Reforming Section 702 of the Foreign Intelligence Surveillance Act for a Digital Landscape

Available Downloads

This week, the House Judiciary and Intelligence Committees advanced two competing bills to amend Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA)—which, unless Congress finalizes a temporary extension within the National Defense Authorization Act, is set to expire on December 31. Congress first passed Section 702 in 2008 after the post-9/11 investigations exposed a communications gap between foreign and domestic intelligence units. Under Section 702, the National Security Agency (NSA) can intercept emails, phone calls, and text messages from specific non-Americans overseas—including those routed through U.S. companies or stored on U.S. servers. The White House and intelligence community have urged Congress to renew Section 702, describing it as “one of the nation’s most critical intelligence tools used to protect the homeland and the American people.” Privacy and civil liberties groups have voiced concerns that the Federal Bureau of Investigation (FBI) could inappropriately access incidentally collected communications related to Americans without probable cause.

The House is expected to bring both the Protect Liberty and End Warrantless Surveillance Act and the FISA Reform and Reauthorization Act to a floor vote next week. However, these bills demonstrate diverging approaches to the question of U.S. person queries, and it is not yet clear which direction Congress will take. Although Congress previously elected to renew Section 702 in 2013 and 2018, reauthorization comes with a different set of trade-offs in 2023. This report describes how shifts in U.S. intelligence priorities, technological advancements in data collection, and EU concerns over digital trade have impacted the debate to renew Section 702. First, it explains how the U.S. government benefits from Section 702 to conduct national security activities, especially to address the evolving cybersecurity and espionage challenges from China’s rising influence. Then, it explores possible changes that Congress could make to Section 702 to safeguard privacy and prevent undue surveillance in a digital age.

The Evolution of Section 702 in the National Security Landscape

A Brief Overview of Section 702

Since its inception, a primary purpose of Section 702 has been to monitor and prevent foreign terrorist activity against the United States. In 2013, General Keith Alexander, who served as NSA director at the time, stated that Section 702 helped thwart roughly 42 terrorist plots and provided “material support” to 12 additional ongoing investigations. These activities included interrupting an al Qaeda–linked plot to bomb New York City’s subway in 2009 and identifying Khalid Ouazzani, who provided financial resources to al Qaeda in 2010. In 2017, then director of national intelligence (DNI) Daniel Coats testified that Section 702 led to the targeting and killing of Hajji Iman, second-in-command of the Islamic State. Around that time, the DNI also revealed that Section 702 produced information that enabled a U.S. partner in Africa to arrest two Islamic State terrorists suspected of planning an attack against U.S. individuals.

Despite the origins of Section 702 in counterterrorism, national security leaders have publicly shifted to a much wider focus to make the case for renewal in 2023. For example, deputy attorney general Lisa Monaco revealed that Section 702 was used to combat cyberattacks and murder-for-hire plots and contributed to a decline in the frequency of victim payments during ransomware attacks to 34 percent. Director of the Office of National Drug Control Policy Rahul Gupta described the usefulness of Section 702 in countering drug trafficking, particularly to locate illegal global supply chains that feed into the national opioid crisis. Assistant secretary for export enforcement Matthew S. Axelrod noted that 702 is instrumental in protecting sensitive U.S. technology from foreign adversaries, including to designate foreign companies to the Entity List, enforce export controls, and identify espionage attempts.

However, privacy advocates have questioned the enduring presence of 9/11-era surveillance laws, including Section 702, outside the original context of counterterrorism. Because Section 702 authorizes the NSA to target a broad range of internet and cellular communications by non-U.S. individuals, it also sweeps in messages from Americans who correspond with them. The NSA then stores these messages for approximately five years and allows the FBI to search a limited percentage of this database for communications connected with U.S. citizens in select contexts without first obtaining a warrant or court order based on probable cause. Section 702 lacks traditional judicial oversight; it is subject to a limited Foreign Intelligence Surveillance Court (FISC), which operates clandestinely and hears arguments only from executive branch agencies. These privacy standards are lower than otherwise required for traditional law enforcement investigations of Americans under the Fourth Amendment, which has sparked debate over their appropriateness for intelligence activities unrelated to immediate threats of mass violence.

These privacy standards are lower than otherwise required for traditional law enforcement investigations of Americans under the Fourth Amendment, which has sparked debate over their appropriateness for intelligence activities unrelated to immediate threats of mass violence.

Cyberattacks

Over the past 15 years, the rationale for Section 702 queries has increasingly focused on mitigating cybersecurity threats on U.S. networks due to the growing volume, scale, and sensitivity of attacks. In the first half of 2023 alone, Section 702 formed the basis of 97 percent of the FBI’s raw technical reporting on cyber threats. After the oil company Colonial Pipeline suffered a high-profile ransomware attack in 2021, government agents employed Section 702 to identify DarkSide, a nonstate hacking group presumed to be located in Russia, and recover most of the ransom. In 2023, General Paul Nakasone stated that officials used Section 702 data to identify a foreign data breach that had compromised sensitive U.S. military information. Of the 3.4 million searches the FBI conducted in 2021 for terms related to U.S. persons,[1] up to 1.9 million were to investigate victims of one massive data breach: SolarWinds. The supply chain attack, carried out by the Russian Foreign Intelligence Service, affected 18,000 entities, including U.S. federal agencies and critical infrastructure.

