PCLOB’s Split on FISA Section 702, Explained

On Sept. 28, the Privacy and Civil Liberties Oversight Board (PCLOB) released a comprehensive public report on the surveillance program conducted under Section 702 of the Foreign Intelligence Surveillance Act (FISA). The statute, a powerful tool used by both the intelligence community and federal law enforcement, is set to expire in December. The PCLOB report aims to inform Congress’s debate over whether and how to reauthorize that tool. It marks the board’s second comprehensive treatment of the surveillance authority, carrying forward and updating the factual, legal, and policy findings from the board’s previous report in 2014.

The PCLOB was established by the 9/11 Commission Act of 2007. It is an independent agency in the executive branch that performs an oversight and advisory role in ensuring that “the federal government's efforts to prevent terrorism are balanced with the need to protect privacy and civil liberties.”

FISA Section 702 permits the intelligence community and, in some cases, federal law enforcement to target non-U.S. persons reasonably believed to be located outside the United States for the purpose of collecting foreign intelligence information. To obtain that information, the government ordinarily provides a target’s selector information, such as an email address or telephone number, to the relevant electronic communication service provider, which then sends back communications content and communications metadata associated with the selector. U.S. persons may not be targeted for collection under Section 702; however, U.S. person communications or information are sometimes “incidentally” collected if the non-U.S. person—a lawful target—is communicating with or about a U.S. person.

Intelligence community personnel then perform “queries” to sift through Section 702 data. Similar to searching an email inbox, a query brings forward information that is already acquired; it does not produce new collection. Under the statute, any query by intelligence community personnel must be reasonably likely to retrieve foreign intelligence information or, for some FBI queries, be reasonably likely to return evidence of a crime.

Two types of Section 702-related queries are particularly controversial, and the report unsurprisingly dedicates a significant amount of discussion to them. The first relates to U.S. person queries, which may use terms that identify information associated with one or more U.S. persons. Currently, government personnel may largely access the resulting U.S. person information without a warrant if the query was conducted for foreign intelligence purposes. The second relates to the FBI’s capability to run multiple query terms as part of a single query action pursuant to the same justification, in what is known as a “batch job” query. In 2022, the Foreign Intelligence Surveillance Court (FISC) found that the high numbers of FBI batch queries did not comply with proper querying procedures.

Overview of the PCLOB Report

According to the PCLOB, the report serves as an effort to “better inform public understanding of the [Section 702] program” amid debate in Congress about its reauthorization ahead of the program’s upcoming expiration.

The 225-page (plus four annexes) document comprises five parts, including (a) an introduction that details the board’s investigative methodology, (b) a description and historical background of the Section 702 program, (c) operations and oversight, which details the program’s targeting and querying  procedures as well as oversight and compliance issues, (d) a comprehensive policy analysis, and (e) recommendations for Congress to consider to reduce risks to Americans’ privacy and civil liberties if the surveillance program is reauthorized at the end of this year. 

The five-member bipartisan board—composed of a full-time chair and four part-time members—was unanimous in the view that Congress should reauthorize Section 702, given the value of 702-derived intelligence for national security. The board was also unanimous in the view that the program would benefit from several major reforms, including more robust oversight of and stronger compliance regimes within the intelligence community.

The unanimity ended there.

It’s imprecise to describe the PCLOB release as a “single” report. There are, in fact, two reports. The main report represents the findings and recommendations of a three-member board majority—board chair Sharon Bradford Franklin, board member Edward W. Felten, and board member Travis LeBlanc. Franklin also wrote separately to endorse strengthening the program’s judicial review requirement with a higher “probable cause” standard rather than a lower “reasonably likely” standard. In Annex B of the release, two board members, Beth Williams and Richard DiZinno, critiqued the majority’s analysis and dissented from the report. They offered separate recommendations—as described in more detail below—focused largely on improving organizational and cultural issues at the FBI.

The PCLOB Majority

The majority concluded that the United States is safer with the Section 702 program than without it, but the program presents “serious risks to, and actual intrusions upon, the privacy and civil liberties of both Americans and non-Americans.” The majority’s analysis in Part 4 of the main report followed factual description of 702’s history, statutory structure, operations, and oversight in Parts 2 and 3.

Section 702’s Operational Value

The majority acknowledged Section 702’s significant value as an intelligence collection tool, finding that 702 has been “highly valuable” in protecting the United States from cyberattacks, supporting counterterrorism operations, advancing great power competition, and disrupting instances of weapons proliferation.

The diversity in these national security results amplifies the program’s reach and agility. According to the release, Section 702 holds a distinct national security advantage over other signals intelligence authorities in light of how the collection occurs in the United States with the compelled assistance of electronic communications service providers, with lower legal standards, and without individualized judicial review. As a result, the majority found that 702 is well positioned to extend collection into parts of the world where poor communications infrastructure or a reduced U.S. military footprint may otherwise limit U.S. access and insights.

