Lawfare › Senator Leahy’s NSA Reform Bill: A Quick and Dirty Summary

As Wells reported this morning, Senate Judiciary Committee Chairman Patrick Leahy unveiled his version of the NSA reform bill today. Leahy’s bill is important because, well, it’s not just Leahy’s bill. It’s the bill. It represents a compromise between the intelligence community, the administration more generally, civil liberties groups, industry, and fairly wide range of senators. And it will be the legislative vehicle that’s going to move forward with the sometimes nose-holding support of most of the major parties. It thus warrants close attention.

Leahy’s 97-page bill is decidedly tougher in its requirements on NSA than was the 43-page bill the House of Representatives passed back in May, the perceived laxness of which had drawn vociferous objections from civil libertarians. Leahy’s bill, by contrast, has civil libertarian hearts aflutter. On Sunday, even before the bill’s public release, the New York Times editorial page issued a ringing endorsement, commending it as “a breakthrough in the struggle against the growth of government surveillance power.” The ACLU also has endorsed the bill, in rather strong terms:

To put this in historical context: If the Senate passes the bill, it will be the first time since passage of the Foreign Intelligence Surveillance Act in 1978 that the chamber has taken action to constrain the intelligence community, and the first time Congress has a real shot at restoring the crucial privacy protections lost in the Patriot Act. To quote Joe Biden during the signing of the healthcare bill, “This is a big f—ing deal.”

But the administration also makes significant gains here. Most importantly, it codifies an authority that is now highly contested, and it pushes back a scheduled sunset of that authority that is approaching rather quickly.

In this post, we refrain from opining on the bill’s merits and instead describe what it would do, how it differs from the House bill, and where in the bill lie the major advances that make the various parties with stakes in NSA reform all line up behind it.

Like the House bill, the Senate bill bans bulk collection under Section 215 of the Patriot Act. Section 101 of Leahy’s Senate bill would, like its House counterpart, accomplish this by requiring that FISA business records applications—whether for tangible things, call detail records, or something else—be based on a “specific selection term.” And Section 101 would incorporate the same language the House bill set forth with respect to ordering production of information within two hops of a specific selection term: the government would be able to use (1) a specific selection term to order production of a first set of call detail records, the first hop; or (2) “call detail records with a direct connection to such specific selection term” to order production of a second set of call detail records, the second hop. 

But “specific selection term” has a much narrower meaning in the Senate bill than in the House bill. Section 107 would define “specific selection term” generally as a term that “specifically identifies a person, account, address, or personal device”—which matches the House language. But the Senate definition goes on to require not only that a specific selection term “limit the scope of information or tangible things,” as the House bill would require, but that it should “narrowly limit the scope of tangible things sought to the greatest extent reasonably practicable, consistent with the purpose for seeking the tangible things” (emphasis added). What’s more, the Leahy bill would exclude terms that do not narrowly limit in such a manner as specific selection terms. Examples of impermissible specific selection terms include terms “based on a broad geographic region, including a city, State, zip code, or area code, when not used as part of a specific identifier,” as well as terms “identifying an electronic communication service provider . . . or a provider of remote computing service, when not used as part of a specific identifier . . . unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.”

The tighter definition of “specific selector requirement” created a problem for the government: What happened, say, if the government knew a terrorist was staying a hotel and making calls from it, but didn’t know which guest he was? Under these standards, it would not be able seek call detail records for all of the guests in the hotel. This is hardly bulk collection in the sense that worries Glenn Greewald and others, but would seem to be precluded by a law that restricts collection to the identification of individual accounts or people.

The Senate bill offers a novel solution to this problem, one based on minimization procedures. The House version directs the government to “adopt minimization procedures that require the prompt destruction of all call detail records” determined not to be “foreign intelligence information,” and Leahy’s bill retains that common-sense requirement. Section 103 of the Senate bill, however, adds further minimization procedures for “orders in which the specific selection term does not specifically identify an individual, account, or personal device.”

In other words, the government could get a block of call records from all guests at the hypothetical hotel, but in such cases, the law would require procedures that would “prohibit the dissemination” and “require the destruction within a reasonable time period” of “any tangible thing or information therein that has not been determined to relate to a person” belonging to a certain list—including “a subject of an authorized investigation,” “a foreign power or a suspected agent of a foreign power,” or a person “reasonably likely to have information about the activities of a subject of an authorized investigation.”

Section 101 goes on to introduce specific procedures for applications to obtain call detail records. As compared to the House bill, the Leahy bill would raise the bar on what such applications must state. In both versions, there are two general requirements: (1) “reasonable grounds to believe” the call detail records are relevant to an investigation; and (2) “a reasonable, articulable suspicion” that a specific selection term is associated with a foreign power.

