Category Archives: Privacy & Security

EFF Joins ACLU in Amicus Brief Supporting Warrant Requirement for Cell-Site Simulators



EFF, ACLU, and ACLU of Maryland filed an amicus brief today in the Maryland Court of Special Appeals in the first case in the country (that we know of) where a judge has thrown out evidence obtained as a result of using a cell-site simulator without a warrant.

In the case, Baltimore Police used a Hailstorm—a cell-site simulator from the same company that makes Stingrays—to locate Kerron Andrews, the defendant. The police not only failed to get a warrant to use the device, they also failed to disclose it to the judge in their application for a pen register order. And it appears they even failed to tell the State’s attorney prosecuting Mr. Andrews’ case.

Luckily Mr. Andrews’ intrepid defense attorney suspected the police might have used a stingray and sent a discovery request asking specifically if they had. The prosecution stalled for months on answering that request, but, on the eve of trial, one of the investigators responsible for Baltimore PD’s stingrays finally testified in court not only that he’d used the device to find Mr. Andrews, but that he’d specifically not disclosed it in any report filed about Andrews’ arrest. The judge concluded the police had intentionally withheld information from Mr. Andrews—a clear violation of his constitutional rights.

This August, another Baltimore judge granted the defense’s request to suppress all evidence the police were able to get as a direct result of using the stingray. The judge held the use of the device without a warrant violated Andrews’ Fourth Amendment right to be free from unlawful searches and seizures. Unsurprisingly, the government appealed.

Cell-site simulators, also commonly known as IMSI catchers or stingrays, masquerade as legitimate cell phone towers, tricking phones nearby into connecting to the device instead of the tower operated by the phone company. This allows police to log the identifying numbers of mobile phones in the area and to pinpoint their locations. Police often use cell-site simulators when they are trying to find a suspect and know his phone’s identifying information.

As we learned from USA Today, the Baltimore PD has been using cell-site simulators extensively (and secretly) for at least the last eight years. A detective testified that Baltimore officers had used cell-site simulators more than 4,300 times since 2007. Like other law enforcement agencies around the country, Baltimore has used its devices for major and minor crimes—everything from trying to locate a man who had kidnapped two small children to trying to find another man who took his wife’s cellphone during an argument (and later returned it). And, like other law enforcement agencies, the Baltimore PD has regularly withheld information about Stingrays from defense attorneys, judges, and the public.

Stingrays are especially pernicious surveillance tools because they collect information on every single phone in a given area—not just the suspect’s phone—this means they allow the police to conduct indiscriminate, dragnet searches. They are also able to locate people inside traditionally-protected private spaces like homes, doctors’ offices, or places of worship—in Mr. Andrews’ case the investigators used the Stingray to pinpoint his location to within a specific apartment. Stingrays can also be configured to capture the content of communications.

This is why it’s imperative that police not only obtain a warrant based on probable cause before using a cell-site simulator but also commit to minimization procedures, including immediately deleting information about all phones not covered by the warrant and limiting the time period during which the device is used. These are not novel or onerous requirements—the Wiretap Actrequires similar procedures. And in fact, both the Department of Justice and the Department of Homeland Security recently committed to following similar procedures whenever their agents use stingrays.

We hope the Maryland Court of Special Appeals will agree that the warrantless use of a stingray is unconstitutional and uphold the lower court ruling suppressing the evidence.

How Secure Are You Online: The Checklist

Think you do enough to secure your passwords, browsing, and networking? Prove it.

Not all computer security is about tin foil hats and anonymous browsing. Everyone who uses a computer has a horse in the security race. For the purpose of this post, we’re breaking down online security into four essential parts: passwords, browsers, at-home Wi-Fi and networking, and browsing on public Wi-Fi. Within those categories we’ll give you a checklist of everything you should do, from the bare minimum to the tin-foil-hat best.

Think you’ve done your due diligence with your security? Jump to any of the four sections below to see how you stack up (and boost your security where you may be lacking):

Password Security Checklist

How Secure Are You Online: The Checklist

Password security has been popping upa lotin the news recently, but how much you should care is entirely dependent on what you do online.

The Bare Minimum of Password Security

Just because you don’t use a lot of online services doesn’t mean you can neglect basic password security. Sure, you don’t need to take any complicated measures, but everyone should at least do a couple things.

  • Pick strong passwords: Regardless of what your password is for, it’s always good to pick a strong, random password. Don’t use your child’s name, or a birthday.
  • Use unique passwords for every site:Don’t ever reuse the same email and password combo on multiple services. It might seem like it doesn’t matter, but if a hacker gets your account information on one site, that means they can use that login information on every other site you’re registered at. Keep all your passwords different.
  • Use Should I Change My Password? to track security breaches: If you don’t keep up with tech news you probably don’t see most minor security breaches. To help out, the webapp Should I Change My Password? notifies you when a major service is hacked.

That’s the minimum you should do if you want to play it safe and secure with your passwords. But you can do better than that. Let’s step up your game.

Level Up: You’re a Password Pro

If you’re the type to conduct a lot of work online, then you need more complicated security measures. With that in mind, you should do the steps mentioned above, and a few other things.

  • Use two-factor authentication whenever possible: Two-factor authentication is a simple way to lock your computer to an account so you have to verify your identity when you log onto a different computer. Not all services have it, but Google, LastPass, Facebook, Dropbox, and more all do. Use it.
  • Use a password manager: We get it, you have a lot of passwords and you don’t want to remember them all. Instead of reusing the same junky password, a password manager is a simple way to save them all securely. We like LastPass, but KeePass, and 1Password are equally solid solutions.
  • Shut down and unlink services you don’t use: If you’re the type to try out a lot of different webapps or mobile apps then you probably have a ton of passwords scattered around everywhere. When you decide you don’t want to use a service anymore, remember to delete your account. This way, if the service is hacked you don’t have to fumble around trying to remember your login information. For added protection, make sure you clean up your app permissions on Facebook and Twitter.
  • Use misleading password hints: Finally, don’t answer password hints truthfully. Instead, you can use word association, or just pick a random response (that you’ll remember).

If you’re doing all of the above, your passwords are about as safe as they can get. Nice work, and stay vigilant!

Browser Security ChecklistHow Secure Are You Online: The Checklist

With all your passwords in check it’s time to ensure your browsing is both secure and private. Of course, many people don’t care about privacy, but security—even after your passwords are in order—is still important.

The Bare Minimum of Browser Security

Password security is just part of the battle. You also want to make sure your browser is secure. This is what everyone should be doing:

  • HTTPS Everywhere: You likely know by now that you should never hand over personal info unless you’re doing so over a secure connection (HTTPS in the browser URL). The HTTPS Everywhere browser extension highlights secure sites, and ensures you’re always on HTTPS whenever it’s available (including on social networks, shopping sites, and more).
  • Log out of your accounts: If you’re sharing a computer in a house full of people, or you do most of your browsing on a public computer, always remember to logout of any account you use. It’s a simple, obvious step, but it’s worth repeating to yourself until you remember. When you don’t log out of an account, you’re giving authorization to snoop.
  • Understand the basics of online fraud: Phishing scams, malware, and other nasty things are all easy to detect if you keep a cautious eye on what your browser is doing at all times. Be skeptical of odd emails, brush up on the FTC’s guide to identity theft, and don’t trust your personal information to any website that doesn’t use HTTPS.

The basics of browser security are great for most people, but if you want to keep advertisers and The Man off your back, you need to take a few more measures.

Level Up: Keep Everyone from Tracking You

We know that pretty much everyone is tracking your every move on the web. The data collected from your browsing is used for ads, targeted coupons, and plenty more. Let’s put a stop to that.

  • Adblock Plus: Adblock Plus isn’t just an ad blocking extension, it also helps keep the likes of Twitter, Facebook, and Google+ from transmitting data about you.
  • Ghostery: Ghostery is an extension that’s all about eliminating tracking cookies and plug-ins used by ad networks. With Ghostery installed, no advertiser can snoop on what you’re doing online.
  • Do Not Track Plus: Do Not Track is an extension that eliminates sites with Facebook and Google+ buttons from tracking you. By default, a data exchange happens when you visit a site with one of these buttons, even if you don’t click on them. Do Not Track stops that from happening.

The above extensions and measures can ensure you have a private and secure browsing experience. But if you really want to keep your browsing away from prying eyes, you have to go anonymous.

Next Level: Go Anonymous

Completely anonymous browsing isn’t for everyone, nor is it for every situation. However, it can come in handy when you’re torrenting, when you don’t want to give away your location, and if you just plain don’t like somebody watching over your shoulder. Here’s what you’ll need.

  • Tor Browser: Tor is the easiest to use anonymous browser. When you use Tor for browsing, you don’t get plugins, your traffic is automatically encrypted, and your browsing is always anonymous.
  • Use VPN services to secure everything you do: VPN services are a great way to create secure connections across the internet. Using a VPN means you’re encrypting all the data transferred online. We like Hamachi becauseit’s incredibly easy to use, but any of these five will do the trick.
  • Use BTGuard for anonymous torrenting: Peer-to-peer file sharing is great, but since it’s often used for piracy you might want to keep your downloads private. BTGuard does just that through a proxy server (which helps keep you anonymous). The service is $59.95 a year, but it’s worth it to avoid throttling from your Internet Service Provider.

Home Network Security Checklist

How Secure Are You Online: The Checklist

Once your internet data is secure it’s time to secure your data on your home computer. This means backing everything up, and keeping your network safe from prying eyes.

The Bare Minimum of Network Security

If you don’t use your computer for much more than browsing the web, creating a couple documents, and storing family photos, then you don’t need to do much to keep everything safe.

  • Keep your software up to date: Software updates aren’t just about adding new features, they’re often about patching security holes. Thankfully, the update process is very simple. On Windows, click the Start Menu > All Programs > Windows Update. On Mac, click the Apple menu, and choose Software Update. Both update programs run periodically on their own, but it’s always good to check for a new update if you hear about a security issue.
  • Change your router’s security settings: If you’re still running your router’s default settings, then pretty much anyone can get into your home network and peek in on your computers. It’s not hard to crack WEP passwords or WPA passwords, but you should at least enable a non-default password and network name on your router.
  • Backup your photos and documents: Perhaps you’re not all that worried about what would happen if your $200 computer dies because you don’t do that much with it. Still, chances are you have a resume or some vacation photos on the hard drive. Backing up those few important files is easy. Cloud storage like Dropbox, Box, and Skydrive take very little time to set up. Once you do, your few important documents will be saved online.
  • Prevent downloaded software from installing automatically: Malware often comes in the form of a download you don’t notice happening, but it’s easy to stop. On Windows, disabling AutoRun can stop around 50% of Malware threats, and all you need is the free software Disable Autorun. On Mac, downloads shouldn’t run automatically, but if you’re using OS X Mountain Lion you can set up GateKeeper (System Preferences > Security & Privacy > General) to only allow applications from the Mac App Store for added security.

These are just the basics. If your computer is your livelihood, you need to do a few more things to keep your data secure.

Level Up: You’re a Network Security Pro

Whether you work from home, or you’re simply on a work computer all day long, keeping your data secure and safe is important. On top of everything above, you also want to add a few more security measures.

  • Create automated backups with Crashplan: If your computer contains everything you need to work, then you need a solid full system backup solution. We like Crashplan because it’s cheap, automated, and works on every operating system.
  • Set folder specific permissions: If you’re sharing your computer with a household of people, but need to ensure your work documents are safe, then setting up permissions is the easiest way to do it. In Windows, right-click the folder, go to Properties, and open the Security settings. Then click the edit setting and select your user name to lock the folder to you. On Mac, right-click a folder, click Get Info, and change the settings under Sharing & Permissions. For extra security, you can easily set up encryption with Truecrypt.
  • Know how someone would break into your computer (and keep it from happening to you): It’s surprisingly easy to a Mac. Once you know how someone could get into your system, it’s relatively easy to prevent. On Windows, you can usually get away with a long password, and on Mac you can set up FireVault to secure your
    data (System Preferences > Security).
  • Upgrade your router’s security: As we mentioned above, hacking into a wireless network is incredibly easy. One way to secure your router is to upgrade its firmware with DD-WRT or Tomato. Upgrading your router cankeep you safe from at least one type of hack.

The above is more than enough for most people on their home network, but what about when you need to leave the house?

Public Wi-Fi Security Checklist

How Secure Are You Online: The Checklist

Using public Wi-Fi exposes everything you do online (and your computer itself) to anyone else on the network. We’ve shown you how people sniff out your passwords on public Wi-Fi before, and it’s suprisingly simple. Let’s stop that from happening to you.

Bare Minimum of Public Wi-Fi Security

Let’s say you occasionally check email on public Wi-Fi when your internet is down or you’re on vacation. You’re always tempting fate when you don’t completely lock down your computer, but here’s the minimum amount of effort you should always do.

  • Always use HTTPS: We mentioned HTTPS Everywhere above, but it’s worth repeating here. If you’re checking your email, or doing anything else with a password on a public network, always use HTTPS.
  • Turn off sharing: When you’re at home you might share your files with other people on your network. That’s great, but you don’t want that on public Wi-Fi. Disable it before you even connect. In Windows, open Control Panel, then head to Network and Internet > Network and Sharing Center. Then click Choose Homegroup and Sharing Options > Change Advanced Settings. Turn off file sharing, print sharing, network discovery, and the public folder. On Mac, open System Preferences > Sharing, and make sure all the boxes are unchecked.
  • Don’t connect to Wi-Fi unless you need it: This might seem like common sense, but if you’re not actually using the internet connection, turn it off. In Windows, right-click the wireless icon in the taskbar and turn it off. On a Mac, click the Wi-Fi button in the menu bar, and turn off Wi-Fi.

Doing these three things will keep most of your data secure when you’re just popping in to quickly check your email. If you’re using free Wi-Fi in a dorm or apartment building, you need a stronger solution.

Level Up: You’re a Public Wi-Fi Pro

If you’re on public Wi-Fi a lot, it’s best to really lock down and encrypt your data. In addition to the steps above (particularly turning off file sharing and HTTPS), you can lock out anyone pretty easily.

  • Encrypt everything with Hamachi and Privoxy: The easiest way to cut off outsiders from peeking into your private data when you’re on a public network is with the free VPN Hamachi, and the web proxy Privoxy. Setup isn’t much more complicated than a few clicks, and the end result is secure connections for all your browsing.
  • Encypt it further with an SSH SOCKS proxy: If you don’t want to use a VPN, another option is to roll your own SSH SOCKS proxy. This encrypts all your web browsing and redirects it through a trusted computer.

That’s all you really need to do when you’re on public Wi-Fi to keep your browsing encrypted and safe. However, you can take it another step and go completely anonymous.

Next Level: Grab Your Tin Foil Hat, We’re Going Untraceable

Perhaps you really don’t want anyone tracking what you’re doing on a public Wi-Fi network or worse, public computer. This sounds nefarious, but it’s handy for things like checking your bank account on a public computer.

The simplest way to go completely anonymous is with a custom build of Linux called Tails installed on a USB or CD. We’ve walked you through the setup process before and it’s very easy. With Tails you get a custom operating system with built-in anonymous browsing, encryption for email and chat, file encryption, and a ton of software. You can load Tails up on your own computer, or a public one. With Tails, you not only browse without leaving a trace, you also secure everything you do.

Security is important to everyone from the tech illiterate to the tech savvy. The precautions you decide to make are your own choice, but always keep in mind that you security online is just as important (if not more) than the security in your own home.



Browse Like Bond: Use Any Computer Without Leaving a Trace with Tails

If James Bond logs on to a computer, he doesn’t want to leave a bunch of files, cookies, or…Read more

DNA Evidence Can Be Fabricated, Scientists Show


AUG. 17, 2009

Scientists in Israel have demonstrated that it is possible to fabricate DNA evidence, undermining the credibility of what has been considered the gold standard of proof in criminal cases.

The scientists fabricated blood and saliva samples containing DNA from a person other than the donor of the blood and saliva. They also showed that if they had access to a DNA profile in a database, they could construct a sample of DNA to match that profile without obtaining any tissue from that person.

“You can just engineer a crime scene,” said Dan Frumkin, lead author of the paper, which has been published online by the journal Forensic Science International: Genetics. “Any biology undergraduate could perform this.”

Dr. Frumkin is a founder of Nucleix, a company based in Tel Aviv that has developed a test to distinguish real DNA samples from fake ones that it hopes to sell to forensics laboratories.

The planting of fabricated DNA evidence at a crime scene is only one implication of the findings. A potential invasion of personal privacy is another.

Using some of the same techniques, it may be possible to scavenge anyone’s DNA from a discarded drinking cup or cigarette butt and turn it into a saliva sample that could be submitted to a genetic testing company that measures ancestry or the risk of getting various diseases. Celebrities might have to fear “genetic paparazzi,” said Gail H. Javitt of the Genetics and Public Policy Center at Johns Hopkins University.

Tania Simoncelli, science adviser to the American Civil Liberties Union, said the findings were worrisome.

“DNA is a lot easier to plant at a crime scene than fingerprints,” she said. “We’re creating a criminal justice system that is increasingly relying on this technology.”

John M. Butler, leader of the human identity testing project at the National Institute of Standards and Technology, said he was “impressed at how well they were able to fabricate the fake DNA profiles.” However, he added, “I think your average criminal wouldn’t be able to do something like that.”

The scientists fabricated DNA samples two ways. One required a real, if tiny, DNA sample, perhaps from a strand of hair or drinking cup. They amplified the tiny sample into a large quantity of DNA using a standard technique called whole genome amplification.

Of course, a drinking cup or piece of hair might itself be left at a crime scene to frame someone, but blood or saliva may be more believable.

The authors of the paper took blood from a woman and centrifuged it to remove the white cells, which contain DNA. To the remaining red cells they added DNA that had been amplified from a man’s hair.

Since red cells do not contain DNA, all of the genetic material in the blood sample was from the man. The authors sent it to a leading American forensics laboratory, which analyzed it as if it were a normal sample of a man’s blood.

The other technique relied on DNA profiles, stored in law enforcement databases as a series of numbers and letters corresponding to variations at 13 spots in a person’s genome.

From a pooled sample of many people’s DNA, the scientists cloned tiny DNA snippets representing the common variants at each spot, creating a library of such snippets. To prepare a DNA sample matching any profile, they just mixed the proper snippets together. They said that a library of 425 different DNA snippets would be enough to cover every conceivable profile.

Nucleix’s test to tell if a sample has been fabricated relies on the fact that amplified DNA — which would be used in either deception — is not methylated, meaning it lacks certain molecules that are attached to the DNA at specific points, usually to inactivate genes.

A version of this article appears in print on , on page D3 of the National edition with the headline: Scientists Show That It’s Possible to Create Fake DNA Evidence.

How (and why) to set up a VPN today

Marissa Mayer made Yahoo’s VPN famous by using it to check on the work habits of her employees. Lost amid today’s VPN conversation, however, is the fact that virtual private networks are much more than just pipelines for connecting remote employees to central work servers.

And that’s a damn shame, because VPNs can be helpful tools for protecting online privacy, and you need not be an office drone to enjoy their benefits.

A VPN, as its name suggests, is just a virtual version of a secure, physical network—a web of computers linked together to share files and other resources. But VPNs connect to the outside world over the Internet, and they can serve to secure general Internet traffic in addition to corporate assets. In fact, the lion’s share of modern VPNs are encrypted, so computers, devices, and other networks that connect to them do so via encrypted tunnels.

Why you want a VPN

You have at least four great reasons to start using a VPN. First, you can use it to connect securely to a remote network via the Internet. Most companies maintain VPNs so that employees can access files, applications, printers, and other resources on the office network without compromising security, but you can also set up your own VPN to safely access your secure home network while you’re on the road.

Second, VPNs are particularly useful for connecting multiple networks together securely. For this reason, most businesses big and small rely on a VPN to share servers and other networked resources among multiple offices or stores across the globe. Even if you don’t have a chain of offices to worry about, you can use the same trick to connect multiple home networks or other networks for personal use.

This diagram illustrates the difference between using an unencrypted connection and using a VPN-secured Internet connection at your average coffee shop.

Third, if you’re concerned about your online privacy, connecting to an encrypted VPN while you’re on a public or untrusted network—such as a Wi-Fi hotspot in a hotel or coffee shop—is a smart, simple security practice. Because the VPN encrypts your Internet traffic, it helps to stymie other people who may be trying to snoop on your browsing via Wi-Fi to capture your passwords.

Fourth and finally, one of the best reasons to use a VPN is to circumvent regional restrictions—known as geoblocking—on certain websites. Journalists and political dissidents use VPNs to get around state-sponsored censorship all the time, but you can also use a VPN for recreational purposes, such as connecting to a British VPN to watch the BBC iPlayer outside the UK. Because your Internet traffic routes through the VPN, it looks as if you’re just another British visitor.

Pick your protocol

When choosing a networking protocol for your VPN, you need worry only about the four most popular ones. Here’s a quick rundown, including the strengths and weaknesses of each.

Point-to-Point Tunneling Protocol (PPTP) is the least secure VPN method, but it’s a great starting point for your first VPN because almost every operating system supports it, including Windows, Mac OS, and even mobile OSs.

Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPsec) are more secure than PPTP and are almost as widely supported, but they are also more complicated to set up and are susceptible to the same connection issues as PPTP is.

Secure Sockets Layer (SSL) VPN systems provide the same level of security that you trust when you log on to banking sites and other sensitive domains. Most SSL VPNs are referred to as “clientless,” since you don’t need to be running a dedicated VPN client to connect to one of them. They’re my favorite kind of VPN because the connection happens via a Web browser and thus is easier and more reliable to use than PPTP, L2TP, or IPsec.

An SSL VPN server is designed to be accessed via Web browser and creates encrypted channels so that you can safely access the server from anywhere.

OpenVPN is exactly what it sounds like: an open-source VPN system that’s based on SSL code. It’s free and secure, and it doesn’t suffer from connection issues, but using OpenVPN does require you to install a client since Windows, Mac OS X, and mobile devices don’t natively support it.

In short: When in doubt, try to use SSL or OpenVPN. Keep in mind that some of the services highlighted in the next section don’t use these protocols. Instead, they use their own proprietary VPN technology.

Now, let’s talk about how to create and connect to your own VPN. If you want simple remote access to a single computer, consider using the VPN software built into Windows. If you’d like to network multiple computers together quickly through a VPN, consider installing stand-alone VPN server software.

If you need a more reliable and robust arrangement (one that also supports site-to-site connections), consider using a dedicated VPN router. And if you just want to use a VPN to secure your Internet traffic while you’re on public Wi-Fi hotspots and other untrusted networks—or to access regionally restricted sites—consider subscribing to a third-party hosted VPN provider.

Set up a simple VPN with Windows

Windows comes loaded with a VPN client that supports the PPTP and L2TP/IPsec protocols. The setup process is simple: If you’re using Windows 8, just bring up the Search charm, type VPN, and then launch the VPN wizard by clicking Set up a virtual private network (VPN) connection.

You can use this client to connect securely to other Windows computers or to other VPN servers that support the PPTP and L2TP/IPsec protocols—you just need to provide the IP address or domain name of the VPN server to which you want to connect. If you’re connecting to a corporate or commercial VPN, you can contact the administrator to learn the proper IP address. If you’re running your own VPN server via Windows, you can figure out the server’s IP address by typing CMD in the Search charm, launching the Command Prompt, and typing ipconfig. This simple trick comes in handy when you’re setting up your Windows PC as a VPN server, and then connecting to it so that you can securely, remotely access your files from anywhere.

Windows has a built-in VPN client, but you’ll need to provide the connection information (namely, the IP address) for the VPN server you want to use.

Quick note: When setting up incoming PPTP VPN connections in Windows, youmust configure your network router to forward VPN traffic to the Windows computer you want to access remotely. You can do this by logging in to the router’s control panel—consult the manufacturer’s instructions on how to do this—and configuring the port-forwarding or virtual-server settings to forward port 1723 to the IP address of the computer you wish to access. In addition, PPTP or VPN pass-through options need to be enabled in the firewall settings, but usually they’re switched on by default.

If you’re using Windows 7 and you need to connect to a VPN or to accept incoming VPN connections in that OS, check out our guide to setting up a VPN in Windows 7.


Use third-party software to create a VPN server

If you’d like to create a VPN between multiple computers to share files and network resources without having to configure your router or to dedicate a PC to act as the VPN server, consider using third-party VPN software. Comodo Unite, Gbridge, andTeamViewer are all decent, reliable, and (most important) free.

LogMeIn Hamachi is a simple, elegant, and secure VPN client that’s free for up to five users.

You can also use LogMeIn Hamachi for free with five or fewer users, but it’s good enough that if you have more than five PCs you want to link up securely—say, as part of your small-but-growing business—you should consider paying for the full service.

Go whole hog with your own VPN router

If you want to get your hands dirty while providing robust remote access to an entire network, or if you wish to create site-to-site connections, try setting up a router on your network with a VPN server and client. If you’re working on a budget, the cheapest way to set up your own dedicated VPN router is to upload aftermarket firmware that enables VPN functionality, such as DD-WRT or Tomato, to an inexpensive consumer-level router.

The ZyXel USG20W VPN router is a smart investment if you want to set up your own dedicated VPN at home or in the office.

You can also purchase a specially designed router (commonly called a VPN router) with a VPN server built in, such as the ZyXel ZyWall 802.11n Wireless Internet Security Gigabit Firewall (USG20W), Cisco Wireless Network Security Firewall Router (RV220W), or Netgear ProSecure UTM Firewall with Wireless N (UTM9S).

When you’re choosing a VPN router and third-party router firmware, make sure they support the VPN networking protocol you need for your devices. In addition, check the VPN router to verify how many simultaneous VPN users it supports.

Let a third-party VPN provider worry about it

If you merely want VPN access to cloak your Internet traffic while you’re using public Wi-Fi or another untrusted network, or to access regionally restricted sites, the simplest solution is to use a hosted VPN provider. Hotspot Shield is my favorite, as it offers both free and paid VPN services for Windows, Mac, iOS, and Android. HotSpotVPN,StrongVPN, and WiTopia are other paid services we’ve reviewed in the past.

The Onion Router is an excellent, free utility that anonymizes your Internet activity through a series of servers scattered around the world.

If you want to keep your browsing activity anonymous but can’t spare the cash for a paid VPN, check out the Onion Router, a network of servers that can anonymize your Internet traffic for free. Visit the TOR website and download the latest browser bundle, and then start browsing with the TOR extensions enabled. The software will encrypt your connection to the TOR server before routing your Internet traffic through a randomized series of servers across the globe, slowing your browsing speed but cloaking your online activity from prying eyes.

No matter how you choose to go about it, start using a VPN today. It takes a bit of work up front, but spending the time to get on a VPN is one of the smartest, simplest steps you can take toward making your online activities more secure.


Eric Geier Contributor

Follow me on Google+

Eric Geier is a freelance tech writer as well as the founder of NoWiresSecurity, a cloud-based Wi-Fi security service, and On Spot Techs, an on-site computer services company.

More by

FBI Taps Hacker Tactics to Spy on Suspects

Law-Enforcement Officials Expand Use of Tools Such as Spyware as People Under Investigation ‘Go Dark,’ Evading Wiretaps

Updated Aug. 3, 2013 3:17 p.m. ET

Law-enforcement officials in the U.S. are expanding the use of tools routinely used by computer hackers to gather information on suspects, bringing the criminal wiretap into the cyber age.

Federal agencies have largely kept quiet about these capabilities, but court documents and interviews with people involved in the programs provide new details about the hacking tools, including spyware delivered to computers and phones through email or Web links—techniques more commonly associated with attacks by criminals.

People familiar with the Federal Bureau of Investigation’s programs say that the use of hacking tools under court orders has grown as agents seek to keep up with suspects who use new communications technology, including some types of online chat and encryption tools. The use of such communications, which can’t be wiretapped like a phone, is called “going dark” among law enforcement.

The FBI develops some hacking tools internally and purchases others from the private sector. With such technology, the bureau can remotely activate the microphones in phones running Google Inc.’s Android software to record conversations, one former U.S. official said. It can do the same to microphones in laptops without the user knowing, the person said. Google declined to comment.

The bureau typically uses hacking in cases involving organized crime, child pornography or counterterrorism, a former U.S. official said. It is loath to use these tools when investigating hackers, out of fear the suspect will discover and publicize the technique, the person said.

The FBI has been developing hacking tools for more than a decade, but rarely discloses its techniques publicly in legal cases.

Earlier this year, a federal warrant application in a Texas identity-theft case sought to use software to extract files and covertly take photos using a computer’s camera, according to court documents. The judge denied the application, saying, among other things, that he wanted more information on how data collected from the computer would be minimized to remove information on innocent people.

Since at least 2005, the FBI has been using “web bugs” that can gather a computer’s Internet address, lists of programs running and other data, according to documents disclosed in 2011. The FBI used that type of tool in 2007 to trace a person who was eventually convicted of emailing bomb threats in Washington state, for example.

The FBI “hires people who have hacking skill, and they purchase tools that are capable of doing these things,” said a former official in the agency’s cyber division. The tools are used when other surveillance methods won’t work: “When you do, it’s because you don’t have any other choice,” the official said.

Surveillance technologies are coming under increased scrutiny after disclosures about data collection by the National Security Agency. The NSA gathers bulk data on millions of Americans, but former U.S. officials say law-enforcement hacking is targeted at very specific cases and used sparingly.

Still, civil-liberties advocates say there should be clear legal guidelines to ensure hacking tools aren’t misused. “People should understand that local cops are going to be hacking into surveillance targets,” said Christopher Soghoian, principal technologist at the American Civil Liberties Union. “We should have a debate about that.”

Mr. Soghoian, who is presenting on the topic Friday at the DefCon hacking conference in Las Vegas, said information about the practice is slipping out as a small industry has emerged to sell hacking tools to law enforcement. He has found posts and resumes on social networks in which people discuss their work at private companies helping the FBI with surveillance.

A search warrant would be required to get content such as files from a suspect’s computer, said Mark Eckenwiler, a senior counsel at Perkins Coie LLP who until December was the Justice Department’s primary authority on federal criminal surveillance law. Continuing surveillance would necessitate an even stricter standard, the kind used to grant wiretaps.

But if the software gathers only communications-routing “metadata”—like Internet protocol addresses or the “to” and “from” lines in emails—a court order under a lower standard might suffice if the program is delivered remotely, such as through an Internet link, he said. That is because nobody is physically touching the suspect’s property, he added.

An official at the Justice Department said it determines what legal authority to seek for such surveillance “on a case-by-case basis.” But the official added that the department’s approach is exemplified by the 2007 Washington bomb-threat case, in which the government sought a warrant even though no agents touched the computer and the spyware gathered only metadata.

In 2001, the FBI faced criticism from civil-liberties advocates for declining to disclose how it installed a program to record the keystrokes on the computer of mobster Nicodemo Scarfo Jr. to capture a password he was using to encrypt a document. He was eventually convicted.

A group at the FBI called the Remote Operations Unit takes a leading role in the bureau’s hacking efforts, according to former officials.

Officers often install surveillance tools on computers remotely, using a document or link that loads software when the person clicks or views it. In some cases, the government has secretly gained physical access to suspects’ machines and installed malicious software using a thumb drive, a former U.S. official said.

The bureau has controls to ensure only “relevant data” are scooped up, the person said. A screening team goes through all of the data pulled from the hack to determine what is relevant, then hands off that material to the case team and stops working on the case.

The FBI employs a number of hackers who write custom surveillance software, and also buys software from the private sector, former U.S. officials said.

Italian company HackingTeam SRL opened a sales office in Annapolis, Md., more than a year ago to target North and South America. HackingTeam provides software that can extract information from phones and computers and send it back to a monitoring system. The company declined to disclose its clients or say whether any are in the U.S.

U.K.-based Gamma International offers computer exploits, which take advantage of holes in software to deliver spying tools, according to people familiar with the company. Gamma has marketed “0 day exploits”—meaning that the software maker doesn’t yet know about the security hole—for software including Microsoft Corp.’s Internet Explorer, those people said. Gamma, which has marketed its products in the U.S., didn’t respond to requests for comment, nor did Microsoft.

Write to Jennifer Valentino-DeVries at and Danny Yadron at

With Liberty to Monitor All

US Surveillance is Harming Journalism, Law, Democracy
For much of its history, he United States has held itself out as a model of freedom, democracy, and open, accountable government. Freedoms of expression and association, as well as rights to a fair trial, are protected by the Constitution, and US officials speak with pride of the freedom of the media to report on matters of public concern and hold government to account for its actions. Yet, as this report documents, today those freedoms are very much under threat due to the government’s own policies concerning secrecy, leak prevention, and officials’ contact with the media, combined with large-scale surveillance programs. If the US fails to address these concerns promptly and effectively, it could do serious, long-term damage to the fabric of democracy in the country.Specifically, this report documents the effects of large-scale electronic surveillance on the practice of journalism and law, professions that enjoy special legal protections because they are integral to the safeguarding of rights and transparency in a democracy. To document these effects, we interviewed 92 people, including 46 journalists and 42 lawyers, about their concerns and the ways in which their behavior has changed in light of revelations of large-scale surveillance. We also spoke to current and former senior government officials who have knowledge of the surveillance programs to understand their perspective, seek additional information, and take their concerns into account in our analysis.Whether reporting valuable information to the public, representing another’s legal interests, or voluntarily associating with others in order to advocate for changes in policy, it is often crucial to keep certain information private from the government. In the face of a massively powerful surveillance apparatus maintained by the US government, however, that privacy is becoming increasingly scarce and difficult to ensure. As a result, journalists and their sources, as well as lawyers and their clients, are changing their behavior in ways that undermine basic rights and corrode democratic processes.

Revelations of Large-Scale Surveillance

The United States government today is implementing a wide variety of surveillance programs that, thanks to developments in its technological capacity, allow it to scoop up personal information and the content of personal communications on an unprecedented scale. Media reports based on revelations by former National Security Agency (NSA) contractor Edward Snowden have recently shed light on many of these programs. They have revealed, for example, that the US collects vast quantities of information—known as “metadata”—about phone calls made to, from, and within the US. It also routinely collects the content of international chats, emails, and voice calls. It has engaged in the large-scale collection of massive amounts of cell phone location data. Reports have also revealed a since-discontinued effort to track internet usage and email patterns in the US; the comprehensive interception of all of phone calls made within, into, and out of Afghanistan and the Bahamas; the daily collection of millions of images so the NSA can run facial recognition programs; the acquisition of hundreds of millions of email and chat contact lists around the world; and the NSA’s deliberate weakening of global encryption standards.

In response to public concern over the programs’ intrusion on the privacy of millions of people in the US and around the world, the US government has at times acknowledged the need for reform. However, it has taken few meaningful steps in that direction.

On the contrary, the US—particularly the intelligence community—has forcefully defended the surveillance programs as essential to protecting US national security. In a world of constantly shifting global threats, officials argue that the US simply cannot know in advance which global communications may be relevant to its intelligence activities, and that as a result, it needs the authority to collect and monitor a broad swath of communications. In our interviews with them, US officials argued that the programs are effective, plugging operational gaps that used to exist, and providing the US with valuable intelligence. They also insisted the programs are lawful and subject to rigorous and multi-layered oversight, as well as rules about how the information obtained through them is used. The government has emphasized that it does not use the information gleaned from these programs for illegitimate purposes, such as persecuting political opponents.

