
How FBI Querying Under FISA Section 702 Works

Glenn S. Gerstell
Monday, July 10, 2023, 8:00 AM
Understanding the FBI’s new search rules regarding Americans’ communications is critical to the debate on Section 702 renewal.
NSA Director Gen. Paul M. Nakasone speaks at a Senate hearing, January 29, 2019. (Mark Warner, https://www.flickr.com/photos/senatormarkwarner/31978950087/; CC BY 2.0, https://creativecommons.org/licenses/by/2.0/legalcode)

Published by The Lawfare Institute in Cooperation With Brookings

Since its enactment in 2008, the electronic surveillance program established under Section 702 of the Foreign Intelligence Surveillance Act (FISA) has been controversial, in large part because Americans who happen to be in contact with a foreign surveillance target might have their communications picked up by the U.S. intelligence community. This “incidental collection” of Americans’ communications is seen as an inevitable by-product of the program.

But the subsequent searching for Americans’ names or email addresses in the information acquired under Section 702—even for well-intentioned and legitimate purposes—has drawn criticism, since the program was aimed at collecting information about non-U.S. targets, not Americans.

That criticism has been focused specifically on searches undertaken by the FBI, and as a consequence, the FBI’s querying capabilities are currently the most disputed part of the congressional debate surrounding the renewal of Section 702. Misunderstandings about the FBI’s authority to search through some of the information collected under that section are prevalent, and the effects of recent rules changes are not well known. 

The FBI has long maintained that its ability to search through information lawfully acquired under Section 702 is critical to its dual missions of enforcing federal laws and countering national security threats on American soil. Because of these two missions—unlike parts of the U.S. intelligence community such as the CIA or the National Security Agency (NSA), which have solely foreign intelligence missions—the FBI is sometimes required to examine information about Americans when it is investigating foreign threats.

This piece, in question-and-answer format, is intended to explain the FBI’s current procedures for electronic searches or “queries.” The explanation is based on a review of publicly available government documents, with key points confirmed in conversations with relevant officials. This is not an explanation of Section 702 (the Department of Justice and the Office of the Director of National Intelligence have more detailed explanations available on their various websites, especially in the Annual Statistical Transparency Report for 2022). It is intended to be responsive to public criticisms and questions about the FBI’s queries. Although this summary seeks to describe the key elements of the FBI’s querying procedures as accurately as possible, it does not use the precise legal terms of the statute and court-approved rules, and thus some details will inevitably be left out.

What information is the FBI searching when it says it’s looking at the “Section 702 database”?

For purposes of this piece, the FBI’s “Section 702 database” refers to the communications and other information obtained under Section 702 and made available to the FBI. But as a matter of long-standing policy, only a very small portion of the total information collected under Section 702 by the U.S. intelligence community is made available to the FBI, as explained below.

More specifically, in 2022 (based on the FBI’s statistics from Dec. 1, 2021, to Nov. 30, 2022, the most recent year for which figures are available), there were approximately 246,000 targets in total that were the subject of lawful electronic surveillance under Section 702 by the intelligence community. For a person to be a target, the intelligence community must reasonably believe the person is not a U.S. citizen or permanent resident and is located outside the U.S. In pursuing its dual missions, the FBI doesn’t need information about all foreign targets—instead, it is interested in only those that are pertinent to what the FBI calls a “full predicated national security investigation.” Out of the larger Section 702 collection in 2022, the FBI received the communications of approximately 7,900 foreign targets who met that criterion (roughly 3.2 percent of the total collection).

All the communications collected under Section 702 for those 7,900 foreign targets were potentially available for querying under proper procedures by the FBI; but the FBI cannot access the communications for the other 238,100 foreign targets for 2022 that were held by the NSA, CIA, and National Counterterrorism Center. The FBI’s Section 702 database currently includes similar subsets of communications for prior years, as well as additions subsequent to November 2022, all subject to deletions over time.

What’s a full predicated national security investigation?

There are detailed rules about when the FBI can start a criminal or national security investigation. When undertaking a “preliminary inquiry,” the FBI is often not sure that a crime has been or is being committed and might simply be responding to an allegation or other preliminary information. Only if there’s more specific information is the FBI able to open a “full predicated investigation.” While it might overlap with a criminal investigation, a national security investigation examines threats to national security such as foreign computer intrusions, international terrorism, or foreign-generated espionage or sabotage. The type of investigation the FBI is engaged in determines what kinds of investigative tools it can use and what types of restrictions might apply to those tools.

Can communications of any American be included in the FBI’s Section 702 database?

Potentially yes—but only if the American has been in contact with one or more of the foreign targets pertinent to full predicated national security investigations. Consequently, the Americans whose information is actually collected under Section 702 are a very limited group. The American in this situation isn’t the target of the Section 702 surveillance, but his or her communications may be collected since it’s not possible to filter out which of a target’s communications are known to be with an American. The intelligence community may not know at the time of targeting that there will be this type of “incidental collection” of an American’s communications; nor can it know how many of these communications are included in collection. That’s because, for example, the nationality of the sender or recipient of an email is rarely apparent from the email address or the content.

