In April 2024, Section 702 of FISA was reauthorized with the passage of the Reforming Intelligence and Securing America Act (RISAA). Section 702 permits U.S. intelligence agencies to conduct warrantless surveillance of foreigners abroad. In practice, Section 702 surveillance also collects U.S. persons’ communications. The FBI and other agencies abuse their access to this database, querying and accessing U.S. person communications without a warrant, in contravention of the Fourth Amendment.
RISAA is a nominal reform law that was meant to address the previous abuses of Section 702 surveillance and prevent future misuses. However, RISAA expanded surveillance in ways that emboldened the IC to continue their harmful ways. One of the more problematic provisions in RISAA expanded the definition of electronic communications service providers (ECSP). Previously, ECSPs were defined as telecommunications company like AT&T, who were required under law to cooperate with NSA orders for communications data. Under the expanded ECSP definition, businesses and entities that, for example, provide wi-fi to their patrons, would be required to assist with Section 702 surveillance.
Senate Intelligence Committee Chairman Mike Warner (D-VA) vowed to fix the vague, expansive language in RISAA to specifically define which ECSPs are subject to NSA directives. The Intelligence Reauthorization Act for Fiscal Year 2025 is the legislative vehicle for this amendment.
Below is the full text of the amendment. There’s a glaring issue – the ECSP covered in RISAA is classified information, contained in an unreleased August 23, 2023 FISC opinion. Therefore, we still do not know what new kind of ECSP is subject NSA directives. Classifying important knowledge in public law is a dangerous precedent. Intelligence budget reauthorizations always contain classified annexes, but an amendment clarifying who is compelled to provide the NSA with their communications data should be accessible public knowledge.
Sec 1202. Limitation on Directives Under Foreign Intelligence Surveillance Act (FISA) of 1978 Relating to Certain Electronic Communication Service Providers (ECSP)
SEC. 1202. LIMITATION ON DIRECTIVES UNDER FOREIGN INTELLIGENCE SURVEILLANCE ACT OF 1978 RELATING TO CERTAIN ELECTRONIC COMMUNICATION SERVICE PROVIDERS.
Section 702(i) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1881a(i)) is amended by adding at the end the following:
“(7) Limitation relating to certain electronic communication service providers.—
“(A) Definitions.—In this paragraph:
“(i) Appropriate committees of congress.—The term ‘appropriate committees of Congress’ means—
“(I) the congressional intelligence committees;
“(II) the Committee on the Judiciary of the Senate; and
“(III) the Committee on the Judiciary of the House of Representatives.
“(ii) Covered electronic communication service provider.—The term ‘covered electronic communication service provider’ means—
“(I) a service provider described in section 701(b)(4)(E); or
“(II) a custodian of an entity as defined in section 701(b)(4)(F).
“(iii) Covered opinions.—The term ‘covered opinions’ means the opinions of the Foreign Intelligence Surveillance Court and the Foreign Intelligence Surveillance Court of Review authorized for public release on August 23, 2023 (Opinion and Order, In re Petition to Set Aside or Modify Directive Issued to [REDACTED], No. [REDACTED], (FISA Ct. [REDACTED] 2022) (Contreras J.); Opinion, In re Petition to Set Aside or Modify Directive Issued to [REDACTED], No. [REDACTED], (FISA Ct. Rev. [REDACTED] 2023) (Sentelle, J.; Higginson, J.; Miller J.)).
“(B) Limitation.—A directive may not be issued under paragraph (1) to a covered electronic communication service provider unless the covered electronic communication service provider is a provider of the type of service at issue in the covered opinions.
“(C) Requirements for directives to covered electronic communication service providers.—
“(i) In general.—Subject to clause (ii), any directive issued under paragraph (1) on or after the date of the enactment of the Intelligence Authorization Act for Fiscal Year 2025 to a covered electronic communication service provider that is not prohibited by subparagraph (B) of this paragraph shall include a summary description of the services at issue in the covered opinions.
“(ii) Duplicate summaries not required.—A directive need not include a summary description of the services at issue in the covered opinions if such summary was included in a prior directive issued to the covered electronic communication service provider and the summary has not materially changed.
