On May 14, the Senate reauthorized the USA Freedom Act, which extends the expansive domestic surveillance powers contained in the Patriot Act.
The original Freedom Act had expired in March. Now that it has been reauthorized, it grants the FBI (and other law enforcement agencies) broad warrantless access to sensitive personal information, including Internet browsing and search history, for national security investigations.
This law restarts a massive domestic surveillance program that the US government can use to spy on its citizens with little oversight. This is a clear violation of the right to privacy.
Many articles have been written recently about this news, but few have analyzed the actual powers the legislation grants to surveillance agencies and what regular citizens can do to prevent their activities from being monitored. Here we break down what is happening, what you can do to protect your privacy, and how Proton products are designed to resist this type of intrusion.
What the Patriot Act means?
The reauthorized version of the Freedom Act is a continuation of the vast surveillance program that began under the Patriot Act. The original Patriot Act permitted the untargeted, bulk collection of a wide range of documents, records, and other kinds of personal data. The Patriot Act (specifically Section 215) allowed the collection of “…tangible things (including books, records, papers, documents, and other items) for an investigation to obtain foreign intelligence information.” This was the section that permitted the untargeted bulk data collection of phone call metadata that Snowden revealed in his 2013 whistleblower leaks.
The Freedom Act, which was signed in 2015 in response to the Snowden revelations, was designed to curtail some of the most flagrant abuses of the Patriot Act. It prohibits dragnet bulk data collection and introduces public advocates to FISA court proceedings who can argue against the proposed surveillance of individuals. (The FISA court, or Foreign Intelligence Service courts, oversees surveillance requests. Its proceedings are usually confidential.) However, Section 215 is still in force, which means that if the investigation pertains to national security, authorities can access vast amounts of your personal data, including your Internet browsing and search history.
The only check on the government’s surveillance powers is the supervision of the FISA court. This is a significantly lower threshold than a warrant. On May 13, the Senate rejected an amendment introduced by Senators Ron Wyden and Steve Daines that would have required authorities to get a warrant before they access your Internet browsing and search history. The final bill the Senate passed does contain an amendment (proposed by Senators Patrick Leahy and Mike Lee) that expands the role that outside legal experts can play in offering advice to the FISA court.
Still, Section 215 and the FISA courts represent grave threats to citizens’ privacy. They are also ineffective. One of the government’s own oversight boards found that information gathered under Section 215 has only led to one actionable lead in four years, and another study found that FISA courts have “widespread problems.”
The system is clearly broken.
How does this affect Proton?
As a Swiss company, we are not subject to US law. Any requests from US law enforcement must be reviewed and approved by the proper Swiss authorities before we can comply.
If the Swiss authorities do approve such a request, we must share the data they have requested. Because Proton Mail uses end-to-end encryption and zero-access encryption, we cannot access your messages, and because Proton VPN has a strict no-logs policy, we have very little information to share. Proton also minimizes the amount of data we require to set up an account, and we allow users to make privacy-friendly payments via Bitcoin or cash.
Detailed information is available in our privacy policy for Proton Mail and Proton VPN.
US authorities could try to coerce the data centers that run our US VPN servers to give them access. However, because we do not keep logs of user activity, there is virtually no information on these servers that authorities could use. Still, we have implemented full-disk encryption on all our VPN servers, which secures all the software and configurations on them. This prevents the authorities from being able to steal servers’ certificates and redirect user traffic to servers they control.
Those that have additional privacy concerns can also connect to servers in the US via Secure Core, which routes your Internet traffic through a hardened server before sending it on to one of our VPN servers in the US. By routing your traffic through two VPN servers, you make it harder for authorities to match your online activity to your IP address.
How you can protect your privacy
There are practical steps you can take to prevent your data from being swept up in the US (or any other) government’s unwarranted surveillance, but first, you must understand who the government can collect what data from. Under Section 215, law enforcement authorities can go to your Internet service provider (ISP) and compel them to share your browsing history.
