IC Concedes PATRIOT Act Used To Collect Browsing

The top U.S. intelligence official admits the PATRIOT Act has been used to surveil a website and its visitors. This admission could result in a narrowing of FISA to stop this and related practices.

In a follow-on letter to correct his previous letter, the Director of National Intelligence (DNI) acknowledged the Federal Bureau of Investigation (FBI) has indeed used Section 215 of the PATRIOT Act to surveil a website and its users. The Senate came within one vote of adding language to the bill to reauthorize and reform the Foreign Intelligence Surveillance Act (FISA) barring the use of this provision to surveil web browsing and internet search histories. It is possible this revelation will sway the Congress and the Biden Administration to enact such a change when they turn to these and other lapsed FISA authorities next year. At present, FISA reauthorization seems very improbable under the current administration given the President’s animus for the FISA process that was used to surveil the contacts between his 2016 Campaign advisors and Russian intelligence operatives.

DNI John Ratcliffe conceded in a 25 November letter to Senator Ron Wyden (D-OR) that web browsing has been the subject of at least one FISA application and production. Ratcliffe stated “the Department of Justice provided additional information to my office indicating that one of those 61 orders [issued pursuant to applications under Title V of FISA in 2019] resulted in the production of information that could be characterized as information regarding browsing.” He added “[s]pecifically, as relevant to an authorized investigation to obtain foreign intelligence information, the order directed the production of log entries for a single, identified U.S. web page reflecting connections from IP addresses registered in a specified foreign country that occurred during a defined period of time.” Of course, Ratcliffe only referenced searches in 2019, and so, it is an open question as to how many FISA searches authorized under Section 215 authority have been conducted in recent years for web browsing and internet search histories.

In his 20 May letter to the then DNI, Wyden explained:

  • I am writing to inquire whether public reporting on the use of Section 215 of the PATRIOT Act would capture the government’s collection of web browsing and internet searches. As you know, on May 13, 2020, 59 U.S. Senators voted to prohibit this form of warrantless surveillance, reflecting the broad, bipartisan view that it represents a dangerous invasion of Americans’ privacy.
  • There have also been long-standing concerns about the inadequacy of public reporting on the use of Section 215, including whether the data released annually by the DNI adequately captures the extent of the government’s collection activities and its impact on Americans. These concerns are magnified by the lack of clarity as to how the public reporting requirements would apply to web browsing and internet searches.

In a statement to the New York Times, Wyden argued “the DNI has provided no guarantee that the government wouldn’t use the Patriot Act to intentionally collect Americans’ web browsing information in the future, which is why Congress must pass the warrant requirement that has already received support from a bipartisan majority in the Senate.” Apparently, Ratcliffe’s follow-on letter was a result of the newspaper’s reporters pressing the DNI on how it was defining web browsing. And yet, Ratcliffe refused to answer other questions about whether these practices occurred before 2019 or in 2020 because his letter is specific only to 2019.

The amendment Wyden referred to was considered earlier this year when the House, Senate, and White House seemed close to a deal to extend Section 215 and two other related surveillance provisions that had lapsed. That amendment would have barred the use of this FISA exception to the Fourth Amendment to surveil search histories, web browsing, location and GPS data. If all Senators had been present and voting, it would have likely been added to the bill, suggesting it will be added when FISA reauthorization is addressed next year. However, a compromise provision in the House was narrower than the Wyden/Daines amendment, which caused Wyden to announce his opposition to that language. Hence, there remains work on finding language acceptable to stakeholders in Congress and the Biden Administration.

In March, the House passed the “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172) by a 278-136 vote to reauthorize three expiring FISA provisions used by the National Security Agency (NSA) primarily to conduct surveillance: the business records exception, roving wiretaps, and the “lone wolf” provision. These authorities had been extended in December 2019 to March 15, 2020. However, the Senate did not act immediately on the bill and opted instead to send a 77-day extension of these now lapsed authorities to the House, which did not take up the bill. The Senate was at an impasse on how to proceed, for some Members did not favor the House reforms while others wanted to implement further changes to the FISA process. Consequently, Senate Majority Leader Mitch McConnell (R-KY) promised amendment votes when the Senate took up H.R.6172.

Moreover, H.R. 6172 ends the NSA’s ability to use the so-called call detail record (CDR) program that had allowed the agency to access data on many billions of calls. Nonetheless, the NSA shut down the program in 2018 due to what it termed technical problems. This closure of the program was included in the bill even though the Trump Administration had explicitly requested it also be reauthorized.

As mentioned, H.R. 6172 would reauthorize the business records exception, which includes “any tangible thing,” in FISA first instituted in the USA PATRIOT Act in 2001 but would reform certain aspects of the program. For example, if the Federal Bureau of Investigation (FBI) or NSA is seeking a business record under FISA for which a law enforcement agency would need to obtain a warrant, then the FBI or NSA will also need to obtain a warrant. Currently, this is not the case. Additionally, under H.R.6172, the FISA application process under Section 215 could not be used to obtain a person’s cell site location or GPS information. However, the FBI or NSA would still be able to use Title I of FISA to seek cell site location or GPS data for purposes of conducting electronic surveillance related to alleged foreign intelligence. The bill would require that prosecutors must inform defendants of the evidence derived from electronic surveillance unless doing so would harm national security.

Moreover, records obtained under Section 215 could be retained no longer than five years subject to a number of exceptions that may serve to make this limitation a dead letter. For example, if such records are deemed to have a “secret meaning” or are certified by the FBI as being vital to national security, then such records may be held longer than five years. Given the tendency of agencies to read their authority as broadly as possible and the past record of Intelligence Community (IC) agencies, it is likely these authorities will be stretched as far as legally possible. It bears note that all restrictions are prospective, meaning that current, ongoing uses of Section 215 would be exempted. The business records provision would be extended until December 1, 2023 as are the other two expiring authorities that permit so-called roving wiretaps and allow for surveillance of so-called “lone wolves.”

For FISA applications under Title I (i.e., electronic surveillance), any agency seeking a FISA order to surveil will need to disclose to the FISA court any information that may call into question the accuracy of the application or any doubtful information. Moreover, certain FISA applications to surveil Americans or residents would need to spell out the proposed investigative techniques to the FISA court. Moreover, any FISA application targeting U.S. officials or candidates for federal office must be approved by the Attorney General in writing before they can be submitted. H.R.6172 would permit the suspension or removal of any federal official, employee, or contractor for misconduct before the FISA court and increases criminal liability for violating FISA from five to eight years. Most of these reforms seem aimed at those Members, many of whom are Republican, that were alarmed by the defects in the FISA surveillance process of Trump Campaign associate Carter Page as turned up by the Department of Justice’s Office of the Inspector General investigation. Some of these Members were opposed to the House Judiciary Committee’s initial bill, which they thought did not implement sufficient reforms to the larger FISA process.

In May, the Senate amended and passed H.R. 6172 by an 80-16 vote. Consideration of the bill was stalled in March when some Senators pushed for amendments, a demand to which the Senate Majority Leader finally agreed, provided these amendments would need 60 votes to be adopted. Consequently, once COVID-19 legislation had been considered, the Senate returned to H.R.6172, and debated and voted upon three amendments, one of which was agreed to.

