October 6, 2017 5:13PM

What’s Good and What’s Missing in the 702 Reform Bill

My colleague Pat Eddington has already taken a first pass at the newly unveiled legislation aimed at reforming Section 702, the controversial foreign intelligence surveillance authority that empowers warrantless surveillance of foreigners outside the United States.  While Pat focused primarily on the defects of the bill, I'd like to start by briefly surveying what I think it gets right, and then note a few other elements I was disappointed not to see included.  

Probably the two most salient features of the "USA Liberty Act" for civil libertarians are that it partially closes the so-called "backdoor search loophole" in 702, and that it codifies the recent end of Upstream "about" collection.  For those not steeped in electronic surveillance law, both of those will require a bit of explanation. 

The "backdoor search loophole" is explained well and in some detail here by the Brennan Center's Liza Goitein, but here's the essence of it:  Section 702 permits the warrantless targeting of foreign persons located outside the United States, subject to broad procedures for selecting targets and "minimizing" the information obtained.  With more than 100,000 persons targeted for surveillance annually, the scope of communications collection under this authority is, as one might expect, enormous, and includes messages the targeted individuals exchange with American citizens.  This provides a roundabout mechanism for obtaining the communications of Americans, which would normally require a particularized Fourth Amendment search warrant based upon establishing probable cause before a judge: That vast database of warrantlessly collected communications can now be queried using search terms associated with Americans, and their communications with foreign targets obtained. We know that the CIA and NSA query the 702 database for terms (such as e-mail addresses) linked to Americans thousands of times each year—and that the FBI does so even more frequently, though unlike their bretheren agencies, they have not provided any estimate of how often. This sets up a sort of constitutional shell game, where an authority sold as a counterterrorism and intelligence tool targeting foreigners with no Fourth Amendment rights can ultimately be used by ordinary criminal investigators to sift through the emails of citizens.  

The Liberty Act addresses that concern in part by requiring a warrant to access the contents of a U.S. person's communication that was found by querying a search term linked to an American—again, an e-mail address being the simplest case.  This would, then, limit the ability of criminal investigators at the FBI to turn to 702 as a way of evading the need to establish probable cause for surveillance of their domestic targets.  I say it addresses the issue only "in part" for two reasons.  

First, the warrant requirement applies only to queries conducted for the purpose of obtaining evidence of a crime; warrantless queries on U.S. person–linked terms remain unencumbered if the purpose is to obtain foreign intelligence information.  Since these purposes often blur together in practice, this still leaves the government a fair amount of leeway in deciding which "purpose" to consider primary, at least for crimes with some plausible nexus to foreign intelligence.  Moreover, queries are often performed in the course of criminal investigations for a wide variety of reasons beyond seeking specific “evidence of a crime,” and the current language leaves ambiguous whether such searches are covered–though I am assuming that the intent was to do so.

But even when obtaining intelligence is clearly and genuinely the goal, the Foreign Intelligence Surveillance Act still requires a probable cause warrant to directly target an American, so 702 still provides a way around that requirement.  Many of the intelligence abuses of the 20th century involved nominal intelligence purposes. When the FBI spied illegally on domestic political adversaries in the 1960s and 70s, it rarely advertised its abuses by trying to make its surveillance the basis of a criminal prosecution, but rather used it for harassment, public embarrassment, or strategic advantage. Thus, closing that part of the loophole seems at least as important as restricting the repurposing of intelligence for criminal prosecutions.

Second, the warrant restriction applies when investigators access the contents of communications—not the communications metadata detailing when, how, with whom, and sometimes from what location a U.S. person is sending and recieving messages. While this is concerning, as metadata can often be extremely revealing, this exception is a closer call.  The case for permitting this is that it spares investigators the burden of expending valuable time and resources preparing a warrant application for communications that may have no bearing on their inquiry—which, in turn, may avoid further unnecessary intrusions on the targets.  It’s also true that, at least under current Supreme Court jurisprudence, metadata is generally not seen as subject to the Fourth Amendment’s warrant requirement.  Like many civil libertarians, I regard this as a profound error of both legal and technical reasoning, but as a practical matter, it may not make sense to impose a statutory warrant requirement on information that can, in fact, be obtained far more easily using other authorities: The likely effect would be to prompt the issuance of subpoenas or National Security Letters for the same metadata—and any other help by the same provider. Here a heightened standard short of “probable cause” may be an acceptable compromise pending a more comprehensive reevaluation of the protection due metadata, whether by Congress or the courts.

