NSA Spying: Now It’s Personal

This article first appeared July 11 on the website of the Electronic Frontier Foundation.

By Eva Galperin and Nadia Kayyali

Imagine that you watched a police officer in your neighborhood stop ten completely ordinary people every day just to take a look inside their vehicle or backpack. Now imagine that nine of those people are never even accused of a crime. They just happened to be in the wrong place at the wrong time. Even the most law-abiding person would eventually protest this treatment. In fact—they have.

Now replace police officers with the NSA. The scenario above is what the NSA is doing with our communications, under cover of its twisted interpretation of Section 702 of the FISA Amendments Act. The Washington Post has revealed that “Nine of 10 account holders found in a large cache of intercepted conversations, which former NSA contractor Edward Snowden provided in full to The Post, were not the intended surveillance targets.” Additionally, “[n]early half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents.”

The thousands of pages of documents that provide the basis for the article are not raw content. Rather, as Barton Gellman, one of the authors of the article, states in a follow-up published several days later: “Everything in the sample we analyzed had been evaluated by NSA analysts in Hawaii, pulled from the agency’s central repositories and minimized by hand after automated efforts to screen out U.S. identities.”

What that means is that if you’re on the Internet, you’re in the NSA’s neighborhood—whether you are in the U.S. or not. And like those who protest unjust policies like stop and frisk in their cities, you should be protesting this treatment.

This revelation is significant because it proves the point privacy and civil liberties advocates have been making for years: NSA surveillance is not narrowly targeted. EFF’s legal fight against the NSA’s warrantless mass surveillance program has been ongoing since 2006, but The Washington Post’s statistics about 160,000 intercepts they have analyzed from the Snowden files indicate that even what the NSA calls “targeted” surveillance is far from narrow in scope.  In fact, it is so bloated that we should all be questioning its necessity and efficacy at this point. Taken hand in hand with The Intercept’s article outlining the targeting of five civil rights and political leaders from the Muslim-American community, our outrage should be palpable.

What’s more, the report comes on the heels of a debate specifically about Section 702 that has been brewing in Congress for months, as civil liberties champions like Senator Ron Wyden and Representative Zoe Lofgren question and work to address how the NSA uses this authority. This revelation should make it clear to the Senate when it considers the USA FREEDOM Act: Section 702 needs to be reformed. Cosmetic changes to NSA spying, or even substantive changes to Section 215 bulk telephone records collection, are insufficient. Unbridled, unconstitutional collection of the contents of communications needs to end.

The Washington Post article is based on a comprehensive review of thousands of pages of documents. In fact, as the article points out: “No government oversight body, including the Justice Department, the Foreign Intelligence Surveillance Court, intelligence committees in Congress or the president’s Privacy and Civil Liberties Oversight Board, has delved into a comparably large sample of what the NSA actually collects.” What’s more, these are documents that government officials have repeatedly insisted Edward Snowden would never have been able to access.

Regardless of the government’s denials, Snowden did have these documents, and now we know at least some of what they contained. So does Congress. So there’s no excuse anymore for the type of maneuvering that led to the gutting of USA FREEDOM in the House.  More importantly, there’s no excuse for the Senate to ignore Section 702 when it considers USA FREEDOM.

Real NSA reform from Congress will, among other things, shut the backdoor that allows the NSA to access Americans’ communications. It will also end collection of communications “about” a target.

Of course, none of this solves the problem of how NSA surveillance affects non-U.S. persons. One of the shocking things about The Washington Post’s article is its description of the communications intercepted:

Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers. In some photos, men show off their physiques. In others, women model lingerie, leaning suggestively into a webcam or striking risque poses in shorts and bikini tops.

We are no longer talking about statistics. We are talking about real people going about their daily lives. It is not surprising to learn that in the course of its investigations, the NSA gathers up a considerable number of communications that prove to be insignificant, irrelevant, or (as is the case with communications between US persons) outside the scope of their work. What is shocking is that the NSA keeps this enormous trove of personal data about people it should not be watching in the first place. It appears that the unspoken coda to General Alexander’s “collect it all” motto is “and never throw it away.”

The bottom line is this: The Internet is a global neighborhood. We shouldn’t feel unsafe there. But the NSA doesn’t seem to care.

The good news is, we can do something. Take action now. Go to https://www.standagainstspying.org and see how your elected representative stacks up when it comes to reforming the NSA, tweet at them, and send a letter to President Obama urging him to use his executive authority to reform the NSA now. You can also take action by contacting lawmakers here. If you are overseas, you can sign the letter to President Obama. You can also endorse the Necessary and Proportionate principles. Take back the Internet.

International Treaty Negotiations Go Further Underground with Unprecedented Secrecy Around Meetings in Canada

This post, written by EFF Global Policy Analyst Maria Sutton, was originally published on the foundation’s website July 8.

EFF is in Ottawa this week for the Trans-Pacific Partnership (TPP) negotiations, to influence the course of discussions over regressive digital policy provisions in this trade agreement that could lead to an increasingly restrictive Internet. But this round is different from the others—the secrecy around the talks is wholly unprecedented. The Canadian trade ministry, which is hosting this round of talks, has likely heightened the confidentiality due to the mass public opposition that is growing against this undemocratic, corporate-driven trade deal.

The trade offices from the 12 countries negotiating this deal no longer pre-announce details about the time and location of these negotiations. They don’t bother releasing official statements about the negotiations because they no longer call these “negotiation rounds” but “officials’ meetings.” But the seeming informality of these talks is misleading—negotiators are going to these so-called meetings to secretly pull together a deal. As far as we know, they’re still discussing whether they could expand the international norm of copyright terms to make it even longer. They are negotiating provisions that could lead to users getting censored and filtered over copyright, with no judicial oversight or consideration for fair use. And trade delegates are deliberating how much of a crime they should make it if users break the DRM on their devices and content, even if users don’t know it’s illegal and the content they’re unlocking isn’t even restricted by copyright in the first place.

So for this negotiation, we had to rely on rumors and press reports to know when and where it was even happening. At first, there were confirmed reports that the next TPP meeting would take place at a certain luxury hotel in downtown Vancouver. So civil society began to mobilize, planning events in the area to engage users and members of the public about the dangers of TPP. Then seemingly out of the blue, the entire negotiating round was moved across the country to Ottawa. There’s no way to confirm whether this was a deliberate misdirection, but either way it felt very fishy.

Already given this level of secrecy, it goes without saying that there will be no room for members of civil society or the public to engage directly with TPP negotiators. Towards the beginning of TPP talks, we were given 15 minutes to present to stakeholders, in addition to a stakeholder event that allowed us to hang around a big room to meet and pass information to negotiators who walked by. Then it was cut down to ten minutes (after we made some noise that it was going to be cut down to a mere eight minutes). In the following rounds, the stakeholder event was completely removed from the schedules of the official rounds. These didn’t provide sufficient time to convey to negotiators the major threats we saw in this agreement, so those events already seemed to be a superficial nod to public participation. But now, they don’t even pretend to give us their ear.

Of course, corporate lobbyists continue to have easy access to the text. Advisors to major content industries can comment and read the text of the agreement on their private computers. But those of us who represent the public interest are left to chase negotiators down the halls of hotels to let our concerns be heard and known to them.

As we watch TPP crawl its way towards getting finalized, signed, and eventually taint our laws with its one-sided corporate agenda, we need to continue to remember this fact: laws made in secret, with no public oversight or input, are illegitimate. That is not how law is made in democracies. If we’re to defend the fundamental democratic rule that law is based on transparent, popular consensus, we need to fight back against an agreement that engages in such a secretive, corporate-captured process.

Additional Resources:

Michael Geist: Why The Secrecy on the TPP Talks in Ottawa This Week? Because There is Something to Hide

Council of Canadians: Secretive critical talks on the Trans Pacific Partnership happening in Ottawa

EFF: Is Your Android Device Telling the World Where You’ve Been?

This post, written by technology projects director Peter Eckersley and staff technologist Jeremy Gillula, was originally published on the EFF website.

Do you own an Android device? Is it less than three years old? If so, then when your phone’s screen is off and it’s not connected to a Wi-Fi network, there’s a high risk that it is broadcasting your location history to anyone within Wi-Fi range who wants to listen.

This location history comes in the form of the names of wireless networks your phone has previously connected to. These frequently identify places you’ve been, including homes (“Tom’s Wi-Fi”), workplaces (“Company XYZ office net”), churches and political offices (“County Party HQ”), small businesses (“Toulouse Lautrec’s house of ill-repute”), and travel destinations (“Tehran Airport wifi”). This data is arguably more dangerous than that leaked in previous location data scandals because it clearly denotes in human language places where you’ve spent enough time to use the Wi-Fi. Normally, eavesdroppers would need to spend some effort extracting this sort of information from the latitude/longitude history typically discussed in location privacy analysis. But even when networks seem less identifiable, there are ways to look them up.

The Electronic Frontier Foundation briefly mentioned this problem during our recent post about Apple deciding to randomize MAC addresses in iOS 8. As EFF pointed out there, Wi-Fi devices that are not actively connected to a network can send out messages that contain the names of networks they’ve joined in the past in an effort to speed up the connection process. But after writing that post, EFF became curious just how many phones actually exhibited that behavior, and if so, how much information they leaked. To our dismay, we discovered that many of the modern Android phones EFF tested leaked the names of the networks stored in their settings (up to a limit of 15). And when EFF looked at these network lists, we realized that they were, in fact, dangerously precise location histories.

Aside from Android, some other platforms also suffer from this problem and will need to be fixed, although for various reasons, Android devices appear to pose the greatest privacy risk at the moment.

In Android, EFF traced this behavior to a feature introduced in Honeycomb (Android 3.1) called Preferred Network Offload (PNO). PNO is supposed to allow phones and tablets to establish and maintain Wi-Fi connections even when they’re in low-power mode (i.e. when the screen is turned off). The goal is to extend battery life and reduce mobile data usage, since Wi-Fi uses less power than cellular data. But for some reason, even though none of the Android phones EFF tested broadcast the names of networks they knew about when their screens were on, many of the phones running Honeycomb or later (and even one running Gingerbread) broadcast the names of networks they knew about when their screens were turned off.
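To make the leak described above concrete, the following added example (not EFF's code and not part of the original post) parses 802.11 probe request frames and lists, per device, the saved network names carried in directed probes, which is what an audit of your own phone would look for. It assumes raw 802.11 frames with no radiotap header or FCS; the MAC addresses and frames are constructed sample input, and the function names are hypothetical.

```python
from collections import defaultdict

MGMT_TYPE = 0            # 802.11 management frame type
PROBE_REQ_SUBTYPE = 4    # probe request subtype
HDR_LEN = 24             # frame control, duration, 3 addresses, sequence control
SSID_TAG = 0             # information element ID for the SSID
MAX_SSID_LEN = 32        # longest SSID the standard allows


def build_frame(fc0: int, src_mac: bytes, ssid: bytes) -> bytes:
    """Build a minimal management frame (constructed sample input only)."""
    broadcast = b"\xff" * 6
    header = bytes([fc0, 0x00]) + b"\x00\x00" + broadcast + src_mac + broadcast + b"\x00\x00"
    ssid_ie = bytes([SSID_TAG, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])  # supported rates element
    return header + ssid_ie + rates_ie


def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request, or None.

    ssid is "" for a wildcard probe, which names no network. Frames that are
    not probe requests, or are truncated or malformed, yield None.
    """
    if len(frame) < HDR_LEN:
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, (fc0 >> 4) & 0x0F
    if version != 0 or ftype != MGMT_TYPE or subtype != PROBE_REQ_SUBTYPE:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])  # address 2 = transmitter
    pos = HDR_LEN
    while pos + 2 <= len(frame):          # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            return None                   # element runs past the end of the frame
        if tag == SSID_TAG:
            if length > MAX_SSID_LEN:
                return None               # not a valid SSID element
            return src, value.decode("utf-8", errors="replace")
        pos += 2 + length
    return None                           # no SSID element present


def leaked_networks(frames):
    """Map each source MAC to the sorted network names it named in probes."""
    leaks = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:          # skip wildcard probes: nothing leaked
            leaks[parsed[0]].add(parsed[1])
    return {mac: sorted(names) for mac, names in leaks.items()}


# Constructed sample capture: one phone sending directed probes, one sending
# only wildcard probes, a beacon, and a truncated frame.
PHONE_A = bytes.fromhex("020000000001")
PHONE_B = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_frame(0x40, PHONE_A, b"Tom's Wi-Fi"),
    build_frame(0x40, PHONE_A, b"Company XYZ office net"),
    build_frame(0x40, PHONE_A, b""),                  # wildcard probe
    build_frame(0x40, PHONE_B, b""),                  # wildcard probe only
    build_frame(0x80, PHONE_B, b"Cafe AP"),           # beacon, not a probe
    build_frame(0x40, PHONE_B, b"Tom's Wi-Fi")[:30],  # truncated mid-SSID
]

if __name__ == "__main__":
    for mac, names in leaked_networks(SAMPLE_FRAMES).items():
        print(mac, "named", len(names), "saved network(s):", names)
```

A device that sends only wildcard probes, like the second phone here, does not appear in the result at all; that is the behavior the workaround and the wpa_supplicant fix aim for.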

Response From Google

When EFF brought this issue to Google’s attention, it responded:

We take the security of our users’ location data very seriously and we’re always happy to be made aware of potential issues ahead of time. Since changes to this behavior would potentially affect user connectivity to hidden access points, we are still investigating what changes are appropriate for a future release.

Additionally, yesterday a Google employee submitted a patch to wpa_supplicant that fixes this issue. While we are glad this problem is being addressed so quickly, it will still be some time before that fix gets integrated into the downstream Android code. And even then, Android fragmentation and the broken update process for non-Google Android devices could delay or even prevent many users from receiving the fix. (We hope Google can make progress on this problem, too.)

Protective Steps You Can Take Today

With that said, a workaround is available (for most devices) for users who want to protect their privacy right now: Go into your phone’s “Advanced Wi-Fi” settings and set the “Keep Wi-Fi on during sleep” option to “Never.” Unfortunately, this will cause a moderate increase in data usage and power consumption — something users shouldn’t have to do in order to keep their phone from telling everyone everywhere they’ve been.

Unfortunately, on at least one device we tested — a Motorola Droid 4 running Android 4.1.2 — even this wasn’t sufficient. On the Droid 4, and perhaps on other phones, the only practical way to prevent the phone from leaking location is to manually forget the networks you don’t want broadcast, or disable Wi-Fi entirely whenever you aren’t actively connecting to a known Wi-Fi network. You can also find apps that will do this automatically for you.

Location history is extremely sensitive information. We urge Google to ship their fix as soon as possible, and other Android distributors to offer prompt updates containing it.

NSA, Director Of National Intelligence Sued For Zero Day Disclosure Process

San Francisco - The Electronic Frontier Foundation (EFF) today filed a Freedom of Information Act (FOIA) lawsuit against the NSA and the Office of the Director of National Intelligence (ODNI) to gain access to documents showing how intelligence agencies choose whether to disclose software security flaws known as “zero days.”

A zero day is a previously unknown security vulnerability in software or online services that a researcher has discovered, but the developers have not yet had a chance to patch. A thriving market has emerged for these zero days; in some cases governments—including the United States—will purchase these vulnerabilities, which they can use to gain access to targets’ computers.

In April 2014, Bloomberg News published a story alleging that the NSA had secretly exploited the “Heartbleed” bug in the OpenSSL cryptographic library for at least two years before the public learned of the devastating vulnerability. The government strongly denied the report, claiming it had developed a new “Vulnerability Equities Process” for deciding when to share vulnerabilities with companies and the public. The White House’s cybersecurity coordinator further described in a blog post that the government had “established principles to guide agency decision-making” including “a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.” But the substance of those principles has not been shared with the public.

EFF filed a FOIA request for records related to these processes on May 6 but has not yet received any documents, despite ODNI agreeing to expedite the request.

“This FOIA suit seeks transparency on one of the least understood elements of the U.S. intelligence community’s toolset: security vulnerabilities,” EFF Legal Fellow Andrew Crocker said. “These documents are important to the kind of informed debate that the public and the administration agree needs to happen in our country.”

Over the last year, U.S. intelligence-gathering techniques have come under great public scrutiny. One controversial element has been how agencies such as the NSA have undermined encryption protocols and used zero days. While an intelligence agency may use a zero day it has discovered or purchased to infiltrate targeted computers or devices, disclosing its existence may result in a patch that will help defend the public against other online adversaries, including identity thieves and foreign governments that may also be aware of the zero day.

“Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors,” Global Policy Analyst Eva Galperin said.

For the complaint:
https://www.eff.org/document/eff-v-nsa-odni-complaint

New York DA Employs 381 Secret Orders To Gather Complete Digital Dossiers From Facebook

This article by Kurt Opsahl originally appeared on the website of the Electronic Frontier Foundation.

Unfortunately, it appears that the lure of bulk surveillance is not just a temptation for the Federal government. Last summer, about a month after new leaks exposed the NSA’s bulk content PRISM program, Cyrus Vance, Jr., the District Attorney for Manhattan, decided to go secretly fishing through 381 Facebook accounts, and wanted to ensure no one was allowed to stop him.

The DA was looking for evidence of disability fraud, and saw Facebook as a treasure trove. Many people put their lives online, sharing their daily ups and downs with a steady stream of photos, comments, and wall posts to friends and family. Perhaps some of them, after claiming a disability, would post a windsurfing selfie or write about their marathon training, and evidence their fraud.

So the DA put together nearly 400 search warrants, which ordered Facebook to provide near total access to the accounts, and gagged the social media giant from informing the users. Facebook reports that this “unprecedented request is by far the largest we’ve ever received — by a magnitude of more than ten.” According to Facebook’s appeals brief, the targets included a cross-section of America “from high schoolers to grandparents, … electricians, school teachers, and members of our armed services.”

Facebook’s brief explains that the warrants sought “information that cannot possibly be relevant to the crimes the Government presumably continues to investigate,” including what “Group” people belong to (and who else is in that group), chat messages, private messages, friends list (including removed friends) and even past and future events. And indeed, for the vast majority of the targets, the information was not relevant to any crime. Only 62 people were ultimately charged.

Sometimes “come back with a warrant” is not enough. The warrant must also conform to constitutional limitations, narrowly seeking evidence of a crime with particularity, based on probable cause. It is not a license for the government to rifle through the private lives of anyone it suspects. As the Supreme Court recognized just yesterday, the Fourth Amendment was the founding generation’s response to the reviled “general warrants” and “writs of assistance” of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity.

Facebook rightly challenged this overbroad pile of warrants. Indeed, it was the only entity that could. The gag order prevented Facebook from giving notice, so none of the users was in a position to assert their constitutional rights, or even know those rights were in danger.

Nevertheless, the DA disputed Facebook’s right to challenge the warrant in court, and the New York State trial court agreed, holding that “it is the Facebook subscribers who could assert an expectation of privacy in their posting, not the digital storage facility, or Facebook.” The court reasoned that this wouldn’t be a problem, because a criminal defendant could move to suppress the evidence before trial.

But what about the users who are never charged? The court never grapples with that issue, perhaps not realizing that ultimately 80% would not be the fraudsters the DA was looking for. Instead, the opinion moves on to justify the non-disclosure provisions by raising the specter of evidence tampering by the users.

Under this pair of holdings, no one is allowed to challenge the authority of the DA in court. Facebook is not allowed and the users don’t know. (Ironically, in an earlier case involving Twitter, the court had found that the user had no rights to challenge the NY DA’s data demand on Twitter). To paraphrase yesterday’s landmark Supreme Court ruling, the Founders did not fight a revolution to gain Fourth Amendment rights that no one can assert.

Facebook has appealed this dangerous precedent, seeking to “invalidate these sweeping warrants and to force the government to return the data it has seized and retained.” And, nearly a year after the warrants issued, the case has been unsealed. But, despite a temporary stay, Facebook was eventually forced to comply, and the DA continues to hold a digital dossier of the lives of over 300 people never charged with a crime.

Facebook’s appeal is well grounded. The Stored Communications Act, upon which the court relied to issue the warrants, specifically allows for service providers to challenge court orders. On the merits, the overly broad warrants go beyond what the Constitution permits by failing to identify with particularity the criminal evidence to be seized, and failing to put in place procedures to protect the privacy of the people whose lives were invaded by the government.

The information cannot be undisclosed, but the New York appeals court can still help right this wrong by overturning the erroneous criminal court decision, quashing the warrants and requiring the DA to destroy the ill-gotten evidence.

Smith v. Maryland Turns 35, But Its Health Is Declining

This article, written by EFF staff attorney Hanni Fakhoury, was originally published June 24 on the EFF website.

The U.S. Supreme Court’s 1979 decision of Smith v. Maryland turned 35 years old last week. Since it was decided, Smith has stood for the idea that people have no expectation of privacy in information they expose to others. Labeled the third party “doctrine” (even by EFF itself), Smith has come up over and over in the debates surrounding electronic surveillance and NSA spying.

But the idea that information exposed to others is no longer private has been oversold. Millions of Americans expect all sorts of things exposed to third parties remain private under state law. And as technology advances and the information we give to ISPs and telcos becomes more and more revealing, even federal courts are beginning to rethink whether Smith is the absolute rule the government claims it should be.

On its 35th birthday, Smith’s vitality is on the decline, and that’s a good thing.

The Smith Decision

In Smith, police asked a telephone company to install a pen register to monitor the phone numbers a robbery suspect dialed. Although police had no warrant or judicial order, the phone company installed the pen register and police monitored the calls for three days. Eventually, Smith was arrested and challenged the government’s use of a pen register as an unreasonable search under the Fourth Amendment.

A Fourth Amendment “search” occurs when the government intrudes on a subjective expectation of privacy that society would consider reasonable. In Smith’s case, the trial and appellate courts rejected his argument that the use of a pen register was a “search.” The Supreme Court agreed to review the case because lower courts had issued conflicting opinions about whether people expect the phone numbers they dial to remain private.

In a 6-3 decision, the Supreme Court rejected Smith’s argument and ruled the use of the pen register wasn’t a “search.”

It found Smith had no subjective expectation of privacy in the dialed phone numbers because he (and everyone else) conveyed those numbers to the phone company in order to have his calls completed. Even if Smith thought the numbers would remain private, the Supreme Court believed society would treat that expectation as unreasonable because the high court had consistently held “that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Smith relied on an earlier case, United States v. Miller, where the Supreme Court found a bank customer’s deposit and banking records were not private because the customer assumed the risk that someone they shared information with could reveal that same information to another person, including the government. Since Smith had no expectation of privacy in the numbers he dialed, there was no “search” and no need for police to get a warrant to install the pen register.

Three justices dissented, finding that people do have an expectation of privacy in the phone numbers they dial. In a dissent that was ahead of its time, Justice Potter Stewart wrote that phone numbers were an “integral part” of communication and a part of the “content” of the communication itself. And Justice Thurgood Marshall noted “privacy is not a discrete commodity, possessed absolutely or not at all.”

Smith’s Aftermath

After Smith, the government continued to press the idea that people have no expectation of privacy in information exposed to others, and the Supreme Court accepted this in many contexts. In California v. Greenwood, for example, the Supreme Court ruled that people have no expectation of privacy in garbage they leave on the side of the road for pickup because animals or scavengers could access the contents. And in California v. Ciraolo, the Court ruled police could fly a plane over someone’s fenced-in backyard and look in without a warrant because homeowners expose their backyards to overhead aerial observation.

Miller, Smith and Greenwood were all decided under the Fourth Amendment, which applies to state and federal law enforcement throughout the United States. But these decisions were met with resistance by states who believed their citizens’ bank records, the phone numbers they dial and the trash they left on the side of the road are presumably private, even if possibly exposed to other people in limited contexts. As a result, state courts began issuing opinions disagreeing with these Supreme Court decisions and interpreting their state constitutions to provide stronger privacy protections than the Fourth Amendment. In states like Florida, Pennsylvania and Utah, customers have an expectation of privacy in their bank records. Residents of California, Colorado and Illinois have an expectation of privacy in their phone records. And in Hawaii, New Hampshire and New Mexico, people have an expectation of privacy in the garbage they leave for pickup.

Taken together, approximately 36 percent of the United States population has an expectation of privacy in either their bank records, phone records or garbage under state law. Residents of California and New Jersey—approximately 47 million people—have an expectation of privacy in all three.

Smith in the 21st Century

It’s doubtful the justices would have predicted that their narrow decision upholding the warrantless collection of the phone numbers one person dialed over three days would be stretched to justify forms of electronic surveillance that would have been the stuff of science fiction in 1979. Unfortunately, Smith has been used to justify all sorts of surveillance, from the FBI seeking Twitter account information and the police tracking a cell phone’s past locations to the NSA’s bulk collection of telephone metadata and Internet communications.

But as technology that creates and collects vast amounts of data about those who use it becomes commonplace, courts are starting to push back.

In 2007, the New Jersey Supreme Court ruled people have an expectation of privacy in Internet subscriber records. In 2010, the federal Sixth Circuit Court of Appeals—which includes Kentucky, Michigan, Ohio and Tennessee—ruled in United States v. Warshak that people have an expectation of privacy in email stored with an online service provider.

Then in 2012, Supreme Court Justice Sonia Sotomayor’s concurring opinion in United States v. Jones, which involved the constitutionality of installing a GPS device onto a car, sent a strong signal to courts that it was time to “reconsider” Smith. She found the idea that people have no expectation of privacy in information they turn over to others was “ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.”

After Jones, state and federal courts have increasingly rejected the government’s attempts to extend Smith to new forms of data. Just last week, the Eleventh Circuit Court of Appeals—which covers Alabama, Florida and Georgia—ruled in United States v. Davis that people have an expectation of privacy in “even one point of cell site location data.” Disagreeing with a 2013 decision from the Fifth Circuit Court of Appeals, it distinguished Smith by noting that cell phone users don’t voluntarily convey their location because they don’t realize their location will be revealed to the cell phone company when they make a call, and because users have no choice about what information they reveal when they receive a call from someone else. The state courts of Massachusetts and New Jersey reached the same result under their state constitutions. Several states have passed legislation that requires police to obtain a search warrant to track a person’s location through their cell phone. And it’s likely that in states like California, where there is an expectation of privacy in dialed phone numbers, people would also have an expectation of privacy in cell site location info too.

When it comes to using Smith to justify the NSA’s bulk collection of phone records, courts have issued conflicting opinions. A New York federal judge ruled the program was constitutional under Smith while another federal judge in DC, Judge Richard Leon, ruled the seizure of phone records was likely unconstitutional, noting it was foolish to compare the limited use of the pen register in Smith with the NSA’s enormous data collection. Most recently, a federal judge in Idaho reviewing the NSA’s phone records program believed it was bound to follow Smith but hoped that Judge Leon’s opinion would “serve as a template for a Supreme Court opinion.”

Not All or Nothing

Despite these varying standards, it’s clear that Justice Marshall was correct in his Smith dissent when he noted that privacy is not an all or nothing commodity. Most Americans expect their bank records or the phone numbers they dial are private, and many Americans live in states that provide constitutional protection to that information. An increasing number of law enforcement agencies throughout the United States must use a search warrant to get cell site records from a cell phone company under state and, increasingly, federal law.

Ultimately, as more people have a subjective expectation of privacy in information exposed to others, these expectations also become ones that society is prepared to accept as reasonable. And if that’s the case, then the Fourth Amendment should recognize that expectation of privacy as reasonable too. In other words, as more people do have an expectation of privacy in information they’ve turned over to third parties, it’s the Smith decision, and not the expectation of privacy, that becomes unreasonable.

EFF: Wants You To Help Defeat The NSA

This post, written by activist Nadia Kayyali, was originally published on the EFF website.

The NSA may seem like an intimidating giant, but it has a serious Achilles’ heel—the enormous budget it claims from taxpayer dollars every year. While change to the actual words of the laws that govern NSA surveillance seems to be a difficult task, a group of representatives have decided to take the battle to the bank.

Within the next few days, the House of Representatives will be considering the 2015 Department of Defense Appropriations bill, H.R. 4870. Rep. Thomas Massie and Rep. Zoe Lofgren have introduced a bipartisan amendment to the bill to prohibit use of appropriated funds for certain types of surveillance, creating real change to NSA spying. The amendment has the support of civil liberties advocates and Internet companies. But the House needs to hear from you. Tell your representative to vote yes on the Massie-Lofgren amendment.

How is this unfolding? Every year, Congress votes on the Defense Appropriations Act, which funds the Department of Defense. Every year, this bill also makes substantive policy through prohibiting or placing conditions on funding.

Last year, a bipartisan group of representatives introduced the so-called “Amash amendment” (named after co-sponsor Rep. Justin Amash) that would’ve prohibited funding for Section 215 bulk collection of telephone records, instead limiting collection to “tangible things that pertain to a person who is the subject of an investigation.” Though it garnered incredibly strong support from both sides of the aisle, the Amash amendment did not pass. The final vote was very close: 205 in favor, 217 against. In other words, if just seven representatives had changed their votes from “no” to “yes,” the amendment would’ve passed.

Fortunately, after more than a year of disturbing NSA revelations, civil liberties defenders in Congress are taking another stab at severing funding for mass spying. The 2015 Defense Appropriations bill is on its way to the full House and an exciting amendment that would limit use of funds for some of the worst NSA abuses will be up for a vote.

The USA FREEDOM debate has focused on Section 215, but there are other problems with NSA spying. In particular, NSA collects contents of communications under Section 702 of the FISA Amendments Act, and has acknowledged that it searches this information without a warrant for the communications of Americans (a practice known as “backdoor searches”). Furthermore, leaked documents have shown that the NSA was engineering backdoors into products and services, from encryption software to online communications tools like Skype—something that weakens the Internet and American business. The Massie-Lofgren amendment would prohibit use of the bill’s funds for both of these purposes.

The vote last year showed us that this amendment truly does have a chance to pass. Seven flipped votes is nothing, in Congressional terms. And where might those seven votes come from? It could be from either party. A look at the numbers shows support for the Amash amendment crossed party lines—the ayes were 94 Republican and 111 Democrat. The votes against, though, came reliably from NSA defenders like Reps. Mike Rogers and Nancy Pelosi.

That’s why you need to contact your representative now. Regardless of what party your representative belongs to, they need to know that NSA reform—in the form of the Massie-Lofgren amendment—is a key issue. This is not about political parties. It is about respecting the Constitution, and protecting privacy and civil liberties.

The vote happens within the next few days. There isn’t time to send emails. If you want your Representative to support this amendment, you must call rather than email. Call now.

Flawed Priorities Reflected In Updated U.S. ‘Trade Objectives’

This analysis was written by Maira Sutton, a global policy analyst at the Electronic Frontier Foundation.

The Office of the United States Trade Representative published its updated objectives for the Trans-Pacific Partnership (TPP) agreement, including its priorities in the Intellectual Property (IP) chapter of the multilateral trade agreement. Its new objectives in copyright enforcement mostly contain some vague rhetorical changes while continuing to bolster bloated claims about the necessity of IP enforcement for the U.S. economy without any commitment to protecting users’ rights. The U.S. Trade Rep’s language reflects the underlying, ongoing problem with the executive agency’s misplaced priorities on negotiating international trade deals.

Exaggerated Claims of Importance of “IP-Intensive Industries”

The U.S. Trade Rep starts off the “Intellectual Property” section by claiming how vital its enforcement is to economic growth and jobs by citing a dubious 2-year-old report from the U.S. Patent Trade Office (USPTO). This report, called Intellectual Property and the U.S. Economy: Industries in Focus, is often referenced by State officials to claim how reliant the U.S. economy is on copyrights and patents.

For starters, the USPTO defines any “IP-intensive” job to cover anything that remotely benefits from copyright, patent, or trademark protection. Under this definition, bagging at a grocery store, repairing cars, or even manufacturing can all be deemed jobs that are protected by IP. It goes on to say that such jobs that are “directly or indirectly attributable” to intellectual property “pay higher wages to their workers” without citing evidence. Unless the folks at the U.S. Trade Rep’s office know of some particularly well-paid workers at U.S. grocery stores, we’re going to call foul on this claim. Where is the data that backs this sweeping statement?

Such inflated statements reflect one of the biggest problems with the U.S. Trade Rep: they continue to justify expanding copyright and patent enforcement without any grounding in factual analysis of their policies. Of course, these grandiose statements of public benefit are only used to thinly veil the actual beneficiaries of their policies: the big, corporate rightsholders who are influencing the priorities of the U.S. Trade Rep.

Restrictive Definition of Fair Use

As we have seen from the leaked November 2013 draft text of the “Intellectual Property” chapter, the agreement holds weak safeguards for fair use rights in the form of a restrictive “Three-Step Test” system, which can be used to limit how countries establish rights for users to use, modify, and access copyrighted works.

It is welcome that the U.S. Trade Rep is explicit about seeking any sort of fair use rights for users. But the language here reveals the trade office’s position that a “balance” in copyright systems can be achieved by simply having an enumerated list of exceptions to the overarching rule that creative works are locked up and controlled by rightsholders. Since their first priority is the “strong protection for patents, trademarks, [and] copyrights,” it seems the U.S. Trade Rep itself should also call for the explicit defense of users’ rights against the encroachment of over-expansive IP rights so it itself maintains a balance of priorities.

Selective Transparency for “Intellectual Property” Issues

Strangely, it commits to promoting “transparency and due process,” but only with respect to “trademarks and geographical indications.” Are they admitting that they do not seek the same principles when it comes to copyrights and patents? Based upon the November 2013 leak, the U.S. Trade Rep already fails to uphold these values in its proposed texts on Internet Service Provider (ISP) liability provisions and digital rights management (DRM). They have been calling for draconian measures for private firms and law enforcement to crack down on users’ activities, often without a requirement of judicial oversight or disclosure of takedown processes.

Safeguards in its ISP Liability and DRM Proposals

The last listed priority does give us the tiniest glimmer of hope that the U.S. Trade Rep is taking into consideration the concerns of start-ups and new tech businesses. They now claim to seek safe harbor protections for ISPs and provisions over technological protection measures (aka DRM) that will “foster new business models and legitimate commerce in the digital environment.” Although vague, it is reassuring that they are at least giving acknowledgement to creators and innovators who are threatened by existing copyright enforcement measures. In this case too, the last leaked text revealed that the U.S. Trade Rep’s proposals are still vastly inconsistent with this particular priority.

~

All in all, these updated IP objectives reflect a subtle positive shift in the U.S. Trade Rep’s rhetoric around copyright and patent enforcement in acknowledging that there must be some sort of balance in their proposals. But none of this matters if it is not reflected in the proposals they are pushing forth in the TPP negotiations. There’s no way of confirming whether the U.S. Trade Rep is upholding these priorities until it conducts its policymaking transparently and reveals the text to the public—unless of course, there is another leaked draft. This secrecy and lack of oversight has been, and continues to be, the fundamental curse that undermines the legitimacy of TPP and similar trade deals.

There are now several reports that the next TPP negotiation round will be held in Vancouver from July 3-12. This will be an opportunity for the U.S. Trade Rep to re-think its approach to copyright and patent policies, and to uphold some of these stated new priorities that include other considerations beyond the narrow, relentless objective of enforcing rightsholders’ monopolistic control over creative works. Given the U.S. Trade Rep’s shameful history of acting on behalf of corporate interests at the expense of the public interest however, we won’t be holding our breath.

EFF: On 6/5, 65 Things We Know About NSA Surveillance That We Didn’t Know a Year Ago

This post, written by Electronic Frontier Foundation activist Nadia Kayyali and international rights director Katitza Rodriguez, originally appeared on EFF’s website on June 5.

It’s been one year since The Guardian first published the Foreign Intelligence Surveillance Court order, leaked by former National Security Agency contractor Edward Snowden, that demonstrated that the NSA was conducting dragnet surveillance on millions of innocent people. Since then, the onslaught of disturbing revelations — from disclosures, admissions from government officials, Freedom of Information Act requests and lawsuits — has been nonstop. On the anniversary of that first leak, here are 65 things we know about NSA spying that we did not know a year ago:

1. We saw an example of the court orders that authorize the NSA to collect virtually every phone call record in the United States — that’s who you call, who calls you, when, for how long and sometimes where.

2. We saw NSA PowerPoint slides documenting how the NSA conducts “upstream” collection, gathering intelligence information directly from the infrastructure of telecommunications providers.

3. The NSA has created a “content dragnet” by asserting that it can intercept not only communications where a target is a party to a communication but also communications “about a target, even if the target isn’t a party to the communication.”

4. The NSA has confirmed that it is searching data collected under Section 702 of the FISA Amendments Act to access Americans’ communications without a warrant, in what Senator Ron Wyden called the “back door search loophole.”

5. Although the NSA has repeatedly stated it does not target Americans, its own documents show that searches of data collected under Section 702 are designed simply to determine with 51 percent confidence a target’s “foreignness.”

6. If the NSA does not determine a target’s foreignness, it will not stop spying on that target. Instead, the NSA will presume that target to be foreign unless the target “can be positively identified as a United States person.”

7. A leaked internal NSA audit detailed 2,776 violations of rules or court orders in just a one-year period.

8. Hackers at the NSA target sysadmins, regardless of the fact that these sysadmins themselves may be completely innocent of any wrongdoing.

9. The NSA and CIA infiltrated games and online communities like “World of Warcraft” and Second Life to gather data and conduct surveillance.

10. The government has destroyed evidence in the Electronic Frontier Foundation’s cases against NSA spying. This is incredibly ironic, considering that the government has also claimed EFF’s clients need this evidence to prove standing.

11. Director of National Intelligence James Clapper lied to Congress when asked directly by Senator Ron Wyden whether the NSA was gathering any sort of data on millions of Americans.

12. Microsoft, like other companies, has cooperated closely with the FBI to allow the NSA to “circumvent its encryption and gain access to users’ data.”

13. The intelligence budget in 2013 alone was $52.6 billion. This number was revealed by a leaked document, not by the government. Of that budget, $10.8 billion went to the NSA. That’s approximately $167 per person in the United States.

14. The FISC has issued orders that allow the NSA to share raw data — without personally identifying information stripped out — with the FBI, CIA, and the National Counterterrorism Center.

15. Pursuant to a memorandum of understanding, the NSA regularly shares raw data with Israel without stripping out personally identifying information about U.S. persons.

16. The Snowden disclosures have made it clear the Barack Obama Administration misled the Supreme Court about key issues in American Civil Liberties Union’s case against NSA spying, Clapper v. Amnesty International, leading to the dismissal of the case for lack of standing.

17. The NSA “hacked into Al Jazeera’s internal communications system.” NSA documents stated that “selected targets had ‘high potential as sources of intelligence.’”

18. The NSA used supposedly anonymous Google cookies as beacons for surveillance, helping it to track individual users.

19. The NSA “intercepts ‘millions of images per day’ — including about 55,000 ‘facial recognition quality images’” and processes them with powerful facial recognition software.

20. The NSA facial recognition program “can now compare spy satellite photographs with intercepted personal photographs taken outdoors to determine the location.”

21. Although most NSA reform has focused on Section 215 of the PATRIOT Act, and most advocates have also pushed for reform of Section 702 of the FISA Amendments Act, some of the worst NSA spying happens under the authority of Executive Order 12333, which Obama could repeal or modify today.

22. The NSA collected Americans’ cellphone location information for two years as part of a pilot project to see how it could use such information in its massive databases.

23. In one month, March 2013, the NSA collected 97 billion pieces of intelligence from computer networks worldwide, including 3 billion pieces of intelligence from U.S. computer networks.

24. The NSA has targeted Tor, a set of tools that allow Internet users to browse the Internet anonymously.

25. The NSA program MUSCULAR infiltrates links between the global data centers of technology companies such as Google and Yahoo. Many companies have responded to MUSCULAR by encrypting traffic over their internal networks.

26. The XKEYSCORE program analyzes emails, online chats and the browsing histories of millions of individuals anywhere in the world.

27. NSA undermines the encryption tools relied upon by ordinary users, companies, financial institutions, targets and non-targets as part of BULLRUN, an unparalleled effort to weaken the security of all Internet users, including you.

28. The NSA’s Dishfire operation has collected 200 million text messages daily from users around the globe, which can be used to extract valuable information such as location data, contact retrievals, credit card details, missed call alerts, roaming alerts (which indicate border crossings), electronic business cards, credit card payment notifications, travel itinerary alerts and meeting information.

29. Under the CO-TRAVELER operation, the U.S. collects location information from global cell towers, Wi-Fi and GPS hubs, which is then analyzed over time, in part in order to determine a target’s traveling companions.

30. A 2004 memo entitled “DEA-The ‘Other’ Warfighter” states that the Drug Enforcement Administration and the NSA “enjoy a vibrant two-way information-sharing relationship.”

31. When the DEA acts on information its Special Operations Division receives from the NSA, it cloaks the source of the information through “parallel construction,” going through the charade of recreating an imaginary investigation to hide the source of the tip, not only from the defendant, but from the court. This was intended to ensure that no court rules on the legality or scope of how NSA data is used in ordinary investigations.

32. The fruits of NSA surveillance routinely end up in the hands of the Internal Revenue Service. Like the DEA, the IRS uses parallel construction to cloak the source of the tip.

33. Even the President’s handpicked Privacy and Civil Liberties Oversight Board recommended that the government end Section 215 mass telephone records collection, because that collection is ineffective, illegal and likely unconstitutional.

34. The NSA has plans to infect potentially millions of computers with malware implants as part of its Tailored Access Operations.

35. The NSA had a secret $10 million contract with security firm RSA to create a “back door” in the company’s widely used encryption products.

36. The NSA tracked access to porn and gathered other sexually explicit information “as part of a proposed plan to harm the reputations of those whom the agency believes are radicalizing others through incendiary speeches.”

37. The NSA and its partners exploited mobile apps, such as the popular “Angry Birds” game, to access users’ private information such as location, home address, gender and more.

38. The Washington Post revealed that the NSA harvests “hundreds of millions of contact lists from personal email and instant messaging accounts around the world, many of them belonging to Americans.”

Many of the Snowden revelations have concerned the NSA’s activities overseas, as well as the activities of some of the NSA’s closest allies, such as its UK counterpart Government Communications Headquarters (GCHQ). Some of these have been cooperative ventures. In particular, the “Five Eyes” — the United States, New Zealand, Australia, the United Kingdom, and Canada — share citizen data among themselves, providing loopholes that might undermine national legislation.

39. The NSA paid its British counterpart GCHQ $155 million over the past three years “to secure access to and influence over Britain’s intelligence gathering programmes.”

40. The Guardian reported: “In one six-month period in 2008 alone, [GCHQ] collected webcam imagery — including substantial quantities of sexually explicit communications — from more than 1.8-million Yahoo user accounts globally.”

41. GCHQ used malware to compromise networks belonging to the Belgian telecommunications company Belgacom.

42. Major telecommunications companies including BT, Vodafone and Verizon Business have given GCHQ unlimited access to their fiber-optic cables.

43. GCHQ used distributed denial-of-service (DDoS) attacks and other methods to interrupt Anonymous and LulzSec communications, including communications of people not charged with any crime.

44. GCHQ’s Bude station monitored leaders from the EU, Germany and Israel. It also targeted non-governmental organizations such as Doctors of the World.

45. The NSA’s partner Down Under, the Australian Signals Directorate, has been implicated in breaches of attorney-client privileged communications, undermining a foundational principle of our shared criminal justice system.

46. Australian intelligence officials spied on the cellphones of Indonesian cabinet ministers and President Susilo Bambang.

47. In 2008, Australia offered to share its citizens’ raw information with intelligence partners.

48. The Communications Security Establishment Canada (CSEC) helped the NSA spy on political officials during the G-20 meeting in Canada.

49. CSEC and the Canadian Security Intelligence Service (CSIS) were recently rebuked by a Federal court judge for misleading him in a warrant application five years ago with respect to their use of Five Eyes resources in order to track Canadians abroad.

Ironically, some of the NSA’s operations have been targeted at countries that have worked directly with the agency in other instances. And some simply seemed unnecessary and disproportionate.  

50. NSA documents show that not all governments are clear about their own level of cooperation with the NSA. As The Intercept reports, “Few, if any, elected leaders have any knowledge of the surveillance.”

51. The NSA is intercepting, recording and archiving every single cellphone call in the Bahamas.

52. The NSA monitored phone calls of at least 35 world leaders.

53. The NSA spied on French diplomats in Washington and at the U.N.

54. The NSA hacked into Chinese company Huawei’s networks and stole its source code.

55. The NSA bugged EU embassies in both New York and Washington. It copied hard drives from the New York office of the EU, and tapped the internal computer network from the Washington embassies.

56. The NSA collected the metadata of more than 45 million Italian phone calls over a 30-day period. It also maintained monitoring sites in Rome and Milan.

57. The NSA stored data from approximately 500 million German communications connections per month.

58. The NSA collected data from more than 60 million Spanish telephone calls over a 30-day period in late 2012 and early 2013 and spied on members of the Spanish government.

59. The NSA collected data from more than 70 million French telephone calls over a 30-day period in late 2012 and early 2013.

60. The Hindu reported that, based on NSA documents: “In the overall list of countries spied on by NSA programs, India stands at fifth place.”

61. The NSA hacked into former Mexican President Felipe Calderon’s official email account.

62. The Guardian reported: “The NSA has, for years, systematically tapped into the Brazilian telecommunication network and indiscriminately intercepted, collected and stored the email and telephone records of millions of Brazilians.”

63. The NSA monitored emails (link in Portuguese), telephone calls and text messages of Brazilian President Dilma Rousseff and her top aides.

64. Germany’s intelligence agencies cooperated with the NSA and implemented the NSA’s XKeyscore program, while NSA was in turn spying on German leaders.

65. Norwegian daily Dagbladet reported (link in Norwegian) that the NSA acquired data on 33 million Norwegian cellphone calls in one 30-day period.

There’s no question that the international relationships Obama pledged to repair, as well as the confidence of the American people in their privacy and Constitutional rights, have been damaged by the NSA’s dragnet surveillance. But one year later, both the United States and international governments have not taken the steps necessary to ensure that this surveillance ends. That’s why everyone must take action: Contact your elected representative, join Reset the Net and learn about how international law applies to U.S. surveillance today. 

NSA Defenders Ought To Stop Making These Five Claims If They Wish To Remain Credible

This post, written by EFF legal director Cindy Cohn and activist Nadia Kayyali, originally appeared on the foundation’s website on June 2.

Over the past year, as the Snowden revelations have rolled out, the government and its apologists have developed a set of talking points about mass spying that the public has now heard over and over again. From the President, to Hillary Clinton to Rep. Mike Rogers, Sen. Dianne Feinstein and many others, the arguments are often eerily similar.

But as we approach the one year anniversary, it’s time to call out the key claims that have been thoroughly debunked and insist that the NSA apologists retire them.

So if you hear any one of these in the future, you can tell yourself straight up: “this person isn’t credible,” and look elsewhere for current information about the NSA spying. And if these are still in your talking points (you know who you are) it’s time to retire them if you want to remain credible. And next time, the talking points should stand the test of time.

1.  The NSA has Stopped 54 Terrorist Attacks with Mass Spying

The discredited claim

NSA defenders have thrown out many claims about how NSA surveillance has protected us from terrorists, including repeatedly declaring that it has thwarted 54 plots.  Rep. Mike Rogers says it often. Only weeks after the first Snowden leak, US President Barack Obama claimed: “We know of at least 50 threats that have been averted” because of the NSA’s spy powers. Former NSA Director Gen. Keith Alexander also repeatedly claimed that those programs thwarted 54 different attacks.

Others, including former Vice President Dick Cheney, have claimed that had the bulk spying programs been in place, the government could have stopped the 9/11 bombings, specifically noting that the government needed the program to locate Khalid al Mihdhar, a hijacker who was living in San Diego.

Why it’s not credible:

These claims have been thoroughly debunked.  First, the claim that the information stopped 54 terrorist plots fell completely apart.  In dramatic Congressional testimony, Sen. Leahy forced a formal retraction from NSA Director Alexander in October, 2013:

“Would you agree that the 54 cases that keep getting cited by the administration were not all plots, and of the 54, only 13 had some nexus to the U.S.?” Leahy said at the hearing. “Would you agree with that, yes or no?”

“Yes,” Alexander replied, without elaborating.

But that didn’t stop the apologists. We keep hearing the “54 plots” line to this day.

As for 9/11, sadly, the same is true.  The government did not need additional mass collection capabilities, like the mass phone records programs, to find al Mihdhar in San Diego.  As ProPublica noted, quoting Bob Graham, the former chair of the Senate Intelligence Committee:

U.S. intelligence agencies knew the identity of the hijacker in question, Saudi national Khalid al Mihdhar, long before 9/11 and had the ability to find him, but they failed to do so.

“There were plenty of opportunities without having to rely on this metadata system for the FBI and intelligence agencies to have located Mihdhar,” says former Senator Bob Graham, the Florida Democrat who extensively investigated 9/11 as chairman of the Senate’s intelligence committee.

Moreover, Peter Bergen and a team at the New America Foundation dug into the government’s claims about plots in America, including studying over 225 individuals recruited by al Qaeda and similar groups in the United States and charged with terrorism,  and concluded:

Our review of the government’s claims about the role that NSA “bulk” surveillance of phone and email communications records has had in keeping the United States safe from terrorism shows that these claims are overblown and even misleading…

When backed into a corner, the government’s apologists cite the capture of Zazi, the so-called New York subway bomber. However, in that case, the Associated Press reported that the government could have easily stopped the plot without the NSA program, under authorities that comply with the Constitution. Sens. Ron Wyden and Mark Udall have been saying this for a long time.

Both of the President’s hand-picked advisors on mass surveillance concur about the telephone records collection. The President’s Review Board issued a report in which it stated “the information contributed to terrorist investigations by the use of section 215 telephony meta-data was not essential to preventing attacks.” The Privacy and Civil Liberties Oversight Board (PCLOB) also issued a report in which it stated, “we have not identified a single instance involving a threat to the United States in which [bulk collection under Section 215 of the Patriot Act] made a concrete difference in the outcome of a counterterrorism investigation.”

And in an amicus brief in EFF’s case First Unitarian Church of Los Angeles v. the NSA, Sens. Ron Wyden, Mark Udall, and Martin Heinrich stated that, while the administration has claimed that bulk collection is necessary to prevent terrorism, they “have reviewed the bulk-collection program extensively, and none of the claims appears to hold up to scrutiny.”

Even former top NSA official John Inglis admitted that the phone records program has not stopped any terrorist attacks aimed at the US and at most, helped catch one guy who shipped about $8,000 to a Somalian group that the US has designated as a terrorist group but that has never even remotely been involved in any attacks aimed at the US.

2. Just collecting call detail records isn’t a big deal.

The discredited claim

The argument goes like this: Metadata can’t be privacy invasive, isn’t very useful and therefore its collection isn’t dangerous—so the Constitution shouldn’t protect it.  Even the President said, “what the intelligence community is doing is looking at phone numbers and durations of calls. They are not looking at people’s names, and they’re not looking at content”—as if that means there is no privacy protection for this information.

Why it’s not credible:

As former director of the NSA and CIA Michael Hayden recently admitted: “We kill people based on metadata.”  And former NSA General Counsel Stu Baker said: “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”

In fact, a Stanford study this year demonstrated exactly what you can reconstruct using metadata: “We were able to infer medical conditions, firearm ownership, and more, using solely phone metadata.” Metadata can show what your religion is, if you went to get an abortion, and other incredibly private details of your life.

3.  There Have Been No Abuses of Power

The discredited claim

President Obama stated in an interview that “there are no allegations, and I am very confident —knowing the NSA and how they operate — that purposefully somebody is out there trying to abuse this program…” And General Alexander stated in a speech that “We get all these allegations of [abuses of power] but when people check… they find zero times that that’s happened. And that’s no bullshit. Those are facts.”

Why it’s not credible:

We already have evidence of abuses of power. We know that NSA analysts were using their surveillance powers to track their ex-wives and husbands, and other love interests. They even had a name for it, LOVEINT. The FISA court has also cited the NSA for violating or ignoring court orders for years at a time. And those are just self-reported abuses – the only oversight that occurs is that the NSA investigates itself and reports on the honor system to Congress or the FISC about what it finds. A real independent investigation might reveal even more. Unfortunately, until we get something like a new Church Committee, we are unlikely to see such details.

4. Invading Privacy is Okay Because It’s Done to Prevent Terrorist Attacks

The discredited claim

We keep hearing the same thing: Surveillance is a “critical tool in protecting the nation from terror threats.” When we reform the NSA, it must be done in a way that “protect[s] the operational capability of a critical counterterrorism tool.” The implication is that stopping terrorist attacks is the government’s only goal.

Why it’s not credible:

We know that NSA surveillance is not used just for stopping terrorists and it’s not even just used for national security.

The Intercept recently revealed leaks detailing the NSA’s role in the “war on drugs”—in particular, a 2004 memo detailing how the NSA has redefined narcotics trafficking as a national security issue. We also know that the NSA feeds data to the DEA, where it ends up playing a part in ordinary law enforcement investigations. And internationally, the NSA engages in economic espionage and diplomatic spying, something detailed in Glenn Greenwald’s recent book No Place to Hide.

5. There’s Plenty of Oversight From Congress, the Foreign Intelligence Surveillance Court, and Agency Watchdogs

The discredited claim

We’ve repeatedly heard from the President and from NSA defenders like Sen. Dianne Feinstein and Rep. Mike Rogers that Congress knows all about NSA spying. Right after the first Snowden leak, President Obama said: “your duly elected representatives have been consistently informed on exactly what we’re doing.” We’ve also heard that a court has approved these programs, so we shouldn’t be concerned.

Why it’s not credible:

EFF and others have long documented that Congress has an incredibly hard time getting information about NSA spying. And it’s not just Congress. We learned a few months ago that the Department of Defense’s deputy Inspector General, in charge of Intelligence and Special Program Assessments, was not aware of the call detail collection program.

What’s more, the secretive Foreign Intelligence Surveillance Court (FISC) is completely incomparable to an ordinary adversarial court. It makes decisions in a vacuum, and it doesn’t always have complete information, much less a second adversarial voice or technical help. Its chief judge has said that it’s not equipped to conduct oversight. EFF recently had to tell the court that its Jewel v. NSA case even existed – the government had apparently decided that it didn’t have to. We also know that the FISC isn’t much of a block, since in 11 years “the court has denied just 10 applications, and modified several dozen, while approving more than 15,000.”

So why are we giving up our rights?

It’s time for NSA and its supporters to admit what we all know is true: what is at stake in this debate is the simple ability for any of us—in the US or around the world—to be able to use the Internet without fear of surveillance. They continue to be willing to overstate their case in order to scare us into allowing them to continue to “collect it all.” But the American people are getting wise and the media are increasingly double-checking their claims. As a result, more Americans than ever now say that the NSA has gone too far and those tired old stories are starting to wear thin.

That’s why it’s time to tell Congress that these excuses won’t work anymore. Right now, Congress is considering legislation that could be a first step to reining in NSA mass spying. But there’s a contentious political battle taking place on Capitol Hill, with NSA defenders pushing a weaker version of the reform bill while civil liberties groups campaign for powerful reform. Please add your voice and call on the Senate to pass real NSA reform.