Privacy

Expanding on the International vs. U.S. Surveillance Law Comparisons

By Carrie Cordero
Tuesday, February 24, 2015, 10:00 AM

Following my post from last week regarding how the debate over the Snowden disclosures has blurred the distinctions between national security surveillance authorities and consumer privacy law, Tim Edgar pointed out yesterday that U.S. law is probably one of the most protective legal structures, if not the most protective, of any nation concerning government access to data for national security purposes. Tim’s post invites additional analysis of international surveillance laws versus U.S. laws.

Some time ago, I had looked more in-depth at a few of the reports and comparisons Tim highlights. Here is some of what I found, followed by a cursory summary of certain aspects of the oversight implemented under FISA:

Two reviews done after the Snowden disclosures provide some insight into other countries’ national security surveillance laws and practices. In June 2014, global communications provider Vodafone released a law enforcement transparency report that included statistics regarding its compliance with government requests, as well as a legal annex analysing the laws requiring cooperation in 29 different countries.[1] The report covered disclosure for law enforcement and national security purposes, to the extent that the laws of a particular country allowed disclosure. Even for law enforcement requests, many local laws prohibited Vodafone from disclosing any information regarding compliance.[2]

The second report, issued by the Center for Democracy and Technology (CDT) in November 2013, analyzed the laws in 13 countries. Of the 29 countries covered by the Vodafone report and the 13 countries covered by the CDT report, six countries were covered by both reports: Australia, France, Germany, India, Italy and the U.K. To further complicate the analysis, even where recent research has attempted to find clarity, what different countries’ laws state in text may vary from how the law is actually being implemented.[3]

The Vodafone report’s legal annex summarizing the laws in the 29 countries reveals that, with possible[4] limited exceptions, all of the countries assessed authorize surveillance for national security purposes based on ministerial, or what would be comparable to our executive branch, authority. For example, with respect to several of the countries that are more relevant to the current public debate, Australia, France, Germany, India, Netherlands, New Zealand, Turkey and the U.K. all appear to provide for ministerial approval of national security surveillance within their country. Unlike national security surveillance conducted inside the United States, approval by a neutral and detached magistrate is not required in those countries. Notably, German law provides for not only individualized surveillance, but “strategic interception” that appears broad in scope and allows the government to target a particular geographic region, not just an individual, organization or entity. German law also appears to authorize surveillance against a person other than a suspect (referred to as a “third person”) if the person is “reasonably suspected of receiving or forwarding messages intended for, or stemming from, the suspect.”[5]

In some circumstances, the Vodafone legal annex describes the absence of legal authority providing for national security surveillance in a particular country. While it is possible that this absence of law indicates that that country’s government is not permitted to, and does not, engage in surveillance for national security purposes, it is also just as possible, if not more likely, that the absence of law indicates that the security or intelligence service has wide latitude to engage in national security or foreign intelligence surveillance. Further, there are some countries that require a provider, such as Vodafone, to provide direct access to their systems, enabling the government to conduct surveillance via direct link. Most, but not all, of the countries covered in the Vodafone report require a court order issued by a judge for surveillance conducted for law enforcement purposes.

Similarly, the CDT Report found that “almost half of the [thirteen] countries studied do not have provisions requiring court orders for surveillance undertaken in the name of national security or for foreign intelligence gathering.”[6] The CDT report analyzed practices for government acquisition of content pursuant to electronic surveillance, access to stored communications, and access to transactional data. The CDT report found that most countries have high standards for electronic surveillance for law enforcement. The report notes that China and India, however, do not.[7] The report finds that Germany requires telecommunications companies to report customer data such as name, address and telephone number to a central governmental database; China “maintains almost unlimited and unfettered access to private sector data”; Brazil was exploring options to facilitate direct government access to telecommunications companies’ systems; and India has a “Central Monitoring System” enabling direct government surveillance without requiring cooperation of telecommunications providers.[8]

Although the Vodafone and CDT reports provide significant insight and analysis into many other countries’ laws and practices regarding the assistance that communications companies provide to government to facilitate law enforcement and national security surveillance, additional research is needed. In particular, given that certain additional countries not covered by these reviews may enjoy reputations as technology-industry friendly, considered analysis of the laws and practices for access to data for national security and law enforcement purposes of Switzerland, Sweden, Singapore, Finland and Denmark, as examples, would add to the international public discussion of these issues.

