Trends and Predictions in Foreign Intelligence Surveillance: The FAA and Beyond

It is a strange time for national security.

Beginning in 2013, Edward Snowden’s leaks caused the U.S. government to significantly reduce the scope, and increase the transparency, of its foreign intelligence surveillance, while the President urged caution and restraint in response to the extraordinary rise of the Islamic State of Iraq and the Levant (ISIL). At the same time, U.S. communications providers sought additional reforms and reduced their cooperation with surveillance directives in important cases. Finally, anti-surveillance politicians, on the right and left of the U.S. political spectrum, prospered as part of a burgeoning populist movement.

In Western Europe, by contrast, ISIL’s rise spurred a significant and overt expansion of surveillance authorities. European governments, particularly the United Kingdom, began making increasingly strident demands for communications data from U.S. providers. And the EU struck down the safe harbor regime for trans-Atlantic data sharing on the grounds that U.S. surveillance laws do not adequately protect privacy. Despite increased transparency, as of January 2016, the immense technical and legal complexity of U.S. surveillance law continues to challenge informed debate across all of these fronts.

In this highly charged and confused environment, Congress will soon take up the Foreign Intelligence Surveillance Act (FISA) Amendments Act (FAA), which is set to expire at the end of 2017.

In the paper, I make six predictions about the issues likely to dominate that legislative process. Most of those issues concern incremental change, and a range of possible outcomes well within existing legal and policy paradigms; many are explained in a 2014 report by the Privacy and Civil Liberties Board (PCLOB):

• The “upstream” collection of communications about non-U.S. persons located abroad (less than 10 percent of FAA collection, and probably unavoidable for technical reasons);
• U.S. person queries of FAA data (fewer than 200 conducted by NSA in 2013);
• statutorily required or forbidden sharing of raw FAA data with foreign partners (now dealt with through FISA Court-approved minimization procedures);
• the authorized purposes of FAA collection (likely not to affect existing collection very much); and
• NSA compliance issues (already well publicized, dealt with by the court and congressional oversight, and unlikely to result in significant FAA amendments, but perhaps significant for the long run as the Intelligence Community moves data to the cloud)

These issues are all important. But they are unlikely to have a revolutionary effect on security or privacy, except perhaps in the aggregate. The one exception concerns surveillance under Executive Order 12333, which is very likely to arise in connection with FAA renewal, but is difficult to discuss at present because it is the subject of a forthcoming report from the PCLOB.

I also make predictions about political and technological trends that I think will have the biggest impact on surveillance in the longer run. These predictions are more speculative than the ones discussed above. They include:

• increasing pressure on FISA’s “technical assistance” provisions, partly due to challenges posed by widespread and varied encryption;
• two gaps in U.S. law resulting from outdated assumptions that providers will voluntarily cooperate when surveillance requests are certified as lawful but compliance is not compelled;
• a growing but so far unmet need for international agreements to resolve cross-border data requests;
• the increasing indeterminacy of location on the Internet and the resulting foundational threat to U.S. surveillance law;
• the Internet of Things and Fintech, which promise to pose a host of practical, legal and cultural challenges;
• and the increasing availability of open source and social media, which creates significant problems and opportunities for U.S. intelligence and counter-intelligence.

At present, I fear that most of these issues, with the possible exception of cross-border data requests, are not very well in focus at the highest levels of the Executive and Legislative Branches. But I believe that they should be considered soon, either in connection with FAA renewal or in a separate process, because they have the potential to cause significant change over the next several years.

You can read the full paper here.