In December 2023, US President Joe Biden signed the annual National Defense Authorization Act into law, after the bill had passed both the House and Senate. In addition to providing monetary and military support to Ukraine and Israel, the Act renewed the surveillance authority under Section 702 of the Foreign Intelligence Surveillance Act until April 2024.
FISA Section 702 allows US intelligence agencies to surveil the communication of non-US nationals without a warrant. If its authorisation had not been renewed, it would have expired at the end of 2023.
The law received bipartisan support, indicating a strong consensus in the American political establishment to allow the massive collection of the personal communications of internet users across the world.
The warrantless surveillance enabled by FISA Section 702 stands in contrast to requirements for the surveillance of US citizens and residents, for which law enforcement agencies need to prove “probable cause”, a reasonable suspicion that the person committed a crime, in a court of law.
However, US intelligence agencies like the Central Intelligence Agency and National Security Agency are empowered to collect and use electronic communications of non-US nationals directly when a “significant purpose” of the surveillance operation is to obtain “foreign intelligence information”.
The US intelligence community claims that FISA Section 702 is “indispensable to US national security” and has helped thwart attacks by terrorists and hostile state actors. However, by their own admission, US intelligence agencies also use FISA to advance goals unconnected to US national security, including to “advance US foreign policy priorities around the world”.
The vague standard to employ foreign surveillance under the provision has meant that FISA Section 702, in essence, authorises mass electronic surveillance of the entire world population, as US-based technology companies dominate the online communication market.
The official transparency statistics released by the US intelligence community state that in 2021, more than 230,000 people were the direct targets of such orders. In reality, the number of individuals affected is much larger. For example, if communications are collected from your email account, they not only reveal information about you, but potentially about the hundreds of people that you contacted or were contacted by.
Such “incidental” collection on American non-targets of FISA Section 702 is a topic of heated public debate in the US.
The Federal Bureau of Investigation regularly accesses this data and runs queries on it for domestic law enforcement purposes, potentially violating the right against unreasonable search and seizure guaranteed to US citizens and permanent residents by the Fourth Amendment of the country’s constitution. In fact, over three million US persons were surveilled by the Federal Bureau of Investigation in a single year using data collected under FISA Section 702.
Despite repeated requests from members of the US Congress and civil rights organisations, the US Intelligence Community has failed to produce even an estimate of the total number of US citizens and permanent residents and non-US nationals affected by incidental collection.
An estimation technique devised in 2022 by researchers at the Center for Information Technology Policy at Princeton University (including one of the authors) was included as a transparency measure in a recent reauthorisation bill introduced in the US Senate, but was omitted from the National Defense Authorization Act.
The fact that millions of US citizens and permanent residents were spied on in a single year by the Federal Bureau of Investigation because of data collected through this surveillance authority indicates the total number of affected persons across the world could be in the order of tens of millions.
This mass surveillance operation of the US is an issue that touches upon international politics and law. As legal scholar Arindrajit Basu argued, “the vulnerability and powerlessness of an individual whose data is being surveilled by humans or machines located in another territory is precisely the sort of scenario that the tenets of international law, in particular international human rights law, were designed to shield against.”
Indeed, the Human Rights Committee of the United Nations and the International Court of Justice have affirmed that the International Covenant on Economic, Social and Cultural Rights – which includes the right to privacy and right to freedom of expression – “is applicable in respect of acts done by a State in the exercise of its jurisdiction outside its own territory”.
Most states accept this position, except the US and Israel, which remain in an isolated minority. This stance partly explains American indifference to the rights of non-US persons. Nevertheless, international human rights can inform data protection laws to shield against mass surveillance of the world by the US.
For example, in July 2020, the Court of Justice of the European Unioninvalidated data transfers from the EU to the US, primarily because of the concerns around US surveillance laws. The European Union’s data protection regulations maintain that any transfer of personal data of EU citizens to any other jurisdiction is permissible only when that jurisdiction has safeguards equivalent to those in the EU.
This forced the US government to create a Data Protection Review Court to redress infringements of Europeans’ privacy by the US intelligence community. However, the composition and secretive nature of this court may not pass muster in European courts.
Or consider Brazil, which under the presidency of Dilma Rousseff and on the back of the whistleblower Edward Snowden’s revelations of US mass and targeted spying programmes, lambasted the US government at international platforms. This was possible because Brazil passed domestic privacy-protecting legislation with strong safeguards against state surveillance.
Unfortunately, India does not have either the European Union’s coherent legal framework or Brazil’s moral authority to justify similar actions, even though the number of internet users in India outnumber the combined populations of Brazil and the European Union.
Although the Digital Personal Data Protection Act empowers the Indian government to notify jurisdictions to which Indians’ personal data cannot be transferred, it fails to set any standard for such decisions.
Indian nationals are also not protected from mass surveillance by the Union government due to the absence of judicial review or procedural safeguards.
This effectively hinges the privacy of Indians on the Union government’s whims – both in the case of surveillance of Indians by foreign governments and by the Indian government itself. Perhaps those living in glass houses have realised that they should not throw stones.
Gurshabad Grover is a member of the Progressive International secretariat. Anunay Kulshrestha is a doctoral candidate at the Center for Information Technology Policy at Princeton University.