How the US conducts surveillance and investigation of electronic communication media–particularly the internet–is largely shaped by three pieces of legislation:
- Foreign Intelligence Surveillance Act (FISA)
- Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act)
- Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring Act (USA FREEDOM Act)
To give a very brief history, FISA was enacted in 1978–before the proliferation of the internet–and governed both the physical and electronic surveillance of primarily foreign powers and agents.
The Patriot Act, enacted shortly after the September 11, 2001 terrorist attacks, was essentially an amendment to FISA that expanded surveillance to individuals not directly linked to terrorist groups.
Many of the most controversial parts of the Patriot Act, particularly those dealing with bulk surveillance, expired in 2015 but were renewed in part or whole through the Freedom Act.
This FAQ will hopefully answer all of your questions about these three important pieces of legislation and how they affect online privacy.
- 1 What is FISA?
- 2 What is the Patriot Act?
- 3 What is the Freedom Act?
- 4 2020 Freedom Act reauthorization
- 5 What kinds of surveillance are authorized under FISA, the Patriot Act, and the Freedom Act?
- 6 Why are Patriot and Freedom Acts dangerous?
- 7 Are the Patriot and Freedom Acts effective at preventing terrorism?
- 8 How is the Freedom Act different from the Patriot Act?
- 9 Do the Patriot/Freedom Acts distinguish between US citizens and foreigners?
- 10 Do the Patriot and Freedom Acts cover investigations that do not deal with terrorism?
- 11 How does the NSA use the Patriot and Freedom Acts?
- 12 How does the FBI use the Patriot and Freedom Acts?
- 13 How does the CIA use the Patriot and Freedom Acts?
- 14 Which provisions of the Patriot and Freedom Acts were ruled unconstitutional?
- 15 What changes were made to the Patriot Act in 2006?
- 16 Which parts of the Patriot and Freedom Acts are permanent, and which parts must be reauthorized?
- 17 What is the FISA court (FISC)?
- 18 What is metadata?
- 19 How do I protect myself from government spying?
What is FISA?
The Foreign Intelligence Surveillance Act, passed by Congress in 1978, lays out the procedures for physical and electronic surveillance of foreign powers and agents. That includes US citizens and permanent residents suspected of espionage or terrorism.
The act provided judicial and congressional oversight of spying activities by intelligence agencies on foreign entities and US citizens suspected of working with them. Perhaps most importantly, it officially removed the need for a court order to spy on foreign powers. Judicial authorization is required to spy on a US citizen, but only within 72 hours after such spying has already begun.
To use FISA, a government entity must have probable cause that the subject is a foreign power or an agent of a foreign power.
FISA lays out guidelines for electronic surveillance (read: phone tapping), physical searches, access to business records, pen registers, and trap and trace devices.
What is FISA Section 702?
Section 702 is part of the Foreign Intelligence Surveillance Act added as an amendment in 2008. It allows intelligence agencies to collect foreign intelligence from non-Americans located outside the United States. But under the surveillance authority set up under this section, many Americans also have their communications swept up by surveillance programs operated by the FBI and NSA. The EFF argues this violates the Fourth Amendment’s protection against unreasonable searches and seizures.
FISA Section 702 came under the spotlight in late 2017 and early 2018, when it was up for renewal. After the House of Representatives voted to reauthorize Section 702, President Donald Trump alleged the act might have been used to spy on his election campaign. He reneged later that same morning, stating that the surveillance is necessary.
If Section 702 is not reauthorized by Congress, the surveillance programs under which it operates must shut down. These include the collection of emails and phone calls without a warrant.
Section 702 is not bulk collection, and by law it can only target non-US citizens outside of the United States. But Americans’ data can be gathered as part of “incidental collection.” To put it simply, if an American is communicating with anyone non-US citizen outside of the United States, their conversations can be monitored and recorded. This incidental collection is the major sticking point among privacy advocates, including the EFF and ACLU.
