Tag Archives: Privacy

ARL Disappointed in Senate’s Passage of Flawed Cybersecurity Bill

On October 27, 2015, the U.S. Senate voted 74-21 to pass the flawed Cyberinformation Sharing Act (CISA), a slightly modified version from the bill that passed the House of Representatives earlier this year.  CISA, which purports to protect against data breaches, actually raises serious privacy concerns.  In passing CISA, the Senate unfortunately voted against a number of proposed amendments which would have strengthened user privacy.

Among other concerns, CISA will allow companies to expand monitoring of their users’ online activities and permits sharing of vaguely defined cybersecurity threats without adequate privacy safeguards.  It authorizes law enforcement that goes far beyond the scope of cybersecurity.

The Senate and House will now need to conference to resolve the differences between the two versions that passed.

 

Senate Judiciary Committee Hearing on ECPA Reform

Today, September 16, 2015, the Senate Judiciary Committee will host a hearing on “Reforming the Electronic Communications Privacy Act.”  The Electronic Communications Privacy Act (ECPA) was passed in 1986 and is badly in need of reform.  The law has not kept pace with evolving technologies and denies important privacy protections for electronic communications, allowing agencies to access documents or communications stored online that are older than 180 days without a warrant.  This outdated law has led to an absurdity that affords greater protection to hard copy documents than digital communication.

As libraries and universities move services into the cloud and more communications take place online, it is critical that Fourth Amendment protect information long considered to be private—including what individuals are reading or researching, and to whom they are talking—even in the digital world. The growth of the Internet has launched new forms of communications and changed the way individuals interact since ECPA’s enactment in 1986. ECPA reform would require warrant for content, extending Fourth Amendment protections to online documents.

The ECPA reform bill in the House of Representatives, known as the Email Privacy Act and introduced by Representatives Yoder (R-KS) and Polis (D-CO) currently has 292 co-sponsors, representing an overwhelming majority.   The Senate version, known as the Electronic Communications Privacy Act Amendments Act also has bipartisan support, was introduced by Senators Lee (R-UT) and Leahy (D-VT) and currently has 23 co-sponsors.  Today, the full Senate Judiciary Committee will consider what reforms to ECPA are necessary, with two panels.  The first panel will consist of government witnesses from the Department of Justice, Securities and Exchange Commission and the Federal Trade Commission.  The second panel has four witnesses representing the Tennessee Bureau of Investigation, Google, the Center for Democracy and Technology and BSA | The Software Alliance.

Twenty-nine years after ECPA’s passage, reform is long overdue.  Congress should bring these bills to a vote and pass ECPA reform to ensure that 4th Amendment rights are preserved in today’s digital world.  Hopefully, today’s Senate hearing is a step toward moving ECPA reform forward.

 

ARL Joins Amicus Brief in Surveillance Case, Wikimedia v. NSA

On September 3, 2015, ARL joined an amicus brief with other library associations and bookseller associations in Wikimedia v. NSA, a case that challenges warrantless surveillance.  The amicus brief, authored by the Electronic Frontier Foundation, was also signed on to by the American Booksellers Association, the American Library Association, the Freedom to Read Foundation, and the International Federation of Library Associations and Institutions.

The brief explains that the First Amendment is a broad guarantee that includes the ability to distribute and receive information, and to freely and privately associate.  Libraries have long advocated for and protected patron privacy, and the brief points out the importance of patron confidentiality including in the digital age.

The brief points out that protecting reader privacy is critical:

Providers of books and reading material such as libraries and booksellers are often uniquely positioned to assert readers’ First Amendment rights. Readers change or curtail their reading if they fear government scrutiny of their behavior, especially where the intrusion concerns reading material that is personally embarrassing, politically controversial, or otherwise revealing.

