The “Backdoor Search Loophole” Isn’t Our Only Problem: The Dangers of Global Information Sharing
This piece was originally published in Just Security in November 2017.
The upcoming expiration of Section 702 of the Foreign Intelligence Surveillance Act (FISA) has launched a fresh wave of debate on how the statute’s “backdoor search loophole” allows the U.S. government to access Americans’ communications by searching information gathered on foreign intelligence grounds without a warrant. But while discussion about domestic information sharing is important, a critical element of the debate is missing: the privacy risks posed by globalinformation sharing between the United States and foreign powers. Like its domestic analog, global information sharing may also permit the U.S. government to access and search Americans’ data without appropriately accommodating their constitutional rights.
The U.S. is party to a number of international information-sharing arrangements—the most prominent being the Five Eyes alliance. Born from spying arrangements forged during World War II, the Five Eyes alliance facilitates the sharing of signals intelligence among the U.S., the United Kingdom, Australia, Canada, and New Zealand. These sharing arrangements are memorialized in the United Kingdom-United States Communication Intelligence (UKUSA) Agreement.
Still, little is known about the legal frameworks governing intelligence sharing among the Five Eyes. The UKUSA Agreement has been amended several times, but the most recent publicly available version dates back to 1955. That version of the agreement indicates that the Five Eyes are to share, by default, the “products” of “operations relating to foreign communications,” as well as the methods and techniques relating to such operations. An appendix to the agreement further indicates that the Five Eyes are to share “continuously, currently, and without request” both “raw” (i.e. unanalyzed) “traffic” in addition to analyzed “end product.”
Our limited understanding of how intelligence sharing might operate, particularly in the digital era, is informed by the U.S. government’s intelligence programs under Section 702. Through “Upstream” surveillance, the NSA undertakes bulk interception of Americans’ international communications, including emails and web-browsing content, as they transit the cables, switches, and routers that constitute the internet “backbone.” The NSA then searches these communications using tens of thousands of “selectors,” or keywords. Media reports have revealed that the NSA has access to a U.K. bulk surveillance program similar to “Upstream,” which intercepts internet traffic as it flows through the undersea cables landing in the U.K. We do not know the extent to which the U.K. intelligence agencies have similar access to information stored within Section 702-derived databases. However, media reports have revealed that the Five Eyes (as well as other foreign partners) have access to databases storing information collected through various NSA programs, including MARINA, a metadata repository, and XKEYSCORE, which uses hundreds of servers around the world to store information acquired under various NSA programs.
Intelligence sharing raises significant privacy concerns. Technological advances have dramatically changed both communication methods and signals intelligence capabilities since 1955. The development of new technology, especially the internet, has transformed the way we communicate with each other and increased the amount of information that can be collected by orders of magnitude. As our communications have evolved, intelligence agencies have developed more advanced ways to acquire, store, analyze, and share this information. They can intercept in bulk communications and data transiting the internet. Computers permit revelatory analyses of types and amounts of data that were previously considered meaningless or incoherent. And the internet has facilitated remote access to information, easing sharing between agencies.
Critics of Section 702 note that the NSA’s intelligence operations targeting foreigners could sweep in millions of Americans’ private communications. It is possible that under the UKUSA Agreement, the NSA both shares this information with foreign governments and receives U.S. persons’ communications that foreign agencies collect. It is not clear, for example, how the Five Eyes exchange raw signals intelligence intercepted in bulk—“continuously, currently, and without request”—while constraining access to the data of their respective citizens.
The scarcity of information about the Five Eyes alliance compounds these privacy concerns. The U.S. government has not explained how the UKUSA Agreement currently operates, the types of information that the U.S. government accesses, or the rules that constrain U.S. intelligence agencies’ access to and dissemination of Americans’ private communications.
This lack of transparency weakens the oversight and accountability mechanisms available to check global intelligence sharing. Absent additional information regarding the UKUSA Agreement and Five Eyes alliance, Americans must rely on a 60-year-old, likely outdated, document; veiled government statements; and media reports to understand how their privacy might be implicated by foreign intelligence practices. Adding to this concern is that while the Five Eyes alliance is the best known intelligence sharing arrangement, the U.S. is also party to many more.
Privacy International, together with Yale Law School’s Media Freedom & Information Access Clinic, is currently pursuing litigation under the Freedom of Information Act to obtain the updated text of the UKUSA Agreement and its minimization procedures. To date, however, the NSA, the agency primarily responsible for signals intelligence, has not yet disclosed any responsive records. (A similar request to the U.K.’s Government Communications Headquarters (GCHQ)—the British signals intelligence agency—was denied on grounds that GCHQ is entirely exempt from the U.K.’s freedom of information framework.)
Privacy advocates concerned about Section 702 should therefore broaden their attention to the privacy risks inherent in global information sharing. The U.S. government should make available the text of the current version of the UKUSA Agreement, as well as related implementing procedures. It should also make public subsequent revisions to the UKUSA Agreement and other agreements governing intelligence sharing with foreign parties. And to the extent that these documents reveal that the U.S. government receives Americans’ information without appropriate procedural safeguards, lawmakers should demand additional privacy protective restrictions.
As Congress turns its attention to Section 702, we should not ignore the privacy risks posed by longstanding international intelligence sharing practices that proposed domestic reforms will not touch. Without more information about the legal underpinnings of these agreements, and how they operate in practice, we cannot adequately protect the privacy of Americans and foreigners alike.