Skip Navigation
Analysis

Secret Law Is Not the Solution to an Overbroad Surveillance Authority

A new provision uses classified information to define the scope of spying powers. There’s a better way.

June 11, 2024

This article first appeared at Just Security.

When the House passed legislation to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA) in April, it included a new provision that Senator Ron Wyden described as “one of the most dramatic and terrifying expansions of government surveillance authority in history.” Concern over the provision mounted in the Senate and threatened to derail the law’s renewal. Anxious to secure reauthorization before Section 702 expired, the chairman of the Senate Select Committee on Intelligence (SSCI), Senator Mark Warner, promised to work with other senators to narrow the provision in subsequent legislation.

To his credit, Senator Warner has made good on that promise; but the cure that SSCI has chosen is nearly as bad as the disease. The committee has created a dangerous new form of “secret law,” in which the legal parameters for surveillance—rules that bind not only the government, but private parties—are themselves classified. There is a much better solution available: Congress can legislate both responsibly and openly, as long as the administration declassifies certain information that is already in the public domain.

A Dramatic and Terrifying Expansion of Government Surveillance Authority

The provision at issue is a seemingly innocuous change to the statutory definition of “electronic communication service provider” (ECSP)—i.e., the type of entity that may be compelled to assist the government in conducting Section 702 surveillance.

In brief, Section 702 allows the government to target almost any foreigner abroad and collect their communications for the purpose of acquiring foreign intelligence. The government accomplishes this surveillance by serving directives on U.S.-based ECSPs requiring them to provide assistance. The law’s original definition of “electronic communication service provider” encompassed companies, like Verizon and Google, that have direct access to communications. The government would provide those companies with the “selectors” of foreign targets (e.g., email addresses or phone numbers), and the companies would turn over the communications associated with those selectors.

In 2022, the government served a Section 702 directive on a company that was recently revealed by the New York Times to be a data center for cloud computing. The data center argued that it did not qualify as an ECSP under the statutory definition, and the Foreign Intelligence Surveillance Court (FISC) agreed. The Biden administration thus decided to seek an amendment expanding the ECSP definition. But it did not want to specify the type of provider at issue, as that information was (and remains) classified. So instead of amending the definition to include data centers, the administration worked with allies in Congress to develop an amendment that was deliberately vague and overbroad, in an attempt to hide the specific intent behind it.

The resulting provision was a truly breathtaking expansion of surveillance authority. It amended the definition of ECSP to include the provider of any type of service whatsoever—as well as any officer, employee, custodian, or agent of such provider—that has access to equipment that may be used to transmit communications. On its face, this definition sweeps in almost every business in the United States. Most businesses provide some type of “service,” and every business has access to equipment on which communications may be transmitted (e.g., phones, computers, servers, or wifi routers).

In response to criticism of an early version of the amendment, its drafters excluded hotels, libraries, food service establishments, and a handful of other entities. The vast majority of businesses, however—including laundromats, barber shops, fitness centers, dentist’s offices, and hardware stores—still fell within the new definition. So did the commercial landlords that lease the office space where tens of millions of Americans go to work every day.

Moreover, unlike Verizon and Google, most of the businesses encompassed by the expanded definition lack the technical ability to isolate and turn over specific communications. Their compelled “assistance” would likely take the form of giving National Security Agency (NSA) personnel direct access to their communications equipment—and to all of the communications transiting over, or stored on, that equipment. Although the NSA would be legally authorized to collect and retain only the communications of Section 702 targets, such unprecedented access to domestic communications streams would carry enormous potential for abuse.

The amendment was unveiled three days before the House voted on it. House intelligence committee members described it as a narrow fix to a specific FISC decision; members accepted this characterization and passed it by a significant margin. But when the bill was sent to the Senate, Senator Wyden sounded the alarm. It quickly became clear that, even if the circumstances prompting the amendment were narrow, the solution was anything but. Several senators, Democrat and Republican, introduced amendments to strip the provision from the bill.

Had the Senate voted to remove the provision, the bill would have had to go back to the House, delaying reauthorization and guaranteeing a temporary lapse in Section 702. Faced with this prospect, Senator Warner conceded the point that his House counterparts had refused to admit: the amendment was overbroad (or, in his words, “could have been drafted better”). He publicly committed to working with concerned colleagues “to see if we can improve the definition of the ECSP before the next sunset, including through any legislative vehicle between now and then.” Based on that commitment, a majority of senators voted to pass the House version of the bill without amendment, and President Biden signed it into law.

