Virtru Security Insights

Join 10,000+ Security Professionals Who Receive Our Content Every Month

Section 215 of the Patriot Act Expires June 1. Here’s What That Means for Email Privacy

May 30, 2015

Section 215 of the Patriot Act, which dramatically expanded the government’s ability to collect data on ordinary citizens, will die on June 1 if Congress doesn’t reauthorize it. Is this the beginning of a new era for Internet and email privacy? Or will we spend the next few years continuing to debate whether United States citizens are entitled to privacy?

To answer those questions fully, it’s important to know what Section 215 does and doesn’t do, and where the nation stands on privacy. At this point, the public has been drilled with terms like “bulk data collection,” “mass surveillance,” “telephony metadata” and “going dark.” Despite the news coverage, plenty of people still have questions: can the government get my phone records or listen into my phone calls without a warrant? Can they read my private Facebook messages? Should I be concerned about my email privacy?

There’s a lot of information out there, but there’s also a lot of misinformation.  The bottom line is that whatever happens to section 215, you still need to worry about e-mail privacy.  Section 215 involves bulk collection of telephone and other records, not the content of e-mails, which the NSA, FBI and other government agencies get using different legal authorities.  But before diving into the law itself, let’s take a look at the recent attempts to keep it alive — as well as the forces fighting its extension.

A Tale of Two Kentucky Conservatives

When the Patriot Act was signed into law 14 years ago, it was a much different time. We had just suffered the deadliest terrorist attack on US soil, and were recoiling from a national sense of trauma and urgency. With the loss of over two thousand lives, privacy suddenly didn’t seem as pressing a priority as security and defense against terror.

This isn’t to say that the Patriot Act, specifically Section 215, wasn’t without its detractors at the time. But those dissenting voices have become louder, and have emerged in corners the US wouldn’t have expected years ago. Over Memorial Day weekend, the fate of Section 215 appeared as though it hinged, at least partially, on the outcome of a battle of wits between two members of both the same party and the same state: Senator Rand Paul (R-KY), an outspoken voice for the newer, more libertarian-leaning side of the Republican party, and Senate Majority Leader Mitch McConnell (R-KY), representing the more traditional faction of the GOP.

In a sense, their showdown was emblematic of the cultural paradigm shift facing the country at large.

At issue was a two-month extension of Section 215, put forth by McConnell after he successfully filibustered the USA Freedom Act last week. The Freedom Act would have extended the Patriot Act, including Section 215, but it would have replaced bulk phone metadata collection with a new process that would have left the data in the hands of telecommunications providers. While NSA bulk data collection under the Patriot Act concerns phone records today, until 2011, the NSA had engaged in a similar program involving e-mail and Internet data under a different provision of the Patriot Act.  The Freedom Act amends this provision as well.  The Freedom Act enjoyed wide support and has stirred up a national conversation about Internet, mobile and email privacy.

With the Freedom Act shot down, McConnell then led a weekend vote to extend the Patriot Act unchanged, first by months, then weeks, then eventually by a single day. At every turn, Senator Paul lobbied his dissent, using his own filibuster power and the hashtag #StandWithRand to give voice to those demanding more privacy and less surveillance.

None of those extensions — not even the whittled down one-day extension — made it through. Even if they had, the NSA’s bulk collection program was teetering anyway, since a US Court of Appeals had declared the program illegal. In any event, after June 1, Section 215 will expire, unless Congress acts by then.

And according to Internet and email privacy advocates like the EFF, ACLU and a growing percentage of the Internet-using population, that’s a good thing.

The National Outlook on Internet and Email Privacy

Okay, so public opinion on topics like email privacy and data encryption is actually a little complicated. When you talk about using email encryption to protect your personal digital privacy, you still run into conversations like, “But why worry about surveillance if you have nothing to hide?”

Judging by national surveys, that attitude isn’t an unpopular one: according to a recent Pew study, nearly half of respondents think that it’s perfectly okay for the government to monitor people using encryption software to protect their data and email privacy. Additionally, 47% of respondents said they were either “not very concerned” or “not at all concerned” about bulk surveillance. After all, Section 215 is ostensibly here to protect us from terrorism and other heinous crimes. If you’re not trawling the internet for information that will help you build weapons or rob a bank, you’re in the clear, right?