The questions raised by surveillance are complex. The government has an obligation to protect national security, and in some cases, it is legitimate for government to restrict certain rights to that end. At the same time, international human rights and constitutional law set limits on the state’s authority to engage in activities like surveillance, which have the potential to undermine so many other rights.

The current, large-scale, often indiscriminate US approach to surveillance carries enormous costs. It erodes global digital privacy and sets a terrible example for other countries like India, Pakistan, Ethiopia, and others that are in the process of expanding their surveillance capabilities. It also damages US credibility in advocating internationally for internet freedom, which the US has listed as an important foreign policy objective since at least 2010.

As this report documents, US surveillance programs are also doing damage to some of the values the United States claims to hold most dear. These include freedoms of expression and association, press freedom, and the right to counsel, which are all protected by both international human rights law and the US Constitution.

Impact of Surveillance on Journalists

For journalists, the surveillance programs and a government crackdown on unregulated contact between officials and the press have combined to constrict the flow of information concerning government activity. An increase in the frequency of leak prosecutions, as well as the government’s implementations of programs—such as the Insider Threat Program—aimed at discouraging officials from sharing information outside the government, have raised the stakes for officials who might consider even talking to journalists.

Large-scale surveillance dramatically exacerbates those concerns by largely cutting away at the ability of government officials to remain anonymous in their interactions with the press, as any interaction—any email, any phone call—risks leaving a digital trace that could subsequently be used against them. This is particularly worrisome in light of changes to US law that allow intelligence information to be used more easily in criminal investigations, potentially allowing law enforcement to circumvent traditional warrant requirements.

Journalists told us that officials are substantially less willing to be in contact with the press, even with regard to unclassified matters or personal opinions, than they were even a few years ago. This can create serious challenges for journalists who cover national security, intelligence and law enforcement, and who often operate in a gray area—working with information that is sensitive but not necessarily classified, and speaking with multiple sources to confirm and piece together the details of a story that may be of tremendous public interest.

In turn, journalists increasingly feel the need to adopt elaborate steps to protect sources and information, and eliminate any digital trail of their investigations—from using high-end encryption, to resorting to burner phones, to abandoning all online communication and trying exclusively to meet sources in person. Journalists expressed concern that, rather than being treated as essential checks on government and partners in ensuring a healthy democratic debate, they now feel they may be viewed as suspect for doing their jobs. One prominent journalist summed up what many seemed to be feeling as follows: “I don’t want the government to force me to act like a spy. I’m not a spy; I’m a journalist.”

This situation has a direct effect on the public’s ability to obtain important information about government activities, and on the ability of the media to serve as a check on government. Many journalists said it is taking them significantly longer to gather information (when they can get it at all), and they are ultimately able to publish fewer stories for public consumption. As suggested above, these effects stand out most starkly in the case of reporting on the intelligence community, national security, and law enforcement—all areas of legitimate—indeed, extremely important—public concern.
Impact of Surveillance on Lawyers 

Lawyers face a different challenge. They have a professional responsibility to maintain the confidentiality of information related to their clients on pain of administrative discipline. They also rely on the ability to exchange information freely with their clients in order to build trust and develop legal strategy, which is especially important in the realm of criminal defense. Increased government surveillance undercuts these longstanding and central elements of the practice of law, creating uncertainty as to whether lawyers can ever provide true confidentiality while communicating electronically with clients.

Lawyers we interviewed for this report expressed the greatest concern about situations where they have reason to think the US government might take an intelligence interest in a case, whether it relates to the activities of foreign governments or a drug or terrorism prosecution. As with the journalists, lawyers increasingly feel under pressure to adopt strategies to avoid leaving a digital trail that could be monitored; some use burner phones, others seek out technologies they feel may be more secure, and others reported traveling more for in-person meetings. Some described other lawyers expressing reluctance to take on certain cases that might incur surveillance, though by and large the attorneys interviewed for this report seemed determined to do their best to continue representing clients. Like journalists, some felt frustrated, and even offended, that they were in this situation. “I’ll be damned if I have to start acting like a drug dealer in order to protect my client’s confidentiality,” said one.

The result is the erosion of the right to counsel, a pillar of procedural justice under human rights law and the US Constitution.

Uncertainty and Secrecy

Uncertainty is a significant factor shaping the behavior of both journalists and lawyers. The combination of the sheer number of surveillance programs, the complexity of the underlying legal regimes, and the lack of clarity as to their scale and scope renders it practically impossible for any layperson to discern which forms of communication and data storage are secure and when they may be reasonably subject to surveillance. Compounding matters, the government has failed fully to disclose the rules governing itscollection and use of information under the surveillance regime. Piecemeal access to this information only creates greater doubt.

The US government has an obligation to defend national security, yet many of its surveillance practices go well beyond what may be justified as necessary and proportionate to that aim. Instead, these practices are undermining fundamental rights and risk changing the nature of US democracy itself. It is time for the US to carry out significant reforms of its surveillance programs and other policies contributing to the harms documented in this report.

Human Rights Watch and the ACLU strongly urge the United States to:

  • end large-scale surveillance practices that are either unnecessary or broader than necessary to protect national security or an equally legitimate goal;
  • strengthen the protections provided bytargeting and minimization procedures;
  • disclose additional information aboutsurveillance programs to the public;
  • reduce government secrecy and restrictionson official contact with the media; and
  • enhance protections for national-securitywhistleblowers.


This report is based on interviews with 92 people in the United States, including journalists, lawyers, and current and former US government officials.[1] Because of the sensitive nature of the questions asked, many interview subjects spoke on background, preferring that their comments not be attributed to them by name. A couple elected to speak entirely off the record. Many of the interviews took place in or around New York City or Washington, DC. A large number were conducted by telephone, though it was not always possible to determine whether interviewees may have felt uncomfortable speaking entirely candidly over the phone.

We spoke with 46 journalists representing a wide range of news organizations, including both larger and smaller media outlets. The major outlets include the New York Times, the Wall Street Journal, the Washington Post, the Los Angeles Times, the Associated Press, Reuters, McClatchyThe New Yorker, National Public Radio, and ABC News. Most interview subjects either formerly covered or currently cover the US intelligence community, national security, or law enforcement. Most work in print, but some also work in television or radio. A few are or were editors or news executives. A significant number of the journalists are highly decorated; as a group, the interviewees for this report have won at least a dozen Pulitzer Prizes and many other prestigious journalism awards.

We interviewed 42 practicing attorneys, working in a variety of areas: criminal defense lawyers (including public defenders both at the federal and state level, and private defense attorneys representing a wide range of clients, including people charged with terrorism, drug, and financial crimes); judge advocates serving in the military and representing detainees at Guantanamo Bay; and lawyers engaged in complex civil litigation, representation of multinational corporations, and representation of foreign sovereigns.

Finally, we interviewed five current or former senior government officials with knowledge of the US government’s surveillance programs or related policies. These include a senior official within the intelligence community and a senior official within the Federal Bureau of Investigation (FBI). We repeatedly requested interviews with senior officials at the National Security Agency (NSA), but after initially stating they would consider our request, the agency’s representatives ceased replying to our correspondence.

I. Background: US

Surveillance, Secrecy, and Crackdown on Leaks

There are limits to the public’s right to know in national security [contexts], but many [people within the] intelligence community know that if we followed strict rules on [classified information], there’d be no discussion of national security at all.

—Steve Engelberg, editor-in-chief of ProPublica, January 30, 2014

In December of 2005, the New York Times reported that the NSA had been conducting warrantless surveillance on Americans since shortly after the terrorist attacks of September 11, 2001.[2] According to the Times, President Bush had authorized the NSA to listen in on phone calls and gather emails of US persons without warrants. A federal judge found that the warrantless wiretapping program blatantly violated both the US Constitution and the federal law governing surveillance for foreign intelligence and international counterterrorism purposes, the Foreign Intelligence Surveillance Act of 1978 (“FISA”).[3] That law established a court, the Foreign Intelligence Surveillance Court (“FISC” or “FISA Court”), specifically designed to issue such warrants.[4] FISA included specific provisions governing surveillance of three types of communications, which we define here as follows: “domestic communications” (which originate and terminate inside the United States), “international communications” (which originate or terminate inside the United States, but not both), and “foreign-to-foreign communications” (which both originate and terminate outside the United States).

Over the next several years, a series of stories revealed further details about the NSA’s spying activities.[5] The Bush administration over time imposed more restrictions on the warrantless wiretapping program, and some portions of the program were eventually authorized under FISC orders.[6] 

However, these restrictions prompted Congress to broaden FISA, including by allowing programmatic surveillance without court oversight over specific targets.[7] Further news reports surfaced, suggesting the NSA’s surveillance activities continued to broaden in scope, potentially to a problematic degree.[8] Nevertheless, the public debate died down significantly.

The current chapter in the NSA saga began on June 5, 2013, when the Guardian published a secret FISC order from April of 2013.[9] The order instructed the US telecommunications provider Verizon to turn over to the government (on a daily basis, for three months) the records on all calls in its systems. Specifically, the article noted that “the numbers of both parties on a call are handed over, as is location data, call duration, unique identifiers, and the time and duration of all calls.”[10] Many refer to the information Verizon had been ordered to turn over as “metadata”—data about communications or transactions, rather than the content of communications themselves (that is, the specific words uttered). Although the Guardian article described the collection of metadata rather than the content of phone conversations, it once again breathed life into the NSA controversy, illustrating through a rare, primary document that the NSA’s call-records program was remarkably broad and indiscriminate.

Within days, former NSA contractor Edward Snowden came forward as the source of the document.[11] Snowden, concerned by the NSA’s surveillance activities, had collected a large number of NSA files before leaving his position as a contractor for the agency, and shared them with members of the press. Since the Guardian article, a flood of subsequent stories have appeared in different media outlets, many apparently based on documents provided by Snowden. Collectively, they confirm much of what had been alleged before and reveal much more, illuminating the contours of a powerful and growing surveillance apparatus run by the US government. Specific reports have detailed a variety of surveillance programs aimed at different sorts of electronic information and communications, including the large-scale collection of:

  • metadata related to domestic phone calls;[12]
  • the actual content of Americans’international chats, emails, and voice calls, as well aselectronic documents shared internationally;[13]
  • business records related to Americans’international money transfers (for a program run by the CIA);[14]
  • massive amounts of cell phone location data;[15]
  • a since-discontinued program to trackAmericans’ internet usage and emailing patterns;[16]and
  • address books and contact lists frompersonal email and chat accounts around the world.[17]

There also have been reports that the government has eased the rules on sharing information gathered through surveillance (both internally, among different agencies, and with other governments),[18] and that it is secretly using information gathered through surveillance purportedly conducted for intelligence purposes in standard criminal investigations.[19] A further report detailed a government system for gathering all of an unnamed country’s phone calls (including calls made to and from the US, and calls made by Americans from or within the country).[20]

Legal Authorities

Governing Surveillance

The US government conducts different types of surveillance in different contexts. For example, federal law enforcement agents might seek a warrant from a judge to conduct targeted surveillance of a particular person suspected of a crime.[21]

The surveillance programs at issue in this report are generally introduced in the name of national security or intelligence rather than criminal law enforcement. Instead of trying to piece together facts about events that have already occurred, they aim to inform the government broadly and—in theory—help prevent future events like terrorist attacks. The programs disclosed by Snowden operate on a much larger scale than more traditional surveillance methods used for law enforcement purposes—collecting hundreds, thousands, or millions of records at a time. By its nature, large-scale surveillance often implicates the interests of many people who are not suspected of any wrongdoing.

Large-scale surveillance by the US government proceeds under a variety of legal authorities. The main authorities known to the public as of July 2014 are Section 215 of the USA PATRIOT Act (PATRIOT Act), Section 702 of the Foreign Intelligence Surveillance Act (FISA), and Executive Order 12,333.[22] In addition to these tools, the FBI also has the power to collect significant amounts of information relevant to national security investigations—without judicial oversight and sometimes in large quantities—using National Security Letters (NSLs).[23]

Surveillance under Section 215 of the PATRIOT Act

The phone call metadata program revealed by the Guardian in June 2013 operates under Section 215 of the PATRIOT Act (Section 215), which allows for the collection of “tangible things” or business records that are “relevant” to an authorized investigation.[24] A major point of controversy concerning Section 215 is that the FISA Court has clearly adopted a weak standard for relevance (and seemingly not in line with Congress’s intent) if it has concluded that Verizon should turn over metadata of all domestic calls on a rolling basis.Surveillance under Section 702 of FISASection 702 of FISA (Section 702) is a provision of federal law, created by the FISA Amendments Act (FAA), that permits the Executive Branch to issue year-long warrants for collecting the content of international communications and other data of persons reasonably believed to be outside the US, specifically to acquire broadly-defined foreign intelligence information. The FISA Court periodically approves the government’s “minimization procedures,” as well as ”targeting procedures” designed to ensure surveillance is targeted at non-US persons outside the US, but it does not issue specific warrants nor approve specific targets of surveillance.[25] Subject to minimization, the government can collect and use the international communications or internationally-shared data of Americans under Section 702. The government relies on Section 702 to collect communications from US service providers as well as to monitor fiber optic cables as they enter the United States, and both forms of surveillance involve the collection of US persons’ communications.[26] The targeting and minimization procedures that have been made public so far provide almost no protections for non-US persons under these programs.[27]Surveillance under Executive Order 12,333Executive Order 12,333 took effect when President Reagan signed it in 1981.[28] It has been updated from time to time, but it remains the primary executive order addressing US intelligence activities, especially those undertaken abroad. Like the minimization procedures discussed above, Executive Order 12,333 also provides some protections for US persons,[29] requiring (when it comes to US persons) that the intelligence community “use the least intrusive techniques feasible.” [30] Yet the US government is reported to be conducting large-scale surveillance under 12,333, such as “secretly breaking into the main communications links that connect Yahoo and Google data centers around the world.”[31] It appears, then, that the government has the power to collect large amounts of information even on US persons through the executive order.[32]

Privacy Protections under Existing US Surveillance Programs

US officials have argued that they have put effective mechanisms in place to protect privacy. They have pointed to two types of protections: “minimization” procedures and oversight mechanisms.

Minimization Procedures

The government has in various contexts adopted policies called “minimization procedures,” which are designed to limit its collection and use of information pertaining to “United States persons” (US persons) whether they are inside or outside the US.[33] In theory, minimization limits the collection or use of information on US persons; it does not appear to apply to any broad category of non-US person, or provide safeguards for their data or communications. Not all of the government’s minimization procedures are public, however, so it is impossible to know their full extent.[34]

Some of the surveillance programs also operate under some measure of court supervision—most notably, the FISC and its appellate counterpart, both composed of federal judges. However, those courts operate in secrecy and do not have any structures in place that would offer meaningful opposition or any kind of counterweight to government requests for approval of surveillance programs. Nor are most FISC orders made public. Indeed, the bulk collection of metadata under Section 215 was authorized by the FISC in secret, and the public did not know about it until years later.

The agencies involved in conducting surveillance also have internal positions for the purpose of promoting accountability, such as inspectors general or privacy and civil liberties officers, though it is unclear what role—if any—they have played in checking the surveillance programs revealed over the past year. Executive bodies such as the Privacy and Civil Liberties Oversight Board (PCLOB) also have some power to exercise oversight, but their recommendations are not binding.[35]

Both the US House of Representatives and the Senate have standing Committees on Intelligence and on the Judiciary, which are designed, in theory, to provide oversight over the intelligence community’s activities. However, much of what these committees do is itself secret. Moreover, effective oversight requires that the intelligence community candidly share information with these committees. As Senator Ron Wyden, from the Senate Intelligence Committee, has noted, senior officials have repeatedly made misleading statements about their activities in congressional hearings.[36] Senate Intelligence Committee Chairman Dianne Feinstein has also noted that the intelligence community has failed fully to inform the committee about its surveillance activities.[37]

The Current Surveillance


The Snowden revelations have prompted domestic and international debates about whether and how to reform US surveillance practices. Among US policymakers, most of that debate has focused on the impact of surveillance on privacy rights of US persons. The US government’s perspective is that its surveillance activities are lawful and necessary to protect US national security.

Even so, in response to public pressure, both President Barack Obama and the US Congress have expressed some willingness to consider reforms. In August of 2013, President Obama created the Review Group on Intelligence and Communications Technologies (President’s Review Group).[38] The group issued a report in December of 2013, recommending a series of reforms to US surveillance practices.[39] The PCLOB has also held hearings on the surveillance programs, recommending its own changes to Section 215 in a report it released in January of 2014.[40] The PCLOB issued a second report in July of 2014, recommending more modest changes to Section 702.[41]

In January of 2014, President Obama gave a speech in which he acknowledged the legitimacy of some concerns about government surveillance.[42] He vowed to make certain changes, such as shifting the storage of information from the bulk domestic metadata program to private companies.[43]

Most recently, Congress has debated legislation that would make some adjustments to Section 215 of the USA PATRIOT Act. In May of 2014, the House passed a version of what has been known as the “USA FREEDOM Act.” An initial draft of the bill contained provisions that would have constituted a significant step towards ending bulk collection of US persons’ phone records and metadata, but the version that the House finally passed was significantly watered down.[44] Many of the bill’s original sponsors and supporters now question whether the current version would prevent large-scale collection of business records or metadata in practice, defeating the objective of the bill.[45] As of July 2014, the Senate was contemplating similar legislation. Both bills are limited in that they fail significantly to address US surveillance under authorities other than Section 215.[46] As of this writing, there has yet to be any significant tightening of the legal authorities that facilitate an astonishing scale of government collection of metadata and communications content. Even were the USA FREEDOM Act to become law in some form, massive and largely indiscriminate collection of content appears set to continue under Section 702 and Executive Order 12,333.

More broadly, however, the debates in Congress and among relevant members of the Executive Branch have failed to account for a variety of costs of large-scale surveillance programs, including not only the implications of surveillance for individuals’ privacy rights, both inside and outside the US, but also the “chilling” or inhibiting effect surveillance can have on the exercise of freedoms of expression and association. Indeed, early research indicates that the revelations in 2013 and continuing to date have begun to have a chilling effect on private individuals’ electronic communications practices and activities.[47] And, as this report documents, surveillance can have a profound impact on the practice of journalism and law.

The Broader Context: Government

Secrecy and the Crackdown on Leaks

The increase in US government surveillance has come at the same time as an increase in criminal investigations and prosecutions of leaks, as well as the establishment of new government programs to prevent leaks of information or otherwise restrict government officials’ contact with the media.[48] These steps have raised further concerns over public access to information, particularly as many journalists, advocates, and even some members of Congress and the Executive Branch believe the government over-classifies information, prohibiting access to much information that is not actually sensitive.[49]


The power to classify US government information rests with the president, the vice president, the heads of federal agencies, and anyone else designated by the president, though only certain types of information may be classified.[50] Three levels of classification are available—top secret, secret, and confidential—calibrated to the seriousness of the expected harm to protected government interests like national security from publication of the information.[51]

In classifying information, officials are supposed to designate the length of time for which the information is expected to remain sensitive; in theory, much of the information that is currently classified should at some point become available to the public.[52] Of over 95 million classification decisions made by the federal government in 2012, however, the vast majority were “derivative” rather than “original”—meaning they involved reclassifying information that had previously been marked as classified.[53]

Officials found to have leaked classified information may face a number of penalties, ranging from administrative sanctions to criminal prosecution.[54] The Obama administration has pursued eight prosecutions of officials for allegedly releasing information to the press—an unprecedented number.[55] By contrast, since 1917 (when the Espionage Act—the law under which most leakers have been prosecuted—took effect), all previous administrations pursued three leak prosecutions combined.[56]

“Insider Threats”

In response to the leaks of information to Wikileaks by former US soldier Chelsea Manning, in October 2011, President Obama implemented the “Insider Threat Program” (or “ITP”).[57] The program requires training of federal employees to beware of insider threats—colleagues who may be inclined to leak classified information.[58] Failure to report suspicious activity by colleagues can result in hefty penalties, including loss of security clearance and criminal charges.[59] One guide on insider threats, prepared by the Defense Security Service—an agency of the Department of Defense that provides security support to various defense and federal agencies—lists a government worker’s “exploitable behavior traits” and attempting to work in private as “potential espionage indicators.”[60]

While the point of the program is ostensibly to limit leaks of classified information,[61] the ITP covers a wide range of government agencies (including, for example, the Peace Corps and the Department of Agriculture), and it makes clear that it sets out only minimum standards.[62] Agencies thus have flexibility to crack down widely, with potential implications for the ability of employees safely to discuss even unclassified matters with the press. Indeed, McClatchy reported that several agencies have already applied the policy to justify protecting such information.[63]

In reporting on sensitive areas, journalists often work with information that is not itself classified. Skilled journalists often assemble fragments of a story bit by bit without ever requiring a source to provide protected information. As a result, increased restrictions on the discussion of even unclassified information make it harder for journalists to gather the pieces of information that compose the whole picture.

Limiting Intelligence Officials’ Contact with the Media

Within the intelligence community, recent rules go even further. Director of National Intelligence James Clapper issued Intelligence Community Directive 119 in March of 2014, prohibiting intelligence community employees from all unauthorized contact with the press and requiring employees to report unauthorized or unintentional press contact on certain topics.[64] The Office of the Director of National Intelligence also updated its press rules (through ODNI Instruction 80.04) in April of 2014, requiring “pre-publication review” of certain information that any member of the intelligence community makes available to the public.[65] The range of topics that trigger pre-publication review include those that “discuss … operations, business practices, or information related to the ODNI, the IC, or national security,” and the rules do not distinguish between classified or unclassified information, or between information that is private and information that is already in the public domain.[66] Steve Aftergood, Director of the Federation of American Scientists’ Project on Government Secrecy, observed that the “newly updated Instruction will no doubt inhibit informal contacts between ODNI employees and members of the general public, as it is intended to do.”[67]

II. The Impact of Surveillance on Journalists

Every national security reporter I know would say that the atmosphere in which professional reporters seek insight into policy failures [and] bad military decisions is just much tougher and much chillier.

— Steve Coll, staff writer for The New Yorker and Dean of the Graduate School of Journalism at Columbia University, February 14, 2014

Numerous US-based journalists covering intelligence, national security, and law enforcement describe the current reporting landscape as, in some respects, the most difficult they have ever faced. “This is the worst I’ve seen in terms of the government’s efforts to control information,” acknowledged Jonathan Landay, a veteran national security and intelligence correspondent for McClatchy Newspapers.[68] “It’s a terrible time to be covering government,” agreed Tom Gjelten, who has worked with National Public Radio for over 30 years.[69] According to Kathleen Carroll, senior vice president and executive editor of The Associated Press, “We say this every time there’s a new occupant in the White House, and it’s true every time: each is more secretive than the last.”[70] Journalists are struggling harder than ever before to protect their sources, and sources are more reluctant to speak. This environment makes reporting both slower and less fruitful.

Journalists interviewed for this report described the difficulty of obtaining sources and covering sensitive topics in an atmosphere of uncertainty about the range and effect of the government’s power over them. Both surveillance and leak investigations loomed large in this context—especially to the extent that there may be a relationship between the two. More specifically, many journalists see the government’s power as menacing because they know little about when various government agencies share among themselves information collected through surveillance, and when they deploy that information in leak investigations.[71] “[Government officials have been] very squishy about what they have and [what they] will do with it,” observed James Asher, Washington Bureau Chief for McClatchy Co., the third largest newspaper group in the country.[72] One Pulitzer Prize-winning reporter for a newspaper noted that even a decrease in leak prosecutions is unlikely to help, “unless we [also] get clear lines about what is collectable and usable.”[73]

Others agreed. “I’m pretty worried that NSA information will make its way into leak investigations,” said one investigative journalist for a major outlet.[74] A reporter who covers national defense expressed concern about the possibility of a “porous wall” between the NSA and the Department of Justice, the latter of which receives referrals connected to leak investigations.[75] Jonathan Landay wondered whether the government might analyze metadata records to identify his contacts.[76] A national security reporter summarized the situation as follows: “Do we trust [the intelligence] portion of the government’s knowledge to be walled off from leak investigations? That’s not a good place to be.”[77]

While most journalists said that their difficulties began a few years ago, particularly with the increase in leak prosecutions, our interviews confirmed that for many journalists large-scale surveillance by the US government contributes substantially to the new challenges they encounter. The government’s large-scale collection of metadata and communications makes it significantly more difficult for them to protect themselves and their sources, to confirm details for their stories, and ultimately to inform the public.

In the 1970s, many journalists spoke with sources by phone, and the government already had the technological capacity to tap those calls if it so chose. But traditional forms of wiretapping or physical surveillance were time consuming and resource intensive. Today, so many more transactions are handled electronically that there exists a tangible, easy-to-store, easy-to-access record of a much larger proportion of any given person’s life: banking transactions, internet browsing, driving habits (though EZ Pass records, license plate cameras, and GPS systems), cell phone location and activity, emailing patterns, and more. Metadata can reveal intimate details about people, such as religious affiliations, medical diagnoses, and the existence of private relationships. Meanwhile, as more transactions have become digitalized, the government has acquired a much greater technical capacity to gather, store, analyze, and sift through electronic data.

Even with rapidly evolving techniques for conducting research and contacting sources, journalists expressed concern that widespread government surveillance constrains their ability to investigate and report on matters of public concern, and ultimately undermines democratic processes by hindering open, informed debate.

Losing Sources

One of the most common concerns journalists expressed to us was that their sources were drying up.[78] According to James Asher, “[Before] you’d start pulling the curtain back and more people would come forward. Many fewer people are coming forward now.”[79]

Journalists expressed diverse views as to when and why reporting conditions began to deteriorate. Some pointed to the attacks of September 11, 2001 and the subsequent expansion in the amount of information considered sensitive for national security purposes.[80] Others emphasized a cluster of stories that appeared in the media in 2005, including the first reports of the NSA’s domestic surveillance programs and confirmation of black sites in Poland.[81] The most common explanation, however, was a combination of increased surveillance and the Obama Administration’s push to minimize unauthorized leaks to the press (both by limiting government employees’ contact with journalists, such as through the Insider Threat Program, and by ramping up prosecutions of allegedly unauthorized leaks, as described above).[82] That trend generates fear among both sources and journalists about the consequences of communicating with one another—even about innocuous, unclassified subjects.[83]

Even sources who are not sharing classified information risk losing their security clearances and ability to work. Steve Engelberg, the editor-in-chief of ProPublica, described the security clearance that a source holds as their “driver’s license in the intelligence community.”[84] According to him, “[It’s] easy to lose it, at which point you can’t work.”[85] As a result, loss of a security clearance is a “big sanction.”[86] Scott Horton, who writes on national security for Harper’s Magazine, sees the risks to sources as a very real and tangible threat to their willingness to speak to reporters and to ensure effective reporting:

Reveal details about government activity and you may lose almost everything: your clearance, your position, and your pension. You may have to hire an attorney, and you may have your reputation destroyed in the press by their own counter-leaks, making it impossible to get a new job.[87]

Yet while loss of one’s security clearance, job, or pension can be serious enough, the risk of prosecution for leaking has never been higher.[88] “It is not lost on us, or on our sources, that there have been eight criminal cases against sources [under the current administration] versus three before [under all previous administrations combined],” observed Charlie Savage, a Pulitzer Prize-winning reporter for the New York Times.[89] That spike sends a message, even when prosecutions do not end in convictions. “I understand why they do it,” noted another Pulitzer Prize-winning reporter.[90] “Even the cases that blow up in [the government’s] face have the intended effect.”[91]

In February of 2014, Stephen Kim, who faced a leak prosecution, described the costs of the process:

This has been a huge blow for me and for my entire family. I had to give up a job that I had liked. It also destroyed my marriage. My family had to spend all of the money they had saved up and even sell their house to pay my legal fees. I hardly have any remaining assets. [92]

Although Kim eventually pleaded guilty to unauthorized disclosure of classified information, his description of the harm to himself and his family represents the setbacks anyone prosecuted might face, irrespective of the ultimate disposition of the case. Thomas Drake, who was also prosecuted by the Obama administration for leaking information to the press, reported similar costs. [93] The government dropped all of its major counts against Drake right before his trial was scheduled to begin, in exchange for a guilty plea to a minor misdemeanor, triggering harsh criticism from the judge for putting Drake through “four years of hell.” [94]

While sources’ employers sometimes have legitimate reasons for discouraging conversations about certain matters with the press, the stakes and the consequences have increased substantially in recent years, making conversations about declassified or innocuous subjects not worth the risk. One journalist described a source who was eventually fired when his or her employer found signs of the source’s initial contact with journalists a year earlier, even though the source had not leaked classified information.[95]

At the same time, the fact that senior government officials themselves routinely appear to authorize “leaks” of classified information has bred cynicism about the government’s claims that these prosecutions are merely about enforcing the law. “Of course, leaks that help the   government are sanctioned,” observed Brian Ross, chief investigative correspondent for ABC News.[96] Bart Gellman, senior fellow at The Century Foundation, and the winner of multiple Pulitzer Prizes, argued that official, sanctioned leaks reveal much more classified information than unofficial ones.[97]

Yet, beyond the leak investigations and administrative efforts to prevent leaks, many journalists said that the government’s increased capacity to engage in surveillance—and the knowledge that it is doing so on an unprecedented scale—has made their concerns about how to protect sources much more acute and real.

In fact, some believed that surveillance may be a direct cause of the spike in leak investigations. “It used to be that leak investigations didn’t get far because it was too hard to uncover the source, but with digital tools it’s just much easier, and sources know that.” observed Bart Gellman.[98] Peter Maass, a senior writer at The Intercept, concurred: “Leak investigations are a lot easier because you leave a data trail calling, swiping in and out of buildings, [and] walking down a street with cameras. It’s a lot easier for people to know where you’re going and how long you’re there.”[99] Charlie Savage raised a similar point: “[E]lectronic trails mak[e] it easier to figure out who’s talking to reporters. That has made it realistic [to investigate leaks] in a way that it wasn’t before.”[100] Peter Finn, the National Security Editor at the Washington Post, expressed concern that “the government’s ability to find the source will only get better.”[101]

A national security reporter made the link even clearer, stating that the Snowden revelations show that “[w]hat we’re doing is not good enough. I used to think that the most careful people were not at risk, [that they] could protect sources and keep them from being known. Now we know that isn’t the case.”[102] He added, “That’s what Snowden meant for me. There’s a record of everywhere I’ve walked, everywhere I’ve been.”[103] Peter Maass voiced a similar concern: “[The landscape] got worse significantly after the Snowden documents came into circulation. If you suspected the government had the capability to do mass surveillance, you found out it was certainly true.”[104]

Journalists repeatedly told us that surveillance had made sources much more fearful of talking. The Snowden revelations have “brought home a sense of the staggering power of the government,” magnifying the fear created by the increasing number of leak investigations.[105] Accordingly, sources are “afraid of the entire weight of the federal government coming down on them.”[106] Jane Mayer, an award-winning staff writer for The New Yorker, noted, “[t]he added layer of fear makes it so much harder. I can’t count the number of people afraid of the legal implications [of speaking to me].”[107] One journalist in Washington, DC, noted, “I think many sources assume I’m spied on. [I’m] not sure they’re right but I can’t do anything about their presumption.”[108]  As a result, she said, some remaining sources have started visiting her house to speak with her because they are too fearful to come to her office.[109] One national security reporter estimated that intelligence reporters have the most skittish sources, followed by journalists covering the Department of Justice and terrorism, followed by those on a military and national security beat.[110]

As a result, journalists report struggling to confirm even unclassified details for stories, and have seen trusted, long-standing sources pulling back. “I had a source whom I’ve known for years whom I wanted to talk to about a particular subject and this person said, ‘It’s not classified but I can’t talk about it because if they find out they’ll kill me’ [figuratively speaking].”[111] Several others have reported the sudden disappearance of formerly reliable sources, or the reluctance of sources to discuss seemingly innocuous and unclassified matters.[112] One decorated intelligence and national security journalist indicated that even retired sources are increasingly reluctant to speak.[113] Though firing or revocation of security clearances no longer worries them, they fear prosecution, and “now [they] have to worry that their communications can be reached on a basis far short of probable cause.”[114]

Though losing developed sources has proved frustrating to numerous journalists with whom we spoke, a number suggested that the largest challenge they face is reaching new sources. “Sources don’t just materialize,” noted Peter Finn. “They often are developed.”[115] That requires building trust, which can be a slow and difficult process.

Adding to the challenge of developing sources that are already skittish is the fact that surveillance makes it very difficult for journalists to communicate with them securely. Calling or emailing can leave a trail between the journalist and the source; and it can be difficult to get casual contacts to take more elaborate security measures to communicate. “[H]ow do you even get going?” asked Bart Gellman, referring to the challenge of making first contact with a new would-be source without leaving a trace. “By the time you’re both ready to talk about more delicate subjects, you’ve left such a trail that even if you start using burner phones or anonymous email accounts you’re already linked.”[116] A national security reporter noted, “[Ideally,] you bump into people. [That’s] tough to arrange, though, without [creating a] record…. [You] find yourself using phone and email to set up a chance to talk. If that’s completely forbidden, then we are really in trouble.”[117] As a result, according to Peter Finn, “both parties want to move faster toward a more direct relationship that requires less electronic contact.”[118]

Yet approaching sources in person from the outset can also be quite difficult. The time and effort required physically to locate specific sources can be prohibitive. Moreover, some sources simply do not want reporters to know their identities, so they “won’t necessarily want to meet face to face initially.”[119] That can push journalists back toward more conventional—and traceable—methods of making contact.[120] This sort of situation can leave reporters feeling “increasingly frustrated.”[121]

A couple of journalists reported trying to make the best of a challenging situation. “In some ways, this environment creates a closer alliance with sources,” observed Bart Gellman. “They’re being treated as adversaries by people they work for. You use whatever you have.”[122] Yet even the journalists who expressed these sorts of views did not regard such new opportunities as offsetting the growing challenges.[123] As a national security reporter summed up the matter, “We’re not able to do our jobs if sources are in danger.”[124]

Changing Journalistic Practices

In an attempt to protect their sources, their data, and themselves, many journalists reported modifying their practices—their tradecraft—for investigating stories, communicating with sources, and protecting their notes. The fact that journalists are profoundly altering their tradecraft is evidence of the impact of surveillance on their profession.

Yet significant uncertainty about which methods are effective, exacerbated by continued uncertainty about the scope and legal limits of US surveillance operations, leads to a variety of different approaches. Some journalists have changed their practices in response to specific tips they have received from government officials. “I was warned by someone at the Pentagon that it was easy to track my calls because I used the same number all the time,” reported a national security journalist.[125] Now he uses burner phones.[126] Brian Ross relayed a different tip he received: Start all international calls with, “I’m a US citizen. Aren’t you?”[127] (Ross’ tip refers to a prohibition against the “targeting” of US citizens for surveillance under Section 702.)[128] Others develop their techniques with the support of security experts.[129] Still others are operating blindly—speculating as to what works and what does not. As one investigative reporter put it put it, “You don’t know what you’re up against; you just take the precautions you can.”[130]

We found three broad types of changes in journalists’ behavior, all aimed at obscuring parts of the reporting process: increasing use of advanced privacy-enhancing technology, decreasing reliance on electronic tools, and modified use of conventional methods of protecting information and sources. Journalists often employ a combination of measures from all three categories.

