For the past several months, news of the reauthorization of and potential amendments to Section 702 of the U.S. Foreign Intelligence Surveillance Act has had policy and privacy professioals on their toes. FISA Section 702, which authorizes limited warrantless surveillance of certain communications, requires regular congressional renewal. Each cycle brings negotiation on policy priorities, technological advancements and privacy tradeoffs. Originally set to expire in December 2023, a short-term extension moved the deadline to April 2024. While the vote was contentious and Congress considered several bipartisan and partisan proposals to update the text of the act, the Senate ultimately passed the bill in the early hours of 20 April to reauthorize the section of FISA that the intelligence community relies on with very few changes to the text.

I remember it all too well

Section 702 of the Foreign Intelligence Surveillance Act was first passed in 2008 in response to a post-9/11 investigation revealing that the strict separation between foreign and domestic intelligence contributed to the failure of national security agencies to intervene in the attack. Section 702 allows the National Security Agency to intercept communications from non-U.S. individuals outside of the U.S. for foreign intelligence purposes, store these messages for about five years, and provide the intelligence community with the ability to conduct specific types of queries on the database.

Although Americans and people inside the U.S. may not be the targets of this collection, it may include the "incidental" collection of U.S. communications. Each program within an intelligence agency with access to the system must be reviewed and approved annually through the FISA oversight process, which involves a review of the purposes and procedures of each program.

During a query, the requesting agency submits a request to the NSA to add a foreign individual to the targeted individuals list, and this request is reviewed at the NSA's discretion. If the nomination of that individual and their communications is accepted, the NSA adds that information to the database that the requesting agency can query. The Foreign Intelligence Surveillance Court provides judicial oversight, hearing arguments to broaden access or review case-by-case intelligence use from government agencies.

In addition to preventing threats to national security and investigating cyberattacks, the intelligence community has also relied on 702 to provide presidents (since 2008) with as much as 60% of their daily brief. In order to be eligible for access to 702, each program or activity must have a nexus with counterterrorism, but counterterrorism does not have to be its only goal.

Congress also requires the intelligence agencies to minimize retention and use of 702 data and requires each agency to annually certify to the Foreign Intelligence Surveillance Court that it is not improperly using 702 to access U.S. communications. However, because of the nonzero likelihood that the foreign conversations involve or include U.S. recipients, agencies like the FBI can access and review U.S. citizens' communications without obtaining a judicial warrant as would otherwise be required for such access under the Fourth Amendment. This privacy gap, among other concerns, has led to the years-long debate of how or whether to amend the text of 702 every time that section of FISA comes up for reauthorization.

You know that it's delicate

In a comprehensive report last September, all five members of the Privacy and Civil Liberties Oversight Board agreed that the 702 program should be reauthorized with adjustments to fix the risks it poses to privacy and civil liberties. They did not agree on much else, with the members splitting along party lines in their recommendations for reforms. Nevertheless, the majority of PCLOB members recommended Congress mandate FISA-court review for queries involving U.S. persons under Section 702 to protect Fourth Amendment rights.

The report points to the FBI's history of compliance issues to underscore the need for such judicial oversight. The PCLOB suggests that the standard for this review should be "reasonably likely to retrieve" pertinent information, with some members advocating for a “probable cause” standard to align with constitutional protections and parity with criminal law. However, the dissenting members expressed that court approval for 702 searches would place bureaucratic burdens on agency personnel and the intelligence community "without evidence there would be much, if any, privacy and civil liberties improvement."

Below are other highlights from the PCLOB majority's 19 recommendations:

Ensure purpose specification. Executive Order 14086 requires enhanced safeguards for U.S. signals intelligence activities due to the sensitive nature of intelligence collected. A recommendation that aligns with this executive order states that Congress should "codify the twelve legitimate objectives" for signals intelligence collection to provide necessary clarity in giving the FISC explicit jurisdiction and narrow the grounds of collection. Another provision recommends the FBI ensure that each query term that relates to a specific person only be used if it individually meets the applicable query standard and approval process, which would also meet the executive order requirement that SigInt activities only be conducted as necessary and proportionate to intelligence priority.

Enhance transparency and oversight. Similarly, the PCLOB called for court approval to access query results when they yield information about an American. This would codify and strengthen the current requirement that the government submit a random sample of targeting decisions. PCLOB also recommends strengthening the role of the FISC amicus and implementing a declassification process to improve transparency of FISC opinions. The PCLOB also expressed concern over the government's reluctance to develop metrics for incidental collection, emphasizing that even less precise numbers are meaningful for public understanding and assessing the adequacy of safeguards.

