by Jim Dempsey, Executive Director, Berkeley Center for Law and Technology
The recent reauthorization of Section 702 of the Foreign Intelligence Surveillance Act was never in doubt. However, civil liberties advocates were disappointed when Congress failed to adopt an amendment requiring the government to obtain warrants before seeking information about US citizens in the repository of data collected under statue. More broadly, the debate failed to grapple with the risks of electronic surveillance in the era of globalization, expanding storage capacities, and big data analytics. Nevertheless, looking forward, the reauthorization set up the potential for fresh judicial consideration of a key constitutional question and yielded some opportunities for enhanced oversight of the 702 program.
It was widely accepted that activities conducted under Section 702 were effective in producing useful intelligence on foreign terrorism and other national security concerns. Chances for reauthorization were further boosted by the fact that the broad outlines of 702 implementation were, once you got past the incredible complexity of the statute, well within a reasonable interpretation of Congress’ words. The trust generated by express Congressional authorization was augmented, after the Snowden leaks, by substantial and ongoing public disclosures by the Executive Branch about the law’s implementation – more transparency than any government in the world has ever provided about a similar national security program.
The pros and cons of 702 have been extensively debated. Briefly, the statute authorizes the intelligence agencies to target non-US persons reasonably believed to be outside the US to acquire foreign intelligence information. The Attorney General and the Director of National Intelligence (DNI) issue directives to US providers of electronic communication services, requiring them to cooperate with the government in acquiring information. Such acquisitions may be conducted only in accordance with targeting and minimization procedures approved by the Foreign Intelligence Surveillance Court, which must find that they are consistent with the Fourth Amendment. Actual targeting decisions are not reviewed by any court, but are made by relatively low level personnel in the intelligence agencies.
As described by the Privacy and Civil Liberties Oversight Board, the criteria for targeting are quite generous: First, an intelligence analyst must determine that the target is a non-citizen outside the US. Second, the analyst must determine that collecting communications of the targeted person will likely yield foreign intelligence.
On the foreignness question, the targeting decisions are very rarely wrong, and generally data collected by mistaking a person’s nationality or physical location must be purged when the mistake is discovered.
On the question of foreign intelligence value, however, the standard in the targeting guidelines is very broad, and the presumption for what to do with over-collection is reversed: If, on initial inspection, the acquired communications are not found to contain foreign intelligence, or if they are never examined at all, they can still be retained under the minimization rules for a period of years and can be queried for foreign intelligence purposes (and by the FBI for criminal justice purposes too). These queries can be conducted with the names and other identifiers of US citizens.
This is where Section 702 starts to become worrisome. While 702 is targeted and is used to collect only a tiny percentage of the world’s communications, it still does involve massive scale. About 100,000 persons are targeted per year. This yields a lot of information. According to a FISA opinion cited by the PCLOB, in 2011, when the number of selectors was smaller than it is today, the government acquired 250 million Internet communications, in addition to telephone conversations. And much of this information relates to persons other than the targets. The Washington Post conservatively estimated that for each targeted person the communications of at least 9 other people are collected.
By definition, when the government is collecting the communications of a target, it is collecting the communications of those on the other end of the communications. Even when the government is targeting only non-citizens abroad, it is certain to collect communications to and from citizens and persons in this country -- persons not suspected of any wrongdoing and not suspected of communicating anything of intelligence value.
The government claims the authority to search those communications whenever a US citizen comes to its attention in circumstances justifying further examination. After all, the government argues, the very first step in any government investigation or analysis is to ask “Do we already have anything in our files about this person?” But searching the 702 repository means that the government is able to retrieve communications of a US person without a court order – communications that the government could not have targeted without a court order in the first place.
With one change so riddled with exceptions that it scarcely matters, Congress left the querying practices in place. But Congress did take one important step that could address the constitutional question: Is it a Fourth Amendment search, which normally requires a warrant, when the government queries a database of communications that have never been read or examined before? Orin Kerr, for one, has suggested it is a search.
We will find out within a year or so. The reauthorization bill amends 702 to require the government to adopt querying procedures and to submit them to the FISA court, which must assess whether they are consistent with the Fourth Amendment. That judicial inquiry will likely be aided by the institutionalization of the process for appointing amicus curiae attorneys to appear before the court in matters presenting significant questions of law. Judge Hogan considered the queries question in 2015 when reviewing the targeting and minimization procedures. He found the practice constitutional, but a new judge will have to take a look at the question again, in the context of the new querying procedures, which may yield an appeal to the Court of Review and possibly to the Supreme Court.
Also in the new law are three measures that could increase oversight of 702. One requires that the querying procedures include a technical procedure whereby a record is kept of each United States person query term used for a query. In the past, the FBI claimed that it could not count its queries of 702 data. Let’s hope that the Bureau does not try to exempt itself from this explicit requirement. Second, the reauthorization act requires extensive reporting to Congress if the government seeks to resume “abouts” collection, the controversial and now suspended practice of collecting communications that contain a reference to, but are not to or from, a target. Since abouts collection has been suspended, I think the government would have to seek explicit authority from the FISA court to resume it. The required reporting Congress on any move to renew abouts collection may induce another measure of caution. Third, the act requires the DOJ Inspector General to submit to Congress a report reviewing the FBI’s interpretation of, and compliance with, the required querying procedures. IG reports are no joke. I only wish that Congress had similarly required the IG for the Intelligence Community to do a similar report on practices at the National Security Agency.
Finally, the act requires the Attorney General and DNI to submit to Congress a report on “current and future challenges to the effectiveness of the foreign intelligence surveillance activities” authorized under FISA. Undoubtedly, the agencies will use this as another chance to complain about encryption and other Going Dark concerns. But a truly objective consideration of the effectiveness of electronic surveillance could benefit both civil liberties and national security. It may reveal that the government is spending more and more money acquiring more and more information with less and less value. Collecting less information on a more targeted basis may be more effective. Tightening the standards for targeting and for deleting collected data that appears useless would be two places to start. Demanding regular reviews of quality over quantity could afford a level of civil liberties protection.