If Congress Wants to Protect Section 702, It Needs to Rein in the FBI
One of the most valuable U.S. foreign intelligence programs will expire at the end of this year unless Congress reauthorizes it. But before that happens, Congress must place tighter controls on domestic law enforcement’s access to the program’s data.
Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act allows the National Security Agency (NSA) to collect the communications of non-U.S. persons located abroad. Because the statute prohibits the NSA from targeting U.S. persons or people located in the United States, the government does not need a warrant to collect the communications, though the program is subject to oversight by the director of national intelligence, the Justice Department, congressional committees, and the Foreign Intelligence Surveillance Court (FISC).
As NSA Director Gen. Paul Nakasone said at a Privacy and Civil Liberties Oversight Board (PCLOB) forum on Jan. 12, Section 702 is an “irreplaceable” source of foreign intelligence that contributed to the government operation against Ayman al-Zawahiri and so many other successful efforts. “It allows the intelligence community to acquire the communications of specific foreign actors overseas and use those details to identify terrorist plots, track spies, identify cyber attacks and try to stop them as well as provide U.S. policymakers with the information they need to understand a wide range of national security threats,” Nakasone continued.
When Congress last debated reauthorizing Section 702 in 2017, I testified before the House Judiciary Committee that it is “an effective program that is subject to rigorous oversight by the three branches of government” and, on balance, complies with the Fourth Amendment’s prohibition on unreasonable searches. Yet I noted my concerns with the FBI’s ability to query data that the NSA has collected not only for foreign intelligence purposes but also for evidence of a crime.
The FBI’s access to Section 702 data is the main reason policymakers must carefully evaluate whether the program complies with the Fourth Amendment. Although Section 702 prohibits the NSA from targeting U.S. persons, their communications could be collected “incidentally” if a foreign target is on the other end of the communication. When I spoke on the Jan. 12 PCLOB panel after Nakasone’s remarks, I described that, in light of revelations over the past six years, my concerns about the FBI’s access to Section 702 data have grown substantially.
The intelligence community has not reported how many U.S. persons’ communications have been swept up in Section 702. But last April, a report from the Office of the Director of National Intelligence provided a startling statistic about the FBI’s use of Section 702 data. From December 2020 through November 2021, the FBI queried Section 702 data for information about U.S persons up to 3.4 million times. While 3.4 million is an upper limit of the number of U.S. persons involved in the searches—many queries could be associated with a single person, and the FBI told the media that more than half of those searches were related to a single Russian cyberthreat—even a fraction of 3.4 million queries is massive and difficult to fairly classify as “incidental.”
For years, the FBI has touted its access to Section 702 data as subject to controls that are overseen by various agencies and the FISC. But since Congress reauthorized Section 702 in early 2018, the FISC has repeatedly documented the FBI’s failure to adhere to basic privacy practices.
The FBI’s internal procedures allow it to query Section 702 data in a manner that is “reasonably likely” to return “foreign intelligence information or evidence of a crime.” Those procedures prohibit the use of the data for personal or other improper reasons. An October 2018 FISC opinion found that the FBI had fallen short of that standard. “Since April 2017, the government has reported a large number of FBI queries that were not reasonably likely to return foreign-intelligence information or evidence of crime,” Judge James E. Boasberg wrote. “In a number of cases, a single improper decision or assessment resulted in the use of query terms corresponding to a large number of individuals, including U.S. persons.”
Although many examples of improper access were heavily redacted in the publicly released opinion, Boasberg noted that the government acknowledged that the queries stemmed from “fundamental misunderstandings by some FBI personnel [about] what the standard ‘reasonably likely to return foreign intelligence information’ means.” Boasberg also documented a “small number” of queries for personal reasons, including “a contract linguist who ran queries on himself, other FBI employees, and relatives.”
The FBI’s queries violated both the requirements of Section 702 and the Fourth Amendment, Boasberg concluded, because its practices “present a serious risk of unwarranted intrusion into the private communications of a large number of U.S. persons.” To cure the constitutional problem, Boasberg ordered the FBI to document the reason for each U.S. person query. The government appealed the documentation requirement, but the appellate court later affirmed it.
