The Massive Fine The EU Hit Meta With… Is Really About The NSA, Not Meta

from the privacy-or-privacy dept

You may have heard the news that the EU hit Meta with a $1.3 billion fine for violating EU “data privacy rules” and assumed that this was just Meta being Meta and being bad about your privacy. But that’s not really an accurate portrayal of what happened, and it hides how this fine is actually pretty problematic for a lot of reasons that have nothing to do with Meta whatsoever, and a lot to do with the NSA.

Also, it may actually be a total disaster for privacy.

And on top of that, it makes US politicians trying to ban TikTok over fears of China spying on users appear to be total hypocrites.

The Backstory:

Some background is in order. First, almost exactly a decade ago, Ed Snowden first revealed the existence of PRISM, which unfortunately was widely misreported in the original articles about it. The original reports suggested that it was a story of tech companies giving full access to their backend data for the intel community to search. The reality, which came out a few days later, was that it was more of a system for the intel community to request data via a (HIGHLY QUESTIONABLE) legal process, and for the companies to deliver that info. It was still extremely problematic, but not in the ways it was originally reported.

Still, the revelation of the program raised many reasonable concerns, including how it was that these very same companies who had been handling “data transfers” of EU user data to US data centers under what was called the data protection “safe harbor” agreement were doing so. Part of the safe harbor agreement between the US and the EU was that the US companies would protect the data of EU users, and this didn’t seem to be happening.

Privacy activist Max Schrems sued over this, and a few years later, the EU Court of Justice tossed out the “safe harbor” agreement between the US and the EU, saying that because of the PRISM revelations and NSA’s snooping, that the agreement did not comport with EU data protection laws. Sometime after this, the EU and the US came to a new agreement, which became known as the “privacy shield” to again allow data transfers from the EU to the US. But, as we noted, the problem wasn’t the agreement, the problem was the NSA’s surveillance. And if that didn’t change, we didn’t see how the “privacy shield” was any better than the privacy “safe harbor” agreement.

Once again, Schrems sued. And once again, the court said that the agreement was invalid. Last year, the US and the EU announced yet another deal on transatlantic data flows. And, as we noted at the time (once again!) the lack of any changes to NSA surveillance meant it seemed unlikely to survive yet again.

In the midst of all this, Schrems also went after Meta directly, claiming that because these US/EU data transfer agreements were bogus, that Meta had violated data protection laws in transferring EU user data to US servers.

And that’s what this fine is about. The European Data Protection Board fined Meta all this money based on the fact that it transferred some EU user data to US servers. And, because, in theory, the NSA could then access the data. That’s basically it. The real culprit here is the US being unwilling to curb the NSA’s ability to demand data from US companies.

So, this isn’t about Meta doing anything particularly egregious on its own (I mean, it likely has, but that’s not the crux of this ruling).

The Damage to Privacy

Of course, the end result of all this could actually be hugely problematic for privacy around the globe. That might sound counterintuitive, seeing as here is Meta being dinged for a data protection failure. But, when you realize what the ruling is actually saying, it’s a de facto data localization mandate.

And data localization is the tool most frequently used by authoritarian regimes to force foreign internet companies (i.e., US internet companies) to host user data within their own borders where the authoritarian government can snoop through it freely. Over the years, we’ve seen lots of countries do this, from Russia to Turkey to India to Vietnam.

And, now, because of this ruling, they (and others) can continue to justify the demands for privacy-destroying data localization by pointing to the EU decision.

There are different privacy interests at play here. And while some will cheer this on simply because it dings Meta/Facebook, the reality is that for much of the world, getting their user data out of their local country and onto Meta’s US servers actually is much more protective of their privacy.

Of course, there’s a simple way to solve much of this: the US could cut back on NSA surveillance. What a concept.

The Hypocrisy Issue

It’s kind of amazing that all this is playing out against the backdrop of bipartisan efforts all around the US to “ban TikTok,” claiming that there’s a (still unproven) direct link enabling the Chinese government to access TikTok data. Nevermind that the US has already pressured TikTok into localizing US user data in the US under “Project Texas” (which, as we’ve already described, might also undermine US national security).

So, just as we’re forcing TikTok to locate US user data in the US and freaking out that the Chinese government might access TikTok US user data… the EU is slapping Meta with a large fine and effectively forcing it to locate EU data in the EU and freaking out that the US government might access Meta EU user data.

Basically, we’re doing exactly what we’re freaking out and claiming China is doing. Maybe we should stop?

And, of course, there are some simple ways to fix this: seriously cut back the NSA’s access to data from US companies without a valid reason. The fishing expeditions need to stop. They were an affront to the 4th Amendment all along and now they’re having a large, negative impact on US internet companies.

And then, pass a real federal privacy law that is focused on actual privacy violations, not some nonsense that simply empowers the biggest companies (i.e., Meta) to gain more control over the market, and ends up with something silly and useless like more cookie popups.

But, instead, the US will go on freaking out about TikTok, pushing garbage, broken, fake “privacy” fixes (often on a state by state business where those laws will conflict with one another), and refusing to admit that maybe the powers we gave the NSA are the problem?

Filed Under: data localization, data protection, data transfers, eu, fines, hypocrisy, localization, nsa, prism, privacy, privacy shield, surveillance, us
Companies: meta

For The First Time In Probably Ever, The FBI Section 702 Abuses Are Trending Downward

from the and-it-only-took-us-15-years! dept

The FBI has never not been abusing its access to Section 702 collections. This collection includes communications, scooped up by the NSA during its so-called “foreign facing” surveillance. The thing about this collection is it also obtains communications from US persons to foreign individuals. The NSA can collect the latter, but not without grabbing the former.

This has worked out well for the FBI. It has access to this collection for its own purposes, which now include its counterterrorism work, which is focused mainly on generating terrorism-related arrests by generating terrorists to arrest.

The FBI can search this collection if it asks the FISA court nicely. This is supposed to be limited to national security interests and analysts are supposed to do everything they can to prevent accessing data and communications of non-targets in the United States. But it’s always been the other way. Back in 2014, when the Snowden leaks were first starting to surface, then-Director of National Intelligence James Clapper admitted both the FBI and CIA routinely accessed NSA collections using US persons as search terms. The CIA at least bothered to count how many times it did this. The FBI couldn’t be bothered to even do this. It simply said it believed the “number of queries is substantial.”

