Intelligence Surveillance & Privacy

Summary: Recent Rulings by the FISC and FISCR

David Benger, Philip Chertoff, Erik Manukyan, Jacob Schulz, Chinmayi Sharma
Thursday, October 24, 2019, 7:29 PM

On Oct. 8, the Office of the Director of National Intelligence declassified two opinions released by the Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence Surveillance Court of Review (FISCR) relating to the FBI’s use of information collected under Section 702 of the Foreign Intelligence Surveillance Act (FISA).

Published by The Lawfare Institute
in Cooperation With
Brookings

On Oct. 8, the Office of the Director of National Intelligence declassified two opinions released by the Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence Surveillance Court of Review (FISCR) relating to the FBI’s use of information collected under Section 702 of the Foreign Intelligence Surveillance Act (FISA). The procedures governing FBI access to 702 data, most notably about U.S. persons, were a critical topic of debate during the 702 reauthorization process in 2017. The reauthorization bill imposed new requirements on the FBI, and in response, the agency proposed revised targeting, minimization and querying procedures in March 2018. The following July, the court found several areas of noncompliance with the minimization and querying procedures, which the government sought to address in revised procedures submitted to the court in October 2018. The FISC nonetheless ruled that several areas fell short of statutory and constitutional requirements. The government appealed these findings and the FISCR affirmed the lower court, requiring the FBI to revise further their procedures. Below is a summary of the FISC and FISCR rulings.

The FISC

On Oct. 18, 2018, the FISC issued two reprimands of the government’s proposed 2018 procedures for the FISA Section 702 surveillance program. First, the court held that the FBI querying procedures were inconsistent with Section 702(f)(1)(B) requirements, codified at 50 U.S.C. §1881a(f)(1)(B), to keep records of each U.S.-person query term, which is a term used to retrieve unminimized data concerning a U.S. person located in 702 data storage systems.

Second, the court found that FBI minimization and querying procedures were inconsistent with the requirements in Section 702(e), Section 702(f)(1)(A) and the Fourth Amendment because they did not compel the agency to provide adequate justifications for queries using U.S.-person query terms. The FISC also found that the 2018 FBI minimization procedures, if applied to information collected through prior dockets of FISC-approved 702 surveillance, would likewise be inconsistent with the requirements of Section 702(e) and the Fourth Amendment to provide adequate justifications for queries using U.S.-person query terms.

The government appealed to the FISCR. The FISCR, however, affirmed the lower court’s decision. The court agreed with the FISC that the querying procedures were inconsistent with the Section 702(f)(1)(B) record-keeping requirements and did not address whether FBI procedures were also deficient from inadequate documentation of U.S.-person query terms.

Procedural History

On March 27, 2018, the attorney general and the director of the Office of National Intelligence (DNI) submitted 702 authorization certifications (2018 certifications) and their accompanying targeting, minimization and querying procedures to the FISC for approval, as required by Section 702(h). The 2018 certifications proposed to continue acquisitions as authorized in earlier 2016 certifications. The government also sought approval of amendments to prior authorizations, governing access to data collected in earlier dockets, to allow the 2018 minimization and querying procedures to apply to data collected in past and present dockets.

In this case, the court extended the review period to allow for participation from amici curiae Jonathan G. Cedarbaum, Amy Jeffress and John Cella, appointed as provided by §1803(i). After receiving briefings and hearing oral arguments, the court informed the government of three concerns regarding the submitted querying procedures of the FBI and the submitted minimization procedures of the CIA, the FBI, the National Security Agency (NSA) and the National Counterterrorism Center (NCTC):

(1) The querying procedures did not require documentation for the finding that a query using a U.S.-person query term satisfied the relevant standard (returning foreign intelligence information or evidence of a crime). The lack of documentation, especially in the light of reported instances of noncompliance with the standard, seemed unreasonable under the “minimization procedures” definition and possibly the Fourth Amendment.

(2) The querying procedures would not indicate if a query used a query term associated with a U.S. person, which would be inconsistent with the record-keeping procedures of Section 702(f)(1)(B).

(3) The querying and minimization procedures included exemptions for training functions and oversight that seemed unreasonably broad under the Fourth Amendment and FISA’s definition of “minimization procedures.”

In response, the government filed an amended submission on Sept. 18, 2018, which included amended minimization and query procedures, as well as an explanatory memorandum. The government provided adjustments and explanations to address the court’s concerns by doing the following:

(1) Narrowed the scope of the training and oversight exemptions in the querying and minimization procedures submitted by the FBI, the NCTC, the NSA and the CIA.

(2) Did not alter the FBI’s record-keeping requirement or require documentation on U.S.-person queries but explained the operational consequences of identifying queries using U.S.-person query terms and documenting why a U.S.-person query under the 2018 procedures met the applicable standard before viewing.

(3) Included a supplemental querying procedure for “categorical batch queries” (as opposed to individual queries) that would require FBI attorney approval before reviewing returned 702 information.

The court heard oral arguments for the new briefing on Sept. 18, 2018, and issued its opinion one month later.

Review of Targeting Procedures and Scope of Acquisition

The court first restated the purpose behind Section 702 targeting procedures, emphasizing its goal to (a) limit targeting to persons outside of the United States and (b) prevent intentional acquisition of communications with senders and recipients located in the United States.

The NSA sometimes acquires “multiple communication transactions” (MCTs) during upstream collection. MCTs are bundles of communications containing multiple messages transiting the internet. Upstream collection refers to the collection of data from foreign and domestic major internet cables and switches.

