Reforms to Collection and Targeting

Collection of information is the first step in conducting surveillance, and the first point at which government actions interfere with the privacy interests of individuals. Reforms that would address collection and targeting practices under Section 702 and EO 12333 would limit the risk of intrusion on the privacy rights of both non-U.S. persons and Americans, and would likely be the most effective means of protecting those rights. Specifically, narrowing definitions for how surveillance may be targeted and raising the standards for approving particular targets will reduce privacy threats because surveillance will focus more closely on appropriate targets. Such measures can also improve the efficacy of surveillance activities by assisting intelligence agencies in honing in on actual threat actors and actionable intelligence.

Reforms that would address collection and targeting practices … would limit the risk of intrusion on the privacy rights of both non-U.S. persons and Americans, and would likely be the most effective …

Bulk collection, which involves conducting surveillance without any defined target or other “discriminants”—characteristics that define or limit—is not permitted under Section 702. However, for foreign intelligence collection under EO 12333, the U.S. government does assert the authority to conduct bulk collection when it is “necessary” to collect signals intelligence in bulk due to “technical or operational considerations.”¹

Since, by definition, bulk collection is conducted without discriminants, it creates significant risks that the government will also acquire vast quantities of information concerning people who have no connection with wrongdoing or foreign intelligence information. The U.S. government can and should implement robust safeguards to mitigate these risks, and the executive branch can adopt such measures without any action by Congress. Because both EO 12333 and PPD-28 were issued as executive actions, the president has full authority to expand the protections for individual rights under them by issuing a new executive order or policy directive. The U.S. government can also develop and issue updated attorney general–approved guidelines.

At present, Section 2 of PPD-28 provides some limitations on bulk surveillance and protections for non-U.S. persons’ data by requiring that intelligence agencies may only use signals intelligence collected in bulk for six designated purposes. The permitted categories are the purposes of detecting and countering threats from or regarding: (1) espionage; (2) terrorism; (3) weapons of mass destruction; (4) cybersecurity; (5) U.S. or allied armed forces; and (6) transnational criminal acts.² However, not only are these categories relatively broad but they only govern the use of data collected in bulk and do not in any way limit the purposes for which data may be collected in bulk in the first place. In other words, intelligence agencies are still permitted to engage in broad bulk collection for any foreign intelligence purpose, and PPD-28 only restricts how the government may use the data once it is in government databases.

Thus, as an initial reform, the U.S. government should build upon PPD-28 by applying the six-category use limits for bulk data to cover the purposes for bulk collection. No bulk collection should be permitted for any other purposes.

In addition, the U.S. government should adopt binding rules to ensure that, even within these six categories, bulk collection is only conducted when it meets the principles of necessity and proportionality under international human rights law. When a government or entity is considering instituting policies or practices that would restrict key rights, the necessity principle requires the actor to ensure that the restriction on fundamental rights is necessary and meets a “pressing social need.” Proportionality ensures that any advantages conferred by restrictions on fundamental rights are not outweighed by potential disadvantages.³ In December 2020, the Organization for Economic Co-operation and Development’s Committee on Digital Economy Policy, which includes the United States as a member,⁴ issued a statement explaining the need for an instrument setting out principles for government access to personal data held by the private sector. The statement noted that these principles may include requirements that government access must “meet legitimate aims and be carried out in a necessary and proportionate manner.”⁵

Current rules in the SIGINT Annex, which, as noted above, essentially govern most signals intelligence collection under EO 12333, contain the seeds for such necessity and proportionality limits. With regard to necessity, Section 2.2(a)(2) already states that the government should use discriminants whenever practicable and that bulk collection may be used “when necessary due to technical or operational considerations.” For proportionality, Section 2.3(a) states that the government should endeavor “to limit the types and aspects of the information collected to those relevant to the purposes of the collection.”⁶ The intelligence agencies are also already familiar with the “least intrusive means” standard,⁷ which is similar to the proportionality principle but framed as only permitting certain collection methods when no less intrusive means are available. The U.S. government should build on this foundation to clearly require implementation of the necessity and proportionality principles.

With regard to surveillance that is not considered bulk collection, the intelligence agencies should narrow the scope of collection to better focus on legitimate targets. There are several approaches that could help in this regard under both Section 702 and EO 12333. These include narrowing the definition of foreign intelligence information that may be sought through surveillance, and strengthening the standards for what agents must show in order to justify particular surveillance targets.

Both FISA Section 702 and EO 12333 allow for broad targeting due to their sweeping definitions of what constitutes “foreign intelligence.” The expansive FISA definition of foreign intelligence information includes such matters as those relating to the national defense and foreign affairs of the United States. EO 12333 defines “foreign intelligence” even more broadly as information “relating to the capabilities, intention or activities of foreign governments or elements thereof, foreign organizations, foreign persons, or international terrorists,” and thus includes information that simply relates to the activities of “any foreign person.”⁸

Under Section 702, targets can be any non-U.S. person, regardless of that person’s level of connection to a foreign power.⁹ The targeting procedures require that the surveillance of the target must be likely to lead to the collection of foreign intelligence information within the scope of one of the “certifications” or topics for which surveillance has been approved by the FISA Court—such as counterterrorism or weapons of mass destruction. This standard could permit targeting of people who may unwittingly or unknowingly possess information that meets the broad definition of “foreign intelligence.” The rules for selecting non-U.S. person targets under EO 12333 are even more permissive; the government must have a valid foreign intelligence purpose for its collection, but there are no further limits on selecting non-U.S. persons as targets for surveillance.

