Justice, demanding that the government hand over key Foreign Intelligence Surveillance Court (FISA court) opinions and orders.

“We can’t have an informed debate about mass surveillance with access to only half the story,” EFF Staff Attorney Mark Rumold said. “The government’s secret interpretation of laws and the Constitution needs to end. Disclosure of the opinions we’ve requested will be an important step towards providing the public with the information it needs to meaningfully debate the propriety of these programs.”

In recent months, the U.S. intelligence community has sought to repair its image by posting FISA court decisions and other documents on a new Tumblr site, icontherecord.tumblr.com. While this looks like an altruistic attempt to provide transparency, government officials often fail to acknowledge that the documents are primarily being made public in response to successful FOIA litigation from organizations such as EFF.

So far, EFF’s FOIA lawsuits have forced the government to disclose FISA court opinions detailing how the NSA violated court orders and the Fourth Amendment, as well as other troubling facts and insight about the operations of these programs. We have also learned of the existence of other records and opinions that EFF believes should be made public.

“With all the disclosures that have taken place over the past year, there’s no valid reason these opinions are still secret,” EFF Senior Counsel David Sobel said. “The government’s refusal to provide these opinions looks more like an attempt to control public opinion about the NSA’s operations, rather than protecting any legitimate intelligence sources or methods.”

EFF has yet to receive key documents in response to four outstanding FOIA requests. Among the most significant records EFF is seeking in this FOIA suit:

  • The FISA court’s “Raw Take” order, which was revealed in documents released by Edward Snowden. According to the New York Times, this secret 2002 order weakened restrictions on sharing private data, allowing federal intelligence agencies to share unfiltered information about Americans.
  • Two FISA court opinions from 2007 that first authorized, then later stopped, the NSA’s warrantless content collection program approved by President George W. Bush.
  • The first FISA court opinion from 2008 that analyzed the legality of NSA surveillance under Section 702 of the FISA Amendments Act.

EFF has also requested any still-secret Foreign Intelligence Surveillance Court of Review (FISCR) decisions and appeals from the FISCR to the Supreme Court on NSA surveillance.

For the complaint: https://www.eff.org/document/eff-v-doj-fisc-opinion-foia-2014

For more information and the underlying FOIA requests: https://www.eff.org/foia/fisc-orders-illegal-government-surveillance

EFF: Campus Activism Against NSA Spying is Growing Fast

This piece, written by Electronic Frontier Foundation activist April Glaser, originally appeared on the foundation’s website on April 25.

The Electronic Frontier Foundation has been on the road, traveling to cities and towns across the country to bring our message of digital rights and reform to community and student groups.

And while we had the tremendous opportunity to talk about our work and our two lawsuits against the National Security Agency, the best part of the trip was learning about all of the inspiring and transformative activism happening every day on the local level to combat government surveillance and defend our digital rights.

We met students and professors in Eugene, Ore., who held a campus-wide digital rights event at the University of Oregon. There, students had the opportunity to unpack their campus privacy policy, download and learn freedom-enhancing software, and explore their library’s open access initiative.

We traveled to Cambridge, Mass., where we met local activists and students ready to join the fight against draconian computer crime laws and raise awareness about the effects of mass surveillance on student innovation and academic freedom. In one particularly inspiring meeting with MIT’s Student Information Processing Board, we talked about how student innovators have long felt rudderless in the face of poorly written and outdated computer crime laws.

Most recently, a student was issued a subpoena for a project developed with fellow MIT classmates at a local hackathon. The students’ project, called TidBit, demonstrates how a client’s computer can mine for Bitcoin as an alternative to website advertising. The project was designed for a hackathon (where it won an award for innovation) and was never actually implemented, but instead explicitly marked as a proof of concept. Yet the State of New Jersey issued a subpoena trying to get info about the project and suggesting the TidBit developers had violated the law. EFF is helping the students fight back by moving to quash the subpoena. The TidBit case is the latest in a string of student confrontations with computer crime laws at MIT over the years.

We remember how Aaron Swartz was charged under the grossly unfair and outdated Computer Fraud and Abuse Act. And we remember when the Massachusetts Bay Transit Authority ordered that MIT students cancel their scheduled presentation at DEFCON about vulnerabilities that they found in Boston’s transit fare payment system, violating their 1st Amendment right to discuss their important research. The facts are clear: Student innovation is chilled by broken computer crime laws, and reform is sorely needed.

While we were in Cambridge, we participated in LibrePlanet, the annual Free Software Foundation conference. And after the conference local activists, technologists and free software enthusiasts joined us for a Free Software Foundation/EFF Speakeasy. We had the opportunity to talk about how the Free Software Foundation is one of the 22 plaintiffs in our First Unitarian Church of Los Angeles v. NSA case, as well as what technologists can do to combat mass surveillance.

