702 Bill Comparison

                

Wyden/Paul

HJC

SSCI

https://assets.documentcloud.org/documents/4114579/Pre-Markup-SSCI-702-Draft.pdf

Backdoor search fix

                        

For years, all agencies that receive 702 data have used US person identifiers to search the data, amounting to a warrantless search on Americans. This is particularly problematic at FBI, where such searches happen before FBI obtains evidence of wrong-doing.

Section 2: The prohibition is broad, prohibiting queries by all US officials (so not just FBI, but also NSA, CIA, and NCTC). It does include corporate identities in the exceptions (which would be useful for cybersecurity and counterproliferation). It also has technical access controls that the NSA long refused to add to backdoor searches, which led to last year’s problems.

The bill permits queries in an emergency or for people covered by a FISA order, which harmonizes with NSA’s current practice.

Section 101: The bill requires a FISC probable cause order for criminal searches of content, which cannot rely exclusively on metadata showing the communication exists, and AG approval for criminal searches of metadata (broadly defined). Because most FBI queries are done at the assessment phase to determine if there is a national security nexus, this means the warrant requirement will virtually never trigger, making the “fix” meaningless.

                        

The query requirement also excepts US persons covered by a domestic FISA order, which makes sense because it harmonizes with NSA’s current practice.

                        

The bill requires auditable records of back door searches, but exempts tech access; on at least one occasion in the past, NSA used such non-auditable tech access to obtain data otherwise not permitted. In addition, the bill does not require tracking whether a search is on US persons or not, which FBI currently doesn’t do.

                        

The bill does not define foreign intelligence information query, on which much of the change hinges, outsourcing that legislative role to FBI in the next certification process.

SSCI includes no backdoor fix, and codifies the use of 702 information for 8 non national-security crimes, as well as national security crimes and those that “affects, involves, or is related to” national security (determined entirely at the AG’s discretion).

About collection

                        

For a decade, NSA obtained communications by packet sniffing for selectors in the content of a packet. This has been a persistent source of problems, and has resulted in entirely domestic communications being collected.

Section 4: The bill uses a slightly different formulation for ending about collection, prohibiting the acquisition of a communication “as to which no participant is targeted pursuant to the authorized acquisition.” By putting the about restriction on acquisition, rather than on targeting of people, it likely prohibits certain uses that are currently still permitted and pose the same privacy risks as about collection.

Section 102: The bill closely matches the FISC fix for about collection, requiring that the “targeting of a person is limited to communications to or from the targeted person.” Particularly given how the government defines where content begins in a packet, this might permit some collection that amounts to about collection, with its associated problems.

                        

The HJC about prohibition sunsets in 2023, which might be read as tacit approval for its resumption.

Section 3. The bill uses yet another description of “about” collection, but then sets up its later reauthorization by permitting the IC to ask for it to be authorized with a 30 day window during which Congress can reject that request. It also provides for an exigent reauthorization that would largely bypass that Congressional review.

The definition of about collection is “a communication that contain[s] a reference to, is not to or from, a facility, a place, premises, or property at which an acquisition is authorized under [the targeting section].” It shifts the targeting away from actual people to facilities, which in some ways better matches NSA’s own technical language than the HJC bill, but introduces slippage in the meaning of “user,” which also means, even if Congress disapproves of restarting about collection, it won’t have its intended effect.

The bill adds a “material breach” reporting requirement, just for about collection, with no punishment or decertification tied to it.

2014 exception fixes        

Since 2014, FISC has permitted NSA to remain tasked on certain kinds of facilities [probably VPNs and Tor] even after learning that US persons also use the facility, effectively permitting NSA to collect US person communications with 702. These are dealt with in post-tasking purges.        

Section 4 and 5: Wyden-Paul prohibits this practice which, in conjunction with FISC’s approval of backdoor searches for upstream content this year, may result in access of US person data.

In particular, the bill prohibits the collection of communications known to be domestic.

HJC bill does not address the 2014 exception.

Section 5. SSCI bill turns the 2014 exception into a domestic Tor spying bill.

Use limits

                        

FBI may find and use evidence of a crime unrelated to the 702 certificate purposes.

                

Section 6: The bill limits the use of 702 information in proceedings of any type to purposes that align with the 702 certificates (terrorism, counterintelligence, WMD proliferation).

