Advertisement
News

The New NSA Reform Bill Would Give the Government Even More Power to Spy on Your Smartphone

On Wednesday, the US House of Representatives passed a bill to rein in the NSA's dragnet phone surveillance programs. But as the debate moves to the Senate, it's not clear whether we're debating a phone dragnet or an internet one.

by Marcy Wheeler
15 May 2015, 5:00am

Wisconsin Republican Rep. Jim Sessenbrenner, who authored the USA Freedom Act. Photo by The Leadership Conference on Civil and Human Rights via Flickr

On Wednesday afternoon, the House passed the USA Freedom Act by large margins 383 to 88. What happens now—specifically, what the Senate will do—is anyone's guess.

The bill, authored by Wisconsin Republican Congressman Jim Sensenbrenner and New York Democrat Jerry Nadler, would replace the existing phone dragnet operated under Section 215 of the PATRIOT Act. Currently, the NSA aims to obtain the records of all American's phone calls every day, and holds on to those records for five years, querying under limited circumstances. Under the USA Freedom Act, telephone providers would instead hold onto the records, and the government would submit queries on individual accounts to get daily data on ingoing and outgoing calls and connected accounts.

USA Freedom Act also includes some other limited surveillance reforms, including requiring the government to release limited statistics on the government's use of surveillance programs, and at least a summary of significant decisions made by the Foreign Intelligence Surveillance (FISA) Court. It would also create an "amicus" panel of attorneys that the court could consult on in more significant decisions, but from whom the government can still withhold important information.

In addition to these limited changes, though, the bill also provides new goodies for the intelligence community, including emergency authority to obtain data before submitting an application to the court, and a "roamer" authority that allows the NSA to continue wiretapping foreigners for 72 hours after they enter the US. The current version of the bill also includes several measures unrelated to surveillance, like extending the maximum penalty for those convicted of providing material support for terrorism and extending the definition of an acceptable spying target to include those who "conspire with" or "abet" suspects involved in weapons proliferation.

On its face, surveillance hawks should embrace USA Freedom Act, particularly in light of a Second Circuit court decision issued last week that found that Congress had not intended Section 215 to authorize a dragnet of every American's phone records. The court's opinion, written by Judge Gerard Lynch, suggested that the court probably would find the dragnet unconstitutional if Congress doesn't end it, so it is likely lawmakers will need to alter the program with reforms similar to those in the USA Freedom Act anyway.

Watch: Shane Smith Interviews US Defense Secretary Ashton Carter

Perhaps most importantly, for surveillance hawks, USA Freedom Act appears to close certain gaps that have arisen in the NSA's data collection USA Freedom Act appears to permit the collection smart phone records—that is, records of communication that is sent across the Internet, as well as phone calls facilitated by telecoms providers.

To understand why there's a gap, some history is in order. Back when the NSA started this dragnet as part of an illegal wiretap program the agency collected both phone and Internet metadata from telecom companies, though at first the Department of Justice didn't consider the different legal implications of collecting data sent via the Internet from that sent as phone calls.

Once lawyers at the Justice Department finally did consider that question, they realized there were legal problems with collecting such records without a warrant—likely because it's hard to collect Internet metadata without also collecting content. That's because communications sent across the Internet are chopped up into little bits called "packets" with addressing information—the metadata the government wants to collect—as well as some content that's included with each little bit.

When the FISA Court first authorized the Internet dragnet in 2004, it dealt with this legal problem by limiting the categories of information the NSA could collect from Internet communications. But within the first months of the program, the NSA violated those limits, and continued to do so until finally, in the fall of 2009, the agency finally admitted that every single record they had collected over the past five years included data that did not fall within FISA's category restrictions.

The FISA Court shut down the Internet dragnet down for about nine months, until around July 2010, when the NSA convinced the chief FISC judge to restart and expand the dragnet. In the interim, the NSA appears to have moved some of its collection of Internet metadata to two other authorities, data collected overseas and PRISM. And so, a year after restarting the Internet dragnet, NSA shut it down its Internet dragnet again.

As far as we know, ever since then, the NSA has used very different legal approaches to collect phone records and Internet records.

Motherboard: US Companies Are Throwing a Fit Because They're Losing Control of the Internet

That appears to be reflected in the phone dragnet orders, which FISC specifies apply only to "telephony metadata," that is, presumably, the metadata for calls transferred as calls, rather than those transferred as online content. But most people don't make many telephone calls anymore. Increasingly, they rely on call and texting programs like Skype and iMessage, which are transmitted via the Internet, sometimes all the way down to your private WiFi router in your home.

Sources speaking to the Wall Street Journal, the Washington Post, the New York Times, and the Los Angeles Times have been complained about gaps in the phone dragnet for well over a year, with some suggesting that the NSA gets as little as 20 percent of the phone traffic in the US, though those anonymous sources never explained the source of the gap.

One potential impact of that gap was exposed during the Boston Marathon attack trial. Witness testimony revealed that Dzhokhar Tsarnaev had no telephony phone records in the weeks leading up to the attack, because his account had been shut down for non-payment. Rather than calling his brother on his AT&T iPhone to plan the attack, Tsarnaev used Skype.

And because wannabe terrorists tend to be younger, and are often immigrants, it follows that they might disproportionally communicate via Internet messaging services, rather than calls transmitted via phone providers. That means any phone records program—dragnet or targeted—that doesn't include Skype (and iMessage, and other online messaging functions) would be largely useless.

After attending a secret intelligence briefing this week, Senator Bob Corker described the existing phone dragnet as such. "Malpractice is the best word I can use to describe the amount of data that is actually being collected in the metadata program. Corker told the Christian Science Monitor. "It's beyond belief how little data is a part of the program and type of data especially if the goal is to deal with terrorists."

Senate Intelligence Committee Chair Richard Burr seemed to suggest the debate about Section 215 was about Internet metadata the other day, when he claimed in a Senate colloquy that Section 215 authorizes a dragnet for IP calls—though his office later claimed Burr had misspoke and deleted the comment from the congressional record.

Unlike Section 215, the USA Freedom Act appears to include those IP packets; unlike current FISC orders, nothing in the bill is limited to "telephony." Indeed, the House Judiciary Committee's report on the bill notes that when a request is made for call records on an account, "an electronic mail address or account also qualifies as an 'account' for purposes of the bill." The report also specifies that the bill does not permit the prospective chaining on Internet routers suggesting it does envision accounts accessed through the Internet.

While it's true that committee's bill report refers to obtaining call detail records from "telephone companies," it doesn't define that term. Phone manufacturers—like Apple, Google, or Microsoft—are all, to greater or lesser degrees, classified as phone companies, both as hardware manufacturers and software providers, even if they're not telecoms companies.

But instead of embracing the USA Freedom Act for closing those gaps, surveillance hawks instead appear to be aiming to get Congress to approve a full-blown Internet and phone dragnet going forward. For example, after attending that secret briefing on the program on Tuesday night, Senator Bob Corker has been arguing the government needs to vastly expand the dragnets, even while refusing to explain what the NSA does not collect because it remains classified. Which is why no one knows what will happen in the Senate over the next several days. It's not even clear whether we're debating a phone dragnet, or an Internet one.

Marcy Wheeler an an independent journalist who writes about national security and civil liberties.Follow her on Twitter.

Tagged:
spying
SURVEILLANCE
Politics
nsa
congress
senate
Prism
surveillance state
Vice Blog
telephone surveillance
House of Representatives
Patriot Act
Foreign Intelligence Surveillance Court
Foreign Intelligence Surveillance Act
USA Freedom Act
NSA reform