The Future of U.S. Foreign Intelligence Surveillance
Nov. 11, 2020
by Ashley Gorski, Patrick C. Toomey and Kate Ruane
Over the last two decades, in the name of national security, the U.S. government has engaged in mass surveillance of private communications and data on an unimaginable scale. Although the government conducts this surveillance for “foreign intelligence” purposes, the term is so broadly defined that it gives the government wide latitude to collect international communications – and, in the process, to sweep up the communications of countless people with no nexus to actual foreign intelligence. This surveillance poses grave threats to our constitutional rights to privacy, freedom of expression, and freedom of association. It also disproportionately impacts communities of color, especially Black, Brown, Muslim, and Chinese American communities, who are more likely to be subject to scrutiny by U.S. intelligence agencies.
Not only does U.S. foreign intelligence surveillance raise a host of constitutional problems, but it is increasingly a financial liability for U.S. companies attempting to compete in a global marketplace. The European Union’s (E.U.) highest court recently invalidated an E.U.–U.S. data transfer agreement, known as Privacy Shield, on the grounds that U.S. surveillance is too sweeping, and that the remedies for unlawful surveillance are inadequate. The court’s decision has enormous implications for the 5,300 U.S. companies that relied on Privacy Shield, and for countless more that rely on other instruments for E.U.–U.S. data transfers.
There’s only one solution to these sets of problems: comprehensive surveillance reform.
In the spirit of Just Security’s recent series on new approaches to national and human security, we outline below several necessary reforms to the U.S. foreign intelligence surveillance regime. Ideally, Congress would enact these reforms through comprehensive legislation that limits the government’s ability to spy on individuals with impunity, strengthens independent oversight, and provides meaningful due process and accountability to people subject to unlawful surveillance. The executive branch has an important role to play as well. The next administration should offer its full support for these legislative reforms, and if Congress fails to act quickly, the president can and should implement the majority of these proposals, which can legally be achieved through executive action.
Reforming Section 702 and Executive Order 12333
Americans’ communications and data are vulnerable to mass surveillance under at least two broad surveillance authorities: Section 702 of the Foreign Intelligence Surveillance Act (FISA), and Executive Order (EO) 12333. (Our concerns are not limited to the surveillance of American citizens, and in this post, “Americans” also refers to non-citizens inside the United States.)
Section 702 allows the government to monitor Americans’ international emails, web-browsing, and phone calls without a warrant, relying on the compelled assistance of companies like Facebook, Google, AT&T, and Verizon. Under the law, the government can “target” the communications of any non-U.S. person abroad to collect “foreign intelligence information” – even if an American is on the other end of the line. Although the government cannot directly target Americans, this surveillance predictably captures substantial quantities of Americans’ communications. That is in part because the targeting rules are so broad: the government’s targets need not have any connection to terrorism investigations or criminal activity, and can include academics, journalists, and human rights workers. Last year, the United States targeted more than 200,000 individuals and groups under the law, resulting in the mass collection of hundreds of millions of communications (if not more). The government obtains these communications without warrants, but nevertheless uses them in ordinary criminal investigations of Americans.
EO 12333 is the primary authority under which the government conducts foreign intelligence surveillance, and it encompasses a wide array of warrantless surveillance programs. Unlike Section 702 surveillance, most EO 12333 surveillance occurs outside the United States. Although this surveillance is directed at foreigners, Americans’ communications are routinely sent, routed, or stored abroad, where they may be caught up in the EO 12333 dragnet. Under EO 12333, the United States also contends that it can search through and collect communications in bulk – without any target whatsoever – to obtain foreign intelligence. According to news reports, the National Security Agency (NSA) has relied on EO 12333 to collect nearly 5 billion records per day on the locations of cell phones; amass hundreds of millions of contact lists and address books from personal email and messaging accounts; and record every cell phone call to, from, and within at least two countries.