During many cyber incidents, the government may be aware of the identity of the U.S. target but not the suspected non-U.S. perpetrator. Therefore, the FBI might choose to query the Section 702 database using terms associated with the affected U.S. corporation, including relevant employees, instead of obtaining a search warrant. These queries could potentially encompass both communications content and metadata (e.g., timestamp or duration) to trace the recipients of ransom payments, identify contact with malware tools, or flag irregularities in networks. Section 702 offers more speed and flexibility than traditional warrants, which require probable cause and could take a few days to obtain. Mike Herrington, an FBI senior operations advisor, has stated that rapid response is especially important during real-time data breaches when “every passing minute could mean irreparable damage or loss of data.” However, even if the FBI conducts U.S. person queries with the intention to help cyber victims, searching communications without first obtaining either a warrant or consent could incidentally reveal other sensitive details about a person’s life.

However, there are open questions about the specific role of Section 702 in cyber response that could inform legislative proposals for the statute’s renewal. For example, it is not publicly clear what percentage of U.S. person queries primarily relate to domestic or foreign cybercrime investigations. Another relevant factor is the nature of the data: if intelligence officials monitor communications networks during cybersecurity investigations, it would be beneficial to assess how many investigations require scanning victims’ content and how many cyberthreats could be detected by analyzing metadata alone. Finally, although many cyber intrusions last for weeks or months before being detected, the FBI has not publicly confirmed what percentage of investigations require rapid responses due to immediate loss of data or harm to individuals, compared to the number that fall into nonemergency classifications. While the disclosure of additional details on these factors could inform the reauthorization debate, they could also fluctuate from year to year depending on the severity of cyberattacks.

Technology Espionage and U.S.-China Competition

Whereas the first annual threat assessment of the Office of the Director of National Intelligence (ODNI) in 2006 highlighted nonstate actors like al Qaeda as the nation’s “top concern,” the 2023 report shifted focus to technological military advancements by nation-states. In particular, the ODNI has described China as the “broadest, most active, and persistent cyber espionage threat to U.S. Government and private-sector networks.” In recent years, the Chinese government has strategically deployed both human operatives and cyber campaigns in attempts to gain access to U.S. critical infrastructure networks. In October 2023, the FBI estimated that over half of Chinese attempts to steal trade secrets target Silicon Valley firms, particularly related to artificial intelligence.

Foreign espionage comes with significant national security ramifications, since it could allow adversaries to enhance their military capabilities using U.S. semiconductors, source code, and other critical technologies. Between 2000 and 2022, the Modern War Institute at West Point documented at least 90 espionage campaigns associated with the Chinese government. For example, after hacking the U.S. Transportation Command, naval contractors, and other defense industrial entities over the past decade, China’s military reportedly built fighter jets and other weapons systems based on U.S. technologies. Espionage also carries economic costs: the National Bureau of Asian Research estimated in 2017 that overall intellectual property theft could cost the U.S. economy up to $600 billion per year, a significant portion of which could be attributed to China. Axelrod has argued that Section 702 could support efforts like the Disruptive Technology Strike Force to counter illegal technology transfers to foreign adversaries. U.S. officials have also stated that Section 702 has previously been used to identify attempts to recruit human spies in the United States and that it played an instrumental role in countering threats from China, though most details have not been made public.

As espionage concerns increasingly focus on China, a coalition of Asian American and Pacific Islander (AAPI) organizations penned a letter in September 2023 to voice concerns that Section 702 could be used in ways that reinforce broader historical biases in policing. Because Section 702 generally allows the FBI to conduct U.S. person queries without probable cause, there are fewer institutional safeguards to prevent ethnicity or race from contributing to decisions. They cite the FBI’s use of Section 702 in 2015 to surveil Xiaoxing Xi, a U.S. citizen and professor at Temple University, which led to criminal charges for allegedly sharing sensitive technologies with Chinese scientists. Although the Department of Justice (DOJ) later dropped the charges after they were found to be untrue, Xi stated that he suffered irreparable career and financial losses due to the wrongful arrest. General concerns around ethnic profiling intensified from 2018 to 2022, when the DOJ launched a “China Initiative” to identify spies at U.S. university and research programs, though the agency has not publicly confirmed whether Section 702 played a role. Further, some lawmakers and academics have warned that disproportionate targeting based on race or ethnicity could actually harm national security by discouraging research and talent exchanges that could lead to innovative technological breakthroughs.

