I’ve been wrestling with an idea on electronic surveillance reform, and when I recently consulted with Benjamin Wittes about it, he encouraged me to post here and seek the feedback of Lawfare’s readership. So here goes my maiden Lawfare post: a modest proposal for reform of the legal authorities under which NSA collects communications content from U.S. technology companies.
Even if the USA Freedom Act had moved forward on the Senate floor during the lame duck session, it would not have been sufficient to address all the concerns raised in the current electronic surveillance debates. The USA Freedom Act focuses on limiting collection of data on Americans here in the US under Section 215 of the PATRIOT Act, and as such, it’s a crucial reform.
Under existing statutes on electronic surveillance, Section 215 and the FISA Amendments Act (FAA), the government can compel cooperation from the companies that hold the data under certain statutory conditions. Both of these statutes authorize collection programs that the companies are aware of and must participate in. In these programs, the government knocks at the front door to get the data it needs.
But reforming these programs doesn’t address another range of problems---those that relate to allegations of overseas collection from US companies without their cooperation.
Beyond 215 and FAA, media reports have suggested that there have been collection programs that occur outside of the companies’ knowledge. American technology companies have been outraged about media stories of US government intrusions onto their networks overseas, and the spoofing of their web pages or products, all unbeknownst to the companies. These stories suggest that the government is creating and sneaking through a back door to take the data. As one tech employee said to me, “the back door makes a mockery of the front door.”
As a result of these allegations, companies are moving to encrypt their data against their own government; they are limiting their cooperation with NSA; and they are pushing for reform. Negative international reactions to media reports of certain kinds of intelligence collection abroad have resulted in a backlash against American technology companies, spurring data localization requirements, rejection or cancellation of American contracts, and raising the specter of major losses in the cloud computing industry. These allegations could dim one of the few bright spots in the American economic recovery: tech.
Without commenting on the accuracy of these media reports, the perception is still a problem even if the media reports of these government collection programs are not true---or are only partly true. The tech industry believes them to be true, and more importantly, their customers at home and abroad believe them to be true, and that means they have a huge impact on American business and a huge impact as well on the relationship between these businesses and an intelligence community that depends on their cooperation.
So, how should we think about reforms in response to this series of allegations the Executive Branch can’t, or won’t, address? How about making the FAA the exclusive means for conducting electronic surveillance when the information being collected is in the custody of an American company? This could clarify that the executive branch could not play authority shell-games and claim that Executive Order 12333 allows it to obtain information on overseas non-US person targets that is in the custody of American companies, unbeknownst to those companies.
As a policy matter, it seems to me that if the information to be acquired is in the custody of an American company, the intelligence community should ask for it, rather than take it without asking. American companies should be entitled to a higher degree of forthrightness from their government than foreign companies, even when they are acting overseas. Under the FAA, we have a statutory regime that creates judicial oversight and accountability to conduct electronic surveillance outside the US for specific purposes: foreign intelligence (or traditional espionage), counter-terrorism, and prevention of WMD proliferation. It addresses protections for both non-US and US persons. It creates a front-door, though compelled, relationship under which the intelligence community can receive communications contents without individual warrants but with programmatic judicial oversight.
FAA exclusivity would say to the rest of the world that when the US conducts bulk electronic surveillance overseas, we are doing so for a particular, national security purpose. The FAA structure with FISC review provides an independent check that the statutory purposes are met. Through transparency agreements with the government, the American companies are able to provide their customers with some sense of how many requests are made.
This would not change the 12333 authorities with respect to non-US companies. It would also not change 12333 authorities when the Executive Branch seeks to obtain the information in some other way than through the US company (i.e. breaking into the target’s laptop, parking a surveillance van outside their house, sending a spy, etc.).
Some have asked me what would happen if foreign companies tried to set up shop here in the US to seek these protections. I need to refine this part further, but would look to other statutory regimes that need to define the nationality of companies, like the Foreign Corrupt Practices Act, or the CFIUS process. Executive Order 12333 itself offers a partial answer, defining a US person to include “a corporation incorporated in the United States, except for a corporation directed and controlled by a foreign government or governments.”
Others may argue that FAA provides inadequate civil liberties protections. This proposal says nothing about the adequacy of that statute. What it says is that for data held by an American company about a target that is not a US person, the checks within FAA are stronger than those under 12333 acting alone.
I’m also not suggesting that this reform will shut down all surveillance activities (something I’d personally oppose), nor will it address the full range of civil liberties concerns. It’s not intended to. It simply aims to restore the belief that when American companies are acting overseas, they bring with them American values, including those of privacy protections.
That’s my thinking at this point. And my thinking on how to address the authorities of 12333 vis-à-vis American companies has shifted based on consultation with others in the field. I’m very interested in feedback, particularly from those who have been FISA practitioners and who can help me work through operational impacts of going this route.
Mieke Eoyang is the Director of the National Security Program at Third Way, a center-left think tank. She previously served as Defense Policy Advisor to Senator Edward M. Kennedy, and a subcommittee staff director on the House Permanent Select Committee on Intelligence, as well as Chief of Staff to Rep. Anna Eshoo (D-Palo Alto).