Amanda Lynch
Even before Edward Snowden called a press conference using a Lavabit email address, the FBI was interested in the secure email service. Lavabit founder Ladar Levison tried to cater to the savvy consumer: providing private communication in a market where participants are increasingly aware of the government’s access to their data. However, Levison shuttered his email service in August, after receiving a search warrant from the FBI compelling him to turn over Lavabit’s SSL encryption keys. These keys would have exposed not only Snowden’s data, but also that of 400,000 other users. As Levison said of the FBI in a recent talk, “They didn’t understand the industry implications.” Levison’s case is now before the Fourth Circuit, suggesting not only commercial but also legal implications.
In a free market system, people can choose companies that embody their preferences. In theory, preferring Internet companies with norms and practices that protect user information should pressure competitors into offering similar options. But when no company can prevent the government from accessing their records, consumers are robbed of this power. Nearly unfettered government access to information stored by third party, commercial entities has deflated whatever market for privacy might have resulted from recent widespread media coverage of this access.
So long as the government can compel commercial providers to provide users’ metadata, and in some cases the content of their communications, assurances of privacy ring hollow. This is particularly true for those companies with shareholders to answer to, which are unlikely to follow Lavabit’s lead and symbolically exit the market, no matter how libertarian their public posture. Major Internet companies are also unlikely to scale back the personal data they collect, given that the business models of Google, Facebook, and other public companies rely on information about users’ locations and browsing habits to enable the targeted advertising that brings in their revenue. Under the current system, all of this aggregated information is fair game if the government can produce the right request.
In short, the market for privacy is broken. While there is demand, the supply is compromised. Understanding the mechanisms by which the government compels access to consumer information may be helpful in understanding, and eventually combating, the limitations on this market. The government gains access to consumer data, in large part, under the FISA Amendments Act, Section 215 of the PATRIOT Act, and National Security Letter provisions.
Originally passed in 2008, Section 702 of the FISA Amendments Act (FAA) allowed government surveillance of persons “reasonably believed to be located outside the United States” without an individualized court order. In effect, it legalized a version of President Bush’s warrantless wiretapping program, and loosened the limitations on surveillance included in the Foreign Intelligence Surveillance Act of 1978 (FISA). It was reauthorized in 2012 for five more years. Section 702 permits the Attorney General and Director of National Intelligence to jointly authorize targeting of non-US persons without a probable cause warrant. They must secure approval from the Foreign Intelligence Surveillance Court, or jointly determine that “exigent circumstances” exist to begin surveillance. Under exigent circumstances, information gathering can begin before explicit approval by the Court. Otherwise, the AG and DNI must submit certification, targeting, and minimization procedures to the Court, which decides on the face of the claims whether they contain methods reasonably designed to prevent acquisition of communications where all parties are located in the U.S. The request need not include the specific parties or facilities where the investigation will be directed. If they seek stored electronic communications, they must also certify that they will acquire information with the assistance of an “electronic communication service provider.”
The FAA is considered the legal grounds for the NSA’s PRISM program, which collects intelligence from Internet companies like Google, Facebook, and Skype. The FISA Court must authorize the program once a year by secret order. Though the NSA’s requests must target “foreigners,” the program also “incidentally” collectsAmericans’ emails, chats, VOIP calls, metadata, and other information. NSA analysts select search terms and fill out an electronic form specifying the analyst’s foreign-intelligence goal and the grounds for “reasonable belief” that the search will not target U.S. citizens or persons located in the U.S. A second analyst must confirm this application. The search results are processed first by equipment installed at company sites, and then by NSA computers before they reach the analyst’s desk. The NSA usually destroys search results pertaining to Americans or persons in the U.S., but if the search results include U.S. communications relating to a foreign target, they can be kept. Minimization rules limit interagency sharing of communications by U.S. citizens or residents, but reports suggest that identities can be disclosed if the person in question is linked to a crime or has intelligence value. Yahoo challenged the legality of binding warrantless surveillance requests under PRISM, but the FISA court held that compliance was obligatory.
