An Update on the Status of FISA Transparency Reporting

What follows is a quick recap on the status of FISA transparency reporting (most of this was news in late January but is summarized here with some useful links) along with a couple of observations on what may lay ahead. Up until the unauthorized disclosures regarding surveillance activities, communications providers on the receiving end of requests for information pursuant to FISA were precluded from including statistics in their periodic transparency reports. (These transparency reports traditionally concerned compliance with law enforcement requests.) Following the disclosures, as a result of advocacy by the companies concerned with the effects of the disclosures on their business both present and future, the government said the companies could publicly disclose overall numbers that combined criminal process, FISA orders and National Security Letters (NSLs). Not satisfied by this result or by progress of continued negotiations with the government, five companies filed suit in the Foreign Intelligence Surveillance Court (FISC) challenging the government’s restrictions. The companies argued, generally, that FISA does not prohibit public disclosure of the specific information sought by each company, and that the government’s restrictions violated the First Amendment. The companies’ filings and government responses are available here on the FISC’s public docket page. The docket page includes other pending public matters before the FISC. For ease of reference, the initial filings are as follows, by company: Case No. Misc. 13-03 (Google), 13-04 (Microsoft), 13-05 (Yahoo), 13-06 (Facebook), and 13-07 (LinkedIn). The initial motions for relief were made in June (Google and Microsoft) and September (Yahoo, Facebook and LinkedIn). Apple filed a brief as amicus in each, in November. It appears that sometime in December 2013, perhaps, and into January 2014, additional negotiations took place between the companies and the Department of Justice, presumably on behalf of the Intelligence Community. The result of those negotiations was revealed in a January 27, 2014 letter from the Deputy Attorney General to the general counsels of the five companies. This was ten days after the President’s speech on reforms of signals intelligence activities, and issuance of Presidential Policy Directive-28. The agreement letter provided for a new level of transparency on national security process compliance reporting. The government offered two options of public reporting. One allows for the reporting of aggregate data in separate categories including all of the following, in bands of 1000: numbers of NSLs received; customer accounts affected by NSLs; number of “FISA orders for content;” number of “customer selectors targeted under FISA content orders;” number of “FISA orders for non-content;” and the number of “customer selectors targeted under FISA non-content orders.” Companies may report on criminal process with “no restrictions.” The second option allows for the reporting of aggregate data in separate categories including the following, in bands of 250: either “the total number of all national security process received, including all NSLs and FISA orders;” and “the total number of customer selectors targeted under all national security process, including all NSLs and FISA orders.” Again, if this option is followed, companies may report on criminal process with “no restrictions.” The companies quickly put out reports in accordance with the new rules. (Here they are: Facebook, Google, LinkedIn, Microsoft and Yahoo. Apple, too.) Because of a six-month lag directed by the government, the most recent reporting period for national security process is the January-June 2013 time period. Presumably in July 2014, the companies will release information relating to the July-December 2013 time period, and so on. An additional time lag of two years may apply for a “new capability order,” which the government describes as an order “that is served on a company for a platform, product or service (whether developed or acquired) for which the company has not previously received such an order…” The government will apparently designate a “new capability order” when it is served. This provision probably represents the government’s effort at preserving, for at least two years, the types of capabilities traditionally referred to as “sources and methods.” As referenced above, the agreement letter discusses FISA reporting in terms of “orders.” The agreement letter does not appear to allow for public reporting as broken down by individual statutory provisions. It is worth noting that section 702 of FISA, the provision added by the FISA Amendments Act of 2008 to enable the acquisition of foreign intelligence information when targeting non-U.S. persons reasonably believed to be outside the United States, provides for the service of “directives” on the companies, not “orders.” The “directives” are issued jointly by the Attorney General and Director of National Intelligence. Providers may challenge directives. There are also orders issued by the FISC with respect to 702 collection: the orders reflect the FISC’s approval of the targeting and minimization procedures and the overall certification authorizing the acquisition as approved by the Attorney General and Director of National Intelligence. It is not a major point, but it is one of precision. Clearly, based on the companies’ motions filed with the FISC and the public reports issued after the January 27^th agreement was reached, the companies intended to, and are, including information regarding compliance with directives issued pursuant to Section 702. But, given that other companies like this one (besides the five that were in direct discussions with the government) already have issued and will issue transparency reports in accordance with the agreement letter, precision matters---even if the letter’s mention of “orders” was only intended as a shorthand. The Microsoft General Counsel, for example, provided an explanatory note towards the end of his post releasing the data, and made a connection between the statutory provisions and the language of the agreement letter. Some of the other companies also presented their reporting as concerning “requests” for content, or non-content. An additional observation: the agreement letter's concluding paragraph---rather optimistically---seems to put reporting matters behind the participants, and looks forward to “finding common ground on other issues raised by the disclosures.” But despite this, it is not at all clear that the discussions will not resume in order to address providers' remaining concerns about public reporting requirements. For the government’s part, it will need to consider whether it prefers legislation (such as S. 1452 or H.R. 3035) requiring more public reporting; or whether more can be negotiated with the leading providers, consistent with national security.