It Will Take More than Reforming Section 702 to Rein in Warrantless Government Surveillance

As the debate over reauthorizing Section 702 of the Foreign Intelligence Surveillance Act (FISA) revs up, Congress has already recognized that the Administration’s calls for a clean authorization are wildly out of touch and a “nonstarter” given the long history of non-compliance with Section 702’s minimally protective privacy safeguards. However, this year’s debate over the reauthorization of Section 702 is an important opportunity for Congress to reform national security surveillance beyond the Section 702 framework, and even beyond the Foreign Intelligence Surveillance Act (FISA).

Section 702 Must Sunset Absent Significant Reform

Section 702 authorizes the government to conduct surveillance targeting non-U.S. persons outside the United States who use U.S. service providers like Google, Apple, Meta, and Yahoo, in order to acquire foreign intelligence. While Section 702 is ostensibly foreign-focused, the government collects significant amounts of Americans’ information, which has serious implications for Americans’ privacy, especially given the FBI’s dual foreign intelligence and domestic law enforcement role.

The government’s efforts to police itself have only underscored the extent to which the system is broken. The National Security Agency (NSA) has a long history of noncompliance with both Section 702’s rules as well as the Constitution, culminating in 2017 when the Foreign Intelligence Surveillance Court (FISC) excoriated the NSA for an “institutional lack of candor” after the agency failed to disclose rampant noncompliance.

The Federal Bureau of Investigation (FBI), meanwhile, has proven to be such a repeat offender that that House Intelligence Chair Mike Turner has called the Bureau “the problem child” of Section 702. The most recent declassified FISA Court opinion emphasized that the FBI has engaged in a “pattern of conducting broad, suspicionless queries” of Section 702 information and that its violations have proven to be “persistent and widespread.” Prior FISA Court opinions and government audits have found “fundamental misunderstandings” of the relevant legal standards and procedures. FBI analysts have searched Section 702-derived data for information relating to racial justice protestors, community leaders, donors to political campaigns, sitting members of Congress, and local political parties, all in violation of their own agency procedures. Given these agencies’ failure to comply with Section 702’s minimally protective safeguards, it should be no surprise that Congress is seeking wholesale reform in any potential reauthorization.

Section 702 Reform Is a Necessary, but Not Sufficient, Requirement for Reauthorization

For all of Section 702’s privacy issues, the reality is that surveillance programs conducted pursuant to Section 702 are only one part of a much broader, unchecked expansion of the national security surveillance ecosystem. Government agencies—including elements of the Intelligence Community (IC)—have engaged in bulk collection under other authorities and have purchased Americans’ sensitive data to circumvent constitutional protections (to say nothing of the increasingly pervasive deployment—often without a warrant—of novel and intrusive surveillance tools like cell site simulators, spyware, and facial recognition).

In addition to Section 702, the intelligence community relies heavily on Executive Order 12333 (EO 12333) to conduct foreign intelligence surveillance. EO 12333, unlike Section 702, does not authorize a particular type of collection; rather, it establishes a broad framework for government intelligence activities. Whereas Section 702 governs U.S.-based collection of electronic communications, EO 12333 governs such collection outside the United States. Further, unlike Section 702, EO 12333 activities operate almost totally outside the realm of congressional or judicial oversight. The Privacy and Civil Liberties Oversight Board (PCLOB) has reviewed several intelligence activities pursuant to EO 12333 and has found that while agencies collect significant amounts of Americans’ information, there are few if any rules for how this information is collected, segregated, deleted, disseminated, or even used against Americans.

Given the overlap between these surveillance activities, it makes sense to reform EO 12333 surveillance along with Section 702. Nearly a decade ago, the President’s Review Group on Intelligence and Communications Technologies recommended that the government undertake parallel reforms of both Section 702 and EO 12333 surveillance. The report recommended—in both the Section 702 and EO 12333 contexts—purging requirements, a prohibition on the use of evidence derived from this surveillance in criminal proceedings, and a prohibition on searching information in these surveillance databases without a warrant unless necessary to prevent death or bodily harm. While the government incorporated some of these recommendations in the context of Section 702, it rejected the parallel EO 12333 recommendations, leaving Americans targeted through claimed executive authority even worse off than those subject to Section 702 surveillance. And without accompanying EO 12333 reform, the reform or sunset of Section 702 may have the perverse effect of allowing the government to move its surveillance operations under its claimed executive authority.

EO 12333 is not the only means by which agencies are vacuuming up Americans’ information. The Drug Enforcement Agency (DEA), for example, used administrative subpoenas to telecommunications providers to conduct bulk collection of telephone call records, which the DOJ Office of the Inspector General said “raised significant legal questions.” More recently, Immigrations and Customs Enforcement (ICE) has reportedly used customs summons to engage in bulk collection, sweeping in data from news organizations, abortion clinics, telecommunications providers, Big Tech firms, money transfer services, airlines, and utility companies. A Wired review of an ICE disciplinary database revealed that ICE agents and contractors have abused their access to these sensitive databases, querying information for a range of impermissible purposes, including to look up information on exes and colleagues, to facilitate fraud, and in some cases to pass along information to criminals in exchange for payment.

In addition to using their own obscure and legally questionable authorities to engage in bulk collection, the intelligence community (and law enforcement) has sought to buy itself out of compliance with Americans’ Fourth Amendment rights. Agencies have increasingly turned to the private sector, purchasing Americans’ data and circumventing traditional legal processes, and without providing any transparency about the government agency procedures (or lack thereof) for protecting Americans’ privacy. This end-run around the Fourth Amendments’ protections has only grown more pervasive—and more severe—as private companies have stockpiled personal data, including sensitive data on Americans. Just to name a few recent examples:

• The Department of Defense (DOD), Defense Intelligence Agency (DIA), and FBI have both admitted to purchasing location information;
• The DOD and FBI both bought netflow data, allowing the agencies to track internet traffic. The Internal Revenue Service (IRS) has also reportedly sought to buy the same type of information.
• The Department of Homeland Security (DHS) regularly buys commercial data, including location data; and
• The DEA reportedly bought customer data from informants within airline, bus, and parcel companies in lieu of seeking a warrant.

On Friday, in response to EPIC’s Freedom of Information Act (FOIA) request, ODNI declassified a report on the IC’s purchase of commercially available information (CAI). The report revealed several alarming findings about the IC’s purchase of data in bulk, including information about Americans. The report found that the IC is collecting increasing amounts of CAI—including sensitive information like location data—but does not know how much CAI intelligence agencies are collecting, what types, or even what it is doing with that data. The report also found that, despite the Supreme Court’s 2018 decision in Carpenter v. United States, which requires a warrant for persistent location information and potentially other data, the IC has no formal, community-wide position on the issue, and IC elements continue to narrowly construe the decision to allow it to purchase otherwise protected information from data brokers without a warrant.

Conclusion

The Intelligence Community regularly emphasizes that it needs Section 702 to address “a collection gap that resulted from the evolution of technology” in the years after FISA’s passage. The American people deserve a robust conversation about the privacy gap that has resulted from the evolution of government surveillance technology over the past two decades. It is also vital that this conversation be informed by an understanding of the full scope of the government’s collection and use of Americans’ personal information.