January 09, 2023
The Foreign Intelligence Surveillance Act and Court
By: Emily Berman
For the Foreign Intelligence Surveillance Act (FISA) and the Foreign Intelligence Surveillance Court (FISA Court), the past decade has been eventful. A series of controversies—some newly minted and some carried over from the period immediately after 9/11—repeatedly thrust into the spotlight a legal regime that had enjoyed relative obscurity for its first several decades. This attention precipitated vigorous public debate, unprecedented public disclosures of information regarding FISA and the FISA Court, and multiple reform measures. The next 10 years also promise to be a consequential time for America’s foreign intelligence collection regime.
Background
FISA was enacted in 1978 to impose traditional separation-of-powers checks on what had been an exclusively executive-branch activity: surveillance of foreign powers and their agents inside the United States. Foreign Intelligence Surveillance Act of 1978, Pub. L. No. 95-511, 92 Stat. 1783 (codified as amended in scattered titles of U.S. Code). The statute aimed to balance the government’s intelligence collection needs against Americans’ individual rights by allowing the government to subject a target to surveillance only if it could first satisfy the FISA Court that it had probable cause to believe that the target was an agent of a foreign power. 50 U.S.C. § 1804(a)(3). For its first 20-odd years, the FISA regime was largely static, with only modest modifications. See, e.g., Intelligence Authorization Act for Fiscal Year 1995, Pub. L. No. 103-359, §§ 301-309, 108 Stat. 3423, 3443-53 (authorizing physical searches); USA Patriot Act of 2001, Pub. L. No. 107-56, §§ 206, 215, 218, 115 Stat. 272, 282, 287 291 (permitting roving wiretaps, expanding the business records provision, and requiring foreign intelligence to be a “significant” rather than the “primary” purpose of FISA surveillance); Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. No. 108-458, § 6001, 118 Stat. 3638, 3742 (amending definition of “agent of a foreign power” to include so-called “lone wolves”).
In December 2005, the New York Times reported that, immediately after 9/11, President George W. Bush’s administration began collecting Americans’ electronic communications without seeking the mandated FISA Court approval. James Risen & Eric Lichtblau, Bush Lets U.S. Spy on Callers Without Courts, N.Y. Times, Dec. 16, 2005. The Times report sparked a controversy that culminated in the passage of the FISA Amendments Act of 2008 (FAA). FISA Amendments Act of 2008, Pub. L. No. 110-261, 122 Stat. 2436. In Section 702 of the FAA, Congress authorized the government to seek foreign-intelligence information by collecting the electronic communications of non-U.S. persons located outside the United States. Notably, the provision allowed the executive branch to unilaterally make individual targeting decisions pursuant to procedures approved by the FISA Court but without judicial oversight of individual targeting decisions. By 2012, FISA’s electronic surveillance regime consisted of two starkly different programs: traditional FISA, in which the FISA Court approved government applications to target individuals suspected of acting as agents of a foreign power, and the programmatic surveillance authorized by Section 702 of the FAA.
The Snowden Leaks
In the summer of 2013, National Security Agency (NSA) contractor Edward Snowden leaked to members of the news media a slew of classified documents, numbering anywhere from 50,000 to 1.7 million. Chris Strohm & Del Quentin Wilber, “Pentagon Says Snowden Took Most U.S. Secrets Ever: Rogers, Bloomberg News, Jan. 10, 2014. The leaks revealed closely held U.S. government secrets about ongoing programs and created a firestorm of public debate over the lawfulness, efficacy, and civil liberties implications of U.S. surveillance activities.
In response to the Snowden leaks and subsequent Freedom of Information Act requests, the Office of the Director of National Intelligence declassified and released previously secret opinions of the FISA Court and related policies. The government posted this information on a newly launched website, IC on the Record, where it continues to post material relevant to America’s intelligence activities. The government’s efforts at increased transparency were not sufficient to narrow the trust deficit between the government and the American people. Policy changes were necessary, and the most important of these affected the two programs that bore the brunt of the post-Snowden criticism: the Section 215 bulk telephone metadata collection program and the Section 702 program.