Wyden and Senator Steve Daines (R-MT) offered an amendment to narrow the Section 215 exception to the Fourth Amendment’s requirement that a search requires a warrant. Section 215 currently allows for FISA court approved searches of business records and all tangible things in the course of a national security investigation, and the underlying text of H.R. 6172 would exclude cell site location and GPS location from Section 215. The Wyden/Daines amendment would also exclude web browsing and search engine histories.

As Wyden explained during debate,

With web browsing and searches, you are talking about some of the most intimate, some of the most personal, some of the most private details of the lives of Americans. Every thought that can come into people’s heads can be revealed in an internet search or in a visit to a website: their health histories, their medical fears, their political views, their romantic lives, their religious beliefs. Collecting this information is as close to reading minds as surveillance can get. It is the digital mining of the personal lives of the American people.

However, the amendment failed to reach the 60-vote threshold necessary for adoption under the rule of debate for H.R. 6172, failing by one vote as four Senators did not vote.

Two weeks later, when the House was gearing up to consider the Senate-amended version of H.R.6172, Representatives Zoe Lofgren (D-CA) and Warren Davidson (R-OH) submitted an amendment along the lines of the language Wyden and Daines proposed that the Senate rejected by one vote to bar the collection of web browsing and internet search history via a FISA order under Section 215. Lofgren and Davidson had negotiated with other House Democratic stakeholders on language acceptable to them.

Regarding their amendment, in their press release, Lofgren and Davidson claimed “[t]he amendment – which is supported by Reps. Adam Schiff, Chair of the House Permanent Select Committee on Intelligence, and Jerrold Nadler, Chair of the House Judiciary Committee – is an outright prohibition: the government will not be able to use Section 215 to collect the websites that a U.S. person visits, the videos that a U.S. person watches, or the search queries that a U.S. person makes…[and] [s]pecifically:

  • If the government is not sure if you’re a U.S. person, but you could be, the government cannot get your internet activity without a Title I FISA warrant.
  • If the government wants to order a service provider to produce a list of everyone who has visited a particular website, watched a particular video, or made a particular search query: the government cannot make that order unless it can guarantee that no U.S. persons’ IP addresses, device identifiers, or other identifiers will be disclosed to the government.
    • This amendment does not allow for the incidental collection of U.S. persons’ web browsing or search information when the target is a specific-selection term that would or could produce such information.
  • This prohibition is a strict liability-type provision. (It isn’t a knowledge standard or a reasonable-belief standard. An order must not result in the production of a U.S. person’s web browsing or search information.)
  • If the order would or could result in the production of a U.S. person’s web browsing or search information, the government cannot order it without a Title I FISA warrant that must be narrowly tailored toward the subject of the warrant.

It appeared this amendment would be made in order during debate, but opposition from both the left and right in the House and among stakeholders made this untenable. The fact that the Lofgren/Davidson amendment was narrower in that it would only provide this protection to people in the United States whereas the Wyden/Daines amendment would have outright barred the practice under FISA led to opposition on the left. Early on 27 May, Wyden supported this language, but when House Intelligence Committee Chair Adam Schiff (D-CA) suggested that intelligence agencies could continue to collect web browsing and search histories of Americans, Wyden withdrew his support. Thereafter, House Democratic Leadership ultimately decided against allowing this amendment to have a vote. Consequently, the effort to enact a FISA reauthorization collapsed.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Pending Legislation In U.S. Congress, Part I: FY 2021 NDAA and FISA Reauthorization

Normally, a FISA reauthorization would be considered must pass like an NDAA, but this year may be different.   

As Congress returns from an eventful summer recess, it is possible technology focused and related legislation is passed or advances towards passage before the body leaves Washington in late September. However, it is just as likely, possibly even more, that Congress punts everything except for a measure to keep the government funded through the November election. This week, we will explore some of the bills that may become law. Today’s piece is on the FY 2021 National Defense Authorization Act (NDAA) and the lapsed provisions in the Foreign Intelligence Surveillance Act (FISA).

FY 2021 NDAA

Congress will almost certainly pass its annual policy and authorization bill for the Department of Defense (DOD) as it has done every year since FY 1962. These days, this bill is laden with technology provisions, most of which are oriented towards national security programs, but not always: because the National Defense Authorization Act (NDAA) is considered must-pass legislation, it attracts some legislation that is non-defense. For example, the revamp of how the United States government buys and develops information technology programs, the “Federal Information Technology Acquisition Reform Act” (FITARA) (P.L. 113-291), was enacted as part of the FY 2015 NDAA.

The House and Senate have passed their respective bills: the “William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021” (H.R.6395) and the “National Defense Authorization Act for Fiscal Year 2021” (S.4049) and have already started work on resolving differences between the two packages. However, over the last decade or so, the NDAA has been one of the last major bills passed each calendar year, and it is possible this legislation will not reach the President’s desk until late December.

The base bill put on the floor of the House contained a range of cybersecurity provisions. The DOD’s requirement that it must submit its cybersecurity and information technology (IT) budget would be broadened to include cyber mission force and its new cyber operations force budgets. The Cyberspace Solarium Commission’s (CSC) structure would be changed and would be extended. The DOD would need to study and consider replicating an entity inside the Navy that has been researching and pioneering cyber warfare. The DOD’s Principal Cyber Advisor would be invested with the authority to manage the Pentagon’s role as the sector-specific agency (SSA) for the Defense Industrial Base (DIB) under Presidential Policy Directive-21. The bill also increased the DOD’s reporting requirements to Congress regarding compromises of its system and exceptions to its IT policies with the goal of creating a baseline to help the Pentagon manage its cyber risks and tradeoffs. The DOD would determine whether a current public-private partnership on cybersecurity is working and should be extended.

The Department of Homeland Security (DHS) would need to submit a report on the feasibility of an Integrated Cyber Center housed at its National Cybersecurity and Communications Integration Center (NCCIC). DHS would need to work with the DOD, Office of the Director of National Intelligence (ODNI) and National Security Agency (NSA) on whether it makes sense to create a joint collaboration environment to help shore up cybersecurity. The Pentagon would need to study and then implement a threat hunting program that would allow its personnel to go searching for vulnerabilities and cyber risks in the IT systems of DIB contractors. The DOD would be barred from contracting with entities that do not belong to the DIB threat intelligence sharing program. The bill would also permit the DOD to make grants to companies providing cybersecurity to small manufacturers in the U.S. The bill would establish a National Artificial Intelligence Initiative to support and foster a number of related activities including research and development, education, and training.

