As another sunset of Foreign Intelligence Surveillance Act (FISA) Section 702 authorities looms, the House of Representatives has passed a compromise bill, the “Reforming Intelligence and Securing America Act,” H.R. 7888 (RISAA), which the Senate is now considering.
The bill would reauthorize Section 702 – the controversial law that allows the U.S. government to acquire communications of non-Americans outside the United States without a warrant – and make a range of changes to FISA overall. It has something to interest everyone, from addressing the use of U.S. person query terms to formalizing oversight measures to a technical expansion of the type of service provider that can be compelled to help the U.S. government acquire communications. The changes are a combination of direct responses to legislative gaps and real or perceived Executive Branch transgressions, codifying existing practices, and updating FISA in ways that are evolutionary, but not radical. Taken together, they appear to reflect deep dissatisfaction with how the Executive Branch has implemented aspects of FISA, paired with a recognition of the need to permit essential national security operations to continue under the supervision of all three branches of government.
FISA and Section 702
FISA was enacted in 1978, largely as a means to impose a framework and limits on domestic national security surveillance. Such surveillance had grown in size, scope, and creativity over the preceding decades, and entities such as the Church Committee uncovered a stunning range of misguided and abusive activities. FISA brought domestic national security surveillance within the judicial system. It created the Foreign Intelligence Surveillance Court (FISC) and empowered it to issue orders authorizing national security electronic surveillance upon a showing by the government that, among other things, the target of such surveillance is a foreign power or agent of a foreign power. Similar to applications for criminal search warrants, investigative targets are not represented in FISC proceedings (informing criminal or national security subjects that they are being investigated is counterproductive). FISA also established the Foreign Intelligence Surveillance Court of Review (FISCR), a court to which the government can appeal FISC orders or denials. For U.S. persons (U.S. citizens or lawful permanent residents) to be “agents of a foreign power,” their activity generally must implicate U.S. criminal laws. See 50 U.S.C. § 1801(b)(2). FISA has been amended multiple times, for example to authorize the FISC to issue orders for national security physical searches and to establish a panel of amici to provide the FISC and FISCR with neutral support from experts from outside of government.
Whereas most FISA authorities require the government to make particularized showings to the FISC and obtain orders specific to particular targets, Section 702 of FISA, which was added in 2008 as part of the FISA Amendments Act (FAA), is different. It targets non-U.S. persons who are outside the United States and authorizes the government to compel certain communication service providers within the United States to assist the government in acquiring those targets’ communications. Such targets are not subject to Fourth Amendment protection. As a result, rather than obtain orders identifying and authorizing each target, under Section 702 the Attorney General (AG) and Director of National Intelligence (DNI) submit a “certification” to the FISC, which the FISC can authorize for up to one year.
A certification, among other things, describes targeting procedures the government will use to ensure that only non-U.S. persons outside the United States will be targeted, minimization procedures the government will apply to its acquisition, retention, and dissemination of collected information, and (as a recent addition) query procedures governing the use of U.S. person identifiers, such as names, telephone numbers, and email addresses, to search information that has already been collected under Section 702. Although Section 702 prohibits “reverse targeting” – collecting communications of an eligible target for the purpose of targeting a specific person in the United States – queries are run against information that has already been collected.
Section 702 has a built-in sunset provision under which its authorities periodically expire. Not for the first time, Congress enacted a brief extension of Section 702 in the National Defense Authorization Act at the end of 2023. Section 702 is now scheduled to expire on April 19, 2024, unless it is extended. The sunset clause for Section 702, however, has a continuation provision that allows certifications that are already in place to remain effective until their expiration date, even if the statute expires. See Pub. L. 11-261 § 404(b)(1), as amended.
Reauthorization of Section 702
Section 19 of RISAA would extend the sunset of Section 702 for two years from the date of the bill’s enactment. This is a shorter sunset provision than prior reauthorizations contained.
Section 21 would require the government to obtain new certifications within 90 days of enactment to replace any certifications that were obtained during the short-term extension of Section 702. Any such certifications would otherwise remain in effect for the remainder of their one-year duration. This would apply the new RISAA requirements sooner than such certifications’ expiration.
Section 702 Query Procedure Reform
Congress recently added the requirement for query procedures to Section 702. The statute currently allows the government to query “information” collection under Section 702 pursuant to querying procedures. Querying procedures must be “consistent with the requirements of the fourth amendment” and ensure that agencies keep records of each U.S. person identifier used for a query. Those records are available for after-the-fact internal and external oversight. Absent an emergency such as an imminent threat to life, the FBI may only review the “contents” (a subset of “information” that does not include metadata) of communications retrieved through a query used in a non-national security criminal investigation if the FISC finds probable cause to believe that those contents include evidence of a criminal activity, contraband, fruits of a crime, or property used to commit a crime. See 50 U.S.C. § 1881a(f)(2)(C), (D).
