​By the end of 2023, Congress must decide whether to reauthorize Section 702 of the Foreign Intelligence Surveillance Act. Section 702 was intended to provide U.S. agencies with the authority to collect foreign intelligence. Unfortunately, for over a decade agencies have abused this authority to an extreme degree, using loopholes in Section 702 to conduct warrantless surveillance on millions of everyday Americans.
 
A report published by ODNI in April 2022 disclosed that, in 2021 alone, the FBI conducted as many as 3.3 million searches of Section 702-derived data for information about Americans' communications. And in 2018, Foreign Intelligence Surveillance Court (FISC) Judge James Boasberg rebuked the FBI for improper use of 702 databases against Americans. The FISC also revealed that the FBI has used warrantless NSA data in a wide range of cases involving purely domestic issues.
 
Such a system is worse than broken: it is assembling the elements for a pervasive, unaccountable surveillance state. Congress should not reauthorize Section 702 without making significant reforms to ensure these abuses end once and for all.
 
Specifically, legislation to reauthorize Section 702 should ensure compliance with these key principles:

1. Any surveillance of Americans should be undertaken only pursuant to a statute, duly enacted by the people’s representatives in Congress.  
   
   
2. Any surveillance of Americans should be undertaken only pursuant to a probable cause judicial warrant.  
   
   
3. Any surveillance of Americans should be subject to adequate mechanisms—in both Congress and the judiciary—to ensure accountability for compliance with governing law.  
   ​
4. “Surveillance” should be defined broadly, to include (among other things) data purchases, searches of databases compiled by governments, and searches of private records held by third parties.  

These principles are critical to protecting Americans’ privacy and civil liberties. We must end the pervasive abuse of Section 702 and other surveillance authorities.

​PPSA recently reported that the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), in a response to our Freedom of Information Act (FOIA) request, downplayed its use of stingrays, as cell-site simulators are commonly called. Yet one agency document revealed that stingrays are “used on almost a daily basis in the field.”
 
This was a critical insight into real-world practice. These cell-site simulators impersonate cell towers to track mobile device users. Stingray technology allows government agencies to collect huge volumes of personal information from many cellphones within a geofenced area.
 
We now have more to report with newly-released documents that, as before, include material for internal training of ATF agents. One of the most interesting findings is not what we can see, but what we can’t see – the parts of documents ATF takes pains to hide. The black ink covers a slide about the parts of the U.S. radio spectrum. Since this is a response to a FOIA request about stingrays, it is likely that the spectrum discussed concerns the frequencies telecom providers use for their cell towers. What appears to be a quotidian training course for agents on electronic communications has the title of the course redacted.
 
If that is so, was there something revealing about the course title that we are not allowed to see? Could it be “Stingrays for Dummies?”
 
The redactions also completely cover eleven pages about pre-mission planning. Do these pages reveal how ATF manages its legal obligations before using stingrays?
​
This course presentation ends somewhat tastelessly, a slide with a picture of a compromised cell-tower disguised as a palm tree. 
 
In the release of another tranche of ATF documents, forty-five pages are blacked out. It appears from the preceding email chain that these pages included subpoenas for a warrant executed with the New York Police Department. The document assigns any one of a pool of agents to “swear out” a premade affidavit to support the subpoena.
 
The ATF reveals it uses stingrays on aircraft, which requires a high level of administrative approval. It seems, however, from an ATF PowerPoint presentation that this is a policy change, which suggests that prior approvals were lax. Was this a reaction to the 2015 Department of Justice’s policy on cell-site simulators? If aerial surveillance now requires a search warrant, what was previously required – and how was such surveillance used? Was it used against whole groups of protestors?
 
Finally, the documents reveal that the ATF has had cell-site simulators in use in field divisions in major cities, including Chicago, Denver, Detroit, Houston, Kansas City, Los Angeles, Phoenix, and Tampa, as well as other cities.
 
PPSA will report more on ATF’s ongoing document dumps as they come in.

​The training manual of the Bureau of Alcohol, Tobacco, Firearms and Explosives states that cell-site simulators “do not function as a GPS locator, as they do not obtain or download any location information from the device or its applications.” This claim is disingenuous. It is true that exact latitude and longitude data are not taken. But by tricking a target’s phone into connecting and sending strength of signal data to a cell tower, the cell-site simulator allows the ATF to locate the cellphone user to within a very small area. If a target uses multiple cell-site simulators, agents can deduce his or her movements throughout the day.
 
Below is an example from a Drug Enforcement Agency document that shows how this technology can be used to locate a target (seen within the black cone) in a small area.

​The generation of children who grew up entranced by Dr. Seuss’s 1990 bestseller “Oh, the Places You’ll Go!” are now adults who are definitely going places – with every move tracked and recorded in multiple ways.
 
In the 2018 Carpenter case, the U.S. Supreme Court held that Americans have a reasonable expectation of privacy with respect to their historical location data. This expectation, the Court reasoned, requires a probable cause warrant under the Fourth Amendment before someone’s location history can be inspected by law enforcement. That sounds like a definitive ruling, but it wasn’t.
 
Law enforcement agencies expand legal loopholes and use legal tricks to get around this narrow opinion. For example, last year the Virginia Mercury news organization found that 18 police departments around the state accessed more than 7,000-days-worth of surveillance, often in pursuit of minor criminal cases. How did the police get around the Carpenter rule? By creating their very own assembly line for warrants. In another example, stingrays – cell-site simulators that mimic cell towers – are still used by at least 14 federal agencies and 75 state agencies to locate people. And, of course, our cars have become digital devices with GPS features that record our trips.
 
Now it has been revealed by security researchers that they can track one’s location by hacking digital license plates in California. These are special plates that Golden State residents can sport for a monthly fee, giving them a battery- or wire-powered plate that can digitally update the bottom line of their license plate to display changing messages (such as celebrating a recent bowl win by the customer’s football team). They also text owners if a car has been removed without permission, sending a “stolen” alert.
 
Vice’s Motherboard reports that security researchers gained administrative access to the sole provider of these plates, Reviver. Through this access, the researchers tracked vehicles and their movements by GPS. They could also change the digital slogans at the bottom. On the more benign end, imagine switching someone’s “Go Cal!” license plate to “Go Stanford!” Far more maliciously, the researchers surmised that an actual attacker could also delete a customer’s Reviver plate. Somewhat concerning is the researchers’ discovery that granting themselves superuser access gave them the ability to track vehicles – which begs the question of why the company manufacturing these license plates felt the need to give themselves this ability to begin with.
 
Reviver told Vice that it had quickly patched the system. The security of digital license plates is a concern for the minority of drivers who’ve purchased this technology and can afford its monthly fee. The larger issue is that as the Internet of Things unfolds, we’re going to be tracked eight ways to Sunday that the law allows.
 
When more cases about permutations of location tracking next appear before the Supreme Court – and the narrowness of Carpenter ensures that it will – the Justices should take that as an opportunity to issue a more comprehensive ban on warrantless tracking.

​In March, PPSA reported on the existence of a unit of the Department of Homeland Security that accessed bulk data on Americans’ money wire transfers above $500. This data was collected by a non-profit, private-sector organization, the Transaction Record Analysis Center (TRAC), that relied on what the ACLU calls “overbroad and illegal subpoenas” issued by the State of Arizona.
 
