The American Civil Liberties Union (ACLU) has put out a fresh call for tech companies to push for reform of the surveillance regime in the U.S., warning of the added urgency given new U.S. President Donald Trump — who has already been demonstrably hostile to foreigners’ privacy rights in his first few days in office.
Late last week one of the ACLU’s staff attorneys was cross-examined in the High Court in Ireland as an expert witness in a piece of litigation focused on Facebook’s use of a data transfer mechanism to authorize its processing of Europeans’ data in the U.S. The court hearing started last Tuesday and is expected to last for three weeks.
The complaint against Facebook pivots on whether US Government surveillance activity undermines European privacy protections — as the region’s top court, the CJEU, previously ruled to be the case regarding a prior data transfer mechanism (Safe Harbor).
The Irish High Court is considering whether to refer similar concerns about the legal robustness of so-called Standard Contractual Clauses (SCCs) — an alternative mechanism for authorizing EU-US personal data transfers — to the CJEU.
The Irish data protection commissioner is pushing for the referral, after reaching a provisional view in May 2016 that U.S. law does not adequately protect Europeans’ data. It’s not the only European body with serious concerns here, either.
Despite Facebook being the focus of the legal complaint, the case has much wider significance given scores of other companies also make use of SCCs to authorize transatlantic data flows — which means that should the mechanism fail, many businesses, not just Facebook, will need to change how they operate in order to comply with European law.
In a blog post discussing its role in the litigation, the ACLU makes this point, warning that: “If the European courts ultimately conclude that the U.S. surveillance regime lacks essential protections for E.U. citizens, companies like Facebook may have more difficulty transferring their users’ private data to the United States — at least until the U.S. adopts badly needed reforms to its surveillance laws.”
“There are several ways that tech companies could push for stronger protections for their users’ data in the face of U.S. government spying,” it adds, going on to suggest tech firms actively lobby members of Congress to enact surveillance reforms.
The ACLU is especially urging action on a portion of the Foreign Intelligence Surveillance Act (FISA) called Section 702 — which has been used by US intelligence agencies to justify collecting data in bulk, such as via the NSA’s PRISM program — noting that Section 702 is due to expire this year.
(PRISM refers to the program whereby US intelligence agencies apparently tap the customer data of a raft of tech companies, including Facebook, though exactly how they gain access to user data remains unclear, given all tech firms named in the Snowden disclosures as being part of PRISM claimed to have no knowledge of it.)
“Tech companies, including Facebook, make contributions to dozens of candidates for the House of Representatives and Senate, including politicians who have introduced anti-privacy measures in the past or have advocated for the resurrection of mass surveillance programs. The message to lawmakers should be clear: If they do not support pro-privacy policies, they should no longer expect to receive Facebook support. Surveillance reform must remain a high priority for tech companies,” the ACLU writes.
“Now that President Trump has the keys to the US surveillance state, it’s more important than ever that tech companies work with us in the fight for surveillance reform,” it adds.
TechCrunch contacted Facebook for comment — and to ask whether it supports the ACLU’s calls to reform US surveillance law — but the company declined to make a statement. “As this is an on-going legal case, we are not able to comment on what was said in court,” said a spokeswoman.
Facebook makes use of both SCCs and the newer EU-US Privacy Shield for authorizing its EU-US flows of personal data. It is also arguing in the Irish court that the safeguards and remedies available in the U.S. to EU citizens vis-à-vis their data privacy rights are at least equivalent to those provided by the EU.
Late last week the ACLU’s Ashley Gorski was called as an expert witness in the Irish High Court action on behalf of privacy campaigner Max Schrems — who filed the original PRISM-related complaints against Facebook. (An expert report compiled for the court by Gorski has been published online.)
In comments to the court, Gorski described the U.S. Judicial Redress Act as a “significantly flawed remedy for EU persons” on account of it being designed as an extension of the U.S. Privacy Act which she noted contains “several significant exemptions”, including for classified information.