Global Privacy Concerns

Prior to 2013, criticism of Section 702 centered on its effects on the privacy of individuals within the United States. Leaked information by Edward Snowden in 2013, however, proved a pivotal moment in transatlantic digital trade. After Snowden revealed details of the NSA’s PRISM program under Section 702, the European Union—the largest U.S. trade partner—repeatedly threatened to curtail cross-border data flows. In Schrems I (2015) and Schrems II (2020), the Court of Justice of the European Union (CJEU) ruled that Section 702 of FISA and Executive Order (EO) 12333 fell short of EU privacy standards to limit U.S. surveillance to what is “necessary and proportionate” and provide a redress mechanism.[2] As a result, the CJEU declared that the Safe Harbor and Privacy Shield data transfer agreements were inadequate under Article 45(3) of the General Data Protection Regulation, thus leaving U.S. companies without clear legal means to export personal information from the European Union.

This decision created significant uncertainty for numerous U.S. organizations, including start-ups and small businesses that relied on international data transfers. In July 2023 the European Commission fined Meta $1.3 billion for transferring EU personal information despite the possibility of U.S. government surveillance under Section 702 and EO 12333, leaving the company to warn that it may have to end services in the European Union altogether unless a long-term agreement is reached. Although a third agreement, the EU-U.S. Data Privacy Framework (DPF), received an adequacy decision from the European Commission in July 2023, it will likely continue to face legal challenges unless Congress enacts substantive changes to surveillance laws.

In this manner, FISA and EO 12333 surveillance have fostered a sense of global distrust that hurts U.S. businesses and international trade. The European Union and United States are each among the other’s top trading partners, with a bilateral relationship that accounts for approximately 9.4 million jobs and $1.3 trillion in goods and services each year. According to the U.S. Chamber of Commerce, approximately 58 percent of U.S. services to EU countries were “digitally enabled” in 2019, driven by the rapid growth of mobile apps, e-commerce platforms, and other technology companies. Transatlantic data flows are crucial to this bilateral relationship: approximately 50 percent of U.S. data flows are routed to EU countries, and over 90 percent of EU companies transfer information to the United States. Data flows also provide benefits beyond digitally enabled goods and services; they enable the free exchange of communications and information outside commercial transactions.

In addition, both EU and U.S. privacy advocates have voiced concerns that existing privacy legal safeguards have not kept up with the rapid pace of technological change. The U.S. technology industry has dramatically expanded its commercial data collection practices in recent years, which indirectly increases the volume and types of information that U.S. government agencies could access through FISA or other authorities. Electronic communications and metadata can sit in remote storage indefinitely, creating a broader window for interception under Section 702 than what was possible in the past. It is now easier than ever for Americans to communicate with non-Americans on a global scale through social media, online forums, e-commerce, and messaging apps, which heightens their possible exposure to incidental surveillance under Section 702. This societal trend was accelerated by the Covid-19 pandemic lockdowns in 2020, which prompted individuals and businesses to shift almost all aspects of daily life and activities online. Congress will need to consider these shifting trends as it charts a path forward to Section 702 reauthorization in 2024 and beyond.

The U.S. technology industry has dramatically expanded its commercial data collection practices in recent years, which indirectly increases the volume and types of information that U.S. government agencies could access through FISA or other authorities.

Modernizing Section 702 to Enhance Privacy and Civil Liberties

There is broad recognition that Section 702 offers intelligence value to address a range of evolving priorities, including cybersecurity and espionage, and that reauthorization could aid U.S. strategic competition against China. There is also widespread consensus that Congress must consider targeted amendments to uphold privacy, civil liberties, and international trade in a more digital society. In a Washington Post survey published in May 2023, a small minority of surveyed cybersecurity experts—14 out of 70—supported a full reauthorization of Section 702 with no amendments. Most stakeholders—including about half of the Washington Post respondents and 21 prominent privacy and civil liberties groups—have endorsed various changes to Section 702 upon renewal.

On September 28, the Privacy and Civil Liberties Oversight Board (PCLOB) released comprehensive recommendations to reform Section 702 for surveillance of both U.S. and non-U.S. persons. Bipartisan members of Congress have introduced three bills so far: the Government Surveillance Reform Act (GSRA) on November 7, the FISA Reform and Reauthorization Act on November 28, and the Protect Liberty and End Warrantless Surveillance Act (PLEWSA) on December 4, the latter two of which are expected to reach the House floor. In addition, the Republican majority within the House Intelligence Committee released a working group report on November 16 that cited allegations over possible political usages of both Title I and VII of FISA as a catalyst for reform. Based on these proposals, this report next outlines seven major policy reforms to Section 702 that Congress should consider to balance both privacy and national security in an evolving technological landscape.

