Last week, the Office of the Director of National Intelligence released three redacted opinions of the Foreign Intelligence Surveillance Court (also known as the FISA Court) and the FISA Court of Review (FISCR). In the first opinion, the FISA Court held that the FBI’s procedures for accessing Americans’ communications that are “incidentally” collected under Section 702 of FISA violated both the statute and the Fourth Amendment. The government appealed, and in the second opinion, the FISCR upheld the FISA Court’s decision. The FBI was forced to revise its procedures to conform with the Court’s ruling, and in the third opinion, the Court approved the revised procedures.
The government will no doubt try to sell this as an oversight success story. After all, the Department of Justice’s audits had detected instances of FBI non-compliance with legal requirements, and the Department reported those instances to the FISA Court. The Court solicited the assistance of amici and adopted their position in significant part. It ordered remedies that the FBI is now required to implement. And all of this became public because Congress in 2015 required the disclosure of significant FISA Court opinions. The system worked, right?
I see a very different story. This is now the fourth major FISA Court opinion on Section 702 in 10 years documenting substantial non-compliance with the rules meant to protect Americans’ privacy. The opinion, moreover, reveals that the FBI is conducting literally millions of backdoor searches—including so-called “batch queries” that rest on the same discredited legal theory used to justify the NSA’s bulk collection of Americans’ phone records. Despite the enormous implications for Americans’ privacy and the government’s dismal record, the remedy suggested by amici and imposed by the Court was just more record-keeping. And the government sat on the opinion for a year, hoping for an appellate victory that would help mitigate the PR damage from disclosure.
Background: Section 702’s Troubled History
To put the Court’s recent opinions in context, some background is necessary. Under Section 702 of the Foreign Intelligence Surveillance Act (FISA), passed in 2008, the National Security Agency (NSA), operating inside the United States, is authorized to collect communications of foreigners overseas for foreign intelligence purposes. No warrant is required for this collection because courts have held that foreigners have no Fourth Amendment rights. Instead, each year, the FISA Court must sign off on the procedures that govern the surveillance.
Although ostensibly targeted at foreigners, Section 702 surveillance inevitably sweeps in massive amounts of Americans’ communications. Recognizing the impact on Americans’ privacy, Congress required the NSA to “minimize” the sharing, retention, and use of this “incidentally” collected U.S. person data. But the government and the FISA Court have embraced an interpretation of “minimize” that is remarkably… maximal. The NSA shares raw data with multiple other agencies—including the FBI and the CIA—and all of them retain the data for a functional minimum of five years. Moreover, the FBI routinely combs through it looking for Americans’ communications to use in purely domestic cases, even in situations where the FBI lacks a factual predicate to open a full investigation.
In 2011, the government disclosed to the FISA Court that it had misrepresented the nature of its “upstream” collection activities under Section 702. (“Upstream” collection takes place as the communications are transiting over the Internet backbone; “downstream” collection acquires stored communications, usually from the servers of Internet Service Providers.) When conducting upstream surveillance, the government was acquiring, not just communications to or from the targets of surveillance, but communications that simply mentioned certain information about them (known as “abouts” collection). As a result, the government was acquiring packets of data containing multiple communications, some of which had nothing to do with the target. This included tens of thousands of wholly domestic communications.
The Court was not pleased to learn about this significant issue three years into the program’s operation. It held that the government’s handling of the data violated the Fourth Amendment, and it required the government to develop special rules—approved by the Court in 2012—for segregating, storing, retaining, and accessing communications obtained through “upstream” collection.
In 2015, the Court was under the impression that these rules were being followed. However, in approving Section 702 surveillance that year, it noted several incidents of non-compliance with other rules designed to protect Americans’ privacy—including FBI violations of protections for attorney-client communications, a “failure of access controls” by the FBI, and the NSA’s failure to purge certain improperly collected data. Once again, the Court expressed displeasure at being notified of infractions long after they occurred.
In 2016, the FISA Court learned that the NSA had been violating the rules established in 2012. Because those rules were designed to remedy a Fourth Amendment violation occurring since the start of the program, the NSA’s non-compliance meant that its upstream collection activities had been operating unconstitutionally for eight years. Moreover, the government did not report this issue for several months after discovering it. Unable to bring itself into compliance, the NSA made the only decision it could: In the spring of 2017, it abandoned “abouts” collection, which was at the root of the problem.