“The NSA effectively has exempted itself from the most significant protections afforded to individuals in the Privacy Act,” she said. “So… the Judicial Redress Act doesn’t… have the force that… the court may believe that it has based on some of the expert declarations.”
In her report she also argues against Facebook’s position, asserting that U.S. law fails to provide adequate safeguards for Europeans’ data protection rights on account of an “extremely permissive” surveillance regime, which also offers “no viable avenue to obtain meaningful redress for the rights violations resulting from this surveillance”.
On Section 702, she writes that it “effectively exposes every international communication — that is, every communication between an individual in the United States and a non-U.S. person abroad — to potential surveillance”, noting for example that it authorized the NSA’s Upstream surveillance program (which directly taps Internet infrastructure to siphon data).
“Through Upstream surveillance, the NSA has generalized access to the content of communications, as it indiscriminately copies and searches through vast quantities of personal metadata and content,” she writes. “Based on the public information concerning the scope of Upstream surveillance, I believe that there is a substantial likelihood that this surveillance results in the NSA’s accessing, copying, and searching of data transmitted from Facebook Ireland to Facebook in the United States.
“While some or all of this data may be encrypted, that would not prevent the NSA from copying, examining, and seeking to decrypt the intercepted Facebook data. As noted… above, when the agency collects encrypted communications under Section 702, it can retain those communications indefinitely, and public disclosures indicate that the NSA has succeeded in circumventing encryption protocols in various contexts.”
Gorski’s report also looks at the role of Executive Order 12333, signed by former US president Ronald Reagan in December 1981, as the “primary authority under which the NSA gathers foreign intelligence”.
“Despite its breadth, surveillance under EO 12333 has not been subject to meaningful oversight by either the U.S. Congress or U.S. courts,” she argues. “Surveillance programs operated under EO 12333 have never been reviewed by any court. Moreover, these programs are not governed by any statute, including FISA, and, as the former Chairman of the Senate Intelligence Committee has conceded, they are not overseen in any meaningful way by Congress.
“EO 12333 and its accompanying regulations place few restrictions on the collection of U.S. or non-U.S. person information. The order authorizes the government to conduct electronic surveillance abroad for the purpose of collecting ‘foreign intelligence’ — a term defined so broadly that it appears to permit surveillance of any non-U.S. person, including surveillance of their communications with U.S. persons.”
Gorski argues that limitations on how the U.S. government can use data collected in bulk for surveillance purposes are “broadly defined” — resulting in the data being very broadly searchable, and the NSA being able to deploy “a wide array of keywords” to sift data it has acquired in bulk (aka “bulk searching”).
“Even ‘targeted’ forms of EO 12333 surveillance are extremely permissive, as the executive order authorizes the government to target non-U.S. persons abroad for virtually any ‘foreign intelligence’ reason, broadly defined,” she adds.
“Recent disclosures indicate that the U.S. government operates a host of large-scale programs under EO 12333, many of which appear to involve the collection of vast quantities of U.S. and non-U.S. person information. These programs have included, for example, the NSA’s collection of billions of cell-phone location records each day; its recording of every single cell phone call into, out of, and within at least two countries; and its surreptitious interception of data from Google and Yahoo user accounts as that information travels between those companies’ data centers located abroad.”
On PPD-28 — an executive branch directive issued by US president Obama in January 2014, which was viewed favorably by EC officials because it imposed certain constraints on the use of bulk-collected communications data, and on the retention and dissemination of the communications of non-U.S. persons — Gorski’s view is that the directive is ineffective, arguing it contains “few meaningful reforms”, which can also “easily be modified or revoked by the next U.S. President”.
Of PPD-28’s list of limitations, she writes: “Taken together, these categories are very broad and open to interpretation, and they effectively ratify the practice of bulk, indiscriminate surveillance.”
She also points out that its limitations do not extend to “other problematic types of mass surveillance”, such as data acquired in bulk and held for a short period — e.g. via the NSA’s Upstream program.
