Privacy advocates split over new limits on foreign data retention

Privacy advocates split over new limits on foreign data retention
​A bill that’s expected to soon be signed into law by President Barack Obama will codify rules for collecting the communications of Americans, and privacy activists are split over whether it’s a step forward or back for reining in surveillance.

After a quick and quiet approval from Congress last week, Obama is slated any day to ink his name to the Intelligence Authorization Act for Fiscal year 2015, in turn allowing 16 branches of the US government to continue going about their respective intel-gathering activities.

One particular provision of the act, though — namely Section 309, Procedures for the Retention of Incidentally Acquired Communications — is being both condemned and condoned by onlookers who argue that it officially authorizes, for once, the collection of emails from innocent Americans, while also finally establishing a limit on how long that information can sit in the government’s mitts.

Under Executive Order 12333, signed into law by Ronald Reagan in 1981, departments within the American intelligence community are authorized to collect foreign communications absent a court order in the name of national security. Any communiqué from lawful US citizens can be swept up incidentally in the process, though, allowing for emails that are sent from Americans to individuals abroad to be legally acquired by departments like the National Security Agency under a White House mandate that until now has had little input from Congress.

Sec. 309, however, changes that. Once the president authorizes the intel act, a retention limit will be put in place to ensure that any private correspondence collected incidentally by the government is qsaved for no more than five years.

“Congress showed that it is willing to tackle the mass spying conducted under EO 12333 by inserting Section 309 into the bill,” Mark Jaycox, a legislative analyst for the Electronic Frontier Foundation, a California based digital rights group, wrote this week. “It’s one of the first times Congress has publicly stood up to spying covered by the Executive Order. It's a good sign, but it doesn’t go nearly far enough. The bill must usher in more vigilant — and public — Congressional oversight of EO 12333 and other NSA spying activities.”

Ken Chu, a spokesperson for Sen. Ron Wyden (D-Oregon), told the Washington Post that the lawmaker believes the provision falls short of placing any “meaningful new restrictions” on the NSA, but could set a precedent for “creating a legislative framework” for the Reagan-era executive order. And David Medine, the chairman of the Privacy and Civil Liberties Oversight Board, added to the paper that the clause constitutes “an important statement by Congress that it has the authority and is willing to step in and legislate in a realm that has largely been governed by the executive branch.”

Not everyone watching the bill soar through Washington is applauding, however. Rep. Justin Amash (R-Michigan), a congressman who came close to abolishing the NSA with an ultimately unsuccessful amendment that would have stripped the agency of funding had it passed, took to Facebook last week to share with followers a last-minute letter he sent to other lawmakers in an effort to have Sec. 309 struck from the bill.

“Supporters of Sec. 309 claim that the provision actually reins in the executive branch’s power to retain Americans’ private communications,” Amash wrote his colleagues. “It is true that Sec. 309 includes exceedingly weak limits on the executive’s retention of Americans’ communications. With many exceptions, the provision requires the executive to dispose of Americans’ communications within five years of acquiring them — although, as HPSCI [House Permanent Select Committee on Intelligence] admits, the executive branch already follows procedures along these lines.”

“In exchange for the data retention requirements that the executive already follows, Sec. 309 provides a novel statutory basis for the executive branch’s capture and use of Americans’ private communications,” Amash added.

According to the lawmaker, Sec. 309 wasn’t brought to his attention until last Tuesday evening—only hours ahead of Wednesday’s vote in which the Intelligence Authorization Act won by a 325–100 vote.

“The Senate inserted the provision into the intelligence reauthorization bill late last night,” Amash said. “That is no way for Congress to address the sensitive, private information of our constituents—especially when we are asked to expand our government’s surveillance powers.”

“This whole thing is so upsetting to me,” John Napier Tye, a former State Department Internet policy official, told US News & World Report after the bill passed. “It is good that Congress is trying to regulate 12333 activities,” he said. “But the language in this bill just endorses a terrible system that allows the NSA to take virtually everything Americans do online and use it however it wants according to the rules it writes.”

In July, Tye wrote an editorial for the Washington Post in which he spoke harshly against the intelligence community’s use of EO 12333 and the lack of protections for Americans’ communications.

“’Incidental’ collection may sound insignificant, but it is a legal loophole that can be stretched very wide,” Tye warned. “Executive Order 12333 contains nothing to prevent the NSA from collecting and storing all such communications — content as well as metadata — provided that such collection occurs outside the United States in the course of a lawful foreign intelligence investigation. No warrant or court approval is required, and such collection never need be reported to Congress. None of the reforms that Obama announced earlier this year will affect such collection.”

According to Tye, Review Group on Intelligence and Communication Technologies assembled last year by Pres. Obama advised that the intelligence community adopt measures to ensure that “all data of US persons incidentally collected under such authorities be immediately purged unless it has foreign intelligence value or is necessary to prevent serious harm.” Twelve months after that panel produced their report, however, a five-year retention limit might be the only shot for now and imposing restrictions, albeit slight, on those incidental collections.