What is the Patriot Act?
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act was rushed through Congress and signed into law by George W. Bush shortly after the 9/11 terrorist attacks on October 25, 2001. The law covers a broad range of subjects including border security, detention of immigrants, funding for counter-terrorism, and, of course, surveillance.
Title II of the Patriot Act amended FISA and greatly expanded the scope of surveillance allowed under US law. Foreign intelligence information could now be gathered from both Americans and foreigners. Government agencies no longer needed to prove that a target is an agent of a foreign power. The maximum duration of surveillance and investigations were lengthened.
Any district judge in the United States could issue surveillance orders and warrants for terrorism investigations. The FBI gained access to stored voicemail through search warrants. The definition of wiretapping expanded to include communication over the internet and other electronic “packet switching” networks.
- Sneak and peak warrants came into existence with the passing of the Patriot Act, which allowed law enforcement to break and enter a premises without the owner’s consent and stealthily search the premises. Law enforcement can notify the receiver of the warrant after the fact.
- Roving wiretaps were implemented. A roving wiretap removes the need for a new surveillance order if a suspect throws away their phone or moves to a new address, for instance. It could also expand the scope of an investigation so that anyone who comes into casual contact with a suspected terrorist can be wiretapped.
- Under the Patriot Act, the FBI can order a person to produce documents to protect against terrorists or foreign spies without a court order. These documents range from business records to library registers.
- Intelligence agencies could conduct investigations on lone wolves. A lone wolf is a person suspected of engaging in terrorism-related activities but without any ties to terrorist groups.
What is the Freedom Act?
Many of the most controversial parts of the Patriot Act listed above were set to expire in 2015. The day before they expired, Congress passed the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection and Online Monitoring Act.
The USA Freedom Act renewed many of those expiring provisions through 2019, albeit with some new limits concerning bulk interception on telecommunication metadata about US citizens. Congress implemented these limits in reaction to Edward Snowden’s disclosures about bulk surveillance by the NSA on both US and foreign citizens, which prompted a public backlash against the agency.
The act reauthorized roving wiretaps and tracking of lone wolf terrorists.
While the legislators in support of the act argued the Freedom Act would reign in the power abuses allowed under the Patriot Act, many critics including privacy advocates say it will do little to change the overall surveillance situation in the United States.
Several key surveillance components of the Freedom Act were due to expire on December 15, 2019. But because Congressional attention was diverted to the COVID-19 pandemic, those provisions temporarily lapsed until May 2020.
The expiring components included the lone wolf and roving wiretap provisions. In May 2020, those provisions were expected to renewed by Congress until 2023. However, Trump withdrew his support and said he’d veto the bill due to concerns over allowing intelligence agencies too much freedom to investigate political campaigns. The House of Representatives withdrew the bill and are expected to propose a new one as of time of writing.
Three key amendments were proposed, two of which passed at least one chamber of Congress. None have been signed into law yet.
- One amendment in the re-authorization bill now requires the secretive FISA courts to allow a privacy watchdog participate in some of the surveillance deliberations. The amendment came in response to allegations that the FISA court was too lenient in granting approval to spy on associates of the 2016 Trump campaign. The amendment passed with bipartisan support.
- The second amendment stipulates the FBI may not seek FISA-authorized orders to obtain call detail records on an ongoing bases, a tangible thing where a warrant would typically be required, or cellular or GPS location information. It also requires the Department of Justice receive any information that might raise doubts about a FISA surveillance applications. Lastly, it broadens the criteria for when surveillance decisions made by a FISA court are declassified and requires the court’s opinions be declassified within 180 days.
- The failed amendment would have excluded web browsing histories and search queries from Section 215, which gives the FBI the authority to obtain “any tangible thing” without a warrant. It failed to pass in the Senate despite a majority 59 votes in favor, with four Senators missing the vote due to circumstances related to the COVID-19 pandemic. However, the amendment above could be interpreted to cover browsing histories and search queries.
