A week after Prism, much remains unclear

Remember when the world didn't know what Prism was? Those were the days. While privacy advocates, civil libertarians, and technologists had suspected or posited the existence of an extensive surveillance regime operated by the U.S. government, few knew the details and the extent of the operation.

Undoubtedly, we know more now than we did a week ago about the National Security Agency's covert operations and how the agency routinely spies on nearly anyone in the world. The public, many of whom were unaware of the mass surveillance conducted by intelligence agencies, or misled by statements from government officials, are now part of a critical and concrete debate about what privacy actually means in the 21st century.

The debate about Prism, while valid, does not even come close to looking at the whole picture: the extent of the vast powers granted to the U.S. government when it comes to the mass surveillance of the entire world. The Prism programme, while scarily titled, is actually enabled by a frightening law with a much more banal name -- FISA § 1881a (aka FISAAA §702). See our briefing on this legal framework.

Still, we need to clarify the debate around the past week's revelations.

1. Am I not protected by the fact that the U.S. Government claims this is all constitutional?

No. If you are a U.S. person, you cannot forget that last week's first revelation, regarding access to all communications 'metadata', applies specifically to you. This means that the record of potentially every phone call made in the U.S. is tracked by the U.S. Government. The order placed upon Verizon Business Services was focused on domestic uses. There is not yet a constitutional protection of 'metadata'.

If we are talking about Prism, then matters actually get worse. Prism isn't limited to 'metadata', but allows for much, much more. The law around Prism permits the U.S. Government to get access to any data held by electronic service providers. Photos, videos, reports, spreadsheets, emails, records, check-ins and location information, likes, favourites, ... all information held by U.S. service providers is accessible. If you are a non-U.S. person, then you're in trouble: the Fourth Amendment of the United States does not apply to anyone outside of the U.S. who is not a U.S. citizen. If you are a U.S. citizen, the Government needs to show that they didn't mean to get the information about you.

We know that in order to conduct extensive surveillance of data held by U.S. companies, the U.S. government secretly submits a certification to the Foreign Intelligence Surveillance Court (FISC) for approval. Once the certification is approved, and sometimes prior to approval, the government can issue a directive for immediate compliance to any electronic communication service provider. No warrant is required, and the main purpose of the certification appears to be to provide assurances that only non-U.S. persons, outside of the U.S., will be targeted.

However, the nature of this approval process remains unclear. We know this process exists, but we do not know what they approve, what they grant access to, and under what conditions. Strangely enough, the FISC has approved of the release of a 2011 court opinion that deemed some of the NSA's actions unconstitutional under FISA. If released, we will hopefully get a better glimpse into the secret court's thinking, and what they consider to be constitutional.

2. This is for combatting terrorism, right?

Because this process is carried out in secret, we do not know anything, really, surrounding the requests made to the FISC. That's because everything, from initial requests for authorisation, to any appeal, to the method of acquisition, must be kept confidential.

But the short answer is 'no', as the law that would allow for Prism states that these powers aren't limited to terrorism or national security. The U.S. government is permitted to obtain "foreign intelligence information", which is broadly defined in such a way that it could capture political speech of those outside the U.S.

3. What access did the U.S. government have to Internet Service Providers, telecoms, and companies like Google, Facebook, and Twitter? Can they refuse?

While the focus of the Prism controversy was on specific companies, the government can actually obtain information from any telecommunications service or online service provider. The level of that access -- in terms of frequency, volume of information -- remains unknown. Essentially though, any and all services we use on the internet are subject to this, and companies have practically no ability to push back against demands from the government. While they may file an objection, their objection will likely fail given that the enabling law grants enormous powers to the Government and non-U.S. citizens outside the country have no Fourth Amendment protections. If the legal framework is rigged, the government is operating within it, and companies are not liable for turning over the information, then how can they actually refuse?

4. What is the method of collection or interception that the NSA is using?

We still do not know exactly how the U.S. Government collects the information they are seeking. The question remains: How are they accessing this data? While it was initially reported that they had direct links into servers, the waters have been muddied over the past week and we are still unclear how they actually obtain their information. It's been reported that Google actually handed over data to the NSA through secure FTP or in some cases by hand. We need to know more about what other companies do and what the common practices are. Further, the law allows the government to compel a company to build a direct link into their systems, if the government deems it necessary in order to obtain the information.

5. Are there rules regarding how collected information should be retained or disclosed?

There are no rules regarding how the collected information is retained or disclosed with regards to non-U.S. persons.

But a communication between someone within the U.S. and someone outside, no matter where it originated, could be swept up incidentally, meaning that Prism and FISA §1881a DO apply to U.S. citizens. The only rules around how collected information is retained or disclosed apply to U.S. persons, and are supposed to limit or prevent their information from being collected.

6. How does this get fixed?

A lot of pressure has to be placed to compel the U.S. Government to change its laws. First, if it is to continue to be the home of leading internet industry companies, it must ensure that the law protects the data these companies hold, without regard to where those companies' users are in the world. That is, the Fourth Amendment protections must be extended to non-U.S. persons. Second, the legal framework must be narrowed to allow only the collection of information that is vital to U.S. national security, which does not include how foreign political organizations may comment on U.S. foreign affairs. While the NSA's purpose may be to gather the world's communications for the U.S. Government, it must not be empowered to deputize U.S. companies to do this on their behalf. It transforms the internet from a freedom-enabling environment into a goldmine for U.S. interests.