President Review Group's Recommendations: FISA-Related Proposals

The President Review Group's ("PRG") Report, released last week, makes nearly four-dozen individual recommendations related to foreign intelligence surveillance, privacy, civil liberties oversight responsibilities, cybersecurity, and the organization of the intelligence community. In this post I'll summarize and compare recommendations that address activities authorized under the Foreign Intelligence Surveillance Act to the two major legislative proposals put forth earlier this fall. These dueling bills are co-sponsored by Senate Select Intelligence Chair Diane Feinstein and Ranking Member Saxby Chambliss ("Feinstein-Chambliss"), in one case, and Senate Judiciary Committee Chair Patrick Leahy and Rep. James Sensenbrenner ("Leahy-Sensenbrenner"), in the other. The specific recommendations pertaining to FISA in the Report run the gamut: from the substantive scope of collection under Section 215 and Section 702 to the authorization process for obtaining individual orders, from the nature of proceedings before the FISC to transparency and disclosures as to FISA activities. The recommendations even cover---a bit surprisingly---the appointment process to the Foreign Intelligence Surveillance Court (FISC). What is particularly interesting is the quite different approach the Report takes to mitigate issues addressed in Leahy-Sensenbrenner and Feinstein-Chambliss, and its attempts to address matters into which both of these bills don't delve. The Substantive Scope of FISA Section 215 The Report's first recommendations address the authority upon which the telephony metadata collection program stands. Ultimately, the PRG recommends (Recommendation #5) doing away with that specific program altogether and adopting a system in which a third party or the telecommunications providers themselves maintain the metadata, and the government then queries those datasets with a Section 215 order. This proposal would, of course, likely eliminate one major draw for the program's existence---the ability to query one database containing many companies' records---and would require additional legislation in order to compel providers to maintain such data. But the Report also proposes revisions to limit the scope of Section 215 more generally. Its very first recommendation suggests shifting responsibility to a FISC judge for making the determination that the information sought in the application is "relevant" to an authorized investigation and that the subsequent order is "reasonable in focus, scope, and breadth." In comparison, the Feinstein-Chambliss bill would retain the telephony metadata program, and would merely write the FISC-enacted rules governing NSA queries of the data ("reasonable, articulable suspicion," etc) into law. Leahy-Sensenbrenner's language, by contrast, is closer to that sought by the PRG: it would limit collection under Section 215 to situations in which a statement of facts show that the sought-after items are "relevant and material" to obtain foreign intelligence or to protect against international terrorism/clandestine activities, and the materials "pertain" to a foreign power or agent of one, or the activities of a target who is a suspected agent of a foreign power, or someone in contact with a known or suspected agent of a foreign power. Leahy-Sensenbrenner's "pertain" language is perhaps less restraining than the PRG's "reasonable in focus, scope, and breadth," but both head in the same direction: limit or prohibit bulk collection under Section 215. More broadly, the PRG proposes a general government rule against collecting personal information for future data mining for foreign intelligence purposes (Recommendation #4), and suggests that the president convene a study to assess distinctions between metadata and other data (Recommendation #6). These larger issues aren't addressed in the Leahy-Sensenbrenner or Feinstein-Chambliss bills. The PRG also recommends revising the acquisition of National Security Letters (NSLs), an issue that Leahy-Sensenbrenner also attempts to address. NSLs are analogous to administrative subpoenas, and seek basic customer information from communications providers, financial institutions, and credit agencies. NSLs are issued by the FBI, upon certification by the Special Agent in Charge of a field office that the information is "relevant" to an authorized investigation. The PRG seeks judicial review of the NSL process, and prefers that that judge's findings be similar to those it proposes for Section 215 orders: that the materials are "relevant" and "reasonable in focus, scope, and breadth" (Recommendation #2). As to watching over the use of NSLs, the PRG wants the same oversight, minimization, retention and dissemination standards that are required for Section 215 orders (Recommendation #3). Leahy-Sensenbrenner, by contrast, would leave in place the current certification process, and its sponsors prefer instead to sunset the authorization for NSLs in June 2015, so as to prompt a full-throated debate to take place as part of FISA reauthorization more generally. (Feinstein-Chambliss doesn't address the issue of NSLs.) Section 702 and Non-U.S. Person Data The PRG's proposals that pertain to collection under Section 702 specifically focus on two issues: U.S. person data and clarification of authorities. One of the most substantial 702-specific proposals (Recommendation #12) relates to how NSA handles U.S. person data intercepted during such a collection: The PRG wants it purged, unless it has foreign intelligence value. That recommendation also seeks a prohibition on the use of that information against the U.S. person in any "proceedings"---taken to mean likely both court and administrative proceedings. The PRG also prohibits searching the contents of communications collected under 702 to identify a U.S. person ("reverse targeting") unless it is to prevent death or serious bodily harm, or in cases in which a warrant has been issued. Another PRG recommendation is to permit NSA to have limited authority to continue collection of foreign persons under surveillance abroad once they enter the U.S. (Recommendation #15). What is perhaps the most groundbreaking of all the PRG recommendations appears in the Section 702 reform chapter: Recommendation #14 proposes that the U.S. government apply the Privacy Act of 1974 in the same manner to both U.S. and non-U.S. persons.  