Prior to March 17, 2017, the NSA acquired communications, including MCTs, that contained references to a particular selector (such as a target’s email address or phone number) even if the sender or recipient was not a selector. Collection of “communications that contain a reference to, but are not to or from, a target of an acquisition authorized” is called “abouts” collection. If a single email within an MCT contained a reference to a selector, the entire MCT could be acquired under “abouts” collection, including additional email messages that were wholly unrelated to any target.

Because of the heightened risk of collecting information of or concerning U.S. persons with no foreign intelligence value, restrictions were placed on the NSA’s retention, use and dissemination of information acquired through upstream collection, including a prohibition on queries using U.S.-person identifiers as query terms.

Starting in October 2016, during that year’s certification process, however, the government disclosed that the NSA had been violating that query prohibition more than previously stated. The government, subsequent to the 2016 certificates renewal, chose to stop acquiring “abouts” communications to address that noncompliance. This also applied to MCT acquisition, limited to situations where the 702 target was a sender or recipient of the entirety of the MCT. All upstream internet information collected was subsequently destroyed.

In the 2017 FISA Reauthorization Act, the amendment 702(b)(5) imposed a limitation on the acquisition of “abouts” collection. It required the attorney general and the DNI to make a formal report to Congress before resuming “abouts” collection. Congress would then have a 30-day review period before it approved or disapproved.

The court appointed amici to address the following questions concerning potential applicability of the “abouts” limitation to information proposed for acquisition in the 2018 certifications:

(1) Do the FISA Reauthorization Act Section 103(b) preconditions on acquiring “abouts” communications apply only to the discontinued acquisition method?

(2) If no, do any forms of acquisition conducted under the 2018 certifications involve acquisition of “abouts” communication?

The court concluded, based on briefing of the government and amici, that the “abouts” limitation applies to both upstream and downstream collection.

The specific role of Section 103 of the FISA Reauthorization Act was to codify the NSA prohibition on upstream “abouts” collection. The court, based on substantial agreement between amici and the government, concluded that the submitted procedures would enable upstream collection to be conducted in a manner that complied with the “abouts” limitation.

The court adopted one of the amici recommendations regarding upstream collection: that the government should be required to report on how it will comply with the “abouts” limitation when it tasks any new selector for upstream collection. The court also directed the government to include within such a report any steps taken to ensure that a new type of selector will only acquire communications to or from a target. If compliance problems arise, the ruling stipulates, the government should notify the court.

The government and amici disagreed, however, on whether the “abouts” limitation applied to downstream collection. The government argued that Congress intended the “abouts” limitation to apply only to upstream collection. The government specifically pointed to the Senate Intelligence Committee report that identified Section 103 as codifying the intelligence community’s “current prohibition” on “abouts” upstream collection. Likewise, the House Intelligence Committee’s report stated that Section 103 was intended only to codify current procedures. While amici conceded strong evidence of congressional intent with regard to upstream “abouts” collection, they argued Congress may not have been on notice as to what kinds of information are acquired under Section 702. This conclusion was based on observations from the 2008 FISA Amendments Act litigation and by the absence of discussion of certain kinds of information in the legislative history.

The court ultimately concluded that it was not in the position to assess congressional understanding of data and that any analysis should start with the plain meaning of the text. By the court’s interpretation, the text of Section 702(b)(5) did not distinguish between upstream and downstream collection, only whether collection contains a reference to a target. It considered that the application of the limitation to both upstream and downstream collection was not absurd and was not contradicted by the legislative history. The court ultimately held that the “abouts” limitation did apply to downstream collection.

The amici also expressed concern that certain targeting procedures might allow for downstream acquisitions that violate either the spirit or letter of the limitation. However, the court concluded that safeguards governing downstream acquisition did comport with the limitation. The court ordered the government to provide additional information on certain types of acquisitions to determine whether they would be subject to the “abouts” limitation and are otherwise properly authorized, to which the government agreed.

Ultimately, the court found that the submitted FBI and NSA targeting procedures did comport with the requirements of Section 702(d)(1) and the Fourth Amendment.

Review of Querying and Minimization Procedures

The 2017 FISA Reauthorization Act required the attorney general, in consultation with the DNI, to adopt querying procedures for collected data and to provide those procedures for FISC review. The act also specified that those procedures must include a technical method to record each U.S.-person query term used for a query.

The reauthorization further specified that in certain circumstances, codified at Section 702(f)(2), the government must obtain a FISC order before accessing 702-acquired information. Those requirements applied only to the FBI in the following circumstances:

(1) When seeking access to the contents of communications retrieved by a query using a U.S.-person query term.

(2) When the query used a U.S.-person query term that was not designed to find and extract foreign intelligence.

(3) In connection with a predicated criminal investigation that did not relate to national security (702 information could still be used without an order for purposes of evaluating opening an assessment or predicated investigation related to national security).

If any of the conditions are met, the FBI must apply for and receive a FISC order before accessing the contents retrieved by such a query.

The requirements also provided for an exigent circumstances exception in cases where contents could assist in mitigating or eliminating a threat to life or serious bodily harm.

Section 702(e)(1) also requires that each agency maintain certain minimization procedures that:

(1) “are reasonably designed in light of the purpose and technique of the particular surveillance [or physical search], to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information[.]”

(2) “require that nonpublicly available information, which is not foreign intelligence information ... shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand such foreign intelligence information or assess its importance[.]”

(3) “notwithstanding [the above subparagraphs] ... allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes[.]”

