Reflections on Renewing and Reforming FISA Section 702

More than 70 years ago, U.S. Supreme Court Associate Justice Robert Jackson wrote, “The purpose of the Constitution was not only to grant power, but to keep it from getting out of hand.” Since the revelation in the 1970s of decades of abuses of national security authorities by the executive branch, Congress has endeavored, under the Constitution, to regulate certain aspects of the executive branch’s collection of foreign intelligence information. Congress has tried not only to grant such power to the intelligence community to protect the country from hostile foreign threats but also to keep that power from getting out of hand. One of the main ways it has done so is through the Foreign Intelligence Surveillance Act of 1978 (FISA), which it has amended numerous times over the years.

As Lawfare readers know, an important part of FISA, known as Section 702, expires at the end of 2023. The government has made a strong case that Section 702 provides a large volume of critically important intelligence information about topics such as terrorism, cyber, and counternarcotics. Congress enacted Section 702 in 2008 to empower the government to target non-Americans located overseas to acquire foreign intelligence information by compelling U.S.-based electronic communications service providers to turn over the contents and metadata of accounts and other selectors associated with those targets. Because those targets sometimes talk to or about Americans, it’s well understood that the government obtains, searches for, and reviews the incidentally collected communications of Americans. This is completely lawful. Even though it is a warrantless surveillance program, Section 702 is constitutional because the searches it authorizes are reasonable in light of the structure and purpose of the law.

But the government doesn’t always follow the law, unfortunately. The government has self-reported that it has repeatedly misused its authority to search the communications of Americans that it has incidentally obtained under Section 702 authority. Notwithstanding those violations of law, Congress has little choice but to renew Section 702 because the collection it authorizes is so valuable and there is no viable alternative to it right now. The hard question is what to do about the government’s violations and how to substantially reduce or eliminate them while maintaining the vital Section 702 collection authority. 

The government has said that many of the violations resulted from misunderstandings about the rules. If true, that highlights that Section 702 itself, and all the procedures and rules that it requires or that flow from it, are very complex and that following them requires significant compliance resources. It is by no means an elegant or model piece of legislation.

One obvious, and much discussed, solution for the violations would be to require the government to obtain a warrant before it could search its database of Section 702-collected information to find information about Americans, except in limited emergency circumstances. These searches are typically referred to as “U.S. person queries.” Imposing a warrant requirement for all such queries would certainly enhance the protection of the privacy rights of Americans. But would it come at too high a cost in terms of protecting the safety of Americans such that Congress should focus on other reforms to address the violations?

The executive branch clearly thinks so. It has raised several objections to the U.S. person query warrant idea, such as (a) it would not be able to meet a probable cause standard required for warrants, (b) it would not have the speed and agility it needs to respond quickly to aggressive and adaptive foreign adversaries, and (c) the volume of queries would overwhelm the system. There are ways Congress could address all of those issues, but doing so would not be easy or cheap, especially in addressing the volume problem. And they may not be successful in all instances, thus exposing the country to security risks.

First, probable cause. It’s important to remember that probable cause is fundamentally about the level of factual predication that exists to support a proposition. A criminal search warrant may be issued, for example, if there is probable cause to believe that the person or place to be searched contains evidence of a crime; contraband, fruits of crime, other items illegally possessed; or instrumentalities used in committing a crime. A FISA wiretap order, in contrast, may be issued if there is probable cause to believe that, among other things, the target is a foreign power or an agent of a foreign power. Thus, it seems Congress could craft a set of workable criteria for the government to meet under a Section 702 probable cause standard for U.S. person queries. Simultaneously, Congress should make sure that the government is not interpreting that standard too narrowly. For example, if an American’s phone number or email address is in the contact list or pocket litter of a terrorist picked up on a battlefield somewhere, that should be sufficient probable cause to query that person’s phone number or email address in the Section 702 database. Nevertheless, there may be instances in which the government cannot meet a probable cause standard. That is a risk Congress will be responsible for if it establishes a warrant requirement.

