Part I of this post discussed the troubled history of the Section 702 program and the first two issues addressed in the FISA Court’s October 2018 opinion: whether a particular form of downstream collection constituted “abouts” collection, and whether the FBI is required by statute to keep records of each U.S. person query it conducts. Part II discusses the third issue addressed by the Court—the FBI’s improper queries of Section 702 communications—as well as the Court’s unsatisfactory solution for bringing the FBI into compliance with the statute and the Fourth Amendment.

The FISA Court’s October 2018 opinion, continued

Improper queries of Section 702 communications. The most eye-opening part of the October 2018 opinion is the section addressing the “large number” of queries undertaken by the FBI since April 2017 that did not comply with internal rules, the statute, or the Fourth Amendment.

To begin, the opinion provides the first glimpse of just how prevalent the FBI’s U.S. person queries really are. In the past, the FBI has claimed it has no way even to estimate this number. It was nonetheless clear that the number was significant, as the Privacy and Civil Liberties Oversight Board (PCLOB) reported that the FBI runs queries of databases containing Section 702 data at the earliest stage of every assessment or investigation.

The Court’s October 2018 opinion reveals that the FBI in 2017 conducted 3.1 million queries on one system alone. This number encompasses U.S. person and non-U.S. person queries alike, but as the Court observed: “[G]iven the FBI’s domestic focus it seems likely that a significant percentage of its queries involve U.S.-person query terms.” Almost certainly, then, the total number of U.S. person queries run by the FBI each year is well into the millions.

In theory, the FBI’s procedures are supposed to limit these searches. The key limitation, as set forth in the querying procedures, is as follows:

“Each query of FBI systems [containing raw Section 702 data] . . . must be reasonably likely to retrieve foreign intelligence information, as defined by FISA, or evidence of a crime, unless otherwise specifically excepted in these procedures.”

This requirement essentially mirrors the one previously contained in the FBI’s minimization procedures. The FISA Court once again held, as it has in the past, that this limitation, “as written,” satisfies both the statute and the Fourth Amendment.

But that didn’t end the Court’s analysis. The Court went on: “FISC review of minimization procedures under Section 702 is not confined to the procedures as written; rather, the Court also examines how the procedures have been and will be implemented.” The Court then noted that, “[s]ince April 2017, the government has reported a large number of FBI queries that were not reasonably likely to return foreign-intelligence information or evidence of a crime.” These included multiple one-off incidents of FBI personnel running U.S. person queries accidentally or for improper personal purposes. (In a frank statement that reveals why limits on access are a poor substitute for adequate limits on collection, the FISA Court commented that it was less concerned about personal misuses of the data, because “[i]t would be difficult to completely prevent personnel from querying data for personal reasons.”) They also included several incidents indicative of more systemic problems, including:

In March 2017, the FBI, against the advice of the FBI’s Office of General Counsel, conducted queries using 70,000 identifiers “associated with” people who had access to FBI facilities and systems.

On a single day in December 2017, the FBI conducted over 6,800 U.S. person queries using Social Security Numbers.

Between December 7-11, 2017, an FBI official improperly reviewed raw FISA information resulting from 1,600 U.S. person queries.

On more than one occasion, the FBI conducted dozens of U.S. person queries to gather information about potential informants.

The government told the FISA Court that these errors stemmed from “fundamental misunderstandings by some FBI personnel [about] what the standard ‘reasonably likely to return foreign intelligence information’ means.” This is a remarkable admission, given that this standard has been in place for several years, and given the government’s repeated assurances to the FISA Court during this time that access to Americans’ data was restricted to personnel who were carefully trained in the applicable limits.

The Court expressed “serious concern” about “the large number of queries evidencing a misunderstanding of the querying standard—or indifference to it.” It identified three factors that heightened its concern. First, it cited limitations on existing oversight mechanisms. It noted that some FBI field offices go for periods of two years or more between oversight visits, and ultimately, Justice Department overseers “review only a small portion of the queries conducted.” It also observed that “the documentation available to [overseers] lacks basic information that would assist in identifying problematic queries.” Given these limitations, the Court wrote, “it appears entirely possible that further querying violations involving large numbers of U.S.-person query terms have escaped the attention of overseers and have not been reported to the Court.”