In prior dockets of FISC-approved 702 collection, minimization procedures contained rules for querying 702 data. Following the 2017 FISA Reauthorization Act, the attorney general and DNI adopted querying procedures for each agency, separate from the agency’s respective minimization procedures. However, both sets of procedures specify that minimization and querying procedures should be applied together.

Review of FBI Record-Keeping Requirements

The court deemed the FBI’s current record-keeping procedures insufficient to fulfill the bureau’s statutory obligations under Section 702(f)(1)(B). The plain text of the statute requires record keeping of any query terms that are run on U.S. persons. Ultimately, the court concluded that even if all of the queries are recorded, the lack of differentiation between queries of U.S. persons and international persons means that the requirement has not been met.

After a brief review of the dictionary definitions of “record,” the court dismantled the government’s first argument that the absence of the terms “separately” or “segregated” demonstrates that Congress did not intend to require a separate record keeping of U.S.-person query terms. The court pointed out, however, that such an interpretation for the record-keeping requirement would eliminate the very purpose of the record-keeping requirement—to keep records. Moreover, the court specifically identified that the statute’s identification of record keeping for U.S.-person query terms demonstrated an intention to specifically ensure capture of U.S.-person query terms and not to generate records for all query terms.

The government also argued that because Congress, under Section 603 of FISA and Section 112 of the FISA Reauthorization Act, has afforded the FBI exemptions from separately recording U.S.-person query terms for the purposes of public DNI reporting (to accommodate the FBI’s technical limitations), the FBI should be entitled to a similar exemption for 702(f)(1)(B) record keeping. The court dismissed this argument. Aside from helping to improve public reporting, Section 702(f)(1)(B) has the separate objective of improving oversight of 702 activity. To the court, because Section 702 has two objectives—public reporting and oversight—it is reasonable for the government to receive the exemption in one context but not in the other. The court therefore decided not to grant the government the Section 702(f)(1)(B) exception.

The government also attempted to argue that the legislative history supports the FBI record-keeping method, citing the HPSCI report statement that Section 702(f)(1)(B) does not require record keeping “in any particular manner.” The court quickly shot down the argument that the FBI procedure is an acceptable “manner,” as the text demonstrated clear intent to memorialize the U.S.-person query term records and the FBI method would render them indistinguishable from other records.

Finally, the government argued that such a record-keeping system is undesirable because it would have the adverse consequences of requiring FBI personnel to research whether proposed query terms are U.S.-person query terms before using 702. The government suggested that such a research burden would divert resources from investigations; delay analysis and discourage personnel from querying; or result in personnel relying on “personal knowledge” to assess whether a query term was a U.S.-person query term, resulting in inconsistent and unreliable information in FBI systems. The court denied the relevance of those practical results, however, emphasizing that the court does not substitute policy considerations for statute.

The court did not mandate a complete overhaul of existing FBI procedures. As it stands, the FBI relies on written records to document query terms. According to the holding, the FBI is not required to “immediately deploy a comprehensive technical means of generating appropriate records.” Instead, the court held that “so long as it is taking serious steps toward implementing such technical means, it may rely on ‘written’ records.”

Review of FBI Querying and Minimization Practices

The FBI’s querying standard requires that a search is “reasonably likely to retrieve foreign intelligence information, as defined by FISA, or evidence of a crime.” While the court found that the standard satisfies Section 702 requirements, at issue were the large number of incidents of FBI noncompliance. While a collection of seemingly mundane instances of noncompliance did not overly bother the court, the court appeared troubled by instances that “evidence misunderstanding” or “indifference” to the standard. The court was particularly concerned because of the limits on government oversight and the FBI’s policy of routinely and maximally querying 702 data. The court also worried that “delays in reporting some … querying violations” indicate “that FBI and [Justice Department National Security Division] personnel charged with applying the querying standard may lack a common understanding of it.” While the government has taken steps to prevent violations through training and internal attorney guidance, there has not yet “been insufficient time to assess its effect.”

The government has additional statutory requirements to institute minimization procedures according to §1801(h)(1) and (h)(3). The statute requires that procedures be “reasonably designed in light of the purpose and technique of the particular surveillance, to minimize” all interaction with U.S. person information. The “purpose and technique” of Section 702 surveillance “involves targeting non-U.S. persons reasonably believed to be located outside the United States to obtain foreign-intelligence information.” To the court, because FBI procedures “have involved a large number of unjustified queries conducted to retrieve information about U.S. persons, they are not reasonably designed, in light of the purpose and technique of Section 702 acquisitions, to minimize the retention and prohibit the dissemination of private U.S. person information.”

Even though “the government has taken constructive steps” toward compliance with §1801(h) through training and internal guidance from attorneys, the court still believes FBI procedures are inconsistent with the statute. First, FBI personnel’s consistent misapplication of the querying standard makes it appear unlikely that personnel will successfully abide by minimization requirements. Second, the exceptions to the attorney approval requirements, notably the 702(f)(2) exception to query for targets of predicated investigations, provide personnel with a significant capability to query without approval.

Beyond statutory concerns, the court was emphatic that “the FBI Minimization procedures and querying procedures are … unreasonable under the Fourth Amendment.” As they stand, the FBI’s current procedures “present a serious risk of unwarranted intrusion into the private communications of a large number of U.S. persons,” the court wrote. The Fourth Amendment exists to protect against “arbitrary invasions by government officials” and the court asserted that under current procedures the FBI likely “searched for” and “examined” the “private communications” of U.S. persons “on arbitrary grounds.” While foreign intelligence gathered for national security reasons is a matter of “intense interest,” the court concluded that the government’s procedures do not sufficiently guard against risk of serious error and abuse and are not compliant with the requirements of the Fourth Amendment.

