Early last November, a bipartisan, bicameral group of U.S. senators and representatives introduced the Government Surveillance Reform Act (GSRA). The sponsors of the bill, who came from across the ideological spectrum, stood for three principles:
- First, the surveillance law known as Section 702 of the Foreign Intelligence Surveillance Act (FISA) should be reauthorized with reforms, rather than allowed to expire. The GSRA was in fact the first bill introduced in this Congress to reauthorize Section 702.
- Second, these reforms should allow the government to conduct surveillance of foreigners overseas while protecting the privacy of Americans whose communications get swept up with them.
- Third, it is long past time for comprehensive surveillance reform that addresses other major intelligence collection authorities that impact Americans’ privacy, as well as law enforcement surveillance authorities that, in many cases, have not been updated in decades.
In the last few months, the GSRA has elicited praise and endorsements, but also some opposition and, not surprisingly given the complex and often technical subject matter, a certain amount of confusion. White House staff began the debate by saying that they oppose the GSRA but also had not read it. This essay is intended to describe the basic intent of the bill and to explain the commonsense nature of its provisions. It is my hope that, with section 702’s expiration date now extended to April 2024, members of Congress and the administration can engage in substantive discussions, identify common principles that may not yet be apparent, and move forward toward legislation that protects both national security and the fundamental rights of Americans.
U.S. person queries of Section 702 collection
At the center of the debate about Section 702 is the government’s practice of querying communications collected under Section 702 to specifically look for U.S. persons’ communications without a warrant or any court oversight. To grasp the risks that these queries pose to Americans’ rights, it is important to understand the size and nature of the dataset that is being queried. The number of Section 702 targets has expanded dramatically, almost doubling since the program was last reauthorized, and now stands at approximately a quarter million people. And, while the program was for years described publicly as targeting terrorists and other “bad guys” with whom no “innocent” American would be communicating, the Biden administration, to its credit, recently declassified the fact that Section 702 is used much more broadly, including to collect intelligence related to “foreign governments and related entities.” It is not hard to imagine the range of American journalists, students, politicians, businesspeople and others with legitimate reasons to communicate with foreigners whom the government believes possess this intelligence.
The abuses of the government’s warrantless U.S. person queries under Section 702 – including queries for protesters, political campaign donors and even people who have simply reported crimes to the FBI – are extensive and well documented. Defenders of the FBI argue that the number of abuses has recently declined as a result of changes to the FBI’s internal policies. Yet clear abuses continue, in violation of internal policies: for example, the most recent FISA Court opinion on Section 702 describes inappropriate queries for a U.S. Senator, a state senator, and a state judge who had complained to the FBI about alleged human rights violations committed by a municipal police chief. These abuses, identified from the fraction of FBI queries actually reviewed by the Department of Justice, clearly demonstrate that internal policies alone are insufficient. If Congress passes a long-term Section 702 reauthorization without proper guardrails, including FISA Court oversight of queries for U.S. persons, ongoing privacy violations will continue and a resurgence of widespread abuses is likely, if not inevitable.
In pushing back against a warrant requirement for U.S. person queries of Section 702 data, the administration and other critics of the GSRA have argued that this reform will create an unacceptable burden on both the government and the FISA Court. What almost all of these critiques have in common, however, is a failure to consider how modest and operationally feasible the GSRA’s warrant requirement actually is.
Almost uniformly, critics of the GSRA have insisted that the bill requires a warrant for all queries of U.S. persons and persons inside the United States. In fact, only a small fraction of these queries would require a warrant. The GSRA does not require a warrant for queries of communications metadata (the “to, from and when” information). It is only when the government wants access to the content of those communications – information that is clearly protected by the Fourth Amendment – that it would have to go to the FISA Court and get a warrant. This distinction would permit the government to use Section 702-acquired metadata to look for connections between a particular American and foreign terrorists and use any such connections as the building blocks of an investigation. If an American is actually in communication with malicious foreign actors, that information, along with whatever information led to the query in the first place, could be used to obtain a warrant or an emergency authorization to read their communications. In emergency circumstances, the GSRA permits the government to conduct queries and obtain court review afterwards.
