Spy law reauthorization postponed to avoid tough privacy votes
- By Derek B. Johnson
- Feb 26, 2020
A House Judiciary Committee vote to reauthorize the USA Freedom Act was abruptly postponed Feb. 26 after reports surfaced that Rep. Zoe Lofgren (D-Calif.) planned to introduce five privacy-related amendments.
Lofgren's office confirmed her intentions to FCW, but declined to provide insight into the substance of the amendments that will be offered. Lofgren has been among the most vocal critics of the law and has led several charges among House Democrats in recent years to reform the Call Detail Records (CDR) program and other surveillance programs.
The decision to postpone the markup comes the same day the Privacy and Civil Liberties Oversight Board released a long-awaited report reviewing the legality and usefulness of the CDR program. That partially-redacted report concluded that there was no evidence the program was intentionally abused, but also found it rarely provided new or unique information, despite years of intelligence officials claiming the program was essential to national security.
According to the board's report, the program was cited in 15 intelligence reports over the four years it operated, a number that the National Security Agency itself descried as "extremely low for a program of this duration, especially in light of the performance of other collection authorities" like Section 702. Worse, those reports largely duplicated intelligence gleaned from other agencies and provided unique information in just two of those instances, causing the board to write that "it is facially unclear which information in them would have been unavailable without the USA Freedom Act CDR program."
Along the way, it experienced "a series of compliance incidents" stemming from the over-collection of call records beyond what was legally permitted, and the report details a dozen notices filed by NSA to the Foreign Intelligence Surveillance Court between 2016 and 2019 regarding compliance and data integrity issues. An internal review found that inaccurate call records were used to support at least four applications to the FISA court, resulting in notification to the court and a recall of intelligence report that relied on the data.
The NSA has pointed the finger at unnamed telecoms for the oversight, and the board determined that the incidents "were inadvertent, not willful."
"While we found no intentional attempts to collect more data than authorized, unintentional over-collection, triggered by anomalies in the first-hop data returned by providers, proved a recurrent problem," the board wrote. "The program involved a complex, machine-to-machine technical architecture, with limited human intervention once initial, court-approved selection terms entered the system. One side effect was that errors in the data could 'cascade' across large numbers of records, with lagging human awareness."
Additionally, a tool used by NSA employees to query multiple datasets and metadata records produced an "anomalous side-effect" that resulted in the incorrect tallying of queries made through the program. The board found that the program's reliance on automated software to sort and sift through large amounts of record data played a significant role in the anomalies.
"The lesson is not that Congress should prescribe the precise technical mechanisms by which surveillance authorities may be implemented, or that automated, iterative mechanisms will never be appropriate," the board concluded, later adding. "The point, rather, is that a program may present qualitatively different implications for privacy, civil liberties, and compliance if implemented using an automated, machine-to machine architecture with limited human intervention, than if it relies on human-to-human fulfillment of one-off requests."
The NSA and the White House are pushing for the program's renewal, but a number of lawmakers across the political spectrum, from Lofgren to Senate Judiciary Chair Lindsey Graham (R-S.C.), have expressed skepticism about the usefulness of the program and questioned whether it gives the federal government too much power to spy on U.S. persons.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.