On an 11-4 vote, the Senate Intelligence Committee voted on Thursday to approve the FISA Improvements Act, a bill (perusable here) that adds new reporting requirements and post-hoc punishments while keeping the NSA's surveillance toolset completely intact. It takes the pencil lines of the surveillance state and writes them in ink. Backed by committee chair Sen. Dianne Feinstein of California, a long-standing and fervent champion of the intelligence community, the bill was never expected to significantly address the core concerns of NSA critics.
At this point, could any bill do better? It is no longer safe to assume that the NSA recognizes the boundaries we presume apply to it. We know that there are few technical limitations to its surveillance. We know that it steps around legal proscriptions. So how can the surveillance state be kept in check?
The leaks from Edward Snowden have consistently demanded we revise our understanding of what the government is actually capable of tapping. Dominoes keep falling: Phone call data, internet communitcation including email, geolocation information. We learned on Wednesday that the NSA — despite being granted subpoena-based access to data from Google and Yahoo — broke into the cables that connect their private servers anyway, a look through the window even though the door is unlocked. More alarming, the NSA intentionally undermined encryption standards, putting at risk a massive swath of online communication that, until this year, seemed all-but-unassailable.
We've previously outlined the systems that can be used to maintain your privacy online, but even those — like Tor, which earlier this month, was revealed to be an NSA target — may not be beyond the NSA's reach forever.
Prior to his seeking asylum in Russia, Snowden used an email service called Lavabit to send encrypted emails. The founder of that company, Ladar Levison, recently joined renowned cryptographers to work on a product called the Dark Mail Alliance. Their goal: build the "'next-generation' of private and secure email." It would encrypt both the message content and the metadata using private encryption keys.
But perhaps the most important step is the role the system's servers will play in the process. Lavabit shut down rather than turn over user data to the United States government when asked. The government can and does subpoena companies to turn over data, rendering any technological solution that relies on servers within the government's sphere of power vulnerable to legal challenges. Dark Mail Alliance will take at least two steps to avoid Lavabit's fate. "All Dark Mail emails passing over the company’s servers will be encrypted," Slate reports, "and it won’t hold the keys to decrypt them. Its servers will be located in Canada and Switzerland." That's a powerful combination, but it's not clear it is fool-proof. And as long as the NSA exists, it will work to erode that technical protection.
Advocates of the NSA's surveillance, like Feinstein, are quick to point out that what the NSA is doing is legal. It is overseen by (largely acquiescent) intelligence committees in the House and Senate. It is approved by the Department of Justice and White House. It is given a stamp of approval by the Foreign Intelligence Surveillance Court in a purposefully one-sided process. But, as American history has repeatedly shown, "legal" doesn't always correlate to "appropriate." And in this case, the assessment that the tools fall within the boundaries of the Fourth Amendment essentially hasn't been challenged before the Supreme Court.
The NSA says it wants to collect metadata on every phone call in the United States, and that the Patriot Act's Section 215 lets it do so. The FISC agrees. Therefore, these activies are legal — despite the author of the Patriot Act asserting that the data collection exceeds the boundaries of the law. Doesn't matter. The NSA and a secret court interpret the law to allow the NSA to conduct all of the activity that's mentioned in this article. A majority of members of Congress are not disposed to challenge this interpretation. There exist proposals that, unlike Feinstein's, would actually block certain NSA behavior, but they aren't likely to be make it into law without being watered down by amendments.
We reached out to staff attorneys from two of the organizations that have been most fervent in their critiques of the NSA's surveillance tools, asking them how, given the power, they'd revise the government's surveillance tools to ensure that public privacy was maintained. The question we posed: Knowing that the NSA is experienced at massaging laws to meet their needs, what legislation might prevent that?
Alex Abdo, staff attorney at the American Civil Liberties Union, advocated transparency above all else. "Our country's founders believed that tyranny could be prevented through checks and balances. I think the same holds true today." For that to happen, though, people need to know what's happening.
[I]t should mean that the public has access to significant or novel legal interpretations issued by the FISC. That would have gone a long way toward preventing the 215 program, because Congress and the public would have been able to judge the lawfulness and necessity of the government's programs for themselves.
"In short," Abdo said, "our privacy rights shouldn't be interpreted away in secret. … Secrecy has its place, but it should not be used as an excuse to keep any branch of government or the public out of the debate entirely. This type of solution is also key to long-term legitimacy."
In the 1970s, following revelations of domestic surveillance by the NSA — and rampant abuses by other intelligence services — the Church Committee was formed in the Senate in an effort to better determine the guidelines under which the agencies should operate. There were eventually other steps: the 1978 Foreign Intelligence Surveillance Act itself, which codified some of the committee's findings, and President Ronald Reagan's 1981 executive order extending the agencies' power while adding some new boundaries. (The vast majority of the NSA violations revealed in the Snowden leaks were violations of this order.)
Kurt Opsahl, senior staff attorney at the Electronic Frontier Foundation, suggested revisiting the idea of forming a new Congressional commission to tackle these issues. "If Congress has the political will," he told us, "it can easily write language to stop bulk collection." But:
[T]o really be sure that Congress can legislate well, we really need a new Church Commission. … The key idea behind a new Church Committee would be to investigate first, and then legislate later with a better understanding. It may not result in restrictions that will be effective for all time, in light of technologies not dreamed about now, but it's the right thing to do now.
Neither Opsahl nor Abdo, you'll notice, are advocating specific proposals since without further exploration of what's actually happening, it's difficult to draw policy. The most important part of Opsahl's statement, though, is the first part. "If Congress has the political will." The Senate Intelligence Committee, in passing the tweaks encompassed in the FISA Improvements Act has shown a lack of will to try and figure out how to create new limits on the NSA's activity. But perhaps the most obvious example of a lack of will comes from Feinstein's House counterpart, Rep. Mike Rogers of Michigan. In a hearing this week, he confronted American University law professor Steve Vladeck, as reported by MSNBC.
Rogers: I would argue the fact that we haven’t had any complaints come forward with any specificity arguing that their privacy has been violated, clearly indicates, in 10 years, clearly indicates that something must be doing right. Somebody must be doing something exactly right.
Vladeck: But who would be complaining?
Rogers: Somebody who’s privacy was violated. You can’t have your privacy violated if you don’t know your privacy is violated.
This is a corollary to the Supreme Court's rejection, earlier this year, of a lawsuit targeting the NSA. The Court ruled that the plaintiffs weren't affected by the surveillance and therefore couldn't sue; assured by the government that those being watched would be told — and so could knowingly bring a suit — the Court threw out the case. It then turned out that the government wasn't informing people that NSA surveillance generated the evidence against them.
Rogers lacks the political will to figure out how to rein in the NSA so that the privacy of Americans using email or Google or Tor is ensured. The will to study the problem may emerge as leaks continue and political pressure builds. As Rogers might note, you can't fix your surveillance system until you know that your surveillance system needs to be fixed. Assuming it can be fixed at all.
Photo: Composite of Feinstein and recent Capitol protests. (AP)