[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

The Base Bill for 702 Reauthorization: Serial Admissions Oversight Committees Haven’t Been Doing Their Jobs

On Tuesday, the Rules Committee will do rules for a 702 reauthorization bill that is based on the HPSCI bill, but with some improvements designed to get Adam Schiff and Bob Goodlatte on board.

The changes are:

Eliminates expansion to definition of foreign power

The HPSCI bill had expanded the definition of a foreign power to include those engaged in “international malicious cyber activity” defined as someone who,

engages in international malicious cyber activity that threatens the national defense or security of the United States, or activities in preparation therefor, for or on behalf of a foreign power, or knowingly aids or abets any person in the conduct of such international malicious cyber activity or activities in preparation therefor, or knowingly conspires with any person to engage in such international malicious cyber activity or activities in preparation therefor;

It was particularly problematic given that activity that was merely “directed by” persons located outside the US qualified. This provision has been struck. (Note, the inclusion and then removal of it seems to confirm that there is not yet a separate Cyber certificate, beyond the cyber collection on designated foreign hacking groups currently done under the Foreign Government certificate.)

Adds a stripped down version of the meaningless HJC warrant requirement

The bill adds a warrant requirement before accessing the communications identified by metadata for use in a fully predicated criminal investigation (this is basically the existing HPSCI optional warrant, made obligatory for a narrow use), one that is as meaningless as the HJC warrant requirement. The caveats make it clear how meaningless it is, particularly clause iii that permits FBI to run queries even before they’ve opened an assessment.

(F) RULE OF CONSTRUCTION.—Nothing in this paragraph may be construed as—

(i) limiting the authority of the Federal Bureau of Investigation to conduct lawful queries of information acquired under subsection (a);

(ii) limiting the authority of the Federal Bureau of Investigation to review, without a court order, the results of any query of information acquired under subsection (a) that was reasonably designed to find and extract foreign intelligence information, regardless of whether such foreign intelligence information could also be considered evidence of a crime; or

(iii) prohibiting or otherwise limiting the ability of the Federal Bureau of Investigation to access the results of queries conducted when evaluating whether to open an assessment or predicated investigation relating to the national security of the United States.

In other words, back door searches will still function as Google for FBI (perhaps even at a more basic level), except for the one time a year when an Agent discovers communications she wants when she’s already deep into a criminal investigation and can’t justify accessing the information on national security (including recruiting someone as an informant) grounds.

Or to put it more bluntly: FBI can access information more easily if they have zero suspicion than if they have probable cause, effectively flipping the Fourth Amendment on its head.

Ends a requirement FBI count how many acquisitions from criminal queries they obtain

The bill eliminates this requirement from reporting obligations under the old HPSCI bill.

‘(D) the number of instances in which the Federal Bureau of Investigation has received and reviewed the unminimized contents of electronic communications or wire communications concerning a United States person obtained through acquisitions authorized under such section in response to a search term that was not designed to find and extract foreign intelligence information;

I think this would have the effect of hiding any criminal investigations that get opened off queries at the assessment stage (which would also serve to hide how the warrant requirement doesn’t actually protect the searches that most need protection).

Adopts the HJC definition of about collection

The HPSCI bill replaces its old definition of about collection,

(5) may not intentionally acquire communications that contain a reference to, but are not to or from, a facility, place, premises, or property at which an acquisition authorized under subsection (a) is directed or conducted, except as provided under section 203(b) of the FISA Amendments Reauthorization Act of 2017;

with the HJC one.

(5) may not intentionally acquire communications that contain a reference to, but are not to or from, a target of an acquisition authorized under subsection (a), except as provided under section 103(b) of the FISA Amendments Reauthorization Act of 2017; and

In reality, the government is collecting on facilities in any case (though the HJC definition is the one Rosemary Collyer adopted in last year’s reauthorization).

That said, the bill adopts the HPSCI method of restarting about collections, which (IMO) will result in an emergency reauthorization, followed by Congress failing to use its veto power to turn about back off again.

Eliminates unmasking changes

The bill takes out the unmasking changes that were in the HPSCI bill, which had offended Schiff. This will result in far too many Democrats reauthorizing 702 without meaningful changes.

Adds in inadequate whistleblower protections

The bill adds in the worse-than-nothing whistleblower protections from the HJC bill.

