Tag Archives: FISA

Section 702 Renewal Could Have Huge Negative Impact on Business

As I said in an earlier post, after 9-11 Congress passed some major new surveillance laws.  The idea was to increase surveillance in a move to try and find more terrorists.  Congress also wasn’t completely sold on the idea, so the law sunsets every few years and Congress has to renew it.  This is one of those renewal years.

But there is a wrinkle.  Congress is still not sold on the idea.  The law was set to expire at the end of December and rather than allowing it to lapse while they were on vacation, Congress renewed the law prior to leaving town.  Renewed that is, for four weeks.  The law is set to expire, again, next week.

There are several bills in various stages of approval that range from a permanent renewal with no restrictions to a limited renewal with restrictions.

Apparently one of the sticking points is something called “About” collection.  This was abandoned last year, but some of the bills in Congress now reincarnate it.  About collection, some say, is a back door to allow the FBI via the NSA to collect information ABOUT Americans without a warrant, using some sleight of hand saying the information was collected incidental to someone or something they were interested ABOUT.

Congress has 9 days to either figure it out or kick the can down the road.  Again.

But here is the negative business impact.

For U.S. companies that do business in Europe, many of them, especially smaller ones, need to be able to bring that data back to the United States.  Due to Europe’s much stricter privacy laws, they can’t do this unless they agree to offer E.U. citizens the same protections that they would get in Europe.  Enter Privacy Shield, son of Safe Harbor.  Privacy Shield is an agreement between the U.S. government and the E.U. government regarding what we will and will not do with respect to protecting E.U. citizens’ privacy.  About 2,400 U.S. companies currently follow the Privacy Shield agreement and more are in process.

But the E.U. lawmakers are not very fond of Section 702.  In fact, they have said so publicly.  In fact, they have threatened to go to E.U. court to have Privacy Shield declared null and void.

And that is exactly what will likely happen (and did happen to Safe Harbor) if the U.S. extends Section 702 as is.

I am not clear that some U.S. Senators and Congresspeople understand that;  they would much rather deal in crisis.

So here is one possible outcome.  Congress renews Section 702 with no reforms, the E.U. goes to court and gets Privacy Shield declared unconstitutional and American businesses get to scramble to figure out how to continue to do business in Europe.  This is worth billions to U.S. businesses.

It probably won’t be that bad.  The court will probably give the U.S. 6-12 months to figure out a solution.  Then bureaucrats in the U.S. and E.U. will need to try and figure out how to deal with it and Congress may have to amend Section 702.

Alternatively, Congress could be proactive.  Not. Counting. On. That.

If you sell into Europe, you might want to contact your Congress-critters.

Otherwise, get some popcorn and watch the fun.

Information for this post came from The Hill.


FISA Court Affirms FBI Does NOT Need A Warrant To Read Your EMail

The Foreign Intelligence Surveillance Court or FISA Court has affirmed that the Feds do not need a warrant to search your email.  Of course, if that email is encrypted – not like GMail, but with real encryption – then while they may have the FISA court’s permission to look at it, they will have to figure out how to decrypt it first.

FISA Court Judge Thomas Hogan, in an opinion from last November that was recently declassified, said that Section 702 of the Patriot Act, including as amended by the FISA Amendments Act, allows the government to keep any emails from American citizens that they hoover up as part of their mass data collection if that email is evidence of a crime.  Evidence of a crime is a pretty low bar.  After all, a lot of evidence would never convince a jury of anything.

This confirms a couple of things.

First, you should not say incriminating things in email.  To me, this falls into the “DUH!” category.

And second, Section 702 of the FISA Amendments Act allows the government to hoover up a lot of email and keep it and share it if they think it could be evidence of a crime.

The implication of this is that if you expect your email to be private, that would require extraordinary steps on your part to make sure that it is.

In that same opinion, the judge criticized the NSA for not destroying old surveillance data in spite of rules that require them to do that.

