How to Address Newly Revealed Abuses of Section 702 Surveillance

Newly declassified judicial opinions, released last week, revealed that the government has again violated the rules for access to vast databases containing Americans’ private communications—and that it’s warrantlessly searching these databases on a massive scale.

The databases contain communications collected under Section 702 of the Foreign Intelligence Surveillance Act (FISA), a controversial statute that authorizes the warrantless collection of Americans’ international communications in the name of foreign intelligence. Relying on this law, the government vacuums up billions of Internet and phone communications and stores them for years in agency systems. These databases include untold volumes of sensitive and private information, including the communications of Americans suspected of no wrongdoing.

Once these conversations are intercepted and stored, the FBI and other agencies exploit what’s known as the “backdoor search” loophole: they query Section 702 databases for information about Americans, including in criminal investigations—without obtaining a warrant at any stage of the process. Only a handful of anemic statutory and court-ordered restrictions apply to the government’s backdoor searches. The Foreign Intelligence Surveillance Court (FISC) has held that the FBI is permitted to engage in these warrantless queries so long as the FBI believes a query is reasonably likely to return foreign intelligence information or evidence of a crime—a very low threshold.

As Liza Goitein outlined, the opinions released last week provide an unprecedented look at the breadth of the FBI’s backdoor searches, and they show that the FBI has failed to abide by even the most minimal limitations. In particular:

  • The FBI failed to create a record when it searched for information about a U.S. person (generally American citizens and permanent residents), as required by statute; and
  • FBI agents repeatedly conducted searches that failed to satisfy the low querying threshold. Across thousands of queries, they sought information about Americans that was not reasonably likely to result in foreign intelligence information or evidence of a crime. These queries apparently included searches for information concerning other FBI agents, relatives, potential witnesses, and potential informants.

Faced with these violations, in October 2018, the FISC found that the FBI’s procedures were inadequate and unreasonable. But it held that the FBI could cure the deficiencies simply by creating records of U.S.-person queries and documenting the basis for its backdoor searches. The FBI initially refused to adopt even these basic requirements—it did so only after appealing to the Foreign Intelligence Surveillance Court of Review (FISCR), which largely endorsed the FISC’s opinion.

To put the FBI’s violations in context, readers should keep in mind the bigger picture: the constitutional problems posed by warrantless searches of Section 702 databases for Americans’ information. Nothing in the newly released opinions meaningfully addresses or remedies those problems. Indeed, the FISC continues to allow the FBI to conduct backdoor searches under a remarkably permissive set of rules, including at the earliest stages of criminal investigations.

At bottom, the drawn-out fight in the FISC was about two simple documentation requirements. These requirements are no substitute for a warrant. Even if the FBI could manage to properly document its warrantless searches, which it has apparently struggled to do, its queries would violate the Fourth Amendment. The newly released opinions provide even more evidence that the current system fails to adequately protect Americans’ privacy.

The Backdoor Search Problem

To understand the scope of the constitutional problems with backdoor searches, as well as the rules that the FBI violated, some background:

In 1978, largely in response to unlawful executive branch surveillance, Congress passed the Foreign Intelligence Surveillance Act. To conduct electronic surveillance inside the United States, FISA generally requires the government to apply to the FISC for an order approving surveillance of a particular target. The government must establish, among other things, probable cause to believe that the target of surveillance is a “foreign power” or “agent of a foreign power.” Following the attacks of September 11, 2001, the Bush administration conducted widespread warrantless wiretapping of Americans’ communications without FISC authorization, in violation of FISA. Years later, Congress amended FISA to ratify elements of President Bush’s warrantless wiretapping program, as reflected in Section 702.

Section 702 allows the government to target any non-U.S. person abroad who is reasonably likely to communicate “foreign intelligence information”—defined expansively to encompass information related to the “foreign affairs” of the United States. There is no requirement of probable cause to believe that targets are associated with foreign powers, and there is no judicial review of individual targets. Instead, the FISC annually reviews the “targeting” and “minimization” procedures that apply to Section 702 surveillance. Targeting decisions are left to the discretion of agency analysts.

Notably, the government’s Section 702 targets need not have any connection to terrorism investigations or criminal activity. Targets may be academics, journalists, or human rights workers—anyone likely to communicate about “foreign intelligence.”