Advanced Privacy and Security Technology

A significant number of journalists reported using various forms of encryption software for their communications with sources or colleagues, including emails, chats, texts, and phone calls, though it is far from clear how effective these methods are in the long run.[131] While proper use of encryption can protect the contents of communications, it will not obscure the identity of the correspondents, or the fact that they are communicating. As a result, if the government were to collect metadata concerning emailing patterns (as it did until 2011), then even encrypting domestic emails would only offer partial protection.[132]

Journalists also reported using special devices or software to encrypt and store data securely.[133] A couple endorsed the use of air-gapped computers—computers that never connect to the internet, or any unsecured network—for particularly sensitive material.[134] Steve Coll noted, however, that securing a computer to such a degree significantly limits its utility. “At that point, why have a computer at all?” he wondered. “You could just go to the store and buy an Olivetti typewriter.”[135]

Some journalists—including a few working on particularly sensitive materials—declined to discuss their full range of security measures.[136] Another noted that he tries to mask his records of purchases of advanced technology.[137]

On the other hand, some journalists actively avoid encryption, or use it with reservations. One prominent concern is that encryption is not entirely secure.[138] One national security reporter asked, “Will it save you in the end? Isn’t the NSA going to crack it, or get someone to give up the code?”[139] Steve Coll noted that he has been “interested in the debate about whether any encryption approach is effective.”[140]  According to some of the people he has looked to for information on the subject, the biggest worry is not that the NSA will find a way to crack encryption, but rather that one’s electronic “hygiene” in using it must be “excellent.”[141] In other words, one lapse in protecting encryption passphrases or hardware can provide others with direct access to sensitive data in unencrypted form. Bart Gellman noted similar challenges with Tor: “You forget to launch Tor once before logging onto the account, and you’re linked to it.”[142]

Another worry is that encrypting communications might only draw the government’s attention.[143] The NSA’s minimization procedures that have been made public allow its employees to seek permission from the Attorney General to retain encrypted communications even if they are purely domestic.[144] Scott Shane, an intelligence reporter for the New York Times, said that while he has used encryption in the past, he is “skeptical that it is a solution of significance.”[145] He noted that encrypted email “wasn’t even a speed bump” for prosecutors in some recent leak cases, “who even used that to suggest the source knew he was doing something wrong.”[146] Shane was referring to the prosecutions of Thomas Drake. Drake was suspected of leaking information to a reporter about wasteful spending at the NSA, and in their case against him, prosecutors highlighted his use of encrypted email (Hushmail) to communicate with the reporter.[147]

Eric Schmitt, a Pulitzer Prize-winning reporter for the New York Times who covers terrorism and national security, had similar misgivings. He observed that while certain sources might be better off using encrypted email, and journalists have begun using it among themselves and with some of their sources, “if you ask … government sources to do it, it brands them.”[148] Steve Aftergood suggested the same concern: “Maybe you’re drawing more attention to yourself by using it, suggesting the contents are sensitive.”[149] 

Several journalists highlighted another significant difficulty: In many instances, for encryption to work, both the journalist and the source must have some facility with the same encryption tool. Some journalists expressed doubts about their own ability to master encryption and related technologies.[150] Others noted that many would-be sources lack the technical savvy to approach journalists safely,[151] and even that using encrypted methods of communication with typical sources—as opposed to sources who already prefer to use encryption—might “spook” them. “They’re going to feel like they’re doing something wrong.”[152] Jane Mayer added, “Your source has to be really committed [to bother with advanced security measures].”[153]

Most journalists who use advanced technologies indicated that their outlets are willing to cover the financial costs of doing so.[154 Those costs are not overwhelming on the whole; there are open source (free) versions of certain encryption software, such as PGP, while other programs require a manageable subscription fee, like Silent Circle.

However, the use of advanced technologies does impose costs beyond the financial. They can take time to learn, and are often difficult to use. Journalists we spoke with characterized them as “a burden,”[155] “a huge tax on your time,”[156] and “cumbersome and slow.”[157] The perceived complexity of learning them imposes a barrier for some journalists.[158] While some outlets actively train select staff in the use of advanced technology,[159] others do not. Several journalists described teaching themselves new technologies on an ad hoc basis under their own initiative.[160]

Decreasing Reliance on Digital Technology

Both sources and journalists alike use a range of third-party service providers, including web-based email, social media services, or cloud-based storage. The revelations of the PRISM program [161] brought into stark relief the privacy and security risks associated with using US-based online service providers, who are subject to orders under Section 702 and other national security authorities. The lack of certainty about how data stored by these companies is protected undermines their convenience and cost-effectiveness.

For all of the influence of advanced technologies on the evolution of journalistic tradecraft, many journalists indicated that creating no electronic record is best. Even those who have made significant use ofadvanced privacy-enhancing technology held this view.[162] As one national security reporter summed it up, “any form of electronic communication just can’t be used for sensitive matters.”[163] Accordingly, many journalists have ratcheted back their use of technology.

Many journalists reported a strong preference for meeting sources in person in large part for reasons of security.[164] “I don’t think there’s anything ironclad you can do except [meet] face to face,” remarked Jonathan Landay.[165] “Maybe we need to get back to going to sources’ houses,” added Peter Finn.[166] Indeed, several journalists expressed a marked reluctance to contact certain sources by email or phone.[167] “[We] have to think about how to contact someone without leaving electronic cookies behind,” observed Steve Engelberg.[168] “[You] can’t call [sources] at work,” noted a New York-based investigative journalist. If you have misgivings about using a source’s cell phone or personal email, “[the] only thing that’s left is to go to their door.”[169]

The common view appears to be that meeting face to face with a source is better than calling, which in turn is better than emailing.[170] “Most assume emails can be intercepted or subpoenaed,” noted Eric Schmitt. Fewer worried that the government will intercept their domestic calls. “I doubt the NSA can get content of domestic calls without an active investigation,” noted one national security reporter, who said he has heard as much from “good sources.”[171] Peter Finn concurred: “I don’t think they could listen routinely to journalists.” (There have been no revelations of large-scale US government eavesdropping on purely domestic phone calls.)

Even so, when forced to call a source, a couple of journalists indicated a preference for using landlines over cell phones, noting how easily one can intercept the contents of a cell phone call.[172] “Almost anybody with the right equipment can eavesdrop on a cellphone call; landlines are more secure from snooping (though of course [the] government… can capture content with [a] wiretap),” observed Peter Maass.[173] Nevertheless, the US government continues to collect metadata information on landlines as well as cell phones, and as Maass noted, “The government doesn’t need to know what people are talking about—just that they’re talking. That can go a long way in supporting the prosecution’s case in a leak investigation.”[174]

Two journalists also indicated a growing affinity for using postal services to transmit documents rather than electronic means,[175]  though a third expressed concern about media reports that the US Postal Service has been photographing all of the mail it handles.[176] Even suggesting that sources use conventional mail rather than other means to communicate can scare away sources, however. Peter Maass described being approached by a would-be source, and urging that person to mail him information rather than sending it electronically. He never heard from the person again, and Maass suspects the reason is that “I made him aware of the danger of being connected to me. As a result, I lost that story.”[177]

Several journalists also suggested a preference for avoiding other technologies that create electronic trails or files. One trend is to use cash rather than credit cards when making purchases that relate to one’s reporting.[178] A couple of journalists also reported avoiding storing data in the cloud.[179] Steve Engelberg noted that he prefers to deal in hard copies and printouts—rather than electronic files—when working on drafts of stories related to national security.[180]

Other Strategies to Protect Sources

In addition to seeking security in a combination of more and less advanced technology, a number of journalists have adapted their use of conventional tools to make it more difficult to track down their sources through surveillance. One approach involves deliberately creating a misleading electronic trail. For example, one journalist described a colleague who calls a large number of possible sources before a story comes out in order to obscure the identities of those who actually provided information.[181] Another reported booking “fake” travel plans for places he never intended to visit.[182]

Journalists and sources have also made creative use of common technologies to hide their interactions. The most common such approach is to use “burner” phones—cell phones with limited identifiable links to the owner, and which one disposes of after a matter of days or weeks. A significant number of journalists described elaborate processes by which they managed to obtain such phones, limit their traceability, and make them operable for a short period.[183]

Others described a variety of similar techniques for sharing information with sources electronically while minimizing the trace left behind. Some detailed the inventive use of email accounts or phones, as well as tricks for hiding purchase records related to reporting activity.[184]

Journalists also have made efforts to better protect their information. Due to the traceability of GPS information from cell phones, and the possibility of turning cell phones into listening devices (even if they are off),[185] several journalists reported turning off cell phones or taking out their phone batteries before speaking with people in person, or even leaving phones behind altogether when visiting sources.[186] One journalist reported keeping his files “on a flash drive in [his] pocket all the time,” and taking additional precautions with his notes—such as writing them by hand and encoding them.[187] A couple of others have employed codes for discussing stories or sources, whether within an office or otherwise.[188] 

The large variety and complexity of these strategies illustrate the fear that journalists and their sources hold of government surveillance. Even in cases where the topic of discussion is innocuous and declassified, journalists and their sources are unable to converse freely, stymying effective reporting. Many of these techniques entail additional costs for journalists— not just the financial costs of additional technology and equipment, but perhaps even more burdensome costs in the time it takes for journalists to go through all the elaborate steps they now need to take to keep their sources protected.

Ongoing Uncertainty about Security

Even with all these burdensome and costly measures, many journalists expressed doubts about their power to protect sources and the level of security they are able to attain.

A national security reporter observed, “[I’m under] no illusion that [my approach] is foolproof, but it’s anything to protect [us] somewhat.” [189] A number of journalists seemed to recognize that their evolving tradecraft countermeasures are extremely limited. Jonathan Landay noted that certain steps he is inclined to take “may not be very successful, but you do whatever you can think of.”[190] Brian Ross was also skeptical of some of his steps, such as using codes within the office to discuss more sensitive matters. “We’re not very good at it; we’re not trained in cyphers and codes.”[191]

Not a single journalist we spoke with believed they could defeat the most focused efforts by the government to discern their activities. “If the government wants to get you, they will,” noted Adam Goldman, a Pulitzer Prize-winning reporter with the Washington Post. “We don’t have the technology [that] they do,” added Jonathan Landay.[192] While there are a number of steps one can take to limit exposure to large-scale electronic surveillance, observed Bart Gellman, “ if a first-rate intelligence agency decides to target you specifically and invest serious resources, there’s nothing you can do”[193] Accordingly, he described his tradecraft techniques as an attempt “to raise the cost of surveillance.”[194]

Another prominent journalist wondered whether the US government might fill its intelligence gaps on US persons by acquiring information—including, potentially, on journalists—from friendly foreign governments.[195] Indeed, it is publicly known that the US has an intelligence sharing agreement with the UK, Canada, Australia, and New Zealand—a group of countries collectively called the “Five  Eyes” [196] —and has worked closely with various other intelligence services.[197] As described in the next section, the US is known to have received intelligence about a US law firm’s communications with its client from the Australian intelligence service.[198] One senior intelligence official we spoke with noted that the US government can accept (though not solicit) intelligence about US persons from other governments even where the US is not permitted to gather that intelligence itself.[199]

A national security reporter put it this way: “It’s difficult, if you’re using any electronic communications, to do something that DOJ with a subpoena or the NSA couldn’t figure out. But you want to make the initial leak investigation more difficult to preclude a more sweeping inquiry.”[200] For example, burner phones “won’t thwart the NSA,” he argued.[201] “They’ll know [the phone is] always near [other phones linked to me.] But for sensitive calls, it’ll hopefully thwart the initial leak investigation.”[202] A Pulitzer Prize-winning reporter for a major newspaper agreed: “It’s really hard to leave zero trail and do your job.”[203]

Impact on News

Coverage, Public Accountability, and the Quality of Democratic Debate Increased surveillance, combined with the tightening of measures to prevent both leaks and (more broadly) government officials’ contact with the media, may be having a profoundly detrimental impact on public discourse. There are good reasons to believe that recent developments are reducing the amount and quality of news coverage of matters of public concern. They are also affecting the role that journalists have typically played in holding government to account for its actions, particularly when it comes to the intelligence sector.

Impact on News Coverage

Several journalists we spoke with asserted that the new challenges they face significantly impede news coverage of matters of great public concern.[204] Many journalists emphasized the extra time entailed by the new techniques they’re employing to protect their sources and communications.[205] “It’s a tax on my time,” noted Bart Gellman. “I could do double the work if I weren’t spending so much effort on encryption and a secure workflow between networked and air-gapped machines.”[206] Part of the delay results from using more advanced privacy and security technologies, which may involve trade-offs with convenience, and ensuring that sources do the same. Part of the delay also comes from the scaled back use of electronic communications or digital technology. “Mail is slow,” observed Martin Knobbe, a New York-based correspondent for Stern Magazine. “It can take two weeks to get an okay to meet someone [using mail].”[207] All things considered, “[i]t absolutely slows down coverage,” claimed Marisa Taylor.[208]

“Stories that could have been done have a much higher uphill climb,” observed Steve Engelberg.[209] With staff limitations, it is not always possible to undertake that climb simply because a story looks interesting or promising. “We have to pick our spots. It takes thought.”[210] While the additional time that goes into stories can also yield more nuance, these extra challenges arise at an inopportune time. Print-centered news outlets have struggled over the last several years, and may have fewer resources than in the past.[211]

Additionally, many journalists said the amount of information provided or confirmed by sources is diminishing. For one, sources are becoming less candid over email and phone. “I definitely see a trend of sources speaking at a different level of candor face to face [as compared to over the phone],” noted a national security reporter.[212] As a result, he acknowledged spending more time physically near where his sources work.[213] Others also confirmed traveling more (and spending the money that goes with that), or facing the difficult choice of how to pursue information if travel is not an option.[214]

As one might expect, sources are less willing to discuss sensitive matters, even where it is not clearly classified. “[There is] much greater reluctance from sources to talk about sensitive stuff,” asserted Scott Shane.[215] “There just isn’t a bright line between classified and not…. There’s a huge gray area. That’s where the reporting takes place. [But s]ources are increasingly unwilling to enter that gray zone.”[216]

Yet the effect is still broader. As a Pulitzer Prize-winning reporter put it, “People are increasingly scared to talk about anything.”[217] According to Jonathan Landay, source reluctance extends “even [to] something like, ‘Please explain the rationale for this foreign policy.’ That’s not even dealing with classified material; that’s just educating readers.”[218] Landay added, “There’s [also] a much greater constraint on the ability to get explanatory information about the views of people dealing with real issues before they get into the political levels of the government. That’s not classified. That’s not secret. At worst, that’s embarrassing.”[219] Jane Mayer put it differently. “What you’re losing now is spontaneity.”[220] As a result, we are “not getting spur-of-the-moment stories.” She also emphasized the motives of many government sources: “Most of these leaks are just criticism, frankly. [My sources] are very patriotic on the whole…. They’re not enemies of the state.”[221]

Bart Gellman put the size of the challenge into context: “I don’t feel like there’s a drought, but there are more challenges.”[222] Steve Engelberg agreed, noting that the surveillance revelations have “added a layer of complexity” to national security reporting, but have not shut it down completely.[223] 

The net result is a less informed public. It is “absolutely” the case that less information is reaching the American people, according to James Asher. Kathleen Carroll agreed. While she does not necessarily see a connection between leak investigations and surveillance, she also expressed concern over sources feeling especially skittish, noting that “People have to work harder, it takes longer, and you […] won’t have as many stories [until the landscape changes].”[224]

Impact on the Press’s Ability to Serve as a Check on Government Abuse

In recent decades, the press has played an important role in checking government, and in particular, the intelligence community.[225] That has not always been the case. Betty Medsger, a former Washington Post reporter whose series of stories in 1971 first revealed the FBI’s targeting of dissenters, recalled that there was “very little investigative work” before her articles appeared.[226] Even her FBI stories derived from documents stolen by activists, rather than through Medsger’s cultivation of sources inside the intelligence community. “I was given these files. I didn’t have clever techniques. Nobody was trying to develop inside sources until then.”[227]

Tim Weiner, a Pulitzer Prize-winning reporter for the New York Times, who also won a National Book Award for his history of the CIA, offered an earlier timeline for the development of investigative journalism on the intelligence community, observing that “serious investigative reporting into the CIA started in the mid-1960’s, and then seriously expanded a decade later.”[228] Phil Bennett elaborated:

The growth of the intelligence community and of a more critical, more adversarial press occurred in tandem, on overlapping timelines. Although there have been state secrets since the founding of the Republic, the current institutional structure that manufactures and protects those secrets emerged near the end of World War II and the beginning of the Cold War. For the most part, at first journalists did little to contest the government’s monopoly on secrets. But the Vietnam War led some journalists to see secrecy as a tool for the government to deceive the public. The Pentagon Papers case ratified this view. Disclosing government secrets then became a central part of the birth of modern investigative reporting. This has carried over to the digital era.[229]


Ultimately, the government’s own investigations into the intelligence community in the mid-1970s—most famously among them, the Church Committee in the Senate—provided a sound basis for ongoing and active investigative work by journalists on the intelligence community ever since.[230] Those inquiries revealed significant and widespread misconduct by the intelligence community dating back decades. By offering the public significant and early insight into objectionable practices by the FBI, Medsger’s stories formed a major part of the environment that gave rise to those investigations,[231] complementing pressure resulting from the Vietnam War and Seymour Hersh’s 1974 reporting on the CIA.[232]

But coverage of the intelligence community has recently (once again) become more challenging to undertake. “It seems to me that at some point it became very difficult again to cover these institutions and get inside sources,” Medsger observed.[233]

Many journalists who spoke to us expressed a strong commitment to their work, and were unwilling to be dissuaded from continued efforts to cover increasingly difficult beats. “I’m not in any way going to stop reporting,” remarked Adam Goldman. “In most cases, I am not the vulnerable one,” added Steve Aftergood.[234] Peter Maass also identified a silver lining: “Even though it’s harder, it’s also very exciting. We’re being given an amazing opportunity to do exciting work that could help shape society for years to come.”[235]

Nevertheless, the effects that surveillance and leak investigations have had on coverage are working to undermine effective democratic participation and governance. “What makes government better is our work exposing information,” argued Dana Priest, a Pulitzer Prize-winning national security reporter at the Washington Post.[236] “It’s not just that it’s harder for me to do my job, though it is. It also makes the country less safe. Institutions work less well, and it increases the risk of corruption. Secrecy works against all of us.”[237] Charlie Savage added, “National security journalism is especially important for a functioning, democratically accountable system.”[238] Steve Coll agreed as well, noting, “There’s a real loss to the public, the voters.”[239]

For James Asher, “The role of the press is to be challenging and critical.”[240] It is thus inherently important for journalists to seek out certain information that the government treats as sensitive and, when appropriate, share it with the public. Kathleen Carroll also emphasized the responsibility typically demonstrated by journalists who work on national security topics. “This is not a bunch of bratty journalists trying to undermine legitimate government operations,” she argued. Moreover, though she believes “that a government’s actions on behalf of the people it serves should be public, [m]ost news organizations [including her outlet, the Associated Press] will recognize that certain things the government is doing need to remain secret, at least for now. The disputes take place because the government idea of what should remain secret is much more sweeping.”[241]

Dana Priest defined the problem as follows:

The government is getting the balance between guarding  information and making it public wrong. They think anything classified should stay secret…. The question for me is what really needs to stay secret. The rules for that were set for the nuclear era. We have a new era now with old rules. The government should reverse it, and start by asking, ‘What needs to be secret?’[242]

A couple of journalists also expressed principled resistance to the prospect of undertaking so many evasive maneuvers to do their work. Scott Shane argued that “[a]s an American reporter, I should not be uneasy about the government targeting me to figure out my sources.”[243] Another reporter, who covers law enforcement and national security, noted that the need for additional secrecy has forced him to “start to act like a criminal.”[244] Brian Ross articulated a similar sentiment: “There’s something about using elaborate evasion and security techniques that’s offensive to me—that I should have to operate as like a criminal, like a spy.”[245] Adam Goldman, though he was less inclined to connect surveillance and leak investigations, also shared that view: “I don’t want the government to force me to act like a spy. I’m not a spy; I’m a journalist.”[246] He added, “What are we supposed to do? Use multiple burners? No email? Dead drops? I don’t want to do my job that way. You can’t be a journalist and do your job that way.”[247]

Certain statements by government officials have, indeed, suggested that journalists who report leaked information are engaged in criminal behavior. In January of 2014, Director of National Intelligence James Clapper called on “[Snowden] and his accomplices to facilitate the return of the remaining stolen documents that have not yet been exposed….” [248] As Snowden is not known to have had the assistance of others in obtaining the documents he later provided to the media, many interpreted that comment to refer to the reporters who had published stories based on the documents. [249]

Republican Representative Mike Rogers made another such remark only days later. [250] Rogers, Chairman of the House’s Permanent Select Committee on Intelligence (the primary House body tasked with oversight of the intelligence community), criticized journalist Glenn Greenwald for working with news outlets that paid for stories based on the Snowden documents. [251] Rogers accused Greenwald of “selling his access to information,” specifically “[f]or personal gain.” He concluded, “A thief selling stolen information is a thief.”

One former government official we interviewed made a similar comparison between leakers and burglars (though without directly criticizing journalists who receive and publish leaked information).

Scott Shane responded to that analogy at some length:

Informing Americans about the national security programs that they pay for and are carried out in their name is impossible without government officials who are willing to speak with reporters about them, within limits. The hard part, of course, is judging the proper limits. To compare the exchange of information about sensitive programs between officials and the media, which has gone on for decades, to burglary seems to miss the point. Burglary is not part of a larger set of activities protected by the Constitution, and at the heart of our democracy. Unfortunately, that mindset is sort of the problem.[253]

Several journalists likened the current reporting atmosphere to what one might find in more authoritarian countries. Peter Maass noted that he has worked under threat of surveillance abroad while covering the Soviet Union, the Balkans, and North Korea, and has thus been exposed to the need for evasion in reporting.[254] But he is “horrified and outraged” that the same concerns now apply here in the US.[255] Jonathan Landay reported that a number of his sources for a story in Jordan were called in for questioning after they spoke with him. “But I expect that to happen in Jordan.”[256] A national security reporter noted that the US government now causes him more concern than other governments that we expect to do surveillance. “A year ago, in our line of business, we were more worried about the Chinese government snooping to get an edge by collecting what we weren’t reporting. Now it’s a distant second to our own government.”[257]

III. The Impact of Surveillance on Lawyers and Their


I found it shocking to think that the US is doing this [surveillance]—and I was at DOJ before.

—A lawyer specializing in international dispute resolution at an international firm, April 1, 2014

Recent media reports confirm that large-scale electronic surveillance by the US government has been sweeping up vast amounts of private data and communications. That includes confidential information related to ongoing legal matters, and privileged communications between attorneys and their clients. Duty-bound to protect that information, and strategically disadvantaged if unable to do so, many attorneys describe surveillance as undermining their ability to advocate on behalf of their clients.[258]

At the most general level, as described by Maureen Franco, the federal public defender for the west district of Texas, “The Snowden stories confirm widely held suspicions and make us more nervous about using electronic communications.”[259] Worries about surveillance vary from one area of legal practice to another, but they are particularly pronounced among attorneys who defend clients from charges related to terrorism—including federal defenders who are assigned to such cases rather than choosing them. Yet attorneys in other areas expressed significant concern as well, including defense attorneys who handle drug cases, and even attorneys doing international or civil work. Specifically, lawyers expressed concern over their ability to satisfy their professional duty of confidentiality, maintain their attorney-client relationships, and effectively represent their clients.

Like journalists, attorneys are uncertain about whether it is even possible to protect their communications from government surveillance, and are confused about what steps they can—and may even be obligated—to take. The result is a less robust relationship between some attorneys and their clients, and a legitimate concern about the impact on due process rights in the criminal context.

Uncertainty and Confusion among Lawyers over How to Respond to Large-Scale US Surveillance

The legal community, perhaps even more so than the media, is plagued by uncertainty and confusion over the implications for their work of surveillance of the scope revealed during the last year. Part of that uncertainty derives from the widespread sense that we have yet to learn the full extent of the government’s surveillance powers, and what steps the intelligence community is taking to avoid scooping up attorney-client communications.[260]Part may also reflect the unsettled legal landscape regarding whether attorneys who are surveilled have legal recourse.[261]

The US government has stated that it applies certain minimization procedures to protect attorney-client communications.[262] Indeed, some of those procedures—which appear to limit NSA monitoring of communications under Section 702, if they are between someone under indictment in the US and their lawyer—were made public in June 2013 as part of one of the earliest Guardian stories based on the Snowden documents.[263]

But it is far from clear whether analogous procedures exist that apply to US surveillance under other authorities. Moreover, these procedures are little comfort to the many lawyers who represent individuals or companies not now under criminal indictment in the United States.[264] Indeed, in February 2014, new documents revealed that the communications of US-based law firm Mayer Brown with its client, the government of Indonesia, came under surveillance by an Australian intelligence agency, which in turn provided resulting intelligence to the United States.

The report prompted a letter from James R. Silkenat, president of the American Bar Association, to the NSA, expressing concern about reports of surveillance intruding on the attorney-client relationship.[265] Then-NSA Director General Keith Alexander responded, essentially restating public information concerning the NSA’s rules.[266] For example, Alexander noted that the NSA stops monitoring communications when they are discovered to be between someone “known to be under criminal indictment in the United States and an attorney who represents that individual in the matter under indictment” (though it keeps the portion of the exchange it has already gathered).[267] The NSA also seeks individualized review by the Office of General Counsel before disseminating to other agencies or offices “information constituting U.S. person privileged communications [such as those that arise between a person and his attorney].”[268]

A number of lawyers indicated that it is difficult to know what to make of the current landscape, and they are only beginning to confront the implications of large-scale electronic surveillance for their work. In reflecting about the risks posed by surveillance, Tom Durkin, a leading national security defense attorney, began to express worries about his metadata records for the first time during an interview with us: “I never thought about whether I wanted to leave a metadata trail until” he gave it some consideration at that moment.[269] He argued that it is too soon to comprehend the full range of implications of the Snowden revelations for the practice of law.[270] On the other hand, another litigator, who runs a private practice representing international clients, noted how significant the revelations have been for him: “I think everyone is starting to think about this.”[271] It takes time, however, because “we’re used to a world with sacrosanct communications between lawyers and clients.”[272]

Many attorneys were very concerned about surveillance, even if not necessarily up to date on recent developments. The following remarks are indicative of this anxiety. A federal defender who has been working on a terrorism matter noted: “I get the sense that once you represent someone accused of terror-related charges, someone in the government is always going to be interested.”[273] The defender added, “Everyone kind of jokes uncomfortably about it, particularly with the NSA stuff that’s been coming out.”[274] Linda Moreno, a defense attorney specializing in national security and terrorism cases, cited reports from “former CIA and FBI consultants” as the basis for part of her concern: “In their collection of metadata, I’ve been informed that the NSA filters for trigger words [like ‘Osama bin Laden,’ ‘jihad,’ and ‘Islam’]. In my law practice, those are words used in my  discussions with colleagues, experts, and potential witnesses.”[275]

A significant number of the lawyers who spoke with Human Rights Watch expressed worries about surveillance by the US government. Overall, criminal defense attorneys appear to be the most anxious. Much like journalists, they serve a crucial role in a democratic society, and one that is singled out for its importance in the US Constitution.[276] 

Interestingly, despite reports that Mayer Brown, a major corporate law firm, has had some of its confidential client information collected through surveillance by an NSA ally, concerns about surveillance did not appear as pronounced among the corporate lawyers with whom we spoke. One factor behind the disparity appears to be that large firms have been concerned about surveillance by other governments for a long time, and have had the financial resources to develop systems for protecting their information. For example, one information security officer at a major international firm indicated that the threat of large-scale electronic surveillance by the US government does not trigger any special security measure the firm does not already take to protect against other governments or independent hackers.[277] A partner in the litigation department at another large firm reported the same thing.[278] As indicated below, however, concerns about large-scale electronic surveillance have started to work their way into practice areas handled by some corporate firms, such as international arbitration.

More broadly, a number of legal organizations have begun to wrestle with questions surrounding the impact of surveillance on attorneys. These include the American Bar Association (ABA),[279] the New York City Bar Association,[280] the National Association of Criminal Defense Lawyers (NACDL),[281] and the National Lawyers Guild.[282] Nevertheless, as described further below, they have yet to reach a consensus around the precise implications of surveillance for lawyers’ professional responsibilities—and this lack of consensus highlights broader uncertainty.[283]

The Implications of Surveillance for the Professional Responsibilities of Lawyers

Lawyers practicing in the United States operate in a heavily regulated environment. They must comply with various rules of professional responsibility or risk penalties that can include suspension or even the loss of their license to practice law. Those rules generally include the obligation to maintain the confidentiality of information related to the representation of their clients, which attorneys regard as a core value of their profession.[284] Increasing surveillance by the US government introduces a serious ethical problem for attorneys, who are often professionally obligated to protect the contents of their communications, the nature of their legal research, and even the fact that they are communicating with a particular person or traveling to a particular place.[285]

For example, the American Bar Association maintains a set of Model Rules of Professional Conduct (Model Rules)—carefully sculpted guidelines that form influential, baseline standards for various jurisdictions that admit and regulate lawyers. The Model Rules stipulate that attorneys “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”[286] While lawyers have long been expected not to disclose confidential client information without consent, the ABA modified the language of the applicable rule in 2012 to impose an explicit obligation on attorneys to take positive steps to protect the confidentiality of information concerning their clients and cases.[287]

According to Andrew Perlman, a professor at Suffolk University Law School who served as chief reporter of the ABA’s Commission on Ethics 20/20 and directs Suffolk’s Institute on Law Practice Technology and Innovation, the rule change followed general concerns about cybersecurity. [288] Perlman noted, however, that the wording of the rule is open-ended because the nature of security threats is constantly evolving. The obligation to protect client information applies across the board, and large-scale electronic surveillance can trigger the rule.[289]

“My take is that lawyers—especially those with clients whose legal matters may be of interest to the government—have legitimate concerns about government surveillance,” Perlman noted.[290]Those concerns, he added, are especially pronounced for attorneys dealing with clients located outside the United States.[291] Stephen Gillers, Elihu Root Professor of Law at NYU School of Law, and a widely recognized expert on legal ethics, agreed. As early as 2007, Gillers argued that mere knowledge that the government could collect and apparently was collecting Americans’ international communications without a specific warrant, and without meeting the conventional criminal standard of probable cause, was enough to preclude certain lawyers working on terror defense cases from using email, fax, and phone communications with people abroad.[292]

Yet, according to Gillers, “Obligations are [even] stronger on lawyers now [since the Snowden revelations].”[293] Since 2007, the public has learned more about the enormous power of the US government’s surveillance apparatus and some media reports have made clear that the US government has collected at least some confidential legal information. For example, in February 2014, reports surfaced that the government had—under FISA Court orders—wiretapped defense attorneys representing individuals accused of terrorism charges.[294] Even though the communications were privileged, the narrow minimization rules did not apply, so the government was able to listen to the recordings of the calls.[295] The same month, as noted above, another report based on a document provided by Edward Snowden revealed that a US-based corporate law firm, Mayer Brown, “was monitored while representing [the Indonesian] government in trade disputes with the United States.”[296] More specifically, the Australian Signals Directorate, the Australian analog for the NSA, surveilled communications between the Indonesians and their American lawyers, and then offered to share what it had collected with the NSA.[297]

Perlman emphasized that the new rule lays out a “reasonableness test”; [298] and the commentary elaborating on the ABA rule identifies several factors that lawyers must weigh in discerning the measures they are reasonably expected to undertake to protect their communications.[299] Those factors include (but are not limited to):

the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).[300]

Attorneys handling certain types of cases—such as those representing defendants in terrorism-related cases, foreign sovereigns, or major corporations whose business has significant implications for US economic interests—have legitimate reason for thinking the government may be especially interested in their communications. The risk of the collection and review of confidential case information by US government agents appears higher when handling such matters, imposing on them heightened professional responsibilities.

Attorneys handling cases that would seem to be of little interest to the government have a reason to be concerned as well, however, as they still must avoid needlessly exposing confidential information to  unauthorized parties. “Even if you aren’t doing sensitive work, you should be concerned about how much [information] is gathered,” said Jonathan Hafetz, an associate professor of law at Seton Hall University School of Law.[301] With the US government acquiring and retaining so much electronic data, many ways of communicating or storing information that would have been acceptable in the past are now known to be insufficient to preserve confidentiality.

One of the major concerns attorneys expressed to us relates to the scope of their professional responsibilities under the current surveillance regime.[302] As a result of recent surveillance revelations, a couple of attorneys reported feeling duty-bound to warn their clients that information related to their case may not remain private. Linda Moreno noted, “Given the now publicly admitted revelations that there is no privacy in communications, including those between attorneys and their clients, I feel ethically obligated to tell all clients that I can’t guarantee anything [they] say is privileged … or will remain confidential.”[303] Similarly, Nancy Hollander, who focuses on criminal defense including in national security contexts, has begun including a bolded auto-signature in her work-related emails with the same effect: “Warning: Based on recent news reports, it is possible that the NSA is monitoring this communication.”[304] Overall, however, without a clear sense of the boundaries of US government surveillance, and the effectiveness of various countermeasures, it is difficult to discern what steps lawyers might be obliged to take to protect their information.

Gillers cautioned lawyers about the use of phone, email, and text communications, noting that when it comes to electronic data, “it doesn’t matter what the vehicle is.”[305] An experienced criminal defense attorney observed similarly that, based on what we knew about US government surveillance programs before the Snowden leaks, overseas travel (instead of international electronic communication) was likely ethically required for attorneys handling certain types of cases.[306] Now, he argued, “Lawyers have to assume any electronic communication they have is going to be intercepted.”[307] Although the risk that poses will vary with the nature of the communications, and might be mitigated in some instances by security measures, lawyers need to treat the likely collection of electronic communications as a “fact of life.”[308]

Perlman did not go quite as far. In a March 2014 article, Perlman noted that the challenges of securing one’s electronic communications may (for now) create a gap between best practices and ethical obligation.[309] In an interview with us, he suggested that using encrypted email is probably not yet universally required of all lawyers. An attorney might, however, face discipline for removing from his office and subsequently losing an unencrypted flash drive containing highly sensitive client information.[310]

Significantly, the standard shifts with growing common awareness of the risks of certain forms of communication or file storage. Losing an unencrypted flash drive could result in discipline because, according to Perlman, “[i]n light of what we know, [carrying one around is] just too dangerous,” and further, “it’s easy to avoid the risk.”[311] The documents taken by Edward Snowden have demonstrated that an increasing number of electronic transactions are insecure, so “[a]s encryption gets easier, that might be something that becomes necessary, both as a matter of best practices and ethics,” Perlman observed.[312] James Connell III, a defense attorney for one of the Guantanamo detainees,agrees: “[It] won’t be long before some bar association says you can’t . . . send unencrypted emails.”[313] The same is undoubtedly true for other security measures as well.