Well, then there’s the other half of respondents. A recent Reddit AMA with Jameel Jaffer of the ACLU and Edward Snowden showed no shortage of support for the pair’s efforts to get the word out about Section 215 and end bulk data collection. Another poll, this time conducted by the ACLU, showed that only 34% of respondents thought the Patriot Act should be renewed as it is currently written, and that concern about government surveillance is bipartisan: over half of both Republican and Democrat respondents favor modification of the Patriot Act, and 71% of independent voters want to see the law changed.

Those respondents have recently gotten a leg up from the US Circuit of Appeals. In early May, a second circuit panel comprising three federal judges ruled that mass surveillance under section 215 is unlawful, challenging the current state of bulk data collection from cell phone records, email messages, social media messages and more.

So while certain polls seem to paint a picture of an American public either ambivalent or divided about issues involving Internet, mobile and email privacy, there seems to be a growing movement to change Section 215 of the Patriot Act, whether that means letting it sunset quietly on June 1 or at least substantially alter it so that intelligence agencies don’t have what’s essentially a blank check for conducting mass surveillance.

But what, exactly, are these agencies allowed to do under the current law? To understand if and why Section 215 should expire, and what that would mean for mobile, Internet and email privacy, you need to take a closer look at the law — both how it was intended and how it’s been practiced.

What is Section 215 of the Patriot Act?

Section 215 is actually an amendment to Title V of the Foreign Intelligence Surveillance Act of 1978, or FISA. Section 215 strikes out three sections of FISA (501, 502 and 503) to replace them with newly revised provisions. With only 562 words, Section 215 isn’t a huge chunk of legislation, but its impact and implications are enormous. (You can read the full text of Section 215, as well as the complete Patriot Act, here.)

This controversial section of the Patriot Act gives the Director of the FBI, or “a designee of the Director,” the ability to order “the production of any tangible things” (this includes “books, records, papers, documents and other items,” according to the law) to aid in anti-terrorism or anti-espionage investigations, as long as those investigations aren’t based on “activities protected by the First Amendment.”

Under the letter of the law, there are a few limitations on this power: intelligence committees in both chambers of Congress must review all of these requests on a semiannual basis,” including the “total number of applications,” and “the total number… granted, modified, or denied.”

If you read through the full text of Section 215, a few conversation points seem conspicuously missing. There’s nothing in the actual wording that says anything about ordering huge batches of phone data from telecommunications providers and no mention of “mass surveillance.” Even before you get into batch data collection, many find it disquieting that the FBI director, or “designee[s] of the Director,” can order data pertaining to an individual based not on a search warrant but on a suspicion of terrorism or “clandestine intelligence activities.”

Of course, the idea that these “business records” may include metadata pertaining to your weekly phone calls to your mom is even more disconcerting. What makes it more confusing is that Section 215 isn’t really the whole story, even though it’s the story getting press right now.

The FISA Amendments Act of 2008

When it comes to amending FISA, Section 215 isn’t the only gig in town, which is why its expiration may not bring the Internet, mobile and email privacy revolution some of us may hope for. The broad surveillance the public associates with programs like PRISM actually have more to do with the FISA Amendments Act of 2008.

The stated purpose of the FISA Amendments Act of 2008 is to provide authority to intelligence agencies to monitor electronic communications outside of the United States, in case those communications may reveal information that can help catch terrorists or spies. It’s with the signoff from these FISA amendments that PRISM, the controversial surveillance program under which the government can collect data from companies like Verizon and Facebook, can operate. While PRISM only targets “non-US persons located outside the United States” directly, data pertaining to folks inside the US borders may be “incidentally acquired” (The Atlantic).

In other words, they’re casting their nets overseas, but domestic data might still be caught up in it. This is not an “oops” – in our increasingly connected world, it’s the inevitable result of a broad law that allows the government to monitor anyone outside the country.

