This was originally published by Just Security.
Something quite unusual happened last fall. After an internal Justice Department watchdog reported that the government had submitted flawed documents to get court approval for surveillance of former Trump campaign aide Carter Page, Republicans who had long supported broad surveillance powers began calling for greater civil liberties protections. A rare window opened for reform of the Foreign Intelligence Surveillance Act (FISA)—the law that governs surveillance of suspected terrorists, spies, and other foreign agents. That window coincides with an upcoming deadline to reauthorize three expiring FISA authorities, providing a perfect opportunity for Congress to make much-needed changes.
Something much more ordinary is happening now: Members of Congress are poised to let this opportunity pass them by. Senators Ron Wyden (D-Or.) and Steve Daines (R-Mont.) have introduced a strong, bipartisan reform bill, but the administration and intelligence hawks in Congress are seeking straight reauthorization without reform. The House Judiciary Committee decided to split the baby, and on Monday unveiled modest reform legislation that is missing key safeguards against surveillance abuse. Committee members should insist on strengthening the bill when it goes to markup on Wednesday.
What we’ve learned since the last reauthorization of Section 215
The main authority at issue is Section 215 of the 2001 USA Patriot Act, which amended FISA’s “business records” provision. It allows the government to get an order from the secret FISA Court compelling a third party, such as a bank or telephone company, to turn over “any tangible thing” in their possession. The government need only show that the item is “relevant” to an ongoing counterterrorism or foreign intelligence investigation.
This is one of the lowest legal standards available—so low, in fact, that the FISA Court interpreted it to justify the National Security Agency’s (NSA) indiscriminate or “bulk” collection of Americans’ telephone records, based on the theory that some relevant information must surely buried within them. What’s more, while the government cannot obtain the content of phone calls or emails under Section 215, it can obtain information that is often every bit as personal, such as medical records, book sales, library records, and tax returns.
In 2015, after Edward Snowden revealed the NSA’s phone records program, Congress passed the “USA Freedom Act” to prohibit bulk collection under Section 215 and other FISA authorities. But there were two flaws in Congress’s approach. First, instead of requiring the government to focus on individual suspects, Congress allowed the government to collect information about entire companies, organizations, and IP addresses, which can encompass thousands of people. Civil liberties advocates thus feared that “bulk collection” might simply be replaced with “bulky collection”—i.e., collection that is tied to a particular target but still sweeps in the information of large numbers of innocent Americans.
A second problem was that Congress created a new program within Section 215 for collecting Americans’ phone records. Under the so-called “CDR Program” (for “call detail records”), the government can collect the phone records of suspected terrorists and anyone who has ever been in contact with them. With two independent executive branch commissions having concluded that the NSA’s bulk collection program provided little to no counterterrorism value, it was unclear why a scaled-down version was deemed necessary.
Five years later, we can see how these flaws have played out. The law requires the government to report both the number of targets of Section 215 orders, and a number that indicates how many people’s information is actually collected. There were 56 targets of Section 215 orders in 2018, but 214,860 people had their information collected under those orders. If that isn’t “bulky” collection, it’s hard to think what is.
As for the CDR program, it has been, without exaggeration, a disaster. Although intended to replace bulk collection, it swept in more than a billion phone records between 2015-2018. Moreover, in 2018, the NSA disclosed that it had been collecting data it was not legally authorized to collect, due to technical problems it was unable to fix. NSA officials bluntly admitted that the program wasn’t generating sufficient benefit to justify its continuance, and the agency decided to pause collection in early 2019. A government study declassified and released today confirms that the program provided scant value while costing $100 million to operate.
The opportunity now
As a starting point, any legislation to reauthorize Section 215 must revoke authorization for the CDR program. Even the leaders of the Senate intelligence committee—which is notoriously pro-surveillance and anti-reform—have acknowledged this necessity.
The bill offered by Senators Wyden and Daines, with a companion bill offered by Representatives Lofgren (D-Ca.), Jayapal (D-Wash.), and Davidson (R-Ohio), would go much further. It would tackle the problem of “bulky” collection by limiting the targets of Section 215 collection to foreign powers, agents of foreign powers, or people in contact with them—basically, people who could themselves be legitimate focuses of a counterterrorism or foreign intelligence investigation.
Their proposal would also take on a host of other problems with FISA. For instance, the government’s default practice is to keep the records it collects for at least five years, even if the information is highly personal and contains no evidence of wrongdoing. This exposes Americans’ private data to theft, negligent mishandling, or abuse. The Wyden-Daines bill would require the government to delete data within three years unless it is determined to constitute foreign intelligence. It also specifies certain categories of data, such as geolocation information and web browsing history, which the government must obtain a warrant to access. And it includes several provisions that would enhance transparency and oversight of the FISA process.
The bill offered by the House Judiciary Committee, by contrast, is much less ambitious. It would end the CDR program, as it must. But it would do nothing to address the problem of continuing “bulky” collection under Section 215. It allows the government to continue hoarding the data of innocent Americans. It prohibits the use of Section 215 to collect items that would otherwise require a warrant, but it does not specify what any of those items are, leaving the government with far too much wiggle room to rely on its own cramped legal interpretations of the Fourth Amendment. And its transparency and oversight provisions, while important, are less far-reaching than those in the Wyden-Daines bill.
Committee members should insist on amendments to fill these gaps during Wednesday’s markup. Opportunities to build meaningful civil liberties protections into our sprawling surveillance laws are few and far between. The politics of fear that underlie most national security debates generally create a one-way ratchet, in which government authorities grow ever broader while protections for Americans’ privacy are eroded. We are in that rarest of moments in which Democrats and Republicans alike are calling for civil liberties enhancements. The House Judiciary Committee should not allow this moment to pass with a business-as-usual compromise between the reform seekers and the defenders of the status quo.