@h3h
Last active August 29, 2015 14:11
HR 4681 Section 309

TL;DR

Congress (House & Senate) just passed (amidst the release of the torture report and the Gruber hearing) an amendment to the annual intelligence agencies’ budget bill (HR 4681, Section 309) that makes it legal to:

  • Collect all electronic communications from everyone in the world
  • Store all of that data for at least 5 years
  • Store the data indefinitely if it’s encrypted or evidence of a crime (presumably until a supercomputer can break the encryption, assuming that hadn’t happened within 5 years)
  • Disseminate the data (presumably at the intelligence agencies’ own discretion, e.g. to your local police or the DEA)

So everything that Edward Snowden exposed about the NSA and other agencies secretly collecting Americans’ own communications is now (pending the President’s signature) completely legal.

Paragraph-by-Paragraph Translation

SEC 309. PROCEDURES FOR THE RETENTION OF INCIDENTALLY ACQUIRED COMMUNICATIONS

(a) DEFINITIONS.—In this section:

COVERED COMMUNICATION.—The term “covered communication” means any nonpublic telephone or electronic communication acquired without the consent of a person who is a party to the communication, including communications in electronic storage.

“Covered communication” means all phone and electronic communications, no matter whether captured in transit or from storage.

(b) PROCEDURES FOR COVERED COMMUNICATIONS.

(1) REQUIREMENT TO ADOPT.—Not later than 2 years after the date of the enactment of this Act each head of an element of the intelligence community shall adopt procedures approved by the Attorney General for such element that ensure compliance with the requirements of paragraph (3).

All intelligence agencies must adopt these new requirements within 2 years after approval of the Attorney General.

[…]

(3) PROCEDURES.— (A) APPLICATION.—The procedures required by paragraph (1) shall apply to any intelligence collection activity not otherwise authorized by court order […], subpoena, or similar legal process that is reasonably anticipated to result in the acquisition of a covered communication to or from a United States person and shall permit the acquisition, retention, and dissemination of covered communications subject to the limitations in subparagraph (B).

This new law applies to collection of data that is not already covered by a court order, subpoena, etc. In other words: all electronic communications that intelligence agencies were not yet legally permitted to collect.

Intelligence agencies are now permitted to acquire, retain and disseminate all of those (newly legal) collected communications, but they must delete them after 5 years unless otherwise noted in subparagraph (B).

(B) LIMITATION ON RETENTION.—A covered communication shall not be retained in excess of 5 years, unless—

All covered communications can be retained for at least 5 years.

Intelligence agencies can retain covered communications for more than 5 years if:

(i) the communication has been affirmatively determined, in whole or in part, to constitute foreign intelligence or counterintelligence or is necessary to understand or assess foreign intelligence or counterintelligence;

The communication is “foreign intelligence” or “counterintelligence”.

(ii) the communication is reasonably believed to constitute evidence of a crime and is retained by a law enforcement agency;

The communication is evidence of a crime and is retained by a law enforcement agency.

(iii) the communication is enciphered or reasonably believed to have a secret meaning;

The communication is encrypted. At all.

This means every single iMessage, all web purchases, every single web page loaded over HTTPS, any OTR chats, bank transactions or purchase histories. All of it can be retained indefinitely because it is encrypted.

(iv) all parties to the communication are reasonably believed to be non-United States persons;

Everyone involved in the communication is not American.

This isn’t much of a change from the status quo, but it’s in black and white now in case anyone doubted: if you are not American and your cleartext communications fall into the hands of US intelligence at any point for any reason, they can be retained indefinitely.

(v) retention is necessary to protect against an imminent threat to human life, in which case both the nature of the threat and the information to be retained shall be reported to the congressional intelligence committees not later than 30 days after the date such retention is extended under this clause;

The communication could protect someone’s life, in which case there’s strangely more oversight than usual, requiring the retention extension to be cleared with the intelligence committee in Congress.

(vi) retention is necessary for technical assurance or compliance purposes, including a court order or discovery obligation, in which case access to information retained for technical assurance or compliance purposes shall be reported to the congressional intelligence committees on an annual basis;

Retention is necessary for technical or compliance reasons.

or (vii) retention for a period in excess of 5 years is approved by the head of the element of the intelligence community responsible for such retention, based on a determination that retention is necessary to protect the national security of the United States, in which case the head of such element shall provide to the congressional intelligence committees a written certification describing—[…]

Retention is deemed necessary by the head of the intelligence agency and they notify the intelligence committee in Congress describing why it needs to be retained for national security, for how long, what’s being retained and “the measures the element of the intelligence community is taking to protect the privacy interests of United States persons”.

As if it would matter at all after 5 years.


h3h commented Dec 12, 2014

Please poke holes in this. I’m trying to figure out how I’ve misread this and am wrong about its implications.
