Passage of the latest coronavirus relief measure gave Americans something to celebrate in the darkest hours of the pandemic. Surprisingly, the Intelligence Authorization Act (IAA) for 2021—which was included in the coronavirus law—also gave privacy advocates something to celebrate.
Early versions of this year’s IAA left much to be desired. PPSA, along with our allied pro-civil liberties organizations, stood against the worst of the overreaches found in early versions of the bill. With the support of our followers and strong coalition building, PPSA played a role in striking some of the most harmful aspects of the original version of the IAA.
First, the recently passed version of the IAA dropped the requirement for the creation of a Social Media Data and Threat Analysis Center.
This troubling idea, which contained no commensurate requirements for internal guardrails or guidelines, could have easily turned into the Political Threat Analysis Center. PPSA recognized this danger and joined with a number of like-minded organizations such as Demand Progress, FreedomWorks and the ACLU in writing a bipartisan letter to House leadership that played a meaningful role in the removal of this provision.
Second, the advocacy of our coalition might have also played a role in the dropping of an FBI informant hotline aimed at purported espionage activity by Asian-Americans. While the threat of spies sent or recruited by the People’s Republic of China is very real, PPSA is firm in its belief that a Stasi-style informant system risks doing more harm to civil liberties than good. Instead, PPSA supports the included requirement that the impacts of surveillance on the civil liberties of Chinese-Americans be studied annually.
Third, we won a major defensive victory when the final version of the IAA dropped language stating that it is “the sense of Congress” that intelligence agencies are authorized to conduct any needed surveillance not specifically precluded by law.
Such a provision would have essentially enshrined the worst interpretations of Executive Order 12333. While PPSA is thankful for the removal of this language, this is more of a Dunkirk than a D-Day. We must remain vigilant against those who view EO 12333 as a license for unfettered executive branch spying.
Overall, the state of surveillance in 2021 should give privacy advocates reason to feel optimistic. Meaningful change has been accomplished while harmful provisions have been prevented.
In the wake of the disgraceful attack on the U.S. Capitol, we point out that existing investigative tools are allowing law enforcement to arrest the rioters and ring leaders. We should be skeptical of any attempt to use that assault, as heinous as it was, as the basis for yet another anti-terrorism law that subverts the U.S. Constitution.
We’ve seen how effectively the federal government has bypassed that pesky Fourth Amendment requirement for a probable cause warrant by engaging in mass collection of call record data when nobody was looking … or now by simply buying our digital data from data brokers. A similar issue, really a national privacy crisis, is taking place at the local level with something called a “stingray.”
This is slang for a cell-site simulator, which tricks your cellphone into responding to it as if it were a cell tower. It is kind of the digital equivalent of an undercover agent posing as a friend who then snoops around on your phone when your back is turned. Using stingrays, local authorities can and do access data on phones in an area that can be as wide as two miles, sucking up data on everyone, not just the intended target. Authorities will tout it as a way to preempt terrorists and violent criminals, but it is often used by police in routine investigations of nonviolent crimes. In many jurisdictions, what would stop unscrupulous investigators from using stingrays to snoop on political opponents?
California is privacy-challenged in many ways, especially in its attitude toward the privacy of donors to causes that can be targeted for harassment and abuse. When it comes to stingrays, however, the Golden State has taken some reasonable steps. A 2015 California law requires local governments to hold public hearings to include some democratic oversight of how this technology is used in a community. Every state should have a similar law. Such hearings would provide one important forum for addressing the significant constitutional concerns from indiscriminate surveillance and data collection.
In defiance of this requirement, the city of Vallejo authorized its police chief to develop the department’s privacy and usage policy without a public hearing. The lack of public involvement perhaps accounts for Vallejo’s more free-wheeling invasion of privacy as compared to other California jurisdictions: Vallejo’s usage rate for its cell site simulator is approximately 60 percent higher than the usage of the city of San Jose’s police department, despite the fact that San Jose’s population is nine times larger than that of Vallejo.
Late last year, a California state court issued a final decision interpreting the state law in a writ of mandate requiring compliance with the public approval process for Vallejo’s stingrays. Superior Court Judge Bradley Nelson ruled:
“Because any policy’s personal purpose is to safeguard, within acceptable limitations, the privacy and civil liberties of the members of the public whose cellular communications are intercepted, public comment on any proposed policy before it is adopted also has a constitutional dimension.”
