
Unpacking the President’s Intelligence Advisory Board FISA 702 Report

Jake Laperruque
Tuesday, August 22, 2023, 10:01 AM
The board’s public report on FISA 702 misses the mark on the critical issue of U.S. person queries.

Published by The Lawfare Institute in Cooperation With Brookings

On July 31, the President’s Intelligence Advisory Board (PIAB) issued a report on Section 702 of the Foreign Intelligence Surveillance Act (FISA 702). The public release of the report was notable, as PIAB reports are generally kept private and are used only for internal deliberations. The report acknowledged problems with agency compliance with Section 702 requirements, analyzed potential reforms, and made a series of recommendations. The PIAB—an independent executive staff agency tasked with advising the president on intelligence issues—is composed of experts in various fields and is staffed by detailees from intelligence agencies. However, unlike the Privacy and Civil Liberties Oversight Board and the President’s Review Group established in the wake of the Snowden disclosures, the PIAB does not include members or staff from a civil rights and civil liberties background. 

FISA 702 is set to expire at the end of this year, and the past months have featured robust debate about whether or not Congress should renew the provision. Some of the report’s conclusions could help move the debate on FISA 702 forward; however, its recommendations regarding the key issue of U.S. person queries fall short of needed reform and are unlikely to help bring about a resolution. 

Falling Short on U.S. Person Queries

While many important reforms are needed as part of a FISA 702 reauthorization, the issue of U.S. person queries—and potentially instituting a requirement to obtain court approval for conducting those queries—has been central to this year’s debate. U.S. person queries involve deliberately seeking out U.S. persons’ communications by using various “selectors” (names, email addresses, Social Security numbers, and so on) as search terms to pull up items gathered under FISA 702, all without the court oversight and approval that is standard for direct surveillance of Americans. Unfortunately, even while acknowledging serious misconduct involving U.S. person queries, the PIAB recommendations to address wrongdoing in this space fall short.

Specifically, the report recommends that the FBI’s power to conduct warrantless U.S. person queries of FISA 702-acquired data should remain in place when the query is conducted for foreign intelligence purposes and in criminal investigations related to national security. This would be a small change compared to current law—which offers four categories for warrantless U.S. person queries—and wholly unresponsive to the main area in which U.S. person queries have been abused in recent years: queries ostensibly conducted for foreign intelligence purposes. 

When Congress last renewed FISA 702 in 2018, it restricted warrantless FBI queries, albeit with four major exceptions for:

  • Queries conducted in whole or in part for foreign intelligence purposes.
  • Queries conducted for national security crimes (including an undefined catch-all of crimes that “relate to national security”).
  • Queries that occur prior to the existence of a predicated criminal investigation (most notably meaning there are no limits on queries conducted as part of assessments).
  • Queries that might mitigate “a threat to life or serious bodily harm” (this includes no imminence requirement, meaning virtually all queries related to any serious violent crime or potentially fatal narcotics, such as fentanyl, could be looped into this exception).

The PIAB proposal would cut off the FBI’s ability to conduct warrantless U.S. person queries for the latter two categories but leave the first two in place. 

This is deeply problematic in principle—the Fourth Amendment doesn’t include a national security exemption for rummaging through Americans’ communications. It’s also problematic in practice, because it will not place safeguards on querying in the circumstances in which this power has been most often misused. Most of the publicly disclosed cases of misconduct in recent years involved U.S. person queries ostensibly conducted for precisely the foreign intelligence purposes that the PIAB says should be left unrestricted: Queries of a sitting U.S. representative, a sitting U.S. senator, a batch of 19,000 donors to a congressional campaign, and over 100 Black Lives Matter (BLM) protesters were all justified at the time on the basis of foreign intelligence. (The query of BLM protesters was initially justified for ostensible terrorism connections, with a foreign intelligence justification added later. But even if only the initial terrorism purpose were applied, this improper query would still have been permitted under the PIAB’s recommended rules as a national security-based query.) These queries were later deemed improper by the FISA court and through internal reviews and unlikely to return foreign intelligence information, but the absence of independent oversight provided the opportunity for abuse. So long as U.S. person queries lack judicial approval, that same opportunity will exist and likely be exploited in the future. 

The PIAB’s U.S. Person Query Examples

While in the past the government has provided virtually no evidence that a warrant rule for U.S. person queries would inhibit security needs, the PIAB report offers three new examples that it claims demonstrate how such a rule would have a disruptive impact. But these new examples either fail to illustrate the alleged disruption or appear too ambiguous to show operational harms.

