In April, the U.S. Congress officially reauthorized and expanded Section 702 of the Foreign Intelligence Surveillance Act, the controversial law that allows intelligence agencies to spy on Americans’ communications without a warrant.
Harlo Holmes, David Huerta, Martin Shelton, and Davis Erin Anderson of the Digital Security Team at Freedom of the Press Foundation (FPF) sat down with FPF's Director of Advocacy Seth Stern to discuss the ramifications for journalists of the expansion of digital surveillance.
This is part two of our series of conversations about journalism, digital security, and the 2024 US election. Read part one here.
Davis Erin Anderson, senior digital security trainer: Wired recently published a piece called “How Donald Trump could weaponize US surveillance in a second term.” Is this an issue that we're mainly focused on regarding one candidate? Or should we expect some trouble ahead no matter what?
Seth Stern, director of advocacy: I think we should expect trouble ahead no matter what — it's just that the trouble in the event of a Trump win is a bit less predictable. And the reason for that, strangely enough, is that in a second Trump term, Trump would be empowered by certain actions taken by the Biden/Harris administration and this Congress that will make it easier than perhaps it was in the first Trump term to surveil and otherwise retaliate against journalists.
In, for example, the Reforming Intelligence and Securing America Act, or RISAA, the expansion of Section 702 of the Foreign Intelligence Surveillance Act, or FISA, and some others, you've got these pieces of legislation, these regulations, these court decisions, that you might think — if you want to give the Biden/Harris administration the benefit of the doubt — they intend at least to exercise these powers responsibly. It's difficult to give the Trump administration that benefit of the doubt, given current rhetoric about reporters, and also what Trump has promised to do if given a second term.
Harlo Holmes, chief information security officer and director of digital security: Historically, while we know that RISAA has to be reauthorized, underneath these laws are a number of individual technologies and tactics that are allowed and available to law enforcement under these provisions. These sorts of things often evolve in secret. And all we really see people voting on is whether or not those things can be used. Do you have any insight as to what we are actually watching people vote on when reauthorization happens again?
Stern: Reauthorization, I believe, is going to be up in two years. I don't know what new technologies might exist in two years that would enable more effective surveillance. But, as you say, the way the law is drafted is extremely broad. RISAA would allow any service provider to be essentially conscripted to conduct surveillance on behalf of the government.
When commentators and even members of Congress make statements on what that might mean, all they can do is speculate. Ron Wyden floated the possibility that a cleaning crew in an office building could be asked to implant a thumb drive in an office belonging to whatever tenant of the building that employs them. That's a basic illustration of how this type of surveillance could operate.
What concerns me is that there is no limitation to what could be utilized going forward. There have been promises by the bill sponsors to recognize that the reauthorization language is overbroad and subject to abuse. The promises to rein it in focus on who the legitimate targets might be — something narrower than any service provider. But nobody has suggested any technological parameters in terms of how this sort of surveillance could be conducted.
Holmes: In addition to these legal means of data collection, the Wired article doesn't go into too much detail about advertising-enabled intelligence, or ADINT. There is nothing on the books right now that prevents law enforcement from purchasing ad data about a particular target on the open market to gain information about their whereabouts, their interests, and their use of social media. Currently, the United States does not have any kind of guide rails on the operations of these data brokers. The advertising industry, which is very much embedded within the large platforms such as Google and Meta, et cetera, makes this information widely available and purchasable to anyone with a legitimate account.
Stern: The kind of data you're talking about can be used, for example, to determine where journalists were, where their sources were, and confirm the likelihood that those two individuals might have talked either virtually or physically in the same place at the same time. Law enforcement is not going to be able to obtain the substance of communications, but they can confirm who's talking to whom, potentially — and that might lead to that might enable further surveillance. My concern is that this enables an investigative step that can later allow the government to direct subpoenas to relevant parties.
Anderson: Speaking of surveillance tools, what technical capacities are available today that make the prospect covered in the Wired piece more urgent?
Dr. Martin Shelton, principal researcher: When purchasing ADINT, governments around the world don’t necessarily go through a standard legal process to get ahold of, say, your emails or any phone call data that they might otherwise need a warrant in order to obtain. FISA also sidesteps a lot of our standard warrant process, where the FBI is essentially making backdoor searches by claiming to target foreign targets and then, incidentally, getting access to Americans' information. That can include the contents of some of those phone calls, emails, and so on. And that's just the traditional types of communications, to say nothing of the many other types of communications that could be involved in this expansion that we have seen at FISA over this past year.
That's making me wonder: What do we see as the trend here, in terms of moving away from sending subpoenas to individual journalists while simultaneously moving to a place where governments are trying to target companies and service providers, and then not even get a warrant for the data that we're requesting from those service providers? It seems an awful lot like what we're looking at is the U.S. government trying to have its cake and eat it too.