What your ISP can see depends on what precautions you take. If you visit an HTTP website (one that does not use transport layer security), your ISP will be able to see pretty much everything you do on that site. However, now that most Internet traffic is HTTPS-encrypted, your ISP’s view of your browsing is limited. If you visit a site that uses HTTPS, your ISP will only be able to see the DNS name and the IP address of the site you are on.
Example: You are reading this blog post at https://protonvpn.com/blog/patriot-act-surveillance. Because our website is HTTPS-encrypted, your ISP only sees that you are visiting https://protonvpn.com.
However, if you do not protect your DNS requests (e.g., by using DNS over HTTPS), your ISP will be able to figure out which pages you visited.
The easiest way to prevent Freedom Act surveillance is with a VPN
To protect your browsing history, use a trustworthy VPN service like Proton VPN. When you connect to Proton VPN, the only thing your ISP sees is that you are connected to one of our VPN servers. They cannot see what websites you visit while you are connected. We also encrypt your DNS requests so that no one can use them to figure out which sites you visited.
Authorities can also try to access personal data from services that track your online activity. These companies closely follow your browsing history by adding various trackers and beacons to the websites you visit. They use this information to show you targeted ads. While Google is the most prominent actor, it is not the only one. There are also many shady marketing companies that maintain massive databases and sell your data to third parties. Two good defenses against advertising cookies and trackers are the Privacy Badger (developed by the Electronic Frontier Foundation) and uBlock Origin tracker-blocking browser extensions. Together, these will block the majority of advertisers trying to track your browsing. (You can also turn on your browser’s Do Not Track option.) You should also use your browser’s Incognito Mode/Private Window feature. Your browser will forget the websites you visited and delete the cookies you accumulated once you close it if you use one of these private sessions.
To prevent authorities from accessing your search history, you should use a search engine that does not collect personal information, like duckduckgo.com.
Another way you can protect your privacy online is to connect to the Tor network using the Tor browser.
To recap, if you want to protect your data, you should:
- Use a trustworthy VPN, like ProtonVPN.
- Download Privacy Badger and uBlock Origin.
- Use the Incognito Mode/Private Window setting in your web browser.
- Use a privacy-focused search engine like DuckDuckGo.
- Or connect to the Tor network.
Privacy is a fundamental right
Renewing the Freedom Act without putting in place due process protections is a violation of the fundamental right to privacy. It enables the US government to spy on its citizens with little due process or oversight.
We understand the need for and support responsible law enforcement. Citizens everywhere deserve to live in safety and security on and offline, which requires diligent law enforcement. But writing laws that violate basic human rights is not a solution. On the contrary, such laws tend to erode the rule of law and typically foster bad practices, such as corruption.
This continues a troubling trend of Western democratic countries passing laws that flagrantly violate their citizens’ privacy. The UK’s Investigatory Powers Act, Australia’s Assistance and Access Bill, and the EU’s proposal for gathering electronic evidence are all backward steps that undermine the right to privacy, which is fundamental to maintaining any democracy.
Because the Senate added an amendment to the law, it must go back to the House of Representatives for approval. If you are a US citizen, you should call or write to your state representative to tell them that you support both the Wyden-Daines and Leahy-Lee amendments to H.R. 6172 – The USA FREEDOM Reauthorization Act of 2020.
While it is too late to prevent the reauthorization of the Freedom Act, if the House of Representatives adds the Wyden-Daines amendment to their version of the bill, it would force a second vote in the Senate. This means there is still a chance we can make authorities get a warrant before they access Internet browsing and search history. And the House needs to confirm the Leahy-Lee amendment to shed light into the FISA court process and let outside legal experts offer their assessments and advice.
In a way, the Patriot Act is responsible for the creation of Proton. After hearing the Snowden revelations, our founders were inspired to create a private email service that protects everyone’s communications. Now that the Patriot Act is being renewed, we are here to help our users protect their freedom and privacy.
