Reforming FISA: A Critical Look at the Wyden/Udall Proposal and Foreign Surveillance

A new bipartisan bill co-sponsored by two of the most vocal critics of the NSA does not go far enough to protect the average non-U.S. person from indiscriminate surveillance.  Without these protections, America’s Internet companies and our long term political interests in spreading democracy and the rule of law will suffer.

Yesterday, Senators Ron Wyden (D-OR) and Mark Udall (D-CO), along with Senators Rand Paul (R-KY) and Richard Blumenthal (D-CT), announced they would co-sponsor the Intelligence Oversight and Surveillance Reform Act, a bill that would amend the legal authorities under which the National Security Agency has collected information about Americans in bulk and without a warrant. This is not the first bill to address these issues, but given its bipartisan sponsorship, including by two of the most vocal critics of the NSA, this proposal will be seen as the farthest-reaching reform out there.

The bill’s language is not available yet, but the sponsors have made a two-page fact sheet available. The fact sheet says that the legislation would make clear that bulk collection of phone call records, business records, or Internet transaction records cannot take place under either section 215 of the USA Patriot Act, or the FISA pen register statute.  I’ve argued that bulk collection is both unconstitutional and illegal under current law, but since the NSA disagrees, these amendments are essential to preventing this foreign intelligence agency from collecting data revealing the reading histories and social networks of hundreds of millions of Americans. Hopefully, the language in the bill will be air-tight.

Rather than focus on section 215, I want to focus in this post on the bill’s proposed reforms to section 702 of the FISA Amendments Act, or FAA. This is the provision underlying the PRISM program—and its use to obtain the content of phone calls and Internet messages, which Glenn Greenwald revealed based on Edward Snowden’s documentation.  There’s been less discussion of the problems with section 702 than of those with section 215, even as we’ve learned some worrisome things about the way the NSA uses this legal authority. The new bill would address some, but by no means all, of these problems.  In my opinion, it needs to be broader.

I. Background

First, some legal and technological background is in order. Traditional FISA required the government to show probable cause that the target of the underlying foreign intelligence surveillance was an agent of a foreign power and would use the facilities at which the government planned to direct surveillance before conducting electronic surveillance. This probable cause requirement had the practical effect of limiting surveillance to communications to or from individuals who are reasonably believed to be working for another government or a terrorist group.

In addition to the expansions created in 2001 by the USA PATRIOT Act (including section 215), section 702 of the FAA created a new source of authority for conducting warrantless electronic surveillance. If the Attorney General and the Director of National Intelligence certify that the purpose of the monitoring is to collect foreign intelligence information about any non-American individual or entity not known to be in the United States, the Foreign Intelligence Surveillance Court (FISC) can require companies to provide access to Americans’ international communications. The court does not approve the target or the facilities to be monitored, nor does it assess whether the government is doing enough to minimize the intrusion, correct for collection mistakes, and protect privacy. Once the court approves the certification, the government can issue top-secret directives to Internet companies like Google and Facebook to turn over calls, e-mails, video and voice chats, photos, voice-over IP calls (like Skype), and social networking information.

Enter PRISM.  PRISM surveillance is technologically complicated, involving both the aforementioned directives demanding that companies turn over the contents of user Internet messages, as well as upstream surveillance conducted directly on the fiber optic cables carrying telecommunications and Internet traffic. Pulling the right stuff off the cables as it travels is a technological challenge.  Reports suggest that one way the NSA has accomplished this surveillance is via the XKeyScore tool, which appears to copy and temporarily store almost everything that flows over the network, filter that traffic based on various selection criteria, and store the subset in different databases for longer periods of time.  No one has yet identified the legal authority under which the NSA justifies XKeyScore. It cannot be the FAA because that law does not authorize copying everything, even for a short period of time.

Leaving that question aside for now, I want to highlight several pernicious results of the FISA Amendments Act or FAA.

  • Americans’ communications with targets overseas are subject to warrantless interception. Once those communications are collected, current rules allow the NSA to search the trove for U.S. person identifiers, which Wyden has referred to as the “back door searches loophole”.
  • The non-U.S. targets include regular people, not just those who are agents of foreign powers. While analysts provide their foreign intelligence purpose when selecting the target, the rationale is just one short sentence.
  • By untethering surveillance from facilities that the target uses, the FAA greatly increased the opportunity for the NSA to collect information about rather than just to or from the target. As an example, if I monitor a network for “Jennifer Granick” and Jennifer Granick uses that network, I’ll get her communications, and maybe some messages about her.  If I can monitor any facility for “Jennifer Granick”, I’m going to pull only messages about, but not to or from her.

II.  The Wyden/Udall Proposal

Enter the new bill.  The fact sheet says the Intelligence Oversight and Surveillance Reform Act would reform section 702 to:

  1. Close the “back door searches” loophole;
  2. Prohibit the government from collecting communications that are “about the target”, in non-terrorism contexts;
  3. Strengthen the prohibition against “reverse targeting,” or targeting a foreigner in order to warrantlessly acquire the communications of an American who is known to be communicating with that foreigner; and
  4. Place stronger statutory limits on the use of unlawfully collected information.

