Senator Patrick Leahy (D-NH) introduced his version of the USA Freedom Act on Tuesday.
Leahy’s bill, like the House’s, would still provide the NSA with access to enormous amounts of American phone data. Though it would require a judge to issue an order to telecoms for “call detail records” based on a “reasonable, articulable suspicion” of association with terrorism or a foreign power, the NSA will be able to use that single order to obtain the “call detail records” of a suspicious entity, as well as those of entities in “direct connection” with it and entities in connection with those.
While that would permit the NSA to yield thousands of records off of a single court order, on a daily basis for six months, the NSA and the bill’s architects contend that it bans “bulk collection.”
Leahy’s bill would go further than the House version in narrowing the critical definition of “specific selection term,” a foundational aspect of the bill defining what the government can collect. The House definition is a “term specifically identifying a person, entity, account, address, or device,” which privacy groups have lambasted as unreasonably broad.
Seeking to plug that loophole, Leahy would prevent the NSA or the FBI from accessing a service provider’s entire clientele or a wholesale “city, state, zip code, or area code.”
Although the Leahy bill has the support of several civil libertarian groups and major tech firms like Facebook and Google, it does not revive some privacy proposals that those organizations considered crucial but the intelligence agencies and their advocates in Congress stripped from the House measure.
There are still some really big loopholes, as noted by emptywheel’s Marcy Wheeler:
Leahy’s bill retains the language from USA Freedumber on contact chaining, which reads,
(iii) provide that the Government may require the prompt production of call detail records-
(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and
(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;
Now, I have no idea what this language means, and no one I’ve talked to outside of the intelligence committees does either. It might just mean they will do the same contact chaining they do now, but if it does, why adopt this obscure language? It may just mean they will correlate identities, and do contact chaining off all the burner phones their algorithms say are the same people, but nothing more, but if so, isn’t there clearer language to indicate that (and limit it to that)? [..]
I remain concerned, too, that such obscure language would permit the contact chaining on phone books and calendars, both things we know NSA obtains overseas, both things NSA might have access to through their newly immunized telecom partners.
In addition, Leahy’s bill keeps USA Freedumber’s retention language tied to Foreign Intelligence purpose, allowing the NSA to keep all records that might have a foreign intelligence purpose.
That’s just for starters. She is also concerned that the vague language will still be used to allow bulk collection. She doesn’t think it’s strong enough:
The question is whether this “agency protocol” – what Chief Justice John Roberts said was not enough to protect Americans’ privacy – is sufficient to protect Americans’ privacy.
I don’t think it is.
First, it doesn’t specify how long the NSA and FBI and CIA can keep and sort through these corporate records (or what methods it can use to do so, which may themselves be very invasive).
It also permits the retention of data that gets pretty attenuated from actual targets of investigation: agents of foreign powers that might have information on subjects of investigation and people “in contact with or known to” suspected agents associated with a subject of an investigation.
Known to?!?! Hell, Barack Obama is known to all those people. Is it okay to keep his data under these procedures?
Also remember that the government has secretly redefined “threat of death or serious bodily harm” to include “threats to property,” which could be Intellectual Property.
So CIA could (at least under this law – again, we have no idea what the actual FISC orders this is based off of) keep 5 years of Western Union money transfer data until it has contact chained 3 degrees out from the subject of an investigation or any new subjects of investigation it has identified in the interim.
In other words, probably no different and potentially more lenient than what it does now.
And one more thing from Marcy: Leahy’s version still will allow the FBI uncounted use of backdoor searches:
I strongly believe this bill may expand the universe of US persons who will be thrown into the corporate store indefinitely, to be subjected to the full brunt of NSA’s analytical might.
But that’s not the part of the bill that disturbs me the most. It’s this language:
‘(3) FEDERAL BUREAU OF INVESTIGATION.-
Subparagraphs (B)(iv), (B)(v), (D)(iii), (E)(iii), and (E)(iv) of paragraph (1) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.
The language refers, in part, to requirements that the government report to Congress [..]
These are back door searches on US person identifiers of Section 702 collected data – both content (iv) and metadata (v).
In other words, after having required the government to report how many back door searches of US person data it conducts, the bill then exempts the FBI.
The FBI – the one agency whose use of such data can actually result in a prosecution of the US person in question.
We already know the government has not provided all defendants caught using 702 data notice. And yet, having recognized the need to start counting how many Americans get caught in back door searches, Patrick Leahy has decided to exempt the agency that uses back door searches the most.
And if they’re not giving defendants notice (and they’re not), then this is an illegal use of Section 702.
While the Senate version may be good enough for some civil libertarians, privacy groups and technology firms to back, it still falls far short of what is needed to protect Americans’ constitutional rights and privacy.