A Reasonable FISA Section 702 Compromise on U.S. Person Queries
What a reasonable compromise on U.S. person queries–one that accommodates legitimate arguments of each side–looks like.
Published by The Lawfare Institute
in Cooperation With
At the close of 2023, Congress extended the expiration date of Foreign Intelligence Surveillance Act (FISA) Section 702 in the must-pass National Defense Authorization Act (NDAA), kicking the proverbial can down the road until April 2024. FISA Section 702 is a critical national security authority, the expiration of which Biden administration officials say would result in a “self inflicted national security calamity.” The single biggest issue, among many others, is whether to restrict the conditions under which the FBI or other intelligence community components may query 702 collections for U.S. person communications.
The current state of affairs is very much in flux. Last month, Rep. Laurel Lee (R.-Fla.) introduced a new base bill, the Reforming Intelligence and Securing America Act (RISAA). A plan was in the works to bring the bill to the House floor on Feb. 15 with some type of amendment process. But after a House Rules Committee meeting, a spokesperson for Speaker Mike Johnson announced that in order to give Congress “more time to reach consensus ... the House will consider the reform and reauthorization bill at a later date.” Prior to the Rules Committee meeting, members of the Freedom Caucus had expressed the view that the RISAA does not do enough to protect against what they see as abuse by the executive to spy on Americans without a warrant. As reflected in competing bills that ultimately left FISA 702 reauthorization unresolved last year, there are some significant differences of opinion in this regard on the terms of reauthorization and reform.
As with most legislative efforts on divisive issues, no one will get everything they want. What might a reasonable compromise look like on the U.S. person query issue? Very similar to a recommendation offered by the Privacy and Civil Liberties Board (PCLOB), the government should be permitted to run these queries under its current standard and under its current process and then to take note of the number of hits. The government should also be permitted to look at the data retrieved from the query, but only the type of data that does not require a search warrant to compel a U.S. provider to disclose. In the absence of appropriate exceptions, to look at anything beyond that, the government must apply to the Foreign Intelligence Surveillance Court (FISC) for permission.
What follows are some substantive thoughts and a few more details on this compromise, examining how it accommodates legitimate arguments that each side makes.
The Conflict Over Queries for U.S. Person Information
One of the most controversial aspects of FISA Section 702 reform is whether the FBI or other members of the intelligence community should have to obtain a court order—under a probable cause or lower standard—before conducting queries of 702 databases designed to retrieve U.S. person information or information about a person in the United States (hereinafter “U.S. person queries”) when the government would normally be required to obtain a court order based on probable cause if compelling the information from a U.S. provider.
Consistent with the bill reported out by the House Permanent Select Committee on Intelligence last year, the RISAA does not require the intelligence community to obtain a court order before querying for U.S. person information. Instead, it prohibits the FBI from conducting U.S. person queries “that are solely designed to find and extract evidence of criminal activity,” with an exception for retrieving “information that could assist in mitigating or eliminating threat to life or serious bodily harm” or when “such query is necessary to identify information that must be produced or preserved in connection with a litigation matter or to fulfill discovery obligations in criminal matters under the laws of the United States or any State.” But as Jake Laperruque of the Center for Democracy and Technology explains, this prohibition doesn’t place significant limitations on the government because “[n]early all evidence-of-crime queries have a du[al] law enforcement and foreign intelligence purpose, and aren't affected by the bill.”
The RISAA significantly differs from the Government Surveillance Reform Act (GSRA) and the Protect Liberty and End Warrantless Surveillance Act (PLEWSA) on the warrant requirement. Absent certain exceptions, these two bills would require a probable cause warrant as specified in either Fed. R. Crim. P. 41 (which focuses on evidence of a crime) or Sections 105 or 304 of FISA (which focus on whether a person or entity is a foreign power or agent of a foreign power), before any intelligence community agency (not just the FBI) is permitted to run U.S. person queries, if a warrant would otherwise be required to compel production of the information from a provider for law enforcement purposes. A notable feature of this standard is that if, in the future, case law or statute imposes a warrant requirement to collect certain types of data (as Carpenter did for cell-site location information), the probable cause requirement would apply to these U.S. person queries for that data as well.
