FISA Section 702 Reauthorization Debate Carries Transatlantic Implications
The second half of this year will be an important one for the U.S. Congress as it struggles to reauthorize key intelligence legislation.
The legislation in question is part of the Foreign Surveillance Intelligence Act (FISA), which was first introduced in 1978. FISA addressed the collection of foreign intelligence on domestic soil. Under this law, government agents had to get a warrant from the Foreign Intelligence Surveillance Court (FISC) before spying on U.S. people to find out about foreign entities.
In 2008, Congress introduced a new part of FISA called Title VII. Title VII originally expired in 2017, but Congress reauthorized it. Title VII is due to expire on December 31 this year unless lawmakers reauthorize it again.
The controversial part of Title VII has always been section 702, which addresses the collection of data on non-U.S. people located outside the U.S. It doesn’t require individual warrants to wiretap targets based on probable cause in the same way that FISA does. Instead, FISC can pre-approve swathes of queries. This represents a relaxation of FISA’s original requirements.
Section 702 allows the FBI and several intelligence agencies to ask telecommunications service providers about electronic conversations running over their networks. They can make those queries based on the message’s sender or recipient.
Queries are supposed to focus on conversations that could reveal valuable things about non-U.S. people that don’t reside in the U.S. However, there’s a risk of scooping up communications involving domestic U.S. residents in something we could colloquially call ‘drive-by querying’.
This is especially true for a third, more controversial query vector: ‘about’ identifiers. These come up in communications in which the target is not a sender or a recipient of a message but where they come up incidentally in the content of that message. So, if two people mentioned your name in an email that an intelligence community was reading, the agency could use that to run a query about your conversations with others.
Misuse of Section 702 Sparks Concern
A 2014 report found that the NSA collected too much information using this ‘about’ collection vector, scooping out tens of thousands of wholly domestic communications. Nevertheless, after assessing that report, the FISC continued to permit the practice.
In 2017 the NSA said it had stopped ‘about’ collection on the basis that ‘to’ and ‘from’ collections were more fruitful. When Congress reauthorized Title VII in 2018, it prohibited the resumption of ‘about’ collection unless the Attorney General and Department of National Intelligence notified Congress first.
Nevertheless, the ‘to’ and ‘from’ data collection requirements are powerful tools to be dangerous if misused. This year, the Office of the Director of National Intelligence (ODNI) released a declassified but heavily redacted FISC court report on 702 querying procedures, and it doesn’t look good.
The document revealed that FBI analysts had used 702 to research individuals suspected of involvement in the January 6 riots and others involved in protests during May and June 2020 that were likely a response to the police murder of George Floyd.
FISA found no reasonable expectation of foreign party involvement to justify these queries. Overall, an audit by the FBI found 278,000 non-compliant Section 702-based queries against raw FISA data by Bureau staff in a single year, at least one of which was a large batched query on tens of thousands of people at once.
These infractions have lawmakers on both sides of the Senate concerned. They have called for reform before reauthorizing section 702 in a congressional grilling of intelligence and law enforcement staff over querying practices in June.
Some reform appears to be in the works. Senator Ron Wyden (D-Ore), is said to be working on a surveillance reform bill that will address the issue. The FBI has also issued a new set of accountability guidelines to staff. Still, it remains to be seen whether that will placate a congressional working group currently addressing the reauthorization issue.
What Section 702 Means for Europe
Aside from the implications for U.S. citizens on domestic soil, section 702 has implications in Europe. In July, the European Commission approved the latest data privacy framework (DPF), which is the third attempt at an adequacy agreement between the E.U. and U.S. Max Schrems, the Austrian lawyer who successfully challenged the first two attempts, is unhappy about the current state of section 702. The core complaint is that the legislation doesn’t protect non-U.S. people, which precludes safe data privacy exchange with the U.S.
“The U.S. continues to insist that non-US persons do not have constitutional rights in the U.S., said noyb (‘none of your business’), the non-profit body that Schrems co-founded to enforce privacy through legal means. “Hence a violation of their right to privacy is not covered by the 4th Amendment.”
Noyb’s likely forthcoming challenge to the U.S-EU DPF won’t help privacy advocates in the post-Brexit U.K., who would need to challenge a planned data privacy adequacy agreement with the U.S. locally. As per the U.S.-EU DPF, both countries are using President Biden’s Executive Order 14086, passed in 2022, to help assuage concerns over U.S. intelligence collection of data on non-U.S. people.
Titled “Enhancing Safeguards for United States Signals Intelligence Activities”, EO 14086 restricts surveillance to a set of legitimate objectives, focusing on anti-espionage and terrorism and election integrity. It cannot be used to suppress dissent or privacy or target individuals based on factors such as race, gender identity, or region.
The E.O. also created the Data Protection Review Court (DPRC) via the Attorney General. This will hear complaints from affected parties submitted via the Civil Liberties Protection Officer at the Office of the Director of National Intelligence. However, noyb doesn’t think that the DPRC will be accountable enough.
While there is strong domestic pressure to reform Section 702 to protect U.S. residents, it seems unlikely that the U.S. Congress will pay as much attention to the rights of non-U.S. residents. That’s a worry for privacy advocates across the pond because in a connected global society, what happens – or doesn’t happen – in one region sends ripples around the globe.