EFF also stopped in New York City to meet with students from the New School and New York University to talk about what students can do on campus to oppose NSA surveillance. And we were delighted to co-host a Students’ Speakeasy, where we chatted about ways to get active on campus with the Student Net Alliance, a growing network of people involved in campus communities that support sound Internet law and policy. Whether it’s writing a letter about how mass surveillance chills academic freedom, learning, and the need to research and discuss controversial topics; holding regular campus cryptoparties; or petitioning for better open access policies on campus, there are plenty of things that students can do to join the fight to protect our digital rights.

“The Internet was born on university campuses, and universities have always been at the center of critical fights to keep the Internet free and open,” said Alec Foster, founder of Student Net Alliance. “As students, we believe in advancing policy and technology that support the free and open flow of information, and ensure our private communications are equally protected online and offline.”

It’s been a busy month! Just last week we visited Iowa, where we collaborated with the student-run Iowa State University Digital Freedom Group to put together a giant event for the campus-wide First Amendment week. More than 250 people showed up to hear about EFF’s litigation against the NSA and learn about reforms in Congress that aim to rein the NSA back within the bounds of the Constitution.

When the ISU Digital Freedom Group was trying to form on campus last year, they met serious resistance from the school’s administration who wouldn’t give them the green light because they did not want ISU students to advocate for or participate in the “secrecy network” Tor and would not permit the student group to use any “free software designed to enable online anonymity.”

But the students had not proposed that a Tor node be established on campus. Rather, they simply asked that they be able to provide a forum to “discuss, learn and practice techniques to anonymize and protect digital communication.” EFF wrote an open letter to university administrations across the country about the importance of student groups like the Digital Freedom Group that aim to discuss and learn about methods for secure and private use of the Internet.

After our tremendously successful event, the ISU Digital Student Group hosted their first cryptoparty, where campus-based technologists taught about important Internet privacy tools like GPG email encryption, Tor, and Off-the-Record instant messaging. We all had a wonderful time in Ames and look forward to watching the group grow.

At EFF we are thrilled to meet more activists across the country working on the front lines to defend our digital rights. And this fight is now more important than ever. Snowden’s revelations have brought conversations about government surveillance and the right to privacy into the spotlight. Now is the time to organize for real reform. Join us.

EFF’s Suggestions For Government Surveillance Oversight

This piece, written by Electronic Frontier Foundation Legal Director and Legislative Analyst Mark M. Jaycox, originally appeared on the foundation’s website on April 23.

EFF recently filed comments with the Privacy and Civil Liberties Oversight Board (PCLOB) concerning Section 702 of the Foreign Intelligence Surveillance Amendments Act (FAA), one of the key statutes under which the government claims it can conduct mass surveillance of innocent people’s communications and records from inside the US. EFF maintains that the government’s activities under Section 702 that we know about are unconstitutional, not supported by the statutory language, and violate international law.

The PCLOB, created as a result of recommendations by the 9/11 Commission, is an agency charged with ensuring privacy and civil liberties are included in the White House’s counterterrorism activities. After a long delay, the board became operational in February 2012. Their first report, issued in January 2014, reviewed the government’s use of the Patriot Act to collect all Americans’ calling records. The report largely agreed with our concerns about that program, carefully described how it is illegal and recommended the government stop the program. In our recent comments, we urge the PCLOB to take the same careful approach to the government’s activities under Section 702.

Specifically, we urge the PCLOB to work on:

1) Transparency: The PCLOB should push for more disclosures about surveillance conducted under Section 702, especially as it impacts innocent people in the US and around the world. The comments outline what is known about two types of spying the government has said are authorized by Section 702: the PRISM program and “upstream” collection. We also point out key information needed to have a real public debate on these issues, including specifics about the programs that have no reasonable harm to national security such as the number of orders sent and the number of US person communications collected. Throughout the comments, we offer specific suggestions about additional technical and policy information that should be made publicly available. This includes whether any of these programs limit or restrict the architecture or technology of private-sector systems. The information will help innocent people around the world understand whether and how their non-suspect communications are being collected, analyzed, used, and retained by the US government.

2) A Constitutional Analysis: As it did concerning the telephone records collection program, we urge the PCLOB to perform a serious Constitutional analysis of the government’s activities under Section 702. Section 702 is being used to authorize modern-day general warrants inconsistent with the Fourth Amendment. The comments discuss how the founders specifically rejected the so-called “hated writs” on the grounds, among others, that the writs did not require judicial approval, particularity, and a finding of probable cause prior to seizure and search of the “papers and effects.” The comments urge the PCLOB to consider the serious threats to privacy including:

