The Reform Government Surveillance coalition has significant concerns with the FISA Amendments Reauthorization Act of 2017, H.R. 4478, as currently drafted.  Unless changes are made to the bill, Reform Government Surveillance opposes this legislation. 

Reform Government Surveillance continues to advocate for common sense legislation to reform Section 702 of the Foreign Intelligence Surveillance Act.  While we recognize that Section 702 provides the intelligence community with valuable national security tools, we also believe that any reauthorization of this authority should include reforms that further protect the privacy of all our users, increase accountability, and promote government transparency. 

Unfortunately, the bill does not meaningfully restrict the FBI from warrantlessly searching the content of Americans’ communications incidentally collected under Section 702.  Instead, the bill provides that the FBI “may” seek an order from the FISA court before accessing the contents of Americans’ communications – but the bill does not require such an order.  When combined with the broad exceptions in the legislation regarding the use of such information in criminal cases, these provisions provide little, if any, additional privacy protections.

The bill also fails to permanently codify an end to “abouts” collection by the government.  After the FISA Court raised serious privacy concerns about the NSA’s collection of communications that were “about” – rather than “to” or “from” – a communicant, the NSA halted this program.  Given the NSA’s acknowledgment that it is not able to conduct “abouts” collection in a way that adequately protects the privacy rights of all our users, Congress should make it clear in the law that the NSA cannot engage in such collection.

We are also concerned that the bill suggests that the government can target “a facility, place, premises, or property” for Section 702 surveillance.  Such targeting would be broader than what is currently authorized by the statute, and is contrary to prior statements by government officials regarding the use of Section 702 “abouts” collection.  In March 2014, for example, the General Counsel of the NSA stated to the Privacy and Civil Liberties Oversight Board that such collection was “selector-based, i.e. based on … things like phone numbers of emails.”  The government should not be using Section 702 to target entire facilities, places, premises, or properties – and this bill should not include language that could be used to justify such targeting.

Finally, expanding the definition of “foreign power” and “agent of a foreign power” to include individuals and entities engaged in “international malicious cyber activities” is potentially overbroad and unnecessary.  Importantly, changing the definition in Section 101 would affect not just Section 702, but also the scope of all the other surveillance authorities contained in FISA.  Such an important change could significantly broaden the scope of government surveillance, and should be made only after extensive consultation with the appropriate stakeholders in industry and civil society.  We urge the House Intelligence Committee to remove this provision so that such consultation can take place.

We look forward to working constructively with the House Intelligence Committee and others as Congress considers reauthorization of Section 702.

November 30, 2017

Reform Government Surveillance commends Chairman Goodlatte, Ranking Member Conyers, and other leaders of the House Judiciary Committee for introducing the bipartisan USA Liberty Act, H.R. 3989.  The USA Liberty Act includes significant improvements to U.S. surveillance law, particularly Section 702 of the Foreign Intelligence Surveillance Act, while preserving the ability of the intelligence community to protect national security. 

We applaud the efforts of Chairman Goodlatte and Ranking Member Conyers to craft common sense legislation that increases privacy protections, accountability, and transparency.  We will also continue to support additional reforms that further strengthen and improve the bill, and we look forward to working constructively with Chairman Goodlatte, Ranking Member Conyers, and other members of Congress toward that end.

Dear Leader McConnell, Speaker Ryan, Minority Leader Schumer and Minority Leader Pelosi:

The Reform Government Surveillance coalition (RGS) writes to share with you our priorities for this Congress with regard to reforming laws that govern when law enforcement and the intelligence community may access user data.  As you shape Congress’ agenda, we look forward to working with you on important legislation that has an impact on the information of billions of our customers around the globe.  

Our customers, both individual and corporate, no matter where they are located, expect us to protect the privacy and security of their data.  At the same time, law enforcement officials should have the resources that they need to better protect our communities.  As a result, we have adopted the following principles that we believe must define government surveillance laws in the U.S. and throughout the world:

Limiting Governments’ Authority to Collect Users’ Information - Governments should codify sensible limitations on their ability to compel service providers to disclose user data that balance their need for the data in limited circumstances, users’ reasonable privacy interests, and the impact on trust in the Internet. In addition, governments should limit surveillance to specific, known uses for lawful purposes, and should not undertake bulk data collection of Internet communications.

Oversight and Accountability - Intelligence agencies seeking to collect or compel the production of information should do so under a clear legal framework in which executive powers are subject to strong checks and balances. Reviewing courts should be independent and include an adversarial process, and governments should allow important rulings of law to be made public in a timely manner so that the courts are accountable to an informed citizenry.

Transparency About Government Demands - Transparency is essential to a debate over governments’ surveillance powers and the scope of programs that are administered under those powers. Governments should allow companies to publish the number and nature of government demands for user information. In addition, governments should also promptly and publicly disclose this data.

