FISA 702: What Happened and What’s Next
It’s official: Section 702 of FISA has been extended until 2023. As we discuss below, the reauthorizing legislation made minimal changes to the statute but will provide transparency about how it has been and will be used going forward. We hope that the forthcoming information will support more substantive reform when Congress revisits the law six years from now, if not sooner. In fact, with their short deadlines, it’s possible that the the reports that the legislation requires will support 702 reform next year since other parts of FISA expire at the end of 2019 and the statute will be up for debate again.
In short, Section 702 authorizes the government to obtain annual, programmatic court orders from the FISA Court to target foreigners overseas for foreign intelligence surveillance. According to recent transparency reports, intelligence agencies selected approximately 106,000 targets last year. And while terrorism is the most frequently mentioned intelligence purpose for 702 wiretapping, it can also be used to collect information related to espionage, foreign governments and their employees, and the catch-all categories of national defense and foreign affairs. The rules governing target selection and how the resulting information is used are reviewed and approved by the FISA Court every year, although there is very little publicly available information about how this works as a practical matter. The FISA Court does not make any decisions about whether a particular party or entity is targeted. We’ve made extensive recommendations about how the statute could have been amended to better focus surveillance on bad actors and protect the information of innocent people caught up in the program.
S. 139 made two small substantive changes to FISA 702. First, it codified a permissive process for resuming “about” collection, where the National Security Agency (NSA) searches the content of communications for a targeted email address, phone number or other selector. In “about” collection, the NSA collects communications to which the target is not a even a party. Prior to enactment of S. 139, nothing in FISA Section 702 made any reference at all to “about” collection, and the practice remained secret until disclosed by Edward Snowden in 2013.
Because this type of collection was more likely to return wholly unrelated and purely domestic communications, the FISA Court instituted special privacy rules governing its use. When the NSA was unable to follow those rules, the practice stopped, with the possibility of resuming after court approval later. The bill simply memorializes this process, with a 30-day notice requirement to Congress so it may intervene and theoretically prevent its resumption. Congress should have just stopped this practice permanently, but instead has codified the status quo —if the NSA gets its compliance act together and the FISA Court signs off, the “about” program may start again. Watch for this notice this spring. The administration is set to obtain its next annual court order in late April, which is a logical restart point if the technical issues are resolved. Codification in S. 139 of a definition of “about” collection effectively removes any prospect of a statutory challenge based on a claim that “about” collection was not authorized by Congress.
The second change requires the Federal Bureau of Investigation (FBI) to obtain a court order – similar to a warrant – before accessing the content of communications when it is searching for a known US person in a predicated criminal investigation that has no foreign intelligence component whatsoever. This small change is not expected to change the way the FBI treats Americans’ information in any meaningful way. The FBI has explained that it regularly searches its 702 databases with Americans’ identifiers, looking for their communications only on the basis of a tip and long before formal investigations are opened. It is a far cry from the reform that CDT and others sought to close the backdoor search loophole, which will continue to permit the government to query Section 702 data for information about Americans, even though they cannot be targets of Section 702 surveillance.
There are three transparency provisions worth noting. First, Section 111 requires the Attorney General to brief the Intelligence and Judiciary Committees on whether and how the Department of Justice notifies people that 702 information and other information collected under FISA authorities is used against them in official proceedings. This includes the introduction of 702 evidence in a criminal prosecution—but also in all trials, hearings, and proceedings, conducted by any “court, department, officer, agency, regulatory body.” The notice requirements extend to any “aggrieved person” which includes Americans and non-citizens, as well as targets of surveillance and those who communicate with a target. Because the government has refused to explain how information derived from 702 surveillance is used to build cases, or is used to collect the same or similar information through other surveillance authorities, and therefore obscure the source of the information, this briefing is crucial. Regrettably, none of this has to be memorialized in writing, and none of it has to be made public.
Second, Section 112 requires the Justice Department Inspector General (IG) to audit the process by which the FBI queries US person information and uses it. The audit will include how the FBI handles searches for people whose nationality is not known, how the FBI ensures compliance with its internal querying procedures, and how the FBI uses queries in foreign intelligence investigations or criminal assessments. It also directs the IG to examine what is preventing the FBI from estimating the number of queries it conducts or the known US persons for which it searches.
Finally, Section 203 requires a report on “the challenges to the effectiveness of foreign intelligence surveillance,” due in October of this year. It covers several topics, but invites the government to explain how encryption is thwarting intelligence collection, whether difficulty in determining the location of targets or their data is a problem, and current or expected problems with getting information from telecommunication and other companies on a voluntary or compulsory basis. It closes with a request for suggested changes to FISA to improve collection abilities, and notes the report can be submitted to Congress in classified or unclassified form. Those who care about privacy should keep an eye on this one; it could easily become a roadmap for even broader legal authorities.
It’s important to note that in addition to these reports, Section 702 may be in the public spotlight before 2023 due to its effect on an international data transfer agreement called Privacy Shield. This agreement allows US companies doing business in Europe to transfer EU citizens’ data back to the US for storage or processing so long as they self-certify that they will comply with European privacy standards regardless of the data’s new home in the US. Privacy Shield, like its predecessor, the Safe Harbor, will be reviewed by the Court of Justice of the European Union, and the use of Section 702 to collect data on EU citizens from American companies will be considered. If Privacy Shield is suspended and an estimated 2,400 American technology companies lose access to the European market as a result, Congress may reconsider letting 702 continue as-is.
So there it is. The first congressional vote on Section 702 since the Snowden disclosures was disappointingly deferential to executive branch calls for a clean reauthorization. However, if the reports discussed above provide Congress with the detail it needs to make targeted and informed amendments, it’s possible we do not need to wait until 2023 to revisit some of these issues.