Damage to Attorney-Client Trust

One major concern expressed by attorneys is that their inability to guarantee the privacy of their conversations makes it much harder to build trust with their clients. “Normally to build trust you don’t want to start with a cautionary statement,” observed Shane Kadidal, senior managing attorney of the Guantanamo Global Justice Initiative at the Center for Constitutional Rights.[314] “If your clients see you uncomfortable communicating, they may resist telling you everything,” added one federal defender handling a terrorism case. “It just chills the conversation.”[315]

“Clients don’t tend to come to us with a deep sense of the social compact,” noted Ron Kuby, a prominent criminal defense and civil rights lawyer. “They need to be persuaded [to trust their lawyer].” That trust can be essential to the proper functioning of the adversarial process, and it is especially difficult to develop in criminal defense work. Kuby pointed out that many clients who have been charged with an offense are primed to be mistrustful.[316] Nancy Hollander reported increasingly skittish behavior by her clients, describing one who “won’t bring his phone to my office.”[317] Kuby confirmed that his clients have been less comfortable speaking by phone over the last few years, and he attributes that in part to growing awareness of surveillance by the US government. “It used to be that I could assure them that the government lacked the resources to focus on them. But these days it does have the resources—it can focus on everyone.”[318]

Josh Dratel, a renowned criminal defense attorney who has handled a number of terrorism cases, noted a similar phenomenon, pointing out that mistrust of the US government is especially high among people who do not originate in the US.[319] He cannot diminish that mistrust among his clients “without lying.”[320] Large-scale surveillance actually “licenses paranoia among outsiders,” significantly affecting how they interact with the legal system, including their own defense attorney. They are less likely, for example, to share essential information with their lawyers.[321] “As a result, I can help them less,” he concluded.[322]

Impact on Attorneys’ Ability to Effectively Represent Clients

Some attorneys reported feeling forced to change their practices because the government’s access to information about their communication patterns (including the contents of some of their work-related exchanges) compromises their strategy.[323] This concern is especially pronounced in contexts where the US government is an opposing legal party, such as in federal criminal cases. In those cases, the government has a genuine interest in the legal strategies employed against it, and the technical ability to gain insight into that strategy by searching through the many electronic records it holds.

The worry here is not so much that the government will explicitly introduce private, strategic communications in court—the attorney-client privilege recognized in US courts largely precludes that  possibility [324]—but rather that the government appears to have the power to discern and prepare in advance for the strategy an opposing attorney designs for a case. In general, “it would be a huge advantage to the government” to have access to such information,[325]  particularly since defense attorneys do not have any prospect of gaining similar access to the prosecution’s information.

Some attorneys also raised concerns about the safety of individuals they might seek to contact in preparing their defenses. For example, Major Jason Wright, an Army JAG who does work before the Guantanamo commissions noted,[326] “We are fearful that our communications with witnesses abroad are monitored,” and thus that attempts to build their case “might put people in harm’s way.”[327] “Every person you’re touching, you’re potentially poisoning,” agreed Ahmed Ghappour, a law professor at UC Hastings who directs the Liberty, Security, and Technology Clinic.[328]

A clinical law professor who handles national security matters also raised a related pedagogical concern: it might not be in the long-term interests of law students to appear on the radar of the NSA, and that might well happen if they spend a few months on a national security case while in a law school clinic.[329] Without additional detail about what information the government collects, and how it deploys that information, it is difficult to know how to assess these sorts of risks.

Finally, some attorneys expressed the broader concern that large-scale electronic surveillance—by introducing a further, massive power asymmetry between the government and its legal opponents—undermines the adversarial process, a core element of the US criminal justice system.[330] In addition to the possibility that surveillance can give the government insight into opponents’ legal strategies, it also provides an enormous but opaque tool for the government to gather evidence against defendants. Because some of this evidence gets collected through sensitive programs, or is considered classified, defendants may never learn how the evidence was obtained and, therefore, be unable to challenge its acquisition as unlawful.[331]

Changing Legal Practices

Many lawyers have long been suspicious about the security of certain forms of communication, even before recent revelations of large-scale electronic surveillance by the US government. “I always assume my phone conversations are being monitored,” reported Ron Kuby.[332] Tom Durkin said he had “assumed for years, because of the people I’ve represented” that the government had access to many of his conversations.[333] And email in particular is problematic because it can so easily be forwarded to third parties.[334]

Nevertheless, a significant number of the lawyers who spoke to us have reduced their reliance on electronic means of communicating or storing data specifically in response to concerns about ongoing surveillance programs. Several emphasized avoiding putting information into emails or discussing matters over the phone.[335] As Linda Moreno put it, “On the phone, we are constrained in our discussions with witnesses and even co-counsel on cases, mindful of government monitoring.”[336] One clinical law professor who handles national security matters insists that students working on those cases only perform work from inside a secure clinic office, minimizing the chance that they will save or transmit confidential information insecurely.[337]

Accordingly, lawyers face a choice similar to the one confronting journalists. Some have attempted to increase the security of their electronic tools; others have tried to forgo digital communications or storage tools altogether; and still others have attempted to combine both approaches. Whatever the preferred strategy, a number of attorneys indicated that they must try to do something. “Only a foolish person understands your communications can be intercepted and does nothing about that,” observed Rob Feitel, a former federal prosecutor who spent 22 years in the Department of Justice and who now specializes in defense work arising from international and complicated drug cases. “It’s no different from locking your office door.”[338]

As a result of their growing concerns about surveillance, several attorneys reported encrypting their email or other forms of electronic communications. [339] One lawyer described using air-gapped computers and more secure networks. [340] Another described how his law office maintains its own servers in large part to retain additional control over its data. While there are multiple reasons for his organization to maintain its own servers, some not obviously related to surveillance, this attorney noted that all of those reasons (including surveillance) blend together here because “the [government] is the adversary we’re worried about.” [341]


Not all of the attorneys we spoke with trust encryption. One noted that it can draw the government’s attention to one’s communications but may slow down attempts to understand the content.[342] Another suggested that before the Snowden leaks, he might have considered technological solutions to the challenge of protecting communications.[343] He has even used encrypted phone calls in the past, which at the time “seemed over the top.”[344] But now he is skeptical that such tools would even work. “Post-Snowden, I think we have to assume there’s no encryption the NSA can’t beat,” he argued, adding, “I don’t want a false sense of security.”[345]

One defense attorney reported relying exclusively on one particular form of communication that he considered more secure than others for privileged communications with remote clients.[346] “I don’t send any information by email, attachment, or phone. I don’t use Gchat or What’sApp for anything but ‘Hi, what’s up?’ I don’t even talk on Skype.”[347]

As with journalists, it is not only the contents of attorneys’ communications that matter; it can be important to protect even the fact that they are in contact with particular people. Further, it is not always possible to use advanced electronic security to correspond with the necessary parties, such as when communicating with clients, witnesses, or even co-counsel who lack the appropriate resources or technical sophistication.[348] Many attorneys believe that the only secure way to handle such communications is face-to-face.

Many lawyers also reported conducting more meetings in person—sometimes significantly more, and not just with clients, but with co-counsel and witnesses as well.[349] A lawyer specializing in international dispute resolution at an international firm noted that surveillance has intimidated some of her foreign clients, who, as a result, prefer not to communicate remotely, and instead “will only exchange sensitive information in secure rooms in embassies or outside the US.”[350] She reported having to travel more to accommodate that preference.[351]

Yet travel is both expensive and time-consuming, and thus is not always a viable option. Describing the prospect of traveling more to avoid vulnerable long-distance communications, one experienced criminal defense attorney observed, “[It] seems romantic the first time you do it, but after that it’s just a pain in the ass.”[352] “I can’t just jump on a plane and go visit witnesses in order to insure some type of confidentiality,” added Linda Moreno, noting that many of her cases have an international component.[353] Tom Durkin highlighted the same problem; describing a colleague who travels to Europe in order to speak face-to-face securely, he observed, “That’s a luxury we don’t often have.”[354]

Having co-counsel located in the US may not be materially better from a strategic point of view when lawyers do not trust the security of their domestic communications. Moreno elaborated:

I can’t tell you how often we [as co-counsel] have to tell each other, “It’ll have to wait a month [until I can see you in person].” Just on this trip [to New York, which allowed for the Human Rights Watch interview] my co-counsel on a pending federal case said, “I’ll talk to you when you get here.” . . . [Still,] sometimes there’s an urgency to brainstorming and we just say, we can’t run and hide. They’re listening to us anyway, but we have to do our work.[355]

Even increased local travel can pose problems. One federal defender handling a terrorism case reported meeting a client in person more frequently to avoid risky electronic communications. Although the client lives in the attorney’s area, he works during the week, so in order to discuss the case securely, the attorney must meet him on weekends.[356] While this is less cumbersome than traveling abroad might be, it is yet another burden that disproportionately affects the defense.

On the other hand, a number of criminal defense attorneys expressed principled resistance to modifying their practices to protect against possible intrusion by the US government.

“I’ll be damned if I have to start acting like a drug dealer in order to protect my client’s confidentiality,” asserted Tom Durkin. Another lawyer described the sorts of measures necessary to avoid some forms of government surveillance as “the kinds of techniques that would stand out to me if I wanted to do something illicit.”[357] Linda Moreno identified one possible basis for such feelings, noting, “Nobody practiced law like this 15 years ago unless you were a crook.”[358] Indeed, James Connell III pointed out that in choosing his security measures, he worries that particularly advanced techniques will look suspicious. “[As much as I want to be secure,] I don’t want to look like I’m doing something illegal,” he reported. “[There’s a] real balance that must be struck.”[359] Yet how to strike that balance remains unclear.

IV.The Government’s Rationale for Surveillance

President Obama has defended his administration’s leak investigations as essential to preventing leaks that could endanger US military and intelligence officials,[360] and the government insists that the surveillance programs at the center of the Snowden revelations both comply with the law and protect national security. “I continue to believe that there has been nothing that has come out in the last nine months that is in any way inconsistent with [the claim that everything we do is lawful],” noted one senior intelligence official, who also argued that by and large the programs are valuable for protecting national security.[361]

“These programs are important, vital and lawful,” argued Bob Deitz, who served as General Counsel for the NSA from 1998 to 2006, in an interview with us.[362] A senior FBI official concurred, adding, “What’s been revealed are intelligence-collection programs that were initially and originally focused on defending the country in a time of war with respect to the enemy that were undertaken in a manner pursuant to the law.”

We interviewed five current or former US officials with knowledge of the programs. They generally defended the programs as legal and important for national security. They also showed varying degrees of concern for or interest in the impact that the programs might have on the work of journalists and attorneys. Most were skeptical that the programs have affected journalists and did not appear to have considered seriously the possible effect on attorneys.

The Lawfulness of Current Surveillance Programs

Officials we interviewed argued that the Snowden revelations did not uncover government abuse of its surveillance powers. The senior FBI official observed, “You don’t have [evidence of] rampant disregard for the law.” He claimed that the programs revealed by Snowden are qualitatively different from those described in the findings of the Senate’s Church Committee (and its House counterparts) in the mid-1970s. (Those investigations—triggered by news reports of domestic spying by the intelligence community, and by concerns about the Watergate scandal[363]—uncovered widespread abuses by a number of government agencies, including the specific targeting of nonviolent political dissidents.) While the senior FBI official acknowledged that, under the current programs, there have been “mistakes—clear mistakes—that implicate the rights of Americans,” he did not regard recent revelations as uncovering willful misconduct.[364] Deitz essentially agreed, insisting that he “wouldn’t have spent eight to nine years overseeing lawlessness.”

The question of whether the programs fall within the letter of US statutory law has been discussed elsewhere.[365] And whether intelligence officials have engaged in willful misconduct[366] or whether oversight has been adequate[367] are questions that fall outside the scope of this report. However, our research strongly suggests that the US did not design the programs with protection of human rights foremost in mind.

When asked about the role of human rights law in shaping the surveillance activities of the US intelligence community, officials suggested it exists, but is limited. The senior FBI official acknowledged the significance of treaty-based human rights law, noting that “[t]reaties are the supreme law of the land,” and adding, “[i]f it’s the law, and it applies, we’ll enforce it.”[368] Yet he also pointed to challenges “operationalizing concepts from international law,”[369] and the comments of other officials suggested that a domestic legal analysis predominates.

“I don’t think that we have historically looked to international human rights law as having a substantial weight of its own, as opposed to … the kind of principles of freedom and dignity and individuality that it’s meant to incorporate,” noted the senior intelligence official.[370] A former DOJ official said that most of the internal legal assessments would take the form of a “primarily … constitutional analysis”—not an analysis that explicitly takes into account the language of applicable human rights treaties.[371] 

Officials repeatedly underscored the level of oversight constraining the American intelligence community. The senior FBI official emphasized “overlapping, extensive oversight by multiple entities,” including Congress, the courts, and (at least for the FBI) the Inspector General of DOJ. “I don’t think we get enough credit for the work that goes into that [oversight] process,” he added.[372] Deitz characterized the US intelligence community as “the most heavily overseen of any … in the world.”[373]

The senior intelligence official highlighted the same point, specifically in the context of the surveillance programs described in the Snowden documents. “The [congressional] intelligence committees know all this. They are on top of it and aware of it. We brief them hundreds of times a month on what we’re doing and what we’re discovering from what we’re doing … and contrary to what people think, they push back on us immensely.”[374]

The same official also highlighted “a general principle that we can’t ask [other governments] to do something that we can’t do. That’s embodied in Executive Order 12,333.”[375] As a result, he noted that “we can’t for example, ask GCHQ, ‘Hey, could you spy on this American who we are not allowed to spy on?’”[376] When asked if the US government can accept information from other governments that it cannot legally collect on its own, the official replied, “Sure…. And I don’t think there’s anything wrong with that.”[377] Sharing of that sort could include information on US persons.[378]

Whether the Programs Are

Necessary for National Security and Sufficiently Targeted “Throughout American history, intelligence has helped secure our country and our freedoms,” President Obama claimed in his January 2014 surveillance speech.[379] He went on to defend the current surveillance programs as an extension of that tradition. Citing the attacks of September 11, 2001, he elaborated:

We were shaken by the signs we had missed leading up to the [9/11] attacks—how the hijackers had made phone calls to known extremists and traveled to suspicious places. So we demanded that our intelligence community improve its capabilities, and that law enforcement change practices to focus more on preventing attacks before they happen than prosecuting terrorists after an attack…. And it is a testimony to the hard work and dedication of the men and women of our intelligence community that over the past decade we’ve made enormous strides in fulfilling this mission.[380]

Officials we spoke with generally shared this view, and also endorsed the scope of the surveillance programs. The senior intelligence official defended them at length, emphasizing that “[w]e don’t go out there, and . . . listen to every conversation that Frau Hoffman has with her husband about what kind of bratwurst to bring home for dinner tonight.” Instead, he claimed, “[t]he collection is all targeted in some sense at getting things that are legitimate foreign intelligence.” [381]

The challenge, he said, is that collecting intelligence to protect national security is a forward-looking exercise, unlike solving crimes. That requires collecting information with some uncertainty as to its ultimate utility. “We don’t know necessarily who we’re looking for or what we’re looking for; we may not even know the type of thing we’re looking for.”[382]

Additionally, “Al-Qaeda communications are flowing along exactly the same pipes as your communications are. So technologically, we need to be able to [identify and sort through those communications].” Naturally, “[i]f you’re listening for conversations of bad people, you are going to listen to and intercept some conversations of people who aren’t bad people. And that’s where the minimization comes in.”[383]

As noted in the Background section, agencies that conduct surveillance, like the NSA, will generally operate under a set of “minimization procedures”—broad guidelines shaping the way they can acquire, retain, disseminate, or use information they have the power to collect.[384] For example, the agency might set procedures that instruct employees, in certain circumstances, to redact personally identifying information of US persons found in intercepted communications. Those guidelines can be important because, as the senior intelligence official implied, the government collects a lot of information about people who are not suspected of doing anything wrong. It then sifts through much of that information, based in part on the terms of its minimization procedures. However, the government operates a large number of different surveillance programs, and we do not know the details of most of the minimization procedures that constrain them. Such procedures also seem to provide safeguards only for US persons—and even those appear to be very weak. What little is public about the procedures suggests that they place even fewer constraints on what the government may do with information and communications of non-US persons.

More generally, “I probably couldn’t defend every single [bit of] surveillance that is done out there as essential to national security. I think by and large though … it’s an apparatus that is set-up to [serve that function],” said the senior intelligence official.[385] As for the bulk metadata program under Section 215, he likened it to a “fire insurance policy” meant to provide a critical capacity that was absentbefore the 9/11 attacks.[386]

Officials on Whether the Snowden Disclosures Harmed National Security

While this was not a central focus of our research, it is worth noting that officials did not all agree on the impact that the Snowden disclosures might have had on US national security. Overall, Deitz condemned Snowden’s disclosures, claiming that “any professional in the intelligence world will say it’s the single most damaging set of leaks [they’ve ever seen].” The senior intelligence official, while disapproving of the leaks, took a more measured view, arguing that “it’s too soon to tell whether [these leaks are] going to have a measurable effect on our ability to protect the nation.” He added, “It’s only been 9 months since this started, so we can’t tell.” Still, he claimed that “particular targets [] have changed their methods of communications because of what’s been disclosed.” While “it’s very hard for us to know what we’re not seeing,” he argued that less information is available to the intelligence community as a result. NSA director Admiral Michael Rogers made a similar assessment in an interview with the New York Times, saying, “‘You have not heard me as the director say, ‘Oh, my God, the sky is falling.’” Aside from some diminished traffic along certain lines of communication, none of the concerned officials pointed to specific, concrete, and identifiable harms.

Whether the Programs Have a Chilling Effect on the Rights of Journalists, Lawyers, or Others

The officials we spoke with denied that the surveillance programs are intended to chill permissible activity. “I don’t think anybody rational has suggested these are intended to chill civil liberties,” said the senior intelligence official.[387] They also expressed skepticism that surveillance programs have caused any unintended, objectionable chilling effects.[388]

Officials distinguished between different kinds of chilling. For example, the senior intelligence official separated “rational” and “irrational” chilling.[389] “Journalists who suggest that their lives are at risk and they therefore have to take precautions to avoid being assassinated by the CIA, or journalists who suggest that they have to be concerned that their conversations are going to be monitored because of their journalism, that’s just a fantasy.” He added, “It’s our assessment that [these programs] are not having and should not have an undue chilling effect, and that frankly, to the extent that people are perceiving the chilling effect now, it’s largely due to misperception, sometimes intentionally fostered, about how the programs  work.” [390]

Deitz made a related but different distinction, dividing legitimate and illegitimate chilling.[391] When asked about the possibility that reporting has become more difficult, Deitz responded, “Leaking is against the law. Good. I want criminals to be deterred.”[392] Deitz analogized the chilling of sources to police deterrence of crime, which he called “legitimate” chilling. “Does a cop chill a burglar’s inclination to burgle? Yes.”[393]

Deitz’s comparison of leakers to burglars disregards the pervasive over-classification of information in the United States, and the strong public interest in learning about much of that information. Moreover, it is simply not applicable to much of the work done by journalists covering the government. As noted above, a significant proportion of the reporting that journalists do on sensitive areas involves assembling bits of information that are not classified to begin with.

As to the journalists’ worries that information acquired through surveillance could be used in leak investigations, a senior DOJ official largely dismissed concerns over the increase in leak prosecutions pursued by the Obama administration:

There have been a small number of prosecutions of individuals for unauthorized disclosures of classified information that reflects a very small percentage of the unauthorized disclosures of classified information that have occurred…. I am aware of no change in policy during the Obama Administration seeking to increase investigation and prosecution of unauthorized disclosures of classified information, and any marginal increase in the number of such prosecutions in recent years is not attributable to such a change nor necessarily indicative of future trends in this area.[394]

However, he did acknowledge that “it is possible (though not particularly likely)” that raw intelligence information collected under Section 702 or Executive Order 12,333 “could be identified by FBI as germane to such an investigation or referred to FBI by another agency for such an investigation.”[395]

The same official also explained that information collected or derived from electronic surveillance under FISA might make its way into criminal prosecutions as evidence against “an aggrieved person, provided that the aggrieved person and the court or other authority are notified that the government intends to use or disclose such information.”[396] Accordingly, he said, “information acquired or derived from FISA is used in some criminal prosecutions related to national security, such as counterterrorism or counterespionage matters, and could be used as well in criminal cases that do not have a nexus to national security.”[397]

Though the senior DOJ official indicated that information collected through Section 702 or Executive Order 12,333 is unlikely to be used in leak investigations, the possibility that it could be—and that it could be introduced as evidence—gives real substance to some of the journalists’ worries about leaving an electronic trail to their sources, especially where the journalists do research with an international dimension.

The Impact on Journalists

The officials were skeptical that surveillance has undermined reporting, or indeed, that anything else has either. “[People argue that] this mass surveillance apparatus is going to cause whistleblowers to dry up and not be willing to talk to reporters and there’s absolutely no indication of that in the press at all. There’s a steady stream every day of classified information coming out.”[398] More broadly, he observed, “We haven’t really seen … any measurable change in the journalistic output.”[399] As the senior FBI official put it, “The First Amendment seems quite alive and well in America today.”[400]

Two officials suggested that journalists have always complained about the challenges of reporting. According to Deitz, “These things rotate through Washington every few years. Nixon had an enemies list. It was a matter of prestige to be on it.”[401] The senior intelligence official argued similarly that “this is a constant dynamic, and I think that there is always going to be a flow of information to the press, and the press is always going to be complaining that they’re not getting enough of it.”[402]

When asked what would constitute sufficient evidence of a chilling effect to cause them concern, both Deitz and the senior FBI official expressed skepticism about the reliability of self-reports by journalists or others. Deitz in particular claimed that people could exploit assertions that they are now constantly on alert for surveillance to advance their interests, observing that “the press is used as much as it uses.”[403] He appeared to be suggesting that journalists speaking to us for our research have an incentive to exaggerate their concerns about surveillance. The senior intelligence official responded that “the immediate canary in the mine would be if all of a sudden stories about leaks of classified information stopped appearing in the newspapers.” [404] While he argued that he has seen no indication that less information has made its way to the media, he acknowledged that it would be “hard to measure” such a phenomenon.[405]

Some journalists independently spoke directly to this point. One suggested that a pair of sizable leaks in recent years—one by Chelsea Manning and one by Edward Snowden—may be obscuring the chilling effect in part, supplying two specific streams of classified information.[406] Indeed, some of the journalists we spoke with indicated that levying hefty penalties against suspected sources weeds out all but the most committed sources, creating an environment more suitable for occasional, massive leaks of highly sensitive information rather than more numerous, smaller disclosures of less sensitive information.[407] As Charlie Savage noted, journalists having more consistent access to a wider range of government agencies may be better for “shed[ding] light on democratic processes” than having a small number of concentrated leaks.[408] The government might prefer that situation as well.

The Impact on Lawyers and Their Clients

Government officials had somewhat less to say regarding the possibility that surveillance has a chilling effect on attorneys and their clients. The senior intelligence official observed that “this is not a new issue for lawyers, how to protect their communications in an electronic age,” indicating that he had seen it arise in private practice years ago.[409]

He elaborated:

Should lawyers communicate by email at all with their clients? … [Not doing so] imposes a little additional cost, but … if lawyers weren’t taking these kind of precautions beforehand, they probably should have been. So, I don’t know how much you can attribute to this particular issue.[410]

While the government does have some minimization procedures in place for attorney-client communications, as previously noted, those procedures do not clearly apply across all programs, and they appear to be limited to cases involving a client under indictment. Moreover, while these rules apply for the most part to direct communication between attorneys and their clients, attorneys are bound to protect information that extends far beyond their direct communications with clients, including nearly all information related to legal representation.

What the Government Should Do

The revelations of large-scale surveillance by the US have prompted discussion and a few modest steps towards reform by the President and Congress. However, for the most part discussion of reform has been dominated by concerns over intrusion on privacy rights. While the privacy concerns are pressing and important, there has been little public discussion of how the US should act to prevent a chilling of freedoms of the press, expression, and association, or damage to the attorney-client relationship.

As noted above, some of the officials we spoke to denied that there was any sort of inappropriate chilling effect. Those who acknowledged a chilling effect did not seem to think reform of government programs was in order, though two officials noted that the government has an obligation to allay concerns among the public, even if those concerns are grounded in misunderstandings about the government’s activity because of inaccurate or overwhelming press reports. When asked about whether the government might have such a duty, the senior intelligence official responded, “Totally. Totally.” He added, “If someone wants to write a report that criticizes us for not doing a good enough job of explaining what it is that we do, I’m totally there. I think we have not done a good enough job.”[411] The former DOJ official essentially agreed. “It’s incumbent on the Executive Branch to put people at ease.”[412]

Ultimately, the officials expressed varied responses to this  investigation. The senior FBI official voiced an interest in reviewing any evidence of chilling effects on rights that we identified.[413] Deitz, on the other hand, seemed to think the entire project was misguided.[414]

V. The Rights at Stake

The US surveillance practices revealed over the last year raise a wide variety of human rights concerns. The issue that probably has received the most attention in public debate so far is the impact of surveillance on the right to privacy of individuals across the globe and in the US, which Human Rights Watch and the ACLU have discussed at length in other reports and submissions.[415] However, the particular patterns described in this report—the effect of surveillance on journalists, attorneys and their clients—raise further concerns about the impact of surveillance on another cluster of related rights: freedoms of expression and association, freedom of the press, the public’s right to access information, and the right to counsel.[416]

Rights Affected by Surveillance’s Impact on Journalists

Both international human rights law and the US Constitution protect the freedoms of expression and association, as well as the right to  privacy.[417] Under both domestic and international law, freedom of expression can also include anonymous speech,[418] and freedom of association can apply both to the freedom of individuals to join and engage with civil society groups and to the right of government officials to interact with members of the press. Moreover, international standards governing freedom of expression protect not just the right to express views for advocacy purposes, but also the right of access to information, including the right to learn about the activities of government, and the right of journalists to pursue information for the public benefit.[419] The same international human rights standards allow limitation of these rights in the interest of national security, but any such restrictions must be necessary to the goal pursued, and proportionate to it.

International Human Rights Law and Standards on Freedom of Expression, Association, and Access to Information

In order for a democratic society to function, and in order for healthy debate over government policies to flourish, people must enjoy the fundamental rights to speak and associate freely, and to acquire information about matters of public concern. Without these, it becomes extremely difficult for the public to have an informed discussion about government policies and practices.

The US ratified the International Covenant on Civil and Political Rights (ICCPR) in 1992, making it binding on the US.[420] The treaty protects the freedom of expression (Article 19), encompassing the freedom of speech that is so prominent in US constitutional law. It also protects the freedom of association (Article 22),[421] and the right to privacy (Article 17).[422] Freedom of expression in the ICCPR also includes “the freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers.”[423]

Additionally, Article 26 of the ICCPR requires equal protection before the law for everyone, regardless of status.[424] As a result, the rights in the ICCPR apply equally to all, including noncitizens. Indeed, the UN Human Rights Committee (HRC), the body established by the ICCPR to review state reports and issue interpretations of the treaty, has reaffirmed that expression, association, and privacy are rights that do not admit of discrimination “between aliens and citizens.”[425]

The US has long maintained the position that the ICCPR imposes no extraterritorial obligations on states parties, and thus that the government’s obligations under the treaty do not extend beyond its own borders.[426] That position helps the US to justify implementing surveillance programs that are especially invasive of the rights of foreigners located abroad. Yet international bodies, including the HRC[427] and the Office of the High Commissioner on Human Rights,[428] have repudiated the idea that the ICCPR has no extraterritorial reach. Indeed, where a state can project its authority to intercept the electronic communications of persons outside its territory, it carries with it the obligation to respect privacy, freedom of expression, and other associated rights.[429]

In its General Comment 34, the HRC also observed that the freedoms of expression and association are related.[430] The rights to information and to freedom of expression are integral to group advocacy, political organizing, vindication of rights, civil society monitoring, and many other associative activities in a normal democratic society.

Further, the HRC has interpreted the language of Article 19 to establish a “right to access to information held by public bodies.”[431]
To give effect to the right, the Committee has stated that “States parties should proactively put in the public domain Government information of public interest. States parties should make every effort to ensure easy, prompt, effective and practical access to such information.” [432]

There is growing international recognition that the right to seek, receive, and impart information encompasses a positive obligation of states to provide access to official information in a timely and complete manner. For example, the Organization of American States (OAS) has stated that the right of access to official information is a fundamental right of every individual.[433]

Moreover, it is internationally recognized that the right of access to official information is crucial to ensure democratic control of public entities and to promote accountability within the government.[434]

The Human Rights Committee (HRC) has also specifically emphasized that press freedom—and the ability of the press to obtain information—is essential to ensure freedom of expression and the enjoyment of other rights:

It constitutes one of the cornerstones of a democratic society. The Covenant embraces a right whereby the media may receive information on the basis of which it can carry out its function. The free communication of information and ideas about public and political issues between citizens, candidates and elected representatives is essential. This implies a free press and other media able to comment on public issues without censorship or restraint and to inform public opinion.The public also has a corresponding right to receive media output. [435]

The freedom of expression guaranteed by the ICCPR is not absolute. The treaty builds in several possible limitations, including one for the protection of national security.[436] However, any such restrictions must be strictly cabined: as indicated by the text, the right “may … be subject to certain restrictions, but these shall only be such as are provided by law and are necessary … for the protection” of a listed state interest.[437]

As noted by the HRC, this language means that any restrictions on these rights must meet specific conditions: they must be “provided by law”; they must adhere to one of the purposes laid out in Article 19; and “they must conform to the strict tests of necessity and proportionality…. Restrictions must be applied only for those purposes for which they were prescribed and must be directly related to the specific need on which they are predicated.”[438]

Of particular interest, the HRC has also warned about the risks of government overreach in the name of national security, noting that States parties must ensure that provisions to protect national security are not invoked “to suppress or withhold from the public information of legitimate public interest that does not harm national security or to prosecute journalists, researchers, environmental activists, human rights defenders, or others, for having disseminated such information.” [439]

Since the adoption of the ICCPR, civil society groups, governments, and international institutions have also worked together to further develop legal standards that address the apparent tension between access to information and the protection of national security. Those standards, while not binding, are based on developing norms of international law and state practice, and provide informed, detailed, and legally persuasive guidelines for the interpretation of the proper scope of some of the rights that the ICCPR protects.

One set of such relevant standards, in wide use and grounded in international and comparative law, is the Johannesburg Principles on National Security, Freedom of Expression and Access to Information (Johannesburg Principles). [440] These principles provide that restrictions on expression based on national security “must have the genuine purpose and demonstrable effect of protecting a legitimate national security interest,” [441] which they define as protecting “a country’s existence or its territorial integrity against the use or threat of force, or its capacity to respond to the use or threat of force, whether from an external source, such as a military threat, or an internal source, such as incitement to violent overthrow of the government.” [442]

The 2013 Tshwane Principles on National Security and the Right to Information (Tshwane Principles) apply developing interpretation and jurisprudence of national and international bodies to the right to information. [443] The Tshwane Principles provide: “Everyone has the right to seek, receive, use, and impart information held by or on behalf of public authorities, or to which public authorities are entitled by law to have access.” [444]

The Tshwane Principles directly address the ICCPR limitations, recognizing that governments may need to keep certain information classified, including information with particularly strong implications for national security. [445] However, the Principles make clear that that the government bears the burden of proving that the restriction is permissible. To do so, it must show that: “(1) the restriction (a) is prescribed by law and (b) is necessary in a democratic society (c) to protect a legitimate national security interest; and (2) the law provides for adequate safeguards against abuse, including prompt, full, accessible, and effective scrutiny of the validity of the restriction by an independent oversight authority and full review by the courts.”[446]

Although the Tshwane Principles, unlike the Johannesburg Principles, do not define “national security,” they do recommend it be defined precisely in law in a manner consistent with a democratic society. The principles list a small, illustrative set of types of information that might legitimately be withheld from disclosure on national security grounds provided such nondisclosure is both necessary and proportionate to protect national security.[447] But they specifically list other types of information, which in practice are often withheld, where there is a strong presumption in favor of public disclosure.

Importantly, the Tshwane Principles also make clear that for some categories of information, there is an overriding public interest in disclosure, which means that the information cannot be withheld under any circumstances, because they are “of particularly high public interest given their special significance to the process of democratic oversight and the rule of law,”[448] These categories include information about gross violations of human rights or serious violations of international humanitarian law, [449] as well as state surveillance. [450]

Finally, the principles also provide that the disclosure by public personnel of certain categories of wrongdoing (such as human rights violations)—in other words, disclosures by whistleblowers—should be protected. [451] There is no question that the US government holds some information with grave, direct implications for the safety of the nation. To the extent that it does, the government is entitled—indeed, has a duty—to shield that information from the press and the public in order to protect national security. Yet, if it invokes national security as a basis for restricting information, then it needs to make the case that the restriction really is necessary and proportionate, and meets all of the other requirements outlined above.

There is also no question that the US government routinely classifies a broad array of information that, while convenient to keep confidential, is not a serious risk to national security.[452] Even much of the classified information released by Snowden may well fall into this category.

Unclassified information and personal opinions of federal employees are even less likely to be legitimately kept from the public on national security grounds. In fact, certain government agencies implementing their own version of the Insider Threat Program, such as the Peace Corps, may be hard-pressed to show that any information they seek to protect on national security grounds genuinely relates to national security in the precise sense contemplated by international human rights law.

Of course, there is a great deal of information that the US may be legitimately seeking to withhold on grounds that are unrelated to national security—such as international relations, public order, public health and safety, law enforcement, future provision of free and open advice, effective policy formulation, and economic interests of the state. However, the Tshwane Principles make very clear that even when these other justifications for restricting access to information are invoked, “they must at least meet the standards for imposing restrictions on the right of access to information” that apply to information implicating national security.[453] In other words, it is up to the US government to prove that such restrictions are strictly necessary to serve a legitimate interest, and that there are safeguards in place to prevent abuse.

As noted above, it is well established—and the government has often admitted—that over-classification is a problem within the US government.[454] Initiatives—such as the Insider Threat Program—that seek to prevent or punish disclosure of all classified information are by their nature overbroad, even though much classified information might be legitimately withheld. The same is true for directives that seek to restrict all unauthorized contact between officials and the media, or that discourage even the sharing of  unclassified information. Moreover, contrary to international standards, US law does not adequately protect those who disclose official wrongdoing or information of great public interest. Under the Espionage Act, for example, it is unclear whether the public interest in a disclosure may ever be available as a defense to charges.[455]

The surveillance programs of the US government have dramatically compounded this already serious problem by making it significantly more challenging for third parties—journalists and the public at large—to seek out information that the government withholds but that is of strong public interest and value to a democratic society. In this context, at least three separate rights are thus threatened by the current surveillance regime in the US: the right of government officials to share information through the press with the public; the right of journalists to acquire and share information about the operations of the US government; and the right of the public to access that information through the media. If the government refuses to disclose or declassify this information itself as a matter of official policy, the least it can do is permit its officials, the press, and the public to exercise the right to impart or seek out information that cannot legitimately be withheld.[456]

Through its consistent threat to pursue leak investigations, the US continues to impede the free exercise of that human right. And, as this report has shown, journalists and sources are afraid to disclose or discuss matters that should be legitimate topics of public debate because surveillance—combined with the harsh crackdown on leaks—increases the likelihood that the government will know about their conversations and may prosecute or otherwise sanction the  participants.

Finally, the government has also run afoul of international standards by withholding from public view so many of the details about its surveillance programs. For example, the government has declined to make public many of its minimization procedures and whether they offer any genuine protection to journalists or lawyers in their interaction with sources and clients. Under the standards set forth in the Tshwane Principles and Johannesburg Principles, the US government ought to make public more information about its surveillance practices. Greater transparency would help to eliminate much of the uncertainty surrounding these programs, allowing for a more robust public debate about them, and possibly even helping to allay some of the fears described in this report.

