Forget the Patriot Act – Here Are the Privacy Violations You Should Be Worried About

The ongoing debate over U.S. surveillance programs seemingly came to a head last night, when the Senate failed to extend controversial Section 215 of the USA Patriot Act, which expired at midnight. As we learned from Edward Snowden two years ago, Section 215 was the provision that the government secretly claimed provided authority for the bulk collection of Americans’ phone records — their telephone “metadata.” And although the government’s less-than-obvious interpretation of that statute was accepted by judges sitting on the largely secret Foreign Intelligence Surveillance Act (FISA) Court, it has since been repudiated by two different federal courts, one on the grounds that Congress had not in fact approved such a program and one on the grounds that, even if it had, such warrantless, suspicionless surveillance violates the Fourth Amendment to the U.S. Constitution.

For those reasons, and a host of others, the debate over what Congress should do with Section 215 as its sunset approached grew only more heated ahead of the deadline, provoking bitter disputes over the legal wisdom and practical necessity of the phone records program. Some privacy and civil liberties groups, joined by libertarian politicians such as Sen. Rand Paul (R-Ky.), supported outright expiration of the provision, arguing that the phone records program was both unnecessary and unconstitutional. At the other end of the spectrum, hardline conservatives, led by Senate Majority Leader Mitch McConnell (R-Ky.), backed a straight “reauthorization,” which would allow the program to continue for as much as two additional years before further reconsideration.

The Obama administration, along with a number of more moderate members of Congress, took more of a middle road, calling for the fairly modest reforms provided by the USA Freedom Act, which would replace the phone records program with a somewhat less open-ended (and somewhat better regulated) series of authorities for the government to obtain and review similar data — and which the House of Representatives overwhelmingly passed on May 13.

But whatever the merits of the competing sides in this debate, the larger problem is that this conversation has missed the forest for a very small — and largely irrelevant — tree. In fact, from the perspective of individual privacy rights, the phone records program is much less problematic than the government’s other authorities to conduct mass surveillance under Executive Order 12333 and the 2008 FISA Amendments Act. And so, in focusing on how to “fix” Section 215, we’ve given short shrift to the far more significant problems raised by these other authorities — and, just as importantly, the broader lessons we should be taking away from the surveillance reform conversation that Snowden started.

To understand the significance of these other authorities, it’ll help to describe their aims: Executive Order 12333, issued in 1981, is directed at the overseas interception of communications — both metadata and content — of non-citizens outside the United States, who, under a 1990 Supreme Court decision, categorically lack Fourth Amendment rights. The 2008 FISA Amendments Act was enacted to close a loophole that new technology had helped to create, where non-citizens outside the United States were nevertheless communicating through servers or other telecommunications infrastructure located stateside, which the government could not surveil under the executive order.

Ordinarily, the government needs a warrant before collecting the content of domestic communications, one based upon a judge’s determination that there’s good reason to believe a particular individual either is engaged in the commission of a crime or is an agent of a foreign power. But Executive Order 12333 and the 2008 FISA statute, by focusing on individuals who fall outside the Fourth Amendment, capitalize on the lack of constitutionally required individualized assessments and instead allow the government to engage in bulk collection of such information — as if it were using an industrial vacuum cleaner to pick up individual particles of dirt.

It’s easy to see how these authorities could cause diplomatic headaches (as, for example, with the contretemps surrounding U.S. surveillance of German Chancellor Angela Merkel’s cell phone). But most commentators have assumed that, at least legally, the validity of these programs turns on their overseas focus. After all, if the government is only targeting the communications of non-citizens outside the United States, what could possibly be the constitutional objection?

The answer, we now know, has everything to do with technology. Although the government is only allowed to “target” non-citizens outside the United States, it is inevitable, given how it collects information under both of these regimes, that the communications of U.S. citizens and non-citizens lawfully present in the United States will also be collected, albeit “incidentally,” as the government puts it. After all, when thousands of unrelated emails and other electronic communications are bundled together in a packet that travels through an Internet switch that’s physically located in the United States (for the 2008 statute) or overseas (for Executive Order 12333), it’s simply not possible for the government to only collect the communications between non-U.S. citizens and leave the others untouched, any more so than it’s possible for a vacuum to segregate particles of dirt.

