Proton

A closer look at US warrantless surveillance programs

Section 702 of the Foreign Intelligence Surveillance Act has become notorious as the legal justification allowing federal agencies like the NSA, CIA, and FBI to perform warrantless wiretaps, which sweep up the data of hundreds of thousands of US citizens each year.

In April 2024, US Congress passed the (новое окно)Reforming Intelligence and Securing America Act(новое окно), extending Section 702(новое окно) until 2026 and dramatically expanding(новое окно) the definition of communications service providers that can be compelled to facilitate surveillance. An amendment that would have required a warrant before conducting surveillance on Americans failed on a 212-212 tie vote(новое окно) in the House of Representatives and a 58-34 vote(новое окно) in the Senate.

Section 702 is just one way the US government can spy on people without a warrant. It’s important to understand how US surveillance laws work since so many tech giants (and the data they collect) are subject to US law. Its requirements shape the policies of Big Tech companies like Google, Apple, Meta, and Microsoft, and thus have an outsized impact on the internet.

This article examines some of the most important privacy legislation and law enforcement policies in the US and how they impact privacy online.

The FISA court
The Section 702 loophole
National security letters
US government spying via Big Tech
Buying personal information
Does this impact Proton?

The FISA court

Before we can talk about Section 702, we must explain FISA and the FISA court.

In 1978, Congress passed the Foreign Intelligence Surveillance Act(новое окно) (FISA), forbidding the CIA and NSA from operating within the US. It also created a special, secret court, known as the FISA court(новое окно) (or the Foreign Intelligence Surveillance Court or FISC), which reviews requests from the federal government to conduct electronic surveillance on suspected terrorists and spies within the US.

There are several issues with the FISA court. First, it operates in almost complete secrecy(новое окно), issuing sealed court orders to companies that pressure them to secretly disclose their users’ information, such as the content and metadata of their messages and emails, or face legal consequences. Companies that receive such an order cannot publicly acknowledge receiving it until six months have passed. And companies cannot share even redacted versions of the orders(новое окно) they receive. All this secrecy makes effective oversight difficult, if not impossible.

This secrecy also exacerbates the second issue, which is that critics claim the FISA court is little more than a rubber stamp(новое окно) for the government’s surveillance program. Given that its role is to prevent government overreach, you would expect the court to approach each request with skepticism. And yet, in 2022, it only rejected seven out of 354 requests. In 2021, it rejected four of 456 requests. You can see the full statistics in the table below.

YearApplicationsOrders grantedOrders modifiedOrders denied in partApplications denied
202235424987167
2021456318113204

The good news, relatively speaking, is that even though this appears to be mostly a rubber-stamping exercise, FISA requests have trended down over the past several years. Unfortunately, this might be because US government agencies like the FBI can much more easily weaponize Section 702 to spy on Americans.

The Section 702 warrantless wiretap loophole

In 2008, Congress passed the FISA Amendments Act(новое окно), which includes Section 702. While the FISA court has its issues, most FISA requests are at least considered individually by a judge. However, Section 702 requests, which are a type of FISA request, are simply approved in batches, meaning the federal agencies don’t need to present the case for specific requests(новое окно).

Section 702 gives the US government the ability to monitor foreign nationals located outside the United States without a warrant; however, a “backdoor” permits warrantless surveillance to be extended to people in the US as well. The NSA (or some other three-letter agency) can simply name a foreign national outside the US as the nominal target. If that person speaks with a US citizen or someone in the US, those communications are swept up as well, even though such collection would normally require specific approval from the FISA court.

Section 702 enables agencies like the NSA to perform warrantless wiretaps on hundreds of thousands of individuals each year. This data is then compiled into one massive, searchable database. Unlike FISA court requests, the number of Section 702 requests are massive, as seen below. (All tables below are based on the Director of National Intelligence’s 2023 Annual Statistical Transparency Report(новое окно).)

Section 702 targets

20152016201720182019202020212022
94,368106,469129,080164,770204,968202,723232,432246,073

Given the prevalence of Section 702 surveillance, this ends up illegally capturing the communications of thousands of US citizens each year. The FBI’s use of this database shows an agency using this database to conduct mass surveillance without a warrant. The FBI accessed millions of communication records of US citizens and people living in the US, including protesters(новое окно), political donors(новое окно), and even a member of US Congress(новое окно).

Number of US person query terms (phone numbers, email addresses, etc.) the FBI used on Section 702 data, including content data and metadata

Dec. 2019 – Nov. 2020Dec. 2020 – Nov. 2021Dec. 2021 – Nov. 2022
852,8942,964,643119,383

As this shows, Section 702 has essentially given the US government the legal ability to access any communications it wants. The government used Section 702 to establish PRISM(новое окно), one of the mass surveillance programs exposed by Snowden, and force companies like Yahoo! to participate(новое окно). It continues to use Section 702 to send legal requests to US-based tech companies (Google, Meta, Apple, etc.) to harvest their users’ data.

Unfortunately, despite the abuses, the US Congress has not only repeatedly reauthorized Section 702, but it has now given spy agencies even more power. Under the latest reauthorization, traditional communications providers like ISPs and email companies could still be forced to participate — in addition to anyone with physical access to a target’s communications infrastructure. That list could include landlords, restaurants that offer WiFi, hotels, and more. Every public router you’ve ever used could be turned into an NSA listening post.

