This article first appeared at Just Security.
In a previous post, I described the political landscape for this year’s Section 702 reauthorization debate and noted the view of most observers that Section 702 is unlikely to be reauthorized this year without significant reforms. I outlined four key areas of reform and discussed the first of these: closing the backdoor search loophole. In today’s post, I discuss the second area of needed reform: closing gaps in the law that permit the collection and use of Americans’ communications and other Fourth Amendment-protected information without statutory authorization or judicial oversight.
There are two primary gaps that Congress must address. First, changes in communications technology since FISA’s 1978 enactment have dramatically altered the reach of the law. In 2008, Congress addressed one of the unintended outcomes of these changes: The government was required to obtain FISA Court orders to collect purely foreign communications, simply because they were routed through or stored in the United States. However, Congress failed to fully address the flip side of the issue: massive amounts of Americans’ communications and other sensitive information are routed and stored overseas, rendering them vulnerable to collection outside any statutory framework. To complete the modernization of FISA that began with Section 702, Congress must close this critical gap in coverage.
Second, after 9/11, the government sought to evade FISA’s substantive and procedural constraints by relying on claims of inherent executive authority. Congress responded by reaffirming that FISA was the exclusive means by which the government could conduct “electronic surveillance.” Because of the highly technical definition of that term, however, the exclusivity provision fails to reach many types of collection covered by FISA. There is ample reason for concern that the government is exploiting these gaps to collect some of the most sensitive data Americans generate without adhering to FISA’s requirements — including by purchasing it from data brokers. Congress should fill the holes in FISA’s exclusivity provision and bar the government from buying its way around FISA and other legal restrictions on governmental access to Americans’ data.
FISA’s Outdated Geographical Distinctions
As a general matter, FISA applies when the government collects foreign intelligence inside the United States or from U.S.-based companies. (A significant exception to this rule is discussed in the next section of this post.) When the government collects foreign intelligence abroad, it generally relies on claims of inherent presidential authority, as regulated by Executive Order (EO) 12333 and related executive branch policies. The distinction has critical consequences; as explained further below, there are exceedingly few legislative protections for Americans’ privacy when the government conducts surveillance under EO 12333, and such surveillance is not subject to review or approval by any court.
As I explained in comments to the Privacy and Civil Liberties Oversight Board (PCLOB) last November, a geographic limitation on FISA’s reach might have made some sense in 1978, when surveillance inside the United States generally meant surveillance of Americans and surveillance abroad generally meant surveillance of foreigners. To be sure, FISA did not restrict the government’s ability to collect communications between foreigners and Americans when the surveillance took place overseas or was accomplished by satellite. Nonetheless, the volume of international communications in 1978 was exponentially smaller than it is today. Communications were generally ephemeral and had to be captured in transit; they did not rest in electronic storage for years or decades. And there were significant technological limitations on storing, processing, and analyzing data. These factors greatly limited overseas collection of Americans’ international communications.
As for purely domestic communications, they were transmitted almost entirely through wires inside the United States (and therefore covered by FISA). Today, communications are routinely routed and stored all over the world, in places far removed from the points of origin and receipt. Indeed, the fact that purely foreign communications could be handled by internet service providers inside the United States — which, under FISA as originally enacted, would have triggered the requirement to obtain a probable-cause order — is one of the main reasons the government sought to “modernize” FISA in 2008 through the enactment of Section 702.
The government showed markedly less interest in the other half of this problem: the fact that purely domestic communications and other personal data are routinely routed and stored abroad. In some cases, this could remove them from FISA’s protections and expose them to EO 12333 surveillance. Congress did extend FISA to cover the intentional targeting of Americans who are themselves located overseas, and EO 12333 policies generally prohibit targeting Americans or intentionally collecting domestic communications. These limits, however, are subject to various caveats and exceptions. Moreover, they have little practical effect when the government engages in bulk collection — a dragnet approach in which the government does not identify particular targets. Bulk collection is prohibited under FISA, but permitted under EO 12333.