[…]

The resulting inhibition of expressive activity is not hypothetical: patrons care deeply about their intellectual privacy and avoid situations where they cannot preserve it. In Subpoena to Kramerbooks, the D.C. district court found that as a result of a grand jury subpoena for a patron’s book purchases, “[m]any customers have informed Kramerbooks personnel that they will no longer shop at the bookstore because they believed Kramerbooks to have turned documents over . . . that reveal a patron’s choice of books.” 26 Media L. Rep. (BNA) at 1601. Similarly, when the owner of the Tattered Cover bookstore challenged a search warrant for a customer’s purchase history, she testified she received an “‘enormous amount of feedback’ from customers about this case, including over one hundred letters from customers in support of the Tattered Cover’s position.” Tattered Cover, 44 P. 3d at 1050.

Additionally, the brief notes the rise in digital communications and interactions.  It emphasizes that the First Amendment rights apply in the digital world:

Just as libraries and booksellers have standing to challenge law enforcement access to patron records in the physical world so, too, do they have standing to challenge unwarranted access to digital records. Just as government intrusion on the freedom of inquiry causes First Amendment injury in the physical world so, too, does government surveillance cause injury in the digital world . . . By sweeping in and searching vast amounts of Internet traffic, upstream surveillance encroaches on the sensitive interactions between libraries and booksellers and their patrons—interactions that, as shown above, these entities have historically taken great pains to protect.

The full brief can be accessed here.

 

Coalition Asks President Obama to Pledge to Veto Cybersecurity Information Sharing Act (CISA)

Congress is currently considering the Cybersecurity Information Sharing Act of 2015 (CISA, S. 754), a bill that has serious implications for privacy and civil liberties.  While the bill purportedly is designed to strengthen cybersecurity, it contains significant flaws.  On Monday, July 27, ARL joined a coalition of organizations and security experts in sending a letter to President Obama asking for a pledge to veto CISA due to these concerns:

  • CISA fails to protect personal information.  CISA allows the sharing of vast amounts of personal data to be shared with government agencies.  It allows the sharing of personal and identifying information as a default measure.
  • CISA allows the use of information in investigations unrelated to cybersecurity.  CISA also allows for governments to use cyber threat indicators to investigate a wide range of crimes, including those that are not related to cybersecurity, such as robbery, arson, or trade secret violations.
  • CISA fails to maintain civilian control of domestic cybersecurity.  CISA would permit companies that operate in the civilian sector to share cyber threat indicators with any agency of the federal government, raising serious privacy concerns.
  • CISA permits countermeasures that could damage networks.  CISA would allow companies to deploy “defensive measures” or “countermeasures” that could damage networks that belong to innocent bystanders, even when they would otherwise be illegal under the Computer Fraud and Abuse Act.
  • CISA raises additional transparency concerns.  CISA would create a new exemption to the existing list of nine exemptions under the Freedom of Information Act (FOIA).

 

Three Provisions of the PATRIOT Expire; Senate to Vote on USA FREEDOM Act This Week

*Edited to include a link to the Center for Democracy and Technology (CDT) in-depth analysis of Senator McConnell’s proposed amendments to the USA FREEDOM Act*

Today, three key provision of the PATRIOT Act expired, including Section 215, known as the “library records” or “business records” provision.  While the Senate voted 77-17 on late Sunday evening — just hours prior to the midnight expiration of Section 215 and other provisions — to move forward with a vote on the USA FREEDOM Act, a final vote will not come until later this week due to Senate rules requiring additional time for debate.  Senator Paul’s (R-KY) earlier filibuster of the USA FREEDOM Act, which he argued did not go far enough in protecting privacy and civil liberties, delayed the process enough to result in at least temporary sunset of three provisions of the PATRIOT Act.

Section 215 has been used by the National Security Agency (NSA) to conduct mass surveillance, including bulk collection of phone metadata.  The Second Circuit recently ruled that this bulk collection exceeded the authority granted by Section 215.

