Feds logged website visitors in 2019, citing Patriot Act authority

Feds logged website visitors in 2019, citing Patriot Act authority

The federal government gathered up visitor logs for some websites in 2019, the Office of Director of National Intelligence disclosed in letters made public this week. And the feds cited authority derived from a provision of the Patriot Act to do it.

Director of National Intelligence John Ratcliffe confirmed these actions in a November 6 letter to Sen. Ron Wyden (D-Ore.), part of an exchange (PDF) first obtained and published by the New York Times.

The exchange begins with a May 20 letter from Wyden to the ODNI asking then-director Richard Grenell to explain if and how the federal government uses section 215 of the Patriot Act to obtain IP addresses and other Web browsing information. At the time, the Senate had just passed legislation re-authorizing the law. Wyden was among the privacy advocates in the Senate pushing to amend the law to prevent the FBI from using Section 215 to obtain users’ search and browsing histories, but his measure did not succeed.

Ratcliffe’s response to Wyden, six months later, said that the FBI did not use section 215 authority to harvest Internet search terms, and he added that of the 61 orders issued in 2019 (prior to the law’s expiration in March of this year), none involved “the production of any information regarding Web browsing or Internet searches.”

However, on November 25, Ratcliffe sent another letter to Wyden to “amend” his previous response. As it turns out, one of those 61 orders did indeed result in the FBI gaining access to “information that could be characterized as information regarding ‘Web browsing.'” Specifically, federal investigators collected log entries for “a single, identified US Web page” showing IP addresses that accessed it from “a specified foreign country.” The document names neither the site nor the country in question.

The amended letter “raises all kinds of new questions, including whether, in this particular case, the government has taken steps to avoid collecting Americans’ Web browsing information,” Wyden said in a statement. The senator added, “the DNI has provided no guarantee that the government wouldn’t use the Patriot Act to intentionally collect Americans’ web browsing information in the future,” and he urged Congress to pass an amendment he proposed earlier this year.

What now?

The Patriot Act, including section 215, was first adopted in October, 2001, in the wake of the September 11 attacks. Section 215 specifically allows the FBI to obtain an order from a secret court known as FISA—the Foreign Intelligence Surveillance Court—to collect any records it deems relevant to a national security investigation. This particular provision of law rocketed to visibility after Edward Snowden made his infamous leaks way back in 2013. In 2014, the list of records subject to collection under section 215 included not only phone and Internet data, but also some library records, tax returns, some medical records, financial information, credit card purchases, and a whole litany of other data points.

The broad authority granted to federal investigators under section has remained controversial in the years since it entered the public awareness. Section 215 expired in March, however, and still has not been renewed.

The Senate passed its version of a re-authorization bill on May 14. Wyden and Sen. Steve Daines (R-MT) had initially put forth a bipartisan amendment that would limit the government’s ability to conduct warrantless searches of America’s browsing and search histories. Their measure received 59 votes, but in the hyper-partisan, dysfunctional modern era that did not put them over the 60-vote threshold necessary to avoid filibuster, and the amendment failed. The bill the Senate did pass, 80-16, did not include that privacy provision.

We have a bicameral legislature, and so the House was making progress on its version of a bill by May 26, with strong support from Rep. Zoe Lofgren (D-Calif.) and Rep. Warren Davidson (R-Ohio) to add a privacy amendment in line with the one that didn’t make it into the final Senate bill. On May 27, however, President Donald Trump threw the whole process into chaos when he abruptly urged Republicans not to support a reauthorization at all.

That proved to be more or less the end of the matter for, apparently, this entire Congress. It remains unclear to what degree the upcoming administration of President-Elect Joe Biden will pursue the matter, especially as the party makeup of the incoming Senate will not be known until after the January 5 runoff election in Georgia.

https://arstechnica.com/?p=1727701