Published by The Lawfare Institute
in Cooperation With
Last month, the Office of the Director of National Intelligence (ODNI) released a redacted version of a Foreign Intelligence Surveillance Court (FISC) opinion and order following a declassification review. The opinion, which was originally entered in November 2020, reflects the findings and conclusions reached by the FISC after reviewing the 2020 “certifications” presented by the attorney general and the director of national intelligence (DNI) seeking authority to conduct electronic surveillance under Section 702 of the Foreign Intelligence Surveillance Act (FISA). The court’s decision was widely chided in the media for, once again, approving a Section 702 certification in the face of “widespread violations."
The Nov. 18, 2020, decision entered by FISC Presiding Judge James Boasberg followed earlier orders from Boasberg, entered in December 2019 and in October 2018, that also addressed government certifications seeking approval to conduct surveillance under the authority of FISA Section 702 (50 U.S.C. § 1881a). In each instance, redacted versions of Boasberg’s opinions were released publicly after classification reviews by the ODNI. Boasberg’s redacted October 2018 opinion was released nearly a year later, in October 2019; his redacted December 2019 opinion was released by the ODNI in September 2020; and his redacted November 2020 opinion was released in April 2021.
Coincidentally, the ODNI released this most recent redacted FISC decision addressing Section 702 during the same week that the American Civil Liberties Union and others filed a petition asking that the Supreme Court find a qualified First Amendment right of access requiring that all FISC decisions be released and redacted “only as necessary to prevent genuine harm to national security.” In pursuing relief from the Supreme Court, those petitioners seek to overturn a carefully calibrated process regarding the workings of the FISC designed to provide reasonable transparency into that court’s decisions while protecting classified information relating to intelligence sources and methods. In the case of FISA Section 702, those processes are meant to protect the unique sources and methods associated with what has been described as “the most potent power Congress has granted U.S. spy agencies to gather intelligence on everything from terrorism to nuclear proliferation to foreign adversaries’ plans and intentions.”
Each of the redacted Boasberg opinions from 2018 through 2020 addresses the corresponding year’s government certification seeking reauthorization of the collection authority provided by FISA Section 702. The certifications are presented annually to the FISC along with the statutorily required targeting, minimization and querying procedures used by the U.S. intelligence community in connection with its employment of the surveillance authorized by the court’s approval of each certification. Substantively, in terms of the categories of foreign intelligence information sought by the government, the certifications have not changed materially since Section 702 was first enacted as part of the FISA Amendments Act of 2008.
The redacted Boasberg opinions are lengthy, and the discussions in each opinion recount multiple incidents of noncompliance in connection with the execution of the Section 702 program. These incidents are notable with respect to the application of the minimization and querying procedures employed in executing the program (explained below and here), and most particularly with the actions of the FBI in querying the Section 702 database of unminimized communications. Ultimately, however, the FISC approved each of the Section 702 certifications submitted by the government in 2018, 2019 and 2020, although the 2018 certification and procedures were approved only after Boasberg concluded that the FBI’s minimization and querying procedures, as first submitted and employed by the FBI, did not comply with the Fourth Amendment. The government appealed Boasberg’s initial ruling but, after the FISA Court of Review upheld the FISC’s decision, the FBI modified its procedures as needed to secure the FISC’s approval.
Media discussion of these FISC opinions has focused on those compliance issues with headlines declaring, “FBI and NSA violated surveillance law or privacy rules, a federal judge found” and “Federal court approved FBI’s continued use of warrantless surveillance power despite repeated violations of privacy rules.”
Critics were incensed at the FISC’s approval of the 2018 certification, pointing to the record of noncompliance reflected in the FISC’s opinions to argue that “at no point in Section 702’s existence has the government operated the program in full compliance with constitutional requirements.” When a December 2019 opinion by Boasberg was released in redacted form in September 2020 reflecting the FISC’s approval of the government’s requested 2019 reauthorization of Section 702 surveillance even as it revealed further incidents of noncompliance, exasperated opponents wondered aloud, “[W]hat would it take for the FISA court to say no?” Others described the FISC’s actions as “compliance whack-a-mole” while insisting that the frequency of the transgressions depicts “systemic noncompliance” that makes the entire program untenable.
Is the FISC failing its responsibilities with respect to the function it performs in the Section 702 program? Given the role the FISC is intended to play with respect to its oversight of the Section 702 program, the answer is no.