Given that the Section 702 database holds only communications to or from the foreign targets “pertinent to full predicated national security investigations,” may the FBI search it for more than just cases involving national security?

Yes, but in a restricted way. Even though the Section 702 database consists of communications to or from the subset of foreign targets described above, the FBI can, because of its dual mission, search those communications for foreign intelligence information, evidence of a crime, or both. Some examples of cases where searches for foreign intelligence information would be appropriate include malicious cyber activity linked to foreigners, international terrorism, counterintelligence activities involving another country, or international weapons proliferation. Some examples of cases in which the FBI might not be seeking foreign intelligence information but rather evidence of a crime would include crimes that are unrelated to national security, such as violations of federal securities or antitrust laws or a bank robbery. But the latter set of cases is extremely limited because, as explained below, there must be some specific factual connection allowing a query of the Section 702 database.

So every time the FBI runs a search through its databases for either foreign intelligence information or evidence of a crime, it’s looking through information collected under Section 702?

Not necessarily. In response to significant criticism about its querying procedures, the FBI changed its internal procedures and computer systems in June 2021 so that they do not default to searching communications collected through Section 702. Instead, the agent running the search (or the national security analysts and supervisors who are authorized to run these searches) must affirmatively elect to search Section 702 data and must document the authorized justification for doing so. If the agent doesn’t expressly opt in to the 702 data before running the search, the search won’t examine any Section 702 communications (i.e., those of foreign targets or of Americans in contact with those foreign targets) but would merely examine other information that the FBI collects under authorities other than Section 702.

How does a general FBI search operate, and what terms might the FBI be searching for? 

The simplest analogy is to think of doing a search for an email in one’s inbox or other electronic folder. Assuming an agent has the proper authorizations, he or she first selects the appropriate databases in the FBI’s computer system that stores information lawfully acquired pursuant to the FBI’s dual missions (including the Section 702 database described above), and then enters a person’s name, email address, phone number, or other information to initiate the search. The search term might, for example, be the name of the victim of a foreign espionage operation or the IP addresses of affiliates of a company subject to a foreign ransomware attack. The FBI’s computer system will tell the agent the number of “hits” or responsive results (including in the Section 702 database, if selected). Oftentimes, searches turn up nothing.

There are separate procedures where the agent uses a search term pertaining to an American, such as a name or an email address. In that case, the system won’t at that stage reveal the content of any Section 702 communications, such as the actual text of an email. But if there is a hit in the Section 702 database and the agent wants to see the contents of that result, then he or she must take an additional step to elect to view the data with a justification for why a review of the content of communications in that database is appropriate. 

What is required for an agent to opt in to the Section 702 data?

Under the FBI’s written guidance, which is given to every agent who’s authorized to run searches and was released to the public in April 2023, the agent must have “a specific factual basis” to think that the Section 702 data in particular is reasonably likely to be relevant to the search. Given that the Section 702 data, as stated above, consists only of communications to or from the foreign targets relevant to a full predicated national security investigation, the agent must articulate why that particular set of communications is likely to yield a hit. Only in that case is the agent permitted by the guidance to affirmatively elect to run a search involving the Section 702 communications and to see the contents of any hits. A “specific factual basis” means more than speculation or a hunch—it could, for example, be a specific and credible tip. And there must be such a justification for each query that the agent uses in the search.

What are some hypothetical examples of when an agent could opt in to Section 702 data under the FBI guidance?

An inquiry about an American university professor who was approached for a proposed research contract by a known foreign spy operating overseas might, on its face, qualify. The agent could reasonably state that there’s a specific factual basis to believe that Section 702 data is likely to yield evidence: There’s an obvious and known foreign connection, and indeed the foreign spy already might be one of the Section 702 targets. 

Another example could be a query about a U.S. defense contractor whose aircraft stealth technology was stolen in a cyber intrusion. Even if the perpetrator of the cyber hack wasn’t known, it’s reasonable, if not likely, that a foreign adversary could be behind the attack, given the interests of foreign governments in that very specific type of information. Thus, this situation might support an opt-in to the Section 702 database and could potentially permit the FBI to look into the U.S. defense contractor’s information as well. 

The foreign connection in those examples makes it clear that the agent could opt in to searching the database of communications of the foreign targets. But what about cases where the FBI is searching for evidence of a purely domestic crime?

Very few cases involving purely domestic crimes would support a search of the Section 702 database, because there would be no reason to believe that database would contain relevant evidence. (The FBI doesn’t keep track of the number of cases where there’s no basis for an opt-in search.)

But there could be an additional factual element—some foreign contact or other foreign connection—that might change the situation. For example, if an agent investigating a domestic bank robbery had a specific factual basis to believe that the suspect had been boasting about his crime to an international terrorism target under Section 702 surveillance, then the agent could run an appropriate query of Section 702 data. Thus, even though the bank robbery is unrelated to international terrorism, the agent could reasonably believe that the Section 702 database in particular could reveal evidence of that specific crime, such as the suspect’s location or plans for further robberies. Not surprisingly, however, this type of domestic crime with a factual element permitting a Section 702 search is exceedingly rare.

