FBI/Apple privacy fight left out a major player: the data carriers

In the conflict between government surveillance and individual privacy, it is not just the data on devices that is at stake. It is the data that travels to and from the devices

FBI/Apple privacy fight left out a major player: the data carriers
Cory Doctorow (CC BY-SA 2.0)

The recent standoff between Apple and the FBI over the agency's demand that the company provide a way to unlock the iPhone of a dead terrorist, was "resolved" when the FBI "bought a tool," according to Director James Comey.

But that, of course, didn't resolve the fundamental, ongoing conflict between the government's need for digital surveillance capabilities to assist with law enforcement and national security on one side, and the American commitment to personal privacy on the other.

It also didn't even address the role of a third major player in such conflicts: The carriers of the data on the Internet "backbone."

But that role is now being addressed in Congress. A Senate Judiciary Committee hearing Tuesday included recommendations for amendments to the law that regulates government collection of data from communications carriers -- the FISA Amendments Act (FAA).

The FAA is not up for renewal until the end of 2017, but committee Chairman Sen. Chuck Grassley (R-Iowa) said in his opening remarks that, "I'd like to begin the conversation about it well in advance of that."

[ MORE FBI/APPLE ISSUES Many unanswered questions in Apple-FBI controversy ]

Not much gets to or from a smartphone, or any digital device, without the involvement of major Internet companies -- like Microsoft, Yahoo, Google, Facebook, Paltalk, YouTube, AOL, Skype and Apple -- whose infrastructure is used by hundreds of millions of people around the world to communicate, to search the Web, to shop, to do banking and any number of other things that involve the transmission of data.

The National Security Agency (NSA) under what is known as PRISM -- an element of the Foreign Intelligence Surveillance Act (FISA) -- has been able to request user data from those companies since 2007, and they were compelled by law to comply.

But among the explosive allegations in 2013 from former NSA subcontractor Edward Snowden was that the agency had also accessed the overseas, internal networks of U.S. companies in secret, collecting data in bulk.

The mission of the NSA is embedded in the words of FISA -- the collection of foreign intelligence. But Snowden and other critics have been saying for years that since 9/11, it has also included the collection of data on American citizens, sometimes with the cooperation of American data carriers and sometimes without their knowledge.

To say that this made things awkward for companies that are forever promising their customers that, "your privacy is our highest priority" is an obvious understatement. First they denied knowing anything about PRISM, but later fought for the right to be able to acknowledge government data "requests" in the name of transparency.

They already had legal liability protection, however. Lee Tien, senior staff attorney with the Electronic Freedom Foundation (EFF), noted that in 2008, "Congress passed, and the president (Bush) signed, a bill that immunized the telecoms against any liability.

"That means the companies no longer have to worry about whether they're acting lawfully, at least with respect to the privacy of their users. They only have to worry about satisfying the government's requests," he said.

None of multiple carriers contacted by CSO responded to requests for comment. But, with the "conversation" on the FAA under way, privacy advocates argue that government access to the data handled by those companies needs more explicit restrictions.

To accomplish that would require amending Section 702 of the FAA, which governs the collection of data by the NSA. Sen. Patrick Leahy (D-VT), ranking member of the committee, called Section 702 "an important tool" but also "extremely broad." He said while it is aimed at foreign surveillance, "it sweeps up a sizeable amount of information about innocent Americans who are communicating with those foreigners."

Elizabeth Goitein, co-director of the Liberty & National Security Program at the Brennan Center for Justice at New York University School of Law, was more specific.

She said under the current implementation of Section 702, the NSA is collecting vastly more than foreign intelligence.

To describe surveillance that acquires 250 million Internet communications a year as ‘targeted' is to elevate form over substance," she said. "And on its face, the statute does not require that the targets of surveillance pose any threat …"

That debate goes well beyond the hearing room. In a recent Hoover Institution essay, Mieke Eoyang, vice president of the National Security Program at the think tank Third Way, noted that the major telecoms and other communications companies are, "physical and legal gatekeepers (that) regulate government access to private information."

In an interview, Eoyang added that this is not just a domestic issue. "Those companies, compete in a global market," she said. "They want to safeguard national security, but must also reassure current and future customers, including those living overseas, that data privacy is a priority."


Mieke Eoyang, vice president, National Security Program at Third Way

The Snowden revelations, she said, created a more adversarial relationship between the private and public sectors that needs to be repaired.

"If the government treats the companies as just another surveillance target to exploit, business leaders will view the government as yet another unauthorized user to keep out," she wrote.

[ MORE ON CSO: The economics of back doors ]

Among her recommendations for amendments to the FAA is for the law to clarify that, "U.S. companies must filter data using court-authorized selectors (such as email addresses or phone numbers) before handing it over to government agencies."

Currently, she said, it is not clear who controls the filtering of data, although Section 702 of the FAA authorizes government to conduct so-called "upstream" surveillance, which means collection of information before it has been filtered.