The FBI’s authority to use U.S. person identifiers to query information previously collected under Section 702 has been debated and discussed at length. A recent panel discussion (which I co-moderated) summarized different constituencies’ views of some of the operational, policy, and constitutional considerations. Some consider U.S. person queries to be a “back door” search for U.S. person communications without a warrant, while others consider them to be an operationally important search of material that has already been lawfully collected. Bills in the most recent reauthorization cycle emerging from the House Judiciary Committee, House Permanent Select Committee on Intelligence (HPSCI), and Senate Judiciary Committee each approached the issue differently.
The RISAA compromise, set forth in Section 2, would not impose a warrant requirement. Its title asserts that it would “Strictly Limit” FBI queries of unminimized Section 702-acquired information using U.S. person identifiers. The new limits would include a requirement that an FBI supervisor or attorney approve such queries. Political appointees would be ineligible to approve queries, and only FBI personnel who are approved to access raw FISA-acquired information (in other words, information to which investigators have not applied minimization procedures) could approve requests – which in practical terms means they would have to have received mandatory training in FISA-related procedures.
This is a far cry from a search warrant or other court approval, but it adds a metaphorical “grownup in the room” when line agents, who can have less experience, conduct intrusive searches of Americans’ communications. This reduces the likelihood that an agent, however well-intentioned, might transgress based on a misunderstanding of the rules. The bill would also enhance individual accountability by requiring the FBI to maintain written records of queries (including its justification) and requiring the Department of Justice to review queries within 180 days of when they were conducted. Based on personal experience, Justice Department reviews of agencies’ compliance with FISA and National Security Investigation rules can be very thorough, and – along with agency self-reporting – have been an important means of identifying compliance and implementation issues.
The query provision also requires that any FBI personnel who conduct queries must receive annual training on applicable procedures. “Sensitive” queries – such as queries using terms associated with elected officials, politicians, media organizations and figures, and religious organizations and figures – would require higher-level approvals, as would queries run using “batch job” technology (for a discussion of batch jobs, see the Privacy and Civil Liberties Board (PCLOB) 2023 Report on Section 702 at 101 and this explainer from Lawfare).
In addition, the query provision would prohibit FBI database checks from automatically running against raw Section 702-acquired information by default. Rather, when an FBI agent or analyst uses any tool that pulls information from multiple data stores, they would have to affirmatively opt in to searching against Section 702-acquired data, which would likely require them to affirm that they understood the applicable rules.
The House also included limitations on the FBI’s authority to conduct queries using the identifiers of Members of Congress. For queries related to investigations, the FBI would be required to notify Congressional leadership and the subject of the query, to the extent consistent with national security considerations, which could include maintaining the integrity of an investigation. And the FBI would require a Member’s consent before using their identifiers in a query to support a counterintelligence defensive briefing.
In sum, the query procedure modifications would add some degree of responsibility and accountability that Section 702 did not previously require. Some individual requirements seem sufficiently specific that they are likely responses to particular incidents. These will not satisfy those who consider a query of previously collected data to constitute a search under the Fourth Amendment, and probably will provide sufficient flexibility to potentially aggravate, but not impede, operators who seek to query raw data.
Other Changes to Acquisition and Use Under Section 702
Separately, Section 3 of RISAA would prohibit the FBI from conducting queries of raw Section 702-acquired information (information to which the minimization procedures have not been applied) solely to find evidence of a crime, absent a serious emergency. The bill would permit queries designed to identify information that the government is required to preserve or produce in discovery, such as Brady material.
Section 3 would also prohibit the FBI from ingesting unminimized data into analytic repositories unless the target from whom the data was collected is “relevant to an existing, open, predicated full national security investigation.” The FBI can only open a “full” investigation under circumstances described in Justice Department guidelines, so this rule incorporates a tangible threshold. It is less clear what the scope of “analytic” repositories is and the extent to which FBI systems might fall outside that definition.
Section 22 would repeal the government’s authority to use “abouts” collection. “Abouts” collection refers to the use of a selection term associated with a target, such as an email address, to acquire communications that are not to or from that target. See 50 U.S.C. § 1881a(m)(4)(B)(i). Such collection is currently prohibited unless the AG and DNI initiate a specified Congressional process described in 103(b) of the 2017 FAA reauthorization. RISAA would eliminate the possibility of the AG and DNI re-initiating abouts collection.
Section 24 would require Section 702-related procedures to facilitate vetting of non-U.S. persons traveling to the United States. The use of Section 702-acquired information for vetting purposes was discussed, for example, in the PCLOB 2023 Report on Section 702. The PCLOB found that “[v]etting is a crucial national security function, and Congress should make clear that Section 702 may be utilized to support it,” and expressed concern that the government might lawfully possess Section 702-acquired information that it was not allowed to access for such a purpose. According to the PCLOB, the National Security Agency (NSA) querying procedures were amended in April 2023 to permit such queries. See PCLOB 2023 Report at 97. RISAA would go a step further and require those procedures to permit the use of queries for vetting.
