This article first appeared in Just Security.
In the 1970s, congressional investigators revealed that the FBI, NSA, and CIA had spent decades illegally surveilling and harassing the civil rights and anti-war movements. These abuses shocked the American public and led Congress to implement a series of intelligence reforms, including the Foreign Intelligence Surveillance Act (FISA), which set strict limitations on when and how intelligence agencies could perform domestic spying.
In the decades since the 9/11 attacks, changing laws and aggressive executive branch lawyering have significantly relaxed the rules that govern surveillance of Americans. Not surprisingly, we are once again seeing abuses of these powers, including instances of intelligence agents seeking access to the communications of politicians, protesters, and journalists.
Today, a bipartisan group of lawmakers, led by Senator Ron Wyden (D-OR), Senator Mike Lee (R-UT), Representative Warren Davidson (R-OH), and Representative Zoe Lofgren (D-CA), introduced the Government Surveillance Reform Act of 2023 (GSRA) to reverse this erosion of privacy rights and prevent further abuses. If passed, the GSRA would be the most significant surveillance reform legislation since FISA itself. This analysis will highlight some of the key reforms in the bill and explain why it represents the right approach — and, quite possibly, the only viable path — to reauthorization of FISA Section 702.
Reforms to Section 702
The GSRA begins by tackling Section 702, a controversial surveillance law that expires at the end of this year. Section 702 allows the government to collect the communications of non-Americans located abroad without a warrant. But Americans’ private phone calls, emails, and text messages are inevitably captured, too — and intelligence officials frequently perform warrantless searches for them, despite a congressional command that intelligence agencies “minimize” the retention and use of Americans’ information. (We are using “Americans” as a shorthand for “U.S. persons,” defined in FISA to include U.S. citizens and legal permanent residents.) Intelligence officials conducted more than 200,000 of these “backdoor searches” for Americans’ communications last year alone.
By itself, that is an egregious violation of our privacy rights. The problem is compounded by what the FISA Court has described as the FBI’s “persistent and widespread” violations of the minimal rules that govern backdoor searches. These abuses include searches for the communications of 141 racial justice protesters, members of Congress, 19,000 donors to a congressional campaign, journalists and political commentators, and “Middle Eastern” menwho were reported to the FBI by witnesses who saw them loading cleaning supplies into a vehicle, among many others. In a report issued last month, the Privacy and Civil Liberties Oversight Board (PCLOB) observed that “[i]n the reporting period covering November 2020 to December 2021, non-compliant queries related to civil unrest numbered in the tens of thousands.”
Recent procedural changes at the FBI have reportedly improved matters, with the government now reporting a 98% compliance rate. But two percent of 200,000 is still 4,000 warrantless searches each year that violate the government’s own internal rules. Moreover, disturbing abuses continue to occur. Since the procedural changes were implemented, agents have conducted improper searches for the communications of a U.S. senator, a state senator, and a state court judge who reported a local police chief’s civil rights violations to the FBI.
The volume of backdoor searches and the regular abuses of them have caused bipartisan outrage in Congress, with lawmakers vowing not to reauthorize Section 702 without “significant reforms” to enhance privacy protections for Americans. Foremost among the reforms that lawmakers are considering — and that privacy advocates have called on Congress to enact — is a warrant requirement for backdoor searches.
The GSRA includes such a requirement: It would prohibit officials from performing searches for Americans’ communications unless they had obtained a warrant in a criminal investigation or a FISA Title I order in a foreign intelligence investigation. (Under Title I of FISA, the government may conduct surveillance of an American to collect foreign intelligence if it shows probable cause to the FISA Court that the American is an “agent of a foreign power.”) The bill’s warrant requirement includes narrow and appropriate exceptions for cases in which (1) the government obtains consent from the subject of the search (for instance, if the subject is a potential victim of a foreign plot); (2) exigent circumstances are present; or (3) the government is attempting to identify targets of cyberattacks by searching for malicious code embedded in Americans’ communications.
Requiring a probable cause order for backdoor searches would safeguard Americans’ privacy rights and help prevent abuses, while preserving the core national security value provided by Section 702. The government has provided many examples in which Section 702 surveillance of foreign actors played an important role in combating cyberattacks, espionage, and fentanyl trafficking. When it comes to the utility of warrantless searches for Americans’ communications, however, the record is notably thin. Although the government has cited a handful of cases in which backdoor searches provided useful information about potential American victims of malign foreign activities, it appears that the government likely would have been able to get a warrant, obtain consent, or apply the exigent circumstances exception in these cases — a point confirmed by the Chair of the PCLOB.
