Yesterday the House Permanent Select Committee on Intelligence unanimously approved the FISA Reform and Reauthorization Act of 2023 (FRRA), which would reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA 702). The full House is expected to vote on this bill next Tuesday. Like other competing reauthorization bills that have been introduced (see here and here), the FRRA would impose new restrictions on the government’s access to and use of information about U.S. persons that has been incidentally acquired pursuant to FISA 702, a provision that permits the government to conduct warrantless surveillance of non-U.S. persons located outside the United States.
Although the FRRA is ostensibly a reform bill, it contains one notable provision that would significantly expand the government’s authority under FISA 702 by broadening the definition of “electronic communication service providers” (ECSPs) whom the government may compel to assist in FISA 702 surveillance. The statutory definition of ECSP currently covers:
(1) a telecommunications carrier;
(2) a provider of an electronic communication service or a remote computing service, as defined in the Electronic Communications Privacy Act;
(3) “any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored”; and
(4) an officer, employee, or agent of any such entity.
Section 504 of the FRRA would broaden the “catch all” definition in (3) above to cover:
“any service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored or equipment that is being or may be used to transmit or store such communications.”
Section 504 would also expand the definition in (4) above to include not only an officer, employee, or agent of an ECSP, but also any “custodian” of such an entity.
These changes would vastly widen the scope of businesses, entities, and their affiliates who are eligible to be compelled to assist 702 surveillance. By including any “service provider”—rather than any “other communication service provider”—that has access not just to communications, but also to the “equipment that is being or may be used to transmit or store . . . communications,” the expanded definition would appear to cover data centers, colocation providers, business landlords, shared workspaces, or even hotels where guests connect to the Internet. And the addition of the term “custodian” in (4) above could be understood to sweep in any third party involved in providing equipment, storage, or even cleaning services to such entities.
The FRRA’s new definition of ECSP would effectively overrule recent decisions of the Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence Surveillance Court of Review (FISCR) that interpreted the current “catch all” definition much more narrowly, seemingly to exclude those communication service providers who merely have access to equipment on which communications are transmitted or stored. The expanded definition would also effectively restore the broad assistance provision of Section 702’s predecessor, the Protect America Act, which Congress specifically rejected when it originally enacted Section 702 as part of the FISA Amendments Act. The new definition, when combined with NSA’s ability to conduct “upstream collection,” could give the government warrantless access to any communication system in America through which any one-side-foreign communication could be found.
If the FRRA is enacted in its current form, the broadened definition of ECSP could put U.S. companies that offer co-location computer storage and commercial landlords at a competitive disadvantage to foreign service providers and property owners given the possibility that customer or tenant communications could be obtained from them.
UPDATED – December 12, 2023:
Since the posting of this blog, we have been asked about a variety of topics related to this potential expansion of 702. First, we agree that the expansion cannot be used to target Americans and we never suggested otherwise. But it can be used to obtain many communications in which Americans participated or are discussed. This collection occurs when a properly targeted non-U.S. person located abroad communicates with a U.S. person or refers to a U.S. person in communications with others. In addition, the expansion of the definitions in the proposed bill is specifically problematic with regard to the part of 702 collection known as “Upstream Collection.” As of 2021, NSA acquired approximately 85.3 million Internet transactions per year from upstream collection. See Privacy and Civil Liberties Oversight Board report on 702 at 61. The amount of U.S. person traffic contained in these communications is unknown, but likely quite extensive. The intelligence community to date has said that it would be infeasible to provide an estimate of this. In response, the PCLOB has warned that such collection “should not be understood as occurring infrequently or as an inconsequential part of the Section 702 program” and it recommended that the NSA be required to provide such estimates. See id. at 10, 13.
Various supporters of the new legislation have pushed back on our concerns about the new bill, claiming that it is merely “intended to modify the statute to ensure that it remains relevant to ever-evolving communications technology.” That response is quite misleading. By dropping “other communication service” from the definition, it is specifically designed to apply to non-communication service providers. Eliminate that change from the bill, and the supporters would be on firmer ground. But that single amendment confirms their intentions to expand the bill into the scenarios we described in our original blog post.
Second, we have been asked to describe more fully a hypothetical scenario where this change would come into play. Consider this one: a Fortune 100 U.S. company has a foreign-based Board Member on its Board of Directors, and it also has a foreign-based affiliate. The U.S. company rents space in One Vanderbilt in NYC, a Class A building with pre-wired connectivity to a communications center in the building where each tenant’s wiring connects to the internet. The USG wants to target either the communications of the foreign-based director or other executives of the foreign affiliate who are located outside the U.S. but who communicate with their U.S. counterparts. Using upstream collection authority, it goes to the owner of One Vanderbilt and asks for access to the equipment and/or the wires in the building that would have the communications stream between the U.S. company and its overseas Board Member and/or the foreign affiliate. The change to 702 would likely allow that entire communication stream to be routed off to secret government equipment so that the communications between the U.S. company and its foreign director and its foreign affiliate could be examined even though the landlord isn’t a communication service provider. This could be allowed under the new bill merely because the landlord has access to the communications equipment of the tenant or even the wires in the building. And if the government doesn’t want to go to the landlord, it could go to the U.S. company’s managed security service provider, cleaning service, or shredding company, all of whom are service providers with access to the equipment. And it is no answer to say that this is not what the current administration intends to do. The law has to be written so it cannot be abused by whoever the next inhabitant of the White House happens to be.