Mass surveillance under Section 702 and EO 12333 violates Americans’ constitutional rights, and it led directly to the E.U. Court of Justice’s invalidation of Privacy Shield. To begin to address these issues, and to ensure that E.U.–U.S. data transfers are on a sound legal footing, the next administration should work to enact significant reforms to both authorities. Although the changes below would not resolve all of our constitutional concerns about this surveillance, they are a critical first step.
Narrow Collection Under Section 702 and EO 12333
Before the enactment of the Protect America Act in 2007, when U.S. agencies sought to conduct foreign intelligence surveillance on U.S. soil, they had to make a showing to the Foreign Intelligence Surveillance Court (FISC) that there was probable cause to believe that the target of surveillance was a “foreign power” or an “agent of a foreign power.” Today, in contrast, under Section 702, agencies operating on U.S. soil can target any non-U.S. person abroad to collect foreign intelligence, without making any showing to the FISC about that person’s location or activities.
The next administration should support legislation to rein in Section 702 surveillance. Congress can begin by requiring, at a minimum, an executive branch determination that surveillance targets are “foreign powers” or “agents of a foreign power” outside of the United States. And if Congress fails to act, the executive branch should implement this reform on its own.
Likewise, the next administration should support legislation narrowing surveillance under EO 12333. Congress should curtail bulk collection under EO 12333, and instead require that surveillance be directed at specified targets. Separately, Congress should narrow EO 12333’s definition of “foreign intelligence,” which currently allows the government to conduct surveillance to obtain any “information relating to the capabilities, intentions, or activities of . . . foreign persons.” As with other reforms, the next administration should take executive action to narrow EO 12333 if Congress is unable or unwilling to enact legislative limits.
Expand the Role of the Foreign Intelligence Surveillance Court in Supervising Section 702 and EO 12333 Surveillance
In invalidating Privacy Shield, the E.U. Court of Justice focused largely on the lack of independent approval of surveillance targets under Section 702 and EO 12333. Under Section 702, the role of the FISC consists mainly of an annual review of general targeting and minimization procedures; the FISC does not evaluate whether there is sufficient justification to conduct surveillance on specific targets. Under EO 12333, the FISC has no role at all. EO 12333 programs, procedures, and targets are determined solely by the executive branch, and can be changed by the president at any time.
To address these concerns, and to ensure greater protection for Americans whose communications and data are swept up in this surveillance, the next administration should endorse significant changes to the FISC’s role in supervising Section 702 and EO 12333 surveillance. The FISC or other independent entity should approve intelligence agencies’ individual targeting decisions based on narrowed, objective criteria (like those discussed above). At a minimum, the FISC should review targeting decisions on an individual ex post basis. Although this reform would likely require Congress to expand the number of FISC judges, it is essential to satisfying the concerns of the E.U. Court of Justice – and thus essential to ensuring the free flow of data between Europe and the United States.
End Warrantless “Backdoor Searches” of Americans’ Private Data
After relying on Section 702 and EO 12333 to collect Americans’ private communications in enormous quantities – without a warrant – the government stores those communications in databases for long-term use. Government agents then routinely search through these databases using Americans’ names, email addresses, and other identifiers, with no judicial authorization whatsoever. These warrantless searches, known as “backdoor searches,” are highly controversial, and for good reason: they are specifically designed to circumvent Americans’ bedrock Fourth Amendment protections. Indeed, the government conducts these warrantless searches even in domestic criminal investigations unrelated to foreign intelligence. (In 2018, Congress required the FBI to obtain FISC approval for an extremely narrow subset of its backdoor searches, but recent disclosures show that the FBI failed to comply with even this modest requirement).
The next administration should support legislation that puts an end to backdoor searches, and that requires the executive branch to obtain a warrant before searching for or using Americans’ communications collected under Section 702 or EO 12333.
