With the 20th anniversary of 9/11 having recently passed, this article aims to briefly outline the history of the post-9/11 data surveillance apparatus operated by the United States, how it impacts the international community, including Australia, and whether the surveillance apparatus has been effective in preventing further terrorist attacks.
In the immediate aftermath of the 9/11 terrorist attacks, the United States Congress enacted sweeping legislation that expanded the counterterrorism data surveillance framework in direct response to perceived intelligence shortfalls. The Foreign Intelligence Surveillance Act 1978 (FISA) is the principal piece of legislation underpinning most surveillance activities conducted by the US globally. However, three critical pieces of legislation amended FISA post-9/11: the USA PATRIOT Act 2001, FISA Amendments Act 2008 and USA FREEDOM Act 2015. These provided various government entities, including the National Security Agency (NSA), broader data surveillance powers across existing and emerging communication technologies. The acceptance and proliferation of bulk data surveillance was largely unchallenged until 2013 when Edward Snowden, an NSA contractor, disclosed documents which exposed the true scope of the US intelligence community’s data surveillance activities.
The US Data Surveillance Framework
Under FISA, a specialised secret court, the FISA Court (FISC), was established to hear applications for various surveillance warrants and activities related to classified information. The purpose behind this was to reduce potential unauthorised disclosures and avoid typical procedural or evidential requirements. The FISC is composed of Federal District Court judges who are appointed by the Supreme Court Chief Justice and serve seven-year terms. Application hearings are typically conducted secretly and ex parte before a single judge with at least one judge available 24/7 to authorise emergency applications.
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001 (PATRIOT Act) was enacted in October 2001 immediately following 9/11 and was the first major expansion of communications surveillance since 1978. Regarding bulk data surveillance, section 215 allowed specified government entities to require the production of ‘business records’ or ‘any tangible thing’ from any legal person subject to US jurisdiction for an investigation to protect against international terrorism or clandestine intelligence activities. Upon application, a FISC judge could make an ex parte order which compelled listed persons to release any specified records. These orders facilitated bulk surveillance since the requirement for investigating international terrorism was general and interpreted as not requiring identification of a specific investigation.
FISA Amendments Act 2008
The FISA Amendments Act 2008 introduced section 702, which allows the FISC to grant orders for collection of broader datatypes, including internet communications, without targeted non-US persons being specifically identified. This provision was justified on two grounds. First, technological changes (notably widespread internet communications) demanded that surveillance authorities be technology-neutral, thereby allowing for ‘platform hopping’, which refers to tracking targets and collating data across numerous communication channels. Second, existing legislation did not draw a distinction between US persons with constitutional protections under the Fourth Amendment and non-US persons who were not constitutionally protected. Without this distinction, resource-intensive legal processes were being unnecessarily applied to surveillance of non-US persons to ensure operations were constitutionally sound in case US persons were ‘incidentally’ surveilled. Section 702 was due to expire at the end of 2012 but was extended until December 2017.
In 2013, the Guardian revealed two broad surveillance programs conducted by the NSA based on unauthorised disclosures of classified documents by Edward Snowden:
- Call Detail Records (CDR) Program – This involved the collection of bulk telephone metadata (not recordings of call conversations) including date, time, duration, location, text records and participating phone numbers. Under section 215 at the time, FISC orders allowed the NSA to indiscriminately collect nearly all CDRs generated by specified telecommunication companies and subsequently retain and analyse these CDRs for extended periods of time. This program captured both foreign and wholly domestic communications. Reports indicate the NSA CDR Program has been non-operational since 2019 (at 354).
- PRISM and Upstream – PRISM involved selector terms (including ISP or email addresses) being sent to communications providers who were forced to disclose communications relating to selector terms. The NSA received all PRISM data and select portions were passed onto the CIA and FBI. Upstream targeted communications infrastructure operators and, under FISC orders with selector terms, compelled ‘back-door access’ to stored communications data held by major US technology companies including Google, Microsoft, Facebook and Apple.
