September 4, 2014
|Majority Leader Harry Reid |
Minority Leader Mitch McConnell
|Chairman Patrick J. Leahy |
Ranking Member Charles E. Grassley
U.S. Senate Committee on the Judiciary
|Chairman Dianne Feinstein |
Vice Chairman Saxby Chambliss
U.S. Senate Select Committee on Intelligence
| Chairman Thomas R. Carper |
Ranking Member Tom Coburn
U.S. Senate Committee on Homeland Security and Governmental Affairs
Dear Majority Leader Reid, Minority Leader McConnell, Chairmen Leahy, Feinstein, and Carper, Ranking Members Grassley and Coburn, and Vice Chairman Chambliss:
As Congress begins its next work session, the undersigned civil liberties, human rights, and other public interest organizations are writing to urge the Senate to quickly pass the USA FREEDOM Act (S. 2685) without adding new data retention requirements, and without further consideration of the gravely concerning Cybersecurity Information Sharing Act of 2014 (CISA, S. 2588).
On July 30, 2014, many of the undersigned groups sent a letter to Congressional leadership voicing a unified statement of support for the new version of the USA FREEDOM Act (S. 2685).[i] Though further reform will still be needed, it is an important first step to reining in the National Security Agency’s (NSA) overbroad surveillance authorities.
As that letter explained, S. 2685 in its current form would provide significant transparency and privacy safeguards while preserving the tools intelligence agencies need to protect national security. The bill would prohibit “bulk” and limit large-scale data collection under the USA PATRIOT Act Section 215, the FISA pen register authority, and National Security Letter authorities. The bill would also enhance public reporting of surveillance orders by the private sector and the government, and reform the FISA Court to provide more accountability and transparency, including by appointing a special panel of civil liberties and privacy advocates to the court. Additionally, this version of the USA FREEDOM Act would permit the new call detail records (CDRs) authority under Section 215 to be used only for counterterrorism purposes, and avoid implicitly codifying controversial “about searches” under Section 702 of the FISA Amendments Act that implicate the privacy of millions of Americans. Based on these important improvements, a wide range of major technology companies and public interest groups spanning the political spectrum is eager for Congress to pass this legislation swiftly and without weakening the bill.
However, as we made clear in both our July 30 letter and our previous letter of June 18,[ii] the broad consensus in support of the USA FREEDOM Act among companies and advocacy groups would be severely disrupted if any new mandatory data retention requirement were added to the bill. Data retention requirements pose significant threats not only to privacy and civil liberties but also to data security, as stories of data breaches at major corporations like Target, Neiman Marcus, UPS, and major banks demonstrate.[iii]
There is no evidence that such a mandate is necessary to protect national security. Rather, as Attorney General Eric Holder and Director of National Intelligence James Clapper made clear in a letter earlier this week,[iv] and as NSA Deputy Director Richard Ledgett testified before the Senate Select Committee on Intelligence in June, the NSA does not need a new data retention requirement to maintain its current level of effectiveness. At the same hearing, Verizon’s Vice President and Assistant General Counsel Michael Woods stated unequivocally that Verizon would strongly oppose a new data retention requirement because it would be burdensome to business and pose a significant threat to Americans’ data and privacy.[v] We agree, and reiterate our strong opposition to the inclusion of any such mandate in the USA FREEDOM Act, which we urge the Senate to pass without delay.
Ironically, just as Congress is struggling to pass meaningful surveillance reform to rein in the NSA, the Senate Select Committee on Intelligence has approved a problematic bill that would give the NSA even more access to Americans’ data: the Cybersecurity Information Sharing Act (S. 2588). Dozens of members of the advocacy community have joined in three coalition letters to the Senate and to the President opposing that bill, which would authorize companies to share with the Department of Homeland Security broadly defined “cyberthreat indicators” from the communications of their users and subscribers. That information would be immediately and automatically disseminated to the NSA and a host of other government agencies. The companies would not be required to affirmatively look for and remove personally identifiable information that is not relevant to the threat before the information is shared. Among other problems, CISA also authorizes companies to monitor their customers’ activities on their networks and employ a range of dangerous countermeasures that could affect innocent Internet users.[vi]
Despite the serious privacy problems with CISA, especially in comparison with the last, more privacy protective, cybersecurity information sharing bill considered by the Senate, the Cybersecurity Act of 2012 (S. 3414), its proponents are urging that the Senate take it up in the limited time that remains after this August recess. Instead, the Senate should make passing the USA FREEDOM Act (S. 26285) a key legislative priority for September. Passing effective and comprehensive surveillance reform is necessary not only to protect our privacy, but also to restore the trust of Internet users around the world who rely on, and are relied upon by, the U.S. Internet industry. The USA FREEDOM Act, as reintroduced last month, would substantially advance both of those goals, whereas CISA would undermine them.