While the Senate will hold a vote on the USA FREEDOM Act later this week, passage in its current form is not assured.  Majority Leader McConnell (R-KY) has introduced four amendments, all of which would weaken the USA FREEDOM Act.  These amendments would 1) extend the transition period for agency compliance with the USA FREEDOM Act from 6 months to 12 months; 2) replaces the section creating an amicus curiae to the FISA court with one that is less effective; 3) substitute the USA FREEDOM Act in its current form, including a new notice requirement for data retention for companies that intend to retain call detail records for less than 18 months and; 4) substitute the USA FREEDOM Act with all of the above changes and also removes the provision regarding declassification of FISA court opinions.  The third and fourth amendments are complete substitutes of the House-passed version of the USA FREEDOM Act, essentially re-writing the bill with substantial amendments.  CDT has a great in-depth explanation of each amendment here.

Should any of these amendments be accepted, the House of Representatives would need to accept these changes before the bill can be sent to President Obama.  A number of Representatives have already criticized the USA FREEDOM Act as not going far enough to protect privacy and civil liberties and Senator McConnell’s amendments could be rejected in the House.

Efforts to weaken the USA FREEDOM Act, such as those advanced by Senator McConnell, should not be accepted.  The USA FREEDOM Act should be considered to be the bare minimum in a series of reforms to the NSA’s surveillance practices and efforts to change the bill should focus on strengthening, rather than weakening, protections for privacy.  Now that Section 215 and other provisions of the PATRIOT Act have expired, Congress must carefully consider what authorities it wants to grant the NSA and other federal agencies.  Congress is no longer considering extension or reauthorization of existing powers, but will be granting authority to federal agencies once again.  In doing so, ARL urges members of Congress to protect privacy and civil liberties in a meaningful way and ensure that the key protections advanced by the USA FREEDOM Act are not diminished.

ARL Joins Coalition Letter Opposing Two Flawed Surveillance Reform Bills

On Thursday, May 28, 2015, ARL joined a coalition of 51 companies, trade associations and civil society organizations to oppose the FISA Improvements Act of 2015, introduced by Senator Burr (R-NC), and the FISA Reform Act of 2015, introduced by Senator Feinstein (D-CA).  While these bills have been called a “backup plan” if the USA FREEDOM Act is not passed, it is clear that the two bills do not adequately address current surveillance practices and fail to protect privacy and civil liberties.

The letter points out that both bills fail to stop domestic bulk collection and would authorize a government-imposed data retention mandate on private businesses.  It also notes

. . . the FISA Improvements Act would permit domestic bulk collection b leaving unchanged the FISA Pen Register/Trap and Trace law, which was used for years to collect Internet metadata in bulk.  The bill explicitly leaves Section 215 of the PATRIOT Act unchanged for two years, despite recent public assurances by the NSA Director that a transition period longer than 180 days is not necessary.  In addition to this, the bill contains provisions that weaken whistleblower protections, expand surveillance power by granting the FBI The authority to obtain electronic communication transaction records without a court order, and make permanent provisions of the Patriot Act that are currently tied to a sunset date.

The letter concludes:

Section 215 of the PATRIOT Act is set to expire at 12:00am on June 1.  No legislation has passed the Senate, despite a clear demand for surveillance reform.  These proposals are unviable, ineffective and do not offer a path forward.  We strongly urge against consideration of the FISA Improvements Act or the FISA Restoration and Reform Act.

The Center for Democracy and Technology (CDT) has great one-pagers explaining the flaws of Senator Burr’s bill and Senator Feinstein’s bill.

Section 215 “Library Records” Provision Set to Expire on June 1

Last week, Senator Rand Paul (R-KY) engaged in a filibuster designed to stall consideration of a vote on the USA FREEDOM Act as well as Senator McConnell’s bill which would grant a clean reauthorization of certain expiring provisions of the PATRIOT Act, including the controversial Section 215, also known as the “library records” or “business records” provision.  Section 215 has been used by the National Security Agency (NSA) for bulk collection of phone metadata, a program which was recently ruled unlawful by the Court of Appeals for the Second Circuit.

