Congress is considering permanently reauthorizing four provisions, two of which are unused, of the Foreign Intelligence Surveillance Act that are set to expire Dec. 15. Considering the ongoing scrutiny of U.S. government surveillance practices, lawmakers should carefully consider the permanent reauthorization of the unused provisions. If these surveillance tools were valuable and effective, federal law enforcement would use them, which lawmakers on both sides of the aisle have recognized. Given European scrutiny of U.S. surveillance practices, permanent reauthorization of unneeded surveillance powers will become one more reason for European courts and lawmakers to further contract available cross-border transfer mechanisms, causing unnecessary damage to business interests.
In the Sept. 18 hearing before the U.S. House Committee on the Judiciary, and again in the Nov. 6 hearing before the U.S. Senate Committee on the Judiciary , representatives of the U.S. Department of Justice, Federal Bureau of Investigation and National Security Agency urged Congress to permanently reauthorize FISA’s roving wiretap, business records, lone wolf and call detail records provisions. The administration does so while acknowledging that neither the lone wolf or CDR authorities are in use.
Congress implemented the first of these unused surveillance authorities, the CDR provision, in the USA Freedom Act of 2015, in response to the Edward Snowden revelations about the NSA’s bulk collection program. Under the bulk collection program, the NSA gathered virtually all cell phone records held by major U.S. telecoms. Brennan Center for Justice Director Liberty & National Security, Elizabeth Goitein, testified in the Senate Committee on the Judiciary hearing and described the program as indiscriminate, illegal and ultimately ineffective in countering terrorism. The Freedom Act banned use of FISA’s business records provision for bulk collection. Lawmakers added the current CDR authority to the Act in what House Judiciary Committee Chairman Jerrold Nadler, D-N.Y., characterizes as a good faith effort to compromise with the intelligence community.
Through the CDR authority, the NSA can ask the Foreign Intelligence Surveillance Court for an order compelling telecoms to produce CDR information based on specific “selection terms.” Goitein describes the CDR program, together with other government surveillance authorities, as a post-Snowden “bulky” collection regime. Goitein and other civil liberties advocates note that under the CDR program, the NSA has had fewer than 150 targets over the past 3 years, but those targets have resulted in collection of more than a billion records. Adam Klein, the Chairman of the Privacy and Civil Liberties Oversight Board, testified before the Senate Committee that in 2018 alone, just 14 FISA orders collected 434 million records.
In both hearings, lawmakers asked NSA Official Susan Morgan if she could identify a single instance in which the CDR authority had materially contributed to a terrorism investigation or stopped a terrorist attack. In the House committee hearing, she gave the surprising response that the value of a program should not necessarily focus on “whether or not it prevented or stopped a terrorist attack.” In August, the NSA discontinued the CDR program for “technical and operational reasons.” These reasons included the NSA’s discovery that “technical irregularities” had resulted in the mass collection of records it was not authorized to collect. And because the NSA couldn’t distinguish between authorized and unauthorized records, it elected to delete all records collected under the program. The NSA, in its own words, has concluded that the costs of the CDR program presently outweigh its benefits. But as Morgan testified, if the program remains, the NSA believes it can resume it at will.
The second unused FISA authority, the lone wolf provision, was enacted by Congress in 2004 when it amended FISA’s definition of “agent of a foreign power” to include non-U.S. persons who engage in or prepare for terrorism but do not have a connection to a foreign power or terrorist group. These are the so-called “lone wolves.” Not only is the lone wolf provision currently unused, but it has never been used since it was added to FISA 15 years ago.
Although neither the lone wolf amendment nor the CDR authority are in use, the administration is urging Congress to reauthorize the programs and do so permanently. It contends that while these tools are currently unnecessary, the security landscape is in constant flux and the tools should remain in the “toolbox” because they might prove useful in the future. Chairman Nadler described this rationale as “baffling.”
In both congressional hearings, lawmakers focused exclusively on U.S. national security concerns and the civil liberties of U.S. citizens. While these are certainly core considerations, they are not the only considerations, particularly given the international microscope applied to U.S. surveillance practices. As Congress considers reauthorizing the lone wolf and CDR authorities, business interests cannot be overlooked. The EU in particular remains hyper-focused on U.S. surveillance practices and FISA-related developments are of special concern. That focus has been particularly intense since the 2013 Edward Snowden revelations, which substantially affected the economic interests of companies doing business in the EU.
In his 2015 victory against Facebook before the European Court of Justice—what is now known as Schrems 1.0—Austrian attorney Max Schrems relied upon the Snowden revelations to attack the legitimacy of the Safe Harbor program as a means of cross-border data transfer. The ECJ held that the U.S. surveillance regime effectively trumped the privacy protections implemented under Safe Harbor and therefore Safe Harbor was not a lawful means of transferring EU personal data to the U.S. As many will recall, this left businesses scrambling and many were compelled to adopt the use of standard contractual clauses. While Safe Harbor was ultimately replaced with the EU-U.S. Privacy Shield, EU concerns about U.S. surveillance practices persist. The GDPR itself contains Article 48, which is known as the “anti-FISA provision.” While the final version of Article 48 is narrower than that supported by the EU Parliament, it nonetheless shows that FISA continues to be front and center among EU privacy proponents. This is not going to change.
The FISA reauthorization decision is happening at another crucial moment for companies doing business in the EU. Schrems is before the ECJ with a second lawsuit against Facebook, dubbed Schrems 2.0. And once again, he contends that U.S. surveillance practices should invalidate a cross border transfer mechanism—namely, standard contractual clauses. Many are concerned that if the ECJ invalidates standard contractual clauses, it may strike down the Privacy Shield using the same rationale. Either of these outcomes would be a serious blow to businesses transacting in both the U.S. and EU, the vast majority of which rely on standard contractual clauses or Privacy Shield. As Peter Swire states in the affidavit he submitted in the Schrems 2.0 proceeding, there could be “large economic effects from a categorical finding that the U.S. lacks adequacy due to its surveillance regime.” But even if Schrems 2.0 is more limited than many fear, there’s another case in the queue that squarely attacks Privacy Shield.
In deciding whether to permanently reauthorize the four FISA provisions under consideration, U.S. lawmakers should carefully consider EU privacy concerns. In light of those concerns, and given that the lone wolf and CDR provisions are unused and apparently ineffective, the costs of reauthorizing them may be much greater than any benefits. EU privacy advocates may pay special attention to the decision about the CDR authority because it is a product of the Freedom Act, by which Congress tried to remedy the bulk collection abuses that helped topple Safe Harbor. In the face of the EU fed up with what it considers to be U.S. surveillance overreach, what message is sent if lawmakers permanently reauthorize two surveillance powers with no present national security value? Now is not the time to ignore both business interests and EU privacy concerns in favor of unused and ineffective surveillance tools.
Photo by Matthew Henry on Unsplash