Statement on Behalf of OTI to the Privacy and Civil Liberties Oversight Board on Exercise of Authorities Under the Foreign Intelligence Surveillance Act

Thank you for the invitation to provide input to the Privacy and Civil Liberties Oversight Board (PCLOB) as it examines the exercise of authorities under the Foreign Intelligence Surveillance Act (FISA).

I am Sharon Bradford Franklin, Policy Director for New America’s Open Technology Institute (OTI). OTI works at the intersection of technology and policy to ensure that every community has equitable access to digital technology and its benefits. I direct the broad range of OTI's policy work on issues including broadband access, cybersecurity, encryption, freedom of expression online, government surveillance, net neutrality, privacy, transparency, and platform accountability. From September 2013 through January 2017, I served as Executive Director of the PCLOB. My work included supervising and directing the work of attorneys and other staff in carrying out the PCLOB’s mission, and I was one of a handful of staff members who participated, and supported the Board, in its reviews of both the Section 215 telephone records program and Section 702 of FISA. Previously, I served as Senior Counsel at the Constitution Project, a nonprofit legal watchdog group, where I worked on a range of issues involving national security and privacy and civil liberties, including surveillance policies, cybersecurity, government secrecy, individual privacy, and detention policies.

PCLOB Chairman Adam Klein and Board Member Ed Felten have requested input on a variety of topics related to surveillance conducted under FISA. Before addressing some of the questions they have outlined, I note that this nation is facing a unique moment that provides an opportunity for U.S. policymakers to undertake a full reexamination of the legal authorities governing U.S. surveillance programs and activities. I therefore urge the PCLOB to take this opportunity to conduct, or at least recommend, a thorough rethinking of U.S. surveillance laws. In addition, I outline a series of recommended transparency measures and more specific reforms to FISA. Several of these recommendations contemplate steps that the PCLOB could accomplish on its own, and others would require action by Congress.

A thorough rethinking of U.S. surveillance laws

We are facing an unprecedented situation in which three surveillance authorities—the roving wiretap provision, the lone wolf authority, and Section 215—expired on March 15, 2020, over five months ago. Since enactment of the USA PATRIOT Act in October of 2001, Congress has amended the laws governing U.S. surveillance on multiple occasions, including incorporating some reforms to promote privacy and civil liberties, but it has not previously allowed any statutory surveillance authority to actually lapse for more than a day. This year, however, although the House and Senate have each passed versions of the USA FREEDOM Reauthorization Act, they have not yet moved toward conferencing the two bills, nor have they announced any plans to negotiate a compromise version of this legislation, or otherwise to take up reauthorization of the three expired provisions.

It is not clear whether, or to what extent, the expiration of these authorities in March has hindered intelligence activities. Presumably, there is no harm from the lapse of the lone wolf provision, since the U.S. government had never once used this authority from the time it was enacted in 2001. Moreover, the Intelligence Community may continue investigations that were initiated under Section 215 before the lapse, and with regard to new investigations, the Section 215 business records provision simply reverts to its narrower pre-Patriot Act version.

Appropriately, on July 21, 2020, Senators Patrick Leahy and Mike Lee wrote to Attorney General Barr and Director of National Intelligence Ratcliffe to ask how the intelligence agencies are conducting surveillance following the expiration of these authorities. Their letter raised concerns that intelligence agencies might be inappropriately relying on Executive Order 12333 or “other claimed inherent surveillance powers” to fill any gaps left by the expired surveillance authorities. Their letter also noted that the Senators support reauthorizing the expired provisions, along with a package of reforms to U.S. surveillance law.

In addition, on July 16, 2020, in the Schrems II case, the Court of Justice of the European Union struck down the Privacy Shield that had provided a mechanism for data transfers between the United States and Europe. The Court found that U.S. surveillance laws do not provide an adequate level of protection for the personal data of European Union citizens that is essentially equivalent to the rights guaranteed in the European Union by the GDPR. In particular, the Court found “that neither Section 702 of the FISA, nor E.O. 12333, read in conjunction with PPD‑28, correlates to the minimum safeguards resulting, under EU law, from the principle of proportionality, with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary.”