Second, the Court—for the first time—acknowledged the tension between the substantive limits on queries contained in the FBI’s procedures, and the Bureau’s vigorous encouragement to its personnel to run queries early and often. Indeed, an FBI official submitted a declaration to the Court stating that “FBI encourages its personnel to make maximal use of queries—provided they are compliant with the FBI’s minimization procedures . . . .” FBI officials are thus simultaneously told to maximize and minimize their access to U.S. person information. In the Court’s words:

On the one hand, the FBI is obligated to query Section 702 and other FISA information only in circumstances satisfying a querying standard that does not apply to FBI information generally. On the other hand, it has set up its systems to facilitate running the same query simultaneously across FISA and non-FISA datasets . . . and encourages personnel to make maximal use of such queries, even at the earliest investigative stages. Those policy decisions may well help FBI personnel work efficiently and “connect dots” to protect national security . . . but they also create an environment in which unduly lax applications of the Section 702 querying standards are more likely to occur.

Third, the Court discussed the FBI’s use of “batch queries”—perhaps the most explosive revelation in the opinion. The FBI’s querying procedures require that “[e]ach query” must be reasonably likely to retrieve foreign intelligence information or evidence of a crime. The government, however, has taken the position that “an aggregation of individual queries”—also referred to as a “batch query”—“can satisfy the querying standard, even if each individual query in isolation would not be reasonably likely to return foreign-intelligence information or evidence of a crime.” So, for instance, if the FBI has information that an employee at a particular company is planning illegal actions, but the FBI has no knowledge of who the employee is, the Bureau would be justified (the government argues) in running queries for every employee at that company. This is presumably the theory on which the FBI ran the massive numbers of queries described above (e.g., 70,000 queries on individuals with access to FBI systems and facilities).

If this sounds familiar, it should. This is the same rationale the NSA used to justify “bulk collection” of Americans’ telephone records. Even though the applicable statute, Section 215 of the Patriot Act, allowed the government to obtain records only if they were “relevant” to an authorized investigation, the FISA Court allowed the NSA to collect the phone records of nearly every American—most of which were, of course, entirely irrelevant to any investigation—on the ground that some relevant records were likely buried within them. When this practice was made public as a result of Edward Snowden’s disclosures, it was unable to withstand either judicial review (the Second Circuit Court of Appeals held that it violated the statute) or the judgment of Congress (which changed the law in 2015 with the goal of prohibiting bulk collection).

As the NSA’s bulk collection program illustrates, there is no logical limit to how many queries the FBI could aggregate based on the theory that the result will likely yield foreign intelligence or evidence of a crime. Indeed, the larger the number of individuals swept in, the more likely it is that the queries, in aggregate, will turn up results. It is a small step from “batch queries” to “bulk queries.” The Court did not seem alarmed by the implications of the theory—it opined that “[p]erhaps in the abstract it would be reasonable for the FBI to run such an aggregated query”—but it nonetheless expressed skepticism that such an approach could be reconciled with the text of the FBI’s querying procedures, which require “[e]ach query” to be reasonably likely to return foreign intelligence information or evidence of a crime.

Ultimately, the Court held that the extent of improper querying rendered the FBI’s procedures, as implemented, inconsistent with Section 702’s “minimization” requirement. It also held that the FBI’s practices violated the Fourth Amendment’s reasonableness requirement. Although it found the government’s interest in acquiring foreign intelligence information to be “particularly intense,” it quoted a decision by the Foreign Intelligence Surveillance Court of Review (FISCR) stating that if “the protections that are in place for individual privacy interests are . . . insufficient to alleviate the risks of government error and abuse, the scales will tip toward a finding of unconstitutionality.” The Court concluded: “Here, there are demonstrated risks of serious error and abuse, and the Court has found the government’s procedures do not sufficiently guard against that risk.”

To cure these defects, the Court recommended—and the FBI ultimately adopted, after the government’s unsuccessful appeal to the FISCR—a remedy proposed by amici. Specifically, any time the FBI runs a U.S. person query that returns Section 702 data, FBI personnel are not permitted to view the content (although they may still view non-content “metadata”) unless they first document the reasons why they believed the query was likely to return foreign intelligence or evidence of a crime. The Court opined that this requirement would force FBI personnel to think more carefully about the applicable standard before running queries, and would assist oversight personnel in determining whether the standard was indeed being honored.

A Triumph of Oversight?

The FISA Court identified serious problems with the government’s submissions, engaged amici to provide advice, considered and partly agreed with their arguments, held the government’s actions to be not only unlawful but unconstitutional, and adopted a remedy proposed by amici—all of which was made public, albeit with redactions. Taken in isolation, these facts might seem to tell a resounding success story for oversight of foreign intelligence surveillance.

But such a conclusion would ignore many other salient facts. For one thing, the government sat on the FISA Court’s October 2018 opinion for almost a year, instead of promptly declassifying and releasing it as envisioned by Congress in the 2015 USA FREEDOM Act. Clearly, the government was hoping for a win on appeal that would neutralize the negative impact on public opinion. Had the appeal taken several additional months to resolve, there is no doubt that we would still be in the dark about the FBI’s activities today.