  • Searches done “about” a target of surveillance, which collect the content of Americans and trigger Fourth Amendment requirements;
  • “Backdoor searches,” which are searches of potentially innocent communications sucked into the NSA’s databases containing phone calls and emails collected under Section 702;
  • The mass collection and analysis of millions of Americans’ communications, both domestic and international, which the government claims were merely “incidentally” collected;
  • The court review limited to “procedures” for targeting and minimization rather than the actual seizure and searches. This abstract approval is not a sufficient substitute for the Fourth Amendment’s requirement of a “neutral and detached” magistrate, especially when the NSA is seizing millions of complicated communications, like “multiple communications transactions” and nested messages including those of innocent users.
  • Filtering only by IP address, which is what the government says it does to protect Americans. IP filtering cannot tell what passport a person holds and is grossly insufficient as a way to ensure that only the communications of foreigners abroad are ultimately analyzed. EFF notes specifically that many American websites (including the House of Representatives website) load content from foreign websites with foreign IP addresses and that many Americans use VPNs and other common technological processes which result in Americans having foreign IP addresses.

3) A Statutory Analysis: We also urge the PCLOB to engage in a statutory analysis of Section 702 and note, as it did for Section 215, that the statutory language does not provide for bulk collection. Instead, the statute forbids the government from “intentionally acquiring” fully domestic communications and requires “reasonably designed” procedures. We write: “it strains credulity to think that mass collection from the fiber optic cables located inside the US is either ‘reasonably designed’ to ensure that acquisition is limited to persons believed to be outside the US,” especially given that the cables carry both international and domestic traffic.

4) An International Analysis: We point out that Section 702 violates international human rights law, as explained in detail in the Necessary and Proportionate Principles. Section 702’s mass surveillance is inherently disproportionate and is improperly discriminatory in ignoring the privacy rights of innocent foreigners.

5) Recommending Fixes: We urge the PCLOB to suggest legislative fixes to, or repeal of, Section 702. This includes narrowing definitions in the statute, like “foreign intelligence information;” ensuring a judge approves specific targets; and ensuring more information is released about the programs.

A full copy of the comments can be found here.

EFF: It’s Hard to Get The Whole Story In The One-Sided Surveillance Court

This article, written by activist Nadia Kayyali and attorney Kurt Opsahl, was originally published by the Electronic Frontier Foundation on April 16.

While most courts in the United States are adversarial—each party presents its side and a jury, or occasionally a judge, makes a decision—in the Foreign Intelligence Surveillance Court (FISC), only the government presents its case to a judge. While typically two opposing sides work under public review to make sure all the facts are brought to light, in the FISC the system relies on a heightened duty of candor for the government. As is illustrated all too well by recent developments in our First Unitarian v. NSA case, this one-sided court system is fundamentally unfair.

In March, after we learned that the government intended to destroy records of Section 215 bulk collection relevant to our NSA cases, we filed for a temporary restraining order in the Federal court in San Francisco. We also filed a motion to correct the record with the FISC, since it was a FISC order requiring the destruction of bulk metadata after five years that was at issue.

Following the emergency hearing on our motion, the San Francisco federal court ordered the government to preserve the evidence. On the same day that the federal court issued its order, the FISC issued its own strongly worded order in which it granted our motion and mandated the government to make a filing with the FISC explaining exactly why it had failed to notify the Court about relevant information regarding preservation orders in two related cases, Jewel and Shubert. This omission influenced the FISC’s decision on the government’s request for relief, and the FISC was not happy about it.

On April 2, the DOJ made its filing. The government’s statements in this document deserve close attention because they illustrate in high-definition the failures of the FISC’s one-sided system.

The response essentially says that in hindsight, it is clear to the government why the FISC would have wanted to know about the Jewel and Shubert orders. But the government’s filings show that it unilaterally decided it was right about its interpretation of the legal theories in these cases. In so doing, it failed to live up to the heightened duty of candor present in ex parte proceedings by failing to inform the FISC that this was disputed. In essence, the government narrowly interpreted the causes of action in the Jewel complaint, excluding the Section 215 surveillance purportedly authorized by the FISC, and thereby narrowing the evidence it would preserve. By making a decision about what facts were relevant, the DOJ attorneys elevated themselves into the role of a judge.

The government apologized to the FISC for its omission, but it also continues to inaccurately portray the controversy over the legal theories in our cases. In fact, the DOJ uses this filing to again present their interpretation of the disagreement over the scope of the cases, failing to mention the various arguments we have made on that issue before Judge White in San Francisco. The DOJ calls our view “recently-expressed,” attempting to create the impression that the DOJ had no idea that there was any controversy until 2014. They neglect to mention that we wrote in a 2010 brief that the “government defendants’ assertion that ‘plaintiffs do not challenge surveillance authorized by the FISA Court’ … misconceives both plaintiffs’ complaint and the role of the district court ….”

