
Government Surveillance

A Trojan Horse in a House Intel Committee Bill Massively Expands FISA 702 Surveillance

Snuck into the bill is text that could conscript a huge range of businesses for mass surveillance

Tucked away near the end of the bill the House Intelligence Committee reported on December 7 (H.R. 6611, the “HPSCI bill”) is a provision that would dramatically expand surveillance under the controversial Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”), which sunsets on December 31 unless reauthorized. Section 504 of the bill, innocuously captioned “Definition of Electronic Communications Service Provider,” would expand the types of entities that can be compelled to disclose internet communications whether in storage or in transit.

FISA 702 permits the U.S. government to compel communication service providers to disclose for foreign intelligence purposes the communications of persons reasonably believed to be non-U.S. persons abroad. No warrant is required; a belief that the communications relate to U.S. foreign affairs or national security is sufficient. Under current FISA 702, only entities that provide communication services like email, calls, and text messaging can be compelled to disclose these communications.

As FISA Court amicus and longtime practitioner Marc Zwillinger and his colleague Steve Lane have already noted, the HPSCI bill would upend the current system, enabling the government to compel anyone with mere access to the equipment on which such communications are stored or transmitted to disclose those communications. That could include personnel at coffee shops that offer WiFi to their customers, a town library that offers public computer internet services, hotels, shared workspaces, landlords and even Airbnb hosts that offer WiFi to the people who stay there, cloud storage services that host but do not access data, and large data centers that rent out computer server space to their clients.

The provision is intended to reverse a rare decision of the FISA Court of Review (FISCR), which had rejected the government’s claim that a service that a company provided fit within the scope of Section 702. In its effort to override the FISCR ruling, the HPSCI bill has opened Pandora’s Box.

Because FISA 702 does not merely give the government power to compel production of communications but rather to require that businesses “provide the Government with all information, facilities, or assistance necessary to accomplish the acquisition,” [emphasis supplied] the government could use this new section to compel changes to the infrastructure and operations of some of the business entities listed above. For example, a provider of computer co-location services whose business model is to rent out and to service space on which its clients place their computer servers could be compelled to engineer its service to facilitate such access. In addition, because the HPSCI bill’s expansion is designed to pull in entities that do not currently even have access to communications, the extent of this forced restructure could be severe.

Such a shift not only affects American businesses, it is also likely to spur overcollection and improperly sweep in Americans’ communications. The expansion would likely facilitate compelled “Upstream” collection from these entities, a technique in which the government demands access to the entire stream of communications data, rather than obtaining only the communications to and from surveillance targets. It may be difficult for businesses that have access to equipment on which communications are stored and transmitted, but have never had to access the communications themselves, to ensure that only the data of Section 702 targets is turned over to the government. Instead, they may be compelled to turn over entire communication streams or permit the copying and dragnet scanning of all the data on a server they host. Upstream collection performed by sophisticated giant telcos who operate the Internet backbone already has a fraught history of overcollection, including sweeping in wholly domestic communications (such as through multi-communication transaction and “Abouts” collection). Forcing businesses that do not by practice even access communications to comply with FISA 702 orders—including Upstream orders—is reckless, and very likely to cause domestic communications to be improperly collected.

Finally, this provision will deal a serious blow to the global competitiveness of U.S. businesses. U.S. intelligence surveillance reform has generally moved towards restricting unnecessary collection. Centering intelligence surveillance on specific intelligence needs as opposed to dragnet surveillance allows American businesses to attract a global user base without compromising security. The signals intelligence executive order that President Biden issued in October of last year is an example of this trend.

The HPSCI bill takes intelligence surveillance reform in the opposite direction. By expanding the obligation to assist with warrantless surveillance to any entity that can access equipment that stores or transmits communications, it puts some large U.S. players in the data business at risk. Their global customers, knowing that this expansion of the law will subject the data they store with U.S. businesses to warrantless government access, will find other equipment providers in other countries with whom to store their data.

Despite subtly framing itself as an innocuous provision that would add a short technical line to the definition of “Electronic Communications Service Provider,” Sec. 504 of the HPSCI bill drastically expands FISA 702 surveillance, harming a wide swath of American businesses as well as endangering the privacy of Americans’ communications. Congress should reject this measure, and the HPSCI bill as a whole, which expands FISA surveillance precisely when it should be reformed and reined in.