Congress has just a month and a half left to decide what to do about a bunch of laws governing surveillance.
Most of the attention on this time crunch has focused on one provision of the PATRIOT Act scheduled to expire on June 1: Section 215, which authorizes the NSA's domestic phone dragnet, which aspires to collect all Americans' phone records. But Section 215 also authorizes a lot of other collection. Along with Section 215, the Lone Wolf provision (which for years the government claimed it had never used) and the Roving Wiretap provision (which the government secretly used in 2007 to conduct expansive surveillance) are also due to sunset. Congress will decide whether to reauthorize those provisions, permit them to lapse, or rush through a watered down version of USA Freedom Act (USAF), the bill reforming surveillance that failed to pass the Senate last year.
As an alternative, Congressmen Tom Massie and Mark Pocan are offering the Surveillance State Repeal Act, which would impose more meaningful limits on surveillance, but which thus far has attracted little support.
But the PATRIOT Act is not the only surveillance bill in play in the next few months. Even as Congress prepares to consider USAF, it will debate various versions of a cyber-information sharing bill. While all versions make it easier for government and private industry to share information related to cyber-attacks and require the government itself to disseminate information internally immediately, such sharing would do little to prevent most cyber-attacks, and are in no way the most important thing the government could do to rein in cyber-attacks. Plus, all these bills permit information collected in the name of cybersecurity to be used for a wide variety of other uses, including investigating a broad range of felonies. Because of the mismatch between the purported goal of preventing cyber-attacks and the lack of protections for Americans' privacy, Senator Ron Wyden called the Senate Intelligence Committee version of cyber-information sharing a surveillance bill earlier this month. "Any information-sharing legislation that lacks adequate privacy protections is not simply a cybersecurity bill, but a surveillance bill by another name."
But like USAF, these cyber-information sharing bills would give corporations immunity to share data that would otherwise be protected from disclosure to the government, with varying limits on how much personal information may be shared along with evidence of cyber-threats. USAF -- at least in its last incarnations -- offered immunity (and compensation) even for information sharing that did not involve good faith compliance with orders.
In other words, amid a general discussion of reforming surveillance, Congress is rushing to find new ways to give corporations less reason to challenge government information requests. That's important because -- for much of this sharing -- the government claims only the providers have standing to challenge an order in court. Each time the government grants corporations immunity for information sharing, then, it makes it far less likely they'll resist requests to share their customers' information.
And the rush to give corporations expanded immunity comes at a time when the government has had problems getting what it wants.
Take the phone dragnet, for example. While the court order to one subsidiary of Verizon, revealed by Edward Snowden almost two years ago, required the phone company to turn over all its phone records, for some reason the government has been unable to get all records of domestic cell calls in this manner, perhaps because Verizon doesn't keep what the government wants as business records (although parts of the government, including NSA, do access plenty of cell call data via other means). Immunity and compensation will give the government a way to expand the number of records potentially included in such surveillance. And at least in other programs where the telecoms keep records and perform analysis for the government -- such as the Hemisphere program in which AT&T uses call records and location data to identify suspects for the DEA and other agencies -- the companies access additional domestic data that would be unavailable for the government, which might happen under USAF as well.
Or take Internet records. Just 5 of roughly 180 Section 215 orders last year authorized the phone dragnet. The majority of Section 215 orders collected Internet data, probably including data showing Internet traffic flows and URL searches and complete profiles of what people do online (it's unclear whether these orders get targeted at individuals or larger groups or entire companies). Until 2009, the FBI got this data using National Security Letters, orders that required no judicial review and imposed no limits on what the FBI could do with the data. Now, the FISA Court not only reviews the applications, but also orders minimization procedures that impose some limits on what the FBI can do with the extraneous data from this collection (and given that it has imposed such procedures, there is extraneous data collected), meaning Section 215 -- reviled for its use with the phone dragnet -- actually provides Americans more protections than what the FBI had used to obtain this Internet data before. Given FBI's recent claims that it relies on Section 215 for its cyber-security investigations, there's a good chance some of this production could be obtained without court review if the cyber sharing bills pass. If so, then FBI could go back to keeping it all, and even expand its dissemination within the government.
That's not to say these bills offer Americans no benefit. The cyber-sharing bills might marginally improve protection against hackers. USAF would stop the government from holding onto a significant portion of all Americans' call records for five years, a really important benefit. Plus -- in some incarnations though not in others -- USAF would impose some limits on the volume of information the government can collect using Section 215, might expand transparency, and would take initial steps toward making the FISA Court more functional.
But the bills, likely, also involve shifting surveillance under new shells, to get more information, to undergo less court oversight, to share more data more broadly. This is the Intelligence Community's idea of "reform:" new ways to achieve the same results that have never proven to fulfill their stated purpose.
Nowhere in this reform process, for example, has Congress asked for a public accounting of the programs, not even with Section 215, which has never prevented a terrorist attack. Given that the cybersharing bills would do so little to prevent most hacks, it would be a good time to demand some evidence that the sharing will accomplish the goal ostensibly intended.
Meanwhile, by far the bulk of NSA's surveillance -- that collected under Executive Order 12333, which likely collects a great deal of Americans' Internet traffic and much of their international calls -- continues with no court oversight. And the FBI can continue to read the contents of Americans' communications collected under Section 702 using back door searches without a warrant or even a reason to suspect someone of wrong-doing.
The point is, the discussion of urgent efforts to reform surveillance -- short of passing something like the Surveillance State Repeal Act -- would do little to actually rein in surveillance. Not only is the Intelligence Community likely just shifting programs to hide them under new names. But no one is asking whether any of this spying does what it is supposed to do.