The court’s scolding did not, however, cause the FBI to immediately clean up its act. In a December 2019 opinion, Boasberg found “that there still appear to be widespread violations of the querying standard by the FBI.” Among the FBI’s uses of Section 702 data: screening a local police officer candidate, vetting a potential source, investigating people who visited an FBI office to perform maintenance, and investigating college students who applied for the FBI Collegiate Academy. Boasberg wrote that he was not terribly surprised by the violations because the FBI was just beginning to implement its reforms. In a November 2020 FISC opinion, however, the court revealed that it had found additional problems with the FBI’s querying of Section 702 data. New reports of 2019 oversight reviews, Boasberg wrote, “suggest that the FBI’s failure to properly apply its querying standard when searching Section 702-acquired information was more pervasive than was previously believed.” For instance, an employee queried the data 124 times with information about people reporting a tip or being the victims of a crime, seeking to perform a service, such as a repair, at an FBI field office, or requesting to participate in the FBI’s Citizens Academy program for community leaders. Again, Boasberg seemed to forgive the violations, acknowledging that most of the queries took place before the FBI’s court-ordered documentation changes and that the coronavirus pandemic “severely limited the government’s ability to monitor the FBI’s compliance once the system changes were implemented and users received training on those changes.”
Perhaps I should be as patient and forgiving as Boasberg, but when I read his opinions, I see years of the nation’s largest law enforcement agency playing fast and loose with warrantlessly collected communications of U.S. citizens. I accept that the occasional misstep may happen, but the FISC has documented many serious errors over many years. Section 702’s reauthorization is Congress’s chance to take a close look at the program and require changes that protect Americans’ civil liberties.
Boasberg’s opinions are the best glimpse that the public has into how the FBI handles Section 702 data, but they do not provide a complete picture. Setting aside the fact that the publicly released opinions are heavily redacted, they focus largely on specific compliance incidents. Fortunately, as it did before the last Section 702 reauthorization, the PCLOB is preparing a report about the program before Congress votes. Hopefully the FBI and other agencies will give the PCLOB broad access so that it can show lawmakers and the public how the FBI has been using Section 702 data.
The PCLOB’s findings, along with Boasberg’s opinions, should drive Section 702 reform. At a minimum, Congress should impose more transparency and documentation obligations before the FBI can search Section 702 data, though recent experience has shown that such administrative requirements do not solve the problem. These obligations must be coupled with aggressive external oversight and enforcement.
Among the necessary transparency reforms is a requirement that the intelligence community calculate and disclose how many Americans’ communications are swept up in Section 702. The intelligence community has resisted before, partly due to privacy concerns in assessing whether the communications belong to Americans. Anunay Kulshrestha and Jonathan Mayer of Princeton University have proposed a method of using secure multiparty computation to obtain an estimate while maintaining confidentiality, which would be valuable in assessing Section 702’s privacy implications.
Further, Congress should consider requiring that the FBI obtain a warrant, supported by probable cause, before querying Section 702 data for U.S. persons information. While the intelligence community is correct that such requirements can slow down intelligence operations or criminal investigations, the same can be said of nearly any restriction on government surveillance. The question is not whether the warrant requirement would be inconvenient for the FBI, but whether it is necessary to preserve Fourth Amendment rights.
In its 2018 reauthorization, Congress required the FBI to obtain a probable cause order from the FISC to review Section 702 data from queries in a small fraction of late-stage criminal investigations that are unrelated to national security. But as the Brennan Center pointed out in recent comments to the PCLOB, government data suggests that the FBI did not obtain a single order over the past four years, despite the requirement apparently applying more than 100 times. This suggests that an across-the-board warrant requirement for FBI Section 702 queries of U.S. persons information might be necessary.
Alternatively, Congress could decide to prohibit the FBI from querying Section 702 data for any purpose unrelated to obtaining foreign intelligence information. This would be an even more extreme solution, but it might be Congress’s only choice if the FBI cannot comply with basic privacy practices.
As I did in 2017, I part ways with privacy advocates who say that each FBI query of already-collected Section 702 data is a separate search to be assessed under the Fourth Amendment.
Rather, I agree with FISC judges who evaluate the entire Section 702 program for Fourth Amendment reasonableness.
As the Supreme Court has stated, such an evaluation requires consideration of, “on the one hand, the degree to which it intrudes upon an individual’s privacy and, on the other, the degree to which it is needed for the promotion of legitimate governmental interests.” The FBI’s repeated misuse of the data over many years—and after many warnings—does not support a finding that the program as a whole is constitutional. If the FBI continues to flout the few limits on its access to Section 702 data, the program is more likely to fail Fourth Amendment scrutiny.
Policymakers cannot allow that to happen. As Nakasone and many others have shown over the years, Section 702 is far too valuable to national security to let it fall victim to FBI overreach. Limiting the FBI’s access to Section 702 data and refocusing Section 702 on its core mission would benefit both privacy and national security.