One scholar who has followed this closely is Marilyn Fidler, who reports that “California law is the only state I encountered in my research that mandates a comprehensive, public governance process at the local level, which I have argued is particularly important to regulating police surveillance.”
No doubt public hearings are necessary for transparency and democratic oversight. But this should not be a substitute for clear information on the scope and uses of this technology, as well as on what rules are in place to ensure use of stingrays are used within constitutional bounds. This is especially needed given that the ACLU reports the use of stingrays by at least 14 federal agencies.
The FBI has long sought to get around the encryption of data in our personal digital devices. It has tried, and often failed, to coerce Apple and other companies to give it a backdoor into our devices. As the ACLU notes, “between our emails, text messages, location information, social media activity, and more, our cellphones hold almost our entire lives.”
That is why the ACLU was more than a little alarmed to learn of the FBI’s Electronic Device Analysis Unit (EDAU), an in-house team capable of breaking into our personal devices. ACLU reports it has discovered public records that indicate that EDAU appears able to access encrypted information from a locked iPhone.
Concerned, the ACLU filed a Freedom of Information Act request to the Department of Justice and the FBI seeking records about EDAU and its activities. What it received in response was a “Glomar” response – which refuses to confirm or deny the existence of any such records.
This is peculiar. After all, ACLU learned of EDAU through public documents. So such documents are known to exist. The FBI has no basis to deny ACLU’s request.
The ACLU then took the next logical step. Yesterday, it asked a federal court to intervene and order DOJ and the FBI to turn over all responsive documents relating to the EDAU.
ACLU said: “We’re demanding the government release records concerning any policies applicable to the EDAU, its technological capability to unlock or access electronic devices, and its requests for, purchase of, or uses of software that could enable it to bypass encryption.”
The FBI might claim authority to surveil cellphone data with probable cause warrants as required by the Constitution. If that’s the case, then, why the secrecy? There is no reason for the FBI to withhold information about the scope and duties of this new unit.
Many civil liberties organizations have long asserted that facial recognition software could have a disparate impact on minorities. If that sounds like a stretch, consider the revelation that Chinese telecom giant Huawei and several other major Chinese tech firms developed software for that country’s ubiquitous facial recognition system to identity and track people with Uighur origins, the Turkic Muslim people in that country’s far west.
The independent research and watchdog group, IPVM, reports that Huawei inadvertently posted documents revealing its racist software in an online corporate interoperability report. In reaction, Antoine Griezmann, a major French soccer star and Huawei brand ambassador cut his ties to Huawei. A senior Huawei executive in Denmark has also resigned in protest.
This revelation reminds us of the ubiquitous nature of surveillance in China, and the potential for misuse of technology in our own country.
PPSA Sues Six Intelligence Agencies to Produce Records: Have NSA, FBI, CIA Surveilled Members of Congress Who Oversee Them?
The Project for Privacy and Surveillance Accountability (PPSA) today filed suit against the Department of Justice and FBI, the Office of the Director of National Intelligence, the National Security Agency, the Central Intelligence Agency and the Department of State seeking records that would reveal if these agencies have been surveilling current and former Members of Congress with oversight responsibility of these agencies.
Almost fifty Members are named as being potentially surveilled in the lawsuit. They range across all political leanings, from House Intelligence chairman Adam Schiff to former Rep. Trey Gowdy, from Vice President-elect Kamala Harris to Sen. Marco Rubio.
PPSA had filed Freedom of Information Act (FOIA) requests with these six agencies as early as January 27, 2020. The law requires these agencies to give a timely and substantive response, either the prompt release of the requested documents, or an explanation of why these records are excluded from a FOIA request by statute.
“Their silence speaks volumes,” said Gene Schaerr, PPSA general counsel. “They clearly do not want to answer our requests.”
The FOIA request concerns two intelligence practices under the Foreign Intelligence Surveillance Act (FISA) and its Section 702, which allows foreign surveillance but forbids spying on “U.S. persons” located inside the United States.
