On August 23, 2023, the Office of the Director of National Intelligence (ODNI) and Department of Justice (DOJ) released redacted versions of a 2022 Foreign Intelligence Surveillance Court (FISC) Opinion and Order and related 2023 Opinion of the Foreign Intelligence Surveillance Court of Review (FISC-R) regarding whether a provider of certain services is an “electronic communication service provider” (ECSP) under the Foreign Intelligence Surveillance Act (FISA).
The dispute concerns an unnamed provider (“Provider”) who received an order from the government (so-called Section 702 orders) and challenged its own status as an ECSP before the FISC. The FISC determined that the provider in question did not satisfy the definition of an ECSP after conducting a per-service analysis of the provider’s services.
The inquiry is significant because when a provider is an ECSP as defined by FISA, the provider must comply with a government directive requiring the provider’s assistance in the acquisition of foreign intelligence.
The declassified opinions reveal that the FISC-R affirmed the FISC’s decision and per-service analysis, confirming that it is the service being rendered – and nothing else about the provider – that is the crux of any definition of ECSP.
FISA Section 702 Orders
Section 702 authorizes the Government to direct an ECSP to provide the assistance necessary to accomplish the acquisition of foreign intelligence.
To accomplish this, Section 702 provides procedures under which the government may target non-US persons located outside the United States without a warrant supported by probable cause. Specifically, pursuant to Section 702:
“upon the issuance of an order . . . the Attorney General and the Director of National Intelligence may authorize jointly, for a period of up to 1 year from the effective date of the authorization, the targeting of persons reasonably believed to be outside the United States to acquire foreign intelligence information”
For the FISC to issue an order, the Attorney General and DNI must provide the FISC with a certification that includes, among other things, an attestation that “the acquisition involves obtaining foreign intelligence information from or with the assistance of an electronic communication service provider.”
The definition and circumstances of when a provider constitutes an ECSP is at the center of this dispute, raising two issues of first impression for the FISC-R.
Provider’s Challenge to ECSP Status
Provider challenged the Section 702 order and argued that it was not an ECSP under 50 U.S.C. § 1881(b)(4)(B) or (D):
- (B) defines an ECSP as “a provider of electronic communication service, such as that term is defined in section 2510 of title 18.” In other words, it borrows the Electronic Communication Privacy Act’s (ECPA) definition of ECSP.
- (D) defines an ECSP as “any other communication provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored.”
Provider’s supporting arguments were not declassified, but the opinion shows the broad contours of its legal positions. First, Provider asserted that it was not an ECSP under (B)’s definition because it did not give users the ability to send or receive wire or electronic communications. Second, Provider argued it was not an other communications service provider because it did not have “access” to communications as they were transmitted or stored, which fell short of the requirement under (D).
In rebuttal, the government claimed Provider was an ECSP under both disputed definitions. Specifically, the government contended that courts broadly interpret (B)’s statutory definition, which encompassed Provider’s service, and that the plain meaning of “access” under (D)’s definition likewise covers Provider’s service.
The FISC determined that Provider was not an ECSP under either statutory prong because Provider’s service is not the type of service that courts have found to satisfy the definition of ECSP under (B), and Provider does not provision its service(s) in a manner sufficient to satisfy (D).
The government appealed the FISC’s opinion and order, presenting the FISC-R with two issues of first impression: the meaning of ECSP under both (B) and (D).
Provider of Electronic Communication Service
For the first issue, the FISC-R analyzed the ECPA’s body of case law reviewing the meaning of “electronic communication service” (ECS). In its review, the FISC-R found that courts have traditionally found network service providers (e.g., telephone companies, Internet or e-mail service providers, and bulletin board services) to be providers of ECS. But this understanding grew to include web hosting and social network services, too, before ultimately growing again to cover novel services and providers. Thus, the definition is not limited to what courts have found, and evolving technology will make more providers an ECS in unique ways.
In search of a rule or common thread, the FISC-R dissected several cases that challenged courts’ understandings of the definition of ECS. These included, for example, car companies and cruise ships that offered communications services in a manner sufficient to make them providers of ECS, even though the services may have been ancillary to the companies’ main business services. The court also reviewed precedent where services did not satisfy the statutory definition, despite relating in some way to communications (including, for example, cell phones and personal computers).
According to the court, the central inquiry is whether a provider’s specific service gives its users the ability to send or receive wire or electronic communications. Though the specifics are unknown, the FISC-R was unequivocal that Provider’s services did not rise to that level.
Other Communication Service Provider with “Access” to Wire or Electronic Communications in Transmission or Storage
Analyzing the second issue, the FISC-R considered the meaning of “access” under subparagraph (D). The FISC-R held that Provider is not an ECSP under this definition primarily because it did not have a sufficient level of access to communications.
The FISC-R engaged in a discussion on statutory interpretation and weighed the government’s argument for a plain-meaning reading of “access.”However, the FISC-R ultimately assigned a technical meaning to the term “access.”
The FISC-R found support in the technical reading of “access” from the landmark decision Van Buren v. United States, which analyzed access under the Computer Fraud and Abuse Act (CFAA). In addition, the court noted that consideration of FISA’s other assistance provisions reinforces its decision to impute a technical meaning to the statute’s use of “access.” While the rest of the analysis is redacted, FISA does contain other assistance provisions such as 50 U.S.C. 1805(c)(2)(B) and 50 U.S.C. 1824(c)(2)(B), which permit an order compelling any “specified person [to] furnish . . . all information, facilities, or technical assistance necessary to accomplish the electronic surveillance” or physical search, and therefore are broader than the assistance provision under Section 702.
Takeaways for Service Providers
The FISC’s and FISC-R’s analyses provide new support for service providers that seek to challenge their status as an ECSP under FISA. Service providers are more likely to successfully challenge a Section 702 order when: (1) the service in question does not facilitate users’ ability to send or receive communications; or (2) the provider is an “other” communication service provider (i.e., not a provider of ECS or RCS) that lacks technical access to communications to assist the government.
Modern technology companies increasingly offer a wide variety of products and service, some of which may qualify the company as an ECSP, and others not. The FISC and FISC-R decisions are impactful because they show that these companies – which are commonly the “providers” targeted by Section 702 orders – can successfully challenge compelled government assistance when an order fails the per-service analysis outlined by the FISC and FISC-R.