This article was first published at Just Security.
On Oct. 7, President Biden issued an executive order establishing rules for “signals intelligence activities”—basically, electronic surveillance—conducted by the United States for foreign intelligence purposes. The immediate purpose of the order is to pave the way for an agreement between the United States and the European Union (EU) governing data transfers between EU and U.S. companies. Previous versions of that agreement were invalidated by the Court of Justice of the European Union (CJEU) because U.S. law doesn’t adequately safeguard EU citizens’ privacy. The executive order attempts to cure that defect by extending greater privacy protections to foreign nationals.
Does the order succeed? It certainly gives foreign nationals more protection against unfettered surveillance than they previously had. The creation of a hybrid governmental-private court to hear foreign nationals’ claims of unlawful surveillance is particularly significant. However, the scope of permissible surveillance remains far too broad—indeed, the executive order expressly permits bulk collection of signals intelligence. That’s a problem, not only for the viability of the new U.S.-EU agreement, but for the privacy rights of Americans who get swept up in foreign intelligence surveillance. Only fundamental reform by Congress can solve that problem.
This two-part series will examine how the executive order impacts privacy rights. Part I will focus on the substantive criteria for the collection and use of signals intelligence. Part II, by Ashley Gorski of the American Civil Liberties Union, will delve into the provisions of the order establishing a process to resolve allegations of unlawful surveillance.
The Surveillance at Issue
Before evaluating the order’s impact on privacy, it’s important to understand the type of surveillance at issue. The order doesn’t supplant the Foreign Intelligence Surveillance Act (FISA), which, for the most part, affords more protection to Americans than the order does. (“Americans” is used here as shorthand for U.S. citizens and residents, known as “U.S. persons” under the law.) The order’s main application, therefore, is to surveillance that doesn’t target specific Americans. Such surveillance is governed by Section 702 of FISA or Executive Order (EO) 12333, depending on where the collection itself takes place. In general, collection inside the United States or from U.S. companies (Section 702) is subject to legislative limitations and judicial oversight by the Foreign Intelligence Surveillance Court (“FISA Court”), while collection outside the United States (EO 12333) is not.
Even though Section 702 and EO 12333 surveillance activities may not target specific Americans, they have an enormous impact on Americans’ privacy. For one thing, such surveillance acquires any communications between foreign targets and Americans. More broadly, under EO 12333, there is no requirement for surveillance to be “targeted” at all: The U.S. government can and does engage in bulk collection of communications and other data. Because Americans’ communications are routinely routed through or stored in other countries, bulk collection overseas inevitably sweeps in not only Americans’ international communications, but purely domestic communications as well. Under both Section 702 and EO 12333, agency officials are allowed in most cases to search through the collected information for Americans’ data without obtaining a warrant.
Additional restrictions on Section 702/EO 12333 surveillance are thus critical for Americans’ privacy, as well as for data transfers from EU to U.S. companies. Until last week, there were effectively no substantive restrictions on EO 12333 collection: EO 12333 defines “foreign intelligence” to include information relating to the activities of any foreign person or entity. Under Section 702, “foreign intelligence” has a somewhat more restrictive definition, but still includes any information that “relates to” either “the national defense or the security of the United States” or “the conduct of the foreign affairs of the United States.” Both standards permit the targeting of individuals who pose no threat to our nation’s security.
Legitimate Objectives of Surveillance
The new order imposes additional substantive restrictions by defining twelve “legitimate objectives” of collection. These objectives include, among others, assessing the capacities of foreign governments; protecting against terrorism and espionage; safeguardingthe integrity of elections and political processes; and understanding climate threats. The order tasks the Office of the Director of National Intelligence’s Civil Liberties Protection Officer with “validating” the intelligence priorities established by the Director of National Intelligence—which serve as the basis for all intelligence collection activities—to ensure they advance one or more of the objectives.
In one sense, the establishment of objectives for EO 12333 surveillance represents a significant advance for foreign nationals’ privacy, as such surveillance was effectively unlimited before this order. Even as applied to Section 702 surveillance, the twelve objectives effectively narrow the statutory definition of “foreign intelligence” set forth in the statute. However, there are important caveats.
As for the objectives themselves, they seem reasonable on their face, but the devil is in the details. For instance, one objective would allow surveillance to understand or assess the capabilities, intentions, or activities of a foreign government, a foreign military, a faction of a foreign nation, or a “foreign-based political organization.” The first three terms seem self-explanatory, but the scope of the last term is less clear. Could it include, for example, a non-governmental organization advocating for political reform? There are also objectives that permit surveillance to protect “government property” and to protect against “transnational criminal threats.” Presumably these are not meant to encompass cases of minor vandalism or petty crimes, but the objectives themselves incorporate no threshold level of seriousness.