If this had been a normal court proceeding, each side would present their position in the most favorable light, and the judge would decide who is right. In the FISC, however, this balanced system breaks down. This one-sided system allows for no accountability except in the rare circumstance where the affected parties can raise the issue with the court. Indeed, in most cases, the arguments and the decision are kept secret, and no one can second-guess the government.

This is why we continue to urge Congress to change the laws governing how FISC operates. At a minimum, significant court decisions must be made public, and a privacy advocate should be a part of the process. These improvements won’t bring the same kind of balance that can come with an adversarial system, but could at least deliver a semblance of fairness to the process.

EFF: Tea Party, Taxes And Why The Original Patriots Would’ve Revolted Against The Surveillance State

This article was originally published by the Electronic Frontier Foundation on April 15.

Let’s just imagine we could transport an Internet-connected laptop back to the 1790s, when the United States was in its infancy. The technology would no doubt knock the founders out of their buckle-top boots, but once the original patriots got over the initial shock and novelty (and clearing up Wikipedia controversies, hosting an AMA and boggling over Dogecoin), the sense of marvel would give way to alarm as they realized how electronic communications could be exploited by a tyrant, such as the one from which they just freed themselves.

As America’s first unofficial chief technologist, Benjamin Franklin would be the first to recognize the danger and take to trolling the message boards with his famous sentiment: Those who would trade liberty for safety deserve neither. (And he’d probably troll under a fake handle, using Tor, since the patriots understood that some truths are best told with anonymity.)

Today, the Tea Party movement continues the legacy of the founders, championing the rights guaranteed by the Constitution and Bill of Rights. Never afraid of controversy, Tea Party activists and elected leaders are fighting against mass surveillance in the courts and in the halls of state legislatures and Congress.

Each year on April 15, Americans pay taxes that keep the government running. It’s a time for reflecting upon whether that money is funding a government for the people or a government that is undermining the people, supposedly for their own good. After a watershed year of newly disclosed information about the National Security Agency, the Tea Party has plenty to protest about.

How The Founders Fought Mass Surveillance

Mass surveillance was not part of the original social contract — the terms of service, if you will — between Americans and their government. Untargeted surveillance is one reason we have an independent country today.

Under the Crown’s rule, English officials used writs of assistance to indiscriminately “enter and go into any house, shop cellar, warehouse, or room or other place and, in case of resistance, to break open doors, chests, trunks, and other package there” in order to find tax evaders. Early patriot writers, such as James Otis Jr. and John Dickinson, railed against these general warrants; and it was this issue, among other oppressive conditions, that inspired the Declaration of Independence and the Fourth Amendment.

James Madison drafted clear language guaranteeing the rights of Americans, and it bears reading again in full:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Centuries later, the principle still applies, whether we’re talking about emails or your mobile phone. As the Tea Party activists at FreedomWorks told us when we consulted them for this post: The Fourth Amendment does not stop at technology’s door.

(For a more in-depth historical review, check out former EFF legal intern David Snyder’s essay, “The NSA’s ‘General Warrants’: How the Founding Fathers Fought an 18th Century Version of the President’s Illegal Domestic Spying.”)

Tea Party Versus Big Brother

The Tea Party movement is closely associated with the right to bear arms, religious rights and tax freedom. But as Brian Brady, a prolific Tea Party activist in San Diego County we also consulted, said: The movement must embrace the Constitution as a whole. Threats to privacy, he says, are also threats to freedom of speech, religion and association. Property rights mean nothing if the government can search your home or computer without probable cause.

In other words, mass surveillance is a manifestation of big government.

Tea Party activists don’t shy away from confrontations that may put them at odds with other groups (particularly on the left); but no one can deny that on the subject of mass surveillance, the movement is on the frontlines protecting every American’s rights.

TechFreedom and gun-rights groups, such as the CalGuns Foundation and the Franklin Armory (named after Ben), have joined unlikely allies such as Greenpeace and People for the American Way to sue the NSA. Represented by the Electronic Frontier Foundation, the plaintiffs argue that collecting phone metadata (your number, who you called, when and for how long you spoke) chills the ability for these groups to associate freely, as guaranteed by the First Amendment as well as the Fourth Amendment. FreedomWorks and Sen. Rand Paul have also filed a class action lawsuit against the NSA on similar grounds.

Conservative attorney and founder of Judicial Watch Larry Klayman was the first plaintiff to challenge the program’s unconstitutionality. So far, his lawsuit in Washington, D.C. has been successful. In December, the federal judge in the case wrote, “I cannot imagine a more ‘indiscriminate’ and ‘arbitrary invasion’ than this systematic and high-tech collection and retention of personal data on virtually every single citizen for purposes of querying it and analyzing it without judicial approval.”

