Surveillance and Encryption
Electronic surveillance generally refers to any activity whereby intelligence or police officials: (a) intercept communications in transit or (b) access stored communications. Encryption can make it more difficult for law enforcement to access these communications, while at the same time protecting user data from criminal hackers. How surveillance is regulated depends on the location, purpose, and target of the particular surveillance. When conducted abroad against foreigners, surveillance falls under the President’s constitutional authority as Commander-in-Chief. This is generally true regardless of the purpose of the surveillance. Accordingly, intelligence programs that collect information overseas are governed by the Constitution and executive order.
By contrast, any surveillance conducted inside U.S. territory must follow laws passed by Congress (although the president may add additional restrictions). When it comes to national security programs, the most important law is the Foreign Intelligence Surveillance Act (FISA). Under FISA, a secret court called the Foreign Intelligence Surveillance Court (FISC) must individually approve electronic surveillance of U.S. citizens or foreigners who are suspected of being a threat to national security (although the precise legal language is different). The FISC must also sign off on domestic intelligence activities that target foreigners overseas.
Most surveillance that occurs within U.S. territory is about normal criminal investigations, not national security. Here, Congress and the courts have imposed major restrictions on the ability of law enforcement agencies to gather electronic evidence. Most importantly, the Electronic Communications Privacy Act (ECPA) requires police investigators to obtain a court-approved search warrant before they can eavesdrop or gather private data.1 To this end, a law called the Communications Assistance for Law Enforcement Act (CALEA) lays out how telecommunications providers must help police enforce search warrants.
Shared Goals Build Mutual Trust
Any productive discussion of surveillance and encryption must begin by acknowledging that average citizens, industry leaders, and government officials share the same interest in improving society. That means striking a reasonable balance between fighting crime and terrorism, upholding the U.S. Constitution, and maximizing economic growth.
Disrupting and Prosecuting Terrorists and Criminals
First and foremost, government is supposed to protect the life, liberty, and property of its citizens. Officials in law enforcement and intelligence have a duty to apprehend the criminals and terrorists that threaten these basic rights. That means government agents need to identify who they should target for investigation and gather the information that justifies subsequent police, intelligence, or military action. Some degree of government surveillance is therefore necessary to keep the public safe. NSA surveillance authorized by FISA was critical to foiling a 2009 terrorist plot to bomb the subway in New York City.2
Upholding the Constitution and Individual Privacy
Most of the debate around electronic surveillance in the United States revolves around three key features of the U.S. Constitution. The first is a system of “checks and balances” which empowers each branch of government—legislative, executive, and judicial—with the ability to constrain the other two. The second is the First Amendment, which guarantees the freedom of expression. Finally, the Fourth Amendment generally requires that government agents obtain a judicially approved search warrant before they can search someone’s house, belongings, or—in many cases—electronic communications. When it comes to surveillance in the United States and against U.S. citizens, opposing sides in the debate all agree that these principles apply.
Boosting Economic Growth and Innovation
Economic success is the bedrock of American power. For the past century, incredible achievements by U.S. companies and their employees have allowed the United States government to boost revenue, build the world’s strongest military, and wield unprecedented diplomatic influence anywhere in the world. It is the policy of the U.S. government to ensure economic growth “by opening markets and leveling the playing field for American workers and businesses abroad.”3 In 2015, the largest U.S. technology firms drew 59% of their revenue from foreign sales.4 Thus, in today’s world, sound economic policy means improving the ability of U.S. firms to extend their reach into overseas markets.
Recent Tensions Have Undermined Trust
In recent years, three crosscurrents have generated an adversarial relationship between government agencies, U.S. technology companies, and consumers in the United States and around the world.
Criminals and Terrorists Are Using Technology to Hide
While modern computing and telecommunications have generated untold benefits for society, terrorists and criminals can use these technologies to evade detection and capture. Organizations like al Qaeda and ISIS use the Internet to spread their propaganda, attract recruits, and remotely plot terrorist attacks from relative safety.5 Their communications are needles in a massive haystack of global data. Even if intelligence agencies can single out their targets, terrorists can use encryption to make their messages unreadable.6 Law enforcement agents must confront sophisticated criminals who take advantage of the Internet and encryption.7 These technologies make it difficult for police to track and, should they successfully apprehend them, collect the evidence necessary to convict criminals.
For many years, this challenge has been manageable because only the most advanced terrorists and criminals were able to use complex technology. But in a post-Snowden world where many consumers worry about the privacy of their communications, many companies, such as Apple or WhatsApp, have made it far easier for the average consumer to use the same technology. According to some government representatives, this kind of default security means that even unsophisticated adversaries can take advantage of advanced technology and evade capture. Some officials have accused private companies of carelessly enabling criminals and terrorists.8 At the same time, security professionals say that the value of encryption in protecting data outweighs other risks.9
Perceptions of Government Abuse
At the same time, for many privacy advocates and civil libertarians, the Snowden affair provided concrete evidence that the U.S. government was abusing its power in conducting mass electronic surveillance. Leading members of Congress claimed that government attorneys misinterpreted a single word in the USA PATRIOT Act to authorize the collection of metadata (call information that does not include audio content, such as the number dialed and the duration of the call) on millions of Americans.10 Privacy groups and some Senators have suggested the FBI violated the Fourth Amendment by conducting warrantless searches of Americans’ data incidentally collected by the NSA under Section 702 of FISA.11 News stories suggesting that the NSA had tampered with products sold by U.S. companies and hacked into the internal networks of U.S. corporations spun accusations that the government was going behind the backs of technology executives who were otherwise willing to help disrupt criminals and terrorists.12
Despite multiple independent reviews that found no intentional abuse of statutory authority, the perception of government overreach remains, especially in the technology community. This has led many companies to assume a more adversarial stance toward law enforcement and the Intelligence Community.
