Published by The Lawfare Institute
in Cooperation With
On Sept. 28, the Privacy and Civil Liberties Oversight Board (PCLOB) published its long-expected report on Section 702 of the Foreign Intelligence Surveillance Act (FISA). The report is timely, if not overdue. Section 702 is scheduled to expire in three months if Congress does not renew it. The report is also dauntingly lengthy. Its three separate opinions total nearly 300 pages.
Origins of Section 702
For students of the program, though, the report is a valuable guide to statutory and procedural intricacies that have multiplied since the provision was first written into law in the FISA Amendments Act of 2008. Section 702 can be understood only through its history.
It has its origin in the days after 9/11, when intelligence officials realized that the attackers had evaded detection largely because of the government’s strict separation of domestic and foreign intelligence. In essence, the National Security Agency (NSA) and the CIA were conducting surveillance of terrorists’ activities and communications outside the United States, while the FBI was focused on what terror suspects did and said inside the country.
Each domain had its own legal rules. To simplify a bit, outside the U.S., national security surveillance was aggressive, flexible, and relatively free from statutory and political constraint, while inside the U.S., civil liberties concerns demanded strict compliance with FISA, which, in the absence of emergency, allowed intercepts only with court approvals and probable cause. Surveillance of communications that straddled the border fell into a legal no man’s land: The technical capability rested with the NSA, but only the FBI was in a position to navigate the legal and political risk of intercepts that would inevitably pick up the communications of Americans. Neither agency was comfortable operating that far out of its accustomed lane.
As a result, before the 9/11 attacks, the NSA actually intercepted calls to a known Yemeni terror safe house by one of the hijackers in California, but the agency failed to identify that the call terminated in the United States. Tracking intercepted international terrorist calls back to the U.S. could have yielded critical intelligence, but even more certainly it would have spawned a tangle of legal and political risks that neither the NSA nor the FBI had been willing to embrace.
Responding to this failure, President George W. Bush ordered the NSA to begin intercepting phone calls and other forms of communication from foreign terrorist suspects when the suspects communicated with people in the United States. Because this meant accessing domestic switches, routers, and webmail services, his order violated the Foreign Intelligence Surveillance Act, and when it came to light, there were hearings, heated speeches, and lawsuits (the Bush administration argued that the president was empowered to ignore FISA by Congress’s authorization to use armed force against al-Qaeda and the president’s role as commander in chief).
But in the end, Congress agreed that the gap needed to be filled. It adopted Section 702, which largely wrote the president’s program into law, creating a third legal domain for intelligence collection that fell somewhere between the rigidity of traditional FISA and the flexibility of overseas intelligence operations.
Broad Legal Framework of 702 Collection and Queries
Section 702 aims to maintain the nimbleness of overseas collection, where targets can be added or deleted in minutes based on new intelligence and priorities. No judicial approval is required to target foreigners under 702, although the parameters of the program are reviewed annually by the FISA court for lawfulness.
The program is controversial not because of the target but because of who the target may be talking to: Americans. Section 702 prohibits “reverse targeting”—picking foreign targets mainly because of the Americans they talk to. But even if they aren’t the targets, Americans will be intercepted when they communicate with the targets. That has fueled a persistent hostility to 702 in some circles, guaranteeing a debate over the program every five years.
The program’s detractors have raised occasional questions about whether it is really necessary and effective, but their primary concern has been the fact that Americans’ communications are being collected without the protection of probable cause and a court order.
The PCLOB report reflects that debate. Indeed, that is the central issue that splintered the board.
Unanimous Support for Renewing 702
Before exploring the division, it’s worth noting where the board was unanimous. Most important, after a probing and occasionally skeptical examination of the program’s results, all of the board members concluded that Section 702 “remains highly valuable to protect national security.” Indeed, 59 percent of the intelligence in the President’s Daily Brief comes at least in part from 702 collection.
Echoing an assessment issued in July by the President’s Intelligence Advisory Board, the board found that the program was highly cost-effective and that it provided insights into some of the highest priority intelligence topics, particularly terrorism, threats from Russia and China, weapons proliferation, and cyberattacks. No member of the board expressed any doubt that 702 should be reauthorized.