Tea Party-affiliated lawmakers have also been pushing back against mass surveillance with a variety of bipartisan legislative reforms; Rep. Justin Amash, for example, came within a few votes of cutting the NSA’s telephone metadata program funding with a budget amendment last July. State legislators who align with the Tea Party have also sponsored bills across the country condemning the NSA, from California State Sen. Joel Anderson’s successful resolution calling for an end to the call records program to Michigan Rep. Tom McMillin’s call for the Department of Justice to prosecute Director of National Intelligence James Clapper for misleading Congress.

Tax, Spend And Surveil

Reason magazine has an excellent essay about the IRS and privacy, outlining how the IRS obtains, scours and fails to secure personal data collected from taxpayers, while tax-reform advocate Grover Norquist wrote a worthwhile op-ed in The Daily Caller today about how the IRS exploits the outdated Electronic Communications Privacy Act. But it’s also important to consider that the taxes the government collects ultimately fund the surveillance state. “No taxation without representation” was the rallying cry of the American Revolution, and yet here we are today, with the NSA conducting surveillance without adequate checks and balances. Members of Congress complain that they haven’t been properly briefed on the NSA’s programs and judicial approval of these programs is conducted by a secret court that only hears the government’s side of the story. On the local level, law enforcement agencies are adopting new surveillance technologies such as automatic license plate readers, facial recognition and Stingrays with little public input or other oversight.

On the whole, maintaining the mass surveillance state is expensive. There are 17 (that’s right, 17) different federal agencies that are part of the “intelligence community,” each of them involved in various, interconnected forms of surveillance. There’s no concrete evidence of how it has made us safer, but there’s plenty of concrete evidence of how much it has cost. The bottom line? We’re paying the government to unreasonably intrude on our lives. The budget for intelligence in 2013 was $52.6 billion. Of that, $10.8 billion went to the NSA. That’s approximately $167 per person in the United States.

For a prime example of the wasteful spending, one need only read Sen. Tom Coburn’s report “Safety at Any Price,” which outlined the inappropriate spending done under the Department of Homeland Security’s grant program (such as paying for “first responders to attend a HALO Counterterrorism Summit at a California island spa resort featuring a simulated zombie apocalypse”). This followed on the heels of a harsh bipartisan Senate report criticizing the extreme waste at fusion centers around the country. Federal funds were used to purchase big screen TVs, decked-out SUVs and miniature cameras. To make matters worse, the report found that fusion centers violated civil liberties and produced little information of any use.

Mass surveillance is a symptom of uncontrolled government overreach. The question is: What’s the cure?

Defending Privacy Is A Patriotic Duty

While every single person has cause to be alarmed by surveillance, those who criticize government policies have particular reason to be concerned. Those who have new, or not yet popular, ideas (or, in the case of the Tea Party, old and popular ideas in resurgence) are often targets of overreaching surveillance. It’s not a partisan issue; it’s a constitutional issue.

Activism is most effective when it happens at the personal, local and national levels. And the Tea Party has proven it knows how to make a ruckus, whether it’s on a personal blog or outside the White House. America needs the Tea Party to keep applying that patriotic passion to NSA reform.

We have also just created a new collection of resources for grass-roots activists, including tips on how to organize public events and use the media to spread the word about your issues, as well as a collection of one-page informational sheets that make it easy to explain these issues. And above all, speak out. Help EFF stop bills that attempt to legalize mass surveillance and join EFF in demanding real reform.

Stopping mass surveillance — it’s what the first patriots did, and it’s what today’s patriots are doing right now.

EFF: Digital Technology Can Leave Your Health History Exposed

This article was originally published by the Electronic Frontier Foundation on April 9.

The digitization of medical records is being pitched to the public as a way to revolutionize healthcare. But rapid technological innovation and lagging privacy laws are leaving patients — and their most sensitive information — vulnerable to exposure and abuse, especially in this age of “big data.” The Electronic Frontier Foundation (EFF) is launching a new medical privacy project today to identify the emerging issues and to give advocates the information they need to fight for stronger protections for patients.

“You assume that the decision about when to disclose medical data — like if you’ve had an abortion or have a serious heart condition — is yours and yours alone. But that information may be circulated in the process of paying for and providing treatment, or as part of mandated reporting,” said EFF Senior Staff Attorney Lee Tien. “As the American medical establishment moves towards complete digitization of patient records, it’s important to take a hard look on what that means for everyone’s privacy, and what we should do about it.”

EFF’s project explores the unsettled areas of medical privacy law and technology, including a primer on how law enforcement might get access to your health information or how the government might be able to collect it by claiming that it’s necessary for national security. There’s also a detailed discussion of public health reporting systems and how federal health laws give patients some rights but take others away. EFF will add more topics in the months to come.

“Genetic testing provides a striking example of some of the challenges we face with protecting medical data. Genetic data is uniquely identifiable and can be easily obtained from cells we shed every day,” says EFF Activism Director Rainey Reitman. “But we have weak laws protecting this highly sensitive data.”

