Glenn S. Gerstell served as general counsel of the National Security Agency from 2015 to 2020 and is now a senior adviser at the Center for Strategic and International Studies.
This is the second part of a two-part series on FISA. Part one can be accessed here.
President Trump’s claims of improper surveillance during his 2016 presidential campaign and the ensuing highly publicized inquiries by the executive branch and Congress have all created an atmosphere where the Foreign Intelligence Surveillance Act (FISA) has become almost impossibly political. First, recently declassified documents [PDF] show that conversations between former National Security Adviser Michael Flynn and the Russian ambassador to the United States were apparently captured under FISA, presumably with the ambassador as a target. (Normally, the U.S. government does not confirm or deny the existence or nature of any FISA surveillance.) Members of the Republican Party later alleged that in its closing days the Obama administration improperly combed through FISA intelligence reports to dig for political dirt on incoming Trump administration officials who were having conversations with foreign officials. There hasn’t been any showing that the foreign surveillance was improper; Flynn’s statements to the FBI in the subsequent investigation were the basis for criminal charges. The allegations about the Obama administration’s use of intelligence reports have also been discredited, since it appears that no digging for or “unmasking” of Flynn’s name was required in the first place.
The so-called “unmasking” controversy lingers, however, and colors the current debate about reauthorizing parts of FISA that came up for renewal at the end of 2019, which had been put in place for only a short time to allow Congress to revisit controversial sections of the act in light of operational success or failure or any intervening technological changes. The most significant of the expiring provisions were ones permitting the FBI to obtain a broad range of business records for foreign intelligence purposes and enabling the National Security Agency (NSA) to continue its by then-abandoned call data records program.
Any renewal of those provisions would already have been problematic, given increased attention to (among other things) digital privacy, but it became exceptionally difficult in the current political environment. In particular, the report [PDF] of the Department of Justice inspector general regarding the FBI’s investigation of Carter Page, former advisor to President Trump, was erroneously cited as evidence of the need for FISA reform. Although the report found sloppy procedures (and worse) at the FBI, none of the report’s nine recommendations said anything about problems with FISA itself; moreover, the sections of FISA relevant to Carter Page had nothing to do with the provisions coming up for renewal. Although the Trump administration supported a reauthorization, Congress proved unable to agree on anything other than a short-term extension to March 15, 2020, and thereafter the authority for those provisions expired.
Based on the bills that have passed at least one chamber of Congress, it seems certain that the NSA’s authority to obtain call data records of Americans in international terrorism investigations will be permanently curtailed, but that’s of no real operational significance since the NSA has already shut that program down. On the other hand, the expiring business records provision is almost indisputably needed by the FBI. Congress should reinstate this relatively non-controversial provision, which is being held hostage to the larger question of what unrelated changes, if any, should be made to FISA.
Congress is currently considering a series of proposals that would add additional safeguards and, at least in theory, protect U.S. persons’ privacy. These include turning the FISA application process before the Foreign Intelligence Surveillance Court (FISC) into a more adversarial process, with an independent advocate appointed to evaluate the government’s applications, requiring additional public reporting, and limiting the scope of the government’s ability to search an American’s website browsing history. Although a few of the proposals are aimed at the deficiencies noted in the inspector general’s report, most are regarded by privacy groups as welcome but insufficient. Making predictions about congressional or President Trump’s actions is foolhardy, but one would think that everyone would feel sufficiently uncomfortable with a set of lapsed authorities on their hands that could spell the difference in a counterterrorism investigation. Most likely, lawmakers will cobble together a package of largely procedural “reforms”—some genuinely useful and others not—enabling all sides to claim an accomplishment but neglecting the fundamental and well-recognized weaknesses in the foreign intelligence surveillance architecture.
Almost all national security experts and privacy advocates [PDF] agree that FISA has in many respects failed to keep pace with modern technology. For example, as the concept of location becomes increasingly irrelevant and indeterminate, FISA’s insistence on using the location of the electronic interception and of the target seems misplaced.
No one should minimize the intrusiveness of government surveillance or argue that it shouldn’t be strictly regulated. Nonetheless, the imbalance between the ability of the government to obtain information for national security purposes, and the vast, largely unlimited and unregulated abilities of the private sector to collect and use personal data needs rationalization. As the private sector generates ever more data, due to the advent of 5G telephony, the proliferation of the internet of things, and the increasing role of artificial intelligence, it makes sense to permit the government to use that data for national security purposes, with whatever limitations our society wishes to impose. FISA, as currently constructed, is largely ignorant of these technological trends.
Congress will have more latitude than one might think to craft new surveillance regimes that are constitutionally sound. The Fourth Amendment sets limits on how the government may access increasingly revealing and important data, but there is surprisingly little specific guidance offered by the judiciary in this area. Most Fourth Amendment cases deal with specific surveillance techniques, such as the use of cellphones to track location, infrared detectors, or GPS tracking devices, and are difficult to extrapolate to new technologies. Indeed, the Supreme Court’s most recent pronouncement in this area explicitly said it was a "narrow decision" [PDF].
In the best of times, surveillance, even for vital national security purposes, is a topic fraught with sharply different opinions; and in today’s political environment, it is impossible to see how Congress and any administration could agree on a complete reimagination of surveillance for foreign intelligence purposes. However, that is exactly what is needed.
The imperatives of surveillance for foreign intelligence have never been greater in this increasingly complex, connected, and multipolar world, with the dangers heightened by the prevalence of disinformation. Think tanks, academics, privacy advocates, national security experts and others should explore how we can adapt to relentlessly changing technology in ways consistent with our evolving views of privacy. Perhaps Congress would feel more comfortable accepting the suggestions of a bipartisan expert commission to give us the national security tools our nation needs while preserving American values. U.S. society is, however, still in the midst of determining what privacy means in the digital age, and a national commission can’t make that decision for us. We need to crystalize our views on that point before the onrush of technology in effect makes the decision for us.