At the time, PPSA asked how many federal, state, and local agencies accessed this data from TRAC. Now we know, thanks to an investigation by Sen. Ron Wyden (D-OR) and the ACLU, which released startling results today. Surveying more than 200 documents, they report:

• The database of money transfers grew from 75 million records from 14 service businesses in 2017 to 145 million records from 28 companies in 2021.

 

• More than 600 law enforcement agencies have access to this information, ranging from a sheriff’s office in a small Idaho county to the FBI and the Drug Enforcement Administration, no probable cause warrant needed.

 

• More than 150 million money transfers between people in the United States and more than 20 countries have been accessed without judicial oversight.

 
Under the law, a bank must receive a subpoena for bank records and notify customers that their records have been examined. No such protections exist for money transfer companies subpoenaed to provide bulk information to the TRAC program.
 
As we reported last year, domestic wire transfers within the United States between American citizens are also being pulled by TRAC.
 
Arizona had set up TRAC with settlement money from Western Union. With that money now exhausted, Sen. Wyden believes that TRAC is now federally funded. Sen. Wyden told The Wall Street Journal that TRAC lets the government “serve itself an all-you-can-eat buffet of Americans’ personal financial data while bypassing the normal protections for Americans’ privacy.”
 
Gene Schaerr, PPSA general counsel, said:
 
“This purely illegal program treats the Fourth Amendment as a dish rag. We commend Sen. Wyden and ACLU for giving us a better understanding of the scale of this program, as well as the likelihood that taxpayers’ dollars are being used to spy on us. This warrantless intrusion into the financial privacy of millions of Americans suspected of no crime ought to excite the bipartisan interest of the newly elected House majority as well as Sen. Wyden and his colleagues.”

Listen to a discussion about the ways our government spies on us and what we can do about it this year. This is a talk between Bob Goodlatte, former Chairman of the House Judiciary Committee and PPSA Senior Policy Advisor, and Sean Vitka, Senior Policy Counsel for Demand Progress.

​The media is aflame with stories about the mishandling of classified material by President Joe Biden and former President Donald Trump, with partisans arguing why one or the other is in greater breach of the law. Trevor Timm, executive director of the Freedom of the Press Foundation, looks beyond the partisan wrangling at the underlying problem: the Espionage Act of 1917. Like a deep trawl scraping the ocean floor, the Espionage Act is broad enough to catch almost everything, including the wrong fish.
 
The Espionage Act is the worst kind of law, one that is as vague as it is broad. It weaponizes the tendency of government to put a “classified” stamp on even anodyne material. “No one is ever punished for overclassifying information, yet plenty of people go to prison for disclosing information to journalists that never should have been classified to begin [with],” Trim wrote in The Guardian. “Even efforts to reform the secrecy system end up being classified themselves.”
 
PPSA filed Freedom of Information Act (FOIA) requests before a host of government agencies seeking documents that would gauge how well they are complying with an Executive Order 13526. This order, issued by President Obama, was meant to stem the tide of classification and prevent government agents from classifying documents “for self-serving reasons or simply to avoid embarrassment.”

In the wake of President Obama’s executive order to curb over-classification, the number of U.S. classified government documents rose from almost 55 million to 77.5 million documents in five years. Less than one percent of federal money spent on the classification system is spent on declassification.
 
“Tens or hundreds of millions of documents are classified per year,” Timm wrote. “A tiny fraction will ever see the light of day, despite the fact the vast majority never should have been given the ‘secret’ stamp in the first place.”
 
While most government agencies have ignored PPSA’s FOIA requests, the State Department did respond to PPSA with a pinhole look at some of the problems with its classification system. Documents were classified when they shouldn’t have been; documents were classified at the wrong level; some information was classified for a longer duration than necessary. The government is self-forgiving, allowing itself to be free to make mistakes, but an American accused under the Espionage Act is apt to get rough treatment and a good stretch in a federal prison.
 
We should remember that the Espionage Act was the centerpiece of the police state erected by President Woodrow Wilson. Socialist Charles T. Schenck went to prison for violating that law. His crime? He passed out a leaflet opposing America’s military draft during World War One. These outrages against free speech paved the way for the even more draconian anti-speech amendment, the Sedition Act (which, thankfully, Congress repealed).
 
Justice Oliver Wendell Holmes Jr., writing for the majority, found an exception to the First Amendment. Speech that “creates a clear and present danger” may be prohibited and speakers prosecuted. Fortunately, Congress and prosecutorial practice have pulled back on those measures. But the blacking out of a wide swath of government activities from public view, and criminalizing discussion about those activities, remains a disturbing exception to the First Amendment.
 
Whatever one’s opinions concerning the current and former presidents, the breadth of this law in enforcing an over-classification system run amuck is a sure sign that reform is needed. Perhaps it will take two presidents of both parties getting snared in the Espionage Act’s net to spur Congress to pass limits on the classification system and the secret state.

The Privacy and Civil Liberties Oversight Board (PCLOB) has posted a rich discussion among its board members, civil libertarians, and representatives of the intelligence community.
 
General Paul Nakasone, who heads the U.S. Cyber Command, gave the group a keynote address that is a likely harbinger of how the intelligence community will approach Congress when it seeks reauthorization of Section 702, an amendment to the Foreign Intelligence Surveillance Act that authorizes the government to surveil foreigners, with a specific prohibition against the targeting of Americans, but also allows “incidental” surveillance of Americans.
 
Gen. Nakasone detailed cases in which would-be subway bombers and ISIS planners were disrupted because of skillful use of 702 surveillance. Mike Harrington of the FBI doubled down with a description of thwarted attacks and looming threats. April Doss, general counsel of the National Security Agency, emphasized how each request from an analyst for surveillance must be reviewed by two supervisors.
 
Civil liberties scholar Julian Sanchez reached back to the formation of the U.S. Constitution to compare today’s use of Section 702 authority to the thinking behind the Fourth Amendment. He asked if a program that mixes the private data of Americans with surveilled foreigners could possibly clear the Founders’ objection to general warrants. (31:50)
 
Jeramie Scott (40:25) of the Electronic Privacy Information Center, who argued for greater transparency in 702 collection, questioned whether “about” collection truly ended with downstream collection (i.e., information taken directly from Google, Facebook, and other social media companies). The NSA declared in 2017 it had ended the practice of such “about” collection, which moves beyond an intelligence target to email chains and people mentioned in a thread. Could such collection still be occurring in downstream surveillance?
 
Travis LeBlanc, a board member who had previously criticized a milquetoast report from PCLOB for a lack of analysis of key programs, seemed liberated by the board’s new chair, Sharon Bradford Franklin. (Chair Franklin also brings a critical eye of surveillance programs, reflecting her views at the Center for Democracy and Technology.) LeBlanc asked Julian Sanchez if the Constitution requires warrants when an individual’s data is searched under Section 702. Sanchez said that delegating such an authority under the honor system has led to FBI’s behaving as if compliance were a game of “whack-a-mole.” (57:15)
 
Cindy Cohn of the Electronic Frontier Foundation suggested PCLOB examine Section 702’s tendency to be subject to “mission creep,” such as the recent practice of using Section 702 to justify surveillance for “strategic competition” as well as the statutory purpose of anti-terrorism. Cohn said she was not aware of any defendant in a criminal trial ever getting access to Section 702 evidence. (128:45)
 
Cohn concluded:
 
“I think we have to be honest at this point that the U.S. has de facto created a national security exception to the U.S. Constitution.”
 
