As heated debate continues over possible changes to the Foreign Intelligence Surveillance Act (FISA), which is poised to expire later this month, we wanted to provide some perspective on a few practical issues. As former DOJ and FBI officials and current advisors to private companies, we are focused on a few things: ensuring the intelligence community can do its vital work, the protections afforded by intelligence operations to U.S. citizens and businesses in a dangerous world, the need to protect the Constitutional rights of Americans, and the need for predictability and clarity for companies that receive legal process under FISA. We have been involved in FISA-related legal and policy issues for years, whether in government reviewing and participating in work under FISA or, for example, filing the bipartisan amicus brief for former Attorneys General supporting the government in prior litigation over the constitutionality of 2008 amendments to FISA.
What is the debate?
There is a flurry of activity on the Hill as the December 31 deadline for renewing FISA Section 702 approaches. FISA Section 702 provides procedures under which the government may target non-U.S. persons located outside the U.S. without a warrant based on probable cause. Under these procedures, the government is authorized to direct an “electronic communication service provider” (ECSP) to provide the assistance necessary to accomplish the acquisition.[1] Congress is considering the specifics of several bills to make changes to Section 702 and will make judgments about what process is appropriate for the issuance of legal process and for whether the government will need to obtain a search warrant based on probable cause to query the data collected under FISA Section 702.
The 702 program has been controversial due in part to “compliance incidents” involving FBI queries of raw 702 information.[2] Privacy advocates contend that the querying of U.S. Person information that is incidentally obtained constitutes a “backdoor search” which should require a warrant based on probable cause.[3] In September, the Privacy and Civil Liberties Oversight Board (PCLOB) issued a report arguing that while the U.S. is safer with 702 in place than without, additional procedures and controls are needed to protect Americans’ privacy.
The government contends 702 enables the collection of uniquely valuable intelligence by targeting non-Americans overseas who are using U.S.-based communications services and that without 702, the U.S. Government would lose indispensable intelligence for our decision makers and warfighters as well as those of our allies. The government also says that the U.S. has no fallback authority that could come close to making up for this loss.[4]
Some proposals would impose dramatic limits on the ability of government to query data, which could limit the utility of information in the government’s possession to identify and stop terrorism, cyber or other attacks. Some of the debate seems to overlook important procedural protections that govern FISA queries, or they conflate the concern about prior instances of misuse of FISA to target U.S. persons with remedies that would impose additional restrictions on the downstream uses of data legitimately collected by proper FISA collection activities.
In terms of legislation, there have been four main contenders. Two competing House proposals would reform and extend 702 in dramatic ways. A few of the more prominent bills are also identified below.
House Judiciary Committee: HR 6570 Protect Liberty and End Warrantless Surveillance Act
This bill would renew FISA Section 702 authority for three years. This bill would impose substantial limits on the use of data collected on U.S. persons under Section 702 by adding a warrant requirement for information with a few narrow exceptions.
This bill would limit the immunity available to service providers when responding to emergency authorization requests but does not appear to strip providers of their immunity under Title 50 for good faith reliance on government process.
This bill also adds a new term, “intermediate service provider” to the Electronic Communications Privacy Act, which is defined to mean a provider that delivers, stores, or processes communications on behalf of an electronic communications or remote computing service provider.
House Intelligence Committee: HR 6611 FISA Reform and Reauthorization Act
This bill would renew Section 702 for eight years.
It would require a probable cause warrant only for “evidence of a crime” or criminal searches that are not related to foreign intelligence activity. It includes constraints on the FBI’s use of Section 702 data, requires adoption of minimum accountability standards and audits, and establishes transparency requirements.
Bicameral: HR 6262 and S 3234 Government Surveillance Reform Act
This bill would renew Section 702 authority for four years. It would require a probable cause warrant when querying data that includes information on U.S. persons.
NDAA Conference Report to HR 2670
The House Senate Conference Report that was agreed upon on December 7, 2023 included a clean FISA Section 702 extension through April 19, 2024.
