Published by The Lawfare Institute
in Cooperation With
Over the past several months, the Biden administration has furiously defended Section 702 of the Foreign Intelligence Surveillance Act (FISA 702), even as Congress seems potentially poised to overhaul the warrantless surveillance law. The government’s arguments have focused largely on a straightforward premise: FISA 702 is highly valuable for a range of national security priorities. But this fails to address a basic issue: Will the value of FISA 702 be meaningfully inhibited if Congress enacts substantial reforms? At a recent Senate Judiciary Committee hearing, government witnesses were forced to confront this question head on, and their responses (detailed below) indicated that the answer is a resounding no. The government’s objections to reforms—particularly a warrant requirement for FISA 702 U.S. person queries—are paper thin.
FISA 702 authorizes the government to compel U.S.-based companies to disclose communications and data without warrants or individualized court approval for data demands. Targets of this surveillance must be persons reasonably believed to be foreigners abroad but need not be suspected foreign agents or wrongdoers. Last year there were over 246,000 targets. This surveillance results in the collection of likely millions of Americans’ communications whenever they interact with a Section 702 target. Government personnel—including the FBI for domestic law enforcement purposes—can then conduct queries for Americans (using their names, or identifiers such as email addresses, IP addresses, and Social Security numbers) to pull up their private communications acquired from FISA 702. Under current law, a warrant is practically never required for such queries. This standard exists despite the fact that if the government had sought the same content directly from the communications provider, it would have to have a warrant based on probable cause. And it’s led to serious abuse: In recent years, the FBI has conducted queries of over 100 Black Lives Matter protesters, a batch of 19,000 political donors, a U.S. congressman, a local political party, journalists, political commentators, victims of crimes, and relatives of the personnel conducting queries. With FISA 702 set to expire at the end of the year, Congress is considering an array of significant reforms, most notably a warrant rule for U.S. person queries.
In their testimony, the government representatives from the intelligence community offered only limited indications of how U.S. person queries in particular (as opposed to FISA 702 surveillance in general) provide value. Most support was couched in vague terms, describing U.S. person queries as something that can “help us detect and evaluate connections” and “can identify links between foreign threats and those inside the United States.” The government cited only three concrete examples (two in its written statement and a third in testimony during the hearing) of how U.S. person queries provided security value:
The FBI used U.S. person queries to gain information on a foreign government’s kidnapping and assassination plots, contributing to the FBI’s disruption of these plots.
The FBI used U.S. person queries to discover that Iranian hackers were researching and likely targeting the former head of a federal department.
The FBI conducted U.S. person queries following a cyberattack against a critical infrastructure company; this provided information on the source of the attack (Chinese hackers) and how they compromised the system, helping to mitigate the attack.
At first blush, one might look at these examples and say, “Well what’s the risk there—it sounds like they were just querying potential victims to help them?” But there is no victim exception in the Fourth Amendment for a reason: As I’ve written before, “defensive” searches have been weaponized for decades as a pretext for some of the United States’ worst surveillance abuses. And many of the most troubling known examples of improper U.S. person queries—one of a group of 19,000 political donors, another of a U.S. congressman—were ostensibly conducted to guard against foreign influence operations. Even when queries are connected to potential victims, probable cause and independent oversight are key to preventing misconduct.
And despite spurious claims from the FBI, a query being centered on a victim would not preclude obtaining a warrant to conduct that query. The standard for Title III warrants that a query rule could be based on sets a probable cause standard for returning evidence of a specified crime, not probable cause that the individual to be monitored committed the crime (18 U.S.C. § 2518(3)). Thus, so long as there is probable cause the query would return information about a malicious hacking operation or some other crime, the probable cause standard could be met even if the victim rather than the perpetrator is the focus of the query. And in individual cases—such as an ongoing attack against an entity like Colonial Pipeline—consent could be obtained to bypass the warrant requirement.
In the three cases the government cited, it provided no argument or evidence that placing safeguards on querying (notably a warrant rule) would have prevented that value from being obtained. This shouldn’t be shocking. There is a huge difference between requiring a warrant as a precursor to U.S. person queries and actually prohibiting queries. It’s a distinction worth highlighting because during the hearing, Assistant Attorney General Matt Olsen claimed during a colloquy with Sen. Jon Ossoff (D-Ga.) that a warrant rule would “simply wall off the FBI” from seeing and using FISA 702-acquired information.