"Government has asserted that it doesn't look at anything before the filter. But we don't really know who owns the filter or who does the handoff," she said.

"The question is one of technology. Does it allow the government to have access to the full stream of data before the filter? If so, there is a risk of abuse, or attempts to use the filter for a political purpose."

But the implications go well beyond technology, of course. "Post-Snowden, these companies no longer have confidence in government," Eoyang said. "They need to know that government is coming through the front door with an appropriate ticket, and not breaking in through the back door."

Not everybody sees it that way, of course. While there is general agreement that limiting government access to the private data of U.S. citizens is a good thing, Eoyang's proposed amendment still gets mixed reviews.

Eric Berg, an attorney at Foley & Lardner and a former Department of Justice attorney, said he doubted service providers want to be responsible for the filtering of data.

Not only does it depart from their core business, but it could also expose them to reputational damage or legal liability.

"While the idea of keeping the government one step removed from the data may have emotional appeal, the potential liabilities involved would be numerous and very likely unknowable," he said.


Eric Berg, attorney, Foley & Lardner

And in another Hoover Institution essay, also presented on the Lawfare blog, U.S. Naval Academy cyber studies professor and former NSA deputy director Chris Inglis, and Jeff Kosseff, assistant professor of cybersecurity law at the academy, argue that allegations that the NSA, "exceeded either the intent or the letter of its authorities" are nothing more than "widely circulated myths."

They contend that Section 702 authorizes the collection of only, "foreign intelligence from non-U.S. persons who are not located in the United States, (is) overseen by all three branches of government and has an unprecedented system of checks and balances."

And they wrote that according to the NSA, "Section 702 is its single most significant tool for identifying terrorist threats."

Inglis, in an email interview, said that government, "can, and does, target the content of the communications of a legitimate foreign intelligence target, though the manner, location and techniques employed are constrained by various legislative, judicial, and executive branch statutes, orders and policies."

He said since those communications are often "wrapped" in various Internet protocols or encryption schemes, the NSA is authorized to "unwrap" them, "to generate intelligence on legitimate foreign intelligence targets -- generally characterized as ‘breaking codes.'"

Still, the language of Section 702 allows surveillance of those who are "reasonably believed" to be non-U.S. persons located outside the U.S. That, in any kind of legal setting, would seem to be leaving a good deal of wiggle room.

Tien says the problem goes well beyond that. "We have argued that 702, on its face, is unconstitutional because no court actually decides anything particular about the search/seizure of data -- it only approves procedures for targeting, minimization, etc.," he said. "Other executive branch officials -- I think the director of national intelligence or the attorney general -- issue the actual directives to providers. Section 702 is by no means a gold standard."

And, he added, any meaningful oversight of government surveillance under Section 702 is impossible because the government, citing national security, "makes it nearly impossible to understand how these programs work or how they affect the public. If there were abuses, how would you or I know about them? We don't even really know what the words of the statutes mean."

Inglis contends that the more people learn about the constraints on U.S. intelligence collection, the more reassured they are. He cited a post from two years ago by Geoffrey Stone, a law professor at the University of Chicago, who served on the President's Review Group in late 2013, which made recommendations to the president about NSA surveillance and related issues.

Stone said he came to the task with "great skepticism" about the NSA, but came away much more impressed than he had expected with an agency that had not only thwarted numerous terrorist plots but also, "operates with a high degree of integrity and a deep commitment to the rule of law."

This, he said, did not mean he thinks the public should trust the NSA. "It should never, ever be trusted," he wrote, since, "distrust is essential to effective democratic governance."

But he said he did believe that, "the NSA deserves the respect and appreciation of the American people."

While the debate will likely continue well into next year, David Medine, chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), said at Tuesday's hearing that if the Section 702 program is to continue, "it should be more protective of privacy and civil liberties."

He proposed three amendments:

  • Require intelligence agencies to get FISA Court approval before querying information connected with a U.S. person's identifier.
  • Restrict the collection of "upstream" data even after it has been filtered, to reduce the amount of "incidental" collection of information about U.S. citizens.
  • Require the NSA and other intelligence agencies to report the number of records of U.S. persons it collects annually to the Director of National Intelligence, Congress and other oversight agencies.

Eoyang, while she said the U.S. commitment to privacy is, "far greater than that of any other country around the world, including other western countries," said she believes amendments to the FAA are overdue.

"Business as usual is not sufficient," she said. "There are things about the status quo that could bring a halt to U.S.-European electronic commerce, and that would be catastrophic to both economies."

Indeed, Laura Donohue, a professor at Georgetown Law, in yet another Lawfare post, argued that, "the dichotomy between government collection and corporate collection is a false one … once a company has collected the data, it is available to government. The seam between corporate collection and government collection is highly porous."

This story, "FBI/Apple privacy fight left out a major player: the data carriers" was originally published by CSO.

Copyright © 2016 IDG Communications, Inc.