Here are a few of the key forms of surveillance authorized under FISA, the Patriot Act, and the Freedom Act:
- Records searches expand the government’s ability to look at records on an individual’s activity being held by third parties.
- Secret searches expands the government’s ability to search private property without notice to the owner.
- Intelligence searches expand a narrow exception to the Fourth Amendment that had been created for the collection of foreign intelligence information.
- “Trap and trace” searches expands another Fourth Amendment exception for spying that collects “addressing” information about the origin and destination of communications, as opposed to the content.
- Physical searches and telecommunication surveillance are both authorized under the Patriot Act, Freedom Act, and FISA.
- Telecommunication surveillance includes wiretapping phones, accessing voicemail, intercepting emails and text messages, and wiretapping VoIP calls (such as Skype).
- The FBI can force doctors, libraries, bookstores, universities, and Internet service providers to hand over information on their clients and customers.
Roving wiretaps, sneak-and-peak warrants, national security letters, and lone wolf surveillance are among the most controversial provisions set out in the Patriot Act.
Why are Patriot and Freedom Acts dangerous?
FISA, the Patriot Act, and the Freedom Act include many provisions that are arguably unconstitutional, specifically violating the First and Fourth Amendments.
In terms of the First Amendment, which guarantees freedom of speech, law enforcement under the Patriot Act can prohibit the recipients of a search from telling others about the search. Furthermore, the FBI can authorize investigations of American citizens for exercising their freedom of speech, such as writing an editorial or reading a certain book.
As for the Fourth Amendment, which stipulates the government cannot conduct a search without a warrant and probable cause, both of those stipulations are effectively out the window when it comes to much of the bulk interception data collected. Law enforcement also no longer needs to provide prior notice to the recipient of a warrant before searching their property.
Beyond the constitutional implications, FISA, the Patriot Act, and the Freedom Act also grant law enforcement a huge amount of unchecked power without any judicial review. Targets of an investigation no longer need to be agents of a foreign power, nor do authorities require probable cause. Judges do not have the authority to reject applications for such investigations.
Are the Patriot and Freedom Acts effective at preventing terrorism?
The government hasn’t been able to provide any examples where the NSA’s bulk data collection played a key role in thwarting a terror plot. Multiple reviews of the program by groups and individuals with access to classified information concluded the program isn’t as much of a boon to national security as its defenders claim.
An opinion piece co-authored by a US Congress Senator and Representative, published in Politico, described the reasons for reigning in bulk surveillance activities in the Patriot Act when passing the Freedom Act:
“The intelligence community has failed to justify its expansive use of [the FISA and Patriot Act] laws. It is simply not accurate to say that the bulk collection of phone records has prevented dozens of terrorist plots. The most senior NSA officials have acknowledged as much in congressional testimony. We also know that the FISA court has admonished the government for making a series of substantial misrepresentations to the court regarding these programs. As a result, the intelligence community now faces a trust deficit with the American public that compromises its ability to do its job. It is not enough to just make minor tweaks around the edges. It is time for real, substantive reform.”
How is the Freedom Act different from the Patriot Act?
The Freedom Act extends many of the would-be expired provisions of the Patriot Act, but with more limitations due to public scrutiny in the wake of the Edward Snowden revelations regarding bulk surveillance and interception.
Under the Patriot Act, law enforcement agencies can collect business records–phone logs, flight manifests, and much more–so long as it was “relevant” to a national security investigation. This power was abused by the NSA in particular to collect huge troves of phone records to find links between suspects. Proponents argued that such a huge database was necessary in order to spot patterns that could lead to the prevention of terrorist acts. The government has not been able to provide any examples of where such bulk surveillance played a key role in stopping a terrorist plot.
Public backlash against bulk surveillance of American citizens prompted changes in the Freedom Act. The NSA and other agencies can now only request company records regarding a specific person, account, or device. The agency must show that the entity is associated with a foreign power or terrorist group.