More concerning, the order gives the president authority to expand the list of objectives—and to do so secretly, if publishing the updated list “would pose a risk to the national security of the United States.” The order thus expressly endorses the possibility of secret law, including its most pernicious variant: a set of secret rules that differs from the publicly available version, thus actively misleading the public. It’s hard to imagine that the CJEU will be satisfied with a set of paper constraints that might or might not match those actually in force.
Finally, even without the ability to engage in secret amendments, there are inherent shortcomings in attempting to narrow surveillance by setting forth permissible objectives rather than placing limitations on who may be targeted. Constraints on objectives do not necessarily translate into constraints on surveillance. For instance, one of the objectives permits surveillance to protect against foreign threats to cybersecurity. While the goal is clearly legitimate, protecting cybersecurity could in theory justify constant monitoring of any and all Internet activity. Indeed, the order expressly contemplates bulk collection—confirming that, at least in some cases, the adoption of specific objectives will not limit the scope of collection at all.
Bulk Collection
Bulk collection—the collection of communications or other data not tied to any particular surveillance target—is inherently problematic, because it inevitably results in the collection of private information that the government has no legitimate need to collect. The EO attempts to mitigate the privacy incursion through back-end “minimization” requirements, which include limiting the retention of non-pertinent data. But these requirements roughly mirror those currently in place for U.S. persons, under which agencies may retain data for five years or even longer in many cases. As discussed further below, these post-collection constraints do not and cannot cure the massive intrusion on privacy that bulk collection entails.
To engage in bulk collection, an element of the Intelligence Community must determine that it is necessary to do so. The order’s “necessity” standard, however, applies to all forms of surveillance, bulk and otherwise. Requiring such a finding for bulk collection does not impose any further limitation on this particularly dangerous form of surveillance. All it does is endorse the notion that bulk surveillance may sometimes be necessary. The order also requires intelligence agencies to apply “reasonable methods and technical measures” to limit the acquisition of non-pertinent data. But without additional information about what these measures are, how well they work, and what will lead intelligence agencies to deem them “reasonable,” it is impossible to assess whether this requirement will have any measurable impact.
The order contains some limits on how the government may use information collected in bulk. These limits are actually somewhat less restrictive than those set forth in Presidential Policy Directive 28 (PPD-28) issued by President Obama, which the new order replaces. They are actualized through a weak requirement that queries of bulk-collected data be “consistent” with such uses, which could in theory permit a query based on the smallest possible chance that it might return relevant information (as opposed to a requirement that a query be reasonably likely to return relevant information). And once again, the order authorizes the president to loosen these restrictions in secret.
The CJEU has held that bulk collection, as a general matter, violates international law. In the court’s words: “Legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter [of Fundamental Rights of the European Union].” The order’s authorization of bulk collection accordingly could be sufficient to scuttle the U.S.-EU agreement, as well as undermining the privacy rights of Americans and foreign nationals across the globe.
The “Necessary and Proportionate” Test
The U.S. government’s use of bulk collection—and the scope of any targeted collection—ostensibly would be limited by the order’s requirement that surveillance be necessary to advance, and proportionate to, a validated intelligence priority. “Necessity” and “proportionality” are key terms under international law; they are the primary legal yardstick by which European courts will measure U.S. surveillance authorities. On their own, however, they are too vague and subjective to provide much guidance. Unless the United States intends to rely on the body of international case law interpreting and applying these terms, their inclusion in the order is little more than legal window dressing.
The Department of Justice has disclaimed any such intent. In regulations accompanying the issuance of the executive order, the Department stated that “[t]he Executive Order of October 7, 2022 and its terms shall be interpreted . . . exclusively in light of United States law and the United States legal tradition, and not any other source of law” (emphasis added). It is one thing to acknowledge the truism that the United States is not bound by non-U.S. courts in this context. It is another altogether to assert that the United States will rely onlyon U.S. law, without considering international courts’ rulings, in construing terms borrowed from international law. This pronouncement gives little confidence that the “necessary and proportionate” test will be applied in a way that provides any meaningful check on U.S. surveillance activities.
Indeed, the proportionality test set forth in the order is already flawed. The order requires that surveillance activities be conducted in a manner proportionate “to the validated intelligence priority for which they have been authorized.” Although the National Intelligence Priorities Framework is classified, much of it is reflected in the unclassified Worldwide Threat Assessment, which often describes threats in highly general terms. Such threats have included, for example, “organized crime” and “migration.” Proportionality will thus be considered at an extremely high level of generality, with more important priorities ostensibly justifying broader and more intrusive surveillance.