Taken together, these developments should both provide the impetus for, and create the necessity of, undertaking an overhaul of U.S. surveillance law. Congress’s inability to enact legislation that is acceptable to a majority in both chambers reflects deep concerns by many policymakers that our system of surveillance laws needs fundamental reform. The December 2019 and March 2020 reports by the Justice Department Inspector General provided detailed evidence to illustrate what many in the intelligence agencies, Congress, and civil society have long known: our current system is broken and we need a comprehensive review, rethinking, and redrafting of relevant legal authorities. Moreover, the finding by the Court of Justice of the European Union in Schrems II that U.S. surveillance laws do not provide adequate safeguards for privacy and civil liberties should act as a further wake-up call that comprehensive reforms are needed.

The rules governing U.S. surveillance should ensure that surveillance activities are conducted under the rule of law, based on an adequate factual predicate, focused on legitimate and appropriate targets, and include robust safeguards for privacy and civil liberties. The comprehensive rethinking of these rules should include not only significant reforms to FISA, but also reform and codification of the rules governing any surveillance that may implicate individual rights. Where surveillance currently conducted under E.O. 12333 will foreseeably result in collection of information of or regarding U.S. persons, this should be brought within the statutory structure of a revised FISA. Rather than relying on guidelines approved by the Attorney General, surveillance activities should be governed by rules approved by Congress and subject to judicial review by the FISA Court. The PCLOB could seek to conduct this examination itself, and to develop a proposal for rewriting, reforming, and codifying the rules that govern U.S. surveillance activities.

The PCLOB has expertise in making recommendations to ensure that programs and activities for protecting U.S. national security include adequate safeguards for privacy and civil liberties. And the PCLOB has experience in evaluating the efficacy of surveillance activities and in recommending rules designed to protect security as well as privacy and civil liberties. The topics listed in the Request for Expert Input under the “FISA Statute” header suggest that the agency may already be considering such a comprehensive project.

However, if the PCLOB concludes that it could not take on this project itself because the agency’s jurisdiction is limited to counterterrorism, or because it may lack the resources necessary for such a comprehensive review, the PCLOB could urge that Congress create a commission to undertake a comprehensive updating of U.S. surveillance law. Such a commission could be modeled in structure on the 9/11 Commission, with all members drawn from outside of government. The composition of such a commission would be critical. Authorizing legislation must provide clearly that members must come from diverse backgrounds, including not only people with prior experience in the Intelligence Community, but also people who come from outside the intelligence agencies and who have recognized expertise in, and commitment to, privacy and civil liberties.

Should the PCLOB determine that it will undertake a comprehensive review of U.S. surveillance laws itself, it should hold one or more public forums to explore the issues, and should solicit input from a wide range of stakeholders.

Greater transparency to the public regarding FISA activities and their impact

In the near term, the PCLOB should implement measures to provide greater transparency to the public regarding FISA activities. Although in the aftermath of the Snowden disclosures and particularly since enactment of the USA FREEDOM Act in 2015, the Intelligence Community has significantly increased its transparency reporting to the public, there is still much room for improvement. In particular, the PCLOB can and should promote transparency in four key areas. First, the Intelligence Community has still failed to disclose information that would improve public understanding of the extent to which it collects information regarding U.S. persons under Section 702 of FISA. Second, there is almost no public information regarding the impact of FISA surveillance activities on members of racial minorities and other protected classes, or on First Amendment-protected activities. Third, the Intelligence Community has not yet provided any public response to the questions in the July 2020 letter from Senators Leahy and Lee about how the intelligence agencies have been operating since the lapse of the three surveillance authorities in March. Fourth, the Intelligence Community and the Department of Justice have not explained key legal policies regarding their implementation of FISA. The PCLOB, on its own initiative, can play an important role in improving transparency in all of these categories.

