Intelligence Surveillance & Privacy

Three FISA Authorities Sunset in December: Here’s What You Need to Know

Robert Chesney
Wednesday, January 16, 2019, 12:50 PM

Thought we were done with surveillance-law debates, at least for a few years? Not by a long shot. A sunset is looming for three provisions of the Foreign Intelligence Surveillance Act. What’s at stake? Here’s a guide to prep you for the eventual legislative battle.

Which three authorities are in issue?

The Prettyman Courthouse in Washington, where the Foreign Intelligence Surveillance Court meets. (Credit: Wikimedia)

Published by The Lawfare Institute
in Cooperation With

Thought we were done with surveillance-law debates, at least for a few years? Not by a long shot. A sunset is looming for three provisions of the Foreign Intelligence Surveillance Act. What’s at stake? Here’s a guide to prep you for the eventual legislative battle.

Which three authorities are in issue?

  1. The “business records” provision (known variously as Section 215 of the USA Patriot Act of 2001, FISA Section 501, or simply 50 U.S.C. §1861)
  2. The “roving wiretaps” provision (also known as Section 206 of the USA Patriot Act of 2001, FISA Section 105(c)(2)(B), or simply 50 U.S.C. §1805(c)(2)(B))
  3. The “lone wolf” amendment to the FISA definition of “agent of a foreign power” (or Section 6001 of the Intelligence Reform and Terrorism Prevention Act of 2004, FISA Section 101(b)(1)(C), or simply 50 U.S.C. §1801(b)(1)(C)).

When exactly is the sunset?

Dec. 15, 2019. (You know, National Cupcake Day!).

Let’s take these three in order, starting with the one most-often called “Section 215” or simply the “business records” provision.

What is the status quo?

Section 215 authorizes the Foreign Intelligence Surveillance Court, or FISC, to issue an order for third parties to produce specific “tangible things (including books, records, papers, document, and other items)” when the FBI has made certain showings. The details are many and complex, but here are the basic mechanics:

First, FBI must be conducting one of three types of investigation:

1) a “foreign intelligence” investigation (but only if the investigation does not concern a US person);

2) an investigation “to protect against international terrorism” (whether targeting a US person or not); or

3) an investigation to protect against “clandestine intelligence activities” (whether targeting a US person or not).

Second, FBI must identify a “specific selection term,” or SST, that will lend focus to the request. An SST is something that specifically identifies a person, like an account, an address, a device, etc. It cannot be something the might encompass many such signifiers (so, no zip code, area code, city name, name of an entire communication service provider, etc.). The point of the SST is provide an individualized focal point for the requested production of tangible things.

Third, FBI must provide a statement of facts sufficient to show “reasonable grounds” to think the “tangible things” requested are relevant to the aforementioned investigation. Note that this does not mean that the person to whom the records pertain is itself the target of the investigation; often that will be the case, but in some instances the records of other persons might well be relevant to the larger investigation in some fashion. Note, too, that the statute specifies that certain facts are presumptively-sufficient to satisfy the relevance test. This is true, for example, for the situation in which the requested things pertain to a foreign power, to an agent of a foreign power, or to a person who is “in contact with, or known to, a suspected agent of a foreign power.”

Pause here for an important question: Can Section 215 still be used for bulk telephone metadata collection?

As you may recall, Section 215 first attracted attention when it became public that the FISC had been granting orders under color of this statute authorizing phone companies to provide the government with bulk records of telephone metadata (i.e., which numbers called which numbers). The theory was that having such a comprehensive data haystack on hand could count collectively as “relevant” to a terrorism investigation since a fulsome haystack could then be queried for “contact chains” when, from time to time, the government obtained a terrorism-related phone number. Well, Congress intervened in 2015 with the USA Freedom Act, which tweaked Section 215 on this dimension. The statute can no longer be read to enable such bulk production of data. On the other hand, the statute does provide for a limited replacement method of pursuing the contact-chain concept. Here’s how it works:

Section 215 can be used to request production of call-detail records (CDRs) on an ongoing basis when the following conditions are met: First, there must be an international terrorism investigation. Second, FBI must have facts establishing “reasonable, articulable suspicion” (abbreviated RAS) that a particular selection term is associated with a foreign power (or agent thereof) engaged in international terrorism (and must have reasonable grounds to think that getting the CDRs associated with that selection term is relevant to that investigation). In that case, the production order is good for 180 days. And, in a weakened echo of the earlier authority, Section 215 also specifies that the government also may have the CDRs of any other SST that turns out to be in direct contact with the initial one (that is, the government gets one extra “hop” of CDRs beyond the seed (RAS-supported) SST).

Fourth and finally, FBI must specify to the FISC the minimization procedures to be used with respect to limiting retention and dissemination of the things produced.