EFF’s work on the medical privacy project is supported by a grant from the Consumer Privacy Rights Fund of the Rose Foundation for Communities and the Environment.

For EFF’s full medical privacy project:
https://www.eff.org/issues/medical-privacy

FAQ: Privacy Activist’s Guide To Why The Surveillance State’s Fusion Centers Matter

This handy FAQ was compiled by Electronic Frontier Foundation activist Nadia Kayyali and originally published on the foundation’s website on April 7.

While NSA surveillance has been front and center in the news recently, fusion centers are a part of the surveillance state that deserve close scrutiny.

Fusion centers are a local arm of the so-called “intelligence community,” the 17 intelligence agencies coordinated by the National Counterterrorism Center (NCTC). The government documentation around fusion centers is entirely focused on breaking down barriers between the various government agencies that collect and maintain criminal intelligence information.

Barriers between local law enforcement and the NSA are already weak. We know that the Drug Enforcement Agency gets intelligence tips from the NSA which are used in criminal investigations and prosecutions. To make matters worse, the source of these tips is camouflaged using “parallel construction,” meaning that a different source for the intelligence is created to mask its classified source.

This story demonstrates what we called “one of the biggest dangers of the surveillance state: the unquenchable thirst for access to the NSA’s trove of information by other law enforcement agencies.” This is particularly concerning when NSA information is used domestically. Fusion centers are no different.

In fact, in early 2012, the Foreign Intelligence Surveillance Court approved the sharing of raw NSA data with the NCTC. The intelligence community overseen by the NCTC includes the Department of Homeland Security and FBI, the main Federal fusion center partners. Thus, fusion centers—and even local law enforcement—could potentially be receiving unminimized NSA data. This runs counter to the distant image many people have of the NSA, and it’s why focusing on fusion centers as part of the recently invigorated conversation around surveillance is important.

What are fusion centers?

Fusion centers are information centers that enable intelligence sharing between local, State, tribal, territorial, and Federal agencies. They are actual physical locations that house equipment and staff who analyze and share intelligence.

How many are there?

There are 78 recognized fusion centers listed on the Department of Homeland Security (DHS) website.

Who works at fusion centers?

Fusion centers are staffed by local law enforcement and other local government employees as well as Department of Homeland Security personnel. DHS “has deployed over 90 personnel, including Intelligence Officers and Regional Directors, to the field.” Staffing agreements vary from place to place. Fusion centers are often also colocated with FBI Joint Terrorism Task Forces.

What do fusion centers do?

Fusion centers enable unprecedented levels of bi-directional information sharing between State, local, tribal, and territorial agencies and the Federal intelligence community. Bi-directional means that fusion centers allow local law enforcement to share information with the larger Federal intelligence community, while enabling the intelligence community to share information with local law enforcement. Fusion centers allow local cops to get—and act upon—information from agencies like the FBI.

Fusion centers are also key to the National Suspicious Activity Reporting Initiative (NSI), discussed below.

What is suspicious activity reporting?

The government defines suspicious activity reporting (SAR) as “official documentation of observed behavior reasonably indicative of pre-operational planning related to terrorism or other criminal activity.” SARs can be initiated by law enforcement, by private sector partners, or by “see something, say something” tips from citizens. They are then investigated by law enforcement.

What is the National Suspicious Activity Reporting Initiative?

NSI is an initiative to standardize suspicious activity reporting. The NSI was conceived in 2008, and started with an evaluation project that culminated in a January 2010 report describing how NSI would encompass all fusion centers. It appears significant progress has been made towards this goal.

The evaluation project included so-called Building Communities of Trust (BCOT) meetings which focused “on developing trust among law enforcement, fusion centers, and the communities they serve to address the challenges of crime and terrorism prevention.”

BCOT “community” events involved representatives from local fusion centers, DHS, and FBI traveling to different areas and speaking to selected community representatives and civil rights advocates about NSI. These were invite-only events with the clear purpose of attempting to engender community participation and garner support from potential opponents such as the ACLU.

So what’s wrong with Suspicious Activity Reporting and the NSI?

SARs do not meet legally cognizable standards for search or seizure under the Fourth Amendment. Normally, the government must satisfy reasonable suspicion or probable cause standards when searching a person or place or detaining someone. While SARs themselves are not a search or seizure, they are used by law enforcement to initiate investigations, or even more intrusive actions such as detentions, on the basis of evidence that does not necessarily rise to the level of probable cause or reasonable suspicion. In other words, while the standard for SAR sounds like it was written to comport with the constitutional standards for investigation already in place, it does not.

In fact, the specific set of behaviors listed in the National SAR standards include innocuous activities such as:

“taking pictures or video of facilities, buildings, or infrastructure in a manner that would arouse suspicion in a reasonable person,” and “demonstrating unusual interest in facilities, buildings, or infrastructure beyond mere casual or professional (e.g. engineers) interest such that a reasonable person would consider the activity suspicious. Examples include observation through binoculars, taking notes, attempting to measure distances, etc.”

