Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments occurring worldwide in cybersecurity, privacy, digital surveillance, and technology policy.
At 1,900 words, this briefing is about a 10-minute read.
At a Glance.
- US court rules that the FBI’s warrantless FISA searches violated Fourth Amendment.
- Growing politicization of the intelligence oversight board draws international concerns.
US court rules that the FBI’s warrantless FISA searches violated Fourth Amendment.
The News.
Last Tuesday, a court ruling was released to the public, stating that the FBI's use of the Foreign Intelligence Surveillance Act (FISA) Section 702 program violated constitutional rights. Presiding over the case, Judge DeArcy Hall ruled that “back door” searches violate the Fourth Amendment. In her opinion, Judge Hall rejected the government’s argument that it was allowed to view the resident’s emails through Section 702 and found that it was an unlawful search. Judge Hall wrote, “a search that relies on an initial warrant or an exception to the warrant requirements is limited by its original justification.” She continued, writing, “the court agrees that there is a ‘powerful’ public interest in allowing law enforcement to run queries for national security purposes - but public interest alone does not justify warrantless querying.”
Patrick Toomey, the deputy director of the American Civil Liberties Union’s (ACLU) National Security Project, commented on the ruling, stating: “As the court recognized, the [Federal Bureau of Investigation’s] rampant digital searches of Americans are an immense invasion of privacy, and trigger the bedrock protections of the Fourth Amendment. Section 702 is long overdue for reform by Congress, and this opinion shows why.”
This ruling was related to a 2011 court case, the United States (US) vs Hasbajrami. In this case, Hasbajrami was arrested before boarding a flight to Turkey because federal prosecutors stated he was aiming to travel to Pakistan “to join a terrorist organization, receive training, and ultimately fight against US forces and others in Afghanistan and Pakistan.” After arresting Hasbajrami, federal authorities used evidence acquired through FISA Section 702 to secure their conviction. However, after the conviction, the Justice Department disclosed that “some of the evidence it had previously disclosed from FISA surveillance was itself the fruit of earlier information obtained without a warrant pursuant to Section 702 of the FISA Amendments Act.”
The Knowledge.
Since its passage in 2008, FISA’s Section 702 has been one of the strongest and most controversial tools the intelligence community has used to collect, analyze, and share information related to national security threats. More specifically, Section 702 enables federal authorities to target non-United States persons who are reasonably believed to be located outside the US and gather intelligence on them and their communications if they are suspected to be a potential threat to national security. However, despite Section 702 requiring an oversight process and other major restrictions, these powers have faced substantial criticism from privacy advocates.
Critics of Section 702 have routinely argued that this power enables the US government to engage in mass and warrantless surveillance of both Americans and foreign persons. With these powers, critics say, the intelligence community can listen in on phone calls and access text messages, emails, and other electronic communications. Furthermore, these critics have emphasized that this collected information can all be obtained without a warrant and be used to prosecute people. Despite the heavy criticism associated with Section 702, the Section was not only reauthorized but also greatly expanded in early 2024 under the Biden administration. The reauthorization also enabled law enforcement to vastly expand the number of businesses and the number of individuals that can be spied on. Most impactful was a new provision that expanded the types of carriers whose assistance the government could compel to carry out surveillance. In this new provision, the bill defined these new providers as “any other service provider who has access to equipment that is being or may be used to transmit or store wire or electronic communications.” While the bill did make some exemptions for establishments like restaurants, hotels, and libraries, these new provisions greatly expanded the government’s ability to collect domestic communications.
The Impact.
With the courts having formally ruled that Section 702 is unconstitutional, the Trump administration will likely attempt to appeal the decision. Given the immense powers that Section 702 provides federal authorities and its recent reauthorization, this appeal will likely be a top priority for the Justice Department to pursue throughout early 2025 and has the potential to be a key Supreme Court case.
For privacy advocates, this ruling represents a substantial victory that will significantly impact what US intelligence officers can access and utilize when pursuing legal actions. On the other hand, it represents a major step back for the intelligence community and for prosecutors, who will undoubtedly have a significantly harder time gathering evidence and pursuing cases with the powers granted by Section 702.
Growing politicization of the intelligence oversight board draws international concerns.
The News.
Last week, President Trump ordered all of the Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB) to resign. The Democratic members asked to resign include Chair Sharon Bradford Franklin, Edward W. Felten, and Travis LeBlanc. Since the board requires three members to operate, it will cease to function until the Senate confirms two other members to join Beth Williams, its current sole member.
With the resignations of all but one of the members of the PCLOB, concerns have been raised regarding how this dramatic reduction could impact the Trans-Atlantic Data Privacy Framework (TDPF). Silvia Lorenzo Perez, the European Union’s (EU) program director for security, surveillance, and human rights at the Center for Democracy and Technology, commented on the criticality of PCLOB. Perez stated that the TDPF “hinges on the PCLOB’s independence and operational capacity.” Perez continued by stating that “if the PCLOB is weakened or rendered non-functional, it undermines trust in the TDPF and the adequacy of protections for EU citizens’ data transferred to the US.”