While it is unclear whether the intelligence agencies use these authorities quite as expansively as their language appears to allow, the definitions here should be narrowed to strengthen safeguards for the data of both foreign persons and U.S. persons.

The government can implement these improved protections in the near term without need for congressional action. As noted above, no changes to EO 12333 would require legislation. Moreover, under Section 702, the government can incorporate new limits into its targeting procedures at the time of its next annual renewal of the 702 program, which the FISA Court can then approve. Such a move would be binding and narrow the government’s collection. Subsequently, Congress could codify limits to ensure they are made permanent.

First, the government should commit—in its Section 702 targeting procedures—to following the definition of foreign intelligence information under FISA that applies to U.S. persons, namely that information must be “necessary to” the United States’ ability to protect against threats, rather than the broader “relates to” standard that applies to foreign intelligence information regarding non-U.S. persons.¹⁰ Further, the government should strengthen and narrow the standard for targeting under Section 702 from “reasonably likely to return” foreign intelligence information related to one of the 702 certifications. Restricting targeting to foreign powers or agents of a foreign power (as under other sections of FISA), as some have proposed, may be too limiting, but the Intelligence Community should work with reform advocates and the administration to develop narrower but workable limits.

Relatedly, the U.S. government should commit that it will not reinstate “about” collection under Section 702, ensuring that the NSA only collects communications that are “to” or “from” a target. As part of its “upstream” surveillance under Section 702, the NSA used to collect communications that merely reference, or are “about,” a target, such as when the email address for a target appears in the body of an email. “About” collection therefore could sweep up communications that are neither to nor from an approved target, creating a significantly greater risk of including the communications of people with no connection to wrongdoing or foreign intelligence. The NSA suspended “about” collection in 2017 based on its inability to conduct this collection in compliance with applicable privacy protections,¹¹ but the statute permits the NSA to restart “about” collection after obtaining permission from the FISA Court and notifying Congress. Again, to guarantee a more permanent limit on overbroad surveillance, Congress should also pass a reform bill that includes a prohibition against “about” collection.

With regard to EO 12333, simply removing “foreign persons” from the definition of foreign intelligence would ensure that collection is limited to information regarding foreign governments, organizations, and terrorists, rather than any foreign individual. This can be done through administrative action, including a new directive or executive order. Currently, collection must be supported by a “foreign intelligence” purpose, but there are no standards to ensure that agents have a sufficient predicate for concluding that particular targets will fulfill the foreign intelligence purpose. The standard for surveillance targeting under EO 12333 should at the very least be elevated to the Section 702 targeting standard of “reasonably likely to lead” to foreign intelligence, and could be strengthened further by working with the Intelligence Community, as suggested above.

Independent judicial review provides a fundamental safeguard for civil liberties. As noted above, under Section 702, the FISA Court only reviews the government’s annual “certifications” for the categories of surveillance that will be permitted, together with the government’s targeting, minimization, and querying procedures. The FISA Court reviews these submissions on an annual basis and, in between annual reviews, will only consider particular compliance incidents that are brought to the court’s attention. The court does not play any role in reviewing the government’s selection of particular targets. And for signals intelligence conducted under EO 12333, no court plays any role in assessing targeting procedures or determinations of particular targets.

In the near term, the U.S. government should seek and create procedures for FISA Court review of targeting decisions under Section 702, at least after the fact as part of the annual review of the Section 702 program. This would provide a critical independent check on targeting decisions to help ensure that they meet all applicable standards and to promote compliance. In its 2014 report on Section 702 surveillance, the Privacy and Civil Liberties Oversight Board (PCLOB) recommended that the government submit a random sample of 702 targeting decisions to the FISA Court for review as part of the annual certification process.¹² The government provided the FISA Court with a briefing on how this could work, but the FISA Court itself declined to accept the recommendation.¹³ To ensure post hoc review by the FISA Court of a selection of targeting decisions, the government should build such a process into its targeting procedures as part of its submission to the FISA Court at the next annual renewal of the Section 702 certifications. The government should update its 702 targeting procedures to outline that, in order to ensure compliance, the government will submit a random sample of targeting decisions to the FISA Court for post hoc review, and specify the sampling methodology to be used.

In the longer term, Congress should enact a requirement for such post hoc FISA Court review of targeting decisions. This would provide a more fail-safe mechanism to ensure that the FISA Court would accept jurisdiction to review Section 702 targeting decisions, and Congress could expand the post hoc review to cover all targets approved in the prior year rather than only a random sample.¹⁴ To the extent that such reviews substantially increase the workload of the FISA Court, Congress should also ensure that the FISA Court has sufficient resources to take on this work, possibly including expanding the number of judges serving on the FISA Court.¹⁵ Congress could also authorize the FISA Court to conduct post hoc review of targeting under EO 12333 to ensure that such targeting meets the necessity and proportionality principles. Any judicial role in intelligence collection conducted pursuant to EO 12333 would be a significant change, and therefore it would also be critical to expand resources to the FISA Court and to establish appropriate procedures.