As for the substance of the opinion, the illusion of accountability fades when one considers the many aspects of the Court’s own ruling that were left entirely unaddressed by its chosen remedy. The Court’s opinion cited the following major problems and sources of concern:

FBI personnel are fundamentally confused about what “reasonably likely to return foreign intelligence or evidence of a crime” means.

Oversight is limited because overseers review only a tiny fraction of queries.

Oversight is limited because overseers lack documentation of the justification for queries.

There is a mismatch between the FBI’s querying procedures, which purport to place substantive limits on queries, and the FBI’s policy of encouraging routine use of those queries at the earliest stage of every investigation.

“Batch” queries are seemingly inconsistent with the text of the FBI’s querying procedures.

The remedy imposed by the Court—a requirement that FBI personnel document their reasons for performing a U.S. person query before viewing content information—addresses only one of these problems (lack of documentation for overseers to review). After all, if FBI agents truly do not understand what “reasonably likely to return foreign intelligence or evidence of a crime” means, requiring them to document their misconceptions will not produce any greater understanding; it will merely reaffirm the confusion that the Court already observed.

In theory, the documentation could be used as a mechanism to identify personnel who require remedial training or even administrative discipline. But the Court did not order any such measures, and the FBI’s revised procedures don’t contemplate them. In any case, it is clear from the Court’s opinion that the Justice Department would require expanded oversight capacity to detect non-compliance in anything more than a fraction of cases. The Court did not direct the Justice Department to devote more resources to oversight, and so virtual piles of documentation recording FBI agents’ various interpretations of the legal standard for queries will languish unexamined. Knowing this, FBI agents are unlikely to spend much time or thought on writing out their rationales.

Nor does the Court’s remedy do anything about the mixed message the FBI sends its personnel by simultaneously limiting (in its querying and minimization procedures) and urging (in its policies and rhetoric) the use of queries. It was an important step forward for the Court to recognize this fundamental disconnect in the FBI’s practice. But the disconnect will continue unless and until the Court orders the FBI to harmonize its policies and its rhetoric with its Section 702 procedures.

The Court also strongly suggested that “batch queries” are inconsistent with the text of the FBI’s querying procedures. However, it did not order the FBI either to stop batch queries or to alter its procedures to allow them. The FBI’s revised procedures, which the FISA Court approved in September 2019, still have the language that would seem to foreclose batch queries. But there is no indication, either in the procedures or in any other public document, that the FBI has stopped the practice; and the FISA Court apparently forgot to ask, as its September 2019 opinion does not even mention the issue.

More to the point, the Court should have barred “batch queries” outright. The FISA Court’s finding that Section 702 surveillance is constitutionally reasonable has always hinged on a delicate balance between the government’s interest in collecting foreign intelligence and Americans’ privacy interests in their communications. The ostensible existence of strict limitations on government officials’ access to Americans’ communications—including the requirement that queries must be designed to return foreign intelligence or evidence of a crime—has been a key factor in the Court’s conclusion that the balance tips in the government’s favor. Allowing the FBI to conduct tens of thousands of queries in a “batch,” when it is apparent that the vast majority of them will not yield any such information or evidence, would require a significant repositioning of the scales.

One final observation: The Court’s modest record-keeping remedy is particularly inadequate in light of the government’s history of Section 702 violations. On four separate occasions, as recounted in Part I of this post, the FISA Court has found that the government was improperly handling or accessing Americans’ communications. On three of those occasions, the Court held or otherwise indicated that these actions violated the Fourth Amendment. Astonishingly, at no point in Section 702’s existence has the government operated the program in full compliance with constitutional requirements. In light of this history, the Court should have required changes far more substantial than (as the FISCR described it) “adding one (largely ministerial) item to the [FBI’s] checklist.”

After a decade of trial and error, the FISA Court should have required FBI agents to obtain warrants before searching for Americans’ communications. In my opinion, the Court erred when it held that recent case law does not support a warrant requirement for U.S. person queries of Section 702 data. Nonetheless, even if a warrant requirement were not compelled by the case law, the Court still could have concluded that warrants are necessary here. In light of the repeated failure of the government, over the course of more than a decade, to adhere to the procedural requirements that the Court has held the Fourth Amendment does require, the Court could easily have determined that nothing short of a warrant requirement will guard against the “risks of serious error and abuse” that have thus far rendered the government’s practices unconstitutional. Now that would have been a triumph of foreign intelligence surveillance oversight.