US Constitutional Law

The First Amendment to the US Constitution establishes that “Congress shall make no law … abridging the freedom of speech, orof the press.” It also recognizes the freedom of association.[457]

In interpreting the Constitution, the Supreme Court has identified a link between privacy, freedom of association, and freedom of expression. In NAACP v. Alabama, the Court held that Alabama could not compel the NAACP to turn over its roster of rank-and-file members because doing so, given past discrimination and hostility toward the NAACP, would likely result in “a substantial restraint upon the exercise by [the NAACP’s] members of their right to freedom of association.”[458] In reaching that conclusion, the Court underscored its recognition of “the vital relationship between freedom to associate and privacy in one’s associations,”[459] and also observed that,

Effective advocacy of both public and private points of view, particularly controversial ones, is undeniably enhanced by group association, as this Court has more than once recognized by remarking upon the close nexus between the freedoms of speech and assembly. [Citations omitted.] It is beyond debate that freedom to engage in association for the advancement of beliefs and ideas is an inseparable aspect of the “liberty” assured by the Due Process Clause of the Fourteenth Amendment, which embraces freedom of speech. [460]

As for freedom of the press, the Supreme Court has held it is a “fundamental personal right[],”[461] though it is subject to limitations. For example, journalists may face liability for publishing inaccurate, defamatory items,[462] and may be subpoenaed to appear before grand juries.

Although there are some countries that penalize reporters who publish leaks of government secrets, the United States has not prosecuted reporters who published government secrets provided to them by government sources.[463] Some worry that journalists could be prosecuted under the Espionage Act of 1917, although there is also a strong argument that such prosecutions would require that the journalists act with specific intent to engage in espionage.

Yet the possibility that surveillance feeds the US government’s crackdown on leaks still raises constitutional concerns for journalists. As documented above, these forces jointly undermine freedoms of the press by frightening away sources and restricting the ways in which journalists may gather information. Moreover, in leak prosecutions, journalists may be compelled to identify their sources, as evidenced by the current legal battle for New York Times reporter James Risen’s testimony in the prosecution of Jeffrey Sterling.[464] Journalists may face imprisonment if they decline to testify when ordered to do so.[465] Forcing journalists to choose between imprisonment and revealing their sources clearly (and in one sense, literally) undermines the freedom of the press, at best intimidating sources and journalists, and at worst (when paired with imprisonment of the source) resulting in tangible punishment for both. Surveillance exacerbates journalists’ concerns that they will get “caught” doing their jobs and thus face a range of direct or indirect penalties.

The same factors also raise troubling First Amendment questions with respect to journalists’ sources themselves, as they are also entitled to freedom of speech. While that freedom faces a range of limits, sources have a right to express their opinions about less sensitive matters,[466] and, in some circumstances, even about matters the government deems to be classified. Even if the government wishes to require its employees to sign non-disclosure agreements,[467] such agreements cannot be too broad. As one district court has put it, “while the scope of government employees’ free speech rights may be in some ways narrower than those of private citizens, government employees do not relinquish their First Amendment rights at the door of public employment.”[468] More recently, Supreme Court Justice Sonia Sotomayor, writing for a unanimous court, noted that “[s]peech by citizens on matters of public concern lies at the heart of the 1st Amendment. . . . This remains true when speech concerns information related to or learned through public employment.”[469]

The DC Circuit Court of Appeals has outlined a balancing test for locating the limit of the government’s ability to censor its employees, holding that “restrictions on the speech of government employees must ‘protect a substantial government interest unrelated to the suppression of free speech.’ … [and] the restriction must be narrowly drawn to ‘restrict speech no more than is necessary to protect the substantial government interest.’” [470] In general, the government cannot legitimately prevent employees from disclosing unclassified information. [471]

Moreover, employees at agencies that disapprove of unauthorized press contact have a particular interest in being able to speak with the press anonymously. According to the Supreme Court, First Amendment protections do indeed extend to some measure of anonymous speech.[472] In particular, the Court has rejected certain ordinances and statutes that require speakers to identify themselves when those identification requirements would “tend to restrict freedom to distribute information and thereby freedom of expression.”[473]

Policies that seek to identify (and then punish) government officials for having contact with the press have the same effect. The increased leak prosecutions and the Insider Threat Program sharply curtail the ability of federal officials to express themselves, even with respect to unclassified information or mere opinions. Additionally, in the absence of clear information about how the government deploys surveillance information in its leak investigations, government sources harbor justifiable doubts about their ability to engage in constitutionally protected, anonymous contact with journalists without suffering administrative or legal penalties. While such policies may be defensible or even desirable to the extent that they protect especially sensitive information, our research indicates that in practice they reach much further. Officials fear punishment for mere association with the press, as well as for sharing unclassified yet valuable information about the operation of the government. As a result, they are less willing to speak to reporters, undercutting the flow of information to the public, and limiting the freedom of expression enshrined in the US Constitution.

Rights Implicated by Surveillance’s Impact on Attorneys

Both international human rights law and the US Constitution protect the right to counsel, which is commonly understood in both contexts to include the ability to communicate freely with one’s legal counsel—especially in the context of criminal prosecution. That understanding reflects wide recognition that impediments to the exchange of information between a defendant and his attorney can render the attorney’s legal counsel ineffective, directly undermining the purpose of the right to counsel in the first place.

International Human Rights Law and Standards

The ICCPR provides that a person charged with a criminal offense is entitled “to defend himself in person or through legal  assistance.” [474]

The treaty also defines a right for such a person “to communicate with counsel of his own choosing.” It is well established in international human rights law, including in the interpretation of the ICCPR specifically, that full confidentiality of communications is a requirement of the right to counsel.[475]

By engaging in large-scale and sometimes entirely indiscriminate collection of data, the US government falls short of its obligations under the ICCPR to respect the relationship between attorneys and their clients. In gathering so much data, it inevitably picks up confidential legal information as well, including attorneys’ domestic call records and the content of various other (typically international) messages and calls. As documented above, the mere fact that the government acquires and retains these materials, even if they are never used adversely, is enough to force lawyers toward more costly and less efficient practices, as they are under an obligation to keep that information confidential. In this way, the government’s surveillance programs impede the ability of attorneys to “perform their professional functions without … hindrance … or improper interference.”[476]

Further, a lawyer could well “reveal” confidential information improperly under the rules of professional responsibility if he or she takes inadequate steps to prevent that information from being picked up and stored in a government computer. Even if no unauthorized person actually reviews such information, at that point, the government has gained access to it. Moreover, the government cannot generally know if the information it has collected should be treated as confidential until it reviews it. Even treating information specially at that point, as the government may choose to do under various minimization procedures designed to protect US persons, will not undo the harm.[477] (Failure to treat confidential information specially might exacerbate the harm, however—for example, if the government were to share confidential information with prosecutors in the case against the defendant it concerns.) The salient solution is to engage in more narrow collection on the front end, specifically avoiding the collection of confidential information.

US Constitutional Law

The Sixth Amendment to the US Constitution also provides for a right to counsel.[478] A number of circuit courts have emphasized that the heart of this right encompasses the ability of defendants to communicate securely with their attorneys (though some limitations exist, especially for defendants in detention). For example, in United States v. Rosner, the Second Circuit held that “the essence of the Sixth Amendment right is, indeed, privacy of communication with counsel.”[479] In Caldwell v. United States, the DC Circuit Court of Appeals observed that “high motives and zeal for law enforcement cannot justify spying upon and intrusion into the relationship between a person accused of crime and his counsel.”[480] The Third Circuit offered a fuller explanation:

The fundamental justification for the sixth amendment right to counsel is the presumed inability of a defendant to make informed choices about the preparation and conduct of his defense. Free two-way communication between client and attorney is essential if the professional assistance guaranteed by the sixth amendment is to be meaningful.[481]

Given current US surveillance practices, countless defendants presently have justifiable reasons for doubting the security of their exchanges with counsel, especially (but by no means exclusively) if they are charged with offenses related to terrorism. Indeed, as this report documents, the situation has become so problematic that attorneys are feeling the need to issue new kinds of warnings to their clients about how they share sensitive information related to their cases. It is beyond the scope of this report for us to determine whether federal prosecutors have ever made use of intercepted confidential communications of defense counsel.[482] But surveillance practices are already interfering with trust and communication between attorneys and defendants, conflicting with the spirit of the right to counsel as articulated by numerous circuit courts and raising serious Sixth Amendment concerns.


Everyone has the right to communicate with an expectation of privacy, including privacy from unwarranted or indiscriminate surveillance by governments. This right, which can be restricted only for important reasons such as national security, is essential not just to individual freedom of expression, but to the fair and accountable functioning of a democracy. This report documents the threats that surveillance poses to two professions, vital to a democratic society, that depend on freedom of expression and confidentiality of communications: journalism and law. Those threats are exacerbated by over-classification and excessive government secrecy.

Acknowledging the limits of our knowledge about the details of existing US surveillance programs, we urge the US Congress and the President to adopt the recommendations listed below to limit the government’s surveillance activities, strengthen restrictions on the use of information collected through surveillance, increase transparency, and address problems linked to over-classification and leak investigations and prosecutions. The President has the power to make many of these changes unilaterally, and he should use that power without delay. Certain longer-term solutions will require a legislative response, and we urge Congress to act swiftly to provide one.

Narrow the Scope of Surveillance Authorities:

International law—including, in particular, the ICCPR—requires that the United States ensure that any interference with the rights to privacy and freedom of expression comply with the principles of legality, proportionality, and necessity for a legitimate aim, such as national security. This is true regardless of the nationality of the individuals affected. Moreover, in circumstances where a state exercises effective control over an individual or that individual’s exercise of rights, that state is also obliged to respect such rights even when the individual is located outside its territory.

Many US surveillance practices, as revealed since June 2013, are inconsistent with US obligations under international law and pose a particular threat to the rights to privacy and freedom of expression and access to information guaranteed by Articles 17 and 19 of the ICCPR. To bring its policies in line with the law, and to ensure the measure of privacy necessary for journalists, lawyers, and others who require confidentiality to perform their responsibilities free from undue interference,

the US should take the following steps:

  • End mass collection of business records andother information.
    • Among other steps, Congress should pass andthe President should sign legislation that would prohibit the mass orlarge-scale collection of communications metadata or other business records,whether under Section 215 or other authorities, such as pen register and trapand trace statutes. It should also ensure that any new legislation permit the acquisition of communications metadata only upon a showing of individualized suspicion. The President should also cease requesting authorization from the FISC for the large-scale acquisition of telephone metadata, or any other records. Finally, no requirement of compelled data retention for private companies should be imposed to substitute for present government collection and retention practices.
  • Narrow the purposes for which all foreignintelligence surveillance may be conducted and limit such surveillance toindividuals, groups, or entities who pose a tangible threat to nationalsecurity or a comparable state interest.
    • Among other steps, Congress should passlegislation amending Section 702 of FISA and related surveillance authoritiesto narrow the scope of what can be acquired as “foreign intelligenceinformation,” which is now defined broadly to encompass, among otherthings, information related to “the conduct of the foreign affairs of the United States.” It should be restricted to what is necessary and proportionate to protect legitimate aims identified in the ICCPR, such as national security. In practice, this should mean that the government may acquire information only from individuals, groups, or entities who pose a tangible threat to national security narrowly defined, or a comparable compelling state interest.
  • Establish clear limits on the circumstancesunder which government agencies may share information collected forintelligence purposes with law enforcement for criminal investigations, andensure that those limits are made public and are subject to review.
    • Law enforcement agencies should notgenerally have access to databases collected by intelligence agencies, absentsome decision by an independent tribunal that, by their terms, permissible lawenforcement searches otherwise comply with constitutional and international law standards relating to criminal cases.

Strengthen the Protections Provided by Targeting and Minimization


Much of the anxiety caused by the government’s surveillance programs stems from the permissiveness of the US government’s targeting and minimization procedures, which provide weak protections for US persons, and virtually none at all for non-US persons. Those procedures appear to allow easy access to and long-term retention of information of no significant value to a compelling state interest. The US should strengthen the targeting and minimization procedures that protect the privacy of all those whose information is swept into the government’s enormous databases. Toward that end, it should take the following steps:

  • Require prior review of targeting decisionsby a competent, independent, and impartial decisionmaker.
    • Under Section 702 and Executive Order12,333, executive branch officials hold the power to make unilateral targetingdecisions. Targeting decisions made under Executive Order 12,333 are notsubject to any independent review. And under Section 702, only the broaderprocedures for making those decisions—designed to ensure that the government is targeting non-US persons outside the US—are subject to periodic approval of the Foreign Intelligence Surveillance Court. The lack of independent targeting oversight is even more worrisome because the standards for approving targets under Section 702 and Executive Order 12,333 are much lower than in the law enforcement context. Congress should pass (and the President should sign) legislation modifying Section 702 and the executive’s authority under Executive Order 12,333 both to narrow the grounds for permissible surveillance (see above) and to require that individual targeting decisions be reviewed by an independent decisionmaker to ensure that any encroachment on any person’s rights is fully justified under constitutional and international law standards. Until such legislation takes effect, the Executive Branch should adopt targeting procedures that require individual targeting decisions to be approved by an independent decisionmaker.
  • Prohibit the “backdoor” searchesof communications collected, except pursuant to the same standards andprocedures that would justify surveillance in the first instance.
    • Presently the government claims the power tosearch through the information it collects under Section 702 (and perhapsExecutive Order 12,333) for the communications of individuals it could not havetargeted in the first place. The government should prohibit such backdoorsearches to cabin the harm that incidental or excessive collection can inflict.
  • Require the prompt destruction of allinformation collected that is not to or from a target, or that does not containinformation necessary to a legitimate aim (such as national security) furtheredby surveillance of the target.
    • In particular, such information should bedeleted from all government databanks rather than stored for a retention period(regardless of access). That deletion should be audited periodically by anindependent authority that reports publicly on the government’s retentionand deletion practices.
  • Prohibit the acquisition, retention,dissemination, or use of protected attorney–client communications orsimilarly confidential or privileged communications or information.
    • The NSA’s current minimization

    procedures for attorney-client communications acquired under Section 702 are both too narrow and too weak. If the government finds itself reviewing a communication between an individual known to be indicted in the US and an attorney representing that person in connection with the indictment, it must stop reviewing the communication. But the government may retain the communication and preserve any foreign intelligence information it has already discerned. Moreover, there is no protection for the myriad other forms of privileged attorney-client communications—which include communications relating to criminal proceedings that precede an indictment, criminal matters where the NSA does not yet know of an indictment, and civil matters—aside from the requirement that the NSA’s Office of General Counsel review proposed dissemination of such communications. There is also no protection for confidential, as opposed to privileged, information related to ongoing legal representation. The Executive Branch should implement minimization procedures that require the government to delete confidential or privileged attorney communications it gathers through its surveillance programs, without retaining, disseminating, or otherwise using information gleaned from reviewing them.

Disclose Additional Information about Surveillance Programs to the Public:

  • The secrecy surrounding USsurveillance authorities has greatly hindered the public debate about theprograms, and it has contributed to the uncertainty felt most acutely by thosewho rely heavily on the confidentiality of their communications, such asjournalists and lawyers. To allow for a more meaningful public debate, and to permit the public to understand the true scope of the government’s surveillance authorities, the United States should take the following steps:
  • Publish detailed, unclassified descriptionsof the scale and scope of signals intelligence conducted under all authorities,including Executive Order 12,333.
    • Among other steps, the Executive Branchshould report statistics on the number of requests for information thegovernment makes under Section 215, Section 702, and National SecurityLetters. Such reporting should include the total number of requests under specific legal authorities for specific types of data (content, subscriber information, or metadata), and the number of individuals affected by each as well as their status in the United States (citizens, residents, non-citizens). The President should also disclose detailed, unclassified descriptions of the scale and scope of signals intelligence collection practices pursuant to Executive Order 12,333 that affect both US persons and non-US persons, and clarify the extent to which foreign intelligence surveillance undertaken pursuant to Executive Order 12,333 implicates the private information of persons who are not suspected of any wrongdoing or of any connection to a national security threat.
  • Disclose all current and future targetingand minimization procedures for all agencies engaging in surveillance, subjectto only those redactions necessary to protect ongoing investigations orsensitive sources and methods.
    • Uncertainty about the government’sacquisition of information through its surveillance programs, and itssubsequent treatment and use of that information, underlies much of thereluctance of journalists and lawyers to engage in certain types ofcommunication and data storage. Publicizing significantly more information about how the government makes targeting decisions, as well as how it treats information it has gathered, is essential for allaying legitimate concerns about which activities are reasonably secure and which are not. The Executive Branch should promptly release all current targeting and minimization procedures with minimal redactions, and it should continue to release new, unredacted or minimally redacted procedures as they come into effect in the future.
    • Declassify or publish detailed descriptionsof all opinions of the Foreign Intelligence Surveillance Court, and establishan efficient means for doing so in a timely manner in the future.
    • Allow recipients of surveillance orders, whoare entrusted with the privacy and security of their users’ data,regularly to report statistics concerning government requests for information,including:
      • The number of government requests forinformation about their users made under specific legal authorities such asSection 215 of the USA PATRIOT Act, Section 702 of FISA, the various NationalSecurity Letter statutes, and others;
      • The number of individuals, accounts, ordevices for which information was requested under each authority;
      • The number of individuals, accounts, ordevices affected by those requests under each authority; and
      • The number of requests under each authoritythat sought communications content, basic subscriber information, and/or otherinformation.

Reduce Government Secrecy and Restrictions on Official

Contact with the Media: The government’s tendency to over-classify information relating to its surveillance activities contributes significantly to the lack of transparency about those activities. Its efforts to protect all of that information, including by imposing strict restrictions on contact between federal officials and the press, are contributing to journalists’ and sources’ fear of surveillance and harming the ability of the press to report on matters of public concern. Accordingly, the US should take the following steps:

  • Reform the classification system to preventover-classification and to facilitate prompt declassification of information ofpublic interest.
    • The Executive Branch should enact meaningfulmeasures to combat over-classification. It should impose new limits on thetypes of information that may be classified, significantly shorten the periodfor which information may be classified,[483] and implement a process to identify and expedite the declassification review of information of significant public interest. It should also impose penalties on agencies or officials that engage in over-classification.
    • Narrow administrative restrictions on theability of government officials to talk with others about matters of publicconcern.
    • Among other steps, the President should order a review of the Insider Threat Program to ensure that it is not leading to harmful outcomes, including by allowing agencies to create policies that interfere with the ability of federal officials to interact with the press on matters that are unclassified or that do not pose any significant, tangible risk to national security or to other critical state interests recognized in international human rights law. The President should also direct the revocation of Intelligence Community Directive 119 to permit non-designated intelligence community employees contact with the press (subject to typical restrictions on sharing classified information), and to remove the requirement to report contact with the press. Congress should conduct oversight hearings on the implementation of the Insider Threat Program and other government policies and programs that may be improperly inhibiting government officials’ communication with the media and restricting the public’s access to information.

Enhance Protections for National-Security Whistleblowers:

  • Those who disclose officialwrongdoing or information of great public interest to the media perform animportant service in a democratic society and should be protected. Similarly,journalists who report their disclosures should not be forced to divulge theirsources. Even if a revelation does not point to a clear violation of the law, the public disclosure of that information should not be prosecuted—and a leaker should have a defense against prosecution for divulging classified or confidential information—where the public interest in that information outweighs the harm to a state interest such as national security. Accordingly, the US should take the following steps:
    • Prohibit the prosecution of those who are not government employees or contractors for the receipt, possession, or public disclosure of classified information.
      • Journalism is not a crime, and treating itpotentially as such discourages everyday reporting essential to understandingthe operation of our government. The onus should be on the government to protect any legitimate secrets, not on journalists under the threat of serious criminal penalties. This would not insulate journalists from prosecution for other sorts of crimes, such as theft, hacking, or bribery.
      • The public disclosure of information shouldnot be prosecuted where the public interest in disclosure outweighs anyspecific harm to national security or a comparable state interest caused bydisclosure.
        • The public disclosure of information is not

        espionage and should not be prosecuted as such. Moreover, to the extent criminal penalties are sought for public disclosures, they should be available only for the disclosure of narrow categories of information defined by law, where disclosure would pose a real and identifiable risk of causing significant harm to national security or a comparable state interest. The law should also provide for a public interest defense in such cases. Under that defense, the public interest in disclosures relating to US government waste, fraud, corruption, or illegal activities should presumptively outweigh any legitimate interest in secrecy.

    • Strengthen legal protections for nationalsecurity whistleblowers, including contractors.
    • Strengthen federal law to provideintelligence and national security sector employees and contractors a) anenforceable right to report abuse internally and b) legal protection fromretaliation if they do so, in addition to the public interest defense recommended above. Pending the enactment of legislative guarantees, the President should forbid retaliation and prosecution against such employees and contractors and provide an independent channel for challenging such actions should they occur.


This report was researched and written by G. Alex Sinha, Aryeh Neier fellow with the US Program at Human Rights Watch and the Human Rights Program at the American Civil Liberties Union. Maria McFarland Sanchez-Moreno, US Program deputy director at Human Rights Watch, participated in some of the research interviews. Andrea Prasow, deputy Washington Director at Human Rights Watch, also participated in one of the research interviews and provided key contacts. Significant research, proofreading, and formatting assistance were provided by Samantha Reiser, Paul Smith, and Jeanne Jeong, associates in the US Program at Human Rights Watch; as well as Alex Simon-Fox, Erin Weber, Cassandra Kildow, and Phoebe Young, interns in the US Program at Human Rights Watch. Other US Program staff—including Clara Long, Grace Meng, Alba Morales, and Brian Root—graciously offered contacts and insight.

This report was reviewed at Human Rights Watch by Maria McFarland Sanchez-Moreno, US Program deputy director; Alison Parker, US Program director; Cynthia M. Wong, senior researcher on the Internet and human rights; Laura Pitter, senior national security researcher; Dinah PoKempner, general counsel; and Joe Saunders, deputy program director. At the American Civil Liberties Union, it was reviewed by Steven Watt, Human Rights Program senior staff attorney; Jameel Jaffer, deputy legal director and Center for Democracy director; Alex Abdo, Speech, Privacy and Technology staff attorney; Naureen Shah, legislative counsel; Gabe Rottman, legislative counsel and policy advisor; Neema Singh Guliani, legislative counsel; Michael W. Macleod-Ball, Washington Legislative Office chief of staff. Layout and production were managed by Grace Choi, publications director; Kathy Mills, publication specialist; and Fitzroy Hepkins, mail manager for Human Rights Watch.

Human Rights Watch and the American Civil Liberties Union wish to thank the journalists, attorneys, and others who generously shared their time—and in some cases, sensitive information about their experiences and practices—to ensure that this report properly captured their perspectives. We are especially grateful because many interviewees kindly fielded uncomfortable questions, which required them to lay bare their uncertainties about the adequacy of their professional practices for operating under the cloud of large-scale, electronic surveillance. Human Rights Watch and the American Civil Liberties Union would also like to thank those government officials who spoke to us about delicate matters related to ongoing surveillance programs, as well as the public affairs officers and others who facilitated those conversations.



[1] Note that the totals of each of the separate categories do not add up to 92 because at least one subject offered comments as a member of multiple groups.


[2] James Risen and Eric Lichtblau, “Bush Lets U.S. Spy on Callers Without Courts,” New York Times, December 16, 2005, (accessed July 8, 2014).


[3]Am. Civil Liberties Union v. Nat’l Sec. Agency, 438 F. Supp. 2d 754 (E.D. Mich. 2006), vacated on jurisdictional grounds, 493 F.3d 644 (6th Cir. 2007).


[4] “Bush Administration’s Warrantless Wiretapping Program,” Washington Post, February 12, 2008, (accessed July 8, 2014) (noting that the program was not subject to court oversight).


[5] For a chronology of the surveillance revelations during this period, see G. Alex Sinha, “NSA Surveillance Since 9/11 and the Human Right to Privacy,” Loyola Law Review, vol. 59 (2013), pp. 880-885.


[6] In January of 2007, President Bush announced changes to the controversial warrantless spying program, adding a role for the FISA Court. Dan Eggen, “Court Will Oversee Wiretap Program,” Washington Post, January 18, 2007, (accessed July 8, 2014). For more information, see also Office of the Inspectors General of the Department of Defense, Department of Justice, Central Intelligence Agency, National Security Agency, and Office of the Director of National Intelligence, “ Unclassified Report on the President’s Surveillance Program,” July 10, 2009, (accessed July 16, 2014), p. 30.


[7] In modifying the legal framework, Congress initially passed (and President Bush signed) the Protect America Act in 2007. That law expired in 2008, however, and Congress did not renew it. Instead, later the same year, Congress passed the FISA Amendments Act (FAA), which was renewed again in 2012 and remained in effect as of the time of this report’s publication. The FAA dramatically expanded the government’s authority to conduct warrantless surveillance of international communications (including communications originating or terminating inside the United States). For more details, see Sinha, “NSA Surveillance Since 9/11 and the Human Right to Privacy,” Loyola Law Review, pp. 883-888.


[8] For a description of the relevant legislative changes and subsequent surveillance revelations, see Sinha, “NSA Surveillance Since 9/11 and the Human Right to Privacy,” Loyola Law Review, pp. 883-892.


[9] Glenn Greenwald, “NSA collecting phone records of millions of Verizon customers daily,” Guardian, June 5, 2013, (accessed July 8, 2014).


[10] Ibid. Subsequent reports, including the Privacy and Civil Liberties Oversight Board report on Section 215, found that under current practice, cell phone location data is not in fact collected. See Privacy and Civil Liberties Oversight Board, “Report on the Telephone Records Program Conducted under Section 215 of the USA PATRIOT Act and on the Operations of the Foreign Intelligence Surveillance Court,” January 23, 2014,  (accessed July 8, 2014), pp. 22-23.


[11] Glenn Greenwald et al., “Edward Snowden: the whistleblower behind the NSA surveillance revelations,” Guardian, June 9, 2013, (accessed July 8, 2014).


[12] Greenwald, “NSA collecting phone records of millions of Verizon customers daily,” Guardian, (accessed July 14, 2014).


[13] The key programs revealed are called “PRISM” and “Upstream.” Dominic Rush and James Ball, “PRISM Scandal: tech giants flatly deny allowing NSA direct access to servers,” Guardian, June 6, 2013, (accessed July 8, 2014); “NSA slides explain the PRISM data-collection program,” Washington Post, June 6, 2013, (accessed July 8, 2014).


[14] Charlie Savage and Mark Mazzetti, “C.I.A. Collects Global Data on Transfers of Money,” New York Times, November 14, 2013, (accessed July 8, 2014).


[15] The program revealed is called “CO-TRAVELER.” Barton Gellman and Ashkan Soltani, “NSA tracking cellphone locations worldwide, Snowden documents show,” Washington Post, December 4, 2013, (accessed July 8, 2014).


[16] Orin Kerr, “Problems with the FISC’s Newly-Declassified Opinion on Bulk Collection of Internet Metadata,” post to “Lawfare” (blog), November 19, 2013, (accessed July 8, 2014).


[17] Barton Gellman and Ashkan Soltani, “NSA collects millions of e-mail address books globally,” Washington Post, October 14, 2013, (accessed July 14, 2014).


[18] Charlie Savage and Laura Poitras, “How a Court Secretly Evolved, Extending U.S. Spies’ Reach,” New York Times, March 11, 2014, (accessed July 8, 2014).


[19] John Shiffman and Kristina Cooke, “Exclusive: U.S. directs agents to cover up program used to investigate Americans,” Reuters, August 5, 2013, (accessed July 8, 2014).

The program is called “MYSTIC,” and it employs a search tool called “RETRO.” Barton Gellman and Ashkan Soltani, “NSA surveillance program reaches ‘into the past’ to retrieve, replay phone calls,Washington Post, March 18, 2014, (accessed July 8, 2014).

Later reporting revealed that as of 2013, MYSTIC was operable in five countries, gathering voice data in the Bahamas and one other unnamed country, and gathering phone metadata in Mexico, Kenya, and the Philippines. Ryan Devereaux, Glenn Greenwald and Laura Poitras, “Data Pirates of the Caribbean: The NSA Is Recording Every Cell Phone Call in the Bahamas,” The Intercept, May 19, 2014, (accessed July 8, 2014).

On May 23, Wikileaks revealed the unnamed country inthe first report to be Afghanistan. “WikiLeaks statement on the mass recording of Afghan telephone calls by the NSA,” May 23, 2014, (accessed July 8, 2014).


[21] Under the 4th Amendment to the US Constitution, in order for the government to conduct a search of “persons, houses, papers, and effects,” the government must demonstrate to a judge probable cause that a search would reveal evidence of a crime or contraband. See U.S. Const. amend. IV.


[22] Section 215 and Section 702 are provisions of federal law, passed by Congress and signed by the president. USA PATRIOT Act (U.S. H.R. 3162, Public Law 107-56), Title II, Section 215; FISA Amendments Act of 2008, H.R. 6304, Title VII, Section 702. Executive orders are different; although they also have the force of law, and are subject to judicial review, the president can sign (or change or revoke) them unilaterally to help guide the operations of the Executive Branch. For the applicable executive order, see Executive Order 12,333, “United States Intelligence Activities,” December 4, 1981, (accessed July 9, 2014).


[23] NSLs operate like subpoenas except that they are not issued by judges. An FBI agent can issue them to seek metadata and other non-content information from third parties, without prior judicial authorization. Controversially, NSLs can be written to bar the recipient from discussing that he or she has been asked for information. While various forms of NSLs have existed for years, their use increased with the passage of the USA PATRIOT Act in 2001. None of the Snowden  revelations as of July 2014 concerned NSLs in any significant way.


[24] Human Rights Watch, “Comments for the Review Group on Intelligence and Communications Technologies,” October 11, 2013,


[25] The ACLU has summarized the implications of the various provisions in the FAA, including noting the breadth of permissible surveillance. For example, “[u]nlike surveillance under traditional FISA, surveillance under the FAA is not predicated on probable cause or individualized suspicion. The government’s targets need not be agents of foreign powers, engaged in criminal activity, or connected even remotely with terrorism. Rather, the FAA permits the government to target any foreigner located outside the United States so long as the programmatic purpose of the surveillance is to acquire ‘foreign intelligence information.’” See Submission of Jameel Jaffer, Deputy Legal Director, American Civil Liberties Union Foundation to Privacy and Civil Liberties Oversight Board, Public Hearing on Section 702 of the FISA Amendments Act, March 19, 2014, (accessed July 9, 2014), p. 5.

Further, “[n]othing in the Act requires the government even to inform the court who its surveillance targets are (beyond to say that the targets are outside the United States), what the purpose of its surveillance is (beyond to say that a “significant purpose” of the surveillance is foreign intelligence), or which Americans’ privacy is likely to be implicated by the acquisition.” See ibid., p. 9. Much information can be swept in “incidentally” in searches for information relating to targeted individuals, including communications of people who have no connection with the intelligence target.


[26] Rush and Ball, “PRISM Scandal,” Guardian,;

“NSA slides explain the PRISM data-collection program,” Washington Post,


[27] A report from July of 2014 revealed that “ordinary internet users, American and non-American alike, far outnumber legally targeted foreigners in communications intercepted by the [NSA] from U.S. digital networks.” Barton Gellman, Julie Tate, and Ashkan Soltani, “In NSA-intercepted data, those not targeted far outnumber the foreigners who are,” Washington Post, July 5, 2014, (accessed July 16, 2014).


[29] Executive Order 12,333, Part 1.1(d): Goals. Specifically, the order notes that agencies and departments should build in “full consideration of the rights of United States persons” while attempting to maximize the benefit of the country’s intelligence efforts. Ibid.


[30] Ibid., Part 2.4: Collection Techniques. The order does not provide much protection for non-US persons, except to limit searches of their personal property by the CIA. Ibid.


[31] Barton Gellman and Ashkan Soltani, “NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden Documents say,” Washington Post, October 30, 2013, (accessed July 9, 2014).


[32] For more information on Executive Order 12,333, see Mark Jaycox, Electronic Frontier Foundation, “Three Leaks, Three Weeks, and What We’ve Learned About the US Government’s Other Spying Authority: Executive Order 12333,”, November 5, 2013, (accessed July 9, 2014).


[33] US citizens, lawful permanent residents of the US, companies incorporated in the US, and “unincorporated association[s] a substantial number of members of which are citizens of the United States or aliens lawfully admitted for permanent residence”all count as “US persons.” 50 U.S. Code § 1801 (i). The minimization procedures published by the Guardian in June of 2013 indicate that the definition of “US person” used by the NSA derives from the original language of the Foreign Intelligence Surveillance Act of 1978 (FISA). “Procedures used by NSA to minimize data collection from US persons: Exhibit B, full document,” Guardian, June 20, 2013, (accessed July 8, 2014), p. 2. For the original FISA definition, see 50 U.S. Code § 1801(i).


[34] We have submitted a Freedom of Information Act Request seeking remaining minimization procedures. To read the request, see Appendix.


[35] A number of individuals and groups have recently criticized the oversight of the intelligence community as inadequate, highlighting, for example, the limited role for the FISA Court, the lack of public transparency, and the strength of the PCLOB. See, e.g., Human Rights Watch, “Comments to the Privacy and Civil Liberties Oversight Board (PCLOB)”, August 1, 2013,;

letter from Human Rights Watch to President Obama Urging Surveillance Reforms, January 16, 2014,;

Jameel Jaffer, “Obama’s NSA Proposal Reveals Broken Oversight System,” Guardian, March 25, 2014, (accessed July 9, 2014); ACLU, “

Support Oversight of the Secret FISA Court,” (accessed July 9, 2014).


[36] Ron Wyden, “Statement at Senate Intelligence Committee’s Open Hearing,” January 29, 2014, (accessed July 9, 2014).


[37] Diane Feinstein, “Statement on Intelligence Collection of Foreign Leaders,” October 28, 2013, (accessed July 9, 2014).


[38] “About the Review Group on Intelligence and Communications Technologies,” Office of the Director of National Intelligence, accessed July 9, 2014,


[39] See Review Group on Intelligence and Communications Technologies, “Liberty and Security in a Changing World,” December 12, 2013, (accessed July 9, 2014).


[40] Privacy and Civil Liberties Oversight Board, “Report on the Telephone Records Program Conducted under Section 215 of the USA PATRIOT Act and on the Operations of the Foreign Intelligence Surveillance Court,”

Both Human Rights Watch and the ACLU (working in conjunction with Amnesty International) submitted comments to the PCLOB, and provided someone to testify before the PCLOB as well. Human Rights Watch, “Comments of Human Rights Watch to the Privacy and Civil Liberties Oversight Board (PCLOB),” August 1, 2013,;

ACLU, “Submission to the PCLOB on US Surveillance and Human Rights Law,” April 16, 2014, (accessed July 9, 2014).


[41] Privacy and Civil Liberties Oversight Board, “Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act,” July 2, 2014, (accessed July 9, 2014).


[42] “Obama’s Speech on N.S.A. Phone Surveillance,” New York Times, January 17, 2014, (accessed July 9, 2014). For commentary on that speech, see “Statement on US President Obama’s surveillance speech,” Human Rights Watch news release, January 17, 2014,


[43] He also imposed certain interim limits on the querying of that information, including requiring judicial oversight and limiting searches of targets’ contacts to those linked by two degrees of separation rather than three.


