Two clocks are ticking for US tech companies in the power centers of the modern world. In Washington, lawmakers are working to reform the Foreign Intelligence Surveillance Act (FISA) Section 702 before it expires on 31 December 2017. Section 702 is the main legal basis for US mass surveillance, including the programs and techniques that scoop up the data transferred by non-US individuals to US servers. Upstream surveillance collects communications as they travel over the internet backbone, and downstream surveillance (better known as PRISM) collects communications from companies like Google, Facebook, and Yahoo.
Both programmes have used Section 702’s vague definitions to justify the wholesale seizure of internet and telephony traffic: any foreign person located outside the United States could be subjected to surveillance if the government thinks that surveillance would acquire “foreign intelligence information”—which here means information about a foreign power or territory that “relates to […] the national defense or the security [or] the conduct of the foreign affairs of the United States.”
Without fixes to Section 702’s treatment of foreign users, the customers of American internet services will continue to have personal information and communications sucked up, without limit, into American intelligence agency databases.
Meanwhile, in Luxembourg, at the heart of the EU, the Court of Justice of the European Union (CJEU) is due to take a renewed look at how US law protects the privacy rights of European customers, and decide whether it is sufficiently protective for American companies to be permitted to transfer European personal data to servers in the United States.
The two ticking timers are inextricably linked. Last time the CJEU reviewed US privacy law, in Schrems v. Data Protection Commissioner, they saw no indication that the US mass surveillance programme was necessary or proportionate, and noted that foreign victims of surveillance had no right of redress for its excesses. They stated that US law was insufficient to protect Europeans, and declared the EU-US Data Protection Safe Harbor agreement void, instantly shutting down a major method for transferring personal data legally between the US and Europe.
Now another similar case is weaving through the courts for review by the CJEU. Without profound changes in US law, its judges will almost certainly make the same decision, stripping away yet more methods that US Internet companies might have to process European customers’ data.
This time, though, it won’t be possible to fix the problem by papering it over (as the weak Privacy Shield agreement did last time). The only long-term fix will be to give non-Americans the rights that European courts and international human rights law expect.
Sadly, no company has yet stepped forward to defend the rights of their non-American customers. At the beginning of November, Silicon Valley companies, including Apple, Facebook, Google, Microsoft and Twitter, wrote a lukewarm letter of support for the USA Liberty Act, characterising this troublesome surveillance reauthorisation package as an improvement to “privacy protections, accountability, and transparency.” The companies made no mention of the rights of non-Americans who rely on US companies to process their data.
The USA Liberty Act reauthorises the National Security Agency (NSA) surveillance programmes for six years and makes some adjustments to government access to American communications. But the bill fails to include any legal protections for innocent foreigners abroad. Instead, the bill offers a “sense of Congress” — a statement about Congressional intention with no legal weight or enforceability — that NSA surveillance “should respect the norms of international comity by avoiding, both in actuality and appearance, targeting of foreign individuals based on unfounded discrimination.”
Previous discussions of 702 reform included demanding better justifications for seizing data. The law could, at the very least, better define “foreign intelligence” so that not every person in the world could potentially be considered a legitimate target for surveillance.
Based on these ideas, the companies could call for substantively better treatment of their foreign customers, but they have chosen to say nothing. Why? It may be that they feel that it is unlikely that such protections would pass the current Congress. But such reforms definitely won’t pass Congress unless they are proposed or supported by major Washington players like the tech giants. Much of the existing statutory language of US surveillance reform, in the USA Freedom Act and now in the USA Liberty Bill, was unimaginable until advocates spoke up for it.
The other reason may be that it’s safer to keep quiet. If the tech companies point out that Section 702’s protections are weak, then that will draw the attention of the European courts, and undermine the testimony of Facebook’s lawyers in the Irish courts that everything is just fine in American surveillance law.
If so, the companies are engaged in dangerous wishful thinking, because that ship has already sailed. In the early stages of the current CJEU court case, in the Irish High Court, Facebook and the US government both argued that current US law was sufficiently protective of foreigners’ privacy rights. They lost that argument. And without US legal reform, they’re almost certain to lose at the CJEU, the next port of call for the case. The companies need to remember what that court said in the first Schrems decision:
“Legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter of Fundamental Rights of the European Union.
Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter of Fundamental Rights of the European Union.”
In other words, it’s not American business practices that need to change: it’s American law. Section 702 reform, currently being debated in Congress, is the Internet companies’ last chance to head off the chaos of a rift between the EU and the US. By pushing for improvements for non-US persons in the proposed bills renewing Section 702 (or fighting for Section 702 to be rejected outright), they could stave off the European court’s sanctions and reassure non-American customers that they really do care about their privacy.
There is still time, but the clocks are ticking. If America’s biggest businesses step up and tell Congress that the privacy of non-Americans matters, that reform bills like the Liberty Act must contain improvements in transparency, redress, and minimization for everyone, not just Americans, they’ll get an audience in Washington.
They will also be heard in the rest of the world. Since the Snowden revelations, non-American customers of US internet communication providers have repeatedly asked them: “How can we trust you? You say you have nothing to do with PRISM, and you zealously protect your users’ data. But how do we know when the US government comes knocking, you’ll have your foreign users’ backs?”
Standing up in D.C. and speaking for the rights of their customers would send a powerful message that American companies believe that non-American Internet users have privacy rights too, no matter what American lawmakers currently believe.
Staying quiet sends another signal entirely: that while they might prefer a world where the law protects their foreign customers, they’re unwilling to make a noise to make that world a reality. Their customers — and competitors — will draw their own conclusions.
This article was originally published at https://www.eff.org/deeplinks/2017/10/tech-companies-could-fight-non-us-surveillance.
(Contribution by Danny O’Brien, EDRi member Electronic Frontier Foundation)