The USA FREEDOM Act Turns Two
Today marks two years since enactment of the bipartisan USA FREEDOM Act (USAF), the first major government surveillance reform legislation in decades, and a lot has happened in the law's short life. Most notably, the world did not come to an end with the end of the NSA's bulk collection of Americans’ phone records.
Published by The Lawfare Institute
in Cooperation With
Today marks two years since enactment of the bipartisan USA FREEDOM Act (USAF), the first major government surveillance reform legislation in decades, and a lot has happened in the law's short life. Most notably, the world did not come to an end with the end of the NSA's bulk collection of Americans’ phone records.
This post provides an overview of the significance of the USAF not only in ending this bulk collection but also in bringing newfound transparency and key reforms to the government’s surveillance activities.
The End of the NSA's Bulk Collection of Americans' Phone Records
The now-defunct bulk collection program, secretly launched in the wake of the 9/11 terrorist attacks as part of the Presidential Surveillance Program, was moved under the purview of the Foreign Intelligence Surveillance Court in 2006. The FISC authorized the program by relying on the FISA business records authority and, specifically, the broader legal standard established by Section 215 of the USA PATRIOT Act, but the program remained classified. When Edward Snowden disclosed the existence of the program in June 2013, the objections from many in Congress and their constituents—to both its function and legality—were swift and vocal. Nearly two years later, Congress enacted the USAF to prohibit bulk collection under the FISA business records provision. The law also prohibits bulk collection under the FISA pen register and trap and trace authority and the National Security Letter statutes, which are based on similar legal standards. Some in Congress worried that cutting off the prospect of bulk collection unnecessarily placed America’s national security in peril. In retrospect, it seems prudent that these limits were enshrined in law and not just in practice.
As the committee report accompanying the USAF explains, Congress replaced the bulk collection program with a targeted, FISA Court-approved call detail records (CDR) program:
[The Act] . . . establish[es] a new, narrowly-tailored mechanism for the targeted collection of telephone metadata for possible connections between foreign powers or agents of foreign powers and others as part of an authorized investigation to protect against international terrorism. This new mechanism is the only circumstance in which Congress contemplates the prospective, ongoing use of Section 501 of FISA in this manner.
Under [the Act], if the government can demonstrate a reasonable, articulable suspicion that a specific selection term is associated with a foreign power or an agent of a foreign power engaged in international terrorism or activities in preparation therefor, the FISC may issue an order for the ongoing, daily production of call detail records held by telephone companies. The prospective collection of call detail records is limited to 180 days.
In January 2016, two months after the CDR program took effect, NSA General Counsel Glenn S. Gerstell opined on the CDR program on Lawfare, noting that:
NSA will in due course, as it gains experience with the new process, report to Congress about the efficiency of the new arrangement. NSA is confident, however, that it can operate the new scheme in compliance with the law, while still obtaining information necessary to help protect our country, and it believes that the country’s telephone companies will similarly fulfill their roles under the new statute. Largely overlooked in the debate that has ensued in the wake of recent attacks is the fact that under the new arrangement, our national security professionals will have access to a greater volume of call records subject to query in a way that is consistent with our regard for civil liberties.
The DNI’s recently issued Statistical Transparency Report Regarding Use of National Security Authorities for 2016—the first year for which publicly reported CDR information is available and a direct result of the USAF—informs us that the NSA (acting through the FBI) obtained 40 CDR orders for 42 targets. Those 40 orders generated approximately 151 million records received from providers and stored in NSA repositories.
But that number, 151 million, may be misleadingly large. As the report explains, the government counts every instance in which two telephone numbers are in contact with each other as a separate CDR. So if a targeted selector is in repeated contact with another telephone number, each instance is counted separately. Also, the report states that “the government counts each record separately even if the government receives the same record multiple times (whether from one provider or multiple providers). Additionally, this metric includes duplicates of unique identifiers—i.e., because the government lacks the technical ability to isolate unique identifiers, the statistic counts the number of records even if unique identifiers are repeated.”
Thus, the number includes many duplicate records and, in any event, it is still dramatically less than the billions of records the NSA collected under its bulk collection program. The records collected via the CDR program include those associated with the targeted telephone number (first “hop”) and those associated with the records identified in the first hop (second “hop”). Rather than collecting and sifting through billions of records hoping to “connect the dots,” the NSA can now use the targeted CDR program to collect the dots by placing the telephone records more closely associated with a terrorism target at their fingertips and thereby simplifying the task of identifying those records that may be relevant to an investigation.
But there's more to the USAF than simply ending the controversial metadata program. The Act greatly expands transparency and reporting, improves FISC procedures, addresses constitutional infirmities with nondisclosure procedures, and enhances certain national security tools. And already many of these new requirements have been put to use.
