Critics have long argued that the government has wide latitude to conduct surveillance under broad approvals from the Foreign Intelligence Surveillance Court.
The US government does not need the approval of its secret surveillance court to ask a tech company to build an encryption backdoor.
The government made its remarks in July in response to questions posed by Sen. Ron Wyden (D-OR), but they were only made public this weekend.
The implication is that the government can use its legal authority to secretly ask a US-based company for technical assistance, such as building an encryption backdoor into a product, but can petition the Foreign Intelligence Surveillance Court (FISC) to compel the company if it refuses.
In its answers, the government said it has “not to date” needed to ask the FISC to issue an order to compel a company to backdoor or weaken its encryption.
The government would not say, however, if it’s ever asked a company to add an encryption backdoor.
A spokesperson for the Director of National Intelligence declined to comment.
The government relies on section 702 of the Foreign Intelligence Surveillance Act to carry out the bulk of its intelligence gathering and surveillance operations. Section 702 has long been seen as the “crown jewels” of the intelligence community’s legal powers. Under one application of the powers, the government appears to assert the authority to demand a tech company deliberately bypasses the encryption on one of its products. Last year, the FBI sought a court order — albeit under a different legal statute — to force Apple to alter the software on a dead terrorist’s iPhone to decrypt its data.
Critics have long argued that the government has wide latitude to conduct surveillance under broad approvals from the FISC.
Marcy Wheeler, a national security blogger, explained in a blog post last month that the FISC can approve an annual certification affirming that the government requires assistance from a US tech company, but it doesn’t require a description of what specific assistance is needed. That gives the government a wide range of powers to issue directives without any further approval or review from the FISC to collect intelligence.
A declassified but highly redacted FISC opinion from 2006 states that a directive must be signed off by both the attorney general and the director of national intelligence.
The admission comes just a few weeks before the controversial section 702 powers are set to expire. Congress has until December 31 to pass a new surveillance law, or the intelligence community risks losing its powers at the end of the annual certification cycle.
Several reform and reauthorization bills are under consideration by lawmakers.
Wyden, who sits on the Senate Intelligence Committee, last month opposed the committee’s own proposed bill, arguing that it “leaves in place current statutory authority to compel companies to provide assistance, potentially opening the door to government mandated de-encryption without [FISC] oversight.”
Wyden’s own bipartisan bill, supported by committee colleague Rand Paul (R-KY), would require the government to obtain approval from the FISC for each request for assistance.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.