The Privacy and Civil Liberties Oversight Board (PCLOB) recently released its report on Section 702 of the Foreign Intelligence Surveillance Act (FISA 702), a surveillance authority that permits warrantless monitoring of non-US persons located abroad that is set to expire on December 31. The report is expansive, the result of a year-long effort. It includes both insightful new details about how FISA 702 is used — and has repeatedly been misused — as well as a thoughtful set of policy recommendations. Below are six key takeaways from the report, and how it will impact the debate over FISA 702:
1. The Report gives major momentum to the key issue of court approval for US person queries
The most critical feature of the PCLOB report is its recommendation that US person queries — meaning efforts by government officials to pull up the communications of US persons that were collected via FISA 702 — be subject to court approval. Addressing US person queries has been the central issue of the FISA 702 debate all year, and PCLOB’s conclusion provides significant momentum for reform.
There’s already ample evidence of why court approval is critical (although, as discussed below, PCLOB disclosed new revelations that make the case even stronger). Without it, FISA 702 has morphed from a foreign intelligence mechanism into a weapon for domestic surveillance. Protesters, political donors, lawmakers, journalists, a judge, and crime victims have all been subject to improper US person queries. The government’s go-to defense that such information was lawfully collected ignores the basic problem: FISA 702 is fundamentally different from other forms of surveillance in that “lawful collection” of Americans’ private communications occurs incidentally without a warrant. If the government is going to deliberately review and use those communications, independent court approval is essential not only as a basic constitutional principle but also to prevent abuse.
Additionally, PCLOB’s report is a resounding rebuke to claims made all year by the administration and intelligence community that court approval would be calamitous to operations. PCLOB has full access to classified materials and regularly interacts with the intelligence community – if there were persuasive evidence that court approval would be infeasible, PCLOB would have acknowledged it and tailored its recommendations accordingly. Instead, the majority rejected the intelligence community’s claims. According to the report, “The strongest examples of the value of U.S. person queries” are those involving victims (such as of cyberattacks). But as we’ve repeatedly highlighted, the government could often obtain the consent of victims to address these scenarios. And in limited scenarios where consent might not be obtained, the government could invoke an exigent circumstances exception, or work to quickly obtain court approval based on a showing that the query will return evidence of a crime.
Given PCLOB’s independence and expertise, its recommendation to require court authorization for US person queries should be persuasive to Congress and leave only the question of what standard should be required for such court authorization, which is examined below.
2. New revelations of abuse highlight why independent oversight is essential and must apply to the entire intelligence community
We have already known of a litany of misuses of FISA 702 to conduct improper US person queries in recent years. The PCLOB report adds to that record by detailing a series of previously undisclosed compliance violations under which US person queries were used to spy on the communications of:
- Romantic interests: In 2022, an NSA analyst conducted queries to acquire information on multiple individuals the analyst had met through an online dating service;
- Relatives amid a family dispute: In 2018, an FBI officer conducted queries of a family member who had “made allegations against another family member”;
- Criminal defense workers: In 2017 an FBI employee queried staff of a “defense counsel in a non-national security criminal prosecution”;
- Potential tenants: In 2022, multiple NSA analysts conducted queries to obtain information on a potential tenant of property they were renting;
- Peaceful protesters: Although queries of protesters have previously been documented, the PCLOB report provided alarming new details, noting “[i]n the reporting period covering November 2020 to December 2021, non-compliant queries related to civil unrest numbered in the tens of thousands,” and confirming improper queries focused on “non-violent civil protests.”
These revelations show that compliance problems are not limited to mistakes. They involve deliberate misconduct, with those conducting queries sometimes spying on individuals with whom they have personal, intimate relationships. Given the dangers of political surveillance, much of the debate has focused on queries related to sensitive categories of individuals, such as lawmakers. But it’s just as important to protect everyone from abuse, such as snooping by a spurned ex or a disgruntled family member.
Numerous recent misuses — occurring just last year — involve NSA staff. The FISA 702 debate has largely centered on the FBI due to its frequent compliance problems ( new internal rules have proven insufficient to prevent regular impropriety; last year the FBI averaged an estimated 20 improper queries per day). But as these new revelations show, abuse of US person queries can and does occur at other agencies. Unless court approval is required for all entities that conduct US person queries, we can expect such abuse to continue.
3. The standard for court approval of US person queries will be a critical issue for the FISA 702 debate
While PCLOB’s report recommends requiring court approval for US person queries, the Board left challenging questions ahead in terms of the standard for such approval, and how the process should function.