So much for backdoor searches.  The issue of “about” searches concerns the recently halted practice of scanning Internet traffic—including message content as well as headers—for the “selectors” tasked for surveillance.  The result was that messages could be swept up that were neither to nor from the target, but only mentioned—were “about”—the target of surveillance.  An unsurprising side effect of such collection was that it carried a much higher risk of intercepting wholly domestic communications, which are meant to be beyond the scope of 702.  Under pressure from the FISA court, the NSA finally halted such collection earlier this year.  The bill would codify that cessation, making clear that 702 is meant to authorize interception only of communications to which the target is a party.  This provision, however, has its own independent “sunset” clause, meaning that the limitation could be allowed to expire while the 702 authority generally remains in place. It would be better to make it a permanent restriction on the authority.

There’s an assortment of other procedural and transparency reforms I’ll try to survey in a follow up post next week, but those are the marquee changes. So what’s missing? New America’s Open Technology Institute has already put out a strong list of absent reforms worth looking at, which I’m largely in sympathy with, so I’ll save an in-the-weeds consideration for yet another follow-up post and focus on a few broad points.  

First, there’s little here that would tend to assuage foreigners’ discomfort with 702 surveillance—which means there’s still a risk that European courts will end up invalidating the Privacy Shield framework for international data transfers, with severe consequences for the ability of American firms to compete in European markets.  Foreign citizens may lack Fourth Amendment rights, but that doesn’t mean foreign govenrments are sanguine about the prospect of their citizens’ communications being indiscriminately scanned or collected.  One healthy way to narrow the scope of collection would be to limit the scope of “foreign intelligence purposes” for which communications can be intercepted.  The legal definition of “foreign intelligence” encompasses not just obvious matters like information relevant to counterespionage or counterterrorism, but also information relevant to the government’s conduct of foreign affairs—a catchall that can be stretched to cover a huge swath of ordinary foreign political and business activity.  If the public case for 702 authority was that it was necessary to monitor spies and terrorists, the statute should confine it to those bounds, especially if that is already its core use in practice.

Second, it’s not clear whether this addresses an issue alluded to obliquely by Sen. Ron Wyden, who hinted that 702 may be sweeping in wholly domestic communications.  I’ve speculated that one way this could occur is if a person who has spent time in the U.S., such as on a student visa, is targeted after leaving the country, making the archived messages they sent and received while here fair game.  More broadly, there’s no effort here to focus 702 on the problem it was initially pitched to the public as solving: Enabling the collection of strictly foreign-to-foreign communications that merely happen to transit through the United States (because, for instance, the foreign correspondents are using a U.S. email provider).  While there are post-collection or “backend” rules governing the use and dissemination of communications to which a U.S. person is a party, it would be preferable to have stronger up-front filtering requirements, leveraging data about user location the companies already possess to exclude such messages up front.

Third and finally, there are some good transparency measures here I’ll try to detail in a subsequent post, but still no requirement to estimate, even approximately, the number of Americans whose communications have been incidentally swept into NSA’s database.  The intelligence community repeatedly assured civil liberties groups that it was working on providing such an estimate, but then earlier this year, new Director of National Intelligence Dan Coats abruptly changed gears and declared the task infeasible.  Having discussed this with intelligence officials at some length, I’m persuaded that there are indeed legitimate challenges with generating a meaningful figure—and even, perhaps ironically, legitimate privacy concerns around how to do so.  But the public cannot meaningfully evaluate the privacy/security tradeoff implicit in this authority without at least a rough sense of the scale of its impact on citizens’ communications.

On the whole, it’s hard not to be disappointed in this draft, even though it would undoubtedly constitute a significant improvement over the current state of the law.  The list of what it fails to address is too long, and the areas it does cover, it covers spottily.  At a time when Republicans are loudly complaining about the perils of the “deep state,” one would have hoped it would be politically possible to go further than this.