The Section 215 Bulk Telephone Metadata Collection Program
The NSA collected telephone metadata—the date, time, and duration of calls as well as the participating telephone numbers—pursuant to Section 215 of the USA Patriot Act of 2001, also known as the FISA “business records” provision. The provision authorized the collection of “any tangible thing” for which the government demonstrated “reasonable grounds to believe that [it was] relevant” to an international terrorism or espionage investigation. Pub. L. No. 107-56, § 215, 115 Stat. 222 (2001), as amended by Pub. L. No. 109-177, § 106(b), 120 Stat. 192 (2006). Until 2013, one might have assumed that Section 215 operated like the rest of the traditional FISA regime: targeting collection based on individualized showings to the FISA Court. But the Snowden leaks revealed that the FISA Court interpreted Section 215 to allow the NSA to collect in bulk nearly all call detail records generated by telephone companies in the United States on an ongoing basis, irrespective of any demonstrated ties to terrorist or espionage activity. Privacy & Civil Liberties Oversight Board, Report on the Telephone Records Program Conducted under Section 215 of the USA PATRIOT Act and on the Operations of the Foreign Intelligence Surveillance Court 8 (2014) [hereinafter PCLOB Section 215 Report]. Government officials could use the database containing this bulk telephone metadata to map Americans’ communications networks in an effort to identify individuals inside the United States who might have ties to suspected terrorists abroad, even though the vast majority of this data related to purely domestic calls among non-targeted Americans. ACLU v. Clapper, 785 F.3d 787, 815 (2d Cir. 2015).
The legal underpinnings of the Section 215 program unraveled under public scrutiny. While the FISA Court and the government continued to defend the program as lawful, theirs was the minority position. See In re Application of the Federal Bureau of Investigation for an Order Requiring the Production of Tangible Things From [Redacted], BR 13-109 (FISA Ct. Aug. 29, 2013). The Privacy and Civil Liberties Oversight Board, the independent agency tasked with assessing the civil liberties implications of U.S. counterterrorism policy, determined that the program was inconsistent with the statutory language of Section 215 as well as the U.S. Constitution. PCLOB Section 215 Report, supra. Multiple federal judges not on the FISA Court, legislators, and legal experts agreed. See, e.g., Klayman v. Obama, 957 F. Supp. 2d 1 (D.D.C. 2013); ACLU v. Clapper, supra, at 815; Brett Max Kauffman, Senators Say Bulk Collection Unnecessary to Fight Terrorism, ACLU Blog, Nov. 19, 2013.
The Section 702 Program
The other lightning rod for criticism was the programmatic surveillance authorized by Section 702 of the FAA, under which the government collected from communications providers, such as Google, Facebook, and Skype, the content of electronic communications of non-U.S. persons reasonably believed to be located outside the United States. FISA Amendments Act of 2008, Pub. L. No. 110-261, 122 Stat. 2436. See NSA Prism Program Slides, Guardian, Nov. 1, 2013; 50 U.S.C. § 1801(i), 50 U.S.C. § 1881a (defining U.S. persons). While the FISA Court had to approve the procedures through which targets were selected, the actual targeting decisions were made by executive branch officials and not approved by the FISA Court. FAA, Section 702(d). Section 702 does not permit targeting of U.S. persons or anyone inside the United States, but the individuals with whom targets communicate are often, if not usually, U.S. persons inside the United States. Privacy & and Civil Liberties Oversight Bd., Report on the Surveillance Program Operated Pursuant to Section 702 of the FISA 6 (2014) (“[C]ommunications of or concerning U.S. persons may be acquired … when a U.S. person communicates with a non-U.S. person who has been targeted.”). This “incidental” collection, as the government terms it, sweeps up a vast number of communications to or from Americans who are located in the United States and whose communications have no known foreign intelligence value. Id. at 87 (noting that U.S. persons’ communications are collected “potentially in large numbers”).