Impose Additional Limitations on the Use and Retention of Information Under Section 702 and EO 12333
Under Section 702, the government has broad authority to retain and use the data it has collected. If communications are encrypted or contain “foreign intelligence” information, they can be retained indefinitely. Even for communications and data that do not fall into those categories, the default retention period is as long as five years. The retention limitations for communications and data collected under EO 12333 are similar.
The next administration should support legislation to impose additional legally enforceable restrictions on the use and retention of data collected under Section 702 and EO 12333. Specifically, where information about a U.S. person is obtained without a warrant under either authority, Congress should not permit the use of that information (or its fruits) against a U.S. person in a criminal, civil, or administrative proceeding. Congress should further require that where an agency seeks to retain data beyond the default retention period, the agency must establish that the data falls within a narrow subset of critical “foreign intelligence.” In addition, Congress should limit the Section 702 and EO 12333 default retention period to three years.
Reforming “Traditional” FISA
In addition to warrantless surveillance under Section 702 and EO 12333, the government continues to rely on what is known as “traditional” FISA when conducting certain foreign intelligence surveillance inside the United States, such as surveillance specifically intended to target U.S. persons. Under traditional FISA, the government must make an application to the FISC establishing (among other things) probable cause to believe that its target is a foreign power or agent of a foreign power.
In December 2019, the Department of Justice (DOJ) Inspector General’s report on the “Crossfire Hurricane” investigation revealed that the government’s applications to the FISC to surveil Trump campaign advisor Carter Page contained a series of significant omissions and errors, resulting in the unlawful surveillance of Page. DOJ subsequently acknowledged that two of its applications to surveil Page were “invalid.” If the government’s surveillance had not been so politically sensitive, there would have been no Inspector General report, and Page likely never would have uncovered these defects in the FISA applications – even if he had faced criminal prosecution. Indeed, the overwhelming majority of FISA applications – including those impacting communities of color – have not been subject to this degree of scrutiny.
Subsequent Inspector General reports have shown that the problems in the Page applications were not isolated errors. In an audit of 25 FISA surveillance applications, the Inspector General found that there were “apparent errors or inadequately supported facts” in every single case that it fully examined.
Require Amicus Participation in the FISC in Cases Involving Heightened Constitutional Concerns
The next administration should endorse legislation to require the appointment of an amicus to the FISC in cases involving heightened constitutional concerns, such as intrusions on political associations or religious activities, or risks of racial or ethnic bias; novel or significant legal or technological questions; and requests for reauthorization of programmatic surveillance. Under statutory law, the FISC has the discretion to appoint amici in novel and significant cases, and it possesses the inherent authority to appoint amici. Congress should mandate the participation of amici in a broader set of cases, and ensure that they have access to all relevant classified materials to assist the court’s review.
An amendment to Section 215 reauthorization legislation offered by Senators Mike Lee (R-UT) and Patrick Leahy (D-VT) earlier this year would accomplish many of these goals by expanding the role of the amicus, increasing their access to information and their power to raise issues with the FISC. It would also encourage their appointment in cases involving political or religious leaders and the domestic news media. The Lee/Leahy Amendment passed the Senate by an overwhelming vote of 77-19; however, it failed to become law when Congress failed to reach an agreement to reauthorize Section 215. The Lee/Leahy Amendment should be enacted at the earliest opportunity.
Provide Individuals with Access to FISA Materials Under Appropriate Security Precautions When FISA Surveillance is Challenged in Court Proceedings
Since the enactment of FISA in 1978, in every case in which defendants have challenged FISA surveillance and have sought access to the underlying FISA applications and orders, the government has successfully opposed disclosure. These defendants have had no opportunity to review the government’s applications for inaccuracies or material omissions, like those identified by the DOJ Inspector General’s review of the Carter Page applications. Not only does this secrecy violate defendants’ due process and Fourth Amendment rights, but it also thwarts adversarial litigation over novel forms of FISA surveillance. Congress should mandate disclosure of these materials to defendants and their security-cleared counsel pursuant to Section 3 of the Classified Information Procedures Act, which is designed to ensure that classified information is handled appropriately. In the absence of congressional action, the next administration should unilaterally implement these reforms to satisfy its constitutional obligations and ensure fairness for defendants.