                

                        

                        

                

Section 5: SSCI codifies the use of Section 702 information in crimes “affect[ing], involv[ing], or [] related to the national security of the United States,” as well as for:

  • Death
  • Kidnapping
  • Serious bodily injury
  • Specified offense against a minor
  • Incapacitation or destruction of critical infrastructure (critical infrastructure can include even campgrounds!)
  • Cybersecurity, including violations of CFAA
  • Transnational crime, including transnational narcotics trafficking
  • Human trafficking (which, especially dissociated from transnational crime, is often used as a ploy to prosecute prostitution; the government also considers assisting undocumented migration to be human trafficking)

The AG has nonreviewable discretion to make this determination.

PCLOB reforms

                        

While PCLOB has done superb work, it has been hampered by several limits of its charter, which make it very easy for the Executive to render it non-functional. Improving PCLOB is also important for EU Privacy Shield certification.

Section 7: Wyden/Paul make 6 improvements to PCLOB:

                        

  • Expanding its mandate to include all foreign intelligence purposes (not just counterterrorism)
  • Permitting whistleblowers to go to PCLOB, on top of other permitted reporting channels                         
  • Eliminating AG review over PCLOB subpoenas                        
  • Making PCLOB functional even in absence of confirmed Chair                
  • Making all board positions paid full time
  • Requiring PCLOB receive all reporting on the FISC that Congress would receive        

Section 202: The bill makes PCLOB functional even in the absence of a confirmed Chair.

                        

The bill also requires a report on Section 702 and terrorism within a year of passage of the bill. This report might actually lead to more intrusive spying if (for example) the report emphasized how encryption made hunting terrorists more difficult. As such, while the report may be useful, it may also be an inappropriate use of PCLOB time.

Section 7: The bill exempts PCLOB from open meeting rules by making it no longer an agency.

Whistleblower protections

                        

Particularly in the wake of the Snowden leaks, there has been more attention to granting intelligence community contractors the same whistleblower protections granted to government employees.

                

Section 7 permits whistleblowers to make protected disclosures to PCLOB, in addition to agency or congressional reporting channels.

                

Section 204 extends whistleblower protections to contractor employees, enforced only by presidential enforcement (which is particularly problematic for intelligence whistleblowing).

In addition, it does not protect contractor whistleblowers from retaliation by their employers.                         

                

FISC Amicus Curiae

                        

In 2015, USA Freedom Act required FISC to appoint amici for significant rulings or explain why they did not. In this year’s very significant 702 certification, Rosemary Collyer did neither. In addition, in one review of PCTDD, many judges on the FISC objected, but no amicus was appointed at the district level because no issue came before the court until it became too urgent for amicus review.

                

Section 8: The bill makes several improvements to FISC amicus curiae:

                        

  • Permits the amicus to raise issues at any time, and ask for an en banc or FISCR review                
  • Requires amicus involvement in Section 702 reauthorization, without discretion                

The required 702 amicus involvement is stronger than HJC, and also requires timely involvement.

                        

Section 8 also includes more public reporting on significant decisions.

                

Section 104: The bill requires appointment of an amicus for yearly 702 reauthorization, though the court may issue a finding stating such appointment is not appropriate.                         

                

Section 4: The bill only adds the presumption of requirement for an amicus for the first certification involving about collection, but does not otherwise improve the amicus.

FISC diversity

                        

Many of FISC’s most important decisions amount to one person circuit decisions. And most of those decisions are made by DC District judges, who have a close relationship with the Executive (and often less experience presiding over cases incorporating FISA).

Section 8, 9, and 10

                        

The bill expands the number of judges to match the number of circuits. It requires majority SCOTUS approval for each FISCR judge. It also requires a study on the diversity of the FISC judges.

                        

By permitting an amicus to request an en banc review, the bill eliminates the problem of one-person “appellate” decisions.

                        

                        

                

Standing

                        

Just a few people have ever challenged Section 702, partly because DOJ interprets its notice requirements to avoid almost all notice, and partly because innocent people otherwise affected do not have standing.

                

Section 11 and 13

                        

The bill gives standing to those who communicate with foreigners who communicate foreign intelligence information and whose profession (such as lawyers) requires them to avoid surveillance.