These factors also helped the majority explain Section 702’s value to national security decision-makers. In 2022, citing the National Security Agency, 59 percent of articles in the President’s Daily Brief (PDB) cited 702-derived information. Despite its favorable inclusion of the PDB statistic, however, the majority was dissatisfied with the absence of a more comprehensive methodology from the intelligence community to articulate the program’s efficacy and recommended the government develop an assessment framework to do so.

Further, the majority assessed that U.S. person queries and batch queries helped enable some of Section 702’s operational results. For example, it noted that U.S. person “victim queries,” which may identify actual or potential targets of cyberattacks or foreign malign activities and facilitate warning or protection, uncovered links between U.S. persons and foreign threat actors, while batch queries permitted quicker and more effective processing of larger sets of identifiers. However, these components also represented majority’s primary areas of privacy concerns

Areas of Concern for the Majority

The majority found that Section 702’s most significant privacy and civil liberties risks arose from U.S. person queries and batch queries. As an initial matter, the board was concerned that it could not wrap its arms around the scope of incidental collection, which is the primary means under 702 through which the government obtains U.S. person information, because the intelligence community has not developed a way to capture or estimate the amount of this data.

Privacy concerns related to U.S. person queries revolve around an absence of individualized approval before accessing potentially sensitive details about a U.S. person who may have no reason to suspect their communications are monitored. The majority notes that government personnel largely are not required “to make any showing of suspicion that the U.S. person is engaged in any form of wrongdoing” before running a query term associated with that person. The query may nevertheless surface highly personal and nonderogatory information about that U.S. person, who “may be in contact with Section 702 targets for business or personal reasons.” (Under Section 702, the government would have incidentally collected the U.S. person’s communication while targeting the non-U.S. person communicant.)

The FBI’s status as a law enforcement organization makes its query practices even more susceptible to privacy risks, in the majority’s assessment, because the FBI often searches Section 702 data during the very early stages of FBI investigations. (The FBI may not be sure that a crime has been committed and, as part of its assessment, may be seeking to learn more about a given individual.) This dynamic creates the risk that “an individual’s private communications will be compiled [in a law enforcement context] despite the lack of any basis to suspect the individual of wrongdoing.” The majority pointed to previous FBI queries related to “social advocacy and non-violent civil protests”—protected First Amendment activities—as evidence of the threats these queries pose to privacy and civil liberties.

The FBI has been required, since 2018, to obtain an individualized court order under Section 702(f)(2) whenever its personnel query 702 information for evidence of a non-national security crime. However, the majority found no evidence the FBI had taken this step.

The majority also identified another primary issue: batch queries. As outlined in Section 702, an analyst may run batch queries to process large sets of identifiers. For example, say the intelligence community acquires the address book from a terrorist’s phone. Querying those stored numbers at once and as a group may more quickly illuminate links among the contacts. However, this dynamic typically involves the use of a “single broad justification” to support a query containing “hundreds or thousands of query terms.” The majority’s position is that, without an individualized assessment for each term, “it is not possible to ensure that the query standard is actually being met and only searches reasonably believed to return evidence of a crime or foreign intelligence are performed.”

The majority also highlighted the extensive risk of incidental or inadvertent collection, given how Section 702 surveillance is targeted and collected. The majority is careful not to call Section 702 a “bulk” collection program, which probably would evoke images of controversial legacy surveillance efforts. However, the majority remains concerned about the risk of overbroad collection because individual targeting decisions for Section 702 surveillance are not subject to judicial review. (The FISC, instead, approves broad targeting procedures contained in annual certifications submitted by the attorney general and director of national intelligence.) The majority noted that the number of non-U.S. persons targeted under Section 702 had increased by 276 percent since 2013. Additionally, the majority flagged privacy risks associated with the current collection methods, which require screening a broader set of traffic transiting telecommunications infrastructure and raise the likelihood that the National Security Agency will collect information inadvertently or incidentally.

The Majority’s Way Forward

Part 5 of the report contains 19 recommendations for Congress and the executive branch to consider alongside reauthorization of Section 702. Recommendations 1-7 endorse statutory codification of several new practices and practices already in place through executive action. For example, Recommendation 1 calls upon Congress to “codify the twelve legitimate objectives for signals intelligence collection under Executive Order 14086.” Recommendations 8-19 are focused on tightening internal compliance, record-keeping, training, leadership, and oversight mechanisms within the intelligence community. For example, Recommendation 15 calls on the FBI to “strengthen its internal Section 702 compliance processes and supplement its internal auditing.”

The majority’s most notable recommendation was number 3, which calls on Congress to require the FISC to review and approve U.S. person query terms before the government can access the results of any U.S. person query. This recommendation represents the sharpest departure from current Section 702-related practices.

More specifically, the majority recommends that FISC approval rest on a “reasonably likely to retrieve” foreign intelligence or “reasonably likely to retrieve” standard, which resembles the query standards that the intelligence community currently uses. This standard of review represents a compromise among the majority’s ardent belief in individualized and particularized judicial review for all U.S. person query terms, the practical benefits of a consistent standard across all types of queries, and recognition that a higher standard (probable cause) may not fit foreign intelligence contexts.