Both of these bills also include some exceptions to the warrant requirement, which include exigent circumstances and exceptions that allow for the identification of victims of foreign cyber operations. The ability to identify and notify such victims has proved to be an important cybersecurity and national security tool enabled through queries of Section 702 collections. To this end, both bills recognize consent exceptions, which would allow entities that may be victims to consent to queries of 702 collections, along with exceptions for queries that use “a known cybersecurity threat signature as a query term” or that are conducted and used “for the sole purpose of identifying targeted recipients of malicious software and preventing or mitigating harm from such malicious software.” Both bills also allow for exceptions related to an emergency involving an imminent threat of death or serious bodily harm.
The consent and emergency exceptions may largely be symbolic since in both scenarios a warrant would not likely be required for law enforcement purposes in another context and thus would not be captured by the query limitation in the first instance. To avoid any confusion, it is, however, useful to make explicit that the authors of these bills intend for such exceptions to apply for U.S. person queries.
Opponents of the court order requirement mandated by these bills argue that it would unduly limit the government’s timely review of information it already collected lawfully and thus risks the “stovepiping” of information, which can hamper the government’s ability to connect the dots and prevent the next 9/11-like event. More specifically, the government may not be able to satisfy a probable cause standard for all U.S. person queries and thus could be prevented from looking at information already in its possession to detect when terrorists or other individuals who present a threat to national security are communicating with people inside the United States.
To address this concern, at least in part, Sen. Ron Wyden (D-Ore.), one of the primary authors of the GSRA, explained that the bill would “permit the government to use Section 702-acquired metadata to look for connections between a particular American and foreign terrorists and use any such connections as the building blocks of an investigation. If an American is actually in communication with malicious foreign actors, that information, along with whatever information led to the query in the first place, could be used to obtain a warrant or an emergency authorization to read their communications.”
While opponents of any requirement to get an order, which include the Biden administration, certainly raise a valid concern about the consequences of stovepiping, their rejection of an individualized court review for U.S. person queries underscores a broader, controversial proposition that what law enforcement or the intelligence community lawfully collects for one purpose should be available for all related purposes without additional scrutiny by a court. Given the government’s ability to collect, store, and analyze vast amounts of information, it is necessary to consider whether additional protections should be instituted for the “repurposing” of particularly sensitive data, even when initially collected lawfully. Such protections should not place an undue burden on the government. Part of the challenge of FISA Section 702 reauthorization and reform is agreeing on what constitutes an undue burden that would thwart necessary, legitimate access to and use of the data at issue.
An additional criticism of a court order requirement is that, to the extent it is a response to the FBI’s multiple querying abuses—which included running the names of suspects from the Jan. 6 insurrection and people protesting the death of George Floyd—separate court review simply isn’t needed. Some of my colleagues have argued that because these abuses “did not reveal an agency purposefully bent on violating U.S. civil liberties[,]” a warrant requirement is “non-responsive to the compliance issues that have arisen—responding mostly to imagined civil liberties issues that have not arisen.” That argument is, however, unlikely to satisfy those who are concerned about the replication of these past errors. Even if such errors don’t amount to purposeful, systemic abuse, and the FBI acknowledges the need to address them with stricter internal controls and accountability mechanisms, there are reasonable concerns that they can and will happen again without external review and control by a court.
A Middle Ground
These are thorny issues for sure. There may, however, be a middle ground, or at least the beginning of one, found in a report by the PCLOB. Prior to the release and introduction of the various reform bills, the PCLOB issued a comprehensive report about FISA Section 702. (And to be clear, this was not a unanimous report—out of five members, the two Republican members signed on to no part of the report, instead issuing a competing separate statement. The chair of the PCLOB, one of the three Democratic members, signed on to the report in full but also issued her own separate statement recommending a higher standard for U.S. person queries.)
The report prefaces a recommendation on U.S. queries with the statement that these queries are “not merely ancillary to the Section 702 program, but ha[ve] become a central feature of the program.” Offered as a compromise among competing interests of various stakeholders, the report recommends a two-step approach. First, the government should be allowed to run a U.S. person query under the same conditions as it may now, but may not look at the results returned from the query, other than noting how many hits there were, if any. Second, if the government wants to look at additional information surfaced by the query, it is required to obtain FISC approval.