Section 5, discussed further below, would also create a presumption that the FISC would consult independent legal and/or technical experts as amici when considering Section 702 certifications or procedures by requiring the FISC to consult amici absent an affirmative finding that such consultation was not appropriate.
Changes to Fundamental Definitions
Section 23 would expand the definition of “foreign intelligence information” to include the international production distribution, or financing of certain drugs, including drugs “driving overdose deaths,” such as opioids. This is significant because Section 702 certifications and targeting decisions are predicated on the acquisition of foreign intelligence information (and the term is also one important pillar of “traditional” FISA). In July 2023, the DNI disclosed that “there are three Certifications under Section 702, covering the following categories of foreign intelligence: (1) foreign governments and related entities, (2) counterterrorism, and (3) combatting proliferation.” Adding to the definition of foreign intelligence information could potentially lead to an additional certification and/or an expansion of the scope and volume of Section 702 collection.
Section 25 would expand the definition of “Electronic Communication Service Provider” (ECSP), which determines the range of entities that the government can compel to provide assistance in acquiring communications under Section 702. The definition currently includes (A) telecommunications carriers; (B) providers of electronic communications service (ECS) (cross-referencing the Wiretap Act); (C) providers of remote computing service (RCS) (cross-referencing the Stored Communications Act); (D) “any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored;” and (E) an officer, employee, or agent of any of the listed types of entities.
Similar to an earlier HPSCI bill, RISAA would add another type of provider: a service provider that “has access to equipment that is being or may be used to transmit or store wire or electronic communications,” but would not qualify under any of the existing definitions. It would also add “custodians” to the list of individuals who could qualify. These additions, which appeared in the Protect America Act (which preceded the FAA), appear to have been proposed in response to a 2022 FISC decision, which the FISCR affirmed in 2023, finding that a provider that the government sought to serve with a Section 702 directive was not an ECSP, and therefore could not be compelled to provide assistance. The publicly released versions of the opinions were subjected to extensive use of the government’s “black highlighters,” and do not disclose the type of service the provider offered. A recent New York Times article, however, reported that the recipient was a data center. The Times described data centers as “centralized warehouses of computer servers that can be accessed over the internet from anywhere in the world” that are “increasingly operated by third parties that rent out the storage space and computing power that make other companies’ online services work.”
The application of this amendment, of course, will not necessarily be limited to the specific use addressed in the FISC and FISCR opinions. The provider of any internet or communications infrastructure service that is not covered by the existing definition could potentially be implicated, if the provider is subject to U.S. jurisdiction and the target of acquisition is a non-U.S. person outside the United States.
There has been public speculation about whether the expanded definition could bring businesses such as hotels and coffee shops that provide internet connectivity within the scope of Section 702. To the extent that such entities are not already ECSPs, such as by operating as an ECS or RCS, the expansion would only appear to implicate them to the extent they could help acquire non-Americans’ communications overseas. The definitional change does not affect other limitations of the statute, so even under the HPSCI bill, Section 702 could still not be used to compel a hotel, coffee shop, store, or other establishment within the United States to provide any assistance to the government. Still, in response to concerns about the expansion, the RISAA definition includes exceptions that the HPSCI bill did not. The proposed new definition of ECSP would exclude “any entity that serves primarily as” a public accommodation facility, dwelling, community facility, or food service establishment.
Changes to FISC and FISA Applications
RISAA proposes to change how the government obtains particularized orders under “traditional” FISA – the sections of FISA under which the FISC can authorize electronic surveillance and physical search of U.S. persons and within the United States. Here are some notable provisions.
Accuracy. FISA applications are generally supported by sworn declarations of Headquarters-based supervisory agents, sometimes referred to as “program managers.” See, e.g., Justice Department OIG 2019 FISA Report at 44. Program managers do not conduct the investigation or collect the information underlying FISA applications; rather, they rely on information from the case agent in the field who is seeking FISA authorities. The FBI applies accuracy procedures, sometimes referred to as “Woods Procedures,” to confirm that “the factual assertions contained in the application are accurate.” Records relating to the application of accuracy procedures are subject to Justice Department review. Rule 13(a) of the FISC’s rules requires the government to disclose, correct, and explain material misstatements or omissions in FISA applications.
Section 10 of RISAA would bring the accuracy procedures into FISA itself, thereby codifying (and potentially modifying) processes and understandings among the Justice Department, the Intelligence Community, and the FISC. Moreover, it would add a requirement for the government to disclose to the FISC “exculpatory” information about the target, similar to prosecutors’ Brady and Giglio obligations in criminal discovery.
