Last week, members of the the House Judiciary Committee (HJC) introduced the “Uniting and Strengthening American Liberty Act of 2017,” known as the “USA Liberty Act.” A discussion draft of the bill had been circulating since a few days prior to introduction. The bill reauthorizes, with changes, Section 702 of the Foreign Intelligence Surveillance Act (FISA), which it is set to expire on December 31, 2017.
The last time Congress had to reauthorize authority for Section 702 was in 2012, which was a fairly uncontroversial process of “clean” reauthorization supported by the Obama administration. Today, the political landscape is quite different. In the intervening five years, the Snowden leaks and other developments have substantially shifted debates regarding national security measures and privacy. Representatives are split on whether Section 702 needs reform and increased oversight. The lines drawn do not strictly follow party affiliations; the majority of Republican lawmakers supported the clean bill in 2012 but some have since expressed qualms over the program’s reach.
Few people question the integral role Section 702 plays in foreign intelligence collection and our national security. In his February confirmation hearing, Dan Coats, then the nominee to be the director of national intelligence (DNI), called Section 702 the “crown jewel” of the intelligence community. Still, the debate on surveillance reform has yet to be resolved. While the HJC bill—sponsored by Reps. Goodlatte, Conyers, Sensenbrenner, and Jackson Lee—proposes temporary reauthorization of 702 with some reforms, over in the Senate intelligence committee, Senator Tom Cotton has introduced a bill pushing for 702 to be reauthorized in its existing form, but without a sunset.
FISA and Section 702
Section 702 authorizes intelligence agencies to collect the content, or substance of communications, and non-content, or metadata, for broad purposes of defense and foreign affairs both directly through their own technology and also by compelling U.S. companies to produce data. One form of collection, known as “upstream,” involves capturing packets of information directly as they cross the internet backbone through service providers like AT&T and Verizon when there is a belief such packets will include communications “to” and “from”—and under old rules “about”—an intended target. “Downstream” collection is commonly referred to as “PRISM” and involves the government requesting data from retail providers like Hotmail or Gmail.
The program’s procedural protections include certification (court-approved justifications for surveillance), targeting (methods to ensure surveillance is individual-specific based on selectors), and minimization guidelines (ex ante requirements to withhold, mask, or purge information). The Foreign Intelligence Surveillance Court (FISC) must grant annual approval of the proposed procedures.
The U.S. government has repeatedly stressed the importance of the program. Though the majority of information related to 702 is classified, Office of the Director of National Intellience (ODNI) has declassified some examples of 702 successes.
USA Liberty Act Provisions
The House bill to reauthorize 702 involves several important provisions, some including large departures from past versions. Below is a summary of the bill’s key components.
Title I - Foreign Intelligence Surveillance and Accountability
Section 101: Court Orders and Protection of Incidentally Collected United States Person Communications
Section 101 is the broadest and most potentially consequential reform and addresses what is commonly referred as “backdoor searches.” The provision requires the FBI to obtain a FISC order to view the results of a query on a 702 database if the result turns up information about a U.S. person, “for evidence of a crime.”
Independent audits show that the FBI has only used information about Americans obtained under 702 in criminal investigations one time in 2016, but concerns about the permissibility of these searches remain.
The new Section 101 requirement would only impact (1) queries that yield a positive result, (2) “content” information, and (3) activities by the FBI. Metadata is addressed in a different provision and may be accessed with attorney general approval. Courts have previously determined that metadata does not warrant constitutional protection because users do not have a reasonable expectation of privacy in this non-content information. However, in order to obtain the FISC order, the bill requires the government submit more than the existence of metadata information to establish probable cause that the intended surveillance target is a foreign power or the agent of a foreign power.
Section 101 explicitly states that even if 702 data uncovers evidence of a crime, officials must revert to domestic evidence tools to develop a basis for a criminal case. The Act also mandates simultaneous access to FBI databases in order to prevent reimposing the “wall” in information sharing that was deconstructed in post-9/11 reforms.
Section 101 lays out mandates for the National Security Agency (NSA), CIA, National Counterterrorism Center, and FBI to maintain records of queries to 702 databases that yield positive results. Agencies must maintain these records for at least five years in a readily accessible and auditable format. The bill does not require agencies to maintain records for queries requested by Congress, queries conducted for maintenance or information testing purposes, and queries conducted on identifiers for individuals that have given consent.
Section 102: Limitation on Collection and Improvements to Targeting Procedures and Minimization Procedures
Section 102(a) codifies the termination of the “about” collection program for the next six years, until the next reauthorization process. The “about” collection program was a surveillance practice strategy that targeted upstream communications not just “to” and “from” the intended target, but also communications “about” the target. The NSA voluntarily halted this program earlier this year, following persistent compliance failures.
Section 102(b) mandates that requests to unmask information in disseminated intelligence reports must be documented and certified. “Unmasking” has been featured in the news recently, largely driven by conservative lawmakers ostensibly concerned with unmasked information being used for political purposes, in contravention of procedures. NSA Director Adm. Mike Rogers has said that only about 20 members of the agency were permitted to approve “unmasking” requests. The provision also requires the DNI to affirm in a report to Congress within 90 days that his agency is comporting with the existing practice of masking the identities of known Americans.
