On May 20, 2013, a young government contractor with an EFF sticker on his laptop disembarked a plane in Hong Kong carrying with him evidence confirming, among other things, that the United States government had been conducting mass surveillance on a global scale. What came next were weeks of disclosures—and official declassifications—as Edward Snowden worked with some of the world’s top news organizations to reveal critical facts about the National Security Agency vacuuming up people’s online communications, internet activity, and phone records, both inside and outside the U.S..
Groups like EFF had been fighting since long before 2013 to reveal and stop the dangerous mass surveillance conducted within the heart of the secretive national security apparatus. But after that summer, Snowden’s revelations acted like a flood light, allowing everyone to better see and understand what happens inside the black box of government surveillance of millions of innocent people in the US. and around the world. The tremendous amount of evidence slowed, if not stopped, the disingenuous denials that the government had made both publicly and privately in response to our allegations. The actual documentary evidence also helped us to better pinpoint our demands, our questions, and our legal tools.
There’s still much work to be done to rein in our overzealous national security state, break political gridlock, and end the extreme secrecy that insulates some of the government’s most invasive tactics.
Now, ten years after those pivotal revelations, what has changed? Some things are undoubtedly better–under the intense scrutiny of public attention, some of the National Security Agency’s most egregiously illegal programs and authorities have shuttered or been forced to end. The Intelligence Community has started affirmatively releasing at least some important information, although EFF and others have still had to fight some long Freedom of Information Act (FOIA) battles. Outside of government, companies and organizations have worked to close many of the security holes that the NSA abused, most prominently by encrypting the web.
But it’s not enough—not even close. There’s still much work to be done to rein in our overzealous national security state, break political gridlock, and end the extreme secrecy that insulates some of the government’s most invasive tactics. One of the most important of those is the upcoming fight to end mass surveillance conducted under the auspices of Section 702. EFF will be taking on that fight, and many others. Please join us!
But on this tenth anniversary, let’s take stock of what we’ve accomplished in stopping mass surveillance, mainly, but not entirely, in the U.S. Of course, any recitation of what the NSA does or does not do always has to have the caveat that, given the intense secrecy and classification system surrounding NSA activities, we only know what is on the public record.
But still, we can see both clear improvements and critical ongoing needs:
10 Years Later: What’s Improved?
Section 215 has Sunsetted
On March 15, 2020, Section 215 of the PATRIOT Act—a surveillance law with a rich history of government overreach and abuse—expired due to its sunset clause. For years, the government relied on Section 215 of the USA Patriot Act to conduct a dragnet surveillance program that collected billions of phone records (Call Detail Records or CDR) documenting who a person called and for how long they called them—more than enough information for analysts to infer very personal details about a person, including who they have relationships with, and the private nature of those relationships. In 2015, a federal appeals court held that NSA’s interpretation of Section 215 to conduct this surveillance dragnet was “unprecedented and unwarranted.”
We fought for, and obtained, an initial victory with the passage of the 2015 USA Freedom Act, which ended the daily “bulk collection” 215 orders. One of those orders, aimed at Verizon, was the first document released by the journalists working with Snowden.
Despite this critical step, however, the government continued to collect hundreds of millions of phone records—just not as part of wholesale daily bulk collection orders. And in 2018, the NSA was compelled to delete millions of records after it learned that some of the data had been collected from phone service providers without legal authority or authorization. Because it couldn’t stay within the law, the NSA shuttered the post-USA Freedom CDR program—and with Section 215 ending, so too ended its legal authority to ever be turned on again.
The government still has several other tools at its disposal to collect a vast amount of data on individuals. But, with the authorization for Section 215 currently revoked, and Congress having changed the former bulk daily collection process, the first revealed, and most attention-grabbing programs of the Snowden summer has ended.