[44] In part this was a result of last-minute changes shortly before the vote. Andrea Peterson, “NSA reform bill passes House, despite loss of support from privacy advocates,” Washington Post, May 22, 2014, (accessed July 9, 2014). See also “US Senate: Salvage Surveillance Reform,” Human Rights Watch news release, May 22, 2014,


[46] The USA Freedom Act, as passed by the House, would modify a bulk phone metadata program authorized under Section 215 of the USA PATRIOT Act, and includes some provisions on NSLs. It does not significantly address various other authorities, like Section 702 of FISA, or Executive Order 12,333, which appear to lie behind most of the surveillance programs revealed thus far in the Snowden documents.


[47] E.g., Stephen Cobb, “New Harris poll shows NSA revelations impact online shopping, banking, and more,” We Live Security, April 2, 2014, (accessed July 9, 2014); Alex Marthews and Catherine Tucker, “Government Surveillance and Internet Search Behavior,” unpublished paper, March 24, 2014, (accessed July 9, 2014).


[48] The meaning of the term “leak” may vary by context, so for simplicity, we will use the term broadly to include the unauthorized disclosure of government information to the press, even if that information is not sensitive, as well as the release (whether authorized by a high-level official or not) of classified information without prior declassification. On this definition, “instant declassification”—the idea that a high-level official can properly declassify information simply by making it public—would still count as a leak. For more on “instant declassification,” see Jennifer K. Elsea, Congressional Research Service, “The Protection of Classified Information: The Legal Framework,” December 17, 2002, (accessed July 9, 2014), pp.11-14.


[49] E.g., Elizabeth Goitein and David M. Shapiro, Brennan Center for Justice, New York University School of Law, “Reducing Overclassification Through Accountability,” October 5, 2011, (accessed July 9, 2014); Human Rights Watch interview with Dana Priest, national security reporter at the Washington Post, Washington, DC, December 17, 2013; Human Rights Watch interview with Jane Mayer, staff writer for The New Yorker, Washington, DC, January 16, 2014.


[50] Executive Order 13,526 provides the current guidelines for the federal government’s classification and declassification of information. Elsea, Congressional Research Service, “The Protection of Classified Information,”,      p. 3.


[51] Ibid.


[52] Ibid., p. 4.


[53] Information Security Oversight Office, “Annual Report to the President 2012,” (accessed July 9, 2014), pp. 4, 7. For more, see David E. Pozen, “The Leaky Leviathan: Why the Government Condemns and Condones Unlawful Disclosures of Information,” Harvard Law Review, vol. 127 (2013), p. 575.


[54] Elsea, Congressional Research Service, “The Protection of Classified Information,”,  pp. 10-11.


[55] Leonard Downie Jr. with reporting by Sara Rafsky, Committee to Protect Journalists, “The Obama Administration and the Press,” October 10, 2013, (accessed July 9, 2014) (documenting the various leak prosecutions pursued by the Obama administration). At the same time, the administration continues to benefit from selective, authorized leaks to the press. For an in-depth look at the US government’s handling of leaks, see Pozen, “The Leaky Leviathan,” Harvard Law Review, p. 512. Note that the Obama administration inherited two of its eight prosecutions from the Bush administration.


[56] These are the widely accepted numbers, and the recent spike is not in dispute; however, there may be room for some disagreement at the margins. See Pozen, “The Leaky Leviathan,” Harvard Law Review, p. 537.


[57] Marisa Taylor and Jonathan S. Landay, “Obama’s crackdown views leaks as aiding enemies of U.S.,” McClatchy, June 20, 2013, (accessed July 9, 2014); “National Insider Threat Taskforce,” Office of the National Counterintelligence Executive, accessed July 9, 2014,


[58] Taylor and Landay, “Obama’s crackdown views leaks as aiding enemies of U.S.,” McClatchy,

Technically, the policy does not define “insider threats” in relation to classified information specifically, but the program is designed to protect classified information. See Office of the National Counterintelligence Executive, “National Insider Threat Policy,” (accessed July 9, 2014), p. 5.


[59] Taylor and Landay, “Obama’s crackdown views leaks as aiding enemies of U.S.,” McClatchy,–vmVHl


[60] Defense Security Service, “Insider Threats: Combating the ENEMY within your organization,” (accessed July 9, 2014), p. 2.


[61] Office of the National Counterintelligence Executive, “National Insider Threat Policy,”, p. 1. The policy applies to “all executive branch departments and agencies with access to classified information, or that operate or access classified computer networks; all employees with access to classified information, including classified computer networks (and including contractors and others who access classified information, or operate or access classified computer networks controlled by the federal government); and all classified information on those networks.” Ibid.


[62] Office of the National Counterintelligence Executive, “National Insider Threat Policy,”, p. 5.


[63] Taylor and Landay, “Obama’s crackdown views leaks as aiding enemies of U.S.,” McClatchy,–vmVHl.


[64] Hadas Gold and Josh Gerstein, “Clapper signs strict new media directive,” Politico, April 21, 2014, (accessed July 9, 2014).


[65] Steven Aftergood, “ODNI Requires Pre-Publication Review of All Public Information,” Secrecy News, May 8, 2014, at (accessed July 9, 2014).


[66] Ibid.


[67] Ibid.


[68] Human Rights Watch interview with Jonathan Landay, national security and intelligence correspondent for McClatchy Newspapers, Washington DC, December 12, 2013.


[69] Human Rights Watch telephone interview with Tom Gjelten, correspondent with NPR, March 18, 2014.


[70] Human Rights Watch interview with Kathleen Carroll, Senior Vice President and Executive Editor of The Associated Press, New York, New York, May 8, 2014.


[71] E.g., Human Rights Watch interviews with Jonathan Landay, December 12, 2013, and an investigative journalist for a major outlet, New York, New York, January 23, 2014.


[72] Human Rights Watch interview with James Asher, Washington Bureau Chief for McClatchy Co., Washington DC, December 12, 2013.


[73] Human Rights Watch interview with a reporter, Washington, DC, December 17, 2013.


[74] Human Rights Watch interview with an investigative journalist for a major outlet, New York, New York, January 23, 2014.


[75] Human Rights Watch interview with a reporter who covers national defense issues, Washington DC-area, January 16, 2014.


[76] Human Rights Watch interview with Jonathan Landay, December 12, 2013.


[77] Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[78] See also Leonard Downie Jr. with reporting by Sara Rafsky, Committee to Protect Journalists, “The Obama Administration and the Press,” October 10, 2013, (accessed July 9, 2014) (also documenting these concerns).


[79] E.g., Human Rights Watch interview with James Asher, Washington DC, December 12, 2013.


[80] E.g., Human Rights Watch telephone interview with Tim Weiner, reporter for the New York Times, January 31, 2014; Human Rights Watch interview with Barton Gellman, senior fellow at The Century Foundation, New York, New York, February 10, 2014.


[81] Human Rights Watch telephone interview with Philip Bennett, Professor at Duke University and former managing editor of the Washington Post, February 26, 2014; Human Rights Watch telephone interview with Tom Gjelten, March 18, 2014. Bennett said there is “no doubt in my mind” that a cluster of national security stories in 2005 rattled the government, and prompted it to crack down on the press. Gjelten reported beginning an extended leave from reporting in March of 2005. He encountered a radical shift in source cooperation upon his return in December of 2007. “[It was] like a whole different world.”


[82] These views are not mutually exclusive, and some journalists subscribed to multiple theories. Some journalists also reported limited concern about the effect of large-scale electronic surveillance by the US government or said that they had not observed a chilling effect, though that view was uncommon and in some cases reflected the journalist’s coverage areas. E.g., Human Rights Watch interview with a reporter covering the Supreme Court, Washington DC, January 15, 2014; Human Rights Watch interview with an investigative journalist most recently covering (among other things) state-level politics, Washington DC, January 17, 2014; Human Rights Watch telephone interview with Mark Bowden, author and Distinguished Writer in Residence at The University of Delaware, January 21, 2014.


[83] Again, for more, see Downie Jr. with reporting by Rafsky, Committee to Protect Journalists, “The Obama Administration and the Press,”


[84] Human Rights Watch interview with Stephen Engelberg, editor-in-chief of ProPublica, New York, January 30, 2014.


[85] Ibid.


[86] Ibid. McClatchy calls this a “career-killing penalty.” Marisa Taylor and Jonathan S. Landay, “Obama’s crackdown views leaks as aiding enemies of U.S.,” McClatchy, June 20, 2013,–vmVHl (accessed July 14, 2014).


[87] Human Rights Watch interview with Scott Horton, writer on national security for Harper’s Magazine, New York, New York, January 13, 2014.. For more on the costs associated with leak prosecutions, see also David E. Pozen, “The Leaky Leviathan: Why the Government Condemns and Condones Unlawful Disclosures of Information,” Harvard Law Review, vol. 127 (2013), p. 553.


[88] Agencies are also making many referrals to the Department of Justice that do not become full prosecutions. Human Rights Watch interview with Peter Finn, National Security Editor at the Washington Post, Washington DC, December 17, 2013. For some statistics on the number of leak investigation referrals, see Steven Aftergood, “‘Crimes Reports’ and the Leak Referral Process,” Secrecy News, Dec. 17, 2002, (accessed July 11, 2014). Newer statistics are difficult to locate.


[89] Human Rights Watch telephone interview with Charlie Savage, reporter for the New York Times, March 14, 2014.


[90] Human Rights Watch interview with a reporter, Washington, DC, December 17, 2013.


[91] Ibid.


[92] Steven Aftergood, “Stephen Kim Leak Case Heats Up,” October 23, 2013, Secrecy News, (accessed July 11, 2014). Kim was a contractor with the State Department who was accused of leaking classified information to Fox News reporter James Rosen in 2009. The information, derived from a top-secret intelligence report, described North Korea’s intentions to perform nuclear tests.


[93] For more on Drake’s case, see PBS interview with Thomas Drake, Frontline, December 10, 2013, (accessed July 16, 2014).


[94] Scott Shane, “No Jail Time in Trial Over N.S.A. Leak,” New York Times, July 15, 2011, (accessed July 11, 2014). The judge also called the government’s conduct “unconscionable.” See also Pozen, “The Leaky Leviathan,” Harvard Law Review, p. 553 (discussing the Drakecase).


[95] Human Rights Watch interview with Peter Finn, December 17, 2013.


[96] Human Rights Watch interview with Brian Ross, Chief Investigative Correspondent for ABC News, New York, New York, February 11, 2014. Law professor David Pozen calls this view “jaundiced but not unfounded.” Pozen, “The Leaky Leviathan,” Harvard Law Review, p. 562. One reporter for a newspaper similarly criticized what he sees as a “double standard in the government’s pursuit of [leak] prosecutions.” Human Rights Watch interview with a reporter, Washington, DC, December 17, 2013. Phil Bennett, a former managing editor of the Washington Post and now a professor at Duke University, recalled then Vice-President Dick Cheney disclosing a torrent of classified information to Bob Woodward just weeks after 9/11 that portrayed the continued terrorist threat to the country as high and describing the administration’s aggressive response without “triggering a leak investigation or explaining on what authority he was making the disclosures.” Human Rights Watch telephone interview with Philip Bennett, February 26, 2014.



Human Rights Watch interview with Barton Gellman, February 10, 2014.


[98] Human Rights Watch interview with Barton Gellman, February 10, 2014.


[99] Human Rights Watch telephone interview with Peter Maass, senior writer at The Intercept, March 26, 2014.


[100] Human Rights Watch telephone interview with Charlie Savage, March 14, 2014.


[101] Human Rights Watch interview with Peter Finn, December 17, 2013. Note that Finn spoke on his own behalf, and not for the Washington Post.


[102] Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[103] Ibid.


[104] Human Rights Watch telephone interview with Peter Maass, March 26, 2014.


[105] Human Rights Watch interview with Peter Finn, December 17, 2013.


[106] Human Rights Watch interview with Marisa Taylor, investigative reporter for McClatchy Newspapers, Washington DC, January 16, 2014.


[107] Human Rights Watch interview with Jane Mayer, staff writer for The New Yorker, Washington, DC, January 16, 2014.


[108] Human Rights Watch interview with a reporter in Washington, DC, (date withheld).


[109] Email from a reporter in Washington DC to Human Rights Watch, June 5, 2014.


[110] Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[111] Human Rights Watch interview with Jonathan Landay, December 12, 2013.


[112] E.g., Human Rights Watch interviews with Steven Aftergood, Director, Federation of American Scientists’ Project on Government Secrecy, Washington DC, December 11, 2013, and Peter Finn, December 17, 2013.


[113] Human Rights Watch interview with a journalist (name, location, and date withheld).


[114] Human Rights Watch interview with a journalist (name, location, and date withheld).


[115] Human Rights Watch interview with Peter Finn, December 17, 2013.


[116] Human Rights Watch interview with Barton Gellman, February 10, 2014.


[117] Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[118] Human Rights Watch interview with Peter Finn, December 17, 2013.


[119] Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[120] Ibid.


[121] Ibid.


[122] Human Rights Watch interview with Barton Gellman, February 10, 2014.


[123] E.g., Human Rights Watch telephone interview with Peter Maass, March 26, 2014.


[124] Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[125] Ibid.


[126] Ibid.


[127]Human Rights Watch interview with Brian Ross, February 11, 2014.


[128] “Procedures used by NSA to minimize data collection from US persons: Exhibit B – full document,” Guardian, June 20, 2013, (accessed July 11, 2014).


[129] Human Rights Watch interview with Barton Gellman, February 10, 2014.


[130] Human Rights Watch interview with an investigative reporter, Washington, DC, November 19, 2013.


[131] Human Rights Watch interviews with multiple journalists (names, locations, and dates withheld).


[132] By using encryption in combination with the software Tor, some journalists may be able to hide their communication patterns in a way that encryption alone does not.


[133] Human Rights Watch interviews with multiple journalists (names, locations, and dates withheld).


[134] E.g., Human Rights Watch interviews with a national security reporter, January 14, 2014 and Steve Coll, February 14, 2014.


[135] Human Rights Watch interview with Steve Coll, February 14, 2014.


[136] Human Rights Watch interviews with Jonathan Landay, December 12, 2013; a national security reporter, Washington, DC, January 14, 2014; and Barton Gellman, February 10, 2014.


[137] Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[138] E.g., Human Rights Watch interview with Steven Aftergood, December 11, 2013.


[139] Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[140] Human Rights Watch interview with Steve Coll, February 14, 2014.


[141] Ibid.


[142] Human Rights Watch interview with Barton Gellman, February 10, 2014. See Section II, The Impact of Surveillance on Journalists, Footnote 132.


[143] E.g., Human Rights Watch interviews with an investigative journalist, Washington, DC, November 19, 2013, and a national security reporter, Washington, DC, January 14, 2014.


[144] Glenn Greenwald and James Ball, “The top secret rules that allow NSA to use US data without a warrant,” Guardian, June 20, 2013, (accessed July 11, 2014).


[145] Human Rights Watch telephone interview with Scott Shane, intelligence reporter for the New York Times, April 2, 2014.


[146] Ibid.


[147] “Former NSA Senior Executive Charged with Illegally Retaining Classified Information, Obstructing Justice and Making False Statements,” Department of Justice press release, April 15, 2010, (accessed July 14, 2014). He was indicted in 2010 on charges related to espionage and obstructing the investigation against him, but after a costly trial, had all charges dropped in exchange for a guilty plea to a misdemeanor for exceeding authorized use of a computer.


[148] Human Rights Watch interview with Eric Schmitt, reporter for the New York Times, Washington, DC, January 28, 2014.


[149] Human Rights Watch Interview with Steven Aftergood, December 11, 2013.


[150] At the same time, a growing number of intelligence and national security journalists are posting PGP keys on their Twitter pages, signifying to potential sources that they possess some useful level of technological sophistication.


[151] A couple of journalists flagged the development of secure drop boxes, which allow sources (with online instruction) to submit files to a news outlet without independently learning how to use encryption software. E.g., Human Rights Watch interview with Barton Gellman, February 10, 2014. See, e.g., The New Yorker Strongbox, accessed July 14, 2014,


[152] Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[153] Human Rights Watch interview with Jane Mayer, January 16, 2014.


[154] Human Rights Watch interviews with Jonathan Landay, December 12, 2013; Peter Finn, December 17, 2013; a national security reporter, Washington, DC January 14, 2014; and Jane Mayer, Washington, DC, January 16, 2014; Human Rights Watch telephone interviews with a reporter who covers law enforcement and national security, February 4, 2014, and a journalist covering Afghanistan, March 18, 2014.


[155] Human Rights Watch interview with Steve Coll, February 14, 2014.


[156] Human Rights Watch interview with Barton Gellman, February 10, 2014.


[157] Human Rights Watch interview with Jane Mayer, January 16, 2014.


[158] Human Rights Watch interview with an investigative journalist for a major outlet, New York, January 23, 2014.


[159] One journalist described having his name on a list to be supplied with some advanced technology by his outlet. Human Rights Watch interview with Eric Schmitt, January 28, 2014.


[160] Human Rights Watch interview with an investigative reporter, Washington, DC, November 19, 2013.


[161] For more on the PRISM program, see Section I, Background: US Surveillance, Secrecy, and Crackdown on Leaks, Footnote 13.


[162] E.g., Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[163] Ibid.


[164] E.g., Human Rights Watch interviews with Martin Knobbe, New York-based correspondent for Stern Magazine, New York, New York, January 13, 2014, and a reporter in Washington, DC (date withheld).


[165] Human Rights Watch interview with Jonathan Landay, December 12, 2013.


[166] Human Rights Watch interview with Peter Finn, December 17, 2013.


[167] E.g., Human Rights Watch interviews with a national security reporter, Washington, DC, January 14, 2014, and a New York-based investigative journalist, New York, March 24, 2014.


[168] Human Rights Watch interview with Stephen Engelberg, January 30, 2014.


[169] Human Rights Watch interview with a New York-based investigative journalist, New York, March 24, 2014.


[170] E.g., Human Rights Watch interview with a reporter, Washington, DC, December 17, 2013; Human Rights Watch telephone interview with Scott Shane, April 2, 2014.


[171] Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[172] Human Rights Watch interview with Eric Schmitt, January 28, 2014; Human Rights Watch telephone interview with Peter Maass, March 26, 2014; email correspondence with Peter Maass, July 3, 2014.


[173] Human Rights Watch email correspondence with Peter Maass, July3, 2014.


[174] Human Rights Watch telephone interview with Peter Maass, March 26, 2014.


[175] Human Rights Watch interviews with Steven Aftergood, December 11, 2013, and Martin Knobbe, January 13, 2014.


[176] Human Rights Watch interview with an investigative journalist for a major outlet, New York, January 23, 2014. For background, see Ron Nixon, “U.S. Postal Service Logging All Mail for Law Enforcement,” New York Times, July 3, 2013,


[177] Human Rights Watch telephone interview with Peter Maass, March 26, 2014.


[178] E.g., Human Rights Watch interviews with Jonathan Landay, December 12, 2013, and a national security reporter, Washington, DC, January 14, 2014.


[179] Human Rights Watch interviews with an investigative journalist for a major  outlet, New York, January 23, 2014, and Stephen Engelberg, January 30, 2014.


[180] Human Rights Watch interview with Stephen Engelberg, January 30, 2014.


[181] Human Rights Watch interview with an investigative reporter, Washington, DC, November 19, 2013.


[182] Human Rights Watch interview with Jonathan Landay, December 12, 2013.


[183] Human Rights Watch interviews with multiple journalists (names, locations, and dates withheld).


[184] Human Rights Watch telephone interview with a journalist covering immigration issues, February 4, 2014; Human Rights Watch interviews with an investigative reporter, Washington, DC, November 19, 2013; Scott Horton, January 13, 2014; and Jonathan Landay, December 12, 2013. Peter Maass described one such common practice from Russia dating back at least 10 years ago. During a visit to Russia around that time, Maass watched an acquaintance borrow a stranger’s phone in a restaurant. The acquaintance wanted to make a sensitive call without having it traced back to him. When Maass asked him why the stranger would lend his phone so readily, the acquaintance replied, “We all do that now.” Human Rights Watch telephone interview with Peter Maass, March 26, 2014.


[185] Liz Klimas, “Report: The FBI Can Remotely Turn on Phone Microphones for Spying,” The Blaze, August 2, 2013, (accessed July 14, 2014).


[186] E.g., Human Rights Watch interviews with an investigative reporter, Washington, DC, November 19, 2013, and an investigative journalist for a major outlet, New York, January 23, 2014.


[187] Human Rights Watch interview with Scott Horton, January 13, 2014.


[188] Human Rights Watch interviews with Brian Ross, February 11, 2014, and Jonathan Landay, December 12, 2013.


[189] Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[190] Human Rights Watch interview with Jonathan Landay, December 12, 2013.


[191] Human Rights Watch interview with Brian Ross, February 11, 2014.


[192] Human Rights Watch interview with Jonathan Landay, December 12, 2013.


[193] Human Rights Watch interview with Barton Gellman, February 10, 2014.


[194] Ibid.


[195] Human Rights Watch interview with a journalist (name, location, and date withheld).


[196] Patrick Donahue and John Walcott, “U.S. Offered Berlin ‘Five Eyes’ Pact. Merkel Was Done With It,” Bloomberg, July 12, 2014, (accessed July 14, 2014).


[197] Maria McFarland Sanchez-Moreno, “What is the NSA Sharing with Other Countries?,” Al Jazeera America, January 24, 2014, (accessed July 14, 2014).


[198] James Risen & Laura Poitras, “Spying by N.S.A. Ally Entangled U.S. Law Firm,” New York Times, Feb. 15, 2014, (accessed July 14, 2014).


[199] For more on related statements by the same official, see Section IV, The Government’s Rationale for Surveillance.


[200] Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[201] Ibid.


[202] Ibid.


[203] Human Rights Watch interview with a reporter for a major newspaper, Washington, DC, December 17, 2013.


[204] E.g., Human Rights Watch interview with Jane Mayer, January 16, 2014.


[205] E.g., Human Rights Watch interviews with a reporter, Washington, DC, December 17, 2013, and Adam Goldman, reporter with the Washington Post, Washington, DC, January 28, 2014.


[206] Human Rights Watch interview with Barton Gellman, February 10, 2014


[207] Human Rights Watch interview with Martin Knobbe, January 13, 2014.


[208] Human Rights Watch Interview with Marisa Taylor, January 16, 2014.


[209] Human Rights Watch interview with Stephen Engelberg, January 30, 2014.


[210] Ibid.


[211] Human Rights Watch interview with James Asher, December 12, 2013.


[212] Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[213] Ibid.


[214] Ibid. Human Rights Watch interviews with Jane Mayer, January 16, 2014; Martin Knobbe, January 13, 2014; and Eric Schmitt, January 28, 2014. Human Rights Watch telephone interview with a reporter who covers law enforcement and national security, February 4, 2014.


[215] Human Rights Watch telephone interview with Scott Shane, April 2, 2014.


[216] Ibid.


[217] Human Rights Watch interview with a reporter, Washington, DC, December 17, 2013.


[218] Human Rights Watch interview with Jonathan Landay, December 12, 2013.


[219] Ibid.


[220] Human Rights Watch interview with Jane Mayer, January 16, 2014.


[221] Human Rights Watch interview with Jane Mayer, January 16, 2014


[222] Human Rights Watch interview with Barton Gellman, February 10, 2014.


[223] Human Rights Watch interview with Stephen Engelberg, January 30, 2014.


[224] Human Rights Watch interview with Kathleen Carroll, May 8, 2014.


[225] Human Rights Watch email correspondence with Tim Weiner, July 2, 2014.


[226] Human Rights Watch interview with Betty Medsger, former Washington Post reporter, New York, New York, January 24, 2014.


[227] Ibid.


[228] Human Rights Watch email correspondence with Tim Weiner, July 10, 2014. Weiner has written several books, including Legacy of Ashes: The History of the CIA, (New York: Anchor Books, 2008).


[229] Human Rights Watch email correspondence with Phil Bennett, July 10, 2014.


[230] Medsger’s stories appeared in 1971, the Watergate scandal occurred in 1972, Seymour Hersh published some major revelations about the CIA’s activities in 1974, and in 1975, both the executive and the legislative branches launched investigations into the intelligence community. For more on the chronology of these events, see G. Alex Sinha, “NSA Surveillance Since 9/11 and the Human Right to Privacy,” Loyola Law Review, vol. 59 (2013), pp. 871-873. For more on the story behind Medsger’s reporting, see Betty Medsger, The Burglary: The Discovery of J. Edgar Hoover’s Secret FBI, (New York: Alfred A. Knopf, 2014).


[231] Human Rights Watch interview with Betty Medsger, January 24, 2014.


[232] Human Rights Watch email correspondence with Tim Weiner, July 2, 2014.


[233] Human Rights Watch interview with Betty Medsger, January 24, 2014.


[234] Human Rights Watch Interview with Steven Aftergood, December 11, 2013.


[235] Human Rights Watch telephone interview with Peter Maass, March 26, 2014.


[236] Human Rights Watch interview with Dana Priest, national security reporter at the Washington Post, Washington, DC, December 17, 2013.


[237] Ibid.


[238] Ibid.


[239] Human Rights Watch interview with Steve Coll, February 14, 2014.


[240] Human Rights Watch interview with James Asher, December 12, 2013.


[241] Human Rights Watch interview with Kathleen Carroll, May 8, 2014.


[242] Human Rights Watch interview with Dana Priest, December 17, 2013.


[243] Human Rights Watch telephone interview with Scott Shane, April 2, 2014.


[244] Human Rights Watch telephone interview with a reporter who covers law enforcement and national security, February 4, 2014.


[245] Human Rights Watch interview with Brian Ross, February 11, 2014.


[246] Human Rights Watch interview with Adam Goldman, January 28, 2014.


[247] Ibid.


[248] Hadas Gold, “Clapper refers to Snowden ‘accomplices’,” Politico, January 29, 2014, (accessed July 14, 2014).


[249] Ibid.


[250] Josh Gerstein, “Intelligence chairman accuses Glenn Greenwald of illegally selling stolen material,” Politico, February 4, 2014, (accessed July 14, 2014).


[251] Ibid.


[252] For more on this comparison, see Section IV, The Government’s Rationale for Surveillance.


[253] Human Rights Watch telephone interview with Scott Shane, April 2, 2014.


[254] Human Rights Watch telephone interview with Peter Maass, March 26, 2014.


[255] Ibid.


[256] Human Rights Watch interview with Jonathan Landay, December 12, 2013.


[257] Human Rights Watch interview with a national security reporter, Washington, DC, January 14, 2014.


[258] Much information related to ongoing legal matters is confidential in the sense that attorneys must not reveal it without the client’s informed consent. This includes communications between attorneys and clients, the reasoning behind strategic decisions made pertaining to the case, and information an attorney learns about his client during the representation. The attorney-client privilege is narrower than the duty of confidentiality; it applies to specific sorts of communications, especially (but not exclusively) between attorneys and their clients. The privilege manifests itself primarily as a rule of evidence: privileged communications cannot be introduced in legal proceedings without the client’s consent. Respect for client confidentiality and the attorney-client privilege enables clients to trust their attorneys and facilitates open communication.


[259] Human Rights Watch telephone interview with Maureen Franco, federal public defender for the west district of Texas, March 14, 2014.


[260] As one American Bar Association (ABA) publication put it, “[G]iven the secretive nature of the NSA, as well as the United States Foreign Intelligence Surveillance Court that oversees its surveillance warrants, lawyers can’t even be sure of what is and what is not legal.” Victor Li, ABA Journal, “Tools for lawyers worried that NSA is eavesdropping on their confidential conversations,” March 30, 2014, (accessed July 14, 2014).


[261] In 2013, in a case that predated the Snowden revelations, the Supreme Court denied standing to people who felt obliged to change their practices to guard against surveillance undertaken pursuant to one specific legal authority, Section 702, because they could not demonstrate that their communications had actually been collected. For that ruling and its rationale, see generally Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013). New challenges are underway based on the Snowden revelations and related acknowledgments of surveillance by the government.


[262] Letter from NSA Director General Keith Alexander to ABA President James Silkenat, March 10, 2014, (accessed July 14, 2014).


[263] “Procedures used by NSA to minimize data collection from US persons: Exhibit B – full document,” Guardian, June 20, 2014, (accessed July 14, 2014), pp. 4-5.


[264] Nicolas Niarchos, “Has the NSA Wiretapping Violated Attorney-Client Privilege?,” The Nation, February 4, 2014, (accessed July 14, 2014).


[265] Letter from ABA President James Silkenat to NSA Director General Keith Alexander and NSA General Counsel Rajesh De, February 20, 2014, (accessed July 14, 2014).


[266] Letter from NSA Director General Keith Alexander to ABA President James Silkenat, March 10, 2014, The ABA acknowledged General Alexander’s response in a short public statement. American Bar Association, “ABA president responds to NSA letter regarding attorney-client privilege,” March 11, 2014, (accessed July 14, 2014).


[267] Letter from NSA Director General Keith Alexander to ABA President James Silkenat, March 10, 2014,, p. 3.


[268] Ibid., 2.


[269] Human Rights Watch telephone interview with Tom Durkin, national security defense attorney, March 6, 2014.


[270] Ibid.


[271] Human Rights Watch telephone interview with a litigator with a private practice representing international clients, April 7, 2014.


[272] Ibid.


[273] Human Rights Watch telephone interview with a federal defender handling a terrorism case, April 3, 2014.


[274] Ibid.


[275] Human Rights Watch telephone interview with Linda Moreno, defense attorney specializing in national security and terrorism cases, March 12 and in-person interview, New York, New York, March 20, 2014.


[276] One group of criminal defense attorneys operates under especially difficult circumstances in this respect. Attorneys defending detainees held at Guantanamo Bay, Cuba, have faced extreme difficulty in trying to protect the confidentiality of communications with their clients. All phones at the military base at Guantanamo are subject to surveillance; in February 2013 defense attorneys discovered listening devices disguised as smoke detectors in attorney client meeting rooms; all meetings with clients are monitored with cameras; in late January 2013, during a different Guantanamo hearing, the judge learned that some unknown government agency was monitoring the courtroom feed and could pick up conversations, even at a whisper, between attorneys and their clients at defense tables; and in mid-April last year, an enormous number of prosecution and defense files disappeared from the server that both legal teams are required to use to process the highly classified documents in the case. Human Rights Watch telephone interview with Michael Schwartz, Air Force JAG who does work before the Guantanamo commissions, March 11, 2014; Laura Pitter, “Listening In,” Foreign Policy, February 21, 2013, (accessed July 16, 2014); Jane Sutton, “Vanishing files delay Guantanamo hearings in 9/11 case,” Reuters, April 17, 2013, (accessed July 16, 2014). As a result of these and other obstacles to protecting attorney client confidences, Guantanamo attorneys had been forced to modify their practices independently of concerns about large-scale electronic surveillance. It is all the more striking that some of these attorneys have felt the need to modify their practices even further in light of the Snowden revelations. E.g., Human Rights Watch telephone interviews with James Connell III, defense attorney for one of the Guantanamo detainees, March 18, 2014, and Jason Wright, Army JAG who does work before the Guantanamo commissions, March 31, 2014.


[277] Human Rights Watch email correspondence with an information security officer at a major international law firm based in Los Angeles, California, April 8, 2014.


[278] Human Rights Watch telephone interview with a partner in the litigation department of a large firm, March 25, 2014.


[279] The ABA Journal published an article on the tools available to lawyers to protect against surveillance. Victor Li, “Tools for lawyers worried that NSA is eavesdropping on their confidential conversations,”

The ABA Litigation Journal also designated an entire issue to questions of surveillance. See generally ABA Litigation Journal, Spring 2014 issue, available at (accessed July 14, 2014).


[280] Brief for Association of the Bar of the City of New York as Amici Curiae Supporting Plaintiffs-Appellants, ACLU v. Clapper, Case No. 13 Civ. 3994 (WHP) (Mar. 13, 2014), (accessed July 14, 2014).


[281] The NACDL has held webinars on legal issues related to the introduction of surveillance information as evidence in criminal prosecutions. NACDL, “NACDL Hosts Educational Webinars on NSA and FISA,” November 25, 2013, (accessed July 14, 2014).


[282] The National Lawyers Guild put out a report in the spring of 2014 on its long history with government surveillance, and the effects of surveillance on the legal profession. Traci Yoder, National Lawyers Guild, “Breach of Privilege: Spying on Lawyers in the United States,” April 2014, (accessed July 14, 2014).


[283] For more on the professional responsibilities of lawyers operating under the threat of surveillance, see The Implications of Surveillance for the Professional Responsibilities of Lawyers, Section III.


[284] Human Rights Watch interview with Stephen Gillers, Elihu Root Professor of Law at NYU School of Law, New York, New York, April 7, 2014; Human Rights Watch telephone interview with Ron Kuby, criminal defense and civil rights lawyer, March 7, 2014.


[285] Affirmation of Professor Stephen Gillers, Ctr. for Constitutional Rights v. Bush, Case No. 06-cv-313 (June 30, 2006), (accessed July 14, 2014).


[286] American Bar Association Model Rules, Rule 1.6(c): Confidentiality of Information, (accessed July 14, 2014).


[287] American Bar Association, “August 2012 Amendments to ABA Model Rules of Professional Conduct,” (accessed July 14, 2014), pp. 5-7.


[288] Human Rights Watch telephone interview with Andrew Perlman, Professor at Suffolk University Law School, March 14, 2014.


[289] Ibid. See also Affirmation of Professor Stephen Gillers, Center for Constitutional Rights v. Bush, Case No. 06-cv-313 (June 30, 2006).


[290] Human Rights Watch telephone interview with Andrew Perlman, March 14, 2014.


[291] Ibid.


[292] Affirmation of Professor Stephen Gillers, Center for Constitutional Rights v. Bush, Case No. 06-cv-313 (June 30, 2006), paras. 3, 8.


[293] Human Rights Watch interview with Stephen Gillers, April 7, 2014.


[294] Niarchos, “Has the NSA Wiretapping Violated Attorney-Client Privilege?” The Nation,


[295] Ibid.


[296] James Risen and Laura Poitras, “Spying by N.S.A. Ally Entangled U.S. Law Firm,” New York Times, February 15, 2014, (accessed July 14, 2014).


[297] Ibid.


[298] Human Rights Watch telephone interview with Andrew Perlman, March 14, 2014.


[299] American Bar Association, “August 2012 Amendments to ABA Model Rules of Professional Conduct,” (accessed July 14, 2014), p. 7.


[300] Ibid.


[301] Human Rights Watch telephone interview with Jonathan Hafetz, Associate Professor of law at Seton Hall University School of Law, March 13, 2014. Hafetz noted that he became concerned after initial reports about NSA domestic surveillance in 2005, and that his concerns have only grown with the Snowden revelations.


[302] Human Rights Watch telephone interviews with Rob Feitel, defense attorney, March 7, 2014; and an experienced criminal defense attorney, March 10, 2014; Human Rights Watch telephone interview with Linda Moreno, March 12, 2014 and in-person interview, March 20, 2014; Human Rights Watch telephone interview with Jonathan Hafetz, March 13, 2014.


[303] Human Rights Watch telephone interview with Linda Moreno, March 12, 2014 and in-person interview, March 20, 2014.


[304] Email from Nancy Hollander, attorney, to Human Rights Watch, June 24, 2014.