During floor consideration of H.R.6395, the House agreed to scores of amendments in two en bloc packages that contained most of the technology provisions made in order for consideration. Among the most notable of these provisions are the following, some of which have been considered by the House as standalone legislation:

The cybersecurity provisions in S.4049 would change, alter, or establish a range of programs and operations. The bill would modify the statutory duties of the Department of Defense’s Principal Cyber Advisor to require that the person chosen for this role is a civilian at the Pentagon who holds a position requiring Senate confirmation. The DOD would need to develop and implement a framework for forward hunt operations (i.e. offensive cyber operations) to address some of the issues the committee’s oversight turned up. The focus of this exercise would be to get a better understanding of the utility and life span of intelligence gained through such operations. The Pentagon’s reporting duties after executing an offensive or defensive cyber operation would be expanded to include nations and entities with whom the United States is not at war. The Committee expanded the DOD’s required briefings on cyber operations, expressing frustration with the Department’s “unwillingness to keep the committee apprised of cyber operations conducted to gain access to adversary systems, including those conducted pursuant to standing military plans against military targets.”

There is language mandating that the DOD begin the process of harmonizing the Pentagon’s cyber capabilities and those provided by private sector contractors, much of which overlaps in the view of the committee. Cyber Command would receive expanded but necessarily limited acquisition authority, as the service branches are to remain the entities undertaking large procurements. The Principal Cyber Advisor and head of Cyber Command would need to assess how well the DOD manages inter-agency conflict in the Pentagon and among Intelligence Community agencies in managing the process by which cyber operations are designed and executed, suggesting there is significant internal friction among the stakeholders. The DOD would need to conduct a pilot on the feasibility of adopting and using a commercial practice of speed-based cybersecurity metrics. The Pentagon would also need to better integrate its data collection and data analysis regarding potentially malicious or illegal activities by DOD employees and contractors (i.e. so-called insider threat).

The DOD would need “to develop a comprehensive plan, by February 1, 2021, for the deployment of commercial-off-the-shelf solutions on supplier networks to monitor the public-facing Internet attack surface of members of the defense industrial base (DIB)” that is intended to supplement the DOD’s new Cybersecurity Maturity Model Certification and other DOD efforts to shore up the cybersecurity of its contractors. The bill would grant a DOD request to receive the authority to immediately react and respond to reported threats and penetrations to “operationally critical” DOD contractors’ systems and networks. The DOD would need “to conduct a baseline review of the Joint Regional Security Stacks (JRSS) activity to determine whether the initiative should continue, but as a program of record, or should be replaced by an improved design and modern technology.” The DOD would also receive limited flexibility to use Operation and Maintenance (O&M) “for cyber operations-peculiar capability development projects.” The committee also conditioned the availability of certain Office of the Secretary of Defense travel on fulfilling a requirement in the current year’s NDAA to submit “a report for the structuring and manning of information operations capabilities and forces” in the DOD, develop “a strategy for operations in the information environment” and to “conduct an information operations posture review.”

The Cyberspace Solarium Commission (CSC) would have its mandate extended so it could monitor, assess, and report on the implementation of its 75 recommendations made in March 2020. The bill includes a number of CSC recommendations, including:

  • Adding “a force structure assessment of the Department of Defense’s Cyber Operations Forces to future cyber posture reviews.”
  • “a report to the congressional defense committees, detailing the actions that the Secretary will undertake to ensure that the Commander, U.S. Cyber Command, has enhanced authority, direction, and control of the Cyber Operations Forces and of the equipment budget that enables Cyber Operations Forces’ operations and readiness, beginning with fiscal year 2024 budget request.”
  • Assessing “options for establishing a cyber reserve force.”
  • A comprehensive plan for “[e]nsuring cyber resiliency of nuclear command and control system”
  • Requiring “the Secretary of Defense to establish policies and requirements for each major weapon system, and the priority critical infrastructure essential to the proper functioning of major weapon systems in broader mission areas, to be re-assessed for cyber vulnerabilities.”
  • Mandating that the Secretary of Defense “establish a threat intelligence sharing program to share threat intelligence with and obtain threat intelligence from the defense industrial base.”
  • Requiring the Pentagon “to conduct an assessment of the adequacy of threat hunting elements of the Cyber Maturity Model Certification (CMMC) program and the need for continuous threat monitoring operations.”
  • Addressing “the risks to National Security Systems (NSSs) posed by quantum computing by requiring the Secretary of Defense to: (1) Complete an assessment of current and potential threats to critical NSSs and the standards used for quantum-resistant cryptography; and (2) Provide recommendations for research and development activities to secure NSSs.”
  • Study the feasibility of establishment of a National Cyber Director.

In terms of the provisions that were folded into the final Senate bill, Senate Homeland Security and Governmental Affairs Committee Chair Ron Johnson (R-WI) succeeded in attaching to the larger bill the “Cybersecurity Vulnerability Identification and Notification Act of 2019” (S.3045). S.3045 would expand the authority of the Cybersecurity and Infrastructure Security Agency’s (CISA) National Cybersecurity and Communications Integration Center (NCCIC) to issue subpoenas to internet service providers to obtain the identity of owners and operators of critical infrastructure, subject to to-be-drafted procedures and limits on how any information collected from a subpoena is used and retained. The House’s counterpart bill, H.R.5680, was added as an amendment to H.R.6395, meaning the substance of the legislation will almost certainly be in the final NDAA. Also, an amendment was adopted to stimulate semiconductor manufacturing in the United States by creating a grant and tax incentive program at the Department of Commerce.

There were other technology provisions added to the bill during debate. The following amendments were adopted on 2 July en bloc by unanimous consent:

  • The Department of Homeland Security “shall produce a report on the state of digital content forgery technology” within one year of enactment and then every five years
  • “[T]he Secretary of Defense, with appropriate representatives of the Armed Forces, shall brief the Committees on Armed Services of the Senate and the House of Representatives on the feasibility and the current status of assigning members of the Armed Forces on active duty to the Joint Artificial Intelligence Center (JAIC) of the Department of Defense.”
  • “[T]he Secretary of Homeland Security shall conduct a comprehensive review of the ability of the Cybersecurity and Infrastructure Security Agency to fulfill–
    • the missions of the Cybersecurity and Infrastructure Security Agency; and
    • the recommendations detailed in the report issued by the Cyberspace Solarium Commission”
  • The “Developing Innovation and Growing the Internet of Things Act” (DIGIT Act) (S.1611) that would require the Department of Commerce to “convene a working group of Federal stakeholders for the purpose of providing recommendations and a report to Congress relating to the aspects of the Internet of Things.”
  • “[T]he Secretary of Defense, in coordination with the Director of the National Reconnaissance Office and the Director of the National Geospatial-Intelligence Agency, shall leverage, to the maximum extent practicable, the capabilities of United States industry, including through the use of commercial geospatial-intelligence services and acquisition of commercial satellite imagery.”
  • “[T]he Secretary of Defense is authorized to establish a pilot program to explore the use of consumption-based solutions to address software-intensive warfighting capability” per a recommendation made by the Section 809 Panel.
  • “[T]he Secretary of Defense shall complete a study on the cyberexploitation of the personal information and accounts of members of the Armed Forces and their families.”
  • A modified version of the “Utilizing Strategic Allied (USA) Telecommunications Act” (S.3189) that “would reassert U.S. and Western leadership by encouraging competition with Huawei that capitalizes on U.S. software advantages, accelerating development of an open-architecture model (known as O-RAN) that would allow for alternative vendors to enter the market for specific network components, rather than having to compete with Huawei end-to-end” according to a press release.