Reforms to Other Surveillance Authorities
Section 702 is not the only surveillance authority badly in need of reform. Indeed, if Section 702 were reformed in isolation, intelligence and law enforcement agencies would be able to obtain similar information by relying on other authorities that have even fewer protections than Section 702, or by exploiting gaps in the law that enable surveillance without any statutory authority at all.
One key way in which the government obtains access to Americans’ sensitive information without statutory authorization is through overseas surveillance. While FISA (including Section 702) generally governs foreign intelligence surveillance that takes place inside the United States, spying abroad is typically regulated only by Executive Order (E.O.) 12333. Such surveillance often captures sensitive information about Americans, given the prevalence of international communication and the fact that Americans’ digital data may be routed and stored all over the world. Yet there are no legislative limits on E.O. 12333 collection and no judicial oversight whatsoever. While the details of E.O. 12333 surveillance programs remain shrouded in secrecy, Senators Ron Wyden and Martin Heinrich revealed last year that the CIA operates multiple “bulk collection” programs under E.O. 12333 that pull in Americans’ data, including records of financial transactions and what appears to be communications information — data that CIA analysts retrieve through warrantless backdoor searches.
In addition, intelligence and law enforcement agencies have increasingly used specious legal reasoning and deep pockets to buy their way around Carpenter v. United States, a Supreme Court ruling that requires police officers to get a warrant to obtain cell phone location information from a cell phone company. Notwithstanding the Court’s holding, multiple federal agencies, including the FBI, the Department of Homeland Security, and the Department of Defense, are buying access to entire databases of this Fourth Amendment-protected information without any legal process, let alone a warrant. They are similarly evading a range of privacy laws by purchasing other highly sensitive types of information about Americans, such as email metadata (including the time, source, and destination of emails) and web browsing history. A declassified report commissioned by the Director of National Intelligence reveals that the nation’s intelligence agencies are acquiring such information in large amounts, with no mechanisms in place to track what purchases they have made or how they are using the data.
The GSRA addresses both of these troubling practices. It would require the government to get a warrant or FISA Title I order before searching E.O. 12333-acquired data for Americans’ communications and other Fourth Amendment-protected information, with the same narrow exceptions that would apply in the Section 702 context. It would also close the data broker loophole by prohibiting intelligence and law enforcement agencies from purchasing Americans’ personal data rather than following the compulsory legal processes established by law.
These reforms are bolstered by a provision that would require the government to obtain a warrant when seeking to collect Internet search and web browsing records. Courts have not definitively established the Fourth Amendment status of this information, but there is no question that it can reveal some of the most sensitive facts about a person’s private life. In 2020, an amendment along these lines offered by Senators Wyden and Steve Daines (R-MT) came one vote shy of the 60-vote threshold in the Senate, and likely would have passed if two key members had not been absent for the vote.
Finally, the bill would establish new rules for the government’s use of cell site simulators (which capture location information from all cell phones in a particular geographic area) and for governmental access to location information and other data maintained by car computers. The core principles animating these rules are that government collection of Americans’ most sensitive data should require a warrant, and that surveillance should be no broader than necessary to meet legitimate law enforcement and national security needs.
Facilitating Judicial Review
Legal privacy protections are of limited value without effective judicial oversight to ensure compliance. In FISA, Congress established three mechanisms for judicial review: regular oversight by the FISA Court, civil lawsuits to challenge unlawful surveillance, and challenges by criminal defendants when the government uses evidence “obtained or derived from” FISA surveillance. None of these mechanisms is working as Congress intended.
The FISA Court faces inherent limitations because it operates in secret, often only hears from government lawyers, and must accept the facts that those lawyers present (as there is no discovery to unearth additional or conflicting facts). In 2015, Congress attempted to mitigate these factors by establishing a pre-cleared panel of amici curiae and encouraging the Court to permit their participation in cases involving “novel or significant interpretations of the law.” But amici are still absent in too many important cases. Moreover, despite having top-level security clearances, amici have limited access to information, and they are not allowed to appeal adverse decisions. And amici are not well-positioned to identify and correct the inaccuracies that have plagued the government’s submissions to the FISA Court.
