FISA Reauthorization Still Pending

Big Data, Broadband, Cybersecurity, Data Flows, DOD, DOJ, FBI, FISA, Fourth Amendment, NDAA, NSA, Privacy Shield, Technology, Telecommunications, United States 16 Minutes

First, subscribe to my newsletter, The Wavelength, if you want all the content on my blog delivered to your inbox four times a week.

More than a year after Foreign Intelligence Surveillance Act (FISA) authorities expired, there are no clear plans for Congress to reauthorize these provisions

Twitter

The received wisdom in Washington was a Biden Administration would bring a FISA reauthorization. Not yet, at least.

Cocktail Party

Last year, Congress and the Trump Administration let three FISA provisions expire when agreement could not be reached on language to reform the statute. The three provisions are the so-called Section 215 business record language, the roving wiretap language, and the “lone wolf” language added to FISA in 2004. Many Republicans and Democrats exhibited a desire to rewrite these FISA provisions to end abuses detailed in court opinions and investigations of how FISA was used to surveil some 2016 Trump campaign advisors. However, the exact changes were much in dispute, and when stakeholders in Congress finally agreed, the Trump Administration started opposing these efforts, leading to a lapse in these authorities.

Meeting

There is no public manifestation of will to reenact the lapsed provisions for a few different reasons. First, Congress and the White House have been busy with other more pressing matters. Second, the Intelligence Community and agencies like the Federal Bureau of Investigation (FBI) are not pushing for a reauthorization, for they apparently would rather live with the more cumbersome FISA procedures in place before the three provisions were enacted than live with the reforms Congress was considering. Third, FISA allows for the use of these lapsed authorities in cases where the conduct predates the expiration or were ongoing on the date of expiration. Therefore, U.S. agencies are still using the lapsed authorities, and it may late come to light that they read FISA expansively to keep using these powers in attenuated circumstances.

However, if Congress acts, there may be a few approaching decision points.

Geek Out

Three key provisions in FISA expired over a year ago, and Congress and the White House have done nothing public to reauthorize these programs. The catch, of course, is the language in FISA that allows the continued use of these powers for investigations or incidents that predate the expiration. Undoubtedly, U.S. intelligence and law enforcement agencies have utilized and are continuing to utilize this authority, and given the record of U.S. agencies in meeting the requirements of both FISA and the FISA court, it would not be out of the ordinary if these agencies have distorted this authority in ways neither Congress nor the FISA court would approve of.

Moreover, the lapses of two of the authorities (i.e., the roving wiretap order and the expanded business records provisions) merely mean U.S. agencies have to use FISA as it existed on 25 October, 2001, the point at which the now lapsed provisions were first enacted, unless, as mentioned earlier, it is for ongoing investigations or conduct that predates the expiration of these two provisions. Now, U.S. agencies can no longer ask for and receive one FISA order to track a person across devices and must seek different orders for each device unless these agencies are utilizing a different method. Likewise, the pre-PATROT Act business record provision is narrower and requires a greater showing; however, this process may be tolerable to U.S. agencies, or they may be utilizing a different means to seek and obtain business records.

The next action point on FISA reauthorization may be in 2023 when Title VII of FISA expires. However, there may be another, sooner impetus for action. The U.S. and the European Union are in ongoing talks to fashion a third agreement that would allow for the transfer of personal data of EU residents for processing in the U.S.  The easiest path under the General Data Protection Regulation (GDPR) for data controllers and processors is via an adequacy decision that finds the other nation’s laws are essentially equivalent to the EU’s and EU citizens will not have these rights impinged. And yet, last year, the Court of Justice for the European Union (CJEU) struck down the European Commission’s adequacy decision regarding the U.S. in large part because of FISA and other U.S. foreign surveillance. There may be an opening for FISA revisions to address some of the CJEU’s decision along with executive branch action and commitments. If Title VII of FISA is on the legislative menu in Congress, the lapsed provisions may be as well.

