A Comprehensive Look at the FISC Order Legal Analysis
Recently, the government unsealed a November ruling by the Foreign Intelligence Surveillance Court (FISC).
Published by The Lawfare Institute
in Cooperation With
Recently, the government unsealed a November ruling by the Foreign Intelligence Surveillance Court (FISC). Under Section 702 (codified at 50 U.S.C. § 1881a) of the Foreign Intelligence Surveillance Act (FISA), the Attorney General and Director of National Intelligence may authorize intelligence gathering on persons located abroad, without a warrant. But first they must submit written certifications to the FISC of compliance with particular targeting procedures (isolating non-US persons actually located outside the US) and minimizing procedures (ensuring minimal surveillance of US persons in the course of the foreign surveillance). Because Section 702 gives authorization for one year, the government must annually submit reauthorization certifications to the FISC if it wants to continue surveillance on a particular target.
The now-unsealed November FISC order (Order) approves reauthorization certifications submitted by the government in July 2015. The particular certifications have been annually resubmitted since 2008. Order at 4. But the latest submission sought to modify the minimization procedures. Id.
Because the government alone makes the certifications, the 2015 USA Freedom Act amendments to FISA provide that the FISC may appoint an amicus curiae if it believes that the review “presents a novel or significant interpretation of the law.” 50 U.S.C. § 1803(i)(2). Notably, this was the first time the court did so. It appointed Amy Jeffress, former Counselor to the Attorney General for National Security and International Matters, as an amicus to address the legality of particular minimization procedures—the querying of information obtained under section 702 (the searching of bulk email data) and the preservation for litigation of information that would otherwise be destroyed pursuant to the minimization procedures. Specifically, Jeffress was asked to address whether these procedures are consistent with FISA’s minimization requirements and with the Fourth Amendment.
The court first examined changes to the targeting procedures—largely implemented in response to recommendations by the Privacy and Civil Liberties Oversight Board, the independent government agency tasked with representing civil liberties interests in national security. The court found no problem with the modest targeting procedures modifications. Order at 10-12.
Statutory Compliance
The court then turned to the minimization procedures, analyzing them first for statutory compliance. FISA defines minimization procedures for electronic surveillance at section 1801(h): procedures developed by the government “that are reasonably designed in light of the purpose and technique of the particular surveillance, to minimize the acquisition and retention, and prohibit the dissemination, or nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” But 1801(h)(3) allows “retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or dissemination for law enforcement purposes.”
First the court tackled the issue of retention of Section 702-collected data for litigation. The “litigation hold provision” allows NSA and CIA to preserve for litigation—on request from DOJ—information that would otherwise be destroyed pursuant to minimization procedures, often due to age. The FISC had previously asked the government to develop generally applicable rules rather than rely only on piecemeal requests to the FISC. Although the revised procedures are redacted from the Order, the government and amicus agree that the new procedures conform to FISA. Id. at 16. The court similarly found no problems with revised minimization procedures that enhance protected for attorney-client information gather under 702, and that allow the government to retain encrypted information, subject to particular requirements. Id. at 18, 20.
New language in the minimization procedures provides that “[n]othing in these procedures shall prohibit the retention, processing, or dissemination of information reasonably necessary to comply with specific constitutional, judicial, or legislative mandates.” According to Judge Hogan, the “apparent breadth of these new provisions” is reason for “pause.” Id. at 21. He questioned whether this provision constitutes “specific procedures” as required by FISA. But Judge Hogan was convinced that “the government does not intend to apply these provisions as broadly as their language would arguably permit.” Id. at 22. In reference to similar language in previous procedures, the government had assured the court that neither executive branch orders nor general congressional mandates would trigger the language. In permitting the language to stand, Judge Hogan explained that the court specifically construes the provision “to include only those mandates containing language that clearly and specifically requires action in contravention of an otherwise-applicable provision of the requirement of the minimization procedures,” such as that which “might be found in a court order requiring the government to preserve a particular target’s communications beyond” an age-off date. Id. at 23. To ensure compliance, the court issued a reporting requirement if the provision is invoked. Id. at 78.
Finally the court turned a statutory analysis of the querying provisions of the minimization procedures. Judge Hogan found that the NSA and CIA querying provisions modifications—requiring particular findings regarding likelihood of returning foreign intelligence—“serve[] to further reduce the risk that Section 702-acquired information concerning United States persons will be used, or even accessed, for improper purposes.” Id. at 26. The FBI’s minimization procedures querying provisions are different than the other agencies, and allow the FBI to search for “evidence of a crime.” Id. at 27. The FBI applies the same standard to information implicating US and non-US persons, and to not only metadata but also contents of communications. Further, FBI minimization procedures don’t require particular factual justifications for a search, and non-FISA-trained agents can conduct queries—those agents would not see actual results but only a positive “hit.” Id. at 28. The modified minimization procedures clarify that the agent without FISA access must obtain supervisor approval and the assistance of a FISA-trained agent to rerun the search.
