Security
Headlines
HeadlinesLatestCVEs

Headline

The NSA Is Lobbying Congress to Save a Phone Surveillance 'Loophole'

The National Security Agency has urged top lawmakers to resist demands that it obtain warrants for sensitive data sold by data brokers.

Wired
#web#git#intel#auth#sap#ssl

An effort by United States lawmakers to prevent government agencies from domestically tracking citizens without a search warrant is facing opposition internally from one of its largest intelligence services.

Republican and Democratic aides familiar with ongoing defense-spending negotiations in Congress say officials at the National Security Agency (NSA) have approached lawmakers charged with its oversight about opposing an amendment that would prevent it from paying companies for location data instead of obtaining a warrant in court.

Introduced by US representatives Warren Davidson and Sara Jacobs, the amendment, first reported by WIRED, would prohibit US military agencies from “purchasing data that would otherwise require a warrant, court order, or subpoena” to obtain. The ban would cover more than half of the US intelligence community, including the NSA, the Defense Intelligence Agency, and the newly formed National Space Intelligence Center, among others.

The House approved the amendment in a floor vote over a week ago during its annual consideration of the National Defense Authorization Act, a “must-pass” bill outlining how the Pentagon will spend next year’s $886 billion budget. Negotiations over which policies will be included in the Senate’s version of the bill are ongoing.

In a separate but related push last week, members of the House Judiciary Committee voted unanimously to advance legislation that would extend similar restrictions against the purchase of Americans’ data across all sectors of government, including state and local law enforcement. Known as the “Fourth Amendment Is Not For Sale Act,” the bill will soon be reintroduced in the Senate as well by one of its original 2021 authors, Ron Wyden, the senator’s office confirmed.

“Americans of all political stripes know their Constitutional rights shouldn’t disappear in the digital age," Wyden says, adding that there is a “deep well of support” for enshrining protections against commercial data grabs by the government “into black-letter law.”

The extent to which the NSA in particular uses data brokers to obtain location and web-browsing data is unclear, though the agency has previously acknowledged using data from “commercial” sources in connection with cyber defense. Regardless, the NSA’s lawyers have authored extensive guidelines for acquiring commercially available data, particularly when it belongs to US companies or individuals. Some of the rules prescribed by the agency’s lawyers remain classified.

The NSA did not respond to multiple requests for comment.

A government report declassified by the Office of the Director of National Intelligence last month revealed that US intelligence agencies were avoiding judicial review by purchasing a “large amount” of “sensitive and intimate information” about Americans, including data that can be used to trace people’s whereabouts over extended periods of time. The sensitivity of the data is such that “in the wrong hands,” the report says, it could be used to “facilitate blackmail,” among other undesirable outcomes. The report also acknowledges that some of the data being procured is protected under the US Constitution’s Fourth Amendment, meaning the courts have ruled that government should be required to convince a judge the data is linked to an actual crime.

The US Supreme Court has previously ordered the government to obtain search warrants before seeking information that may “chronicle a person’s past movements through the record of his cell phone signals.” In the landmark Carpenter v. United States decision, the court found that advancements in wireless technology had effectively outpaced people’s ability to reasonably appreciate the extent to which their private lives are exposed.

A prior ruling had held that Americans could not reasonably expect privacy in all cases while also voluntarily providing companies with stores of information about themselves. But in 2018 the court refused to extend that thinking to what it called a “new phenomenon”: wireless data that may be “effortlessly compiled” and the emergence of technologies capable of granting the government what it called “near perfect surveillance.” Because this historical data can effectively be used to “travel back in time to retrace a person’s whereabouts,” the court said, it raises “even greater privacy concerns” than devices that can merely pinpoint a person’s location in real time.

Crucially, the court also held that merely agreeing to let data be used “for commercial purposes” does not automatically abrogate people’s “anticipation of privacy” for their physical location. Rather than apply this view to location data universally, however, the government has allowed defense and intelligence agencies to assume a contradictory view, as their activities were not a factor in Carpenter’s law enforcement-focused ruling.

A growing number of American lawmakers have argued in recent weeks that the US intelligence community is itself more or less facilitating the erosion of that privacy expectation—that location data is protected from unreasonable government intrusion—mainly by ensuring it isn’t.

Andy Biggs, who chairs a subcommittee on federal government surveillance in the House of Representatives, says the federal government has “inappropriately collected and used Americans’ private information” for years. A whole range of agencies, including the Federal Bureau of Investigation and the Drug Enforcement Agency, have been exploiting “legal loopholes,” he says, to avoid oversight while amassing “endless amounts of data.”

A senior advisory group to the director of national intelligence, Avril Haines, the government’s top spy, stated in the report declassified last month that intelligence agencies were continuing to consider information “nonsensitive” merely because it had been commercially obtained. This outlook ignores “profound changes in the scope and sensitivity” of such information, the advisors warned, saying technological advancements had “undermined the historical policy rationale” for arguing that information that is bought may be freely used “without significantly affecting the privacy and civil liberties of US persons.”

Haines’ office did not respond to multiple requests for comment. In a statement last month, the director said she was working to implement key recommendations from her advisors and believed that Americans should be given “some sense” of the policies affecting the collection of their personal data. Much of the framework for dealing with commercial purchases by the intelligence community would be disclosed publicly when it is eventually finalized, she said.

The practice of paying businesses to spy on US citizens is one of several concerns lawmakers say they’ll be exploring this fall during what’s slated to be a long and heated debate over one of the government’s most powerful surveillance tools: Section 702 of the Foreign Intelligence Surveillance Act.

The Mozilla Foundation joined the chorus of civil society groups calling for reforms of the 702 program today, saying FISA’s current process is “overbroad” and “restricted only by weak legislation and executive orders that, experience has shown, do not create real accountability.”

Wired: Latest News

More Spyware, Fewer Rules: What Trump’s Return Means for US Cybersecurity