In contrast to the nations’ laws and rules governing national security surveillance within their own countries, as described in the Vodafone and CDT reports, the United States has a robust legal and oversight structure governing national security surveillance activities conducted inside the United States. Most countries today still conduct national security surveillance within their country under executive, or ministerial, approval alone. In the United States, prior to 1978, NSA and the FBI conducted surveillance activities for foreign intelligence purposes under Executive authority alone, too. In 1978, Congress passed the FISA, which distinguished between surveillance that took place within the United States and that which occurred outside our borders. Surveillance targeting non-U.S. persons that occurs completely outside the United States for foreign intelligence purposes is conducted pursuant to Executive Order 12333.[9] FISA requires that when electronic surveillance is conducted inside the United States, the government seek an order from the FISC based on probable cause. If the government seeks to conduct surveillance targeting a foreign agent or foreign power here in the United States, it must obtain FISC approval to do so. The Court may not issue an order targeting a U.S. person based solely on activities protected by the First Amendment to the Constitution. And the Attorney General is required to report on the full range of activities that take place under the FISA to the intelligence and judiciary committees in Congress. The law requires that the committees be “fully informed.”

FISA and its implementation processes in the Executive Branch contain a number of oversight checks and balances. Requests for collection authority generally proceed from the requesting agency to the Justice Department’s National Security Division, which reviews the requests for factual and legal sufficiency, and prepares the applications that are presented to the FISC. In certain types of cases, the requesting agency may prepare the initial draft of the application, which is then reviewed by the Justice Department. For cases that are handled by the FBI, the investigations and requests for surveillance or search authority must conform to the Attorney General’s Guidelines for FBI Domestic Operations.[10] The Justice Department is responsible for overseeing compliance with those procedures, including compliance with the conduct of National Security Investigations. Department of Justice attorneys periodically conduct oversight reviews of compliance with minimization[11] and other internal operating procedures at the requesting agencies.

Additional entities within the Executive Branch conduct oversight of FISA activities, with the degree of involvement depending on particular issues that may arise. Inside a particular Intelligence Community element, there are internal oversight and compliance personnel. For example, NSA’s activities are subject to review by its Offices of Compliance, General Counsel, new Civil Liberties Officer and Inspector General. Within the Department of Justice, the Attorney General’s oversight responsibilities are generally carried out by the National Security Division. DOJ’s Inspector General may conduct oversight, as appropriate. The FBI is subject to oversight internally by its Offices of General Counsel and Compliance and its Inspection Division, and externally by the Department of Justice. The Office of the Director of National Intelligence, including its Office of General Counsel and Civil Liberties Protection Officer, has responsibilities for certain oversight, as discussed further below. In addition, the newly invigorated Privacy and Civil Liberties Oversight Board (PCLOB) conducts oversight on matters pertaining to the protection of civil liberties and privacy in the context of counterterrorism activities.

Oversight of Section 702 surveillance was developed following the addition of that section to the FISA in 2008. Section 702 authorizes the NSA to acquire the communications, for foreign intelligence purposes, of non-U.S. persons reasonably believed to be outside the United States. These are persons with no Constitutional protections, and yet, because the acquisition requires the assistance of a U.S. electronic communications provider, there is an extensive approval and oversight process. There is a statutory framework. Specifically, the Attorney General and Director of National Intelligence jointly approve certifications. According to declassified documents, the certifications are topical, meaning that, as the statute is being implemented, the certifications are not so specific that they identify individual targets, but they are not so broad that they cover anything and everything that might be foreign intelligence information.[12] The certifications are filed with the FISC, along with targeting and minimization procedures. Targeting procedures are the rules by which NSA selects valid foreign intelligence targets for collection. Minimization procedures are rules by which NSA handles information concerning U.S. persons. The FISC approves these procedures. If it does not approve them, the government has to fix them. The Court reviews these procedures and processes annually. The Court can request a hearing with government witnesses or additional information in order to aid in its decision-making process. Information about the 702 certifications is reported to the Congressional intelligence committees.

Once the certifications are in effect, attorneys from the Department of Justice’s (DOJ) National Security Division and attorneys and civil liberties officials from the Office of the Director of National Intelligence (ODNI) review the NSA’s targeting decisions and compliance with the rules. They conduct reviews at least every 90 days. During that 90-day period, oversight personnel are in contact with NSA operational and compliance personnel. Compliance incidents can be discovered in one of at least two ways: NSA can self-report them, which it does; or the DOJ and ODNI oversight personnel may discover them on their own. Sometimes NSA does not report a compliance incident in the required time frame. Then the time lag in reporting may become an additional compliance incident. The DOJ and ODNI compliance teams write up semi-annual reports describing the results of their reviews. The reports are approved by the Attorney General and Director of National Intelligence, and provided to the FISC and to Congress. According to a declassified report, in August 2013, for a six-month period in 2012, the rate of error for NSA’s compliance under Section 702 collection was .49% - less than half of one percent. If we subtract the compliance incidents that were actually delays in reporting, then the non-compliance rate falls to between .15-.25% - less than one quarter of one percent.[13] The government should declassify additional such reports, or summaries of them, in order to enable the public to assess, on an ongoing basis, whether the oversight of Section 702 continues to reveal a low margin of error.