A revealing insight came from Jeff Kosseth, cybersecurity professor at the U.S. Naval Academy. He pointed to a paper he wrote with colleague Chris Inglis that concluded that Section 702 is “constitutional” and “absolutely essential for national security.” (See 143:40) That opinion, Kosseth added, is something he has “reconsidered” over “deep concern about the FBI’s access” to 702 data, especially concerning U.S. persons.
 
Kosseth said:
 
“At a certain point, we must stop giving the nation’s largest law enforcement agency every benefit of the doubt. The FBI cannot play fast and loose with Americans’ most private information. This has to stop now. And if the FBI cannot stop itself, the Congress has to step in.”
 
Congress needs to “step in” regardless: surveillance of Americans should never occur without express authority in a statute passed by the people’s representatives.

​Facial recognition technology has proven to be useful but fallible. It relies on probabilities, not certainties, algorithms measuring the angle of a nose or the tilt of an eyebrow. It has a higher chance of misidentifying women and people of color. And in the hands of law enforcement, it can be a dangerous tool for mass surveillance and wrongful arrest.
 
It should come as no surprise, then, that police mistakenly arrested yet another man using facial recognition technology. Randall Reid, a Black man in Georgia, was recently arrested and held for a week by police for allegedly stealing $10,000 of Chanel and Louis Vuitton handbags in Louisiana. Reid was traveling to a Thanksgiving dinner with his mother when he was arrested three states and seven hours away from the scene of the crime.
 
Despite Reid’s claim he’d never even been to Louisiana, facial recognition software identified Reid as a suspect in the theft of the luxury purses. That was all the police needed to hold him for close to a week in jail, according to The New Orleans Advocate.
 
Gizmodo reports, “numerous studies show the technology is especially inaccurate when identifying people of color and women compared to identifications of white men. Some law enforcement officials regularly acknowledge this fact, saying facial recognition is only suitable to generate leads and should never be used as the sole basis for arrest warrants. But there are very few rules governing the technology. Cops often ignore that advice and take face recognition at face value.”
 
When scientists tested three facial recognition tools with 16 pairs of doppelgangers – people with extraordinary resemblances – the computers found all of them to be a match. In the case of Reid, however, he was 40 pounds lighter than the criminal caught on camera.
 
In Metairie, the New Orleans suburb where Reid was accused of theft, law enforcement officials can use facial recognition without legal restriction. In most cases, “prosecutors don’t even have to disclose that facial recognition was involved in investigations when suspects make it to court.” Elsewhere in Louisiana, there is no regulation. A state bill to restrict use of facial recognition died in 2021 in committee. Some localities use facial recognition just to generate leads. Others take it and run with it, using it more aggressively to pursue supposed criminals.
 
As facial recognition technology proliferates, from Ring cameras to urban CCTVs, states must put guardrails around the use of this technology. If facial recognition tech is to be used, it must be one tool for investigators, not a sole cause for arrest and prosecution. Police should use other leads and facts to generate probable cause for arrest. And legal defense must always be notified when facial recognition technology was used to generate a case.
 
It may be decades before the technical flaws in facial recognition are resolved. Even then, we should ensure that the technology is closely governed and monitored.

The Project for Privacy and Surveillance Accountability wore holes in the bottoms of our shoes on Capitol Hill to advocate for common sense reforms of federal surveillance practices. We also wrestled with federal agencies in court to glean insights into the state of surveillance. Through our Freedom of Information Act (FOIA) requests and lawsuits, we compelled the release of documents about how federal agencies are getting around the Fourth Amendment of the U.S. Constitution to access our most private information.
 
PPSA’s Legislative Year

PPSA was instrumental in helping pass the NDO Fairness Act in the U.S. House of Representatives in 2022. This bill promises to curb the routine government practice of using Non-Disclosure Orders to block telecommunication service providers from notifying their customers that a search of their personal information has been conducted by prosecutors.

• Rep. Jim Jordan, slated to be the Chairman of the House Judiciary Committee, joined with fellow Republicans and with Democrats, including then-Chairman Jerry Nadler, to sing the praises of this bill. With backing like that, the NDO Fairness Act sailed through the full House with a voice vote.

 

• PPSA is determined that this momentum not be squandered, but focused to push the NDO Fairness Act through this Congress and to the president’s desk in 2023.

PPSA encouraged Members of Congress in both parties to sponsor the Fourth Amendment Is Not for Sale Act. This measure would require law enforcement and intelligence agencies to seek probable cause warrants before accessing our personal information scraped from social media and apps.

• General counsels of federal agencies assert with a straight face that there is no violation of the U.S. Constitution if they pay private data brokers for your information. PPSA believes this argument is beyond disingenuous.

 

• “A loophole that we never imagined, one as big as the J. Edgar Hoover Building, has weakened the Constitution’s protection of Americans’ privacy,” Bob Goodlatte, PPSA Senior Advisor, testified about this practice to the House Judiciary Committee in July. PPSA believes that government’s lawless extraction of Americans’ personal information is a ready-made issue for the 118th Congress.

 

• Goodlatte also described in an op-ed in The Hill how the government uses statutes designed to allow the surveillance of foreign nationals to spy on Americans.

 

• PPSA Senior Policy Advisors Bob Goodlatte and Mark Udall, one a former  Chairman of the House Judiciary Committee, the other a former U.S. Senator, ran an op-ed in The Hill that revealed how, in response to PPSA’s FOIA work, the government has responded that it can neither confirm nor deny that it is spying on individual members of Congress.

 
We also built on our advocacy that helped the Lee-Leahy Amendment pass the U.S. Senate with 77 votes in 2020. This amendment would require the secret Foreign Intelligence Surveillance Court to appoint an expert attorney to represent the privacy interests of American citizens – a common sense requirement in a court with secret operations that continues to withhold some of its past rulings to this day.

• In 2022, PPSA lobbied hard to persuade Congress to attach this measure in funding bills, as well as a standalone bill.

 

• In 2023, civil libertarians and our champions on the Hill will have leverage to see a future version of Lee-Leahy through to the president’s desk. We are optimistic because by the end of this year, Section 702 of the Foreign Intelligence Surveillance Act will expire if it is not renewed.

 

• A prime legislative goal for 2023 will be to ensure that limits are set around the government’s ability to use Section 702 authority for warrantless surveillance of Americans of all political ideologies in political, civic, and religious organizations, or who are members of vulnerable groups. Installing a civil liberties expert in such sensitive cases is the best way to ensure these protections.

PPSA goes into 2023 with the firm intention of encouraging our champions in the House and Senate to block the reauthorization of Section 702 unless these necessary reform measures are attached to that authority or passed separately.
 
Freedom of Information Act Revelations

PPSA argued before a federal court that challenges the government’s abuse of the Glomar doctrine, a judicially created maneuver that allows the government to neither “confirm nor deny” the existence of records in response to a FOIA request. We have highlighted the absurd, Catch-22 response from the FBI that it cannot even conduct an internal search for its own documents (in this case, correspondence between the bureau and Members of Congress) without endangering national security.
 
