Supreme Court Undermines Section 702
Supreme Court Undermines Section 702
A new U.S. Supreme Court decision could undermine the flow of Section 702 intelligence collection from Europe.
Section 702 allows the U.S. government to collect intelligence on people outside the U.S. with compelled help from communication service providers and is regarded as the crown jewel of American foreign intelligence collection.
Since 2000, successive data sharing agreements have facilitated transatlantic commerce by allowing the legal transfer of personal data from the EU to the United States. Section 702 collection from Europe relies on these data flows, and the intelligence program has been at the heart of legal challenges to the data sharing agreements.
The underlying principle on the EU side is that European companies should be able to transfer data overseas only if the recipient country has "essentially equivalent" privacy protections. More than 3,600 U.S. businesses are active in the current data sharing program.
Enter the U.S. Supreme Court, which ruled late last month that President Trump acted legally when he fired Commissioner Rebecca Slaughter without cause from the notionally independent Federal Trade Commission (FTC).
The Court decided that a law that stated commissioners could be removed only for "inefficiency, neglect of duty, or malfeasance in office" was unconstitutional.
As a result of this decision, Austrian privacy advocate Max Schrems, whose legal challenges have resulted in two previous EU-U.S. data sharing agreements being kiboshed, has taken aim at the current agreement, the EU-U.S. Data Privacy Framework (DPF).
Schrems argues that the Supreme Court's decision means "any independent executive authorities in the U.S. are unconstitutional." We never went to law school, but being able to fire people willy-nilly does seem to undermine the idea of an independent body.
The ramifications of the decision for EU-U.S. data transfers are potentially far-reaching.
One underlying requirement of the European Charter of Fundamental Rights is that personal data protections are "subject to control by an independent authority."
The European Commission implementing decision, which effectively endorses the DPF, specifically names the FTC and the U.S. Department of Transportation as certified organizations.
We'd be hard-pressed to argue that federal U.S. privacy protection law is as strong as Europe's, but since the 2000s the European Commission and the U.S. government have bent over backward to devise schemes that facilitate data flows.
This is illustrated by the two governments’ consistent efforts to create new schemes after previous iterations are struck down by European courts. It's a flat circle:
- The U.S. government and the European Commission develop and implement a new data transfer agreement.
- Max Schrems challenges the agreement in the Court of Justice for the European Union (CJEU).
- He wins.
- The scheme is invalidated.
- Proceed to step 1.
The CJEU invalidated Safe Harbor, the first such scheme, in 2015 and the second, Privacy Shield, in 2020.
The court is particularly concerned about protecting European citizens from U.S. intelligence collection activities. In the Schrems II decision that struck down Privacy Shield, the court noted that European citizens had no way to appeal U.S. Section 702 foreign intelligence collection in an "actionable" way before an independent court.
From the perspective of an American intelligence professional, this is ridiculous. Why should intelligence collection targets have judicial rights of appeal?
Even so, President Biden's administration tried to balance U.S. signals intelligence (SIGINT) collection against European human rights protections.
In 2022, Biden issued Executive Order 14086 on "Enhancing Safeguards for United States Signals Intelligence Activities." The executive order defined permitted national security objectives; explicitly ruled out some activities; required that everyone's privacy and civil liberties rights be taken into account, including those of foreigners; and mandated that intelligence collection be necessary and proportionate to meet a validated intelligence priority.
The executive order also set up a review and redress mechanism, the Data Protection Review Court. Although classification issues meant the court was unlikely to provide a complainant with a substantive response, its rulings were binding on the intelligence community.
The latest annual report of the U.S. intelligence community's Office of Civil Liberties, Privacy, and Transparency recorded just a single European complaint being made per this executive order in 2024.
At the time the executive order was issued, we called it "Kafkaesque, but good." In our view, it wouldn't materially change U.S. intelligence collection practices, but it reinforced that the U.S. and the EU had similar underlying principles of what constituted acceptable intelligence collection. From our article on the executive order (EO):
The EO explicitly prohibits certain SIGINT activities including suppressing legitimate privacy interests, suppressing dissent or free expression, and disadvantaging persons based on their "ethnicity, race, gender, gender identity, sexual orientation, or religion." It also rules out collection of "foreign private commercial information or trade secrets to afford a competitive advantage to United States companies and United States business sectors commercially."
So much of what is normal for Chinese APTs is explicitly banned! What would their APT crews do if they were banned from targeting Uyghurs, the Hong Kong protest movement and companies for intellectual property theft? They'd have to get new jobs!
We don't think U.S. intelligence collection practices have changed all that much in recent years, but there are good reasons to doubt the Trump administration's commitment to independent oversight.
When it comes to intelligence oversight, Trump dismissed three Democratic members of the Privacy and Civil Liberties Board (PCLOB) in January 2025, leaving it with just a single Republican member and consequently without a quorum. The PCLOB oversees the Data Protection Review Court and is one of the *ahem* "independent bodies" that the European Commission cited in its decision to approve the DPF.
Couple the Trump administration's actions with the Supreme Court's recent decision and we can see there might be reasons for concern. Schrems will also argue that this is a constitutional clash: EU treaty law demands independent supervisory authorities, but the U.S. Constitution now prohibits them.
Not everyone agrees with Schrems's argument, however. Austin Mooney, international privacy and cybersecurity partner at the law firm Dechert in Washington D.C., told Seriously Risky Business that he thought that it "seems like a stretch." Mooney says that the FTC's independence was not a central feature of the DFP or even of past efforts to challenge data transfers.