Under this approach, the FISC would allow the government to look at the information if it establishes to the satisfaction of the FISC that doing so is “reasonably likely to retrieve foreign intelligence” or, in the case of the FBI, is “reasonably likely to retrieve evidence of a crime.” While this is the standard recommended by all three Democratic members, they do indicate that they would support Congress requiring the government to establish that there is probable cause to believe that the query will return evidence of a crime when a U.S. person query is designed to do so for at least one of its purposes. The PCLOB recommendation also calls for additional funding that this procedure may require.
Notably, “reasonably likely to retrieve foreign intelligence information or evidence of a crime” is the legal standard the government is currently applying internally when it evaluates if it has grounds to conduct a query in the first instance. The key difference between that and a court-order approach is that it would involve court review before the government is permitted to access the content retrieved. In other words, the government, based on its current standards and using its current procedures, could run the query first without seeking court authorization.
An added benefit of this process is that the government is able to rule someone or something out (assuming no hit), which is also of intelligence value and doesn’t expend additional government resources. It could also be that even if there is a hit, the metadata tells the government all it needs to know and there is no reason to go further.
There is, however, some ambiguity with respect to whether the PCLOB recommendation would allow the government to access metadata without first getting FISC approval. The recommendation states, “[I]f there is a hit on the U.S. person query term, the government would need to request FISC approval to retrieve the content of those results.” One way to interpret that statement is that FISC approval applies only to content, thus allowing the government to access metadata under the same legal standard it is currently applying without any additional FISC review. But the intent is not explicit and the interpretation is complicated by the fact that the definition of “content” in the FISA statute includes “any information concerning the identity of the parties to such communication,” although the PCLOB recommendation does not reference this definition. The minority members’ separate statement makes the observation that “as written, the requirement would apply to queries of metadata in addition to content, which would cripple the program by making it harder to distinguish U.S. persons from non-U.S. persons.”
With the inclusion of “as written,” the minority may have surfaced a drafting issue with the recommendation. Be that as it may, if Congress decides to proceed in a manner consistent with the PCLOB’s recommendation, it, in my view, should give the government permission to review information that would not require a warrant in the criminal context without FISC approval. This means, among other things, that the government can use much of the metadata in applications to the FISC for approval to review the content of the communications retrieved from the hit. The rest of this analysis proceeds from this premise.
Similar to the two bills, the PCLOB report also recommends two exceptions to the FISC approval requirement: “queries conducted with actual consent for the purpose of identifying communications related to victims and for exigent circumstances.” Some form of consent exception for queries to identify victim communications is part of the way in which FISA Section 702 will continue to provide important information for identifying and assisting victims of nefarious foreign cyber operations.
With respect to the issue of U.S. person queries, the PCLOB’s recommendation is a reasonable compromise given the various competing equities at issue. It provides a greater degree of privacy protection because an independent judge is reviewing whether the government has established the standard required by the law to access information retrieved from queries involving U.S. persons or persons in the United States. It also addresses concerns that the FBI will be hamstrung if it must get a court order every time it wants to run a U.S. person query. It frees the government and the courts from going through an order process in advance of doing every query, only to find that there are no results.
As previously noted, it has been argued that a warrant requirement for all U.S. person queries would be operationally unworkable and that the government may not reliably be able to meet a warrant requirement, especially when queries are conducted to retrieve foreign intelligence information. As stated in the report, the three majority PCLOB members share the view that “[t]he probable cause standard in the foreign intelligence context presents challenges as to how it can be consistently applied in the absence of a criminal law predicate, particularly since 702 databases are designed to compile foreign intelligence.” Balancing the relevant interests, the PCLOB recommendation with its lower legal standard is sensitive to the need for a process that won’t overwhelm or incapacitate the system, which would likely occur if the government had to satisfy a probable cause standard for every query.
