Section 702 of the Foreign Intelligence Surveillance Act (FISA) is constitutional and effective, the U.S. Privacy and Civil Liberties Oversight Board decided in a unanimous vote Wednesday morning.
“Overall, the board has found that the information the program collects has been valuable and effective in protecting the nation’s security and producing useful foreign intelligence,” the board said. “The program has operated under a statute that was publicly debated, and the text of the statute outlines the basic structure of the program. Operation of the Section 702 program has been subject to judicial oversight and extensive internal supervision, and the board has found no evidence of intentional abuse.”
The board is an independent, bipartisan agency within the executive branch that was established on the recommendation of the 9/11 Commission Act in 2007. As part of its duties, the board reviews and analyzes actions the executive branch takes to protect the nation from terrorism to ensure that the needs for those actions are balanced with the need to protect privacy and civil liberties.
As part of its decision on the Section 702 program, the board also released a report on its decision-making process along with recommendations to ensure that the program continues to operate in accordance with U.S. laws. In the 196-page document, the board outlined its process for analyzing the program, its findings, and its recommendations to increase privacy protections.
Section 702 Overview
Under the 702 program, the federal government collects the contents of electronic communications, including telephone calls and e-mails, where the target is reasonably believed to be a non-U.S. person located outside of the United States. It was enacted in 2008 as part of the FISA Amendments Act, which made changes to the FISA Act of 1978.
Among those changes was Section 702, which allows the attorney general and the director of national intelligence to jointly authorize surveillance conducted within the United States but targeting only non-U.S. persons reasonably believed to be located outside the United States. This means that the program cannot intentionally target U.S. persons or anyone located in the United States.
As part of the program, the attorney general and director make annual certifications authorizing targeting to acquire foreign intelligence information, without specifying to the FISA court the non-U.S. persons who will be targeted. There is also no requirement for the government to demonstrate probable cause to believe that an individual targeted is an agent of a foreign power.
“Instead, the Section 702 certifications identify categories of information to be collected, which must meet the statutory definition of foreign intelligence information,” according to the board. “The certifications that have been authorized include information concerning international terrorism and other topics, such as the acquisition of weapons of mass destruction.”
Additionally, executive branch authorizations to acquire designated types of foreign intelligence under Section 702 must be approved by the FISA court, along with procedures governing targeting decisions and the handling of information that has been acquired. It is also required to develop minimization procedures to ensure that information that the federal government collects and stores relates only to foreign intelligence information.
While U.S persons are not intentionally targeted under Section 702, their communications and communications about them may be acquired in various ways. For instance, if a U.S. person communicates with a non-U.S. person who has been targeted, an “incidental” collection takes place where their communications could be collected. These types of communications are subjected to rules and requirements for government use.
Communications of U.S. persons can also be collected by mistake, such as when a U.S. person is erroneously targeted because of a technological malfunction, resulting in an “inadvertent” collection. In cases like this, however, the rules generally require the communications to be destroyed.
The Board’s Review
The board began examining the program following leaks by former National Security Agency (NSA) contractor Edward Snowden in June 2013, which lead to public outcry and concerns about the privacy protections associated with the program. After the leaks, a group of U.S. Senators asked the board to investigate Section 215 of the USA PATRIOT Act and Section 702 and release an unclassified report on its findings.
As part of its process, the board met with President Barack Obama, held public hearings, met with the intelligence community, the Department of Justice, congressional committee staff, privacy and civil liberties advocates, academics, trade associations, and technology and communications companies.
After months of research, the board concluded that the program is constitutional and has shown no evidence of intentional abuse. However, it did have recommendations to help strengthen the program’s privacy safeguards.
All of the board’s recommendations are based on policy grounds, so they will not require additional action from Congress to be implemented. Additionally, in its meeting on Wednesday the board clarified that the recommendations are focused on the margins of the Section 702 program and that the core of the program is fine as is.
Targeting and Tasking
The board’s first recommendation was to change the NSA’s targeting procedures to specify criteria for determining the expected foreign intelligence value of a particular target. It also recommended that the NSA require a written explanation of the basis for that determination to demonstrate that the targeting of each selector is likely to return foreign intelligence information relevant to one of the certifications approved by the FISA court.
