I have been given permission by Daniel Melin, who works as a strategic advisor at Skatteverket (the Swedish IRS), to republish parts of his posts from his private LinkedIn page about the American surveillance act known as FISA702 and how it affects Swedish citizens. The text will be in translated form as I want to keep this blog in English.
What is FISA702 and why is it important enough for me to sit here on a Friday afternoon and write about it? A tl;dr version is that any data that is processed by an American company (regardless of potential citizenship or geolocation of the data) is by law allowed to be viewed or read by American three-letter agencies such as NSA, FBI, or CIA in its entirety, without any court order or obligation to inform the 'victim'. The victim here is a general term used to describe either an individual person, an organization, or a governmental institution.
The actual content of the law says:
Notwithstanding any other law, the President, through the Attorney General, may authorize electronic surveillance without a court order under this subchapter to acquire foreign intelligence information for periods of up to one year if the Attorney General certifies in writing under oath that the electronic surveillance is solely directed at the acquisition of the contents of communications transmitted by means of communications used exclusively between or among foreign powers, as defined in section 1801(a) (1), (2), or (3) of this title.
An electronic surveillance authorized by this subsection may be conducted only in accordance with the Attorney General’s certification and the minimization procedures adopted by him.
With respect to electronic surveillance authorized by this subsection, the Attorney General may direct a specified communication common carrier to:
(A) furnish all information, facilities, or technical assistance necessary to accomplish the electronic surveillance in such a manner as will protect its secrecy and produce a minimum of interference with the services that such carrier is providing its customers; and
(B) maintain under security procedures approved by the Attorney General and the Director of National Intelligence any records concerning the surveillance or the aid furnished which such carrier wishes to retain.
FISA702
Let's summarize so far: without any court approval or responsibility to inform, the NSA is allowed to carry out data collection and espionage targeting foreign countries via American companies and then store the data for as long as it wants.
The motive and purpose of the law can be read in the FISA Amendments Act of 2008, Section 702:
One of the primary purposes in enacting the FAA was the creation of a new way for the US Government to compel providers of electronic communications services to assist the Government in acquiring foreign intelligence information concerning non-US persons located outside the United States.
Certification 2008-A: Targeting Directed at Foreign Governments and Similar Entities
This collection will be accomplished by a variety of means at switches and other parts of the infrastructure of companies that provide electronic communications services to people abroad from within the United States.
The collection will seek to acquire foreign intelligence information concerning foreign governments, factions thereof and similar types of entities, and also states that a list of the entities that will be targeted is included as “Exhibit F” **
NSA may disseminate to CIA unevaluated data that comes from collection pursuant to this certification and that CIA requests in order to carry out its clandestine espionage and counterintelligence activities abroad.
NSA may also disseminate to FBI, at FBI’s request, unevaluated data that comes from collection pursuant to this certification.
** Sweden is one of the countries included in “Exhibit F”
So any American company is obliged to aid the NSA in collecting the data, which can thereafter be freely shared with the CIA and FBI, in addition to being stored indefinitely.
What does it mean for individuals?
In short, if you live with modern technology that has any ties to an American company, you are lawfully under surveillance by a foreign state. Google Home? Microphones that always listen to you. Smartphones with cameras? Cozy.
What does it mean from a nation state perspective?
Any state using Windows, Microsoft OneDrive, Google Drive, or any other cloud storage alternative doesn't have anything to hide. Not anymore, at least. And the cherry on top? The citizens of the state pay for the service.
What does it mean for companies with regard to R&D, business, and trade secrets?
That theft of technology and trade secrets is now legal as long as it touches American technology for either communication or storage.
This is the ugly truth of FISA702.
Given FISA702, any American company operating within tech or cloud will never be able to comply with Article 28.1 of the GDPR, nor with Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union, which provide that everyone has the right to the protection of personal data concerning him or her.