What happens in the event if the provision expires without renewal in December?

In the event of a hard sunset, the situation reverts to the status quo as it was all the way back on October 25, 2001—i.e., prior to the passage of the USA Patriot Act. (Topping the billboard charts that week? J-Lo & Ja Rule with “I’m Real.”)

What does that mean in practical terms? At that time, the business records authority existed but had a much narrower scope along a few dimensions.

First, the FISC could authorize production of records only from entities that count as common carriers, public accommodation facilities, storage facilities, or vehicle rental facilities (in contrast to the status quo, which does not contain limits involving the type of entity holding the information).

Second, the government back then was obliged to limit its requests to situations in which the information sought directly concerned the investigative target. That is, the government had to have “specific and articulable facts giving reason to believe that the person to whom the record pertains is a foreign power or agent of a foreign power.” As noted above, the current version of Section 215 merely requires the more-general “reasonable grounds/relevance” standard and, in any event, does not require that the records actually pertain to the target as such.

Predictions for the eventual debate?

There are many points of potential friction in the Section 215 debate, of course. Some would very much like to chop back the authority at least to its pre-Patriot Act levels, and others would just as much like to restore it to its pre-Freedom Act levels (or at least the version of those levels that the FISC accepted for a time). Neither of those outcomes is likely, though. More likely, we’ll see either an extension of the current provision, or perhaps some (comparatively minor) tweaks. That said, an episode in summer 2018 hints at the possibility of something more dramatic occurring:

We likely will hear quite a lot about the June 2018 revelation (revealed by NSA, notably) that various companies providing CDRs under the USA Freedom Act model turned out to be providing some CDRs they should not have. NSA found that it was not technically feasible to correct that problem, and—quite remarkably—announced that it therefore would conduct a dramatic minimization in response: It just deleted all the CDRs it had acquired under this authority since 2015. As David Kris noted at the time, this implied that there was not great value in the data even from NSA’s perspective, and thus the question arose whether the whole elaborate (and politically sensitive) mechanism was “worth the squeeze.” Well, as David predicted, the sunset likely will force that question.

Let’s turn now to Section 206 Roving Wiretaps.

What is the status quo?

This topic concerns electronic surveillance orders (i.e., orders authorizing monitoring the content of electronic communications) issued pursuant to FISA Title I—that is, traditional FISA “wiretap” orders. More specifically, it concerns the question of whether it is desirable—and in any event whether it is constitutional—for such orders not to specify the particular phone number or other selector that is to be monitored (while still being specific to a particular target, however).

Much like the more-familiar category of warrants issued for law enforcement purposes, FISA orders for electronic surveillance raise questions about which particulars must be specified in the warrant (and thus must be presented in the government’s application in the first place). As a general matter, the answer to that question is a function of both the Fourth Amendment and of applicable statutes (“Title III” in the case of law enforcement investigations, FISA in the case of foreign-intelligence collection).

Bearing that in mind, let’s first take note of the Fourth Amendment. It requires that all searches be “reasonable” and that warrants shall not issue except “upon probable cause … and particularly describing the place to be searched.” Note that last bit—the “particularity requirement” as it is known. Does it preclude an otherwise-sufficient warrant that refers not to some particular cell-phone number but, instead, broadly to any cell-phone number the target of the search may use? That issue has come up in the law enforcement setting because the relevant statute in that context—“Title III”—contains a “roving wiretap” option for situations in which the target is taking steps to defeat surveillance (such as cycling through burner phones). Courts have allowed this in the face of a Fourth Amendment challenge, reasoning that it is a clear who the target is and thus, even with a burner phone scenario, there still is relatively little risk of the government accidentally tapping the wrong number.

Should the same result attach in the FISA setting? The question was moot for quite some time, because FISA itself did not allow for roving/multi-point surveillance orders for many years. But that changed with Section 206 of the USA Patriot Act in 2001. The statute now permits roving wiretaps. Further, in keeping with the concept that some targets will cycle through communication devices and, thus, in some cases they’ll quickly cycle through different communication providers as well, FISA also now provides an option for the FISC to require technical assistance in implementing the surveillance without actually having to pre-identify the entity that will provide said assistance.

What happens if it is not renewed?

If Section 206 terminates, FISA orders will revert to the pre-Patriot Act standard, with two major differences as noted above:

First, FISA orders will need to specify particular facilities what will be subjected to electronic surveillance. Thus in the event that a target rotates rapidly through devices, it would be necessary to (attempt to) rotate rapidly through a series of corresponding applications and orders matching them.

Second, FISA orders that call for technical assistance would need to name specific third parties to provide that assistance, and this too might require rapid renewal and alteration of applications and orders.

Predictions for the eventual debate?

