At midnight on Saturday, the National Security Agency ended one of its most notorious spying programs. This is only a tiny victory. The NSA’s sprawling, inefficient surveillance apparatus is still a privacy threat.
The bulk phone records collection program was banned in the USA Freedom Act, a law that curbed some domestic spying. This program allowed the NSA to collect metadata from American citizens’ calls en masse. Now, instead of collecting phone metadata in an expansive dragnet, the USA Freedom Act requires the NSA to first make a “specific query,” like a name, or a device number.
The USA Freedom Act didn’t make sweeping reforms. It nipped one program and left most others intact. The NSA stopped this particular program at the last possible moment because it would’ve broken the law by keeping it running a second longer—and it stopped knowing that it had plenty of other options for warrantless spying.
Remember PRISM? The clandestine internet-spying program where the NSA bulk collected internet communications from companies like Google, Apple, and Facebook? The one even a Republican Congressman who championed the Patriot Act called “more than the Patriot Act allows?”
PRISM gives the NSA access to a vast amount of data, from records of Skype calls and Gchat logs to unflattering unposted selfies. The only filter the agency uses to make sure it isn’t illegally spying on people within the US is asking an analyst if they’re 51 percent confident that the surveilled person is outside the US.
PRISM was never shut down. Somewhere in America a bunch of NSA analysts are PRISMing like Edward Snowden was a fever-dream twinkle in their spyin’ eyes.
PRISM’s not our only problem. The NSA shut down a bulk email metadata program called Stellarwind in late 2011, years after Bush Administration officials fought about its legality. But instead of not analyzing large amounts of domestic data, the NSA looked for alternate routes to it. Documents obtained by the New York Times earlier this month show that the NSA found other ways to continue to obtain and analyze domestic personal data even after it stopped Stellarwind.
One way was straight up abandoning a domestic spying rule: Before 2010, NSA analysts were only allowed to do large-scale graph analysis on foreign data. After 2010, NSA analysts could use domestic emails, texts, and other private online conversations in these graphs.
The USA Freedom Act ruined one of the NSA’s favorite justifications for its spying program by blocking it from using Section 215 of the Patriot Act, which it had used to explain its phone data collection. But it can lean on several other dubious justifications to allow sweeping surveillance.
“Most obviously, there’s Section 702,” Electronic Frontier Foundation staff attorney Andrew Crocker told me. That’s Section 702 of the Foreign Intelligence Surveillance Act, and it gives the NSA authority to collect internet communications on (you guessed it) foreigners. The NSA uses it to justify stuff like Stellarwind. It was introduced in 2008, and it’s not up for renewal until 2017.
Another justification is even older. Reagan signed Executive Order 12333 to authorize foreign intelligence investigations back in 1981, and it has been a boon to upstream surveillance cheerleaders. The beauty of 12333 is in its empty, flexible language: Any information “incidentally” collected during an intelligence gathering mission focused outside the US—even if it’s the entire email history of a Minnesota teen or every iCloud photo from a Chicagoan’s iPhone—is fair game.
These loopholes and broad interpretations of orders are not totally unnoticed in Congress. “I will continue to push for reforms to section 702 of the Foreign Intelligence Surveillance Act – like closing the backdoor searches loophole,”Sen. Ron Wyden (D-Ore.) told Gizmodo in a statement. “And I believe Congress needs to take a hard look at collection conducted under Executive Order 12333 as well to ensure it is not abused to circumvent laws or violate Americans’ civil liberties. As long as Americans keep demanding policies that protect both their security and their liberty, you can expect to see more reforms in the future.”
I want to emphasize here that this isn’t a situation where the NSA occasionally got a few US citizens’ private communications scooped up as it bagged a bunch of terrorists, like stray lobsters scooped up here and there in a shrimp boat’s net full of shrimp. (I don’t know how to fish, but you get my point. Also, I want shrimp.) For the email surveillance program, for instance, tens of thousands of Americans who were not suspected suicide bombers or manic gunmen or anything other than regular people with computers had their personal digital lives open for dissection.
These fishing expeditions suck, and they’re not over.