Additional Reporting to Congress
The USAF answered the call for greater transparency and public reporting on our national security programs through a variety of measures, beginning with requiring the government to provide additional information to Congress in its annual reporting about the use of FISA business records authority and the CDR program. Specifically, the Act requires the government to inform Congress on compliance review matters that arise under the business records authority and provide data on the use of “specific selection terms” under the law and any additional minimization procedures imposed by the FISC. The USAF also expanded the government’s obligation to supply Congress, within 45 days, FISC orders or opinions, and all related pleadings, involving a significant interpretation of law or a novel application of any provision of the Act.
As directed by the USAF, the Justice Department Office of the Inspector General completed in 2016 an updated report on the FBI’s use of FISA business records authority (as amended by Section 215 of the USA PATRIOT Act) from 2012-2014.
Annual Public DNI and AO Reporting
Beyond reports to Congress, the USAF also codified and expanded annual public transparency reports issued by the DNI beginning in 2013. The Act requires the DNI to provide additional statistical information concerning U.S. person search terms and queries, including queries of Section 702 content and non-content data and statistics relating to the new CDR program.
The USAF also directed the Administrative Office of the Courts to make publicly available a report to Congress outlining the number of applications or certifications submitted to the FISC and whether those submissions were granted, modified, or denied. The report also contains information on the use of the newly created amicus curiae in proceedings before the FISC and Foreign Intelligence Surveillance Court of Review (FISCR).
Private Sector Transparency Reporting
The desire for greater transparency does not rest solely with government reporting. Not surprisingly, the Snowden leaks escalated the public outcry for information from private companies on government requests for their customers’ data. But prior to the USAF, the classified nature of FISA orders and National Security Letters precluded their inclusion in transparency reports from private companies.
The USAF now empowers companies to inform their customers (both in the U.S. and abroad) about the volume and types of national security requests they receive, modeled after a January 2014 settlement between various companies and the government.
Declassification of FISC Opinions
Another meaningful result of the legislation is a reduction in secret law. For decades, the FISC operated almost exclusively in a classified setting, and its interpretations of FISA—including its view that the FISA business records authority authorized the bulk collection of Americans’ phone records—remained secret. The USAF mandates declassification of FISC opinions containing significant legal interpretations, or that a summary of an opinion be made public if declassification is not possible. As a result of this provision, additional FISC opinions and orders have been declassified and made publicly available, including opinions relating to the operation of Section 702 of FISA, which expires at the end of this year. The FISC’s website now makes available an unprecedented amount of information about FISC proceedings, allowing for more public discussion and debate about these issues.
Amicus Curiae
As a result of the USAF, the FISC has established an institutionalized process for the participation of amicus curiae, and has designated a panel of six individuals with security clearances who it can call upon as needed. This is particularly important because in most instances, the government is the only party before this court. It is longstanding practice in federal courts to allow—or invite—amicus curiae to brief the court, a practice that had not been previously utilized by the FISC. The court can now call upon legal and technological experts to assist in its analysis of complex national security programs. Already the FISC has appointed amicus curiae to participate in multiple court proceedings, including several proceedings that occurred even before the court had designated the panel of amici.
FISA Court of Review Petition
USAF also addressed a longstanding problem with the largely one-sided FISC process: the lack of appellate review. The FISC has rarely outright denied government applications for surveillance orders; instead, there is often a give and take between the FISC and government lawyers, resulting in the government either amending its application or withdrawing it. As a result, there have been only rare instances when the government has lost before the FISC and had reason to appeal the FISC’s ruling. The appellate court, the Foreign Intelligence Surveillance Court of Review (FISCR), was established in the original FISA legislation in 1978, but did not meet for the first time until 2002—and has met only a handful of times since. This means that some quite significant legal issues have never been considered by an appellate court. The USAF created a mechanism to allow a FISC judge to certify a question of law to the FISCR in certain circumstances, and the FISCR to certify a question of law to the Supreme Court. Last year, this provision was used for the first time, and the FISCR’s decision addressing the certified question of law was declassified (also pursuant to the USAF).
NSL Nondisclosure Procedures
In 2015, the FBI issued new guidelines governing the review of nondisclosure orders accompanying National Security Letters (NSLs), pursuant to the USAF. Although court cases are ongoing to determine whether these guidelines fall short, the new statutory provisions governing NSL nondisclosure orders have resulted in several instances where entities that received NSLs have been able to release them publicly in redacted form.
Conclusion
We certainly appreciate that for many, the USA FREEDOM Act did not go far enough, and that for others it went too far. But two years later, it has not only ended the bulk collection of Americans’ phone records, it also has provided unprecedented transparency about Intelligence Community surveillance activities. It has fundamentally shifted the FISC’s operations, allowing for amicus participation, more openness, and new opportunities for appellate review. It has addressed constitutional problems with the NSL statutes. And all on a strong bipartisan basis—showing that Congress can still find consensus and pass meaningful legislation.