A disagreement that was kept under wraps regarding whether a data center for cloud computing should comply with a surveillance program without a warrant has led to the inclusion of an undisclosed provision in a bill that extends the program, as per sources familiar with the situation.
The disclosure provides clarity on the purpose of an amendment that has raised concerns among privacy advocates, as Senate leaders work towards the swift passage of a bill extending the wiretapping law, Section 702, for two more years. The amendment aims to expand the scope of service providers that can be compelled to participate in the program. However, its wording is cryptic, making it difficult to discern its intended permissions.
Data centers serve as centralized warehouses for computer servers, enabling access to them from anywhere in the world via the internet. In the current era of cloud computing, these data centers are commonly managed by third-party providers who offer storage space and computing power to facilitate the functioning of various online services for businesses.
National security officials have characterized the provision as a targeted solution to a specific problem. However, they have refrained from disclosing a classified court ruling from 2022 that prompted this provision. Their reasoning is that revealing this information could potentially tip off foreign adversaries. On the other hand, privacy advocates have expressed concerns about the amendment, arguing that its wording is so broad that it could potentially be used to recruit ordinary individuals, such as cable installers, janitors, or plumbers who have access to office computer equipment, as spies.
The government has the authority, under Section 702, to gather communications from foreign individuals abroad who have been targeted for intelligence or counterterrorism purposes. This is done without a warrant and involves collecting data from U.S. companies like Google and AT&T, even when these individuals are communicating with Americans. Section 702 was enacted in 2008 to legalize a warrantless surveillance program that was initiated by President George W. Bush after the September 11, 2001 terrorist attacks.
After the national security surveillance court approves the government’s annual requests to renew and establish rules for the program, the administration issues directives to electronic communications service providers, requiring their participation. If any of these entities refuse to cooperate, the court will decide whether they are obligated to do so.
In August of last year, the government made the decision to partially declassify court rulings related to the ongoing dispute. The surveillance court, in 2022, and a subsequent appeals court panel, ruled in favor of an unnamed company that had objected to being forced to participate in the program. The company argued that one of its services did not meet the required criteria.
According to anonymous sources familiar with the matter, the judges found that a data center service does not meet the legal definition of an “electronic communications service provider” because it does not enable its users to send or receive electronic messages. Although the details have been redacted, these sources reveal that this conclusion was reached during the discussion of a sensitive issue.
In both rulings, it was suggested that Congress should update the definition if the interpretation was causing any issues. Judge Rudolph Contreras, who was presiding over the surveillance court at the time, wrote that if the government believed that the scope of Section 702 directives needed to be expanded for national security reasons, it should address this matter with Congress.
The appellate panel observed that the definition used in Section 702 originates from a law that Congress drafted in 1986. This indicates that the definition is based on internet architecture that is nearly four decades old. The panel also acknowledged that any unintentional gaps in coverage, as revealed by their interpretation, can be revisited by the government branches responsible for statutory revision. These branches possess the necessary competence and constitutional authority to address any shortcomings in the legislation.
During an interview, Matthew Olsen, the head of the Justice Department’s national security division, acknowledged that the need for the provision stemmed from advancements in communications technology since the drafting of Section 702 in 2008. However, he did not comment on whether the proliferation of data centers had played a significant role in driving this change.
According to the expert, there has been a notable change in the past 15 years regarding our dependence on a few major backbone internet providers. He emphasizes the need to revisit the core objective of Section 702, which is to address the use of U.S. infrastructure by foreign adversaries.
Olsen emphasized that the law strictly allows the targeting of foreign communications abroad and ensures that its usage is under the supervision of all three branches.
Privacy advocates have raised concerns about the potential implications of the provision. One particularly worrisome interpretation suggests that it could be utilized to compel an individual with laptop access, such as a journalist, to retrieve and disclose communications between themselves and a hypothetical foreign source targeted for intelligence purposes. Senator Ron Wyden, known for his strong stance on privacy matters, has also expressed apprehension about this possibility.
According to Senator Wyden, intelligence agencies have a track record of taking advantage of any authority given to them by Congress in order to conduct surveillance on American citizens. He expressed concerns about the provision, stating that it represents a significant expansion of Section 702 and should alarm anyone who values the rights of Americans.
Expressing frustration over such concerns, Rep. Jim Himes of Connecticut, the ranking Democrat on the House Intelligence Committee, who also co-sponsored the provision, emphasized his discontent.
In an interview, he expressed his admiration for the privacy groups and their dedication to civil liberties. However, he also pointed out that they are exaggerating the situation by comparing it to the Stasi, which is a massive overstatement. Throughout the reauthorization process, they have consistently used fear tactics to generate anxiety.
During the discussions on the renewal of Section 702, Himes, along with his Republican co-sponsor, Rep. Michael Turner of Ohio, proposed an amendment to broaden the scope of individuals eligible to receive a directive. Their amendment sought to include “any other service provider who has access to equipment that is being or may be used to transmit or store wire or electronic communications.”
Private advocates are expressing their dismay over the plain text of the amendment, as they believe it could potentially be misused to compel wireless internet service providers, such as coffee shops and hotels, to engage in warrantless surveillance. This would involve accessing and monitoring the messages of American individuals that are transmitted to and from foreign targets.
Turner and Himes eventually narrowed down the amendment by incorporating a number of exceptions. These exceptions include limitations on directives issued towards entities that primarily function as residential properties, community facilities, food service establishments, or other public accommodations.
The amendment was approved by a vote of 236-186.
Privacy advocates have raised concerns about the broad wording of the bill as it progresses to the Senate. Sean Vitka, policy director for the civil liberties group Demand Progress, emphasized that while the Biden administration may not have the intention to utilize the provision extensively, there is no guarantee that a future administration would share the same perspective.
According to the concerned individual, this alteration has the potential to transform countless Americans into covert government informants, posing a significant risk to both large and small businesses, as well as their extensive customer bases.
The Senate has the potential to narrow down the language in order to exclude the most concerning scenarios that critics of the provision are raising. However, if such changes were made, the bill would need to be sent back to the House. Considering the current legislative calendar, there might not be sufficient time for this additional step.
Section 702, despite being written in a manner that permits the program’s operation until early April 2025, Senate leaders are resolute in their efforts to avoid any interruption in the law’s validity.