Critics who have argued that the GSRA’s warrant requirement would overwhelm the FISA Court have not considered the bill’s permissive approach to metadata queries. U.S. intelligence agencies informed the Privacy and Civil Liberties Oversight Board (PCLOB) that only 1.58% of the FBI’s U.S. person queries of Section 702 result in access to the content of communications. As the PCLOB reported, “[t]he vast majority of FBI’s U.S. person queries of Section 702 information that are conducted return no results,” a process that, the government argues, “is a value in itself, as it allows personnel to rule out certain leads.” None of these queries would require a warrant under the GSRA.
In fact, the number of queries that would require a warrant is likely smaller still. Under the GSRA the government can also access content without a warrant if there is a threat of imminent death or serious bodily harm, if consent is provided by the subject of the query or someone legally authorized to provide consent, or if there is a preexisting criminal or FISA warrant. The GSRA even permits nearly unfettered investigations into cyber attacks by allowing not only warrantless queries of the metadata that would reveal the sources of the attacks but also warrantless access to the malware being sent.
The feasibility of the GSRA’s approach to queries is not even theoretical; it is largely mirrored in the rules the NSA already applies to its U.S. person queries of communications collected outside of FISA, under Executive Order 12333. As outgoing NSA Director Nakasone once explained:
“I understand that the Attorney General-approved procedures that govern NSA’s collection, processing, and dissemination of SIGINT pursuant to EO 12333 impose significant restrictions on queries that are intended to retrieve the contents of communications to, from, or about US persons. Absent consent of the US person or certain emergency situations, my understanding is that such queries normally must be approved by the Attorney General on a case-by-case basis after a finding of probable cause. Metadata queries follow a different process and procedural requirements”
In other words, the GSRA would require intelligence agencies to follow essentially the same rules that the NSA already follows when looking for U.S. person information in its non-FISA collection. The primary difference is that the facts supporting probable cause would be submitted to the FISA Court rather than just the Attorney General. This additional step is a small price to pay to provide the American public the protections that will come from checks and balances and judicial oversight.
Another area where the GSRA is not far off from how Intelligence Community officials describe existing processes is “reverse targeting” – the deliberate, ostensibly prohibited targeting of a foreigner overseas to obtain the communications of an American who is communicating with that foreigner. Over and over again, Intelligence Community and Justice Department officials from multiple administrations have described a “fact specific” approach to determining whether reverse targeting violations have occurred. According to these officials, among the “variety of factors” that could provide an indication of reverse targeting would be if there had been “substantial” reporting regarding the American and “little” reporting on the foreign target.
The problem is that there is a disconnect between this weighing test and the actual statute. Under Section 702, the government is only deemed to have committed reverse targeting if “the purpose” for targeting a foreigner is to collect on a person inside the United States. That all-or-nothing formulation would suggest that any sliver of interest in the foreign target, including a single report on that foreigner, would allow for the ongoing targeting of the foreigner, even if the government’s primary intent was actually to surveil the American. To guard against this violation of Americans’ rights and bring the statute into alignment with the testimony of these government officials, the GSRA would define reverse targeting as occurring when a “significant” purpose of the targeting of a foreigner overseas is to collect on an American.
It has been argued that the GSRA would prevent the government from using Section 702 to identify Americans or people in the United States who are communicating with foreign targets. The GSRA is absolutely intended to allow the government to identify Americans who are communicating with foreign targets – this can be a legitimate and important intelligence activity. But when those Americans are identified and their government’s interest shifts to them, the proper approach is for the government to target them directly, with a court-approved warrant.
In 2017, the government voluntarily suspended “abouts” collection under Section 702. This controversial practice allowed the government to collect communications in which none of the communicants were actually targets. The only requirement was that the communication be about a target, for example if the content included an email address associated with a target. In other words, the government could even collect communications conducted entirely among Americans – two American businesswomen sharing contact information for a foreign official, for example. The PCLOB has rightly noted that “abouts” collection “raised significant privacy and civil liberties concerns,” and that if it were to resume, “the unique privacy risks stemming from such collection could reappear.”
