Government Surveillance

The Secret Law Key That Could Unlock a Pandora’s Box of Uncurtailed Government Surveillance

To resolve the debate over which entities can be compelled to disclose user information under FISA 702, the Senate version of the Intelligence Authorization Act takes an unprecedented approach: make it a secret. 

Co-authored with CDT Intern Divya Vatsa

Congress recently expanded the types of entities that can be compelled to assist with surveillance under Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) so as to dramatically increase the scope of potential surveillance. At the time, key legislators promised to revisit the types of entities subject to FISA 702 directives to rein it back in. The Senate has now proposed to do that but in a way that would make secret the scope of entities subject to FISA 702. Although narrowing the types of entities that can be compelled to assist with this surveillance is a necessary and positive step, the reliance on secret law to do so is a highly problematic approach that Congress should address by pressuring the Intelligence Community to declassify information that would permit the Congress to legislate in the light of day.

Background

In response to the Intelligence Community (IC)’s request for more authority to obtain communications without a warrant, Congress passed FISA 702 in 2008. It authorizes the government to compel electronic communication service providers (ECSPs) to disclose specific users’ communications content and metadata, whether stored or in transit, so long as the person or entity targeted for surveillance is a non-U.S. person reasonably believed to be abroad. Importantly, because foreign individuals communicate with Americans, any online communications of Americans to or from FISA 702 targets are also disclosed to the government under FISA 702 surveillance without a warrant. 

The balance FISA 702 seeks to strike between national security interests on the one hand and privacy rights on the other hinges in part on the type of entity deemed to be an ECSP. The definition of ECSP in FISA 702 effectively limits the scope of surveillance authorized under the statute: if a company’s service does not fit within the definition of ECSP, the company cannot be compelled to assist with FISA 702 surveillance on that service. Further, the definition of ECSP alerts the public to which services are subject to this broad surveillance authority, and it alerts companies offering those services that they may be directed to release a user’s communications.

The Evolution of ECSP’s Definition

ECSP was first defined in FISA 702 to cover companies that directly facilitate and can access communications, like Google, AT&T, and Meta. In April of this year, however, the Reforming Intelligence and Securing America Act of 2024 (RISAA) drastically broadened the definition of ECSPs to include any entity or person that has access to equipment on which communications are stored or on which communications are transmitted. With limited exceptions for restaurants, hotels, dwellings, and community facilities, any business that provides WiFi could qualify as an ECSP under the new definition.

This change was made in response to losses the IC suffered in cases decided in 2022 by the Foreign Intelligence Surveillance Court and in 2023 by the Foreign Intelligence Surveillance Court of Review. Those courts ruled that a company which had received a FISA directive did not properly fall under the definition of ECSP, and therefore could not be compelled to release data to the government. The name of the company and the type of service it offered were redacted from the decisions for national security reasons. The IC insisted that RISAA include an amendment to expand the ECSP definition to cover this entity, while not disclosing the name of the entity nor the nature of the services it provides. 

Congress accommodated the IC with an exceedingly broad definition, which immediately set off alarm bells from experts and civil society. In response to the public’s reaction, Congress included limited exceptions for restaurants, hotels, etc. However, even under that limitation, the ECSP definition could be applied to any business landlord – leading to continued criticism. To blunt these concerns and help quickly shepherd RISAA through the Senate, Senator Mark Warner (R-VA), Chairman of the Senate Select Committee on Intelligence (SSCI), promised to revisit the FISA 702 definition of ECSP during SSCI’s consideration of the annual Intelligence Authorization Act (IAA).

Narrowing RISAA’s Expansion of ECSP, But Hiding Its Scope

To his credit, Senator Warner has followed through on his promise. Under his leadership, the SSCI voted to amend the IAA to limit the expansion in the ECSP definition that Congress adopted in RISAA to newly cover only the type of entity that was the subject of the FISC and FISCR decisions. Because this narrows the scope of FISA 702 surveillance, it improves the law and its substance should be included in any compromise the House and Senate reach on the IAA. 

The problem is that the entity discussed in those decisions is classified. And instead of calling for declassification so that the entity’s name or the type of service it offered could be publicly described in the bill, the SSCI allowed for it to remain secret: the bill simply defines ECSPs as including the type of entity at issue in the FISC and FISCR decisions, without providing any further clarity.

