Requiring the FBI to get a court order before it looks at its own legally acquired information is not just unnecessary—it’s also dangerous to our national security.
Editor’s Note: Portions of this article appeared in a paper prepared by the author for The Federalist Society.
Only two months remain before the most important operational statute in the national security area expires. Yet Congress struggles to agree on the terms of any extension.
Republicans and Democrats in both the Senate and House broadly concur that Section 702 of the Foreign Intelligence Surveillance Act, which lapses on April 19, is of critical value. Even so, there’s widespread acceptance of the need for some level of reform, in part to address past abuses of the statutory authority by the FBI. Members of Congress are sharply divided, however, over whether to amend the statute to require the FBI to obtain a court order before it looks in its computer database for Americans’ information incidentally acquired under that section.
While such a proposal might seem attractive, it’s misguided. Requiring the FBI to get a court order before it looks at its own legally acquired information is not just unnecessary but also, and more importantly, dangerous to our national security.
The Facts
Under Section 702 of the Foreign Intelligence Surveillance Act, about three percent of the surveillance targets in 2022—approximately 7,900 foreigners and no U.S. citizens—were relevant to what the FBI calls a “fully predicated national security investigation” (basically the most serious type of formal investigation). The emails and other communications of only those targets were sent to the FBI for inclusion in its Section 702 computer database, which contains information from prior years’ targets as well.
If it has a “specific factual basis” to believe an American individual or entity is the victim or otherwise related to that national security investigation, the FBI can search or “query” that database for that American’s name, email address, or other identifying information. As both an intelligence and a law enforcement agency, the FBI can also search the database for evidence solely of domestic crimes; but this rare use is likely to be eliminated in any Congressional reauthorization of Section 702.
Critics have labeled this querying “warrantless surveillance”—but that wrongly insinuates that a warrant might otherwise be legally required. Moreover, querying is not surveillance—no new communication is being acquired by the government, and no behavior is being newly monitored; the government is simply looking at something it lawfully obtained and put in its files. Another myth is that Section 702 allows the FBI to scour vast troves of Americans’ emails to their loved ones, their medical providers, or their religious advisers. For example, three members of the Privacy and Civil Liberties Oversight Board ominously noted that “Americans’ communications captured through surveillance can include discussions of political and religious views, personal financial information, mental and physical health information, and other sensitive data.”
Of course, surveillance in general can include such sensitive material. But this kind of statement is disingenuous if not misleading. Section 702 isn’t remotely aimed, directly or indirectly, at any such information about Americans. In the first place, it’s highly unlikely that such sensitive information would even be communicated by Americans to foreign national security targets. And if such information was communicated to foreign adversaries, overseas terrorists, international cybercriminals, or the like, there arguably is a heightened national security rationale to learn more about such connections, which should outweigh individual privacy concerns in balancing interests to meet the reasonableness test of the Fourth Amendment.
No Court Has Ever Said a Warrant Is Required
Every court to have expressly ruled on whether a warrant is needed for the FBI to query its Section 702 database for Americans’ information has said there is no such requirement. Although some like to suggest that this is a genuinely open question, there is indeed a judicial consensus on the point.
Significantly, the court most familiar with the specialized nature of these queries, the Foreign Intelligence Surveillance Court (FISC), explicitly rejected any such requirement in separate reviews in 2015, 2018, 2022, and 2023.
After noting that two federal district courts had similarly declined to impose a warrant requirement, one court of appeals reexamined the issue and stated that the act of querying should entail a separate Fourth Amendment analysis that might trigger a warrant requirement in some situations. But recognizing it did not have enough facts, it declined to rule on the question.
The court stated:
What kinds of querying, subject to what limitations, under what procedures, are reasonable within the meaning of the Fourth Amendment, and when (if ever) such querying of one or more databases, maintained by an agency of the United States for information about a United States person, might require a warrant, are difficult and sensitive questions. We do not purport to answer them here, or even to canvass all of the considerations that may prove relevant or the various types of querying that may raise distinct problems. US v. Hasbajrami, 945 F.3d 641 at 672-673 (2019) (emphasis added).
Tellingly, in the two most recent reviews of the issue—after explicitly considering the court of appeals discussion and amicus briefs on the point—the FISC declined both times to follow the court of appeals’ analysis.
Requiring a Warrant Requirement Won’t Advance Americans’ Privacy
Americans’ privacy is not being invaded in any meaningful way by FBI queries, even without a warrant. The only emails and communications of an American that are ever included in the FBI’s Section 702 database are those directly to or from foreign national security targets. While the number of Americans in contact with Islamic State recruiters, Chinese spies, or other foreign national security targets under Section 702 is unknown, it must surely be a miniscule fraction of the population.