Recognizing this, the court recommended the adoption of a documentation requirement proposed by amici that:

FBI personnel be required to document in writing their bases for believing that queries of Section 702 data using U.S.-person query terms were reasonably likely to return foreign-intelligence information or evidence of crime before they examine content information returned by such queries.

Such a query would apply only to U.S.-person queries and when a query has returned Section 702 information that FBI personnel wish to view. Over the government’s objections of administrative burden, the court argued that such a standard is not so onerous and would greatly restrict unjustified intrusions on privacy of U.S. persons and greatly enhance FBI oversight.

Exemptions in the Minimization and Querying Procedures

The court found that, although the March 2018 FBI proposed minimization procedures included exemptions that were overbroad, the revised October 2018 procedures comport with statutory requirements and the Fourth Amendment. These exemptions excuse certain activities, such as querying, from procedural requirements if they are conducted for specific oversight or training purposes.

Oversight exemptions cover activities “conducted by independent executive-branch entities or the agencies themselves.” Both the March and October proposed exemption language targeting activities conducted by independent executive-branch agencies tracked language used in previously approved FBI, NSA, CIA and NCTC minimization procedures. The FISC found in March 2018 that the FBI’s submitted procedures for independent oversight did not require amendment. However, the exemption language covering activities conducted by the FBI itself was considered too expansive, including activities performed

in support of FBI’s investigation and remediation of a possible compliance incident, in support of FBI’s application of the destruction requirements in these minimization procedures; in support of [redacted], and in support of FBI Inspection Division and Records Management Division audits.

Amici were concerned that this March 2018 language was overbroad, covering deviations from procedures that compromised privacy without requiring sufficiently strong government justification for the activity. For example, the government argued that the FBI’s oversight exemption allowed them to retain unminimized Section 702-acquired information in databases of emails and instant messages to comply with records-management and archiving requirements. Amici raised the concern, and the court agreed, that these deviations should not be covered by the exemption.

The FBI responded to these concerns by modifying its language in the October 2018 proposal to clarify the breadth of oversight activities. The exemption is now limited to buckets of activities the purpose of which justifies the deviation from protocol. The exempted oversight activities are now limited to

(1) review of Section 702-acquired information the FBI determines is necessary to remediate a potential spill of Section 702-acquired information; (2) review, retention, and disclosure of Section 702-acquired information subject to destruction, including under these minimization procedures; and (3) review and retention of unminimized Section 702-acquired information contained in employee electronic communications by the FBI’s Inspection Division, as part of its record of what it has provided to the Office of the Inspector General.

The proposal also requires compliance with minimization procedures “to the maximum extent practicable,” limiting disproportionate deviations, and mandates the destruction of unminimized information once it is “no longer reasonably believed to be necessary to the lawful-oversight function.” These added restrictions avoid pretextual exemptions and the retention of information originally used for oversight for later unrelated purposes. As a catch-all, the procedures also permit deviation for activities not described in the procedures only after consultation with the Justice Department’s National Security Division and the DNI, followed by “prompt reporting” to the FISC. The court found these adjustments sufficient to comply with statutory and Fourth Amendment standards.

In addition to oversight functions, training and systems-administration functions within the intelligence community are also exempted from minimization and querying requirements. Prior to March 2018, training activities were not exempt from these requirements, despite the common practice of training FBI employees on databases containing unminimized Section 702 information. Trainer-provided query terms often included U.S. persons who were former subjects of FBI investigations.

Amici objected to a blanket exemption of training activities from querying, retention and dissemination rules. The court agreed that the wholesale exemption was overbroad, because it covered all training, not just training limited to protecting U.S.-person information—an instance when using unminimized data might be necessary to training.

In response, the government narrowed the breadth of training activity covered by the exemption. The amended proposal permits deviations from procedures governing access and review of information only if “reasonably necessary for effective training.” Additionally, deviations from querying procedures are permitted only for training regarding compliance with FISA. Finally, the use of U.S.-person identifiers during training, a practice of which the court was skeptical, is now allowed only when there is a “particular need to do so in the conduct of such training.” (Notably, the CIA removed the training exemption from its minimization procedures after it deemed the exemption unnecessary.)

The court found these modifications “meaningfully limit the types of training activity exempted.” In upholding these amended procedures, the court also clarified its understanding of the querying of U.S.-person identifiers. It stated that the U.S.-person identifiers used should still meet the objective querying standard of “reasonably likely to retrieve foreign intelligence information or evidence of a crime” even if exempted from other requirements to avoid “unnecessary querying of U.S.-person identifiers unassociated with national-security investigations.”

Exemptions for Responding to Congressional Mandates

The proposed language also includes new exemptions regarding compliance with congressional mandates that would require deviation from minimization or querying rules. The new “congressional mandate” language covers only activities that respond to “a subpoena or similar process consistent with congressional oversight,” no longer covering “unspecified” congressional mandates.

The court previously expressed concern about exemptions based on “unspecified mandates,” or congressional requests without formal legal process, because they could “undermine the Court’s ability to find that the procedures satisfy statutory requirements.” In approving similar exemption language in 2015 and 2016, the court stated that the exemption must be interpreted narrowly to include only those mandates containing language “that clearly and specifically requires action in contravention of an otherwise-applicable provision of the requirement of the minimization procedures.” The court also required the government to report any activity undertaken pursuant to this exemption.

