Wednesday, 15 February 2017

Closing Section 702 “Backdoor Search Loophole” Also Means Companion Reforms to Use Restrictions

With FISA Section 702 set to expire at the end of the year, Congress will soon move to a debate over reform and reauthorization for the first time since the Snowden revelations. Undoubtedly, one high-profile reform proposal will be closing the “backdoor search loophole.” Doing so would prohibit government queries deliberately seeking out Americans’ communications without first obtaining a warrant, an essential step forward. Closing the backdoor search loophole alone, however, would still permit the FBI to use Section 702 to jumpstart domestic criminal investigations via keyword queries. Such searches—necessary in the foreign intelligence context—could also be used to return a range of Americans’ communications. 

In order to be effective at protecting privacy and due process rights, closing the backdoor search loophole must also be paired with additional restrictions on using Section 702 data for domestic criminal investigations.

Imposing use limits on foreign intelligence information raises legitimate concerns over recreating the “Wall” that was removed after the 9/11-attacks to facilitate information sharing. As I have argued previously, ending the practice of stove-piping and removing the Wall—as recommended by the 9/11 Commission—made sense for the limited goal of sharing foreign intelligence in order to better understand national security threats. The problem is that absent this Wall, Section 702 allows not only for the appropriate sharing of national security information between agencies, but also the problematic unrestricted use of military and intelligence information for domestic law enforcement. 

The goal of Section 702 reforms should be to restore a proper balance, achieving security purposes while limiting unnecessary incursions into substantive rights. Allowing Section 702 data to be shared for legitimate foreign intelligence and counterterrorism purposes, and used to investigate and prosecute a limited set of serious crimes, might be a reasonable policy. Permitting domestic law enforcement to access and use that data to investigate any crime is another matter entirely.

The current rules are inadequate to prevent Section 702 information—gathered for foreign intelligence purposes—from being co-opted for domestic policing. Although ODNI created law enforcement use limits for Section 702 in 2015, these rules create broad, non-exclusive exceptions to the ODNI limits and only apply to in-court use of Section 702-derived evidence, with no limit on investigative use. In other words, at least in theory, an investigation for any crime could be built upon warrantless Section 702 surveillance that captured Americans’ communications. 

The FBI Section 702 Minimization Guidelines give further credence these concerns. The FBI is permitted to use Section 702 data to open or support investigations of any federal crime, including nonviolent offenses, and the Guidelines state that it is an “encouraged practice” for FBI personnel to search potentially relevant and available databases, including FISA data, “in making an initial decision to open an assessment” of domestic criminal activity. Then-Privacy and Civil Liberties Oversight Board Chairman David Medine cautioned that even when “the FBI has absolutely no suspicion of wrongdoing … they're just sort of entitled to poke around [in Americans’ communications obtained via Section 702] and see if something is going on.”

This idea that law enforcement can “poke around” and do anything with lawfully collected information is unreasonable and at odds with basic privacy rights. In passing Section 702, Congress created additional privacy risks for Americans; it did so for a specific foreign intelligence purpose and not with the expectation that a limited foreign intelligence tool would be used freely for domestic law enforcement, overriding stronger Congressional limits in that sphere. While the government disputes the notion that 702 information is frequently used for routine law enforcement, the FBI does not make those numbers publicly available. And the fact remains that under the existing statute the practice is perfectly legal.

Importantly, the FBI Minimization Guidelines only require that queries be designed to extract foreign intelligence information or criminal evidence, and do not limit use of terms that are likely to return sensitive or selective information.  The FBI Minimization Guidelines label religious, political, and media activities as “sensitive information,” but do not prevent targeted searching—the Guidelines permit retention, dissemination, and use of any “sensitive information” so long as it appears to be evidence of any crime, and do not comment on or in any way limit use of “sensitive information” as a query term.  This rule may prevent retention of non-illicit, embarrassing “dirt,” but it does nothing to prevent selective prosecution.  With the existing rules, language connected to protest organizations, religious groups, or press activity could be the basis of a keyword search. This could serve as a “sifting tool” to target groups, facilitating the opening or support of criminal investigations against members of those groups who might be engaged in any illicit activity. The attendant risks of court disclosure of sensitive intelligence information may provide some practical limitations against low-level crimes. The primary method for that limitation, however, are notice requirements to the defendant when the government uses 702 information court. In the past, the Department of Justice had maintained that derivative evidence from 702 did not trigger the notice requirement at all. While that policy has been changed, it is entirely possible the prior interpretation could be restored without public knowledge.

And efforts by criminal defense attorneys to uncover and challenge such derivative use of Section 702 will be strongly limited by two factors. First, the government could reintroduce parallel construction tactics to obscure the potential role in Section 702 in an investigation, as the Drug Enforcement Agency systemically did to hide its use of Intelligence Community intercepts to launch criminal investigations. Second, the Department of Justice could imitate its “stingray strategy,” whereby for years it blocked challenges against the use cell-site simulators in investigations through careful concealment tactics and dropping cases where stingray use was most likely to be revealed and challenged

With these factors combined, in the future federal law enforcement may see little practical risk or disincentive in using Section 702 extensively for domestic criminal use, including regarding low-level crimes with no connection to national security.

Furthermore, where important privacy values are at risk, we should not rely on informal constraints. If we agree that Section 702 information should not be used in the investigation of low-level crimes—or for any domestic crimes unrelated to terrorism or posing an imminent harm to human life—then we should expressly prohibit the practice by law. These are sensible reforms, and those who object to them should explain why it would ever be appropriate to engage in these practices instead of merely asserting additional protections are unnecessary.

The U.S. intelligence community itself has supporting separating foreign intelligence surveillance from law enforcement in other contexts and the precedent shows that such use restrictions can still comport with national security needs. PPD-28 restricts any use of data collected in “bulk” via Executive Order 12333 other than a set of six national security objectives, a policy recently lauded by former Direction of National Intelligence James Clapper. Further, new rules for expanded access to raw EO 12333 data permit the FBI to query such data using US person identifiers only for foreign intelligence and counterintelligence purposes, not domestic crimes. Finally, as previously noted, ODNI has already imposed some restrictions on law enforcement use of Section 702 collected data.

Use restrictions would reasonably limit law enforcement without recreating the Wall or disrupting the foreign intelligence value of Section 702. The existing ODNI rule could provide the basis for a statutory reform acting as a companion to the “backdoor search loophole” fix, although several revisions are necessary.  First, the list of exempt crimes should limited to a set of specific enumerated offenses to provide clarity and prevent overbroad interpretations.  Second, the rule should apply to both investigations and in-court use; closing this “fruit of the poisonous tree loophole” is essential given the risks of undiscovered derivative use. The Cybersecurity Information Sharing Act’s use restrictions—which in part permit use of data received “solely for the purpose of preventing, investigating, disrupting, or prosecuting” a set of listed offenses—could serve as an effective model to achieve this (although, naturally, the specific offenses would differ).

Such limits would be consistent with the foreign intelligence objectives of Section 702 and permit FBI use for critical cases to protect national security, while preventing the risk of abuse and co-opted use for low-level crimes totally unrelated to Section 702’s purpose. Use limits are certainly not a complete solution to the problems that Section 702 surveillance poses, but they would do much to remedy the serious privacy and due process concerns that the law raises for Americans.  In protecting against abuse that might occur in spite of a limit on U.S. person queries and protecting civil liberties without impairing the foreign intelligence and national security objectives of 702, use limits would be an essential companion reform to closing the backdoor search loophole. 



from Closing Section 702 “Backdoor Search Loophole” Also Means Companion Reforms to Use Restrictions

No comments:

Post a Comment