One of the most hotly debated aspects of Section 702 is the practice of querying 702-acquired data using U.S.-person identifiers—in particular, queries conducted by the FBI in non-national-security criminal investigations. Some label these “backdoor searches,” although the Foreign Intelligence Surveillance Court has held that such queries are not searches that trigger the Fourth Amendment’s warrant requirement.
Even assuming that the practice is constitutional, however, it nonetheless raises legitimate civil liberties concerns. General Michael Hayden quipped yesterday that “even to this former director of NSA, using U.S. person data to query the lawfully collected foreign intelligence is a not trivial privacy question.”
The challenge for observers has long been assessing the scale of the potential privacy problem. The FBI told the Privacy and Civil Liberties Oversight Board that it is “extremely unlikely that an agent or analyst who is conducting an assessment of a non-national-security crime would get a responsive result from the query against the [FBI’s] Section 702-acquired data.” (Note that the FBI only receives data from 702’s PRISM, or downstream, component; until last week’s major change to 702’s upstream component, upstream was far more likely to pull in some wholly domestic communications.) But that failed to assuage many critics, perhaps because “extremely rare” lacks the power of a simple number.
For that reason, two coauthors and I recommended in a recent Center for a New American Security report that the IC publish annually the number of instances in which an FBI query in a non-national-security investigation returns 702 information about a U.S. person. We noted that since November 2015, the Foreign Intelligence Surveillance Court has already required the FBI to report each such instance to the court. While we acknowledged that “the details of these reports must remain classified,” we saw “no national security harm that would result from publishing the overall number of such occurrences.”
So it is welcome news that today’s IC transparency report for calendar year 2016 takes that step, declassifying and publishing the number of such instances reported to the FISC. And that number is: one. That is, one FBI query in a non-national-security investigation returned 702-acquired data about a U.S. person in 2016.
So that’s one side of the scale: a lawful (per the FISC) but nonetheless real intrusion on the privacy of a single U.S. person (which, it bears noting, could have been a U.S.-based corporation rather than a natural person).
On the other side: the potential value of this practice for public safety, which is not trivial. The 9/11 Commission explained that the inability to connect the dots across the “foreign-domestic divide”—that is, between foreign intelligence and domestic law-enforcement investigations—was a key reason the 9/11 plot succeeded. Prohibiting these queries could impede counterterrorism, counterintelligence, and other disciplines where identifying problematic foreign-domestic connections is vital, by preventing the FBI from “connecting the dots” between disparate pieces of information it already possesses. If there is a previously unknown connection between an FBI investigation in the United States and information the government has already collected under 702—including the communications of known terrorists and foreign intelligence officers—it is important for the FBI to learn of it.
We wrote in our report that “[i]t may be that disclosing more information about U.S.-person queries of 702 data would show that the scale of the potential privacy problem is less grave than feared.” And indeed, that is what today’s report shows: that the so-called “backdoor search loophole” is, at least under the rules that govern 702 today, in fact vanishingly small.
Congress may still wish to consider other responsible ways to enhance transparency and accountability around the use of 702-derived information in the criminal justice system when it reauthorizes 702 this year. But today’s report confirms that it would be unnecessary, as well as unwise, to ban these queries outright.