While the government never relied on the original “congressional mandate” exemption, which did not include language cabining it to formal legal process, the court’s concerns regarding the FBI’s deviation from procedures to respond to a congressional request were realized. The agency had relied on the “lawful oversight” exemption to respond to a congressional request, delivered without process, for the number of communications of U.S. persons that have been acquired pursuant to 702. The court required the government to file a notice of such actions, but amici raised concerns that the congressional mandate exemption was too vague and overbroad to protect privacy interests. Amici urged the court to interpret the exemption to extend only to formal legal process such as a subpoena, making it distinct from the “lawful oversight” exemption.

In response, the government added the descriptor “such as a subpoena or similar process consistent with congressional oversight” to the exemption. The court believes that this revision, in addition to the revisions enumerating lawful oversight functions, sufficiently clarifies and narrows the exempted activities.

Other Changes to the FBI Minimization Procedures

Metadata refers to information collected from a communication not including the content of the communication. The court separately addressed metadata used for link analysis (the analysis of data to find associations between individuals, places, or events for threat assessment) and metadata retained for other purposes.

Currently, metadata in systems used solely for link analysis are exempted from Section 702 retention timetables. The government has proposed indefinite retention of all metadata for possible link analysis. This is an attempt to harmonize 702 metadata retention policies with metadata retention policies under Titles I and III of FISA.

The court approved this proposal, finding that the strong querying and minimization limitations in the current proposal are sufficient to protect U.S. person privacy while allowing the intelligence community to take advantage of a tactically valuable data collection practice. The government argued and the court agreed that retaining metadata from all systems improves the FBI’s capacity to make connections about targets and their networks. Similar arguments persuaded the court in 2016 to remove retention restrictions on metadata collected under Titles I and III of FISA. The court reaffirmed that the constitutional privacy interest in metadata is lower than the protections afforded to communications, but that does not equate to no privacy interest. Therefore, the government must report the type and volume of data it collects under Section 702 that it regards as metadata and the extent to which such metadata, such as cell tower sites or GPS coordinates, can reveal location information about U.S. persons.

The government has advised the court that it intends to implement the 10-year access-restriction provision under its minimization procedures to allow the agency to immediately access metadata responsive to a query, without first having to document the basis for the query. This change would apply whether the query was run for link analysis or other reasons. It also intends to make any approved query results of Section 702 communications available to “all users who would otherwise be authorized to access such information” for six months (or until 15 years from when the authority used to access the communication expires, whichever is sooner). The court has requested a written explanation for these proposals and will assess their reasonableness in the future.

The FBI has also sought modifications that would allow it to retain unminimized Section 702 information even in certain repositories that do not comply with current minimization procedures. The agency seeks this exemption because it is technologically incapable of purging these systems of 702 data without removing valuable communication records. These systems include secret-level email systems that retain documents to assist in response to discovery requests, records management, FOIA processing and the FBI’s investigatory purposes. A separate secret-level instant messaging system also retains 702 information primarily for investigative purposes. The court in 2017 had required the government to report the extent of noncompliance with minimization procedures on these systems and outline the remediation measures taken.

In response, the FBI indicated it would prohibit sharing unminimized FISA information on instant messages and emails. It had previously indicated that sharing unminimized information in classified emails was necessary for personnel, but recognizing that it did not have the technology to delete unminimized data from the email system, the FBI could not permit this practice and remain compliant with minimization procedures. Unminimized information already sent on email systems will remain there until a solution is developed to delete it, but new information won’t be ingested.

The government has proposed provisions that would permit indefinite retention of Section 702 information on these systems while restricting access. Access would be limited to “FBI personnel who require access to perform their official duties or assist in a lawful and authorized governmental function, including system administrators and other technical personnel, and who have received training on these minimization procedures and the Querying Procedures.” The FBI has proposed that records of individuals with access would be maintained. And, finally, according to the new proposal, queries must comply with all querying procedures and may be conducted only for a specific type (redacted in the opinion) of investigations, records management inquiries, or discovery.

Amici were concerned about the lack of specificity regarding individuals who might have access and the justification for exempting this information from U.S.-person masking requirements. The court shared these concerns, but to the FISC, the worries were mitigated by the efficacy of the proposed modifications and the low quantity of Section 702 information found on these systems as compared to systems primarily used for analytical or investigative work. However, the court will still require the FBI to report where unminimized 702 information has been found, whether it can be brought into compliance with procedure or, if not, why its retention in that system is necessary.

Other Noncompliance

The court addressed other instances of noncompliance that it conceded did not bear significantly on the legal matters at hand. Namely, the court discussed concerns about the low frequency of NSA’s post-tasking review of content, the improper disclosure of Section 702 information by the FBI and newly emerged noncompliance issues.

NSA targeting procedures require analysts to take reasonable steps to confirm that all selectors continue to be used by non-U.S. persons located outside the United States. This process involves periodically reviewing contents of communication. But the court expressed concerns about the government’s ability to monitor the analysts’ compliance with policies about post-tasking review of content.

In response, the government has begun to report noncompliance with policies. Six quarterly reports since the court’s first opinion on this matter in April 2017 show several instances of noncompliance with the policy, some of which involve the CIA or FBI failing to conduct post-targeting reviews entirely. However, the court did not find that the reports were cause for significant concern because of the small number of noncompliance instances and the even smaller number of deviations that involved an identifier that should have been detasked (no longer associated with a non-U.S. person overseas).

