Cybersecurity projects are just one way for the NSA to gather bulk data.


This week was a big one for anyone concerned with privacy and cybersecurity in the US. After a great deal of wrangling, Congress finally passed the USA Freedom Act. It has been lauded as the most significant (if not only) successful Congressional attempt to rein in NSA surveillance powers since the Foreign Intelligence Surveillance Act was introduced in 1978.

However, the NSA is still able to collect data on Americans by various means. Documents revealed this week suggested that an ongoing project to thwart cyber-attacks was among them.

The USA Freedom Act was the second attempt at a bill to reform surveillance powers in the US, post-Snowden. It specifically targeted the bulk collection of metadata records on phone calls made by US citizens, which has been going on since 2001, with sporadic evidence of newer measures.

The NSA collected bulk metadata on calls between Americans under Section 215 of the 2001 US Patriot Act. This section contained provisions that the NSA interpreted as appropriate for this bulk collection. A US court found this interpretation to be unconstitutional in May. At the end of that month, the court ruling looked like a bit of a red herring, because those provisions lapsed at midnight on May 31 anyway.

Congress had rushed to try and approve the USA Freedom Act, which redefined the rules for surveillance. It had failed to pass it by the time that the Patriot Act provisions lapsed, meaning that for a few hours, the NSA’s bulk collection went dark. But on Tuesday June 2, the House passed the law.

The USA Freedom Act extends the Patriot Act until 2019, but curtails the bulk collection of phone metadata under various instruments that were used by the NSA and other three-letter agencies. These included national security letters, business record requests, and pen registers. Now, when the NSA collects such data, it must be done using a specific selection term such as a person or account. The legislation explains that this is designed to limit the scope of information sought.

At least in theory, this is meant to stop any bulk records trawling, and restrict government agents to targeting only specific records.

Widespread surveillance remains

This bill creates two broad problems for privacy advocates, though. The first is that the NSA is already said to be starting up the bulk collection of phone metadata records again, thanks to a clause that allows the program to continue for 180 days after the passage of the Act.

The second is more wide-ranging. The Bill fails to address some specific provisions that privacy advocates say leave government agents able to collect far more than just phone call metadata.

One provision that these groups find the most egregious is Executive Order 12333, a Reagan-era order that has the same status as a law, and which allows federal agencies to collect data without a warrant, just so long as it supports foreign intelligence. This includes data on American citizens.

Another is Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows for the gathering of communications content, rather than just metadata about it. Privacy advocates worry that the NSA adopts a deliberately broad view of 702 that enables it to gather bulk intelligence data on US residents as a by-product of foreign intelligence investigations.

This may, as the Guardian says, be a vindication of Ed Snowden’s campaign against egregious surveillance. But it is also merely a baby step along the road to more privacy for Americans. While the onus in the USA Freedom Act was on call detail records, this barely scratches the surface of the potential surveillance tactics that agencies could still engage in through creative interpretation of legal provisions.

Under these and other provisions, warrantless wiretapping of all sorts is still commonplace, and PRISM, the data collection system first revealed by Edward Snowden, shows little sign of going away. These activities, while usually directed towards foreign intelligence, also vacuum up vast troves of information about the communications of American citizens. These are then subject to data mining, in what intelligence-watchers call ‘backdoor searches’.

Just this week, news media reported that this incidental data could be collected under surveillance activities designed to help the NSA identify potential cybersecurity threats. In 2012, the FISA Court provided a certification allowing for the collection of data on individuals tied to malicious cyber activity. This was subsequently expanded to include matches for traffic signatures and IP addresses that could be related to hacking. The worry there for privacy watchers is that again, large amounts of incidental data could be collected and trawled.

Same data, different location

The other issue is that the call metadata is still accessible. This analysis by Ars Technica shows how the new measures merely shift the stewardship of the data from the NSA’s own systems to those of the telcos. While the imposition of selection terms stops the NSA from trawling for metadata on domestic phone calls, that data is still accessible.

One bright side for privacy watchers was the appointment of an amicus to provide some more oversight of the FISA Court. This court operates in secret and reviews applications for data acquisition by surveillance agencies for the purpose of foreign intelligence. However, advocates have complained that even this oversight could be limited thanks to potential restrictions in intelligence security clearance, and in the government’s role in the appointment of overseers.

What it all points to is that the passage of the Bill this week was a palpable hit for privacy groups, but may do little more than bruise the NSA’s pride. There are still bountiful provisions under which it can continue operations like PRISM – and those wishing to tackle those legally will face a long and arduous task. Privacy watchdogs are already mulling an attempt to reform the law and explicitly rein in the NSA’s backdoor searches to the point where only searches with a warrant are permitted.

In the meantime, Canada’s own controversial surveillance bill, C-51, goes to the Senate this coming Tuesday, June 9. Among other things, it would allow more information sharing powers about Canadians between multiple government agencies.

Image via Mike Licht, under CC license.