What should U.S. businesses be watching?
Cyber and Counterintelligence Threats
A robust intelligence apparatus with effective tools is vital to protect U.S. businesses from disruptive attacks. Critical infrastructure is being targeted and FBI Director Wray just testified to Congress that he sees elevated threats against the U.S., describing “blinking lights everywhere I turn.”[5] Some argue that now is not the time to reduce our government’s visibility into threats. Sen. Warner, Chairman of the Senate Intelligence Committee, argued earlier this summer that “We desperately need to get 702 reauthorized.”[6] Similarly, PCLOB Commissioner Beth Williams noted, “Information derived from Section 702 has proven crucial in the government’s efforts to assist private U.S. industry and operators of critical infrastructure in identifying and responding to cyber threats and corporate industrial espionage, including theft of intellectual property.”[7]
Revised Definitions for Electronic Communications Services
One of the ongoing issues that is important for communications providers is the dispute over what or who can be considered a provider of electronic communication service. FISA Section 702 relies, in part, upon the Title 18 definition of “electronic communication service” as “any service which provides to users thereof the ability to send or receive wire or electronic communications.”[8] Courts have generally noted that “2510(15) describes network service providers and covers telephone companies, Internet or e-mail service providers and bulletin board services.”[9] Courts have also interpreted 2510(15) to include web hosting and social networking services as well as electronic messaging systems and police department paging systems.[10]
From what can be gleaned from declassified opinions of the Foreign Intelligence Surveillance Court (FISC), it appears the government sought a company’s assistance in the spring of 2022 but the company declined arguing that it was not an ECSP as defined by FISA and moved to set aside or modify the 702 Directive the Government had issued to it. Though a lot of information and reasoning was redacted from the publicly released opinion, the FISC determined that the company did not satisfy the definition of ECSP under FISA Section 702.[11]
When the government appealed the decision, the Foreign Intelligence Surveillance Court of Review (FISCR) affirmed the FISC’s decision and noted that 2510(15) was written in 1986 and premised on internet architecture now almost 40 years old.[12] The FISCR noted that any unintended gap in coverage revealed by its interpretation is open to reconsideration by branches of government whose competence and constitutional authority extend to statutory revision. The Hill seems to have accepted this invitation.
Responding to Legal Process Under FISA
Companies that receive legal process from the government, particularly those involving national security authorities such as FISA, need a few things:
- Predictable standards and process: First, companies will have to understand whether they operate covered services and are subject to the authorities in question. As noted above, uncertainty about the application of 702 to certain online services presents challenges for companies that may receive a directive. Second, in addition to clarity about whether they are subject to 702, companies may want to consider how they will receive process, what the expectations are for producing materials, including time frames, formats, and which government agencies they will be expected to deal with. Adding complexity can complicate the compliance challenges faced by the private sector.
- Protections that provide immunity from lawsuits when they respond to government process in good faith and in compliance with the law.[13] Similarly, while good faith reliance on government orders or a company’s “good faith determination” of the legality of the request are a defense under the Stored Communications Act, companies need that same certainty under FISA – particularly when certain facts and the law are not freely available because of classification issues. Proposals that would strip that immunity from the private sector or limit immunity in certain circumstances deserve extra scrutiny.
What’s Next?
There is a great deal of uncertainty right now on the Hill about the future of FISA. Both the House Judiciary and Intel bills advanced to the floor this week. Speaker Johnson may bring both the House Judiciary Committee and House Intelligence Committee bills to the floor under a special rule that provides members a fair opportunity to vote in favor of their preferred measure.[14]
The Intel Committee bill may have a better chance of advancing as it is seen as less disruptive than its counterpart in the Judiciary Committee. Many are concerned that the Judiciary bill goes too far to dismantle FISA 702 authority. Leaders Schumer and McConnell have both committed to negotiating a long-term bipartisan compromise can be passed early next year. It’s unclear whether NDAA will have enough votes to pass if a FISA 702 extension is included.
