Portal de Periódicos da CAPES

Section 702 and the Collection of International Telephone and Internet Content

2015; Wiley; Volume: 38; Issue: 1 Linguagem: Inglês

0193-4872

Laura K. Donohue,

Legal Rights and Human Rights

C. Retention and Dissemination of Data One of the most concerning issues that arises in regard to the retention and dissemination of data obtained under Section 702 is that the NSA may indefinitely retain encrypted communications. In light of increasing public and private use of encryption, the exception may soon swallow the rule, resulting in fewer protections individual and consumer privacy. In addition, the NSA's minimization procedures allow incidental information to be kept, analyzed, and distributed if found relevant to the authorized purpose of the acquisition under one of two conditions: first, as containing foreign intelligence information, and, second, as containing evidence of a crime. (322) The former is anchored in traditional FISA and critical U.S. national security. The latter is similarly consistent with traditional FISA; however, lacking the same procedural protections that attend searches under Titles I and II of the statute, use of information obtained under Section 702 criminal prosecution raises important constitutional questions. 1. Retention of Encrypted Communications For domestic communications, the NSA retains information that contains technical data base information and data necessary to assess communications security vulnerabilities. (323) The minimization procedures explain that in the context of cryptanalytics, maintenance of technical data bases requires retention of all communications that are enciphered or reasonably believed to contain secret meaning. (324) Unlike unencrypted communications, which are retained five years from the date of the certification authorizing the collection (unless the NSA decides otherwise), encrypted communications may be retained any period of time during which encrypted material is subject to, or of use in, (325) For foreign communications of or concerning U.S. persons, the NSA retains encrypted material for a period sufficient to allow a thorough exploitation and to permit access to data that are, or are reasonably believed likely to become, relevant to a current or future foreign intelligence requirement. (326) There is no limit on the amount of time that encrypted information may be kept, as long as it continues to be subject to, or of use in, cryptanalysis. (327) The logic behind the default is that the government should not be forced to purge data merely because it does not hold the key or has been unable to break the code. Considering the likelihood that bad actors may try to use encryption to hide the contents of their communications, the intelligence community does not want to put itself at a disadvantage. The problem is that it is not just bad actors who encipher messages. U.S. citizens and private industry are increasingly using encryption to try to protect their materials and communications. Windows, instance, has an Encrypting File System that can be used to store information in an encrypted format. Systems like Pretty Good Privacy (PGP) can be set up and installed using a Firefox plugin, making it easy to encrypt e-mail. In March 2014, Google announced that it is now using https encrypted communications whenever users log in to Gmail, regardless of which Internet connection they are using. (328) Nicolas Lidzborski, Gmail's Security Engineering Lead explained: Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail's servers--no matter if you're using public WiFi or logging in from your computer, phone or tablet. In addition, every single email message you send or receive--100% of them--is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers--something we made a top priority after last summer's revelations. (329) The irony of Google's actions in light of the NSA's retention policies is hard to miss: in part because the NSA was intercepting Gmail and reading it (at which point the agency was required under minimization procedures to eliminate irrelevant information), the company now encrypts all communications, with the result that the NSA can still collect Gmail, but it can now keep it indefinitely, simply because it is encrypted at the front end. …