Privacy SOS

The FBI is on the cusp of obtaining three extremely dangerous new powers

In recent months, the FBI has taken to the press and to congress to complain about how the increasingly widespread adoption of end-to-end encryption in commercial technologies like the iPhone and Whatsapp is resulting in an intelligence blackout, a process the feds call “going dark.” But three items in the news over the past few weeks make clear that the debate about encryption is only one aspect of a larger FBI campaign to expand its access to and exclusive control over huge quantities of extremely sensitive information about us. Despite FBI Director James Comey’s claims, the problem isn’t that the government has insufficient access to information about us; it’s that officials have too easy access to too much information. And soon, if we don’t act to stop these power grabs, the imbalance of power between ordinary people and the state—wherein the secretive intelligence agencies know everything about us while we know next to nothing about them—will grow worse.

If the FBI gets its way, it will soon possess expansive new authorities allowing agents to obtain and use sensitive biometric information about millions of people, get ahold of revealing details about our internet use without warrants, and hack into and remotely control our computers. The FBI’s history of flagrant, rampant, and unapologetic abuse and dishonesty strongly suggests that congress should reject these expansions of executive authority, but it’ll be up to us to make sure they choose liberty over fear. If the FBI’s is the only voice making noise about these issues, we are in for some really bad law.

FBI wants to exempt its massive biometrics database from the Privacy Act

Last month, the Department of Justice quietly published a proposed rule change that would exempt the FBI’s Next Generation Identification (NGI) database from the Privacy Act of 1974. The FBI’s NGI contains faceprints, fingerprints, iris scans, gait information, scent information, voiceprints, and other biometric data—as well as personal information and tattoos, markings, and scars—about millions of people throughout the United States. The database contains records from people who have been arrested, as well as from job applicants who undergo FBI background checks—that is, millions of people not convicted of crimes, let alone serious crimes. Biometric data are particularly sensitive because unlike addresses, passwords, and Social Security Numbers, you can’t easily change your face, gait, fingerprints, or voice. So if the FBI gets ahold of your biometric information, it’s got you for life.

Despite the seriousness of the government’s quest to collect all of this information about so many people, the DOJ now wants to exempt the FBI’s NGI database from the existing—albeit paltry and difficult to enforce—Privacy Act requirements. Namely, the DOJ wants to allow the FBI to:

  • Make judgments about people based on information in the database, even if it isn’t accurate, timely, or relevant;
  • Bar ordinary people from accessing information about them held in the NGI;
  • Bar people from correcting inaccurate information held about them in the NGI; and
  • Provide itself immunity so that ordinary people cannot sue if the FBI violates their rights or breaks the law using the NGI system.

As cities nationwide begin adopting facial recognition technologies, the FBI will undoubtedly put to great use its massive repository of information collected from arrestees, job applicants, and others unlucky enough to be included in its files. Whether or not the FBI should maintain such a system is a question we should debate. But at the very least, the FBI should be required to do due diligence to make sure the information is accurate—and should face legal consequences if it is not, or if the information is used in a way that violates the law. Congress must act to subject the FBI’s use of biometric data to far more scrutiny than even the Privacy Act requires, but at bare minimum, existing privacy law must apply to this extremely serious expansion of state power.

FBI wants access to your internet records without a warrant

Meanwhile, the FBI is seeking congressional authority to expand its power to use secretive ‘National Security Letters’ (NSLs) to obtain sensitive internet browsing information about people in the United States and abroad. NSLs are glorified administrative subpoenas, which is another way of saying “A piece of paper a prosecutor fills out and hands to a corporation, demanding information about you.” No judge ever sees the subpoenas, let alone approves them. For years, the FBI has been the target of criticism related to its use of NSLs, even from the DOJ’s own Inspector General. As my former colleague Michael German wrote for the ACLU in 2007, an Inspector General report found

that the FBI reported false information to Congress because poor internal management and a disturbing lack of accountability within the FBI make it impossible for anyone to know how many of these letters have been issued, and what information may have been collected with them. Even more disturbingly, [the report found] the FBI intentionally circumvented the law to gain access to records that weren’t even relevant to any authorized FBI investigation. But the information gathered by these methods is permanently retained.

