The Gun Lap: FISA Renewal In The Homestretch – OpEd

By George W. Croner*

(FPRI) — As the calendar has turned to December, a fifth bill addressing the reauthorization of Section 702[1] of the Foreign Intelligence Surveillance Act has been introduced in Congress. This past week, Devin Nunes, chairman of the House Permanent Select Committee on Intelligence, introduced the “FISA Amendments Reauthorization Act of 2017” (the “HPSCI bill”) and, if the title sounds familiar, it mimics most of the significant features of the “FISA Amendments Reauthorization Act of 2017” (the “SSCI bill”) introduced by Senate Intelligence Committee chairman Richard Burr in late October.

The two bills have more than their titles in common, and their similarity in content suggests that, on an otherwise crowded legislative calendar as the year draws to a close, a consensus may be building on the terms for a renewal of the collection authority found in Section 702, which otherwise will lapse on December 31. To be sure, other FISA-related bills[2] remain extant in Congress, but with the introduction of the Nunes legislation last week, both chambers’ Intelligence committees have now reported out bills reauthorizing Section 702 on substantially similar terms.

By way of example, both the Burr and Nunes bills use fundamentally the same approach in addressing “about” collection.[3] Both bills require that, prior to any resumption of “about” collection, the Director of National Intelligence (DNI) and the Attorney General must notify Congress of their intent to resume such collection and, absent emergency circumstances, that notice triggers a 30-day period in which, according to the HPSCI bill, the Judiciary Committees and the Intelligence Committees in each chamber “shall, as appropriate, hold hearings and briefings and otherwise obtain information in order to fully review [the written notice provided by the DNI and the Attorney General].” In essence, the objective of the two bills seems to be to insure that “about” collection, a practice that continues to draw substantial fire from critics despite its abatement by the National Security Agency (NSA) earlier this year, will not resume without Congress at least having the opportunity to act on the practice. Given this similar approach, it appears unlikely that any renewal of Section 702 will emerge from Congress without some form of restriction on “about” collection.

Significantly, both the HPSCI and the SSCI bills include provisions that regulate “querying,” which is the practice by which intelligence analysts search the database of “raw” communications acquired pursuant to Section 702 certifications approved by the Foreign Intelligence Surveillance Court (FISC). Both bills would amend Section 702 to require that the DNI and the Attorney General adopt “querying procedures,” and would make those “querying procedures” subject to judicial review by the FISC. Both bills also would require that these new “querying procedures” include a “technical procedure whereby a record is kept of all queries using a known United States person identifier.”[4] Here again, the substantive similarities in the bills regarding this feature indicate that any final reauthorization of Section 702 is likely to require the adoption of “querying procedures” and a technical means for recording and preserving the use of U.S. person identifiers to query the Section 702 database.

Despite the broad similarities, there are some variations in the two bills’ approaches to querying, and these differences are notable, especially as they relate to the FBI because each approach appears directed to the “backdoor search” issue; i.e., the charge by critics that searching the Section 702 database using U.S. person identifiers seeking evidence of a crime violates the Fourth Amendment. Although neither bill acknowledges this issue as one of constitutional dimension,[5] the SSCI bill, for example, includes a provision requiring that the FBI inform the FISC (within one business day) of any query that “returns information that concerns a known United States person.” The FISC shall examine such queries “for consistency with the Fourth Amendment,” and information responsive to any query that “is not consistent with the Fourth Amendment” shall not be used in any court proceeding. Moreover, even where the query is found to satisfy the Fourth Amendment, the SSCI bill would limit the use of responsive information only to judicial proceedings that the Attorney General has determined involve national security or certain specified serious felonies.

The HPSCI bill takes a somewhat different route. There is no requirement that any form of individual query be cleared by the FISC; however, in those instances where a query of the Section 702 database is not designed to extract foreign intelligence information (i.e., is undertaken for law enforcement inquiries), the HPSCI bill furnishes the FBI with the option of applying for an order from the FISC with such application evaluated pursuant to traditional law enforcement probable cause standards. If the FISC concludes that there is sufficient probable cause to support the issuance of an order, the FBI may then use the responsive information elicited by the query in any law enforcement proceeding. In the absence of probable cause, the use of any responsive information is, as provided in the SSCI bill, limited solely to court proceedings that the Attorney General determines involve national security or certain specified serious felonies.

Both proposed statutes would increase the penalty for the unauthorized removal and retention of classified material. The SSCI proposal raises the maximum penalty to ten years imprisonment, while the HPSCI bill provides a maximum punishment of five years. Both bills also propose several legislative adjustments that are designed to facilitate the operations of the Privacy and Civil Liberties Oversight Board.

As the most recent piece of FISA legislation, the HPSCI bill shares several features found in some of the other FISA measures previously introduced while also introducing a few new wrinkles of its own. Like the USA Liberty Act (H.R. 3989) initiated in the House Judiciary Committee,[6] the HPSCI bill would require the DNI, in consultation with the Attorney General, to conduct a declassification review of any minimization procedures used in connection with the handling of Section 702 data so that such procedures could be made publicly available to the greatest extent practicable consistent with security needs. Conceptually, the objective is to make more broadly available to the public the procedures used by the Intelligence Community in its handling and use of the communications acquired through Section 702-authorized collection, including those incidentally collected communications of U.S. persons.

The HPSCI legislation also mirrors the USA Liberty Act’s direction that the Comptroller General conduct a study of the classification system of the United States and the problem of unauthorized disclosures. As I previously wrote regarding the USA Liberty Act, at the risk of appearing cynical, if some form of this mandate becomes law and the Comptroller General actually produces meaningful reform of the classification system used by the U.S. government, it will represent an accomplishment that has evaded nearly every Congress and presidential administration of the past 50 years.