We Encrypted the Web
Often we focus on the law and policies impacted by the Snowden revelations. But one of the biggest and best legacies of his efforts are neither: it’s that we actually encrypted the web. We—EFF along with many partners around the world at Let’s Encrypt and elsewhere—created a baseline of privacy (and security) protection for people around the world. While EFF and others had been trying to encrypt the web prior to the Snowden revelations, those revelations, especially the slides showing that the NSA was using the unencrypted traffic between the internal data centers of Google and Yahoo as a point of surveillance, gave jet fuel to the effort both inside of and outside of those companies. And, as of the end of 2021, we could declare victory.
Ending the Internet Metadata Collection Program
In 2015, the NSA ended its program which bulk collected internet metadata, including email addresses of the sender and recipient and IP addresses. This was one of a number of programs which collected raw data from internet companies and online service providers. Public reports indicate that ending this program was largely the result of concerns raised by Senator Wyden and others who were granted access to the program under the limited congressional oversight that existed. Of course, the ongoing pressure from EFF’s litigation and that of others didn’t hurt either.
The Release of FISC Rulings (Finally)
The Foreign Intelligence Surveillance Court was created by the Foreign Intelligence Surveillance Act in 1978 and was intended to serve as judicial supervision of domestic surveillance done by the U.S. government against foreign agents. For decades, the court’s secretive rulings on how and when it grants surveillance powers to the government and the reasoning which guides its decisions have been kept under the lock and key of classification. But in 2015, spurred by the Snowden revelations, Congress passed the USA FREEDOM Act which, among other modest reforms, required the FISC to begin releasing “significant opinions.” From this, the public began to see more about how the mass surveillance worked and how the government consistently failed to abide by even it’s own lax standards.
EFF filed FOIAs seeking the opinions and the fight continued. At first the DOJ took the position that only decisions after passage of USA FREEDOM were covered. It took seven years but finally, in 2022, the government changed course and we received seven heavily redacted classified rulings from the court.
Another reform in the USA FREEDOM ACT was authorizing the appointment of independent “amici” to assist the FISC and provide an independent perspective to a court that normally only hears one-sided presentations by the government. The Amici are five special advocates appointed by the court who are called upon whenever the court is considering a novel or significant construction of law. The amicus is meant to advocate for the protection of civil liberties and privacy, educate the court on intelligence collection or communications technologies, and answer any questions the court may have. While the amicus process has yet to bear significant fruit, taking even this small step to bring balance to the infamously one-sided FISC process is a good step.
“About” Collection Ended (At Least Temporarily)
One of the most pernicious portions of Section 702 mass surveillance is called “about” collection. As its name indicates, these are collections of information based upon the content of the communications and whether a target is merely mentioned, instead of communication specifically sent to or from a target. So, for example, if you email a friend in France and in the content discuss Osama Bin Laden, the email could be included as “about” a target.
This collection was paused by the NSA in 2017 amid pressure from the FISC and civil liberties concerns raised in the litigations by EFF and the ACLU. While permanently forbidding this kind of collection remains necessary (see below), stopping this collection is a success.
Other Countries Have Ruled Against Mass Surveillance
Much has happened around the world as well. While we are not here including an exhaustive list, several are worth mentioning. In 2019 and 2020 respectively, South Africa and Germany both banned forms of bulk data collection. In South Africa, the High Court found that “no lawful authority has been demonstrated to trespass onto the privacy rights or the freedom of expression rights of anyone, including South Africans whose communications cross-cross the world by means of bulk interception.”
Concerning the collection of communications between Germans and people abroad, the German Constitutional Court ruled that mass surveillance of telecommunications outside of Germany conducted on foreign nationals is unconstitutional.
And in the European Courts, our friend and EFF Award winner Max Schrems has brought litigation that has, multiple times now, found that Facebook did not sufficiently protect the information of Europeans from the NSA.
10 Years Later: What Are We Still Fighting For?
Gutting or Ending Section 702
In 2021 alone, the FBI conducted up to 3.4 million warrantless searches of Section 702 data to find Americans’ communications.
In Fall 2023, Congress will get a chance to seriously reform or end Section 702 of FISA in light of its impending sunset. Section 702 allows the government to conduct surveillance inside the United States by vacuuming up digital communications so long as the surveillance is directed at foreigners currently located outside of the United States. It also prohibits intentionally targeting Americans. Nevertheless, the NSA routinely (“incidentally”) acquires innocent Americans’ communications without a probable cause warrant. Once collected, the FBI can search through this massive database of information by “querying” the communications of specific individuals.
