(Editor’s Note: This is part of a series on the FISA Section 702 reauthorization and reform debate.)
With momentum of efforts to legislate new restrictions on the functioning of Section 702 of the Foreign Intelligence Surveillance Act (FISA) slowing, Senators Dick Durbin (D-IL) and Mike Lee (R-UT) of the Senate Judiciary Committee recently introduced the newest entrant in the legislative mélange of bills addressing the reauthorization of Section 702: the Security and Freedom Enhancement (“SAFE”) Act of 2024. Like the nearly half-dozen other bills directed to Section 702, a principal focus of the SAFE Act is the admittedly controversial record of the FBI’s querying of the database of lawfully acquired Section 702 communications.
Described as a “compromise bill,” the SAFE Act is anything but, instead serving in many respects as the fraternal twin of the Government Surveillance Reform Act (GSRA) introduced a few months earlier by Senator Ron Wyden (D-OR), a long-time critic of Section 702 (Wyden is a SAFE Act co-sponsor). Like Wyden’s GSRA, the SAFE Act proposes that Section 702 be renewed, but only with changes that seriously undermine its agility and value as an indispensable foreign intelligence collection tool. While the SAFE Act covers a number of national security activities and practices, this analysis is limited to the specific features it devotes to “reforming” FISA Section 702.
U.S. person queries of Section 702 collection and the SAFE Act’s warrant requirement
By way of background, I previously addressed the flaws in Senator Wyden’s GSRA here and here, and those analyses offer a primer on the SAFE Act’s flaws. Most conspicuous are its crippling restrictions imposed on the government’s querying of lawfully acquired communications using U.S. person (USP) identifiers. Proponents of the SAFE Act insist that these restrictions are necessary because the government is conducting hundreds of thousands of “warrantless searches” – “more than 500 warrantless searches every day” – of the emails, phone calls, and text messages incidentally collected from those Americans communicating with foreigners properly targeted under the authority of Section 702.
This assertion is simply false. The searches condemned by the SAFE Act are “warrantless” only in the sense that a microwave oven is unlicensed: technically true, but legally irrelevant because, just as a microwave requires no license to own or operate, neither does an authorized acquisition under Section 702 require a warrant. In Section 702(c)(4), Congress specifically exempts Section 702 collection from the court order requirements found in Title I of FISA.
As the Foreign Intelligence Surveillance Court (FISC) has observed: “The touchstone of the Fourth Amendment is reasonableness” and “although the warrant requirement is often a tolerable proxy for reasonableness when the government is seeking to unearth evidence of criminal wrongdoing … it fails to properly balance the interests at stake when the government is instead seeking to preserve the nation’s security from foreign threat.” While the Second Circuit noted in its decision in U.S. v. Hasbajrami that certain considerations surrounding querying using U.S. person identifiers “counsel in favor of considering querying a separate Fourth Amendment event,” the FISC has repeatedly rejected the proposition that the “querying of information lawfully acquired under Section 702 be considered a distinct Fourth Amendment event requiring a reasonableness determination independent of the other circumstances of acquisition.”
The FISC reiterated this stance as recently as April 2023, and even the chairperson of the Privacy and Civil Liberties Oversight Board (PCLOB) acknowledged that “the FISC has determined that current Section 702 querying procedures comply with the Fourth Amendment.” The bottom line: no court has ever held that the Fourth Amendment requires that the government secure a warrant or other form of court order in connection with a Section 702 query using USP identifiers. So the descriptive “warrantless” simply should not be applied to these lawful queries.
Nevertheless, the SAFE Act requires, except in narrowly cabined circumstances, that the government secure a constitutionally unnecessary court order before examining the contents of communications retrieved by queries using USP identifiers. If enacted, this mandate would be the first time that Congress required the Executive branch to secure a court order to examine information already lawfully in its possession and properly stored in government databases.
