"The government has painted all this with a veneer of legality," said Trevor Timm, a digital rights analyst at EFF, "but in our minds, there is a huge question about whether it is lawful and constitutional. Even the author of the Patriot Act (U.S. Rep. Jim Sensenbrenner, R-Wisc.) says the phone metadata collection violates the law that he wrote."
Indeed, Sensenbrenner was quoted recently saying that the law was never intended to permit the kind of dragnet collection now ongoing, but to prevent it. He has said those defending it are "spewing a bunch of bunk."
Rebecca Herold, CEO of The Privacy Professor, agrees that "it certainly seems they are stretching applicability of the laws beyond the limits of their intentions," but added that part of the problem is that the laws "were already written in a very vague and subjective manner."
Timm said EFF has "huge problems with this law because it is targeted at groups instead of individuals. It's using a lower threshold than probable cause. And these cases are decided by the FISA court in complete secrecy with no opposing counsel, so there is no pushback. Beyond that, the authority of the FISA court is through sweeping legal opinions on the Fourth Amendment that the public hasn't seen. We just think that's not democratic."
Timm said privacy advocates are not at all surprised at the recent revelations, but said they carry more weight because they are not just the statements of whistleblowers, but actual government documents. He said that might allow cases challenging the law, and the interpretation of it, to go forward.
Herold said she is surprised that Microsoft agreed to decryption, which she said amounts to "tampering with files. That would be like not only stealing someone's locked diary, but also then taking it to the manufacturer of the diary and having them break the lock open for you."
Weis and Todd Thiemann, PrivateCore's vice president of marketing, said the company takes no position on the legitimacy of the laws now being used to compel online providers to allow government surveillance. But Weis said there is at least a way for end users to make the government come directly to them, rather than get their information from a service provider without their knowledge. His firm, through the use of virtualization and cryptography, "can take an untrusted server and create a secure environment on the CPU. The rest of the system can be compromised, but you'll still be protected."
That, he said, means not only that the end user has the encryption keys, but also that the government cannot get access to them by taking a snapshot of the server's memory.