We therefore urge the Senate to swiftly pass the USA FREEDOM Act (S. 2685) without any amendments that would weaken its protections or create any new data retention mandates, and without taking up the Cybersecurity Information Sharing Act (S. 2588) in its current form. The Senate cannot seriously consider controversial information-sharing legislation such as CISA without first completing the pressing unfinished business of passing meaningful surveillance reform.
Advocacy for Principled Action in Government
American Association of Law Libraries
American Booksellers Foundation for Free Expression
American Civil Liberties Union
American Library Association
Arab American Institute
Association of Research Libraries
Brennan Center for Justice
Campaign for Digital Fourth Amendment Rights
Center for Democracy & Technology
Competitive Enterprise Institute
The Constitution Project
Council on American Islamic Relations
Defending Dissent Foundation
Electronic Frontier Foundation
Freedom of the Press Foundation
Free Press Action Fund
Government Accountability Project
Honorable Bob Barr, Former Congressman
Human Rights Watch
National Coalition Against Censorship
New America’s Open Technology Institute
PEN American Center
Project on Government Oversight
Republican Liberty Caucus
The Rutherford Institute
[i] Letter from coalition to Senator Reid, et. al, concerning USA FREEDOM Act (S. 2685) (July 30, 2014) (on file with author), available at http://www.newamerica.net/sites/newamerica.net/files/program_pages/attachments/Coalition_Ltr_Supporting_S2685_USA_FREEDOM_Act_073014.pdf.
[ii] Letter from coalition to Senator Reid, et. al, concerning USA FREEDOM Act (H.R. 3361) (June 18, 2014) (on file with author), available at http://www.newamerica.net/sites/newamerica.net/files/program_pages/attachments/CoalitionLetterOnUSAFreedom.pdf.
[iii] Samantha Sharf, Target Shares Tumble As Retailer Reveals Cost Of Data Breach, Forbes, Aug. 5, 2014, http://www.forbes.com/sites/samanthasharf/2014/08/05/target-shares-tumble-as-retailer-reveals-cost-of-data-breach/; Elizabeth A. Harris, Nicole Perlroth, & Nathaniel Popper, Neiman Marcus Data Breach Worse Than First Said, NY Times, Jan. 23, 2014, http://www.nytimes.com/2014/01/24/business/neiman-marcus-breach-affected-1-1-million-cards.html; Laura Stevens, UPS Hit by Data Breach, Wall St. J., Aug. 20, 2014, http://online.wsj.com/articles/ups-warns-of-malware-intrusion-no-fraud-detected-1408567304; and Jordan Robertson * Michael Riley, JPMorgan, Four Other Banks Hit by Hackers: U.S. Official, Bloomberg, Aug. 27, 2014, http://www.bloomberg.com/news/2014-08-27/customer-data-said-at-risk-for-jpmorgan-and-4-more-banks.html.
[iv] Letter from Att’y Gen. Eric Holder and Dir. of Nat’l Intelligence James Clapper to Chairman Patrick Leahy, concerning the USA FREEDOM Act (S. 2685) (Sept. 2, 2014) (on file with author), available at https://d1ovv0c9tw0h0c.cloudfront.net/files/2014/09/2014-9-2-FISA-letter-from-AG-and-Clapper-to-Leahy-on-S.-2685-USA-Freedom....pdf.
[v] USA FREEDOM Act (H.R. 3361): Hearing Before the Senate Select Committee on Intelligence, 113th Cong. (June 2014), available at http://www.intelligence.senate.gov/hearings.cfm?hearingId=0cb5dc5497c5ffb2985cb30c4755265f.
[vi] Letter from coalition to Chairman Feinstein and Vice Chairman Chambliss, concerning Cybersecurity Information Sharing Act of 2014 (S. 2588) (June 26, 2014) (on file with author), available at https://cdt.org/insight/coalition-letter-states-opposition-to-cybersecurity-information-sharing-act/; Letter from coalition to Senator Reid, et. al, concerning Cybersecurity Information Sharing Act of 2014 (S. 2588) (June 26, 2014) (on file with author), available at https://www.aclu.org/sites/default/files/assets/6-26-14_--_cisa_sign-on_letter_final.pdf; and Letter from coalition to President Obama, concerning Cybersecurity Information Sharing Act of 2014 (S. 2588) (July 15, 2014) (on file with author), available at https://www.accessnow.org/page/-/Veto-CISA-Coalition-Ltr.pdf.