The Uniting and Strengthening America By Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act 2015 (FREEDOM Act) became law in June 2015. It was passed in response to the Snowden affair and attempted to address perceived issues with the NSA’s bulk surveillance activities. The Act prohibited bulk CDR programs by amending section 215. It also required that applicant agencies seeking ongoing disclosure orders must demonstrate to FISC that:
- there are reasonable grounds to believe that the records sought are relevant to investigations (based on specific selector terms); and
- there is a reasonable, articulable suspicion that the specific selection terms are associated with a foreign power, or an agent, engaged in international terrorism or activities in preparation thereof.
As of 2021, section 702 continues to validly authorise numerous surveillance operations and section 215 expired in March 2020 having not been reauthorised by Congress.
The continued operation of section 702 means that, regardless of location, internet and telecommunications are capable of being subject to US data surveillance. This is particularly the case when services are provided by US-headquartered companies or rely on US-based servers. All communications of non-US persons are potentially subject to both targeted and bulk surveillance.
Jurisdictions such as Australia, which have historically had limited (if any) personal data protections for cross-border transfers, are particularly vulnerable. Additionally, Australia has recently passed the Telecommunications Legislation Amendment (International Production Orders) Act 2021 (Cth) which facilitates further US access to personal data through international production orders. Australia’s willingness to facilitate US surveillance stands in stark contrast to the approach in the European Union which, through the General Data Protection Regulation and recent Schrems II decision of the CJEU, has substantially restricted the capacity both for businesses to export data and for US agencies to conduct surveillance operations legally within the EU.
Given that the US and Australia appear wedded to continued international data surveillance programs, it is worth questioning whether such programs have actually been effective in achieving stated objectives – namely prevention of terrorist attacks and improved national security. In the aftermath of the Snowden Affair, the Privacy and Civil Liberties Oversight Board (PCLOB) was established to conduct investigations into the legality, operations and results of US surveillance activities. Despite section 215 programs operating for 13 years, the PCLOB concluded in 2014 that ‘…we have not identified a single instance involving a threat to the US in which the [CDR] program made a concrete difference in the outcome of a counterterrorism investigation’ (p 11).
A second report, released in 2020, evaluated the CDR program conducted between 2015 and 2018. It found that despite collecting over a billion individual records, the information obtained only led to one incident of the FBI opening an investigation (p 2). Other NSA reports provided mostly redundant information (p 80). Hence, across the 18 years of section 215’s operation, no information was gathered which directly prevented a terrorist attack or provided meaningful information that had not been obtained through other means.
Compared to the conclusions on the effectiveness of section 215, the PCLOB found section 702 programs collect information that has ‘been valuable and effective in protecting the nation’s security and producing useful foreign intelligence’ (p 2). The PCLOB observed section 702 programs ‘led to the discovery of previously unknown terrorist plots directed against the US’ and ‘enabled the thwarting of specific terrorist attacks’ (p 109). An example is communications surveillance of ISIS’s second-in-command, Haji Iman. The US intelligence community spent over two years searching for Iman and was ultimately successful in locating him based almost exclusively on intelligence gathered under section 702. Information from section 702 bulk surveillance was the catalyst that identified approximately 30 previously unknown terrorist operatives and/or plots between 2008 and 2014. Section 702 has helped the US intelligence community learn about the ‘membership, leadership structure, priorities, tactics, and plans of international terrorist organizations’ (p 107).
On balance, it appears that US data surveillance is somewhat effective in achieving global counter-terrorism security objectives and, by virtue of operating for 20 years, is a necessary evil of the post-9/11 world. However, this does not mean that the proportionality to risk or appropriateness of the breadth of data surveillance programs conducted by the US against non-US persons should not be challenged. The continued concentration of and reliance on data surveillance activities conducted by the US should be a concern for the international community, including Australia. It diminishes local capabilities and unnecessarily exposes Australians’ personal data to excessive US surveillance in a way which is not proportionate to the terrorism risk currently faced.
Tooru Nishido holds a Bachelor of Laws (Honours I) and Bachelor of Economics from the University of Queensland with an academic research background focussing on the intersection of technology, data and national security.