President's review board says: protect thy neighbor’s privacy

[Editor’s Note: _Just Security_ is holding a “mini forum” on the Report by the President’s Review Group on Intelligence and Communications Technologies. Others in the series include a post

by Marty Lederman analyzing the Report’s highlights, a post by Julian Sanchez examining the scope of the NSA’s section 702 program, a post by David Cole and Marty Lederman analyzing how

metadata is used under section 215, a post by Ryan Goodman discussing the effectiveness of the section 215 metadata program, and a follow-up post by Jennifer Granick, subsequent to the one

below, examining the implications for non-US persons.]   Today’s report from the President’s Review Group on Intelligence and Communications Technologies–“Liberty And Security In A Changing

World”—is impressive in a number of ways.  Importantly, it pushes consideration of the privacy and civil liberties rights of non-U.S. persons into the policy debate.  In particular, the

Board suggests–among other recommendations–that surveillance of foreigners: * must be directed exclusively at protecting national security interests of the United States or our allies; *

must not target any non-United States person based solely on that person’s political views or religious convictions; and * must not disseminate information about non-United States persons if

the information is not relevant to protecting the national security of the United States or our allies. Old-school national security wonks commonly express disdain for the idea that the

U.S. should respect the rights of non-citizens.  And until today, even valuable proposals to reform FISA have not hit hard enough at overseas collection and mass surveillance of foreigners.

This omission is short sighted. Foreigners’ privacy is essential to American interests. We’ve learned that National Security Agency (NSA) practices which purportedly target foreigners

nevertheless directly harm Americans’ privacy.  This is because, as the Review Board says, “traditional distinctions between ‘foreign’ and ‘domestic’ are far less clear … than in the past,

now that the same communications devices, software, and networks are used globally by friends and foes alike.” One example of this phenomenon is collection under section 702 of the FISA

Amendments Act, which “incidentally” acquires untold numbers of Americans’ one-end foreign communications. The statute allows warrantless collection of Americans’ one end foreign

communications that are to, from, or about the target. And, the PRISM/section 702 program is only designed to ensure 51% confidence in the target’s foreignness. Since the program acquired

250 million communication transactions in a single year, statistically, hundreds of millions of those communications could belong to U.S. persons. Once collected, the NSA uses American

identifiers to warrantlessly search its databases for incidentally collected U.S. person communications, a practice Senator Ron Wyden (D-OR) has dubbed “back door searches.” Also, the

collection technology NSA uses “inadvertently” grabs tens of thousands of off-limits purely domestic messages. With all this in mind, the Review Group’s conclusion that section 702 “does not

adequately protect the legitimate privacy interests of United States persons when their communications are incidentally acquired …” is most certainly true. Overseas collection suffers from

the same kind of failure.  The NSA gathers hundreds of millions of address books and contact lists from people around the world, including some Americans. NSA access to unencrypted

information flowing between Google and Microsoft data centers puts the agency in a position to collect information from hundreds of millions of user accounts, including those belonging to

Americans, at will. Thus, Americans’ privacy rights rise and fall with those of foreigners, and far more foreigners than ever before are subject to NSA surveillance.  That is because in the

original version of FISA, individuals could only be targeted if they were “agents of foreign powers.” But the 2008 FISA Amendment Act did away with that limitation. Thus, FISA as it now

stands authorizes warrantless surveillance of any non-U.S. individual reasonably believed to be located abroad, allowing for the interception of the most private kind of information so long

as it “relates to” U.S. foreign affairs. It’s disturbing that NSA targets can include regular people, not just those who are agents of foreign powers, that the surveillance purpose is not

limited to national security, and that, while analysts provide their foreign intelligence purpose when selecting the target, the rationale is just one short sentence. A Christopher Sprigman

and I said back in June, unfettered surveillance of foreigners is bad for U.S. business and a blow to free expression and democracy movements around the world. Without question, the role of

Internet firms, especially those based in America, is a net plus for democracy abroad. Yet, unfettered spying has driven the EU to call for localization of services, which plays right into

the hands of nations who want more control over the Internet within their own borders in order to censor, spy on, and control their citizens. For these reasons, the Review Board’s

recommendations on protecting the civil liberties of non-US persons—a relatively new aspect of the policy discussion—is incredibly welcome.