A complete rejection of roving wiretap authority is not just unlikely, but nearly inconceivable given that the authority exists under Title III. There may be some debate about whether the constitutionality of the roving approach extends beyond the criminal investigative context to the foreign-intelligence collection context (a counterintuitive notion at first blush, but one that makes a degree of sense given that, in some cases, the FISA order in question might involve a specific-but-as-yet-unnamed target). I’m doubtful that the point will have traction in Congress, however, and it is worth bearing in mind it will be met by the counterpoint that some courts have concluded that foreign-intelligence collection as a category should not be subject to the warrant requirement but rather must merely satisfy the Fourth Amendment “reasonableness” baseline. At any rate, absent a clear and accessible illustration of abuse over these many years, we are not likely to see significant change on this front (unless other factors cause Congress to fail outright in meeting the sunset deadline, quite apart from views on the merits).

Finally, let’s look at the Lone Wolf amendment to the “agent of a foreign power” definition in FISA

What is the status quo?

This one is, very much, a story about the once-familiar story of Zacarias Moussaoui. Moussaoui was a French citizen in the United States before 9/11 who came under suspicion based on odd behavior at a flight school (wanting to learn to pilot large commercial aircraft without interest in takeoffs or landings). He was detained on immigration charges, and investigators were eager to examine the contents of his laptop. They had a strong suspicion of terrorism and sought to obtain a FISA order to enable the search. But though there was no small amount of reason to suspect him of being a foreign Islamist extremist who entered the country to carry out a terrorist attack of some kind involving a plane, FBI did not have information to support a showing that he was an agent of some specific foreign power (whether al-Qaeda or some other discrete organization of a similar kind). Simply put, FISA Title I surveillance orders at that time could not reach a foreign person who was inspired by but not actually an agent of a foreign terrorist organization, let alone a foreign person who perhaps was acting entirely on a lone-wolf basis.

Whether the available information at that time should have been enough to prove something more or whether this would have led to a chain of events unraveling the 9/11 plot are not the points here (the 9/11 Commission was equivocal on this point). What matters is that the post-hoc analysis of the episode inclined in that direction, and this generated strong interest in tweaking the scope of the foreign power/agent of a foreign power definition so as to align it with the perceived lesson of the Moussoaui scenario. And so the Intelligence Reform and Terrorist Prevention Act of 2004 (IRTPA, which was in significant part a legislative response to the recommendations of the 9/11 Commission and gave rise to, among other things, the ODNI structure) included just such a change. Now, the definition of “agent of a foreign power” includes a stand-alone scenario in which the target is a non-U.S. person who “engages in international terrorism or activities in preparation therefore” (note that it also has a similar lone-wolf clause keyed not to international terrorism but instead to “international proliferation of weapons of mass destruction, or activities in preparation therefore”).

What happens if it is not renewed?

It’s simple: If this provision expires, then in future cases involving non-U.S. persons suspected of involvement in international terrorism, the FISA Title I option will require probable cause showing the person to be acting on behalf of a particular entity engaged in international terrorism.

What is at stake with this change, in practical terms?

Bearing in mind the extent to which terrorism associated with Sunni Islamist extremism tends to be assimilated to specific terrorist organizations (al-Qaeda, the Islamic State, etc.), as well as the fluidity of definitions and understandings involving the organizational boundaries of such groups (see my 2012 article on this point), it is tempting to assert that little would be lost by elimination of the lone-wolf pathway to FISA coverage in foreign-terrorist scenarios. But in my view, this would be unwise in light of extent to which terrorism based on inspiration rather than direction-and-control has risen to prominence. That’s the current center of gravity with respect to foreign political violence (note that domestic political violence is of course an important topic, but by definition it is not one that plausibly comes within reach of FISA). Nor would drawing such a line make a great deal of sense from a conceptual perspective. A foreign person who is inspired to violence by the Islamic State and comes into the United States for that purpose, but who is not in actual contact with Islamic State personnel, can be every bit as much a foreign-intelligence concern as one who is a formal Islamic State agent. Unless one has such a sharp attachment to Westphalianism that one might well also object to including in FISA discernible non-state actors like al-Qaeda or the Islamic State themselves (on the ground that “foreign intelligence” somehow should be limited to the actions and capabilities of sovereigns), it would seem rather arbitrary to exclude from FISA’s reach foreign individuals lacking larger, already-known organizational ties; it’s the “foreign” nature of the intelligence that ought to loom largest. At any rate, change on this front seems quite unlikely.

Robert (Bobby) Chesney is the Dean of the University of Texas School of Law, where he also holds the James A. Baker III Chair in the Rule of Law and World Affairs at UT. He is known internationally for his scholarship relating both to cybersecurity and national security. He is a co-founder of Lawfare, the nation’s leading online source for analysis of national security legal issues, and he co-hosts the popular show The National Security Law Podcast.

Subscribe to Lawfare