The Privacy Act states as follows: "No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains . . ."  The PRG would treat U.S and non-U.S. persons as "individuals"---something that doesn't happen these days, at least not government-wide.  To be sure, there's some precedent for the PRG's proposal. Already, the Department of Homeland Security applies the Privacy Act's requirements to non U.S. persons and U.S. persons alike, so far as concerns databases maintained by the Department's many components---the Transportation Security Administration, the Customs and Immigration Services and so on. DHS's mission-specific explanation for this is quite rational: to protect the integrity of its data, to follow international law norms of reciprocity and mutuality, to build trust with travelers, enhance the ability to share information with foreign counterparts, and ultimately, to protect U.S. person data when in the hands of foreign entities. The remainder of the PRG's 702-related tweaks (Recommendation #13) aren't really tweaks at all---in that they mostly reaffirm the current process for how 702 collection occurs, and don't really propose to alter that collection's scope. The PRG says that surveillance under Section 702 is authorized, that it's directed exclusively at protecting the national security of the U.S. or our allies, it is not directed at illicit or illegitimate ends (including such things as collecting trade secret to give to U.S. industry), and that there is no dissemination of foreign person information if the information is not relevant to legitimate intelligence purposes. More reaffirmation: that targeting of foreign persons mustn't be based solely on First Amendment activity (religion, speech, you know), and that it is subject to careful oversight. Generally speaking, Feinstein-Chambliss and Leahy-Sensenbrenner wouldn't alter the substantive reach of 702 collection much, either. They would, however, seek to restrict access to the databases, with Feinstein-Chambliss requiring a showing that the purpose of the inquiry is to obtain foreign intelligence or information necessary to understand that intelligence. Leahy-Sensenbrenner, on the other side, seeks to restrict the collection of purely domestic communications, and impose limits on searching for U.S. person's communications except when that information would help that person when their life is threatened, or when authorized by consent. That bill also seeks to prevent, like the PRG's proposal to prohibit reverse-targeting of U.S. persons, something the government claims it does not do. And Feinstein-Chambliss, like the PRG, has a provision to permit continued surveillance on a target that enters the United States while surveillance is under way. With a few exceptions, the PRG's substantive recommendations for Section 702 are generally mild, and seek to fill in some holes as to the treatment of U.S. person data swept up in the course of collection. One exception is the PRG's rather aggressive proposal regarding privacy policy---that the entire U.S. government follow DHS's lead in applying the Privacy Act equally to non U.S. and U.S. persons; it's not clear that DHS's mission objectives would obtain in other parts of the U.S. government. The PRG's recommendations for Section 215 collection are pretty bold, too: the group wants to end the bulk telephony metadata collection program and diminish the chances of a future dataset from coming into existence. Contrast all this with Feinstein-Chambliss and Leahy-Sensenbrenner. The Leahy-Sensenbrenner language would likely effectively end the bulk telephony metadata program under 215, but is not as aggressive in accomplishing that objective as the PRG recommendation is. Feinstein-Chambliss approach both 702 and 215 programs, as does Leahy-Sensenbrenner toward 702 programs from another angle, by imposing rules on analysts. There are some other parallels in Leahy-Sensenbrenner and the PRG proposals, particularly with regards to the way U.S. person data is used, and on the prohibition on reverse-targeting. FISC Procedure The PRG attempts to address how FISC proceedings take place (#28). It seeks to move away from the ex parte nature of today's FISC proceedings, and introduce an "advocate," along similar lines as the Feinstein-Chambliss "amicus" and the Leahy-Sensenbrenner "advocate." The PRG heeds the concerns raised by some commentators about the demographics of current appointees to the FISC (lots of Republican-nominated judges, and Chief Justice Roberts gets to pick them all), and suggests a new approach to address those concerns. The PRG, in reviewing the many declassified FISA materials, notices a few shortfalls: the FISC seems to be wanting in more technological expertise, and it has little mandatory transparency built into its system. Regarding the former issue, the PRG advocates for greater resources to be made available. It also suggests that FISC opinions and materials be redacted and made available to the public in a more timely manner. Adversarial Proceedings Like the two major bills, the PRG wants to authorize another party to argue before the FISC. In its case, a "Public Interest Advocate," who could be appointed by the FISC in a particular proceeding, or appoint himself or herself, as the individual would receive updates regarding the status of applications. The PRG leaves open the specific bureaucratic location of the advocate's office with one caveat: it must not be under the FISC itself. Nor does the PRG contemplate the selection process and qualifications for an appointment to this position. The big dispute among the major reform proposals is not whether to add opposing counsel to the FISC, but how---that is, whether the advocate ought to serve as more of a permanent, institutional actor or instead as an amicus appointed by the court ad hoc to add a perspective in a given case. On this point, the PRG comes down on the side of more dramatic reform. The general scheme parallels the more-particularized proposal in Leahy-Sensenbrenner, which gives the office it creates more authority to insert itself into particular proceedings than does the Feinstein-Chambliss bill; the latter's "amicus" would have to appointed each time by the FISC. Leahy-Sensenbrenner also goes into greater detail as to the qualifications (five Special Advocate nominees from the Privacy and Civil Liberties Board, one of which is appointed by the Chief Judge of the FISCR for a five-year term), but the general idea is the same: eliminate the one-party nature of FISC proceedings. Picking the Judges The PRG touches on judge matters, too.  