FISA Section 702 Reauthorization Attempts Privacy, Intel Balance

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

FISA Section 702

The Foreign Intelligence Surveillance Act reauthorization attempts to preserve privacy protections while simultaneously preserving a collection authority that the intelligence community believes is critical to stopping national security threats, the author writes.

Andrew B. Serwin

By Andrew Serwin

Andrew Serwin is a partner in Morrison & Foerster LLP’s global privacy and data security practice group in San Diego.

By Andrew Serwin

The Foreign Intelligence Surveillance Act (FISA) has drawn significant recent attention due to the debate over the reauthorization of one of the more controversial provisions, as well as some Congressional concerns about the nature and scope of surveillance generally under FISA. Some of those Congressional concerns, including use of the information that has been gathered under FISA by law enforcement, were addressed in current Senate bill that will be the the 2018 reauthorization. Moreover, certain practices that had been discontinued—about collection under Section 702—appear to have new life, if certain actions are taken by the Executive Branch. Overall, while one can debate the nature of the protections, and whether the right compromises were made, the reauthorization attempted to preserve privacy protections while simultaneously preserving a collection authority that the Intelligence Community believes is critical to stopping national security threats to the U.S. This article addresses what is likely the final Senate bill, which will also likely be the final version of this re-authorization.

FISA is the result of concern over unchecked surveillance within the U.S., and was designed to address the concerns raised before of the Church Committee, which in the early 1970s reviewed alleged abuses of surveillance in the U.S. What is perhaps the most important point is that even though FISA is focused on “foreign intelligence” collections, its true focus is on regulating a subset of those collections—foreign intelligence collections that potentially impact U.S. persons, or “domestic” collections—certain intelligence gathering that occurs in the U.S. FISA does not regulate all foreign intelligence gathering and in fact is not always the exclusive authority for foreign intelligence gathering by U.S. agencies authorized to carry out such activities.

FISA originally just covered electronic surveillance, but it has been repeatedly amended and expanded over the years, including an amendment signed by President Bill Clinton that authorized physical searches. Many amendments were also made in the wake of 9/11, and some of that authority remains. One of those remaining authorities is Section 702.

In response to the terrorist attacks of Sept. 11, 2001, President George W. Bush issued a Top Secret authorization to the Secretary of Defense directing that the signals intelligence (SIGNINT) capabilities of the National Security Agency (NSA) be used to detect and prevent further attacks in the U.S. The Presidential Authorization stated that an extraordinary emergency existed permitting the use of electronic surveillance within the U.S. for counterterrorism purposes, without a court order, under circumstances. This program has been known as the President’s Surveillance Program, as well as its code name, STELLARWIND.

This program was renewed on 30- to 60-day intervals for a number of years, and under this program the NSA intercepted the content, as well as metadata of both U.S. and non-U.S. persons. Ultimately the content collection program that existed under STELLARWIND became what we now know as Section 702, and that pattern of reauthorization has continued since its codification into FISA, albeit at longer intervals. This recent reauthorization is the result of that process.

What is Section 702?

Two programs that have been discussed in the media—PRISM (also known as Downstream) and Upstream—that exist under Section 702 illustrate its importance, and what Section 702 is used for. There are three key components to a 702 request—the certification that is discussed below, the authorization that is then permitted to conduct surveillance, and the directive, which is the method that is used to compel a third-party to provide information.

Section 702 permits the Attorney General and the Director of National Intelligence to jointly and annually certify the criteria for Section 702 requests, and the criteria are then approved by the FISA Court, though the follow-on targeted requests, or authorizations, are not. From there, the government must meet the criteria of the certification, as well as other criteria, but it is then authorized to seek metadata and content regarding the targets of the surveillance. These targets generally are not supposed to be in the U.S. or U.S. persons reasonably believed to be abroad. The government can also compel U.S. companies to assist them with these requests via a directive. There are a number of requirements that the government must meet under Section 702 including targeting procedures, minimization procedures, and guidelines for compliance with limitations that are beyond the scope of this article, but are important to note.

Section 702 focuses on the collection of the content of communications, and not metadata which was the former focus of a different portion of FISA commonly known as Section 215. Once surveillance is authorized it is accomplished by the U.S. government providing selectors (such as an email address) to a U.S.-based company, consistent with the requirements of the certification and 702. PRISM (or Downstream) and Upstream are important to understand when looking at Section 702. The programs accomplish similar goals, but target different forms of electronic communications service providers. PRISM is a program in which U.S. service providers that are not telecommunications “backbone” companies, such as the more traditional internet companies. Upstream differs in that the request is sent to U.S. companies that are part of the telecommunications backbone.

Under PRISM, the NSA traditionally provides a “to or from” selector, such as an email address. In essence this means that the NSA is getting communications to or from the person tied to the selector. Under Upstream the NSA has provided “to, from, or about” selectors, meaning that in addition, the NSA has collected communications “about” a target that were sent by others who were not the individual tied to the selector of a 702 request. In April of 2017 the NSA announced that it would no longer be seeking internet communications based upon “about” requests. However, this point is important to note because the final bill contained changes to FISA that potentially impact these requests.

The current version of Section 702 expired on Dec. 31, 2017, and it was extended to permit time for new legislation to pass. This Law reauthorized it, with certain key amendments, which are noted below.

The Merged Bill

The current Senate bill extends Section 702 for 6 years, which was a shorter period of time than the Senate Bill.