Embrace data minimization. PCLOB recommended the relevant agencies' querying procedures to be updated to require personnel perform due diligence to assess the U.S. status of the query subject by searching in minimized FISA and non-FISA datasets. They also recommended that Congress should codify the prohibition against "abouts" collections by removing the NSA's ability to restart the collections without congressional approval and subject to exigent circumstances, because there is no identified mission need for such collection. An "abouts" collection occurs when a communication contains a reference to, but is not to or from, an individual who is a 702 target. The NSA ceased "abouts" collection in response to a FISC ruling that questioned the mechanism's lawfulness, but the agency is able to resume such collection if it feels it could "work that technical solution in a way that generates greater reliability."

Are you ready for it?

Many other stakeholders, from privacy advocates to policymakers, have chimed in over the past year to recommend adjustments to the process and governance structure of 702 authorities. Though most supported a reauthorization of the program, they generally opposed a "clean" reauthorization, without recommended adjustments.

Demand Progress, the Brennan Center for Justice, American Civil Liberties Union and other civil liberties groups sent a letter to Senate Majority Leader Chuck Schumer, D-N.Y., stating 702 in its then-current form was "dangerous to our liberties and our democracy," and urging that it not be renewed without "robust debate, an opportunity for amendment, and — ultimately — far-reaching reforms." The Center for Democracy and Technology also issued a brief proposing changes that would allow the intelligence community to retain access to necessary foreign intelligence information. The ACLU specifically denounced the FISC granting the government a new one-year certification to conduct surveillance under 702, and, with groups like the Electronic Privacy Information Center and Electronic Frontier Federation, urged Congress to oppose 702's reauthorization without key amendments to limit surveillance on U.S. citizens.

Leaders in both chambers of Congress began engaging on FISA reform long before the expiration deadline. Privacy hawk Sen. Ron Wyden, D-Ore., drafted a bill that garnered bipartisan support in both chambers that would have reauthorized 702 with added protections against misuse and accountability measures when abuses occur, along with other surveillance reforms like a warrant requirement for government purchases of private data from data brokers. Wyden has spoken out on multiple occasions against reauthorization as long as FISA allows U.S. person queries without a probable cause warrant.

Rep. Andy Biggs, R-Ariz., introduced a similar bill that would have required a warrant for all U.S. person searches. Sens. Dick Durbin, D-Ill., and Mike Lee, R-Utah, proposed a 702 amendment that would have required the government to obtain a probable cause warrant or FISC order before accessing the results of the query, with carve outs for emergencies or time-sensitive incidents like cyberattacks. On the other hand, Sens. Mark Warner, D-Va., and Marco Rubio, R-Fla., introduced a bill that would have reauthorized 702 through 2035 and eliminated the FBI's authority to query the 702 database solely for the purposes of discovering evidence of a crime, language that is nominally privacy-protective.

Finally, the president's own Intelligence Advisory Board provided President Joe Biden with a report that recommended prohibiting the FBI from searching communications data for investigations unrelated to foreign intelligence while maintaining access only for national security matters, and requiring agencies with access to 702 data develop a policy to meet certain standards before conducting any query using Americans' identifiers. Many of this body's recommendations echo those seen in the PCLOB report.

I wanna be your endgame

Ultimately, in the final days leading up to the reauthorization deadline, there was a bipartisan effort to reauthorize an amended Section 702 with a 60-34 Senate vote. Hours later, President Biden signed the bill into law.

The amended bill expands, rather than reducing, FISA authorities. Specifically, it edits the definition of "electronic communications service provider" with the goal of matching the technological capabilities of today. That term had not changed since 702's adoption in 2008, and the updated definition was supported by a bipartisan majority in the House. The edit is responsive to a FISC decision, which concluded the government could not compel a data center to collect communications.

However, on the Senate floor Wyden proposed an amendment, cosponsored by senators on both sides of the aisle, which attempted to reverse this change. The amendment was rejected. Sen. Chris Van Hollen, D-Md., spoke on the floor about his concerns with the new language, among other changes: "While I appreciate the administration's commitment to apply this new definition exclusively to cover the type of service provider at issue in the litigation before the FISC, I believe there are ways to more narrowly achieve the administration's goal without providing the open-ended authority that  is currently included in the bill."

Say you will remember me

As we stare at the sun setting on the latest cycle of debate over Section 702, we know the same debates will return in the next cycle. The reauthorization of this influential authority marks a continuation of a surveillance framework that has been both a shield against threats to national security and a source of unease for privacy advocates. The passage of the bill, while ensuring the U.S. intelligence community retains its tools, also underscores the ongoing discourse on the need for robust oversight and stringent safeguards to protect civil liberties. As we move forward, it is incumbent upon all stakeholders — lawmakers, intelligence agencies, privacy advocates and the judiciary — to remain vigilant.