This originally appeared in Just Security.
Every year, the Office of the Director of National Intelligence (ODNI) releases a statistical transparency report on the use of national security authorities. The report, which began as a voluntary undertaking and is now a statutory requirement, is useful for detecting trends and patterns in foreign intelligence surveillance. For instance, the reports have revealed a steady increase in the number of targets under Section 702 of FISA (from 89,138 in 2013 to 204,968 in 2019), as well as the acquisition of a massive number of Americans’ phone records (over a billion between 2015 and 2018) under a program that was intended to replace bulk collection.
Buried in the 2019 report — released by ODNI on Thursday — is information of a different nature: a major instance of non-compliance with the law that ODNI hasn’t previously reported, and that directly implicates the constitutional rights of Americans.
To understand the violation in question, a bit of background is necessary. (I’ve started many a Section 702-related blog post with this same background information; readers who are familiar with it might want to skip the next two paragraphs.) Under Section 702 of FISA, enacted in 2008, the National Security Agency (NSA) collects hundreds of millions of electronic communications each year. No warrant is required for this collection because the targets of surveillance are foreigners overseas. However, massive amounts of Americans’ communications are “incidentally” collected in the process.
Recognizing the inevitability of this spillover, Congress sought to protect Americans’ constitutional rights by requiring the government to “minimize” the retention, use, and sharing of information about U.S. persons incidentally acquired under Section 702. Instead, as we learned through Edward Snowden’s disclosures in 2013, the FBI routinely helps itself to this data, combing through communications obtained under Section 702 to find Americans’ phone calls, e-mails, and text messages for use in purely domestic criminal investigations. This practice is commonly known as “backdoor searches.”
When Section 702 came up for reauthorization in late 2017, civil liberties advocates pushed to end backdoor searches by requiring the government to obtain a warrant before conducting U.S. person queries. Ultimately, Congress required the FBI to obtain a warrant in only a small subset of cases — criminal investigations not relating to national security that had reached a certain stage of the investigation — and only after the query is conducted (but before reviewing the contents of any communications).
As minimal as this requirement is, the 2019 statistical transparency report reveals that the FBI has failed to comply with it in literally every relevant case. According to a table in the report, there were six instances in 2018 in which the FBI reviewed the contents of Americans’ communications after conducting a backdoor search in a criminal, non-national security case. (These six instances went unreported in the 2018 transparency report because they were not detected until a Department of Justice oversight review in 2019.) The same table indicates that the FBI obtained a warrant to review the contents of those communications exactly zero times. Similarly, for 2019, the table lists one instance in which the FBI ran a backdoor search in a criminal, non-national security case and reviewed communications content, but zero instances in which it obtained a warrant.
At first blush, it might seem that there’s an apple-to-oranges problem in interpreting these statistics. The requirement to report the number of times communications were reviewed after a backdoor search applies in every criminal, non-national security investigation; the requirement to obtain a warrant applies only when the investigation has reached a particular stage (namely, when it is designated as a “predicated” investigation). A footnote in the ODNI report, however, states that the Department of Justice reported “each instance” to the Foreign Intelligence Surveillance Court as a “compliance incident.” That means the warrant requirement applied— and was violated — in each case. (ODNI has confirmed the accuracy of this interpretation.)
Leaving aside the substance of this revelation, its timing and the way in which it was presented are deeply disturbing. The six warrantless reviews that took place in 2018 were discovered by the Justice Department at an unspecified time in 2019; four months into 2020, the 2019 statistical report is the first public admission of these incidents. Moreover, even now, the fact of non-compliance with a major statutory requirement must be inferred from numbers on a table on page 17 of a routine statistical report. There has been no statement from ODNI or the FBI — no explanation of how the violations occurred or any steps that are being taken to ensure that no such violations take place in the future.
Under any circumstances, the fact that the FBI has failed to adhere to a statutory warrant requirement is significant information that ODNI should promptly report — and explain — to the public. That is particularly true here, given that three provisions of FISA were scheduled to expire in March of this year and Congress was debating and voting on proposed reforms to multiple FISA authorities as part of the reauthorization process.
Then there are the violations themselves. Congress chose to require a warrant in only a limited category of cases: those in which Americans’ privacy and liberty interests are at their very highest. Predicated criminal investigations are likely to result in prosecutions, and potentially in the deprivation of the target’s freedoms. Additionally, because the cases in question do not implicate foreign intelligence or national security, there can be no argument that the information is subject to any exception to the Fourth Amendment’s warrant requirement. And there is nothing complicated about the requirement Congress imposed; it should have been an easy matter to educate FBI agents about their new obligation. There is no imaginable excuse for a compliance rate of zero percent.
The news that the FBI violated the warrant requirement is just the latest in a remarkable series of revelations. In the last six months alone, we’ve learned that the FBI openly flouted the requirement Congress enacted in early 2018 to count the number of backdoor searches it performs; conducted tens of thousands of U.S. person queries without meeting the extremely low standard that applies to any query of Section 702 data (i.e., that the query must be reasonably designed to return foreign intelligence or evidence of a crime); and violated the so-called “Woods procedures” in each of 25 cases reviewed by the Justice Department’s Inspector General, resulting in applications to conduct surveillance under Title I of FISA that were riddled with errors. These incidents follow a decade in which the government failed (for several years) to report the collection of purely domestic communications under Section 702, and then failed (for several more years) to comply with the procedures that the Foreign Intelligence Surveillance Court imposed to remedy the resulting Fourth Amendment violation.
The lesson should be clear. Multiple FISA authorities that enable either the direct or “incidental” collection of Americans’ information rely on statutory and/or court-imposed limitations on how that data is accessed, shared, and kept. Scrupulous adherence to those limitations is necessary to safeguard Americans’ privacy and, in many cases, their constitutional rights. After 12 years of repeated and systemic violations, Congress cannot continue to hand the government sweeping powers to collect Americans’ most personal data on the assumption that the FBI is following the rules, or that the FISA Court’s interventions will put an end to any non-compliance. Instead, in order to adequately protect Americans’ rights, Congress must begin to put stricter limits on the scope of collection itself.
What this means in practice will depend on the FISA authority in question. Most immediately, Congress should revisit the low “relevance” standard for collection under FISA’s business records provision, Section 215, which is scheduled for a reauthorization vote in May. One obvious solution is for Congress to go back to the pre-2001 requirement that the subject of business records requests must be a foreign power or its agent. In addition, when Congress next considers Section 702 — which should happen well before 702’s scheduled 2023 sunset, given the many recent revelations of non-compliance — it should narrow the scope of permissible foreign targets. In both cases, these changes would greatly reduce the amount of information about Americans that is subject to collection. That, in turn, would reduce our reliance on the FBI’s adherence to post-collection privacy safeguards — reliance that has proven, once again, to be misplaced.