Balancing National Security with Digital Privacy: Concerns Posed by Section 702 Surveillance
In January 2018, Section 702 of the Foreign Intelligence Surveillance Act of 1978 (“FISA”) was reauthorized. Since 2008, Section 702, codified as 50 U.S.C. § 1881a, has allowed the Attorney General and the Director of National Intelligence to jointly authorize a warrantless electronic surveillance program without a court order, for the purposes of acquiring foreign intelligence information from non-U.S. persons reasonably believed to be outside of the U.S.
The highly controversial Section 702 has drawn continued criticisms about the potential for its misuse. While Congress included some safeguards to prevent mishandling and misuse of the warrantless surveillance programs authorized by Section 702, there still exists cause for concern, as these programs (1) still authorize “incidental” collections, (2) establish a “backdoor” use of data collected by the programs that can be used against U.S. persons and those located in the U.S., and (3) fail to provide adequate judicial oversight.
Downstream and Upstream Surveillance
The U.S. government has relied on Section 702 to authorize two types of electronic surveillance programs that scan for “selectors.” Selectors are identifiers such as email addresses, phone numbers, or IP addresses (but not keywords or names) of non-U.S. person targets who are reasonably believed to be located outside of the U.S. The two types of surveillance programs – Downstream and Upstream Collection – obtain information containing selectors in different ways.
Downstream Collection, also known as the PRISM program, authorizes the U.S. government to direct Internet Service Providers to screen stored data for selectors, and to provide all communications to and from that selector.
By contrast, Upstream Collection automatically screens for selectors traveling through telecommunications backbones such as cables and switches, and saves all communications that are to, from, or about selectors.
These electronic surveillance programs, which can be implemented without a court order, are subject to procedural restrictions designed to prevent mishandling and misuse. First, under 50 U.S.C. § 1881a(b), any surveillance authorized by Section 702 is required to adopt “targeting procedures” that are reasonably designed to prevent the collection of data of both U.S. persons, and those known to be in the United States. U.S. persons includes U.S. citizens, lawful permanent residents, and U.S. corporations.
Second, under 50 U.S.C.A. § 1881a(h)(1), both data collection methods are subject to minimization procedures “that are reasonably designed in light of the purpose and technique of the particular surveillance, to minimize the acquisition and retention, and prohibit the dissemination, or nonpublic available information concerning nonconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.”
A major point of contention between critics and proponents of Section 702 has been about “incidental” collections. Incidental collections are collections of information about U.S. persons or of persons located in the U.S. that are collected while going after legitimate foreign targets. For example, if a U.S. person were to send a message to an email address of a target that was designated as a selector, the U.S. person’s message would also be obtained by the U.S. government. While it would be reasonable to argue that the U.S. government would be justified in obtaining communications sent by U.S. persons to a targeted foreign agent, there is also a separate concern regarding Upstream “about” collections.
“About” collections are “incidental” collections that involve collections of data that contain a selector in the message, but that isn’t to or from that selector. This means that communications between two non-targeted U.S. persons that contain a selector such as a phone number would be intercepted by the NSA, even though the communication wasn’t to or from the target.
When criticized for “about” collections, the NSA argued that it was not feasible to “limit ‘about’ collection without also eliminating a substantial portion of Upstream’s ‘to/from’ collection, which would more drastically hinder the government’s counterterrorism efforts.”
While continuing to maintain that technological obstacles prevent the NSA from being able to limit “about” collections, the NSA paused “about” collections in April 2017, although the 2018 reauthorization allows the NSA to resume such collections. Clearly, this poses a privacy problem; notably, Edward Snowden and the Washington Post publicized revelations that the U.S. government intercepted communications of U.S. persons containing everything from medical records to personal pictures.
Backdoor Queries and the Fourth Amendment
Data privacy is not the only issue at stake; alarmingly, information about U.S. persons collected without a warrant or probable cause through incidental collections is also accessible by federal law enforcement for domestic law enforcement purposes.
Because Section 702 authorized surveillance programs to engage in warrantless collection of data without probable cause, there exists an inherent tension between the programs and the Fourth Amendment. The House Permanent Select Committee on Intelligence has argued that the program is constitutional because of Section 702’s focus on the acquisition of foreign intelligence information from foreign non-U.S. based targets.
