THE BLOG
12/17/2015 11:11 am ET Updated Dec 17, 2016

Surveillance After the USA Freedom Act: How Much Has Changed?

Blake Kent / Design Pics via Getty Images

by Shayana Kadidal, Senior Managing Attorney at the Center for Constitutional Rights

It has been two and a half years since Edward Snowden's disclosures revealed the massive scope of our government's bulk surveillance of global telecommunications. The first document to be published from Snowden's trove showed that the secretive Foreign Intelligence Surveillance Court had ordered Verizon to turn over logs of all calls made to and from its customers.

Of the many bulk surveillance programs Snowden brought to light, this "phone records" program has continued to attract the most attention, in part because its features -- surveillance of everyone in a well-defined set of American customers, under an identified statutory authority (section 215 of the PATRIOT Act) -- were tailor-made to be challenged in court.

Two such challenges were successful and provoked, after years of vigorous debate, a piece of reform legislation: this summer's USA Freedom Act, which shut down the phone records program two and half weeks ago. Anyone who watched this week's Republican presidential debate could be excused for thinking that significant changes to post-9/11 electronic surveillance practices have taken place thanks to the work of Congress.

But has anything really changed as a result of the court challenges and the changes in the law? I would argue that we have very little reason for comfort: that the NSA probably still collects bulk "metadata," like our phone records, that the government clearly still has access to such records even if it sits in the hands of private telecommunications companies, that bulk collection of the contents of our telecommunications is more or less unaffected, and that the main impact of the USA Freedom Act actually may have been to forestall review by the Supreme Court that might have given us more protection.

Let me step back to explain some basics. First, the law treats surveillance of the content of your communications (what you say on a phone call, what you write in an email) differently from data about the "when/where/to whom" of those communications. Simplifying wildly, the former generally requires a court order (a warrant) within the United States, though if there are links abroad, a law passed with Senator Obama's vote, the 2008 FISA Amendments Act, allows the Foreign Intelligence Surveillance Court to rubber stamp its collection in bulk. Surveillance under section 702 of the 2008 Act (the basis for the program called PRISM in Snowden's documents) is not significantly curtailed by the recent USA Freedom Act.

But what about the metadata surveillance? In some ways, metadata is more useful to the government than content because content generally requires labor-intensive human analysis to become meaningful to the intelligence agencies. In contrast, the records of who you talk to and when you talked to them can be very revealing when analyzed by computer -- like the social graph functions on Facebook, it can easily provide a complete map of all your personal associations and interests. Mass metadata gathering is less susceptible to the needle-in-a-haystack problem than mass content gathering, because it is so readily machine-analyzable.

The phone records orders issued by the Foreign Intelligence Surveillance Court were purportedly authorized by Section 215 of the PATRIOT Act. The successful legal challenges to the program (brought by the ACLU and a right wing libertarian group, in different federal courts) proved that the program was an abuse of those powers. The political debate generated by the disclosures and the lawsuits led to the USA Freedom Act in June 2015, and the Freedom Act's reforms included ending the bulk phone records gathering on November 29.

But, as even advocates of the Freedom Act note, there are many other ways in which the government could be sweeping in the same records. In part, that is because metadata isn't protected by the warrant requirement the same way the content of your phone calls is. In 1978 the Supreme Court decided that the list of phone numbers you dial is something you've voluntarily turned over to a third party (the phone company) for their use, and thus deserves less legal protection than the actual content of what you say during the calls. Even at the time, that was recognized as an untenable distinction, but it's not been repudiated by the Supreme Court in the 37 years since, and this "third party doctrine" now permits the government (at least according to the Justice Department) to subpoena almost anything: not just phone records but banking transaction records, where and when you use your credit cards, your web surfing habits, and on and on - pretty much anything shared with a corporate service provider.

So, even without Section 215 of the Patriot Act, and even without overly broad Foreign Intelligence Surveillance Court orders interpreting it to allow the phone records program, the government can grab these records from the phone companies or your bank or Google or any "third party" private company with just a subpoena (as Ted Cruz correctly pointed out to Marco Rubio in this week's debate). Those subpoenas, especially when in the form of "National Security Letters," will often be nearly impossible to challenge in court (even with the active cooperation of the telecom companies), and by eliminating the best-understood authority for such collection (the Section 215 orders leaked by Snowden), the USA Freedom Act may actually make it less likely that the Supreme Court, which has shown recent signs of skepticism about the "third party" doctrine, will actually get a crack at overturning the doctrine anytime soon.

So after two years of pretty active debate, we are where we started: the NSA collects or has ready access to everything -- content and metadata -- under legal authorities that seem to shift every two years or so. This legal game of whack-a-mole is made even more impossible to win by the courts: if the program is challenged by people (even lawyers) who merely fear being surveilled under it, without absolute proof that they are targets, the courts will dismiss their claims for lack of formal legal standing (See CCR v. Obama). In the rare instances where there is such proof (for example, due to accidental government disclosure), the courts will bar the evidence under the State Secrets doctrine. And in the rare cases when surveillance is used against a criminal defendant, the government seems to either create a false reconstruction of where the information came from, or simply interprets its disclosure obligations so narrowly that they cease to exist - meaning the defendants never know about the surveillance in order to be able to challenge it.

So despite the fact that some of the Republican debaters were up in arms about it, the USA Freedom Act actually has produced only very marginal gains for privacy: the call records program as we knew it has ended (though the government may be doing the same thing by different legal means), some subpoena recipients will be able to challenge gag orders stopping them from disclosing and publicly challenging them, and a public advocate of sorts has been created to make privacy arguments in the otherwise totally-secret Foreign Intelligence Surveillance Court. We shouldn't underestimate the symbolic value of Congress passing the first law actually cutting back the scope of surveillance since the post-Watergate era. But the current state of affairs is mostly depressing, especially in light of the floodlight on these issues gifted to us by Snowden.

Luckily, the most important battle in the surveillance wars was won years ago without anywhere near as much public scrutiny: the debate over whether to restrict encryption technology, lost by the Clinton administration in the late 1990s. For all its technical prowess, until the NSA can change the laws of physics, it won't be able to defeat simple encryption programs that are available for free all over the web. Even as cautious a figure as Snowden says as much: "encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on." Though email's metadata is inherently vulnerable, a free Chrome/Firefox browser extension called Mailvelope can encrypt the body of your gmails to other users; a simple program called OTR (Off The Record) can do even better for google chat, and an iPhone/Android app called Signal allows for encrypted voice calls and messaging thru your phone to any of your contacts who've also installed it. These programs are all free and easy to install and use, and even if you don't worry about your own communications being the object of government interest, by using them you ensure that the mere fact of encryption won't make it easy for NSA to flag messages of activists and privacy hawks, and send a stronger message to the NSA than the passage of the Freedom Act ever could. The lesson of the last two years, and indeed of the 14 years since 9/11, is clear: stop waiting for the courts and Congress to save you, and instead, start engaging in self-help by using encryption.

Follow Shayana Kadidal on Twitter:
www.twitter.com/ShayanaKadidal