FISC Procedures. FISC orders authorizing electronic surveillance are limited in duration, so the government must seek renewed authorization to continue such surveillance before an order expires. Section 5 would require the government to present a request to renew FISC authorization to conduct electronic surveillance to the same FISC judge that authorized the initiation of that surveillance, subject to certain exceptions. This could potentially present logistical challenges and, particularly given the very involved role of FISC staff attorneys in the evaluation of FISA applications, it is not entirely clear how significant a problem this would solve.
Section 5 would also require the FISC to “designate one or more attorneys” to review applications for electronic surveillance of a U.S. person and present analyses to the court. This appears to simply codify the FISC’s longstanding practice of employing highly experienced attorneys to fulfill that purpose and others.
Section 5 would also grant certain Members of Congress and their designees with access to FISC proceedings. Observers should stay tuned on this seemingly arcane point; it is not clear to outsiders how the Justice Department, the Intelligence Community, or the FISC would react.
Applications. Section 6 appears to be a reaction to recent commentary regarding publicized FISA applications. It would require factual declarations supporting FISA applications to be “sworn,” which they already are. Section 6 would also prohibit the use in FISA applications of information obtained from a political organization unless the organization is clearly identified, the information has been corroborated, and the factual declaration describes the investigative techniques used to corroborate the information. It would similarly require identification and certain disclosures about any news media reports on which an application relies.
Section 6 would also increase the government’s burden to explain other, presumably less intrusive, investigative techniques it used before applying for authority to conduct electronic surveillance of a U.S. person; such assertions are currently required at a more general level in the certifications (not to be confused with Section 702 certifications) that high-level FBI or other Intelligence Community agency officials submit as art of FISA applications. Section 6 would similarly require the government to provide more detail in renewal applications about the need to continue implementing FISA authorities.
Interestingly, Section 6 would impose a new pleading requirement specifically when the government seeks electronic surveillance or physical search authority based on one way a target can act as an “agent of a foreign power”: by engaging in “clandestine intelligence activities,” other than intelligence-gathering, “for or on behalf of an intelligence service or network of a foreign power” and pursuant to its direction. Currently, a U.S. person can only be targeted (i.e., found to be an agent of a foreign power) for engaging in such activities when those activities “involve or are about to involve a violation of the criminal statutes of the United States.” 50 U.S.C. § 1801(b)(2)(B). The official providing the factual basis for a FISA application, who is usually an FBI agent, currently must set forth the facts and circumstances justifying a belief that the target is an agent of a foreign power, see 50 U.S.C. § 1804(a)(3)(A), and this particular definition of “agent of a foreign power” already incorporates a criminal violation. But Section 6 would require an application based on to specifically state the basis to believe that “a violation of the criminal statutes referred to in [Section 1801(b)(2)(B)] has occurred or is about to occur.” This may be a response to a specific issue, but its inclusion in a bill that also adds the requirement for a “sworn” statement and enhances accuracy requirements, as described above, and imposes penalties for government officials relating to FISA applications, described below, evinces Congressional concern about accuracy and accountability. The fact that this requirement only applies to allegations that the target is engaged in clandestine intelligence activities other than intelligence collection – such as spreading disinformation, collecting unclassified information, or harassing dissidents at the direction of a foreign intelligence service – is interesting.
Transparency, Oversight, Consequences, and Future Reform
Conducting classified domestic operations in a democracy presents inevitable and enduring challenges when it comes to balancing national security and government transparency. Section 7 of RISAA would add a specific deadline to FISA’s existing requirement for the DNI and AG to conduct declassification reviews of significant FISC and FISCR opinions. Section 8 would require FISC hearings to be transcribed, much like other court proceedings. Section 9 would require a Justice Department Inspector General audit of FBI querying practices.
RISAA would also impose consequences for noncompliance with FISA requirements. Section 12 would require the FBI to implement “measures for holding the executive leadership of each covered component appropriately accountable for ensuring compliance” with FISA procedures. The FBI would be required to report to Congress regarding this and other FISA-related disciplinary measures. Section 13 would criminalize unauthorized disclosure of FISA applications or of classified Section 702-acquired information to which a U.S. person is a party (both of which likely could be prosecuted under existing law). Section 13 would also add a sentencing enhancement for false declarations before the FISC.
Section 16 would require the FBI to implement “minimum accountability standards” for noncompliance with limits on using U.S. person identifiers to query Section 702, and Section 17 would require adverse employment actions against any federal officer who engages in misconduct regarding proceedings before the FISC.
Looking Forward. Sections 18(b) would direct a study to be made of the potential use of technology to monitor the FBI’s compliance with Section 702-related rules. Section 18(c) would charter a FISA Reform Commission to “consider ongoing reforms” to FISA.