Civil liberties advocates were already concerned by Section 702’s expansive scope of collection under limited FISA Court oversight. The Snowden leaks and related FISA Court opinions generated two additional concerns. The first stemmed from the revelation that the NSA had repeatedly exceeded both statutory and policy limits on data collection and retention, including the unauthorized collection and retention of hundreds of thousands of Americans’ purely domestic communications. See Memorandum Opinion and Order, [REDACTED], No. [REDACTED], 2011 WL 10945618, at *5–6 (FISC Oct. 3, 2011) (Bates, J.). For a comprehensive account of Section 702 violations, see Robyn Greene, A History of FISA Section 702 Compliance Violations, New America Blog, Nov. 18, 2017.
The second concern arose out of the uses of data permitted by Section 702. As with Section 215 targeting decisions, decisions about when and how to query the database containing communications collected under Section 702 are made by executive branch officials pursuant to FISA Court-approved procedures, but not with Court approval specific to each query. Under those Court-approved procedures, government officials may perform “U.S.-person queries,” or database searches using Americans’ phone numbers or email addresses. Thus, the government may review Americans’ electronic communications “incidentally” collected under Section 702 despite being barred from targeting those same Americans directly. U.S.-person queries by the Federal Bureau of Investigation (FBI) have proved particularly controversial. While intelligence community agencies may query the database for foreign intelligence purposes, the FBI may also access the data in routine criminal investigations. See Querying Procedures Used by the Federal Bureau of Investigation in Connection with Acquisitions of Foreign Intelligence Information Pursuant to Section 702 of the Foreign Intelligence Surveillance Act of 1978, as amended. This “back door searching” allows the FBI to query the Section 702 database for U.S.-person communications without probable cause and a warrant, thus sidestepping Fourth Amendment protections. See Elizabeth Goitein, The NSAs Backdoor Search Loophole, Boston Rev., Nov. 14, 2013; Julian Sanchez, Reforming Surveillance Authorities, in Cato Handbook for Policymakers (8th ed. 2017); Laura Donohue, The Case for Reforming Section 702 of U.S. Foreign Intelligence Surveillance Law, Council on Foreign Relations, June 26, 2017.
Post-Snowden Reforms
After the Snowden leaks, public and congressional debate over the Section 215 and Section 702 programs led to the USA Freedom Act of 2015, Pub. L. No. 114-23, 129 Stat. 268, and Presidential Policy Directive-28 (PPD-28), Presidential Policy Directive 28, Signals Intelligence Activities § 4 (Jan. 17, 2014).
The USA Freedom Act included two primary reforms. First, it ended bulk telephone metadata collection under Section 215, thereby requiring the government to identify a specific selection term (SST), “a term that specifically identifies a person, account, address, or personal device, or any other specific identifier,” as the basis for the production of a tangible thing. Pub. L. No. 114-23, § 101, 129 Stat. 268, 269. If the tangible thing sought is call detail records, the bar is higher and “a reasonable, articulable suspicion” that an SST is associated with a foreign power engaged in international terrorism is required. Id.
Second, the USA Freedom Act directed the FISA Court to assign an expert to serve as amicus curiae in any matter that “presents a novel or significant interpretation of the law.” Id. § 401, 129 Stat. 279. This provision was meant to ensure that the government would no longer be the only party to proceedings when the FISA Court faced difficult or novel legal questions, but language allowing the FISA Court to proceed without amici if “the court issues a finding that such appointment is not appropriate” undermines this goal. Id. Nevertheless, the FISA Court has employed amici in a handful of cases and, at times, adopted their recommendations. See, e.g., Memorandum Opinion & Order Regarding the 2018 FISA Section 702 Certifications [REDACTED], at 92 (FISA Ct. Oct. 18, 2018).