Other  FOIA requests have challenged the secret practices of U.S. law enforcement and intelligence agencies, as well as the suppression of judicial opinions. One such PPSA FOIA yielded an FBI document revealing its collection of web browsing histories of Americans.
 
“This shows the FBI has a secret policy governing the collection of web browsing data of Americans,” responded Gene Schaerr, PPSA general counsel. “Web browsing data is deeply personal information. It can highlight a person’s religious beliefs, political allegiances, and personal relationships.”
 
Another PPSA FOIA request is seeking to obtain the secret opinions of the Foreign Intelligence Surveillance Court and the Foreign Intelligence Surveillance Court of Review. 
 
“The very idea of secret law – which can affect the free expression and privacy of millions of Americans – is not compatible with the basics of American democracy,” Gene Schaerr declared in a public statement. “These secret precedents and opinions are corrosive to the operations of a free society. It’s time for the government to come clean.”
 
Other recent revelations revealed by PPSA FOIA requests show that training documents for U.S. Attorneys require them to “always” seek a Non-Disclosure Order with a warrant application or subpoena. Our FOIA request also revealed documents that direct U.S. Attorneys to seek targets’ location histories from email, social media, or web hosting providers.
 
In the Courts

PPSA petitioned the U.S. Supreme Court in Torcivia v. Suffolk County to decide whether the Fourth Amendment recognizes a “special-needs” exception to the Constitution’s warrant requirement. Although the petition was ultimately denied, we cast a spotlight on the importance of the High Court ruling on law enforcement’s exceptions to the Fourth Amendment.

• Our petition was designated as a Petition of the Week by SCOTUSBlog, and drew support from many civil-liberty groups. This petition will lay the groundwork for the Supreme Court to resolve questions about law enforcement’s ability to ignore citizens’ Fourth Amendment rights. 

 

• We filed a brief in Egbert v. Boule, a case asking whether federal officials can be sued for violating the Constitution even without Congress creating an express cause of action. While the Court decided that it would not create such a cause of action on its own, the decision in that case will strengthen our efforts to persuade Congress to enact affirmative remedies for victims of improper surveillance or other violations of privacy.  

In short, 2022 was a building year. Major reform legislation, from Lee-Leahy, to the Fourth Amendment Is Not for Sale Act, to the NDO Fairness Act, have attracted growing bipartisan support and momentum for passage. We look forward to a productive year, both on Capitol Hill and what can be learned about secret surveillance through the courts.

In response to a Freedom of Information Act request filed by PPSA, the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) responded with a batch of documents, including internal training material. In those documents, the ATF confirmed that it uses cell site simulators, commonly known as “stingrays,” to track Americans.
 
Stingrays impersonate cell towers to track mobile device users. These devices give the government the ability to conduct sweeping dragnets of the metadata, location, text messages, and other data stored by the cell phones of people within a geofenced area. Through stingrays, the government can obtain a disturbing amount of information.
 
The ATF has gone to great lengths to obfuscate their usage of stingrays, despite one official document claiming stingrays are “used on almost a daily basis in the field.”
 
The ATF stressed that stingrays are not precise location trackers like GPS, despite the plethora of information stingrays can still provide. Answers to questions from the Senate Appropriations Committee about the ATF’s usage of stingrays and license plate reader technology are entirely blacked out in the ATF documents we received. An ATF policy conceals the use of these devices from their targets, even when relevant to their legal defense. Example: When an ATF agent interviewed by a defense attorney revealed the use of the equipment, a large group email was sent out saying: "This was obviously a mistake and is being handled."
 
The information released by the ATF confirms the agency is indeed utilizing stingray technology. Although the agency attempted to minimize usage the usage of stingrays, it is clear they are being widely used against Americans.
 
PPSA will continue to track stingray usage and report forthcoming responses to pending Freedom of Information Act requests with federal agencies.

​The State, Foreign Operations, and Related Programs Subcommittee (SFOP) released its Joint Explanatory Statement (JES) for this upcoming fiscal year. In it, the SFOP reports that the budget for the Open Technology Fund (OTF) has been raised to $40 million. This is a $13 million increase from this past fiscal year’s budget of $27 million, and double the 2021 budget of $20 million. This is excellent news for the development of a free and open internet.
 
The OTF funds emerging internet technologies that promote freedom around the world, from development through deployment. The OTF "support[s] open technologies and communities that increase free expression, circumvent censorship, and obstruct repressive surveillance as a way to promote human rights and open societies." This budget increase is the largest since the OTF was founded in 2012.
 
PPSA is pleased by the rapid increase in the OTF’s budget. Such an expansion marks an increasing commitment by the United States to support digital freedom, privacy, and security around the globe. PPSA believes the OTF should continue to expand its operations, most notably by making its services and technology available to U.S. citizens. Americans deserve the same privacy tools and resources as the rest of the world, and the OTF is in a prime position to promote U.S. developers as global leaders in internet freedom and privacy.

Secrecy makes us naturally distrustful of other people. When we sense that someone else is withholding information, we can’t help but feel suspicious of their motives. This may be why the State Department’s continued efforts to hide information from the American public, routinely through overclassification, leaves a sour taste in the mouth.
 
The State Department is no stranger to the misuse of classification procedures: in May, PPSA reported on the Department’s Self-Inspection Report, which we obtained through a Freedom of Information Act Request. The report detailed minimal instances where information was in some way misclassified. At the time, PPSA called the report into question, as it seemed statistically impossible that only a few dozen articles were misclassified out of over 70 million classifications. Furthermore, the State Department only polled a sample of their classifications, meaning there are undoubtedly more misclassifications than reported.
 
PPSA recently received an additional batch of documents from the State Department which only further cement our prior concern. According to internal documents spanning several years, the Department has failed to correct a “significant lack of portion marking,” when conducting classification. Portion marking refers to the process of marking specific portions of a record as classified, as opposed to the entire record. This means that entire documents have been classified where only smaller portions should have been.
 
PPSA will continue to report on overclassification in the State Department as more information becomes available.

​In the course of the 2020 presidential election, the FBI approached and pressured Twitter to grant the agency access to private user data. This information has come to light as part of the “Twitter Files” expose, a sprawling series of reports based on internal documents made available through Elon Musk’s ownership of the site.
 
In January of 2020, Yoel Roth, former Twitter Trust and Safety head, was pressured by the FBI to provide access to data ordinarily obtained through a search warrant. Roth had been previously approached by the FBI’s national security cyber wing in 2019 and had been asked to revise Twitter’s terms of service to grant access to the site’s data feed to a company contracted by the Bureau.
 
Roth drafted a response to the FBI, reiterating the site’s “long-standing policy prohibiting the use of our data products and APIs for surveillance and intelligence-gathering purposes, which we would not deviate from.” While Twitter would continue to be a partner to the government to combat shared threats, the company reiterated that the government must continue to “request information about Twitter users or their content […] in accordance with [the] valid legal process.”
 
Twitter and other social media platforms have been aware of increasing FBI encroachment for some time. In January of 2020, Carlos Monje Jr., former Director of Public Policy and Philanthropy at Twitter, wrote to Roth, saying “we have seen a sustained (if uncoordinated) effort by the IC [intelligence community] to push us to share more info & change our API policies. They are probing & pushing everywhere they can (including by whispering to congressional staff)...” Accordingly, from January 2020 and November 2022, over 150 emails were sent between the FBI and Roth.
 