In 2021 alone, the FBI conducted up to 3.4 million warrantless searches of Section 702 data to find Americans’ communications. Congress and the FISA Court have imposed modest limitations on these “backdoor searches,” but according to several recent FISA Court opinions, the FBI has engaged in “widespread violations” of even these minimal privacy protections.
The Snowden revelations gave names to two of the key types of surveillance that the NSA conducts under Section 702: Prism and Upstream. Upstream has been central to EFF’s litigation, as we had direct evidence about it long before we knew its name. If 702 ends, both of these two programs should end along with them.
As noted above, any reform of Section 702 should also permanently revoke the now defunct authorization to conduct “about” collection, which was paused by the NSA in 2017 amid civil liberties concerns. These are collections of information not sent to or from a target but are communications “about” or which make reference to a surveillance target.
Fighting Barriers to Standing in Court and the Disclosure of “Secret Evidence”
Since the original passage of FISA in 1978, private parties have been empowered to sue over national security surveillance that violates their rights, including through a mechanism for courts to consider classified evidence while preserving national security. But in lawsuit after lawsuit, the executive branch has sought to avoid these procedures, and the judiciary, including the Supreme Court, has adopted cramped readings of the law that create a de facto national security exception to the Constitution.
The result is that even when the facts of a surveillance program are widely known—as with Upstream surveillance conducted under Section 702—courts too often refuse to find that individuals harmed have standing to sue. That was the case in EFF’s flagship lawsuit, Jewel v. NSA, where the Supreme Court allowed our case to be dismissed because a lower court found common knowledge to be classified. It deemed it a “secret” that the mass spying programs that everyone has known about since at least the Snowden documents came to light in 2013 involved the nation’s two largest telecommunications carriers.
We need Congress to fix this mess by explaining that FISA always meant what it says: that secrecy should not be a complete bar to litigating the constitutionality of mass surveillance, and that courts should not create new justifications to avoid reaching these issues.
EO 12333 Surveillance
Much of the spying that the NSA does overseas is conducted under the auspices of Executive Order 12333. This directly impacts people around the world, but also Americans whose communications can and often are included and then analyzed, including with a tool called XKEYSCORE. As the Guardian reported in 2013 based upon Snowden’s revelations, XKEYSCORE gives analysts the power to watch—in real time—anything a person does on the Internet. There are serious issues raised by this tool and by 12333 more broadly. Despite consistent calls for reform, however, very little has occurred and 12333 mass surveillance, using XKEYSCORE and otherwise, appears to continue unabated. The Privacy and Civil Liberties Board (PCLOB), a government agency intended to advise the executive branch on privacy and civil liberties, issued a disappointing report, after much delay, which prompted an appropriately critical response from PCLOB member Travis LeBlanc. We still need to have a serious conversation not only about NSA spying in the U.S. but about it’s much bigger collection and analysis and use with very little oversight, all around the world.
Congress Still Needs to Take Privacy Seriously
Congress’s relationship to privacy comes when it’s politically expedient and disappears as soon as members feel as if they could be too easily painted as being soft on crime or national security. Despite calls over the last few years for federal legislation to reign in big tech companies, we’ve seen nothing significant in limiting tech company’s ability to collect data (then accessed by the NSA via Prism), or regulate biometric surveillance, or close the backdoor that allows the government to buy personal information rather than get a warrant, much less create a new Church Committee to investigate the intelligence community’s overreaches. It’s why so many cities and states have had to take it upon themselves to ban face recognition or predictive policing, or pass laws to protect consumer privacy and stop biometric data collection without consent.
It’s been 10 years since the Snowden revelations and Congress needs to wake up and finally pass some legislation that actually protects our privacy, from companies as well as from the NSA directly.
EFF is member supported. If you would like to make a contribution in honor of the wins we have achieved this last decade and to support the fights still ahead of us, please visit eff.org/donate.