  1.  Narrow the scope of surveillance of non-U.S. targets.

Section 702 allows the NSA to surveil non-U.S. individuals and organizations abroad if a “significant” purpose is to acquire “foreign intelligence information,” which it defines as information related to the conduct of U.S. foreign affairs. The broad scope of “foreign affairs” could apply to almost any activity, which has allowed U.S. intelligence agencies the flexibility to address emerging trends in cybersecurity and technology theft over time but has also raised international concerns over the potential to surveil non-U.S. persons who are unaffiliated with terrorism or cybercrime. As societal functions moved online in the past decade, the scope of these targets almost tripled from an estimated 89,138 non-U.S. persons in 2013 to 246,073 in 2022. Although President Obama signed Presidential Policy Directive PPD-28 in 2014 to restrict signals intelligence (SIGINT) collection to “foreign intelligence or counterintelligence” purposes, the European Parliamentary Research Service has noted that unclear definitions of “signals intelligence” could leave its scope open to interpretation, especially as technological advancements expand channels for data collection.

While intelligence officials have defended Section 702 as “lawful” since Fourth Amendment protections do not extend to non-Americans overseas, the United States cannot afford to ignore the substantial political and legal challenges it has encountered in the European Union. To address any future CJEU legal challenges, the logical first step is for Congress to codify the EU-U.S. DPF, which President Biden implemented through EO 14086 in October 2022. The EU-U.S. DPF limits U.S. signals intelligence collection to what is “necessary” and “proportionate” to achieve 12 “legitimate objectives” including cybersecurity and sanction enforcement, and it reserves the right to make updates to align with upcoming national security trends. It also expressly bans the interception of foreign communications for four improper purposes, including “disadvantaging” historically marginalized individuals and suppressing free speech. None of these provisions would restrict intelligence agencies from using Section 702 responsibly to conduct accepted national security activities. Both the President’s Intelligence Advisory Board (PIAB) and the majority side of the PCLOB recommended cementing these 12 national security objectives for signals intelligence into statute.

Although codification could mitigate concerns from the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) that EOs “can be amended at any time by the U.S. President,” Congress will need to choose the legislative language carefully. Numerous parties have noted major provisions in EO 14086 are vaguely worded, which leaves their application open to interpretation. For example, both the European Data Protection Board and Max Schrems have highlighted concerns that the CJEU and White House interpret the meaning of “necessity” and “proportionality” differently. The Center for Democracy and Technology has also noted the prohibition on conducting signals intelligence “for the purpose of . . . disadvantaging persons based on their ethnicity, race, gender, gender identity, sexual orientation, or religion” does not specify whether it refers to the sole purpose of collection or if intelligence agencies could still fall back on those traditional biases as a contributing—or even primary—factor. To address their concerns, Congress will need to clarify the principles in EO 14086 with more precise language, particularly to impose clearer boundaries on the scope of initial surveillance under Section 702 and to specifically ban all discrimination against protected classes in signals collection. Furthermore, Congress could expand protections within the EU-U.S. DPF to all forms of digital surveillance, beyond just signals intelligence collection as defined in PPD-28.

  1. Strengthen guardrails on FBI queries related to U.S. individuals.

While the purpose of Section 702 is to facilitate intelligence investigations into non-U.S. individuals abroad, it also permits the incidental collection of communications with U.S. persons. In turn, the NSA shares a limited portion of communications related to a “full predicated national security investigation” with the FBI, which in 2022 amounted to communications from approximately 7,900 out of 246,073 non-U.S. persons, or 3.2 percent of the initial database. In turn, the FBI may query this subset of communications using search terms related to U.S. persons if “reasonably likely” to return “foreign intelligence” or “evidence of a crime.” Although “evidence of a crime” searches occur significantly less frequently than “foreign intelligence” searches, privacy advocates have noted that they could potentially allow the FBI to avoid obtaining a traditional warrant when conducting domestic criminal investigations outside the traditional national security scope.[3]

A spectrum of privacy organizations have called for Congress to require the FBI to obtain either a warrant (for domestic “evidence of a crime” activities) or a FISA Title I court order (for “foreign intelligence” investigations) before using U.S. person terms to search communications collected under Section 702. Both would require agents to demonstrate probable cause, which is a higher legal standard that calls for preacquired facts to support the necessity of a search. As civil rights groups have highlighted, a probable cause standard could prevent unnecessary or inappropriate searches primarily based on factors like a person’s race, religion, or political affiliation. In general, the intelligence community has maintained that individualized search approval could overwhelm the FISC with hundreds of applications each day, which could create lengthy delays of weeks or even months for review. Herrington stated that individualized FISC approval “would become so burdensome, that it would really be tantamount to a de facto ban on querying USPER [U.S. person] terms against this dataset” and “go towards rebuilding the wall that the 9/11 and Fort Hood Commissions identified.” The GSRA and PLEWSA put forth a probable cause warrant requirement to conduct most U.S. person queries for communications content—and would limit their subsequent use to specific contexts, including foreign cyber breaches and attacks on critical infrastructure—though the White House has called this standard “operationally unworkable.” In contrast, the FISA Reform and Reauthorization Act would only prohibit “evidence of a crime” queries but continue to allow the “foreign intelligence” searches that comprise the bulk of U.S. person queries.

