Privacy advocates face an uphill battle in their latest effort to rein in the National Security Agency’s controversial foreign surveillance program.
The American Civil Liberties Union and the Electronic Frontier Foundation, along with private attorneys, are trying to convince a powerful federal appeals court that the program is unconstitutional, violating people's Fourth Amendment rights because it allows the government to access millions of Americans’ communications without a warrant. But during oral arguments last week, they wrestled with tough questions from a senior judge who seemed skeptical about curtailing the government’s authority, which officials say is an essential tool for monitoring terrorists.
The case is significant because it could decide whether a legal challenge to Section 702 of the Foreign Intelligence Surveillance Act goes to the Supreme Court in the near future. Only a handful of federal courts and just one other federal appeals court have handled cases involving Section 702, and all have ruled in favor of the government-- meaning that a ruling against the government in this case would increase the likelihood of the high court weighing in. That’s what some critics of the program are hoping for, in part because the justices have recognized expanded privacy rights in a series of recent rulings challenging the government's digital surveillance powers.
“We’re waiting for a judge to stand up and look more closely at the arguments the government is making and have the courage to say, ‘This may be an important national security program, but what happened here doesn’t square with the Constitution,' ” said Elizabeth Goitein, co-director of the Brennan Center’s Liberty and National Security Program, which is not involved in the litigation. “If one court of appeals does that, there’s a chance that the Supreme Court can decide this, which ultimately needs to happen.”
But a problem for those challenging the program, she added, is that “these are national security cases, and the courts don’t want to go out on a limb here and be the first to say, ‘Hey, wait a minute, this looks unconstitutional.’”
Privacy advocates have fought for years to limit Section 702, under which the NSA collects emails and other communications from foreign intelligence targets located outside the United States. Billions of numbers of U.S. residents’ communications are swept up in the process and stored for years in law enforcement databases, where law enforcement can query them at any time in unrelated investigations.
And that’s precisely the issue before the U.S. Court of Appeals for the Second Circuit now. The case centers on Agron Hasbajrami, a U.S. resident living in New York, who was charged and convicted of providing material support to terrorism. After his 2013 sentencing, prosecutors revealed that they built the case against him on emails he exchanged with a foreigner who was being surveilled under Section 702. Hasbajrami claims the government violated his constitutional rights because it didn’t get a warrant before reading his communications.
In court last week, ACLU attorney Patrick Toomey told judges that the case cuts to the heart of problems with the NSA’s surveillance program. Toomey, who also argued on behalf of the EFF, said agents “across the government are reading and sifting through Americans’ Internet messages without getting any kind of individualized judicial approval.” The court could remedy this by requiring investigators to get a warrant when they want to query a person in a database containing the troves of communications scooped up under Section 702, he said.
Senior Judge Gerald Lynch seemed to struggle with that point. During an intense back-and-forth, he pressed Toomey about why the government should be restricted from looking at communications collected lawfully, especially “if we overhear during that conversation someone plotting a crime in the United States.”
“When a government agent is invited into a premises for some unrelated purpose and happens to see something in plain view that is evidence ... we don’t say, ‘Oh wait, my God, we have to get a warrant before that can be seized,’ ” Lynch said. “If it is plain that this is evidence of criminality, it can be seized, retained, used.”
Lynch raised the same concern with Michael Bachrach, an attorney for Hasbajrami, who agreed that there should be a warrant requirement.
“I’m sympathetic to that concept,” Lynch said, “but I’m having trouble understanding where [in legal doctrine] it would come from.”
Toomey noted that the government must seek a warrant before searching a seized cellphone in most cases under the landmark Supreme Court ruling Riley v. California from 2014. The same could apply here, he said.
The government's attorney, Seth DuCharme, contended the case was a "good example" of the type of warrantless surveillance that's reasonable under the Fourth Amendment. He urged the court not to "conceive of the program as a program that just scoops up information" and holds onto it indefinitely. "This case involved very, very focused attention by the U.S. government in real time or in close to real time on the communication of foreign persons who were involved in international terrorism," he said.
It's not clear how the judge will rule, of course. But Toomey said he walked away from the hearing confident. “These judges seemed well-versed in many of the mechanics of the surveillance,” he told me afterward. “It was heartening to see that, and it was revealed by the depth of their questioning.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: “A State Department unit created two years ago to lead the U.S. fight against anti-democratic propaganda abroad, including Russian disinformation campaigns, still has not received millions of dollars in funding allocated to it by Congress,” HuffPost's Lauren Weber reported on Friday. “And even if some money comes through for the Global Engagement Center before the end of the fiscal year, it will now be just one-sixth of the amount originally directed to the center to counteract terrorist messaging and foreign efforts to influence elections.” The Global Engagement Center is supposed to be funded by money transferred from the Defense Department to the State Department.
Weber reported that Sens. Chris Murphy (D-Conn.) and Rob Portman (R-Ohio) last month introduced an amendment to direct $40 million to the State Department's unit, but their measure was not included in the Defense Department appropriations bill for fiscal 2019 that passed the Senate. “The State Department has a plan ready to execute on this funding and it’s long overdue for the Defense Department, with Congressional approval, to get this funding transferred,” Portman said in an Aug. 22 statement. “The fact that Russia continues to advance their disinformation efforts makes clear the need to ramp up these programs. Now is not the time for us to shortchange them through lack of funding.”