So is it correct to summarize the FBI’s query guidance as saying agents can’t run searches of 702 communications in purely domestic crime cases unless there’s some specific factual basis supporting a reasonable belief that the Section 702 foreign target database will have relevant information about the crime?

Yes, that’s a fair summary of some rather complicated rules.

As in any complex operational situation with detailed legal rules and policy guidance, there could always be unusual factual situations where a search might be allowed without such a foreign connection—but the FBI has said that it’s not aware of any such cases in 2022 that were in compliance with the guidance.

Are there any situations where the FBI must obtain a court order before running a search on an American’s information in the Section 702 database?

Yes. As a result of the FISA Amendments Reauthorization Act of 2017, the FBI must obtain a specific order from the Foreign Intelligence Surveillance Court (FISC) before looking at the contents of communications in the 702 database where (a) the FBI used a search term pertaining to an American, (b) the FBI was searching for evidence of a domestic crime, but not foreign intelligence information, and (c) the search was for a predicated investigation for a domestic crime, not a national security matter. In simple terms, where the FBI is in effect investigating a particular American in a domestic criminal case, there should be extra protections, such as a court order, before the FBI may access the content of communications in the Section 702 database. (Under the statute, the court order can be dispensed with in certain situations involving mitigating or eliminating a threat to life or serious bodily harm.) 

How many of the various queries were there in 2022? And what did they entail? 

In 2022, the FBI searched for 119,383 unique query terms using U.S. person identifiers (such as an email address), seeking content or non-content in the Section 702 database. Of those 119,383 query terms…

  • …only 16 were used in searches having as their sole purpose the return of evidence of a crime, not foreign intelligence information, where the agent sought access to the content of the communications. And of those 16 U.S. person query terms…

      • …one was used in connection with a predicated criminal investigation that did not relate to national security, for which a FISC order should have been obtained. No such order was obtained, and that was an error. Also, there were no cases in which a FISC order should otherwise have been obtained but wasn’t because of the exception mentioned above for threat to life or serious bodily harm.

      • …14 were used in an effort to identify information that needed to be produced or preserved in connection with a criminal prosecution (for example, where the government had an obligation to search for and disclose material evidence favorable to a criminal defendant).

      • …one was used in some other type of assessment or inquiry (not a fully predicated investigation).

  • Presumably, the overwhelming bulk of the remaining 119,367 query terms were used to obtain foreign intelligence information—and perhaps in a very small number of cases, also evidence of a crime, although the latter was not the sole purpose.

  • There could be a third—presumably very small—category, comprising some of those remaining 119,367 query terms, due to a quirk in the reporting system. Namely, some of those remaining query terms might have been used in a search solely for evidence of a crime that did not yield a hit, and thus no Section 702 collection was reviewed. The actual number (if any) in this category is unknown, because the FBI doesn’t keep track of how many such searches don’t produce a hit in the Section 702 database. Due to differing statutory and FISC requirements, the FBI’s reporting system is designed to record for this purpose when Section 702 collection is accessed in response to such a search. Again, given the limitations on searching the Section 702 database in the context of domestic crimes in the first place, this last category—initial searches solely for evidence of a crime that didn’t turn up a response for which the agent sought content—must be very small.

Have any courts addressed the constitutionality of the searches undertaken without a court order described in this piece?     

Yes. The FBI is required to annually submit its formal procedures for querying to the FISC for the court’s approval. Those procedures were approved most recently in April 2023 by the FISC as being in compliance with FISA and the Constitution. The court’s opinion has not yet been released pending declassification, but the opinion for the prior year as well as opinions and procedures for earlier periods have been made public and are available on the website of the Office of the Director of National Intelligence. 

As a general matter, governmental queries of lawfully collected information are not characterized as searches requiring judicial warrants under the Fourth Amendment. 

The activities of the FBI under Section 702 are subject to multiple levels of oversight and audit, both internally and externally. In particular, the Office of the Director of National Intelligence and the Justice Department audit the queries made by FBI personnel and semiannually issue a public report on the results of those compliance audits. Those and other reports, as well as FISC opinions, have revealed that FBI agents have made significant mistakes in the past, violating the querying procedures.

Are all these restrictions and procedures spelled out in written documents, and do FBI agents have to be familiar with them?

Yes. As noted, the FBI is statutorily required to have querying procedures that are submitted annually to the FISC for review and approval. In addition, the FBI and the Justice Department issue periodic guidance, like the guidance explained above that was publicly released in April 2023 but was issued to national security personnel in the FBI in late 2021. Agents had to complete new mandatory training based on this guidance by January 2022 to maintain their access to the Section 702 database, and now agents are required to retake expanded query training every year.

 


Glenn S. Gerstell served as general counsel of the National Security Agency from 2015 to 2020 and writes frequently on the intersection of national security and technology.