Section 104: Appointment of Amicus Curiae for Annual Certifications
Section 104 requires the FISC to appoint an amicus curiae, or special advocate and expert, in the certification process for Section 702’s surveillance programs, unless the court issues a finding that such appointment would not be appropriate. Amici were established in 2015’s USA FREEDOM Act, but until now, the FISC appointed them at its discretion.
Section 105: Increased Accountability on Incidentally Collected Communications
Section 105 requires the DNI to report “the number, or good faith estimate” of known U.S. persons that the NSA positively identifies as such in the “ordinary course of its business.” The report must outline the process of arriving at the number or estimate. The agency is exempted from (a) reporting the “number, or good faith estimate” of known U.S. persons are are not identified in the “ordinary course of business” and (b) reporting anything if the DNI determines that calculating the “number, or good faith estimate” is not achievable as long as they provide a reason why.
Section 105 also requires that the DNI report (1) the number of individuals unmasked pursuant to the Act, (2) the number of unmasking requests that involved U.S. persons, (3) the number of requests by governments that resulted in the dissemination of unmasked U.S. person identifiers (including names, titles, or other identifiers associated to individuals), (4) the number of disseminations of communications to the FBI for cases not pertaining to national security or foreign intelligence, and (5) the number of times 702 information was shared from the national security branch of the FBI to the criminal investigations branch.
Section 106: Semiannual Reports on Certain Queries by Federal Bureau of Investigation
Section 106 requires the FBI director to report the number of FBI queries on the 702 database that resulted in a positive hit, or communications being accessed or disseminated.
Section 108: Sense of Congress on Purpose of Section 702 and Respecting Foreign Nationals
Section 108 of the bill includes a “sense of Congress” that Section 702 should respect the “norms of international comity” and avoid targeting foreign individuals based on “unfounded discrimination” or to obtain “commercial advantage.” This section codifies to some degree a portion of Presidential Policy Directive 28, issued under President Obama, which recognized the privacy interests of non-U.S. persons for the first time. This provisions is a nod to international community; the European Commission Court of Justice has agreed to hear a case from Ireland that could potentially prohibit the transfer of data from the E.U. to the U.S. on the grounds that the existence of 702 violates E.U. citizen’s privacy rights.
Title II - Safeguards and Oversight of Privacy and Civil Liberties
Section 201: Limitation on Retention of Certain Data
Section 201 reaffirms the intelligence community’s commitment to destroy communications that are known not to contain foreign intelligence information within 90 days of learning that they do not contain foreign intelligence information. However, the NSA director can individually waive the requirement to purge communications not containing foreign intelligence if the director determines the waiver is necessary to protect national security. This can allow the NSA to retain data from known U.S. persons that do not contain foreign intelligence at their discretion.
Section 202: Improvements to Privacy and Civil Liberties Oversight Board
Section 202 reforms the Privacy and Civil Liberties Oversight Board (PCLOB), which is an independent organization that has statutory authority and duty to audit the surveillance activities of the intelligence community. The bill allows the PCLOB to hire staff and continue working even if all five members have not been nominated and confirmed, addressing past roadblocks to efficiency.
Section 204: Whistleblower Protections for Contractors of the Intelligence Community
Section 204 grants employees of government contractors the same degree of whistleblower protection that government employees currently enjoy. Contractor is defined as “an employee of a contractor, subcontractor, grantee, subgrantee, or personal services contractor of a covered intelligence community element.”
Title III - Extension of Authorities, Increased Penalties, Reports, and Other Matters
Section 301: Extension of Title VII of FISA
The bill reauthorizes Title VII of FISA, which includes Section 702, pursuant to the USA Liberty Act’s provisions until September 30th, 2023. This renews the “upstream” and “downstream” surveillance programs for six years, a longer larger time period than the 2012 reauthorization, which renewed the program for five years.
Section 302: Penalties for Unauthorized Removal and Retention of Classified Documents or Material
Section 302 increases punitive measures for people who mishandle classified material in two ways. First, it increases the maximum punishment for mishandling classified information and leaks from “up to one year” to “up to five years.” The provisions also criminalizes the negligent removal of “documents or materials without authority and knowingly retaining such documents or materials at an unauthorized location” as a misdemeanor offense.
In addition to Senator Cotton’s reauthorization bill and the USA Liberty Act, more proposals reauthorizing 702 are expected in the coming weeks.
Senator Rand Paul and Senator Ron Wyden have indicated they will introduce a bill that would require a warrant to run any query on a 702 database when the results include information belonging to a known American along with other reforms.
Senator Dianne Feinstein and Senator John Cornyn are also expected to introduce a bill later this week proposing more modest reforms than the Goodlatte proposal such as maintaining a sunset provision, codifying the termination of the “about” collection program, and mandating the appointment of an amicus to the FISC.