Respecting the Free Flow of Information - The ability of data to flow or be accessed across borders is essential to a robust 21st century global economy. Governments should permit the transfer of data and should not inhibit access by companies or individuals to lawfully available information that is stored outside of the country. Governments should not require service providers to locate infrastructure within a country’s borders or to operate locally.

Avoiding Conflicts Among Governments - In order to avoid conflicting laws, there should be a robust, principled, and transparent framework to govern lawful requests for data across jurisdictions, such as improved Mutual Legal Assistance Treaty — or “MLAT” — processes. Where the laws of one jurisdiction conflict with the laws of another, it is incumbent upon governments to work together to resolve the conflict.

Adopting policies that adhere to these principles is important for fostering our shared commitment to the privacy and security of our customers and their data, and for preserving the health of the Internet economy. Accordingly, the following legislative proposals are on RGS’ agenda for this Congress:

(1)  Passage of the Email Privacy Act:  As we have in the past, RGS companies strongly support passage of the Email Privacy Act.  The Electronic Communications Privacy Act (ECPA), which it would amend, was passed when email was virtually unheard of (and used almost exclusively by businesses) and “mobile” content on cell phones and tablets did not exist. We applaud the passage of the unanimously supported Email Privacy Act by the House of Representatives, and we look forward to continuing to work on reforming ECPA, including with respect to ECPA’s current regime for secrecy orders. When secrecy around a government warrant is needed, orders that require email providers to keep these types of legal demands secret should be the exception and not the rule.

(2)  A rights-protecting regime for when law enforcement asks for data across borders: Governments all over the world are adopting the position that they can request a suspect’s data regardless of the conflicts of law or international norms and treaties. This new reality is weakening trust in technology among business and consumers and is incentivizing foreign governments to consider data localization laws and other policies that would fragment the Internet and impede the flow of data and commerce across borders. At the same time, law enforcement needs mechanisms to lawfully obtain data for investigations and to protect their citizens. The MLAT process remains an important tool for this and should be modernized, but a complementary process is needed to respond to the increased number of requests for cross-border requests for digital information.

Last year, the Department of Justice sent to the House and Senate Judiciary Committees language that would enable law enforcement in another country to issue legal process for content data held by U.S. companies.  A country could only issue legal process directly to U.S. companies if it enters into an agreement with the United States that requires the requests that are issued by a foreign country to meet strong standards of transparency, oversight, and due process.  RGS supports legislation like this as long as it protects human rights and privacy rights (set forth in more detail here), and looks forward to working with policymakers and stakeholders on the introduction and passage of a bill that would meet these criteria.

(3)  Addressing the global nature of data under ECPA:  Last year, the United States Court of Appeal for the Second Circuit held that ECPA is not extraterritorial in its reach; in other words, a warrant issued under ECPA cannot be used to obtain data from a US company where that data is not stored in the US.  (Since then, a court in the Eastern District of Pennsylvania has held that ECPA warrants can be used to compel the production of user data stored abroad.) In order to protect the privacy of customers both in the US and worldwide, and to ensure that law enforcement can get the information that it needs pursuant to a lawful order, the International Communications Privacy Act was introduced last year by Senators Hatch, Coons, and Heller in the Senate and Representatives Marino and DelBene in the House. RGS supports the passage of ICPA and welcomes discussion about any other approaches to this issue that are workable from a technological perspective, protective of consumers’ privacy and due process rights, and able to meet the needs of law enforcement.

(4)  Reforming the expiring powers of Section 702 of the FISA Amendments Act of 2008:  Section 702 of the FISA Amendments Act expires at the end of 2017.  RGS would like to work with you, law enforcement, the intelligence community, civil liberties and privacy groups, and any other stakeholder to help improve oversight of and transparency of this authority.

Section 702 provides the legal underpinnings and judicial supervision for intelligence-gathering programs used by our intelligence community. As Congress moves towards reauthorizing these powers, we would support changes to Section 702 that enhance transparency, provide greater programmatic oversight, and strengthen protection of sensitive personal data. Among the reforms that we would like to work with you on are narrowing the type of information that can be collected under Section 702; requiring judicial oversight for searching the contents of 702 material for the communications of a US person (given that US persons are not the target of 702); allowing companies to disclose the number of requests they receive by legal authority; further declassification of FISA Court orders; and providing greater transparency around how the communications of US persons that are incidentally collected under Section 702 are searched and used, including how often it is “queried” using identifiers that are tied to US persons.

We look forward to working with you to help ensure that an appropriate balance is struck between the government’s need for critical information and people’s privacy and due process rights.  

Thank you very much, as always, for your hard work on these issues that are of central importance to our government and our economy.  