With regard to U.S. person information collected under Section 702, Recommendation 9 of the PCLOB’s Section 702 Report stated that: “The government should implement five measures to provide insight about the extent to which the NSA acquires and utilizes the communications involving U.S. persons and people located in the United States under the Section 702 program.” In the PCLOB’s Recommendations Assessments Report released on February 5, 2016, the PCLOB found that the NSA was in the process of implementing this recommendation, and had partially done so, but had encountered difficulty with some of the subparts of the recommendation. The PCLOB explained that:

[T]he NSA has informed the Board that it has considered various approaches and has confronted a variety of challenges. However, the NSA has advised that it remains committed to developing and implementing measures that will, in the language of the Board’s recommendation, “provide insight about the extent to which the NSA acquires and utilizes” communications involving U.S. persons and people located in the United States under the Section 702 program. The NSA seeks to work with Board staff to develop such measures, either through further refinement of the measures described in the Board’s recommendation or through development of alternative approaches.

To date, however, the NSA has not developed alternative measures and the PCLOB’s recommendation has not been fully implemented as promised. Rather, in early June 2017, then-Director of National Intelligence Dan Coats told Congress that the Intelligence Community would not provide any estimate of the number of U.S. persons whose communications have been collected under Section 702. The DNI stated that they could not develop a number that would be accurate. However, when the PCLOB made its recommendation, the Board fully recognized that the NSA would only be providing estimates, and deliberately proposed a series of metrics that, taken together, would “shed some light on the extent to which communications involving U.S. persons or people located in the United States are being acquired and utilized under Section 702.” As the PCLOB explained the rationale for Recommendation 9:

Since the enactment of the FISA Amendments Act in 2008, the extent to which the government incidentally acquires the communications of U.S. persons under Section 702 has been one of the biggest open questions about the program, and a continuing source of public concern. The executive branch has maintained that it cannot provide such a number — because it is often difficult to determine from a communication the nationality of its participants, and because the large volume of collection under Section 702 would make it impossible to conduct such determinations for every communication that is acquired. The executive branch also has pointed out that any attempt to document the nationality of participants to communications acquired under Section 702 would actually be invasive of privacy, because it would require government personnel to spend time scrutinizing the contents of private messages that they otherwise might never access or closely review.

As a result of this impasse, lawmakers and the public do not have even a rough estimate of how many communications of U.S. persons are acquired under Section 702. Based on information provided by the NSA, the Board believes that certain measures can beadopted that could provide insight into these questions without unduly burdening the NSA or disrupting the work of its analysts, and without requiring the agency to further scrutinize the contents of U.S. persons’ communications.

The PCLOB should hold the NSA to its promise to develop substitute measures that will provide some insight into the scope and scale of collection of U.S. person information under Section 702. In late June 2017, prior to his appointment as PCLOB Chairman, Adam Klein testified to the Senate Judiciary Committee that one of his key recommendations was that the NSA should fully implement Recommendation 9 of the PCLOB’s Section 702 Report. He correctly noted that “the pursuit of an all-encompassing estimate should not distract from other, more targeted ways to measure 702’s effect on Americans.” Although the Board does not have the power to compel the Intelligence Community to develop metrics to provide this information to the public, no legislation is necessary for the PCLOB to demand that the agencies live up to their commitment as memorialized in the PCLOB’s February 2016 assessments report. Nor is any legislation required to provide the Intelligence Community with the authority to comply.

The second area in which the PCLOB can take important steps to improve transparency regarding FISA activities involves the impact of FISA surveillance on protected classes and on First Amendment activities. FISA does not contain explicit prohibitions against targeting on the basis of race, religion, gender, ethnicity or other protected classes, and there are no publicly available rules or guidance that address this issue. Moreover, FISA only prohibits targeting of surveillance that is “solely” based on First Amendment-protected activities, and at least one publicly released (and heavily redacted) opinion of the FISA Court raises serious questions about whether the implementation of this “solely” standard provides any meaningful safeguards for First Amendment activities. Thus, the public lacks information about the extent to which the government targets people for surveillance based on their membership in protected classes or on their exercise of First Amendment rights, and about what rules actually govern such targeting. There is also no publicly available information about the impact that such targeting has on members of these protected classes or on the exercise of First Amendment rights.