Stern: I think that's an interesting framing. RISAA does not offer a transparent process like you would see, at least ideally, in getting a subpoena or a search warrant. In most cases, search warrants of journalists’ communications, devices, or files — at least when they're suspected of an offense involving newsgathering — are already prohibited under federal law in the Privacy Protection Act. Subpoenas at least provide for a transparent process and a day in court.
With this expansion of Section 702, the government can gain access to a journalist's conversations with a particular person — specifically, a foreign target — through, again, the thumb drive that the cleaning crew implements in the office.
Particularly when it comes to national security journalism, I would say you're right, Martin, that the government is sort of having its cake and eating it too, in the sense that it's going to claim, as Biden repeatedly has, to be an ally of the press, a friend of press freedom. The administration takes credit for policies that further press freedom by, for example, limiting subpoenas, while at the same time engaging in surveillance of the press through underhanded, less transparent methods. That said, when it comes to most forms of journalism, subpoenas, and search warrants remain the primary means by which the government or the courts can surveil journalists. National security journalism is a different ballgame. And that's where I think you're, unfortunately, onto something there.
Anderson: Where does information that feeds this type of surveillance come from in the first place?
David Huerta, senior digital security trainer: It comes from a lot of different places. Not only are we talking about the possibility of very sophisticated ad-based surveillance technology but also all the things that have been happening at Fort Meade (where the National Security Agency is based) between the Snowden leaks and now — and we don't get to the details because there hasn't been another Snowden.
There have been a lot of job listings on the NSA job board. They are hiring for exactly the kind of skill sets that you would want in order to build a Pegasus-like system. We can also see a lot of possibilities for “collect now, decrypt later”-type methods of surveillance, where you potentially see ISPs handing over TLS-encrypted internet traffic, which may become a concern if there’s a significant breakthrough in quantum computing technology and it allows Fort Meade to decrypt that traffic.
Holmes: All what we’ve discussed today comes down to what is within our threat model. When we think about what it's going to look like for a journalist covering an election, I see two things.
One is being prevented from being able to report. The U.S. Press Freedom Tracker (a project of FPF) mentions a number of cases where journalists are targeted. Law enforcement knows that journalists are going to be covering a specific rally or protest. They could preemptively arrest that person under shoddy pretenses so they can't actually go out and report. Where does the information come from, to recognize and identify that reporter on the ground in order to corral them and to keep them on the sidelines? Targeted surveillance. Has that reporter tweeted that they're going to be out there that day? What is their history of reporting? Can we expect them out there?
And then there's also the intimidation against not only journalists themselves but independent media organizations. Adversaries leverage the current sentiment around press freedom in order to find ways to intimidate reporters from media organizations that they represent based on an organizational stance on DEI, or their commitment to fair reporting on the war in Gaza, and other issues that government officials use as legislative pressure points.
From a digital security perspective, a lot of that comes from the run-of-the-mill tactics that we've seen for the past couple of years having to do with online harassment. In the immediate future, I feel that reporters have to be aware of the targets that are already painted on their backs.
Anderson: What can journalists do to mitigate some of the issues that we've raised here today?
Huerta: If you are reading this, chances are you're already using Signal. I can promise you that your friends who are covering elections in swing states are not. Maybe tell them about it.
Holmes: Keep your wits about you in terms of your engagement on social media. Definitely know that the way that we engage on X and on Facebook, on Threads and TikTok, is actively being mined in order to create dossiers on reporters who are especially prominent during coverage cycles. Prepare yourself for going out thereby taking care of your online footprint.
Shelton: I have been seeing quite a lot of coordinated harassment of individuals working with media organizations, to try to discredit them, typically by going through their work history or some of their social media history, in order to dig up information that could be seen as unfavorable to them, then sending it along, either to their bosses or to their colleagues. That's something that we want to keep our eyes out for in the media sphere. Recognize it for what it is: that people may try to discredit our colleagues, and that's something that we now have to stand up to.
Stern: We often recommend that, when journalists are aware of violations of their rights, report on them. This might not always be the right strategy; sometimes, in these circumstances, you might want to keep a sort of low profile. But if you're a journalist who is aware that your local police department is monitoring journalists on Twitter so that they can identify them at protests, and arrest them with flimsy pretexts, and you've got enough facts to report it as a news story, do so. If you don't have enough facts to report it as a news story, you can still file FOIAs, make phone calls, let the government officials know that you're on to them that you are investigating.
And, of course, always have your lawyers’ and editors’ phone numbers handy. Be aware of your resources. The Reporters Committee for Freedom of the Press has a legal defense hotline, and the Society of Professional Journalists has a legal defense fund. Know your rights and don't be afraid to politely assert them if the officer you're dealing with seems like they might be receptive to it, though there might also be circumstances where you just don't want to do that.