Recognizing that a comprehensive cyber defense benefits from information sharing between the public and private sectors, Congress could direct the FBI to establish a formal mechanism to request affirmative consent from presumed U.S. victims of foreign cyberattacks as the first step to investigating their communications or metadata. A voluntary consent mechanism could build upon existing laws, like the 2022 Cyber Incident Reporting for Critical Infrastructure Act, which requires critical infrastructure providers to report “significant cyber incidents” that are “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States” to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours. All three proposed bills—the GSRA, FISA Reform and Reauthorization Act, and PLEWSA—provide for some form of consent from potential victims to access sensitive communications collected through FISA.

During noncyber contexts (or cases where consent is not feasible), Congress could consider requiring the FBI to seek individualized FISC approval to conduct U.S. person queries—but with modifiers. For example, Congress could require probable cause to intercept content but not metadata (as the GSRA and PLEWSA cosponsors recommend) or allow initial queries using U.S. person terms but requiring a court order only if it returns a hit. During exigent circumstances—for example, an immediate threat of violence—the Fourth Amendment also permits the U.S. government to conduct searches without a warrant. Formal procedures like a voluntary consent mechanism, modifiers to court approval, or exigent circumstances could significantly pare down the number of applications to FISC, which could mitigate concerns about overwhelming its resources. However, as discussed, additional clarity on the role of Section 702 in cyber defense would be invaluable to assess the practicality of these middle-ground proposals to minimize the number of U.S. person queries conducted.

  1. Codify FBI compliance procedures into law to prevent mishandling of personal data in domestic law enforcement cases.

No matter which standard for U.S. person queries that Congress chooses, privacy and national security officials agree that strong compliance mechanisms will be necessary to prevent misuse. In the past, the FISC noted that the FBI had engaged in “persistent and widespread” violations of existing Section 702 query procedures, including improperly searching communications from 133 Black Lives Matter protesters and 19,000 donors to a congressional campaign around 2020 and 2021. In 2016 and 2017, an FBI agent searched the database for two men perceived to be of “Middle Eastern descent” who were loading boxes into a truck. In turn, this history of FBI noncompliance incidents has led to a significant deterioration in trust in Section 702 among both Republicans and Democrats in Congress. FBI director Christopher Wray called incidents like these “unacceptable” and Deputy Homeland Security Advisor Joshua Geltzer stated that there is “no debate” over the severity of the past compliance failures.

After the DOJ’s Office of the Inspector General reported “widespread non-compliance” in December 2019, the FBI instituted several reforms to its querying procedures. In August 2020, the attorney general announced the creation of the Office of Internal Auditing (OIA) within the FBI to oversee compliance with minimization procedures. In November 2021, the FBI also modified its internal procedures to exclude Section 702 data from default searches. In addition, the FBI now requires agents to participate in new training protocols, obtain high-level approval, and enter case-specific justifications to search U.S. person terms. After instituting these compliance reforms, the number of U.S. person queries fell 93 percent from 2,964,643[4] in 2021 to 204,090 in 2022. In May 2023, the OIA reported its compliance rate across all raw FISA data rose from approximately 82 percent to 96 percent in the same time frame. Intelligence officials point to these statistics as evidence that their reforms have curtailed searches of U.S. person communications, thus reducing—though not eliminating—privacy risks.

Although more time is necessary to gauge the long-term effectiveness of these practices, Congress could codify them into law now to prevent future administrations from reversing the progress made—as the FISA Reform and Reauthorization Act and House Intelligence working group majority both provide for. In addition, Congress could consider other mechanisms to further improve trust in FBI compliance and prevent unwarranted surveillance by factors like race, ethnicity, religion, or political affiliation. For example, the PIAB recommended appointing a compliance officer at the FBI headquarters and 56 field offices, establishing an independent review mechanism within the Executive Office of the President, and investing in machine learning systems to automatically flag possible noncompliance incidents at a more rapid pace. The House Intelligence working group majority recommended permitting members of Congress to attend FISC hearings and view transcripts of proceedings, as well as requiring independent audits of all FBI queries over U.S. persons. Because both Republicans and Democrats in Congress have raised concerns over abuse, Section 702 would benefit from clearer compliance protections for U.S. person queries, accompanied by both automated and human resources for enforcement, to gain the momentum necessary for reauthorization.

  1. Strengthen the role of amicus curiae in Foreign Intelligence Surveillance Court proceedings.

Although the FISC annually approves general Section 702 surveillance procedures and reviews significant noncompliance incidents, it does not operate like a traditional court. The FISC primarily hears arguments from the government—not from affected individuals, who are not notified of Section 702 surveillance outside of criminal proceedings. To address the one-sided nature of proceedings, Congress established a formal role for amicus curiae in 2015. Amici are nongovernment experts with security clearances, typically former government attorneys, who provide external perspectives during FISC proceedings (including the annual certification process) that require “novel or significant” interpretations of Section 702.