In its April 2017 ruling, the court also discussed instances in which the FBI allowed unauthorized personnel to access Section 702 information. However, since then, the FBI has not reported any additional instances of improper disclosure, which has eased the court’s concern regarding the possibility of future noncompliance.

Though the FBI has not reported new instances of unauthorized personnel getting access to Section 702 information, the government has identified other new instances of noncompliance. Many of these involve the NSA. The NSA has reported tasking selectors under 702 without conducting the necessary foreignness checks, failing to perform timely foreignness checks, and failing to consider the totality of circumstances when making a foreignness determination. In other instances, the government failed to timely detask accounts. However, the court was not concerned by most of these incidents, finding that the government has largely taken the necessary remedial measures.

One instance of noncompliance, however, remained of concern to the court. On May 2018, the government reported to FISC that since September 2017, the NSA had a growing backlog of purge-discovery orders, queries conducted to confirm that certain information has been purged from 702 databases, which resulted in significant delay in placing information that should have been purged on the Master Purge List (MPL). The bulk of these orders pertain to 702 collection, which suggests that the NSA was not complying with its purge obligations under Section 702.

In response, the NSA has automated its processing of some of its purge-discovery orders. The agency considers the backlog to be eliminated. However, until the government can assure the court that the purge-discovery orders are being processed in a timely manner, the NSA will continue to report the number of pending purge-discovery orders biweekly.

In March 2018, the government informed the court that it had identified certain insider-threat monitoring activities, or work conducted by agencies to identify risks from within to their mission, that may encounter Section 702 information. The government is currently investigating to what extent this “user activity monitoring” (UAM) might find unminimized 702 information. So far, the investigation has only found that UAM might have resulted in violations of minimization procedures.

The FISCR

The government appealed the FISC decision to the superior court, the FISCR. The two questions considered on appeal were

(1) Whether the FBI’s proposed query procedures properly recorded “United States person query terms” as required by Section 702(f)(1)(B).

(2) Whether the FBI’s broader “minimization and query procedures” complied with FISA and the Fourth Amendment.

In a per curiam opinion decided on July 29 and released to the public on Oct. 8, the FISCR ruled against the government. The court of review’s central holding was that “[t]he FBI’s proposed query procedures do not comply with Section 702(f)(1)(B)” because they have no procedure whereby the FBI would record whether a query term “relates” to a U.S. person. Affirming the lower court decision, the FISCR ruled that 702 did in fact require the FBI to “memorialize” query terms associated with U.S. persons, “to the extent reasonably feasible.” Pursuant to this holding, the FISCR instructed the FBI to revise its query procedures.

FISCR declined to reach the merits on the second question at bar in order to allow the FBI to revise and resubmit its updated procedures to the FISC. Nevertheless, the court did not shy away from “offering guidance” to both the FBI and the FISC on broader compliance with FISA and the Fourth Amendment—the subject of the second question.

Leading up to this dispute, the FBI’s self-stylized procedures obligated personnel to record queries only in aggregate, failing to distinguish between query terms that related to U.S. persons versus those that related to non-U.S. persons. Because the FBI’s record-keeping procedures did not differentiate query terms in this fashion, the court concluded that the FBI’s procedures failed to comport with Section 702(f)(1)(B) of FISA.

Question One

The Text of Section 702(f)(1)(B)

The FISCR’s opinion begins with a review of the relevant portions of Section 702. The portion of Section 702(f)(1)(B) at dispute in this case requires that querying procedures developed by the intelligence community “include a technical procedure whereby a record is kept of each United States person query term used for a query.” The government argued that the best textual interpretation of the statute would not require any differentiation between U.S.-person query terms and non-U.S.-person query terms. This, according to the government, would help minimize record-keeping costs incurred by the FBI.

The court begins its textualist analysis by defining “record” as used in Section 702(f)(1)(B). The meaning of “record” has implications for whether the FBI would be required to provide an undifferentiated list of query terms, or a list of query terms that differentiate between U.S.-person query terms and others. A record, as defined by the court, is an account that “perpetuate[s] knowledge” of information. The FBI’s current method of record keeping does indeed record all query terms, including U.S.-person query terms, in a raw list, but Section 702(f)(1)(B) requires the FBI to perpetuate knowledge of a “specific type of information.” The court noted that the statute expressly identifies “United States person query terms” as the object of such record keeping. So, even though the FBI’s current method of record keeping includes U.S.-person query terms, albeit in an undifferentiated format, it does not “perpetuate” the relevant knowledge—that is, identification of U.S.-person query terms as distinct from non-U.S.-person query terms. In the court’s eyes, the FBI’s current procedure is thus inconsistent with the statutory obligations of Section 702(f)(1)(B).

To support its textualist interpretation of Section 702(f)(1)(B), the court briefly explores the implications of the government’s reading of “record” and the procedural architecture they erected pursuant to that reading. If the FBI could not differentiate between U.S. and non-U.S. query terms, it would not be able to supply a list of only U.S.-person query terms to oversight bodies. Without this differentiated recording upstream, the FBI would not be able to tell the difference between U.S. and non-U.S.-person query terms downstream.

Next, the court resists the government’s claim that, for the court’s textualist interpretation of the statute to be sound, it must read the word “separate” into the statute—i.e., “a [separate] record” should be kept of “each United States person query term.” The court does not read the statute to require one record for U.S.-person query terms and another “separate” record for non-U.S.-person query terms. Rather, the court argues that out of a single pool of query terms, “United States person query terms must, to the extent reasonably feasible, be identifiable as such.” Since the court’s interpretation does not require the government to keep and maintain two separate records, the government’s argument that the court’s interpretation imposes severe procedural burdens loses some ground.