Section 702-specific reforms have been more modest. The FISA Amendments Reauthorization Act of 2017 reauthorized the program. Pub. L. No. 115-118, 132 Stat. 3. It requires that the government keep records of U.S.-person queries for oversight and auditing purposes. Id. § 101, 132 Stat. 4 (adding new 50 U.S.C. § 1881a(f)(1)). In addition, the FBI must obtain FISA Court approval for any query performed in connection with an FBI investigation that is neither related to national security nor designed to find foreign intelligence information. Id. § 101, 132 Stat. 4-5 (adding new 50 U.S.C. § 1881a(f)(2)).
PPD-28 changed the government’s position with its statement of principle that “all persons should be treated with dignity and respect, regardless of their nationality or wherever they might reside, and all persons have legitimate privacy interests in the handling of their personal information.” It instructs the intelligence community to apply that principle “equally to the personal information of all persons, regardless of nationality to the maximum extent feasible consistent with the national security.” PPD-28, supra. While the impact of PPD-28 is difficult to assess, as a statement of principle it broke new ground.
The Carter Page Surveillance and Its Aftermath
Traditional FISA surveillance collecting the electronic communications of foreign powers and their agents also came under scrutiny. It was spotlighted in the investigation of Russian interference in the 2016 Presidential election when the Department of Justice (DOJ) targeted the electronic communications of then-candidate Donald Trump’s campaign advisor, Carter Page. Page’s communications were collected pursuant to a lawful order issued by the FISA Court, which found probable cause to believe that Page was acting as a Russian agent. Office of the Inspector Gen., U.S. Dep’t of Justice, Review of Four FISA Applications and Other Aspects of the FBI’s Crossfire Hurricane Investigation i (2019) [hereinafter DOJ IG Report]. A subsequent investigation by the DOJ Inspector General (IG) revealed that the information the government provided to the FISA Court in its Page application was incomplete, inaccurate, and misleading. Opinion and Order at 1, In re Accuracy Concerns Regarding FBI Matters Submitted to the FISC, No. Misc. 19-02 (FISC Mar. 4, 2020) (Boasberg, J.) [hereinafter Boasberg Mar. 4, 2020 opinion]. Three applications to renew the Page order included further misstatements and errors and omitted facts. DOJ IG Report, supra note 36, at 5.
A DOJ IG review of an additional 29 FISA applications from the FBI found that the Page application was not an anomaly. Of the 29 applications reviewed, 25 suffered from discrepancies and errors and four lacked evidence that internal procedures to ensure the applications’ accuracy were followed. OIG, Management Advisory Memorandum for the Director of the FBI Regarding the Execution of Woods Procedures for Applications Filed with the FISC Relating to U.S. Persons 7-8 (March 2020). The DOJ IG’s findings prompted the FBI to implement new standards and procedures to “enhance accuracy and completeness” of FISA applications, more supervision and training, a special questionnaire about any use of informants, and a requirement that FBI personnel disclose “all information that might reasonably call into question the accuracy of the information in the application or otherwise raise doubts about” the validity of the surveillance. Id.
Questioning whether these reforms were sufficient, the FISA Court appointed as amicus former DOJ National Security Division Chief, David Kris. Kris found the FBI’s measures necessary but not sufficient and emphasized the need for cultural change. Letter Brief of Amicus Curiae David Kris at 5, Boasberg Mar. 4, 2020 opinion, supra note 37. “Standards and procedures, checklists and questionnaires, automated workflows, training modules, and after-the-fact audits are all important,” Kris wrote, “[b]ut they cannot be allowed to substitute for a strong FBI culture of individual ownership and responsibility for the accuracy and completeness of FISA applications.” Id. at 12. Whether and how the FBI pursues cultural reform remains to be seen.
