Last week, three Foreign Intelligence Surveillance Act authorities expired after a watered-down reauthorization and reform bill that had been hastily approved by the House ran into opposition in the Senate. Though the Senate ultimately agreed to a short-term 77 day extension, the House has yet to act on it. Since the authorities are grandfathered for investigations already undeway, or for potential offenses a temporary lapse is unlikely to have much operational impact, and an extension soon seems inevitable. When Congress does finally take up the issue again, this most recent compromise bill will be the baseline for further improvements—and improvements are sorely needed.

There are certainly some things to support in the failed compromise bill, but it ultimately falls well short of what’s necessary—and includes a lot of cosmetic tweaks designed to mollify a president outraged over the mishandling of the Carter Page investigation, without actually effectuating substantive change.

Let’s review both the good and the not-so-good.

The bill would finally put an end to the misbegotten “call detail records program” initially exposed by Edward Snowden nearly seven years ago, and preserved in a diluted form under the USA Freedom Act of 2015. Though more limited than its predecessor, which indiscriminately vacuumed up nearly all domestic call records, the USA Freedom version of the CDR program nevertheless led to the government collecting hundreds of millions of call detail records each year, based on just a handful of orders. Like its predecessors, it was both plagued with compliance problems and errors, and essentially useless operationally, as the Privacy and Civil Liberties Oversight Board, an independent executive branch agency, confirmed in a recent report. Though the National Security Agency itself decided to mothball the program, the administration formally requested that the authority for it be renewed, just in case they saw a need for it in the future. Rejecting that idea, as this latest bill does, should be a no-brainer.

There are also welcome–if inadequate–changes to the broader business records provision, also known as Section 215, which (as the name suggests) enables the government to obtain business records, or any other “tangible thing,” that is deemed “relevant” to a national security investigation. Because the bar for obtaining §215 orders is far lower than the probable cause required for a full-blown FISA warrant, the new bill closes a potential loophole by clarifying that the authority may not be used to obtain any record that would otherwise require a full search warrant in an ordinary criminal investigation—and that this includes location information, which the Supreme Court brought under the protection of the Fourth Amendment in Carpenter v. United States (2018).

Yet this bill does not go nearly as far as Sen. Ron Wyden’s Safeguarding Americans’ Private Records Act, which would similarly require a warrant to obtain a target’s Web browsing history and other categories of particularly sensitive records. Nor, perhaps more importantly, does it address the underlying breadth of §215: The trivially low bar of “relevance to an investigation” compounded by a requirement that the FISA Court approve orders for individuals with any connection to the target of an investigation. In the now notoriously botched investigation of former Trump campaign advisor Carter Page, for instance, the FISA Court would have been presumptively obligated to issue an order for the financial or telecommunications records of anyone “known to” or “in contact with” Page, since he was the target of a foreign intelligence investigation believed to be acting as an agent of a foreign power, and all such records are defined as automatically “relevant” by the statute. In principle, that would have made the records of virtually the whole of the senior Trump campaign staff available to the FBI without any further basis for suspecting them individually,

Also in the positive column are expansions of the role of the FISA Court’s amici curiae—expanding their ability to provide the Court with an independent perspective from the government’s, and assuring them access to files and evidence needed to do their job more effectively—as well as a firmer deadline for the publication of significant rulings by the Court.

But these are ultimately efforts to compensate for a deeper defect in the FISA process: Unlike ordinary criminal wiretaps, FISA surveillance is normally permanently covert by default, with only a tiny fraction of those spied on every learning about it. Eliminating that back-end notice to the target of surveillance—notice that is normally considered constitutionally necessary to make a search “reasonable”—also eliminates an important incentive to be scrupulous in seeking applications. There may often be compelling national security reasons to delay notice to individual targets, perhaps even for quite extended periods of time, but at least in the case of U.S. persons, there is no good justification for making secrecy the universal, uniform default: The government should have to make the argument once surveillance terminates. In cases where surveillance has ultimately failed to support the government’s belief that a U.S. target had acted as a foreign agent, then there will often be no compelling national security rationale for failing to disclose.

Finally, there are what I think of as the “Carter Page provisions” of the bill. These are fairly clearly calculated to persuade Donald Trump that serious reforms have been enacted which will prevent a repeat of the grossly flawed investigation of his erstwhile advisor. As one might expect, they are largely cosmetic—sounding “tough” but with little real chance of making much practical difference. Criminal penalties for misuse of FISA are increased somewhat, which doesn’t add up to much if, in practice, nobody is ever actually criminally prosecuted for FISA misuse. Even in the Page case, only one of the attorneys involved in reviewing the application faces even the slenderest chance of prosecution. FBI agents are not thinking “well, I’ll falsify an application if I risk a three year prison term, but eight is too much!” They don’t believe they will be prosecuted, and they are well justified in that belief.

There’s also a provision requiring the “attorney general” to approve in writing of investigations targeting candidates for federal office before certain FISA tools can be employed. “Attorney general” is in quotation marks there, because for FISA purposes “attorney general” is actually defined as a cluster of senior Justice Department officials who must already sign off on any full-blown FISA surveillance. And given the narrowness of this provision, it’s not clear it would have applied even to the investigation of Page—not himself a candidate for any office.

These aren’t necessarily inherently objectionable, but they are ultimately Potemkin reforms designed to persuade an audience of one to sign an otherwise relatively weak bill.

In short, the FISA reauthorization bill qualifies as a promising start, but falls short of the fiery rhetoric we’ve heard lately about the need to overhaul the system. But it remains a stronger baseline than many civil libertarians would have thought possible a few years ago, and if amendments offered before a final vote address some of the shortcomings identified here, reality might actually live up to the rhetoric.

Cross posted to the Cato Institute Blog.