This odd formulation makes it far too easy to justify bulk or mass surveillance simply by pointing to the importance of the ultimate goal. Instead, the proportionality test should take place at the level of specific surveillance decisions, and it should be based on the likely outcome of that surveillance rather than the general priority it serves. In other words, in any given instance, the level of privacy intrusion—as measured by the type of data obtained, the duration of surveillance, the scope of incidental collection, and other such factors—should be proportionate to the particular information the analyst expects to obtain.
Post-Collection Safeguards
Because the order contemplates mass or even bulk collection of data, its effectiveness relies heavily on back-end protections: limitations on queries, uses, dissemination, and retention. While the order’s minimization requirements protect non-U.S. persons’ privacy to a similar extent as that of Americans, these protections are far too weak. For instance, as noted above, non-pertinent information generally can be retained for five years, with multiple exceptions allowing for even longer retention. Additionally, while agencies’ own policies may include greater restrictions, the order itself allows agencies to search for Americans’ information based on an internal assessment that the information will be used for permissible purposes. That’s a far cry from the probable-cause warrant that the Constitution demands when the government accesses communications content, geolocation data, and other Fourth Amendment-protected information
Moreover, any system that depends on agencies limiting their own access to data they have already collected is bound to fail. The 15-year track record for Section 702 surveillance leaves no doubt on this point. Agency officials frequently tout the rigorous and multi-layered internal oversight mechanisms designed to ensure adherence to Section 702’s post-collection limitations. And yet, time and again, these same agencies have violated those limitations, as made clearin published FISA Court opinions and surveillance transparency reports. In many cases, agencies have compounded their violations by providing inaccurate or misleading information to the FISA Court. Compliance problems will almost certainly be even more widespread under EO 12333 because the order does not provide for regular judicial oversight.
Of course, some reliance on back-end limitations is necessary. Even narrowly targeted surveillance will result in some degree of incidental collection. But such reliance should be minimized; the emphasis should be on ensuring that collection is as narrowly tailored at the outset as possible, which the order fails to do. In addition, post-collection constraints must be subject to oversight by the FISA Court. Finally, any access to Americans’ Fourth Amendment-protected information should be conditioned on the government obtaining a warrant, either from the FISA Court during a foreign intelligence investigation or in a regular Article III court during a criminal one.
The Need for Legislative Action
Ultimately, protecting the privacy of Americans and foreign nationals alike will require Congress’s intervention. Given the significant impact of EO 12333 surveillance on Americans’ privacy, it is high time lawmakers set forth some basic rules for its conduct. They can accomplish this by amending FISA to bring at least some aspects of EO 12333 surveillance within its auspices. And for both EO 12333 and Section 702 surveillance, lawmakers should ensure that collection is appropriately targeted and that the information collected under these programs cannot be used as a source of warrantless access to Americans’ data.
More specifically:
- Congress should prohibit bulk collection.
- Under Section 702, surveillance should be limited to foreign powers or agents of foreign powers—terms that are broadly defined under FISA to include international terrorists, factions of foreign governments, and entities under foreign governments’ control.
- The permissible objectives set forth in the order should be codified and tied to restrictions on permissible targets. Specifically, a person may be targeted only if surveillance of that person is reasonably likely to provide information that will advance one of the objectives. Agencies should document the justification for each targeting decision to facilitate FISA Court oversight.
- The FISA Court should be required to approve the procedures for EO 12333 surveillance annually and to assess whether EO 12333 surveillance, both on paper and in practice, meets all relevant legal requirements. Significant FISA Court opinions should undergo declassification review and be made public to the extent possible.
- Retention limits for data collected under either Section 702 or EO 12333 should be codified and shortened to three years, and the multiple existing exceptions should be eliminated.
- To enable FISA Court oversight, the justifications for queries and disseminations of information collected under EO 12333 should be documented.
- The government should be required to obtain a warrant from either the FISA Court or a regular Article III court before conducting U.S. person queries of Fourth Amendment-protected data obtained under Section 702 or EO 12333. For other types of sensitive information that generally may be obtained only with a court order or subpoena, the government should be required to follow those procedures.
Congress should make these changes as soon as possible, but at a minimum, Congress should incorporate them into any reauthorization of Section 702, which is scheduled to expire in December 2023. Reports suggest that lawmakers are squeamish about reauthorizing Section 702 after a series of foreign intelligence surveillance scandals over the past few years. Although some of these concerns are misplaced (for instance, there is no evidence that the Obama administration was improperly spying on Donald Trump), the extent of governmental non-compliance with the rules governing foreign intelligence surveillance has rightly given lawmakers pause. The changes proposed here would help to address these legitimate concerns. And they would show the rest of the world—including the courts that will review the U.S.-EU data-transfer agreement—that the United States takes seriously its obligations to respect the fundamental privacy rights of all people.