One commentator has argued that having a judge review an application knowing that there has already been a hit is “mostly privacy theater: A FISC judge is highly unlikely to disbelieve an affidavit that on its face asserts that a query is reasonably likely to retrieve foreign intelligence information.” This argument and other arguments suggesting that there is a “conceptual incoherence of requiring judicial review for the executive branch to look at information already lawfully in its possession” run roughshod over the well-established, foundational privacy protection of requiring an independent judge to conduct an individualized and particularized review to determine whether the government has met the standard the law requires to access sensitive information—in this case the communications of U.S. persons and people physically present in the United States. Opponents could say that such protections are necessary only when Fourth Amendment rights are at issue, which they argue is not the case here. But as I’ve noted before, whether such queries are separate searches for Fourth Amendment purposes is not a settled issue.
In any event, Congress is free to build in additional privacy protections without the need to render judgment on the Fourth Amendment question. And such additional protections are justified as a matter of policy: Because of the nature of the 702 collection authority, which does not require an individual application and review by a court at the outset, court review on the back end provides an added degree of privacy protections for communications involving U.S. persons. More broadly, as Congress grapples with regulating intelligence collection of sensitive information in the future, there is an argument to be made that building in additional protections on the back end can justify more liberal collection on the front end when a legitimate purpose can be articulated for the collection of the data.
And while reasonable minds can disagree on whether independent court review is necessary to prevent future abuses of the authority by the FBI, especially as RISAA and previous intelligence committee bills address the problems with more stringent, significant internal review mechanisms and reporting requirements, having a judge review the government’s rationale for accessing the content of communications is a better way of guarding against error and malice alike than leaving it to internal mechanisms. Having to present an application to a federal judge is a forcing function for dotting the i’s and crossing the t’s. It’s a moment when the government must stop and evaluate the metadata to determine if the “reasonably likely” standard that presumably justified the query at the beginning remains to justify a review of content and, more importantly, if a judge will agree.
Notwithstanding the fact that past compliance problems were mostly not intentional, but instead involved “divergent interpretations” over the applicable query standard and other technical problems, it is difficult to believe that access to the content from the problematic queries would have happened if court review had occurred before the government viewed the content of the communications, thereby mitigating the harm. Because the PCLOB standard is calibrated not to place an undue burden on the government, it is reasonable to leverage the power of independent court review against such error.
The “privacy theater” argument also incorrectly assumes that judges will be unable to understand the purpose and rationale for how Congress has balanced the equities and apply the law consistent with their role—which, in this case, would be to ensure that the government gets to review the information retrieved only if it meets the standard outlined in the law, when a query produces a hit. It suggests the federal judges who serve on the FISC will automatically defer to the affiant’s conclusion in the face of a 702 hit. A hit is not, in and of itself, proof that the government's original rationale for running the query meets the legal standard.
Several years back, the then-general counsel of the National Security Agency stated that “[t]he FISC represents the linchpin of Section 702 oversight on behalf of the judiciary, with responsibility for adjudicating all of the government's surveillance applications submitted pursuant to FISA.” He also asserted that the FISC hardly acts as a “‘rubber stamp’ for the government’s activities.”
Consistent with those statements, there’s no reason to think the FISC would perform the function of reviewing government applications to view information post-hit as a mere ministerial effort. Courts all over the country are presented with surveillance applications, accompanied by affidavits and other sworn assertions by government officials presented to meet the legal standard, and they provide meaningful review of those applications. One should expect the FISC judges to fulfill their role in this review as they do elsewhere.
None of the legislative proposals to date adopt the PCLOB’s recommendation. And it is not the perfect resolution for either side: It is neither the most privacy protective nor the most favorable to the government’s desire for efficiency and internal oversight of U.S. person queries. But it accommodates the legitimate arguments that each side makes and arrives at a solution that provides additional privacy protections while not overwhelming the system or unduly burdening the government’s ability to access the data at issue. It’s also worth noting that so long as there remains a 702 sunset of reasonably short duration, there will be an opportunity to revisit or recalibrate this balance based on a few years of experience.
As legislators look at how to resolve the divisive issue of U.S. person queries, the PCLOB recommendation is a reasonable compromise, or at least a reasonable place to start toward finding compromise.