As the years rolled on, the FBI continued to abuse its access. It did this so often the FISA court was forced to comment on it. (The FISA court, however, couldn’t be bothered to order the FBI to stop doing this.) An Inspector General’s report released in late 2022 simply confirmed what was already common knowledge: the FBI was accessing Section 702 collections illegally and, as was pointed out the FISA court three years earlier, for highly improper reasons… like vetting its own employees during security reviews.

Section 702 is up for renewal. And, for the first time in possibly ever, it may not make the final cut. Even in the midst of a steady stream of leaks from Snowden and others, Section 215 (the metadata collection) managed to be renewed, even if it did undergo a few minor alterations. Thanks to the former president and his insistence that there’s a “deep state” conspiracy targeting Trump and his acolytes, several Republicans have crossed the aisle to join privacy activists and woke liberals in calling for an end to this dragnet-empowering authority.

Having never faced a front quite this unified, the FBI has finally started taking complaints about its backdoor search abuses seriously. At least, that’s what the agency’s internal tallying tells us, as Charlie Savage reports for the New York Times.

In 2021, the bureau further changed its FISA practices ahead of the expected legislative fight over extending Section 702. For one, its computer systems now exclude both types of raw FISA information by default when agents are searching various databases, unless they choose to include them. It also bolstered training about the rules.

A report last month said the number of identifiers of Americans — like a name or email address — used by the F.B.I. to query the Section 702 repository fell sharply as a result, from nearly three million in 2021 to 119,383 last year.

If these numbers are to be believed, it took an act of extreme self-interest to compel the FBI to curb its abuses. The FISA court couldn’t do it. Its congressional oversight couldn’t do it. A couple of damning reports from the DOJ’s Inspector General couldn’t do it. Only when it appeared there might be the possibility of losing this collection entirely could the FBI be bothered to start handling its access more responsibly.

It’s the equivalent of a deathbed confession. No one should let the FBI off the hook for the years of abuse it engaged in before Congress started wandering into the surveillance state’s critical care unit with a DNR form in its hand. The safest assumption to make when the FBI’s past is taken into context is that the FBI will play nice until it receives another Section 702 extension and then go back to the way things were once the heat is off.

The most hopeful assumption is that these changes might stick. Changing policy is hard work. Backsliding, however, isn’t. Like any law enforcement agency, the least amount of time and effort goes into ensuring rights aren’t violated and that those who do violate rights receive severe punishment. A rule change that isn’t paired with sufficient deterrent is just another page in the employee manual — one that will be forgotten the moment anyone with any power stops thinking about it. While it’s nice to see the FBI actually rolling in with a sharp reduction in abusive searches, the smart money is on a regression to the mean.

Filed Under: backdoor searches, doj, fbi, fisa court, nsa, prism, section 702

Federal Court Says NSA PRISM Surveillance Good And Legal Because The Gov't Said It Was Good And Legal

from the 'those-DOJ-guys-are-real-straight-shooters' dept

Three years after its inception, a prosecution involving possibly unlawful FISA-authorized surveillance, hints of parallel construction, and a very rare DOJ notification of Section 702 evidence has reached a (temporary) dead end. The defendants challenged the evidence on multiple grounds — many of which weren’t possible before the Snowden leaks exposed the breadth and depth of the NSA’s domestic surveillance.

The federal judge presiding over the case — which involved material support for terrorism charges — has declared there’s nothing wrong with anything the NSA or FISA Court did, so long as the surveillance was authorized and possibly had something to do with national security. (via FourthAmendment.com)

First, the defendants — all accused of providing material support to Al Qaeda (remember them?) — asserted the constitutionality of the NSA’s upstream collections should be revisited in light of the Snowden leaks. The court [PDF] says these more-recent exposures are no reason to upset the precedential apple cart.

Controlling precedent decides this issue. In 2005, the Sixth Circuit rejected a Fourth Amendment challenge to FISA’s procedures. The court explained in Damrah that the defendant’s Fourth Amendment challenge lacked merit, as “FISA has uniformly been held to be consistent with the Fourth Amendment.” Damrah has not been overturned or altered in light of the public disclosures regarding PRISM and upstream collections. And consequently, Damrah forecloses Defendants’ constitutional challenge.

So, to add this all up: leaked documents from 2013 onward, exposing routinely-abused programs that massively expanded following the 2008 FISA Amendments Act, mean nothing when stacked up against a 2005 case predating the NSA’s admissions of surveillance abuse and the exposure of the FBI’s backdoor searches of domestic communications.

Furthermore, the court declares — based on documents provided by the government directly to the court, but not to the defendants (in ex parte hearings) — the FISA-authorized surveillance was on the up-and-up because the government provided documents declaring the FISA-authorized surveillance was on the up-and-up.

The court is sympathetic to those on the other side of the deck it helped stack, but only barely.

I recognize the challenge faced by a defendant in making a substantial preliminary showing that a FISA application contains a false statement when the defendant does not have access to the application. But the threshold burden exists nonetheless. […] And here, Defendants have failed to satisfy that burden.

Oddly, the court then decides, after pulling from a 2005 decision and ignoring every FISA-related development since then, that previous domestic surveillance violations by the FBI have no bearing on this case.

The Government’s errors from more than a decade ago [referring to a 2004 IG report about post-9/11 surveillance] do not amount to a substantial preliminary showing that an application for FISA collection relevant to this case contains a false statement which was knowingly or recklessly made and necessary to the finding of probable case.

Yes, this is true. These are not comparable things. But with the defendants unable to review the FISA applications, they’re left with the judge’s take as guided by government submissions — submissions the defendants are also unable to review or even argue.

As for the Fourth Amendment challenge to Section 702 surveillance generally, the court says there’s really no Fourth Amendment issues as this does not apply to “aliens in foreign territory.” The court goes even further, though, suggesting the collection of communications outside of the country does not even require a warrant, even if it “inadvertently” sweeps up Americans’ communications during the process.

Since the court has also unilaterally decided it can — unaided by anyone but the government — decipher the government’s FISA-related submissions, there are no due process violations even if the defendants are prevented from viewing, analyzing, or rebutting the claims made by the government during these ex parte sessions. In the end, there’s nothing left for the defendants to do but appeal, which will certainly happen what with the court dismissing out of hand the evidence provided by multiple leaked documents and documents officially released by the Director of National Intelligence. To buy the government’s claims of above-board surveillance in secret court sessions and declare those NATSEC Kosher seems like a very close-minded move that grants the government more deference than documents the government released publicly itself shows it has earned.