Overall, the PIAB report inaccurately describes the rule that civil rights and civil liberties advocates have proposed. According to the report, if proposed reforms were in place, various U.S. person queries would be prohibited because “there would have been no probable cause that the user of the U.S. selector was a foreign power or agent of a foreign power.” This misrepresents the proposed rule in two key ways. First, a FISA Title I warrant (which requires probable cause that the target is a foreign power or an agent of a foreign power) is one means of satisfying the proposed rule for queries, but it is not the exclusive means of doing so. The government could also obtain a warrant pursuant to Title III of the Wiretap Act, which requires probable cause that the search (or, in this case, query) will return evidence of a specified crime. This is key because it would provide a means for querying selectors associated with U.S. entities like Colonial Pipeline that are not suspected of wrongdoing or being an agent of a foreign power but have been subject to a cyberattack (although, in such a scenario, consent could also be obtained from the victim).

Second, while the reform is commonly referred to in shorthand as a “warrant rule” for queries, overall it would require that queries for Americans’ communications or data be preceded by court approval, with the process replicating whatever is required for compelled production. Thus, while queries to access communications content generally would require a warrant, queries for communications metadata would only need to follow the requirements in law to acquire that form of data (such as the relevance standard for compelled production of communications records). This distinction is crucial, as the majority of the examples the PIAB cites appear to hinge on use of metadata, rather than content.

The first example the PIAB offers involves foreign state cyber actors attempting to hack U.S. network infrastructure, where the FBI was aware of a malicious hacking effort but unsure of what entities were being targeted. According to the report, the infrastructure targets were discovered via queries of 702 data because a “small number of them had a high volume of data communications with the foreign state cyber actor, indicating that they were potentially compromised” (emphasis added). The key indicator in this case was the existence of the communications traffic itself, not its content. As a result, queries of metadata would have been sufficient to identify the hackers’ targets. Such a query could be conducted pursuant to a grandfathered Patriot Act Section 215 authority (while expired, the law can still be used for investigations open at time of the sunset) or via a demand for compelled production of communications records pursuant to what is commonly referred to as a “D order” under the Stored Communications Act, which is used by law enforcement to compel metadata in a wide variety of criminal investigations. Under both authorities, the government merely needs to demonstrate that such records are relevant to an ongoing investigation, a low standard easily met in this scenario. 

The second example the PIAB provides deals with a situation in which a U.S. person was being targeted by foreign intelligence officers attempting to gain information related to weapons of mass destruction proliferation. Specifically, the report states that “[t]he queries returned results that confirmed contact [by the U.S. person] with officers from the threat country.” As in the previous example, a metadata query that would confirm such contact could be conducted by obtaining court approval (potentially via multiple legal authorities) by merely showing relevance to the investigation, a low standard easily met under the circumstances described. The report states that the FBI “subsequently determined that the U.S. person was unaware they were being targeted and obtained important intelligence on the threat country’s [objectives]” but does not state whether this subsequent information was the result of further queries of 702 information or, even if this were the case, evaluate whether it was reasonably feasible to obtain that same information via alternative means. With the information provided, there does not appear to be any clear indication that a court approval rule for U.S. person queries would have proved detrimental.

If in either of these cases communications content from queries did play some useful role, there still would have been available means for the government to obtain it. Once victims are identified—either via metadata or by other means—the FBI could obtain their consent to conduct a full content query. Alternatively, the FBI could obtain a warrant by demonstrating probable cause that such queries would return evidence of crimes, a standard that could be met even when the subject of a query’s role in an investigation (such as whether they are a victim, target, or collaborator) is unknown.

The final example cited by the PIAB concerns a former U.S. clearance holder who had been co-opted and was working with a Chinese intelligence officer. According to the report, “[b]ased on results of these U.S. person queries of Section 702 data, FBI identified a need to conduct an independent investigation of this U.S. person and obtained a warrant in order to do so.” Unfortunately, the limited details of this example leave more questions than answers. With reforms in place, the type of metadata queries described above could have been conducted to discover the existence of ongoing correspondence between the U.S. person in question and the Chinese intelligence officer, confirming the need for further investigation. Admittedly, such metadata would not itself reveal whether that U.S. person was a foreign asset or was in contact with the Chinese intelligence officer for other reasons. The report confirms that the FBI eventually obtained a warrant to focus surveillance on the U.S. person, but it is unclear what information supported a finding of probable cause for the warrant. Did the communications content found within those queries provide a smoking gun as to misconduct? If so, were those communications the only means of obtaining such information? Or was evidence obtained via independent investigative activities? If the latter occurred, then this case would serve as an example of the feasibility of employing and satisfying a court approval rule, rather than such a rule representing an impossibly difficult obstacle. The PIAB’s failure to provide this additional information casts doubt on the impact the proposed reforms would have on the scenario it described.