The SSCI Solution: Using Secret Law to Rein In Overbroad Surveillance Powers 

At the time Senator Warner made his pledge, civil liberties advocates were skeptical. I tweeted that the Senate “should not enact a terrifying expansion of government surveillance authorities based on one member’s unenforceable half-promise to ‘take it back later.’” I worried that Senator Warner might agree to narrow the provision in ways that would still leave it far too broad—e.g., by excluding a few additional categories of businesses. Or he might engage in negotiations with concerned colleagues in a show of good faith, but ultimately declare the issue too thorny to resolve.

He did neither of those things. The recently unveiled Intelligence Authorization Act (IAA) includes a provision that effectively narrows the problematic ECSP provision to precisely the category of companies at issue in the FISC opinion that prompted the original amendment. It also requires reporting to the relevant committees of Congress (including the judiciary committees, which are often forgotten in intelligence committee legislation), and it allows the FISC to preemptively review directives that are issued to companies that fall within the new category.

Senator Warner deserves credit for following through on his commitment (and other members, no doubt, for holding him to it). But while the solution in the intelligence authorization bill solves one problem, it creates another one that is nearly as dangerous. Rather than specify the type of company at issue (i.e., data centers for cloud computing), the IAA language narrows the new definition to providers of “the type of service at issue in the covered opinions.” “Covered opinions,” in turn, are defined to include two specific opinions: the FISC opinion holding that data centers do not qualify as ECSPs, and the Foreign Intelligence Surveillance Court of Review’s decision upholding that ruling. Both decisions have been publicly released, but with substantial redactions that include the type of company at issue in the case. That means the new legal parameters for permissible surveillance are a secret, known only to those with the requisite security clearance and authorization.

To be fair, this is not a problem of SSCI’s making—at least not primarily. Short of identifying data centers by name, incorporating the opinions by reference is the only way to precisely conform the language of the provision to its intent. While Congress is free to legislate on classified matters and members would violate no law by naming data centers, vanishingly few members would feel comfortable disclosing classified information in legislation. So they have resorted instead to “secret law.”

The Perils of Secret Law

As the Brennan Center expounded in a 2016 report, “secret law” is a common feature of repressive regimes, but it is widely considered to be anathema to democratic societies. Secrecy undermines the moral authority and legitimacy of law. At the most basic level, secret law denies the people the ability to shape the rules that govern official conduct through the democratic process. It also prevents people from holding the government accountable for violations of the law, which in turn renders such violations much more likely. And it weakens checks and balances, as both legislative and judicial oversight operate less effectively under the constraints imposed by secrecy.

Of course, some of these harms can result from government secrets of all kinds, not just secret law. And national security operations often rely on some degree of secrecy. But as the Brennan Center’s report explains:

[The] law is different. It is both more durable and more general than other types of government action: it constrains or authorizes government action across a range of circumstances for (usually) a long period of time. It also serves a function of political self-definition that the individual actions of government actors do not. The law is meant to express the values and norms held by a society. Secret law alienates people from the society in which they live.

Unfortunately, there are large and growing pockets of secret law in the United States—but they are mostly confined to the executive and judicial branches. The best-known example is legal interpretations issued by the Department of Justice’s Office of Legal Counsel. These interpretations have the force of law because they are binding on the executive branch, yet they are often withheld from the public. In addition, until a decade ago, FISA Court opinions were almost always secret. Only after Edward Snowden’s disclosures, followed by Congress’s enactment of surveillance reform and transparency legislation (the USA FREEDOM Act), did the government begin declassifying and releasing large portions of significant FISC opinions.

There is some precedent for secret law in Congress. The committee reports accompanying intelligence and defense appropriations and authorization acts frequently include classified annexes. While neither the reports nor the annexes are themselves “law,” Congress has sought to turn various provisions of classified annexes into law by incorporating them by reference into the actual bills. And while none of the annexes has become public, the wording of some of the incorporation provisions indicates that they are incorporating not only funding and personnel allocations, but substantive regulations.

For instance, the 2004 defense appropriations act authorized a program for “[p]rocessing, analysis, and collaboration tools for counterterrorism foreign intelligence, as described in the Classified Annex.” The defense appropriations act for the following two years allocated a total of $4.8 billion for “classified programs, described . . . in the classified annex.” In 2014, the Washington Post reported that a classified annex prohibited relocating the drone strike program from the CIA to the Department of Defense.

