Its predecessor, the Patriot Act, garnered outrage and changed security policy globally. What should we expect from the Freedom Act, hastily passed last week?
Ed Ferrara is a principal analyst at Forrester Research, where he serves security and risk professionals.
The Freedom Act adds a higher burden of proof for agencies seeking to place a U.S. citizen, group or company under surveillance. The updated legislation will no longer require private firms to retain data such as subscriber phone records and more clearly defines the rationale required to allow surveillance activities.
Here are some of the bigger changes between the Patriot Act and the Freedom Act that Forrester sees -- and what you need to be aware of:
1. The Freedom Act repeals one of the most contentious provisions of the Patriot Act.
Privacy advocates and libertarians were angered by the indiscriminate nature of the government's collection process with respect to American citizens' phone records. However, an independent panel determined it had not helped significantly in the counterterrorism effort. The collection and storage of the data will be the responsibility of the telecommunication companies, who use the data for billing purposes. This allows the government to skirt the illegalities of it collecting and owning the data and clearing the way for the legal bulk collection of data by private industry, to be subpoenaed by federal law enforcement during a targeted investigation.
2. Metadata now falls under the stewardship of the telcos - and the FCC.
Under the Patriot Act, the National Security Agency could retain metadata for five years. Now that the data is under the stewardship of the telecommunication companies. That falls under Federal Communications Commission regulation and the FCC says telcos must delete customer data after 18 months. Thus, not only will NSA not have the data itself; it will have access to it (via subpoena) for a third of the time.
While the chair of the FCC has the power to change the retention schedule to match the five years NSA used, Forrester believes it's likely the FCC will leave the data storage requirement alone or shorten it to 90 days to match the FISA court, which will effectively gut the usefulness of the data for law enforcement purposes.
3. Roving wiretaps become simpler to obtain.
The new provision requires applications to the FISA court to be specific and prohibits the request from including broad geographic regions or the identification of an electronic communications or computing service. Before the Patriot Act, law enforcement needed individual warrants for each phone and communication device.
4. U.S. tech companies now have recourse to contest government requests.
There is a general understanding that the FBI and NSA cannot conduct their domestic surveillance activities without the assistance of U.S. companies. The reality is the private sector controls most of the cyberinfrastructure the FBI and NSA need to conduct surveillance.
However, some companies have pushed back on surveillance requests. PRISM, the bulk data collection program, was challenged in 2013 by Google, LinkedIn, Microsoft, Twitter and Yahoo, and this trend may continue. In 2014, telcos such as AT&T, Sprint and Verizon expressed concern about surveillance programs to U.S. government officials. This new law will give these companies recourse for challenging the federal government when they feel the request is invalid.
5. New legal counsel will now plead for civil liberties before the FISA court.
It is still the FISA court that reviews and grants federal warrant requests. However, the new law also makes the FISA court process a bit more transparent and adds privacy advocate counterarguments to the court's process. Prior to the Freedom Act's passage, the FISA court heard only the government's argument for getting the data, not a counterargument for protecting it.
Forrester recommends keeping your data protection plans intact. Although the Freedom Act outlaws the bulk collection of phone records, U.S. intelligence agencies still have broad authority to collect information on potential terrorists. This means that the plans laid prior to Patriot Act expiration need to remain in place either to cooperate with government and law enforcement or to protect customer data using encryption, and other appropriate means.
(Image via Brandon Bourdages/ Shutterstock.com)
NEXT STORY: How to Secure WordPress in 10 Steps