Reviewing and Limiting the Scope of FISA 702 Surveillance

While the PIAB recommendation on U.S. person queries is disappointing, the report does offer a promising path forward on another important issue: the scope of FISA 702 surveillance. Currently, FISA 702 can be used to monitor any non-U.S. person abroad, so long as they are targeted to obtain “foreign intelligence information.” But foreign intelligence information is defined so broadly that it permits surveillance of not only foreign agents and security threats but also average foreigners abroad who are completely disconnected from any nefarious activities. In addition to raising concerns regarding privacy and human rights, this makes it much more likely that Americans having innocuous conversations with innocent colleagues abroad will have their communications monitored. And the scale of FISA 702 surveillance has seriously harmed U.S. businesses, causing instability for U.S.-EU data flow arrangements as the Court of Justice of the European Union has repeatedly struck down data flow agreements due to lack of safeguards on U.S. surveillance.

The PIAB report makes two recommendations in this area. Most importantly, it calls for legislation codifying the October 2022 executive order on signals intelligence, which restricted FISA 702 surveillance (as well as surveillance conducted pursuant to Executive Order 12333) to a set of 12 specifically enumerated purposes, including understanding the capabilities, intentions, and activities of foreign governments, militaries, and organizations; protecting against terrorism; and protecting against proliferation of weapons of mass destruction. Codifying the signals intelligence executive order’s list of purposes—rather than continuing to employ the needlessly broad foreign intelligence parameters—would be a significant step forward, although certain language from this new list would need to be refined in order to work effectively as statutory text.

Additionally, the report calls for the government to publicly release its annual FISA 702 certifications—which specify the purposes for which FISA 702 targets are designated—to the maximum extent possible, a positive transparency measure. The Biden administration has already embraced this recommendation, last month releasing the surveillance purposes included in its annual certification for the first time since FISA 702 was enacted. 

The most recently released certifications authorize Section 702 surveillance for purposes of gathering information related to foreign governments and related entities, counterterrorism, and combating proliferation. All of these purposes are included in the purposes for which the signals intelligence executive order permits intelligence surveillance. As a result, codifying that executive order would accommodate operational needs for how FISA 702 functions, while also guarding against the risk of sweeping surveillance of innocent individuals that current law permits. Narrowing the purposes of FISA 702 surveillance in line with the PIAB recommendations would protect the privacy of innocent individuals in the United States and abroad alike, and promote stability of data flows for American companies, all without endangering security needs. This reform is a commonsense measure to include in any legislation reauthorizing FISA 702.

Conclusion

While the PIAB’s recommendations codifying the signals intelligence executive order and placing reasonable limits on the scope of FISA 702 surveillance offer some promise of compromise, its weak stance on U.S. person queries should be cause for concern as a resolution to the looming reauthorization is sought. Even as Congress seems to be moving toward consensus on the need for court approval for U.S. person queries of FISA 702 data, the administration’s reaction to the new report indicates it is stuck in place in opposition to this crucial reform. It seems unlikely that any FISA 702 reauthorization can pass without new safeguards that prevent a repeat of past abuse of U.S. person queries. Ultimately, the administration may have to choose between agreeing to court approval of U.S. person queries or having the law sunset.


Jake Laperruque is Deputy Director of the Security and Surveillance Project at the Center For Democracy & Technology (CDT). His work focuses on national security surveillance, facial recognition, location privacy, and other key issues at the intersection of new technologies with privacy, civil rights, and civil liberties. Prior to joining CDT, Jake worked as Senior Counsel at the Constitution Project at the Project On Government Oversight. He also previously served as a Program Fellow at the Open Technology Institute, and a Law Clerk on the Senate Subcommittee on Privacy, Technology, and the Law. Jake is a graduate of Harvard Law School and Washington University in St. Louis.
