[Editor’s Note: Just Security has been closely following the congressional proposals, including the USA FREEDOM Act, introduced in recent months aimed to curb the administration’s surveillance authorities.  Today, Harley Geiger of the Center for Democracy and Technology (CDT) writes in to explain why CDT and other privacy groups have dropped their support for the USA FREEDOM Act.  Also, don’t miss Jennifer Granick’s post from earlier today on how Congress has watered down the current reform proposal.]

The Center for Democracy & Technology, the Electronic Frontier Foundation, FreedomWorks, New America Foundation’s Open Technology Institute, Access, and other groups, have all publicly withdrawn their support of the USA FREEDOM Act (H.R. 3361). This is disappointing as many civil liberties groups strongly supported USA FREEDOM since its introduction last year.

The major sticking point for many of the groups is how the bill’s definition of “specific selection term” recently changed in the Rules Committee Manager’s Amendment. The version of USA FREEDOM that unanimously passed the House Judiciary Committee (HJC) and the House Permanent Select Committee on Intelligence (HPSCI) included a prohibition on bulk collection that rested heavily on this definition. Under the bill as reported by HJC and HPSCI, the government must base its demands for records on “specific selection term” when it is seeking information under Section 215 of the PATRIOT Act (50 U.S.C. 1861) and the pen/trap statute (50 U.S.C. 1842) – the authorities that the government previously used for nationwide collection of Americans’ phone and email records. The bill also extended this requirement to national security letter authorities.

As reported unanimously by House Judiciary and HPSCI, the definition was relatively clear and limited: Specific selection term was defined as “a term used to uniquely describe a person, entity, or account.” Though “entity” was a bit ambiguous, the civil liberties groups still felt that this was a reasonably effective ban on large-scale collection.

However, that definition was significantly watered down in a substitute amendment adopted by the House Rules Committee – the last stop before the Floor vote. The new definition is much more ambiguous: “Specific selection term means a discrete term, such as a term specifically identifying a person, entity, account, address, or device, used by the Government to limit the scope of information or tangible things sought pursuant to the statute authorizing the provision of such information or tangible things to the Government.”

What does that mean? Quite frankly, no one is entirely sure what this definition would authorize and prohibit. That’s the point. It’s deliberately ambiguous and open-ended. At its core, the definition boils down to “a distinct term used by the Government to limit the scope of information sought.” There’s no clear indication in the bill as to how much of a limit is required.

The ambiguity would not be so problematic if the government did not have a track record of creatively interpreting statutory language to broaden its surveillance activities – just as the government interpreted the phrase “relevant to an investigation” in Section 215 of the PATRIOT Act to authorize the collection of phone and email records of virtually everyone in the United States.

This new version of USA FREEDOM might still prohibit nation-scale collection of information such as the NSA’s telephony metadata program, because it’s difficult to argue that such broad collection is really limited. If nationwide surveillance is how one defines “bulk collection” – and it is for some lawmakers – then the bill probably ends “bulk collection.” However, the government can exploit the ambiguity of the new definition of “specific selection term” to authorize unacceptably large-scale surveillance.

For example, it’s entirely unclear whether the new definition of “specific collection term” would allow the government to use a state, city, or zip code as the basis for production of information. If the government demanded the email records of everyone in Salt Lake City, Utah, would that not be a limit on the scope of collection, as compared to nationwide surveillance? If the bill prohibits surveillance on that large a scale, it does not do so clearly, and clarity matters.

Adding the word “device” to the definition of “specific selection term” also opens up the potential for collection of large amounts of Internet communications that are not related to the particular target. For example, email messages pass through routers – which qualify as “devices” – as they traverse the Internet to their destination. The path an email takes is reflected in the routing information that accompanies the email, and that routing information can be used to identify the routers that handled the message. Some routers can handle the email messages of thousands, perhaps millions, of people. So permitting collection by device identifier does not effectively limit collection to particular targets or those targets’ personal devices.

Adding the word “address” to the definition of “specific collection term” creates additional ambiguity because it may include IP address. IP addresses once typically identified only one computer connected to the Internet. Today, though, many computers and users may be assigned a single IP address. For example, a Network Address Translation device used by Internet service providers can include thousands of the ISP’s users. If the bill meant to limit “address” to physical address, then this should be made clear.

Aside from the definition of “specific selection term,” the amended bill now includes ambiguous new minimization procedures for Section 702 of FISA (50 U.S.C. 1881a) – the legal basis for the PRISM and UPSTREAM programs – that arguably do more harm than good. They provide for minimization of communications that are “about” a target, as well as communications to or from the target. Contrary to the views of the FISA Court, Section 702 does not explicitly authorize collection of communications “about” a target, and none of the debate in Congress at the time this law was adopted suggests that it was designed to collect information other than communications to or from the target. Collecting communications “about” a target is done upstream by searching the communications of entire streams of Internet traffic for the target identifier. Under Section 702 of FISA, this is done without probable cause or permission of a judge. Instead of referring to Section 702 “about” collection in this bill, which implicitly signals Congress’ acquiescence to this kind of surveillance, Congress should clearly outlaw it in subsequent legislation.

But it’s too late to make more clarifications and substantive improvements in the House. The bill is headed for a House Floor vote less than 48 hours after it was significantly weakened. The full House will not have the opportunity to vote whether to keep the stronger language that unanimously passed out of HJC and HPSCI. A straight up or down vote on an ambiguous reform is all the House gets on an issue that sparked an international scandal.

Is this amended bill better than the status quo? Yes, but only because we learned this year how bad the status quo really is. It will likely be several years, if ever, before we learn what the new status quo will become.