“Perhaps,” Judge Hogan wrote, “more disappointing than the NSA’s failure to purge this information for more than four years, was the Government’s failure to convey to the Court, explicitly during that time that the NSA was continuing to retain this information.”

Let me translate that to English.

Ye Olde Judge is pissed that the NSA lied to him when they certified that they were complying with the rules for Section 702,  when in fact, they were not compliant.  I am gathering that the judge is saying that this was not an oopsie.

The NSA replied to the ruling by issuing a statement from ODNI Director James Clapper that said “prior representations could have been clearer” – i.e., we lied and got caught at it.  My bad.  Sorry.

And some people are wondering why some citizens don’t trust the government.  Seems pretty clear why some people don’t trust the government.

Information for this post came from SC Magazine.


HR 4681 and government surveillance

HR 4681, the Intelligence Authorization Act for FY 2015, was signed into law on December 19th, 2014 and provides funding for the intelligence community until next September.  The bill, now law, contains one section – section 309 – that deals with the collection, retention and sharing of information collected by the intelligence community.  Because Congress wanted to get out of D.C., this bill was not debated and it was voted on under a rules suspension that is used to push through non-controversial bills.  Since no one wants to appear soft on terrorism, this bill fit into that category and it passed 325-100.

Section 309 was an effort to curtail some of the practices of mass data collection and retention of the intelligence community, but it seems to have a lot of wiggle room.  The text of the bill can be found here.

Interestingly, most of the intelligence community's data collection is not done under the Patriot Act or the Foreign Intelligence Surveillance Act, but rather, under a very dusty executive order that President Reagan signed in 1981 called EO 12333.  A primer on the EO is available here.  Since EOs are written by the executive branch with no oversight by Congress, they tend to formalize what the executive branch wants to do anyway and are typically one-sided.   It covers, among other things, mass data collection and the minimization of data collected on U.S. citizens.  Those rules are currently covered by a document called USSID SP0018 which is available here.  In the preface it says that they need to balance the rights under the 4th amendment to the US Constitution against the needs of the government to collect intelligence.  In concept that makes sense, but in the case of both the EO and the USSID, the fox is squarely in charge of guarding the hen house.  EFF, a privacy watchdog, created a primer on it, which is linked to above and suggests that there are a lot of loopholes in these documents which allow for over collection, over retention and not much oversight.  Section 309 was an attempt to begin to rein in some of those activities.

Since Congress did not take the time to debate this bill, there was not much consideration of what section 309 formally codifies.  For the first time, there is a law that says that the intelligence community can collect, share and retain information on U.S. citizens.

It is a start.  Section 309:

  • It defines a covered communication as any electronic or telephone communication collected without the consent of a (only one) party to the communication.
  • It requires that the heads of each part of the intelligence community create policies approved by the Attorney General within the next two years describing how they are going to comply with Section 309.  That means that nothing is likely to change for at least two years and Congress won’t review these procedures.
  • That intelligence collected (including mass intelligence) can only be kept for 5 years unless the fox guarding the hen house decides – in compliance with these procedures that are going to be written in the next two years – that it is (a) foreign intelligence, (b) reasonably believed to be evidence of a crime, (c) encrypted, (d) all parties are reasonably believed to be non US citizens, (e) retention is necessary to protect against an imminent threat to human life (in which case they have to tell Congress about it later), (f) retention is necessary for technical assurance or compliance reasons (in which case they have to write a dusty report every year to the Senate and House Intelligence Committees) or (g) the head of an intelligence community element decides it is necessary to protect the national security (in which case they have to report on some unstated frequency to the intelligence committees again).

So while section 309 is a reasonable start, it appears that there is a lot of wiggle room and, for the first time, legally says that the intelligence community can keep encrypted communications forever and that if they think the intercepted communication is reasonably believed to be evidence of a crime, they can share it with unspecified law enforcement agencies, without a warrant and with no guidelines as to what reasonable means.  It also creates a process to keep that intelligence forever if someone thinks it is important.

There is clearly no room for abuse in section 309.  So, while I think this is a good start, we are definitely nowhere near done yet.