These are critical reforms. I would like to see the bill further include a higher standard of care with regard to ensuring that people inside the U.S. are not targeted. As Professor Christopher Sprigman and I argued in the New York Times, PRISM is designed to produce at least 51 percent confidence in a target’s “foreignness” — as John Oliver of “The Daily Show” put it, “a coin flip plus 1 percent.” In other words, 49 percent of the time the NSA may be acquiring information it is not allowed to have, even under the terrifyingly broad auspices of the FAA.

More fundamentally, though, the Wyden/Udall bill does not fully address a fundamental problem with the FAA, which is that it authorizes surveillance of average citizens of other countries for reasons that are not necessarily related to the security of the United States. Senator Udall acknowledged in the press conference announcing the bill (at 30:17) that the NSA’s unfettered spying has had and will continue to have an adverse economic effect on U.S.-based businesses, and that this is one of the motivations behind the bill.

Prohibiting “about the target” collection is one giant step forward.  That would mean that non-targets outside the U.S. could not be subject to surveillance under this law just because they talk about a target, unless their conversation is related to terrorism. Depending on the details of the targeting and minimization procedures, if my British friend in London and I email about our dismay over the Kenya attacks, that would be fair game, but our conversation about the policies of Brazilian President Dilma Rousseff would be off limits.

However, targets still need not be agents of foreign powers so long as a significant purpose of the collection is foreign intelligence.  Foreign intelligence is broad, and includes any information that “relates to” the conduct of U.S. foreign affairs.  For example, DNI James Clapper affirmed that the U.S. collects information about economic and financial matters to “provide the United States and our allies early warning of international financial crises which could negatively impact the global economy … or to provide insight into other countries’ economic policy or behavior which could affect global markets.”

Monitoring economic and financial matters is in the United States’ national interest.  However, routine eavesdropping upon common foreigners to discover information about these matters is a bad idea.  First, foreigners have privacy rights, too.  Freedom from arbitrary interference with one’s privacy is part of the Universal Declaration of Human Rights.

Next, this monitoring is detrimental to U.S. companies and to the United States’ long-term interests in promoting democratic ideals.  As Sprigman and I argue, although it may be legal, unfettered U.S. spying on foreigners will cause serious collateral damage to America’s technology companies, to our Internet-fueled economy, and to human rights and democracy the world over. Since our Atlantic article on June 28th, and the disclosure that the NSA targeted both Petrobras and President Dilma Rousseff, Brazil has announced that it will look into requiring Internet companies to store its citizens’ data locally, and take other steps that threaten to balkanize the global Internet. When Brazil takes these steps, it gives comfort and cover to authoritarian countries who will do the same, so that they can better censor, spy on, and control Internet access within their own borders.

As an economic matter, Facebook’s CEO Mark Zuckerberg recently said the government “blew it” when it sought to reassure a public nervous about the NSA revelations by saying, “‘Oh don’t worry, basically we’re not spying on any Americans.’ Oh, wonderful, that’s really helpful to companies who are trying to serve people around the world and really going to inspire confidence in American Internet companies.”

Based on the description we have, the only change the new bill would make is that it would prohibit the NSA from listening in on foreigners who talk about matters of foreign intelligence interest, like Petrobras, but still authorize collection to and from those who work at the company. This does not go far enough to reassure other nations that their average citizen – someone disconnected from official government policy, terrorism or other dangers to the U.S.’s national security interests — will not be lawfully targeted by the NSA.

Senators Wyden and Udall have said that section 702 has produced valuable actionable intelligence. What those successes have been is not public. But lawmakers need to study those gains with an eye to preserving the possibility of such success in the future, while ensuring that regular people who work at banks, global companies, cybersecurity firms or other businesses are not subject to NSA targeting.  Thus, the Wyden/Udall bill could also limit section 702 surveillance to exclude foreign intelligence information merely about the conduct of U.S. foreign affairs, while allowing such surveillance for all the other enumerated foreign intelligence purposes.  This would be an easy idea to implement in the statute.  Where the law currently authorizes targeting “to acquire foreign intelligence information”, it could be amended to read, “to acquire foreign intelligence information as defined in 50 U.S.C. §§ 1801(e)(1) and (e)(2)(A).” This reform would mean “the conduct of the foreign affairs of the United States” could not be the basis for targeting under the FAA, leaving regular people outside of the warrantless surveillance regime.

This could send a powerful message to people around the world, Americans and otherwise, that the United States can respect individual privacy while still protecting itself against external threats.  This reassurance could go a long way towards mollifying the concerns of current and future customers of global communications platforms based in the U.S. with regard to whether they can and should continue to do business with the Facebooks of the world, while denying authoritarian regimes the argument that the NSA can surveil innocent people, and so their government officials must be able to do the same. 

About the Author(s)

Jennifer Granick

Surveillance and Cybersecurity Counsel at the ACLU's Project on Speech, Privacy and Technology. Follow her on Twitter (@granick).