Since the Snowden disclosures, it has been clear that the NSA conducts unconstitutional, dragnet surveillance of Americans’ international communications. However, it now appears that the NSA is using surveillance authorities to conduct an entirely new type of surveillance: requiring major companies to conduct mass e-mail wiretaps, which involve searching the content of all incoming traffic.
Last year, Yahoo, in response to a classified government order, scanned hundreds of millions of mail accounts for a “set of characters” or digital “signature” of a communications method purportedly used by a state-sponsored terrorist organization. The search was apparently performed on all messages as they arrived at Yahoo’s servers. All of this was done without input from Yahoo’s security team, potentially placing users’ security at risk and ultimately prompting the resignation of the company’s chief security information officer.
It appears that a secret court, the Foreign Intelligence Surveillance Court (FISC), approved the surveillance—or at least approved the general procedures the government used to identify its targets. There are conflicting reports on what authority the government relied on.
Unfortunately, the news stories and Yahoo’s cryptic response leave more questions than answers. Yahoo’s ability to disclose information about this classified government program may be limited. But the Obama Administration owes the public far more information about this spying program, especially if it is going to fulfill its promise of increased transparency. As a start, the Obama Administration and other major tech companies should publicly answer the following questions:
1. What authority did the government rely on in compelling Yahoo to search its customers’ emails?
The million-dollar question – which remains unanswered – is what legal authority the government relied on for its demand to Yahoo. Initial reports suggested that the government may have relied on Section 702 of the Foreign Intelligence Surveillance Act (FISA), a highly controversial provision enacted as an amendment to FISA in 2008. More recently, however, news reports have stated that the government obtained what is known as a “traditional” FISA order under Title I of the statute. In either scenario, the surveillance would reflect a dramatic shift in the public understanding of how these authorities are used. Title I authorizes the government to search the communications of a particular person or entity. But, if news reports are accurate, it would mean that the government is now using this law to require that companies scan the content of all users’ incoming emails.
2. What is the program’s legal justification and has it been reviewed?
Whether government is relying on Section 702 or Title I, it seems to have strayed far from the original congressional intent. What is the government’s legal justification for this type of surveillance? And, if the surveillance was authorized by the FISC, was the court aware that its order required Yahoo to search the emails of hundreds of millions of innocent users?
In the past, the government and FISC have engaged in legal gymnastics to justify mass surveillance. The public and Congress have the right to know if this is happening yet again. The Obama Administration should release all legal memoranda it relied on in conducting the Yahoo surveillance, and it should disclose any relevant FISC opinions regarding the surveillance. If no such FISC opinions exist then the public deserves to know, as that itself is cause for concern.
3. What types of content searches does the government believe it has the authority to conduct under Title I and Section 702, and are past statements about these authorities still accurate?
Intelligence officials have argued that surveillance programs conducted on U.S. soil are narrowly targeted because the government searches only for specific communication identifiers (like an email address) and not for keywords (like “bomb”). But the Yahoo story suggests that even this limitation may be falling to the wayside. If Yahoo conducted a broad search of its users’ incoming email for a “set of characters” or digital “signature,” that information may have been found in the content of communications. In other words, individuals may have been targeted not based on any preexisting suspicion about who they are or who they communicate with, but based solely on what they were communicating. Moreover, it is unclear whether this “signature” was used only by the target organization, or also by other wholly unaffiliated individuals. If the intelligence community is now engaging in this type of content-based surveillance, then the Obama Administration has a responsibility to set the record straight.
4. If the government relied on Section 702, did Yahoo attempt to filter out purely domestic communications?
Section 702 does not authorize the government to collect or search purely domestic communications. However, the stories contain no details about whether Yahoo made efforts to filter out purely domestic communications, and if so, how successful those efforts were. If such efforts were not made and the surveillance occurred under Section 702, then the Obama Administration should immediately disclose the number of purely domestic communications that were collected and searched under the order so that the public can fully assess the privacy implications.
5. If the government relied on Section 702, did the Privacy and Civil Liberties Board (PCLOB) know about this type of surveillance when they conducted their examination?
In 2014, the Privacy and Civil Liberties Board issued a report on Section 702. While we disagreed with many of the report’s conclusions, there is no doubt that the PCLOB declassified important information about Section 702 to facilitate a more robust debate. However, the PCLOB’s public report makes no mention of the types of demands that were purportedly received by Yahoo. If the PCLOB was unaware that this surveillance was occurring under Section 702, why were they not informed? If they knew, why was this information withheld from the public? Either way, this further calls into question the conclusions in the PCLOB report and the adequacy of existing oversight mechanisms.
6. How are other major companies interpreting their obligations under Section 702 and Title I?
Major companies like Google have issued statements saying they have never received the types of demands described in the Yahoo stories and reaffirming that they would challenge such a demand. While we applaud these companies for their statements, more information is needed to fully understand how the government is using its surveillance authorities. Specifically, we urge major technology companies to make publicly available information on how they interpret Section 702 and Title I, and to describe the types of demands that they believe clearly fall outside the statutes’ purview. In this way, companies can help to fill the information abyss left by the Yahoo story and the intelligence community’s lack of transparency.