Not only is the FBI trying to gain a backdoor into Twitter’s data stream, in several cases, the Bureau has pressured Twitter to pre-emptively censor content, opinions, and people. For example, the agency allegedly demanded that Twitter tackle election misinformation by flagging specific accounts. The FBI pointed to six accounts, four of which were ultimately terminated. One of those profiles was a notorious satire account, which calls into question the FBI’s ability to spot fakes. In November, the FBI handed Twitter a list of an additional twenty-five accounts that “may warrant additional action.” And, of course, there is the story about Hunter Biden’s laptop. According to the “Twitter Files,” the FBI pressured Twitter to censor the story as a possible Russian misinformation attack. This was a major story mere days before a presidential election, which the FBI worked to suppress.
 
Expanding efforts by the FBI to gain a backdoor into private social media information is a grave concern, as is the Bureau’s efforts to suppress information. That the agency continues to pursue such options even after being advised that those options violate normal legal procedures is yet another example of how the agency has become increasingly politicized, to the extent that a House Judiciary Committee report described the Bureau’s hierarchy as “rotted at its core” and embracing a “systemic culture of unaccountability.” This is a serious cause for concern given the widespread effects that the agency’s use and potential misuse of its authorities can have on the country as a whole.

The largest web browsers are scrutinizing their dependence on root certificate authority TrustCor Systems after researchers discovered it has links with shady spyware producers and distributors.
 
TrustCor is an agency that vouches for the legitimacy of websites reached by hundreds of millions of users every day. Web browsers employ hundreds of such root certificate authorities to fulfill a vital role in online data security. But with TrustCor Systems, malicious spyware could have had a backdoor into a critical component of U.S. internet infrastructure.
 
According to a Washington Post report on research from Joel Readon at the University of Calgary and Serge Egelman of the University of California, Berkeley, TrustCor’s “Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade.”
 
TrustCor’s products include an email service that has been found to host spyware developed by a Panamanian company. According to The Post, Google has since banned all software containing that spyware code from its app store.
 
TrustCor also has the same president, agents, and holding-company partners listed in Panamanian records as another company known as Measurement Systems, which has been caught “paying developers to include code in a variety of innocuous apps to record and transmit users’ phone numbers, email addresses and exact locations.” Apps with that code were downloaded over “60 million times, including 10 million downloads of Muslim prayer apps.”
 
PPSA has reported how the federal government maintains an advanced surveillance network to stalk American Muslims. Who knows what they can do with these data?

​The Project for Privacy and Surveillance Accountability today released a response from the Office of the Director of National Intelligence to our Freedom of Information Act (FOIA) request seeking agency records regarding its treatment of classified documents.
 
Our request, filed in September 2020, seeks agency records concerning Executive Order 13526, which includes provisions for classifying, managing, and declassifying documents.
 
We recently received a response that included an internal memo to the ODNI’s Inspector General requesting an investigation for… something. Almost all the rest of the document is blacked out.
 
Under a section of the memo entitled “Summary,” we get redaction in the form of a sea of black. Under “Background,” we get only more sea of black.
 
Under “Compartmentalization,” we get some sea of black, but can tell that the issue has something to do with Controlled Access Programs, an intelligence community way of boxing off need-to-know information regarding sources, methods, and activities.
 
Under “Embarrassment,” we find that the offending program “might violate rules that prevent classification meant to avoid embarrassment because it targets exactly those areas where intelligence runs counter to policy.” Or it might not.
 
Under “Possible Problems with the Execution,” we are told “the program might violate regulations or constitute mismanagement.” Then another sea of black.
 
Under “Oversight,” we are told that “ODNI’s narrow communication might violate laws and regulations requiring Congressional oversight of intelligence activities.” The program’s “broad scope and major impact on a leading national security concern suggests it meets the threshold for notification,” presumably to Congress.
 
So, to sum it up, something someone did in the intelligence community went off the rails. It might have been classified to prevent embarrassment. It might violate regulations or constitute mismanagement serious enough to merit investigation by the ODNI Inspector General. It has a broad scope and major impact on a national security concern, details of which are hidden by a government as ready as a squid to squirt black ink.
 
The government’s response brings to mind the title of Joseph Heller’s second novel, Something Happened. For certain, we can now say for our legal efforts that something happened in our government, and it wasn’t good.
 
The lesson here is that it defeats the purpose of the Freedom of Information Act when agencies pretend that a heavily redacted document constitutes a response. More to the point, when many Members of Congress seek information from the agencies, they often are confronted with similar obfuscation tactics.
 
Or, as one character says to another in Squid Game, “you won’t get caught if you hide behind someone.”

​In February, we quoted CATO Institute senior fellow Julian Sanchez that the evidence presented by special counsel John Durham against lawyer Michael Sussman shows an interesting trail that leads from academic researchers, to private cybersecurity companies and security experts, to government snoopers.
 
Sanchez said: “A question worth asking is: Who has access to large pools of telecommunications metadata, such as DNS records, and under what circumstances can those be shared with the government?”
 
Sanchez’s prescient questions received partial answers today from Sen. Ron Wyden. The Oregon senator released a letter he sent to the Federal Trade Commission asking the agency to investigate Neustar, a company that links Domain Name System (DNS) services of websites to specific IP addresses and the people who use them.
 
Such companies, Sen. Wyden wrote, “receive extremely sensitive information from their users, which many Americans would want to remain private from third parties, including government agencies acting without a court order.” Some websites cited by the senator that consumers may visit but would not want known are the National Suicide Prevention Hotline, the National Domestic Violence Lifeline, and the Abortion Finder service.
 
Sen. Wyden wrote that Neustar, under former executive Rodney Joffe, sold data for millions of dollars to Georgia Tech, but not for purely academic research. Emails obtained by Sen. Wyden purportedly show that the FBI and DOJ “asked the researchers to run specific queries and that the researchers wrote affidavits and reports for the government describing their findings.”
 
Because Neustar obtained data from an acquired company – and that company explicitly promised to never sell users data to third-parties – Neustar violated that promise. Sen. Wyden says it is FTC policy that privacy promises to consumers must be honored when a company and its data change ownership.
 
“Senator Wyden provides sufficient reason for the FTC to open an investigation,” said Gene Schaerr, general counsel of Project for Privacy & Surveillance Accountability (PPSA). “But there is more reason for the judiciary committees of both houses of Congress to hold in-depth hearings. There are abundant signs that this story is just one example of a much bigger privacy crisis.”
 
Schaerr noted that intelligence and law enforcement agencies, from the Internal Revenue Service to the Drug Enforcement Administration, Customs and Border Protection, as well as the FBI, assert they can lawfully avoid the constitutional requirement for probable cause warrants by simply buying Americans’ personal information from commercial data brokers.
 
“Data from apps most Americans routinely use are open to warrantless examination by the government,” Schaerr said. “The Founders did not write the warrant requirement of the Fourth Amendment with a sub-clause, ‘unless you open your wallet.’ These practices are explicitly against the spirit and letter of the U.S. Constitution. Americans deserve to know how many agencies are buying data, how many companies are selling it, and what is being done with it.”