Additionally, a deal was struck to add the “Intelligence Authorization Act for Fiscal Year 2021” (S.3905) to S.4049 but without a bill included in the package as reported out of the Senate Intelligence Committee: the “Foreign Influence Reporting in Elections Act” (FIRE Act) (S.2242).

FISA Reauthorization

At present, key surveillance authorities for new investigations have lapsed, and it does not appear Congress is close to a deal to restore and reform them, an unusual state of affairs, for since 11 September 2001, it has done so regularly. The House and Senate have both passed bills but have been unable to agree on the extent of reforms to Foreign Intelligence Surveillance Act (FISA) programs given antipathy from the Trump Administration on proposed changes and opposition from some Democrats and Republicans who want to see more significant reforms. It is always possible a compromise package is agreed to and then tacked onto the FY 2021 NDAA, a continuing resolution, or an omnibus appropriations bill as has happened before.

In March, the House passed the “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172) by a 278-136 vote, a bill to reauthorize three expiring FISA provisions used by the National Security Agency (NSA) primarily to conduct surveillance: the business records exception, roving wiretaps, and the “lone wolf” provision. Moreover, H.R. 6172 ends the NSA’s ability to use the so-called call detail record (CDR) program that had allowed the agency to access data on many billions of calls. Nonetheless, the NSA shut down the program in 2018 due to what it termed technical problems. This closure of the program was included in the bill even though the Trump Administration had explicitly requested it also be reauthorized.

These authorities had been extended in December 2019 to March 15, 2020. However, the Senate did not act immediately on the bill and opted instead to send a 77-day extension of these now lapsed authorities to the House, which did not take up the bill. The Senate was at an impasse on how to proceed, for some Members did not favor the House reforms while others wanted to implement further changes to the FISA process. Consequently, Senate Majority Leader Mitch McConnell (R-KY) promised amendment votes when the Senate took up H.R.6172, which it did in May. Thereafter, reforms House Democratic leadership tried adding to the bill failed to please stakeholders, leaving the chamber to squelch plans to send a revised bill to the Senate and instead ask for a conference, which is where matters currently stand.

As mentioned, H.R. 6172 would reauthorize the business records exception, which includes “any tangible thing,” in FISA first instituted in the “USA PATRIOT Act” in 2001 but would reform certain aspects of the program. For example, if the Federal Bureau of Investigation (FBI) or NSA is seeking a business record under FISA for which a law enforcement agency would need to obtain a warrant, then the FBI or NSA will also need to obtain a warrant. Currently, this is not the case. Additionally, under H.R.6172, the FISA application process under Section 215 could not be used to obtain a person’s cell site location or GPS information. However, the FBI or NSA would still be able to use Title I of FISA to seek cell site location or GPS data for purposes of conducting electronic surveillance related to alleged foreign intelligence. The bill would require that prosecutors must inform defendants of the evidence derived from electronic surveillance unless doing so would harm national security.

Moreover, records obtained under Section 215 could be retained no longer than five years subject to a number of exceptions that may serve to make this limitation a dead letter. For example, if such records are deemed to have a “secret meaning” or are certified by the FBI as being vital to national security, then such records may be held longer than five years. Given the tendency of agencies to read their authority as broadly as possible and the past record of IC agencies, it is likely these authorities will be stretched as far as legally possible. It bears note that all restrictions are prospective, meaning that current, ongoing uses of Section 215 would be exempted. The business records provision would be extended until December 1, 2023 as are the other two expiring authorities that permit so-called roving wiretaps and allow for surveillance of so-called “lone wolves.”

For FISA applications under Title I (i.e. electronic surveillance), any agency seeking a FISA order to surveil will need to disclose to the FISA court any information that may call into question the accuracy of the application or any doubtful information. Moreover, certain FISA applications to surveil Americans or residents would need to spell out the proposed investigative techniques to the FISA court. Moreover, any FISA application targeting U.S. officials or candidates for federal office must be approved by the Attorney General in writing before they can be submitted. H.R.6172 would permit the suspension or removal of any federal official, employee, or contractor for misconduct before the FISA court and increases criminal liability for violating FISA from five to eight years. Most of these reforms seem aimed at those Members, many of whom are Republican, that were alarmed by the defects in the FISA surveillance process of Trump Campaign associate Carter Page as turned up by the Department of Justice’s Office of the Inspector General investigation. Some of these Members were opposed to the House Judiciary Committee’s initial bill, which they thought did not implement sufficient reforms to the larger FISA process.

In May, the Senate amended and passed H.R. 6172 by an 80-16 vote. Consideration of the bill was stalled in March when some Senators pushed for amendments, a demand to which the Senate Majority Leader finally agreed, provided these amendments would need 60 votes to be adopted. Consequently, once COVID-19 legislation had been considered, the Senate returned to H.R.6172, and debated and voted upon three amendments, one of which was agreed to. Senators Pat Leahy (D-VT) and Mike Lee’s (R-UT) amendment to expand the amicus process during the FISA process prevailed by a 77-19 vote.

As mentioned, Wyden and Daines offered an amendment to narrow the Section 215 exception to the Fourth Amendment’s requirement that a search requires a warrant. Section 215 currently allows for FISA court approved searches of business records and all tangible things in the course of a national security investigation, and the underlying text of H.R. 6172 would exclude cell site location and GPS location from Section 215. The Wyden/Daines amendment would also exclude web browsing and search engine histories. However, the amendment failed to reach the 60-vote threshold necessary for adoption under the rule of debate for H.R. 6172, failing by one vote as four Senators did not vote.

In late May, it appeared as if the House would bring H.R. 6172 to the floor and possibly take a run at adding language that barely failed to get added during debate in the Senate that would further pare back the ability of federal law enforcement agencies to use the FISA process for surveillance. However, the Trump Administration more forcefully stated its objections to the amended bill, including a veto threat issued via Twitter, that caused Republican support for the bill to cave, and with it the chances of passage, for Republican votes were needed to pass the bill in the first place. Consequently, House Democratic Leadership explored the possibility of a clean vote on the Senate-amended bill, with the House Rules Committee reporting a rule for debate, but this effort was also scuttled as there were not the votes for passage of the bill to send it to the White House. Instead, House Democratic Leadership opted to go to conference committee, which succeeded in a 284-122 proxy vote, one of the first taken under the new procedure. Thereafter, the House named the following conferees: House Judiciary Committee Chair Jerrold Nadler (D-NY) and Ranking Member Jim Jordan (R-OH); House Intelligence Committee Chair Adam Schiff (D-CA) and Ranking Member Devin Nunes (R-CA) and Representative Zoe Lofgren (D-CA). The bill is being held at the desk in the Senate and Senate conferees have not been named, meaning the conference committee cannot formally begin.  

