EFFecting Digital Freedom

by Jason Kelley

Edward Snowden's Revelations, Ten Years Later

In 2013, Edward Snowden broke the Internet - or rather, revealed that the Internet was already broken.  His disclosures about the NSA's secretive mass surveillance programs shook the very foundations of our thinking about online privacy and government spying.  EFF and others had been working for years to reveal anything we could about the NSA's ability to spy on people's online communications, Internet activity, and phone records, both inside and outside the U.S.  But the disclosures did more than just clarify what we suspected: after these revelations, we were able to better pinpoint our demands, our questions, and our legal tools.

We've had some big wins as a result.  In 2015, the NSA ended its program of bulk collecting Internet metadata, including email addresses of the sender and recipient, and IP addresses.  Senator Ron Wyden, a longtime digital rights advocate, and others who were granted access to the program under the limited congressional oversight that existed, helped kill this program (and ongoing pressure from litigation by EFF and others didn't hurt either).

Some of the programs Snowden revealed have sunset - like the dragnet surveillance program that collected billions of phone records documenting who a person called and for how long they called them.  And we've been able to receive classified rulings (heavily redacted) from the Foreign Intelligence Surveillance Court (FISC), which give us some insight on how and when it grants surveillance powers to the government and the reasoning which guides its decisions.

And the wins after Snowden's revelations aren't all legal.  Prior to 2013, much of the web was primarily served over unencrypted HTTP instead of HTTPS.  EFF, along with many partners around the world at Let's Encrypt and elsewhere, created a baseline of privacy (and security) protection for people around the world by encrypting the web, which was spurred on in part by the revelations of the NSA's surveillance.  Your support of EFF tools like Certbot and HTTPS Everywhere has helped us get there - over 90 percent of web traffic is now encrypted, and major browsers have deployed key features that put HTTPS first.  You can tell how effective this campaign has been by visiting any of the rare sites still served over HTTP, and seeing that your browser reminds you this data is insecure.

But there's a lot more to do.  In particular, we must end or at least radically reform Section 702, which is set to expire later this year.  Under Section 702 of the FISA Amendments Act of 2008, the government can conduct surveillance inside the United States by vacuuming up digital communications so long as the surveillance is directed at foreigners currently located outside of the United States.  Though the law prohibits intentionally targeting Americans, the NSA routinely ("incidentally") acquires innocent Americans' communications without a probable cause warrant.  Once collected, the FBI can then search through this huge database by "querying" the communications of specific individuals.

The Snowden revelations gave names to two of the key types of surveillance that the NSA conducts under Section 702: PRISM and Upstream.  It also made it easier for us to get data on just how many innocent Americans' communications are searched through these programs.  In 2021 alone, the FBI conducted up to 3.4 million warrantless searches of Section 702 data to find Americans' communications through its "incidental" collections.

Section 702's authority persists to this day.  We did have another big win when one type of data collection under Section 702 was paused in 2017: "About," as opposed to "incidental," collection, was the scooping up of information when a target is merely mentioned, instead of communication specifically sent to or from a target.  If you email a friend in France and discuss a known terrorist, for example, the email could be included as "about" a target.  This collection ended after pressure from FISC (surprisingly) and groups like EFF and ACLU, but much of Section 702's surveillance authority remained.

We still need to permanently end this kind of collection.  But that alone isn't enough.  We must end Section 702's surveillance powers entirely, or considerably rein in the NSA's backdoor data collection.  Currently, Congress has to renew Section 702 every few years.  It was last renewed in 2018 and is set to expire at the end of 2023.

This isn't a stale debate.  A new FISC court order unsealed earlier this year detailed massive violations of Americans' privacy by the FBI, underscoring why Congress must act.  That opinion showed that for years the FBI illegally accessed a database containing communications obtained under Section 702 and other FISA authorities more than 278,000 times, including searching for communications of people arrested at protests of police violence and people who donated to a congressional candidate.  The FISC ruling points out that the FBI is incapable of policing itself when it comes to trawling through the communications of Americans without a warrant: "There is a point at which it would be untenable to base findings of sufficiency on long promised, but still unrealized, improvements in how FBI queries Section 702 information," the court wrote.  That point is now.  Clearly, the FBI has failed to comply with even the most modest reforms designed to limit the agency's surveillance powers.

The FISC ruling itself shows that the Foreign Intelligence Surveillance Court is incapable of protecting Americans from the FBI's unconstitutional searches of their communications.  The court has consistently approved and re-approved the agencies' ability to use Section 702.  In this opinion, it recognized that "compliance problems with the FBI's querying of Section 702 information have proven to be persistent and widespread."  Although the court suggested that further incidents might prompt limiting who within the FBI could access information obtained under Section 702, it imposed no other restrictions on the FBI besides those proposed by the agency itself.

If recent bills are any indication, many in Congress would be fine allowing FISC to continue offering these judicial rubber stamps.  They would also be fine allowing "about" collection to restart, and not only reauthorizing Section 702, but moving the goalpost for it to sunset down the road six more years.  That means now is the best opportunity for Congress to limit NSA surveillance.  This year we must push Congress to protect our communications, and our privacy, by ending Section 702.