In both the version of the USA FREEDOM Reauthorization Act passed by the House in March, and the Senate version passed in May, Section 405 of the bill directs the PCLOB to prepare, and make publicly available, a report examining the impact of FISA surveillance on members of protected classes and on the exercise of First Amendment activities, as well as the extent to which such protected classes and activities are used to support targeting decisions under FISA. As described in the bill, the PCLOB should undertake the following:

(a) REPORT.—Not later than one year after the date of the enactment of this Act, the Privacy and Civil Liberties Oversight Board shall make publicly available, to the extent practicable, a report on—

1. the extent to which the activities and protected classes described in subsection (b) are used to support targeting decisions in the use of authorities pursuant to the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.); and
2. the impact of the use of such authorities on such activities and protected classes.

(b) ACTIVITIES AND PROTECTED CLASSES DESCRIBED.—The activities and protected classes described in this subsection are the following:

1. Activities and expression protected by the First Amendment to the Constitution of the United States.
2. Race, ethnicity, national origin, religious affiliation, sex, and any other protected characteristic determined appropriate by the Board.

Even without a congressional mandate, the PCLOB can and should take on this project and produce a publicly available report on First Amendment activities and protected classes. Such a report would provide much-needed transparency to the public, and would help inform policymakers as they consider future reform efforts. The PCLOB does not need congressional authorization for such a report.

Third, the PCLOB should investigate and issue a public report outlining how the Intelligence Community has been interpreting the lapse of Section 215, and what impact the lapse of all three surveillance authorities has had. In addition to the specific questions listed in the July 2020 letter from Senators Leahy and Lee, the PCLOB should specifically review the effect of the expiration of Section 215, and examine how the change to the narrower pre-Patriot Act version of the business records provision has affected intelligence activities.

Finally, the PCLOB should press the Intelligence Community and the Department of Justice to disclose more information to the public regarding implementation of key aspects of FISA. In particular, the PCLOB should:

• Recommend that the Intelligence Community produce and make public a legal memorandum describing how the government interprets the Supreme Court’s decision in Carpenter v. United States in the context of FISA surveillance. While the Court in Carpenter stated that it was not reaching the question of how its ruling might apply in the national security context, as I have written previously, “collection of digital information for national security purposes implicates the same expectations of privacy as does the acquisition of records by law enforcement.” The PCLOB should urge the Intelligence Community to make public its legal analysis for how it is applying the Carpenter decision.
• Recommend that the Department of Justice make public its guidance—or at a minimum, a memorandum describing its guidance—for how and when prosecutors must provide notice to criminal defendants where evidence has been derived from FISA. The PCLOB should also recommend that the Department of Justice implement policies that require such notice and also prohibit parallel construction, to the extent that existing policies do not already do so.

At a minimum, recommend robust reforms to FISA

In addition to the measures described above that the PCLOB may take on its own initiative, the Board should make recommendations to Congress for enactment of a robust package of reforms to FISA. While, as noted, this nation needs a full overhaul of its surveillance authorities, at a minimum, the PCLOB should urge Congress to enact a series of more specific reforms.

Strengthening and expanding the role of the FISA Court amici

First and foremost, the PCLOB should recommend that Congress significantly strengthen and expand the role of the FISA Court amici. Such reforms would apply across all FISA operations to greatly enhance oversight of surveillance conducted under various FISA authorities. A robust amicus role would provide structural change for the FISA Court process that can have a greater impact than particular adjustments to specific FISA provisions.

In the PCLOB’s Section 215 Report which was issued in January 2014, the Board recommended creation of a Special Advocate role for the FISA Court. When Congress enacted the USA FREEDOM Act in June 2015, it instead created a role for “amici,” or friends of the FISA Court. That role is weaker than the Special Advocate position described by the PCLOB in three critical ways. First, the PCLOB recommended that the Special Advocates participate in more than just matters involving “novel and significant” issues. Second, the PCLOB urged that the Special Advocates should have full access to information related to the matters in which they participate. Third, the PCLOB recommended that the Special Advocates should be able to petition for an appeal from the FISA Court to the FISCR, and from the FISCR to the Supreme Court. The role Congress created in 2015 fell short on all three of these criteria, and the PCLOB should now recommend to Congress that it strengthen the role of the amici in all three ways.