The filibuster had bipartisan support and, due to its timing, could result in expiration of Section 215 which will sunset beginning on June 1.  In the early hours of Saturday, May 23, just before the Senate adjourned, a vote to move forward with the USA FREEDOM Act (a bill which ARL has supported) failed, as did McConnell’s reauthorization bill.  While Senator McConell’s bill initially proposed reauthorization for 5 years, he advanced attempts to reauthorize PATRIOT Act provisions for much shorter periods of two months, eight days, five days, three days and two days, ostensibly to give the Senate more time to craft a compromise on surveillance reform before expiration of Section 215 and other provisions.  Each of these attempts failed.

Senator McConnell is expected to call for another vote on Sunday, May 31, hours before provisions of the PATRIOT Act will expire.  It is unclear whether such a vote would be held for short-term reauthorization or on the USA FREEDOM Act, which fell just three votes shy of the 60 needed for cloture. Passing the USA FREEDOM Act in its current form, which has already been approved by the House of Representatives, is the only option that might completely avoid a sunset of Section 215 and other provisions. Even if Senator McConnell collects enough votes to approve a short-term reauthorization, it does not appear that the House will be able to hold a vote on such reauthorization. Likewise, if any amendments are made to the USA FREEDOM Act, the House would need to vote to approve these amendments. Because the House of Representatives is not scheduled to return until the afternoon of June 1, should a vote be required in the House, Section 215 as well as several other provisions will likely expire, even if it is for just a short period.

Reauthorization following a sunset of Section 215 would be therefore be seen as a new grant of authority rather than extension of existing authority.  Politically, this distinction could be an important one and policymakers must carefully consider whether a new grant of authority to allow broad surveillance practices is warranted and, if so, what privacy and civil liberty protections are in place.  ARL encourages members of Congress to protect privacy and civil liberty and ensure that meaningful reform of current surveillance practices are achieved in any new grants of authority.

Senator Rand Paul (R-KY) Filibusters USA FREEDOM Act; Future of Section 215 Uncertain

On Wednesday, May 20, 2015, Senator Rand Paul (R-KY) took the Senate floor to filibuster the USA FREEDOM Act.  While the Senate was considering a bill on trade promotion authority or “fast track” legislation, Senator Paul’s filibuster was intended to stall consideration of a vote of the USA FREEDOM Act.  Senate procedural rules mean that the Senate would not be able to take a procedural vote on the USA FREEDOM Act or Senator McConnell’s bill to allow clean reauthorization of Section 215 until at least Saturday, unless there is an agreement to shorten the addition 30 hours of debate permitted.

Senator Paul has been a sharp critic of government surveillance, including under Section 215 of the PATRIOT Act which is also known as the “library records” or “business records” provision.   This provision has been relied upon by the National Security Agency (NSA) to engage in bulk collection of telephone metadata, though the Second Circuit recently ruled that such bulk collection was unlawful under Section 215.  While the USA FREEDOM Act provides for new safeguards, Senator Paul has opposed the extension of Section 215 and other provisions of the PATRIOT Act.  Although he opposes the current text of the USA FREEDOM Act, Paul has announced his intention to offer several amendments to the legislation.

Senator Paul’s filibuster was supported by Senators Daines (R-MT), Lee (R-UT), Heinrich (D-NM), Coons (D-DE), Tester (D-MT), Cantwell (D-WA), Blumenthal (D-CT), Wyden (D-OR) and Manchin (D-WV).

paul-speech-wordle

Image: Word Cloud of Senator Paul’s Filibuster of USA FREEDOM Act, Joseph Hall (CC-BY)

Additionally, while Senator McConnell has now filed motions to proceed on the USA FREEDOM Act and his reauthorization bill, both would still need to clear the hurdle of 60 votes for cloture.  It is not clear whether there are enough votes for either bill.  While there have been suggestions that Congress could pass a very short-term reauthorization — for example, a two-moth reauthorization — to provide time to forge compromise legislation, the House may not be able to consider such legislation before the June 1 sunset.  There is, therefore, a possibility that Section 215 of the PATRIOT Act might sunset, which could greatly change the dynamic of the discussions on surveillance reform.  Should Section 215 sunset, any reform legislation would essentially be seen as granting or reinstating authorization for surveillance under this provision once again rather than simply extending existing authorities, thus changing the political dynamic and potentially creating a basis for stronger reform to protect privacy and civil liberties.