However, the oversight function of amici is relatively limited. Amici are appointed at the discretion of the FISC, which often chooses to exclude them in its review of noncompliance incidents and the annual certification process. According to Senator Richard Blumenthal (D-CT), several amici resigned due to general lack of appointments throughout Title I and VII proceedings, which increased turnover and hindered long-term development of institutional expertise. Even in proceedings where an amicus is present, it typically has limited access to the facts of the case, hampering its ability to advise on the privacy interests of the public. The GSRA proposes requiring the FISC to report the number of amicus appointments, which could further inform the nature of their current role.

There is general support to expand the role of amici in conjunction with Section 702 reauthorization, but national security and privacy professionals have presented differing proposals on the scope and contexts of their appointment. For example, the privacy coalition has called for amici to be present in noncompliance reviews that involve U.S. religious, political, or journalistic targets, which the FISA Reform and Reauthorization Act would also provide for. Adam Klein has similarly suggested appointing an amicus in “highly sensitive” investigations, as defined by the FBI’s “Sensitive Investigative Matters” guidelines, or in cases involving U.S. individuals or companies. Even DOJ inspector general Michael Horowitz testified in April 2023 in general support of adversarial processes in FISA cases, particularly to improve the quality of evidence and facts. However, Assistant Attorney General Matthew Olsen presented an alternate view, stating in June that amici are generally unnecessary in cases that do not involve unique applications of FISA.

The PCLOB and House Intelligence working group majorities both recommend requiring an amicus to be present during all annual FISC recertifications, with the former noting that the rapid pace of technological change fundamentally alters the surveillance landscape regardless of whether there are novel legal questions at stake. The PCLOB majority also recommends expanding amicus access to relevant information in the case. To bolster the data, it suggests requiring the NSA, FBI, and Central Intelligence Agency (CIA) to submit a random sample of non-U.S. targets and U.S. queries during each recertification proceeding. Finally, it recommends allowing amici to appeal decisions and petition the Foreign Intelligence Surveillance Court of Review for appellate review. In addition to annual recertification, the GSRA and PLEWSA propose the FISC appoint amici in cases that involve a significant constitutional concern, “sensitive investigative matter,” or “new technology, or a new use of existing technology.” If enacted, these expanded categories could serve dual purposes: First, by strengthening judicial oversight of FISA, they could mitigate U.S. and EU concerns over secrecy and accountability. Second, by ensuring regular amici representation given both legal and technological developments, they could address the trade-off between privacy and security in the context of cyberattacks and other digital threats.

  1. Improve public transparency into Section 702 outcomes.

Since Snowden’s disclosures in 2013, U.S. intelligence agencies have taken strides to improve transparency into their operations. The ODNI has released the Annual Statistical Transparency Report (ASTR) each year since 2014, which includes top-line numbers on non-U.S. person targets. In 2021, the ASTR included, for the first time, the number of U.S. person queries—up to 2,964,643, over half of which were to identify victims of cybersecurity attacks or espionage. As discussed earlier, that number fell to 204,090 in 2022 after the FBI implemented its new query changes. It remains to be seen whether this decline in overall U.S. person queries will continue into the long term, but high-level metrics and other transparency tools are invaluable to understanding the efficacy of policy changes and ensuring accountability in Section 702 operations.

While the ASTRs are a good start, it is possible to further improve their methodologies to inform public debate over the effects of Section 702 on Americans. The PCLOB majority recommends further breaking down top-line numbers of U.S. person queries into multiple categories—including searches that are politically or culturally sensitive or primarily domestic in nature. In addition, the PCLOB majority has recommended systemic design changes to better quantify all “evidence of a crime” queries by the FBI.[5] Going further, privacy advocates have called for PCLOB and U.S. intelligence agencies to estimate the number of U.S. persons affected by Section 702 incidental surveillance. In 2017, the NSA pledged to calculate this number but later reversed its decision, stating that email addresses do not reveal the nationality of senders and that comprehensive attempts to identify them could further intrude on individuals’ privacy. However, even if an exact number is technically difficult to quantify, intelligence agencies could still generate an approximate range of U.S. persons affected through methods like randomly sampling the Section 702 database and encrypting the contents of communications.

National security officials commonly state that no court has ruled Section 702 unconstitutional. However, nontransparency has created structural barriers that prevent lawsuits. Since most individuals lack means to obtain evidence of surveillance, it is almost impossible to establish legal standing to challenge Section 702 in a traditional court. U.S. government agencies are required to alert defendants if they base criminal charges on FISA but may avoid notification through “parallel construction,” or picking up information through Section 702 then retracing it using a separate source. Furthermore, individuals who are not affiliated with illegal activity—the majority of those surveilled—are never notified. Due to this institutional barrier, no U.S. court has ever issued a ruling on the constitutionality of Section 702 or EO 12333 in a civil lawsuit.[6] In Clapper v. Amnesty International USA (2013), the Supreme Court ruled that the potential for FISA surveillance—without solid evidence of prior intercepted communications—was not enough for plaintiffs to demonstrate standing to sue. To better understand this information asymmetry, Congress could hold hearings to explore the feasibility of proposed transparency measures, including (a) direct notification to foreign surveillance targets after a reasonable grace period following an investigation, should intelligence agents determine that the individual poses no demonstrable security risks, (b) more cohesive public explanations on the DOJ’s use of Section 702 evidence in criminal cases, and (c) closing the loophole of “parallel construction,” which is a provision within the GSRA.