Filed Under: 4th amendment, fisa, fisa court, fisc, mass surveillance, nsa, prism, privacy, surveillance

Basically All Big Tech Companies Deny Scanning Communications For NSA Like Yahoo Is Doing

from the getting-more-interesting dept

So, the big story yesterday was clearly the report that Yahoo had secretly agreed to scan all email accounts for a certain character string as sent to them by the NSA (or possibly the FBI). There has been lots of parsing of the Reuters report (and every little word can make a difference), but there are still lots of really big questions about what is actually going on. One big one, of course, is whether or not other tech companies received and/or complied with similar demands. So it seems worth nothing that they’ve basically all issued pretty direct and strenuous denials to doing anything like what Yahoo has been accused of doing.

Twitter initially gave a “federal law prohibits us from answering your question” answer — and a reference to Twitter’s well documented lawsuit against the US government over its desire to reveal more details about government requests for info. However, it later clarified that it too was not doing what Yahoo was doing and had never received such a request. Microsoft’s response was interesting in that it says it’s not doing what Yahoo is, but refused to say if it had ever received a demand to do so. Google said it had never received such a request and would refuse to comply if it had. Facebook has also denied receiving such a request, and, like Google, says it would fight against complying. This still leaves lots of unanswered questions about why Yahoo gave in. Again, historically, Yahoo had been known to fight against these kinds of requests, which makes you wonder what exactly was going on here.

Former GCHQ infosecurity guy Matt Tait has one of the more more interesting threads about this news, arguing (in some ways) that it’s both less and more than everyone is making it out to be. His basic argument is that this is an expansion of the PRISM program to include “about” targets. This has been discussed in the past, but under PRISM, the NSA could give tech companies “selectors” in the form of specific addresses and the companies were compelled to hand over emails “to” or “from” them — but according to the PCLOB’s report on the Section 702 program it did not include anyone emailing “about” the selector. Upstream collections (i.e., tapping the backbones from folks like AT&T) did include “about” selectors (and this information also flowed into other areas, enabling so called backdoor searches. And, as I speculated yesterday, Tait says that this latest news appears to be Yahoo now agreeing to use “about” selectors on its emails, which means that it’s still part of PRISM, with a massive expansion.

Tait then notes that if James Clapper wants to clear this up, he should state publicly whether or not “about” collection is a part of PRISM. And if that’s the case, he should also explain when and why PRISM was expanded to include this. But, of course, Clapper and the Intelligence Community tend not to want to explain very much of anything, leaving lots of people in the dark.

And, frankly, that’s stupid. The Intelligence Community thinks that this keeps “bad guys” on edge, not knowing what’s safe and what’s not. But that’s dumb. They mostly know to use more encrypted/secret means of communication when they need to. Instead, what you end up with is keeping the public on edge and not trusting services. I can almost guarantee that one of the early comments on this post will be some of you insisting that all the companies denying doing this are flat out lying. I don’t agree with that, because the companies don’t have a history of outright lying on things like this, but the way the NSA and other parts of the US government have repeatedly tried to pressure them and gag them, it’s much tougher to take anything at face value any more. And that’s not good for anyone.

Filed Under: about collection, about selectors, mass surveillance, nsa, prism, section 702, upstream
Companies: facebook, google, microsoft, twitter, yahoo

Snowden Docs Show NSA, New Zealand Spied On Pro-Democracy Activists

from the we-love-democracy,-not-so-much-those-who-advocate-for-it dept

The Intercept has published a few more documents from the Snowden stash — these ones detailing the NSA’s partnership with New Zealand’s top intelligence agency to place pro-democracy activists under surveillance.

As part of the spy mission, the NSA used its powerful global surveillance apparatus to intercept the emails and Facebook chats of people associated with a Fijian “thumbs up for democracy” campaign. The agency then passed the messages to its New Zealand counterpart, Government Communications Security Bureau, or GCSB.

One of the main targets was [Tony] Fullman, a New Zealand citizen, whose communications were monitored by the NSA after New Zealand authorities, citing secret evidence, accused him of planning an “an act of terrorism” overseas.

The “act of terrorism” claims were odd, considering Fullman’s activism was aligned with the New Zealand government’s own views: opposition to neighboring Fiji’s authoritarian ruler, Frank Bainimarama. Utilizing PRISM, the NSA intercepted Fullman’s Gmail and Facebook messages, along with gathering everything it could from his public postings — including this data on his apparently terrorism-related personal vehicle.

Both the NSA and its New Zealand partner have refused to comment on the misguided surveillance, stating only that everything done was performed lawfully.

The erroneous assumptions of terrorism seem to be linked to Fullman’s lifelong friendship with a top Fijian military official. Fullman grew up in Fiji, where he met Ratu Tevita Mara in the 1960s. Fullman moved to New Zealand while in his 20s before returning to take a government position in 2009. By that point, Mara had moved up in the military to a position as the Fijian army’s chief of staff. Mara, however, drew heat from the Fijian government for his opposition to the current regime.

Mara was dissatisfied with the leadership and, in May 2011, he became embroiled in a high-profile dispute with the Bainimarama regime. He was accused of plotting to overthrow the government and charged with uttering a seditious comment. He was hauled before a court, where he was threatened with imprisonment for allegedly uttering the words, “This government is fuck all.”

Mara fled Fiji, remaining in contact with Fullman, who also left Fiji after being questioned by local authorities about his relationship with Mara. A visit to New Zealand with Mara resulted in Fullman’s life being turned upside down.

At 7am on July 17, 2012, about a week after Fullman had returned to Australia from the trip to New Zealand, a team of more than a dozen Australian security agents and two Australian federal police detectives arrived at his sister’s home in Sydney looking for weapons and other evidence of the suspected plot.

They seized computers, phones and documents from the premises and confiscated Fullman’s passport on behalf of the New Zealand authorities. Teams of New Zealand Security Intelligence Service officers and police simultaneously raided Fullman’s former apartment in the Wellington suburb of Karori and the homes of at least three other Fiji Freedom and Democracy movement supporters in Auckland, seizing their computers and other property.

In addition, Fullman’s passport was revoked by the New Zealand government, which claimed Fullman was part of a group planning to violently overthrow the Fijian government. New Zealand’s intelligence agency asked the NSA for assistance in digging up info on Fullman and keeping him under surveillance. The documents published today make Tony Fullman the first confirmed target of the NSA’s PRISM surveillance.

According to the documents viewed by The Intercept, the NSA couldn’t seem to decide how to classify its surveillance of Fullman, alternating between listing him as a “foreign government” target (even though Fullman no longer worked for the Fijian government) and a “counter-terrorism” target.