House of Representatives Passes USA FREEDOM Act; Senate To Act Quickly

On Wednesday, May 13, 2015, the U.S. House of Representatives voted in favor of the USA FREEDOM Act, legislation that bans bulk collection under Section 215 of the USA PATRIOT Act as well as other authorities, such as the Foreign Intelligence Surveillance Act (FISA) pen/trap statute and national security letters (NSL) by an overwhelming majority of 338 to 88. ARL is pleased that the House of Representatives has passed stronger reform than its 2014 version and considers this development a step forward in surveillance reform.

Since 2006, the National Security Agency (NSA) has engaged in the practice of bulk collection of phone records under Section 215 of the USA PATRIOT Act, also known as the “library records” or “business records” provision. The 2015 USA FREEDOM Act, backed by the White House, specifically addresses this issue and prohibits bulk collection, only permitting limited surveillance orders that focus on a specific selection term. The Court of Appeals for the Second Circuit also addressed this issue recently, ruling that the NSA’s practice of bulk collection exceeded the authority under Section 215 and therefore unlawful.

The 2015 version of the USA FREEDOM Act passed by the U.S. House of Representatives also includes several amendments to the Foreign Intelligence Surveillance Court (FISC) and transparency measures, representing an improvement over the version passed during the last Congress. The bill will now go to the Senate and must be considered quickly, given the upcoming expiration date of certain provisions of the PATRIOT Act, including Section 215.

While the version passed today by the House of Representatives includes better reforms to surveillance practices than in the 2014 bill, the USA FREEDOM Act is just one step forward in a series of necessary reforms. The Court of Appeals for the Second Circuit’s recent unanimous decision that the NSA’s bulk collection practices exceeded the scope of authority granted under Section 215 demonstrates the egregiousness of the NSA’s interpretation of its authority and the willingness of FISC to approve such broad application of the law. Congress should take care to ensure that provisions under USA FREEDOM Act are not similarly interpreted in an overly-broad manner by the NSA to infringe on the privacy rights of those in the United States. ARL looks forward to continuing to work with Congress to ensure that privacy rights are respected and hopes that additional reforms will be made.

Court of Appeals Issues Landmark Ruling Against NSA Bulk Collection Practices

On May 7, 2015, the Court of Appeals for the Second Circuit ruled on the legality of the National Security Agency’s (NSA) bulk collection of telephone metadata. In a unanimous opinion, the court ruled that the NSA’s bulk collection of telephone records exceeds the authority granted under Section 215 of the USA PATRIOT Act, also known as the “library records” or “business records” provision.

The Second Circuit begins by recognizing that while telephone metadata does not reveal the content of the calls, this fact “does not vitiate the privacy concerns arising out of the government’s bulk collection of such data’ which can reveal a “startling amount of detailed information.” Telephone metadata

might reveal that an individual is: a victim of domestic violence or rape; a veteran; suffering from an addition of one type or another; contemplating suicide; or reporting a crime. Metadata can reveal civil, political, or religious affiliations; they can also reveal an individual’s social status, or whether and when he or she is involved in intimate relationships.

The court also notes that the more metadata collected, the more it can reveal private information.

The court then turned to the facts of the case and summarized the background of the NSA’s bulk collection practices. The NSA has conducted bulk collection of telephone metadata under Section 215 since at least May 2006. The government had collected the data and made “queries” on particular phone numbers that it believed to be associated with a foreign terrorist organization, as well as three “hops,” meaning that the contacts of the contacts of contacts of the original number queried were also looked at. In January 2014, the government limited the number of “hops” from three to two. Additionally, the government required a Foreign Intelligence Service Act Court (FISC) to make a determination that a reasonable articulable suspicion standard had been met, rather than allowing designated NSA officials to determine whether this suspicion existed. The Privacy and Civil Liberties Oversight Group concluded in a 2014 report that the NSA’s program “was inconsistent with §215, violated the Electronic Communications Privacy Act, and implicated privacy and First Amendment concerns.”