Requires a DOJ IG Report on FBI’s use of queries

The bill adds a DOJ IG Report — due within a year of the bill — that lays out,

(b) MATTERS INCLUDED.—The report under subsection (a) shall include, at a minimum, an assessment of the following:

(1) The interpretations by the Federal Bureau of Investigation and the National Security Division of the Department of Justice, respectively, relating to the querying procedures adopted under subsection (f) of section 702 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1881a(f)), as added by section 101.

(2) The handling by the Federal Bureau of Investigation of individuals whose citizenship status is unknown at the time of a query conducted under such section 702.

(3) The practice of the Federal Bureau of Investigation with respect to retaining records of queries conducted under such section 702 for auditing purposes.

(4) The training or other processes of the Federal Bureau of Investigation to ensure compliance with such querying procedures.

(5) The implementation of such querying procedures with respect to queries conducted when evaluating whether to open an assessment or predicated investigation relating to the national security of the United States.

(6) The scope of access by the criminal division of the Federal Bureau of Investigation to information obtained pursuant to the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.), including with respect to information acquired under subsection (a) of such section 702 based on queries conducted by the criminal division.

(7) The frequency and nature of the reviews conducted by the National Security Division of the Department of Justice and the Office of the Director of National Intelligence relating to the compliance by the Federal Bureau of Investigation with such querying procedures.

(8) Any impediments, including operational, technical, or policy impediments, for the Federal Bureau of Investigation to count—

(A) the total number of queries where the Federal Bureau of Investigation subsequently accessed information acquired under subsection (a) of such section 702;

(B) the total number of such queries that used known United States person identifiers; and

(C) the total number of queries for which the Federal Bureau of Investigation received an order of the Foreign Intelligence Surveillance Court pursuant to subsection (f)(2) of such section 702.

Thus, like the requirement that the AG and DNI tell the oversight committees what really goes on with notice to aggrieved persons, the bill adds another requirement that should have been done in 2012 (when FBI started devolving its access to 702 data to field offices, which — among other things — resulted in fewer reviews of how this data was used).

And this report does something that should have been done in 2015, when new transparency was added under the USA Freedom Act — require FBI to count how much of this goes on.

Extends 702 for almost six years

The revised bill extends 702 through 2023, as opposed to through 2021, as the HPSCI bill had originally done. This, in spite of the fact that a number of provisions in the bill (the notice study, the IG report, the GAO study on classification, and a report on challenges to surveillance) are basically admissions that all oversight committees have been negligent in recent years, and are only now requiring the IC to produce the knowledge that should influence legislation.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

5 replies
    • greengiant says:

      Congress already voted to allow ISPs to sell your internet activity.  Not that it mattered much because cookies and FB and all were already tracking not just web clicks but mouse movements and mal ad ware is capturing any stored usernames and passwords. Makes one wonder if mal actors bought data from CA and such for blackmail purposes as well as using it for targeting phishes.  https://arstechnica.com/information-technology/2017/03/how-isps-can-sell-your-web-history-and-how-to-stop-them/

      On twitter EW says TOR is much better because VPNs can sell us out. ( And if not VPNs then AWS cause the cloud computers the cheapest dynamic VPNs hire is guess who ).

      Thought is that today Big Data has more web/smart phone data per person than the NSA did 10 years ago in the “uncollected” storeroom archive? And Trump used your data to win in 2016,  at least according to Parscale.

  1. uncle tungsten says:

    Wow what a great country where both Dems and Repugnants have created this disgusting legislation over a decade and more. As bad as Stalinist Russia was waaayyyyy back then. Maybe Trump had a typo and he meant MACA: Make America Craven Again.

  2. Christopher says:

    Rodent pleasure’rs and birth mother pleasure’rs are metaphors too good for the office holders who swore an oath to defend and protect the constitution. This bill is a wet dream for cyber security contractors or the congressional-military-intelligence-industrial complex we were warned about. Thank you EW for your accurate timely reporting.

  3. imasmakurmomsdum says:

    Disturbing…

    I’d like to make a few suggestions to help the readability of some of your articles. There are a few grammatical mistakes (extra words, missing words, misspelling) in most of your articles that would be easily fixed by downloading Grammarly. Also, you use a VERY large amount of acronyms, and while most are easy to decipher often I don’t have any clue what you are talking about. Obviously, this is because I am not as informed as you, but adding links or just writing out the actual words for some more obscure acronyms would really help the readability for me and probably some others.

    Thank you for continuing to produce such great work.