Months of surveillance efforts — shared with New Zealand intelligence operatives — produced nothing more than what could likely have been observed without all the intercepted emails/Facebook messages, harvested bank statements, and precise GPS data on Fullman’s Mitsubishi station wagon.

[T]here was not a single hint of any plans for violence or other clandestine activity.

It would soon become clear that there was no evidence to support the New Zealand authorities’ suspicions. And gradually, their case would fall apart.

Ten months after placing Fullman under surveillance and stripping him of his passport, New Zealand’s government returned it to him and declared him to be “no longer” of “national security concern.” This determination came two months after Fullman began taking legal action against the New Zealand government for its raid of his sister’s home and the cancellation of his passport.

That’s not the only bit of suspicious timing: Fullman believes the raid was politically-motivated.

Four days after the raids on Fullman and his fellow campaigners, New Zealand foreign minister Murray McCully traveled to Fiji for trade talks. Fullman believes that the timing was no coincidence — and that the raids targeting the pro-democracy group were used by the New Zealand government as a bargaining chip to curry favor with the Bainimarama regime. “The minister can go to Fiji and say, ‘look we saved you, let’s be friends again, let’s start talking about how we can help each other again’,” Fullman says. “It was part of the frame up.”

The New Zealand government may have felt its efforts fell into “no harm, no foul” territory after it reinstated Fullman’s passport and dropped its surveillance. But Fullman points out the high-profile raid it carried out damaged his reputation by erroneously linking him to an assassination plot. On top of that, Fullman is still subjected to additional security screening any time he travels. Fullman was never informed he was under surveillance by a foreign intelligence agency and he has never been compensated, much less apologized to, for his treatment at the hands of his own government.

The surveillance detailed here shows the NSA is willing to help foreign governments spy on their own citizens for politically-motivated reasons involving what would normally be considered protected forms of expression. It also shows that when governments do this sort of thing, they’re unlikely to admit any wrongdoing, even when they tacitly admit they placed the wrong person(s) under surveillance.

Filed Under: ed snowden, gcsb, new zealand, nsa, prism, snowden docs, surveillance, tony fullman

Expanding Unconstitutional Backdoor Searches Of Surveillance Data Is Easy: Just Change What Words Mean

from the some-language-tricks-and-funny-games dept

I already wrote a post about how the FISA Court rejected the arguments of the public advocate that it appointed to review the legality and constitutionality of the infamous backdoor searches. However, I wanted to put up a second post as well, digging a little deeper into what the ruling itself means, rather than just focusing on the public advocate part of it. Because it’s pretty scary. We already knew that, once that data was collected under the Section 702 PRISM program, the NSA opened it up to both the CIA and FBI to search on for other purposes.

However, as Elizabeth Goitein explains over at Just Security, even then there were some limitations:

 The Justice Department, having worked Section 702 into the foreign intelligence exception by certifying that the government?s targets were not Americans and that the surveillance had a foreign intelligence purpose, and having met the constitutional reasonableness requirement by noting that incidentally collected information about Americans would be ?minimized,? was allowing the FBI to run queries of Section 702 data to obtain information about Americans in ordinary criminal cases. Edward Snowden?s disclosures confirmed this practice, and the Privacy and Civil Liberties Oversight Board?s (PCLOB) report on Section 702 revealed that it was routine.

Many commentators (myself included) have noted that this loophole creates an end run around the warrant requirement in ordinary criminal cases. Until recently, however, there was at least one substantive limitation on the FBI?s ability to query Section 702 data. As reported by the PCLOB, the FBI?s minimization procedures provided that queries must be ?reasonably designed? to ?find and extract? either ?foreign intelligence? or ?evidence of a crime.? This was a far cry from the probable cause that would be needed to obtain a warrant, but it was something. The FBI, at least on paper, could not simply go on a fishing expedition through the warrantlessly obtained data.

But the details of this newly revealed ruling show that that limitation has gone away — basically because the FBI changed its own minimization procedures in part to pretend English words don’t mean what they really mean. In the past, the NSA has reinterpreted many English words to mean things different than their plain English meaning. In this case, the FBI has decided to redefine the word “query”:

Displaying the intelligence community?s penchant for defining well-understood terms to mean something entirely different, the FBI?s most recent minimization procedures, in the FISC?s words, ?clarify that a search of an FBI storage system containing raw-FISA acquired information does not constitute a ?query? within the meaning of the procedures if the user conducting the search does not receive access to unminimized Section 702-acquired information in response to the search.? This includes instances in which the search does return unminimized Section 702-acquired information, and the agent is notified of that fact but is not authorized to access the data. Because such searches are deemed not to constitute ?queries,? they presumably are not subject to the requirement that ?queries? must be reasonably designed to return foreign intelligence or evidence of a crime.

The new procedures also ?clarify? what happens if an agent performs a search that returns Section 702 information the agent is not authorized to access. In such cases, an agent who is authorized to access the information may re-run the search and determine whether the information ?reasonably appears . . . to be foreign intelligence information, to be necessary to understand foreign intelligence information, or to be evidence of a crime.? If so, the information is passed along to the original agent.

This ?clean team? approach is no substitute for a limitation on the initial search. It is analogous to claiming that searches of homes are not ?searches,? and thus do not require warrants, if the agents performing the search find nothing ? or if an elite team steps in to perform the search and can turn over what it finds to prosecutors only if it is evidence of a crime. Previously, the procedures did not allow fishing expeditions; now they do, and it seems somewhat beside the point that the fisherman only gets to keep the fish if he catches one.

Got that? A query is no longer a query and the FBI has much broader authority to do backdoor searches than was previously known. As the EFF notes in response to this, this seems to fly in the face of legal precedent and the Constitution:

This is a constitutional problem. Quite apart from the bait and switch opportunities it creates for the FBI, it’s like saying it’s OK for school officials to set up a drug testing program for non-law enforcement purposes, and then once it?s set up, they can completely abandon that purpose and start testing students to simply to put them in jail. Or that the government can set up a program to test pregnant women for drugs with a goal to get them into treatment, but also hand the information over to the police and use the threat of prosecution as additional leverage.

The Supreme Court rejected the latter scenario as unconstitutional in Ferguson v. City of Charleston in 2001. Other Supreme Court cases make clear that even holistic, programmatic assessments of Fourth Amendment “reasonableness”?like the one the FISC engages in here?must take into account the invasiveness of these programs. Searching vast databases containing the full content of emails and every website visited by nonsuspect Americans without a warrant is about as invasive as it gets.