The government seems to be sensitive to the impact of removing or limiting liability protection provisions has on carriers and we expect the Executive branch will seek to keep liability protection and immunity provisions intact as much as possible. But the concern about the legislation expiring continues. DOJ says expiration would result in “a self-inflicted national security calamity.”[15]
For now, current 702 Directives issued before the end of the year would remain in effect, but Directives could not be renewed from January 2024 onwards unless or until Section 702 is reauthorized. It remains to be seen whether Congress and the Executive branch can find an appropriate compromise and ensure that our country is protected from the foreign threats FISA Section 702 was intended to help prevent.
[1] See 50 U.S.C. §1881a(i)(1)(A) defining an ECSP as: (A) a telecommunications carrier, as that term is defined in section 153 of title 47; (B) a provider of electronic communication service, as that term is defined in section 2510 of title 18; (C) a provider of a remote computing service, as that term is defined in section 2711 of title 18; (D) any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored; or (E) an officer, employee, or agent of an entity described in subparagraph (A), (B), (C), (D).
[2] FBI, “FBI Releases Results of OIA FISA Query Audit,” (May 11, 2023), https://www.fbi.gov/news/press-releases/fbi-releases-results-of-oia-fisa-query-audit.
[3] E.g., Brennan Center for Justice, “FISA Section 702 Backdoor Searches: Myths and Facts,” (Nov. 28, 2023) https://www.brennancenter.org/our-work/research-reports/fisa-section-702-backdoor-searches-myths-and-facts.
[4] DOJ, “Assistant Attorney General Matthew G. Olsen Delivers Remarks at Brookings Institution on Section 702,” Speech, (Feb. 28., 2023), https://www.justice.gov/opa/speech/assistant-attorney-general-matthew-g-olsen-delivers-remarks-brookings-institution-section.
[5] https://www.cnn.com/2023/12/05/politics/fbi-director-senate-hearing/index.html.
[6] https://www.defenseone.com/defense-systems/2023/07/intel-leaders-white-house-make-case-keep-digital-spy-powers/388545/.
[7] PCLOB Report at B-32 (Separate Statement of Board Members Beth A. Williams and Richard E. DiZinno).
[8] 18 U.S.C. § 2510(15).
[9] See In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 147 (3rd Cir. 2015) (internal citations omitted).
[10] See Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965, 980-82 (C.D. Cal. 2010); In re Application of the U.S. for an Order Pursuant to 18 U.S.C. § 2705(b), 289 F. Supp. 3d 201, 209 (D.D.C. 2018); Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 902 (9th Cir. 2008), rev’d in part on other grounds sub nom. City of Ontario v. Quon, 560 U.S. 746 (2010); Bohach v. City of Reno, 932 F. Supp. 1232, 1236 (D. Nev. 1996).
[11] In re Petition to Set Aside or Modify Directive Issued to _____, (FISA Ct. 2022), available at: https://www.intel.gov/assets/documents/702%20Documents/declassified/2022-FISC-ECSP-OPINION.pdf
[12] In re Petition to Set Aside or Modify Directive Issued to _____, (FISA Ct. Rev. 2023), available at: https://www.intel.gov/assets/documents/702%20Documents/declassified/2023_FISC-R_ECSP_Opinion.pdf
[13] See 18 U.S.C. § 2707(e)(1).
[14] Source: Olivia Beavers Twitter post 12/7/23, 12:45 pm. https://twitter.com/Olivia_Beavers/status/1732818568817856779
[15] DOJ, “The Hill Op-Ed: Reauthorizing Section 702 of the Foreign Intelligence Surveillance Act is a national security imperative,” Blog Post, (Aug. 16, 2023), https://www.justice.gov/opa/blog/hill-op-ed-reauthorizing-section-702-foreign-intelligence-surveillance-act-national.
[View source.]