The secret FISA court released an opinion stating that in the 2016 election cycle some Americans had their names upstreamed, in violation of government policy. That opinion described the upstreaming of Americans as raising a “serious Fourth Amendment issue.”
The list of 48 current and former members of committees with intelligence oversight responsibility includes:
In an unprecedented step, the Centers for Disease Control is requiring states to enter into data-use agreements that will share personal information of people receiving the coronavirus vaccine with the federal government. The CDC is calling for the handover of information on vaccinated people, including their names, addresses, dates of birth and ethnicities.
There are undoubtedly sound public health reasons for wanting to know this information. But the government must weigh those benefits against concerns both practical and privacy-related. First, there is the worry expressed by New York Gov. Andrew Cuomo that such a list will prompt some groups, such as undocumented immigrants, to be unwilling to receive a vaccine.
Also of concern is the potential for misuse of this data. What exactly are the internal safeguards and guarantees that CDC can make that this information will not be used for any purposes outside of public health? The federal government should ensure that agencies such as ICE or the IRS will not be able to access this information. Otherwise, a vaccine registry would be decidedly unhealthy for privacy.
This is a developing issue that PPSA will continue to follow.
The secret court of the Foreign Intelligence Surveillance Act (FISA) behaves more like an administrative agency than an actual court. CATO scholar Julian Sanchez archly describes the FISA docket history, which includes only requests for surveillance that have been approved, as a “history of yes.”
For those who want to know more about this secret court, how it operates, how its judges are chosen, how the FISA system reinforces the “ideological hegemony” that favors surveillance, we recommend this podcast in which the Electronic Frontier Foundation’s Executive Director Cindy Cohn and its Director of Strategy Danny O’Brien interview CATO scholar Julian Sanchez.
Sanchez makes the case for bringing more technical advice to the court, as well as speaking in favor of a measure PPSA has long been in favor of – the inclusion of independent, outside experts to represent civil liberties interests before FISA judges. This measure, advanced by Sens. Mike Lee and Patrick Leahy and promoted by PPSA, received 77 votes in the Senate before being derailed in the House.
For anyone looking for a better understanding of FISA and its secret court, this EFF podcast with CATO scholar Julian Sanchez is an excellent resource.
Our online search history includes some of our most sensitive personal information – our private medical issues, our religious and political beliefs, our associations with people and causes. Yet the Director of National Intelligence recently revealed that the government has interpreted the Patriot Act as giving the FBI authority to collect logs showing who has visited particular web pages.
In the past, the government has relied on Section 215 of the Patriot Act – which allowed warrants to be waived under an elastic standard of national security – to view “business records,” including website visits. Yet this past spring, Congress allowed Section 215 to lapse altogether.
In the wake of that development, Charlie Savage of The New York Times recently reported that on Nov. 25, Sen. Ron Wyden (D-OR) received a letter from John Ratcliffe, Director of National Intelligence, correcting an earlier letter that stated that none of 61 orders issued under Section 215, before its expiration, by the Foreign Intelligence Surveillance Court in the past year involved tracking web browsing. In his revision, Director Ratcliffe said that one of the orders did involve collection of logs from a foreign country to a U.S. web page.
As usual with the surveillance bureaucracy, we are left with more questions than answers.
Did the FBI collect web browsing data before last year?
With the expiration of Section 215, is the FBI collecting web browsing data now under a different authority?
With an agency tracking foreign visits to a U.S. website, how does it treat the incidental collection of data on U.S. persons that would inevitably be revealed during such tracking?
If you follow these issues, you know not to hold your breath for answers to questions like these from the bureaucracy. Perhaps the best response would be to put the so-called Daines-Wyden amendment back on the table, a measure that received 59 votes in the Senate, one short of that body’s requirement for adoption. This measure, with Sen. Steve Daines (R-MT) in a bipartisan partnership with Sen. Wyden, would make it illegal for the government to surveil our online information, including web browsing and geolocation histories.
PPSA has followed the growing practice of the federal government to get around the Constitution’s pesky requirement for a probable cause warrant. Several agencies and the military are accessing Americans’ digital data the old fashioned way – they just buy it from data brokers.
