Note: Sen. Wyden’s remarks, as prepared for delivery, at the March 2 launch event for the new book American Spies, by Jennifer Granick.
I’m delighted that I was invited to speak at Jennifer Granick’s book launch. Jennifer, has been a leader in two areas I care deeply about — surveillance and fighting against the misuse of the Computer Fraud and Abuse Act against researchers and activists like the late Aaron Swartz. Over the decades, Jennifer has represented, pro bono, a who’s who of the computer security community, protecting them when they are threatened, and, as a result, ensuring that the public is not kept in the dark about the ways that their private information is vulnerable to malicious hackers and governments.
We’re here today, however, because of her great work on surveillance issues, and her insightful, deeply researched book, “American Spies”. This fireside chat with Jennifer and Charlie Savage features in effect the Lebron James and Damian Lillard of surveillance law.
One of the major challenges of our time is that Americans want both security and liberty. Instead, politicians are serving up policies that give them less of both.
Today, I’d like to address three sets of surveillance issues: issues that are the subject of legislation, issues that I expect to be the subject of legislation, and issues that are almost never the subject of legislation.
First among matters that are the subject of legislation is this year’s reauthorization of Section 702 of FISA, which was a subject of discussion earlier this week with the nominee to be DNI. This particular provision of FISA is slated to sunset at the end of this year. Without that check, there is almost never an opportunity for the full Congress to address whether even statutory surveillance authorities require additional checks and balances, or whether they are needed at all.
Now I accept that 702 has concrete value when it comes to gathering intelligence overseas about threats to the United States. What I do not accept is that this program also sweeps up large numbers of Americans’ communications, and allows the government to search them without a warrant. I call these backdoor searches.
As I’m sure everyone in this room is aware, I and other members of Congress have been trying for years to get the government to disclose to the public how many innocent Americans’ communications are swept up in Section 702 collection. How can law-abiding Americans have confidence about Section 702’s impact on their privacy if they don’t have this basic information?
The response to this concern has always been that that number doesn’t matter because, whatever it is, the communications of Americans are minimized, which means that information about Americans won’t be seen even if it’s collected. But that is clearly not always the case. For example, the NSA, CIA and FBI are all permitted to conduct searches of this data in search of Americans’ communications with no warrant and based on no particular suspicion. If we don’t know how many Americans’ communications are in this pool, we don’t know the full impact on Americans’ privacy from these searches. And, when the government develops an interest in particular Americans and their communications collected through Section 702, what meaning can we ascribe to prohibitions on the use of Section 702 for reverse targeting of Americans? Addressing this problem will be among the multiple reform efforts that Congress will need to tackle during this reauthorization process.
National Security Letters & Rule 41
National Security Letters also will also be debated on the Senate floor — not because of a sunset, but because DOJ is seeking an expansion of their authority. Last year, we had a fight to prevent the FBI from expanding their authority to obtain Electronic Communications Transactions Records without any court oversight. These records could include highly private information, including browser history, which is as close to a digital map of people’s private thoughts as exists. We were successful in pushing back, but I have no doubt we’ll see it again.
What about issues that I expect to be the subject of legislation? First among them is the need for Congress to carefully examine law enforcement agencies’ use of hacking and malware, which, I hope, will ultimately lead to the passage of a legal framework that strictly regulates this powerful surveillance capability. Last year, we fell short in the battle over Rule 41, and as a result, we were not able to restrict the FBI’s practice of hacking thousands of individuals located around the country, and in fact, around the world, pursuant to a single warrant. But this issue is only part of broader question that our country has not fully debated. If law enforcement agencies are going to use malware — in other words to hack into the computers, phones, webcams and microphones of Americans, such hacking needs to be pursuant to a narrow warrant, to strict judicial oversight, and law enforcement agencies must take steps both to limit collateral harm — to innocent Americans and to U.S. technology companies whose products the government is hacking — and be ready to clean up the mess when they do in fact hack innocent people or when their hacking tools fall into the wrong hands. This is an issue I intend to address head on.
Executive Order 12333
Which brings me to matters that are almost never the subject of legislation, specifically surveillance conducted under Executive Order 12333. Now every once in a while, we have some successes. Back in 2008, in the context of the FISA Amendments Act, I managed to ensure that a warrant was required for targeting Americans overseas. Previously, surveillance of Americans overseas was not even addressed in statute and the authority to approve it rested with the Attorney General under EO 12333. But that amendment was a rarity. The rest of the time, the public debate on 12333 surveillance has to be based on whatever internal guidelines and procedures the government chooses to make public.