The press release issued by the Senate Judiciary Committee tries to mitigate the dangers the SAFE Act poses to Section 702 by describing its proposed warrant requirement as “narrow” and “carefully crafted” because it applies “only for accessing content in those cases where a USP search has returned results.” This is a curious dilution of the warrant requirement given that the chairperson of the PCLOB stated that “running a[ny] U.S. person query does create a privacy intrusion regardless of whether there is a hit.” For years, Section 702 critics have insisted that all USP queries – representing those supposed “500 warrantless searches per day” – constitute warrantless backdoor searches that violate the Fourth Amendment. But now, apparently, not all “warrantless” USP searches are the same. Instead, the SAFE Act offers an implicit concession that querying USP identifiers does not, in and of itself, trigger a separate Fourth Amendment inquiry – just as the FISC has been saying for years.
Most important, there are practical impediments to the SAFE Act’s warrant requirement. The Act’s sponsors insist that a warrant will be necessary only for the “less than two percent” of USP queries that actually return content, but even that figure threatens to choke the use of Section 702 in circumstances posing serious, time-sensitive threats to the nation’s security. Each year the Annual Statistical Transparency Report (ASTR) provides data on the use of USP queries in the Section 702 program. Only four agencies are authorized access to the Section 702 database but, unlike NSA, CIA, and National Counterterrorism Center (NCTC), the FBI does not report content (i.e., verbal or written content of communications) and non-content (i.e., metadata) queries separately in the ASTR. Therefore, a little interpolation is necessary to estimate the handicap the SAFE Act will impose on Section 702 operations.
In 2022, NSA, CIA, and NCTC collectively reported conducting 4,684 USP queries designed to retrieve content and 3,656 USP queries designed to retrieve only metadata. In other words, approximately 56% of queries run by the three agencies were content queries. In the same year, the FBI conducted 119,383 USP queries. Applying the same percentage as its sister agencies, the FBI therefore conducted an estimated 66,850 content queries, meaning the four agencies cumulatively ran approximately 71,534 content queries. The PCLOB reported that 1.58% of the FBI’s USP content queries actually returned content. Applying that percentage to the estimated 71,534 cumulative queries means that approximately 1,130 queries returned content. Under the SAFE Act, each of these queries would have required a warrant. Or over 3 warrants per day, every day of the year – a tasking that will inevitably delay the time-sensitive querying process that serves as an invaluable early step in identifying espionage, terrorist and cyber threats to the homeland.
The FISC issued only 337 Title I FISA probable cause court orders in all of 2022. Plainly, that court currently lacks the resources to address the wave of applications that the SAFE Act would demand. Little wonder, then, that the President’s Intelligence Advisory Board (PIAB) describes a warrant requirement like that proposed in the SAFE Act as “unjustified,” “impractical,” and leaving America ”significantly less safe.”
Some final points are also worthy of consideration when assessing the proposed warrant requirement. First, the FBI– the SAFE Act’s warrant requirement is principally directed at the FBI–receives access to only the communications of Section 702 targets that the FBI itself nominates for collection—approximately 3.2% of all targets. The FBI nominates for collection only those foreign targets that are subjects of open, fully predicated national security investigations – the most serious class of investigation in the FBI hierarchy. Thus, any USP communications incidentally acquired by targeting FBI-nominated targets are from USPs communicating with subjects of the FBI’s most serious national security investigations. Plainly, at least some of these may not be the “innocent” Americans the SAFE Act aims to protect.
Second, the SAFE Act’s “reforms” aren’t limited to protecting Americans – a “covered query” requiring a warrant includes any query “using a term associated with a U.S. person or a person reasonably believed to be located in the United States at the time of the query or the time of the communication or the creation of the information.” So, if the FBI wants to access the content of a query targeting a Chinese agent or Taliban terrorist operating in the U.S., the SAFE Act requires a warrant. How, exactly, does that leave any American safer?
Reverse Targeting
The SAFE Act’s imposition of “reverse targeting” restrictions, using the same substantive language as the misguided limitations found in Senator Wyden’s GSRA, hardly signals the “compromise” that the SAFE Act insists preserves the value of Section 702 as an intelligence tool.