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


House Action On FISA Fizzles; A Conference Committee Is Requested

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

Despite House Democratic leadership’s plans to pass the Foreign Intelligence Surveillance Act (FISA) reauthorization the Senate sent back to the House earlier this month, plans for a vote last week were scrapped when the coalition that made possible passage of substantially the same bill in March fell apart. Instead, the House voted for a motion to disagree with the Senate’s amendments, to request a conference, and to appoint conferees. It remains to be seen whether the Senate opts to go to conference with the House, but a statement from a spokesperson for the Senate Majority Leader suggested he would support doing so. In the meantime, intelligence and law enforcement agencies cannot use the authorities the bill would renew and reform for they expired on 15 March except for investigations that started before that date.

At week’s beginning, it appeared as if the House would bring the amended “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172) to the floor and possibly take a run at adding language that barely failed to get added during debate in the Senate that would further pare back the ability of federal law enforcement agencies to use the FISA process for surveillance. However, the Trump Administration more forcefully stated its objections to the amended bill, including a veto threat issued via Twitter, that caused Republican support for the bill to cave, and with it the chances of passage, for Republican votes were needed to pass the bill in the first place. Consequently, House Democratic Leadership explored the possibility of a clean vote on the Senate-amended bill, with the House Rules Committee reporting a rule for debate, but this effort was also scuttled as there were not the votes to pass the bill and send it to the White House. Instead, House Democratic Leadership opted to go to conference committee, which succeeded in a 284-122 proxy vote, one of the first taken under the new procedure. Thereafter, the House named the following conferees: House Judiciary Committee Chair Jerrold Nadler (D-NY) and Ranking Member Jim Jordan (R-OH); House Intelligence Committee Chair Adam Schiff (D-CA) and Ranking Member Devin Nunes (R-CA) and Representative Zoe Lofgren (D-CA).

House Democratic plans on the FISA reauthorization went from amendment to passing the bill the Senate passed to requesting a conference after the Democratic-Republican coalition that got the bill out of the House in March crumbled.  

As noted, this week, the Trump Administration’s opposition has stiffened with the President getting on the field via Twitter, the Department of Justice (DOJ) publicly stating its opposition, and House Republican leadership urging its Members to vote no on H.R.6172. Moreover, progressive Democrats and allied advocacy groups were pushing House Democratic Leadership to adopt provisions blocking the collection and surveillance of web browsing and search engine history under Section 215. Also, some House Democrats had announced their intention to vote against H.R. 6172 regardless of whether the Section 215 narrowing was added, and so it was not clear the Speaker had the votes to pass a bill the President had vowed to veto anyway.

On 26 May, President Donald Trump tweeted “I hope all Republican House Members vote NO on FISA until such time as our Country is able to determine how and why the greatest political, criminal, and subversive scandal in USA history took place!” On 27 May, Trump tweeted

If the FISA Bill is passed tonight on the House floor, I will quickly VETO it. Our Country has just suffered through the greatest political crime in its history. The massive abuse of FISA was a big part of it!

Also on 27 May, Assistant Attorney General Stephen Boyd released the following statement on H.R.6172:

The Department worked closely with House leaders on both sides of the aisle to draft legislation to reauthorize three national security authorities in the U.S.A. Freedom Act while also imposing reforms to other aspects of FISA designed to address issues identified by the DOJ Inspector General. Although that legislation was approved with a large, bipartisan House majority, the Senate thereafter made significant changes that the Department opposed because they would unacceptably impair our ability to pursue terrorists and spies. We have proposed specific fixes to the most significant problems created by the changes the Senate made. Instead of addressing those issues, the House is now poised to further amend the legislation in a manner that will weaken national security tools while doing nothing to address the abuses identified by the DOJ Inspector General.

Accordingly, the Department opposes the Senate-passed bill in its current form and also opposes the Lofgren amendment in the House. Given the cumulative negative effect of these legislative changes on the Department’s ability to identify and track terrorists and spies, the Department must oppose the legislation now under consideration in the House. If passed, the Attorney General would recommend that the President veto the legislation.

And yet this week, the head of the DOJ’s National Security Division John Demers said there is no pressing need for reauthorization at this time. He remarked in an interview:

We’re going to have to look at where we can fill in the gaps using criminal tools. They’re not perfect. Foreign partners are not crazy when we use their information as the basis of criminal tools, because we don’t have the same protections that we do to protect underlying information as we do on the national security side. We are going to do the best we can to fill those holes and keep those investigations going.

Two weeks ago, following Senate amendment and passage of H.R.6172, a DOJ spokesperson said of the bill, it “would unacceptably degrade our ability to conduct surveillance of terrorists, spies and other national security threats.”

Early in the week, Representatives Zoe Lofgren (D-CA) and Warren Davidson (R-OH) submitted an amendment along the lines of the language offered by Senators Ron Wyden (D-OR) and Steve Daines (R-MT), which the Senate rejected by one vote, to bar the collection of web browsing and internet search history via a FISA order under Section 215. Lofgren and Davidson had negotiated with other House Democratic stakeholders on language acceptable to them.

Regarding their amendment, in their press release, Lofgren and Davidson claimed “[t]he amendment – which is supported by Reps. Adam Schiff, Chair of the House Permanent Select Committee on Intelligence, and Jerrold Nadler, Chair of the House Judiciary Committee – is an outright prohibition: the government will not be able to use Section 215 to collect the websites that a U.S. person visits, the videos that a U.S. person watches, or the search queries that a U.S. person makes…[and] [s]pecifically:

  • If the government is not sure if you’re a U.S. person, but you could be, the government cannot get your internet activity without a Title I FISA warrant.
  • If the government wants to order a service provider to produce a list of everyone who has visited a particular website, watched a particular video, or made a particular search query: the government cannot make that order unless it can guarantee that no U.S. persons’ IP addresses, device identifiers, or other identifiers will be disclosed to the government.
    • This amendment does not allow for the incidental collection of U.S. persons’ web browsing or search information when the target is a specific-selection term that would or could produce such information.
  • This prohibition is a strict liability-type provision. (It isn’t a knowledge standard or a reasonable-belief standard. An order must not result in the production of a U.S. person’s web browsing or search information.)
  • If the order would or could result in the production of a U.S. person’s web browsing or search information, the government cannot order it without a Title I FISA warrant that must be narrowly tailored toward the subject of the warrant.

It appeared this amendment would be made in order during debate, but opposition from both the left and right in the House and among stakeholders made this untenable. The fact that the Lofgren/Davidson amendment was narrower in that it would only provide this protection to people in the United States whereas the Wyden/Daines amendment would have outright barred the practice under FISA led to opposition on the left. Early on 27 May, Wyden supported this language, but when House Intelligence Committee Chair Adam Schiff (D-CA) suggested that intelligence agencies could continue to collect web browsing and search histories of Americans, Wyden withdrew his support. Thereafter, House Democratic Leadership ultimately decided against allowing this amendment to have a vote.

