The FISA Court’s 702 Opinions, Part I: A History of Non-Compliance Repeats Itself – Just Security

Last week, the Office of the Director of National Intelligence released three redacted opinions of the Foreign Intelligence Surveillance Court (also known as the FISA Court) and the FISA Court of Review (FISCR). In the first opinion, the FISA Court held that the FBIs procedures for accessing Americans communications that are incidentally collected under Section 702 of FISA violated both the statute and the Fourth Amendment. The government appealed, and in the second opinion, the FISCR upheld the FISA Courts decision. The FBI was forced to revise its procedures to conform with the Courts ruling, and in the third opinion, the Court approved the revised procedures.

The government will no doubt try to sell this as an oversight success story. After all, the Department of Justices audits had detected instances of FBI non-compliance with legal requirements, and the Department reported those instances to the FISA Court. The Court solicited the assistance of amici and adopted their position in significant part. It ordered remedies that the FBI is now required to implement. And all of this became public because Congress in 2015 required the disclosure of significant FISA Court opinions. The system worked, right?

I see a very different story. This is now the fourth major FISA Court opinion on Section 702 in 10 years documenting substantial non-compliance with the rules meant to protect Americans privacy. The opinion, moreover, reveals that the FBI is conducting literally millions of backdoor searchesincluding so-called batch queries that rest on the same discredited legal theory used to justify the NSAs bulk collection of Americans phone records. Despite the enormous implications for Americans privacy and the governments dismal record, the remedy suggested by amici and imposed by the Court was just more record-keeping. And the government sat on the opinion for a year, hoping for an appellate victory that would help mitigate the PR damage from disclosure.

Background: Section 702s Troubled History

To put the Courts recent opinions in context, some background is necessary. Under Section 702 of the Foreign Intelligence Surveillance Act (FISA), passed in 2008, the National Security Agency (NSA), operating inside the United States, is authorized to collect communications of foreigners overseas for foreign intelligence purposes. No warrant is required for this collection because courts have held that foreigners have no Fourth Amendment rights. Instead, each year, the FISA Court must sign off on the procedures that govern the surveillance.

Although ostensibly targeted at foreigners, Section 702 surveillance inevitably sweeps in massive amounts of Americans communications. Recognizing the impact on Americans privacy, Congress required the NSA to minimize the sharing, retention, and use of this incidentally collected U.S. person data. But the government and the FISA Court have embraced an interpretation of minimize that is remarkably maximal. The NSA shares raw data with multiple other agenciesincluding the FBI and the CIAand all of them retain the data for a functional minimum of five years. Moreover, the FBI routinely combs through it looking for Americans communications to use in purely domestic cases, even in situations where the FBI lacks a factual predicate to open a full investigation.

In 2011, the government disclosed to the FISA Court that it had misrepresented the nature of its upstream collection activities under Section 702. (Upstream collection takes place as the communications are transiting over the Internet backbone; downstream collection acquires stored communications, usually from the servers of Internet Service Providers.) When conducting upstream surveillance, the government was acquiring, not just communications to or from the targets of surveillance, but communications that simply mentioned certain information about them (known as abouts collection). As a result, the government was acquiring packets of data containing multiple communications, some of which had nothing to do with the target. This included tens of thousands of wholly domestic communications.

The Court was not pleased to learn about this significant issue three years into the programs operation. It held that the governments handling of the data violated the Fourth Amendment, and it required the government to develop special rulesapproved by the Court in 2012for segregating, storing, retaining, and accessing communications obtained through upstream collection.

In 2015, the Court was under the impression that these rules were being followed. However, in approving Section 702 surveillance that year, it noted several incidents of non-compliance with other rules designed to protect Americans privacyincluding FBI violations of protections for attorney-client communications, a failure of access controls by the FBI, and the NSAs failure to purge certain improperly collected data. Once again, the Court expressed displeasure at being notified of infractions long after they occurred.

In 2016, the FISA Court learned that the NSA had been violating the rules established in 2012. Because those rules were designed to remedy a Fourth Amendment violation occurring since the start of the program, the NSAs non-compliance meant that its upstream collection activities had been operating unconstitutionally for eight years. Moreover, the government did not report this issue for several months after discovering it. Unable to bring itself into compliance, the NSA made the only decision it could: In the spring of 2017, it abandoned abouts collection, which was at the root of the problem.