A Brief Primer on How Section 702 Works
Prior to the enactment of Section 702 as part of the FISA Amendments Act of 2008, the type of surveillance now authorized by Section 702 required that the government show on an individualized basis, with respect to all non-U.S. person targets located overseas, the existence of probable cause to believe that the target was a foreign power or an agent of a foreign power. In effect, the intelligence community treated non-U.S. persons located overseas like U.S. persons, even though foreigners outside the United States are not entitled to the protections of the Fourth Amendment. Coupled with the seismic change in the technological environment occurring since FISA’s 1978 passage, the application of the “traditional” FISA framework to targeting non-U.S. persons located outside the United States posed significant challenges to the timely collection of intelligence critical to the nation’s security.
The attorney general and the DNI authorize targeting under Section 702 in a manner substantially different from traditional electronic surveillance under FISA. Under Section 702, instead of issuing individual court orders, the FISC approves an annual certification submitted by the attorney general and the DNI that identifies categories of foreign intelligence targets. Targeting, however, is constrained by specific limitations included by Congress that prohibit targeting anyone known to be in the United States; prohibit targeting any U.S. person located outside the United States; prohibit targeting someone outside the United States for the purpose of targeting a particular, known person in this country; prohibit the intentional acquisition of any communication where all participants are located in the United States at the time of the acquisition; prohibit the acquisition of communications that refer to, but are neither to nor from an authorized target; and require that all Section 702 acquisitions be consistent with the Fourth Amendment.
To implement these statutory restrictions and protections, Section 702 requires the use of targeting procedures, minimization procedures, querying procedures and acquisition guidelines. The targeting procedures are designed to ensure that an acquisition targets only foreigners outside the United States and that it complies with the prohibition on acquiring wholly domestic communications. The minimization procedures protect the identities of U.S. persons and limit the dissemination of any nonpublic information concerning them that may be incidentally acquired. The acquisition guidelines seek to ensure compliance with all the statutory limitations described above. Finally, the querying procedures, added by Congress in reauthorizing Section 702 in 2018, regulate the manner by which the unminimized data collected under Section 702 may be searched to retrieve information.
Surveillance conducted under the authority of Section 702 is programmatic collection on a vast scale. A redacted FISC opinion from 2011 revealed that the National Security Agency (NSA) was collecting “more than 250 million internet communications each year pursuant to Section 702.” Two years later, the ODNI began reporting the number of Section 702 targets—and registered 89,138 for calendar year 2013. While no publicly available information has charted the expansion of collection under Section 702, the growth in the number of targets—to 204,968 in 2019—might reasonably be expected to correspond to a proportional growth in collection. The intelligence community transparency report for 2020, released just last month, showed a small decline in the number of Section 702 targets—disclosing 202,723 targets in 2020. It is the first decline in the number of Section 702 targets since the ODNI began disclosing Section 702 target numbers in 2013.
All of the required procedures used with Section 702 acquisitions have been mandated by Congress to address an inescapable feature of this type of collection: While Section 702 targets foreigners located outside the United States to acquire foreign intelligence information, it is understood that the communications of U.S. persons communicating with any targeted foreigner may be incidentally collected as part of the surveillance directed against that foreign target.
The existence of this incidental collection has been acknowledged from Section 702’s inception and is the bête noire of its critics. Following the Edward Snowden disclosures in 2013, the Privacy and Civil Liberties Oversight Board (PCLOB) conducted an extensive review of the Section 702 program, and its description of Section 702 acknowledged that “communications of … U.S. persons may be acquired in a variety of ways.” The PCLOB report described Section 702 as “a technologically complex collection program” where “incidents of noncompliance” have been identified but no “intentional attempts to circumvent or violate the procedures or statutory requirements.” Commenting further, the PCLOB observed that “many of these incidents have involved technical issues resulting from the complexity of the program, and the Board has not seen any evidence of bad faith or misconduct.” Since the issuance of that PCLOB report in July 2014, none of the FISC’s annual reviews of the government’s 702 certifications has identified any intentional effort to circumvent or violate the statutorily mandated procedures regulating its operation.
While there is no documented evidence of any intentional evasion of the procedures or statutory requirements governing the collection or use of information obtained by Section 702 surveillance, every available FISC opinion addressing the court’s review of the Section 702 program has documented incidents of noncompliance. In some instances, the noncompliance incidents have been numerically significant and, at times, represented recurring violations. However, it is also true, as the PCLOB noted, that calculating the compliance incident rate for the Section 702 program, as the government did, by dividing the number of identified compliance incidents by the average number of selectors on task produced an incident rate substantially below 1 percent at the time the PCLOB report was issued in 2014. Whether the compliance rate using those metrics remains in that range today is not publicly available information.