In December, Lofgren and Davidson were among the Members who introduced the “Safeguarding Americans’ Private Records Act of 2020” (H.R.5675/S.3242) in both chambers. In their press release, the sponsors claimed “[t]he bill includes a host of reforms:

  • It would permanently end the flawed phone surveillance program, which secretly scooped up Americans’ telephone records for years.
  • It would close loopholes and prohibit secret interpretation of the law, like those that led to unconstitutional warrantless surveillance programs.
  • It would prohibit warrantless collection of geolocation information by intelligence agencies.
  • It would respond to issues raised by the Inspector General’s office by ensuring independent attorneys, known as amici, have access to all documents, records and proceedings of Foreign Intelligence Surveillance Court, to provide more oversight and transparency.

Notably, beyond revoking the authority for the NSA to restart the telephone collection program, the bill would also exclude from the definition of “tangible thing” in the Section 215 business records exception: Cell site location information, Global positioning system information, Internet website browsing information, and Internet search history information. The bill also contains language that would limit the use of Section 215 to only counterterrorism and foreign intelligence matters and limit the retention of any such material to three years unless it includes foreign intelligence. Moreover, the bill would increase the justification requirements the government must meet before a nondisclosure requirement (aka gag order) can be placed on a company subject to a Section 215 order.

Two weeks ago, the Senate amended and passed H.R. 6172 by an 80-16 vote. Consideration of the bill was stalled in March when some Senators pushed for amendments, a demand to which the Senate Majority Leader finally agreed, provided these amendments would need 60 votes to be adopted. Consequently, once COVID-19 legislation had been considered, the Senate returned to H.R.6172, and debated and voted upon three amendments, one of which was agreed to. Senators Pat Leahy (D-VT) and Mike Lee’s (R-UT) amendment to expand the amicus process during the FISA process prevailed by a 77-19 vote. In an op-ed in The Washington Post, Leahy and Lee argued

  • The key to our proposal is to substantially strengthen a program that currently allows FISA judges, in very limited circumstances, to appoint outside legal scholars — called “amici”— to independently analyze FBI surveillance requests that are particularly sensitive. Out of thousands of cases, FISA judges have called for such an independent review by a court-appointed “amicus” only 16 times. Yet this protection is critical because, unlike every courtroom you may have stepped into or any court in a TV drama, the FISA court is not adversarial — meaning there is only a government lawyer and a judge, but no one to advocate for Americans under surveillance.
  • We propose measures that would authorize and actively encourage judges in this secret court to seek independent amicus reviews in all sensitive cases — such as those involving significant First Amendment issues — thereby adding a layer of protection for those who will likely never know they have been targeted for secret surveillance.

As mentioned, Wyden and Daines offered an amendment to narrow the Section 215 exception to the Fourth Amendment’s requirement that a search requires a warrant. Section 215 currently allows for FISA court approved searches of business records and all tangible things in the course of a national security investigation, and the underlying text of H.R. 6172 would exclude cell site location and GPS location from Section 215. The Wyden/Daines amendment would also exclude web browsing and search engine histories.

As Wyden explained during debate,

With web browsing and searches, you are talking about some of the most intimate, some of the most personal, some of the most private details of the lives of Americans. Every thought that can come into people’s heads can be revealed in an internet search or in a visit to a website: their health histories, their medical fears, their political views, their romantic lives, their religious beliefs. Collecting this information is as close to reading minds as surveillance can get. It is the digital mining of the personal lives of the American people.

However, the amendment failed to reach the 60-vote threshold necessary for adoption under the rule of debate for H.R. 6172, failing by one vote as four Senators did not vote.

As for the underlying bill the Senate considered, in March, the House passed H.R. 6172 by a 278-136 vote, a bill to reauthorize three expiring FISA provisions used by the National Security Agency (NSA) primarily to conduct surveillance: the business records exception, roving wiretaps, and the “lone wolf” provision. These authorities had been extended in December 2019 to March 15, 2020. However, the Senate did not act immediately on the bill and opted instead to send a 77-day extension of these now lapsed authorities to the House, which did not take up the bill. The Senate was at an impasse on how to proceed, for some Members did not favor the House reforms while others wanted to implement further changes to the FISA process. Consequently, Senate Majority Leader Mitch McConnell (R-KY) promised amendment votes when the Senate took up H.R.6172.

Moreover, H.R. 6172 ends the NSA’s ability to use the so-called call detail record (CDR) program that had allowed the agency to access data on many billions of calls. Nonetheless, the NSA shut down the program in 2018 due to what it termed technical problems. This closure of the program was included in the bill even though the Trump Administration had explicitly requested it also be reauthorized.

As mentioned, H.R. 6172 would reauthorize the business records exception, which includes “any tangible thing,” in FISA first instituted in the USA PATRIOT Act in 2001 but would reform certain aspects of the program. For example, if the Federal Bureau of Investigation (FBI) or NSA is seeking a business record under FISA for which a law enforcement agency would need to obtain a warrant, then the FBI or NSA will also need to obtain a warrant. Currently, this is not the case. Additionally, under H.R.6172, the FISA application process under Section 215 could not be used to obtain a person’s cell site location or GPS information. However, the FBI or NSA would still be able to use Title I of FISA to seek cell site location or GPS data for purposes of conducting electronic surveillance related to alleged foreign intelligence. The bill would require that prosecutors must inform defendants of the evidence derived from electronic surveillance unless doing so would harm national security.

Moreover, records obtained under Section 215 could be retained no longer than five years subject to a number of exceptions that may serve to make this limitation a dead letter. For example, if such records are deemed to have a “secret meaning” or are certified by the FBI as being vital to national security, then such records may be held longer than five years. Given the tendency of agencies to read their authority as broadly as possible and the past record of IC agencies, it is likely these authorities will be stretched as far as legally possible. It bears note that all restrictions are prospective, meaning that current, ongoing uses of Section 215 would be exempted. The business records provision would be extended until December 1, 2023 as are the other two expiring authorities that permit so-called roving wiretaps and allow for surveillance of so-called “lone wolves.”

For FISA applications under Title I (i.e. electronic surveillance), any agency seeking a FISA order to surveil will need to disclose to the FISA court any information that may call into question the accuracy of the application or any doubtful information. Moreover, certain FISA applications to surveil Americans or residents would need to spell out the proposed investigative techniques to the FISA court. Moreover, any FISA application targeting U.S. officials or candidates for federal office must be approved by the Attorney General in writing before they can be submitted. H.R.6172 would permit the suspension or removal of any federal official, employee, or contractor for misconduct before the FISA court and increases criminal liability for violating FISA from five to eight years. Most of these reforms seem aimed at those Members, many of whom are Republican, that were alarmed by the defects in the FISA surveillance process of Trump Campaign associate Carter Page as turned up by the Department of Justice’s Office of the Inspector General investigation. Some of these Members were opposed to the House Judiciary Committee’s initial bill, which they thought did not implement sufficient reforms to the larger FISA process.