National security letters are another warrantless wiretap tool

National security letters (NSLs) allow the FBI to request data without ever getting a warrant or submitting that request to judicial review. To pass the FBI’s internal standard to issue an NSL, an FBI agent just has to attest that the information it seeks is relevant to national security.

NSLs also include gag orders, preventing the companies that receive them from disclosing the request. Again, the secrecy surrounding NSLs makes oversight difficult and almost ensures overreach. The FBI only allows 7% of reviewed NSLs to be made public, continuing an unnecessary veil of secrecy that all but ensures their misuse. An FBI internal audit(новое окно) found over 1,000 violations where FBI agents received more information than they were legally allowed to. The FBI uses ambiguous language(новое окно) in their requests in an attempt to get companies to overshare rather than risk a protracted fight with the Bureau.

While less common than Section 702 requests, thousands of NSLs are sent to Big Tech companies each year.

US government conducts spying via Big Tech

In many ways, the US government has effectively outsourced its surveillance to Big Tech companies and data brokers. Because of the fact that Big Tech companies are all American companies, they are subject to all the US laws mentioned above. Combined with the fact that all Big Tech companies have large-scale data harvesting as a critical part of their business models, the US government has ready access to the largest mass surveillance system ever devised. You can see how much data the US government requests from Big Tech companies and the tools it uses to do so by looking at Big Tech transparency reports.

Google(новое окно), Meta(новое окно), and Apple(новое окно) have all broken out FISA requests and NSLs in their transparency reports. Because of the secrecy surrounding these tools, they can only give broad ranges of how many of each request the company received (they can only provide a range of how many accounts were affected and cannot disclose this information until at least six months after the request was received). For simplicity’s sake, the table below shows the absolute minimum number of accounts that have been affected by surveillance. While this is likely an undercount, it still represents a massive invasion of privacy.

Corporate-assisted surveillance in 2022

 FISA (non-content) requests FISA content requestsNSLs
Google50,000200,0003,000
MetaNA290,000500
Apple74,00068,0001,004
Non-content requests refer to metadata. Content requests refer to access to actual messages, emails, and other communications.

In some cases, these companies push back on government overreach, but unfortunately the US legal system doesn’t give these companies much of an option.

US agencies buy data to avoid seeking warrants

The proliferation of surveillance capitalism pioneered by Google and Facebook has also led to the rise of data brokers, which store and sell all kinds of sensitive personal information, including location data. This massive amount of data available for sale means US government agencies no longer need to obtain warrants for data, when they can simply just buy it. Departments that have been caught buying this information include the US Treasury(новое окно), NSA(новое окно), FBI(новое окно), Department of Homeland Security(новое окно), Immigration and Customs Enforcement(новое окно), and many others.

Much of this data would normally require a warrant to access under the Fourth Amendment, but data purchasing has become a billion dollar business that the federal government actively participates in. And because these data brokers compile their information from dozens of sources, they can be impossible to avoid.

Does this impact Proton?

Proton is based in Switzerland(новое окно), which has a long history of neutrality; is located outside of US, EU, and NATO jurisdictions; and is not a member of any binding intelligence-sharing agreements, such as the Five Eyes, Nine Eyes, or Fourteen Eyes agreements(новое окно) or NATO intelligence programs(новое окно). Proton’s Swiss domicile means we are not subject to any of the US laws mentioned above in this article.

We believe this neutrality is important in ensuring that all users on Proton are protected, irrespective of any geopolitical considerations. Proton’s use of end-to-end encryption(новое окно) also further ensures that Proton cannot be used to spy on behalf of governments, as we ourselves don’t have access to your data.

We have also been actively strengthening privacy protections of the Swiss laws that we are subject to. For example, in 2021, we won an important court case(новое окно) that ruled that email services aren’t telecom providers and thus aren’t subject to their data retention requirements. Proton VPN(новое окно) is similarly shielded from logging obligations and cannot be forced to log.

In the current legal environment, it’s impossible for a US service provider to offer meaningful privacy guarantees. Companies in neutral jurisdictions such as Switzerland will always be able to offer greater privacy than an American tech firm. 

But that doesn’t mean it’s not worth fighting for the right to privacy. If you live in the US, you should challenge your representatives and senators to block renewal of Section 702. As the latest reapproval battle has shown, people are now demanding an end to mass surveillance. Proton will continue to join their voices.

Статьи по теме

A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
en
  • Новости о продуктах
  • Proton Pass
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
en
  • Новости о конфиденциальности
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.
Infostealers: What they are, how they work, and how to protect yourself
en
  • Советы о конфиденциальности
Discover insights about what infostealers are, where your stolen information goes, and ways to protect yourself.
Mockup of the Proton Pass app and text that reads "Pass Lifetime: Pay once, access forever"
en
Learn more about our exclusive Pass + SimpleLogin Lifetime offer. Pay once and enjoy premium password manager features for life.
A cover image for a blog announcing that Pass Plus will now include premium SimpleLogin features
en
We're changing the price of new Pass Plus subscriptions, which now includes access to SimpleLogin premium features.
Infinity symbol in purple with the words "Call for submissions" and "Proton Lifetime Fundraiser 7th Edition"
en
It’s time to choose the organizations we should support for the 2024 edition of our annual charity fundraiser.