FISA Section 702 Reform: Potential Implications for Businesses
One of the most important national security items on Congress's agenda for 2024 is the reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA). While reform proposals concerning access to U.S. person communications and restrictions on the Federal Bureau of Investigation (FBI) have garnered the bulk of public attention, other proposals present significant implications for businesses. Provisions in the proposed bills would (i) require a wider range of companies to assist the government with Section 702 surveillance; (ii) impose greater hurdles on the government to compel companies’ assistance; (iii) limit the government’s ability to obtain certain kinds of data, such as location information or data purchased from brokers; and (iv) make it easier for American citizens to challenge the legality of government surveillance.
Enacted in 2008, Section 702 authorizes targeted collection of communications of non-U.S. persons reasonably believed to be located outside the United States. The National Security Agency (NSA) collects these communications with the assistance of electronic communication service providers (ECSPs), who are required by the statute to “immediately provide the Government with all information, facilities, or assistance necessary to accomplish the acquisition.”[1] While the overall program is approved annually by the Foreign Intelligence Surveillance Court (FISC), the targets of surveillance are chosen by the government without individualized judicial approval.
Pursuant to procedures approved annually by the FISC, certain agencies within the U.S. intelligence community (IC), including the FBI, can search the database of communications acquired under Section 702 for communications that are reasonably likely to yield foreign intelligence information or, only in the FBI’s case, evidence of a crime. A court-issued warrant supported by probable cause is not required to query the database. While the Section 702 program only targets communications by non-U.S. persons located abroad, communications by U.S. persons are collected incidentally if they are in contact with foreign targets. Subject to certain conditions, the intelligence agencies can query the Section 702 database using terms associated with a U.S. person, such as a name or an email address.
Section 702 is considered to be one of the U.S. government’s most valuable sources of foreign intelligence information. However, the law was set to expire at the end of 2023 and long-term reauthorization was controversial, principally because the program lacks a warrant requirement and incidentally collects U.S. person communications. Legislators have introduced several reauthorization bills, but none have passed. Although Congress just enacted a short-term extension until April 2024, long-term reauthorization remains in doubt.
Four bills are likely to define the contours of the continued debate. On one end of the spectrum are reauthorization bills that would impose substantial new constraints on the government’s authority under Section 702: the Government Surveillance Reform Act (“GSRA”), introduced by a bipartisan group of senators including Ron Wyden (D-OR) and Mike Lee (R-UT), and the Protect Liberty and End Warrantless Surveillance Act (“HJC bill”), passed by the House Committee on the Judiciary. On the other end of the spectrum are reauthorization proposals imposing less stringent reforms, sponsored by members of the Senate and House Select Committees on Intelligence (“SSCI bill” and “HPSCI bill,” respectively).
The reauthorization debate has largely centered on the issue of U.S. person queries. The GSRA and the HJC bill would require the government to obtain a warrant supported by probable cause for all queries using terms identifying U.S. persons, subject to limited exceptions. The SSCI and HPSCI bills would continue to allow the government to conduct U.S. person queries for foreign intelligence purposes without a warrant. The proposals also differ in the extent of additional compliance requirements they impose on the FBI.
While warrant and compliance issues have dominated public attention, several provisions under consideration are highly relevant for businesses.
The HPSCI bill would expand dramatically Section 702’s definition of an ECSP, potentially subjecting a wider range of companies to obligations under the law. Currently, the definition covers:
Section 504 of the HPSCI bill would expand the fourth and fifth categories. First, it would strike the “communication” qualifier in the fourth category, thereby extending the definition to non-communication service providers. Second, it would add providers who have access to “equipment that is being or may be used to transmit or store” wire or electronic communications. Section 504 would also expand category five to include “custodians” of covered entities. Thus, under this provision, the first three parts of the definition of an ECSP would remain the same, but the fourth and fifth would be:
4. “Any service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored, or equipment that is being or may be used to transmit or store such communications”; and
5. Officers, employees, agents, or custodians of any of the above entities.
Because Section 702 compels ECSPs to provide assistance in carrying out authorized surveillance, these broadened definitions could impose Section 702 obligations on many more companies that may be unaware that they would fall under Section 702. Although the proposed language is vague, non-communication service providers who merely have access to the “equipment” that facilitates communications could be obligated to assist in the collection of communications. This could include companies ranging from data centers to local businesses that offer free internet to their customers.
The proposed changes appear to come in response to a 2022 FISC decision, affirmed on appeal and recently released in redacted form, holding that an unidentified entity—speculated to be a cloud service provider—did not fall under the definition of an ECSP and therefore was not obligated to assist the government with Section 702 surveillance. Because of the breadth of the language, however, the change could subject a variety of entities beyond cloud providers to obligations under Section 702. As a result, it could have ramifications for the EU-U.S. Data Privacy Framework, the latest attempt to ensure seamless transatlantic data flows, which is already being challenged by privacy advocates in the EU. Section 702 has long been a significant source of concern for the EU. Under the status quo, many companies can assuage these concerns by correctly claiming that they are not the type of company likely to be subject to Section 702. The HPSCI bill could disrupt this defense and make it harder for companies to meet EU data protection requirements. If the HPSCI bill moves forward, this provision will need to be clarified and tightened.
