December 20, 2017

FISA Section 702


KEY TAKEAWAYS

  • Overview: Section 702 of FISA authorizes a program of surveillance activities targeting non-U.S. persons reasonably believed to be located outside the United States for the purpose of acquiring foreign intelligence information. It expires at the end of this year.
  • Importance: The program has helped stop terrorist attacks inside the United States and remove senior ISIS leaders from the battlefield. Much of what we know about Russia’s intrusion into the 2016 presidential election comes from this program.
  • Oversight: The use of these authorities is subject to a comprehensive regime of extensive and substantial oversight by all three branches of government.
  • Operational effectiveness: The Constitution does not require a warrant to query information lawfully within the possession of the government by the use of 702. It is up to Congress, then, to decide whether to erect impediments to accessing that information, or to otherwise further hinder the government’s ability to connect the dots. The 9/11 Commission criticized the government’s failure to analyze information it already had.

Importance of Section 702

The importance of this program to the country’s national security cannot be overstated, according to our nation’s top intelligence officials. 

  • A 2013 statement on the National Security Agency website calls the program “the most significant tool” in the NSA arsenal for the detection and disruption of terrorist threats.

  • The NSA director has publicly said, “there is no alternative way” to replicate the collection under this program, and the information gained under it cannot be replaced “via other collection sources, via other legal means.”

  • At a hearing of the Senate Intelligence Committee on May 11, 2017, the NSA director bluntly said, “if we were to lose 702 authorities, we would be significantly degraded in our abilities to provide timely warning and insight as to what terrorist actors, nation-states, [and] criminal elements are doing that is of concern to our nation.”

  • As a specific example of the quality of information gained by the use of the authorities, he said at that hearing: “much of what was in the intelligence community’s assessment, for example, on the Russian efforts against the U.S. election process in 2016 was informed by the knowledge we gained through 702 authority.”

  • Information collected under this program was vital to locating ISIS second-in-command Haji Iman and to the raid removing him from the battlefield last year.

  • Najibullah Zazi is in prison for planning to attack the New York City subway system with explosives in 2009. He received explosives training in Pakistan from al Qaeda. The Privacy and Civil Liberties Oversight Board concluded in 2014: “without the initial tip-off about Zazi and his plans, which came about by monitoring an overseas foreigner under Section 702, the subway-bombing plot might have succeeded.”

FISA 702 OVERVIEW: TARGETING NON-U.S. PERSONS OUTSIDE U.S.

The FISA Amendments Act of 2008 updated the law to reflect the vast changes in communications technology that had taken place over the prior 30 years since the Foreign Intelligence Surveillance Act was first enacted. These updates were reauthorized at the end of 2012, and they expire at the end of this year.

One element of the update added a new section 702 to FISA. It authorizes the director of national intelligence and the attorney general to jointly approve:

  • a program of surveillance (such as emails or telephone calls),

  • directed at non-U.S. persons,

  • reasonably believed to be located outside the United States,

  • with the compelled assistance of electronic communications service providers,

  • for the purpose of acquiring foreign intelligence information.

These officials submit to the Foreign Intelligence Surveillance Court a certification specifying categories of foreign intelligence information the government can collect using the authorities of FISA section 702. Once approved by the court, the certification is good for one year, and individual court orders are not required for surveillance efforts fitting the statutory parameters of the program.

The statute further provides limitations on what may not be done under this program, namely that the government may not intentionally target:

  • a U.S. person reasonably believed to be located outside the United States;

  • any person known at the time of acquisition to be located inside the United States; or

  • a person reasonably believed to be located outside the United States if the purpose of the acquisition is to target a particular, known person reasonably believed to be in the United States (reverse targeting). 

The DNI and attorney general also submit for the court’s review the program’s targeting and minimization procedures. The targeting procedures are designed to ensure that these statutory limitations are carried out in practice, namely that only non-U.S. persons outside the United States believed to have foreign intelligence information are targeted for collection.

As for the minimization procedures, the DNI explained to Congress in June 2017 that they “restrict how the intelligence community treats any U.S. persons whose communications or information might be incidentally collected and regulate the handling of any nonpublic information concerning U.S. persons that is acquired.” An incidental collection is when the government targets a foreigner for surveillance and acquires information on a non-targeted U.S. person who may be communicating with that foreigner.

Part of this is how to handle the dissemination of intelligence reports that include references to a U.S. person. The practices differ by each intelligence agency, and they are not unique to section 702. The general standard, as articulated in the minimization procedures mandated by FISA, is that the identity of the U.S. person will be included by name in the report if the “person’s identity is necessary to understand foreign intelligence information or assess its importance,” or if it is evidence of a crime.

The privacy and civil liberties component of the Office of the Director of National Intelligence has explained that individual “agency policy and practice” can provide “additional protective measures” beyond this standard “to safeguard U.S. person information” in disseminations of intelligence reports.