                        

The bill defines the notice provisions for all of FISA to include any data that would not have been found but for the FISA collection of it. It also requires public disclosure of DOJ’s interpretation of notice. It also newly requires notice for overseas surveillance.

                

                        

                        

                

Technical Assistance

                        

It would be possible for the government to mandate something under technical assistance provisions—such as back dooring encryption—that would not otherwise be permissible.

                

Section 14: The bill imposes a narrowly tailored standard on technical assistance under 702 and requires explicit approval from the FISC.

                

                        

                        

                

Public reporting fixes

                        

While USAF permitted more reporting from private companies and mandated new reporting from the government, some of that reporting is misleading.

Section 15: The bill permits more granular reporting—including disaggregated reporting by authority—for companies that have more FISA responses.                

                        

                        

                

The government has never declassified the purposes for which 702 may be used, which obscures debates about where it has been useful and fosters dishonesty in criminal discovery.

Section 16: The bill requires publication of the purposes for which certificates have been approved.        

                        

                        

                

USA Freedom imposed transparency requirements for backdoor searches, but exempted FBI from that reporting, hiding the most important impact.

Section 17: The bill eliminates FBI’s exemption from transparency reporting included in USA Freedom Act.

Section 107: Along with requiring the AG to report on electronic surveillance already counted, the bill fixes the PRTT count from USAF to count US persons affected by all PRTT uses, not just call records of actual calls (that is, it will also count things like location data).        

SSCI bill requires reporting on items (such as US person targets) covered last year by IContheRecord.

Last year, the IC promised to give a count of US persons affected by 702, a necessary count to understand impact of warrantless surveillance on Americans. This year they reneged on that promise.

Section 18: The bill requires a count of how many US persons and persons within the US get collected under Section 702, but permits DNI to say it is not “technically possible.”

Section 105: The (manager’s amendment) bill requires a count of a good faith estimate of US person communications acquired under 702, but permits DNI to say it’s “not achievable” (a broader excuse than permitted under Wyden bill). If DNI deems it not achievable (which DNI Coats already has), DNI provides:

                        

  • unmasking number (compared to back door searches, a marginal impact on US person privacy)
  • the number of times another agency disseminates crime information to FBI (which almost never happens)
  • the number of times FBI’s NSB disseminates crime information to field offices (access to 702 data was already shifted to field offices in 2013)        

                        

In short, assuming DNI will continue to refuse to give the count already promised, this bill continues to substitute meaningless, low-impact numbers for even a count of how many back door searches or hits FBI gets.

                        

Section 106: The bill also requires FBI to report how many criminal warrants it obtains to access 702 data, which is based off the meaningless fix and will be negligible.

SSCI requires a count of how many back door search hits that were searches for a crime (which never happens) FBI has had passed on from other agencies (17 lines 13ff).

Data Purge

                

In its 2014 report, PCLOB recommended that data collected under 702 that did not have a foreign intelligence purpose needed to be purged, particularly in light of backdoor searches.

Members Medine and Wald further recommended that FBI purge any non-FII data upon discovering it as part of a US person query, enforceable by a court.

                

                        

                

Section 201: The bill implements a data purge, except it in many ways counteracts the purpose. It permits the government to retain communications that do not contain foreign intelligence information for 90 days past that discovery, and further permits DNI to waive destruction requirements on an individualized basis.

                        

Rather than court oversight of these purges, the bill requires an affidavit certifying purges of such information, with a count of waivers given.                         

                

Felony data retention crime

                

                        

                        

                

Section 302 makes willful removal and retention of classified information a felony, punishable by up to five years, and creates a new misdemeanor for negligent retention of classified information.                

GAO report on classified information

                

                        

                        

                

Section 303 orders a GAO study on unauthorized disclosures, examining such issues as how the use of cloud computing and polygraphs affect unauthorized disclosures of classified information.

                

Sunset

                        

Sunsets provide an opportunity for Congress to make necessary fixes to problems identified over the period of the sunset.

                

Section 19: The bill sets the sunset for the bill to September 2021 (four year extension).

                

The bill sets the sunset for the bill to 2023 (six year extension) and includes a separate sunset for the about fix on that date.

                

Section 2: The bill sets the sunset to 2025 (eight year extension).