The debate over reauthorization of Section 702 of the Foreign Intelligence Surveillance Act will be a hot topic in privacy circles right up to the December 2023 deadline. On 28 Sept., U.S. Privacy and Civil Liberties Oversight Board stirred the pot with a new report on the foreign surveillance tool's effectiveness and recommendations to consider in 702's reauthorization discussion.
The report was approved by a 3-2 vote that was split along party lines with Republican board members dissenting. The split is notable, as the PCLOB's previous report on Section 702 in 2014 was unanimous.
The new report outlined 19 privacy and oversight recommendations for U.S. Congress to consider including with a reauthorization. Risk mitigation goals were a priority in the report, as it noted how perceived risks from Section 702 "can be reduced while preserving the program’s value in protecting Americans' national security."
"The Board concludes that although the Section 702 program presents serious risks to, and actual intrusions upon, the privacy and civil liberties of both Americans and non-Americans, the United States is safer with the Section 702 program than without it," the report said. "The Board further finds that the most serious privacy and civil liberties risks result from U.S. person queries and batch queries, and the government has not demonstrated that such queries have nearly as significant value as the Section 702 program overall."
Among the recommendations was a court approval process for searches of information and communications belonging to U.S. citizens along with other transparency and agency review measures.
Another notable recommendation was for the Foreign Intelligence Surveillance Court to consider FBI search standards when deciding whether to extend a search warrant on U.S. citizens' communications. The FBI standard maintains agents are only permitted to search for data on U.S. persons if there is a reasonable expectation of raising foreign intelligence information or criminal evidence.
Many of the recommendations, and the general reauthorization debate, stem from perceived privacy and oversight issues with the FBI's prior Section 702 use. The bureau underwent internal reforms to alleviate potential abuse in the future, but the PCLOB report cements those intentions.
"The FBI has taken some measures to increase safeguards for privacy and civil liberties, and to improve compliance with the rules, and these steps are welcome. But all board members agree, the FBI must do more," PCLOB Chair Sharon Bradford Franklin said at a press event regarding the Section 702 report.
In comments provided to the IAPP, Georgia Tech School of Cybersecurity and Privacy Chair of Law and Ethics Peter Swire, CIPP/US, added the FBI's alleged missteps and PCLOB's reactions merely highlight the importance of the board's oversight duties.
"Every compliance system, if it operates properly, finds problems in actual operations. This report is another example of the U.S. checks and balances functioning the way they are supposed to," Swire said. "The FBI acted badly, and PCLOB and Congress investigated and responded after they learned the facts. Now, practices are changing."
Members divided
The board's vote on party lines demonstrated a new resistance to Section 702 among members that has cropped up since the unanimous approval of the last PCLOB Section 702 report in 2014.
"No board member has called for the program to lapse and also no board member has called for clean reauthorization of the program," Franklin said.
Republican PCLOB members Beth Williams and Richard DiZinno, who both joined the board in 2022, filed an annex with their disapproval of the report and did not attend the board's presser. Beyond consensus agreement that Section 702 must be reauthorized in some fashion, Williams and DiZinno wrote in the annex that the PCLOB majority's recommendations "miss the mark, in ways both large and small."
Specifically on the court approval for searches, Williams and DiZinno said such a process would place "bureaucratic burdens on agency personnel and the (foreign intelligence surveillance community) without evidence there would be much, if any, privacy and civil liberties improvement." They added the recommendation "would force additional, potentially invasive and unnecessary investigation of U.S. persons, and will make it substantially more difficult to detect and thwart hostile foreign action."
Democratic PCLOB member Travis LeBlanc, who was reappointed in 2022, was previously vocal about Section 702 reauthorization and offered a stark contrast from Republican members on court-approved searches. "Such a program warrants court approval of individual U.S. person queries, which would reduce compliance errors, promote accountability, and build public trust in a surveillance program long beleaguered by a wide range of privacy and civil liberties threats," he said in a statement.
LeBlanc's previous takes on reauthorization included how the foreign intelligence community should not be given "clean reauthorization" without "common-sense reforms."
EU-US Data Privacy Framework impacts?
The Section 702 debate holds great significance in discussions on the EU-U.S. Data Privacy Framework, which has already met challenges in the EU for its perceived lack of action to address foreign surveillance issues.
Signals intelligence and government access to that data have become noted hurdles in EU-U.S. data transfer saga over the years. While the DPF and its Data Protection Review Court have been cleared by EU and U.S. officials, arguments remain over how and why the U.S. government can achieve an adequate level of data protection with the EU while maintaining its access to Europeans' data.
The PCLOB is responsible for reviews of necessity and proportionality in relevant agencies' policies and procedures under U.S. President Joe Biden's executive order that stands up the U.S.'s DPF commitments.
The Section 702 report "supports the position that electronic surveillance by the U.S., including under FISA 702, is subject to a comprehensive array of checks and balances, and multiple levels of oversight" as the DPF mandates, according to Sidley Austin Partner Alan Charles Raul.
"It is also highly significant, and supportive of the DPF, that (Executive Order) 14086 is being institutionalized and operationalized in the intelligence community," Raul added. "The purpose limitations for signals intelligence collection specified in the (order) apply to both foreign and US person information, as does the principle that electronic surveillance should be governed by the standards of necessity and proportionality with respect to serious foreign intelligence, foreign government and counter-terrorism objectives — including cybersecurity."