The Freedom Act also requires intelligence agencies to be more transparent about the data they are collecting. Tech companies are no longer subject to gag orders that prevent them from informing customers when their private data is given to the feds.
Finally, the Freedom Act allows citizens to lobby FISC, the surveillance-specific court set up under FISA. Those civil liberties advocates can force the government to declassify major opinions from FISC judges.
While the Freedom Act is an improvement on the Patriot Act in terms of individual liberty and privacy, it still does not go far enough. The government can still bend the rules to collect information on a large scale. The lone wolf and roving wiretap provisions were effectively renewed and left untouched.
Do the Patriot/Freedom Acts distinguish between US citizens and foreigners?
When FISA was first instituted, it focused solely on foreign powers and agents of foreign powers. While an agent of a foreign power could conceivably be a US citizen, a law enforcement or intelligence agency would have to show probable cause before investigating them. Spying on a US citizen or permanent resident required judicial authorization within 72 hours after an investigation begins.
The Patriot Act expanded FISA to include terrorism on behalf of groups not specifically backed by a foreign government. That includes US citizens suspected of terrorism.
Under the Patriot Act, a government agency can force any US citizen or company to divulge records that they own or have access to. Obviously, it cannot do the same for foreign companies. The American government can, however, force an American residing abroad to divulge information and subsequently require they don’t disclose these actions.
Information that travels across borders, either due to outsourcing or establishing servers in other countries, also falls under the jurisdiction of the NSA. This eventually caused the collapse of the Safe Harbour agreement between the US and Europe following the Snowden revelations. Safe Harbour ensured that information travelling between the US and EU would fall under the same strict privacy protections, but the NSA violated this stipulation by collecting bulk data owned by foreign citizens.
Do the Patriot and Freedom Acts cover investigations that do not deal with terrorism?
Yes. In the 10 years following the enactment of the Patriot Act, the Washington Post reports it was used in 1,618 drug-related cases and only 15 terrorism cases. By 2014, out of over 11,000 sneak-and-peak warrant requests, only 51 were used for terrorism.
How does the NSA use the Patriot and Freedom Acts?
In 2006, after the Patriot Act got a bit of an overhaul (see below), the National Security Agency used it to justify bulk metadata collection of phone records for millions of Americans. After the Freedom Act reformed the Patriot Act in 2015, this program should be reigned in to an extent so that subjects of surveillance must be somehow linked to terrorist activities.
The NSA also uses the Patriot Act to force tech and telecommunication companies to hand over private information. Under the law, the NSA can bar the recipient of the warrant from discussing the warrant with anyone. The Freedom Act in effect removed such gag orders.
How does the FBI use the Patriot and Freedom Acts?
The Federal Bureau of Investigation (FBI) can search telephone, e-mail, and financial records without a court order. Law enforcement agencies’ access to business records, including library and financial records, expanded.
The FBI availed of sneak-and-peek warrants, roving wiretaps, and access to documents that reveal the patterns of U.S. citizens.
How does the CIA use the Patriot and Freedom Acts?
Unlike the FBI, the CIA is technically an intelligence agency and not a law enforcement agency, and it primarily focuses on foreign powers. Even so, the Patriot Act permits gathering information on U.S. citizens from school records, financial transactions, internet activity, telephone conversations, information gleaned from grand jury proceedings, and criminal investigations to be shared with the CIA.
This information can be shared with the CIA from the FBI or NSA without a court order.
The Patriot Act also gives the head of the CIA power to manage the collection of intelligence information gathered in the US.
Which provisions of the Patriot and Freedom Acts were ruled unconstitutional?
A federal judge in New York ruled that a key component of the USA Patriot Act is unconstitutional because it allows the FBI to demand information from Internet service providers without judicial oversight or public review. Specifically, the court ruled against the use of “national security letters” (NSL), which do not require court orders and prohibit targeted companies from discussing the demands made of them.