The House and Senate agree as to the first requirement, both requiring that applications would have to state “reasonable grounds to believe that the call detail records sought to be produced based on [a] specific selection term . . . are relevant to [an authorized] investigation.” They differ, however, as to the second. Whereas the House version would require that there are “facts giving rise to a reasonable, articulable suspicion,” the Senate would demand simply “a reasonable, articulable suspicion.” More importantly, whereas the House version would require that there must be a reasonable, articulable suspicion that a specific selection term is “associated with a foreign power or an agent of a foreign power,” the Senate bill would require the specific selection term to be “associated with a foreign power engaged in international terrorism or activities in preparation therefor; or an agent of a foreign power engaged in international terrorism or activities in preparation therefor” (emphasis added). This would effectively limit call records acquisition to counterterrorism—something the current 215 program is but the House bill would not have required in the future.

Not only would the Senate bill provide a higher application threshold than the House bill for call detail records, it would also contain more specific prohibitions than the House bill does concerning what a “call detail record” may include. Although both the House and Senate bills would specify that a call detail record may not include the address of a subscriber or customer, Section 107 of Leahy’s bill clarifies that the term “address” is not confined to a mailing address: it can also be “a physical address or electronic address, such as an electronic mail address, temporarily assigned network address, or Internet protocol address.”

Under current FISA, persons ordered to produce tangible things must also comply with “nondisclosure orders,” which may be challenged in certain circumstances. Section 104 would make it easier to challenge or set aside such nondisclosure orders. First, the provision would nix FISA’s current ban on challenging a nondisclosure order for a one-year period after the issuance of the relevant production order. Second, the section would eliminate the Attorney General and FBI’s ability to issue a certification—which is treated as conclusive by a judge considering a petition to modify or set aside a nondisclosure order—that disclosure may endanger the national security of the United States or interfere with diplomatic relations. Under current FISA, such a certification can all but end a judge’s consideration of a challenge to a nondisclosure order.

Like the House bill, the Leahy bill contains protections for those ordered to produce tangible things or provide information, such as internet service providers. Section 105 immunizes such persons from liability, while Section 106 requires the government to compensate such persons for “reasonable expenses incurred” in complying with production orders.

Section 108 outlines the Inspector General’s duties to audit the minimization procedures used in making production orders and to report the results of the audit.

Critically for the government, Title VII of the bill amends the Patriot Act sunset date from the middle of next year to the end of the 2017, harmonizing the business records sunset with those of the Section 702 authorities.

Put simply, there are wins and losses here for all sides (except industry, for which Title I is almost all win). Civil libertarians get a tighter definition of “specific selection term” over the House’s version—and various tightenings of other provisions as well. They get an end to bulk collection and a substantive rollback of the metadata collection. The administration, meanwhile, gets codification of its authority to do contact chaining using call records. And it gets relief from the fast-approaching 2015 sunset of the Section 215 authority. Industry, for its part, gets an important absence—perhaps the biggest loss for the government in the entire legislation: The bill contains no requirement that telecommunications carriers retain call record data.

Title II deals with pen register and trap and trace devices under FISA. In similar fashion as Title I handles call records, Section 201 would ban bulk collection from such programs by imposing the requirement that “a specific selection term . . . be used as the basis for the installation or use of the pen register or trap and trace device.” Section 202 would demand privacy protections beyond those for which the House bill would provide.

Title V applies the “specific selection term” requirement to various other provisions in the U.S. Code that would otherwise permit the FBI to issue bulk collection national security letters. In Section 501, the Senate bill would, like the House bill, replace bulk collection with specific selection term requirements in four areas: (1) counterintelligence access to telephone toll and transactional records, 18 U.S.C. § 2709(b); (2) access to financial records for certain intelligence and protective purposes, 12 U.S.C. § 3414(a)(2); (3) disclosures to FBI of certain consumer records for counterintelligence purposes, 15 U.S.C. § 1681u; and (4) disclosures to governmental agencies for counterterrorism purposes of consumer reports, 15 U.S.C. § 1681v.

Section 502 of the Senate bill then goes further than the House bill by establishing circumstances under which persons issued national security letters may be subject to nondisclosure requirements. In brief, the bill would more or less forbid disclosure in instances in which the FBI certifies that failing to forbid disclosure could result in “a danger to the national security of the United States”; “interference with a criminal, counterintelligence investigation”; “interference with diplomatic relations”; or “danger to the life or physical safety of any person.” However, the bill would permit persons subject to nondisclosure requirements to request judicial review.

