What CISOs need to know about the renewal of FISA Section 702

Section 702 of the Foreign Intelligence Surveillance Act sets out the rules for the US intelligence community around gathering information abroad—but is it inadvertently being used at home too?

In our hyperconnected world, multinational organizations operate within and across multiple nation-states. Those who do business within the United States will want to keep their eye on the status of Section 702 of the Foreign Intelligence Surveillance Act (FISA), which sets out procedures for physical and electronic surveillance and collection of foreign intelligence.

Section 702 specifically addresses how the US government can conduct targeted surveillance of foreign persons located outside the US, with the compelled assistance of electronic communication service providers, to acquire foreign intelligence information. Note that the act does not apply to US citizens—only foreign nationals abroad.

It's important for CISOs to understand the depth to which their communications into and out of the US are subject to surveillance. In addition, one must keep one’s eye on one-off requests by the intelligence and law enforcement communities to provide material support under the rubric of FISA Section 702.

The pending renewal of Section 702

On January 12, 2023, Paul Nakasone, the commander of US Cyber Command and National Security Agency (NSA) director, urged Congress to renew Section 702, which expires on December 31, 2023. Speaking before the Privacy and Civil Liberties Oversight Board’s public forum on Section 702, Nakasone said emphatically: “Section 702 cannot be used to target Americans anywhere in the world or any person inside the United States regardless of nationality. No exceptions.”

He continued, that “under Section 702, both national security and civil liberties and privacy are preserved and protected. It is an ‘and’ and not an ‘or’ that connects these two important goals. Neither is compromised for the other. 702 authorities provided exquisite foreign intelligence that is focused on non-US persons outside the United States and specific invaluable insights that protect our nation, intelligence that cannot be obtained through other means.”

In September 2022, the Privacy and Civil Liberties Oversight Board (PCLOB) requested public comments “regarding questions it should explore, and recommendations it should consider making” in preparation for their work to advise Congress on the efficacy of Section 702. There were 10 comments submitted.

Four key comments on Section 702

I selected four to share below. I posit these are emblematic of the tenor, tone, and focus on the need for the PCLOB to use this opportunity between now and when Section 702 expires on the need for Congress to tighten up the authorities conferred within the current implementation.

Industry, privacy, and civil liberty groups are unhappy with the current implementation and do not see the “successes” in the same manner Nakasone describes. In sum, they believe US individuals and others operating within the US are unwittingly subjected to surveillance by the NSA, FBI, and others under the auspices of Section 702.

The Brennan Center for Justice at the NYU School of Law submitted an opinion piece that highlighted the shortcomings of Section 702, including mission creep and allegations of FBI overreach with respect to implementation. The center recommends that the PCLOB assist in developing reforms and recommend changes to Congress that “will bring Section 702 surveillance in line with US constitutional rights and legitimate privacy expectations.”

The Center for Democracy and Technology calls Section 702 “a massive and powerful surveillance system,” yet notes that “lawmakers and the public lack key information about how it affects civil rights and civil liberties.” It posited in a comment document several recommendations of items for the PCLOB to investigate and report on, some of which are worthy of approbation and summed up here:

• Why there has been a significant increase in Section 702 targets in recent years, and how much this has amplified incidental or mistaken collection of communications unrelated to foreign intelligence?
• Why the Office of the Director of National Intelligence reversed a commitment to estimate how many US persons were affected by Section 702 and advocate in the strongest terms possible for that to be publicly released before it expires.
• What methodologies the intelligence community could use to better understand and report on the degree to which Section 702 incidental collection—as well as other components of FISA—disproportionately affects racial and ethnic minorities, religious minorities, immigrants, and other marginalized communities. Also, to what degree do First Amendment-protected activities and membership of protected classes such as race, ethnicity, and religion affect targeting decisions.
• To what extent would limiting Section 702 surveillance to attacks, sabotage, international terrorism, weapon of mass destruction proliferation, and clandestine intelligence activities of a foreign power hamper national security?
• What is the full range of domestic law enforcement investigations in which Section 702 data has been queried or used, and how frequently is information collected under Section 702 used for domestic policing?

The center also had several policy recommendations for the PCLOB. Included among those were:

• That it support legislative reforms that significantly limit the degree to which membership of protected classes or exercise of First Amendment-protected activities can be the basis of FISA targeting designations.
• Whether the new Signals Intelligence Executive Order bars any surveillance activities previously conducted under Section 702, or if the purposes authorized in the Signals Intelligence Executive Order fully encompass the existing purposes for which Section 702 is used.
• That it support legislative reforms that close existing loopholes and properly limit use of Section 702 for domestic law enforcement. Use limits should focus on a narrow set of national security and public safety priorities, be clearly enumerated rather than subject to broad interpretation by the Executive and apply to all stages of domestic law enforcement activities and investigation, rather than just court proceedings.

Princeton University urged the PCLOB to explore the question: “How has the intelligence community implemented the provision of Section 702 that addresses quantitatively estimating incidental collection of US person communications?” In addition, they recommended that the board “should independently evaluate methods for estimating incidental collection and, if it identifies a viable method, recommend implementation by the intelligence community in advance of the December 2023 sunset.”

The Open Technology Institute urged the PCLOB to strive for greater transparency regarding the Section 702 efforts and surrounding the rules dealing with US surveillance. The OTI is spot-on with their urging that “collection is proportionate to the intelligence needs.”

Understanding FISA Section 702

Section 702 is a complex tool that sets out just how the US intelligence community can gather intelligence on foreign nationals abroad, but CISOs should be aware of its limitations and acquaint themselves with how it works. That watchdog organizations are flagging that people and entities within the US may be targeted inadvertently or otherwise by the intelligence community should be a matter of concern, especially for organizations that operate around the world.

As the Center for Democracy and Technology notes: “Section 702 has a tremendous impact on the privacy and civil liberties of individuals both in the United States and across the world.” With the section set to expire at the end of 2023, “now is a critical time to review current practices under the law and consider potential reforms that would strengthen civil rights and civil liberties,” the Center states.

Just so—now is also a good time for CISOs to ensure they understand and are watching the process to renew this controversial section of FISA.