Another barrier to litigation is the state secrets privilege, which intelligence agencies may invoke to withhold confidential national security information. The state secrets privilege can prevent plaintiffs from discovering evidence or lead to the wholesale dismissal of Section 702 challenges, as it did in Wikimedia Foundation v. NSA. To clarify the role of judicial oversight, both the ACLU and the GSRA have recommended amending FISA to expressly state that existing Section 106(f) procedures for ex parte in-camera review of complaints supersede the state secrets privilege, though the GSRA focuses on U.S. person complaints while the ACLU generally recommends extending protections to non-U.S. persons as well.[7] From a national security perspective, former NSA official George Croner has defended the state secrets privilege to maintain separation of power between the executive and judicial branches in the context of military duties. In general, Congress and PCLOB may benefit from additional feedback through formal hearings or investigations on the extent to which transparency mechanisms are feasible without compromising national security. In turn, robust but tailored transparency tools could partially address some EU concerns over the adequacy of the redress mechanism within the EU-U.S. DPF and overall judicial scrutiny of FISA.

  1. Align Section 702 protections with other surveillance laws, including EO 12333 and the Electronic Communications Privacy Act.

Section 702 of FISA is in the spotlight because of its upcoming sunset date, but it is only one of several surveillance tools available to U.S. government agencies. While national security agencies must follow FISA procedures when conducting “electronic surveillance” of non-U.S. persons if data are stored within U.S. borders, they may turn to EO 12333 for activities that occur entirely overseas. EO 12333 contains broader surveillance authorities than FISA. It allows intelligence agencies to conduct bulk surveillance—which, similarly, may sweep in incidental communications from Americans—and is not subject to FISC oversight. The U.S. government typically does not notify criminal defendants if it uses EO 12333 evidence in court, nor do the FBI’s revised Section 702 querying procedures apply to EO 12333. In 2022, Senators Ron Wyden (D-OR) and Martin Heinrich (D-NM) wrote a letter indicating that CIA bulk surveillance under EO 12333 had affected U.S. individuals, though many of the details remain classified. But in a digital economy, geography is a less relevant proxy for privacy risks: U.S. companies now routinely transfer and store data all over the world, regardless of the affiliated person’s nationality or physical location. Recent advancements in artificial intelligence have also created enormous demand for personal information to be outsourced overseas, where it is sorted and labeled for training data.

Meanwhile, the Electronic Communications Privacy Act (ECPA) of 1986 creates a separate set of rules for U.S. government interception of real-time or stored communications, but technological advancements similarly have left gaps in its protections. The ECPA contains disparate requirements for U.S. government officials to intercept emails, audio messages, and other electronic communications depending on factors like (a) whether or not a person opens a message, (b) if a message is stored on a local hard drive or remote cloud server, and (c) how long a message has been in storage. However, as companies expand their data collection practices, they are increasingly shifting to remote cloud servers to save information for longer time frames, eroding ECPA protections. In other words, traditional surveillance authorities have not kept up with technological advancements, creating uneven privacy and civil liberties protections for similar types of data collection.

FISA reform alone will not holistically increase U.S. privacy protections or address CJEU concerns if significant gaps exist outside its framework. In the short term, the Brennan Center’s Elizabeth Goitein has recommended extending FISA protections to signals intelligence typically conducted under EO 12333, including FISC programmatic review of querying procedures and direct notification to criminal defendants if using evidence derived from these programs. Similar to Section 702, privacy advocates have also recommended requiring U.S. government agencies to obtain either a warrant or FISA Title I court order to conduct U.S. person queries on EO 12333 databases. The GSRA similarly extends its warrant proposal to surveillance conducted under EO 12333 and the ECPA including location data, stored emails, and web browsing history. This model could set a baseline for more comprehensive updates to the entire surveillance framework that shift away from outdated distinctions like the physical location of personal information, type of communications device, length of data storage, or method of procurement. In the long term, Congress could require clear, uniform procedures to access U.S. communications based on more relevant standards like the scope, sensitivity, and nature of the data collection, as well as associated privacy or cybersecurity risks.