A panel of federal judges on the Second Circuit Court of Appeals ruled the NSA’s bulk data collection program is not authorized under the Patriot Act. The judges ruled that the law doesn’t allow the government to collect domestic phone records.
In 2007, a judge ruled sneak-and-peak warrants unconstitutional after a wrongly-jailed suspect of the Madrid train bombings had his home secretly examined by the FBI.
What changes were made to the Patriot Act in 2006?
The Patriot Act was renewed and revised by Congress in 2006. It added more judicial oversight, granting recipients of subpoenas the right to challenge an order not to discuss the case publicly. Still, recipients had to wait a year and comply with the subpoena in the meantime. This was further revised in the Freedom Act in 2015 (see above).
The 2006 revisions stopped the FBI demanding the names of lawyers hired by recipients of government requests for information.
Libraries were no longer subject to requests for records.
Information sharing between law enforcement and intelligence agencies was expanded.
Strict punishments were imposed on crew members who impede law enforcement officers trying to board their ships.
After the Patriot Act was renewed, the NSA used it to justify bulk metadata collection of phone records of millions of Americans. The NSA was already doing this to some extent prior to the renewal, but it did not justify its actions under the Patriot Act until 2006.
When the Patriot Act was renewed in 2006, 14 out of 16 of its provisions were made permanent.
Roving wiretaps, tracking of lone wolf terrorists, and the power to demand records from businesses and institutions must be reauthorized by Congress every four years. These provisions now fall under the Freedom Act rather than the Patriot Act.
What is the FISA court (FISC)?
The United States Foreign Intelligence Surveillance Court is a federal US court set up under FISA. The court oversees law enforcement and intelligence agency surveillance and issues warrants to track and monitor foreign spies. Requests are most often made by the NSA and FBI, the bulk of which are kept secret.
As an example, a top secret order from the court was leaked by Edward Snowden. It required a Verizon subsidiary to provide daily call records, domestic and international, to the NSA.
The nature of the court’s business makes it a secret court, acting without anyone other than the government and judge present. This lack of transparency has led to heavy criticism about the court’s lack of oversight. It has been known to rubber stamp warrant requests, though supporters deny that accusation.
What is metadata?
Metadata is information about the content of data, but not the contents of the data itself. When it comes to the Patriot Act, metadata often refers to information gathered through the NSA’s bulk surveillance program, most notably call records.
The NSA insists that it does not collect or analyze the calls themselves, but only the call metadata. That means it is not listening in on a call, but the agency does record the time, location, callers, devices, and other information on the general public, whether or not they have ties to terrorist groups. The most notorious bulk metadata collection program, PRISM, was run by the NSA.
When it comes to internet surveillance, metadata can include timestamps, IP addresses, devices, browser signatures, email addresses, and much more. Metadata does not include the content of internet traffic or communications such as emails or text messages.
How do I protect myself from government spying?
Protecting yourself against bulk surveillance requires a multi-pronged approach. Encryption is key. Encrypt your internet traffic, computer files, emails, and other communications. Encryption scrambles the contents of a file or message so only trusted parties can access it.
A good starting point is to employ a reputable VPN. A VPN encrypts all the incoming and outgoing traffic on an internet-connected device, then routes it through a middleman server in a location of the user’s choosing. This creates a secure tunnel that the government cannot decrypt or trace.
Alternatively, you could opt for Tor. Tor is a free anonymous proxy service operated by volunteers around the world. You internet traffic is routed through multiple Tor “nodes”, which change randomly upon each web page request. Tor is much slower than a VPN, but more anonymous. The easiest way to use Tor is by installing the Tor Browser. You can read up on how to do that and more on our Tor beginner’s guide.
Beyond that, check out our big list of free privacy apps that will guard your privacy against the government, corporations, internet service providers, and hackers.