[305] Human Rights Watch interview with Stephen Gillers, April 7, 2014.


[306] Human Rights Watch telephone interview with an experienced criminal defense attorney, March 10, 2014.


[307] Ibid.


[308] Ibid.

Andrew Perlman, “Protecting Client Confidences in a Digital Age: The Case of the NSA,” JURIST – Forum, March 4, 2014, (accessed July 14, 2014).


[310] Human Rights Watch telephone interview with Andrew Perlman, March 14, 2014.


[311] Ibid.


[312] Ibid.


[313] Human Rights Watch telephone interview with James Connell III, March 18, 2014.


[314] Human Rights Watch interview with Shane Kadidal, senior managing attorney of the Guantanamo Global Justice Initiative at the Center for Constitutional Rights, New York, New York, March 6, 2014.


[315] Human Rights Watch telephone interview with a federal defender handling a terrorism case, April 3, 2014.


[316] Human Rights Watch telephone interview with Ron Kuby, March 7, 2014.


[317] Human Rights Watch skype interview with Nancy Hollander, April 9, 2014.


[318] Human Rights Watch telephone interview with Ron Kuby, March 7, 2014.


[319] Human Rights Watch telephone interview with Josh Dratel, a criminal defense attorney who has handled numerous terrorism cases, October 11, 2013.


[320] Ibid.


[321] Ibid.


[322] Ibid.


[323] E.g., Human Rights Watch telephone interviews with an experienced criminal defense attorney, March 10, 2014; Human Rights Watch telephone interview with Linda Moreno, March 12, 2014 and in-person interview, March 20, 2014; Human Rights Watch telephone interviews with Jonathan Hafetz, March 13, 2014, and a federal defender based on the West Coast, March 20, 2014.


[324] E.g., Human Rights Watch telephone interview with an experienced criminal defense attorney, March 10, 2014.


[325] Ibid.


[326] “JAG” stands for “Judge Advocate General,” and in this context refers to those who serve in the legal branch of the US armed forces.


[327] Human Rights Watch telephone interview with Jason Wright, March 31, 2014.


[328] Human Rights Watch telephone interview with Ahmed Ghappour, Professor of law at UC Hastings, October 8, 2013.


[329] Human Rights Watch interview with a clinical law professor who handles national security matters, New York, March 19, 2014.


[330] Human Rights Watch telephone interview with Tom Durkin, March 6, 2014.


[331] Human Rights Watch telephone interview with Josh Dratel, October 11, 2013. For more on the government’s use of evidence acquired through FISA or the FAA, see Human Rights Watch and Columbia Law School Human Rights Institute, Illusions of Justice: Human Rights Abuses in US Terror Prosecutions,, pp. 96-106.


[332] Human Rights Watch telephone interview with Ron Kuby, March 7, 2014.


[333] Human Rights Watch telephone interview with Tom Durkin, March 6, 2014.


[334] Ibid.


[335] E.g., Human Rights Watch telephone interviews with a New York-based national defense litigator, October 2, 2013; Josh Dratel, October 11, 2013; and a leading national security defense attorney, March 6, 2014; Human Rights Watch interview with Shane Kadidal, March 6, 2014; Human Rights Watch telephone interviews with Rob Feitel, March 7, 2014, and Ron Kuby, March 7, 2014.


[336] Human Rights Watch telephone interview with Linda Moreno, March 12, 2014 and in-person interview, March 20, 2014.


[337] Human Rights Watch interview with a clinical law professor who handles national security matters, New York, March 19, 2014.


[338] Human Rights Watch telephone interview with Rob Feitel, March 7, 2014.


[339] Human Rights Watch interviews with multiple lawyers (names, locations, and dates withheld).


[340] Human Rights Watch interview with a lawyer (name, location, and date withheld).


[341] Human Rights Watch email correspondence with a lawyer (name, location, and date withheld), June 26, 2014.


[342] Human Rights Watch interview with an attorney (name, location, and date withheld). For more on why this is not an idle worry, see Jacob Appelbaum et al., “NSA targets the privacy conscious,” Das Erste, July 3, 2014, (accessed July 14, 2014).


[343] Human Rights Watch interview with a lawyer (name, location, and date withheld).


[344] Ibid.


[345] Ibid.


[346] Human Rights Watch telephone interview with a defense attorney (date withheld).


[347] Ibid.


[348] Human Rights Watch interview with a clinical law professor who handles national security matters, New York, March 19, 2014.


[349] E.g., Human Rights Watch interview with Shane Kadidal, March 6, 2014; Human Rights Watch telephone interviews with Rob Feitel, March 7, 2014, and Ron Kuby, March 7, 2014; Human Rights Watch telephone interview with Linda Moreno, March 12, 2014 and in-person interview, March 20, 2014; Human Rights Watch telephone interviews with a lawyer specializing in international dispute resolution at a major international firm, April 1, 2014, and a litigator with a private practice representing international clients, April 7, 2014.


[350] Human Rights Watch telephone interview with a lawyer specializing in international dispute resolution at a major international firm, April 1, 2014.


[351] Ibid.


[352] Human Rights Watch telephone interview with an experienced criminal defense attorney, March 10, 2014.


[353] Human Rights Watch telephone interview with Linda Moreno, March 12, 2014 and in-person interview, March 20, 2014.


[354] Human Rights Watch telephone interview with Tom Durkin, March 6, 2014. Subsequently, Durkin added, “But recently I was forced to do the same.” Human Rights Watch telephone interview with Tom Durkin, July 7, 2014.


[355] Human Rights Watch telephone interview with Linda Moreno, March 12, 2014 and in-person interview, March 20, 2014.


[356] Human Rights Watch telephone interview with a federal defender handling a terrorism case, April 3, 2014.


[357] Human Rights Watch email exchange with a litigator with a private practice representing international clients, July 10, 2014.


[358] Human Rights Watch telephone interview with Linda Moreno, March 12, 2014 and in-person interview, March 20, 2014.


[359] Human Rights Watch telephone interview with James Connell III, March 18, 2014.


[360] On May 16, 2013, Obama offered a public explanation for his interest in stopping leaks of national security information. “Leaks related to national security can put people at risk. They can put men and women in uniform that I’ve sent into the battlefield at risk. They can put some of our intelligence officers, who are in various, dangerous situations that are easily compromised, at risk. . . . So I make no apologies, and I don’t think the American people would expect me as commander in chief not to be concerned about information that might compromise their missions or might get them killed.” Joint Conference, President Obama and Prime Minister Erdogan of Turkey, Washington, DC, May 16, 2013, (accessed July 14, 2014).


[361] Human Rights Watch interview with a senior intelligence official, April 15, 2014 (location withheld).


[362] Human Rights Watch telephone interview with Bob Deitz, General Counsel for the NSA from 1998 to 2006, April 1, 2014.


[363] For more on this sequence of events, see G. Alex Sinha, “NSA Surveillance Since 9/11 and the Human Right to Privacy,” Loyola Law Review, vol. 59 (2013), pp. 871-873.


[364] Human Rights Watch interview with senior FBI official, Washington, DC, May 12, 2014. The FBI official identified the mistakes as concerning “how NSA processed certain communications,” but he did not elaborate.


[365] For more on that discussion, see Brennan Center for Justice, New York University School of Law, “Are They Allowed to Do That? A Breakdown of Selected Government Surveillance Programs,” (accessed July 14, 2014), p. 3.


[366] For more on that possibility, see Andrea Peterson, “LOVEINT: When NSA officers use their spying power on love interests,” Washington Post, August 24, 2013, (accessed July 14, 2014).


[367] As noted in the Background section above, however, oversight mechanisms for the surveillance programs have received significant criticism recently, in part because various people involved in oversight have themselves expressed concerns. For more on some of that criticism, see Spencer Ackerman, “Fisa court documents reveal extents of NSA disregard for privacy restrictions,” Guardian, November 19, 2013, (accessed July 14, 2014).


[368] Human Rights Watch interview with senior FBI official, Washington, DC, May 12, 2014.


[369] Human Rights Watch interview with senior FBI official, Washington, DC, May 12, 2014.


[370] Human Rights Watch interview with a senior intelligence official, April 15, 2014 (location withheld).


[371] Human Rights Watch telephone interview with former DOJ official, April 10, 2014. The United States takes the position that “[n]othing in [the ICCPR] requires or authorizes legislation, or other action, by the United States of America prohibited by the Constitution of the United States as interpreted by the United States.” U.S. reservations, declarations, and understandings, International Covenant on Civil and Political Rights, 138 Cong. Rec. S4781-01 (daily ed., April 2, 1992),

The Human Rights Committee criticized this position in the concluding observations of its first review of the United States’ compliance with the ICCPR, noting, “The Committee regrets the extent of the State party’s reservations, declarations and understandings to the Covenant. It believes that, taken together, they intended to ensure that the United States has accepted only what is already the law of the United States.” Report of the Human Rights Committee, A/50/40, October 3, 1995,, para. 279.


[372] Human Rights Watch interview with senior FBI official, Washington, DC, May 12, 2014.


[373] Human Rights Watch telephone interview with Bob Deitz, April 1, 2014.


[374] Human Rights Watch interview with senior intelligence official, April 15, 2014 (location withheld).


[375] Ibid.


[376] Ibid. “GCHQ” refers to Government Communications Headquarters, a British intelligence agency.


[377] Ibid.


[378] Ibid.


[379] “Obama’s Speech on N.S.A. Phone Surveillance,” New York Times, January 17, 2014, (accessed July 14, 2014).


[380] Ibid.


[381] Human Rights Watch interview with senior intelligence official, April 15, 2014 (location withheld).


[382] Ibid.


[383] Ibid.


[384] For example, according to a senior DOJ official, “the FBI is the component of the Department of Justice that conducts electronic surveillance under FISA and therefore has minimization procedures governing the information that is acquired.” Email from senior DOJ official to Human Rights Watch, July 15, 2014.


[385] Ibid.


[386] Ibid.


[387] Human Rights Watch interview with senior intelligence official, April 15, 2014

(location withheld).


Human Rights Watch telephone interview with Bob Deitz, April 1, 2014, Human Rights Watch interview with senior intelligence official, April 15, 2014 (location withheld).


[389] Human Rights Watch interview with senior intelligence official, April 15, 2014 (location withheld).


[390] Ibid.


[391] Human Rights Watch telephone interview with Bob Deitz, April 1, 2014.


[392] Ibid.


[393] Several journalists expected this sort of response, believing that the government actively intends for there to be a chilling effect. E.g., Human Rights Watch interviews with Dana Priest, national security reporter at the Washington Post, Washington, DC, December 17, 2013; Human Rights Watch telephone interview with Scott Shane, intelligence reporter for the New York Times, April 2, 2014.


[394] Email from senior DOJ official to Human Rights Watch, July 15, 2014.


[395] Ibid. The same official explained that the National Security Division of the Justice Department (NSD), which handles leak investigations, does not itself query such information, though the NSD “is responsible for obtaining authorization to conduct electronic surveillance under the Foreign Intelligence Surveillance Act (FISA) and representing the government before the Foreign Intelligence Surveillance Court.” Ibid.


[396] Ibid.


[397] Ibid.


[398] Human Rights Watch interview with senior intelligence official, April 15, 2014 (location withheld).


[399] Ibid.


[400] Human Rights Watch interview with senior FBI official, Washington, DC, May 12, 2014.


[401] Human Rights Watch telephone interview with Bob Deitz, April 1, 2014.


[402] Human Rights Watch interview with senior intelligence official, April 15, 2014 (location withheld).


[403] Human Rights Watch telephone interview with Bob Deitz, April 1, 2014.


[404] Human Rights Watch interview with senior intelligence official, April 15, 2014 (location withheld).


[405] Ibid.


[406] Human Rights Watch telephone interview with Charlie Savage, reporter for the New York Times, March 14, 2014.


[407] E.g. Human Rights Watch interview with James Asher, Washington Bureau Chief for McClatchy Co., Washington, DC, December 12, 2013; Human Rights Watch telephone interview with Charlie Savage, March 14, 2014.


[408] Human Rights Watch telephone interview with Charlie Savage, March 14, 2014.


[409] Human Rights Watch interview with senior intelligence official, April 15, 2014 (location withheld).


[410] Ibid.


[411] Ibid.


[412] Human Rights Watch telephone interview with former DOJ official, April 10, 2014.


[413] Human Rights Watch interview with senior FBI official, Washington, DC, May 12, 2014.


[414] “The problem with organizations [like HRW and the ACLU] is that they’re monomaniacs,” he said, adding that such groups are blind to “shade[s] of gray” in public policy questions, a result he termed “ridiculous.” When our researcher insisted that both organizations genuinely seek to understand the government’s stances on these issues, Deitz replied, “Color me skeptical.” Human Rights Watch telephone interview with Bob Deitz, April 1, 2014.


[415] E.g., Comments of Human Rights Watch to the Privacy and Civil Liberties Oversight Board, August 1, 2013,;

Human Rights Watch, Letter to President Obama Urging Surveillance Reforms, January 16, 2014,;

Human Rights Watch and the Electronic Frontier Foundation Supplemental Submission to the Human Rights Committee During its Consideration of the Fourth Periodic Report of the United States, February 14, 2014,;

Human Rights Watch, Joint Submission to OHCHR Consultation in Connection with General Assembly Resolution 68/167: “The Right to Privacy in the Digital Age,” April 1, 2014,

Privacy and Civil Liberties Oversight Board Public Hearing on Section 702 of the FISA Amendments Act, Submission of Amnesty International & American Civil Liberties Union, March 19, 2014, (accessed July 17, 2014);

American Civil Liberties Union, “Privacy Rights in the Digital Age: A Proposal for a New General Comment on the Right to Privacy under Article 17 of the International Covenant on Civil and Political Rights, Draft Report & General Comment,” March 2014, (accessed July 17, 2014).


[416] There is a strong and well-recognized connection between privacy and freedom of expression in that inadequate protections for the former can seriously undermine the latter. For sources recognizing that connection, see, e.g., UN Human Rights Council, “Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression,” Frank La Rue, A/HRC/23/40, April 17, 2013, (accessed July 14, 2014) paras 24-27.

The US government’s interest in promoting freedom of expression online around the world thus relies significantly on the presence of sufficient privacy protections. For the government’s own statement about its interests in promoting freedom of expression online, see US Department of State, “Diplomacy in Action: Internet Freedom,” (accessed July 14, 2014).


[417] The US Constitution does not mention privacy by name, but the right finds roots in the 4th Amendment ban on “unreasonable searches and seizures.” U.S. Const. Amend. IV.


[418] For more on anonymous speech in human rights law, see UN Human Rights Council, “Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression,” Frank La Rue, A/HRC/23/40, April 17, 2013,, paras. 88-90.


[419] International Covenant on Civil and Political Rights (ICCPR), adopted December 16, 1966, G.A. Res. 2200A (XXI), 21 U.N. GAOR Supp. (No.16) at 52, U.N. Doc. A/6316 (1966), 999 U.N.T.S. 171, entered into force March 23, 1976, ratified by US on June 8, 1992, art. 19.


[420] Ibid. Although the treaty is binding, people cannot bring individual lawsuits based solely on the treaty in US courts.


[421] Ibid., art. 22.


[422] Ibid., art. 17.


[423] Ibid., art. 19. According to Manfred Nowak, no state was in favor of a narrow reading of this article in drafting the treaty, so “there can be no doubt that every communicable type of subjective idea and opinion, of value-neutral news and information, of … political commentary regardless of how critical, … is protected by Art. 19(2).” Manfred Nowak, U.N. Covenant on Civil and Political Rights: CCPR Commentary (Arlington: N.P. Engel, 1993), p. 341. The right also appears in the Universal Declaration of Human Rights (UDHR) and the American Declaration of the Rights and Duties of Man. See Universal Declaration of Human Rights (UDHR), adopted December 10, 1948, G.A.Res. 217A(III), U.N. Doc. A/810 at 71 (1948), art. 19; American Declaration of the Rights and Duties of Man, adopted April 1948, Ninth International Conference of American States, art. IV.


[424] ICCPR., art. 26.


[425] UN Human Rights Committee, General Comment 15: The position of aliens under the Covenant, U.N. Doc. HRI/GEN/1/Rev.1 (April 11, 1986), para. 7; see also Submission of Amnesty International USA and the American Civil Liberties Union to Privacy and Civil Liberties Oversight Board, Public Hearing on Section 702 of the FISA Amendments Act, March 19, 2014, (accessed July 14, 2014), p. 13.

The Human Rights Committee (HRC) is a group of experts tasked by the UN with monitoring the implementation of the ICCPR. Its General Comments are the most authoritative interpretations of state obligations under the treaty, though states do not always adopt the HRC’s views.


[426] For more on the US position, see Harold Koh, Office of the Legal Advisor, Memorandum Opinion on the Geographic Scope of the International Covenant on Civil and Political Rights, October 19, 2010, (accessed July 14, 2014), pp. 1-2.


[427] Human Rights Committee, “Concluding observations on the fourth periodic report of the United States of America,” CCPR/C/USA/CO/4, April 23, 2014, (accessed July 14, 2014), para. 4, noting, “The Committee regrets that the State party continues to maintain the position that the Covenant does not apply with respect to individuals under its jurisdiction, but outside its territory, despite the interpretation to the contrary of article 2, paragraph 1, supported by the Committee’s established jurisprudence, the jurisprudence of the International Court of Justice and State practice.”)


[428] UN Human Rights Council, “The right to privacy in the digital age: Report of the Office of the United Nations High Commissioner for Human Rights,” A/HRC/27/37, June 30, 2014, (accessed July 14, 2014), para. 34.


[429] Ibid.


[430] UN Human Rights Committee, General Comment 34, Article 19: Freedoms of opinion and expression, U.N. Doc. CCPR/C/GC/34 (2011), para. 4, (noting “freedom of expression is integral to the enjoyment of the rights to freedom of assembly and association.”)

Ibid., paras. 18 and 19.


[432] Ibid., para. 19.


[433] Organization of American States, Declaration of Principles on Freedom of Expression, October 19, 2000,, prin. 4.

For explanatory background on the principles, see Organization of American States, Background and Interpretation of the Declaration of Principles,

The Inter-American Commission on Human Rights (IACHR) adopted the declaration at its 108th regular sessions in October 2000. Ibid. In adopting the declaration, the IACHR interpreted Article 13 (freedom of expression) of the American Convention on Human Rights, which the US has signed though not ratified, to include the right of access to official information. Ibid. Other regional and international institutions have made similar statements. For examples of such statements, see, e.g., Joint declaration by Ambeyi Ligabo, U.N. Special Rapporteur on Freedom of Opinion and Expression, Miklos Haraszti, OSCE Representative on Freedom of the Media, and Eduardo Bertoni, OAS Special Rapporteur for Freedom of Expression, December 6, 2004, (accessed July 14, 2014). See also United Nations Economic and Social Council, Commission on Human Rights, Civil and Political Rights, Including the Question of Freedom of Expression: The Right to Freedom of Opinion and Expression. Report of the Special Rapporteur, Ambeyi Ligabo, submitted in accordance with Commission resolution 2003/42, (New York: United Nations, 2003); IACHR, Report on Terrorism and Human Rights, OAS/Ser.L./V/II 116, Doc. 5 rev. 1 corr. October 22, 2002, (accessed July 14, 2014), para. 281.

Although a narrower interpretation of the right of access to information has prevailed in Europe, the European Court of Human Rights, interpreting Article 8 (private and family life) of the European Convention, has found that individuals have the right to obtain information held by the government if such information affects their private lives, and that the government’s storage of that information therefore interferes with their rights to privacy and family life guaranteed by the Convention. The European Court has also established that governments may not restrict a person from receiving information that others wish or may be willing to impart. European Court of Human Rights, Leander v. Sweden, no. 10/1985/96/144, February 1985, paras. 48 and 74; European Court of Human Rights, Gaskin v. United Kingdom, no. 2/1988/146/200, June 1989, para. 49; and European Court of Human Rights, Guerra and others v. Italy, no. 116/1996/735/932, February 1998, paras. 53 and 60. The European Court’s reading finds support in Principle 3 of the Declaration of Principles on Freedom of Expression. Organization of American States, Declaration of Principles on Freedom of Expression, October 19, 2000,, prin. 3.


[434] For discussion of these connections, see Organization of American States, Declaration of Principles on Freedom of Expression,, prin. 1. In Europe this has been recognized since the early 1980s. Toby Mendel, “Freedom of Information: An Internationally protected Human Right,” Comparative Media Law, January-June 2003, pp. 13-19,  (accessed July 14, 2014).

The Inter-American Court of Human Rights held in 1985 that effective citizen participation and democratic control, as well as a true debate in a democratic society, cannot be based on incomplete information. Understanding freedom of expression as both the right to express oneself, and the right to obtain information, the Inter-American Court of Human Rights held that “freedom of expression is a cornerstone upon which the very existence of a democratic society rests. It is indispensable in the formation of public opinion. It represents, in short, the means that enable the community, when exercising its options, to be sufficiently informed.

Consequently, it can be said that a society that is not well informed is not a society that is truly free.” Inter-American Court of Human Rights, “Compulsory Membership in an Association prescribed by Law for the Practice of Journalism (Articles 13 and 29 American Convention on Human Rights),” Advisory Opinion OC-5, November 13, 1985, para. 70. The OAS General Assembly has held in 2003, 2004, and 2005 that access to official information is an indispensable requirement for a democracy to work properly, and that states have an obligation to ensure access to information. OAS General Assembly Resolution on Access to Official Information: Strengthening Democracy, AG/Res. 1932 (XXXIII-O/03), June 10, 2003, (accessed July 14, 2014); OAS General Assembly Resolution Access to Official Information: Strengthening Democracy, AG/Res. 2057 (XXXIV-O/04), June 8, 2004,(accessed July 14, 2014); and OAS General Assembly Resolution on Access to Official Information: Strengthening Democracy, AG/RES. 2121 (XXXV-O/05), May 26, 2005, (accessed July 14, 2014).


[435] UN Human Rights Committee, General Comment 34, Article 19: Freedoms of opinion and expression, U.N. Doc. CCPR/C/GC/34 (2011), para. 13.


[436] Limitations may also be permissible for the protection of public order, public health or morals, or the rights and freedoms of others.For a list of those limitations, see, e.g., ICCPR, art. 12. Our analysis focuses on the national security exception because that is the public justification for the surveillance programs and the crackdown on leaks. The Human Rights Committee has also acknowledged the national security limitation on the right to freedom of expression. UN Human Rights Committee, GeneralComment 34, Article 19: Freedoms of opinion and expression, U.N. Doc. CCPR/C/GC/34 (2011), para. 21. Legal scholars argue that the same limitations apply to rights guaranteed by Article 17 (right to privacy), even though the text does not list any exceptions or limitations. As one example, see, e.g. Manfred Nowak, U.N. Covenant on Civil and Political Rights: CCPR Commentary, 2d rev. ed. (Kehl am Rhein: Engel, 2005), p. 381.UN Human Rights Council, “Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism,” Martin Scheinin, A/HRC/13/37, December 18, 2009, (accessed July 15, 2014); UN Human Rights Council, “Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression,” Frank La Rue, A/HRC/23/40, April 17, 2013, (accessed July 15, 2014)


[437] ICCPR, art. 19(3), at 52.


[438] UN Human Rights Committee, General Comment 34, Article 19: Freedoms of opinion and expression, U.N. Doc. CCPR/C/GC/34 (2011), para. 22.


[439] Ibid., para. 30.


[440] The Johannesburg Principles on National Security, Freedom of Expression and Access to Information (Johannesburg Principles), November 1996,   (accessed July 14, 2014).


[441] Ibid., Principle 1.2.


[442] Ibid., Principle 2(a).


[443] The Tshwane Principles have the same legal standing as the Johannesburg Principles, providing an influential interpretation of the standard, under international law, for balancing access to information with the protection of national security.


[444] The Global Principles on National Security and the Right to Information (Tshwane Principles), June 12, 2013, (accessed July 14, 2014), Principle 1(a).


[445] Ibid., Principle 9(a)(i)-(v).


[446] Ibid., Principle 3.


[447] Specifically, the Principles list five categories that cover “on-going defense … operations”; “weapon systems”; “specific measures to safeguard the territory of the state” (or other critical strategic assets); “operations, sources, and methods of intelligence services” geared toward protecting national security; and “information concerning national security” that was provided by other states or bodies under a guarantee of confidentiality. Ibid., Principle 9ai-v.


[448] Ibid., Principle 10.


[449] Ibid., Principle 10(a). Such information, which includes “crimes under international law, and systematic or widespread violations of the rights to personal liberty and security,” “may not be withheld on national security grounds in any circumstances.” Ibid., Principle 10(a)(1). Information related to less serious violations of human rights or humanitarian law remains “subject to a high presumption of disclosure.” Ibid., Principle 10(a)(2).


[450] Ibid., Principle 10(e).


[451] Ibid., Principles 37-41.


[452] Even the government acknowledges that over-classification occurs. E.g., Ben Rhodes, “The President Signs H.R. 533, The Reducing Over-Classification Act,” The White House Blog, October 7, 2010, (accessed July 14, 2014).

The Office of the Director of National Intelligence, “Intelligence Community Classification Guidance Findings and Recommendations Report,” January 2008, (accessed July 14, 2014), p. v. “Pentagon Acknowledges, Combats Overclassification,”

Secrecy News, November 1, 2004, (accessed July 14, 2014).


[453] Tshwane Principles, Principle 2(b).


[454] For more, see Footnote 452.


[455] For more on this question, see, e.g., Laura Pitter (Human Rights Watch), “Dispatches: Snowden Case Highlights Need for Whistleblower Reform,” January 7, 2014,; Human Rights Watch, “US: Protect National Security Whistleblowers,” June 18, 2013,


[456] Other portions of the Johannesburg Principles also support this conclusion. For example, “[p]rotection of national security may not be used as a reason to compel a journalist to reveal a confidential source.” Johannesburg Principles, prin. 18. Additionally, expression can be punished, under the principles, only if it is “intended to incite imminent violence,” “likely to incite such violence,” and tightly connected to the “likelihood or occurrence of such violence.” Johannesburg Principles, prin. 6.


[457] In the First Amendment to the US Constitution, the freedom to associate derives from the language guaranteeing “Congress shall make no law … abridging … the right of the people peaceably to assemble, and to petition the Government for redress of grievances.” U.S. Const. amend I.


[458] Nat’l Ass’n for Advance. of Colored People v. Alabama, 357 US 449, 462 (1958).


[459] Ibid. at 462.


[460] Ibid. at 460.


[461] For example, journalists may face liability for publishing inaccurate, defamatory items. Lovell v. City of Griffin, 303 U.S. 444, 450 (1938). They may also be subpoenaed to appear before grand juries.


[462] Branzburg v. Hayes, 408 U.S. 665, 683 (1972) (“Although it may deter or regulate what is said or published, the press may not circulate knowing or reckless falsehoods damaging to private reputation without subjecting itself to liability for damages, including punitive damages, or even criminal prosecution. See NewYork Times Co. v. Sullivan, 376 U.S. 254, 279-280 (1964); Garrison v. Louisiana, 379 U.S. 64, 74 (1964); Curtis Publishing Co. v. Butts, 388 U.S. 130, 147 (1967) (opinion of Harlan, J.,); Monitor Patriot Co. v. Roy, 401 U.S. 265, 277 (1971).”).


[463] The case of Julian Assange could become an exception if the US were to act on threats made by some US officials. For more on Assange’s case, see Ed Pilkington, “Julian Assange to file fresh challenge in effort to escape two-year legal limbo,” Guardian, June 18, 2014, (accessed July 14, 2014).


[464] For more on Risen’s situation, see Dylan Byers, “Supreme Court rejects James Risen appeal,” Politico, June 2, 2014, (accessed July 14, 2014); “US: Don’t Press Charges Against New York Times Reporter,” Letter from Kenneth Roth to Attorney General Holder, June 4, 2014,


[465] “US: Don’t Press Charges Against New York Times Reporter,” Letter from Kenneth Roth to Attorney General Holder,


[466] See generally, Snepp v. US, 444 U.S. 507 (1980). These restrictions can apply to the sharing of classified information, which federal employees often (if not always) agree to keep secret.


[467] For an example, see Department of Homeland Security, Non-Disclosure Agreement, (accessed July 14, 2014).


[468] Stillman v. Dep’t of Defense, 209 F. Supp. 2d 185, 217 (D.DC 2002).


[469] Lane v. Franks, 573 U. S. ____ (2014). For more on the case, see David G. Savage, “Supreme Court gives public workers 1st Amendment shield,” Los Angeles Times, June 19, 2014, (accessed July 14, 2014).


[470] McGehee v. Casey, 718 F.2d 1137, 1142-43 (DC Cir. 1983) (citations omitted).


[471] For example, one district court explicitly has recognized that former government employees have “a First Amendment right to publish unclassified information.” Stillman, 209 F. Supp. 2d at 217. Indeed, as the DC Circuit has interpreted its own test, “[t]he government may not censor [unclassified materials or information obtained from public sources], ‘contractually or otherwise…’ [and t]he government has no legitimate interest in censoring unclassified materials.” McGehee, 718 F.2d at 1141 (citations omitted).

Talley v. California, 362 U.S. 60 (1960) (striking down a city ordinance that banned the distribution of any handbills omitting identifying information of the people who produced or distributed them); McIntyre v. Ohio Elections Comm’n, 514 U.S. 334 (1995) (striking down a similar state statute).


[473] Talley, 362 U.S. at 64.


[474] ICCPR., art. 14(3)(d). It also provides for the right “to have legal assistance assigned to him, in any case where the interests of justice so require, and without payment by him in any such case if he does not have sufficient means to pay for it.” Ibid.

Human Rights Committee, General Comment 13, Article 14: Administration of justice, U.N. Doc. HRI/GEN/1/Rev.9 (2003) para. 9 (Interpreting the ICCPR as requiring “counsel to communicate with the accused in conditions giving full respect for the confidentiality of their communications,” and noting, “[l]awyers should be able to counsel and to represent their clients in accordance with their established professional standards and judgement without any restrictions, influences, pressures or undue interference from any quarter.”); see also Human Rights Committee, General Comment 32, Article 14: Right to equality before courts and tribunals and to a fair trial, CCPR/C/GC/32 (2007), para. 34 (noting, “Counsel should be able to meet their clients in private and to communicate with the accused in conditions that fully respect the confidentiality of their communications.”).

Numerous UN guidelines likewise require “full confidentiality” of communications. E.g., Body of Principles for the Protection of All Persons under Any Form of Detention or Imprisonment, adopted December 9, 1988, UN GAOR Res. 43/173 at 298, 43rd Session, 76th plenary meeting, UN Doc. A/43/49 (1988), principles 18(3)(4), 43 UN GAOR Supp. (Nº 49); Basic Principles on the Role of Lawyers, adopted by the Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, Havana, Cuba, August 27-September 7, 1990, U.N. Doc. A/CONF.144/28/Rev.1 at 118 (1990), principles 8, 22; Standard Minimum Rules for the Treatment of Prisoners, UN Economic and Social Council resolution 663 C (XXIV), July 31, 1957 and resolution 2076 (LXII), May 13, 1977, para. 93. See also Inter-American Commission on Human Rights, Principles and Best Practices on the Protection of Persons Deprived of Liberty in the Americas, 131st Sess. Mar. 3-14, 2008, principle 5.


[476] Basic Principles on the Role of Lawyers, adopted by the Eighth United Nations Congress on the Prevention of Crime and the Treatment of Offenders, Havana, 27 August to 7 September 1990, U.N. Doc. A/CONF.144/28/Rev.1 at 118 (1990),, principle 16.

According to their own terms, these principles were “formulated to assist [UN] Member States in their task of promoting and ensuring the proper role of lawyers, should be respected and taken into account by Governments within the framework of their national legislation and practice.” The terms of these principles, while not legally binding, are highly influential in defining the terms of US’s human rights obligations under the ICCPR.


[477] For more on the government’s treatment of attorney-client communications collected through surveillance, see Section IV, The Government’s Rationale for Surveillance.


[478] Specifically, the Sixth Amendment stipulates that “In all criminal prosecutions, the accused shall enjoy the right …. to have the assistance of counsel for his defense.” U.S. Const. amend. VI.


[479]United States v. Rosner, 485 F.2d 1213, 1224 (2d Cir. 1973).


[480]Caldwell v. United States, 205 F.2d 879, 881 (DC Cir. 1953).


[481] United States v. Levy, 577 F.2d 200, 209 (3d Cir. 1978). This principle, however, has limits. For example, in Weatherford v. Bursey, a case involving a confidential government informant who attended early meetings between the defendant and his attorney, the Supreme Court ruled that there was no violation of the defendant’s Sixth Amendment rights.

Significantly, a dissent by Justices Marshall and Brennan urged the court to adopt a strict per se prohibition on interference with the relationship between defendants and their attorneys. Weatherford v. Bursey, 429 US 545, 561 (1976) (Marshall, J., dissenting). One factor in the ruling was that the defendant had invited the informant to the meetings; another, more important for present purposes, is that the informant did not pass on relevant information to the prosecution.

As the majority opinion phrased it: “As long as the information possessed by [the government’s informant] remained uncommunicated [to the prosecution], he posed no substantial threat to [the defendant’s] Sixth Amendment rights. Ibid., pp. 556-57. The situation attorneys and their clients face under large-scale electronic surveillance differs materially in several respects, but one difference is particularly relevant: neither the defendant in Weatherford nor his attorney had any reason to suspect government interference in their relationship because they did not know there was a government agent at the meetings; with large-scale electronic surveillance, both defendant and attorney have reason to fear their conversations are being recorded.


[482] Such a practice might very well violate the Constitution. See Weatherford v. Bursey, 429 US 545 (1976) (offering the relevant holding).


[483] Mike German and Jay Stanley, ACLU, “Drastic Measures Required: Congress Needs to Overhaul U.S. Secrecy Laws and Increase Oversight of the Security Establishment,” July 2011, (accessed July 17, 2014), p. 48.

Table of Contents

© 2015 Human Rights Watch

Human Rights Watch |


Lisa Jones, Girlfriend of Undercover Policeman Mark Kennedy: ‘I thought I Knew Him Better than Anyone’


The most traumatising time of Lisa Jones’s life began when she agonised for months over the true identity of her boyfriend. They had been together for six years and she loved him “totally, completely, more than anyone”.

“He was the closest person in the world to me,” she says. “The person who knew me better than anybody else. I thought I knew him better than anyone else knew him.” But she had begun to suspect that he was lying about who he really was.

This is the first interview “Lisa”, who wants to retain her anonymity, has given to the media. Only now, five years later, does she feel ready to describe how she has been devastated by the deception. She speaks eloquently, though the pain is still evident. Her boyfriend, Mark, always had a slightly mysterious side to him. In their last few months together his behaviour was, at times, erratic; but at other times, their relationship was blissful.

In what she describes as a “constant see-saw from one state to another”, she oscillated between “desperately, desperately” wanting to believe the story he had told her about himself, and wondering whether he had completely deceived her about a fundamental part of his life.

Reduced to a “very fragile” state, she struggled with her dilemma: “Am I fighting to save this relationship or am I trying to figure out who he is? I am either putting my energies into this relationship or I am investigating him – I can’t do both.”

The truth was not disclosed to her by him. Instead she and her friends found out through their own detective work and a chance discovery.

