House Permanent Select Committee on Intelligence (HPSCI) Chairman Mike Turner is celebrating the passage of HR 6611, the 2023 FISA reauthorization bill.

Chairman Turner would have granted a clean FISA renewal, he’s that kind of Republican; however, several Republicans demanded changes to the FISA-702 authorities that capture the data of American citizens without a warrant.  Thus, the HPSCI modified the authorities within HR 6611, but they made it worse.

(Via CDT) – Tucked away near the end of the bill the House Intelligence Committee reported on December 7 (H.R. 6611, the “HPSCI bill”) is a provision that would dramatically expand surveillance under the controversial Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”), which sunsets on December 31 unless reauthorized. Section 504 of the bill, innocuously captioned “Definition of Electronic Communications Service Provider,” would expand the types of entities that can be compelled to disclose internet communications whether in storage or in transit.

FISA 702 permits the U.S. government to compel communication service providers to disclose for foreign intelligence purposes the communications of persons reasonably believed to be non-U.S. persons abroad. No warrant is required; a belief that the communications relate to U.S. foreign affairs or national security is sufficient.  Under current FISA 702, only entities that provide communication services like email, calls, and text messaging can be compelled to disclose these communications. 

As FISA Court amicus and longtime practitioner Marc Zwilligener and his colleague Steve Lane have already noted, the HPSCI bill would upend the current system, enabling the government to compel anyone with mere access to the equipment on which such communications are stored or transmitted to disclose those communications.  That could include personnel at coffee shops that offer WiFi to their customers, a town library that offers public computer internet services, hotels, shared workspaces, landlords and even AirBNB hosts that offer WiFi to the people who stay there, cloud storage services that host but do not access data, and large data centers that rent out computer server space to their clients.

The provision is intended to reverse a rare decision of the FISA Court of Review (FISCR), which had rejected the government’s claim that a service that a company provided fit within the scope of Section 702. In its effort to override the FISCR ruling, the HPSCI bill has opened Pandora’s Box.  

Because FISA 702 does not merely give the government power to compel production of communications but rather to require that businesses “provide the Government with all information, facilities, or assistance necessary to accomplish the acquisition,” [emphasis supplied] the government could use this new section to compel changes to the infrastructure and operations of some of the business entities listed above. For example, a provider of computer co-location services whose business model is to rent out and to service space on which its clients place their computer servers could be compelled to engineer its service to facilitate such access. In addition, because the HPSCI bill’s expansion is designed to pull in entities that do not currently even have access to communications, the extent of this forced restructure could be severe.

Such a shift not only affects American businesses, it is also likely to spur on overcollection and improperly sweep in Americans’ communications. The expansion would likely facilitate compelled  “Upstream” collection from these entities, a technique in which the government demands access to the entire stream of communications data, rather than obtaining only the communications to and from surveillance targets. It may be difficult for businesses that have access to equipment on which communications are stored and transmitted, but have never had to access the communications themselves, to ensure that only the data of Section 702 targets is turned over to the government.

Instead, they may be compelled to turn over entire communication streams or permit the copying and dragnet scanning of all the data on a server they host. Upstream collection performed by sophisticated giant telcos who operate the Internet backbone already has a fraught history of overcollection, including sweeping in wholly domestic communications (such as through multi communication transaction and “Abouts” collection). Forcing businesses that do not by practice even access communications to comply with FISA 702 orders—including Upstream orders—is reckless, and very likely to cause domestic communications to be improperly collected. (read more)

Here’s the core problem The DATA COLLECTION is not going away, meaning the wholesale gathering of the metadata on all electronic communication is the baseline.  As long as that baseline exists, the debate is about how the metadata can be accessed and what queries into that data can take place without a search warrant.

If FISA-702 was completely removed, the executive branch (DOJ-NSD) would be on the honor system, which essentially- they are now.

As long as the capability to retrieve and store the data exists, it will be exploited.   The data collection horse left the barn long ago.  That reality only leaves the ability to limit access as a solution to the abuses and warrantless surveillance.

Having looked extensively at this issue for years, and accepting the data collection is never going to be stopped, the only pathway to try and ensure rules and regulations are compliant with the 4th amendment, would be an oversight panel from the legislative branch put inside the process.

The only time the legislative branch has any power in the FISA process, is when they reauthorize its use.  Only at these specific moments is the legislative branch currently involved.  At all other times, it is the executive branch (DOJ, DOJ-NSD and FBI) involved, along with the FISA Court which represents the judicial branch.   The absence of the legislative branch in the process could be considered the oversight problem.

FISA, as it applies to American citizens caught up in the “incidental collection,” is clearly weaponized.  The underlying database, the storage system for all data, is the other problem.  As long as thousands of people in the executive branch have access to search this database, that access will be abused.

[CTH] – Office of Inspector General Michael Horowitz testified, April 27, 2023, that more than 3.4 million search queries into the NSA database took place between Dec. 1st, 2020 and Nov. 30th, 2021, by government officials and/or contractors working on behalf of the federal government. These search queries were based on authorizations related to the Foreign Intelligence Surveillance Act (FISA).

Approximately 30% of those 3.4 million search queries were outside the rules and regulations that govern warrantless searches – what the politically correct government calls “non-compliant searches.”  That means during the year 2021, more than 1 million searches of private documents and communication of Americans were illegal and outside the rules.

Additionally, IG Horowitz admitted that somewhere north of 10,000 federal employees have access to conduct these searches of the NSA database; a database which contains the electronic data of every single American, including emails, text messages, social media posts, instant messages, direct messages, phone calls, geolocation identifiers, purchases by electronic funds, banking records and any keystroke any American person puts into any electronic device for any reason. (more)

In my opinion, instead of trying to put the FISA genie back into the bottle, Congress needs to work on the accountability piece.  The punishment for abusing the database needs to be defined – perhaps 5 years imprisonment for each search violation.

The only thing I can think of that will improve the “702” issue, is a legislatively created oversight panel forced within the process (that puts the legislative branch inside the DOJ/FISC relationship) that has full access to see and monitor everything that is being done by the DOJ/FBI.

I don’t know if that would work, but it’s better than what they are doing now.