What could be more natural than posting one’s newborn or child’s performance at school online? The purpose of social media is to share, and it seems normal for parents to engage in “sharenting” about their children.
 
As with many things in the digital age, the seemingly innocuous can contain hidden threats. In The Wall Street Journal, Chelsea Jarvie and Karen Renaud detail just how dangerous it is for children to be on internet posts at all. Everything from your child’s name, to his or her pictures, birthdays, accomplishments, teachers, and pets can be retrieved and cataloged in a database.
 
It starts before one’s child is even born.
 
Parents commonly will post “images of their scans, with due dates included, to social-media sites. Both parents are usually tagged. The follow-up is a birth announcement, which normally includes the child’s full name, date of birth, time of birth, weight, and hospital. Milestones are next: the child’s first steps, first holiday, first pet, first word, best friend, favorite food.”
 
This information is valuable material for hackers and scammers because such facts are most commonly used in online security questions. The first act of a hacker into your child’s online accounts is to scroll their Facebook history and find their first pet or birthday.
 
If this sounds far-fetched to you, Barclays Bank, a major UK bank, warned that by 2030, 7.4 million identity theft cases could occur every year as a result of sharing information online. And during pandemic lockdowns, this trend only got worse.
 
PPSA would add that hackers and commercial exploitation are not the only dangers children with compromised passwords will face as they get older. All their information is subject to being scraped by data brokers, who routinely sell our most personal information in bulk to government law enforcement and intelligence agencies. A little indiscretion at infancy by parents could lead to that offspring being spied upon by the government in adulthood.
 
One eye-popping statistic showed that “by their fifth birthday, the average child will have around 1,500 photos of themselves shared online. This means that by the age of 13, when children are allowed to use social-media sites themselves, there could already be almost 4,000 photos depicting them online.” With AI technology rapidly advancing, this treasure trove of photos online could be used to disastrous effect. Deep fakes — images, videos, GIFs, sounds, or voices manipulated to look or sound like someone else — of your child could be manufactured with ease and used against them.
 
As Jarvie and Renaud write, “this information is a ticking time bomb, and likely to result in an explosion of embarrassment and angst for our children as they grow up, as well as exposing them to identity theft.” Parents should consider that posting about their children’s lives could lead to disastrous consequences years later.

​The Project for Privacy and Surveillance Accountability today released training documents for U.S. Attorneys obtained from a Freedom of Information Act (FOIA) request to the Department of Justice. The results show that U.S. Attorneys are encouraged to “always” seek non-disclosure orders when surveilling Americans – and to “ask for it all!”
 
Armed with such non-disclosure orders (NDOs), prosecutors block service providers from informing Americans that their personal information, often in the cloud, has been searched by the government. It was already known that this was a common practice, but the documents from the U.S. Executive Office for United States Attorneys show that it is virtually required.
​

• In the FOIA filing, presumably representative documents from a federal district in Texas show that new U.S. Attorneys are told to “always” send an “NDO order” application with a warrant or subpoena.

 

• When seeking “location” data, new U.S. Attorneys are also directed to seek data for email, social media, and webhosting providers. 

 

• Finally, this training material encourages U.S. Attorneys to obtain all possible information rather than placing reasonable limits suited to the case, saying “If your case is ongoing, why not ask for it all!”

With no legal guardrails and in the face of departmental encouragement, why not, indeed?
  
The NDO Fairness Act, sponsored by Judiciary Chairman Jerry Nadler (D-NY) and Rep. Scott Fitzgerald (R-WI) passed the House of Representatives in June in a bipartisan voice vote. This law would restrain the use of NDOs, allowing Americans to be informed by service providers that they’ve been surveilled, with reasonable exceptions.
 
“In the 21st century federal prosecutors no longer need to show up to your office,” Chairman Nadler told his colleagues on the House Judiciary Committee in discussing the NDO Fairness Act. “They just need to raid your virtual office. They do not have to subpoena journalists directly. They just need to go to the cloud. And rather than providing Americans with meaningful notice that their electronic records are being accessed in a criminal investigation, the Department hides behind its ability to ask third-party providers directly. They deny American citizens, companies, and institutions their basic day in court and, instead, they gather their evidence entirely in secret.”
 
Nadler also noted that the executive branch had targeted journalists and their sources, as well as Members of Congress, their staffs, and their families.
 
Jim Jordan, the Ranking Member of the House Judiciary Committee, said “the laws and guidelines governing surveillance are opaque, antiquated, and easily skirted. Our system of warrants, subpoenas, national security letters, secret courts, and other tools at the government’s disposal must be brought in line with the constitutional considerations of basic due process.”

The NDO Fairness Act would insert necessary guardrails by amending 18 U.S.C. 2705 to:

• Require a written determination from the court finding a non-disclosure order necessary to prevent a substantially likely adverse result.
  
  
• Provide for strict scrutiny analysis to grant a gag order request under 18 U.S.C. 2705(b).
  
  
• Establish a 30-day limit for gag orders, with the opportunity for additional 30-day extensions.
  
  
• Require notice be given to the customer within 72 hours of the expiration of the delay, including what information was disclosed.
  ​
• Allow providers to contest gag orders in court.

 
“The direction to ‘always’ seek an NDO with a subpoena or warrant – and to ‘ask for it all’ – should spur the Senate to follow suit and pass the NDO Fairness Act,” said Bob Goodlatte, former Chairman of the House Judiciary Committee and PPSA Senior Policy Advisor. “This strong stand by the House now puts the spotlight on senators to pass this reasonable restraint of the government’s ability to thumb through our personal information.”

​In a new low for the FBI’s processing of Freedom of Information Act (FOIA) requests, the Bureau now states it believes it does not need to keep searching for records after locating a single potentially responsive record. This is contrary to both the FOIA statute and common sense. If the FBI were correct, every FOIA requester would be entitled to just a single record, and countless government activities would remain hidden from the public. 
 
This is the latest disappointing response from the FBI. We recently reported that the FBI asserts – in response to our request for FBI records of opinions from the Foreign Intelligence Surveillance Court (FISC) and its court of review – that it cannot locate these court opinions on its revised computer system. As excuses go, this is a dog-ate-my-homework level of sophistication.
 
Now we’re forced to appeal the FBI’s non-response response to our FOIA request for information on all the Bureau’s records on FISC opinions.
 
The FBI’s hungry dog is still at work: they’ve responded to our request by also stating that it located a single record and then stopped searching. In the FBI’s mind, it “expeditiously” released “documents” that fulfilled PPSA’s request. But there were no “documents,” plural. The FBI produced only one document, with 40 pages of this one document redacted to the point of unintelligibility. And the FBI didn’t even try to find anything else. In our administrative appeal, PPSA told the FBI’s Director of Information Policy:
 
“Discontinuing a search after finding a single, previously-released record is evidence of a search that was not reasonably calculated to uncover all responsive documents. This is made clear by the FBI’s statement that PPSA could also request an ‘additional search for records.’ That is not PPSA’s job; PPSA already submitted a request for all responsive records.”
 
As for the redactions in this one document, PPSA has demanded that the FBI provide it additional information to justify the redactions. When an agency redacts an entire document, requesters like PPSA are at an obvious disadvantage in trying to challenge those withholdings. To recycle a famous legal quote, the government is “holding a grab bag and saying, ‘I’ll give you this if you can tell me what’s in it.’”
 
