On May 14, the Senate reauthorized the USA Freedom Act, which extends the expansive domestic surveillance powers contained in the Patriot Act.
The original Freedom Act had expired in March. Now that it has been reauthorized, it grants the FBI (and other law enforcement agencies) broad warrantless access to sensitive personal information, including Internet browsing and search history, for national security investigations.
This law restarts a massive domestic surveillance program that the US government can use to spy on its citizens with little oversight. This is a clear violation of the right to privacy.
Many articles have been written recently about this news, but few have analyzed the actual powers the legislation grants to surveillance agencies and what regular citizens can do to prevent their activities from being monitored. Here we break down what is happening, what you can do to protect your privacy, and how Proton products are designed to resist this type of intrusion.
What the Patriot Act means?
The reauthorized version of the Freedom Act is a continuation of the vast surveillance program that began under the Patriot Act. The original Patriot Act permitted the untargeted, bulk collection of a wide range of documents, records, and other kinds of personal data. The Patriot Act (specifically Section 215) allowed the collection of “…tangible things (including books, records, papers, documents, and other items) for an investigation to obtain foreign intelligence information.” This was the section that permitted the untargeted bulk data collection of phone call metadata that Snowden revealed in his 2013 whistleblower leaks.
The Freedom Act, which was signed in 2015 in response to the Snowden revelations, was designed to curtail some of the most flagrant abuses of the Patriot Act. It prohibits dragnet bulk data collection and introduces public advocates to FISA court proceedings who can argue against the proposed surveillance of individuals. (The FISA court, or Foreign Intelligence Service courts, oversees surveillance requests. Its proceedings are usually confidential.) However, Section 215 is still in force, which means that if the investigation pertains to national security, authorities can access vast amounts of your personal data, including your Internet browsing and search history.
The only check on the government’s surveillance powers is the supervision of the FISA court. This is a significantly lower threshold than a warrant. On May 13, the Senate rejected an amendment introduced by Senators Ron Wyden and Steve Daines that would have required authorities to get a warrant before they access your Internet browsing and search history. The final bill the Senate passed does contain an amendment (proposed by Senators Patrick Leahy and Mike Lee) that expands the role that outside legal experts can play in offering advice to the FISA court.
Still, Section 215 and the FISA courts represent grave threats to citizens’ privacy. They are also ineffective. One of the government’s own oversight boards found that information gathered under Section 215 has only led to one actionable lead in four years, and another study found that FISA courts have “widespread problems.”
The system is clearly broken.
How does this affect Proton?
As a Swiss company, we are not subject to US law. Any requests from US law enforcement must be reviewed and approved by the proper Swiss authorities before we can comply.
If the Swiss authorities do approve such a request, we must share the data they have requested. Because ProtonMail uses end-to-end encryption and zero-access encryption, we cannot access your messages, and because ProtonVPN has a strict no-logs policy, we have very little information to share. Proton also minimizes the amount of data we require to set up an account, and we allow users to make privacy-friendly payments via Bitcoin or cash.
US authorities could try to coerce the data centers that run our US VPN servers to give them access. However, because we do not keep logs of user activity, there is virtually no information on these servers that authorities could use. Still, we have implemented full-disk encryption on all our VPN servers, which secures all the software and configurations on them. This prevents the authorities from being able to steal servers’ certificates and redirect user traffic to servers they control.
Those that have additional privacy concerns can also connect to servers in the US via Secure Core, which routes your Internet traffic through a hardened server before sending it on to one of our VPN servers in the US. By routing your traffic through two VPN servers, you make it harder for authorities to match your online activity to your IP address.
How you can protect your privacy
There are practical steps you can take to prevent your data from being swept up in the US (or any other) government’s unwarranted surveillance, but first, you must understand who the government can collect what data from. Under Section 215, law enforcement authorities can go to your Internet service provider (ISP) and compel them to share your browsing history.