Signed,

Reform Government Surveillance

cc: 

The Honorable Bob Goodlatte, Chairman, House Judiciary Committee

The Honorable John Conyers, Ranking Member, House Judiciary Committee

The Honorable Devin Nunes, Chairman, House Intelligence Committee        

The Honorable Adam Schiff, Ranking Member, House Intelligence Committee

 The Honorable Chuck Grassley, Chairman, Senate Judiciary Committee

The Honorable Dianne Feinstein, Ranking Member, Senate Judiciary Committee

 The Honorable Richard Burr, Chairman, Senate Intelligence Committee

 The Honorable Mark Warner, Vice Chairman, Senate Intelligence Committee

RGS Statement on The Email Privacy Act

Reform Government Surveillance applauds Reps. Yoder, Polis, Goodlatte, Conyers, and all of the original cosponsors for reintroducing the Email Privacy Act.  The Email Privacy Act is crucial to modernizing our outdated laws – written when cell phones and email were rarely used – and making sure that all of our content has the protection of the Fourth Amendment.  The bill passed the House unanimously last year, and pushing the bill to final passage will be one of our top priorities this Congress.

Governments must avoid conflicts of laws to ensure people’s data is protected and avoid a race to the bottom for everyone’s rights; we are encouraged by discussions between the US and UK. A strengthened legal framework must value privacy and human rights while ensuring law enforcement can do its important work. We look forward to continuing discussions with all stakeholders on such a framework.

RGS Principles 

Governments have increasingly adopted the position that they can get people’s data regardless of the law in affected countries or international norms and treaties. This new reality is weakening trust in technology among business and consumers, and undermining national privacy laws enacted by democratic governments. At the same time, law enforcement agencies around the world need mechanisms to lawfully obtain data for investigations and to protect their citizens. The Mutual Legal Assistance Treaty (MLAT) process remains an important tool for this and should be modernized, but a complementary modern process is needed to respond to the increased demand for cross-border requests for digital information that allows new innovations to flourish, enables governments to protect their citizens, and provides a coherent legal framework that ensures human rights and individual privacy are protected. 

In developing a complementary process that address this issue, the following principles are important: 

1.

A strong and principled process. Providers in one jurisdiction should be allowed to respond directly to a request for content from a government where it does business provided there are agreements in place between governments that ensure privacy rights and legal processes are protected. The requests should be limited to cases where the information is sought in connection with an investigation of a serious crime, and the process should not be used for bulk collection, general intelligence gathering, or where the need is not proportionate to the request.

2.

Strong human rights standards. Countries should only get the benefit of this new process when their laws and practices meet international standards on human rights and privacy. These standards include providing basic fair trial rights, prohibiting torture, and ensuring that surveillance laws afford adequate privacy protections to individuals whose data they are seeking. Whether a country’s laws and practices meet those standards must be determined through an objective, transparent, and credible process. And, the request should be authorized by an independent and impartial process on a showing that there is a strong factual basis demonstrating the need for the information, and that the request is narrowly tailored. 

3.

Strong transparency and accountability requirements.  The framework should promote accountability through transparency. There should be periodic reviews to ensure that countries are using the process and the information they obtain appropriately. Similarly, there should be an independent oversight mechanism to regularly ensure that they meet the basic requirements. This can, of course, be reinforced through public information about the requests submitted to providers under the agreement. Requesting countries should publish annual reports regarding the number, type, and temporal scope of the data requests they issue under this framework. Providers also should be allowed to publish the same information on the requests they receive. 

The need for such a framework has been discussed by a range of stakeholders. For example, the proposal by law professors Jennifer Daskal and Andrew Woods contemplates a mechanism to govern cross-border requests. We look forward to working on implementing these principles with stakeholders around the world.

I. Defining Encryption and other Key Terms 

Encryption is the conversion of readable data into a form that can only be understood be read by those who know how to decode it.   It can consist of a code that is as simple as scrambling letters in a routinized way or as complicated as sets of symbols and numbers that are dictated by algorithms.  Examples of encryption go back to ancient Egypt, and carry forward through WWII (the German “Enigma” machines, for example) to the present day. Encryption in the electronic communication context is “decoded” only by those who have electronic “keys” to decode the communications.

A Server is a computer program or a storage unit that provides different types of functions for people’s contents.  We commonly think of a server as a computer that physically stores electronic data.  Servers can store data for individuals, for small businesses, or, in the case of the cloud, for millions of people who use email services such as Gmail, Yahoo!, or Microsoft email.

Metadata is data about data and would include things like to/from information in an email and date and time of a communication.  

An algorithm, in the context of encryption, is a general set of mathematical rules for transforming regular text, or “plaintext,” into encrypted content.

A key is a specific set of instructions used to apply the algorithm to a data or information.  The strength of the key defines the strength of the encryption.

An app is specific software that allows you to perform certain tasks.  They are available both for desktops and mobile devices.  Examples of popular apps include Facebook and LinkedIn, as well as messaging apps like those that come already on smartphones.  