Fortunately, there is some information available to the public. In its last days, the Obama Administration released the CIA’s 12333 guidelines and the Intelligence Community’s procedures for the sharing of raw signals intelligence collected by the NSA. Other examples include rules for how the CIA handles bulk signals intelligence, which can be found on the CIA’s website.
Unfortunately, what these procedures and guidelines demonstrate is the leaders of the Intelligence Community have enormous power to decide what can be collected, and how it is used, shared with other government agencies and retained. This is one of the reasons why it matters so much who is leading the Intelligence Community and why assurances that they will “follow the law” are often besides the point. There is no “law” when it comes to EO 12333 and the guidelines give the Intelligence Community flexibility to make decisions about the scope of surveillance. And, of course, those decisions get made in secret. The public explanations of this potentially vast surveillance program amount to two words: Trust us.
Take the “raw” signals intelligence procedures, which state that the content of communications, which can include those of Americans, can be shared with various intelligence agencies so long as a “high-level” official from one of those agencies asks and a “high-level” official from the NSA approves. And once these communications are in the hands of, say, the CIA, their use is often up to the agency.
And that takes us back to the authorities of the Attorney General who, under the “raw” signals intelligence procedures, can authorize searches of communications that are to, from, or about an American for the purposes of targeting that American so long as the Attorney General determines that the American is an agent of a foreign power or an officer or employee of a foreign power. This was the unchecked Executive Branch authority my 2008 amendment removed when it required the government to get a warrant to target an American overseas. This authority is even broader because it also applies to Americans here in the United States. The only distinction is that this authority, currently resting with the Attorney General, applies to communications that have already been collected. But more and more, that distinction is becoming meaningless. We are living in a world of almost limitless capabilities for bulk collection of digital communications — collection that can sweep up untold numbers of innocent Americans. In this world, there may be little difference between going out and collecting something new and searching through what we already have.
The capacity to collect the most politically sensitive communications of American politicians, political activists, or journalists is also apparent. One need only look at the Russian hacking of the DNC to understand this. And the American government can end up with this kind of information in all kinds of ways — it could collect it directly, it could collect it back from a foreign adversary, or it could be given it by those who collected it. For example, what if the Russians, rather than providing the results of their hacking to Wikileaks, gave it to the Trump Administration. What checks and balances would apply to how the administration could use it? Where do we look for answers? Not in statute, but in the 12333 guidelines.
Unfortunately, the CIA’s recently released guidelines provide little direction for situations like these. Bulk collection is authorized. And even when something called “exceptional handling requirements” is required, for example when the collection is anticipated to include “significant in volume, proportion, or sensitivity,” the CIA may search for Americans’ communications.
And what about the Russia scenario? I asked Director Pompeo about his during his confirmation process. This is what he said: “In very limited circumstances,” the “manner in which a foreign power collected the information could be so improper that it would not be appropriate for the CIA to receive, use, or further disseminate the information.” That didn’t sound like someone particularly concerned about the privacy or political implications of a scenario like the one I discussed, so I followed up. What would those “very limited circumstances” be? He responded that it was “highly fact-specific.”
That pretty much sums it up. Where the rules end, the “fact-specific” decisions get made, without checks and balances and without public awareness.
Since this forum was titled “modern surveillance under the Trump Administration,” I’ve tried to describe how these concerns intersect with an administration whose respect for norms, rules and accountability has yet to be demonstrated. Consider, for example, then-candidate Trump’s encouragement of Russian hacking of Secretary Clinton, or his statement about that hacking that he would “love to have that power.” As I’ve outlined, the checks and balances standing in the way of that power are not what they should be.
But let me finish on a more hopeful note. As we learned when we passed the USA FREEDOM Act, Americans, when they learn about overreach in the area of surveillance, expect their members of Congress to push back. It has happened in the past; it will happen again. We just need to make sure that they get the information they need, which is why I am fighting every day to get more information about surveillance declassified and released to the public.
And that leaves all of you. Sometimes the privacy implications of surveillance authorities are readily apparent, such as with the collection of phone records of millions of innocent Americans pursuant to a secret interpretation of the Patriot Act. But these issues are sometimes legally or technically complex. The expertise that you all bring to these matters, and the on-line distribution of your analysis, is critical, if members of Congress and the public are to be well informed, and appropriately vigilant as we face this new day.