When Section 702 came up for reauthorization in late 2017, civil liberties advocates pointed to this troubled history. They also pointed to a growing body of case law holding that searches of government databases can, in certain circumstances, constitute a separate Fourth Amendment event. They argued that government agencies should be required to obtain a warrant before searching Section 702-obtained data for the communications of Americans (a practice formally called “U.S. person queries” and informally dubbed “backdoor searches”). They also urged Congress to ban “abouts” collection, lest the government attempt to resume it.
Congress rejected these proposals. Although Congress did require the FBI to obtain the FISA Court’s permission to conduct U.S. person queries in a tiny sliver of cases, it blessed the vast majority of these searches, which previously had no foundation in the text of Section 702. It simply required the FBI to develop “querying procedures” that the FISA Court would have to approve. It also required the FBI to keep records of each U.S. person query it conducted. With respect to “abouts” collection, Congress required the government to obtain FISA Court approval and to give Congress advance notice before resuming the practice.
The Court’s October 2018 Ruling
In March 2018, the government submitted its annual certifications and procedures to the FISA Court for its approval. In a decision dated October 18, 2018, and released last week, the FISA Court held that the FBI’s minimization procedures violated both the statute and the Fourth Amendment. The Court’s opinion addresses three main practices by the FBI: downstream collection of certain communications; the FBI’s failure to record USP queries; and the FBI’s improper use of USP queries.
Downstream collection and “abouts” communications. Although this section of the opinion is highly redacted, it appears that the government is engaged in a new form of downstream collection that raised a flag for the FISA Court. The Court solicited amici’s advice about whether the statutory preconditions for resuming “abouts” collection apply to downstream collection, and whether certain activities in the government’s 2018 certifications involve the acquisition of “abouts” communications. Amici argued that the answer to both questions was yes; the government’s answer was no in both cases. The Court split the baby, holding that the statutory requirements apply to any kind of “abouts” collection, but that no such collection would occur under the government’s certifications.
The heavy redactions make it difficult to assess the significance of this part of the opinion. However, on its face, the definition of “abouts” collection—basically, anything other than a communication to or from the target—should not be difficult to apply. It is worrisome that the government and amici reached different conclusions about whether a certain form of collection merited the label “abouts.” The uncertainty strongly supports a suspicion civil liberties advocates have held for some time: that the selectors the government uses to identify the communications to be collected are not necessarily unique identifiers (such as email addresses), but can sweep in people other than the intended targets (as would, for instance, IP addresses).
The statutory requirement to count U.S. person queries. In its January 2018 reauthorization of Section 702, Congress ordered the government to adopt querying procedures that included “a technical procedure whereby a record is kept of each United States person query term used for a query.” Instead, in the querying procedures that the FBI submitted to the FISA Court, the Bureau announced that it “intends to satisfy the record-keeping requirement by keeping a record of all queries”—in other words, the FBI would lump together U.S. person queries and non-U.S. person queries, without distinguishing between them.
The government defended this approach with a weak argument that the statutory text was somehow ambiguous, and that both the legislative history and policy considerations weighed against requiring the FBI to document U.S. person queries. In a refrain often heard when an intelligence or law enforcement agency is asked to devote time or resources to safeguarding civil liberties, the government claimed that requiring the FBI to figure out whether a particular investigative subject was a U.S. person would “divert resources from investigative work . . . to the detriment of public safety.”
The FISA Court has historically yielded to such pleas, and on this occasion, the Court seemed sympathetic. Ultimately, however, the Court concluded that it had no choice. It stated: “Regardless of how persuasive the FBI’s considerations may be, the Court is not free to substitute its understanding of sound policy—or, for that matter, the understanding of the Director of the FBI—for the clear command of the statute.” The law, the Court held, was unambiguous in its directive to count U.S. person queries.
On appeal, the FISCR upheld the Court’s ruling on this question. The FISCR, however, seemed somewhat less sympathetic to the government’s position. Under the FBI’s querying procedures, “U.S. person query term” is defined as “a term that is reasonably likely to identify one or more specific United States persons.” This definition does not require a high level of certainty. Moreover, the procedures provide for the application of default assumptions in cases where specific information is lacking. Under these circumstances, it is hard to argue with the FISCR’s assessment that counting U.S. person queries is not “a burdensome substantive requirement,” and that it would simply mean “adding one (largely ministerial) item to the checklist that FBI personnel most likely already work through when conducting queries for investigative purposes.”
Somewhat oddly, the FISCR did not resolve the other major issue on appeal: whether the FBI’s repeated violations of its own querying and minimization procedures rendered those rules unlawful and unconstitutional as implemented. Those violations, and the FISA Court’s failure to require an adequate remedy for them, will be the subject of Part II of this post.