“(D) Foreign intelligence surveillance court notification and review.—
“(i) Notification.—
“(I) In general.—Subject to subclause (II), each time the Attorney General and the Director of National Intelligence issue a directive under paragraph (1) to a covered electronic communication service provider that is not prohibited by subparagraph (B) and each time the Attorney General and the Director materially change a directive under paragraph (1) issued to a covered electronic communication service provider that is not prohibited by subparagraph (B), the Attorney General and the Director shall provide the directive to the Foreign Intelligence Surveillance Court on or before the date that is 7 days after the date on which the Attorney General and the Director issue the directive, along with a description of the covered electronic communication service provider to whom the directive is issued and the services at issue.
“(II) Duplication not required.—The Attorney General and the Director do not need to provide a directive or description to the Foreign Intelligence Surveillance Court under subclause (I) if a directive and description concerning the covered electronic communication service provider was previously provided to the Court and the directive or description has not materially changed.
“(ii) Additional information.—As soon as feasible and not later than the initiation of collection, the Attorney General and the Director shall, for each directive described in subparagraph (i), provide the Foreign Intelligence Surveillance Court a description of the type of equipment to be accessed, the nature of the access, and the form of assistance required pursuant to the directive.
“(iii) Review.—
“(I) In general.—The Foreign Intelligence Surveillance Act Court may review a directive received by the Court under clause (i) to determine whether the directive is consistent with subparagraph (B) and affirm, modify, or set aside the directive.
“(II) Notice of intent to review.—Not later than 10 days after the date on which the Court receives information under clause (ii) with respect to a directive, the Court shall provide notice to the Attorney General, the Director, and the covered electronic communication service provider, indicating whether the Court intends to undertake a review under subclause (I) of this clause.
“(III) Completion of reviews.—In a case in which the Court provides notice under subclause (II) indicating that the Court intends to review a directive under subclause (I), the Court shall, not later than 30 days after the date on which the Court provides notice under subclause (II) with respect to the directive, complete the review.
“(E) Congressional oversight.—
“(i) Notification.—
“(I) In general.—Subject to subclause (II), each time the Attorney General and the Director of National Intelligence issue a directive under paragraph (1) to a covered electronic communication service provider that is not prohibited by subparagraph (B) and each time the Attorney General and the Director materially change a directive under paragraph (1) issued to a covered electronic communication service provider that is not prohibited by subparagraph (B), the Attorney General and the Director shall submit to the appropriate committees of Congress the directive on or before the date that is 7 days after the date on which the Attorney General and the Director issue the directive, along with description of the covered electronic communication service provider to whom the directive is issued and the services at issue.
“(II) Duplication not required.—The Attorney General and the Director do not need to submit a directive or description to the appropriate committees of Congress under subclause (I) if a directive and description concerning the covered electronic communication service provider was previously submitted to the appropriate committees of Congress and the directive or description has not materially changed.
“(ii) Additional information.—As soon as feasible and not later than the initiation of collection, the Attorney General and the Director shall, for each directive described in subparagraph (i), provide the appropriate committees of Congress a description of the type of equipment to be accessed, the nature of the access, and the form of assistance required pursuant to the directive.
“(iii) Reporting.—
“(I) Quarterly reports.—Not later than 90 days after the date of the enactment of the Intelligence Authorization Act for Fiscal Year 2025 and not less frequently than once each quarter thereafter, the Attorney General and the Director shall submit to the appropriate committees of Congress a report on the number of directives issued, during the period covered by the report, under paragraph (1) to a covered electronic communication service provider and the number of directives provided during the same period to the Foreign Intelligence Surveillance Court under subparagraph (D)(i).
“(II) Form of reports.—Each report submitted pursuant to subclause (I) shall be submitted in unclassified form, but may include a classified annex.
“(III) Submittal of court opinions.—Not later than 45 days after the date on which the Foreign Intelligence Surveillance Court or the Foreign Intelligence Surveillance Court of Review issues an opinion relating to a directive issued to a covered electronic communication service provider under paragraph (1), the Attorney General shall submit to the appropriate committees of Congress a copy of the opinion.”.