Even if Section 215 expires come June, the FISA Amendments Act is sticking around until December 31, 2017, so don’t ditch your data and email encryption technology just yet. However, given the lack of congressional support for McConnell’s extensions on Section 215, we’re starting to see a shift in how lawmakers perceive the importance of mobile, Internet and email privacy. One of the most vocal spokespeople for this shift in thinking is also a candidate for the 2016 presidential elections, which speaks to how politically viable it is to defend privacy these days.

What Happens if Section 215 Expires?

First of all, it’s starting to look pretty likely that Section 215 will expire in June since, in the words of Senator Barbara A Mikulski (D-Maryland), “We don’t have it together to pass a new law.” Given a week of approving one bill, filibustering that bill, failing to override the filibuster, and then filibustering every subsequent extension offered by McConnell, legislators have been busy, though they haven’t been productive. Unless someone pulls a Hail Mary pass, Section 215 is likely to sunset in a few days.

Cool. So then what?

Actually, the change has already begun. Intelligence agencies have been winding down their bulk metadata collection efforts in advance of Section 215’s expiration. That means that the government will, ostensibly, stop collecting enormous quantities of US phone call data, including phone numbers and timestamps. It seems at this point, the public — not to mention lawmakers on both side of the aisle — have made their voices heard.

But while the most controversial applications of Section 215 will likely die with its expiration, we’re still not in the clear when it comes to mobile, Internet and email privacy. Section 215 was one leg holding up surveillance programs like PRISM, but the rest of the Patriot Act, as well as the FISA Amendments Act, still live on. Things may even get worse – we remain concerned that the government will pressure companies to provide “back doors” to user data, and crack down on warrant canaries?

While the expiration of Section 215 is significant, any change involving the way the government operates tends to be slow and gradual, and there are always ways around an obstacle. Remember that PRISM, enabled partially in 2008 by the FISA amendments, came just in time to replace the more controversial warrantless wiretapping going on in the early-to-mid 2000s.

With the infrastructure already in place to gather data on millions of phone call and email records, intelligence agencies still have the technological wherewithal to get the data they want, when they want it. Legislative boundaries can make it more difficult, but where there’s a will, there’s a way. It’s totally possible that in fifteen or twenty years’ time, we’ll have finally crossed the bridge over to being a more privacy-centric culture than a more hawkish, security-centric culture, but until that shift is complete, it’s important to stay proactive with your own Internet, mobile and email privacy practices.

For those concerned about national security, take heart. One thing that probably won’t happen as a result of Section 215’s expiration is a weakened defense against terrorists and other criminals. The FBI has even admitted that with the expansion of surveillance abilities under the Patriot Act, bulk collection didn’t result in “any major case developments.”

Encryption is Key Privacy

The expiration of Section 215 of the Patriot Act will definitely be a win for privacy advocates, but it’s not a hole-in-one. As we’ve seen from the debate over the USA Freedom Act and the attempted extensions of Section 215, there is still a strong contingent in the US in favor of a more proactive security policy, even if it means sacrificing privacy. If you want more mobile, Internet or email privacy, you’re going to have to be proactive about it, at least for the time being. That means using strong data and email encryption wherever possible.

Encryption offers some of the best protection not only for your data and email privacy, but also for your own security. With email encryption, you’re protecting your inbox against snooping eyes as well as hackers and cybercriminals. And with Virtru, you don’t need any special tech know-how or hours of free time to set up email encryption. You simply download the free browser extension, go to your inbox, and hit a switch. Instant protection.

The national conversation around data and email privacy is slowly shifting, and the expiration of Section 215 of the Patriot Act gives us reason to be optimistic. There’s no reason you should have to sacrifice your privacy just to use the technology that allows people all over the world to communicate with each other and do business. What we hope for is a future that is both private and secure by default. That requires a new way of thinking — one that prioritizes both privacy and convenience — and a new crop of applications, technologies and standards leading the way.

Ready to get proactive about your email privacy? Download Virtru today.

BEFORE YOU LEAVE

Stay Up to Date With the Latest in Digital Privacy

Subscribed! 

[if lte IE 8]
[if lte IE 8]

You're one step away from a personalized walkthrough.

Thank You for Your Interest

Which product are you interested in?

REQUEST A DEMO

REQUEST A DEMO

We'll reach out to schedule a time.