The FBI collected huge quantities of information about thousands of people, misrepresented these facts to congress (another way of saying that is “lied to congress”), and most astonishingly, despite saying that NSLs were indispensable tools in their counterterrorism toolkit, “the FBI reported 153 criminal proceedings resulting from 143,074 NSL requests.” That means the expansive authority the FBI claimed was so vital to its work only produced actual prosecutions in .1% of cases— a number disturbingly close to zero. At the same time, an IG review of just 77 NSL cases found FBI violations in 22, or in 29% of cases examined. These numbers paint a bleak picture of the FBI’s activity, and make it clear why the Bureau has so misrepresented the truth about its use of NSLs to congress: The truth ain’t pretty.

Despite its terrible record, the FBI now wants congress to give it the power to demand even more information using NSLs. Among the types of records the FBI wants included in its NSL authority are the following, via the Open Technology Institute:

  • Account number

  • Login history: Reveals when and from where an Internet user signed into an online account.

  • Types of service (and means of payment): This could reveal:

    • An Internet user’s credit card and bank account information;
    • The types of services a person uses, such as social media accounts like on Facebook or online dating websites; email service providers, including those that provide added privacy and security features like end­-to­-end encryption; and entertainment and news services like Spotify, Netflix, and newspaper subscriptions.
  • IP Address or other network address, including temporarily assigned addresses: This could reveal:

    • Location information that can be traced back to an IP address, revealing where the Internet user is geographically, and information concerning all IP addresses on a network, subject to the requirements of the USA FREEDOM Act.
    • An Internet user’s identity when combined with other easily accessible information, and occasionally on
      their own.
  • Communication addressing, routing, or transmission information, including network address translation information: This could reveal:

    • An Internet user’s browsing history, including the specific pages they visit, and the name of the web host
      (ex. what articles someone reads on the Politico or New York Times websites, what medical conditions
      they research on WebMD, which items they shop for on Amazon.com or what they watch on Netflix);
    • The size of a web page, which can indicate whether it contains videos or photos;
    • The link an Internet user clicks in order to be redirected to another web page;
    • E­mail metadata: sender; receiver(s); time of email; subject line (DOJ currently considers this content but
      the amendment includes no limitation); size of e­mail; possibly the presence, size and type of attachments;
    • Location information concerning the recipient of a communication;
    • The network an Internet user is connecting from (ex. home, work, public, or at a business).
  • Session times and durations:This could reveal information like what time and how long an Internet userspends on an online dating website, or on a website providing medical advice or substance abuse support.

Whenever we find out detailed information about how the FBI has used its NSL authority, the transparency does not reflect well on the Bureau. Nonetheless, congress is poised to approve a dangerous expansion of the power to include all the records above. Perhaps our elected officials need to be reminded of the 2007 IG report finding that the FBI lied to congress and that, despite the FBI’s assurances, NSLs led to prosecutions in close to zero percent of cases?

FBI wants to be able to hack, remotely monitor, install malware on computers

Finally, the FBI is close to obtaining long sought after authority to obtain warrants enabling them to remotely monitor, hack into, or otherwise access information on computers anywhere in the world, even if there’s no reason to believe the person who owns the computer is engaged in criminal activity. Unless congress acts before December 1, 2016, Rule 41 of the Federal Rules of Criminal Procedure will allow judges to authorize warrants granting law enforcement the power “to use remote access to search electronic storage media and to seize electronically stored information located within or outside” the judge’s jurisdiction. This isn’t just a minor procedural matter, as the phrase “rule change” suggests—it would have far-reaching consequences for the future of digital security, anonymity, and privacy. The Stop Mass Hacking Act (SMH Act), bipartisan legislation proposed by Senators Ron Wyden and Rand Paul, would stop the rule change from going into effect. It’s critical that the bill pass before December 1, or else the FBI will have a brand new and fantastically dangerous new tool in its information-collection arsenal.

All three of these power grabs are happening as the FBI Director goes around the country telling the people and the press that his agents are obstructed by encryption technologies, and that congress should act to put a stop to strong digital security. Many of the issues implicated by the FBI and DOJ’s actions in these spaces are complex, and don’t lend themselves to soundbites or one line slogans. But it’s more important than ever that we pay close attention, and tell our elected officials what we think about these issues.

It only takes a small group of committed people to change the world, so don’t get disillusioned. Instead, spread the word about what you’ve read here, and tell congress how you feel about the FBI gaining all these new powers, largely in the dark and absent public debate.

© 2017 ACLU of Massachusetts.