Thus far, none of the Internet providers who have issued statements in support of the latest incarnation of the USA Freedom Act (which I’m calling USA F-ReDux) have mentioned that they will be getting expansive immunity and compensation for helping the government spy on you.
Along with two other features, Google argues USA F-ReDux would,
[E]nd the bulk collection of communications metadata under various legal authorities. This not only includes telephony metadata collected under Section 215, but also Internet metadata that has been or could be collected under other legal authorities.
I find that an interesting way to describe the bill, particularly given that Google calls this “modernizing” surveillance, not limiting it.
Congress Has Only A Few Weeks Left to Modernize Surveillance Laws
Both the government and some providers used that same language — “modernize” — during the FISA Amendments Act, too. Sure, that was partly because it accommodated the law to growing Internet reliance. USA F-ReDux will do that too, to the extent it allows the government to obtain metadata for things like Google Meet-Ups and other VOIP calls and Internet messaging, which the government needs if it really wants dragnet coverage. FAA also involved deputizing Internet providers so that their data could no longer be collected in bulk by phone companies.
Modernizing surveillance, they called that.
And as I’ve just begun to lay out, this bill will set up a system similar in many respects to PRISM, where the government would go to the provider to get what they wanted on a target. Under PRISM, what the government wanted quickly expanded. Within 6 months of the roll-out of PRISM, the government was already asking for 9 different types of data from providers like Yahoo, apparently spanning Yahoo’s four business functions (meaning email, information services, data storage, and Yahoo internal functions).
Here, as with FAA, the government will go to providers to get what they want. And given that the bill permits the government to ask providers to chain on non-Call Detail Record session identifiers (things like cookies and location data), the government will benefit from, though not directly access, some of the same data that the government started obtaining under PRISM. And while I would hope the FISA Court would exert some oversight, I would also bet the government will make increasingly expansive claims about what constitutes a “session identifier” that can be used to chain (we know that, overseas, they chain on address books and photographs, for example).
And in one way, USA F-ReDux is worse than PRISM. Unlike FAA, USA F-ReDux will feature an added role for a Booz-type contractor compiling all this data, possibly in some cloud somewhere that would be about as safe as all the documents Edward Snowden took, to make it easier to chain across providers.
This is what Google celebrates as “modernization.”
But let’s go back to Google’s representation of this as ending bulk collection of, “Internet metadata that has been or could be collected under other legal authorities.”
We’ve long discussed the Section 215 dragnet as covering just calls made by phone companies (though Verizon’s Counsel, in a hearing last year, noted that the government would have to get VOIP if it wanted full coverage).
But that’s not true. As I reported the other day, at least one of the phone metadata dragnets was collecting VOIP metadata. Google’s VOIP metadata. In fact, the only known use of the DEA dragnet involved a US user subscribing to Google calls.
In other words, the Shantia Hassanshahi case is important not just because it led to us learning about the DEA dragnet, but because it revealed that (in addition to Google’s Internet metadata being collected under PRTT illegally for years), Google’s VOIP data also got sucked up in at least one phone dragnet.
Google doesn’t like other people being able to spy on its customers.
But now that USA F-ReDux will return it to the position of having the monopoly on spying on its customers, it calls this “modernization.”