As there is currently no requirement that defendants be notified that the evidence used against them was obtained via warrantless surveillance under the FAA, there is little opportunity for remedial litigation. Last February, the Supreme Court denied a challenge to the FAA in Clapper v. Amnesty International. The Court held that the human rights, labor, and media organizations that sued did not have Article III standing to challenge the act, because they could not definitively show that they had been targeted by the secret surveillance procedure. Earlier this month, however, the DOJ agreed to notify a defendant that evidence against him was obtained via warrantless surveillance, likely opening the door to a new Fourth Amendment challenge.
The administration relies on another provision, Section 215 of the PATRIOT Act, to justify a separate information-gathering program—the collection of call detail records from telecommunications providers like Verizon. Under this provision, the FBI requests an order from the Foreign Intelligence Surveillance Court to compel the production of “tangible things” related to an investigation to “protect against international terrorism or clandestine intelligence activities.” The FBI must specify to the Court that the records sought are relevant to an authorized investigation. Once approved, these orders are served on telecom providers. Section 215 of the PATRIOT Act amended the “business records” provision of FISA, and the FISA court has since interpreted Section 215 to allow collection of all telephone call detail records, affirming that interpretation this October. The FISA court also held that the FBI need not “provide specific and articulable facts, demonstrate any connection to a particular suspect, nor show materiality when requesting business records” from the secret court, suggesting that the FBI is given an enormous amount of discretion.
Though surveillance requests through both programs require authorization from the Foreign Intelligence Surveillance Court, the process only debatably provides a check. Nearly 1,800 requests were approved by the court last year, leading to accusations that the court simply rubber stamps the vast majority of the requests that end up on its desk (by some accounts, all of them).
A third way that government agencies can access user data from private companies is through National Security Letters (NSLs). The FBI issues National Security Letters to gain access to service providers’ non-content records, accompanied by a gag order preventing the recipient from disclosing to anyone even that they have received a letter. They do not require prior approval of a judge. The power to issue NSLs was created in 1978 pursuant to the Right to Financial Privacy Act of 1978, and this power was greatly expanded by Section 505 of the PATRIOT Act. (For more on the history of National Security letters, see Andrew Neiland’s National Security Letters and the Amended PATRIOT Act.) After Doe v. Gonzales in 2006, NSL recipients are able to consult a lawyer and seek judicial review of the letter’s validity. The gag order provision is still in place, but the FBI must annually certify that this level of secrecy is necessary.
The Justice Department has documented the FBI’s abuse of National Security Letter power to target U.S. citizens, and in 2012, the FBI made 15, 229 requests for information about persons within the United States. In a March 2013 ruling, the District Court for the Northern District of California struck down as unconstitutional one of five statutes used to justify National Security letters, holding that it violated the First Amendment. The ruling has been stayed pending appeal, and NSLs continue to be enforced.
These programs all gain access to Internet and telecom companies’ aggregated data with their knowledge and (admittedly, sometimes forced) compliance. In contrast, the latest revealed NSA program, the aptly named MUSCULAR, gives the NSA backdoor access to Google and Yahoo’s internal networks as they pass through offshore data centers. It appears that companies were unaware that the government had tapped into their clouds, and Google is now racing to encrypt the links between its data centers.
Though Internet companies have always maintained an adversarial tone towards the government, intelligence-gathering efforts like MUSCULAR, which circumvent these companies’ security measures, may align consumer and company incentives more closely. Recent polling suggests that Americans are now more concerned that national security policies restrict their civil liberties than they are about protection from terrorist attacks. Mainstream providers like Google are now in an open encryption race with the U.S. government. Last Thursday, Google and other tech companies sent a letter to members of the Senate Judiciary Committee urging transparency and reform of surveillance practices. In addition, consumers can anticipate the “Dark Mail Alliance,” a joint enterprise between Lavabit and Silent Circle, another privacy-minded company that shut down in August to avoid exposing its users to government surveillance.
Nevertheless, a robust market for privacy in the long run will depend on greater transparency and policy changes. Challenges in the courts and Congress, already underway, can do more to encourage privacy than the encryption race and other features of the free market ever will. And when concerned citizens and companies work jointly to mount these challenges, they will have a better chance of succeeding.