PATCHED: Some security experts are skeptical about Google's Titan security key. The device, which Google started selling last week, essentially offers the physical equivalent of two-factor authentication, The Washington Post's Hayley Tsukayama reported on Friday. “To use Google's key, you first set it up to work with your Google account or other supported service to act as a second security backstop when you log in,” Hayley wrote. “After you enter your user name and password, you’ll be asked to hit a button on your key to show that it’s really you.”
However, “several senior security experts, including the former chief information security officer (CISO) of Facebook, are concerned about the devices, with some pointing to how the keys are actually produced by Feitian, a Chinese company,” Motherboard's Joseph Cox wrote on Friday. “Multiple experts talking to Motherboard called for Google to be more transparent around these keys, amidst pressing, albeit currently unsubstantiated, concerns they could be leveraged by the Chinese state to hack users.”
My colleague Hayley reported that “Google has said that the hardware that provides the keys' security is sealed before it heads to the manufacturer to guard against supply chain attacks.” But Alex Stamos, former chief information security officer at Facebook and now a fellow at Stanford University, told Motherboard that Google ought to disclose more information. “I think it would be great if they documented their supply chain process,” Stamos said, as quoted by Cox.
PWNED: “A federal government transparency website made public dozens, if not hundreds, of Social Security numbers and other personal information in a design error during a system upgrade,” CNN's Tal Kopan reported on Monday. “The error, on a Freedom of Information Act request portal, was fixed after CNN alerted the government to the situation. For weeks prior, however, individuals' sensitive personal information was available on the public-facing database unbeknownst to them or the government.” In some cases, the error also exposed data such as dates of birth, identification numbers for immigrants and other sensitive information.
Nuala O'Connor, president and chief executive of the Center for Democracy and Technology, said the glitch was “a really significant mistake,” CNN reported. “These sorts of data points allow people to engage in identity theft or some kind of harassment, or other malicious behavior,” O'Connor, a former chief privacy officer at the Department of Homeland Security, told Kopan. “It puts potentially already vulnerable people at greater risk.”
— More cybersecurity news:
— “The top Democrats on two House committees accused Republicans on Friday of selectively leaking to the press sensitive communications that could put a ‘confidential human source’ at risk,” The Post's Ellen Nakashima reported. “Rep. Elijah E. Cummings (D-Md.), ranking Democrat on the House Oversight Committee, and his counterpart on the Judiciary Committee, Rep. Jerrold Nadler (D-N.Y.), also accused Republicans of ‘cherry-picking’ portions of emails and text messages between British ex-spy Christopher Steele and Justice Department official Bruce Ohr to bolster a narrative that they were part of a conspiracy to undermine the Trump campaign in 2016. The Democrats’ concerns, outlined in a letter to Judiciary Committee Chairman Bob Goodlatte (R-Va.) and Oversight Committee Chairman Trey Gowdy (R-S.C.), arose out of an interview with Ohr that Republican members of the two panels conducted Tuesday.”
— “A majority of the 25 most-populous U.S. cities now have cyber insurance or are looking into buying it, according to a Wall Street Journal survey,” the Wall Street Journal's Scott Calvert and Jon Kamp reported on Tuesday. “A ransomware attack on Atlanta earlier this year—one of the biggest reported breaches of a city’s network—served as a warning to officials everywhere of the constant barrage from hackers. Cities and even library systems are being hacked more often than people realize, but many heard about Atlanta.” The Journal reported that Dallas, San Diego, Denver and Detroit have cyber-insurance but have not filed claims. “Some cities—including New York, Chicago and Philadelphia—declined to say whether they have cyber insurance,” Calvert and Kamp wrote. “Some, like San Antonio, have cyber coverage through an existing property policy. Others say they are self-insured, which can entail creating a special fund to cover losses.”
— More cybersecurity news from the public sector:
— A Google employee hacked the door to his office. “Last July, in Google’s Sunnyvale offices, a hacker found a way to trick doors into opening without the requisite RFID keycard,” Forbes's Thomas Brewster wrote on Monday. “Luckily for Google, it was David Tomaschik, an employee at the tech giant, who only had good intentions. When he sent his malicious code across the Google network, he saw the lights turn from red to green on the door to his office.”
Tomaschik's work exposed weaknesses in technology from the company Software House, which was in use at his office. “This issue was addressed with our customers,” said a representative for Johnson Controls, which owns Software House, Brewster reported. “Tomaschik told Forbes the flawed Software House tech was likely to be deployed widely, inside and outside Google, as there are only a handful of companies making such office controls,” Brewster wrote. “That means that all manner of other businesses could be open to attack by hackers-turned-robbers.”
— More news about cybersecurity vulnerabilities:
- Senate Intelligence Committee hearing on foreign influence operations on social media platforms tomorrow.
- House Energy Committee hearing titled “Twitter: transparency and accountability” tomorrow.
- Senate Foreign Relations subcommittee hearing on China tomorrow.
- Two House Homeland Security subcommittees hold a joint hearing on cybersecurity threats to the U.S. aviation sector on Sept. 6.
- 9th annual Billington CyberSecurity Summit in Washington on Sept. 6.
Myanmar judge sentences Reuters reporters to prison:
Massive fire engulfs 200-year-old museum in Brazil:
British Army plays “Respect” as Aretha Franklin tribute: