Thoughts on a Blue-Sky Overhaul of Surveillance Laws: Approach

[Editor's Note: below you'll find the third in a series of posts by David Kris on surveillance reform.  In the first two installments, David introduced his subject, and then overviewed the challenges facing an attempt to overhaul the legal rules for surveillance.  Below he sketches a possible approach to a "blue-sky" reform effort.] 

The first task in any overhaul effort would probably be to define the conduct to be regulated.  In part for convenience, I have referred here to an overhaul of “surveillance” laws, but the project would need to consider more than just electronic surveillance.  It could include physical searches, and other methods of collecting information.  Current law governing intelligence collection offers a starting point for defining the scope of the project, but perhaps we would want to regulate more, or less, than we currently do. 

The Fourth Amendment provides another starting point, but it may be too narrow because many current statutes (e.g., those governing pen-trap surveillance) regulate conduct that is not a Fourth Amendment search or seizure.[1]  Extant foreign intelligence collection activity (as opposed to regulation) might also serve as a guide, but that too is subject to change, and not all current foreign intelligence activity is equally regulated.  Moreover, a focus on intelligence leaves the question whether to address law enforcement collection, because differences between the two regimes may themselves create severe anomalies – particularly for the FBI[2] – where the same information can be obtained under each. A related question concerns the nature of the overhaul.  For example, if limited to legislative change, we may want to ignore some collection activity altogether, and leave it to internal executive branch regulation, as Congress did when it enacted FISA in 1978.[3]  Today, a good deal of foreign intelligence collection is regulated by the Fourth Amendment and Executive Order 12333 and its subordinate procedures, but not in any meaningful way by statute; bringing all of that activity under statutory control would be a radical step. 

In short, defining the conduct to be regulated is not as straightforward as it might sound, but will fundamentally affect the basic scope of the project. The next step, and in some ways the hardest and most important one, would be to divide the universe of relevant conduct into meaningful pieces, which can be regulated in different ways, at different levels of intensity.  This process of division probably should begin with our values.  For example, where do we most and least value privacy? [4]  Where do we want or need broad governmental power, and the famous “speed and agility” that apparently motivated the Terrorist Surveillance Program?[5]  Whatever proposals emerge from the overhaul, they would likely need to distinguish in some way between different forms of collection – e.g., between non-consensual surveillance of the words spoken in a telephone call between two American citizens in the United States, and the consensual monitoring of the telephone numbers dialed (but not the words spoken) in a call between two citizens of Afghanistan located in that country, or the mere physical surveillance of the Afghans when they visit a public market in Kabul.  What are the values that inform this distinction? Rather than beginning with a clean slate, and an attempt to discern our values from scratch, it may help to note the distinctions that have in fact been used in prior and current statutes and rules, which reflect values we have adopted, or at least enacted into law, from time to time.  A blue-sky project would critically review these distinctions and consider whether to adopt, reject, modify, or supplement them. 

Here is a list of some (not all) of those distinctions:  

A. Distinctions Concerning the Target of Surveillance and/or His Interlocutors

1.  Location.  An overhauled legal regime might distinguish between targets who are known or reasonably believed to be in the United States, those who are known or reasonably believed to be abroad, and those whose location is uncertain.[6]  As explained above, the FAA was designed in part to address the growing uncertainty of location in electronic communications, particularly web-based communications.  Distinctions are possible based on the location of the target alone, or the target and his interlocutors.[7]  Alternatively, a new regime might abandon location as a distinguishing feature, on the theory that it is becoming ever more indeterminate.

2.  Nationality and Citizenship.  We would need to consider whether to distinguish between targets who are known or reasonably believed to be U.S. persons, those who are known or reasonably believed not to be U.S. persons, and those whose status is uncertain.[8]  In today’s world, nationality is often difficult to discern; even in 1978, FISA required assumptions about nationality that were largely based on location.[9] As location becomes more indeterminate, nationality may as well.  Again, distinctions are possible based on the nationality or citizenship of the target alone, or of the target and her interlocutors.

3.  Other Nationality-Related Issues.  Under FISA, there are distinctions between entities that are controlled by a foreign government, and those openly acknowledged to be controlled by a foreign government.[10] The theory is that errors are less likely with respect to the latter (justifying some expanded collection authority), but there is some question whether there is much of a practical difference and whether, if there is, it justifies the added complexity in the overall regime resulting from the distinction.

4.  International versus Domestic Terrorism.  In keeping with a distinction recognized by the Supreme Court, FISA applies only to international terrorism, not domestic terrorism, but surveillance of domestic terrorism need not proceed solely under ordinary law enforcement standards.[11]  The Supreme Court invited Congress to enact a special domestic security surveillance statute with standards different than those governing surveillance of ordinary crime, and Congress could always accept the invitation.[12]  Again, however, creating a new class of surveillance for domestic security threats, which would be regulated somewhere on the continuum between FISA (which applies to foreign security threats) and the federal wiretap statute known as Title III (which applies to ordinary crime) would generate still more complexity in the law.

5.  Reasonable Expectation of Privacy.  The regulatory role of a reasonable expectation of privacy could also be considered as part of a blue-sky overhaul.[13]  This concept, rooted in the Fourth Amendment, is obviously central, but FISA has used it more broadly than the Constitution may require – e.g., in drawing distinctions based on whether “a person” (meaning a U.S. person) has a reasonable expectation of privacy, even when the particular person being targeted (e.g., certain non-U.S. persons) may not have such an expectation.[14]

6.  Consent.  A blue-sky overhaul could consider whether and how to distinguish surveillance based on the consent of one or all parties to a communication or other form of collected information.[15]

B.  Distinctions Based on How the Government Conducts the Surveillance

7.  Investigative Agency Limits.  An important question in an overhaul would be whether to limit collection techniques to certain types of investigations conducted by certain types of agencies in certain circumstances.[16] For example, there may be reasons that the FBI should enjoy more investigative authority than the CIA in certain domestic settings, and perhaps reasons for the opposite outcome abroad.  But one possible price of this agency-specific tailoring is more complexity and perhaps uncertainty.

8.  Targeting.  There is a question whether to distinguish in our law between surveillance targeting a specific person and surveillance that does not target any specific person.[17] This was an enormously important distinction when FISA was enacted in 1978, with the statute designed to focus on any targeting of a particular, known U.S. person inside the United States.[18]  Collection targeting a specific person may be more intrusive than generic surveillance that happens to collect communications of many persons, but advances in technology since 1978 may put the distinction in a slightly different light (there are limits on what I can say publicly in this area).[19]

9.  Location of Collection.  An overhaul could consider whether to distinguish classes of surveillance based on the location in which the surveillance (or other collection) occurs.  Again, in the past we have distinguished between collection in the United States and abroad,[20] but location seems to be harder and harder to determine in real time.  The uncertainty here is obviously less severe than with respect to the location of targets, since the government’s own collection conduct is at issue, but there may be complexities that arise with advancing technology.

10.  Surveillance Solely Directed at Foreign Powers.  Today, FISA distinguishes according to whether the surveillance or other collection is directed solely at foreign powers and/or has a reasonable likelihood of collecting U.S. person communications.[21] We could maintain, change, or eliminate this distinction as part of a blue-sky overhaul.

11.  Use of a Collection Device.  We could also maintain, change, or eliminate legal distinctions, that are embodied in current law, based on whether the government uses an electronic or mechanical device in the surveillance or other collection.[22]

12.  Type of Communication.  In FISA, information acquired through electronic surveillance is either a wire communication, a radio communication, or neither; in Title III, the categories are wire, oral, and electronic communications.[23]  Perhaps the distinctions within each regime no longer make sense, and perhaps the distinctions between the regimes no longer make sense.

13.  Real-Time Collection.  An overhaul would need to consider whether to distinguish between real-time collection and after-the-fact collection even where the information to be collected is essentially the same.[24] This is a distinction with historical roots, but advances in the speed and nature of electronic record-keeping may call into doubt its continuing relevance.

14.  Content or Metadata.  An important question would be whether to continue to distinguish between collection of the content of communications (e.g., the words spoken in a telephone call), metadata (e.g., the numbers dialed in a telephone call), and/or perhaps borderline material that is not as easily classified as one or the other.[25]

15.  Role of Third Parties.  We would need to consider whether to continue to permit, or require, surveillance or other collection to proceed with voluntary or compelled third-party assistance, whether third parties may challenge an order or directive to assist in collection, and whether they should be immunized for providing assistance under certain circumstances.[26] Also, we would need to consider the significance of conveying information to third parties – e.g., e-mail to an Internet Service Provider – as Congress did when it enacted the Electronic Communications Privacy Act.[27]

16.  Purpose.  An overhaul would consider whether to distinguish based on the government’s programmatic purpose or individual purpose in conducting the collection, whether to distinguish based on the government’s ultimate purpose (e.g., to protect against foreign threats to national security) or the methods used to achieve that ultimate purpose (e.g., criminal prosecution as opposed to other methods), and whether to make the inquiry turn on primary purpose, significant purpose, or some other quantum of purpose.[28]

17.  Private Property and U.S. Residences.  There are many relatively precise distinctions in current law that could be reconsidered, including, for example, whether to impose special requirements where a search or surveillance requires or involves a physical entry on private property[29] or into a home.[30]

C.  Levels and Types of Approvals for Surveillance

18.  Advance Approval.  A fundamental question in a blue-sky overhaul is whether and when to require approval for surveillance or other collection before the fact, after the fact, or not at all.[31]  This set of distinctions tends to reflect a balance between speed and agility on the one hand, and protection for civil liberties on the other hand, and was obviously central in the process leading to enactment of the FAA.

19.  Approval by Whom.  A related question to be considered is whether the approval should be from the judicial branch, the executive branch, and/or another source;[32]and within the executive branch, the level of approval required,[33] including whether the President must individually authorize collection or delegate authority to do so.[34]

20.  Scope of Approval.  The scope of any required approval is also very important – i.e., whether surveillance approvals should be limited to individual persons or facilities (e.g., John Doe or a particular 10-digit telephone number), or can be broader (e.g., any member of al Qaeda or a gateway switch),[35]including (where approvals are more limited) whether to allow roving surveillance based on certain showings and whether to impose special reporting obligations in roving or other cases.[36]

21.  Emergency and Other Exceptions.  A blue-sky overhaul would consider whether to permit short-term collection without a required advance approval for short periods in certain circumstances subject to after-the-fact ratification.[37]

22.  Duration of Approval Period.  Current law allows certain approvals for a short period (e.g., 30 days), as well as longer periods (e.g., 60 days or 1 year), and allows different periods for different types of targets and/or collection techniques, and initial authorization orders as opposed to renewals of orders.[38]  This complex regime could be reconsidered.

23.  Stages of Conduct Subject to Regulation and Approval.  A key question, as we move further into an era of larger haystacks of collectible data, is whether approvals should regulate (or focus most on regulating) acquisition, retention, and/or dissemination of information.[39] This is another important area where new approaches to managing large data sets could be valuable, and minimization doctrines could be updated.

D.  Use of Information Obtained or Derived from Surveillance

24.  Procedures for Establishing Improper Collection.  A blue-sky overhaul would consider whether and how to conduct proceedings to determine whether information was improperly collected.[40]

25.  Defensive Remedies for Improperly Collected Information.  A related question would be whether to allow suppression of evidence or other defensive remedies where information was improperly collected.[41]

26.  Offensive Remedies for Improperly Collected Information.  Another related question is whether to impose civil or criminal liability for improper collection of information, or knowing use of improperly collected information, and in particular to identify the right scienter requirement with respect to such use where the government may not know if information, or an analytic product derived from multiple streams of information, is or may be tainted, in whole or in part, by underlying improper collection.[42]  This is a very important question as the scale of surveillance and related activities increases.

27.  Coordination.  An overhaul would consider whether to limit or require federal-state coordination and sharing of information obtained or derived from surveillance.[43]

E.  Public and Congressional Reporting and Oversight

28.  Reporting.  An overhaul would consider whether and how to require reporting on surveillance and collection[44] to the public,[45] to the Intelligence Committees and to the Judiciary Committees, as well as the rest of Congress.[46]  Today, the reporting regime is very complex.