Letter to UN Special Rapporteur on Privacy concerning US surveillance issues

Prof. Joseph Cannataci
Special Rapporteur on the right to privacy
Office of the High Commissioner for Human Rights
Palais Wilson
Rue des Paquis, 52
1201 Geneva
Switzerland

Re: Visit to the United States of America

May 31, 2017

Dear Prof. Cannataci:

We welcome your upcoming visit to the United States of America in your capacity as the Special Rapporteur on the right to privacy. This letter focuses on a few issues in depth that we believe would be important for you to explore and address as part of your visit.

We have long concluded that as a consequence of its surveillance laws, policies, and practices, the United States is not in compliance with its obligations under the International Covenant on Civil and Political Rights (ICCPR), including the right to freedom from arbitrary or unlawful interference with privacy and correspondence (Article 17). We hope your visit will help advance the country’s respect for privacy and other fundamental rights where the treatment of communications and private data is concerned.

Although the summaries below go into some detail about specific legal authorities and concepts, we believe it is important to emphasize that the US executive branch has embraced a set of practices and theories that effectively allow it to avoid proper independent authorization, oversight, and accountability. The result is a system that provides a patina of law while giving rise to serious abuses or a risk thereof. At heart, many of the US’s intelligence gathering practices contravene the US’s treaty obligations under the ICCPR, failing the requirements of legality, necessity, and proportionality.

1. Executive Order 12333

One of our greatest areas of concern is Executive Order 12333 (“EO 12333”), which the executive branch issued in 1981 and which has since been amended on several occasions (most recently in 2008).[1] As a general matter, the order governs the US intelligence agencies’ activities, including the gathering of information through means such as communications surveillance. The order appears to grant free rein to the agencies to conduct surveillance of communications outside US borders of non-US persons.[2] It may also serve as the basis for the surveillance of US persons in some broad circumstances.[3]

EO 12333 remains largely uncodified and the legislature had no role in its adoption. In November 2013, the then-chair of the Senate Select Committee on Intelligence suggested that Congress also plays little or no role in overseeing surveillance that takes place under this authority, and Human Rights Watch is not aware of any change in this respect.[4] Additionally, surveillance under the order is not subject to judicial authorization or oversight, and the government believes it is not required to notify any individual—including a criminal defendant—that his or her communications have been surveilled under this authority.[5]

It has been reported that the US has used EO 12333 as the basis for vast surveillance programs around the world that have involved, among other things:

• The interception of hundreds of millions of text messages and billions of mobile telephone location updates daily;
• The interception of large quantities of data, including the content of communications, as it was being transmitted between non-US data centers belonging to major Internet companies; and
• The acquisition of records of all [mobile] telephone calls in five countries, and the acquisition of the content of those conversations in two of those countries.[6]

US government officials have implied that the government does not consider electronic information to have been “collected” until that information is processed in some way or examined by a human being.[7] This assertion is echoed in regulations that govern intelligence gathering activities by specific agencies: for example, “Data acquired by electronic means is ‘collected’ only when it has been processed into intelligible form.”[8] Significantly, this interpretation implies that the US may acquire vast stores of digital information without running afoul of the already limited safeguards against arbitrary “collection” of such information in US policy. This interpretation also affects how the US government views its obligations under Article 17 since the US believes it has not interfered with the right to privacy if personal data is acquired and stored in a database, but not yet processed by a human being.

Referring to EO 12333, a State Department whistleblower warned in 2014 that “some [US] intelligence practices remain so secret, even from members of Congress, that there is no opportunity for our democracy to change them.” [9] The whistleblower also appeared to suggest that the intelligence agencies might be using the order as the basis for warrantlessly capturing the audio of US persons’ telephone calls on a large scale.

The executive branch’s virtually unfettered power to conduct surveillance under EO 12333, its lack of accountability to Congress or other oversight bodies for actions taken under this authority, as well as the activities it allegedly conducts pursuant to this authority, undermine privacy rights and are likely to produce violations.

We urge you to raise these issues with both executive and Congressional leaders you meet, and to encourage consideration of narrowing the scope of EO 12333 and including in reporting requirements to Congress and the public.

