Editor’s Note: This is part one in a multi-part series on foreign intelligence surveillance reform.
This year’s reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA) — a law that authorizes broad surveillance of foreigners outside the United States to acquire foreign intelligence information— will be unlike any previous one. In the past, reauthorization was a foregone conclusion, and civil liberties advocates struggled to secure even minor procedural safeguards. But a series of recent government reports and FISA Court opinions have demonstrated that Section 702 has become a go-to domestic spying tool for the FBI, and that FBI agents are routinely violating statutory and court-ordered limits on accessing Americans’ data “incidentally” collected under Section 702. At the same time, conservative lawmakers have turned against FISA in light of the government’s flawed applications to conduct surveillance of Trump associate Carter Page. With House Judiciary Committee Chairman Jim Jordan on record opposing reauthorization, it’s clear that Section 702 will not be renewed without a major overhaul.
In public, at least thus far, the Biden administration is acting as if this year’s reauthorization is business as usual. At a recent Privacy and Civil Liberties Oversight Board (PCLOB) hearing on Section 702, NSA Director Paul Nakasone’s opening remarks struck a tone-deaf note, reciting boilerplate talking points about balancing national security and civil liberties without any mention of the extensive violations revealed since the last reauthorization. Behind the scenes, though, the government’s anxiety is evident. Intelligence officials have been setting up Hill briefings since at least last fall — several months before this type of advocacy usually begins. They are also endeavoring to rebrand Section 702 as a cybersecurity authority, recognizing that the specter of terrorism no longer serves as a trump card in any conversation about reforms. For their part, lawmakers who support reauthorization are attempting to distinguish Section 702 of FISA from Title I (the part of the law used in the investigation of Carter Page), suggesting — wrongly, as discussed below — that Section 702 is used only against foreigners.
At bottom, intelligence officials and other defenders of broad surveillance authorities are aware that a straight reauthorization is out of the question, and so they are attempting to level-set around a small number of modest oversight provisions. This approach is evident in a recent Lawfare post by Adam Klein, President Trump’s appointee to chair the PCLOB, who has occasionally advocated strengthening oversight mechanisms but generally eschews substantive reforms. Klein’s post does not even mention the most controversial aspect of Section 702, namely, backdoor searches (discussed below). Instead, Klein focuses on improvements to the FISA Court process that would apply mainly in the area of Title I applications. Mike Herrington, an FBI official who spoke at the recent PCLOB hearing, similarly focused on ways in which the FBI is supposedly strengthening its internal oversight processes.
This time, however, lawmakers’ concerns are unlikely to be allayed by a mere bolstering of oversight requirements. For one thing, it’s doubtful that adding new layers of internal oversight will accomplish much, given the government’s 15-year cycle of violations, followed by the adoption of new administrative oversight measures, followed by more violations. At a more fundamental level, though, oversight — whether internal, in the form of FBI training or audits, or external, in the form of FISA Court review — is not an end in itself; it is a means to ensure that the government is following the rules. Where, as here, the rules themselves have been interpreted to permit warrantless searches of Americans’ private communications, all the oversight in the world won’t solve the problem.
Congress must rewrite the rules to ensure that the government cannot rely on its foreign intelligence surveillance authorities to conduct warrantless surveillance of Americans. This article is the first in a series that will examine the key reforms Congress should implement, including: (1) imposing a warrant requirement before the government searches Section 702-acquired data for Americans’ communications; (2) closing gaps in the law that permit the collection and use of Americans’ communications and other Fourth Amendment-protected information without any statutory limits or judicial oversight; (3) limiting the permissible pool of Section 702 targets to those who might reasonably have information about foreign threats, which would in turn limit the “incidental” collection of Americans’ communications; and (4) removing artificial barriers to existing judicial review mechanisms established by Congress.
Closing the Backdoor Search Loophole
Congress enacted Section 702 in 2008 to make it easier for the government to conduct surveillance of suspected foreign terrorists. Previously, FISA required the government to obtain an individualized order from the FISA Court in order to acquire communications inside the United States or from a U.S. company, even if the target was a foreigner overseas. The government also had to show probable cause that the target was a foreign power or agent of a foreign power. Under Section 702, no individualized order or probable cause showing is needed. The government may target any foreigner abroad to obtain foreign intelligence, and the FISA Court’s role is limited to approving general procedures for the surveillance on an annual basis.