These standards are clearly ripe for abuse of discretion.

Do fusion centers increase racial and religious profiling?

The weak standards around SAR are particularly concerning because of the way they can lead to racial and religious profiling. SARs can originate from untrained civilians as well as law enforcement, and as one woman pointed out at a BCOT event, “people who might already be a little racist who are ‘observing’ a white man photographing a bridge are going to view it a little differently than people observing me, a woman with a hijab, photographing a bridge.” The bottom line is that bias is not eliminated by so-called observed behavior standards.

Furthermore, once an investigation into a SAR has been initiated, existing law enforcement bias can come into play; SARs give law enforcement a reason to initiate contact that might not otherwise exist.

Unsurprisingly, as with most tools of law enforcement, people of color often end up being the target of SARs, as public records act requests have shown:

One review of SARs collected through Public Records Act requests in Los Angeles showed that 78% of SARs were filed on non-whites. An audit by the Los Angeles Police Department’s Inspector General puts that number at 74%, still a shockingly high number.

A review of SARs obtained by the ACLU of Northern California also shows that most of the reports demonstrate bias and are based on conjecture rather than articulable suspicion of criminal activity. Some of the particularly concerning SARs include titles like “Suspicious ME [Middle Eastern] Males Buy Several Large Pallets of Water” and “Suspicious photography of Folsom Dam by Chinese Nationals.” The latter SAR resulted in police contact: “Sac[ramento] County Sheriff’s Deputy contacted 3 adult Asian males who were taking photos of Folsom Dam. They were evasive when the deputy asked them for identification and said their passports were in their vehicle.” Both of these SARs were entered into FBI’s eGuardian database.

Not only that, there have been disturbing examples of racially biased informational bulletins coming from fusion centers. A 2009 “North Central Texas Fusion Center Prevention Awareness Bulletin” implies that tolerance towards Muslims is dangerous and that Islamic militants are using methods such as “hip-hop boutiques” and “online social networks” to indoctrinate youths in America.

Do fusion centers facilitate political repression?

Fusion centers have been used to record and share information about First Amendment protected activities in a way that aids repressive police activity and chills freedom of association.

A series of public records act requests in Massachusetts showed: “Officers monitor demonstrations, track the beliefs and internal dynamics of activist groups, and document this information with misleading criminal labels in searchable and possibly widely-shared electronic reports.” The documents included intelligence reports addressing issues such as internal group discussions and protest planning, and showed evidence of police contact.

For example, one report indicated that “Activists arrested for trespassing at a consulate were interviewed by three surveillance officers ‘in the hopes that these activists may reach out to the officers in the future.’ They were asked about their organizing efforts and for the names of other organizers.”

Who oversees the National Suspicious Activity Reporting Initiative?

The NSI is led by the Program Manager for the Information Sharing Environment (PM-ISE) in collaboration with the DHS and the FBI. The ISE is “the people, projects, systems, and agencies that enable responsible information sharing for National security.” The PM-ISE, currently Kshemendra Paul, oversees the development and implementation of the ISE. The position was created by the Intelligence Reform and Terrorism Prevention Act of 2004.

If this all sounds confusing, that’s because it is: the entire intelligence community is a plethora of duplicative agencies with overlapping areas of responsibility.

What kind of information do fusion centers have?

Staff at fusion centers have access to a variety of databases. Not all staff have the same level of clearances, and the entire extent of what is available to fusion centers is unclear. But we do know certain facts for sure:

Fusion centers have access to the FBI’s eGuardian database, an unclassified companion to the FBI’s Guardian Threat Tracking System. “The Guardian and eGuardian systems . . . have a bi-directional communication ability that facilitates sharing, reporting, collaboration, and deconfliction among all law enforcement agencies.”

Fusion centers also have access to DHS’ Homeland Security Data Network and its companion Homeland Security Information Network. These systems provide access to terrorism-related information residing in DoD’s classified network. It is worth noting that HSIN was hacked in 2009 and was considered so problematic that it was briefly decommissioned entirely.

Fusion centers have access to other information portals including the FBI’s Law Enforcement Online portal, Lexis Nexis, the Federal Protective Service portal, and Regional Information Sharing Systems.

Finally, as discussed above, we know that unminimized NSA data can be shared with the National Counterterrorism Center, which means that fusion centers could be in receipt of such data.

What Federal laws apply to fusion centers?

Because they are collaborative, legal authority over fusion centers is blurred, perhaps purposefully. However, there are some Federal laws that apply. The Constitution applies, and fusion centers arguably interfere with the First and Fourth Amendments.