Civil lawsuits challenging unlawful surveillance face their own obstacles. Courts have applied a cramped view of the “standing” doctrine, requiring plaintiffs to prove definitively that the government has spied on them before the case can move past the pleadings stage — a nearly impossible task, given that FISA surveillance is always secret. Even if plaintiffs can get past the standing hurdle, courts will often refuse to hear the case if the government asserts that it will involve “state secrets.”
As for challenges in criminal cases, serious questions have been raised about whether the government is adhering to its legal obligation to notify criminal defendants if it intends to use any information “obtained or derived from” Section 702 in court. The government has not provided any such notice in the past five years – despite performing literally millions of backdoor searches during that same time period.
The GSRA includes promising solutions for these problems. It requires the FISA Court to consider the appointment of amici in a range of sensitive investigative matters, such as cases involving religious organizations or the media; it ensures that amici have access to the same information as does the government; it authorizes amici to petition the FISA Court to certify decisions for appellate review; and it requires the Attorney General to adopt, and government officials to certify compliance with, “accuracy procedures” designed to minimize errors and omissions in court filings. The bill also provides that individuals have standing to sue if they have reason to believe that their communications are being surveilled by the government, and it clarifies that FISA’s special procedures for handling sensitive national security information in litigation supersede the state secrets privilege. Finally, it strengthens the notice requirement in criminal cases.
Targets of Surveillance Not Limited
Although the GSRA is far-reaching in its approach, it does not include all of the reforms sought by the Brennan Center (where we both work) and a cross-partisan coalition of 30 other privacy, civil rights, and civil liberties organizations. Most notably, the bill does not narrow the scope of foreign intelligence surveillance. Under Section 702, virtually any non-American located abroad may be targeted by U.S. spy agencies. President Biden issued an executive order last year that placed some weak limitations on the “legitimate objectives” of signals intelligence collection, but even these limitations may be changed in secret.
Privacy advocates have consistently called for Congress to narrow the permissible pool of foreign targets to those who are likely to have information about a threat to the United States or its interests. Doing so would not just honor U.S. obligations under international law, such as those enshrined in the International Covenant on Civil and Political Rights; it would protect Americans’ privacy as well, because it would reduce the volume of Americans’ communications that are “incidentally” collected. It would also benefit American businesses by bringing greater legal stability to U.S.-EU data transfer agreements, reducing the risk that American companies could be subjected to billion-dollar fines for transferring EU citizens’ data to the U.S. without sufficient privacy protections in place. Unfortunately, the GSRA does nothing to limit the scope of foreign intelligence surveillance.
Congress’s Next Steps
Notwithstanding its silence on foreign targets, the GSRA would be the most significant advancement of Americans’ privacy rights since FISA was enacted in 1978. It also has something no other Section 702 reauthorization proposal currently has: a chance of becoming law. As discussed above, there is a strong bipartisan consensus in Congress that Section 702 should not be reauthorized without major reforms. A bill that merely codifies the FBI’s existing procedures (as some have advocated) has no hope of passage. Even a bill that substantially reforms Section 702, but leaves other authorities untouched, might run into difficulties, as some conservative members might well prefer sunset to a reformed Section 702. By including other reforms that could not be accomplished through sunset, the GSRA provides an incentive for these members to come to the table.
Moreover, several components of the GSRA already have wide support in Congress. In 2014 and 2015, House Democrats and Republicans joined forces to pass amendments that would have required the government to obtain a warrant before searching Section 702-acquired data for Americans’ information. In 2020, the Senate voted 77–19 in favor of an amendment introduced by Senators Mike Lee (R-UT) and Patrick Leahy (D-VT) that would have strengthened FISA’s amicus provisions. Earlier this year, the House Judiciary Committee voted unanimously in favor of a bill that would prohibit intelligence and law enforcement agencies from purchasing communications-related and geolocation information.
In short, the GSRA offers Section 702 reforms that would protect Americans’ privacy without compromising the law’s effectiveness. It presents a critical opportunity to close surveillance loopholes that give the government extraordinary discretion to examine the most intimate details of Americans’ lives. And it provides the best — and perhaps only — path to reauthorization of an authority that the government asserts is critical to our national security. In these ways, it sets the standard against which any other reauthorization proposals should be measured.