Although Section 702 surveillance must be targeted at foreigners abroad, it inevitably sweeps in large volumes of Americans’ communications — e.g., calls and emails between foreigners and their American friends, relatives, or colleagues. If the government’s intent were to eavesdrop on those Americans, it would have to obtain a warrant (for a criminal investigation) or a FISA Title I order (for a foreign intelligence investigation) to comply with the Fourth Amendment. Accordingly, Congress required the government to “minimize” the sharing, retention, and use of this “incidentally” collected U.S. person information, and to certify that it is not engaging in “reverse targeting” — i.e., using Section 702 surveillance to spy on Americans.
These protections for Americans’ constitutional rights are simply not working. Rather than “minimize” the sharing and retention of U.S. person information, the National Security Agency (NSA) routinely shares raw Section 702 data — which includes Americans’ communications — with the FBI, CIA, and National Counterterrorism Center (NCTC). All agencies retain the data for a functional minimum of five years. (Agency policies describe the 5-year period as a ceiling, not a floor. However, these same policies include several exceptions to this limit, and the PCLOB has reported that agencies rarely if ever delete information before the 5-year trigger.)
Worse, all of these agencies have policies in place that allow them to search through Section 702 data for Americans’ communications. In other words, after certifying to the FISA Court that it is not seeking the communications of any particular, known Americans (which would be “reverse targeting”), the government searches through the warrantlessly acquired data for the communications of . . . particular, known Americans. This is a bait and switch that violates the spirit, if not the letter, of the prohibition on reverse targeting, and it drives a gaping hole through Americans’ Fourth Amendment rights.
The FBI routinely performs these “backdoor searches” in ordinary domestic investigations that have nothing to do with national security or foreign intelligence. Until recently, though, the full extent of this practice was unknown. Although Congress has long required the NSA and CIA to report how many such searches they perform annually (the number is in the thousands for both agencies), the FBI for years claimed it had no ability to track this information. In early 2018, however, Congress required the FBI to begin keeping records of U.S. person queries. The FBI failed to comply for over two years, advancing an absurd legal argument that it could satisfy the requirement by simply counting all queries (i.e., including queries of non-U.S. persons). It finally began keeping the required records in 2020 after the FISA Court and FISA Court of Review rejected that argument.
Thus, the Office of the Director of National Intelligence (ODNI) included the number of FBI backdoor searches for the first time in its 2022 annual statistical report. The report revealed that the FBI performed up to 3.4 million U.S. person queries of Section 702 data in 2021 alone. ODNI cautioned that this number likely overcounts the number of Americans affected, in part because the FBI might use multiple identifiers for, or run multiple queries on, the same individual. But even if the number is off by an order of magnitude, that still represents nearly 1,000 warrantless searches for Americans’ communications each day.
In light of this new information, the government cannot plausibly maintain that Section 702 is solely foreign-focused. Instead, it has become something Congress never intended: a domestic spying tool — one that enables the government to routinely search for and review Americans’ phone calls, emails, and text messages without obtaining a warrant.
Both Congress and the FISA Court have attempted to place limits, albeit modest ones, on backdoor searches. In 2018, Congress required the FBI to show probable cause and obtain a court order for a very small subset of U.S. person queries: those conducted in predicated criminal investigations unrelated to national security. (The subset is small in part because the FBI generally runs U.S. person queries at early stages of the investigation, i.e., before they qualify as “predicated.”) According to the government’s figures, this requirement to obtain a court order has been triggered on more than 100 occasions since 2018. By the government’s own admission, however, the FBI has never once complied with it. Some of these non-compliance incidents can be traced to a technical issue with how the FBI’s systems display data — a problem the FBI notably failed to fix for nearly two years. But the FISA Court made clear that the violations could not all be explained by this technical issue.
