As a first step in the overhaul of NSA surveillance policies, the US government recently reached a deal with tech firms allowing them to report more information regarding the quantity of FISA requests and National Security Letters (NSLs). FISA requests, established under the Foreign Intelligence Surveillance Act of 1978, authorize electronic surveillance to obtain intelligence information regarding foreign affairs. NSLs, on the other hand, are subpoenas that demand non-content information such as telephone metadata or transactional records relevant to national security investigations. The new provision allows for greater transparency by letting the firms disclose the number of FISA requests and NSL subpoenas they received.
However, the new disclosure policy is far from transparent. The provision allows companies to disclose the number of NSL subpoenas they received, but only in increments of 1,000. Alternatively, they can publish the total number of FISA requests and NSLs together in increments of 250. The companies can only release these reports once every six months. An exact number of FISA requests and NSLs could be dangerous – for a small tech company with few clients, a terrorist would know with high probability that they were being surveilled if the company reported a single FISA request. However, if a company reports 0–999 requests, the actual number of requests could be 1 or 999 – a difference of almost three orders of magnitude. This huge range provides users with almost no relevant information about the number of requests – while many people might be comfortable with 1 NSL or FISA request for a certain company, they may not be comfortable with 999 requests.
Google chose to disclose its NSLs and FISA requests separately in batches of 1,000. The report indicates that there were 0–999 non-content FISA requests, 0–999 content FISA requests, and 0–999 NSLs for every 6-month period between January 2009 and June 2013, while the range of users and accounts affected by the requests varied from the 0–999 range to the 12,000–12,999 range.
The coarse granularity of these transparency reports makes them more translucent than transparent. These lackluster efforts by the government to reform surveillance transparency reports are an unpromising start to President Obama’s pledge made during his 2014 State of the Union address. Obama said that he “will reform our surveillance programs because the vital work of our intelligence community depends on public confidence, here and abroad, that privacy of ordinary people is not being violated.” Even though the surveillance measures help to deter and sometimes stop terrorist attacks, we must be careful as a nation to not trample our own laws in the Constitution to do so.
The deal was intended to help the NSA regain the public’s trust in its surveillance programs. What the government really needs is stricter rules regarding the circumstances under which it can demand private data from companies. This would allow investigations of serious national security threats to continue while respecting the reasonable warrant clauses in the Fourth Amendment and PATRIOT Act. While threats to national security should be taken seriously, the quantity of National Security Letters to companies is concerning. AT&T alone was forced to give information on between 4,000 and 4,999 customer accounts in 2013. Are there more than 4,000 AT&T clients that pose a threat to national security? This scale of surveillance is strikingly similar to that of the Second Red Scare in the 1950s – giving up privacy for large-scale surveillance only reinforces the distrust between citizens, companies, and the government that the surveillance revisions were originally meant to address.