Using language that essentially duplicates the GSRA, the SAFE Act would modify the language in Section 702 that prevents the government from targeting a foreigner as pretext for acquiring the communications of a particular USP. Currently, the government may not “intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States.” As a practical matter, compliance with the reverse targeting prohibition has not been an issue in prior reauthorizations of Section 702—most likely because, as a matter of intelligence tradecraft, reverse targeting makes little sense since intelligence officers interested in a person in the United States will be naturally inclined to seek a court order providing access to all of that target’s communications rather than the limited subset that might be acquired through reverse targeting. Semiannual compliance assessments for Section 702 required by FISA have noted “the extreme rarity of reverse targeting incidents,” but the SAFE Act would change the statutory language from barring targeting where the “purpose” is to target a particular known person in the United States to where a “significant purpose” is to target a particular known person in the United States.
These revisions are alarmingly misguided because a fundamental reason for Section 702 is to facilitate the ability to ascertain whether foreign terrorists or intelligence services are communicating and plotting with persons in the United States. However, like its warrant requirement, the SAFE Act’s reverse targeting restrictions would extend to foreign intelligence services and foreign terrorist organizations conspiring with their accomplices in the U.S. Recognizing the importance of this collection, Congress, in passing Section 702 in 2008, rejected the same “significant purpose” language now being exhumed and repackaged in the SAFE Act and the GSRA. To be clear, then, if the SAFE Act becomes law, Section 702 could no longer be used to query Russian and Chinese intelligence operatives or terrorists to see if they are talking to contacts in the United States. The language proposed in the “compromise” SAFE Act needlessly and dangerously closes an invaluable window to protect against a panoply of dangers including terrorism, espionage, nuclear proliferation, and cyberattacks.
Much like the GSRA and the “Protect Liberty and End Warrantless Surveillance Act” (PLEWS) issued by the House Judiciary Committee, the SAFE Act appears more designed to curtail Section 702 and counterproductively rein in the FBI than to reauthorize America’s most important foreign intelligence collection tool. In a pointed criticism of the PLEWS Act’s “reverse targeting” provisions, which are substantively indistinguishable from those included in the SAFE Act, Benjamin Wittes trenchantly observed that it amounted to a functional repeal of Section 702.
So, make no mistake, those who claim the SAFE Act represents “compromise” legislation should recognize that they are not protecting Americans’ privacy and civil liberties; instead, they are returning to a pre-9/11 security paradigm that blinds itself to the activities of foreign actors seeking harm and havoc against the United States.
“Abouts” Collection
I have addressed here and here why the GSRA’s ban on “abouts” collection, seems superfluous and myopic. The SAFE Act proposes the same ban using virtually identical language, so all of the objections I noted to the GSRA apply equally to the SAFE Act.
A Better Alternative
The SAFE Act includes a medley of reforms directed at addressing the FBI’s dismal history of querying. Many of those measures have already been implemented by the FBI, resulting in considerable improvement in FBI querying activities. The FISC commented, in its most recent Section 702 opinion, “there is reason to believe the FBI has been doing a better job in applying the querying standard.”
Consequently, prudence suggests that legislative proposals should foster the upward trajectory in compliant FBI querying practices by incorporating, where appropriate, those measures that have produced the improvements in FBI querying activities noted by the FISC, but without draconian new restrictions like a warrant requirement. Some lessons may be drawn from the PCLOB’s review of NSA’s XKEYSCORE foreign intelligence platform in a report issued in December 2020.
Although heavily redacted, the report describes the auditing architecture used with XKEYSCORE as “noteworthy” for its capability to provide meaningful scrutiny of querying activities in close to real time. Describing XKEYSCORE’s sophisticated technical capabilities for logging queries and organizing the accompanying query justifications in a manner conducive to efficient review by human auditors, the report notes that XKEYSCORE’s capabilities are more advanced than those used at other agencies and suggests it “can offer a useful example (and perhaps some technical solutions) to other IC elements seeking to ensure effective oversight of their personnel’s access to large, sensitive datasets.”
As suggested by the XKEYSCORE review, an approach that combines technological advances with rigorous compliance standards seems far more likely to “reform” Section 702 in a way that balances its irreplaceable intelligence value with the privacy interests of Americans. Imposing a constitutionally unnecessary, practically unworkable warrant mandate is no “compromise” and leaves only those who would harm America any better off.