Notably, the FISC obtains its information regarding incidents of noncompliance from the agencies that operate the Section 702 program. Self-disclosure of noncompliance is mandatory: Section 702(m) requires the attorney general and the DNI to assess compliance with the targeting, minimization and querying procedures approved by the FISC every six months, and to provide the FISC with this assessment. Self-reporting is also required, for example, by the NSA’s minimization procedures, and the FISC’s own rules of procedure mandate disclosure whenever any authority or approval by the court is implemented in a manner that does not comply with the court’s authorization or with applicable law. According to the ODNI, “every identified incident of non-compliance, regardless of the U.S. person status of individuals affected by the incident, is reported to the FISC (through notices or in reports) and to Congress in semiannual reports.”
The Role of the FISC With Section 702
Given this standard of mandatory self-reporting, what is the role of the FISC as it considers the government’s annual certification and accompanying procedures seeking reauthorization of Section 702 authority even as the FISC is aware of existing noncompliance in the program? The disclosure and oversight regimen described above reflects the coordinated approach the FISC takes in addressing FISA submissions received from the government. Generally, the FISC’s rules require that the government begin with a “proposed” submission, which the court will review and, where necessary, raise any potential issues directly with the government. Only after this dialogue has occurred will the government submit, and the court consider, a final submission.
While this coordinated approach is established via the FISC’s own rules of procedure for FISA Title I surveillance, Congress has directly mandated a similar process with respect to the government’s requests for surveillance authority under Section 702. Congress established a specific “Schedule” in Section 702 requiring: (1) that the government submit any requested reauthorization of Section 702 surveillance authority at least 30 days prior to the expiration date of the existing authorization, and (2) that the FISC review a certification and its accompanying targeting, minimization, and querying procedures within 30 days of submission, and then “issue an order under paragraph (3)[,]” that is, Section 702(j)(3)).
The FISC review contemplated by Section 702 includes consideration of both the certification, for compliance with FISA’s statutory requirements, and the accompanying targeting, minimization and querying procedures for consistency with the Fourth Amendment. This latter mandate is not found in FISA’s Title I because of the materially different nature of the surveillance authority presented for the FISC’s review. Title I applications seek orders based on individualized determinations of probable cause. Even with Title I applications, however, FISA’s language suggests an approach that is arguably designed to provide the government with the requested surveillance authority whenever the court can satisfy itself that statutory and constitutional standards have been met. Thus, Section 105 in FISA Title I reads that, upon receipt of a FISA application, the FISC “shall enter an ex parte order as requested or as modified approving the electronic surveillance.” Certainly, no order would, or should, be entered, for example, if the government cannot establish probable cause, but the language chosen by Congress clearly expresses that, with respect to the nation’s critical foreign intelligence electronic surveillance capabilities, the FISC should give broad consideration to granting the government’s applications for surveillance authority when it can do so consistently with its statutory and constitutional responsibilities.
The accommodation of the government’s surveillance requests suggested by FISA’s Title I statutory text is more pronounced with respect to the role Congress delineated for the FISC’s consideration of certifications submitted under Section 702. Congress deliberately eschewed a “thumbs up or thumbs down” review process, directing instead that the FISC’s review culminate in the issuance of an order. Significantly, the only statutory alternatives available to the FISC with respect to entering orders related to its review of Section 702 certifications are “Approval” or “Correction of Deficiencies.” FISA does not contemplate an outright denial of a government certification seeking Section 702 surveillance authority; instead, the statute requires that the FISC offer the government the election to correct any deficiency identified by the FISC, or “cease or not begin, the implementation of the authorization for which such certification was submitted.”
The Boasberg Opinions Approving Section 702 Certifications (2018-2020)
When viewed in the context of the statutory construct of FISA, the redacted and recently released version of Boasberg’s November 2020 opinion addressing the government’s 2020 Section 702 certification and procedures takes precisely the form FISA contemplates. Even as it offers pointed criticism in addressing the seemingly perpetual compliance failures of the FBI with respect to its querying practices, the FISC concludes that the reporting requirements and other corrective measures it has required as part of its approval of previous Section 702 submissions are adequate to conclude that “the proposed procedures, as reasonably expected to be implemented, comply with the applicable statutory and Fourth Amendment requirements.”
Opponents of Section 702 are aghast at the FISC’s repeated willingness to accept corrective measures proposed by the government that seem to continually fall short of fully remedying the repeated compliance violations discussed in Boasberg’s opinions of October 2018, December 2019 and November 2020. They openly speculate as to the level of noncompliance the FISC would need to see to deny a certification package and bring Section 702 collection to a halt. In fact, the statutory regimen created by Congress in Section 702 does not provide the FISC with the authority to unilaterally terminate critical government surveillance efforts.
This makes perfect sense judged in the context of the Fourth Amendment analysis used to assess the government’s Section 702 surveillance requests. The test the FISC properly applies is one of “reasonableness”—the touchstone of the Fourth Amendment—which is evaluated using a “totality of the circumstances” standard in which the court balances the competing interests at stake.