It has been almost seven years since the suspension of this practice and, according to the PCLOB, the government has no interest in, or plans to, restart it. Yet any administration could restart it at any time, without any requirement to seek congressional authorization. The GSRA would foreclose that option and obligate the government to obtain congressional authorization before restarting “abouts” collection.
Targeting of Americans
There are three means by which Americans’ communications and other records can be collected by the government:
- The first is so-called “incidental” collection that occurs when Americans are in touch with specific foreign targets. As described above, the GSRA’s approach to incidental collection is not to prohibit it, but to place guardrails around queries for the content of those Americans’ communications and to protect against reverse targeting of Americans.
- The second means by which Americans’ data can be swept up by the government is through indiscriminate “bulk” collection of large datasets. Such collection is not conducted under Section 702, but it can be conducted under other authorities, and is discussed below.
- The third means by which Americans’ communications and records can be collected is if the government targets them directly. Most Americans, even those who follow debates about surveillance authorities, might presume that the government is required to obtain a warrant before targeting an American. But, as a statutory matter, that is not necessarily the case.
It was only in 2008 that I and my colleagues amended FISA to require a warrant to target an American overseas. And even that important reform left gaps. The law currently requires a warrant only in “circumstances in which the targeted United States person has a reasonable expectation of privacy,” a test that has raised concerns about the warrantless targeting of Americans living in countries where there is less privacy than in the United States. The GSRA corrects this problem.
Current law also does not protect Americans overseas from being targeted for collection that would fall short of a probable cause warrant requirement, specifically the collection of communications metadata (the “to, from and when” information). The GSRA’s approach to this form of targeting is to require the same kind of court order (pen register or trap and trace, or PRTT) as would be required for metadata collection in the United States.
Finally, under current law, there is no clear prohibition on the warrantless targeting of Americans in the United States when the collection occurs overseas. The GSRA extends Fourth Amendment warrant protections to all Americans, regardless of location.
FISA business records
In 2020, Congress allowed a separate provision of FISA, Section 215 of the USA PATRIOT Act, otherwise known as the “business records provision,” to expire. This was a reasonable decision – Section 215 had been used to justify massive, dragnet surveillance of Americans that provided little value for national security. But there was an exception to the sunset: under the terms of the original 2001 PATRIOT Act the government could continue to use Section 215 in investigations initiated prior to the sunset date and to investigate offenses that occurred prior to the sunset date.
At the time Section 215 sunsetted, members of Congress could reasonably have imagined that the use of Section 215 would gradually diminish. But the opposite has occurred: the amount of information collected under this expired provision has increased by a factor of seven, from 7,654 records collected in 2020 to 55,431 in 2022.
In 2020, the same bipartisan coalition that now supports the GSRA sought to reauthorize Section 215 with reforms, some of which received majority support in the U.S. Senate. If, notwithstanding the sunset, the use of Section 215 is going to continue to expand, Congress should have the opportunity to debate those reforms. The GSRA will phase out the expired Section 215 authorities. If government officials believe those expired authorities are still needed, they should obtain congressional approval to use them, accompanied by whatever reforms Congress opts to include.
Executive Order 12333
Most intelligence collection done outside the United States is not governed by FISA. For this collection, the only governing authority is a presidential directive known as Executive Order (EO)12333. Unlike Section 702 of FISA, this directive has no expiration date to help spur congressional review. Still, there are many reasons why these collection activities should be addressed now, as part of comprehensive surveillance reform.
Just like it does with Section 702, the Intelligence Community collects information on Americans under EO 12333 – information that can be shared with U.S. law enforcement. The fact that this collection is conducted outside statutory authorities and without FISA court approval is not a reason for Congress to look the other way. On the contrary, the absence of court oversight and Department of Justice review underscores the particular need for congressional action.
Unlike Section 702, collection conducted pursuant only to EO 12333 remains almost entirely secret. But one recent public example highlights the risks inherent in collection conducted outside of a statutory framework. In 2022, the PCLOB released an overview of EO 12333 that included two “deep dive” investigations. Among the Board’s findings was that the CIA, which conducts U.S. person queries of records collected pursuant to the Executive Order, was not even recording the justifications for those queries, thereby impeding any audits that might uncover abuses. This practice violated the CIA’s Attorney General-approved guidelines for EO 12333 activities, but did not violate any statutes (because there are no statutes here to violate). This serious problem likely would have gone unnoticed and unaddressed had the PCLOB not decided to focus its limited resources on the topic.