After finding that the plaintiffs in the case had standing and the court was not precluded from hearing the case, the Second Circuit turned to the merits of the case and focused on the argument that the program exceeded the authority granted to the government by Section 215.

Section 215 permits the government to apply for “an order requiring the production of any tangible things” provided that they are “relevant to an authorized investigation (other than a threat assessment) . . . to protect against international terrorism or clandestine intelligence activities.” The Second Circuit ruled that while Section 215 “sweeps broadly,” the NSA practices ignore the provision’s statutory limits.

First, while the Second Circuit agreed that the “relevance” standard is generous and Section 215’s use of the term is analogous with the term “relevance” used in the context of a grand jury subpoena, this term is not without its limits. With the NSA’s current bulk collection practices, “The records demanded are all-encompassing; the government does not even suggest that all of the records sought, or even necessarily any of them, are relevant to any specific defined inquiry.” The government argued that the records are “relevant” because they may allow the NSA to identify information that is relevant in the future, but “such an expansive concept of ‘relevance’ is unprecedented and unwarranted.” The court summarizes the government’s argument that “there is only one enormous ‘anti-terrorism’ investigation and that any records that might ever be of use in developing any aspect of that investigation are relevant to the overall counterterrorism effort.”

The Second Circuit points out that warrants and subpoenas for other programs are limited to particular individuals or corporations under investigation as well as specific time periods in stark contrast to the NSA’s program which do not have similar limits:

The records demanded are not those of suspects under investigation, or of people or businesses that have contact with such subjects, or of people or businesses that have contact with others who are in contact with the subjects – they extend to every record that exists, and indeed to records that do not yet exist, as they impose a continuing obligation on the recipient of the subpoena to provide such records on an ongoing basis as they are created. The government can point to no grand jury subpoena that is remotely comparable to the real-time data collection undertaken under this program.

The Second Circuit further notes that term relevant “does not exist in the abstract” and that “§215 does not permit an investigative demand for any information relevant to fighting the war on terror, or anything relevant to whatever the government might want to know.” Instead, it applies only to documents “relevant to an authorized investigation.” Allowing the NSA’s practices to proceed would “require a drastic expansion of the term ‘relevance.’”

Section 215 not only limits collections to what is relevant to an authorized investigation, but also provides that such investigation must not be a “threat assessment.” Thus, the court states, “Congress clearly meant to prevent §215 orders from being issued where the FBI, without any particular, defined information that would permit the initiation of even a preliminary investigation sought to conduct an inquiry to identify a potential threat in advance.” The NSA’s practices are “‘irreconcilable with the statute’s plain text.’”

Turning to the argument that Congress “ratified” the NSA’s practices by reauthorizing Section 215 in 2010 and 2011, the court noted that “Congressional inaction is already a tenuous basis upon which to infer much at all, even where a court’s or agency’s interpretation is fully accessible to the public . . .But here, far from the ordinarily publicly accessible judicial or administrative opinions that the presumption contemplates, no FISC opinions authorizing the program were made public prior to 2013.” Thus, “Congress cannot reasonably be said to have ratified a program of which many members of Congress – and all members of the public – were not aware.” The Second Circuit rejected the argument that Congress “ratified” the bulk collection practices because “these circumstances would ignore reality . . . it is a far stretch to say that Congress was aware of the FISC’s legal interpretation of §215 when it reauthorized the statute in 2010 and 2011.”

Finding that the program was not permitted under Section 215, the Second Circuit declined to rule on whether the NSA’s bulk collection also violated the Fourth Amendment. The court does, however, point to the “seriousness of the constitutional concerns.” It also notes that Congress has been debating the program and that a new version of the USA FREEDOM Act has been introduced into the U.S. House of Representatives and Senate but, “we do not purport to express any view on the constitutionality of any alternative version of the program.”