There are now signs of concern about this practice within the government. A report today reveals that the Department of Homeland Security’s Inspector General is probing the department’s use of purchased data to track Americans without a warrant. This audit seeks “to determine if the Department of Homeland Security (DHS) and its components have developed, updated, and adhered to policies related to cell-phone surveillance devices.”
This probe was revealed in a response to a letter sent by a group of senators, including privacy champion Sen. Ron Wyden (D-OR). The probe will examine whether DHS’s practices lie within the boundaries set by the landmark Supreme Court case, Carpenter v. United States, which requires the government to obtain a warrant to search cell phone location information. This latest audit comes in addition to a previously known inquiry by the Treasury Department’s Inspector General aimed at similar practices in the Internal Revenue Service.
We have recently seen the government’s circumvention of the Fourth Amendment by purchasing data from private companies that gather all sorts of information about U.S. persons from their cellphones, location-tracking apps, and other interactions with the internet. Turns out that such pay-to-play voyeurism by the government also has a more sinister anti-religious aspect to it, wrapped in the never-to-be-criticized claim of national security.
Examples: A Muslim prayer app that tells the user when to pray and points to Mecca … A religiously oriented Muslim dating site … and a non-religious app that people use as a level for putting up shelves in their homes … all of these digital services generate granular movement data about the user that can be deanonymized in a snap. And now it is in the hands of the Pentagon.
This is a disturbing and deceptive turn, especially in light of recent jurisprudence. In 2018, the U.S. Supreme Court ruled in Carpenter that the government is required to obtain a warrant before accessing the historic location data of American citizens captured by our devices and apps. The ruling, however, has a loophole the size of a cell tower. The government can simply purchase that same information from data brokers without even seeking a warrant. A recent Harris Poll survey found that 77 percent of Americans believe such snooping should require a warrant. Nevertheless, the practice is common and there are signs it is growing more popular with agencies, from the Department of Homeland Security to the IRS, and now the military U.S. Special Operations Command.
While the potential for infringing Americans’ privacy is obvious, the government’s secretiveness about these practices has made tracking down real-world examples difficult. A Motherboard investigative report from Vice into the U.S. military’s use of location data purchased by two defense contractors shows exactly how simply opening the federal wallet allows the government to sidestep a Supreme Court ruling.
Moreover, targeting people by religion is inextricably tied to activities protected under the First Amendment. Data gleaned from the app Muslim Pro, billed as the “Most Popular Muslim App,” is derived from over 98 million users worldwide. Muslim Pro provides Quranic readings, reminders for daily prayers, as well as locating the direction of Mecca. The military is also accessing the dating app Muslim Mingle.
If the war on terror justifies this intrusion in the lives of American Muslims (many of whom embraced their new country after fleeing extremism), what about Orthodox Jews who violate the New York Mayor’s orders concerning pandemics? What about Christians who espouse doctrines that go against official government policy concerning abortion? Would the government be justified in scraping data from Bible.com or Torah.com?
Military spokespeople are quick to point out the data is used only for overseas operations and that all proper procedures for protecting Americans’ constitutional rights are being followed, but we have heard such unsupported assurances before from the FBI and others. They have often given us reason not to take them on faith. Given that millions of Americans are undoubtedly using this app, how exactly does the military ensure the privacy of Americans here or abroad? How does it know a target it is tracking abroad is not a U.S. citizen?
“We could absolutely deanonymize a person,” one source told Vice.
Likewise, how can the military ensure that this data purchased through a backdoor is not used against American citizens in other ways? And do they even try to do so? There is documented use of purchased data by the Department of Homeland Security, as well as by the Internal Revenue Service; and, despite the military’s protestations, there are no clear constitutional standards for how this data is collected, stored and used.
Muslim Pro users who are American citizens have a constitutional right to freely practice their faith. Their use of a faith-based app should not open them up as targets for warrantless surveillance, any more than similar uses by Jews and Christians.
Sens. Mike Lee and Patrick Leahy have addressed the need to bolster First Amendment activities by including independent, outside experts to review government surveillance requests. Also, Sens. Ron Wyden and Rand Paul will soon introduce a measure, “The Fourth Amendment Is Not for Sale” Act, that will restrict the extent to which the government can use purchased data to compromise our privacy.