Updated FISA Legislation

On May 14, 2020, the United States Senate voted to renew surveillance powers of the Foreign Intelligence Surveillance Act (FISA). If approved by the House and President Trump, the renewal means U.S. law enforcement can access significant personal information.

The United States enacted FISA in 1978, during the Cold War. The Act gives more power to investigators for gathering evidence on threat actors. In 2001, the act received a boost with the passing of the Patriot Act, allowing surveillance of U.S. residents. The Patriot Act also permitted access to digital data and record types that had not existed in 1978. Since then, the majority of the Patriot Act provisions were renewed in 2015, under the Freedom Act. A breakdown of the Patriot Act, Freedom Act, and FISA provides more details on the laws and how they’ve evolved.

What does FISA’s renewal mean for residents of the United States? What types of information can government investigators see under FISA? Are there measures users can take to proactively protect their privacy? Assuming FISA gets House approval, here’s what to keep an eye on.

What Information Can Law Enforcement Access under FISA? 

It’s one thing to know that U.S. law enforcement can access ‘intelligence’ of suspects and suspected groups. It’s another thing to understand how much information FISA opens the door to. With the Act’s renewal, investigation groups including the FBI, NASA and the CIA may access:

  • Physical records and documents: both in the home of suspects with a warrant, and records maintained by third-party agencies. 
  • Wiretapped communications, including call records, emails, voicemails and Video over IP providers such as Zoom or Skype. A new ‘roving wiretap’ authority enables surveillance against those who frequently change their phones. However, according to USA Today, restrictions have been added against the collection of GPS locations from call providers. 
  • Your online viewing habits and search queries. One item of debate with FISA was the possibility of an amendment to expressly forbid the collection of internet browsing history. According to Sara Morrison with Vox, this amendment was defeated by a single vote. 
  • Third-party records of suspect activity or suspect groups. These can include academic records from universities, lawyers, and even physicians. While HIPAA protects patient privacy, Section 164.510 allows for record disclosures under court order.  Library records, on the other hand, are exempt. In Libraries and the US Patriot Act, Values in Conflict, Chris Matz notes that thanks to resistance from librarians, the federal government has specifically cited them as exempt from National Security Letter requests.

What about the Call Records Program?

There’s one spot of good news with FISA’s renewal: in an analysis of FISA’s updates on Lexology, the organization Holland & Knight LLP notes the bill will now repeal authority for the collection of call detail records. That’s a very good thing: call detail records were used by NSA’s former call records program. The metadata collection previously permitted included who calls were made to and from, their duration and their date.

How Can I Protect My Privacy?

Against an outline of FISA’s significant power, it’s easy to feel overwhelmed. The information accessible to officials is staggering. However, it is important to remember two things.

First, the FBI cannot simply walk into your home and grab personal information. ‘Sneak and Peek’ searches, which allow officials to secretly search premises and alert the owner after the fact, have been unconstitutional since 2007. Many other searches, such as requests for third parties to hand over information, do need a warrant. This puts due process in place, although it rarely protects information. Statistics from the Electronic Privacy Information Center show warrant requests are rarely rejected. Whether individuals will be notified that their information was accessed is up to third parties. As of the Freedom Act, companies are no longer bound by a gag order not to disclose releases.

Second, there are ways you can proactively protect your privacy and limit unauthorized spying. There are a number of tools and security best practices that can safeguard the integrity and confidentiality of your information.

Private Browsing & Its Limitations

The first thing many users turn to when protecting their browsing history is the ‘private browsing’ mode of their browsers. Certainly, it does offer some protection. Private browsing disables web cookies, which can track users across different websites. Private browsing also disables browser histories. Using a browser’s private mode means there’s no record in the browser of viewing activity on the user’s device. Some browsers, including Firefox Focus, are set up with private browsing by default.

But beware: private browsing does not mean total privacy. Private browsing cannot protect the privacy of data collection off your device. Websites may be collecting personal information as part of the site’s analytics. This can include your IP address, country of origin, when you view particular pages, click on items, and how long you stay on the site. 

Another flaw of private browsing is that it cannot hide your web habits from internet service providers (ISPs). Unless you access the web over an encrypted connection, your ISP can see the data flow on its network. With private browsing, “it’s still very possible to see what you’ve been doing,” comments Lee Mathews with Forbes. “Routers, firewalls, and proxy servers could be keeping tabs on your browsing activities, and private browsing mode won’t get in the way of that.” This is why protecting privacy against browser surveillance requires more robust solutions.  

Check Your Phone Settings for Data Sharing

Many smartphone applications collect personal information when in use. Although law enforcement is restricted on GPS data from providers, there are no specifications limiting requests to third-party app developers. Depending on your phone and the application, it may be possible to limit the data you share.

If you have a phone using iOS, go to Settings > Privacy. Here, you’ll see a list of types of data applications request, including Location Services, Contact and Photos. Tapping a data type, you can set permissions for which apps can access the data. In the case of Location Sharing, you can turn off access to the data type.

If on Android, try Settings > Accounts. Depending on the app and account, you may have options to personalize settings and add more privacy. For example, clicking on Accounts > Google will bring up an option to “Manage your data and personalization.”

Unfortunately, turning off tracking alone rarely prevents your phone from leaking where you are. Google apps, for example, may still store your time-stamped location data, according to Marrian Zhou and Richard Nieva with CNET. Chris Smith with BGP notes that even with location off, Facebook can pinpoint your whereabouts with IP addresses, Wi-Fi and Bluetooth. In other words, turning off location data is only the start.

Lock Everything and Keep Device Security Up-To-Date

The jury is still out on whether law enforcement should have permission to access locked devices. As Zac Freeland with Vox writes, it’s a complex issue that depends on a patchwork of laws and court decisions, many of which predate the technology. Law enforcement may, for example, have a warrant to use specialized password cracking tools like GrayKey and Cellebrite. They may not even need access to your device at all, if the information they want is stored in the cloud. But locking down your devices can still make things more difficult, and can certainly protect data from the eyes of those without the legal or technical know-how to crack it open. Likewise, if your system or device is up to date, it becomes harder for third parties to install spyware or remotely access the system by a back door.

When Messaging, Use a Service with End to End Encryption

Texting friends? Short message systems, including those built into smartphones, are very popular. Texting is a quick and efficient way to communicate with another party, particularly if there’s no need for detail. Unfortunately, texting also has a privacy disadvantage. Others can intercept those messages, either when sent or when collected in a log. Jas Dhaliwal with Avast explains: “The problem is that SMS sends your data unencrypted, so if your texts are ever compromised, they can be read right away.” To protect the privacy of your texts, you’ll want End to End Encryption (E2EE). This means sending an encrypted message that only the intended receiving party can decrypt.

Fortunately, you have lots of options. Among them is Signal, a cross-platform messenger popular with privacy advocates. Other options include Viber and Telegram. Even the well-known WhatsApp offers E2EE, although the application has had vulnerabilities in the past.

Remove Sensitive Information From Phone Bills

While the Call Records Program may be on hold, there’s still a lot of information that can be accessed by looking at your phone bill. The Consumer Federation of California recommends contacting your telecommunications provider. Ask them to remove call details from your bills, including duration, numbers that dialed in and the number you dialed from.

Check Your VoIP Settings and Turn off Recordings

Many VoIP providers, including Zoom and Skype, permit the recording of video conference calls. In some industries like customer service, this capability is extremely valuable. It allows for analysis if things go wrong, evidence of decisions, or may even be part of staff training. But there’s a downside: thanks to FISA, if digital recordings of the call exist, law enforcement can make a request.

Check with your VoIP provider on how to turn off call recording and, when calling others, ask that they do the same. If using VoIP to call a service, ask if the call will be recorded. In some industries and locations, the organization may ask for consent before proceeding with the call. According to the American Physical Therapy Association, for example, some states require consent before VoIP may be used in healthcare.

Encrypt Documents and Devices

Encryption is a must-have for privacy protection: both protecting devices and documents at rest, and when data is in transit. In a nutshell, encryption is like locking your information in a safe no one can open unless they have the key. With encryption, information is unreadable to unwanted parties, unless they have the key to decrypt the data. As Kayla Matthews with the Smart Data Collective writes:

“On a smartphone, for example, encryption apps can make it virtually impossible, or at least exceptionally challenging, for any unauthorized person to access your information.”

Encryption is also very easy to employ. Most hardware, software and applications support encryption of data, with many offering it as an option to their users. Depending on the provider, you can choose to encrypt sensitive documents, emails, VoIP calls, portable devices, and texts.

Comparitech offers a number of guides to help you understand more about encryption types and how they can be employed. 

Use a VPN or Tor

Want to protect all information in transit, hiding it from unwanted third parties and your online provider? There’s a reason why Virtual Private Networks, or VPNs, are increasingly popular. VPNs establish a secure, encrypted tunnel between your device and the server you wish to access. For third parties attempting to listen in, the encryption makes any information unreadable. VPNs can also hide critical data, such as location, or connect to proxy servers, keeping your identity hidden.

Be sure, however, to do your homework before selecting a provider. Writing for Mashable, Monica Chin notes that free VPNs are notorious for selling the data that moves across their network, and even some paid VPNs maintain user logs. 

Tor encrypts information much like a VPN, but takes privacy a step further by making the digital trail untraceable. Dennis Anon with Privacy.Net explains it like this:

“When a user is connected to Tor (often through the Tor browser), their outgoing internet traffic is rerouted through a random series of at least three nodes (called relays) before reaching its destination (the website the user wants to visit). Your computer is connected to an entry node, and the final node traffic passes through is the exit node, after which it reaches its destination (the website you want to visit). Incoming traffic is rerouted in a similar manner.”
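The relay chain described in the quote can be sketched as a toy three-hop "onion" in Python. This is an added example, not code from the original article or from the Tor Project; the relay names, keys, destination and the SHA-256 keystream cipher are constructed for illustration, whereas real Tor negotiates a separate key with each relay and uses vetted ciphers. It shows that each relay can remove only its own layer and learns only the next hop.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only, not for real use."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

# Constructed circuit: entry -> middle -> exit, one key shared with each relay.
CIRCUIT = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]

def build_onion(circuit, destination: str, payload: str) -> bytes:
    """Client side: wrap the request once per relay, innermost layer for the exit."""
    hops = [name for name, _ in circuit[1:]] + [destination]
    cell = payload.encode()
    for (_, key), next_hop in reversed(list(zip(circuit, hops))):
        layer = json.dumps({"next": next_hop, "data": cell.hex()}).encode()
        cell = keystream_xor(key, layer)
    return cell

def relay_peel(key: bytes, cell: bytes):
    """Relay side: remove one layer; the relay sees the next hop and an opaque blob."""
    layer = json.loads(keystream_xor(key, cell))
    return layer["next"], bytes.fromhex(layer["data"])

def route(circuit, cell: bytes):
    """Pass the cell along the circuit and record what each relay could observe."""
    seen = []
    for name, key in circuit:
        next_hop, cell = relay_peel(key, cell)
        seen.append((name, next_hop))
    return seen, cell.decode()

if __name__ == "__main__":
    onion = build_onion(CIRCUIT, "example.org", "GET /")
    observations, delivered = route(CIRCUIT, onion)
    for relay, next_hop in observations:
        print(f"{relay:6} forwards to {next_hop}")
    print("destination receives:", delivered)
```

Only the exit relay sees the destination, and only the entry relay sees who sent the cell, which is why no single relay can link the two.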

To date, Tor is not illegal in the United States. For more information, see Best VPNs for Tor users to maximize privacy.

Consider Servers Outside The United States

While FISA offers law enforcement more power to access information, it’s still limited by a significant obstacle. FISA only applies to data stored in the United States. In some cases, moving your data to servers outside the United States will take it outside FISA jurisdiction, although beware: it depends on the company you’re dealing with.

For example, since FISA’s renewal became public, encrypted email provider ProtonMail is reminding its user base via Twitter that their emails are still secure. ProtonMail, after all, is an encrypted email provider that uses servers in Switzerland. On the other hand, international cloud companies with operations in the U.S., including Microsoft, Google and Amazon, don’t always have the option of saying no.

In 2018, the U.S. enacted the CLOUD Act. Zhenya Mocheva with CloudSigma writes that the CLOUD Act “allows federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.”

A word of caution, however: if using servers outside the United States, check the laws where the server is located. An email platform with servers in China, for example, is under no obligation to share intelligence with the FBI… but that information would be accessible to Chinese authorities under the Cybersecurity Law of the People’s Republic of China. Taking data outside of FISA’s jurisdiction, after all, does not limit the surveillance laws of other countries that apply to information entering or leaving their borders.