Title III briefly touches upon Section 702 collection. Section 301 of the Senate bill tracks the House bill closely and would prohibit the use in trials, investigations, or regulatory proceedings of information obtained through procedures deemed by a FISA Court to be “deficient.” An exception to the rule would arise where the government “corrects any deficiency” and a FISA Court allows its use under minimization procedures. Curiously missing in Title III, however, is language present in the House version relating to minimization procedures for 702 collection. Whereas the House bill emphasized the need to “minimize the acquisition, and prohibit the retention and dissemination, of any communication as to which the sender and all intended recipients are determined to be located in the United States at the time of acquisition,” the Senate bill is silent.

The absence of any substantial change to 702 is a significant win for the administration.

Title IV of the Leahy bill offers three key reforms to the FISA Court system. First, Section 401 clarifies the role of a FISA Court-appointed amicus curiae. Civil libertarians had criticized the House bill for authorizing only an amicus presentation by non-government counsel, rather than creating a public advocate who could intervene on his own.

The Senate version also falls short of a full public advocate model but it goes further than the House bill, which made the appointment of amicus solely a function of the FISA Court’s judgment in any given case. The Senate bill, by contrast, would require the FISA Court to consult with the Privacy and Civil Liberties Oversight Board (PCLOB) to “jointly appoint not fewer than 5 attorneys to serve as special advocates.” The bill then would require that the court “shall designate” one of the special advocates as an amicus to assist the court “in the consideration of any certification . . . , or any application for an order or review that . . . presents a novel or significant interpretation of the law.” But there’s an escape hatch, one on which Steve Vladeck has written with respect to the House bill: the court can avoid designating an amicus by “issu[ing] a written finding that such appointment is not appropriate.” The language, in other words, still leaves the appointment of outside counsel up to the FISA Court, but it creates a stronger presumption in favor of outside involvement and involves the PCLOB institutionally in the appointment of special advocates.

Moreover, Section 401 affords the special advocate substantial duties and powers not present in the House bill. For instance, the amicus “shall advocate, as appropriate, in support of legal interpretations that advance individual privacy and civil liberties” and “shall have access to all relevant legal precedent” and any other materials that are relevant to the special advocate’s duties. Moreover, the advocate “may request that the court appoint technical . . . experts, not employed by the Government” to “assist” the advocate. Both the special advocate and any experts appointed to assist the special advocate would have access to classified information, so long as they would be eligible for such access and access would be consistent with national security.

This is a mixed bag, in other words. Civil libertarians have gotten stronger presumptions of amicus participation, and they have won an institutionally stronger amicus in a number of ways. But the advocate is still an amicus and cannot intervene on his or her own authority.

Second, Section 401 would establish additional procedures for appellate review of FISA Court decisions. The Senate bill would require review by the FISA Court of Review in instances where an order addresses a “question of law” that potentially challenges the “need for uniformity,” as well as where such review “would serve the interests of justice.” In turn, the FISA Court of Review would be permitted to certify “a question of law to be reviewed by the Supreme Court of the United States” in any decision that approves a government application. Upon certification, the Court of Review would be able to designate a special advocate to provide briefing.

This is a big deal. For a number of reasons, the FISA Court has tended to be the final word on a lot of questions it considers. This will change that, involving more often the largely-dormant FISA Court of Review and potentially involving the justices in FISA interpretations from which they have always stayed away.

Finally, Section 402 of the Leahy bill would, like the House version, require the DNI to perform declassification review of any opinion that “includes a significant construction or interpretation of law, including any novel or significant construction or interpretation of the term ‘specific selection term.” The DNI would be obliged to “make publicly available to the greatest extent practicable” all such opinions.

Finally, Title VI lays out a whole series of new disclosure obligations on the part of the government and gives companies permission to publish data about their interactions with the intelligence sector. Sections 601 and 602 require governmental disclosure of extensive data on the number of orders and certifications sought and received—and estimates of the number of people targeted and affected by surveillance—under a number of different FISA authorities. Section 603 gives companies ordered to produce material the ability to publish aggregated data on the number of orders they received. The disclosures contemplated by Title VI would add a significant amount of data to the public discussion—significantly more than would the analogous provisions in the House bill. But at the same time, the bill would also exempt the FBI from several disclosure requirements. Still, Leahy’s Title VI represents a significant win for civil libertarians and for industry, the latter of which has been itching to publish more data by way of alleviating overseas anxieties about the degree of its cooperation with NSA.

In short, the trade throughout this bill seems to be institutionalization of governmental authority in exchange for regulation the government will regard as burdensome and a great deal of transparency. Whether this works ultimately in favor of the government or the civil libertarians probably depends on whether industry ends up maintaining call records—in which case the institutionalization of governmental access to them will probably prove more important than the added hurdles attached to that access. If, on the other hand, industry stops maintaining these records, government will have won the authority to access records that no longer exist.

 

http://www.lawfareblog.com/2014/07/senator-leahys-nsa-reform-bill-a-quick-and-dirty-summary/