Section 18 of the HJC bill would prohibit law enforcement and intelligence agencies from purchasing certain personal data of U.S. persons from third-party data brokers. This prohibition could limit the growth of the data broker market, which has provided an additional source of revenue to many companies that collect valuable customer data.
Section 508 of the GSRA includes a similar prohibition, but it only applies to law enforcement. Although the ban does not apply to intelligence agencies, Senator Wyden recently placed a hold on the nominee for Director of the NSA until the NSA publicly confirms or denies whether it purchases Americans’ personal data. Opponents of the data broker ban have pointed out that it would amount to “unilateral disarmament” because foreign government agencies would be able to purchase the same data that U.S. agencies would be prohibited from acquiring.
Section 501 of the GSRA reaches beyond Section 702 and would amend the Stored Communications Act (SCA) by imposing a probable cause warrant requirement for the government to obtain historical (older than 180 days) location information, web browsing records, and search engine queries, including requests to smart assistants. If enacted, this provision would thus require warrants to obtain data from electronic communication or remote computing services that can now potentially be obtained without a warrant. Following the Supreme Court’s decision in Carpenter v. United States, the government must obtain a warrant to obtain seven days’ or more worth of historical cell site location information (CSLI).[5] Before Carpenter, the government could obtain historical CSLI via a court order that only requires the government to establish “reasonable grounds to believe” the records sought are “relevant and material to an ongoing criminal investigation,” a lesser standard than probable cause.[6] The GSRA would extend Carpenter’s holding to any historical location information, as well as other categories of information.
Section 106 of the GSRA would impose greater constraints on the government’s ability to compel technical assistance from ECSPs and may result in a lessened burden on ECSPs. The provision would amend Section 702’s technical assistance provision, which currently authorizes the Attorney General and Director of National Intelligence to direct an ECSP to provide the government with “all information, facilities, or assistance necessary to accomplish the acquisition” of targeted communications.[7] The GSRA would require the government to seek prior approval from the FISC for such a directive and demonstrate that the assistance requested is both necessary and narrowly tailored, and that it would not impose an undue burden on the ECSP.
This reform reflects Senator Wyden’s longstanding concern that the government will attempt to use Section 702’s technical assistance provision to compel an ECSP to circumvent the end-to-end encryption it provides. During the last Section 702 reauthorization debate in 2017, Wyden sought assurances from the Office of the Director of National Intelligence (ODNI) that the government would not attempt to obtain such an order. While ODNI confirmed that the government had not to date sought to compel decryption under the provision, it did not disclaim the authority to do so. Here again, the language is broader than the stated goal, as it applies to all forms of technical assistance, and we expect that the government will argue that requiring FISC approval of all technical assistance directives would be impractical.
Section 210 of the GSRA could result in ECSPs being drawn into lawsuits challenging U.S. government surveillance by making it easier for U.S. persons to bring civil actions challenging the legality of Section 702 surveillance—or any other federal government surveillance. Past challenges have largely failed because plaintiffs have been unable to establish that their communications had actually been collected, and therefore they lacked standing to challenge the law.[8] The GSRA would give standing to any person who communicates with foreign persons and takes measures to evade surveillance. Although Congress’s ability to define injuries for the purpose of bolstering standing has been limited by recent Supreme Court decisions,[9] and the provision would still leave largely intact the existing laws providing immunity for entities that comply with lawful surveillance orders,[10] ECSPs could still be drawn into the discovery process of lawsuits against the government.
Notably, Section 210 does not apply to non-U.S. persons. It therefore neither provides them access to U.S. courts, nor codifies the redress mechanism in the EU-U.S. Data Privacy Framework, which, once implemented, will allow EU individuals to bring challenges before a newly established body in the U.S. Justice Department if they believe they have been unlawfully targeted by U.S. signals intelligence activities.
Under the short-term extension, Section 702 will sunset on April 19, 2024, although the program may continue for up to a year thereafter under a “grandfather” provision.[11] The extension buys Congress more time, but sharp disagreements remain and will be a focus of legislative attention in the new session. Congress will have only a few months to sort the issues out. Potentially affected businesses, including ECSPs, data brokers, and companies that may fall under the expanded definition of ECSP, should pay close attention to legislative developments.
[1] 50 U.S.C. § 1881a(i)(1).
[2] 18 U.S.C. § 2510(15).
[3] 18 U.S.C. § 2711(2).
[4] 50 U.S.C. § 1881(b)(4).
[5] 138 S. Ct. 2206 (2018).
[6] 18 U.S.C. § 2703(d).
[7] 50 U.S.C. § 1881a(i)(1).
[8] See Clapper v. Amnesty International, 568 U.S. 398 (2013). Courts of Appeals that have reached the merits of the issue have found Section 702 constitutional. See United States v. Hasbajrami, 945 F.3d 641, 670 (2d Cir. 2019); United States v. Mohamud, 843 F.3d 420, 424 (9th Cir. 2016); United States v. Muhtorov, 20 F.4th 558, 594 (10th Cir. 2021), cert. denied, 143 S. Ct. 246 (2022).
[9] See TransUnion v. Ramirez, 594 U.S. __ (2021); Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).
[10] 50 U.S.C. § 1805(i); 18 U.S.C. § 2511(2)(a)(ii).
[11] See Sec. 404, Pub. L. No. 110-261 (2008).