Further grappling with the government’s concerns about procedural burdens, the court explains that Section 702(f)(1)(B) merely imposes a “technical” requirement. It does not, in the court’s reading, impose an “inflexible substantive requirement” meant to compel an exhaustive evaluation of any and every given query term. To better explain this reading, the court offers three scenarios: In the first, the query term is obviously associated with a U.S person; in the second, the query term is less obviously associated with a U.S. person; and in the third, the query term’s association with a U.S. person is unknowable. The court suggests that in scenario one, U.S.-person status is easily demarked. In scenario two, FBI personnel can deploy presumptions they currently use to determine whether a person with unknown status is indeed a U.S. person. Finally, in scenario three, the court suggests that the FBI can simply designate the U.S.-person status of query terms as “unknown” or “to be determined.” Thus, the court demonstrates the sort of flexibility the statute provides, ultimately leaving the method of organizing this knowledge to the various intelligence-gathering agencies.

Statutory Context

Beyond the specific statutory text at issue, the court argues that the broader statutory context of Section 702(f)(1)(B) does not support the government’s position.

Following the government’s lead, the court first looks to Section 702(f)(2), which, like Section 702(f)(1)(B), was added to FISA as a part of the 2017 Reauthorization Act. Section 702(f)(2) uniquely applies to the FBI, requiring the FBI to seek a FISC warrant before deploying queries in circumstances sensitive to U.S. persons’ privacy rights. Because Section 702(f)(2) imposes new constraints only on the FBI, the government derives two inferences: First, Section 702(f)(2) seeks to alter FBI querying procedures—not Section 702(f)(1)(B)—and second, since (f)(2) applies only under certain circumstances, the statute cannot be interpreted to require a change to querying procedure under all circumstances.

In their own analysis, the court, however, “draws [from Section 702(f)(2)] a different set of inferences.” The court infers that (f)(2) was mainly intended to safeguard against potential Fourth Amendment challenges. Its purpose, then, is not to narrow the application of (f)(1)(2)’s record-keeping requirements to those circumstances described in (f)(2). The court argues, “[I]t is reasonable to assume that Congress did not view it as affecting the general recordkeeping requirement set forth in Section 702(f)(1)(B).” Moreover, the court takes the absence of an explicit record-keeping mandate in (f)(2) to suggest that Congress assumed the FBI would be able to identify U.S.-person query terms at least for internal purposes. Only if the FBI had procedures that enabled it to identify U.S.-person query terms from other query terms, the court concludes, would the FBI be able “to comply with Section 702(f)(2).”

Next, the court considers Section 603(d)(2)(a)—another FISA provision auxiliary to Section 702(f)(1)(B). This section exempts the FBI from having to report the number of U.S.-person search terms and the number of actual queries deployed by the bureau to the public. Agreeing with the FISC opinion, the court argues that the only way this provision could come to bear on the record-keeping requirement under Section 702(f)(1)(b) would be if (f)(1)(b), like Section 603(d)(2)(a), sought to improve only public reporting requirements. But, one of the core objectives of 702(f)(1)(b) is to improve nonpublic oversight of the intelligence community by the executive branch, Congress, and the FISC. Therefore, the court rejects the government’s claim that the exemption from 603(d)(2)(a) is transferable to Section 702(f)(1)(B).

Finally, the court turns to Section 112 of the 2017 FISA Reauthorization Act. This provision requires that the Department of Justice inspector general report “any impediments … for the [FBI] to count … the total number of … queries that used” U.S.-person identifiers. In their own analysis, the government attempted to highlight the difficulty in reconciling Section 112 with the FISCR’s reading of Section 702(f)(1)(B). If Section 702(f)(1)(B) clearly requires the FBI to memorialize U.S. query terms, why then, the FBI asks, would Congress institute a feedback channel where the bureau could report to Congress any complications in counting U.S. query terms? In the government’s view, there is no cognizable reason why the FBI would struggle to count U.S. query terms, if, as required under the court’s reading of Section 702(f)(1)(B), the FBI instituted a procedure that guaranteed a clear identifiable record of U.S. query terms. Therefore, the government argues, it cannot be the case that Section 702(f)(1)(B) requires differentiation of U.S. query terms, as the court suggests. Only if the FBI had flexibility in the way it recorded query terms—U.S. person and otherwise—would the instruction in Section 112 make sense. Maintaining that the government’s argument is plausible, the court ultimately concludes that the “opposite view is equally plausible.” Indeed, the court argues, Congress may choose to request that the FBI keep it abreast of any challenges the bureau faces in the application of Section 702(f)(1)(B)’s record-keeping requirement, while simultaneously expecting them to institute that requirement. In other words, it is not absurd for Congress to request feedback from the FBI on compliance difficulties, despite Congress’s expectation that the FBI will ultimately comply.

For these reasons, the court concludes, the statutory context neither bolsters nor undermines the government’s position.

Legislative History

Though the court finds no ambiguity in the text of Section 702(f)(1)(B), nor anything conclusively disfavorable to the court’s interpretation in FISA’s broader statutory context, the court nevertheless turns to a brief analysis of legislative history. Both the government and the court look to a House Permanent Select Committee on Intelligence report published prior to the 2017 Reauthorization Act in order to derive congressional intent. Despite their reliance on the same House report, the court and the government reach different conclusions.

The court begins by identifying two statutory aims expressed by lawmakers in the House Report. First, Congress sought to address U.S. persons’ privacy concerns. Second, Congress sought to ensure that the intelligence community’s record-keeping activities would be subject to oversight. To the court, the government’s reading of Section 702(f)(1)(B) fails to satisfy both of these twin aims. To the court, if, as the government claims, Section 702(f)(1)(B) required no “differentiat[ion] between United States person query terms and other query terms,” the statute would serve only a “limited oversight goal” while wholly failing to protect the privacy interests of U.S. persons.

Next, the court shifts to addressing the government’s interpretations of the legislative history. The government first argued that Congress sought to grant the attorney general and the DNI “discretion” in the “manner” in which agencies can record U.S.-person query terms. The court concedes that the House report suggests that agencies can determine “how” they keep such records. But the question at bar is “whether” they must keep such records in the first place. And on that question, the court notes, the House report is silent.

The government also relied on an excerpt from the House report that states that the intelligence community “should have separate procedures documenting their current policies and practices related to querying” of FISA data. According to the government, this excerpt justifies existing querying practices. But when “read in context,” the court replies, this excerpt simply stands for the general proposition that agencies, for the first time, must begin to document their querying practices.

Policy Considerations

The court then transitions into a discussion of policy, focusing on the merits of two arguments made by the government concerning the court’s interpretation of Section 702(f)(1)(B): that it fails to improve FBI oversight and that it will hamper the FBI’s broader mission.

The court pushes back against the first point, arguing that its interpretation improves oversight. In requiring the FBI to highlight query terms related to U.S. persons, the court argues, the statute enables more robust “auditing” of querying practices as they relate to U.S. persons. Indeed, in the court’s view, this requirement supplies “other Executive Branch offices, Congress, and the FISC” with previously unavailable data. Further, the court maintains that “additional transparency” regarding U.S.-person query terms enables cabined oversight over Section 702 programs and leaves the FBI’s public disclosure exemptions undisrupted. The FBI relies on these public disclosure exemptions to protect the secrecy of its investigations.

The court then dispels the notion that differentiating query terms will “drain FBI resources, create unreliable records, and, potentially, harm national security.” The court dismisses these concerns, arguing that adding one “largely ministerial” item to an investigative checklist is unlikely to overburden the entire FBI mission.

Question Two

Despite its refusal to reach the second question, which asks whether the FBI’s “querying and minimization procedures” complied with FISA and the Fourth Amendment more broadly, the court proceeds to “offer some guidance” to the FBI and the FISC ahead of future judicial review.

The court first instructs the FISC that it may look to how agencies implement existing minimization procedures in conducting a FISA- and Fourth Amendment-compliance analysis. Cautioning the FISC not to put too much stock in old procedures, especially where new proposals feature substantial changes to those old procedures, the court double backs to remind the FISC that procedural compliance with the statute “as written” is what primarily decides this question.

Next, the court greenlights, without explicitly affirming, the FISC opinion on question two. In their current state, the court asserts, the FBI’s proposed “querying and minimization” procedures are wanting. The court does not go so far as to definitively rule that the FBI must change its proposed querying and minimization procedures, but the FISCR strongly suggests that the FBI address the statutory and constitutional deficiencies flagged by the FISC ahead of future judicial review. Further, the court advises that the FBI share any interim procedural improvements with the FISC to aid future review of FBI reforms.

Finally, the court encourages but does not “require” that the FBI adopt a minimization procedure recommended by amici. According to that procedure, FBI personnel would document in writing their justifications for using a certain U.S.-person query term before conducting a search. The goal of this procedure, according to the court, is to encourage “careful consideration” on behalf of FBI personnel before conducting a search that might violate U.S. persons’ privacy rights. The court adds that mandating contemporaneous documentation of these queries will help develop a better record for oversight purposes.

Even if the FBI refuses to adopt these suggested revisions, the opinion cautions that if it wants a favorable outcome in the FISC’s review of its amended procedures, the agency must, at a minimum, rectify its record-keeping procedures to allow oversight bodies to readily identify “United States person query terms.”


David Benger is a student at Harvard Law School. Previously, he served an investigative analyst at the New York County District Attorney's Office Major Economic Crimes Bureau, and a legal assistant on a trial team at the International Criminal Court. He earned a Bachelor of Arts in Politics and Russian Studies summa cum laude from Brandeis University and a Master of Arts in Global Affairs from Tsinghua University (Beijing) where he studied as a Schwarzman Scholar.
Philip Chertoff holds a J.D. candidate from Harvard Law School. Prior to law school, he was a research fellow studying cybersecurity and emerging technology issues in Europe. He received his bachelor’s degree in political science, with honours, from the University of Chicago.
Erik Manukyan is a graduate of Harvard Law School, where he is a Principal Senior Editor on the National Security Journal. He graduated from the University of California, Los Angeles with a B.A. in Political Science.
Jacob Schulz is a law student at the University of Chicago Law School. He was previously the Managing Editor of Lawfare and a legal intern with the National Security Division in the U.S. Department of Justice. All views are his own.
Chinmayi Sharma is an Associate Professor at Fordham Law School. Her research and teaching focus on internet governance, platform accountability, cybersecurity, and computer crime/criminal procedure. Before joining academia, Chinmayi worked at Harris, Wiltshire & Grannis LLP, a telecommunications law firm in Washington, D.C., clerked for Chief Judge Michael F. Urbanski of the Western District of Virginia, and co-founded a software development company.

Subscribe to Lawfare