For context, this agreement was established in 2022 and created the following key principles:
- Allowing data to flow freely and safely between the EU and participating US companies.
- Creating a new set of rules and safeguards to limit access to data to only what is necessary and proportionate to protect national security.
- Creating a new two-tiered redress system to investigate and resolve European complaints about US intelligence authorities accessing data. This principle also mandates the creation of a Data Protection Review Court.
- The establishment of strong obligations for companies processing data from the EU which mandate them to self-certify their adherence to the Principles through the US Department of Commerce.
- Explicit requirements related to establishing monitoring and reviewing requirements.
The Knowledge.
Given the sudden dismantling of PCLOB, the future of the board and subsequently the TDPF remains uncertain. Since President Trump has not made any explicit comments about this board or this framework, it is unclear if this reduction is a permanent one or a situation where his administration intends to replace the former members with those more aligned with his policy stances. Nonetheless, this move does bring serious concerns regarding businesses working across both regions as the TDPF has been instrumental to international dealings.
Apart from forcing the majority of PCLOB to resign, the Trump administration has targeted many agency advisory boards and committees. These efforts have resulted in multiple boards having all of their members terminated including some high-profile groups, such as the advisory board that was investigating the Chinese hack of the US telecommunications industry. With these widespread terminations, a Department of Homeland Security official stated that “effective immediately, the Department of Homeland Security will no longer tolerate any advisory committee which push agendas that attempt to undermine its national security mission, the President’s agenda, or Constitutional rights of Americans.” Given how abrupt many of these resignations were, it is unclear how the Trump administration plans to address the many responsibilities these boards managed.
The Impact.
With the dismantling of PCLOB, the future of the TDPF is uncertain at best, and its dissolution has the potential to significantly impact US companies operating in the EU. Given that the EU has explicitly emphasized the importance of both the PCLOB and TDPF, it would be surprising if the framework remained intact given the significant changes in US leadership. If the framework were to be dissolved, the event could have substantial ramifications for US companies and the cost of doing business in the EU.
Companies that are actively transferring covered data from the EU to the US should evaluate the potential impacts if the TDPF were to be dissolved. Additionally, EU citizens should be prepared for US-based companies that transfer covered data to potentially pull their services from the EU if the agreement is dissolved.
Highlighting Key Conversations.
In this week’s Caveat Podcast, our team met with Max Shier, Optiv’s CISO, to discuss the newly released CMMC 2.0. For context, the CMMC, or the Cybersecurity Maturity Model Certification, is a Department of Defense program aimed at helping ensure compliance and standardize cybersecurity requirements. Our team discussed how the revised version improves upon the original model and how people can maintain compliance as the program kicks off in 2025.
Additionally, as this week is Data Privacy Week, this time serves as a great reminder of the responsibilities that data collectors have to protect their customers’ collected data. Here are the four key areas that companies can and should prioritize immediately:
- Transparency. Companies should maintain transparency around AI use, data collection, data processing, and sharing activities.
- Choice. Companies should offer individuals choices about how their data is processed and used for marketing purposes.
- Control. Companies should offer users control over their data by offering a tailored experience that allows them to adjust their data-sharing preferences.
- Education. Companies should ensure that their employees can recognize what personal data is and the obligations they have when storing, accessing, and processing that data.
Like what you read and curious about the conversation? Head over to the Caveat Podcast for the full scoop and additional compelling insights. Our Caveat Podcast is a weekly show where we discuss topics related to surveillance, digital privacy, cybersecurity law, and policy. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
Other Noteworthy Stories.
Trump signs new AI-related Executive Order.
What: Trump signed a new Executive Order (EO) mandating the creation of an artificial intelligence (AI) action plan.
Why: On Thursday, President Trump signed a new executive order (EO) that he hopes will “make America the capital in [AI].” Now signed, this order creates a 180-day deadline for creating an action plan that will “sustain and enhance America’s global AI dominance in order to promote human flourishing, economic competitiveness, and national security.”
Aside from this new order, reports have also emerged that the new administration plans to continue removing the policies and regulations that former President Biden created.
Perplexity AI submits an updated proposal to merge with TikTok.
What: Perplexity AI proposed a merger deal with TikTok that would allow the US government to take a fifty percent stake in the new company.
Why: On Monday, Perplexity AI proposed a merger with the social media platform TikTok that would form a new company and allow the US government to maintain a substantial stake in the company once public. However, with its stake, the government would not have any voting power or a seat on the board. Perplexity now joins several other bidders to purchase the company, including Elon Musk, Larry Ellison, and Jesse Tinsley.
Most notably, this proposed merger would not include TikTok’s algorithm.