Business Records, Roving Wiretaps, and the Lone Wolf Provision Sunset
The anti-surveillance political climate that emerged after the Carter Page surveillance controversy also impacted other provisions of FISA. After short-term renewals in November and December of 2019, three post-9/11 amendments to FISA were scheduled to sunset on March 15, 2020: 1) Section 215’s expansion of the scope of the business records provision; 2) the roving wiretap provision, which allowed the government to target an individual, rather than merely a particular phone or device, see USA Patriot Act of 2001, Pub. L. No. 107-56, § 206, 115 Stat. 272, 282; and 3) the so-called “lone wolf” provision, which permitted FISA surveillance of individuals engaged in international terrorism, even if they had no known affiliation with any foreign power. See Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. No. 108-458, § 6001, 118 Stat. 3638, 3742 (amending FISA’s definition of “agent of a foreign power” to include individuals who “engag[e] in international terrorism or activities in preparation therefore”). With the exception of the USA Freedom Act’s bar on bulk collection under the business records provision, previous renewals of these provisions contained minimal or no modifications. Edward C. Liu, Origins and Impact of the FISA Provisions That Expired on March 15, 2020 (Cong. Res. Serv. R40138) (Mar. 31, 2021), at 2 n.11 (listing public laws reauthorizing provisions from 2005 to 2015).
Another renewal seemed inevitable when, just before the March 15, 2020 sunset date, Congress agreed on a bipartisan bill that included both extensions of the expiring provisions and enhanced procedural protections addressing concerns raised by the Carter Page surveillance. But the deal fell apart when then-President Trump announced that he did not support the legislation. See Ellen Nakashima & Mike DeBonis, House Effort to Pass Surveillance Overhaul Collapses After Trump Tweets and Pushback from DOJ, Wash. Post, May 28, 2020. Thus, the business records provision reverted to its pre-9/11 form, which limits collection to records held by common carriers, public accommodation facilities, physical storage facilities, or vehicle rental facilities. 50 U.S.C. § 1862. The roving wiretap and lone wolf authorities lapsed entirely.
The Next 10 Years
Section 702 is scheduled to sunset in 2023, and efforts to renew it are already underway. Any discussion of Section 702 reauthorization will certainly involve efforts to revive the lapsed FISA provisions and possibly include attempts to add some of the reforms contained in the failed House and Senate bills from March 2020.
Additional issues likely to arise in the next decade include the role of location in the FISA regime. The locations of both the target and the collection determine whether FISA applies at all and, if so, which FISA authorities are available. But it is not always possible to pinpoint a target’s location, and the ease of global travel renders temporary any determination of a country-specific location. Indeed, the government has already encountered difficulty administering the Section 702 requirement that targets be located outside the United States. See, e.g., Memorandum Opinion and Order at 70-75, [REDACTED], No. [REDACTED] (FISC Apr. 26, 2017) (Collyer, J.). Whether location remains a viable foundation on which to build surveillance rules and what might replace it are questions that will need answers.
Other pressing questions involve data aggregation and use. The rules governing surveillance focus on the government’s act of collecting discrete pieces of information. They often overlook the implications of the volume of collected data and the sophistication of analytical tools, both of which have massively increased in recent years while the cost of data storage has become negligible. The Supreme Court has recognized that these accelerating trends raise new concerns of privacy and civil liberties when it comes to mining collected data. See, e.g., Carpenter v. United States, 585 U.S. __ (2018). Addressing these concerns should not be left to the courts alone. Crafting policies regarding whether and how the government retains, aggregates, and analyzes Americans’ data requires balancing multiple, sometimes competing, interests. These are decisions that demand public debate now and political action soon, with the understanding that the salience of foreign intelligence surveillance, FISA, and the FISA Court are guaranteed for years to come.
The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.
The views expressed herein represent the opinions of the authors. They have not been approved by the House of Delegates or the Board of Governors of the American Bar Association and, accordingly, should not be construed as representing the position of the Association or any of its entities. Nothing contained in this publication is to be considered as the rendering of legal advice for specific cases, and readers are responsible for obtaining such advice from their own legal counsel. This publication is intended for educational and informational purposes only.