And it’s not just the FBI that gets much broader access to these backdoor searches. Marcy Wheeler points out that the decision reveals that the NSA and CIA basically wrote themselves a note last summer saying that they no longer needed to follow minimization procedures… and the judge is cool with that. Here’s the paragraph in the ruling:

The NSA and CIA Minimization Procedures included as part of the July 15, 2015 Submission each contain new language stating that ?[n]othing in these procedures shall prohibit the retention, processing, or dissemination of information reasonably necessary to comply with specific constitutional, judicial, or legislative mandates.? See NSA Minimization Procedures at 1; CIA Minimization Procedures at 4-5. These provisions were not included in the draft procedures that were submitted to the Court in June 2015, but appear to have been added by the government thereafter. They are not discussed in the July 15, 2015 Memorandum.

As Wheeler notes, this is just the NSA and CIA deciding unilaterally that they can ignore minimization. The judge even pointed out that this move “could undermine the Court’s ability to find the procedures satisfy the above-described statutory requirement.” However, the judge, Thomas Hogan, then decides that this is kind of okay because government lawyers told him informally (yes, really!) that they don’t intend to abuse this very much:

The Court understands based on informal communications between Court staff and attorneys for the government that NSA and CIA intend to apply the similar provisions at issue here in the same narrow manner.

Wheeler has a lot more on this particular part of the ruling and how troubling it is. But, in short, it has also broadened the ability of the government to snoop through these massive troves of data. The reliance on informal promises not to take it too far mean very little. As former NSA and CIA director Michael Hayden has said, his job was to push up as close to the boundaries of what was legal as possible. Once Congress or the courts told him what was legal (or, in some cases, the President unilaterally), he would make use of that. Why would that not be the case here? Or, as Wheeler explains more vividly:

I?m not sure how that?ll be effective when President Trump decides he can pass an Executive Order requiring NSA to keep all the US person data it collects but not tell FISC about it, because the order they report on this to him is part of the minimization procedures they say they can blow off.

And, of course, none of this can be appealed, because even though there are the arguments from the public advocate (which didn’t include this last part about ignoring minimization), only the government itself can appeal a ruling, and they got everything they wanted here (and possibly more).

The only actual way to fix it at this point is for Congress to step in and rewrite the law, but the chances of that happening appear to be slim to none.

Filed Under: 4th amendment, backdoor search, backdoor searches, cia, definitions, fbi, fisa court, fisc, law enforcement, mass surveillance, nsa, prism, query, section 702

FISA Court Rejects Arguments By First Public Advocate To Argue NSA PRISM Backdoor Searches Are Unconstitutional

from the so-that's-a-shame dept

On Tuesday, the Office of the Director of National Intelligence released some redacted versions of three previously secret FISA Court rulings. There are a few interesting things in them, but one notable point, found in a ruling from last November regarding the NSA’s 702 PRISM program, is that the FISC took advantage of the provision in the USA Freedom Act to appoint a public advocate to argue on behalf of the public. One of the big complaints in the past, is that the FISA Court is no court at all. Only one side — the government — gets to present its case, and then the judges decide.

The USA Freedom Act, however, added the ability of the FISC to appoint a public advocate. Many have been quite reasonably skeptical about this — in terms of how often it would be used, who would be appointed and how seriously the FISC would take the public advocate. In this case, we see that the public advocate did, in fact, argue that parts of the PRISM program were unconstitutional… and the FISC then rejected that. In this case, the court appointed Amy Jeffress, a former federal prosecutor and DOJ official — which might make some skeptical of her willingness to actually advocate for the public — however, this ruling shows that she did, in fact argue that the program was unconstitutional (her actual arguments have not been released).

It appears that the FISC specifically asked Jeffress for her thoughts on the so-called “backdoor searches” that we’ve discussed before. Specifically, while the NSA is only supposed to collect info on non-US persons, it can collect and then hang onto a huge swath of information under the 702/PRISM program, including what’s referred to as “about” information (i.e., any information “about” a suspected terrorist — meaning your emails mentioning a terrorist could get sucked up). Historically, if the NSA came across any US person’s information this way they’re supposed to dump it. But through some twists and turns, these days the information gets kept… and is considered “incidentally” collected. Oh and the FBI and CIA then get access to all of that data as well for searching.

In this analysis, the FISC was examining how constitutional that whole thing is (and we’ll have another more detailed post on that as well). The FISC specifically asked Jeffress for an analysis of two specific issues here. Did either of the following two things violate the 4th Amendment: (1) the searches of the information collected in this manner that might return information concerning US persons, and (2) information that is preserved under this system for “litigation purposes” that might otherwise be required to be destroyed under so-called minimization rules. The second one is basically the issue that came up in some EFF cases, where the EFF is challenging the legality of the NSA collecting this data at all, but the NSA started deleting the data in question, because it’s required to delete data after five years. So there’s a question of whether or not that data can legally be kept, even if it needs to be kept for the lawsuit. On this, it appears the court is fine with holding onto data for such litigation preservation.

However, on question number (1), Jeffress apparently noted that the FBI being able to do these backdoor searches appears to go way beyond what’s allowed. Remember, this information was collected specifically for the purposes of national security. The whole 702 program was designed and approved on the basis that it was about national security. Yet, it appears that once the FBI gets its hands on it, it’s used for all sorts of other stuff. This is just what everyone had assumed before when first learning about these backdoor searches. Jeffress starts off by arguing that these kinds of searches simply go beyond what the law itself allows:

Amicus curiae Amy Jeffress has raised concerns regarding the querying provisions of the FBI Minimization Procedures…. Ms. Jeffress does not specifically assert that the querying provisions render the procedures inconsistent with the applicable statutory definition of minimization procedures. Nevertheless, she contends that the FBI Minimization Procedures “go far beyond the purpose for which the Section 702-acquired information is collected in permitting queries that are unrelated to national security.” …

However, the court doesn’t buy it:

The Court respectfully disagrees.

There is no statutory requirement that all activities involving Section 702 data serve solely a foreign intelligence national security purpose. To be sure, Section 702 was enacted to permit “the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.”… But even at the time of acquisition, the statute does not require the government to have as its sole purpose obtaining foreign intelligence information. Rather, the AG and DNI need certify only that obtaining foreign intelligence information is “a significant purpose” of the acquisition. Under the “significant purpose” standard, an acquisition under Section 702 is permissible “even if ‘foreign intelligence’ is only a significant — not a primary — purpose” of the targeting decision….

