Stanford CIS

Congress quietly expands surveillance (again)

By Richard Forno on

As Congress winds down for the holidays, it delivers yet another lump of coal for the American people.

Contained in the 2015 Intelligence Authorization Act is a provision quietly inserted by the US Senate (just prior to voting) that authorizes the “acquisition, retention, and dissemination” of all communications data from U.S. citizens without a court order and then transferred to law enforcement for criminal investigations.

Once leaving the Senate, this proposed Act was passed in the House by a casual (and therefore intentionally unaccountable) 325-100 voice vote with no debate.  It now heads to the White House for a likely presidential signature.

In an impaassioned 'Dear Colleague' letter this week, Rep. Justin Amash (R-MI) notes that "Section 309 [of the Act] provides the first statutory authority for the acquisition, retention, and dissemination of U.S. persons’ private communications obtained without legal process such as a court order or a subpoena. The administration currently may conduct such surveillance under a claim of executive authority, such as E.O. 12333. However, Congress never has approved of using executive authority in that way to capture and use Americans’ private telephone records, electronic communications, or cloud data."

Despite the presence of some restrictions on executive branch use of Americans' private communications, Amash observes that "In exchange for the data retention requirements that the executive already follows, Section 309 provides a novel statutory basis for the executive branch’s capture and use of Americans’ private communications."  Moreover, Amash tells us that "The section contemplates that those private communications of Americans, obtained without a court order, may be transferred to domestic law enforcement for criminal investigations."

Criminal investigations, such as.....?

Reading this, I wonder how long before the entertainment industry convinces law enforcement agencies to take a very broad interpretation of "criminal investigations" when considering how to use these newly-enacted capabilities to conduct "criminal investigations" (into alleged copyright infringement?)  Or anything else, for that matter. Mass digital surveillance in the name of intellectual property protection was publicly refuted with SOPA; it also was strongly challenged in CISPA even as a function of cybersecurity --- but could this broadly-worded federal surveillance statute make it a very real possibility anyway?  After all, it wouldn't be the first time that online infringement and 'piracy' has been linked to national and/or homeland security concerns. Remember too that Hollywood is not beyond going to zany extremes to protect its business model -- in 2002, it wanted the ability to hack into home computers accused of hosting infringing material, and then more recently there were the Internet-breaking, privacy-invading SOPA and PIPA proposals.

Stealthily-enacted invasions of privacy are bad enough in the purported interest of national security; possibly extending such capabilities to support questionable commercial outcomes must not be allowed.

Happy Holidays, folks.