(Support for 702’s value is by and large a consensus view in policy circles, and one that I share, but it is worth noting that, just 23 years ago, this immensely valuable and largely abuse-free intelligence program was, as a practical matter, prohibited by law. We now know that was a mistake, which should lead to this question: What other valuable, abuse-resistant capabilities have we unwisely taken off the table by writing such detailed legal limits for intelligence collection?)
A Split on Prior Judicial Review of 702 Queries
The question that divided the board was what changes should be made in the renewed law. All the board members supported reforms. Many of these centered on FBI searches of its database of 702 intercepts. The FBI database contains only a small portion (under 5 percent) of 702 intercept targets—essentially those already tied to an existing FBI investigation. In 2022, the FBI had access to data on “approximately 3.2 percent of the total number of Section 702 targets, or about 8,000 of them.” But the FBI has conducted millions of searches using the names or other identifiers (phone number, IP address) of U.S. persons.
Critics of the program (including the three Democrat-appointed PCLOB members) maintain that the FBI is exploiting the fact that many American communications have been incidentally collected without a court order, and adding to the problem by searching for the Americans’ conversations directly, again without going to court for approval. Defenders of the practice (including the two Republican-appointed members) argue that there is no reason to restrict the government’s ability to search data it has collected lawfully and already has in its files.
The split in the board over this issue is brought to a head in Recommendation 3: “Congress should require [Foreign Intelligence Surveillance Court (FISC)] authorization of U.S. person query terms.” Three of the members believe that 702 materials should not be searched for U.S. person identifiers unless the FISA court agrees that the search is justified. Two of the members, Edward Felten and Travis LeBlanc, think the search would be justified in most cases by showing that the search is “reasonably likely” to yield foreign intelligence.
Only one member, Board Chair Sharon Bradford Franklin, takes the position shared by left-leaning advocacy groups and some law professors, who argue that Congress should allow searches based only on probable cause.
The two dissenters, in contrast, see no reason to bring the FISA court into the picture at all. Instead, with a few tweaks, they would allow the FBI to continue to make queries of the 702 database under recently tightened Justice Department standards, supplemented by more active congressional oversight.
The FBI’s Compliance Failures
The debate over U.S. person queries is driven largely by the FBI’s long series of failures to adhere to internal standards for such queries. These failures are numerous, but few of them appear to be deliberate. The report finds just a handful of queries whose motives seem to be personal. Most of the others appear to be what I’d call “let’s look everywhere to be safe” queries, in which the agent is checking the database not because there’s reason to think the subject is in touch with foreign intelligence targets, but because it would be a big deal if the query identified such contacts. That would explain why 98 or 99 percent of the FBI’s U.S. person queries return no information. The problem with such queries is that they don’t meet the requirement that such queries must be based on a reasonable belief that the search is reasonably likely to produce foreign intelligence or evidence of a crime.
One might ask whether the Justice Department erred in requiring that searches of 702 data be performed only if they are likely to produce intelligence or evidence. Indeed, the FBI seems to have resisted the Justice Department’s strict interpretation of this requirement. It’s easy to imagine the dialogue between the FBI and Justice over particular searches:
Justice lawyer: “Agent, I see that you searched the 702 databases for information on twenty-five American citizens and green card holders. Why did you do that?”
Agent: “Well, sir, they were scheduled to meet as a group with the President in a Denver hotel room, and I wanted to make sure none of them was in touch with a foreign terrorist group that we knew about.”
Justice lawyer: “But did you have any reason to think that any of them were in touch with foreign terrorists?”
Agent: “No, that’s why I wanted to check.”
Justice lawyer: “OK, without some advance reason to suspect the members of the group, your 702 check is a violation.”
It is understandable that individual agents would have trouble grasping the policy behind this rule (indeed, so do I), and it’s therefore no surprise that they could have violated it in good faith for months or years until corrected. In fact, it did take years of increasingly aggressive action by Justice and FBI leadership to put an end to such queries. Meanwhile, delayed compliance auditing meant that reports of massive violations kept pouring in, long after corrective policies had been implemented but before they showed up in backward-looking audits.