Nor does FISA foreclose any examination or use of information acquired pursuant to Section 702 that lacks a purpose relating to foreign intelligence. It is true that the govemment’s minimization procedures must be “reasonably designed in light of the purpose and technique of the [collection], to minimize the . . . retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information,” and must limit the dissemination of nonpublicly available information identifying unconsenting United States persons to certain circumstances…. Notwithstanding these requirements, however, FISA states that the minimization procedures must also “allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes.” … Hence, FISA does not merely contemplate, but expressly requires, that the government’s procedures provide for the retention and dissemination of Section 702-acquired information that is evidence of crime for law enforcement purposes. This requirement applies whether or not the crime in question relates to foreign intelligence or national security.

The counter argument to this, from Jeffress, appears to be that this is a misreading of the law in question. While it does say such information may be retained and disseminated for the purpose of law enforcement, that doesn’t mean that bulk collection data can be queried for the purpose of law enforcement. This is an important distinction. Jeffress’ reading of the law is basically “okay, if in the process of going through this for legitimate foreign intelligence purposes you ALSO come across evidence of domestic criminal activity, you don’t need to ignore it and can pass it on to law enforcement.” But that’s worlds away from what we actually have today, which is that the NSA basically says “boo, terrorism!” and collects a ton of useless information, but then lets the FBI trawl through for any evidence of criminal behavior.

Unfortunately, the FISC just doesn’t see that argument.

It would be a strained reading of the definition of minimization procedures to permit FBI personnel to retain and disseminate Section 702 information constituting evidence of a crime implicating a United States person for law enforcement purposes, but to prohibit them from querying Section 702 data in a manner designed to identify such evidence. And such an interpretation would lead to anomalous results: FBI personnel who came across one communication acquired under Section 702 that incriminates a United States person perhaps because it was responsive to a query for foreign intelligence information would be prohibited from running queries tailored to identify additional communications obtained under Section 702 pertaining to the same criminal activity, even though Section 1801(h)(3) explicitly authorizes the retention and dissemination of such information for law enforcement purposes.

This seems like a stretch to me. There are lots of situations where law enforcement may be able to lawfully access some information, but not lawfully access other information. Hell, under the scenario described, it seems like the FBI could use the information obtained from a legitimate national security query to then issue a subpoena or warrant for the other information, since we’re mostly talking about information held by 3rd parties anyway.

Jeffress also made the constitutional arguments… which also fell flat.

Amicus curiae Amy Jeffress urges the Court to reconsider its prior Fourth Amendment assessments and to reach “a different conclusion” in light of the provisions of the FBI Minimization Procedures, discussed above, permitting agents and to query the Section 702-acquired information in the possession using United States-person information for the purpose of finding evidence of crimes unrelated to foreign intelligence…. Ms. Jeffress asserts that without additional safeguards, such querying is inconsistent with the requirements of the Fourth Amendment:

The querying procedures effectively treat Section 702-acquired data like any other database that can be queried for any legitimate law enforcement purpose. The minimization procedures do not place any restrictions on querying the data using U.S. person identifiers. . . . As a result, the FBI may query the data using U.S. person identifiers for purposes of any criminal investigation or even an assessment. There is no requirement that the matter be a serious one, nor that it have any relation to national security. . . . [T]hese practices do not comply with . . . . the Fourth Amendment.

According to Ms. Jeffress, the querying provisions of the FBl Minimization Procedures should be revised to “require a written justification for each U.S. person query of the database that explains Why the query is relevant to foreign intelligence information or is otherwise justified,” or in some other manner that provides additional protection for the United States- person information in the FBI’s possession.

The court rejects this — and also rejects Jeffress’ claim that each search by the FBI should get its own 4th Amendment scrutiny — saying the whole program can be judged as one. The reason for rejecting the constitutional claim, however, is pretty weak. It basically says, well, the government has to balance national security with privacy and in this case, it’s okay. It also notes that there are some limitations on what the FBI can look at and also the fact that the FBI has rarely actually found evidence of criminal activity while trawling through the database (though I fail to see how that impacts the constitutional question at all…).

So, it does look like Jeffress put forth a decent argument… but the court simply didn’t buy it. That’s obviously going to happen, but the real question is whether or not the FISC will ever take the arguments of a public advocate seriously.

Filed Under: 4th amendment, amy jeffress, cia, fbi, fisa court, fisc, mass surveillance, minimization, nsa, prism, public advocate, section 702

Court Dismisses Wikimedia's Lawsuit Over NSA Surveillance

from the not-over-yet dept

Back in March, we noted that Wikimedia was suing the NSA over its mass surveillance program under Section 702 of the FISA Amendments Act. This is the part of the law that the NSA uses to justify its “upstream” collection — which lets the NSA partner with backbone providers like AT&T and tap their fiber lines at entry/exit points from the country and sniff through all the traffic. The problem in many lawsuits concerning NSA surveillance is that it’s been difficult for the plaintiff to satisfy the requirements necessary to get “standing.” That is, can the plaintiff prove that he/she/it had rights violated by the program. Many earlier attempts failed, because they just presented stories of “well, the NSA is collecting everything, so…” and the courts have said that’s not enough, since it needs to be shown that the plaintiff, in particular, was a target.

Wikimedia (and the ACLU, who is helping with the case), believed they had a smoking gun that could grant them standing. The following slide, which was revealed by Ed Snowden:

See that Wikipedia logo? Wikimedia Foundation and the ACLU argued that this presented evidence that the NSA was targeting Wikipedia users, and thus the Wikimedia Foundation had standing.

Unfortunately, so far, it’s not working. Earlier today, the court tossed out the lawsuit, saying that Wikimedia did not present enough evidence to prove it has standing. The court, not surprisingly, relies heavily on the Supreme Court’s ruling in Clapper v. Amnesty International, in which SCOTUS rejected Amnesty’s similar claim by saying the organization failed to prove it had standing, since it couldn’t prove its team was caught up in dragnet surveillance. Of course, famously, to get to that ruling, the US government flat out lied to the Supreme Court (something it has since admitted), claiming (incorrectly) that if information collected via such surveillance was used in criminal cases, the defendants would be told about it.

But, no matter, the court says that under the Clapper ruling, Wikimedia does not have standing, and basically argues that this case really is no different than that one. It rejects the idea that, thanks to Snowden, we now know a lot more about the NSA’s surveillance program, basically saying that it’s still too speculative.