The Problems with Secret Law

Thus while substantively narrowing the types of entities that can receive FISA 702 directives, this update effectively hides from the public which businesses will be responsible for responding to FISA 702 directives and thus the full breadth of FISA 702 surveillance. The danger of concealing the breadth of surveillance is especially acute in the FISA 702 context because of the lack of a warrant process: no judge or independent arbiter authorizes FISA 702 directives, and therefore, unlike other intrusive surveillance conducted in the U.S., no court assesses in advance whether the entity on which a FISA 702 surveillance directive is served must comply with it based on the ECSP definition. Court review after the surveillance directive is served will be stymied because the companies that could challenge directives in court won’t know if they have a basis for challenging the directive because they do not fit within the ECSP definition. The Senate version of the IAA indicates that they would receive a “summary” of the services at issue in the FISC and FISCR decisions, but the summary could be vague and generalized because it need not meet any standard. Companies thus will be hard pressed to challenge directives in court — a process that is already onerous, expensive, and conducted in a closed proceeding. 

In general, given the lack of public transparency and accountability, legislators and advocates have cautioned against secret law. For example, the trend of agencies seeking legal advice from the DOJ’s Office of Legal Counsel (OLC) through informal, written advice rather than through formal opinions that can be obtained by the public through Freedom of Information Act requests has been criticized because it undermines public trust in agency actions. In addition, severe public backlash against secret interpretations of laws such as the Patriot Act led to the USA Freedom Act, which outlawed the bulk domestic surveillance that the law had been secretly interpreted to authorize, and to the requirement that significant FISC opinions be made public.

This type of secrecy regarding surveillance conducted within the U.S. is without precedent. Other surveillance statutes clearly describe the entities that can be compelled to assist with surveillance. Further, secrecy regarding the permissible scope of surveillance conducted in the U.S. of people abroad is very different from other secrecy that has been tolerated in U.S. statutes. For example, Congress appropriates funds annually in a “Black Budget” in which the dollar amounts of the line items in the appropriations bill (but not the total amount) are kept secret.

The IAA definition of ECSPs creates secret law in an unprecedented manner both at a general and specific level – it brings secret language directly into the statutory text. It codifies secret criteria that define the entities that might be subject to compelled disclosure and compulsory government action. Establishing such criteria without basic public understanding of their bounds is worrying for democratic accountability and protection of constitutional rights. In order for proper oversight to occur, Congress and external civil society stakeholders need to be able to evaluate the law. And in order to hold lawmakers accountable, voters need the ability to see and respond to the laws their representatives are creating.

Allowing the scope of surveillance to be defined in secret also creates a dangerous precedent for the IC to seek other secret laws in the future that expand surveillance, further amplifying the risk of abuse. If secret rules for when surveillance may occur become standard practice in the name of national security, public trust in privacy protections will erode. This will have a chilling effect on free expression. The need for transparency in laws is particularly acute in the national security context: because the facts and particular applications of surveillance are likely to be classified in most if not all cases, the only level of public accountability comes from knowing the applicable law that governs national security activities. If those laws too are secret, national security agencies and officials can too easily act in ways that citizens would not countenance.

Transparency Instead of Secret Law

Congress must reconsider the definition of ECSP to more appropriately balance national security interests with the need for accountability and with privacy rights and expectations. The most straightforward path would be for the IC to declassify the type of entity described in the FISC and FISCR opinions, as 20 civil society groups including CDT recommended last month. This should happen now, so Congress can account for this information in the ECSP definition in the IAA, or in other legislation to which it is attached. Declassification would be consistent with the Principles of Transparency for the Intelligence Community, which commit the IC to “Provide appropriate transparency to enhance public understanding of … the laws, directives, authorities and policies that govern the IC’s activities.” Nor is there any reason to think that publicly describing the type of entity would damage national security – after all, each of the other types of ECSPs subject to 702 is set forth in public law.

The move by the SSCI to narrow the scope of FISA 702 surveillance by narrowing the definition of ECSP in RISAA was a step in the right direction. But to do it by creating secret law and powerful precedent for more secret law in the future is a highly problematic way to proceed. FISA 702 sunsets in April 2026 unless Congress reauthorizes the program. Failure of the IC to declassify the types of entities subject to FISA 702 surveillance could threaten the IC’s efforts to secure FISA 702 reauthorization.