On 13 May, the US House of Representatives passed the latest version of the USA Freedom Act – the most prominent piece of legislation to have been introduced in the US in the wake of the Snowden revelations. The bill has had a long and complicated legislative history that we have traced over the past two years and it still needs to be approved by the Senate. If passed it would end the bulk collection of domestic phone metadata that was the subject of the very first Snowden revelation.
This NSA presentation from 2011 gives an overview of anonymising technologies, including Tor: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.
This undated GCHQ presentation describes Tor Hidden Services and potential attacks against them: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.
This undated GCHQ presentation proposes a deanonymisation attack against Tor users based on the collection of data from exit nodes owned by the agency: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.
The US Senate and House of Representatives have worked on multiple versions of a USA Freedom Act of 2014, in response to Edward Snowden’s disclosure and subsequent international debate regarding the NSA’s vast surveillance powers and capabilities. After the House passed a watered-down version that didn’t address major civil liberties concerns, Senator Patrick Leahy of Vermont introduced a new version of the bill on 29 July 2014 that improves upon previous versions and would end bulk collection of phone data.
In a statement introducing the new version, Sen. Leahy tacitly credited Edward Snowden with its inception:
More than a year ago, the world first learned startling details about the massive scope of the National Security Agency’s (NSA) surveillance programs. Since then, the American people and all three branches of government have been debating the same fundamental questions about the extent of government power that the Framers considered when crafting the Constitution.
Various civil liberties, privacy advocates and journalists have since weighed in: the ACLU, the EFF, and the New York Times, among others, endorse Sen. Leahy’s newest bill, conceding that it isn’t perfect but arguing that it’s a step in the right direction. The Times writes, “Over all, the bill represents a breakthrough in the struggle against the growth of government surveillance power. The Senate should pass it without further dilution, putting pressure on the House to do the same.”
The bill comes just ahead of Congress’s August recess, so it might not be voted on until September. After the Senate passes it, both houses must agree on a merger of the two versions or the House would need to vote on the Senate’s newer version.
What the bill would change
The USA Freedom Act of 2014 would ban the NSA’s bulk collection of phone metadata under Section 215 of the USA PATRIOT Act, meaning it would, as the Times writes, “stop the flow of telephone data into the computers of the National Security Agency, keeping the information with the phone companies, where it belongs.”
It would also improve the FISA court process. The EFF lauds two changes:
First, we were pleased to see that it creates a special advocate position that will serve as an amicus in the court and is intended to advocate for civil liberties and privacy.
Second, it directs the Office of the Director of National Intelligence, in consultation with the Attorney General, to declassify “significant” FISA Court opinions. We would have preferred that this process be overseen directly by the Attorney General, with input from the FISA Court itself. On the other hand, the new USA FREEDOM bill actually defines “significant” (the original USA FREEDOM bill did not), and this definition includes any novel interpretation of “specific selection term.”
Civil liberties and privacy journalist Marcy Wheeler cautions (in a post that she later expands upon) that the bill “improves the FISA Advocate (but not necessarily enough that it would be meaningful).” She is “not convinced that makes [the bill] an acceptable improvement off of the status quo” — she considers it an improvement over previous versions of the bill, but “that’s not saying much.”
What it wouldn’t change
The EFF writes that the bill “does not adequately address Section 702 of the FISA Amendments Act, the problematic 2008 law that the government argues gives it the right to engage in mass Internet surveillance”, nor does it “affect Executive Order 12333, which has been interpreted by the NSA to allow extensive spying both on foreigners and U.S. citizens abroad.”
Expounding on what it lacks, the ACLU says:
Improvements need to be made to further narrow the definition of SST, provide strict time frames for destroying all data on innocent people, eliminate loopholes that could be exploited to avoid disclosing relevant information in FISC opinions, and grant the special advocate greater authority to proactively participate in intelligence court proceedings.
Jennifer Granick of Just Security laments:
USA Freedom would not end back door searches. It would require NSA and CIA to count the number of times they do it and report to Congress. But it exempts the FBI from the reporting requirement.
However, Senators Mark Udall and Ron Wyden have “pledged to work to further strengthen the bill’s privacy protections and to close the backdoor search loophole in current law that allows the NSA and other intelligence agencies to search Americans’ private electronic communications without a warrant.”
Sen. Leahy emphasises the bill’s unprecedented nature:
If enacted, this bill would represent the most significant reform of government surveillance authorities since Congress passed the USA PATRIOT Act 13 years ago. This is an historic opportunity, and I am grateful that the bill has earned the support of the administration, a wide range of privacy and civil liberties groups, and the technology industry.
But, as the ACLU frames the bill’s omissions: “we’re running a marathon and this bill only gets us to mile five,” but it’s a start.
The EFF writes:
The USA FREEDOM Act of 2014 is a real first step because it creates meaningful change to NSA surveillance right now, while paving the way for the public to get more information about what the NSA is doing. We believe that this legislation will help ensure that the NSA reform conversation in Congress continues, rather than shutting it down.
The ACLU is similarly looking ahead:
if all the stars align, and the president signs a bill that provides real reform, millions of records that would have been vacuumed up under existing law will remain safe from government collection.
And then Congress can start work on the next NSA reform bill.
A coalition of digital rights groups, media organisations, online platforms and activists have annouced a worldwide day of action against NSA surveillance on 11 February. The Day We Fight Back will take place two years after the enormous international and online protests that saw down SOPA and PIPA and will honour the memory of Aaron Swartz, one of the moving spirits behind those protests, who took his own life in January 2013.
Supporters are encouraged to change their online avatars and embed a banner on their websites. Other plans for the day are being discussed on a dedicated subreddit.
A 49-page research paper from the Cryptanalysis and Exploitation Services summer programme: see the Washington Post article Secret NSA documents show campaign against Tor encrypted network, 4 October 2013.