To be sure, the U.S. government doesn’t dispute that it routinely collects the communications of U.S. citizens. Instead, it has argued that any potential for abuse is mitigated by so-called “minimization requirements” — procedural rules that require the relevant intelligence agency to take steps to avoid the improper retention and use of communications collected under these authorities.

The government’s defense, as we’ve come to learn, is flawed in two vital respects: First, as several since-disclosed opinions from the FISA Court have made clear, the government’s minimization requirements under the 2008 statute were often too skimpy, allowing the retention and use of information that both the statute and the Fourth Amendment prohibit. Second — and perhaps more importantly — even where the minimization rules were legally sufficient, there have been numerous instances in which government officials violated them, with the FISA Court only discovering the abuses after they were voluntarily reported by Justice Department lawyers. As a result, the government collected and retained a large volume of communications by U.S. citizens that neither Congress nor the Constitution allowed it to acquire.

More alarmingly, with regard to collection under Executive Order 12333, there isn’t any similar judicial review (or meaningful congressional oversight), which means that it has entirely been up to the government to police itself. As State Department whistleblower John Napier Tye explained last summer, there is every reason to doubt that such internal accountability has provided a sufficient check. In his words, “Executive Order 12333 contains nothing to prevent the NSA from collecting and storing all … communications … provided that such collection occurs outside the United States in the course of a lawful foreign intelligence investigation.”

To put the matter bluntly, whereas the Section 215 debate has addressed whether the government can collect our phone records, Executive Order 12333 and the 2008 FISA Amendments Act allow the government to collect a lot of what we’re actually saying, whether on the phone, in our emails, or even to our search engines. There is no question that, from a privacy perspective, these programs are far more pernicious than what’s been pegged to Section 215. There is also no question that such collection raises even graver constitutional questions than the phone records program. Whereas there is an open debate over our expectation of privacy in the metadata we voluntarily provide to our phone companies, there’s no doubt that we have an expectation of privacy in the content of our private communications.

Why, then, has all the fuss been around Section 215 and the phone records program, while the far more troubling surveillance authorities provided by Executive Order 12333 and the 2008 FISA Amendments Act have flown under the radar?

Part of it may be because of the complexities described above. After all, it’s easy for people on the street to understand what it means when the government is collecting our phone records; it’s not nearly as obvious why we should be bothered by violations of minimization requirements. Part of it may also have to do with the government’s perceived intent. Maybe it seems more troubling when the government is intentionally collecting our phone records, as opposed to “incidentally” (albeit knowingly) collecting the contents of our communications. And technology may play a role, too; how many senders of emails know where the server is located on which the message is ultimately stored? If we don’t realize how easily our communications might get bundled with those of non-citizens outside the United States, we might not be worried about surveillance targeted at them.

But whatever the reason for our myopic focus on Section 215, it has not only obscured the larger privacy concerns raised by these other authorities, but also the deeper lessons we should have taken away from Snowden’s revelations. However much we might tolerate, or even embrace, the need for secret government surveillance programs, it is all-but-inevitable that those programs will be stretched to — and beyond — their legal limits. That’s why it’s important not only to place substantive limits upon the government’s surveillance authorities, but also to ensure that they are subject to meaningful external oversight and accountability as well. And that’s why the denouement of Section 215 debate has been so disappointing.

This should have been a conversation not just about the full range of government surveillance powers, including Executive Order 12333 and the 2008 FISA Amendments Act, but also about the role of the FISA Court and of congressional oversight in supervising those authorities. Instead, it devolved into an over-heated debate over an over-emphasized program. Congress has tended to a paper cut, while it ignored the internal bleeding. Not only does the expiration of Section 215 have no effect on the substance of other surveillance authorities, it also has no effect on their oversight and accountability.

Reaching some degree of closure with regard to the phone records program may leave many with the impression that America has concluded a meaningful and productive national debate over surveillance reform. We haven’t. And although the 2008 FISA Amendments Act is also set to expire — on December 31, 2017 — the debate over Section 215 leaves little reason to believe that we’ll have it then, either.

Photo credit: Drew Angerer/Getty Images