Indeed, in response to most queries, especially in cybersecurity investigations, FBI agents don’t see Americans’ communications. The overwhelming number of queries don’t produce any Section 702 database hits at all—and even when they do, that doesn’t automatically mean agents see an American’s communications. More specifically, when a query yields a hit, the FBI’s computer systems at the first stage display only the frequency and nature of the contacts or references, not the content.
If an FBI agent wants to see the content (after complying with heightened requirements to do so), there are only two possibilities: One is that the agent will see a reference to the American person or company in a communication purely between foreigners, say, where two foreign ransomware criminals talk about targeting an American hospital. But this involves no communication of any American. The other possibility is that the specific emails or other communications directly between the American and the foreign target will be revealed. That might involve, for example, an email from an American replying to a Russian agent in a blackmail case. The important consequence is that only the individual communication directly to or from the foreign target is available to the FBI—not the entire email inbox of that American.
Recognizing that a warrant is not legally required but still seeking some compromise, a split Privacy and Civil Liberties Oversight Board proposed that after the FBI determined there was a hit in the 702 database, it should obtain a FISC order based on a showing of likely foreign intelligence information (the current standard) before it could access the content. That’s mostly privacy theater: A FISC judge is highly unlikely to disbelieve an affidavit that on its face asserts that a query is reasonably likely to retrieve foreign intelligence information.
Yet a more dangerous problem would be created if a new, higher standard for queries was imposed, such as probable cause to believe that the American is an agent of a foreign power or that evidence of a crime will be revealed. That would indeed have the effect of shielding many emails from the FBI, since an agent would rarely be able to establish probable cause at the early stages of an investigation—exactly the point at which the 702 database is used to find initial connections. But the Bureau would miss opportunities to uncover Americans who might be the victims or targets of foreign espionage or blackmail efforts, or Americans who are engaging with overseas narco-terrorists, for example.
A Warrant Requirements Will Damage Cybersecurity
Section 702 has proved vital to defending American companies and individuals from foreign cyberattacks; apparently about half of all FBI queries are cyber related.
Say, for example, a hospital sustained a ransomware attack. The FBI might immediately run a query involving an email address to see, for example, if a foreign ransomware gang whose members were Section 702 targets planned on attacking other hospitals in the same chain or city, or if the hospital CEO’s name was being talked about by the gang in anticipation of “doxing” exfiltrated medical records. A warrant requirement would be devastating in this example, since perpetrators of cyber-malevolence routinely hop (sometimes within hours) from one internet server to another to avoid detection. In an ongoing cyberattack, queries must often be run within hours and would rarely reveal the content of Americans’ emails or other communications. Yet requiring a warrant, which would take days to obtain, would render tardy queries useless, and advance no privacy interest at all, since no personal communications content would be involved. The most likely beneficiary of a warrant requirement in this example: a foreign ransomware gang.
A Warrant Requirement Will Endanger National Security and Counterterrorism Efforts
Imposing a requirement to obtain a warrant in the preliminary stages of an investigation—precisely when the Section 702 database is most useful—is contrary to the fundamental recommendations of national commissions on the 9/11 and Fort Hood terrorist attacks, which urged federal authorities to quickly “connect the dots” by looking at all information in the hands of the government. Citing this very point in its review of Section 702, the President’s Intelligence Advisory Board recently noted:
U.S. person queries are necessary in order to identify foreign threats to the homeland. … A U.S. person query serves as a preliminary exploratory tool to retrieve the most basic data needed to determine whether there is either a threat to a U.S. person or the nefarious involvement of a U.S. person.
Especially given the volume of cyber investigations, even under the new, more restrictive rules, the FBI would still run at least tens of thousands of queries annually, so the logistics of requiring a warrant would be a major impediment to that objective. Preparation of an affidavit, internal review, judicial consideration, and final issuance of a warrant would consume critical resources and take days or weeks, and might not even be possible if probable cause needed to be established.
A Better Solution Is Available
Unlike legislation involving social programs where it’s often possible to recalibrate if the original objectives aren’t achieved, a mistake in national security law that proves harmful can’t be undone. Congress should recognize the costs and risks of imposing a warrant requirement and continue to pursue the other solutions on the table to ensure that past abuses in FBI querying are not repeated. These solutions include a combination of increased oversight, stricter approvals, more audits, restrictions on the number of personnel who conduct queries, and greater training. Such a thoughtful and tailored approach will provide better safeguards for cybersecurity, national security, and Americans’ privacy.
It makes no sense to hobble the universally recognized effectiveness of the Section 702 program with a gratuitous warrant requirement, which will trivially affect the privacy of a tiny group of Americans but endanger the security of all Americans.
– Glenn S. Gerstell served as general counsel of the National Security Agency from 2015 to 2020 and writes frequently on the intersection of national security and technology. Published courtesy of Lawfare.