However, this does not mean that incidental collections cannot be used against U.S. persons. Information that is collected incidentally is stored by the NSA, and undergoes minimization procedures that limit what types of searches can be conducted by the agencies. After these procedures have been met, analysts can perform “queries” of the stored data, to find information about U.S. persons or those located on U.S. soil, which could be used as evidence of certain crimes during criminal prosecutions. Moreover, information found in incidental collections could be used to initiate investigations, under the justification that queries of collected data is not an additional search, and that the original search was of a non-U.S. person who was outside of the U.S. In other words, Section 702 creates a backdoor that allows the government bypass warrant requirements by searching through data that was obtained for the purposes of foreign intelligence collection.
Proponents of continuing to allow backdoor queries have defended this type of usage by pointing out procedural safeguards, such as how the FBI only receives PRISM information from the NSA when selectors are found from the FBI’s “full investigations,” where there is an articulable factual basis that a federal crime or threat to national security has occurred or is ongoing. The House Intelligence Committee has also implied that backdoor queries are analogous to when a police officer lawfully enters a suspect’s home, and finds evidence of a separate individual’s crime – a scenario that is permitted under the Fourth Amendment.
But these arguments justifying backdoor queries fail to address the most fundamental flaw. Even if non-U.S. persons located outside of the U.S. are not protected by the Fourth Amendment’s protection against unreasonable searches, incidental collections obtained while targeting those persons cannot be used in criminal proceedings against U.S. persons without running afoul of the Fourth Amendment. In the House Intelligence Committee’s analogy, the police officer’s authority to search a suspect’s home is subject to Fourth Amendment restrictions, whereas under Section 702, the surveillance target does not have Fourth Amendment protections and can be searched without a judicial warrant. If a police officer discovers evidence of individual B’s crime while searching individual A’s home, individual B still had a level of protection provided by individual A’s Fourth Amendment rights. In the Section 702 context, a U.S. person who has had their information collected incidentally as a result of a warrantless search targeting a non-U.S. person does not have that level of protection. Critically, this creates an incentive to bypass Fourth Amendment protections by targeting a non-U.S. person outside of the U.S. for the purposes of obtaining information about a U.S. person.
Even if existing procedural safeguards were sufficient to resolve the privacy and Fourth Amendment issues posed above, there must be adequate oversight mechanisms to ensure compliance with the safeguards. While the FISA Court (“FISC”) under Section 1881a(j) has the authority to review certifications by the Attorney General that procedural requirements are being complied with, FISA does not grant FISC the jurisdiction to review “individual surveillance orders.” This poses a serious threat to the effectiveness of the existing oversight framework.
Over Section 702’s lifetime, the FISC has addressed various problems with agencies’ failures to comply with procedural safeguards. For example, in 2016, the FISC found that the restriction on the usage of “personal identifiers of Americans, such as our phone numbers,” and other safeguards, were violated. The FISC in response suspended renewal of the offending program until 2017.
At first glance, FISC’s reaction to the “serious Fourth Amendment issue” posed by use of prohibited identifiers in 2016 appears to demonstrate that the system is working as intended. However, a closer look at the statute exposes that FISC is limited in its ability to address violations. It can suspend Section 702 programs until agencies edit their procedural safeguards including minimization and targeting procedures, but it cannot address deficiencies until issues are brought forward to it for review. Moreover, FISC cannot review or provide remedies for individual cases where abuse of Section 702 occurs, nor do victims of improper conduct have rights to know about infringements.
National security is an important function of the federal government, and it is difficult to dispute that Section 702 contributes significantly to that purpose. But the costs and infringements to the privacy and constitutional rights of U.S. persons raise significant policy and constitutional concerns. The Section 702 issues raised here suggest that Congress must revisit these issues prior to the next reauthorization deadline in 2024, and reconsider whether it is appropriate to authorize “about” collections and backdoor queries, particularly in the absence of more robust judicial oversight.
Ben Choi is a Quorum Editor and a J.D. candidate, Class of 2018, at N.Y.U. School of Law.