Further Reading and Other Developments


Other Developments

  • Verizon released its annual Data Breach Investigations Report, which “analyzed a record total of 157,525 incidents” of which “32,002 met our quality standards and 3,950 were confirmed data breaches.”
  • Health Affairs detailed its thoughts on HIPAA and COVID-19 contact tracing and argued “[d]igital contact tracing can provide enough capacity but comes with serious privacy concerns.” They argued that Congress adding another law on top of HIPAA to address these concerns “would create an unworkable regulatory patchwork in conjunction with HIPAA.”
  • The American Civil Liberties Union “is demanding Congress and state and local governments ensure all students have equal access to the technologies that make effective remote learning possible, and that strong and uniform privacy safeguards are in place to protect students in the virtual classroom.” The ACLU “is also calling on Congress to provide billions of dollars in funding as part of the next COVID-19 relief package to meet the broadband access and technology needs of students and other impacted individuals.”
  • In a blog posting, Amazon calls for a federal price gouging law after noting it “has zero tolerance for price gouging and longstanding policies and systems in place to combat it.” Amazon called for legislation to “provide the Federal Trade Commission (FTC) the authority to go after scammers.” As detailed, platforms such as Amazon would appear not to face liability for price-gouging much like Facebook and the like do not face liability for content posted on their platforms.

Further Reading

  • “How Google and Apple outflanked governments in the race to build coronavirus apps” – Politico EU. This is the tale of how Apple and Google caused a number of European Union (EU) governments to change course, often moving from developing their own COVID-19 apps to hewing to the two tech giants’ approach. A key fault line has been where an app’s data would be stored: on a person’s phone or at a central location? Google and Apple favored the former, and some governments bowed to that position, notably Germany’s. A number of officials are quoted as saying that public policy cannot be dictated by private companies, but that appears to be exactly what happened in the EU.
  • “What Colombia Did With American Spy Tools” – The New York Times. The paper’s editorial board decries the use of U.S. funds and technology used to surveil a range of real and perceived opponents of the regime in Bogota, including U.S. journalists. Much of the surveillance was electronic including wiretaps and other technological means used to vacuum up information.
  • “Justice Department signals opposition to Senate’s surveillance bill” – The Hill. A Department of Justice (DOJ) spokesperson said of the amended “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172), it “would unacceptably degrade our ability to conduct surveillance of terrorists, spies and other national security threats.” With the DOJ now opposed and the White House remaining a wild card on Foreign Intelligence Surveillance Act (FISA) reauthorization, the future of the legislation in the House just became murkier. There is also pressure from the American Civil Liberties Union (ACLU) and related groups on House Democratic leadership to add the amendment that narrowly failed to be adopted in the Senate that would exclude web browsing and search history from Section 215 surveillance. Doing so may further complicate the road to enactment.
  • “China launches new Twitter accounts, 90,000 tweets in COVID-19 info war” – NBC News. A trans-Atlantic thinktank is alleging the People’s Republic of China (PRC) is waging a massive information campaign against the United States, largely in pushing back and turning around accusations COVID-19 came from a Chinese laboratory. Interestingly, much of the campaign is being waged by PRC officials.
  • “U.S. Is Using Taiwan as a Pressure Point in Tech Fight With China” – The New York Times. Washington’s latest move against Beijing aimed at a sore spot: Taiwan. The Trump Administration finally convinced the Taiwan Semiconductor Manufacturing Company (T.S.M.C.) to agree to open a plant in the United States, and it has announced plans to do so in Arizona. Not only would this pull the world’s foremost semi-conductor producer closer to the U.S., it may also allow the company to escape the shadow cast by the People’s Republic of China. Moreover, once produced in the U.S., T.S.M.C. semi-conductors may be considered free of potential backdoors and malicious code policymakers have long feared populate the Department of Defense’s (DOD) supply chain.
  • “One of the first contact-tracing apps violates its own privacy policy” – The Washington Post. Turns out Care19, a contact tracing app developed when the governor of North Dakota asked a friend who had designed an app for football fans to meet up, is violating its own privacy policy according to Jumbo, the maker of privacy software. Apparently, Care19 shares location and personal data with FourSquare when used on iPhones. Both Apple and state officials are at a loss to explain how this went unnoticed when the app was scrubbed for technical and privacy problems before being rolled out.
  • “US officials say they’ve cracked Pensacola shooter’s iPhones, blast Apple” – cyberscoop. The United States Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) use the cracking of the iPhone belonging to the person who shot and killed members of the military at Pensacola Air Station as an occasion to reiterate their calls for technology companies to provide backdoors for end-to-end encryption.
  • “Four states warn unemployment benefits applicants about data leaks” – NBC News. This article shines a light on poor information security practices at the state level as exposed by glaring weaknesses in a program to get unemployment assistance to those affected by COVID-19.
  • “Poor Americans Face Hurdles in Getting Promised Internet” – The New York Times. Even though major American internet providers have made available free and discounted service, there have been many issues, some of which have left populations the offers were supposed to help without service.
  • “NSO Group Impersonated Facebook to Help Clients Hack Targets” – Vice. Researchers have turned up domains that may have been used by Israeli security company, the NSO Group, to fool people into thinking they were logging into Facebook. These domains may have been based in the United States, which may be used as proof in WhatsApp’s suit against the company.
  • “Coronavirus: Security flaws found in NHS contact-tracing app” – BBC News. The United Kingdom’s National Health Service’s contact tracing app has been flagged with new privacy and security issues by researchers.


Senate Amends FISA Reauthorization; Bill Goes Back To House

A bill to renew three lapsed surveillance provisions was changed during debate, and it is unclear when the House would take up the bill.  


The Senate sent an amended version of the Foreign Intelligence Surveillance Act (FISA) reauthorization back to the House without a clear timeline as to when that body will take up this bill. The Senate adopted one amendment to bolster the FISA amicus and disclosure process, narrowly failed to adopt another to exclude web browsing information and search history from the scope of Section 215, and handily rejected an amendment to limit the use of FISA against United States persons.

In March, the House passed the “USA FREEDOM Reauthorization Act of 2020” (H.R. 6172) by a 278-136 vote, a bill to reauthorize three expiring FISA provisions used by the National Security Agency (NSA) primarily to conduct surveillance: the business records exception, roving wiretaps, and the “lone wolf” provision. These authorities had been extended in December 2019 to March 15, 2020. However, the Senate did not act immediately on the bill and opted instead to send a 77-day extension of these now lapsed authorities to the House, which did not take up the bill. The Senate was at an impasse on how to proceed, for some Members did not favor the House reforms while others wanted to implement further changes to the FISA process.

Moreover, H.R. 6172 ends the NSA’s ability to use the so-called call detail record (CDR) program that had allowed the agency to access data on many billions of calls. Nonetheless, the NSA shut down the program in 2018 due to what it termed technical problems. This closure of the program was included in the bill even though the Trump Administration had explicitly requested it also be reauthorized.

As mentioned, H.R. 6172 would reauthorize the business records exception in FISA, which includes “any tangible thing” and was first instituted in the USA PATRIOT Act in 2001, but would reform certain aspects of the program. For example, if the Federal Bureau of Investigation (FBI) or NSA is seeking a business record under FISA for which a law enforcement agency would need to obtain a warrant, then the FBI or NSA will also need to obtain a warrant. Currently, this is not the case. Additionally, under H.R. 6172, the FISA application process under Section 215 could not be used to obtain a person’s cell site location or GPS information. However, the FBI or NSA would still be able to use Title I of FISA to seek cell site location or GPS data for purposes of conducting electronic surveillance related to alleged foreign intelligence. The bill would require prosecutors to inform defendants of the evidence derived from electronic surveillance unless doing so would harm national security.