In February 2022, through the efforts of Senators Ron Wyden and Martin Heinrich, Americans learned that the CIA has for years been conducting bulk collection programs under EO 12333 that pull in Americans’ data. One set of activities includes the bulk acquisition of information about financial transactions involving Americans and others. Another program collects an unspecified type of data, but the CIA’s sparse public statements on the program suggest that it impacts “Americans who are in contact with foreign nationals,” which implies that it involves communications records. A document that was partially declassified by the CIA shows that intelligence analysts query the data acquired under this program for information about U.S. persons, and that they do so without recording the justification for the queries — making it virtually impossible to conduct even internal oversight.
Even when EO 12333 surveillance is targeted at identified foreigners (rather than conducted in bulk), it will acquire the communications of Americans in contact with those targets, just as Section 702 surveillance does. As a result of the explosion in international communication mentioned above, the volume of such “incidental” collection is likely immense. The collection of communications between foreign targets and Americans squarely implicates the Fourth Amendment, as the FISA Court has recognized in the Section 702 context. Congress clearly shares this understanding, having included minimization and FISA Court oversight as critical elements of Section 702. Even though these measures have failed to protect Americans’ privacy (as I explained in Part I of this series), they still far exceed the protections established by EO 12333 and its implementing policies.
Consider, for instance, the role of the courts. Under Section 702, the FISA Court reviews the government’s targeting, minimization, and querying procedures on an annual basis to determine whether they comport — both on paper and in practice — with the statute and the Constitution. The FISA Court also reviews any significant instances of non-compliance, which the government is required to report, and may order appropriate remedies. There is no such oversight — indeed, no judicial oversight whatsoever — for surveillance that takes place under EO 12333. Similarly, the government is required by statute to notify criminal defendants if it relies on evidence obtained or derived from FISA surveillance (including Section 702), but there is no such statutory requirement if the government uses evidence obtained or derived from EO 12333 surveillance. In short, as a practical matter, no court can step in if the government operates EO 12333 surveillance in ways that violate the order, statutory law, or the Constitution.
There are also fewer limits on backdoor searches of EO 12333-acquired data, particularly those performed by the CIA and FBI. The CIA’s EO 12333 procedures permit U.S. person queries for any information “related to a duly authorized activity of the CIA.” That’s a much broader standard than the one contained in the CIA’s Section 702 querying procedures, under which queries “must be reasonably likely to retrieve foreign intelligence information, as defined by FISA.” The gulf is even wider for the FBI. The bureau’s Section 702 querying procedures state that U.S. person queries “must be reasonably likely to retrieve foreign intelligence information, as defined by FISA, or evidence of a crime” — and in one small subset of cases, FBI agents must obtain a court order before viewing the results of U.S. person queries (although to date, they have entirely failed to comply with this mandate). By stark contrast, there are no specific restrictions on FBI queries of data obtained under EO 12333. The only limitation is a general admonition, set forth in the Attorney General’s Guidelines for Domestic FBI Operations, that “[a]ll activities under these Guidelines must have a valid purpose consistent with these Guidelines, and must be carried out in conformity with the Constitution and all applicable statutes, executive orders, Department of Justice regulations and policies, and Attorney General guidelines.”
As I wrote in my comments to the PCLOB:
“There is no justification for giving lesser protection to Americans’ constitutional rights based solely on where the data was obtained. If anything, the privacy implications of EO 12333 surveillance for Americans are likely even greater than those of Section 702. The government has acknowledged that the majority of its foreign intelligence surveillance activities take place under EO 12333. Accordingly, it reasonable to expect that there is more “incidental” collection of Americans’ information under EO 12333 than under Section 702, even when such surveillance is targeted. And, of course, bulk collection has the potential to sweep in Americans’ data in amounts that far exceed what normally occurs during targeted surveillance.”
In short, the lack of legislative limits and judicial oversight for EO 12333 surveillance is a constitutionally untenable anachronism, rooted in modes and methods of communication that no longer exist. To close this gap and complete the modernization of FISA, Congress should enact rules for any EO 12333 activities that result in the collection of Americans’ information.
Such activities should be treated similarly to collection under Section 702. In other words:
- Congress should prohibit the targeting of Americans under EO 12333.
- Congress should require the government to minimize the retention, sharing, and use of Americans’ information that is “incidentally” acquired under EO 12333. One of the few statutory limits on EO 12333 surveillance is a requirement to delete any unencrypted U.S. person information after 5 years if it does not constitute foreign intelligence or evidence of a crime; however, there is a broad “national security” exception that greatly weakens the force of this provision.
