U.S. Cybersurveillance in the Post-Snowden Era

In 2013, Edward Snowden revealed to the public that the U.S. National Security Agency (NSA) was operating a massive, secret, cybersurveillance operation[1], thereby touching off a national debate regarding the permissibility and desirability of the NSA program[2]. In the ensuing years, both Congress and the American public debated fundamental issues regarding the relationship between the citizen and the government. Entwined up in these debates were issues relating to national security, especially the need to detect and apprehend potential terrorists, against the citizenry’s interest in privacy against governmental surveillance and intrusion[3].

Now that five years have passed since the Snowden disclosures, it is appropriate to reflect on how these societal debates have played out. In the interim, much has happened. In addition to the congressional and societal debates regarding whether government should be conducting such an operation, there have been efforts to litigate regarding the permissibility of that program. Further, the U.S. Congress has voted twice on the extent to which governmental cyber-surveillance should be allowed to continue[4]. This article analyzes how Congress and the American people have responded to the Snowden revelations.

§ 1 – Cyber-Surveillance at the Time of the Snowden Revelations

The program that Snowden revealed was massive. At the time, the NSA had a budget in excess of $10 billion per year[5], as well as 35,000 employees[6], and it was systematically collecting and storing huge amounts of data[7]. Among the data that it was collecting were cell phone call records, e-mails, text messages, credit card purchase records and information derived from social media networks[8]. In total, the NSA had intercepted some 182 million communication records[9]. The overwhelming majority of this cyber-surveillance was being conducted in secret, and the American public was previously unaware of the nature or scope of the NSA’s activities.

Even though the NSA’s surveillance operation was primarily focused on foreign intelligence targets, it inevitably swept up large numbers of records involving Americans[10]. The NSA claimed that it operation was focus on communications with “foreign intelligence value”[11] and on foreign intelligence targets[12]. Indeed, as President Obama boldly proclaimed, “Nobody is listening to your telephone calls.”[13] However, Obama admitted that, when Americans communicate with foreigners, the NSA may be able to target their communications[14]. Since there were literally billions of communications between U.S. citizens and foreigners per day, Obama’s reassurance provided little consolation to the American public.

The other major problem was that the NSA was collecting and storing large quantities of electronic information. In the process, the NSA was deceiving the public by publicly stating that it was not collecting data except under limited circumstances: when it believed that the recording or transcript contained “foreign intelligence information,” evidence of a possible crime, a “threat of serious harm to life or property,” or that shed “light on technical issues like encryption or vulnerability to cyber attacks.”[15] The reality was quite different. Taking advantage of the digital capacity to easily store large quantities of information, the NSA had established a data storage center which allowed it to collect, store and search huge quantities of information[16], and allowed it to routinely collect extraordinarily large amounts of information regarding virtually everyone[17].

The NSA’s governing legal structure is the Foreign Intelligence Security Act of 1978 (FISA)[18], which was originally conceived of as a way to respond to “foreign powers” or “agents of foreign powers” who are suspected of engaging in espionage or terrorism[19]. The term “foreign powers” was defined to focus on “groups” engaged in international terrorism[20]. However, the concept was later expanded to include so-called “lone wolfs” – a person who is engaging in or preparing for terrorist acts who does not have a connection to a foreign government or a terrorist group[21].

The Protect America Act of 2007 provided that communications that begin or end in a foreign country can be wiretapped without FISA supervision[22]. FISA also created the Federal Intelligence Surveillance Court (FICSC), and authorized it to issue surveillance warrants against foreign intelligence agents working inside the U.S. Warrants are issued ex parte, in secret, without adversarial proceedings, and the records of the proceedings are withheld from the public.

It is not clear how rigorously the FISC reviewed warrant applications. Over the years, FISC has issued tens of thousands of FISA warrants, and only denied a handful of requests. Those denials were appealable to the United States Foreign Intelligence Surveillance Court of Review, which also functioned in secret, but there have been few appeals[23].

Under pre-existing law, the NSA was allowed to eavesdrop on communications cables outside the U.S., as well as communications cables between foreign countries that passed through the U.S.[24]. FISA, Section 702, expanded the NSA’s authority by allowing the NSA to tap cables passing through the U.S., and by giving it the right to collect data directly from internet companies through a program called PRISM[25]. Although these programs were focused on collecting data regarding non-Americans, communications by Americans were inevitably swept up in the process[26].

§ 2 – Post-Snowden Alterations to the U.S. Cybersurveillance Program

Post-Snowden, have there been significant changes in the way that the NSA has functioned? While there have been changes, the alterations are perhaps not as dramatic as one might have anticipated. In the aftermath, Section 702 of FISA has not only survived, but was re-enacted during the Obama administration and the Trump administration[27]. The most recent re-enactment occurred in January, 2018[28]. Although these re-enactments were opposed by privacy advocates, and championed by national security hawks, the Trump era re-enactment passed easily (65 - 34 in the U.S. Senate)[29]. Privacy advocates did succeed in imposing certain limitations, but failed in their efforts to promote other limitations[30].