“The NSA should implement these revised targeting procedures through revised guidance and training for analysts, specifying the criteria for the foreign intelligence determination and the kind of written explanation needed to support it,” the report said. Following up with this change in procedure, the board suggested internal agency reviews, along with compliance audits by the Office of the Director of National Intelligence (ODNI) and the Department of Justice (DOJ), to assess the NSA’s new procedures.
U.S. Person Queries
To better protect privacy, the board has recommended that the FBI, NSA, and CIA all make changes to their minimization procedures. The board specifically suggested that the FBI’s minimization procedures be updated to “more clearly reflect” the actual practice for conducting U.S. person queries. This should be done by including how often Section 702 data may be searched when making routine queries as part of FBI assessments and investigations.
“No later than when the results of a U.S. person query of Section 702 data are generated, U.S. persons’ communications should be purged of information that does not meet the statutory definition of foreign intelligence information relating to U.S. persons,” said David Medine, the chairman of the Privacy and Civil Liberties Oversight Board, and Patricia Wald, a board member, in a joint statement on the recommendation. “This process should be subject to judicial oversight.”
The minimization procedures the board suggested for the NSA and CIA were to allow the agencies to query 702 data for foreign intelligence procedures using U.S. person identifiers “only if the query is based upon a statement of facts showing that it is reasonably likely to return foreign intelligence information as defined in FISA.” The board mirrored its recommendation for the FBI by saying that the NSA and CIA should do this by constructing written guidance for agents and analysts as to what information and documentation is needed to meet the new standard.
The board also called for additional limits to be placed on the FBI’s use and dissemination of Section 702 data in connection with non-foreign intelligence criminal matters.
FISA Court Role
Along with recommendations for the executive branch, the board also suggested additional changes in the judicial review process. One recommendation was to assist in the process of the FISA court’s consideration of the government’s periodic Section 702 certification applications. “The government should submit with those applications a random sample of tasking sheets and a random sample of the NSA’s and CIA’s U.S. person query terms, with supporting documentation,” the board explained. This sample size and methodology should then be approved by the FISA court.
Additionally, the board suggested that the government incorporate into its submission to the FISA court the rules for operation of the Section 702 program that have not already been included in certification orders by the court. These rules might be contained in separate orders and opinions, affidavits, compliance and other letters, hearing transcripts, and mandatory reports filed by the government, and the board recommends that they all be incorporated so the court can use them to approve Section 702 certifications.
Upstream and “About” Collection
To better filter upstream communications to avoid collecting purely domestic communications, the board recommended that the NSA and DOJ periodically assess whether filtering techniques applied in upstream collection utilize the best technology consistent with program needs. Upstream collection includes telephone calls and Internet communications collected from telecommunications providers. Adopting this recommendation would allow the government to ensure that it was only acquiring communications that it’s authorized to gather and would prevent the “inadvertent collection of domestic communications.”
To accomplish this, the board said that the NSA and DOJ should work with affected telecommunications service providers and independent experts, when appropriate.
It also said that the NSA should review the types of communications it acquired through “about” collection under Section 702. About communication is when the selector of a targeted person, such as the person’s e-mail address, is contained within the communication but the targeted person is not necessarily a participant in the communication. The board suggested that the NSA NSA should study the extent to which it would be feasible to limit the types of “about” collection.
Accountability and Transparency
The board also asked for the federal government to do a better job of being transparent with the American people about the Section 702 program as misinformation about what it is and how it works continues to filter through the public. As a first step, the board suggested that the government create and release—with minimal redactions—declassified versions of the FBI’s, CIA’s, and NSA’s minimization procedures for the program.
Additionally, the board recommended that the federal government adopt five measures to provide insight about the extent that NSA acquires and uses the communications involving U.S. citizens and people located in the United States under Section 702. The board called for the NSA to create a process to annually count: the number of telephone communications acquired where one caller is located in the United States; the number of Internet communications acquired through upstream collection that originate or terminate in the United States; the number of communications of or concerning U.S. persons that the NSA positively identifies in its routine work; the number of queries performed that employ U.S. person identifiers; and the number of instances in which the NSA disseminates non-public information about U.S. persons.
These figures should then be reported to Congress in the NSA director’s annual report and should also be released publicly, to the extent that’s consistent with protecting national security.
The board’s final recommendation was for the government to develop a comprehensive methodology for assessing the efficacy and relative value of counterterrorism programs.