What makes the new ECSP definition different, and the reason it sets a dangerous precedent, is that it may be the first time Congress has used secret law to impose legal requirements on private parties. The government will rely on the new definition to serve directives on companies. Those companies will not have access to the FISC opinions—the reference points used in the statute itself—that reveal whether they are properly subject to Section 702 directives. In other words, they will not know whether they are legally required to comply with the directive.

The IAA provision attempts to address this issue by requiring the government to provide the companies with “a summary description of the services at issue in the covered opinions.” But as every lawyer knows, when applying the law to facts, the devil is always in the details. A summary of the law (provided by a party that is far from disinterested) cannot substitute for the law itself. At the same time, many companies have limited resources and appetite for taking on legal battles that have uncertain outcomes. A company that might have contested a directive if it had access to the law might well decide not to contest it if presented with a persuasive-sounding summary.

Fundamentally, Americans have a right to know what the law authorizes and what it forbids when it comes to surveillance that is conducted by U.S. agencies, takes place on U.S. soil, requires the cooperation of U.S. companies, and results in the collection (even if “incidental”) of Americans’ communications. If Congress adopts secret law as the solution to the overbroad ECSP definition, we may well see additional laws in the future granting the government secret domestic surveillance authorities spelled out in classified annexes.

The Path Forward: Discretionary Declassification

There is a better solution. The Biden administration can—and should—declassify the fact that the company at issue in the FISC decision that triggered the new ECSP definition is a data center for cloud computing.

The executive order governing classification allows agency heads or senior agency officials to declassify information as a matter of discretion if “the public interest in disclosure outweighs the damage to the national security that might reasonably be expected from disclosure.” That test is clearly met here. The public has an overriding interest in knowing what the law is. Indeed, avoiding secret law is such a vital imperative, it is not clear that it should ever be outweighed by claims of possible national security harm. At a minimum, only the most grievous and certain threat to national security should place the public nature of the law in question.

In this case, the national security risk of declassification is negligible at best, because the information is already squarely in the public domain (albeit without the administration’s confirmation). As noted above, the New York Times revealed in April that the FISC decision at issue involved a data center for cloud computing. During the Senate debate over this provision, multiple senators either stated or implied that the provision was intended to address data centers. Senator Warner himself, who has access to the FISC opinions in question, confirmed this information:

Now, why has this suddenly now become such an issue? Well, one of those communications providers—remember I talked about clouds, data centers, how these networks come together and how network traffic is intertangled at these data centers? One of these entities that controlled one of those new enterprises that didn’t exist in 2008 said: Well, hold it. You can’t compel us to work with the American government because we don’t technically fit the definition of an electronic communications service provider. And the fact was, the company that raised that claim won in court. So what happened was, the FISA Court said to Congress: You guys need to close this loophole; you need to close this and change this definition. So that is where a lot of this debate has come from.

To be sure, the government takes the position that official confirmation of information that has already been made public can still lead to national security harms in some cases—for instance, where that confirmation would strain relationships with a foreign partner, or where the veracity of the source who made the information public is in significant doubt. But this is not one of those occasions. If any foreign targets are paying attention to what types of U.S. companies are subject to Section 702—and changing their behavior in response—they are surely not waiting for official confirmation before acting on information from a respected national security reporter and the Senate intelligence committee chairman.

Of course, one could argue that the IAA reworking of the ECSP provision isn’t truly “secret law” for the same reason: it is widely known that the provision addresses data centers. As noted above, however, the precise wording of the law is important when it comes to questions of compliance—whether by the government, or by the companies that are served directives. Perhaps more important, using classified information to define the scope of surveillance powers creates a precedent that could be followed in cases where that information is not in the public domain.

On May 9, more than thirty organizations, including the Brennan Center, sent a letter to Attorney General Merrick Garland and Director of National Intelligence Avril Haines urging them to declassify the information needed for Congress to legislate responsibly. To date, there has been no response to this request. But there is still time; there will be opportunities, either through floor votes or in conference, to amend the bill before it is passed. The administration should move quickly to release Congress from the Hobson’s choice it now faces: enact a surveillance provision that is necessarily imprecise and overbroad, inviting abuse, or resort to secret law.