Another route FISA reauthorization could take is standalone legislation to address U.S. government’s buying and using commercially available personal data in ways that critics claim circumvents the letter and spirit of the Fourth Amendment’s bar on unreasonable searches. Last month, Senators Ron Wyden (D-OR) and Rand Paul (R-KY) and 18 other cosponsors have introduced the “Fourth Amendment is Not for Sale Act,” (S.1265) “to put a stop to shady data brokers buying and selling Americans’ Constitutional rights.” House Judiciary Committee Chair Jerry Nadler (D-NY) and House Administration Committee Chair Zoe Lofgren (D-CA) introduced a companion bill in the House (H.R.2738). They claimed:

  • The Fourth Amendment is Not for Sale Act closes the legal loophole that allows data brokers to sell Americans’ personal information to law enforcement and intelligence agencies without any court oversight – in contrast to the strict rules for phone companies, social media sites and other businesses that have direct relationships with consumers.
  • The Senators asserted the bill:
    • Requires the government to get a court order to compel data brokers to disclose data — the same kind of court order needed to compel data from tech and phone companies.
    • Stops law enforcement and intelligence agencies buying data on people in the U.S. and about Americans abroad, if the data was obtained from a user’s account or device, or via deception, hacking, violations of a contract, privacy policy, or terms of service. As such, this bill prevents the government buying data from Clearview.AI.
    • Extends existing privacy laws to infrastructure firms that own data cables & cell towers.
    • Closes loopholes that would permit the intelligence community to buy or otherwise acquire metadata about Americans’ international calls, texts and emails to family and friends abroad, without any FISA Court review.
    • Ensures that intelligence agencies acquiring data on Americans do so within the framework of the Foreign Intelligence Surveillance Act and that when acquiring Americans’ location data, web browsing records and search history, intelligence agencies obtain probable cause orders. This language is similar to language that was in the 2020 Wyden-Daines amendment to legislation to reform Section 215.
    • Takes away the Attorney General’s authority to grant civil immunity to providers and other third parties for assistance with surveillance not required or permitted by statute. Providers retain immunity for surveillance assistance ordered by a court.

Nonetheless, the recently declassified and released FISA Court’s (FISC) approval of the U.S. government’s “Ex Parte Submission of Reauthorization Certifications and Related Procedures, Ex Parte Submission of Amended Certifications, and Request for an Order Approving Such Certifications and Amended Certifications” may shape any FISA reauthorization legislation because of the significant lapses, irregularities, and outright failures to follow FISA and the court’s orders. Admittedly, this memorandum and order pertain to Title VII, which governs “the targeting of non-U.S. persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” Nonetheless, it has roused critics of the FISA process.

Once again, the FISC agreed to allowing U.S. agencies to continue using FISA’s Title VII for foreign surveillance even though there were significant shortcomings and failures of some agencies to follow their own procedures to ensure FISA and the U.S. Constitution were not violated. The FISC explained:

the government discovered 40 queries that had been conducted in support of predicated criminal investigations relating to health -care fraud, transnational organized crime, violent gangs, domestic terrorism involving racially motivated violent extremists, as well as investigations relating to public corruption and bribery.

The FISC added these searches were not foreign intelligence or national security related:

None of these queries was related to national security, and they returned numerous Section 702-acquired products in response.

In other words, U.S. agencies searched intelligence acquired under the lower standards of Title VII for domestic purposes, which would normally require some type of court approval, often through a search warrant.

Nonetheless, the FISC noted the FBI’s claims that none of the searches were used in investigations or prosecutions:

The government discovered these and a number of similar violations during oversight reviews at seven FBI field offices. Of the reported instances in each field office, the FBI advised that none of the Section 702-acquired information returned was used in a criminal or civil proceeding or otherwise used for any investigative or evidentiary purpose, even when the Section 702 product displayed had been opened and reviewed.

