Today, OTI joined a coalition letter to the Senate, signed by forty-two privacy and civil liberties groups, supporting the USA Rights Act (S. 1997). The bill would reauthorize and amend Section 702 of the Foreign Intelligence Surveillance Act (FISA), which is set to expire in December, to protect Americans’ privacy. It includes reforms that would end warrantless searches of Americans’ communications that are incidentally collected under Section 702, prohibit the practice of “abouts” collection, require more transparency and accountability from the intelligence community, and ensure Americans can challenge the constitutionality of Section 702 surveillance in court.
The USA Rights Act would close the so-called “backdoor search loophole” where the government warrantlessly searches through Section 702 data looking for the contents of specific Americans’ communications. This practice circumvents the Fourth Amendment, which requires law enforcement to obtain warrants based on probable cause before seeking Americans’ communications contents. The bill would require intelligence agencies to obtain a warrant before searching through Section 702-collected communications for Americans’ metadata and communications contents.
Codifying the end of “abouts” collection is another way the USA Rights Act would better protect Americans’ privacy. “Abouts” collection is a part of NSA’s “upstream surveillance” program where it scans all data crossing the internet backbone (the vast majority of global internet traffic), and collects communications related to its targets. “Abouts” collection is where, in addition to sweeping up communications that are “to” and “from” targets, the NSA collects communications that merely reference -- or are “about” -- the targets. This practice is incredibly privacy-invasive, and historically has resulted in the NSA’s improper collection of substantial quantities of wholly domestic communications and communications that don’t even reference a target. Because the practice is so privacy-invasive, the Foreign Intelligence Surveillance Court (FISC) has twice found the practice to raise serious constitutional concerns, most recently this spring. The Intelligence Community has indicated intent to revive the practice if the FISC someday reauthorizes it, so codifying a prohibition against this collection is important. The USA Rights Act would do this by clarifying that the only collection authorized under Section 702 is of communications “to” or “from” a target.
The bill also strengthens Section 702 oversight by adding new reporting requirements to promote transparency. One new transparency requirement mandates the declassification review and release of additional key FISC decisions made before the USA Freedom Act was passed in 2015. Another would also require the Director of National Intelligence and the FBI to publicly report more statistics about Section 702 usage, such as an annual estimate of how many Americans’ communications were incidentally collected. Companies served with national security demands could also disclose more granular information about the amount and types of user data they were required to hand over.
Finally, the USA Rights Act would address impediments to individuals challenging the constitutionality of Section 702 in court. For any court to hear a case challenging Section 702 surveillance, the person bringing the challenge has to establish standing, which requires a showing of proof that they were improperly surveilled under that authority, that they suffered harm as a result, and that there is a remedy the court could impose. Under current law, individuals typically cannot establish standing because they cannot show a court that they have been harmed by Section 702 surveillance since they are almost never told if their communications were incidentally collected under Section 702. The USA Rights Act would resolve this by allowing individuals to meet standing requirements by showing “a reasonable basis to believe their communications will be acquired” under Section 702, and showing they “have taken reasonable steps to avoid surveillance.” For example, an attorney representing a client abroad who uses encrypted email to protect attorney-client privilege would be able to show standing under the USA Rights Act: the foreign aspect of the communications provides a reasonable basis to believe they were surveilled, and the use of encryption could constitute reasonable steps to avoid surveillance.
The bill would also reform notice requirements where the government must tell a defendant in a criminal case if information “obtained or derived from” FISA collection is introduced as evidence against them. The reported amount of Section 702-related notice is startlingly low given how much information is collected under the authority and how critical the Intelligence Community argues Section 702 collection is to its work. This may be because of an overly limited interpretation of what constitutes information “derived from” FISA surveillance, resulting in numbers inaccurately suggesting scarce use of FISA-derived information in bringing cases. For example, the government may engage in a practice called parallel construction, where it creates a secondary path or origination of evidence used in an investigation or prosecution to conceal how investigation actually began or how the evidence was actually obtained. Alternatively, it may simply argue that the notice requirement does not apply if Section 702-acquired data is sufficiently attenuated from the evidence that is actually introduced in court during a prosecution. The USA Rights Act addresses concerns that the government is avoiding its duty to provide notice by clarifying that information “derived from” FISA surveillance is information an agency would not have had “but for” the surveillance.
OTI joined 42 groups in a letter of support for the USA Rights Act because these reforms, as well as others included in the bill, would make meaningful improvements to Section 702 to significantly enhance protections for Americans’ privacy. Congress should look to this bill as a roadmap for how to amend Section 702 as it considers reauthorization.