Both the HPSCI bill and the USA Liberty Act address the issue of protecting U.S. person identities in intelligence reporting. As noted in my earlier review in October, the USA Liberty Act would mandate specific procedures regulating the “unmasking” of U.S. person identities as part of a broadening of existing statutory minimization requirements. The HPSCI bill, on the other hand, proposes to amend the National Security Act by adding a new section establishing procedures to regulate “covered requests”[7] seeking the disclosure of U.S. person information. Moreover, both of these legislative proposals emanating from the House of Representatives add virtually identical requirements addressing the use of U.S. person identifiers that would become part of the reporting included in the annual submission to Congress required by Section 107 of FISA (50 U.S.C. § 1807).

Alone among the proposed statutes, however, the HPSCI bill also amends the long-standing FISA definitions for “foreign power” and “agent of a foreign power” to address the issue of “malicious cyber activity” such that FISA surveillance would now be authorized against foreign governments or organizations (or those acting on their behalf) engaged in “international malicious cyber activity.”[8] In this regard, the HPSCI bill is the only piece of pending FISA legislation that addresses the cyber activity that has become such a focal point of the investigations surrounding the 2016 presidential election.

Finally, there is the question of the length of reauthorization provided for Section 702 in any renewal. It seems clear that the Intelligence Community will not receive the permanent authorization sought by the DNI and the Attorney General since every FISA bill introduced has some temporal limit on a reauthorization: the SSCI bill proposes an eight-year extension; the USA Liberty Act proposed nearly six years (until September 30, 2023); while the HPSCI bill introduced last week would limit the renewal to four years.

As noted at the outset, the new HPSCI bill shares many of the same features found in the SSCI bill introduced in the Senate in late October. Concurrently, however, several topics addressed by the HPSCI bill are unmentioned in the SSCI legislation, but appear in the USA Liberty Act first introduced in the House Judiciary Committee in early October, suggesting an effort by the HPSCI to promote some level of consensus with its colleagues on the House Judiciary Committee.

Four weeks remain for Congress to fulfill its responsibilities regarding the reauthorization of Section 702 of the Foreign Intelligence Surveillance Act before its December 31 expiration date. These time constraints dictate that there is realistically no chance that there will be extended debate of this legislation, either in an open forum or even in closed session, and that is unfortunate because this is the first genuine opportunity for extended discussion in the context of renewing Section 702 since the 2013 disclosures made by Edward Snowden. Nonetheless, there is enough shared ground in the bills advanced out of the two Intelligence Committees to suggest that a consensus can be reached to forestall the calamitous possibility that the Intelligence Community will need to terminate collection on over 100,000 targets and lose the information that underlies at least 25% of the nation’s counterterrorism intelligence reporting. The clock ticks on, but the outlines of a renewal compromise seem to be taking shape.

About the author:
*George W. Croner previously served as principal litigation counsel in the Office of General Counsel at the National Security Agency. He is also a retired director and shareholder of the law firm of Kohn, Swift & Graf, P.C., where he remains Of Counsel, and is a member of the Association of Former Intelligence Officers.

Source:
This article was published by FPRI.

Notes:
[1] Section 702 (50 U.S.C. § 1881a) is that section of the Foreign Intelligence Surveillance Act (FISA) providing the authority by which the National Security Agency targets and acquires the communications of foreigners located abroad without the need to show probable cause or obtain a particularized warrant. A full description of the Section 702 collection program is found in “The Clock is Ticking: Why Congress Needs to Renew America’s Most Important intelligence Collection Program,” FPRI E-Notes, September 29, 2017.

[2] Previous reviews of other FISA legislation have appeared in FPRI E-Notes: “What’s To Be Found in the USA Liberty Act,” FPRI E–Notes, October 20, 2017; and “Congress Skirmishes Over FISA Section 702: Will it Preserve the Intelligence Community’s ‘Crown Jewel’ or Neuter It?,” FPRI E-Notes, November 1, 2017.

[3] “About” collection refers to the practice of acquiring communications that are to, from, or about a particular target. This form of collection has been a particular focus of critics who contend it improperly expands the universe of U.S. person communications incidentally acquired as part of Section 702 collection activity. The NSA, the Intelligence Community component responsible for Section 702 collection, discontinued “about” collection earlier this year, but there currently is no legislative prohibition against its resumption.

[4] This is the language used in the SSCI bill. The HPSCI bill mandates “a technical procedure whereby a record is kept of each United States person query term used for a query.”

[5] To the contrary, the website of the HPSCI takes pains to note that, “When the Government looks into its own database of lawful collection using U.S. person information, it is not a Fourth Amendment ‘search.’ The Government is not collecting any new information. Rather, the Government is simply reviewing the database of foreign communications it already has in its possession.” https://intelligence.house.gov/uploadedfiles/uspq_faq_2017_clean.pdf (emphasis in original).

[6] A discussion of the USA Liberty Act appears in FPRI E-Notes, “What’s to be Found in the USA Liberty Act of 2017?” October 20, 2017.

[7] A “covered request” is a request by a “requesting element” (a component of the U.S. government receiving an Intelligence Community report) to an “originating element” (a component of the Intelligence Community disseminating an intelligence report) for nonpublic identifying information with respect to a known, unconsenting U.S. person that was omitted from (or “masked” in) the initial report issued by the originating element.

[8] “International malicious cyber activity” is defined as activity on or through an information system (as defined in the Cybersecurity Information Sharing Act) originating from, or directed by, persons located outside the United States, that seeks to compromise or impair the confidentiality, integrity, or availability of computers, information systems, or communications systems or networks.