- Just as Congress should close the backdoor search loophole under Section 702, it should do the same for EO 12333, requiring the government to obtain a warrant or FISA Title I order before conducting U.S. person queries of the data.
- Congress should subject EO 12333 programs that result in the collection of Americans’ data to FISA Court oversight, including annual court approval of minimization and querying procedures.
- Congress should require the government to inform criminal defendants when using evidence obtained or derived from EO 12333 surveillance.
- Because bulk collection poses unique risks to Americans’ privacy (not to mention the privacy of countless foreign nationals who pose no threat whatsoever to the United States), Congress should prohibit the practice, or at least tightly limit its availability — e.g., to geographic areas of active or impending hostilities.
In implementing these changes, Congress need not call into question the president’s constitutional authority to conduct surveillance of foreigners abroad. But where such surveillance extends beyond foreigners themselves and sweeps in the Fourth Amendment-protected information of Americans, there can be no question regarding the necessity and appropriateness of legislative and judicial involvement. As the Supreme Court has made clear, the Constitution “most assuredly envisions a role for all three branches when [Americans’] individual liberties are at stake.”
FISA’s Flawed “Exclusivity” Provision and the Data Broker Loophole
FISA provides the government with a range of authorities that can be used in foreign intelligence investigations, including the authority to acquire communications content; to conduct physical searches; to install a pen register or trap-and-trace device to obtain communications metadata; and to collect business records from third parties. All these authorities come with substantive restrictions and procedures that the government must follow, including obtaining approval by the FISA Court.
After 9/11, however, the government found a way to free itself from these constraints. Executive branch lawyers asserted that “the President has inherent constitutional authority to conduct warrantless searches and surveillance within the United States for foreign intelligence purposes” — a prospect that the Supreme Court has never endorsed. This claim meant that the government could simply choose which authority to use: FISA, with its attendant restrictions and procedures; or the president’s inherent authority, which comes with no such limitations. Unsurprisingly, the government chose Option 2, launching a program code-named “Stellar Wind” to collect communications between suspected foreign terrorists and Americans without obtaining a FISA Title I order, as the law then required.
After the program was made public, Congress passed the FISA Amendments Act of 2008, which included Section 702. Through this law, Congress gave its blessing to some aspects of Stellar Wind. However, Congress also sought to prevent the government from evading the restrictions and procedures of FISA in the future. It did so by clarifying and bolstering FISA’s “exclusivity” provision, which provides that FISA, along with various criminal law provisions authorizing electronic surveillance, “shall be the exclusive means by which electronic surveillance and the interception of domestic wire, oral, or electronic communications may be conducted.”
This “exclusivity” provision is vital to the effectiveness of FISA. Its scope, however, is limited. FISA’s highly technical definition of “electronic surveillance” excludes many types of collection authorized by the statute. For instance, it applies only to the collection of communications (including content and some types of metadata), not other types of sensitive information about Americans. In addition, its application to third parties’ production of stored records is at best unclear. The government can thus claim that certain provisions of FISA — including Section 702 itself, to the extent it authorizes collection activities that do not qualify as “electronic surveillance,” as well as the provisions governing physical searches and the collection of some third-party records — are not the exclusive means by which such activities may be conducted, and that the government may ignore the restrictions and procedures contained in such provisions.
There’s every reason to believe that’s happening now. In 2020, Congress was debating whether to reauthorize Section 215, the so-called “business records” provision of FISA that the NSA relied on to collect Americans’ phone records in bulk. Senator Richard Burr — who then chaired the Senate Select Committee on Intelligence — warned that if Section 215 expired, “the president under 12333 authority can do all of this without Congress’s permission, with no guardrails.” The authority indeed expired (although pending investigations were grandfathered), and the conspicuous absence of any serious government efforts to reinstate it strongly suggests that the government is obtaining the same information through other means.
That’s alarming, because the information that the government may obtain under Section 215 and other provisions of FISA not fully covered by the exclusivity provision can be extremely sensitive. Take the phone records that were the subject of the NSA’s bulk collection program.