Impose Strict Limitations on the Use of Information Obtained from FISA-Authorized Searches of Electronic Devices
The purpose of a FISA search is the acquisition of “foreign intelligence information,” but that term is both broad and elastic. And since 2001, FISA has required that the acquisition of foreign intelligence be merely a “significant purpose” of a search. Given these relaxed standards, FISA searches of electronic devices – which contain vast repositories of our private information – risk becoming general searches for evidence of criminal activity, in violation of the Fourth Amendment. The next administration should support legislation prohibiting the executive branch from using non-foreign intelligence information in criminal investigations and prosecutions when that information is obtained during a FISA-authorized search of an electronic device.
Reforming Section 215
Section 215 of FISA authorizes the collection of business records “relevant” to certain investigations. In 2013, Edward Snowden revealed that the government had been relying on Section 215 to secretly collect the call records of virtually every American. Between 2006 and 2015, the FISC had authorized this collection under an extraordinarily expansive interpretation of the statute. In 2015, the Second Circuit held that this interpretation was untenable, and that the government’s mass call-record program was unlawful. Shortly thereafter, Congress formally put an end to the program, though it authorized a modified version of call-records collection – which still resulted in the acquisition of hundreds of millions of call records each year. That modified program involved persistent compliance violations, including the substantial overcollection of records. It was also ineffective, and the NSA ultimately suspended the program in 2019.
This year, Congress was unable to reach agreement on reforming or reauthorizing Section 215, and it allowed the provision to expire (though a savings clause permits the executive branch to continue to rely on the statute for certain collection). Notably, the Trump administration sought to renew the statutory authority for the call-records program, notwithstanding its ineffectiveness.
Prohibit the Use of Section 215 for the Collection of Sensitive Information
In addition to ending the call-records program, if Section 215 is to be reauthorized, the next administration should endorse legislative reform of Section 215 and other FISA authorities that merely require the government to meet a “relevance” standard. The government should be expressly prohibited from using these authorities to collect sensitive information, including location information, internet search history, browsing history, medical records, or tax records. For these types of information, the government should instead meet a “probable cause” standard under Titles I or III of FISA.
Senators Ron Wyden (D-OR) and Steve Daines (R-MT) offered an amendment to the Section 215 reauthorization bill that the Senate passed earlier this year. The amendment would have eliminated the use of Section 215 for warrantless surveillance of the internet search and browsing history of people in the United States. This amendment is critical to protecting privacy online and must be included if Congress reconsiders authorizing Section 215 surveillance authorities.
Prevent Future Large-Scale Collection Under Section 215
Congress should also prevent large-scale surveillance under Section 215 by adopting standards and procedures that ensure any request is sufficiently narrow in scope.
For nearly everyone affected by the government’s foreign intelligence surveillance, there are enormous obstacles to challenging the legality of that surveillance in court. Over the last two decades, the executive branch has routinely sought (and courts have then largely granted) dismissals on the basis of the “standing” and “state secrets” doctrines. As a result, no civil lawsuit challenging the lawfulness of Section 702 or EO 12333 surveillance has resulted in a U.S. court opinion addressing the legality of that surveillance. Nor has any litigant obtained a remedy of any kind for Section 702 or EO 12333 surveillance.
Not only do these doctrines function as unjust obstacles to redress, but they are a serious problem for the future of transatlantic data transfers. In its decision invalidating Privacy Shield, the E.U. Court of Justice was clear that individuals must have access to judicial remedies to challenge the treatment of their data – remedies that they lack under the current legal framework in the United States.