We fully expect the FBI to be disingenuous. But we are hopeful that the FBI’s Director of Information Policy will at least be embarrassed by the thinness of the FBI’s recent excuses.

The Internet of Things (IoT), long promised, is already here. It is happening incrementally – from coffee makers, to cars, to refrigerators – that send voluminous quantities of our personal information to the cloud. As the IoT knits together, consumers need to know how our information is being collected.
 
Most people are unaware that refrigerators, washers, dryers, and dishwashers now often have audio and video recording components. By 2026, over 84 million households will have smart devices, each one a node within a seamless web of personal information. But how will this storehouse of personal data be regulated?
 
Looking ahead to the growing hazards of the near-future, Sen. Maria Cantwell (D-WA), and Sen. Ted Cruz (R-TX), introduced the Informing Consumers about Smart Devices Act. This legislation would require the Federal Trade Commission to create reasonable disclosure guidelines for products that have video or audio recordings.
 
“Most consumers expect their refrigerators to keep the milk cold, not record their most personal and private family discussions,” Sen. Cantwell said.
 
We would make the larger point that Americans shouldn’t have to think about what they say or do in the presence of their appliances. (Although it would be nice to have a smart refrigerator that slaps our hand after 9 p.m.) The greater issue is that all the data that apps, and perhaps now our smart appliances, extract from us can be accessed by government agencies without any need to obey the constitutional requirement to obtain a warrant. All an agency needs to do to obtain our personal information is to purchase it from a private data broker.
 
That’s all the more reason to pass the Fourth Amendment Is Not For Sale Act.

​The Electronic Frontier Foundation, an indispensable pioneer of surveillance accountability, has just released a powerful new version of its Atlas of Surveillance that gives Americans insight into the myriad surveillance technologies that are being used by more than 5,500 law enforcement agencies, across all levels of government, to watch Americans in all 50 states.
 
EFF is a notable leader in watching the watchers. In September, PPSA examined EFF’s helpful highlighting of marketing slides about the potential for Fog Technology to track people to their homes.
 
This Atlas of Surveillance, begun with the help of journalism students at the University of Nevada, Reno, recently hit a threshold of 10,000 data points, making it a robust – though not yet complete – survey of which surveillance technologies are being used in which communities.
 
We entered results for the District of Columbia to give it a try.

• The D.C. Metropolitan Police has automated license plate readers, maintains a registry of private and personal surveillance cameras, has a gunshot detection system, uses “video analytics” that can identify people in crowds, and since 2003 has owned cell-site simulator technology (stingrays) that can spoof cell towers and trick cellphones into divulging data.

 

• Choosing a small city at random – San Angelo, Texas – we find that the San Angelo Police Department has one drone, body cameras, and a partnership with Amazon’s Ring camera home surveillance, allowing it to ask for surveillance video from customers on the service’s Neighbors app.

 
John Stuart Mill, quoting the Roman satirist Juvenal, asked: Quis custodiet ipsos custodes? The Atlas of Surveillance gives us confidence that we can at least begin to watch the watchers.
 
University of Nevada, Reno, interns did a professional job of integrating public documents, crowdsourced information, and news articles to compile this atlas. Kudos to EFF and to their UNR student partners. Be sure and check the Atlas to see how you’re being watched in your community.

​Republicans of the House Judiciary Committee recently released a 1,000 page report concerning the creeping politicization of the Federal Bureau of Investigation and the Department of Justice. The report describes the “FBI’s Washington hierarchy as ‘rotted at its core’ with a ‘systemic culture of unaccountability.’”
 
Though it was drafted by House Republicans, Democrats should be worried enough about the scale and scope of abuses to jointly investigate at least some of the reports’ allegations.
 
Internet conspiracy theories notwithstanding, the report demonstrates all the valid reasons to be concerned about the integrity of the FBI. Michael Horowitz, the Inspector General of the U.S. Department of Justice, called out the rampant abuses, noncompliance, and mishandling that goes on daily within the Bureau. That such criticism comes from a senior official, a Democrat, now serving in President Biden’s Administration, should demonstrate the bipartisan nature of these concerns.
 
Under the Foreign Intelligence Surveillance Act (FISA), the FBI is authorized to examine data likely to return foreign intelligence information. Sometimes, U.S. citizens or residents get incidentally caught up in calls, texts, or emails with a targeted foreigner. In these cases, oversight should ensure constitutional rights are protected. One would expect in such a system, then, that “incidental” collections of U.S. person information would be modest.
 
According to information from the Office of the Director for National Intelligence, however, the FBI conducted an estimated 3,394,053 U.S. person queries in 2021. This is a staggering increase over the approximately 1,324,057 U.S. person queries conducted in the previous year.
 
The Foreign Intelligence Surveillance Court (FISC) disclosed numerous instances in which the FBI queried acquired information for criminal investigations and reviewed content results without first obtaining court permission. Judge James E. Boasberg, then-presiding judge of the FISC, concluded that “the Court is concerned about the apparent widespread violations …”
 
Most familiar is the FBI’s abuse of its FISA authority to illegally surveil former Trump campaign associate Carter Page. IG Horowitz reported “17 significant ‘errors or omissions’ and 51 wrong or unsupported factual assertions in the applications to surveil Page.” An FBI lawyer went so far as to manufacture evidence presented to a judge to support surveillance against Page. The Justice Department was later forced to admit that the whole basis for this secret surveillance of a presidential campaign aide was flawed. But by then, the damage to civil liberties was done.
 
The FBI may also be maintaining the technological capacity to unleash “zero-click” spyware programs, including NSO Group’s Pegasus. The U.S. Commerce Department has put Pegasus’ developer, NSO Group, on a list of foreign companies that restricts the ability of U.S. companies to work with it, but that didn’t stop the FBI from obtaining, testing, and retaining it for later use.
 
In March, members of the Judiciary Committee wrote to FBI Director Wray seeking documents and information relating to the FBI’s acquisition, testing, and uses of NSO Group’s spyware. The FBI has provided none of the requested documentation, while concerns about its intentions with such a dangerous piece of spyware only grow.
 
As has been reiterated by Republicans, Democrats, and President Biden’s own Inspector General, there is serious cause for concern about the agency’s hierarchy, culture, and use of its authorities.
 
We all have a stake in these investigations.

Last week PPSA appealed a federal district court decision denying our motion under the Freedom of Information Act (FOIA) to force the FBI to produce records concerning the agency’s “unmasking” of various Members of Congress. Although the legal issue in this case may seem technical and abstruse, the legal question PPSA presents is important to Americans’ ability to hold our government accountable for surveillance directed at all of us. 
 
These are the kinds of overarching, important concerns behind our FOIA requests. But such larger issues are often subsumed along the way in legal wrangling. These cases often center around the government’s efforts to avoid responding to a FOIA at all.
 
At first blush, the FOIA process seems straightforward. You might imagine that: PPSA files a FOIA request seeking records concerning surveillance practices, training, or procedures to a given government agency; the request is transmitted to the relevant agency component; and then the agency produces responsive records a few weeks later and we publicize them. After all, that is what FOIA requires.
 