As amicus, Jeffress argued that the FBI procedures “go far beyond the purpose for which the Section 702-acquired information is collected in permitting queries that are unrelated to national security.” Id. at 30. But Judge Hogan concluded that, at the acquisition stage, the statute doesn’t require “solely a foreign intelligence national security purpose,” but rather only that gathering foreign intelligence is a “significant purpose.” Id. at 31. Further, the later examination of such information need not have any purpose related to foreign intelligence—at least as far as the statute is concerned. The court found that the section 1801(h)(3) exception for “evidence of a crime” in fact “expressly requires” the government to construct procedures for retaining such section 702 information. Id. at 32. And importantly, according to the court, Jeffress’s argument that the statute restricts searches for “crimes unrelated to foreign intelligence,” “finds no support in the statutory text”: “It would be a strained reading of the definition of minimization procedures to permit FBI personnel to retain and disseminate Section 702 information constituting evidence of a crime implicating a United States person for law enforcement purposes, but to prohibit them for querying Section 702 data in a manner designed to identify such evidence.” Id. at 33. Because the information is acquired pursuant to the NSA targeting procedures that are related to foreign intelligence, the later querying by the FBI of that data for other purposes doesn’t undermine the statute. The court held that the FBI minimization procedures comply with FISA.
Fourth Amendment Compliance
The court separately analyzed whether the targeting and minimization procedures comport with the Fourth Amendment. First Judge Hogan noted the general proposition that the Fourth Amendment does not require the government to obtain a warrant before conducting surveillance on “foreign powers or agents of foreign powers” (including US persons) located abroad. Id. at 36-37. Because information gathered “pursuant to Section 702 falls within this ‘foreign intelligence exception’ to the warrant requirement of the Fourth Amendment,” the court determined that it need only analyze whether the targeting and minimization procedures are “reasonable.” Id. at 37. If they are reasonable—determined by “‘balanc[ing] the interests at stake’ under the ‘totality of the circumstances’”—they conform to the Fourth Amendment. Because the Section 702 data includes communications with US persons “when those non-targeted persons are parties to a communication that is to or from” a target—the court acknowledged that there are individual Fourth Amendment implications. Id. at 38-39.
Jeffress as amicus argued that the FISC should reconsider its previous determination that the targeting and minimizing procedures adequately protect that interest, especially “in light of the provisions of the FBI Minimization Procedures . . . permitting agents and analysts to query the Section 702-acquired information in the FBI’s possession using United States-person information for the purpose of finding evidence of crimes unrelated to foreign intelligence.” Id. at 39 (quoting Amicus Brief at 22). Jeffress argued that the current procedures are not adequately protective to satisfy the strictures of the Fourth Amendment—in fact, she argued, the “minimization procedures do not place any restrictions of querying the data using U.S. person identifiers.” She argued that the FBI should be required to provide a written justification for each query, much like the NSA already does.
Judge Hogan found these to be concerns not previously addressed by the FISC. But, after considering the arguments, Judge Hogan concluded that “the FBI’s querying practices do not render the government’s implementation of Section 702 inconsistent with the Fourth Amendment.” Id. at 40. Significantly, Jeffress argued that each “query” is a separate search under the Fourth Amendment and so must be independently assessed, but the court agreed with the government that it must show only that the “program as a whole” is “reasonable under the Fourth Amendment.” FISA, according to the court, requires only that the FISC examine the constitutionality of the procedures as a framework: “That approach requires the Court to weigh the degree to which the government’s implementation of the applicable targeting and minimization procedures, viewed as whole, serves its important national security interests against the degree of intrusion on Fourth Amendment-protected interests that results from that implementation.” Id. at 41. On balance and under the totality of the circumstances, the procedures are reasonable and thus comply with the Fourth Amendment. In particular, Judge Hogan noted that “the purpose of permitting queries designed to elicit evidence of ordinary crimes is not entirely unconnected to foreign intelligence”—in fact, it may produce valuable connections that aid national security. Id. at 42. Further, the querying procedures are reasonably protective and the FBI is only permitted to query particular subsets of Section 702 data. Plus, Judge Hogan noted, the government maintains that it rarely obtains hits from this data anyway: “Hence, the risk that the results of such a query will be viewed or otherwise used in connection with an investigation that is unrelated to national security appears to be remote, if not entirely theoretical.” Id. at 44.
