In December 2023, the House Permanent Select Committee on Intelligence (HPCSI) unsuccessfully tried to expand the government’s authority under FISA 702 by permitting it to compel a broader swath of U.S. companies and persons to assist in such surveillance. We described that effort here. Ultimately, the HPSCI-sponsored bill (the FRRA) was pulled from the floor without receiving a vote.
HPSCI is back with a new effort, with the same goal—to overrule decisions of the Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence Surveillance Court of Review (FISCR) interpreting the current statutory definition of “electronic communication service providers” (ECSPs) eligible to receive FISA 702 directives much more narrowly than the government wanted. Consistent with the plain statutory language, those decisions appear to have excluded from compelled assistance under FISA 702 non-communication service providers who lack direct access to communications streams but who merely have access to equipment on which communications are transmitted or stored.
As described in our prior blog post, the FRRA painted with too broad a brush and would have permitted the government to compel assistance not only from data centers, colocation providers, and business landlords, but also from operators and employees of shared workspaces, hotels where guests connect to the Internet, as well as from any third party involved in providing equipment, storage, or even cleaning services to such entities. It did so by dropping the requirement that the recipient of a FISA 702 directive be a “communication” service provider, by expressly making access to equipment alone enough for eligibility, and by adding the term “custodian” as a person that could be asked to provide assistance.
The new amendment is a marginal improvement over the last go-around, but it is still problematic. It is not a change that “narrowly updates the definition of electronic communication service provider under Section 702.” Like the FRRA, it: (1) drops the qualifier “communication” from the class of covered “service providers;” (2) makes access to communications-carrying equipment enough to establish eligibility; and (3) adds “custodian” to the list of individuals who can be forced to provide assistance. But unlike the FRRA, it then enumerates a list of business types that cannot be considered ECSPs, including public accommodations, dwellings, restaurants, and community facilities.
The new amendment would — notwithstanding these exclusions — still permit the government to compel the assistance of a wide range of additional entities and persons in conducting surveillance under FISA 702. The breadth of the new definition is obvious from the fact that the drafters felt compelled to exclude such ordinary places such as senior centers, hotels, and coffee shops. But for these specific exceptions, the scope of the new definition would cover them—and scores of businesses that did not receive a specific exemption remain within its purview.
And even with these specific exceptions, the definition would include, for example, the owners and operators of facilities that house equipment used to store or carry data, such as data centers and buildings owned by commercial landlords, who merely have access to communications equipment in their physical space. It could also include other persons with access to such facilities and equipment, including delivery personnel, cleaning contractors, and utility providers. It also means that any U.S. business could have its communications (if one side is foreign) tapped by a landlord with access to office wiring, or the data centers where their computers reside, even if it eliminates the possibility that the same surveillance could be conducted with the assistance of hotels, restaurants, or community centers. For a specific hypothetical example of how this surveillance could occur, see our prior blog post. That’s not a “narrow” change.
Does the new HPSCI amendment represent a significant expansion of the universe of 702 recipients? Absolutely. Like the FRRA, it would go a long way toward effectively restoring the broad assistance provision of FISA 702’s predecessor, the Protect America Act, which Congress specifically rejected when it originally enacted FISA 702 in 2008. While it would (relative to the FRRA) reduce the likelihood that individual U.S. persons’ communications could be collected by someone other than their communication service providers, it’s still a clear play for more access to communications among businesses that employ many U.S. persons.
Most problematically, it would expand the use of warrantless surveillance under FISA 702 into a variety of new contexts where there is a particularly high likelihood that the communications of U.S. citizens and other persons in the U.S. will be “inadvertently” acquired by the government. This amendment will expand the government’s use of FISA 702 to acquire communications. Congress should be fully aware of that when it considers this amendment.