28 Code of Federal Regulations Part 23 governs certain Federal criminal intelligence systems. The “Fusion Center Guidelines . . . call for the adoption of 28 CFR Part 23 as the minimum governing principles for criminal intelligence systems.” 28 CFR 23.20 requires reasonable suspicion to collect and maintain criminal intelligence and prohibits collection and maintenance of information about First Amendment protected activity “unless such information directly relates to criminal conduct or activity and there is reasonable suspicion that the subject of the information is or may be involved in criminal conduct or activity.” Finally, it prohibits inclusion of any information collected in violation of local law.

Section 552(a)(e)(7) of the Privacy Act prohibits Federal agencies, in this case DHS personnel who work at fusion centers, from maintaining any “record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity.” A 2012 U.S. Senate Permanent Subcommittee on Investigations report on fusion centers stated: “The apparent indefinite retention of cancelled intelligence reports that were determined to have raised privacy or civil liberties concerns appears contrary to DHS’s own policies and the Privacy Act.”

What State or local laws apply to fusion centers?

Fusion centers are sometimes bound by local and state laws. The law enforcement agencies that feed information into centers may also be restricted in terms of what information they can gather.

The Northern California Regional Intelligence Center, located in San Francisco, CA, serves as a good example of how State and local regulations can apply to a fusion center. NCRIC works with law enforcement partners around the region and stores criminal intelligence information. The California constitution has a right to privacy and California has other laws that address privacy and criminal intelligence. These should cover NCRIC.

The San Francisco Police Department’s relationship with NCRIC also serves as a good example of the applicability of local laws. SFPD participates in suspicious activity reporting, but is also bound by a number of restrictions, including Department General Order 8.10, which heavily restricts intelligence gathering by the SFPD, as well as the sanctuary city ordinance, which prohibits working with immigration enforcement. While the fusion center would not be bound by these regulations on its own, the SFPD is.

Who funds fusion centers?

Fusion centers are funded by Federal and State tax dollars. Estimates of exactly how much funding fusion centers get from these sources are difficult to obtain. However, there are some numbers available.

For 2014, the Homeland Security Grant Program, which is the Federal grant program that funds fusion centers, has $401,346,000 available in grant funds. The grant announcement emphasizes that funding fusion centers and integrating them nationally is a high priority. This is an approximately $50 million increase over last year’s allocation—somewhat shocking in light of the critiques around fusion center funding that have been raised by Congress.

A 2008 Congressional Research Service report states that the average fusion center derives 31% of its budget from the Federal government. Those numbers may have changed now.

Has there been any discussion about fusion centers at the Federal level?

Yes, but not enough. In October of 2012, fusion centers were the subject of an extremely critical report from the U.S. Senate Permanent Subcommittee on Investigations. The bipartisan report focused on the waste, ineptitude, and civil liberties violations at fusion centers. The report revealed that fusion centers spent tax dollars on “gadgets such as ‘shirt button cameras, $6,000 laptops and big-screen televisions. One fusion center spent $45,000 on a decked-out SUV…” Regarding the information produced by fusion centers, the report noted that fusion centers produced “‘intelligence’ of uneven quality – oftentimes shoddy, rarely timely, sometimes endangering citizens’ civil liberties and Privacy Act protections, occasionally taken from already-published public sources, and more often than not unrelated to terrorism.”

This report recommended a hard look at fusion center funding, but that clearly has not happened. They are still operating across the country with Federal funding. In fact, their funding has even been increased.

What about at the local level?

There are grassroots privacy advocates in multiple cities fighting to get more information about fusion centers and how their local law enforcement participates in them. These efforts have been frustrated by stonewalling of public records act requests and uneducated, or at times dishonest, public officials.

Have any regulations been passed or proposed?

To date, only one place has passed regulations around fusion centers. Berkeley, CA, passed a policy in September 2012 that the Berkeley Police Department can only submit suspicious activity reports after establishing reasonable suspicion of criminal behavior, and put in place an audit of SARs.

Massachusetts is also considering changes to fusion centers. SB 642 would strictly limit collection and dissemination of criminal intelligence information and would require a yearly audit of the Massachusetts Commonwealth Fusion Center.

What can I do?

Fusion centers are an area ripe for grassroots organizing. Groups like the Stop LAPD Spying Coalition, which put together a “People’s Audit” of SARs in LA, provide excellent examples of how this can happen. Public records act requests can be leveraged to get information about what your local law enforcement is doing. Grassroots organizing and education can get people and elected officials talking about this issue.

On April 10, activists across the country will be participating in “Stop the Spy Centers: a national day of action against fusion centers.” These activists have three demands: 1. Shut down fusion centers, 2. De-fund fusion centers, and 3. Release all suspicious activity reports and secret files.

While April 10 is one day of action, the conversation around fusion centers must continue hand in hand with our national discourse around NSA, CIA, and FBI surveillance.

Where can I get more information about fusion centers?