As I have argued previously, “strengthening and expanding the role of the amici has the potential to provide sorely needed oversight for the FISA process. Because the amici can participate behind the curtain that protects classified information, they can serve as the public’s eyes and ears, pushing back against the government’s arguments, and holding the government and the secret courts accountable.”

The version of the USA FREEDOM Reauthorization Act that the Senate passed in May 2020, which included the Leahy/Lee amendment, would address all three categories of reform to the amicus role, and the PCLOB should urge Congress to enact these provisions even if Congress does not otherwise reauthorize the expired surveillance authorities. First, PCLOB should urge Congress to significantly expand the types of cases in which amici are authorized to participate, beyond cases raising “novel and significant” issues, to also include:

• cases that present “significant concerns” regarding activities protected by the First Amendment;
• “sensitive investigative matters,” which are defined to include matters involving domestic public officials or candidates for office, news media, and religious or political organizations;
• matters involving a request for approval of a new program, a new technology, or a new use of existing technology; and
• requests for reauthorization of programmatic surveillance, which would include the annual renewals of authority to conduct surveillance under Section 702 of FISA.

Second, the PCLOB should recommend that Congress expand the ability of the amici to access information relevant to the matters in which they appear. More specifically, Congress should mandate that amici “shall have access” to the full record in a given matter, from the application through motions, including relevant legal precedent and unredacted copies of prior FISA Court opinions, to the same extent that such information is available to the government.

Third, as both the House and Senate versions of the USA FREEDOM Reauthorization Act would have done, Congress should provide a procedure for the amici to seek appellate review of decisions. With regard to this reform, however, the PCLOB should urge that Congress strengthen the provision in the USA FREEDOM Reauthorization Act bills and instead grant amici the ability to file a petition for review directly in the FISA Court of Review (FISCR) and to file a petition for certiorari in the Supreme Court. This procedure would ensure that FISCR judges—and in turn the Supreme Court—would actually have the opportunity to see the amicus’ petition and assess whether to accept review of the matter. It is also one of the procedures specifically recommended by the PCLOB in its Section 215 report:

[T]he Board would recommend a structure allowing the Special Advocate to file a petition with the FISCR seeking review of a FISA order and giving the FISCR discretionary review of the petition. This would be similar to the process of seeking certiorari in the Supreme Court of the United States. . . . If the FISCR granted review, the Special Advocate would be permitted to participate in the matter, just as in the FISC. Similarly, Congress could authorize the Special Advocate to file a petition for certiorari seeking the Supreme Court’s review of a FISCR decision in which the Special Advocate had participated. This approach would be consistent with the Board’s recommendation above, which grants the court some discretion to manage the Special Advocate’s role in proceedings. It would also have the benefit of allowing the Special Advocate to appeal without the permission of the court that issued the order in question.

Nonetheless, the “authority to seek review of decisions” provision in the USA FREEDOM Reauthorization Act bills passed earlier this year by both the House and Senate, which would authorize petitions for certification for review, would still be an improvement over current law. Thus, the PCLOB should recommend that Congress authorize the amici to file direct petitions for appeal, but could suggest the petition for certification for appeal as an alternative.

Reforms to Section 702 of FISA

The PCLOB should also recommend that Congress enact a series of critical reforms to Section 702 of FISA. Since July 2014 when the PCLOB issued its Report on Section 702, the public has learned more information about the threats that this program poses to privacy and civil liberties, which the PCLOB should consider in expanding the reform recommendations contained in the 2014 report. First, in April 2017, the NSA announced that it was suspending “about” collection as part of 702 upstream collection, because the agency had been unable to conduct this collection in compliance with the rules the FISA Court had imposed in order to protect U.S. person information. In addition, we have learned that the number of targets under the Section 702 program has more than doubled from the 89,138 figure for 2013 contained in the PCLOB’s report to the 204,968 targets for 2019 as reflected in the most recent Intelligence Community transparency report. Further, in December 2019, in United States v. Hasbajrami, the U.S. Court of Appeals for the Second Circuit held that U.S. person queries must comply with the reasonableness standard of the Fourth Amendment. As the Second Circuit found:

Section 702 forbids the government from targeting a non-United States person as a backdoor way of targeting a United States person. 50 U.S.C. § 1881a(b). But, as detailed above, in the course of its intelligence gathering operations, the NSA may have collected all sorts of information about an individual, the sum of which may resemble what the NSA would have gathered if it had directly targeted that individual in the first place. To permit that information to be accessed indiscriminately, for domestic law enforcement purposes, without any reason to believe that the individual is involved in any criminal activity and or even that any information about the person is likely to be in the database, just to see if there is anything incriminating in any conversations that might happen to be there, would be at odds with the bedrock Fourth Amendment concept that law enforcement agents may not invade the privacy of individuals without some objective reason to believe that evidence of crime will be found by a search. Treating querying as a Fourth Amendment event and requiring the query itself to be reasonable provides a backstop to protect the privacy interests of United States persons and ensure that they are not being improperly targeted.

Therefore, the PCLOB should recommend that Congress:

• Create a search warrant requirement to close the “backdoor search loophole,” through which the government warrantlessly searches through Section 702 data looking for the contents of specific U.S. persons’ metadata and communications contents.
• Fully prohibit the practice of “about” collection, by codifying a prohibition against the collection of communications that merely reference—or are “about”—the targets, and clarifying that the only collection authorized under Section 702 is of communications “to” or “from” a target.

If reauthorized, reforms to Section 215 of FISA

The PCLOB should also recommend that if Congress reauthorizes Section 215 of FISA, it should include several key reforms to that authority. In particular, the PCLOB should urge Congress to:

• Codify ending the Section 215 Call Detail Records program, which replaced “bulk collection” but is ineffective as a counterterrorism measure and still leads to overproduction of Americans’ personal records. The program has now been dark since late 2018, when NSA quietly ended it due to “the program’s relative intelligence value, associated costs, and compliance and data integrity concerns,” and it should not be reauthorized/reopened. The PCLOB’s own assessment of this program released in February 2020 found that it was ineffective and not worth continuing, and therefore, even if Congress reauthorizes Section 215 it should remove this CDR authority.
• Prohibit discriminatory surveillance based on race, ethnicity, religion, and other protected classes, and based on First Amendment-protected activities. Congress should make clear that the intelligence community has no authority to engage in unconstitutional and discriminatory practices, by explicitly prohibiting discriminatory surveillance based on race, ethnicity, religion, and other protected classes. Congress should also move beyond the “solely” standard when it comes to targeting based on activities and speech protected under the First Amendment, and also prohibit targeting based “in part” on activities protected by the First Amendment.
• Prohibit warrantless collection of geolocation data, web browsing and internet search history, and other sensitive data, making clear that the Supreme Court’s decision in Carpenter v. United States applies to intelligence cases. While, as noted above, the Court in Carpenter did not make clear how its ruling would apply outside of the facts at hand, the same Fourth Amendment principles should apply in the context of intelligence collection, and a warrant should therefore be required in advance of collection of this sensitive data. Congress should clarify that the government does not have the authority to warrantlessly collect geolocation information, web browsing and internet search history, and other sensitive information that would require a warrant if it were collected by law enforcement agencies in the context of criminal investigations.
• Require that notice be provided to defendants against whom Section 215 data is being used by requiring the government to inform a defendant in a criminal case if information is “obtained or derived from” 215 collection.
• Establish and make public meaningful data retention limits. Though minimization procedures are required, retention limits for information collected under Section 215 have not been made public. If Congress reauthorizes Section 215, it should enact a retention limit of no more than three years for information collected under this authority.

Conclusion

As outlined, I urge the Board to undertake, or at least to recommend, a thorough review of U.S. surveillance laws leading to a comprehensive rewriting and reform of these laws to better protect privacy and civil liberties. In the interim, there are a variety of measures the PCLOB can take on its own initiative to promote greater transparency and accountability for FISA activities. Finally, at a minimum, I urge the PCLOB to recommend a series of robust reforms to FISA, including strengthening and expanding the role of the FISA Court amicus.

I appreciate the opportunity to provide this input to the PCLOB as it examines the exercise of authorities under FISA.