Furthermore, the court found that compliance and implementation issues reported by the government do not undermine the procedures’ congruity with the statutory or constitutional requirements. Judge Hogan reminded us that “the controlling norms are ones of reasonableness, not perfection,” particularly in the face of a “large and complex endeavor such as the government’s implementation of Section 702”: “Given the number of decisions and volume of information involved, it should not be surprising that occasionally errors are made.” Id. at 45-46. The court went on to discuss a notable exception to the general assessment that the agencies correct errors efficiently: the failure of the FBI to establish review team for attorney-client communications as required by the minimization procedures. The procedures generally mandate that if a target is charged with a federal crime, a team uninvolved with that prosecution is established to review all communications and purge those that are privileged attorney-client communications. In 2014, the FISC identified a pattern of non-compliance with these procedures and required the FBI to provide more information on training and oversight efforts. Id. at 49. Although the court was satisfied by the certifications, non-compliance persisted. The government claims it to be the result of individual failures and confusion. In response to the court’s concern at an October 2015 hearing on the latest certifications, the FBI explained its new efforts at compliance, including additional training and review. Id. at 51-52. Although the court was unprepared to find that this instance of noncompliance raised statutory or Fourth Amendment barriers, it “strongly encourage[ed] the government to try to identify any remaining instances of non-compliance as quickly as possible,” and noted that it anticipated a follow-up hearing in early 2016 to review the state of compliance.
Finally, Judge Hogan turned to NSA’s purge procedures. The court was troubled by the revelation that NSA does not completely purge information on the “Master Purge List,” but rather retains a second copy of some information in another database. Id. at 58-59. NSA explained that this was the result of a system error and that it was working on a fix: “Given the government’s representation that the NSA is working to correct this error in [redacted] purging process, the Court does not believe the incomplete purges in this system prevent it from finding that the NSA Minimization Procedures comply with the [statutory requirements] and the Fourth Amendment. Nevertheless, the Court expects the government to resolve this issue expeditiously, and it anticipates receiving an update on this issue . . . in early 2016.” Id. at 59-60. In the next 15 heavily-redacted pages, the court assessed the revelations in NSA submissions that it retains some information that is subject to purge for the purposes of “collection avoidance”—for instance, it retains the information that a non-US person is in fact in the US for the purposes of making sure it doesn’t continue to target that person. However, 50 U.S.C. § 1809(a)(2) makes it a criminal offense to disclose or use information that resulted from unauthorized electronic surveillance. Although “the Court does not believe that the aforementioned issues related to [redacted] and [redacted] preclude a finding that the NSA Targeting Procedures and Minimization Procedures, taken as a whole, comply with the applicable statutory and Fourth Amendment requirements,” the court did “expect, however, to hear more from the government about how it is applying the destruction requirements of those procedures to Section 702 requirements . . . in early 2016” and noted that “at least on the current record,” it could not conclude that the retained information conforms with § 1809. Id. at 77.
A Few Thoughts
As with many of the FISC opinions, Judge Hogan seems pretty outcome-oriented. For instance, Judge Hogan’s ends-justifies-the-means response to the Fourth Amendment challenge—noting that a search for criminal evidence might lead to helpful information concerning national security—appears to reflect little regard for the Fourth Amendment’s foundational roots. Last week, Marcy Wheeler blasted Judge Hogan’s reasoning in the opinion; she argued that while Judge Hogan “imposed a worthwhile new reporting requirement” on the FBI queries, “that’s still a very far cry from conducing a fair assessment of whether FBI’s back door searches are constitutional.”
While we are heartened by the fact Judge Hogan solicited participation by a non-government lawyer acting as amicus, at the end of the day, it seems to have had little impact on his ultimate decision. The Order contains a not-insignificant amount of hand waving in an area that deserves more rigorous reflection.
And to make matters potentially worse, this kind of relaxed reasoning may go back some years. Today, Charlie Savage offers some helpful insight on the origin of FBI’s database search protocols. He notes that the 2014 PCLOB report revealed that the FBI did not then even require an open criminal investigation as a prerequisite to querying the raw data. That the extension of leeway to agents dates backs even further, though. Savage explains that in 2011, the FBI revised its internal guidelines and granted agents “greater leeway” to search through raw FISA data on FBI systems “even when they were not actively investigating anything, but rather whenever they are ‘initially processing a complaint, observation, or information.’” So, we have been living under some form of this loose approach by the FBI since at least 2011. Well, at least due to the public release of this opinion and Savage’s fine reporting, we now have a better insight into the realities of the loose handcuffs the FBI places on itself.