Thus, if the statutory standard is not met, or to provide additional protection for policy reasons, the report would “mask the identity” of [that] individual,” referring to him as “U.S. person one,” for example, as NSA Director Mike Rogers explained at a hearing of the House Intelligence Committee on March 20 of this year. In cases where additional protections have been provided to U.S. persons for policy reasons, ODNI has explained there is a stringent process for responding to “customer initiated, post-publication ‘identity release’ requests.” Such requests can only be approved at NSA by designated, senior officials. Approvals are specific to that authorized recipient only. Finally, the standard remains that dissemination of the report with the U.S. person’s identity is “consistent with NSA’s minimization procedures,” namely that the identity is necessary to understand the intelligence information or its importance.

Rogers further said at the hearing that “reporting involving U.S. persons at all is an incredibly small subset in my experience of our total reporting.”

Several provisions of federal criminal law prohibit the unauthorized disclosure of classified information, including leaks of classified information pertaining to the investigation into Russia’s interference in our 2016 domestic electoral process. At the March 20 hearing, then-FBI Director Jim Comey testified that “an unauthorized disclosure of FISA is an extraordinarily unusual event.” He went on to clarify these particular matters in combination have “nothing to do with [FISA section] 702.” As Rogers summarized, “FISA collection on targets in the United States has nothing to do with 702.”

OVERSIGHT: NOT A SINGLE INTENTIONAL VIOLATION OF THE LAW

The use of these authorities is subject to a comprehensive regime of extensive and substantial oversight by all three branches of government:

  1. Judicial: The Foreign Intelligence Surveillance Court approves the certifications submitted by the attorney general and director of national intelligence. It also reviews the accompanying targeting and minimization procedures, providing further protections for U.S. persons by an independent and neutral third-party arbiter.

  2. Executive: The inspectors general of the Department of Justice and certain elements of the intelligence community review the implementation of section 702 and provide copies of their reviews to the attorney general, DNI, and congressional committees of jurisdiction.

  3. Legislative: Using the numerous reports it receives from the executive on this matter, and its own oversight investigations, the committees of jurisdiction conduct robust oversight of the use of these surveillance authorities.

The day-to-day implementation of the program is subject to rigorous oversight as well.

When an analyst nominates a “selector,” e.g., a phone number or email address, for surveillance, there are numerous steps to be completed before the communications of the selector are collected. First, there must be a selector itself, not a key word. Next, the analyst must demonstrate the selector is of a non-U.S. person reasonably believed to be located outside the United States. The analyst must further demonstrate the selector is reasonably expected to have foreign intelligence information, such as information about terrorism or cyberattacks.

At the NSA, the analyst’s nomination of a selector for surveillance is reviewed by two specially trained analysts. Only upon their concurrence can the communications of the nominated selector be collected. CIA and FBI personnel can also nominate selectors, with the agencies requiring multiple layers of review before nominating selectors to NSA for tasking to section 702.

All of this is audited in post-targeting checks by multiple entities responsible for oversight of the program. The Department of Justice reviews every single targeting determination.

The director of national intelligence testified in June that any incident of noncompliance with the statute or the procedures is reported to the court and to Congress, and “no review has identified a single intentional violation of the law.”

702 IS TARGETED, NOT MASS, SURVEILLANCE

Critics of the 702 program have asserted it engages in “mass” surveillance, but this concern is misplaced.

  • The world’s population is more than 7.5 billion people.

  • There are more than 3 billion internet users worldwide.

  • There were 106,469 targets authorized for collection under the 702 program in 2016. This is approximately .004 percent of the world’s internet users, and .001 percent of the global population.

The program is targeted by its very terms. It requires the use of a selector – not just key words – meaning targeting is individualized. And it is directed at non-U.S. persons, reasonably believed to be located outside the United States, who are believed to communicate information of foreign intelligence value.

The scope becomes even more narrow for agencies other than the NSA. The FBI director has said the bureau receives collection from “about 4.3 percent of the targets that are under NSA collection.” The CIA and NCTC similarly receive access to only part of the 702 collection. Information acquired under the 702 program, while large in volume and vital in quality, comes from a very specific set of parameters.

U.S. PERSON QUERIES – A POLICY CHOICE TO REBUILD THE WALL

Prior to the September 11 terrorist attacks, there developed a series of barriers to sharing information between intelligence and law enforcement that had come to be known as “the wall.” In a recent speech, the FBI director said: “the fact that we have not suffered another 9/11-scale attack is not just luck. ... It is a product of teamwork and information sharing and dot-connecting.” He lamented that certain proposed amendments to FISA section 702 are “eerily similar to essentially rebuilding walls like we had before 9/11.”

When the intelligence community collects communications via 702 authorities, the communications themselves are stored in databases, and information identifying a U.S. person has not yet been “minimized.” When an intelligence community element wants to query these databases using query terms associated with a U.S. person, this raises a not “trivial privacy question,” according to General Michael Hayden, former director of NSA and CIA.

The intelligence community has explained that a “query” in this instance “means to take a term, such as a name, phone number, or email address, and use it to isolate communications with that term from a larger pool of data that an agency has already lawfully collected.” It is an electronic search of data already within the possession of the government.