The FISC observed these failures of the FBI to follow its own procedures were also turned up in the previous year, likely indicating the problem of agents using intelligence obtained through Title VII of FISA for domestic investigations is widespread:

These reported violations are similar to those referenced in the December 6, 2019 Opinion, which suggests that similar violations of Section 702(f)(2) likely have occurred across the Bureau.

The FISC was quick to excuse the ODNI and FBI, however:

But these query violations were discovered during a limited number of oversight reviews that occurred before NSD and ODNI suspended on-site reviews at FBI field offices because of the COVID -19 pandemic. Therefore, the reported violations involved queries that were conducted prior to the FBI’s implementation of the systems changes in late November 2019, and prior to completion of the mandatory training on these new features or the Querying Procedures as amended.

Now, some background on the events of last year when Congress opted not to reauthorize the FISA provisions may be helpful. In March 2020, the House passed “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172) by a 278-136 vote to reauthorize the three expiring FISA provisions used by the National Security Agency (NSA) primarily to conduct surveillance: the business records exception, roving wiretaps, and the “lone wolf” provision. These authorities had been extended in December 2019 to March 15, 2020. However, the Senate did not act immediately on the bill and opted instead to send a 77-day extension of these now lapsed authorities to the House, which did not to take up the bill. The Senate was at an impasse on how to proceed, for some Members did not favor the House reforms while others wanted to implement further changes to the FISA process. Consequently, then Senate Majority Leader Mitch McConnell (R-KY) promised amendment votes when the Senate took up H.R.6172.

Moreover, H.R. 6172 would have ended the NSA’s ability to use the call detail record (CDR) program that had allowed the agency to access data on many billions of calls. Nonetheless, the NSA shut down the program in 2018 due to what it termed technical problems. This closure of the program was included in the bill even though the Trump Administration had explicitly requested it also be reauthorized. The forerunner to the CDR program was the one exposed by former NSA and Central Intelligence Agency (CIA) contractor Edward Snowden in 2013.

As mentioned, H.R. 6172 would reauthorize the business records exception, which includes “any tangible thing,” in FISA first instituted in the USA PATRIOT Act in 2001 but would reform certain aspects of the program. For example, if the Federal Bureau of Investigation (FBI) or NSA is seeking a business record under FISA for which a law enforcement agency would need to obtain a warrant, then the FBI or NSA will also need to obtain a warrant. Currently, this is not the case. Additionally, under H.R.6172, the FISA application process under Section 215 could not be used to obtain a person’s cell site location or GPS information. However, the FBI or NSA would still be able to use Title I of FISA to seek cell site location or GPS data for purposes of conducting electronic surveillance related to alleged foreign intelligence. The bill would require that prosecutors must inform defendants of the evidence derived from electronic surveillance unless doing so would harm national security.

Moreover, records obtained under Section 215 could be retained no longer than five years subject to a number of exceptions that may serve to make this limitation a dead letter. For example, if such records are deemed to have a “secret meaning” or are certified by the FBI as being vital to national security, then such records may be held longer than five years. Given the tendency of agencies to read their authority as broadly as possible and the past record of Intelligence Community (IC) agencies, it is likely these authorities will be stretched as far as legally possible. It bears note that all restrictions are prospective, meaning that current, ongoing uses of Section 215 would be exempted. The business records provision would be extended until December 1, 2023 as are the other two expiring authorities that permit so-called roving wiretaps and allow for surveillance of so-called “lone wolves.”

