måndag, juni 10, 2013

Does FISA grant direct access to the servers of internet service providers?

A key question is whether FISA grants direct access to the servers of internet service providers. It is always difficult for legal scholars to analyse the law in foreign jurisdictions, in this case US law. I have for some time sought the provision in FISA which obligates communication service providers (CSPs) to grant NSA access to their fibre optic cables. In the Verizon court order disclosed by the Guardian there is a reference to 50 USC § 1861 but that provision concerns the production of tangible things such as records, but arguably not direct access to fibre optic cables or the entire network of a CSP. I believe that the relevant provision needs to be sought elsewhere in FISA.

In Sweden the relevant provision is to be found chapter 6 section 19(a) of the Electronic Communications Act (2003:389). It provides that the CSPs (such as TeliaSonera and Bahnhof) are under an obligation to transfer all cable communication crossing Swedish borders to certain “interaction points” (black boxes), which may include communication where the sender or receiver is in Sweden. See also section 4.3.1 in this article.
 

I thing that I have now found the relevant provision in FISA. It is 50 USC § 1881a (see also section 702 of the FISA Amendments Act)

(h) Directives and judicial review of directives
(1) Authority  
With respect to an acquisition authorized under subsection (a), the Attorney General and the Director of National Intelligence may direct, in writing, an electronic communication service provider to—
(A) immediately provide the Government with all information, facilities, or assistance necessary to accomplish the acquisition in a manner that will protect the secrecy of the acquisition and produce a minimum of interference with the services that such electronic communication service provider is providing to the target of the acquisition; and 
(B) maintain under security procedures approved by the Attorney General and the Director of National Intelligence any records concerning the acquisition or the aid furnished that such electronic communication service provider wishes to maintain.
See also the subsections on challenges to directives.
(4) Challenging of directives
(A) Authority to challenge  
An electronic communication service provider receiving a directive issued pursuant to paragraph (1) may file a petition to modify or set aside such directive with the Foreign Intelligence Surveillance Court, which shall have jurisdiction to review such petition. 
[...]
(5) Enforcement of directives
(A) Order to compel  
If an electronic communication service provider fails to comply with a directive issued pursuant to paragraph (1), the Attorney General may file a petition for an order to compel the electronic communication service provider to comply with the directive with the Foreign Intelligence Surveillance Court, which shall have jurisdiction to review such petition.
(B) Assignment  
The presiding judge of the Court shall assign a petition filed under subparagraph (A) to 1 of the judges serving in the pool established under section 1803 (e)(1) of this title not later than 24 hours after the filing of such petition.   
(C) Procedures for review  
A judge considering a petition filed under subparagraph (A) shall, not later than 30 days after being assigned such petition, issue an order requiring the electronic communication service provider to comply with the directive or any part of it, as issued or as modified, if the judge finds that the directive meets the requirements of this section and is otherwise lawful. The judge shall provide a written statement for the record of the reasons for a determination under this paragraph.
I believe that the interpretation of the term "electronic communication service provider" is crucial. Should it be interpreted narrow to only include CSPs such as Verizon and ATT (comparable with TeliaSonera and Bahnhof) or a more broad interpretation that also includes other internet service providers such as Google, Facebook, Microsoft and Skype? From the reaction of the latter companies and US Government it appears as the provision is interpreted narrowly. If this is true, the US Government would make a great favour to it self and this debate if it made the relevant court orders (and interpretation of such orders) public.  This is not only of interest to the American public, we have some Google, Facebook, Microsoft and Skype users in Sweden as well.

In comparison, I find the Swedish law more clear on this matter, it only concerns cables crossing Swedish borders, not servers of other internet service providers (Facebook has servers in Sweden, see this article).

I would be happy for any US scholars to correct any errors in this post on FISA.

Update 1. Marcus Jerräng pointed me to the fact that the US Director of National Intelligence (DNI) makes an explicit reference to section 702 of FISA in relation to the PRISM program which suggests a broad interpretation. At the same time the DNI is describing it in terms of "targeted acquisition". Is this a contradiction? The access can arguably be broad at the same time as the subsequent targeting of specific individuals (i.e. collection and storage of content data at the NSA) is narrow. That is how understand the operations of the FRA (the Swedish counterpart to the NSA).

Update 2. I have now found a blog post of Orin Kerr, professor at the George Washington University Law School, an expert on computer crime law and internet surveillance. He writes the following:
It sounds like the PRISM program is the way of implementing the statute [FISA Amendments Act of 2008], now codified at 50 U.S.C. 1881a
In other words, the PRISM program is legal.

Update 3. Here is a very interesting paper written by Joris Van Hoboken, Axel Arnbak and Nico Van Eijk, They also discuss the PRISM program in relation to FISA 50 USC 1881a (section 702).

1 kommentar:

Fredrik Sundgren sa...

AP has an interesting article about the PRISM program and NSA surveillance in general.