Although the Board’s official recommendation was that queries be approved if they are “reasonably likely” to return foreign intelligence information or evidence of a crime, the report stated that PCLOB would also support Congress requiring probable cause for any US person query “designed to retrieve evidence of a crime as at least one purpose of the query” (emphasis added). Given the FBI’s law enforcement role, this latter rule would likely impose a probable cause requirement for the vast majority of the Bureau’s queries. However, it would leave all NSA and CIA queries subject to the “reasonably likely” standard because those two agencies generally conduct queries to retrieve foreign intelligence information rather than to retrieve evidence of crime.
While imposing a probable cause requirement for queries designed, at least in part, to retrieve evidence of crime effectively would address the issue for many US person queries, it still would be insufficient to safeguard Americans’ privacy and prevent abuse when the query seeks only foreign intelligence information(1). Given how broadly foreign intelligence information is defined, the FISA Court could be forced to approve a range of problematic queries and fishing expeditions that meet the low standard of being reasonably likely to return foreign intelligence information. For example, depending on the circumstances, the following US person queries might all be approved under the “reasonably likely” standard :
- A journalist, based on their work reporting on global politics and elections;
- A Member of Congress, based on their role on the Foreign Affairs Committee;
- A high-profile CEO, based on their company’s sales to foreign markets;
- A religious leader, based on their work planning international events and convenings.
A proposed standard that allows the CIA and NSA to use the broad notion of retrieving foreign intelligence as a pretext for improper snooping is impermissible. As the PCLOB itself highlighted, personnel at these agencies have abused FISA 702; they should be held to rigorous standards when using it to read Americans’ private messages.
The best way to prevent abuse is with a probable cause standard for all US person queries. This would still allow the government to access information when there is sufficient basis to believe that US person queries will return evidence of crime, or when queries are focused on an agent of a foreign power.
In terms of process, PCLOB recommended that queries themselves could be made without court authorization, but that intelligence analysts would be barred from accessing any data responsive to the query unless court authorization was obtained. PCLOB proposed this method to reduce expenditure of resources and time spent going to the FISA Court. According to its report, only 1.58% of FBI queries return content. Based on the 204,090 US person queries it made last year, this would translate to 3225 instances in which court approval would be required annually, less than 9 per day on average. And, because a court authorization requirement would discourage the making of unwarranted queries of US persons, the number of requested court authorizations likely would be substantially less than that in practice. Such a structure should address the government’s complaint that court approval would be logistically impossible (especially if, as both the PCLOB report and former FBI General Counsel Jim Baker recently suggested, Congress provided new resources for judicial and agency staff in conjunction with a judicial approval rule).
4. PCLOB’s recommendations reflect growing consensus on other policies
Beyond the issue of court approval, PCLOB’s recommendations reflect a growing consensus in other areas, and hopefully a clear path forward for legislation.
First, PCLOB and the President’s Intelligence Advisory Board (PIAB) report presented nearly identical recommendations on narrowing the parameters of FISA 702 targeting. Targeting is currently authorized on such a broad basis that practically any non-US person abroad may be subject to FISA 702 surveillance, endangering privacy as a human right, and making it more likely innocent Americans’ communications will be swept up. As PCLOB notes, “Ordinary Americans may be in contact with Section 702 targets for business or personal reasons even if the Americans have no connection to, or reason to suspect, any wrongdoing by their foreign contacts and even when the government has no reason to believe the target has violated any U.S. law or engaged in any wrongdoing.” Overbroad targeting also jeopardizes US-EU data flow agreements; absent new statutory limits, the Court of Justice of the European Union may strike down the current framework, just as it did for the two prior agreements.
PCLOB calls for limiting targeting to the twelve “legitimate objectives” listed in last fall’s Executive Order on signals intelligence (Recommendation #1), and the PIAB report (specifically Recommendation #12) similarly calls for codifying this list. Codifying this list would prevent a president from unilaterally weakening or repealing it. Further, as PCLOB notes, codification would confer statutory jurisdiction on the FISA Court to ensure compliance. This is a common sense measure and should be essential to any reauthorization of FISA 702.
Additionally, the PCLOB report includes several recommendations for which Congress has already signaled strong support. In Recommendation #7, PCLOB supports numerous improvements to the FISA Court amici system: expanding cases the amici is involved in, providing access to needed materials, and allowing the amici to request appeal of decisions by the FISA Court and Foreign Intelligence Surveillance Court of Review. These policies closely mirror a 2020 proposal by Senators Leahy and Lee, which was approved as a Senate floor amendment by a resounding 77-19 vote.
PCLOB’s Recommendation #7 also supports requiring a “shot clock” for disclosing novel and significant FISA Court opinions, with opinions to be publicly released within 180 days of when they are issued. The 2015 USA FREEDOM Act requires such disclosure, but that law set no deadline. As a result, the government has repeatedly delayed disclosures for months beyond the time required for declassification review. This shot clock measure was included in legislation passed by both the House and Senate in 2020. The policy did not become law because Congress never reconciled the two versions of the bill into which it was included, however its inclusion reflects strong support for this measure.