Assistant commissioner Martin Hewitt apologises for undercover officers’ relationships

They established that he was Mark Kennedy, an undercover policeman who had been sent to spy on her circle of activist friends. For seven years, he had adopted a fake persona to infiltrate environmental groups. Their unmasking of him five years ago kickstarted a chain of events that has exposed one of the state’s most deeply concealed secrets.

Back then, the public knew little about a covert operation that had been running since 1968. Only a limited number of senior police officers knew about it. Kennedy was one of more than 100 undercover officers who, over the previous four decades, had transformed themselves into fake campaigners for years at a time, assimilating themselves into political groups and hoovering up information about protests that they had helped to organise.

More than 10 women have discovered that they had relationships with undercover policemen, some lasting years, without being told their true identity.

On Friday it was announced that police had agreed to give a full apology and pay compensation to Lisa and six other women for the trauma they suffered after being deceived into forming intimate relationships with police spies.

Lisa, for her part, welcomed the apology. But it comes more than a decade after Kennedy’s mission began. “No amount of money or ‘sorry’ will make up for the lack of answers about the extent to which I was spied upon in every aspect of my most personal and intimate moments,” she says.

Kennedy first infiltrated a group of environmental campaigners in Nottingham in 2003. The fake persona he chose was that of a long-haired, tattooed professional climber by the name of Mark Stone. Among campaigners, he earned the nickname “Flash” as he always seemed to have a lot of money.

In the autumn of 2003, Lisa met Kennedy when he visited Leeds, where she was living. Then in her early 30s, she had for some years been active in environmental, anti-capitalist, and anti-nuclear campaigns. Her first impressions were that he was “very charming, very friendly and familiar in a way that was quite disarming”.

Mark Kennedy at Glastonbury festival in 2008, in a picture taken by Lisa Jones
Mark Kennedy at Glastonbury Festival in 2008, in a picture taken by Lisa Jones

Kennedy had a number of sexual relationships while undercover. The longest was with Lisa. “During his deployment, he spent more time with me than anybody else, and probably more time than everyone else together,” she says. He “slotted very easily” into her group of friends, who went climbing in their spare time. He got to know her family. When her father died, Kennedy was in the mourners’ car with her. “He was the one who held me as I cried through the night, and helped me pick myself up again after that,” Lisa says.

He would go away every few weeks – the longest time was three months – working, but kept in regular contact through phone calls, emails and texts. They went abroad together, sometimes just the two of them, cycling or climbing, and sometimes for protests. Over time, he gained a reputation as a committed environmental activist. But secretly, he was passing back to his police handlers information about the protesters and their political activities.

His covert mission was terminated in October 2009 when he was summoned by his handlers to a meeting at an anonymous truckstop. That month, he disappeared abruptly from his house in Nottingham. In the weeks before his disappearance, he had been agitated and distant with his friends. Lisa recalls: “He had quite an emotional crash, it seems. Some days he would not get out of bed – that was very, very out of character. He was usually quite bright and chirpy, an early riser type, an energetic person, but he was upset quite a lot of the time. I would comfort him. It really felt to me that I was seeing him through a difficult time, and a breakdown. He leant on me very heavily.”


He appeared to be very paranoid. The police had raided his house after he was arrested at a protest, and he said he was worried they were delving into his background and income. He said he needed a break and was going to go to the US to stay with his brother for a while. Lisa says that the day before he flew, he “was behaving very, very strangely”, claiming that he was being followed.

“When he went, I was really, really worried about his sanity. I thought he had properly lost it. I kept saying to him that this looks to me as if you are not coming back. He had sold his car, apparently left his job and half-cleared out his house. The other half I had to do.”

In January 2010, he mysteriously reappeared. What Lisa and the other campaigners did not know at that time was that Kennedy was quitting the police to avoid being assigned to a humdrum desk job. But he had not discarded his fictional persona of “Mark Stone”, and continued to be involved in political campaigns. He has admitted that he was employed by a clandestine private security firm that was paid by commercial firms to monitor protesters.

To Lisa, however, he was “different, volatile, up and down a lot of the time. Obviously he was being much less supervised, much less directed, and I just don’t think he knew what he was doing at that time. He was rudderless. I was still so bruised from him losing his marbles and disappearing that I was in some ways waiting for an explanation, somehow trying to figure out what was going on with him, and whether he was alright.

“I always knew that Mark had a slight air of mystery. I knew there was something that one day he might open up about – something that had happened.”

The key discovery that eventually led to Kennedy’s exposure was made by Lisa when the two of them were on holiday in a van in July 2010.

Mark Kennedy on holiday in Italy in 2010
Kennedy on Holiday in Italy in 2010

“We were having this really blissful holiday in Italy. We were up in the mountains, just the two of us. He had gone off for a cycle ride, and I was looking in the glove box for some sunglasses. I guess that there was maybe a bit of me that was a little unsure about what was going on with him. I was rooting around and I saw his passport.”

The old passport was in the unfamiliar name of Mark Kennedy. But there was something even more chilling in there: “The thing that made my stomach come into my mouth was seeing that he had a child. The character of Mark Stone wasn’t one that would have had a child. That’s such a big thing to have happened, and to have known somebody that long and have them not mention that they had a child, that’s enormous.”

She found a mobile phone that he did not seem to use much, and found emails from two children, calling him dad. “I did not know what to think. I remember feeling that the world was suddenly a really long way away. I just remember that the mountains were pulsating and swimming around me.”

It was the first time she considered that he might be an undercover cop, but quickly dismissed it as something she thought only existed in films. When Kennedy came back from his cycle ride, “I really did not know what to say to him. I was terrified about what the answer would be, and what it would mean. I just did not say anything for about two days. He knew there was something wrong. He was trying to be very nice to me and figure out what was upsetting me. I did not sleep. He slept and I paced. I remember watching the sunrise and being sick.”

She confronted him in a bar on what was his real birthday. She demanded to know about his son. “He visibly crumpled. He said, ‘I can tell you, but not here’, and we went off.”

Back in their van, he recounted a story it seems he had tucked away for years, to be used if his fictional persona was ever challenged. He said he had been a drug runner, that his close associate had been shot in front of him, and that he had promised to look after the dead man’s children, who had come to think Kennedy was their real father.

“I was desperate for an explanation that sounded plausible. Fantastical as it now sounds in the retelling, one of the reasons it seemed plausible was the amount of emotion that poured out of him when he told me,” Lisa says. It seemed as if he had finally opened up, after all the hints of a dodgy past.

“I held him as he cried for about eight hours, through the night. We sat up and talked. He cried and I cried. It felt like we had really shared something, so I really did not analyse the facts at that point particularly strongly.”

But for the rest of the summer, she had nagging feelings that his story did not add up. She challenged him but he always had an answer. She swung between believing their relationship was “better than ever, and thinking something still is not right”.

In September, they had another happy holiday in Italy. “I was floating on air when we came back.” A week later, she was visiting a friend who was, by chance, doing ancestry research online. She did not know what came over her, but she asked the friend to look up Mark Stone’s birth certificate. Nothing came back.

With her friends’ help, she started to dig into his life. She still could not believe he was a policeman, thinking: “He has been with me for so long – there’s absolutely no way they would put a cop in for that long.”

She yearned to find some new piece of information that would provide an explanation and clear her suspicions about him. For a few weeks, she went about her life, talking regularly on the phone to Kennedy but feeling she was “in this little bubble where nothing was real”. Eventually they found a birth certificate for Kennedy’s son, which recorded Kennedy’s occupation as being a police officer.

Now she wanted him to explain. He was pretending to be in the US, but she had found out that he was actually in Ireland with his children and estranged wife. At her insistence, he returned late one night to a house in Nottingham, where she and a group of friends began to question him.

For what felt like hours, he refused to admit anything. Then one of the group asked him directly when he had joined the police. He confessed, and later cried. The others left Lisa alone with him. She was shocked. “I wanted him to stay. I knew that the moment he left, the whole world was going to change. I was just trying to delay the moment.”

Mark Kennedy in 2011, after he had left the police force
Mark Kennedy in 2011, after he had left the police force. Photograph: Phillip Ebeling for the Guardian

Kennedy went on to sell his story to the media and to work for a US security firm after he was unmasked in October 2010. Lisa set about trying to put her life back together. Her experience with Kennedy “made her feel very small”, but the other women in the legal action have been a valuable source of support.

Lisa, who comes across as warm-hearted and thoughtful, rejects suggestions that she could have unmasked Kennedy earlier or that his deception was no different from those of many other cheating husbands.

The difference, she says, is that his deception was supported by the resources of the state. Undercover officers who infiltrated political groups were issued with fake documents, such as passports, driving licences and bank records that would help to fortify their fabricated alter egos. “I had no chance of seeing through that kind of training and infrastructure.”

But he was rumbled, she points out, after he quit the police and no longer had their support. He had had to hand back the paperwork – including the passport bearing his fake identity of Mark Stone.

Lisa has found it difficult to come to terms with the feeling that she had no free will during her relationship with Kennedy. A “faceless backroom of cops” controlled his movements, deciding when he could go away with her, or which demonstrations they could go on. “I just have this feeling that someone else made all the decisions, and it was not me, and it was not even him.”

A series of revelations has persuaded the home secretary Theresa May to order a public inquiry into the conduct of the police spies. This inquiry could reveal far more of the police’s secrets when it starts to hear evidence in public next year. It is expected to examine how, for example, the undercover officers spied on the family of murdered teenager Stephen Lawrence and stole the identities of dead children.

Lisa does not want to pin too much hope on the inquiry uncovering the truth of Kennedy’s espionage and his relationship with her. “There are so many more questions than answers in this whole thing that I don’t think I am ever going to be in a position where I feel like I know what went on and what it all meant, and that there’s nothing more to wonder about.”

She asks herself how much he genuinely loved her. “It is an endless, endless question that I will always be wondering about. That will always keep me awake at night.”

She has been left with a “crushing disappointment and sadness”, feeling that her ability to trust others and form relationships has been shattered. “I have lost a lot of optimism about all kinds of things,” she says. “Just the idea that the world is a good place, that love exists, that love is possible for me.”



Hackers Remotely Kill a Jeep on the Highway – With Me in It

by Andy Greenberg  I   Security  I  I  6:00 AM

If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers. This might be the kind of software bug most likely to kill someone. – CHARLIE MILLER


I WAS DRIVING 70 mph on the edge of downtown St. Louis when the exploit began to take hold.

Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.

As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display: Charlie Miller and Chris Valasek, wearing their trademark track suits. A nice touch, I thought.

The Jeep’s strange behavior wasn’t entirely unexpected. I’d come to St. Louis to be Miller and Valasek’s digital crash-test dummy, a willing subject on whom they could test the car-hacking research they’d been doing over the past year. The result of their work was a hacking technique—what the security industry calls a zero-day exploit—that can target Jeep Cherokees and give the attacker wireless control, via the Internet, to any of thousands of vehicles. Their code is an automaker’s nightmare: software that lets hackers send commands through the Jeep’s entertainment system to its dashboard functions, steering, brakes, and transmission, all from a laptop that may be across the country.

To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. Then they told me to drive the Jeep onto the highway. “Remember, Andy,” Miller had said through my iPhone’s speaker just before I pulled onto the Interstate 64 on-ramp, “no matter what happens, don’t panic.”1

Charlie Miller (left) and Chris Valasek hacking into a Jeep Cherokee from Miller's basement as I drove the SUV on a highway ten miles away.
Charlie Miller (left) and Chris Valasek (right) hacking into a Jeep Cherokee from Miller’s basement as I drove the SUV on a highway ten miles away. Whitney Curtis for WIRED

As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.

“You’re doomed!” Valasek shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.
I followed Miller’s advice: I didn’t panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop.

Wireless Carjackers

This wasn’t the first time Miller and Valasek had put me behind the wheel of a compromised car. In the summer of 2013, I drove a Ford Escape and a Toyota Prius around a South Bend, Indiana, parking lot while they sat in the backseat with their laptops, cackling as they disabled my brakes, honked the horn, jerked the seat belt, and commandeered the steering wheel. “When you lose faith that a car will do what you tell it to do,” Miller observed at the time, “it really changes your whole view of how the thing works.” Back then, however, their hacks had a comforting limitation: The attacker’s PC had been wired into the vehicles’ onboard diagnostic port, a feature that normally gives repair technicians access to information about the car’s electronically controlled systems.

A mere two years later, that carjacking has gone wireless. Miller and Valasek plan to publish a portion of their exploit on the Internet, timed to a talk they’re giving at the Black Hat security conference in Las Vegas next month. It’s the latest in a series of revelations from the two hackers that have spooked the automotive industry and even helped to inspire legislation; WIRED has learned that senators Ed Markey and Richard Blumenthal plan to introduce an automotive security bill today to set new digital security standards for cars and trucks, first sparked when Markey took note of Miller and Valasek’s work in 2013.

As an auto-hacking antidote, the bill couldn’t be timelier. The attack tools Miller and Valasek developed can remotely trigger more than the dashboard and transmission tricks they used against me on the highway. They demonstrated as much on the same day as my traumatic experience on I-64; After narrowly averting death by semi-trailer, I managed to roll the lame Jeep down an exit ramp, re-engaged the transmission by turning the ignition off and on, and found an empty lot where I could safely continue the experiment.

Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.

Miller attempts to rescue the Jeep after its brakes were remotely disabled, sending it into a ditch.
Miller attempts to rescue the Jeep after its brakes were remotely disabled, sending it into a ditch. Photo:  Andy Greenberg WIRED

All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country. “From an attacker’s perspective, it’s a super nice vulnerability,” Miller says.


From that entry point, Miller and Valasek’s attack pivots to an adjacent chip in the car’s head unit—the hardware for its entertainment system—silently rewriting the chip’s firmware to plant their code. That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels. Miller and Valasek say the attack on the entertainment system seems to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015. They’ve only tested their full set of physical hacks, including ones targeting transmission and braking systems, on a Jeep Cherokee, though they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit. They have yet to try remotely hacking into other makes and models of cars.

After the researchers reveal the details of their work in Vegas, only two things will prevent their tool from enabling a wave of attacks on Jeeps around the world. First, they plan to leave out the part of the attack that rewrites the chip’s firmware; hackers following in their footsteps will have to reverse-engineer that element, a process that took Miller and Valasek months. But the code they publish will enable many of the dashboard hijinks they demonstrated on me as well as GPS tracking.

Second, Miller and Valasek have been sharing their research with Chrysler for nearly nine months, enabling the company to quietly release a patch ahead of the Black Hat conference. On July 16, owners of vehicles with the Uconnect feature were notified of the patch in a post on Chrysler’s website that didn’t offer any details or acknowledge Miller and Valasek’s research. “[Fiat Chrysler Automobiles] has a program in place to continuously test vehicles systems to identify vulnerabilities and develop solutions,” reads a statement a Chrysler spokesperson sent to WIRED. “FCA is committed to providing customers with the latest software updates to secure vehicles against any potential vulnerability.”

Unfortunately, Chrysler’s patch must be manually implemented via a USB stick or by a dealership mechanic. (Download the update here.) That means many—if not most—of the vulnerable Jeeps will likely stay vulnerable.

Chrysler stated in a response to questions from WIRED that it “appreciates” Miller and Valasek’s work. But the company also seemed leery of their decision to publish part of their exploit. “Under no circumstances does FCA condone or believe it’s appropriate to disclose ‘how-to information’ that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems,” the company’s statement reads. “We appreciate the contributions of cybersecurity advocates to augment the industry’s understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.”

The two researchers say that even if their code makes it easier for malicious hackers to attack unpatched Jeeps, the release is nonetheless warranted because it allows their work to be proven through peer review. It also sends a message: Automakers need to be held accountable for their vehicles’ digital security. “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers,” Miller says. “This might be the kind of software bug most likely to kill someone.”

In fact, Miller and Valasek aren’t the first to hack a car over the Internet. In 2011 a team of researchers from the University of Washington and the University of California at San Diego showed that they could wirelessly disable the locks and brakes on a sedan. But those academics took a more discreet approach, keeping the identity of the hacked car secret and sharing the details of the exploit only with carmakers.
Miller and Valasek represent the second act in a good-cop/bad-cop routine. Carmakers who failed to heed polite warnings in 2011 now face the possibility of a public dump of their vehicles’ security flaws. The result could be product recalls or even civil suits, says UCSD computer science professor Stefan Savage, who worked on the 2011 study. “Imagine going up against a class-action lawyer after Anonymous decides it would be fun to brick all the Jeep Cherokees in California,” Savage says.2

For the auto industry and its watchdogs, in other words, Miller and Valasek’s release may be the last warning before they see a full-blown zero-day attack. “The regulators and the industry can no longer count on the idea that exploit code won’t be in the wild,” Savage says. “They’ve been thinking it wasn’t an imminent danger you needed to deal with. That implicit assumption is now dead.”

471,000 Hackable Automobiles

Miller and Vasalek’s exploit uses a burner phone’s cellular connection to attack the Jeep’s internet-connected entertainment system. Photo: Whitney Curtis for WIRED

Sitting on a leather couch in Miller’s living room as a summer storm thunders outside, the two researchers scan the Internet for victims.

Uconnect computers are linked to the Internet by Sprint’s cellular network, and only other Sprint devices can talk to them. So Miller has a cheap Kyocera Android phone connected to his battered MacBook. He’s using the burner phone as a Wi-Fi hot spot, scouring for targets using its thin 3G bandwidth.

A set of GPS coordinates, along with a vehicle identification number, make, model, and IP address, appears on the laptop screen. It’s a Dodge Ram. Miller plugs its GPS coordinates into Google Maps to reveal that it’s cruising down a highway in Texarkana, Texas. He keeps scanning, and the next vehicle to appear on his screen is a Jeep Cherokee driving around a highway cloverleaf between San Diego and Anaheim, California. Then he locates a Dodge Durango, moving along a rural road somewhere in the Upper Peninsula of Michigan. When I ask him to keep scanning, he hesitates. Seeing the actual, mapped locations of these unwitting strangers’ vehicles—and knowing that each one is vulnerable to their remote attack—unsettles him.

When Miller and Valasek first found the Uconnect flaw, they thought it might only enable attacks over a direct Wi-Fi link, confining its range to a few dozen yards. When they discovered the Uconnect’s cellular vulnerability earlier this summer, they still thought it might work only on vehicles on the same cell tower as their scanning phone, restricting the range of the attack to a few dozen miles. But they quickly found even that wasn’t the limit. “When I saw we could do it anywhere, over the Internet, I freaked out,” Valasek says. “I was frightened. It was like, holy fuck, that’s a vehicle on a highway in the middle of the country. Car hacking got real, right then.”

That moment was the culmination of almost three years of work. In the fall of 2012, Miller, a security researcher for Twitter and a former NSA hacker, and Valasek, the director of vehicle security research at the consultancy IOActive, were inspired by the UCSD and University of Washington study to apply for a car-hacking research grant from Darpa. With the resulting $80,000, they bought a Toyota Prius and a Ford Escape. They spent the next year tearing the vehicles apart digitally and physically, mapping out their electronic control units, or ECUs—the computers that run practically every component of a modern car—and learning to speak the CAN network protocol that controls them.

When they demonstrated a wired-in attack on those vehicles at the DefCon hacker conference in 2013, though, Toyota, Ford, and others in the automotive industry downplayed the significance of their work, pointing out that the hack had required physical access to the vehicles. Toyota, in particular, argued that its systems were “robust and secure” against wireless attacks. “We didn’t have the impact with the manufacturers that we wanted,” Miller says. To get their attention, they’d need to find a way to hack a vehicle remotely.

Charlie Miller.
Charlie Miller. Photo: Whitney Curtis for WIRED
Chris Valasek.
Chris Valasek. Photo: Whitney Curtis for WIRED

Congress Takes on the
So the next year, they signed up for mechanic’s accounts on the websites of every major automaker and downloaded dozens of vehicles’ technical manuals and wiring diagrams. Using those specs, they rated 24 cars, SUVs, and trucks on three factors they thought might determine their vulnerability to hackers: How many and what types of radios connected the vehicle’s systems to the Internet; whether the Internet-connected computers were properly isolated from critical driving systems, and whether those critical systems had “cyberphysical” components—whether digital commands could trigger physical actions like turning the wheel or activating brakes.

Based on that study, they rated Jeep Cherokee the most hackable model. Cadillac’s Escalade and Infiniti’s Q50 didn’t fare much better; Miller and Valasek ranked them second- and third-most vulnerable. When WIRED told Infiniti that at least one of Miller and Valasek’s warnings had been borne out, the company responded in a statement that its engineers “look forward to the findings of this [new] study” and will “continue to integrate security features into our vehicles to protect against cyberattacks.” Cadillac emphasized in a written statement that the company has released a new Escalade since Miller and Valasek’s last study, but that cybersecurity is “an emerging area in which we are devoting more resources and tools,” including the recent hire of a chief product cybersecurity officer.

After Miller and Valasek decided to focus on the Jeep Cherokee in 2014, it took them another year of hunting for hackable bugs and reverse-engineering to prove their educated guess. It wasn’t until June that Valasek issued a command from his laptop in Pittsburgh and turned on the windshield wipers of the Jeep in Miller’s St. Louis driveway.

Since then, Miller has scanned Sprint’s network multiple times for vulnerable vehicles and recorded their vehicle identification numbers. Plugging that data into an algorithm sometimes used for tagging and tracking wild animals to estimate their population size, he estimated that there are as many as 471,000 vehicles with vulnerable Uconnect systems on the road.

Pinpointing a vehicle belonging to a specific person isn’t easy. Miller and Valasek’s scans reveal random VINs, IP addresses, and GPS coordinates. Finding a particular victim’s vehicle out of thousands is unlikely through the slow and random probing of one Sprint-enabled phone. But enough phones scanning together, Miller says, could allow an individual to be found and targeted. Worse, he suggests, a skilled hacker could take over a group of Uconnect head units and use them to perform more scans—as with any collection of hijacked computers—worming from one dashboard to the next over Sprint’s network. The result would be a wirelessly controlled automotive botnet encompassing hundreds of thousands of vehicles.

“For all the critics in 2013 who said our work didn’t count because we were plugged into the dashboard,” Valasek says, “well, now what?”

Chris Valasek.
Chris Vasalek. Photo: Whitney Curtis for WIRED

Congress Takes on Car Hacking

Now the auto industry needs to do the unglamorous, ongoing work of actually protecting cars from hackers. And Washington may be about to force the issue.

Later today, senators Markey and Blumenthal intend to reveal new legislation designed to tighten cars’ protections against hackers. The bill (which a Markey spokesperson insists wasn’t timed to this story) will call on the National Highway Traffic Safety Administration and the Federal Trade Commission to set new security standards and create a privacy and security rating system for consumers. “Controlled demonstrations show how frightening it would be to have a hacker take over controls of a car,” Markey wrote in a statement to WIRED. “Drivers shouldn’t have to choose between being connected and being protected…We need clear rules of the road that protect cars from hackers and American families from data trackers.”

Markey has keenly followed Miller and Valasek’s research for years. Citing their 2013 Darpa-funded research and hacking demo, he sent a letter to 20 automakers, asking them to answer a series of questions about their security practices. The answers, released in February, show what Markey describes as “a clear lack of appropriate security measures to protect drivers against hackers who may be able to take control of a vehicle.” Of the 16 automakers who responded, all confirmed that virtually every vehicle they sell has some sort of wireless connection, including Bluetooth, Wi-Fi, cellular service, and radios. (Markey didn’t reveal the automakers’ individual responses.) Only seven of the companies said they hired independent security firms to test their vehicles’ digital security. Only two said their vehicles had monitoring systems that checked their CAN networks for malicious digital commands.

UCSD’s Savage says the lesson of Miller and Valasek’s research isn’t that Jeeps or any other vehicle are particularly vulnerable, but that practically any modern vehicle could be vulnerable. “I don’t think there are qualitative differences in security between vehicles today,” he says. “The Europeans are a little bit ahead. The Japanese are a little bit behind. But broadly writ, this is something everyone’s still getting their hands around.”

Miller (left) and Valasek demonstrated the rest of their attacks on the Jeep while I drove it around an empty parking lot.
Miller (left) and Vasalek demonstrated the rest of their attacks on the Jeep while I drove it around an empty parking lot. Photo: Whitney Curtis

Aside from wireless hacks used by thieves to open car doors, only one malicious car-hacking attack has been documented: In 2010 a disgruntled employee in Austin, Texas, used a remote shutdown system meant for enforcing timely car payments to brick more than 100 vehicles. But the opportunities for real-world car hacking have only grown, as automakers add wireless connections to vehicles’ internal networks. Uconnect is just one of a dozen telematics systems, including GM Onstar, Lexus Enform, Toyota Safety Connect, Hyundai Bluelink, and Infiniti Connection.

In fact, automakers are thinking about their digital security more than ever before, says Josh Corman, the cofounder of I Am the Cavalry, a security industry organization devoted to protecting future Internet-of-things targets like automobiles and medical devices. Thanks to Markey’s letter, and another set of questions sent to automakers by the House Energy and Commerce Committee in May, Corman says, Detroit has known for months that car security regulations are coming.

But Corman cautions that the same automakers have been more focused on competing with each other to install new Internet-connected cellular services for entertainment, navigation, and safety. (Payments for those services also provide a nice monthly revenue stream.) The result is that the companies have an incentive to add Internet-enabled features—but not to secure them from digital attacks. “They’re getting worse faster than they’re getting better,” he says. “If it takes a year to introduce a new hackable feature, then it takes them four to five years to protect it.”

Corman’s group has been visiting auto industry events to push five recommendations: safer design to reduce attack points, third-party testing, internal monitoring systems, segmented architecture to limit the damage from any successful penetration, and the same Internet-enabled security software updates that PCs now receive. The last of those in particular is already catching on; Ford announced a switch to over-the-air updates in March, and BMW used wireless updates to patch a hackable security flaw in door locks in January.
Corman says carmakers need to befriend hackers who expose flaws, rather than fear or antagonize them—just as companies like Microsoft have evolved from threatening hackers with lawsuits to inviting them to security conferences and paying them “bug bounties” for disclosing security vulnerabilities. For tech companies, Corman says, “that enlightenment took 15 to 20 years.” The auto industry can’t afford to take that long. “Given that my car can hurt me and my family,” he says, “I want to see that enlightenment happen in three to five years, especially since the consequences for failure are flesh and blood.”

As I drove the Jeep back toward Miller’s house from downtown St. Louis, however, the notion of car hacking hardly seemed like a threat that will wait three to five years to emerge. In fact, it seemed more like a matter of seconds; I felt the vehicle’s vulnerability, the nagging possibility that Miller and Valasek could cut the puppet’s strings again at any time.

The hackers holding the scissors agree. “We shut down your engine—a big rig was honking up on you because of something we did on our couch,” Miller says, as if I needed the reminder. “This is what everyone who thinks about car security has worried about for years. This is a reality.”

Update 3:30 7/24/2015: Chrysler has issued a recall for 1.4 million vehicles as a result of Miller and Valasek’s research. The company has also blocked their wireless attack on Sprint’s network to protect vehicles with the vulnerable software.

1Correction 10:45 7/21/2015: An earlier version of the story stated that the hacking demonstration took place on Interstate 40, when in fact it was Route 40, which coincides in St. Louis with Interstate 64.

2Correction 1:00pm 7/27/2015: An earlier version of this story referenced a Range Rover recall due to a hackable software bug that could unlock the vehicles’ doors. While the software bug did lead to doors unlocking, it wasn’t publicly determined to exploitable by hackers.

Phreaked Out: Car Hacking

In this episode of “Phreaked Out,” top security researchers in the the field of car hacking highlight security holes in automobile technology. In the simplest terms, hackers have discovered how to unlock a vehicles doors and to relieve you of documents or valuables. However, the researchers show how an experienced hacker can access your vehicles main computer system and take remote access of the automobile, including steering, accelerating, braking and cutting the ignition.  These exploits have gone unaddressed by American  auto manufacturers who are becoming increasingly aware of the threat.

Counterintelligence: Elicitation Techniques

Download print version (pdf)

This brochure is an introduction to elicitation and elicitation techniques. Understanding the techniques and the threat may help you detect and deflect elicitation attempts.

Elicitation is a technique used to discreetly gather information. It is a conversation with a specific purpose: collect information that is not readily available and do so without raising suspicion that specific facts are being sought. It is usually non-threatening, easy to disguise, deniable, and effective. The conversation can be in person, over the phone, or in writing.

Conducted by a skilled collector, elicitation will appear to be normal social or professional conversation. A person may never realize she was the target of elicitation or that she provided meaningful information.

elicitation techniques brochure cover graphic: people talking outdoors.

Many competitive business intelligence collectors and foreign intelligence officers are trained in elicitation tactics. Their job is to obtain non-public information. A business competitor may want information in order to out-compete your company, or a foreign intelligence officer may want insider information or details on US defense technologies.

Elicitation Defined

The strategic use of conversation to extract information from people without giving them the feeling they are being interrogated.

Elicitation attempts can be simple, and sometimes are obvious. If they are obvious, it is easier to detect and deflect. On the other hand, elicitation may be imaginative, persistent, involve extensive planning, and may employ a co-conspirator. Elicitors may use a cover story to account for the conversation topic and why they ask certain questions.

Elicitors may collect information about you or your colleagues that could facilitate future targeting attempts.

Elicitation can occur anywhere— at social gatherings, at conferences, over the phone, on the street, on the Internet, or in someone’s home.

Elicitation is Not Rare

men talking

It is not uncommon for people to discover information about a person without letting on the purpose. For example, have you ever planned a surprise party for someone and needed to know their schedule, wish list, food likes and dislikes or other information without that person finding out you were collecting the information or for what purpose? The problem comes when a skilled elicitor is able to obtain valuable information from you, which you did not intend to share, because you did not recognize and divert the elicitation.

Why Elicitation Works

A trained elicitor understands certain human or cultural predispositions and uses techniques to exploit those. Natural tendencies an elicitor may try to exploit include:

  • A desire to be polite and helpful, even to strangers or new acquaintances
  • A desire to appear well informed, especially about our profession
  • A desire to feel appreciated and believe we are contributing to something important
  • A tendency to expand on a topic when given praise or encouragement; to show off
  • A tendency to gossip
  • A tendency to correct others
  • A tendency to underestimate the value of the information being sought or given, especially if we are unfamiliar with how else that information could be used
  • A tendency to believe others are honest; a disinclination to be suspicious of others
  • A tendency to answer truthfully when asked an “honest” question
  • A desire to convert someone to our opinion

For example, you meet someone at a public function and the natural getting-to-know-you questions eventually turn to your work. You never mention the name of your organization. The new person asks questions about job satisfaction at your company, perhaps while complaining about his job. You may think, “He has no idea where I work or what I really do. He’s just making idle chat. There’s no harm in answering.” However, he may know exactly what you do but he relies on his anonymity, your desire to be honest and appear knowledgeable, and your disinclination to be suspicious to get the information he wants. He may be hunting for a disgruntled employee who he can entice to give him insider information.


There are many elicitation techniques, and multiple techniques may be used in an elicitation attempt. The following are descriptions of some of those techniques.

Assumed Knowledge: Pretend to have knowledge or associations in common with a person. “According to the computer network guys I used to work with…”

Bracketing: Provide a high and low estimate in order to entice a more specific number. “I assume rates will have to go up soon. I’d guess between five and 15 dollars.” Response: “Probably around seven dollars.”

Can you top this? Tell an extreme story in hopes the person will want to top it. “I heard Company M is developing an amazing new product that is capable of …”

Confidential Bait: Pretend to divulge confidential information in hopes of receiving confidential information in return. “Just between you and me…” “Off the record…”

Criticism: Criticize an individual or organization in which the person has an interest in hopes the person will disclose information during a defense. “How did your company get that contract? Everybody knows Company B has better engineers for that type of work.”

people seated at outdoor cafe

Deliberate False Statements / Denial of the Obvious:Say something wrong in the hopes that the person will correct your statement with true information. “Everybody knows that process won’t work—it’s just a DARPA dream project that will never get off the ground.”

Feigned Ignorance: Pretend to be ignorant of a topic in order to exploit the person’s tendency to educate. “I’m new to this field and could use all the help I can get.” “How does this thing work?”

Flattery: Use praise to coax a person into providing information. “I bet you were the key person in designing this new product.”

Good Listener: Exploit the instinct to complain or brag, by listening patiently and validating the person’s feelings (whether positive or negative). If a person feels they have someone to confide in, he/she may share more information.

The Leading Question: Ask a question to which the answer is “yes” or “no,” but which contains at least one presumption. “Did you work with integrated systems testing before you left that company?” (As opposed to: “What were your responsibilities at your prior job?”)

Macro to Micro: Start a conversation on the macro level, and then gradually guide the person toward the topic of actual interest. Start talking about the economy, then government spending, then potential defense budget cuts, then “what will happen to your X program if there are budget cuts?” A good elicitor will then reverse the process taking the conversation back to macro topics.

Mutual Interest: Suggest you are similar to a person based on shared interests, hobbies, or experiences, as a way to obtain information or build a rapport before soliciting information. “Your brother served in the Iraq war? So did mine. Which unit was your brother with?”

Oblique Reference: Discuss one topic that may provide insight into a different topic. A question about the catering of a work party may actually be an attempt to understand the type of access outside vendors have to the facility.

Opposition/Feigned Incredulity: Indicate disbelief or opposition in order to prompt a person to offer information in defense of their position. “There’s no way you could design and produce this that fast!” “That’s good in theory, but…”

Provocative Statement: Entice the person to direct a question toward you, in order to set up the rest of the conversation. “I could kick myself for not taking that job offer.” Response: “Why didn’t you?” Since the other person is asking the question, it makes your part in the subsequent conversation more innocuous.

Questionnaires and Surveys: State a benign purpose for the survey. Surround a few questions you want answered with other logical questions. Or use a survey merely to get people to agree to talk with you.

Quote Reported Facts: Reference real or false information so the person believes that bit of information is in the public domain. “Will you comment on reports that your company is laying off employees?” “Did you read how analysts predict…”

Ruse Interviews: Someone pretending to be a headhunter calls and asks about your experience, qualifications, and recent projects.

finger on a keyboard

Target the Outsider: Ask about an organization that the person does not belong to. Often friends, family, vendors, subsidiaries, or competitors know information but may not be sensitized about what not to share.

Volunteering Information / Quid Pro Quo: Give information in hopes that the person will reciprocate. “Our company’s infrared sensors are only accurate 80% of the time at that distance. Are yours any better?”

Word Repetition: Repeat core words or concepts to encourage a person to expand on what he/she already said. “3,000 meter range, huh? Interesting.”


Deflecting Elicitation Attempts

Know what information should not be shared, and be suspicious of people who seek such information. Do not tell people any information they are not authorized to know, to include personal information about you, your family, or your colleagues.

You can politely discourage conversation topics and deflect possible elicitations by:

  • Referring them to public sources (websites, press releases)
  • Ignoring any question or statement you think is improper and changing the topic
  • Deflecting a question with one of your own
  • Responding with “Why do you ask?”
  • Giving a nondescript answer
  • Stating that you do not know
  • Stating that you would have to clear such discussions with your security office
  • Stating that you cannot discuss the matter

If you believe someone has tried to elicit information from you, especially about your work, report it to your security officer.

“If we desire respect for the law, we must first make the law respectable.” – U.S. Supreme Court Justice Louis D. Brandeis

%d bloggers like this: