A year after Guardian journalist Glenn Greenwald launched Edward Snowden into the annals of history, the most significant change in law to result from the leaks may be a bill that actually weakens consumer privacy while hurting intelligence gathering for national security.
Lawmakers on Thursday held an open hearing on H.R. 3361, known as the Freedom Act, which was originally sponsored by Rep. James Sensenbrenner, R-Wis. Privacy advocates at first hailed the bill as a tough reform measure. But the final, loophole-laden version that won approval in the House did not include language that would have allowed tech companies to be more forthcoming, and far sooner, about the sorts of requests they receive from intelligence agencies.
The heads of several major tech firms, including Facebook’s Mark Zuckerberg, Google’s Larry Page and Apple chief Tim Cook, issued a statement on Wednesday calling the Sensenbrenner bill inadequate and underwhelming. “While the House bill permits some transparency,” they wrote, “it is critical to our customers that the bill allow companies to provide even greater detail about the number and type of government requests they receive for customer information.”
The bill shifts the burden of holding telephone metadata to phone companies, who collect it anyway for billing purposes. The National Security Agency currently holds the metadata it collects for five years, whereas phone companies hold it for a much shorter amount of time. The period varies depending on the data and the company, from a few months to a year and a half.
The main outcome of Thursday’s hearing was that the Intelligence Committee likely will want to insert language into the House bill to mandate that companies hold metadata for 18 months. The NSA would be able to access it under section 702 of the Foreign Intelligence Surveillance Act.
The question of how exactly outsourcing metadata collection to private companies protects Americans’ privacy seemed beyond the ability the lawmakers on the committee as well as the witnesses gathered before them to answer. Privacy advocates pointed out that under the altered version of the bill, NSA would not only be able to access the metadata under the murky workings of the FISA court, but could demand the data without court approval under special emergency circumstances.
“I believe it’s … not reform,” Sen. Mark Udall, D-Colo., remarked. He went on to say that the FISA provision provides flimsy protection for privacy and the current language in the bill allows intelligence workers too much leeway to demand documents and records. “The NSA has shown time and time again it will seize on any wiggle room in the law, and there is plenty of that in this bill,” he said.
Sen. Ron Wyden, D-Ore., pointed out that the bill doesn’t ban warrantless email surveillance and that the FISA statute lets NSA look through “a giant pile of communication” with little to no accountability or transparency. “As global communications get increasingly interconnected, this loophole will grow and grow and grow as a threat to the privacy of Americans,” he said.
Technology and industry experts have said that relying on phone companies to maintain metadata records for reasons other than billing poses raises security concerns.
In testimony before the committee, Verizon vice president and associate general counsel Michael Woods said that compelling telephone companies to hold customer metadata for purposes outside of normal business activity would not improve efficiency, would hurt his company’s relationships with its clients and would be costly (although he couldn’t say exactly how costly.) He, too, was mystified as to how mandating that phone companies hold consumer data for government agencies to peruse served the cause of privacy.
“If a company is required to retain data for the use of intelligence agencies, it is no longer acting pursuant to a business purpose. Rather, it is serving the government’s purpose. In this context, the company has become an agent or surrogate of the government. Any constitutional benefit of having the data held by private entities is lost when, by compelling retention of that data for non-business purposes, the private entity becomes a functional surrogate of the government,” he wrote.
Committee member Susan Collins, R-Maine, pointed out that the primary effect of turning phone companies into NSA deputies would be to increase the number of people allowed to look through private data. “Now we’re going to be asking those private sector employees to do queries that are now done by an extremely limited number of federal employees.”
Even Sen. Dianne Feinstein, D-Calif., who chairs the committee, acknowledged that while the provision seemed to address public discomfort about NSA surveillance, it didn’t actually work to improve privacy. Feinstein also acknowledged that the phone companies were less than enthusiastic partners.
“They don’t want to have to do this, but the public wants it,” she told Defense One.
National security hawks on the committee, such as Saxby Chamblis, R-Ga., also found little to like in the bill. Chambliss opined that the Freedom Act “fixes a lot of things that aren’t broken” and potentially endangered the intelligence community’s ability to gather crucial data to prevent terrorist attacks.
Stewart Baker, a former NSA general counsel, seconded that sentiment.
The Freedom Act, he testified, “is an effort to reject new technology. The fact is that data is getting cheaper to collect, to store and to analyze. This new technology is one of the most promising tools we have to find and thwart terrorists. The [bill] denies this tool to our intelligence agencies. And for what? Ending NSA’s program will not end bulk collection of data in the private sector or by government agencies using other authorities, here and abroad.”
The Judiciary Committee also will examine the bill, and Sen. Patrick Leahy, D-Vt., has signaled concern about the revamped measure’s privacy protections.