Plaintiffs cannot provide a sufficient factual basis for their allegations because the scope and scale of Upstream surveillance remain classified, leaving plaintiffs to prop their allegation of actual injury on suppositions and speculation about how Upstream surveillance must operate in order to achieve the government’s “stated goals.” Indeed, plaintiffs cite the government’s “stated goals” in nearly every facet of their argument…. It is, of course, a “possibility” that the NSA conducts Upstream surveillance in the manner plaintiffs allege, but this “bare assertion” is unaccompanied by “factual matter” that raises it “above a speculative level,” and hence does not establish standing.

The court notes that the “speculative chain” may be “shorter” than in the Clapper case, but “it is a chain of speculation nonetheless.”

The court also rejects the claim that since it’s been revealed that the NSA does “about” searches in addition to “to” and “from” searches, that reveals much more broad searches. If you don’t recall, one of the revelations is the fact that the NSA can run queries not just on something like “emails to or from Osama bin Laden” but also “emails about Osama bin Laden” which obviously would include a much larger set of content to sniff through. The court doesn’t think this matters very much:

… plaintiff’s contention that “about surveillance” is like the hypothetical government agent reading every piece of mail misses the mark. Unlike the hypothetical government agent reading every word of every communication and retaining the information, “about surveillance” is targeted insofar as it makes use of only those communications that contain information matching the tasked selector.

In short… it’s not a problem that the NSA sniffs through everything to find all the emails about Osama bin Laden, because it’s not using the data in all the ones it rejects. Besides, the court argues, the argument is still highly speculative.

Finally, the court looks at a few specific arguments for why Wikimedia and some of the other plaintiffs have more direct evidence that situate themselves differently. First, there’s lawyer Joshua Dratel, who is somewhat well known for taking some rather high profile cases, such as handling Ross Ulbricht’s defense over the Silk Road arrest, or defending the widow of Boston Marathon bomber Tamarlane Tsarnaev. Two other clients were Agron Hasbajrami and Sabirhan Hasanoff — and in both cases, the government has admitted those two were subject to Section 702 surveillance. From there, the ACLU argues this means that Dratel’s communications were almost certainly swept up and looked at by the NSA as well. However, the court doesn’t buy it, saying that while it may be true that Dratel’s communications were likely swept up, there’s still not enough evidence that it was swept up by the 702 upstream program that the lawsuit is about:

Plaintiffs in this case… do not allege facts that plausibly establish that the information gathered from the two instances of Section 702 surveillance was the product of Upstream surveillance. In neither of Dratel’s cases did the government indicate whether the information at issue was derived from PRISM or Upstream surveillance, and no factual allegations in the AC plausibly establish that Upstream surveillance–rather than PRISM–was used to collect the information. Moreover, given what is known about the two surveillance programs, it appears substantially more likely that PRISM collection was used in these cases…

The court is probably right here. There are two major surveillance programs under 702. The “Upstream” program that taps the backbone and then PRISM, in which a list of big internet firms agree to hand over certain information pursuant to a FISA court ruling rubber stamp telling them to hand over that information. And it is actually likely that the part of 702 that was used on Dratel’s clients was of the PRISM variety. But the “well, you were surveilled under this other program using the same authority…” reason to dump this argument seems pretty weak. Because it still means surveillance of dubious legality under the same legal authority.

Then there’s the case of Wikimedia, who argues that given the government’s “stated goals,” and the vast amount of traffic going to Wikipedia, it’s all but certain that Wikipedia has been swept up in the Upstream collection. The court still isn’t buying it:

Plaintiffs’ argument is unpersuasive, as the statistical analysis on which the argument rests is incomplete and riddled with assumptions. For one thing, plaintiffs insist that Wikimedia’s over one trillion annual Internet communications is significant in volume. But plaintiffs provide no context for assessing the significance of this figure. One trillion is plainly a large number, but size is always relative. For example, one trillion dollars are of enormous value, whereas one trillion grains of sand are but a small patch of beach. Here, the relevant universe for comparison purposes is the total number of annual Internet communications, a figure plaintiffs do not provide–nor even attempt to estimate–in the AC. Without defining the universe of the total number of Internet communications, it is impossible to determine whether Wikimedia’s alleged one trillion annual Internet communications is significant or just a drop in the bucket of all annual Internet communications.

Moreover, plaintiffs conclude that there is a greater than 99.9999999999% chance that the NSA has intercepted at least one of their over one-trillion communications on the bases of an arbitrary assumption, namely that there is a 0.00000001% chance the NSA will intercept any particular Internet communication. Plaintiffs provide no basis for the 0.00000001% figure, nor do they explain why the figure is presented as a conservative assumption. Plaintiffs seem to presume a string of zeroes buys legitimacy. It does not. Indeed, a closer look reveals that the number of zeros chosen by plaintiffs leads conveniently to plaintiff’s desired result. If three more zeros are added to plaintiffs’ figure (0.00000000001%), the odds that at least one of Wikimedia’s one trillion annual communications is intercepted drops to approximately 10%. If four more zeros are added (0.000000000001%), the odds that at least one of Wikimedia’s communications is intercepted drops to 1%. In short, plaintiffs’ assumption appears to be the product of reverse engineer; plaintiffs first defined the conclusion they sought–virtual certainty–and then worked backwards to find a figure that would lead to that conclusion. Mathematical gymnastics of this sort do not constitute “sufficient factual matter” to support a “plausible allegation.”

Ouch.

The court also rejects the idea that this kind of ruling means that the Upstream program can never face judicial review, pretending that the fact that the FISA court reviewed it (without any adversarial party) is enough… and (again, incorrectly) that criminal defendants prosecuted with information collected under the program can challenge said collection. And, yes, it’s true that the DOJ has now said that it will start informing defendants, but it didn’t for years.

The ACLU is, not surprisingly upset by the ruling, and I imagine it will be appealed soon.

Filed Under: fisa amendments act, joshua dratel, prism, section 702, standing, surveillance, upstream, wikipedia
Companies: aclu, wikimedia foundation

NSA Screws Up Another Thing: EU Court Of Justice Throws The Internet For A Loop In Ending Safe Harbor

from the well,-now-what? dept

A couple of weeks ago we wrote about the fact that it appeared that the EU Court of Justice was likely to throw out the EU-US data protection safe harbor as invalid, following a case brought over the NSA’s snooping on US tech companies — and now it has happened. The “the EU-US data protection safe harbor” may sound boring, but it’s actually been fairly important in making sure that US internet companies can operate in Europe. It’s been under attack for some time from those who feel that these American companies don’t take European privacy interests seriously enough, but it’s really the NSA and its idiotic “collect it all” mentality that has brought the whole structure crashing down. Many will celebrate this, but probably for the wrong reasons. As it stands right now, this result is undoubtedly bad for the internet. What happens next is key. If you want to blame anyone… blame the NSA. And if the US wants to fix this mess, it needs to stop mass surveillance.