2. Section 702 of the Foreign Intelligence Surveillance Act

Adopted by Congress in 2008, Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) empowers the intelligence agencies to “target” non-US persons overseas for warrantless telephone or Internet monitoring. As confirmed by the Privacy and Civil Liberties Oversight Board in a 2014 report, the agencies operate at least two large-scale, warrantless surveillance programs pursuant to this provision.[10] One, “Upstream” scanning, allegedly involves the automated bulk searching of communications that flow over the Internet infrastructure that links the US to the rest of the globe.[11] The other, PRISM, enables the National Security Agency (“NSA”)—with the assistance of the Federal Bureau of Investigation (“FBI”)—to demand private communications such as e-mails and instant messages from US Internet companies without warrants. Documents disclosed by former NSA contractor Edward Snowden beginning in 2013 indicate that these companies include, among others, Internet giants such as Google, Apple, and Facebook.[12]

The purposes for which the government may monitor communications under Section 702 are broad and provide a great deal of latitude: the executive branch need only certify that “a significant purpose” of the surveillance is to obtain “foreign intelligence information.”[13] The latter term is expansively defined to include, for example, “information with respect to a foreign power or foreign territory that relates to … the conduct of the foreign affairs of the United States.”[14]

Surveillance under Section 702 must formally “target” a non-US person outside of the United States, such as a French national in France.[15] While the Foreign Intelligence Surveillance Court (“FISC”) must annually approve targeting and other procedures that are intended to provide certain protections for US persons,[16] neither the FISC nor any other independent body authorizes or reviews individual targeting decisions or is obligated to ensure that the human rights of non-US persons are respected. (The FISC itself is a problematic body, as many of its operations are secret.)[17]

Moreover, though the executive branch claims its acquisition of information is “targeted,” Section 702 appears to authorize the government to capture a potentially very large number of communications “incidentally.”[18] When the Washington Post evaluated a set of 160,000 leaked e-mails and instant messages the agencies had gathered under Section 702, it found that 90 percent of the account holders to whom the communications belonged were not the “targets” of this surveillance.[19]

We believe Section 702 does not comply with the US Constitution and therefore violates the “legality” prong of the right to privacy. Additionally, while an elaborate set of rules and decisions formally govern surveillance under the law,[20] they do not require judicial review of the monitoring on an individualized basis, permit unnecessary and disproportionate interferences with privacy rights, do not include adequate safeguards against discriminatory decision-making, and do not provide meaningful access to an effective remedy. We are also concerned about the potentially disparate impact of these activities on US immigrants and border communities.[21]

Section 702 expires at the end of 2017 and the debate about whether to reauthorize the law, and in what form, is under way among US policymakers. It is also under challenge in a lawsuit in which Human Rights Watch was a plaintiff.[22] We encourage you to meet with members from the House and Senate Judiciary Committees, as well as civil society and industry groups, to discuss concerns about the law and how to ensure it comports with international human rights standards.

3. Intelligence-sharing Agreements

EO 12333 allows the Director of National Intelligence to “enter into intelligence and counterintelligence arrangements and agreements with foreign governments and international organizations.”[23] These agreements do not require the approval of the legislature.

Although the executive branch has released certain historic documents concerning an agreement between the US and the United Kingdom,[24] and Edward Snowden disclosed to journalists a memorandum of understanding suggesting that the US shares raw surveillance data with Israel,[25] we are unaware of any intelligence-sharing arrangements whose current scope or details the government has made available to the public.

In a 2014 interview with Human Rights Watch, a senior US intelligence official claimed that the government is permitted to receive intelligence concerning US persons from foreign States even in circumstances where it would be illegal for the US to conduct the surveillance itself, although the authorities cannot request such intelligence.[26]

More recently, during the Senate Select Committee on Intelligence’s confirmation hearing for Mike Pompeo, now CIA Director, Senator Ron Wyden stated:

Absent a specific request from the CIA, a foreign partner, company, organization or individual may nonetheless provide the CIA with the results of extensive cyber operations or other surveillance, including targeted collection against, or bulk collection that includes the communications of U.S. persons. That information could include the communications of U.S. political figures and political activists, leaders of nonprofit organizations, journalists, religious leaders, businesspeople whose interests conflict with those of President Trump, and countless innocent Americans.[27]

While the information provided by the senior intelligence official and Wyden focuses on US persons, there are no publicly known strictures that would prevent these remarks from being equally accurate with respect to non-US persons.

As has been widely reported, the US has historically had close intelligence-sharing arrangements with other Anglophone allies (known as the “Five Eyes”) as well as with many other state partners.[28] Such intelligence-sharing is a staple of counter-terrorism and law enforcement cooperation. However, these arrangements are almost always a function of executive policy rather than legislation, and the details are withheld from the public.

Human Rights Watch is concerned that the nearly complete opacity of the US’ intelligence-sharing arrangements with other states, as well as the apparent lack of oversight by independent bodies, some of these arrangements may entail or facilitate violations of fundamental rights on a significant scale. We urge you to emphasize to officials in the Administration and Congress that the lack of information and oversight of these arrangements can enable a subversion of domestic controls on state surveillance that would safeguard privacy rights (of both US and non-US persons), and violate the principle of legality.

4. Parallel Construction

In 2013, Reuters reported that a “secretive” unit within the Drug Enforcement Administration (“DEA”), the Special Operations Division, was furnishing tips to US law enforcement agents based on intelligence surveillance data, while instructing those agents to create an alternative explanation for how they found any resulting evidence—thus concealing the original tip.[29] This practice, known as “parallel construction,” prevents criminal defendants (and, potentially, even judges) from discovering the true origins of information employed in the investigations in their cases, and thus from challenging the lawfulness of its collection or dissemination under these authorities.