The Majority Recommendation: FISA Court Approval for Any Access to 702 Data
The report covers these compliance failures in detail, and they are at the heart of the board’s splintered recommendation. For the majority, the compliance problems show the privacy risks inherent in allowing searches for U.S. person identifiers. In order to police those searches, the majority calls for FISA court review to determine whether a query is likely to be productive. In an effort to ease the burden of such review, the majority seems to agree that FBI agents can make such queries on their own, as long as the only result they get is a “hit/no-hit” report. The FISA court will hear requests to get access to data only at that point, when responsive information is known to be in the database.
Even so, the burden is likely to be heavy. The chair estimates in her opinion that the proposal would require 3,225 additional FISA orders each year, an order of magnitude larger than the 317 FISA intercept applications the court processed in 2022, and still an underestimate, for the majority’s proposal would apply not just to FBI queries but to U.S. person queries by all agencies with access to 702, including the CIA, the NSA, and the National Counterterrorism Center.
In recommending a remedy, the chair breaks with the rest of the majority because of a difference in her legal analysis. In her view, 702 would be unconstitutional if it did not provide for individualized judicial review of all such queries. She is undeterred by the dozen or so FISA judges who have rejected that view.
The Dissenters: Ground Reforms in Identifiable Abuses
The dissenters see the FBI’s query compliance woes as a serious matter. But they credit FBI leadership and new procedures with greatly reducing the problem. They would give those efforts a chance to succeed while keeping the pressure on, not by involving the courts but by beefing up congressional oversight. Their disagreement with the majority boils down to two points: They note that the majority doesn’t actually identify any significant abuses, even of the query power. And they find no reason to think that mandating FISA court review of 702 queries would stop abuses without severely degrading the value of 702 for national security purposes.
The dueling opinions cover far more than just this issue. But this conflict does reflect a theme that runs through the report. The majority finds no significant abuses of power by the intelligence agencies; on the contrary, it praises their adoption and pursuit of strict procedures to prevent abuses. Nonetheless, the majority notes with alarm the large scale of the program and the high likelihood that many American communications have been intercepted and stored. This, the majority says, creates risks to privacy. So more should be done to restrict the program. On that basis, they propose seven new congressional enactments and 12 new administrative reforms.
The dissenters home in on what they see as a disconnect between the majority’s “not guilty” verdict and its determination to impose a sentence anyway. If we are going to make recommendations for reform, they say, we should be able to point to real risks and propose steps that will reduce those risks without harming national security. That leads them to go further afield, touching on abuses that may resonate more with Republicans than Democrats, such as a lack of accountability in unmasking, or identifying, U.S. persons whose conversations with foreigners have been intercepted and unauthorized leaks of intercepts for political ends.
Perhaps the most interesting, and arguably the bravest, of the dissenters’ proposals is a short section arguing that existing privacy protections in the 702 program have gone too far. Like the FBI agent in my imagined dialogue, the two Republican-appointed board members see great value in using the 702 database to “vet” individuals by checking for a hit in the 702 database—even without reason to believe the query will yield foreign intelligence. They are right; there are circumstances in which the likelihood of a hit is small, but the government should not take even a small chance that the individual has been compromised by a foreign intelligence target. So before the government grants a security clearance, they argue, it should vet the applicant in the 702 database. Not because we expect the check to disclose foreign intelligence information—we don’t—but because it would be a disaster if there were such information and we never looked.
The PCLOB report is a gold mine of authoritative information about Section 702, and evaluating the recommendations is a good way to refine one’s view of what reforms are needed.
Whether the report will have much impact on the debate over renewal, however, is less clear. The unanimous support for renewal may be influential in the sense that it confirms a sentiment that already seems widespread in Congress, despite the FBI’s travails.
The report’s inability to agree on more than that will dissipate its influence, particularly because understanding the dueling proposals for 702 reform requires working through hundreds of dense pages. Fascinating as that may be for intelligence nerds, that’s an audience that has already come to a conclusion on 702; those still on the fence may not have the time and patience to work through the whole report.