FBI/Apple privacy fight left out a major player: the data carriers

In the conflict between government surveillance and individual privacy, it is not just the data on devices that is at stake. It is the data that travels to and from the devices. That is where the communications carriers come in

The recent standoff between Apple and the FBI over the agency’s demand that the company provide a way to unlock the iPhone of a dead terrorist, was "resolved" when the FBI “bought a tool,” according to Director James Comey.

But that, of course, didn’t resolve the fundamental, ongoing conflict between the government's need for digital surveillance capabilities to assist with law enforcement and national security on one side, and the American commitment to personal privacy on the other.

[ MORE FBI/APPLE ISSUES Many unanswered questions in Apple-FBI controversy ]

It also didn’t even address the role of a third major player in such conflicts: The carriers of the data on the Internet “backbone.”

But that role is now being addressed in Congress. A Senate Judiciary Committee hearing Tuesday included recommendations for amendments to the law that regulates government collection of data from communications carriers – the FISA Amendments Act (FAA).

The FAA is not up for renewal until the end of 2017, but committee Chairman Sen. Chuck Grassley (R-Iowa) said in his opening remarks that, “I’d like to begin the conversation about it well in advance of that.”

Not much gets to or from a smartphone, or any digital device, without the involvement of major Internet companies – like Microsoft, Yahoo, Google, Facebook, Paltalk, YouTube, AOL, Skype and Apple – whose infrastructure is used by hundreds of millions of people around the world to communicate, to search the Web, to shop, to do banking and any number of other things that involve the transmission of data.

The National Security Agency (NSA) under what is known as PRISM – an element of the Foreign Intelligence Surveillance Act (FISA) – has been able to request user data from those companies since 2007, and they were compelled by law to comply.

But among the explosive allegations in 2013 from former NSA subcontractor Edward Snowden was that the agency had also accessed the overseas, internal networks of U.S. companies in secret, collecting data in bulk.

The mission of the NSA is embedded in the words of FISA – the collection of foreign intelligence. But Snowden and other critics have been saying for years that since 9/11, it has also included the collection of data on American citizens, sometimes with the cooperation of American data carriers and sometimes without their knowledge.

To say that this made things awkward for companies that are forever promising their customers that, “your privacy is our highest priority” is an obvious understatement. First they denied knowing anything about PRISM, but later fought for the right to be able to acknowledge government data “requests” in the name of transparency.

They already had legal liability protection, however. Lee Tien, senior staff attorney with the Electronic Freedom Foundation (EFF), noted that in 2008, “Congress passed, and the president (Bush) signed, a bill that immunized the telecoms against any liability.

“That means the companies no longer have to worry about whether they’re acting lawfully, at least with respect to the privacy of their users. They only have to worry about satisfying the government’s requests,” he said.

None of multiple carriers contacted by CSO responded to requests for comment. But, with the "conversation" on the FAA under way, privacy advocates argue that government access to the data handled by those companies needs more explicit restrictions.

To accomplish that would require amending Section 702 of the FAA, which governs the collection of data by the NSA. Sen. Patrick Leahy (D-VT), ranking member of the committee, called Section 702 “an important tool” but also “extremely broad.” He said while it is aimed at foreign surveillance, “it sweeps up a sizeable amount of information about innocent Americans who are communicating with those foreigners.”

Elizabeth Goitein, co-director of the Liberty & National Security Program at the Brennan Center for Justice at New York University School of Law, was more specific.

She said under the current implementation of Section 702, the NSA is collecting vastly more than foreign intelligence.

To describe surveillance that acquires 250 million Internet communications a year as ‘targeted’ is to elevate form over substance,” she said. “And on its face, the statute does not require that the targets of surveillance pose any threat …”

That debate goes well beyond the hearing room. In a recent Hoover Institution essay, Mieke Eoyang, vice president of the National Security Program at the think tank Third Way, noted that the major telecoms and other communications companies are, “physical and legal gatekeepers (that) regulate government access to private information.”

In an interview, Eoyang added that this is not just a domestic issue. “Those companies, compete in a global market,” she said. “They want to safeguard national security, but must also reassure current and future customers, including those living overseas, that data privacy is a priority.”

miekeeoyang

Mieke Eoyang, vice president, National Security Program at Third Way

The Snowden revelations, she said, created a more adversarial relationship between the private and public sectors that needs to be repaired.

“If the government treats the companies as just another surveillance target to exploit, business leaders will view the government as yet another unauthorized user to keep out,” she wrote.

[ MORE ON CSO: The economics of back doors ]

Among her recommendations for amendments to the FAA is for the law to clarify that, “U.S. companies must filter data using court-authorized selectors (such as email addresses or phone numbers) before handing it over to government agencies.”

Currently, she said, it is not clear who controls the filtering of data, although Section 702 of the FAA authorizes government to conduct so-called “upstream” surveillance, which means collection of information before it has been filtered.

“Government has asserted that it doesn’t look at anything before the filter. But we don’t really know who owns the filter or who does the handoff,” she said.