After Edward Snowden’s disclosure of the program, experts explained how communications “metadata” — a term many Americans had never encountered — could be crunched to reveal people’s associations, activities, and even beliefs. Geolocation information can similarly reveal the most intimate aspects of people’s private lives. Indeed, for that very reason, the Supreme Court in Carpenter v. United States (2018) held that police need a warrant to obtain a weeks’ worth of geolocation information from a cell phone company.
If the government wanted to obtain such information without adhering to FISA, one workaround would be to purchase it from data brokers. This appears to be an increasingly common practice among federal agencies. In one particularly worrisome example, Vice News reported that “[m]ultiple branches of the U.S. military have bought access to a powerful internet monitoring tool that claims to cover over 90 percent of the world’s internet traffic, and which in some cases provides access to people’s email data, browsing history, and other information such as their sensitive internet cookies.” Additionally, multiple agencies have reportedly purchased access to Fourth Amendment-protected cell phone location information, including the Federal Bureau of Investigation (as recently confirmedby FBI Director Chris Wray), the Drug Enforcement Administration, the Internal Revenue Service, multiple components of the Department of Homeland Security, the Secret Service, and the Department of Defense.
The government’s purchase of Americans’ cell phone location information would seem to violate Carpenter’s holding that the government needs a warrant to obtain such information. Agencylawyers, however, have interpreted Carpenter to apply only when the government compels companies to disclose location information. When the government merely incentivizes such disclosure — by writing a check — the warrant requirement conveniently disappears. At that point, the argument goes, the government may obtain this Fourth Amendment-protected information in unlimited quantities without any individualized suspicion of wrongdoing, let alone probable cause and a warrant. This is legal sophistry, but it could take years for the courts to resolve the issue. In the meantime, the government has effectively sidelined the Fourth Amendment when it comes to data purchases.
Another apparent barrier to these purchases — the Electronic Communications Privacy Act (ECPA) — has also proven inadequate. ECPA prohibits phone and Internet companies from disclosing customer records to government agencies unless the government produces a warrant, court order, or subpoena. But it includes broad exemptions for foreign intelligence surveillance. Moreover, the law is woefully outdated. It does not cover app developers or digital data brokers, for the simple reason that they did not exist in 1986, when the law was passed. As I testified before the House Judiciary Committee last July:
This gap creates an easy end-run around the law’s protections. Companies that are prohibited from selling their data to the government can sell it to a data broker — a disturbingly common practice — and the data broker can resell the same information to the government, at a handsome profit. The information is effectively laundered through a middleman.
These combined gaps — in FISA, in the government’s reading of Fourth Amendment case law, and in ECPA — leave the government free to collect some of the most sensitive information Americans generate, and to do so inside or outside the United States, without statutory authorization or judicial oversight. That is presumably how the CIA came to operate a bulk collection program that pulls in Americans’ data, to be retrieved through backdoor searches and used for unknown purposes
For foreign intelligence investigations, there’s a simple way to fix the problem: amend FISA’s exclusivity rule to encompass all of FISA’s provisions. Specifically, Congress could provide that the provisions of FISA, insofar as they authorize the collection of Americans’ information or searches of Americans’ property, constitute the exclusive means by which such collection or searches may occur for foreign intelligence purposes. Without this modest step, many of the protections Congress wrote into FISA will become largely optional.
But Congress should go further and use the opportunity presented by the Section 702 sunset to close the data broker loophole completely — that is, not just for foreign intelligence investigations. Congress should make clear that the government may not purchase Americans’ personal information in any situation where it would otherwise require a warrant, court order, or subpoena to obtain the same information. The Fourth Amendment Is Not For Sale Act, a bill introduced in the last Congress by Senators Ron Wyden and Rand Paul and by Representatives Jerrold Nadler and Zoe Lofgren, would go a long way toward accomplishing this goal.
***
Lawmakers on both sides of the aisle can surely agree on this basic principle: There should be no collection of Americans’ communications or other highly sensitive information that takes place outside of any statutory framework and beyond the reach of the courts. There are gaps in FISA’s coverage, however, that are producing exactly that result. If Congress doesn’t fill these gaps, any reforms to Section 702 will have limited effect, as the government will be able to obtain much of the same information — with far fewer constraints — entirely outside the FISA framework.