Ensure that Individuals Affected by U.S. Surveillance Have Standing to Challenge Improper Surveillance in Court
As a general matter, individuals do not receive notice that their information has been collected for foreign intelligence purposes, even in cases where notice would not jeopardize an active investigation. The lack of notice makes it difficult – if not impossible – for people subjected to illegal surveillance to establish standing to challenge that surveillance in U.S. courts.
The next administration should provide its full support for a legislative “standing fix”: Congress can and should pass legislation to more clearly define what constitutes an “injury” in cases challenging government surveillance, as Senator Wyden and others proposed in a 2017 reform bill. While standing is a constitutional requirement, the Supreme Court has been clear that Congress has a role to play in defining what qualifies as an “injury” for the purposes of standing. Congress could, for example, explain that where a person takes objectively reasonable protective measures in response to a good-faith belief that she is subject to surveillance, those protective measures constitute an injury-in-fact.
Ensure that Individuals are Notified of U.S. Surveillance
Today, the only individuals notified of FISA surveillance are a handful of criminal defendants in cases where the government intends to use information “obtained or derived” from FISA. The next administration should endorse legislation requiring notice to any U.S. person targeted for FISA surveillance where it would not result in an imminent threat to life or safety, risk evidence- or witness-tampering, or seriously jeopardize an active investigation. Any decision not to provide notice should be reviewed every 180 days.
Modify FISA to Define “Derived,” to Ensure that the Government Fully Complies with its Statutory Notice Obligations
As mentioned above, the text of FISA requires the government to notify defendants where it seeks to use information “obtained or derived” from Section 702 in civil, administrative, or criminal proceedings. However, the government has a history of failing to comply with Section 702’s notice provision, and there are serious concerns that it continues to define “derived” narrowly to avoid providing notice of surveillance to defendants, thereby thwarting any potential challenge. Although the Ninth Circuit recently held that the Fourth Amendment requires the government to provide notice of its foreign intelligence surveillance in criminal cases where its evidence is obtained or derived from that surveillance, it remains to be seen how the court’s ruling will be implemented, given the government’s historically narrow definition of “derived.”
The next administration should support changes to FISA to (1) clearly define “derived,” to ensure that individuals receive notice where FISA surveillance contributed in any manner to the preceding investigation; and (2) extend the notification requirements to all forms of foreign intelligence surveillance, including collection under EO 12333 and Section 215.
Increasing transparency, accountability, and oversight
Finally, the next administration should endorse legislative reforms designed to increase transparency, accountability, and oversight. In particular:
Congress should require DOJ and the Office of the Director of National Intelligence (ODNI) to declassify and release internal guidance related to (1) how U.S. intelligence agencies are applying the Supreme Court’s Carpenter opinion – which held that the government must get a warrant before collecting sensitive cellphone location information – to foreign intelligence surveillance, and (2) how DOJ determines when information is “derived” from FISA, triggering notice obligations.
In addition, Congress should require DOJ and ODNI to publicly identify and conduct a declassification review of all FISC opinions addressing novel or significant issues of law issued between January 2001 and June 2015.
Congress should also require the NSA’s statistical transparency report to include:
Additional reporting about surveillance programs under EO 12333, including the amount of information collected, number of queries, types of records collected, and use of information for any civil, administrative, or criminal purposes.
Additional reporting about surveillance conducted under Section 215 and metadata-collection authorities, including the number and types of non-communications records collected.
Additional reporting about surveillance under Titles I and III of FISA, including the number of orders, number of uses in civil, administrative, or criminal proceedings, the demographic breakdown of the targets, and the number of applications that relate to sensitive investigative matters.
Despite President Trump’s many tweets about wiretapping, his administration failed to support meaningful reforms to traditional FISA, Section 702, and EO 12333. Meanwhile, the U.S. government’s foreign intelligence apparatus has continued to expand, violating Americans’ constitutional rights and threatening a $7.1 trillion transatlantic economic relationship. Given the stakes, the next President and Congress must prioritize surveillance reform in 2021.