What your ISP can see depends on what precautions you take. If you visit an HTTP website (one that does not use transport layer security), your ISP will be able to see pretty much everything you do on that site. However, now that most Internet traffic is HTTPS-encrypted, your ISP’s view of your browsing is limited. If you visit a site that uses HTTPS, your ISP will only be able to see the DNS name and the IP address of the site you are on.
Example: You are reading this blog post at https://protonvpn.com/blog/patriot-act-surveillance. Because our website is HTTPS-encrypted, your ISP only sees that you are visiting https://protonvpn.com.
However, if you do not protect your DNS requests (e.g., by using DNS over HTTPS), your ISP will be able to figure out which pages you visited.
The easiest way to prevent Freedom Act surveillance is with a VPN
To protect your browsing history, use a trustworthy VPN service like ProtonVPN. When you connect to ProtonVPN, the only thing your ISP sees is that you are connected to one of our VPN servers. They cannot see what websites you visit while you are connected. We also encrypt your DNS requests so that no one can use them to figure out which sites you visited.
Authorities can also try to access personal data from services that track your online activity. These companies closely follow your browsing history by adding various trackers and beacons to the websites you visit. They use this information to show you targeted ads. While Google is the most prominent actor, it is not the only one. There are also many shady marketing companies that maintain massive databases and sell your data to third parties. Two good defenses against advertising cookies and trackers are the Privacy Badger (developed by the Electronic Frontier Foundation) and uBlock Origin tracker-blocking browser extensions. Together, these will block the majority of advertisers trying to track your browsing. (You can also turn on your browser’s Do Not Track option.) You should also use your browser’s Incognito Mode/Private Window feature. Your browser will forget the websites you visited and delete the cookies you accumulated once you close it if you use one of these private sessions.
To prevent authorities from accessing your search history, you should use a search engine that does not collect personal information, like duckduckgo.com.
Another way you can protect your privacy online is to connect to the Tor network using the Tor browser.
To recap, if you want to protect your data, you should:
- Use a trustworthy VPN, like ProtonVPN.
- Download Privacy Badger and uBlock Origin.
- Use the Incognito Mode/Private Window setting in your web browser.
- Use a privacy-focused search engine like DuckDuckGo.
- Or connect to the Tor network.
Privacy is a fundamental right
Renewing the Freedom Act without putting in place due process protections is a violation of the fundamental right to privacy. It enables the US government to spy on its citizens with little due process or oversight.
We understand the need for and support responsible law enforcement. Citizens everywhere deserve to live in safety and security on and offline, which requires diligent law enforcement. But writing laws that violate basic human rights is not a solution. On the contrary, such laws tend to erode the rule of law and typically foster bad practices, such as corruption.
This continues a troubling trend of Western democratic countries passing laws that flagrantly violate their citizens’ privacy. The UK’s Investigatory Powers Act, Australia’s Assistance and Access Bill, and the EU’s proposal for gathering electronic evidence are all backward steps that undermine the right to privacy, which is fundamental to maintaining any democracy.
Because the Senate added an amendment to the law, it must go back to the House of Representatives for approval. If you are a US citizen, you should call or write to your state representative to tell them that you support both the Wyden-Daines and Leahy-Lee amendments to H.R. 6172 – The USA FREEDOM Reauthorization Act of 2020.
While it is too late to prevent the reauthorization of the Freedom Act, if the House of Representatives adds the Wyden-Daines amendment to their version of the bill, it would force a second vote in the Senate. This means there is still a chance we can make authorities get a warrant before they access Internet browsing and search history. And the House needs to confirm the Leahy-Lee amendment to shed light into the FISA court process and let outside legal experts offer their assessments and advice.
In a way, the Patriot Act is responsible for the creation of Proton. After hearing the Snowden revelations, our founders were inspired to create a private email service that protects everyone’s communications. Now that the Patriot Act is being renewed, we are here to help our users protect their freedom and privacy.
Follow us on social media to stay up to date on the latest ProtonVPN releases:
To get a free ProtonMail encrypted email account, visit: protonmail.com