Moreover, records obtained under Section 215 could be retained no longer than five years subject to a number of exceptions that may serve to make this limitation a dead letter. For example, if such records are deemed to have a “secret meaning” or are certified by the FBI as being vital to national security, then such records may be held longer than five years. Given the tendency of agencies to read their authority as broadly as possible and the past record of IC agencies, it is likely these authorities will be stretched as far as legally possible. It bears note that all restrictions are prospective, meaning that current, ongoing uses of Section 215 would be exempted. The business records provision would be extended until December 1, 2023 as are the other two expiring authorities that permit so-called roving wiretaps and allow for surveillance of so-called “lone wolves.”

For FISA applications under Title I (i.e. electronic surveillance), any agency seeking a FISA order to surveil will need to disclose to the FISA court any information that may call into question the accuracy of the application or any doubtful information. Moreover, certain FISA applications to surveil Americans or residents would need to spell out the proposed investigative techniques to the FISA court. Any FISA application targeting U.S. officials or candidates for federal office must also be approved by the Attorney General in writing before it can be submitted. H.R. 6172 would permit the suspension or removal of any federal official, employee, or contractor for misconduct before the FISA court and increases criminal liability for violating FISA from five to eight years. Most of these reforms seem aimed at those Members, many of whom are Republican, who were alarmed by the defects in the FISA surveillance process of Trump Campaign associate Carter Page as turned up by the Department of Justice’s Office of the Inspector General investigation. Some of these Members were opposed to the House Judiciary Committee’s initial bill, which they thought did not implement sufficient reforms to the larger FISA process.

Like the bill the House Judiciary Committee was to mark up, the “USA FREEDOM Reauthorization Act of 2020” would set a six-month deadline for the Director of National Intelligence to declassify significant FISA opinions, orders, and decisions. The bill also beefs up the adversarial procedures in the FISA process by expanding the amici curiae process, and the amici’s ability to appeal FISA decisions to the FISA review court would also be expanded. Additionally, both FISA courts and the FISA review court would be empowered to seek outside legal counsel.

The Intelligence Committees would see their power increased to seek and obtain FISA applications in order to conduct oversight of the FISA process.

Finally, the powers of the Privacy and Civil Liberties Oversight Board (PCLOB) to oversee the FISA process would also be expanded. PCLOB would need to report on the extent to which FISA investigations are arising from protected First Amendment activities and from protected characteristics such as race, gender, sexual orientation, and others. There are broader PCLOB reforms that, for example, lengthen PCLOB members’ terms to six years and allow them to serve past the six-year mark until a successor is confirmed by the Senate, as is the case with many other agencies.

Senators Pat Leahy (D-VT) and Mike Lee (R-UT) succeeded in having their amendment to expand the amicus process during the FISA process adopted by a 77-19 vote. In an op-ed in The Washington Post, Leahy and Lee argued:

  • The key to our proposal is to substantially strengthen a program that currently allows FISA judges, in very limited circumstances, to appoint outside legal scholars — called “amici”— to independently analyze FBI surveillance requests that are particularly sensitive. Out of thousands of cases, FISA judges have called for such an independent review by a court-appointed “amicus” only 16 times. Yet this protection is critical because, unlike every courtroom you may have stepped into or any court in a TV drama, the FISA court is not adversarial — meaning there is only a government lawyer and a judge, but no one to advocate for Americans under surveillance.
  • We propose measures that would authorize and actively encourage judges in this secret court to seek independent amicus reviews in all sensitive cases — such as those involving significant First Amendment issues — thereby adding a layer of protection for those who will likely never know they have been targeted for secret surveillance.

Leahy elaborated during floor debate:

  • My amendment with Senator Lee would create a presumption of amici participation in cases involving significant First Amendment issues, not just “exceptional concerns” as in the House bill. Importantly, we also create a presumption of amici participation when the FBI considers the case to be a “sensitive investigative matter” which the FBI would call an investigation involving the domestic media, a domestic religious organization, or a public official. I think all of us should agree that in those instances we ought to have somebody independently looking at them.
  • Most critically, though, we would leave the decision to appoint amici entirely up to the FISA judge. Even if it would fall into all of these categories they could still say no. As a result, the argument that the expanded amici participation would duly burden the court doesn’t even withstand the slightest scrutiny. If the judge believes amici would not be appropriate because the case is too time sensitive or too simple or too routine or for any other reason–any other reason–they have the discretion to not appoint amici at all. Under our amendment, throughout the FISA process, the judge maintains complete control. It is not a burden on the court. What it is doing is empowering the court. It is up to them.

Senators Ron Wyden (D-OR) and Steve Daines (R-MT) offered an amendment to narrow the Section 215 exception to the Fourth Amendment’s requirement that a search requires a warrant. Section 215 currently allows for FISA court approved searches of business records and all tangible things in the course of a national security investigation, and H.R. 6172 would, as noted, exclude cell site location and GPS location from Section 215.

As Wyden explained during debate,

With web browsing and searches, you are talking about some of the most intimate, some of the most personal, some of the most private details of the lives of Americans. Every thought that can come into people’s heads can be revealed in an internet search or in a visit to a website: their health histories, their medical fears, their political views, their romantic lives, their religious beliefs. Collecting this information is as close to reading minds as surveillance can get. It is the digital mining of the personal lives of the American people.

However, the amendment failed to reach the 60-vote threshold necessary for adoption under the rule of debate for H.R. 6172, failing by one vote as four Senators did not vote.

Finally, Senator Rand Paul (R-KY) offered an amendment “to prohibit the use of authorities under [FISA] to surveil United States persons and to prohibit the use of information acquired under such Act in any criminal, civil, or administrative proceeding or as part of any criminal, civil, or administrative investigation, and for other purposes.” Paul’s amendment would bar the use of FISA for the following:

(1) electronic surveillance of a United States person;

(2) a physical search of a premises, information, material, or property used exclusively by, or under the open and exclusive control of, a United States person;

(3) approval of the installation and use of a pen register or trap and trace device to obtain information concerning a United States person;

(4) the production of tangible things (including books, records, papers, documents, and other items) concerning a United States person; or

(5) the targeting of a United States person for the acquisition of information.

Moreover, prosecutors could not use any such information in court proceedings against U.S. persons if obtained without a warrant issued by a federal court excepting FISA courts.

The amendment failed by an 11-87 vote, and then the Senate sent the amended version of H.R. 6172 back to the House by an 80-16 vote where its path to enactment is not immediately clear, in no small part, due to the extended COVID-19 recess that body has taken. However, the House Rules Committee is taking up a proxy voting measure today that may allow all Members to vote without having to be in Washington. This may allow action much sooner on the bill.