The case was brought by Max Schrems, an Austrian privacy activist who argued that the NSA’s PRISM surveillance program (a program that resulted from Section 702 of the FISA Amendments Act, and enables the NSA to request certain information from internet companies, once approved by the FISA Court) violates the safe harbor. The safe harbor itself was established back in 2000 in order to allow internet companies to transfer data from Europe back to the US, with a promise that the privacy of that data would be kept at a similar level as if it were in Europe. The process for getting such safe harbor protections is something of a joke (we’ve gone through it here at Techdirt), and mostly involves throwing money at an organization that takes money to make sure your policies comply with the safe harbor requirements. Like so many regulations, it really seems to only serve to shift money to those who make sure you comply.

Still, losing those safe harbors can really shake up the internet — and not necessarily in a good way. While I’m sure some (probably short-sighted) privacy advocates will cheer on this result, it’s going to make a mess of things for the time being. Europe has been working on a new data protection directive to update the old one (which the safe harbor is based on) and early indications are that it will be a mess, and potentially hazardous to free speech rights. In addition, the US and EU have been trying to negotiate a new data protection safe harbor anyway, and that hasn’t been going smoothly, and this will continue to throw a wrench into things.

Big companies will likely be able to negotiate their way around this, but there will likely be some legal flareups in one or two countries, creating a mishmash of jurisdictional confusion over privacy rights. Smaller internet companies will now face much greater threats in doing business in Europe. Even worse, some are going to use this as an opportunity to try to fragment the internet, demanding companies keep data locally within country borders — which actually will create more targets for mass surveillance, rather than fewer. Chances are that little will change in the immediate future — as many companies will just keep right on doing what they’re doing and hoping no one really cares. But the potential for people to bring lawsuits could shake things up.

In the specific case here, the Court of Justice found that the safe harbor was invalid, and thus it did not stop Irish officials from considering Schrems’ complaint that Facebook violated his rights in making data available to the NSA. So that specific case still needs to move forward and should be interesting to watch.

In short, though, this is yet more damage directly done by the NSA and the US’s ridiculous attitude towards mass surveillance, without any concern at all to the economic costs that such mass surveillance creates for US companies. As the EFF notes in its response to the news, the US brought this on itself with its idiotic mass surveillance efforts. This end result is a mess that could lead to greater fragmentation of the internet, which won’t do anything to better protect people’s privacy (and, actually, might make it more exposed). The only logical way forward is to move away from mass surveillance and towards a more comprehensive view of privacy that takes into account the public’s rights — including the right to free expression. Danny O’Brien at EFF sums it up nicely:

That would certainly force the companies to re-think and re-engineer how they manage the vast amount of data they collect. It will not, however, protect their customers from mass surveillance. The geographic siloing of data is of little practical help against mass surveillance if each and every country feels that ordinary customer data is a legitimate target for signals intelligence. If governments continue to permit intelligence agencies to indiscriminately scoop up data, then they will find a way to do that, wherever that data may be kept. Keep your data in Ireland, and GCHQ may well target it, and pass it onto the Americans. Keep your data in your own country, and you’ll find the NSA?or other European states, or even your own government? breaking into those systems to extract it.

What will change the equation is for states, including and especially the United States, to realize that dragnet surveillance undermines their national security and the global security of our data. It has economic consequences, as regulators, companies and individuals lose trust in Internet companies and services. It has political consequences as nations vie to keep data out of the hands of other countries, while seeking to keep it trackable by their own intelligence services.

There’s only one way forward to end this battle in a way that keeps the Internet open and preserves everyone’s privacy. Countries have to make clear that mass surveillance of innocent citizens is a violation of human rights law, whether it is conducted inside their borders or outside, upon foreigners or residents. They have to bring their surveillance programs, foreign and domestic, back under control.

The ruling today is not a win for privacy. It creates a bigger mess, but it’s one that needs to be cleaned up at the source, and that’s where governments (and not just the US government) are going with mass surveillance. Unfortunately, there doesn’t seem to be any indication that this is what’s going to happen. Instead, expect the US and EU to try to paper over this by coming up with a new safe harbor plan that won’t change anything, but which may just be more expensive for companies. That’s a mistake. There’s a way to fix this mess and it’s to stop mass surveillance.

Filed Under: data protection directive, eu court of justice, eu us data protection safe harbors, eucj, mass surveillance, max schrems, nsa, prism, privacy, safe harbors, section 702, surveillance
Companies: facebook

Amazon Finally Joins The Transparency Party: Notes That It Did Not Join PRISM

from the yes,-but... dept

Earlier this year, we noted that Amazon was alone among the giant internet companies in refusing to publish a transparency report providing details on government requests for information. Amazon was also absent from the legal fight that many big tech companies filed against the government over the right to disclose such information (a fight that only Twitter is still fighting).

Finally, however, late on Friday, Amazon joined the party with its first ever Transparency Report (though it tries to cover up the fact that it’s the first time it’s ever done this by calling it the company’s “bi-annual report.”) In an accompanying blog post, however, the company plays up its privacy fighting bona fides — something many privacy advocates had long questioned — by highlighting that it “never participated in the NSA’s PRISM program” and that it had challenged government subpoenas for information:

Where we need to act publicly to protect customers, we do. Amazon never participated in the NSA?s PRISM program. We have repeatedly challenged government subpoenas for customer information that we believed were overbroad, winning decisions that have helped to set the legal standards for protecting customer speech and privacy interests. We also advocate in Congress to modernize outdated privacy laws to require law enforcement to obtain a search warrant from a court to get the content of customer communications. That?s the appropriate standard, and it?s the standard we follow.

That may be true, but it’s also been true that Amazon has been noticeably absent from a variety of efforts to stop government surveillance — including many that involve nearly every other big internet company. Hopefully this move, joining the rest of these companies in producing a transparency report, is a step towards being even more engaged on these issues as well. Given just how much infrastructure now runs on Amazon’s web services platform, it needs to be a stronger champion for privacy and against unnecessary surveillance.

Filed Under: nsa, prism, transparency, transparency reports
Companies: amazon