by Michael Dean Thompson

The 2008 Foreign Intelligence ­Surveillance Amendments Act (“FAA”) Section 702 (codified as 50 U.S.C. § 1881A) exists to facilitate the capture of the communications of foreign actors as they pass through American facilities and hardware. However, in the process, the communications of American citizens are being captured and stored as well. The resulting repository of information is then made available to intelligence and law enforcement agencies such as the NSA, CIA, and FBI who can query against it using the identifiers of American citizens as part of a criminal search without a warrant. This is the backdoor loophole.

Prior to Section 702, the NSA had always been allowed to hoover up foreign surveillance information without warrants. The Foreign Intelligence Surveillance Act (“FISA”) at the time used geography to determine whether or not a warrant was required. If the collection occurred on U.S. soil, it generally required a warrant or court order. However, the technology changed significantly over the years after the original 1978 FISA. The advent of the internet and the expansion of international telephony meant that large amounts of international traffic pass through domestic servers and networks, making it a prime target for surveillance of foreign activities.

The program began as an overreach by the NSA in 2006, when the Foreign Intelligence Surveillance Court (“FISC”) approved an order that required Verizon to turn over all of its telephony data. The FISC later approved orders for all the major providers and went on to approve renewals of the program 34 times in seven years. Nearly all the information collected by the NSA was that of American citizens and residents who were not suspected of committing crimes. Much as the 1978 FISA was intended to rein in government actors (such as the Department of Defense) who were spying on Americans, the NSA had been caught violating the intent of the law by yet again spying on citizens for whom there was no reasonable suspicion of criminal activity.

The Foreign Intelligence Surveillance Amendments Act (“FAA”) was an attempt to address some of the problems. It requires first, that the information cannot be intentionally collected where the target is known at the time to be within the U.S. Because some American citizens may communicate with foreign targets, it is natural that their communications will be intercepted. For this reason, a target cannot be intentionally chosen simply because of their relationship with an American citizen or resident. It also requires that the collection cannot intentionally target an American citizen or resident who is reasonably believed to be located outside the U.S. Government is also barred from intentionally collecting information where all parties are known to be located in the U.S. at the time the information is requested. Each provision of the law at this point is given significant wiggle room with the words intentionally and/or known, an aspect of the law not lost upon the NSA.

One of the features of accessing “upstream” telephony data directly from the providers is it availed to the government access to something called a multiple communication transaction (“MCT”). The MCT contains the transaction being tracked, plus various other transactions that have nothing to do with the target, such as domestic conversations between citizens. At the very least, this stretches the meaning of the word intentionally. They were intentionally collecting the MCTs while also “unintentionally” collecting the attached unrelated transactions.

Through a program started in 2007, before Section 702 was codified, the government had also begun collecting “downstream” data from Microsoft and later Apple, Google, Facebook, YouTube, and Skype as well as others. This gave them access to email content, Voice over IP conversations, instant messages, and more. In addition, they began collecting “about” information where the content only mentioned the target, even if the communication was entirely domestic or between two U.S. residents overseas.

The government took some additional liberties with the terms intentionally and known. Absent evidence to the contrary, it assumes that the target is a “non-U.S. person outside domestic bounds.” This meant that by 2014, nine out of ten account holders in a cache of intercepted communications were not the target. That is a lot of information on U.S. citizens and residents stored for up to five years or more. And the intelligence agencies each have their own policies regarding how they can access the data.

The NSA was forbidden in 2011 from querying the upstream data using U.S. person identifiers. Unsurprisingly, however, they violated that rule and did so more often than they had disclosed to the FISC. The solution was to eliminate “about” collection (which Congress later legislated in 2018), yet they also expanded their ability to query upstream data for U.S. person information.

The FBI is also able to query the Section 702 data. As stated earlier, it is a massive repository of U.S. person data waiting to be searched without a warrant or court order. In 2014, the Privacy and Civil Liberties Oversight Board (“PCLOB”) pointed out that the FBI often does not register its queries, making oversight impossible. That caused Congress in 2015 to require the Director of National Intelligence (“DNI”) to report how many queries involved U.S. persons. The FBI’s searches were not included in the resulting 2016 report.

Again, in 2018, Congress required the FBI to begin keeping records of U.S. person queries. The FBI, however, refused to do so for two years, arguing through its own unique reading of the law that it only needed to count the total numbers of queries, including non-U.S. persons. When it finally did acquiesce and provide the tallies in 2022, the FBI reported 3.4 million U.S. person queries for 2021. The Office of the Director of National Intelligence (“ODNI”) cautioned that the same individuals could have been queried many times resulting in an inflation of the numbers. Nevertheless, that still counts almost 10,000 queries of American identifiers per day.

Not all those searches were actually in the service of unearthing criminal activity or illuminating anti-American foreign actor efforts. Contractors who came to the FBI buildings for repair work had their communications searched. Victims who reported crimes were also searched. Police officers aspiring to be special agents had their identifiers run through the Section 702 data as well. And, in a time-honored tradition of unlawful snooping, the friends and family of the agent behind the keyboard were searched.

Those searches might not have sufficed to garner the attention of Congress. However, an agent performed several searches using a congressman’s name then reviewed the search product. His was not an isolated incident. Another agent used Section 702 queries to investigate a local political party. Yet another performed a “batch query” in which the names of government officials, journalists, and political speculators were all searched at once.

After the massive 3.4 million queries, the FBI instituted a series of reforms. The ODNI reported that the changes to FBI “systems, processes, and training related to U.S. persons” resulted in a precipitous drop in 2022 to just 204,000 queries for U.S. persons against the Section 702 data. With that in mind, the FBI wants the public to believe that their repeated violations were simply a misunderstanding of the rules and a need for better training. The problem is that some of the rules they continued to violate had been around for 14 years. In response, the FISA court suggested that the FBI did not misunderstand; it was simply indifferent.

It is important to note that Section 702 data used to identify criminal activity is unlikely to ever be shown in court since no warrant or court order is needed to query it. Using the Section 702 data, the agents could simply recreate the evidence through other means (referred to as “parallel construction”). Rather than being used as trial evidence itself, it provides the keys needed to find the evidence. Therefore, it is not enough that the FBI institute new training and audits. Instead, any search of U.S. person data on the Section 702 repository must be supported by warrant. That is the only reliable means by which the unconstitutional intrusion into the private communications of Americans will be stopped.  

Sources: nytimes.org, FBI Warrantless Data Under Section 702 cbsnews.org, FBI Warrantless Searches of American’s Data Plummeted Following Reforms Brennancenter.org, An Opportunity to Stop Warrantless Spying on Americans Council on Foreign Relations, June 26, 2017 38 Harv. J. L. and Pub. Pol’y 117, Section 702 And The Collection Of International Telephone And Internet Content 37 Harv. J. L. and Pub. Pol’y 757, Bulk Metadata Collection: Statutory And Constitutional Considerations

Subscribe today

Already a subscriber? Login