But lawmakers are not choosing between a binary of either rebuilding “The Wall” (a term for the pre-Sept. 11 practice of strictly siloing data between agencies) where key intelligence is actually blocked off, or continuing the status quo of dangerously unrestricted access. Surveillance in America—from searching a desk of letters to wiretapping a phone to collecting emails and texts—is built around the premise of warrants preempting efforts to deliberately read individuals’ communications without judicial authorization. That principle can and should apply to seeking out Americans’ communications acquired (without any warrant) from FISA 702. And while Olsen repeatedly emphasized that queried communications were “lawfully collected,” it would be outlandish to claim that once the government possesses data, there should be no restrictions on accessing it. The regular adoption of minimization rules that limit access to data in the government’s possession demonstrates how extreme such a theory is: Such rules have been in place to govern electronic surveillance for over 50 years, and the text of various provisions of FISA (including FISA 702) explicitly requires that they be adopted.
While warrants don’t wall off access to information, they are (by design) an obstacle making it harder to access Americans’ most private information. So it’s worth asking whether this obstacle would be too onerous for the government to bear in the context of FISA 702 U.S. person queries.
The Senate Judiciary Committee hearing did not provide any strong indications this was the case. Although the potential for a warrant requirement was discussed at length, at no point did any of the government witnesses claim that such a rule would have posed a significant obstacle in the three cases cited where U.S. person queries provided value. The only objection that the probable cause standard could be challenging to meet came not from a real-world scenario, but from a hypothetical situation first posed by Sen. Lindsey Graham (R-S.C.) and later latched onto by Olsen: What if the military obtained a phone belonging to a suspected terrorist abroad and that phone had a set of 30 U.S. persons’ phone numbers?
As Olsen noted correctly, with just this information, there wouldn’t be probable cause to justify a query requiring a warrant for those U.S. persons. But this scenario would be the start, not the end, of an investigative effort. Those U.S. persons’ information would certainly be relevant to an investigation, and therefore the government could quickly obtain their communications records prospectively with pen register/trap and trace orders. It could also use National Security Letters to compel production of financial and transactional information along with a host of other records. If the numbers could be associated with specific persons, the FBI could obtain passport information to review any suspicious activities. It could search internal databases maintained by the FBI (such as the Terrorist Screening Database and National Crime Information Center) and National Counterterrorism Center for relevant information acquired from sources and methods other than FISA 702. It could scour publicly available social media posts and connections. It could pull records and data from fusion centers. All of these methods could simultaneously provide the necessary evidence to obtain a probable cause warrant for a FISA 702 query, while also filtering out innocent individuals.
While these additional steps could be undertaken immediately, would they take too long? When highlighting the hypothetical, Olsen stated that “with time being of the essence,” the FBI would want to conduct FISA 702 queries right away, implying this was the case. But later in the hearing when Sen. Peter Welch (D-Vt.) pressed this point—saying, “My telephone number is on a telephone that’s been captured on the battlefield, but there’s no urgent matter that has to proceed with action. What’s the problem with providing a continuation of the warrant protection that is available to all U.S. citizens outside of FISA?”—Olsen had no answer, pivoting instead to a description of FISA 702 targeting rules. There’s nothing about the hypothetical indicating instant need that precludes engaging in the basic investigative activities.
Of course, it’s always possible to invent a ticking time bomb scenario with alarming urgency that doesn’t leave time to get a warrant from a judge where a U.S. person query is the critical puzzle piece that no other investigative tools could provide. But when the stakes are so high for civil rights and civil liberties as well as national security, it’s best to base policy on real-world scenarios, not Jack Bauer fanfiction. And if there genuinely were any scenarios of imminent threats in the future that queries are needed to address, both criminal and foreign intelligence warrant requirements provide an exception for emergencies.
A warrant rule won’t stop the government from using FISA 702 to guard against foreign actors and malicious cyberattacks. It will, however, stop the government from using FISA 702 to deliberately pull up the communications of Black Lives Matter protesters and thousands of political donors. If Congress reauthorizes FISA 702, it needs to do so with legislation that protects both security and civil liberties by establishing a warrant requirement for U.S. person queries.