For FISA applications under Title I (i.e., electronic surveillance), any agency seeking a FISA order to surveil will need to disclose to the FISA court any information that may call into question the accuracy of the application or any doubtful information. Moreover, certain FISA applications to surveil Americans or residents would need to spell out the proposed investigative techniques to the FISA court. Moreover, any FISA application targeting U.S. officials or candidates for federal office must be approved by the Attorney General in writing before they can be submitted. H.R.6172 would permit the suspension or removal of any federal official, employee, or contractor for misconduct before the FISA court and increases criminal liability for violating FISA from five to eight years. Most of these reforms seem aimed at those Members, many of whom are Republican, that were alarmed by the defects in the FISA surveillance process of Trump Campaign associate Cater Page as turned up by the Department of Justice’s Office of the Inspector General investigation. Some of these Members were opposed to the House Judiciary Committee’s initial bill, which they thought did not implement sufficient reforms to the larger FISA process.

In May 2020, the Senate amended and passed H.R. 6172 by an 80-16 vote. Consideration of the bill was stalled in March when some Senators pushed for amendments, a demand to which the Senate Majority Leader finally agreed, provided these amendments would need 60 votes to be adopted. Consequently, once COVID-19 legislation had been considered, the Senate returned to H.R.6172, and debated and voted upon three amendments, one of which was agreed to.

Wyden and Senator Steve Daines (R-MT) offered an amendment to narrow the Section 215 exception to the Fourth Amendment’s requirement that a search requires a warrant. The now lapsed Section 215 allowed for FISA court approved searches of business records and all tangible things in the course of a national security investigation, and the underlying text of H.R. 6172 would exclude cell site location and GPS location from Section 215. The Wyden/Daines amendment would also exclude web browsing and search engine histories.

As Wyden explained during debate,

With web browsing and searches, you are talking about some of the most intimate, some of the most personal, some of the most private details of the lives of Americans. Every thought that can come into people’s heads can be revealed in an internet search or in a visit to a website: their health histories, their medical fears, their political views, their romantic lives, their religious beliefs. Collecting this information is as close to reading minds as surveillance can get. It is the digital mining of the personal lives of the American people.

However, the amendment failed to reach the 60-vote threshold necessary for adoption under the rule of debate for H.R. 6172, failing by one vote as four Senators did not vote.

Following the Senate’s amendment and passage of H.R.6172, a Department of Justice (DOJ) spokesperson said of the bill, it “would unacceptably degrade our ability to conduct surveillance of terrorists, spies and other national security threats.” This comment was a precursor to stiffer Trump Administration opposition.

Nonetheless, in late May, when the House was gearing up to consider the Senate-amended version of H.R.6172, Representatives Zoe Lofgren (D-CA) and Warren Davidson (R-OH) submitted an amendment along the lines of the language Wyden and Daines proposed that the Senate rejected by one vote to bar the collection of web browsing and internet search history via a FISA order under Section 215. Lofgren and Davidson had negotiated with other House Democratic stakeholders on language acceptable to them. However, this language proved to be too much for the Trump Administration and the entire effort collapsed.

Regarding their amendment, in their press release, Lofgren and Davidson claimed “[t]he amendment – which is supported by Reps. Adam Schiff, Chair of the House Permanent Select Committee on Intelligence, and Jerrold Nadler, Chair of the House Judiciary Committee – is an outright prohibition: the government will not be able to use Section 215 to collect the websites that a U.S. person visits, the videos that a U.S. person watches, or the search queries that a U.S. person makes…[and] [s]pecifically:

  • If the government is not sure if you’re a U.S. person, but you could be, the government cannot get your internet activity without a Title I FISA warrant.
  • If the government wants to order a service provider to produce a list of everyone who has visited a particular website, watched a particular video, or made a particular search query: the government cannot make that order unless it can guarantee that no U.S. persons’ IP addresses, device identifiers, or other identifiers will be disclosed to the government.
    • This amendment does not allow for the incidental collection of U.S. persons’ web browsing or search information when the target is a specific-selection term that would or could produce such information.
  • This prohibition is a strict liability-type provision. (It isn’t a knowledge standard or a reasonable-belief standard. An order must not result in the production of a U.S. person’s web browsing or search information.)
  • If the order would or could result in the production of a U.S. person’s web browsing or search information, the government cannot order it without a Title I FISA warrant that must be narrowly tailored toward the subject of the warrant.