In cases not subject to this statutory court-order requirement — i.e., the vast majority of cases — the only limitation on backdoor searches is a FISA Court-approved requirement that U.S. person queries must be reasonably likely to retrieve foreign intelligence or evidence of a crime. This is a low bar, and it’s been in place, in one form or another, for longer than Section 702 itself (as it has long been part of more general FISA minimization rules). Nonetheless, FISA Court opinions from 2018, 2019, and 2020 reveal that the FBI has engaged in “widespread violations” of this rule. To name just a few examples, FBI agents searched for the communications of people who came to the FBI to perform repairs; victims who approached the FBI to report crimes; business, religious, and community leaders who applied to participate in the FBI’s “Citizens Academy”; college students participating in a “Collegiate Academy”; police officer candidates; and colleagues and relatives of the FBI agent performing the search. The FBI also engages in “batch queries,” querying thousands or even tens of thousands of Americans’ communications at one time using a single justification.
Government reports released in 2022 reveal even more disturbing violations. In one instance, an FBI agent conducted U.S. person queries of Section 702 data because a witness had reported seeing two “Middle Eastern” men loading boxes labeled “Drano” into a vehicle. In another case, an agent conducted several queries using the name of a U.S. congressman, and reviewed information that these queries returned. Another agent conducted queries using the names of “a local political party.” And one agent conducted a batch query that included “multiple current and former United States Government officials, journalists, and political commentators.” These incidents raise the specter of backdoor searches being used to target individuals based on race, religion, politics, and journalistic activity. That’s alarming, but it should not be surprising. When government officials are not required to show probable cause of criminal activity to a court, it dramatically increases the risk that searches will be driven by improper considerations — including officials’ conscious or subconscious prejudices or political leanings.
Finally, while the most flagrant recent violations were committed by the FBI, the NSA has similarly violated the rules limiting access to Americans’ communications. Most notably, in 2011, the FISA Court prohibited the NSA from conducting any U.S. person queries of data obtained through “upstream” collection — a method of Section 702 collection that is more likely to sweep in purely domestic communications. The Court made clear that this prohibition was necessary to preserve the constitutionality of the program. Several years later, the NSA reported to the FISA Court that its agents had not been complying with this rule. The agency blamed the violations on “human error” and “system design issues”; the NSA’s Inspector General found that “the problem was widespread during all periods under review.” In a 2017 opinion, the FISA Court chided the NSA, not only for its failure to comply with the querying prohibition, but for its “institutional lack of candor” in failing to timely report the violations.
Given this background, the only way to fully protect Americans’ Fourth Amendment rights and prevent abuses is to require the government to obtain a probable-cause court order before performing U.S. person queries. In law enforcement investigations, the government should be required to obtain a warrant from a magistrate judge. In foreign intelligence investigations, it should be required to obtain a FISA Title I order from the FISA Court, which means showing probable cause that the subject is an “agent of a foreign power.” (FISA defines this term, as applied to U.S. persons, in a way that requires involvement in espionage, terrorism, identity fraud, or other illegal activity.)
This requirement would prevent the government from using Section 702 as an end-run around the Fourth Amendment. And while there might well be violations of this mandate, as well, “widespread violations” like those we’re seeing now — or, at least, the FISA Court’s willingness to continue approving the program despite such violations — would be far less likely. The FBI has claimed that some agents simply didn’t understand existing limits on conducting U.S. person queries. A requirement to obtain a probable-cause order for all U.S. person queries, however, is as clear and simple as any rule could be. The FBI would be hard pressed to claim confusion over such a requirement.
Many lawmakers have already embraced this approach. Senators Diane Feinstein, Mike Lee, Patrick Leahy, and Kamala Harris cosponsored an amendment requiring the government to obtain a probable-cause order for U.S. person queries the last time Section 702 was reauthorized, although it didn’t receive a vote. And the House has twice passed a similar amendment (in 2014 and 2015) with both Democratic and Republican support.
The FBI’s Arguments
The government, predictably, opposes closing off the backdoor search loophole. It leads with the assertion that these searches are lawful. That is indeed the view of the FISA Court. But among the handful of federal courts outside the FISA Court that have had the opportunity to weigh in on this question, a divide has emerged, with several judges — including a unanimous panel of the Second Circuit Court of Appeals — raising constitutional concerns. (Notably, judges on the other side of this divide have relied heavily on a misrepresentation that the Department of Justice made in litigation, namely, that government officials are required to review Americans’ communications anyway as part of the minimization process.) Outside of the courts, constitutional scholars have argued that backdoor searches must be treated as a separate Fourth Amendment event than the underlying collection, thus triggering the warrant requirement. In short, the constitutionality of backdoor searches is anything but settled.