“The question is one of technology. Does it allow the government to have access to the full stream of data before the filter? If so, there is a risk of abuse, or attempts to use the filter for a political purpose.”

But the implications go well beyond technology, of course. “Post-Snowden, these companies no longer have confidence in government,” Eoyang said. “They need to know that government is coming through the front door with an appropriate ticket, and not breaking in through the back door.”

Not everybody sees it that way, of course. While there is general agreement that limiting government access to the private data of U.S. citizens is a good thing, Eoyang’s proposed amendment still gets mixed reviews.

Eric Berg, an attorney at Foley & Lardner and a former Department of Justice attorney, said he doubted service providers want to be responsible for the filtering of data.

Not only does it depart from their core business, but it could also expose them to reputational damage or legal liability.

“While the idea of keeping the government one step removed from the data may have emotional appeal, the potential liabilities involved would be numerous and very likely unknowable,” he said.

ericberg

Eric Berg, attorney, Foley & Lardner

And in another Hoover Institution essay, also presented on the Lawfare blog, U.S. Naval Academy cyber studies professor and former NSA deputy director Chris Inglis, and Jeff Kosseff, assistant professor of cybersecurity law at the academy, argue that allegations that the NSA, “exceeded either the intent or the letter of its authorities” are nothing more than “widely circulated myths.”

They contend that Section 702 authorizes the collection of only, “foreign intelligence from non-U.S. persons who are not located in the United States, (is) overseen by all three branches of government and has an unprecedented system of checks and balances.”

And they wrote that according to the NSA, “Section 702 is its single most significant tool for identifying terrorist threats.”

Inglis, in an email interview, said that government, “can, and does, target the content of the communications of a legitimate foreign intelligence target, though the manner, location and techniques employed are constrained by various legislative, judicial, and executive branch statutes, orders and policies.”

He said since those communications are often “wrapped” in various Internet protocols or encryption schemes, the NSA is authorized to “unwrap” them, “to generate intelligence on legitimate foreign intelligence targets – generally characterized as ‘breaking codes.’”

Still, the language of Section 702 allows surveillance of those who are “reasonably believed” to be non-U.S. persons located outside the U.S. That, in any kind of legal setting, would seem to be leaving a good deal of wiggle room.

Tien says the problem goes well beyond that. “We have argued that 702, on its face, is unconstitutional because no court actually decides anything particular about the search/seizure of data – it only approves procedures for targeting, minimization, etc.,” he said. “Other executive branch officials – I think the director of national intelligence or the attorney general – issue the actual directives to providers. Section 702 is by no means a gold standard.”

And, he added, any meaningful oversight of government surveillance under Section 702 is impossible because the government, citing national security, “makes it nearly impossible to understand how these programs work or how they affect the public. If there were abuses, how would you or I know about them? We don’t even really know what the words of the statutes mean.”

Inglis contends that the more people learn about the constraints on U.S. intelligence collection, the more reassured they are. He cited a post from two years ago by Geoffrey Stone, a law professor at the University of Chicago, who served on the President's Review Group in late 2013, which made recommendations to the president about NSA surveillance and related issues.

Stone said he came to the task with “great skepticism” about the NSA, but came away much more impressed than he had expected with an agency that had not only thwarted numerous terrorist plots but also, “operates with a high degree of integrity and a deep commitment to the rule of law.”

This, he said, did not mean he thinks the public should trust the NSA. “It should never, ever be trusted,” he wrote, since, “distrust is essential to effective democratic governance.”

But he said he did believe that, “the NSA deserves the respect and appreciation of the American people.”

While the debate will likely continue well into next year, David Medine, chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), said at Tuesday’s hearing that if the Section 702 program is to continue, “it should be more protective of privacy and civil liberties.”

He proposed three amendments:

  • Require intelligence agencies to get FISA Court approval before querying information connected with a U.S. person’s identifier.
  • Restrict the collection of “upstream” data even after it has been filtered, to reduce the amount of “incidental” collection of information about U.S. citizens.
  • Require the NSA and other intelligence agencies to report the number of records of U.S. persons it collects annually to the Director of National Intelligence, Congress and other oversight agencies.

Eoyang, while she said the U.S. commitment to privacy is, "far greater than that of any other country around the world, including other western countries," said she believes amendments to the FAA are overdue.

“Business as usual is not sufficient,” she said. “There are things about the status quo that could bring a halt to U.S.-European electronic commerce, and that would be catastrophic to both economies.”

Indeed, Laura Donohue, a professor at Georgetown Law, in yet another Lawfare post, argued that, “the dichotomy between government collection and corporate collection is a false one … once a company has collected the data, it is available to government. The seam between corporate collection and government collection is highly porous.”

Join the CSO newsletter!

Error: Please check your email address.

Tags Apple

More about AOLAppleBushCSODepartment of JusticeEFFFAAFacebookFBIFreedomGoogleHooverMicrosoftNational Security AgencyNSASkypeTechnologyYahooYork University

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place