When Section 702 came up for reauthorization in late 2017, civil liberties advocates pointed to this troubled history. They also pointed to a growing body of case law holding that searches of government databases can, in certain circumstances, constitute a separate Fourth Amendment event. They argued that government agencies should be required to obtain a warrant before searching Section 702-obtained data for the communications of Americans (a practice formally called U.S. person queries and informally dubbed backdoor searches). They also urged Congress to ban abouts collection, lest the government attempt to resume it.

Congress rejected these proposals. Although Congress did require the FBI to obtain the FISA Courts permission to conduct U.S. person queries in a tiny sliver of cases, it blessed the vast majority of these searches, which previously had no foundation in the text of Section 702. It simply required the FBI to develop querying procedures that the FISA Court would have to approve. It also required the FBI to keep records of each U.S. person query it conducted. With respect to abouts collection, Congress required the government to obtain FISA Court approval and to give Congress advance notice before resuming the practice.

The Courts October 2018 Ruling

In March 2018, the government submitted its annual certifications and procedures to the FISA Court for its approval. In a decision dated October 18, 2018, and released last week, the FISA Court held that the FBIs minimization procedures violated both the statute and the Fourth Amendment. The Courts opinion addresses three main practices by the FBI: downstream collection of certain communications; the FBIs failure to record USP queries; and the FBIs improper use of USP queries.

Downstream collection and abouts communications. Although this section of the opinion is highly redacted, it appears that the government is engaged in a new form of downstream collection that raised a flag for the FISA Court. The Court solicited amicis advice about whether the statutory preconditions for resuming abouts collection apply to downstream collection, and whether certain activities in the governments 2018 certifications involve the acquisition of abouts communications. Amici argued that the answer to both questions was yes; the governments answer was no in both cases. The Court split the baby, holding that the statutory requirements apply to any kind of abouts collection, but that no such collection would occur under the governments certifications.

The heavy redactions make it difficult to assess the significance of this part of the opinion. However, on its face, the definition of abouts collectionbasically, anything other than a communication to or from the targetshould not be difficult to apply. It is worrisome that the government and amici reached different conclusions about whether a certain form of collection merited the label abouts. The uncertainty strongly supports a suspicion civil liberties advocates have held for some time: that the selectors the government uses to identify the communications to be collected are not necessarily unique identifiers (such as email addresses), but can sweep in people other than the intended targets (as would, for instance, IP addresses).

The statutory requirement to count U.S. person queries. In its January 2018 reauthorization of Section 702, Congress ordered the government to adopt querying procedures that included a technical procedure whereby a record is kept of each United States person query term used for a query. Instead, in the querying procedures that the FBI submitted to the FISA Court, the Bureau announced that it intends to satisfy the record-keeping requirement by keeping a record of all queriesin other words, the FBI would lump together U.S. person queries and non-U.S. person queries, without distinguishing between them.

The government defended this approach with a weak argument that the statutory text was somehow ambiguous, and that both the legislative history and policy considerations weighed against requiring the FBI to document U.S. person queries. In a refrain often heard when an intelligence or law enforcement agency is asked to devote time or resources to safeguarding civil liberties, the government claimed that requiring the FBI to figure out whether a particular investigative subject was a U.S. person would divert resources from investigative work . . . to the detriment of public safety.

The FISA Court has historically yielded to such pleas, and on this occasion, the Court seemed sympathetic. Ultimately, however, the Court concluded that it had no choice. It stated: Regardless of how persuasive the FBIs considerations may be, the Court is not free to substitute its understanding of sound policyor, for that matter, the understanding of the Director of the FBIfor the clear command of the statute. The law, the Court held, was unambiguous in its directive to count U.S. person queries.

On appeal, the FISCR upheld the Courts ruling on this question. The FISCR, however, seemed somewhat less sympathetic to the governments position. Under the FBIs querying procedures, U.S. person query term is defined as a term that is reasonably likely to identify one or more specific United States persons. This definition does not require a high level of certainty. Moreover, the procedures provide for the application of default assumptions in cases where specific information is lacking. Under these circumstances, it is hard to argue with the FISCRs assessment that counting U.S. person queries is not a burdensome substantive requirement, and that it would simply mean adding one (largely ministerial) item to the checklist that FBI personnel most likely already work through when conducting queries for investigative purposes.

Somewhat oddly, the FISCR did not resolve the other major issue on appeal: whether the FBIs repeated violations of its own querying and minimization procedures rendered those rules unlawful and unconstitutional as implemented. Those violations, and the FISA Courts failure to require an adequate remedy for them, will be the subject of Part II of this post.