A device, as discussed below, can be both a mobile device (such as a phone or a tablet) and a desktop computer or laptop.

II. Different Types of Encryption/How Encryption Works

Encryption is not new.  It has been available for personal computing on certain operating systems (including those produced by Apple and Microsoft) for many years, and before that, was generally available for both written and oral communication when such communication is over a wire.

End-to-end encryption works by having each party to a communication create a pair of keys, one of which they keep completely private, and one of which, called the “public key,” is shared. Messages between two people using an encrypted app or other can only be unlocked by the recipient’s unique private key. In practical terms, this means that the content of those transmissions can only be unlocked with access to the private key, which is protected on the communication device. Such data would include device-to-device messaging and app-to-app messaging. The Internet Service Provider (ISP), in general, cannot unlock that data.

Device encryption refers to the encryption of data on one’s own mobile device. It works by incorporating an encryption key into the security password on each person’s device (note that device encryption is available both for mobile and desktop devices). Device and end-to-end encryption work similarly, but technologically, they are separate functions. If you are utilizing device encryption on your smartphone, for example, either by default or by opting into it, this means that even the data that is sitting on your phone is fully encrypted while it is sitting there. That would include encryption of financial information, health information, or other sensitive information that a person stores locally on her phone and that isn’t backed up to a cloud or shared, as well as certain messages on messaging apps and device-to-device messages. It could also include emails that haven’t been sync’d with an email provider (such as Gmail or Yahoo!) and haven’t been backed up to a cloud.

Service-provider encryption occurs when a provider, such as a cloud storage provider, encrypts the data for the user.  In this scenario, the provider holds the encryption key and the relevant and legal policy question is when that provider can be obliged to turn over that key to a third party.

III. The Value of Encryption

Encryption protects individual’s data and preserves the free flow of information.  Encrypted products and services are widely available across the globe. Recently, experts identified 865 hardware or software products incorporating encryption from 55 different countries. This includes 546 encryption products from outside the US, representing two-thirds of the total number of encryption products.

Encryption Reduces Cybercrime

-          Cybercrime costs the US $100 billion annually, and the global economy $445 billion each year.  Encryption is one of the primary recommended tactics for reducing cybercrime.  This is why its use has been recommended by the FBI, as well as network security experts. 

Encryption Protects Users’ Sensitive Personal Data

-          Encryption helps keep consumer’s financial, health, educational, and other sensitive data safe from those who would use it to do harm. Credit and debit card fraud alone cost over $16 billion in 2014 and will exceed $35 billion in 2020.  Encryption also helps to protect people’s data in the event of a data breach.

Encryption Protects and Fosters Free Expression

-          Encryption protects free expression around the world, especially in regimes where governments seek to punish people who speak out against violent leaders and repressive laws.

-          Reducing the efficacy of encryption in the U.S. will force users to keep their data on foreign platforms

IV. Encryption and Law Enforcement Access to Data

-          Encryption does not necessarily prevent law enforcement from pursuing investigations.  Even if data is encrypted on a device, it may be available through other means.  For instance, it may be available through valid legal process if it was backed up to the cloud or a cloud-type environment (such as a private company’s exchange servers, in the case of an employee’s emails). For these services, Internet companies or the owner of the server hold a key to unlocking this data, if it is encrypted at all. This is so that customers can, for example, restore their data if they lose it from their device.  In the case of third-party apps, there is often a corresponding service that third-party apps provide, and data may be requested from them.

-          In addition, end-to-end encryption generally does not encrypt metadata, which continues to be available to law enforcement and the intelligence community when the metadata holders are presented with valid legal process.

-          Several commentators have recently observed that while encryption may make certain discrete pools of information difficult for law enforcement to access, in other areas, law enforcement has more access to data than ever before.  Such data includes but is far from limited to social media, the camera and microphone technology provided by hundreds of objects as they become part of the Internet of things, and fitness and other wearables.  Many new “wired” objects will have Internet Protocol (IP) addresses that would be accessible to law enforcement with valid legal process.

Reform Government Surveillance companies are supporting Apple in the current litigation. As technology companies, we want to keep people safe, we want to stop crime, and accordingly, we cooperate with law enforcement in ways that are consistent with the law.  But we do not believe that the law allows the government to demand that a company create new software that supplies a backdoor to a secure technology.

Reform Government Surveillance members believe that the National Commission on Security and Technology Challenges is an important option to consider in the debate about law enforcement access to encrypted content.  Given that there are no ‘backdoors’ into encrypted systems or devices that would also maintain the security of what’s on those systems and devices, we hope that a commission can engage in a thoughtful dialogue that respects the security of users and their information, while ensuring that law enforcement has tools to fight crime and terrorism.  We hope that same thoughtful dialogue will occur as the Commission looks at other issues related to law enforcement access to data in light of new technologies and their global reach.