The resulting surveillance is incredibly broad. Last year, the United States targeted more than 164,000 individuals and groups under Section 702, likely resulting in the mass collection of more than a billion communications—including emails, video calls, telephone calls, texts, and online chats. This vacuuming up of foreigners’ messages means a vast number of Americans’ international communications end up in government hands, too.

Not only are Americans’ communications warrantlessly collected in enormous quantities, but they are retained for years by default, routinely searched, and used in later investigations—including in domestic criminal investigations that are unrelated to the original “foreign intelligence” purpose behind the surveillance.

In 2014, the Privacy and Civil Liberties Oversight Board explained that the FBI conducts backdoor searches as a matter of course, “whenever the FBI opens a new national security investigation or assessment.” To better understand the scope of the issue, civil liberties advocates and Congress sought data about precisely how often the FBI conducts these searches. Until very recently, the FBI has refused to count, estimate, or report these numbers.

But as we’ve now learned from one of the recently declassified FISC opinions, in 2017, the FBI ran 3.1 million searches of Section 702-acquired information, on just one of its systems. Although the FBI records don’t differentiate between query terms associated with Americans and those associated with foreigners, the FISC explained that, “given the FBI’s domestic focus[,] it seems likely that a significant percentage of its queries involve U.S.-person query terms.”

As the ACLU has written elsewhere, Section 702 surveillance violates the Fourth Amendment because it permits the government to intercept, use, and disseminate the international communications of U.S. persons without obtaining a warrant or submitting to any kind of individualized court review. The fact that Americans’ conversations are captured while targeting foreigners abroad does not justify dispensing with these safeguards—and the government’s backdoor searches for Americans’ communications only compound the constitutional problems.

Yet the FBI continues to conduct these searches, even though FBI agents have repeatedly failed to comply with the modest requirements that Congress and the FISC have imposed.

Newly Declassified Opinions Reveal the FBI’s Systemic Compliance Violations

The FISC and FISCR opinions declassified last week show that the FBI resisted its congressional mandate to track U.S.-person queries, conducted backdoor searches in violation of existing court-ordered rules for those queries, and resisted documenting the basis for future queries—thwarting meaningful oversight in the process.

The FBI’s Failure to Track Backdoor Searches for Americans’ Communications

When Congress renewed Section 702 surveillance authorities in early 2018, it imposed a documentation requirement for backdoor searches. Each time an agency queries its Section 702 databases with a “United States person query term,” it is required to create a record of that fact.

In March 2018, the FBI submitted its Section 702 targeting and minimization procedures to the FISC for its annual review. After the FISC expressed initial concerns, the FBI submitted amended versions in September 2018. In the September 2018 procedures, the FBI proposed that it would comply with Congress’s new directive by recording all queries of its Section 702 databases, but it would not record or track which of those queries were U.S.-person queries.

In an October 2018 ruling that was declassified just last week, FISC Judge James E. Boasberg painstakingly explained why the FBI’s proposal did not satisfy the statute. The FBI then appealed to the FISCR, which likewise concluded that Congress expressly required agencies to record their use of U.S.-person query terms. After the FISCR’s ruling, the FBI finally agreed to comply and amended its proposed minimization procedures accordingly. The FISC approved the FBI’s revised procedures in September 2019.

Meanwhile, for 21 months, from January 2018 until September of 2019, the FBI did not conduct the count that Congress had mandated as part of its decision to renew Section 702 powers.

The FBI’s Failure to Document Its Basis for Its Backdoor Searches

The FISC-approved rules for access to Section 702 communications generally allow FBI agents to conduct backdoor searches when they believe a search is “reasonably likely” to return foreign intelligence information or evidence of a crime.

In the proceedings leading up to the October 2018 FISC opinion, the government reported that, since April 2017, “a large number” of FBI queries did not meet the requisite standard. (These improper queries are discussed at length below.)

Although Judge Boasberg concluded that the FBI’s querying standard was lawful as written, he held that the FBI’s procedures, as implemented, failed to satisfy the requirements of Section 702 and the Fourth Amendment. His holding was based in part on the fact that, unlike personnel at the CIA, NSA, and NCTC, FBI personnel did not memorialize their reasons for believing that query terms were appropriate—and this omission contributed to the FBI’s significant violations of the querying standard.

