Congress is considering permanently reauthorizing four provisions, two of which are unused, of the Foreign Intelligence Surveillance Act that are set to expire Dec. 15. Considering the ongoing scrutiny of U.S. government surveillance practices, lawmakers should carefully consider the permanent reauthorization of the unused provisions. If these surveillance tools were valuable and effective, federal law enforcement would use them, which lawmakers on both sides of the aisle have recognized. Given European scrutiny of U.S. surveillance practices, permanent reauthorization of unneeded surveillance powers will become one more reason for European courts and lawmakers to further contract available cross-border transfer mechanisms, causing unnecessary damage to business interests.
In the Sept. 18 hearing before the U.S. House Committee on the Judiciary, and again in the Nov. 6 hearing before the U.S. Senate Committee on the Judiciary, representatives of the U.S. Department of Justice, Federal Bureau of Investigation and National Security Agency urged Congress to permanently reauthorize FISA’s roving wiretap, business records, lone wolf and call detail records provisions. The administration does so while acknowledging that neither the lone wolf nor the CDR authority is in use.
Congress implemented the first of these unused surveillance authorities, the CDR provision, in the USA Freedom Act of 2015, in response to the Edward Snowden revelations about the NSA’s bulk collection program. Under the bulk collection program, the NSA gathered virtually all cell phone records held by major U.S. telecoms. Elizabeth Goitein, Brennan Center for Justice Director, Liberty & National Security, testified in the Senate Committee on the Judiciary hearing and described the program as indiscriminate, illegal and ultimately ineffective in countering terrorism. The Freedom Act banned use of FISA’s business records provision for bulk collection. Lawmakers added the current CDR authority to the Act in what House Judiciary Committee Chairman Jerrold Nadler, D-N.Y., characterizes as a good faith effort to compromise with the intelligence community.
Through the CDR authority, the NSA can ask the Foreign Intelligence Surveillance Court for an order compelling telecoms to produce CDR information based on specific “selection terms.” Goitein describes the CDR program, together with other government surveillance authorities, as a post-Snowden “bulky” collection regime. Goitein and other civil liberties advocates note that under the CDR program, the NSA has had fewer than 150 targets over the past 3 years, but those targets have resulted in collection of more than a billion records. Adam Klein, the Chairman of the Privacy and Civil Liberties Oversight Board, testified before the Senate Committee that in 2018 alone, just 14 FISA orders collected 434 million records.
In both hearings, lawmakers asked NSA Official Susan Morgan if she could identify a single instance in which the CDR authority had materially contributed to a terrorism investigation or stopped a terrorist attack. In the House committee hearing, she gave the surprising response that the value of a program should not necessarily focus on “whether or not it prevented or stopped a terrorist attack.” In August, the NSA discontinued the CDR program for “technical and operational reasons.” These reasons included the NSA’s discovery that “technical irregularities” had resulted in the mass collection of records it was not authorized to collect. And because the NSA couldn’t distinguish between authorized and unauthorized records, it elected to delete all records collected under the program. The NSA, in its own words, has concluded that the costs of the CDR program presently outweigh its benefits. But as Morgan testified, if the program remains, the NSA believes it can resume it at will.
The second unused FISA authority, the lone wolf provision, was enacted by Congress in 2004 when it amended FISA’s definition of “agent of a foreign power” to include non-U.S. persons who engage in or prepare for terrorism but do not have a connection to a foreign power or terrorist group. These are the so-called “lone wolves.” Not only is the lone wolf provision currently unused, but it has never been used since it was added to FISA 15 years ago.
Although neither the lone wolf amendment nor the CDR authority is in use, the administration is urging Congress to reauthorize the programs and do so permanently. It contends that while these tools are currently unnecessary, the security landscape is in constant flux and the tools should remain in the “toolbox” because they might prove useful in the future. Chairman Nadler described this rationale as “baffling.”
In both congressional hearings, lawmakers focused exclusively on U.S. national security concerns and the civil liberties of U.S. citizens. While these are certainly core considerations, they are not the only considerations, particularly given the international microscope applied to U.S. surveillance practices. As Congress considers reauthorizing the lone wolf and CDR authorities, business interests cannot be overlooked. The EU in particular remains hyper-focused on U.S. surveillance practices and FISA-related developments are of special concern. That focus has been particularly intense since the 2013 Edward Snowden revelations, which substantially affected the economic interests of companies doing business in the EU.
In his 2015 victory against Facebook before the European Court of Justice—what is now known as Schrems 1.0—Austrian attorney Max Schrems relied upon the Snowden revelations to attack the legitimacy of the Safe Harbor program as a means of cross-border data transfer. The ECJ held that the U.S. surveillance regime effectively trumped the privacy protections implemented under Safe Harbor and therefore Safe Harbor was not a lawful means of transferring EU personal data to the U.S. As many will recall, this left businesses scrambling and many were compelled to adopt the use of standard contractual clauses. While Safe Harbor was ultimately replaced with the EU-U.S. Privacy Shield, EU concerns about U.S. surveillance practices persist. The GDPR itself contains Article 48, which is known as the “affidavit he submitted in the Schrems 2.0 proceeding, there could be “large economic effects from a categorical finding that the U.S. lacks adequacy due to its surveillance regime.” But even if Schrems 2.0 is more limited than many fear, there’s another