Just being able to calmly purchase toilet paper feels like reason enough to celebrate these days. But one thing a lot of people won’t be cracking champagne over this month is the renewal of the Patriot Act/USA Freedom Act — and its terrible inclusion of a provision to allow government collection of Americans’ internet browsing and search histories without a warrant.
That is, if Congress gets its collective shit together and passes it to the Oval Office for a signature. Right now, the Act has crossed the Senate and is going back to the House, with a fight over amendments already boiling over.
Yet, it was the one amendment that didn’t pass which has privacy fans ready to break their champagne bottles on a rock and use them as shivs. That amendment, from Senator Ron Wyden, would have specifically excluded internet browsing and search history from what the government is allowed to collect.
Wyden’s amendment would have countered Senate GOP Majority Leader Mitch McConnell’s amendment, which “will expressly permit the FBI to warrantlessly collect records on Americans’ web browsing and search histories,” reported Daily Beast with the scoop. The outlet added, “In a different amendment, McConnell also proposes giving the attorney general visibility into the ‘accuracy and completeness’ of FBI surveillance submissions to the secret Foreign Intelligence Surveillance Act (FISA) Court.”
To recap: McConnell added warrantless surveillance of Americans’ browsing and search, Wyden countered it with the Senate version of LOLNO, and then Wyden’s amendment failed by just one vote. Engadget senior editor Richard Lawler pointed out that “Washington senator Patty Murray would have voted yes, but was still flying back to D.C. when the votes were cast.”
“Under the McConnell amendment, Barr gets to look through the web browsing history of any American—including journalists, politicians, and political rivals—without a warrant, just by saying it is relevant to an investigation,” Wyden told Daily Beast.
Citing the Wyden-Daines amendment, Rep. Zoe Lofgren said that “it’s now the House’s responsibility to curb this violation of Americans’ rights,” Politico reported. “I know it’s still within our grasp as lawmakers to push for the significant privacy reforms we need.”
Because we have enough past experience that this kind of surveillance will be abused, and accountability, like Elvis, has left the Capitol building, the pushback on 2020’s version of NSA-PRISM is big enough to almost allow us a decadent sliver of hope. Organizations from the ACLU and DuckDuckGo to HumanRightsWatch and the NAACP have asked lawmakers (including Speaker Pelosi) to urgently add Wyden’s changes.
All of this is why you probably saw a bunch of histrionic headlines fly by saying the US government was going to play collect-them-all with our searches for “how to get off this planet” and our visits to websites about how to become an expat and not catch COVID-19 in ten easy steps. They weren’t wrong. But there are some interesting things you should know about how this kind of collection will probably be done.
You’re not alone if you instantly envisioned a giant NSA/FBI data warehouse in the middle of some ominous Fallout desert scene, where all of the country’s (and probably the world’s) phone calls were being Hoovered up and stored. So much data that it’s searched by agents and AI, sadly dispelling everyone’s favorite, the personal FBI agent meme.
This is probably the same fantasy some of the internet data surveillance ghouls are salivating over right now — Facebook-level access to our internet lives (Facebook being just a different flavor of slobbering ghouls). But why do the (surveillance) work when others have done it for you? I’m sure McConnell and company are thinking of it like how they’ve seen humans on TV simply go to the store for whatever it is that humans eat and drink. In this case the stores would be Google, Apple, Microsoft, and everyone else who has authorities showing up with warrants for internet search and browsing data. Just go to Big Browser! They’ll have whatcha need.
Those channels are already there: they are among the same government spying and data surveillance/collection problems for consumers and at-risk groups that existed before. Right now, there’s a step that must be satisfied unless those authorities want to be turned away by the people at those companies whose jobs it is to look at a warrant and say “yes this warrant is acceptable” or “nice try pal, this is not what you say it is.” (All of which ends up essentially paraphrased in company transparency reports.)
As Patriot Act/USA Freedom stands now, this step would be removed.
Interestingly, one “Big Browser” company has a feature that’s a useful tool in this context. Like the way Apple can’t “read” your iPhone’s data (specifically, Apple can’t decrypt it), Google can only share what it can “read.” You can password protect your Chrome data by following the instructions here.
Anyway, to validate the concerns a lot of you are having about your surveillance and privacy defenses, it’s important to know that the company running your browser goes on your Patriot Act 2020 “adversary” list. Even though, in this instance, companies like Apple and Google (etc.) are the ones having changes forced on them -- putting them in a position that’s sure to destroy user trust at scale. Engadget reached out to Apple and Google for comment on this matter and did not receive a response by time of publication.
Now, I know some of you are reading and saying, that’s it, I’m just going to use DuckDuckGo from now on, I know for a fact they oppose this and they’ve got my back. DuckDuckGo, a VPN, and a full-body condom ought to do it. Except you’ll need a VPN that already doesn’t cooperate with FISA warrants. It’s possible. Interestingly, NordVPN’s Warrant Canary has strong language stating it has never handed over user data. But to order those body condoms, you still need internet access.
That’s why your internet service provider (ISP) should probably go higher on your Patriot Act 2020 “adversary” list than Big Browser. Last year, the Federal Trade Commission launched an investigation into AT&T, Comcast, Google Fiber, T-Mobile, and Verizon after “T-Mobile, Sprint, and AT&T were selling their mobile customers’ location information to third-party data brokers despite promising not to do so,” according to Ars Technica. And in case you didn’t know the background on it, the EFF proved in court that “Verizon Wireless, Sprint and AT&T [participated] in the NSA’s mass telephone records collection under the Patriot Act.”
(If you want to get into the details of ISPs, DNS, and protecting data in that context, check out what Mozilla is trying to do in The Facts: Mozilla’s DNS over HTTPs)
In infosec lingo, when it comes to Patriot Act 2020, your ISP is an attacker in a privileged position. And right now we depend on the internet for, well, almost our very lives. Lives which require privacy — a human right.
2020 is many things, and one of those things seems to be an agonizingly long version of the infamous “Leave Britney Alone” video, except it’s us, and we’re at the tear-streaked breaking point over our data privacy. Now that we’re essentially trapped online most of our waking hours, we feel more used, stressed, poked, prodded, extorted, angry, tricked, and helplessly subjected to violations about our data than ever. It’s exhausting at a time when everything seems exhausting.
For now, we can focus on how to control the things we can, like doing privacy self-checks or take inventory of app settings. We get to know tools like VPNs and start to use things that end-to-end encrypt our communications -- we practice doing things that shore up our defenses a bit more than before.
While we do that, we’ll have to flex one of the less popular survival skills -- we wait. The ghastly changes to the Patriot Act, a thing that was already a shambling disaster of failed protections and rights violations, may still face a challenge or two before getting an Oval Office signature. Though even if McConnell’s amendment doesn’t squeak through this time, we now know that lawmakers at the top want an unprecedented, Facebook-level of spying and control over our online lives.
We just thought that trajectory was the stuff of implausible video games and far-out films -- which, turns out, are a lot less entertaining to live through.