Follow us on social media to stay up to date on the latest Proton VPN releases:
Twitter | Facebook | Reddit | Instagram
To get a free Proton Mail encrypted email account, visit: proton.me/mail
I’m an American. My whole life has been lived here. Even now, with all this lasting covid, fear-based nonsense, our privacy has little to no meaningful protections from the FBI and their satellite entities (individual state bureaus of investigation, local law enforcement signatories and private duty surveillance subcontracts like MVTrace) …. I spent half of the day today troubleshooting companies like schoology and google who have no respect for privacy and thwart every other attempt I make to encrypt my daughters data and network traffic during this virtual school nonsense. Her school experience is, thanks to google largely data non-protected while she is required by law to be logging in from home instead of being present and social like normal, functional humans should be doing. So I routed all of it through a ProtonVPN-configured router and a proton vpn server not far from where I live. Schoology is turning off her login periodically because they don’t like it. It makes me crazy, and I’m not exposing her data. Thanks so much to you guys at proton vpn for what you do and for allowing me a few shreds of privacy and dignity, if only from my ISP and some others. If I had it my way I’d be in Switzerland raising my daughter.
As an American, I am grateful for the services your company provides. Congress, as usual, continues to show a blatant disregard for the privacy of its citizens. It’s more important than ever that those who are aware of the problems have the necessary tools available to protect their rights, such as the right to privacy. It’s clear that the US will not be following in the steps of Europe and adopting an equivalent of the GDPR anytime soon.
Hello Axel,
You make a good point. The US is woefully behind the EU and other countries (like Brazil) when it comes to giving users more control over how their data is used. The GDPR is far from perfect, but it has been a step in the right direction. Unfortunately, the US seems to be going further in the wrong direction. Between the reauthorization of the Patriot Act and the two bills currently in the US Congress (EARN IT and the LAED Act), privacy is under attack in the US. All Americans that are concerned should reach out to their representatives and remind them that the right to privacy is one of the corner stones of a strong, healthy democracy.
I’m new to Protonmail; my web browser is Safari. You recommend Incognito Mode/Private window setting, Privacy Badger and uBlock origin for more private browsing. Can you tell me how to accomplish this?
I guess this is more of a ProtonMail question than ProtonVPN, but pertains to this act. If I send encrypted emails via ProtonMail and my recipient is not using ProtonMail, will authorities be able to see my messages if they seize my recipient’s information?
Yes, if your recipient’s service provider is ordered to provide decrypted emails to the authorities, they will be able to see your messages as well. (That is, unless you are using our “Encrypt to Outside” feature.) However, if both you and your recipient use ProtonMail, the messages will be automatically end-to-end encrypted and Proton will not have the technical ability to decrypt your messages. And both of your mailboxes will be stored in Switzerland, under the protection of Swiss privacy laws.
I can not thank Protonmail VPN enough for giving us these servers in order to preserve some form of freedom and thank you for posting your opinions on the unbelievable abuse of power by western countries, in particular, the United States, where I reside.
In a once free, and open society, a democrat-republic Jefferson wrote of, what I assumed was a beacon of human rights, one of the most free countries in the world, it seems the only one’s enjoying these given rights is Congress, the agencies and department of defense, as well as Silicon Valley, and all contractual counterparts such as IARPA and DARPA/FEISTA (JAPAN).
What was Congress thinking, when selling out the American people, yet standing before C-SPAN Live, camera’s rolling, portraying themselves as representatives of the Constitution and the American people they we’re elected to represent and serve? I’m utterly ashamed, embarrassed and disgusted that the Patriot Act was even considered.
I sincerely extend my apologies to the rest of the world. As an American, I did not pay enough attention to the political events occurring in my nation’s capitol. It’s a true disgrace by a nation of traitors to mine and every American’s Constitution and Bill of Rights. Human rights be damn.
Useful info, and I’ve already implemented many of the steps outlined: am a happy ProtonVPN & email paid subscriber, I use Privacy Badger, and I use the Brave Browser.
But the biggest thumbs up: Digital Privacy IS A FUNDAMENTAL RIGHT!
Thanks for your hard work.
thank you for the update! I am happy to be a paying customer for Proton products. And this; by and far, has become a more crucial product then ever before.
Thanks Proton!