Adopting the recommendation of court-appointed amici, Judge Boasberg reasoned that, if the FBI documented the basis for its queries, it would result in fewer violations of the querying standard. Notably, the court proposed documentation in limited circumstances: only after FBI personnel conduct the U.S.-person query, review any responsive metadata, and decide to examine responsive content information.

The FBI refused and appealed to the FISCR. Although the FISCR did not formally reach the issue on appeal, it characterized the documentation requirement as a “modest measure that would alleviate the most significant concerns raised by the FISC.” Following the FISCR’s opinion, the FBI relented and adopted the documentation requirement.

While this “modest measure” will generate data that could be used for oversight purposes down the road, it does little to restrain the vast number of warrantless queries that the FBI uses to access Americans’ private communications.

Violations of the Existing Limits on Backdoor Searches

The October 2018 FISC opinion describes substantial and systemic FBI violations of the existing limitations on backdoor searches. Of especially serious concern to Judge Boasberg was the “large number of queries evidencing a misunderstanding of the querying standard—or indifference toward it[.]”

As just one example, the FBI conducted queries using 6,800 Social Security numbers, which are clearly U.S. persons’ information. Other illegal searches stemmed from investigators trying identify Americans to collaborate as potential confidential sources of information.

In another instance, FBI agents used 70,000 identifiers to search for information about FBI employees or contractors—contrary to the advice of the FBI Office of General Counsel, which had explained that higher-level approval would be required for these searches.

There’s a systemic problem lurking here. Indeed, it’s of interest that these types of bulk queries could be thought to be permissible at all. One of the issues is that FBI interprets the querying standard quite liberally. It argued to Judge Boasberg that even when an individual query would not satisfy the low querying threshold, it may nevertheless be permissible to engage in so-called “categorical batch querying.”

In an effort to justify its batch queries, the government posited the following hypothetical: say an employee at a cleared defense contractor has access to certain technology and unlawfully plans to sell it. According to the government, if 100 employees of the contractor have access to that technology, the FBI could properly run a categorical query of the identifiers associated with these 100 employees—even though a search for any one of those employees on his or her own is impermissible.

The flaws in this logic are obvious. What would prevent the FBI from conducting a batch query using identifiers associated with everyone in a particular neighborhood or city? Although Judge Boasberg was rightly skeptical of the government’s reasoning, the new FISC-approved minimization rules do not expressly prohibit categorical batch queries.

Going Forward

In light of what we’ve learned about the government’s backdoor searches of its Section 702 databases, it’s clear that Congress and the courts have a role to play in safeguarding Americans’ fundamental privacy rights.

Congress and the courts should prohibit warrantless backdoor searches for the information of Americans and individuals in the United States. These warrantless searches of Section 702 databases violate the Fourth Amendment’s fundamental protections. The few rules governing these searches haven’t been followed—and they are no substitute for a warrant.

Congress and the courts should protect metadata from abusive searches. Although Judge Boasberg rightly recognized that metadata can implicate privacy interests, he nevertheless allowed the FBI to query and access non-content metadata without documenting the basis for the query. In addition, the FISC’s opinion expanded the FBI’s ability to indefinitely retain Americans’ metadata collected under Section 702.

Congress should reform FISA to ensure judicial review of Section 702 surveillance in public courts. To date, no civil court has reached the merits in a challenge to Section 702 collection, in part because of the difficulty litigants face in establishing standing. The ACLU has brought two challenges to Section 702—Amnesty International USA v. Clapper, Wikimedia v. NSA—that the government has sought to block on standing grounds.

Given the number of Americans impacted by this novel and invasive surveillance, the public courts have a vital role to play in determining what set of safeguards the Constitution requires.

Courts should enforce the government’s compliance with its obligation to provide notice of Section 702 surveillance. The government should, but does not, fully comply with its obligation to notify individuals when it intends to use Section 702 information against them in criminal proceedings. Notice is essential to ensure that defendants subject to this surveillance have the opportunity to challenge it and to seek redress. In order to facilitate this judicial review, courts should require the government to disclose to defendants basic information about how it obtained their communications under Section 702, including the queries that agents used to identify defendants’ communications. 

About the Author(s)

Jennifer Stisa Granick

Surveillance and Cybersecurity Counsel at the ACLU's Project on Speech, Privacy and Technology. Member of the editorial board of Just Security. Follow her on Twitter (@granick).

Ashley Gorski

Staff Attorney in the ACLU's National Security Project