But things are never so easy with FOIA. Government agencies routinely employ delaying tactics and denials to frustrate and exhaust even the most persistent requesters. In addition to simply ignoring requests, FBI and other agencies rely on a judicially invented doctrine called the Glomar response to claim that they are not even required to confirm or deny the existence of records about a given subject. Elsewhere, agencies claim that they don’t need to comply with FOIA because it would be too burdensome, as if digital search engines had yet to reach government record-keeping.
 
Such responses were meant by Congress to be rare exceptions to the rule. In practice, they’ve become the rule.
 
In the face of such obstructionism from officialdom, PPSA always takes the long view. A FOIA request is just the opening play in a long set. A denial, often on Glomar grounds, is the customary result. Once we receive an official denial to our request (usually long past the statutory deadline), PPSA then files an administrative appeal. Barring a satisfactory result (which is rare), we take the agency to court.
 
So we were not surprised when a judge on the U.S. District Court for the District of Columbia upheld the government’s argument that it cannot respond to a FOIA request we filed in 2020.
 
PPSA had asked for documents concerning government identification, or “unmasking,” of 48 sitting and former members of congressional intelligence committees in their communications from 2008 to 2020. Predictably, the government pled “Glomar,” and the judge agreed. So we are appealing.
 
In another case, PPSA was surprised when a request for FBI records of opinions from the Foreign Intelligence Surveillance Court (FISC) was denied because – the FBI asserted – it cannot locate these court opinions on its revised computer system. As excuses go, this is a dog-ate-my-homework level of sophistication. This is where flabber goes to meet with gasted. If the FBI truly cannot locate FISC opinions directed at the Bureau, we are truly in trouble.
 
In this instance, PPSA is pursuing an administrative appeal to DOJ’s Office of Information Policy. The appeal is couched in the customary legalese, but the gist of it is: “C’mon guys, this last one doesn’t pass the laugh test.”
 
Following FOIA requests on their long journeys is a tough, gritty business. But, as they say, it may be a dirty job, but someone has to do it.

In Christopher Nolan’s magnificent movie The Dark Knight, Bruce Wayne presents his chief scientist, Lucius Fox, with a sonar technology that transforms millions of cellphones into microphones and cameras. Fox surveys a bank of screens showing the private actions of people around the city.
 
The character, played by Morgan Freeman, takes it all in and then declares the surveillance to be “beautiful, unethical, dangerous … This is wrong.”
 
What was fiction in 2008 became reality a few years later with Pegasus: zero-click spyware that allows hackers to infiltrate cellphones and turn them into comprehensive spying devices, no sonar needed. A victim need not succumb to phishing. Possessing a cellphone is enough for the victim to be tracked and recorded by sound and video, as well as to expose the victim’s location history, texts, emails, images, and other communications.
 
This spyware created by the Israeli NSO Group might have originally been developed, as most of these surveillance technologies are, to catch terrorists. It has since been used by various dictatorships and cartels to hunt down dissidents, activists, and journalists, sometimes marking them for death – as it did in the cases of Jamal Khashoggi and Mexican journalist Cecilio Pineda Birto.
 
PPSA reported earlier this year that the FBI had purchased a license for Pegasus but has been keeping it locked away in a secure office in New Jersey. FBI Director Christopher Wray has assured Congress that the FBI was keeping the technology for research purposes. Now, Mark Mazzetti and Ronen Bergman of The New York Times have updated their deep dive into FBI documents and court records about Pegasus produced by a Freedom of Information Act request.
 
PPSA waded through these now-declassified documents, half of each page blanked out by censors. What we could see was alarming.
 
One document, dated Dec. 4, 2018, pledged that the U.S. government would not sell, deliver, or transfer Pegasus without written approval from the Israeli government. The letter certified that “the sole purpose of end use is for the collection of data from mobile devices for the prevention and investigation of crimes and terrorism, in compliance with privacy and national security laws.”
 
Since many in the national security arena and their allies assert that executive order EO 12333 gives intelligence agencies unlimited authority, the restraining influence of privacy and national security laws is questionable. And true to form, the FBI documents show that the agency did, in fact, give serious consideration to using Pegasus for U.S. criminal cases.
 

• After testing Pegasus, FBI officials put together presentations that highlighted the risks and advantages of the spyware, along with the procedural and technological steps needed to operationalize it. The FBI’s Criminal Investigative Division (CID) issued a lengthy memorandum in March 2021 that advocated the use of Pegasus “under certain specific conditions.” The CID later issued proposed guidelines for prosecutors in using the spyware to prepare prosecutions.
  ​
• On July 22, 2021, a senior official in the FBI Science and Technology Branch informed the Operational Technology Division to “cease all efforts regarding the potential use of the NSO project.” One such memo had the subject line: “FULL STOP on potential [Pegasus] use.”

 
Why the turnaround? It was at time that a critical mass of Pegasus stories – with no lack of murders, imprisonments, and political scandals – emerged in the world press. That is surely why the FBI left this hot potato in the microwave. One wonders, however, what to make of the attempt of a U.S. military contractor, L3Harris, to purchase NSO earlier this year? If the FBI was out of the picture, was this aborted acquisition an effort by the CIA to lock down NSO and its spyware menagerie? And if the CIA has found some other route to possess this technology – and to be frank, they’d be guilty of malfeasance if they didn’t – is the agency staying within its no-domestic-spying guardrails in deploying this invasive technology? Recent revelations of bulk surveillance by the CIA does not inspire confidence.
 
Nor can we discount what the FBI might do in the future. Despite the FBI’s decision to avoid using the technology, Mazzetti and Bergman report that an FBI legal brief filed in October stated: “Just because the FBI ultimately decided not to deploy the tool in support of criminal investigations does not mean it would not test, evaluate and potentially deploy other similar tools for gaining access to encrypted communications used by criminals.”
 
No doubt, targeted use of such technologies would catch many fentanyl dealers, human traffickers, and spies. But as Lucius Fox asks, “at what cost?”

​Thomas Germain on Gizmodo has an alarming piece on research from two app developers, Tommy Mysk and Talal Haj Bakry, who claim that despite Apple’s explicit promise to allow you to turn off all tracking, Apple still tracks you.
 
Apple advertises its ability to turn off iPhone tracking on its privacy settings. But according to Mysk and Bakry, after turning off tracking, Apple continues to collect data from many iPhone apps, including the App Store, Apple Music, Apple TV, Books, and Stocks. They found the analytic control and other privacy settings had no discernable effect on Apple’s data collection.
 
“Opting-out or switching the personalization options off did not reduce the amount of detailed analytics that the app was sending,” Mysk told Gizmodo. “I switched all the possible options off, namely personalized ads, personalized recommendations, and sharing usage data and analytics.” Apple still continued to track.
 
What could be at stake for consumers? Germain wrote:
 
“In the App Store, for example, the fact that you’re looking at apps related to mental health, addiction, sexual orientation, and religion can reveal things you might not want to be sent to corporate servers.”
 
Germain concedes that Apple may not be using this information, but it is impossible to know since Apple has not responded. Perhaps a hint of an answer was foreshadowed by Craig Federighi, Senior Vice President of software engineering, when he recently told The Wall Street Journal that “quality advertising and product privacy could coexist.”
 
That is far too vague to explain how Apple’s explicit privacy promises work in the real world. PPSA calls on Apple to provide a full explanation of how it treats digital privacy.