A debate is erupting in Congress over whether to renew or repeal a law that officials say is vital to combating terrorism, cybercrime, and disruptive foreign espionage—but that others decry as a violation of Americans’ civil liberties.
The law, Section 702 of the Foreign Intelligence Surveillance Act, allows the National Security Agency to intercept the communications of foreigners, even if it means tapping into networks or servers based on U.S. soil, without a warrant.
The existence of this program, known as PRISM, was made public back in 2013 by NSA whistleblower Edward Snowden. Snowden’s leaks of highly classified documents, first published in the Washington Post, suggested that the NSA—by far the largest U.S. intelligence agency—was monitoring the emails and phone calls of thousands, possibly millions, of Americans.
Subsequent analyses revealed that the program really was aimed at foreigners on foreign soil, but that some Americans did get swept up in the gigantic data-suck. This occurred mainly as an unavoidable consequence of internet technology, though it was sometimes the result of bureaucratic overstepping, not so much by the NSA, but rather by the FBI.
The revelations of FBI abuse have turned many Republicans against the program, in keeping with their general hostility toward the FBI for its investigations—which they see as politically motivated—of former President Donald Trump.
Unless Congress votes to extend Section 702 by the end of this year, it expires.
The Biden administration is pushing hard for its renewal. This week, Attorney General Merrick Garland and the Director of National Intelligence, Avril Haines, sent a letter to Congress urging reauthorization as “a top legislative priority” and offering classified briefings to anyone who doubts it. Haines will also be testifying, in open hearings, before the House and Senate Intelligence Committees next week.
PRISM had its roots in 2007, when Adm. Mike McConnell, then the NSA’s director, was shown a map revealing that, at some point, 80 percent of the world’s digital communications passed through U.S. servers. Digital data travels in packets, which whoosh around the globe as fast as possible. Information travels more quickly along the densest routes. The U.S. hosts the greatest density of internet traffic. Therefore, if, say, a terrorist in Sudan was talking with a terrorist in Pakistan, some of the packets would travel through American servers.
The implications for intelligence-gathering were profound. Ever since digital devices supplanted telephones, radio signals, and microwave transmissions, the NSA had been having a hard time monitoring foreign communications—which was, and is, the agency’s primary mission. The problem was compounded by the fact that the U.S. had no listening stations—analog or digital—in areas close to terrorist hot spots. But McConnell’s map suggested that no such stations were necessary. The NSA could pick up packets of the dialogue right here at home. In some cases, terrorists were using, or communicating with, U.S. email addresses. That made the task easier still.
However, there was a legal obstacle. The FISA Act, which was written in 1978, barred domestic surveillance without court-concurred evidence of “probable cause” that the target was an agent of a foreign power who would actually be using the places under surveillance and that the eavesdropping would not pick up the communications of an American citizen, permanent resident, or corporation.
The problem was that in the digital age, there are no concrete places of surveillance; cyberspace is everywhere. Nor could the government guarantee that, while intercepting the packets of a cellphone conversation, it might not pick up some innocent American’s chatter.
So, at McConnell’s urging, President George W. Bush proposed, and Congress readily passed, an amendment to FISA. A key passage, the essence of Section 702, noted that “electronic surveillance” of an American would not be illegal—would not even be defined as “electronic surveillance”—if it was aimed at a person who was “reasonably believed to be located outside of the United States.” Finally, a little-noticed clause allowed the agency to conduct its surveillance “with the assistance of a communications service provider.” This is what Snowden’s leak amplified: that the major service providers—Sprint, Verizon, Microsoft, Google, and others—were supplying the data that let the NSA do its spying.
Shortly after the Snowden leaks, President Barack Obama appointed a special commission to investigate the situation. (I tell the detailed story of this commission, and of the origins of Section 702, in my 2016 book, Dark Territory: The Secret History of Cyber War, especially Chapters 11 and 14.) After a four-month investigation, in which they were given clearances to inspect any and all files, the commissioners found—in a 303-page report—“no evidence of illegality or other abuse of authority.” Regulations laid down strict guidelines for Section 702 surveillance; vast legal teams within the NSA enforced the guidelines; the Justice Department supervised the operation and verified compliance. There would always be “the lurking danger of abuse,” the commissioners noted, suggesting more than a dozen reforms to keep them from turning real, but for now the popular “impression” that NSA surveillance “is indiscriminate and pervasive” was “not the case.”
More than that, the commission confirmed the NSA’s claim that Section 702 intercepts had impeded or blocked 54 terrorist operations, or 53 of them anyway.
As a result, in 2018, Congress renewed Section 702 with little controversy. Its second renewal is coming up at the end of this year. If Congress doesn’t approve an extension, the law expires. Two things have happened since the 2018 extension: one strengthens the program’s legitimacy; the other weakens it.
The positive development is that Section 702 is now invoked to track, impede, counter, or capture not only terrorists, but also cybercriminals, spies, and a variety of other dangers to national security. In the coming weeks, the Biden administration will be declassifying several case studies purporting to prove this claim.
However, official audits of the program have also revealed a rise in the incidence of abuse. The NSA stores the raw data collected under Section 702—including the incidental data involving Americans—for five years. It can share this data with some other U.S. intelligence agencies, which can make requests by citing names, email addresses, or phone numbers of certain Americans. They are supposed to do this only if those Americans are suspected to be involved with foreign terrorists, spies, cybercriminals, and so forth. But it is widely believed—and suspicions have been confirmed in some cases—that the FBI has been invoking its privileges to find dirt on Americans they’ve been tracking for criminal cases that have nothing to do with national security, and doing so without going to the trouble of obtaining a search warrant. This practice is known as a “backdoor search loophole”—and it’s a violation of the 4th Amendment guarantee against unlawful search and seizure.
In 2021, according to a report by the Director of National Intelligence, the FBI queried Section 702 data for information about Americans 3.4 million times. Many of those searches involved a single person—but, as Jeff Kosseff, an associate professor at the U.S. Naval Academy’s cyber science department, wrote in Lawfare, “even a fraction of 3.4 million queries is massive and difficult to fairly classify as ‘incidental.’ ”
Kosseff wrote that he supports an extension of Section 702, but only if it’s revised to impose new restrictions on the FBI and other users of the data. One possible reform would be to require a warrant detailing “probable cause” before any Section 702 data can be used to investigate an American.
The debate over the future of Section 702 is shaping up to be a clash among three factions: those who want to preserve the law as it is; those who want to reform it along the lines that Kosseff and others have suggested; and those who want to let it expire.
Biden, his relevant cabinet secretaries, and his top aides are pushing for full preservation. The MAGA backers want to let Section 702 die; Rep. Jim Jordan, a stolid Trump supporter and chairman of the House Judiciary Committee, has called for killing not just Section 702 but the entire FISA Act.
The assumption is that, sometime before the end of the year, Biden will offer enough compromises to soften some of the extremists and bolster the majority of legislators who, whether outspokenly or not, would like to keep the law intact while tightening controls on abusers. The question is whether, in this fractious political climate, any sort of compromise can be reached.