5. It is critical to go beyond FISA 702 to avoid surveillance whack-a-mole
While PCLOB’s review was limited to FISA 702, the report provides a warning sign on why it is critical for Congress to enact broader reforms. The report notes, “In some circumstances, the government may be able to use E.O. 12333 … to obtain information similar to that collected under Section 702.”
If reform is limited exclusively to FISA 702, the government might simply divert some surveillance to Executive Order 12333 (EO 12333). That’s why CDT and many other organizations have cited the importance of protection for Americans from EO 12333 surveillance — such as a consistent court approval rule for US person queries regardless of whether the collection source was FISA 702 or EO 12333 — as a component of any reauthorization. Similarly, reforms should close the data purchase loophole, which is used to circumvent court approval requirements for acquiring Americans’ sensitive information, such as location data and communications metadata.
If Congress does not address these issues alongside FISA 702, it may simply be playing surveillance whack-a-mole for years to come.
6. The Board’s dissent fails to show that requiring court approval of US person queries would cause harm
Two Members of PCLOB split from the Board and filed a dissent. The dissenters get it wrong from the jump, with the second sentence of their statement falsely claiming “Unlike in 2014, the Board does not speak with one voice.” In reality, in 2014 PCLOB similarly split 3-2 on the central issue of US person queries, although in a flip of this report, the two dissenting members recommended court approval while the three-member majority opposed it. Since then, the litany of improper US person queries has caused the Board majority’s view to evolve, and based on the conduct of recent years, call for court approval.
But while the dissent strongly clashes with the majority on this issue, its objections suffer from the same fundamental problem that the administration’s arguments have had all year. Although they demonstrate the value of US person queries, they provide no evidence or examples that persuasively demonstrate that court approval would hinder operational needs.
The dissent mentions three specific examples of US person queries (all previously disclosed by the government). First, it references two cases focused on victims: one involving potential kidnapping and assassination plots that may target an individual US person the government has identified, and the other concerning Iranian hackers targeting a particular US official. But as I explained when these examples were first presented by the administration this summer, obtaining the consent of the victim is often a straightforward alternative to seeking court approval in these cases; alternatively, the government could obtain court approval based on a showing that the query will return evidence of a crime. The dissent also cites an example — previously raised in the PIAB report — involving a hostile power targeting a US person to acquire sensitive information relating to weapons of mass destruction. As I discussed in reaction to the PIAB report, these circumstances would not trigger the requirement for probable cause-based court approval that has been proposed because it merely involved the use of metadata (showing who communicated with whom), rather than content. (According to the PIAB report, “The queries returned results that confirmed contact with officers from the threat country”; the PCLOB dissent states the impact in near identical terms, “results confirmed that the U.S. person had been in contact with officers from the first threat country.”)
Beyond these three specific examples, the dissent also refers to the value of US person queries in relation to cyberattacks, but these scenarios are addressed by both factors listed above: Metadata queries — which would not require probable cause under the proposed reform — are sufficient to discover irregular network traffic and the source of breaches, and the government can obtain consent from targeted companies for any queries of content that are needed. Even if consent could not be obtained, the government could obtain a warrant by demonstrating to the court that the queries would return evidence of a crime, a feasible standard when pulling up communications on a cyberattack (and if the nature of the attack required an especially swift response, an emergency exception would be available, as with all other warrants). Finally, the dissent posits that a warrant requirement would thwart US person queries made to determine whether a US person communicating with foreign agents is a hostile asset or merely an unwitting target. Yet the dissent fails to identify circumstances in which requiring court approval would prevent queries from being conducted within an acceptable timeframe. The PIAB report previously cited just one example within this category, but went on to acknowledge that the government secured a FISA Title I warrant to monitor the individual under scrutiny, debunking the notion that acquiring court approval is infeasible.
For such vociferous opposition to court approval for US person queries, the failure of both the administration and the PCLOB dissent to identify even a single genuine example of how such a rule would be incompatible with operations speaks volumes.
PCLOB’s report should set Congress on a path of action regarding FISA 702. There is a growing consensus on a number of issues, and PCLOB has shown where Congress’ focus belongs: FISA Court approval is essential for US person queries, and the chief question to address is whether such approval should require probable cause. In the remaining months of 2023, there will be vigorous debate on these issues. Hopefully, the result of that debate will be a new law that significantly improves protections for civil rights and civil liberties.
(1) Foreign intelligence information is broadly defined to include any information that, if concerning a United States person, “is necessary to— (A) the national defense or the security of the United States; or (B) the conduct of the foreign affairs of the United States.” (50 USC 1801(e)(2)).