DEA training materials disclosed in response to a subsequent Freedom of Information Act request confirm this practice and discuss legal and policy rationales for it.[30] Other government documents, as well as a senior DEA official quoted by Reuters, suggest that the technique is so longstanding that it may have become a “bedrock concept.” One now-declassified 1983 document suggests that the practice dates back years. It addressed the “problem” of “how to maximize dissemination to and use of intelligence by law enforcement agencies while maintaining appropriate security standards for that intelligence.” One aspect of this “problem,” according to the document, arose from “federal criminal procedures which enable a defendant to seek through a discovery motion relevant information regarding any evidence presented by the prosecution.”[31] As a solution to the problem, the document explicitly contemplates recommending:

[I]ntelligence support processes for drug enforcement that will enable drug agencies to develop intelligence independently and reduce the likelihood that intelligence sources and methods will be regarded essential to a criminal defendant’s case; in effect, build a firebreak in the evidentiary trial [sic] leading to sources and methods.[32]

We fear that viewing the defendants’ prospective access to intelligence-based evidence as a problem, rather than a right, may remain current and widespread within US intelligence and law enforcement agencies. We are concerned that practices such as parallel construction—which, according to the same senior official quoted by Reuters, is employed “every day”—undermine fair-trial rights and risk weakening the integrity of the US criminal justice system overall. The issue merits far greater congressional, judicial, and public scrutiny than it has received. We look forward to discussing it further with you during your visit, and hope it will be an issue you raise with law enforcement officials you meet, including in the FBI, DEA, and Department of Justice.

5. Encryption[33]

Concerted advocacy by industry, information security technologists, and digital rights organizations successfully opposed efforts in the US to weaken encryption last year. When media organizations released a “discussion draft” of Senators Dianne Feinstein and Richard Burr’s Compliance with Court Orders Act in April 2016, widespread criticism of the bill’s negative effects on cybersecurity, privacy, and other rights led the sponsors to decline to formally introduce the proposal.[34] The bill would have required technology companies to provide access to encrypted information in an “intelligible format” (that is, unencrypted) if asked to by a court. The bill does not specify how companies would have to unscramble encrypted information, but it would have effectively forced a range of companies to build in a “back door” to bypass encryption and other security features in products.

However, the delay in formal introduction of this bill appears to have been only a temporary reprieve. US law enforcement officials continue to pressure major tech companies to roll back security improvements they have begun to adopt, including end-to-end encrypted chat applications and default disk encryption, and demand legislation to mandate exceptional access.[35] Although President Barack Obama declined to pursue legislation, he also failed to take a strong stance against encryption backdoors—or any firm position on the matter.[36] On several separate occasions before former FBI Director James Comey’s dismissal, including in testimony before Congress, Comey raised the need for some “solution” to widespread encryption.[37] Senators Feinstein and Burr also reportedly circulated a revised draft of their anti-encryption bill in September, though the exact details haven’t been made public.[38]

In short, we believe it very likely that various quarters of government, federal and state, will continue to demand that companies weaken encryption and allow exceptional law enforcement access to encrypted communications. Forcing companies to remove end-to-end encryption will weaken security for all Internet and mobile phone users, while being ineffective at keeping encryption out of the hands of determined malicious actors.

In the digital age, strong encryption is essential for the enjoyment of the right to communicate anonymously and privately. Online communications flow over Internet networks that are inherently vulnerable to covert and unwanted monitoring by state and non-state actors. Our digital data is also increasingly stored remotely with cloud service providers, whom we rely on to ensure data is not breached without authorization.

Privacy online in the twenty-first century hinges entirely on strong encryption. And unfortunately, weak or partial encryption provides not just weak or partial protection, but no protection at all to well-equipped intelligence agencies and capable hackers. Thus, the ICCPR requires that any limits on strong encryption, including a state mandate to require decryption of data, must be provided in law, proportionate, and necessary for a legitimate aim. In our advocacy with the US government on the issue, we have argued that a requirement of assured decryptability for all online communications, including the billions that involve no suspicion of threat to public order or national security, could not be proportionate and has never been shown to be necessary. The law, including human rights law, does not view every member of society as a suspect when speaking online.

We urge you to raise the importance of strong encryption for the protection of privacy and other human rights with federal and state law enforcement officials and Congressional policymakers as part of your US visit.

There are, of course, many other issues relating to other aspects of privacy as well as privacy and digital technology that are both of concern to Human Rights Watch and deserving of your attention. We are happy to facilitate your visit in any way we can, including by convening a meeting with other NGOs, and by meeting with you in person, either in advance or at the time of your visit. An appendix of our reports and work relevant to your visit is attached.

Sincerely,