The board also recommended that Congress carve out two exceptions to this rule: first, an exception allowing the government to bypass FISC approvals with the consent of the subject of the U.S. person query; and second, an exception for exigent circumstances, modeled on other emergency order provisions within the FISA statute. For example, under 50 U.S.C. § 1805(e), the attorney general “may authorize the emergency employment of electronic surveillance” for up to seven days while simultaneously applying for a judicial order. The majority likely envisions a similar limited exception within Section 702 that would allow the attorney general to bypass the FISC in viewing the results of a U.S. person query during an emergency situation.

Statement of PCLOB Chair Franklin

In Annex A of the release, PCLOB chair Franklin wrote separately solely to urge strengthening of Recommendation 3. She believes that Congress should require a probable cause standard—rather than a “reasonably likely to retrieve” standard—for U.S. person queries conducted by the FBI, at least in part, to seek evidence of a crime. Franklin’s reasoning centers on a view that current query rules within an agency “are insufficient to compensate for the lack of individualized judicial review at the front end of Section 702 collection,” where the incidental collection occurs, because the Fourth Amendment would ordinarily demand some judicial review before the government searches through the seized communications of an American. She suggested extending the current warrant requirement that Congress created in 2018 under Section 702(f)(2), which requires the FBI to obtain a court order whenever its personnel query 702 information for evidence of a non-national security crime, to cover all FBI U.S. person queries conducted at least in part for evidence of a crime.

In other respects, Franklin found Recommendation 3 sufficient, especially those aspects “that are designed to reduce the burden on the government and the FISC.” She also concurs with the majority’s exigent and consent exceptions and that a lower standard is appropriate where the government searches 702 databases solely for foreign intelligence information.

Statement of Board Members Williams and DiZinno

In Annex B, board members Williams and DiZinno wrote that they found the majority’s analysis “deeply flawed” at various points and voted against issuing the main report.

Williams and DiZinno attribute much of the present-day controversy to compliance issues rooted in FBI practices. They view the primary 702-related challenges inherent in organizational and cultural shortcomings, rather than broader issues with the law itself. They also believe Americans would draw relief from the fact that Section 702 has not produced “improper collection of U.S. person data”—which is often a major concern associated with government surveillance programs. This outcome, they say, is “thanks largely in part to stricter requirements from Congress, the attention of the privacy advocacy community, and ... innumerable compliance officers and other watchdogs.”

Williams and DiZinno seek to counter most points in the board’s analysis but concentrate their attention on the board’s Recommendation 3. Here, they push back against the warrant requirement for four main reasons:

1. The requirement threatens to diminish 702’s core value by slowing the research and analysis process that allows intelligence community personnel to quickly identify links between foreign threats and U.S. persons, especially because the requirement applies to U.S. person queries that return results.
2. The requirement would create confusion by leaving unclear what collection of information would be sufficient to support a submission to the FISC under a reasonably likely to retrieve foreign intelligence standard.
3. A warrant may reverse long-standing gains in tearing down the “wall” between intelligence and law enforcement.
4. The proposed exceptions to the preapproval requirement are infeasible. For example, investigators seeking the consent of U.S. persons may not know, during the early stage of an investigation, whether those subjects are victims or co-conspirators of the foreign action.

Williams and DiZinno acknowledge the FBI sits at an inflection point, writing that rebuilding trust in the bureau and larger intelligence community will require “a thorough change of culture, and a better organization.” They translate their focus on FBI institutional dynamics to the recommendations they layout. Their first set of recommendations aim to reform the FBI’s structure, in part, by elevating the role of its Civil Liberties and Privacy Office, mandating more rigorous justification and approval requirements for FBI U.S. person queries, and bolstering FBI internal audit procedures.

Their second set of recommendations look more broadly across the intelligence community with an eye toward preventing misconduct. They envision giving Congress an opportunity to regularly review “sensitive queries,” such as those involving political actors, journalists, and “others involved in protected First Amendment activities.” With these recommendations, congressional oversight, rather than judicial review, would become the primary safeguard against political misuse of FISA data. Along these lines, Williams and DiZinno support more stringent policies to “unmask” U.S. persons and a new criminal statute with “significant penalties for those who leak protected Section 702 information concerning U.S. persons.”

***

The split nature of the board’s report underscores long-standing divergences around Section 702 issues. The majority’s endorsement of a warrant requirement represents a win for privacy and civil liberties advocates, who have historically been troubled by the government’s ability to run U.S. person queries against 702 data without judicial review. The Biden administration, deeply skeptical of a warrant requirement, is likely to emphasize its ongoing efforts to improve the FBI’s culture and compliance, similar to the reforms put forward by Williams and DiZinno. However, with Section 702’s Dec. 31 expiration date looming, these debates must soon move beyond the philosophical realm. The recommendations of both the board’s majority and minority may emerge as key framing devices in the coming reauthorization negotiations.