Second, the speed and agility question can be addressed by Congress authorizing a sufficient number of officials to approve queries on an emergency basis, with a full application to the FISA court to follow within a specified short period (for example, seven days). This is analogous to other FISA emergency provisions, some of which have existed since 1978. By way of comparison, during 2001-2007, the quality and volume of highly actionable intelligence information that the government obtained using “traditional FISA”—with its probable cause requirement and emergency provisions—far outstripped the usefulness of the intelligence information produced by the large but largely ineffective warrantless Stellarwind program (a predecessor to Section 702). The U.S. military and intelligence community operationally dismantled al-Qaeda, but it wasn’t because of Stellarwind. It was, in significant part, because of collection pursuant to warrants. Because of this work, many terrorists are dead, and many Americans are alive. In my experience, focused and well-thought-out collection easily beat widespread and bulk collection efforts. In its efforts to get Section 702 renewed, the government has said that such warrant-based collection was “legally unnecessary.” The government is wrong about that—it’s misinterpreting various provisions of FISA, especially regarding the FISA court’s jurisdiction—and clearly hasn’t thought through the downstream consequences of the “legally unnecessary” assertion (such as what to do about data obtained pursuant to orders the FISA court had no jurisdiction to issue).

Third, the volume and workload issues are substantial, and the government is right to worry about them. Congress needs to take those concerns seriously. In 2022, the FBI made approximately 120,000 U.S. person queries, with other authorized agencies making a few thousand more. If that is the right level of work to think about going forward, that translates to more than 300 queries every day, including weekends. The FISA system could not handle that volume right now. Congress would have to appropriate significant additional funds to the Justice Department, the intelligence community (especially the FBI), and the judiciary if it imposed a warrant requirement (otherwise, it won’t work). Even so, that would be a lot for the Justice Department to manage and I’m not convinced they could do it. 

To address both the volume issue and the speed and agility issue, one other option is that Congress could empower the government to query Section 702 databases for U.S. person information on its own authority and then seek after-the-fact approval from the FISA court within a week (the current standard for traditional FISA orders following an emergency authorization). In other words, Congress could create an ex post warrant system rather than an ex ante one. One way it could be structured is that designated officials in the government would approve the queries, the Justice Department would file an application with the court within seven days (probably covering numerous queries), and the court would then approve or disapprove the queries. A tough question is what to do if the court disapproved a query–there are parallels in existing parts of FISA to situations involving emergency approvals that could provide a model here. Or the court could reject a query and submit a report to Congress. The government would be incentivized to make queries it was confident the court would approve, which would likely reduce their number, something that might have both costs and benefits. To be sure, an ex post warrant system  would not be as protective of the civil rights of Americans and would pose security risks, but it may be an unsatisfying compromise solution to a difficult problem.

Persuading Congress to renew Section 702 without a warrant requirement may not be possible. Many in Congress and the public do not trust the executive branch, especially the FBI . The government has already adopted several internal reforms, and executive branch advisory panels have sensibly recommended others, but those internal reforms are unlikely to carry the day. As Chief Justice John Roberts said in Riley v. California, “the Founders did not fight a revolution to gain the right to government agency protocols.” In addition to Section 702 abuses, the FBI has also had widespread accuracy failures with its traditional FISA applications (some of which occurred on my watch and for which I bear some responsibility). And many view the Justice Department and the FBI as untrustworthy partisans as a result of the investigations of Hillary Clinton, Donald Trump and Russia, Jan. 6, Hunter Biden, and more. No number of internal and external reviews (also here) have seemed to dispel that notion. There is also a strong perception—which I share—that people at the FBI have not been held sufficiently accountable for some of their actions related to FISA. 

But Congress needs to renew Section 702 to protect the country. If it decides to amend the law by adding a warrant requirement to achieve that result, then it needs to do so carefully so that it does not put the safety of Americans at risk. It will also need to appropriate substantially more funds and provide flexibility to the very agencies about which it has deep concerns. But it should not punish the nation for the real or perceived sins of the FBI or the rest of the executive branch. And Congress will need to take responsibility for the national security risk associated with the imposition of a warrant requirement in this arena. To quote Chief Justice Roberts, again from Riley, “Privacy comes at a cost.” If Congress imposes a warrant requirement, the questions will be what will that cost entail and who will pay it.