This one public example underscores the need for statutory guardrails around EO 12333 activities that affect Americans’ privacy. It also highlights how, regardless of efforts at congressional and PCLOB oversight, there is no substitute for the kind of scrutiny that comes with court review.
The CIA query example also illustrates a key principle underlying the GSRA – surveillance under Section 702 and surveillance under EO 12333 should be treated consistently. The privacy implications of warrantless U.S. person queries or reverse targeting of Americans is the same, regardless of how the data was collected. As described below, existing statutory guardrails around bulk collection are relevant to EO 12333. And, in some cases, protections that are included in current EO 12333 guidelines, such as the probable cause determinations for the NSA’s U.S. person queries, can and should be applied to Section 702 collection.
In 2015, in the wake of revelations about government collection of millions of Americans’ communications records, Congress acted to prohibit bulk collection, amending Section 215 of the USA PATRIOT Act (the “business records” provision that subsequently expired), FISA pen trap authorities, and even National Security Letters, the warrantless authority comparable to administrative subpoenas. What remained unaddressed, however, were bulk collection activities conducted under EO 12333 – activities that could include the purchase of Americans’ sensitive data from shady data brokers as well as other forms of collection.
The GSRA takes a modest approach to this problem, permitting the collection of datasets that include Americans’ data while requiring efforts to remove that U.S. data prior to acquisition and use of the datasets. This process is similar to the Defense Intelligence Agency’s segregation of purchased U.S. geolocation data, except that the GSRA would require government agencies to destroy much of the U.S. data swept up in this bulk collection.
The GSRA includes numerous exceptions that would permit the government to retain and use Americans’ data acquired through bulk collection, including information made lawfully available to the public by the government or through widely distributed media and information voluntarily made available by the person whose information is being collected, such as social media posts. There are also exceptions for the limited use and retention of information that intelligence agencies need for employment purposes, to comply with laws and guidelines, in cases of emergencies involving the threat of death or serious bodily harm, and when consent is provided.
The GSRA is intended to protect Americans from being swept up in indiscriminate bulk collection. There may be times, however, when a dataset includes communications or transactions between Americans and foreign targets like terrorists or foreign intelligence officers. The GSRA permits the retention and use of those records, treating them like the incidental collection of Americans’ communications under Section 702 and subjecting them to the same limitations on U.S. person queries. This approach would give intelligence agencies the flexibility they need to pursue national security threats while adding significant new protections for Americans’ rights.
Finally, no congressional debate over surveillance reforms can avoid the problem of secret law. As has been demonstrated repeatedly, statutory surveillance authorities have been subject to secret interpretations, by successive administrations and the FISA Court. To be sure, there is much more transparency now than in the past, as demonstrated by the public release of FISA Court opinions and related documents. But, as the public can see, these documents are often extensively redacted.
I take the protection of intelligence sources and methods extremely seriously, and it is appropriate for intelligence agencies to conduct much of their work in secret. But there are cases where redactions obfuscate basic information about how the law is interpreted and prevent Congress and the public from debating important statutory reforms, all while serving little to no national security purpose. Unfortunately, this is the case today with Section 702. There is important, secret information about how the government has interpreted Section 702 that Congress and the American people should see before the law is reformed. I will continue to urge the administration to make this information public.
* * * * *
It is understandable that the prospect of surveillance reform makes intelligence agencies nervous. They have important work to do, and it is natural to be apprehensive about learning to do anything differently. For nearly a century, champions of expanded surveillance have argued that checks on their authority will impair their ability to protect Americans from bootleggers, anarchists, communists, terrorist groups, or drug cartels. But in fact, our country’s history has shown over and over again that it is possible to protect public safety and Americans’ constitutional rights at the same time. The GSRA provides a measured approach to surveillance reform because Americans deserve both their security and their liberty, and should never be forced to choose one over the other.