News Reports and Government Proposals Hurt U.S. Technology Industry
The Snowden disclosures claimed to describe how the U.S. government collects data on millions of non-U.S. citizens in bulk—not just metadata, but also the content of their conversations. President Obama’s surveillance review group acknowledged that intelligence activities could cause “severe” harm to U.S. competitiveness in the global technology market.13 Indeed, the Snowden disclosures spooked foreign consumers of U.S. products, particularly in Europe and South America, where companies and governments began cancelling contracts with American firms and turning to foreign providers.14 European regulators have begun scrutinizing the relationship between U.S. companies and intelligence agencies, transforming consumer discontent abroad into a potentially distressing legal obstacle to cross-border data flows.
This backlash contributed to a push by some U.S. companies to introduce encryption as a default security function, which can make it difficult for any entity—except the owner of the device—from accessing encrypted information. Even if law enforcement gets a lawful court order demanding that the manufacturer of the device provide access, the company itself is locked out. In some cases, this means that government agents cannot easily obtain evidence without the help of a suspect, who might be unwilling to cooperate. In some cases this has led the government to seek out third parties who can exploit existing vulnerabilities to access required data.
Congress is moving to address this situation in a variety of ways. Senators Richard Burr and Diane Feinstein have sponsored a proposal that requires companies to provide any information requested by a lawful court order in a format that is legible to the requesting government agency. This would prohibit any company from using encryption that prevents it from accessing any data belonging to one of its customers.15 Most major technology companies and trade associations oppose the measure as bad not only for security, but for technological innovation and economic competitiveness.16 Alternatively, Senators Michael McCaul and Mark Warner have proposed legislation to establish a Commission on Digital Security, which would be designed “to collectively address the larger issue of protecting national security and digital security, without letting encrypted communications become a safe haven for terrorists.”17
We Need Solutions to Decrease Tensions and Restore Mutual Trust
This trust gap has created a situation where industry and government, once close partners in the fight against criminals and terrorists, have begun to launch rhetorical and legal attacks against one another. This adversarial relationship is bad for national security. We need commonsense policy changes that better protect civil liberties and American industry, while preserving appropriate government access to vital information for security purposes.
USA Freedom Act Was a Start
After the Snowden affair broke in the summer of 2013, the U.S. government acknowledged that it was using Section 215 of the USA PATRIOT Act to collect the domestic phone records of millions of Americans, without having to show that each person was under investigation for foreign intelligence reasons. Privacy groups and leading members of Congress claimed that the executive branch had stretched the meaning of the law. In 2015, Congress passed the USA FREEDOM Act. Among other things, USA FREEDOM amended Section 215 to require that the government obtain a separate court order every time it wants an individual’s domestic phone records. However, this only ended the bulk collection of telephone metadata, which amounts to everything about a call except the audio content. Other laws, such as the Electronic Communications Privacy Act (ECPA) or the Foreign Intelligence Surveillance Act (FISA), address when and how the government can actually listen to phone calls and read Internet messages.
We Need to Reform Section 702 and EO 12333
As discussed in the background, FISA governs national security surveillance that involves eavesdropping on the content of communications. A special part of FISA, called Section 702, allows the NSA to use infrastructure inside U.S. territory to spy on telephone and Internet data that enters, exits, or passes through the United States. A court must authorize it, but the legal standard is much more deferential to the NSA than a typical search warrant. The NSA can only use Section 702 to target foreigners who are overseas, but if a U.S. person talks to a foreign target, the NSA can collect that conversation.
The statute is sufficient if one is only concerned about the NSA. Section 702 gives the Intelligence Community valuable counterterrorism tools and institutes unprecedented controls on the data its agencies collect. But in the initial drafting of Section 702, policymakers did not thoroughly review two potential downsides of the law: (1) its impact on U.S. electronic communications companies and (2) the use of the information by the U.S. government in non-national security, criminal investigations. As Congress contemplates whether to reauthorize Section 702, which expires in December 2017, it must consider how to improve the law to mitigate these harms.
But even reforming Section 702 will not be enough to restore trust. Executive Order 12333 governs all intelligence activities that actually take place overseas. It says that if the U.S. government grabs electronic data stored abroad by a U.S. corporation, that company does not get any protections. The company is not given notice, nor are they guaranteed a right to challenge the collection. This is why, to this day, 12333 can be read to provide authority to the Intelligence Community to access the data of American firms overseas, without the consent of the target companies. Changing this will be an important step to changing the relationship between the U.S. technology industry and the government tasked with protecting it.
The civil liberties groups, industry leaders, and government officials currently wrangling over surveillance and encryption share core values. As they explore new technologies that might improve privacy, consumer security, and national security, industry and government should strive for solutions that accommodate these vital objectives: protecting the public, upholding the law, and ensuring a bright future for the U.S. economy in the 21st century.