In addition, the bill addresses certain substantive issues under FISA, including the retrieval by the FBI of unminimized contents or non-contents regarding U.S. persons that were obtained under Section 702. The final bill requires the FBI, with certain exceptions, to obtain a court order to make a query noted above, if the query is made in connection with a “predicated criminal investigation” unrelated to the national security of the U.S. An application for and order to obtain such communications must include an affidavit that justifies the belief that the communications that are sought would provide evidence of:

  •  criminal activity;
  •  contraband, fruits of a crime, or other items illegally possessed by a third party; or
  •  property designed for use, intended for use, or used in committing a crime.
An order is not required, however, if the FBI determines that there is a reasonable belief that the contents would assist in mitigating or eliminating a threat to life or serious bodily harm. This concept is further defined in amendments to other portions of FISA, which makes clear the general rule that evidence gathered under 702 should not be used in evidence against a U.S. person unless an order is obtained or the Attorney General determines that:
  •  the criminal proceeding affects, involves, or is related to the national security of the U.S.; or
  •  the criminal proceeding involves:
  •  death;
  •  kidnapping;
  •  serious bodily injury, as defined in section 1365 of title 18, United States Code;
  •  conduct that constitutes a criminal offense that is a specified offense against a minor, as defined in section 111 of the Adam Walsh Child Protection and Safety Act of 2006 (34 U.S.C. 20911);
  •  incapacitation or destruction of critical infrastructure, as defined in section 1016(e) of the USA PATRIOT Act (42 U.S.C. 5195c(e));
  •  cybersecurity, including conduct described in section 1016(e) of the USA PATRIOT Act (42 U.S.C. 5195c(e)) or section 1029, 1030, or 2511 of title 18, United States Code;
  •  transnational crime, including transnational narcotics trafficking and transnational organized crime; or
  •  human trafficking.
“About” or “abouts” collection was also addressed. While this term was previously used, it has now been defined in FISA to mean, “…a communication that contains a reference to, but is not to or from, a target of an acquisition authorized under section 702(a) of the Foreign Intelligence Surveillance Act of 1978.” Under this bill, the Attorney General and the Director of National Intelligence can choose to try and implement abouts collection (which had previously been voluntarily suspended) if they submit to the Committee on the Judiciary and the Select Committee on Intelligence of the Senate and the Committee on the Judiciary and the Permanent Select Committee on Intelligence of the House of Representatives a written notice of the intent to implement the authorization of such an acquisition, and any supporting materials. The bill contemplates that an application authorizing abouts collection could be submitted to the FISA Court, and the notice under this provision should include the application and related materials, if any. These Committees then have 30 days to review this notice and materials. During this period, unless the Attorney General and the DNI make a determination under Section 702(c)(2), abouts collection generally cannot occur, though there is an emergency acquisition exception. Moreover, if the FISA Court approves a certification before the end of the 30 day period, the Attorney General and the DNI can implement collection immediately if they determine that certain exigent circumstances exist, and notice is to be given to the relevant Congressional Committees. The Amendment also added the concept of reporting to certain Congressional Committees regarding a “material breach” regarding abouts collection, which is “…significant noncompliance with applicable law or an order of the Foreign Intelligence Surveillance Court concerning any acquisition of abouts communications.”

The bill also instructs the DNI, in conjunction with the Attorney General, to conduct a declassification review of certain minimization procedures and to “the greatest extent practicable” make those procedures available, including in redacted form, not later than 180 days after the review is completed.

Section 705 of FISA, 18 U.S.C. § 1881d would also be amended to include an emergency authorization provision if certain conditions are met. The bill also addresses appointments of the Privacy and Civil Liberties Oversight Board, and to provide some protections to whistleblowers for contractors in the Intelligence Community. The bill also adds a requirement that the Inspector General of the Department of Justice submit certain reports regarding the querying authority that was added, and that report must include an assessment of:

  •  the interpretations by the Federal Bureau of Investigation and the National Security Division of the Department of Justice, respectively, relating to the querying procedures adopted under subsection (f) of section 702 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1881a(f)), as added by section 101;
  •  the handling by the Federal Bureau of Investigation of individuals whose citizenship status is unknown at the time of a query conducted under such section 702; The practice of the Federal Bureau of Investigation with respect to retaining records of queries conducted under such section 702 for auditing purposes;
  •  the training or other processes of the Federal Bureau of Investigation to ensure compliance with such querying procedures; The implementation of such querying procedures with respect to queries conducted when evaluating whether to open an assessment or predicated investigation relating to the national security of the U.S.;
  •  the scope of access by the criminal division of the Federal Bureau of Investigation to information obtained pursuant to the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), including with respect to information acquired under subsection (a) of such section 702 based on queries conducted by the criminal division;
  •  the frequency and nature of the reviews conducted by the National Security Division of the Department of Justice and the Office of the Director of National Intelligence relating to the compliance by the Federal Bureau of Investigation with such querying procedures;
  •  any impediments, including operational, technical, or policy impediments, for the Federal Bureau of Investigation to count:
  •  the total number of queries where the Federal Bureau of Investigation subsequently accessed information acquired under subsection (a) of such section 702;
  •  the total number of such queries that used known U.S. person identifiers; and
  •  the total number of queries for which the Federal Bureau of Investigation received an order of the Foreign Intelligence Surveillance Court pursuant to subsection (f)(2) of such section 702.
In addition, certain portions of the Intelligence Community disclosures that are contained in Section 603, 50 U.S.C. § 1873, are amended under the bill to broaden the information that is disclosed.

The current Senate bill addresses some of the key issues raised about FISA, but does not address all of them, and the potential for about collection to resume, albeit under more limited circumstances, has caused concern among some Senators and certain privacy advocates. There is no indication that about collection will start immediately, and the bill does contain privacy enhancements for U.S. persons, so time will tell if ultimately these amendments are sufficient to quell some of the concerns that have been raised by some about FISA.

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security