  1. Limit commercial acquisitions of data outside the FISA framework.

Government agencies have interpreted the Fourth Amendment to permit the “voluntary” procurement of personal information outside frameworks like the ECPA, FISA, or PPD-28, including purchasing smartphone geolocation from data brokers and scanning facial recognition databases. FISA applies when U.S. intelligence authorities conduct “electronic surveillance,” a term that includes specific devices and communications available in the analog age, such as wires and radio. However, it does not apply to the modern data brokerage market, which generally lacks strong legal limitations on data collection. The LIBE’s April 2023 resolution cited how the United States lacks a federal privacy law comparable to the GDPR, which enables private companies to collect expansive amounts of personal data that U.S. government agencies could subsequently tap into. Notably, the ODNI reported in June 2022 that intelligence agencies have purchased a “large amount” of commercially available information on both U.S. and non-U.S. individuals, often without clear guardrails for privacy or civil liberties in place.

Despite the intelligence value of commercially available information, the ODNI report acknowledged it can expose sensitive details of individuals’ lives, which creates potential for abuse through blackmail, harassment, or stalking. The widespread availability of sensitive personal information also increases exposure to Russian and Chinese government access through both legal and illegal means, including through direct sales with data brokers, indirect sales through intermediaries, and cyberattacks. In turn, foreign adversaries could exploit commercial data to track military operations, target information operations, or commit intellectual property theft. The Chinese Communist Party (CCP) has contracted data brokers to compile dossiers on domestic and foreign political critics, including some in the United States. Meanwhile, the Russian government has targeted social media messages to U.S. voters in previous elections—a threat that the investigation under former FBI director Robert Mueller found to be “magnified by the ease with which personal data can be purchased or stolen by a foreign adversary with advanced cyber capabilities.”

Even if Russia and China acquire sensitive personal information on the open market, the United States should act as a leader on privacy by enacting legal guardrails on this practice. One short-term fix is to update FISA’s definition of “electronic surveillance” to include data brokers, which would more accurately reflect today’s digital landscape. Furthermore, Congress could extend existing statutory and constitutional protections to commercial data, as the GSRA cosponsors recommend: if U.S. government agencies required a warrant or court order to involuntarily compel a technology platform to turn over user information, the government could impose the same standards to buy that information. Finally, Congress could create direct boundaries on how data brokers and other technology platforms collect, process, and share personal information, which could indirectly affect how both U.S. and non-U.S. governments access it.

Conclusion

As Congress continues to consider legislation, Section 702 reauthorization should center around two primary objectives: (a) preventing digital adversaries from exploiting gaps in U.S. intelligence communications and (b) protecting individual privacy and civil liberties amid technological expansions in data collection. These goals are not incompatible, but reauthorization will require striking a delicate balance between them.

To start, Congress could more easily codify some privacy safeguards that already exist in practice, like the EU-U.S. DPF and agency compliance procedures. Other policy proposals, like direct notification of surveillance or state secrets reform, contain more novel legal implications and may require careful technical language to implement. Both categories, however, will require tailored approaches to enhance privacy safeguards while still preserving the statute’s flexibility to quickly respond to real-time national security threats. The intelligence community could assist in this risk-benefit analysis by providing additional clarity on their current use of Section 702 to address digital threats like cyberattacks. This information could help identify which FISA provisions best equip national security agencies to address technological adversaries—and where Congress could implement policy proposals from the recent legislation, PIAB, PCLOB, and civil liberties groups without sacrificing the statute’s intelligence value.

Congress should also acknowledge the crucial ways in which amending Section 702 could help, not hurt, the public interest. In addition to safeguarding individual privacy and civil liberties, reasonable amendments to Section 702 surveillance could go a long way toward ensuring the sustainability of digital trade between the European Union and United States. Along with federal commercial privacy legislation, FISA reform could help the United States shift away from its global reputation as a “digital Wild West” and move toward shared global leadership on privacy and civil liberties. It could send a message to the world that privacy matters in the United States. Importantly, it could help the United States align more closely with geopolitical allies that consider privacy a fundamental right—in contrast with authoritarian governments that engage in widespread surveillance and espionage abuses.

FISA reform could help the United States shift away from its global reputation as a “digital Wild West” and move toward shared global leadership on privacy and civil liberties.

Looking ahead, the PLEWSA would extend Section 702 for three years while the FISA Reform and Reauthorization Act would do so for twelve. But no matter when Section 702 next comes up for renewal, it is important to note that the world might look different at that time. Technological advancements may implicate privacy and national security priorities in unforeseen ways. Transatlantic digital trade relationships could heighten urgency to sustain cross-border data flows, and global conflicts might break out, altering intelligence priorities. For these reasons, Section 702 merits careful evaluation to align modern trade-offs. Congress should not lose this chance to modernize U.S. surveillance in a digital age—but any changes to Section 702 now should not be the last.

Caitlin Chin-Rothmann is a fellow with the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.

The author would like to thank Julia V. Brock for her research assistance and editorial support. The author would also like to thank Evan Brown for his research support and feedback on this draft. 

This report is made possible by general support to CSIS. No direct sponsorship contributed to this report.

Please consult the PDF for references.

Image
Caitlin Chin

Caitlin Chin-Rothmann

Former Fellow, Strategic Technologies Program