As noted, the Trump Administration started forcefully stating its objections to the amended Senate bill, including a veto threat issued via Twitter. On 26 May, former President Donald Trump tweeted “I hope all Republican House Members vote NO on FISA until such time as our Country is able to determine how and why the greatest political, criminal, and subversive scandal in USA history took place!” On 27 May, Trump tweeted

If the FISA Bill is passed tonight on the House floor, I will quickly VETO it. Our Country has just suffered through the greatest political crime in its history. The massive abuse of FISA was a big part of it!

Also on 27 May, Assistant Attorney General Stephen Boyd released the following statement on H.R.6172:

  • The Department worked closely with House leaders on both sides of the aisle to draft legislation to reauthorize three national security authorities in the U.S.A. Freedom Act while also imposing reforms to other aspects of FISA designed to address issues identified by the DOJ Inspector General. Although that legislation was approved with a large, bipartisan House majority, the Senate thereafter made significant changes that the Department opposed because they would unacceptably impair our ability to pursue terrorists and spies. We have proposed specific fixes to the most significant problems created by the changes the Senate made. Instead of addressing those issues, the House is now poised to further amend the legislation in a manner that will weaken national security tools while doing nothing to address the abuses identified by the DOJ Inspector General.
  • Accordingly, the Department opposes the Senate-passed bill in its current form and also opposes the Lofgren amendment in the House. Given the cumulative negative effect of these legislative changes on the Department’s ability to identify and track terrorists and spies, the Department must oppose the legislation now under consideration in the House. If passed, the Attorney General would recommend that the President veto the legislation.

What’s more, in the same week, the head of the DOJ’s National Security Division John Demers said there is no pressing need for reauthorization at this time. He remarked in an interview:

We’re going to have to look at where we can fill in the gaps using criminal tools. They’re not perfect. Foreign partners are not crazy when we use their information as the basis of criminal tools, because we don’t have the same protections that we do to protect underlying information as we do on the national security side. We are going to do the best we can to fill those holes and keep those investigations going.

Trump’s tweets caused Republican support for the bill to cave, and with it the chances of passage, for Republican votes were needed to pass the bill in the first place. House Republican leadership began urging its Members to vote no on H.R.6172. Moreover, progressive Democrats and allied advocacy groups were pushing House Democratic Leadership to adopt the Wyden/Daines language or something similar. Also, some House Democrats had announced their intention to vote against H.R. 6172 regardless of whether the Section 215 narrowing was added, and so it was not clear the Speaker had the votes to pass a bill the President had vowed to veto anyway.

Consequently, House Democratic Leadership explored the possibility of a clean vote on the Senate-amended bill, with the House Rules Committee reporting a rule for debate, but this effort was also scuttled as there were not the votes for passage of the bill, sending it to the White House. Instead, House Democratic Leadership opted to go to conference committee, which succeeded in a 284-122 proxy vote, one of the first taken under the new procedure. Thereafter, the House named the following conferees: House Judiciary Committee Chair Jerrold Nadler (D-NY) and Ranking Member Jim Jordan (R-OH); House Intelligence Committee Chair Adam Schiff (D-CA) and Ranking Member Devin Nunes (R-CA) and Representative Zoe Lofgren (D-CA). However, nothing further occurred on H.R.6172.

As stated above, the received wisdom is that the new administration would be keen to work with Congress on enacting a reauthorization because it would not have the antipathy former President Donald Trump had for FISA given the investigation of his 2016 presidential campaign and the FISA irregularities, shortcomings, and violations the DOJ Inspector General turned up in the FISA application to surveil Carter Page who was advising the campaign. And yet, very little has been said about FISA, the lapsed authorities, or a reauthorization.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Maria Oswalt on Unsplash

Published by Michael Kans

An attorney who specializes in technology policy, law, and politics with other areas of expertise.

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s