A hidden dispute over whether a data center for cloud computing must cooperate with a warrantless surveillance program prompted the House last week to add a mysterious provision to a bill extending the program, according to people familiar with the matter.
The disclosure helps clarify the intent behind an amendment that has alarmed privacy advocates as Senate leaders try to swiftly pass the bill, which would add two more years to a wiretapping law known as Section 702. The provision would add to the types of service providers that could be compelled to participate in the program, but it is written in enigmatic terms that make it hard to understand what it is supposed to permit.
Data centers are centralized warehouses of computer servers that can be accessed over the internet from anywhere in the world. In the cloud computing era, they are increasingly operated by third parties that rent out the storage space and computing power that make other companies’ online services work.
Even as national security officials described the provision as a narrow fix to a technical issue, they have declined to explain a classified court ruling from 2022 to which the provision is a response, citing the risk of tipping off foreign adversaries. Privacy advocates, for their part, have portrayed the amendment as dangerous, so broadly worded that it could be used to draft ordinary service people — like cable installers, janitors or plumbers who can gain physical access to office computer equipment — to act as spies.
Under Section 702, the government may collect, without a warrant and from U.S. companies like Google and AT&T, the communications of foreigners abroad who have been targeted for intelligence or counterterrorism purposes — even when they are communicating with Americans. Enacted in 2008, it legalized a form of the warrantless surveillance program President George W. Bush began after the terrorist attacks of Sept. 11, 2001.
Specifically, after the court that oversees national security surveillance approves the government’s annual requests seeking to renew the program and setting rules for it, the administration sends directives to “electronic communications service providers” that require them to participate. If any such entity balks, the court decides whether it must cooperate.
Last August, the government partly declassified court rulings centered on the dispute. The surveillance court in 2022, and an appeals court panel a year later, sided with an unidentified company that had objected to being compelled to participate in the program because it believed one of its services did not fit the necessary criteria.
The details were redacted. But according to the people familiar with the matter, who spoke on the condition of anonymity to discuss a sensitive matter, the judges found that a data center service does not fit the legal definition of an “electronic communications service provider” because it does not itself give its users the ability to send or receive electronic messages.
Unredacted portions in both rulings suggested that Congress update the definition if the interpretation was a problem. “If the government believes that the scope of Section 702 directives should be broadened as a matter of national security policy, its recourse is with Congress,” wrote Judge Rudolph Contreras, then the presiding judge of the surveillance court.
And the appellate panel noted that the definition invoked in Section 702 traces back to a law Congress wrote in 1986, meaning that it was “premised on internet architecture now almost 40 years old.” They added, “Any unintended gap in coverage revealed by our interpretation is, of course, open to reconsideration by the branches of government whose competence and constitutional authority extend to statutory revision.”
In an interview, Matthew G. Olsen, the head of the Justice Department’s national security division, said the push for the provision was being driven by a way that communications technology had evolved since Congress wrote Section 702 in 2008. But he declined to address whether the rise of data centers was the specific catalyst.
“Over the past 15 years, there has been a shift from reliance on only a handful of major backbone internet providers,” he said. “As technology changes, we have to go back to the fundamental purpose of 702, which is about foreign adversaries who are using U.S. infrastructure.”
Mr. Olsen also stressed that the law only permits targeting the communications of foreigners abroad and that its use is subject to oversight by all three branches.
Privacy advocates have put forward a far more disturbing interpretation of what the provision might do. In recent days, for example, the office of a leading privacy-minded senator, Ron Wyden, Democrat of Oregon, has circulated a warning that the provision could be used to conscript someone with access to a journalist’s laptop to extract communications between that journalist and a hypothetical foreign source who was targeted for intelligence.
“Even if a law is pitched as addressing a specific situation, history shows that intelligence agencies will use every inch of authority Congress provides to spy on Americans,” Mr. Wyden said in a statement, calling the provision “a breathtaking expansion of Section 702, which should terrify anyone who cares about Americans’ rights.”
A co-sponsor of the provision, Representative Jim Himes of Connecticut, the ranking Democrat on the House Intelligence Committee, expressed frustration about such worries.
“The privacy groups — and I admire their commitment to civil liberties — but they have been suggesting that this is bringing back the Stasi,” he said in an interview. “What they are doing is massive exaggerating here, as they have done throughout the whole reauthorization process to try to generate fear.”
As lawmakers debated whether to renew Section 702, Mr. Himes and his co-sponsor, his Republican counterpart, Representative Michael R. Turner of Ohio, put forward an amendment to expand the definition of who could receive a directive. Under their changes, it would also encompass “any other service provider who has access to equipment that is being or may be used to transmit or store wire or electronic communications.”
Private advocates expressed dismay, saying that by its plain text, the amendment could be used to force companies that offer wireless internet service to customers — like coffee shops and hotels — to tap those networks for warrantless surveillance, scooping up Americans’ messages to and from foreign targets.
Mr. Turner and Mr. Himes ultimately narrowed the amendment, adding a series of carve-outs. Those include restricting directives toward entities that primarily serve as dwellings, community facilities, food service establishments or other public accommodations.
The amendment passed, 236 to 186.
Still, as the bill heads to the Senate, privacy advocates have warned that the wording remains unacceptably broad. Sean Vitka, policy director for the civil liberties group Demand Progress, said that even if the Biden administration did not intend to use the provision so expansively, there was no guarantee that a future administration would agree.
“This change can be used to turn innumerable scores of Americans into secret government spies, posing a severe threat to hundreds of thousands of big and small businesses and their many millions of customers, clients and users,” he said.
In theory, the Senate could further narrow the language to exclude the most alarming scenarios being floated by critics of the provision. In that case, however, the bill would have to go back to the House, and given the legislative calendar, there may be little time for that step.
Although Section 702 is written in a way that would allow the program to continue operating until early April 2025 even if the statute expires on Friday, Senate leaders appear determined to prevent any lapse in the law.
Source Agencies