The data on FISC judge selections: ten of the eleven FISC judges were appointed by Chief Justice John Roberts, and those ten were all nominated by Republican presidents. The PRG's solution? Require the entire Supreme Court to select FISC judges. Essentially, the justices would each appoint FISC judges, filling the vacancies with district or appeals judges residing within the judicial "circuits"---federal judicial regions---over which individual justices have supervisory authority. Neither Leahy-Sensenbrenner nor Feinstein-Chambliss alter the way FISC judges are selected. But other bills, including one co-sponsored by Senator Ron Wyden, would change the procedure up a bit. The Wyden bill would require a nomination by the chief judge of the circuit to the chief justice; if that name is rejected, the chief judge would propose two alternates, from which the Chief Justice would be required to pick one. The thrust of these two approaches is a bit similar: shift the responsibility to a person who presumably (due to more frequent contact with the circuit) knows the judges better and diffuse the appointment authority beyond the person of John Roberts. Disclosure and Transparency One theme that permeates all of the PRG's FISA-related proposals is the need for greater transparency and disclosure. Currently, FISA disclosure and reporting requirements are minimal, but the FISC has been more proactive since the Snowden disclosures in providing more detail on its orders; at the same time, the executive branch has declassified more court opinions and materials related to FISA activities. In several places, the PRG seems to acknowledge the legitimacy of the government's activities (like its language regarding Section 702 collection), and simply urges more communication about those authorities. The PRG has other specific proposals, including one that would move some compliance duties out of the responsible intelligence agencies and into a new agency. A New Auditor for the Intelligence Community The PRG is adamant about the need to broaden the authority of the Privacy and Civil Liberties Oversight Board (PCLOB). First, it proposes a position for a privacy and civil liberties policy official, whose responsibilities would fall under both the National Security Staff as well as the Office of Management and Budget (#26). The second proposal is to create a new administrative agency, entitled the "Civil Liberties and Privacy Protection Board"---a PCLOB 2.0--- tasked with overseeing the Intelligence Community's foreign intelligence and counterterrorism activities taking place under FISA. The entity would field the reports of Intelligence Community whistleblowers; house an office for technology assessment; and perform some compliance operations currently assigned to NSA or other intelligence agencies (Recommendation #27). This last task, the PRG argues, would be analogous to the role that private auditing firms play for public companies, although the PRG doesn't specify the particular activities that, say, NSA might pass on to the CLPPB for its collection programs. The PRG also wants to reverse the presumption in favor of classification for surveillance activities. For those programs that are unclassified, the PRG wants transparency and disclosure to the public (Recommendation #7).  The PRG advocates for public disclosure of data on a regular basis, distributed by both the government (Recommendation #10) and the providers (Recommendation #9), about all forms of FISA surveillance, as well as NSLs, unless the release of the data threatens national security. The PRG envisions future surveillance programs of a comparable magnitude to the telephony metadata program, and suggests that they remain classified only if there is a compelling government interest in doing so, and if the efficacy of the program would be "substantially impaired" as a result of the enemies' being apprised of it (Recommendation #11). Neither Leahy-Sensenbrenner nor Feinstein-Chambliss suggest shifting the compliance responsibilities of intelligence agencies to an external body. The thrusts of those proposals are toward more general data reported on a regular basis to Congress and the public, and more particular Inspector General audits of intelligence community activities. Court Records When it comes to FISC and NSL records, the PRG here, too,  favors more disclosure and reversing the presumption of secrecy in national security letter orders and FISA orders---suggesting that nondisclosure orders should only be issued when a judge finds that information's revelation would threaten the national security (Recommendation #8).  (Recall that the PRG would subject NSLs to a new judicial review process.)  The PRG would also put a time limit on the validity of nondisclosure agreements, proposing that judicial reauthorization would be required after 180 days. Both bills call for annual reports to Congress and the public release of aggregate numbers of applications and orders, and of the numbers of U.S. persons targeted under all forms of FISA surveillance.  Feinstein-Chambliss would amend the semiannual Attorney General report requirements to include summaries of compliance incidents and significant legal interpretations of FISA. Leahy-Sensenbrenner would have those significant interpretations of FISA turned over to Congress and to the public, and key decisions summarized publicly when the decisions themselves cannot be released. Leahy-Sensenbrenner lastly calls for public disclosure of appeals to the FISC Court of Review; the public advocate established by the legislation would be empowered to petition for public disclosure as well. Thus, as above, there's a broad consensus---here, around adding more mandatory reporting about activities occurring under FISA authority.  But, as above, there are some significant differences.  On balance,  the PRG's transparency proposals seem to be more sweeping than comparable provisions in Leahy-Sensenbrenner and Feinstein-Chambliss.