Her report goes on to consider barriers to Europeans’ being able to successfully seek redress for rights infringements resulting from the US surveillance regime, with Gorski arguing the government “routinely seeks to prevent individuals from obtaining redress for Section 702 and EO 12333 surveillance through civil litigation in U.S. courts”.
On this she says the U.S. government has invoked and interpreted the “standing” and “state secrets” doctrines in such a way as to block any adjudication of the lawfulness of its surveillance regime.
“Because virtually none of the individuals who are subject to either Section 702 or EO 12333 surveillance ever receive notice of that surveillance, it is exceedingly difficult to establish what is known as ‘standing’ to challenge the surveillance in U.S. court,” she writes. “Without standing to sue, a plaintiff cannot litigate the merits of either constitutional or statutory claims.”
“Because Section 702 and EO 12333 surveillance is conducted in secret, the U.S. government routinely argues to courts that plaintiffs’ claims of injury are mere ‘speculation’ and insufficient to establish standing,” she adds, pointing to a 2013 ruling in the U.S. Supreme Court that Amnesty International USA and nine other plaintiffs lacked standing to challenge Section 702 “because they could not show with sufficient certainty that their communications were intercepted under the law”.
Another challenge in October 2015, brought by Wikimedia and others to Section 702 surveillance, was dismissed by a U.S. district court on the same grounds — i.e. that the plaintiffs lacked standing.
She further argues the U.S. government has “increasingly sought to use the state secrets privilege not merely to shield particular information from disclosure, but to keep entire cases out of court based on their subject matter”.
“To date, as a result of the government’s invocation and the courts’ acceptance of the standing and state secrets objections described above, no civil lawsuit challenging Section 702 or EO 12333 surveillance has ever produced a U.S. court decision addressing the lawfulness of that surveillance,” she writes.
Another of her points is that the U.S. government has generally taken the position that non-U.S. persons located abroad have no right to challenge surveillance under the U.S. Constitution — dubbing that a “significant” detail, given the crux of the legal challenge (i.e. whether or not Europeans are getting ‘essentially equivalent’ protection for their rights under US law).
She also touches on one of the newer developments vis-a-vis US-EU privacy law: the creation of an Ombudsperson position, as part of the Privacy Shield agreement reached between the EU and the US to replace the invalidated Safe Harbor mechanism.
While this addition is one of the changes the European Commission has cited in arguing that Privacy Shield is legally robust, Gorski’s take is that the Ombudsperson’s “legal authority and ability to provide meaningful redress are severely limited”.
“Even where the Ombudsperson does find that data was handled improperly, she can neither confirm nor deny that the complainant was subject to surveillance, nor can she inform the individual of the specific remedial action taken,” she argues.
“There is no indication that the Ombudsperson can in fact require an executive-branch agency to implement a particular remedy. Nor is there any indication that she is empowered to conduct a complete and independent legal and factual analysis of the complaint — e.g., to assess whether surveillance violated the Fourth Amendment, as opposed to simply examining whether surveillance complied with the relevant regulations.”
She also questions the independence of the position, given the Ombudsperson is part of the State Department — and therefore “not entirely independent from the intelligence community” against whose operations it will be fielding complaints.
“In short, an individual who complains to the Ombudsperson is extremely unlikely to ever learn how his complaint was analyzed, or how any non-compliance was in fact remedied. He also lacks the ability to appeal or enforce the Ombudsperson’s decision,” she adds.
In a sign of how much high-level political concern is being attached to the legal challenge, the U.S. government last year applied to be an amicus in the case — and was granted this status, with the judge writing that the country has “a significant and bona fide interest in the outcome of these proceedings”.
Meanwhile, a new, tougher General Data Protection Directive is due to come into force in Europe next year — which may also have ramifications for the rules around authorizing transatlantic data flows.
This post was updated with additional details of Gorski’s testimony.