Each agency’s minimization procedures provide the defined circumstances in which that agency may use U.S. person identifier information to query the communications in the 702 databases. NSA and CIA can perform such an inquiry if there is a reasonable basis to expect it will return foreign intelligence information. The FBI standard is also similar, but it is also allowed to conduct such queries that are designed to find and extract evidence of a crime. This comes from FBI’s role as both a foreign intelligence and law enforcement agency.

   Requiring a warrant is not constitutionally compelled

The incidental collection of U.S. person communications in connection with the 702 program is not unconstitutional. As the FISA Court of Review – the FISA appellate court – observed, “incidental collections occurring as a result of constitutionally permissible acquisitions do not render those acquisitions unlawful.”

The constitutionality of FISA 702 is well-established. No one has questioned that the U.S. government has the right, if not the duty, to collect foreign intelligence information from foreigners located in foreign lands. The FISA court rigorously reviews the use of FISA section 702 to ensure this task is performed in a way that comports with the Constitution. Given that the use of FISA 702 results in “constitutionally permissible acquisitions,” incidental collection of U.S. person communications within that construct are not rendered unlawful.

Thus, with those U.S. person communications already lawfully within the ambit of the federal government, querying them without a warrant is not unlawful either. After all, as the intelligence community has explained, “queries do not result in additional collection of any information.” As a matter of law, multiple courts have found that such a query is not a separate Fourth Amendment event, and thus a warrant to perform a query is not required.

   Encumbering investigators with a warrant requirement

Since requiring a warrant for this investigative effort is not a constitutional requirement, Congress may set policy for access to the information. Should Congress erect impediments to accessing information lawfully within the possession of the government? Would doing so hinder the government’s ability to connect the dots of information already lawfully within its knowledge base? Re-creating old barriers would be at odds with the 9/11 Commission’s criticism of the government’s failure to analyze and synthesize data already within its ambit in national security investigations.

The FBI director has explained why requiring a warrant to search information already lawfully within the possession of the federal government is based upon a fundamental misunderstanding of national security investigatory practices. He gave an example: someone makes a purchase at a supply store of an odd accumulation of chemical products in substantial quantities. That person has not committed a crime. He said the FBI receives tips like this “by the thousands” and attempts “to figure out which ones are innocuous and which ones are the indication of something really serious.” It does so by searching its federated database of information. This database comprises more than 120 individual databases, including a FISA database, which would have information collected under FISA section 702. The director has explained that at these initial stages “section 702 is one of the most important tools that we have” in helping to “prioritize and work threats.” To secure a warrant from a magistrate generally requires a showing that there is probable cause to believe that the investigative task to be undertaken will yield the evidence or information sought. In many cases, that simply does not exist at the early stage when a database search would happen.

The FBI director has said the effect of requiring a warrant would be to “create a serious risk to the American people.” This is because it could “blind” the FBI to information already lawfully within its possession, or otherwise delay access to that information while the FBI performs other more privacy-intrusive investigatory tasks in an effort to establish the probable cause necessary to apply for a warrant.

   Protections for Americans at this stage

Some are also concerned the FBI might use FISA section 702 to prosecute crimes, such as bank robbery. This concern, too, is unfounded after looking closer at 702 collection and the protections that exist.

First, the Privacy and Civil Liberties Oversight Board in 2014 noted it would be “extremely unlikely” that an FBI agent conducting an investigation of a non-national security crime would get a responsive result from a section 702 query. And indeed, the FBI position was borne out as an empirical matter. FBI reported that in calendar year 2016, it received and reviewed 702-acquired information concerning a U.S. person in response to a query designed to return evidence of a crime unrelated to foreign intelligence exactly once. This makes sense, since section 702 is directed at non-U.S. persons reasonably believed to be outside the country for the purpose of collecting foreign intelligence.

Second, Justice Department policy requires that information about a U.S. person obtained using section 702 may only be used in a criminal proceeding with the approval of the attorney general. Even then, it may be used only in the most serious circumstances – namely “criminal proceedings related to national security” – or prosecutions of certain serious crimes, such as those involving death, substantial bodily harm, destruction of critical infrastructure, or human trafficking.

Finally, if a query of the federated database returns a hit of 702-acquired information, the search will alert to that fact, but only FBI personnel with specialized training are permitted to access the information.

The FISA court’s review of this entire landscape contributed to its conclusion that the use of U.S. person identifiers to query without a warrant information lawfully collected under the program is constitutional, consistent with the requirements of the Fourth Amendment.

The FBI director has summarized the case like this: “normally the idea of imposing more restrictions on our ability at the FBI to do our jobs would be based on some kind of constitutional challenge.” But requiring a warrant in this instance is “not based on a need to somehow make this statute constitutional.” In this respect, he concluded, “we owe it to the American people to use the full extent of our authorities that are consistent with the Fourth Amendment, and that we shouldn’t be creating gaps and limitations in those authorities simply for policy reasons.”

Congress can reauthorize this vital intelligence program in a way consistent with this guidance, namely not hindering its operational effectiveness. The information derived from FISA section 702 is important, and there is no other way to replicate its collection.

Issue Tag: National Security