Mooney added that Schrems "has a strong track record" challenging these frameworks, so both European and U.S. companies will be watching closely to see if current data transfer arrangements are once again thrown into disarray.
Another round in the on-again, off-again EU-U.S. data transfer agreement merry-go-round is kicking off.
CSE Tiptoes Out of the Cyber Closet
Canada's signals intelligence agency has taken another step forward in normalizing its use of offensive cyber capabilities by making more comprehensive disclosures than ever before in its latest annual report.
According to legislation that defines Communications Security Establishment Canada's (CSE) functions, active cyber operations "degrade, disrupt, influence, respond to or interfere with the capabilities, intentions or activities of a foreign individual, state, organization or terrorist group as they relate to international affairs, defence or security." These are also known variously in the Five Eyes as offensive cyber operations or cyber effects.
In this year's annual report, CSE details three such operations.
In the first operation, CSE worked with Five Eyes partners and law enforcement against a "notorious" ransomware-as-a-service group. Its operation disabled the group's infrastructure and deleted a large amount of stolen data advertised for sale on the dark web.
CSE also conducted operations to disrupt the trade in fentanyl precursors into Canada. The organization used its foreign intelligence capabilities to locate cybercriminals outside the country who were brokering the sale of precursor chemicals. It then used active cyber operations that "disrupted and diminished their ability to operate."
The report implied that CSE collected intelligence to identify key points of leverage so that this cyber operation could get the most bang for its buck.
In the final case study, CSE tackled a foreign extremist group spreading violent ideology and seeking to recruit Canadians to its cause. CSE says it used its SIGINT capabilities to analyze the group for weaknesses that could be used to disrupt its operations. It says that its cyber operation "successfully undermined the group’s credibility and limited their ability to radicalise and recruit new members."
These case studies sound similar in many ways to other Five Eyes operations. Last year Australia revealed a similar action targeting Russian bulletproof hosting company Zservers. Like CSE's various efforts, Australia's operation involved meticulous research and planning to get the biggest bang for its buck … it wiped Zservers's computers while its employees were out drinking so that the company's incident response would be impeded.
But while the operations themselves appear to share the same meticulous approach, how they are revealed to the public could not be more different.
Starting with its 2023-2024 report, the CSE began describing active cyber operations, increasing the level of detail in each subsequent report. That first report noted the organization had carried out a series of active operations that "helped to tackle cybercrime at its roots."
The sky didn’t fall in, so the 2024-2025 report included a bit more information. It said the organization used active cyber operations to counter a violent extremist organization, including by "damag[ing] the credibility and influence of key group leaders, reducing their ability to inspire and lead."
By contrast, Australian disclosures have been a bit more colorful, coming to light either in speeches or through the media via feature reports or documentaries. We do love the insights these types of disclosures provide.
But … why can't we have both—the media features that paint a striking picture of impressive, carefully orchestrated takedowns and annual reports that make the operations seem just another part of the daily grind?
Three Reasons to Be Cheerful This Week:
- ClickFix protection comes to the Opera browser: Opera announced it has rolled out protections against ClickFix attacks that compromise users by convincing them to execute malicious code on their own computers by pasting it from the clipboard into a terminal window. Opera's browser will intercept malicious commands and stop them from ending up in the clipboard. The uBlock origin ad blocker has also added some rules to stop ClickFix popups.
- CISA gets Mythos: The U.S. cybersecurity agency is using Anthropic's Mythos artificial intelligence (AI) model to audit government software for vulnerabilities, as reported by Reuters. These audits have already uncovered many vulnerabilities, per Reuters sources. Welcome to the bugpocalypse, CISA!
- Restaffing CISA may be on the cards: Over the past couple of weeks there have been a number of stories indicating that maybe the Trump administration will increase staffing levels at CISA. It's almost as if a once-in-a-lifetime avalanche of AI-discovered vulnerabilities may require more, not fewer, personnel to address.
Risky Biz Talks
In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq discuss the growing delta between lots and lots of bugs being discovered and the number of devastating hacks.
From Risky Bulletin:
All new cars to include a camera aimed at the driver's face: All new cars manufactured and sold in the EU and U.S. will have to include a mandatory infrared camera aimed at the driver's face, alarming some privacy groups.
The infrared camera tracks the driver's head position and eye movements and provides an alert when it registers the eyes going off the road.
The new regulation came into effect in the EU on Monday and will start next year in the U.S. In the EU, the new camera requirement is part of the bloc's second General Safety Regulation (GSR2), a broader swath of new safety rules introduced for the auto industry and designed to improve road safety.
[more on Risky Bulletin]
Android drops PIN guessing limit from 1,800 attempts to 20: Android 17, released last month, has shipped with stricter protections against lockscreen PIN and password guessing attacks.
Google has reduced the maximum number of failed attempts from 1,800 to 20, and the timeouts between failed attempts are now considerably more aggressive.
[more on Risky Bulletin]
FatFs bugs enable physical access attacks on a load of devices: The developers of a lot of industrial gear and smart devices will have their work cut out for them over the coming months and years to deploy protections against a set of newly discovered and unpatched bugs in the FatFs filesystem driver.
The seven bugs, discovered by security firm runZero, can allow an attacker to use a crafted filesystem image to cause a memory corruption that runs malicious code to jailbreak a targeted device.
All devices that use FatFs for their filesystems are impacted.
[more on Risky Bulletin]