The FBI next argues that requiring a warrant would interfere with efforts to protect Americans. At the PCLOB hearing, Herrington identified hypothetical scenarios in which backdoor searches could be used to identify victims of cyberattacks and targets of espionage. Indeed, ODNI has stated that 1.9 million of the U.S. person queries conducted in 2021 were for the purpose of identifying potential cyberattack victims. Herrington expressed concern that the government would not be able to obtain a warrant for such searches.
The fundamental problem with this argument is that there is no “cybersecurity” or “victim” exception to the Fourth Amendment. If the FBI were investigating a cyberattack perpetrated by a purely domestic actor, it could not simply help itself to the communications of 1.9 million Americans to identify victims. It would have to use other investigative techniques. The Fourth Amendment doesn’t afford lesser protection to American victims simply because the perpetrator happens to be foreign. The foreign suspect may not have Fourth Amendment rights, but the American victims most certainly do.
In any event, if protecting victims were the sole or even primary purpose of backdoor searches, the government would not oppose a warrant requirement outright. It would instead propose a narrow and rigorously overseen carveout — e.g., one that would not involve accessing communications content and that would require FISA Court approval on a case-by-case basis — for situations in which the government has reason to believe someone is a victim or target of malign foreign activity.
Instead, the government is flatly opposing a warrant requirement on the ground that it would recreate “the wall.” That’s nonsense, and the government knows it. “The wall” refers to pre-9/11 rules that governed how law enforcement officials could use foreign intelligence information acquired with a FISA Title I order. In other words, these were rules that (in practice, if not on paper) limited the use of foreign intelligence information for law enforcement purposes even after the government made the probable-cause showing required by the statute. Requiring a warrant or FISA Title I order for U.S. person queries would involve no such restrictions or distinctions. It would constitute a “wall” only in the sense that the Fourth Amendment’s warrant requirement establishes a wall between the government and the private communications of Americans.
As for the FBI’s widespread violations of existing limits on U.S. person queries, the government told the FISA Court that FBI agents didn’t understand those limits. To address that problem, the FBI is bolstering its training requirements and imposing new internal oversight measures. This would be a more convincing argument if the rule the FBI has been violating (i.e., that queries must be designed to retrieve foreign intelligence or evidence of a crime) was a new one. But the notion that FBI agents didn’t understand the relevant standard — and that they simply need better training and oversight — is hard to accept when that standard has been in place for at least 14 years, and when the government has been touting its rigorous training and oversight throughout that period. As the FISA Court suggested, there’s an alternative explanation for the FBI’s behavior: not just a misunderstanding of the standard, but “indifference toward it.”
Indeed, it’s important to recognize that the recent FISA Court opinions are only the latest in a string of opinions dating back to 2009 that reveal an unbroken pattern of violations — by the FBI, NSA, and CIA — of the rules designed to protect Americans’ privacy. (See here for a compilation of Section 702 violations as of 2017.) In written comments to the PCLOB, I documented the FISA Court’s rising frustration with these violations and the government’s failure to timely disclose them. On multiple occasions, the government has responded by pledging to improve its training and/or bolster internal oversight. None of these efforts has been sufficient to disrupt the pattern. In the words of surveillance expert Julian Sanchez, the FISA Court and the government have been engaged in a game of “compliance whackamole.”
Ultimately, though, even if the FBI could ensure perfect compliance with the existing rules, it wouldn’t obviate the need for a warrant. Communications are collected without a warrant under Section 702 based on the premise that the subjects of the government’s investigative activity are foreigners abroad. If that premise changes, so does the constitutional calculus. Requiring a warrant for U.S. person queries honors the balance between security and liberty struck in the Fourth Amendment and ensures that Section 702 can’t be used to get around Americans’ constitutional rights. That essential reform should be the starting point for any reauthorization of the law.