That balancing necessarily begins with recognizing that government noncompliance with the myriad rules and procedures governing the operation of the Section 702 program does not, in and of itself, render the program unreasonable and, it logically follows, does not render it constitutionally suspect. Simply put, noncompliance does not equate to unconstitutional. The government interest at stake in this balancing is the nation’s security. Numerous courts have confirmed repeatedly that national security is at the apex of governmental interests, and the higher the government interest, the greater the intrusion that may be constitutionally tolerated. The countervailing interest is the desire of a U.S. person to communicate freely with foreigners located outside the United States without any prospect of those communications being collected by government surveillance despite that foreigner being a target of foreign intelligence interest to the government. Where the Fourth Amendment reasonableness balance should be struck in this setting produces the entirely supportable conclusion that the incidental collection of U.S. person communications acquired while targeting foreigners located outside the U.S. pursuant to an approved Section 702 certification does not violate the Fourth Amendment.
Perhaps it is the futility of this Fourth Amendment argument, which essentially challenges the constitutionality of Section 702 on its face and has been repeatedly rejected by the courts, that more recently has led opponents, and amici counsel arguing in the FISC, to pursue a different approach. This alternative argument contends that even if the initial incidental acquisition of U.S. person communications using Section 702 authority is constitutional, the subsequent querying of the database containing those unminimized Section 702 communications using a U.S. person query term constitutes a new “backdoor search” that must be separately supported by probable cause. This contention receives its broadest analysis in the 2018 Boasberg opinion where, admittedly, the record before the FISC tempted such an argument because the FBI seems incapable of executing, in practice, querying procedures that Boasberg concluded were constitutionally sufficient as written.
The amici curiae appointed by the court focused on Congress’s requirement in the 2018 FISA Reauthorization Act that the government adopt querying procedures governing access to the Section 702 database and that the FBI, in certain circumstances, acquire a FISC order before querying that database. These changes, they argued, reflected a congressional recognition that FBI queries of the Section 702 database represented new “searches” requiring separate Fourth Amendment analysis. They also insisted that the Supreme Court’s 2018 decision in Carpenter v. U.S. represented a recognition that modern technologies, like the cell site location information at issue in Carpenter, warranted a redefining of Fourth Amendment protections and that querying a database collected using the government’s Section 702 surveillance authority should receive such protection.
Boasberg declined to find that querying the unminimized Section 702 database represents an additional search. In his view, Congress created statutory, not constitutionally mandated, protections with its addition of the querying requirements included in the 2018 FISA Reauthorization Act. He also resisted the invitation to extend the Carpenter ruling to the querying of unminimized Section 702 data, perhaps recalling the Supreme Court’s own insistence that its Carpenter decision was intended as “a narrow one” that specifically did not “consider other collection techniques involving foreign affairs or national security.” Indeed, examined logically, the later querying of data that has been lawfully collected by targeting a foreigner located outside the U.S. pursuant to a FISC-approved Section 702 certification seems to more closely resemble the querying of the Combined DNA Index System (CODIS) database using a lawfully obtained DNA sample, a practice approved by the Supreme Court in Maryland v. King. As in King, a subsequent query of the unminimized Section 702 database searches a repository of information already lawfully in the government’s possession by virtue of having been collected pursuant to a FISC-approved Section 702 certification that complies with the Fourth Amendment.
The public debate over the Section 702 collection program and, specifically, the question of the government’s right to access the communications of U.S. persons incidentally acquired while communicating with foreign Section 702 targets will unquestionably continue if for no reason other than the FBI will almost certainly generate new issues of compliance related to its querying practices. That debate will sharpen each time a new FISC opinion related to its oversight of Section 702 is released in redacted form, and there will be many who will excoriate the FISC for refusing to say no to a history of government noncompliance.
“No,” however, is not among the statutory options that FISA provides to the FISC. Congress recognizes the critical role that authorities like the Section 702 surveillance program play in protecting the nation’s security: producing intelligence product that the House Intelligence Committee has described as “unique, unavailable from any other source, and regularly provid[ing] critically important insights and operationally actionable intelligence on terrorists and foreign intelligence targets around the world.” FISA includes the congressional mandate that the Section 702 program be conducted consistently with the Fourth Amendment. In carefully balancing the nation’s security with its cherished constitutional principles, Congress has fashioned a role for the FISC that calls for oversight, review and correction—rather than termination—when surveillance practices encroach on those constitutional precepts. Viewed from this perspective, the Boasberg opinions of 2018, 2019 and 2020 addressed, and resolved, the compliance issues presented with each of the government’s annual Section 702 submissions precisely as FISA requires.