The re-enactments limited NSA’s cybersurveillance authority in important respects. For one thing, Congress limited the NSA’s authority to engage in the bulk collection of metadata from Americans’ phone calls[31]. Under the program, as it existed before the Snowden revelations, large telecom companies were required to hand over “metadata” (e.g., information regarding phone numbers and the duration of calls) to the NSA, but were not required to turn over the content of phone conversations. Nevertheless, the NSA was bulk collecting information from providers such as Verizon[32]. And, of course, the worry was that the NSA might indiscriminately search through the bulk collection. Although the 2015 law allowed the NSA to continue accessing metadata[33], the law provided that the data would remain with the telecom service providers rather than being collected and stored by the NSA[34]. In order to gain access to such information, the NSA was required to seek a court order giving it access to specific records[35].

The NSA was also authorized to engage in surveillance regarding so-called “upstream” collections of information from telecommunications companies like AT&T and Verizon[36]. In other words, the NSA collected emails and texts that crossed U.S. borders, including messages that mentioned identifying terms (e.g., email addresses) related to “foreigners who the agency was spying on even though the messages were not to or from those targets.”[37] Before Snowden’s revelations, the NSA’s collection of this information was permitted under the FISA Amendments Act of 2008, but was largely unknown by the American public[38], and the government took steps to convince the courts that these upstream communications were permissible under the U.S. Constitution and statutory requirements, and that such “about” communications were an important tool in fighting terrorism: “Under the proposed method of conducting electronic surveillance, then, N.S.A. will be in a position not only to learn information about the activities of its targets, but also to discover information about new potential targets that it may never have otherwise acquired.”[39] Of course, one of the problems with this “about” collection system was that it snagged “tens of thousands of purely domestic emails each year.”[40]

Despite the firestorm of controversy raised by the Snowden revelations, Congress chose not to end the upstream program in its 2015 re-authorization[41]. However, in 2017, the program was terminated in 2017 by the NSA rather than by Congress, following the FISA court’s conclusion that it was being conducted unconstitutionally[42]. The problem was that the collection program had been used to gather information about Americans when the NSA was not supposed to have been searching for information related to Americans[43]. Voluntarily, the NSA chose to limit its collection of upstream internet messages to those that are sent directly to or from foreign intelligence targets, forgoing collection of messages that simply reference those targets[44].

The 2015 amendments also did not prohibit the NSA’s so-called PRISM program, a so-called “downstream” method of collecting information sent over the internet. Under the PRISM program, the NSA was able to gain direct access to the servers of online providers such as Google, Facebook, Microsoft and Yahoo[45]. However, the PRISM system does not collect “about” communications[46]. The official said the intelligence court’s presiding judge, Judge Rosemary M. Collyer, has now authorized the agency to use Americans’ identifiers to query the newly captured upstream internet messages, too, for future intelligence investigations. Privacy advocates refer to this practice as the “backdoor search loophole” and want Congress to require the government to obtain a warrant to search for Americans’ incidentally collected information within the warrantless surveillance repository[47].

The 2018 re-enactment did make one significant change regarding the use of surveillance data. One problem with Section 702 was that, although federal law enforcement agents were allowed to examine databases related to foreign targets, there was a risk that the NSA would use this information to obtain information about Americans who have corresponded with those foreign targets[48]. Under the re-enactment, although the NSA was allowed to continue viewing surveillance data related to Americans without a court order, provided that the data relates to counter terrorism, counterintelligence or counterespionage, they were not free to use that information in ordinary criminal cases without first obtaining judicial approval[49].

Conclusion

The Snowden revelations touched off a fire-storm of controversy regarding governmental cybersurveillance operations. In the U.S., although the surveillance operation continues, it has been curtailed somewhat. The U.S. government no longer bulk collects and stores millions of items of information. But it’s secret surveillance operation, and many of its components, continue.

Despite the changes that occurred in the post-Snowden era, governmental cyber-surveillance remains a significant issue. For example, in 2017, WikiLeaks broke another story showing that governmental cyber-surveillance continues[50]. In particular WikiLeaks revealed that the U.S. government has developed an array of mechanisms that allow it to break into “Apple and Android smart phones,” as well as “Windows computers, automotive computer systems, and even smart televisions.”[51] Apparently, there were at least 14 flaws in Apple’s operating system for phones and tablets, and two dozen flaws in the Android system, and these flaws could leave individual phones vulnerable to being snooped on[52]. While these flaws did not enable the government to gather information en masse, they did enable the government to pry into individual phones, computers and smart televisions[53].