The oversight and compliance mechanisms described above are far from exhaustive; instead, these are examples of specific structures and processes that pertain to some of the FISA activities under discussion.

[1] Law Enforcement Disclosure Report, http://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html, and accompanying Legal Annexe, available at http://www.vodafone.com/content/dam/sustainability/2014/pdf/operating-responsibly/vodafone_law_enforcement_disclosure_report.pdf. The Vodafone report analyzed laws in the following 29 countries: Albania, Australia, Belgium, Czech Republic, Democratic Republic of Congo, Egypt, Fiji, France, Germany, Ghana, Greece, Hungary, India, Ireland, Italy, Kenya, Lesotho, Malta, Mozambique, Netherlands, New Zealand, Portugal, Qatar, Romania, South Africa, Spain, Tanzania, Turkey, and the United Kingdom.

[2] Vodafone report noting that Vodafone was not permitted to disclose statistics regarding compliance with lawful requests in Albania, Egypt, Hungary, India, Ireland, Malta, Netherlands (for national security information), Qatar, Romania, South Africa, Turkey, and the United Kingdom, at http://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html.

[3] CDT report (“In many countries, the published law appears to say something different from what governments are reportedly doing.”)

[4] The description of Belgian law indicates that the authorization of the Director-General of the State Security must obtain the concurrence of the “Administrative Commission” for national security surveillance, although the composition and structure of this Commission is not detailed in the report. The description of Greek law implies that there may be a court approval requirement, although it may also be that Greek law is silent on this issue. Finally, the description of Portuguese law indicates that Portugal may have strong protections in place, such as requiring authorities to go through a prosecutor, even in the national security context, although it may also be that certain national security practices are not addressed in the law.

[5] See Vodafone Legal Annex (section on Germany).

[6] CDT report at 2.

[7] CDT report at 2.

[8] CDT report at 5.

[9] Executive Order 12333, as amended, Federal Register Vol. 40, No. 235 (December 8, 1981), amended by EO 13284 (2003), EO 13355 (2004), and EO 13470 (2008), available at http://www.dni.gov/index.php/about/organization/ic-legal-reference-book-....

[10] The Attorney General’s Guidelines for FBI Domestic Operations (September 29, 2008), available at http://www.justice.gov/ag/readingroom/guidelines.pdf. The FBI has extensive internal rules implementing the Attorney General’s guidelines, which are issued in the FBI’s Domestic Investigations and Operations Guide (DIOG), available at http://vault.fbi.gov/FBI%20Domestic%20Investigations%20and%20Operations%....

[11] NSA’s minimization procedures for surveillance conducted pursuant to Executive Order 12333, as well as its minimization procedures for Section 702 acquisition, are now publicly available. See United States Signals Intelligence Directive (known as USSID 18) (January 25, 2011), available at http://www.dni.gov/files/documents/1118/CLEANEDFinal%20USSID%20SP0018.pdf. See also Exhibit B, Minimization Procedures Used by the National Security Agency in Connection with Acquisition of Foreign Intelligence Information Pursuant to Section 702 of the Foreign Intelligence Surveillance Act of 1978, As Amended (October 31, 2011), available at http://www.dni.gov/files/documents/Minimization%20Procedures%20used%20by....

[12] NSA Director of Civil Liberties and Privacy Office Report, “NSA’s Implementation of Foreign Intelligence Act Section 702,” (April 16, 2014) at 2, available at http://www.dni.gov/files/documents/0421/702%20Unclassified%20Document.pdf.

[13] Semiannual Assessment of Compliance with Procedures and Guidelines Issued Pursuant to section 702 of the Foreign Intelligence Surveillance Act, Submitted by the Attorney General and the Director of National Intelligence, Reporting Period June 1, 2012-November 30, 2012 (August 2013), available at http://www.dni.gov/files/documents/Semiannual%20Assessment%20of%20Compliance%20with%20procedures%20and%20guidelines%20issued%20pursuant%20to%20Sect%20702%20of%20FISA.pdf.