JURIST Guest Columnist Fred Cate of Indiana University School of Law Bloomington says that a series of dramatic moves over the past five years - most recently the passage of the Protect America Act - has weakened statutory and judicial oversight of domestic surveillance to the point that one wonders whether, by the time the Bush Administration and Congress are finished, there is going to be any legal oversight of domestic surveillance at all...
The government conducts surveillance outside of the United States without statutory (or apparently constitutional) constraint, but within the nation's borders, surveillance is regulated by two statutes. FISA permits the Attorney General to authorize domestic electronic surveillance (and physical searches) of foreign powers, but requires recourse to the Foreign Intelligence Surveillance Court where U.S. persons who are acting as the agents of foreign powers are involved and a "significant purpose" of the surveillance is to obtain foreign intelligence information. The Electronic Communications Privacy Act applies to all other domestic surveillance.
Or so we thought until December 16, 2005, when the New York Times revealed that the National Security Agency was intercepting communications within the United States and without complying with either FISA or ECPA. In the face of the ensuing controversy, the Bush Administration acknowledged the existence of the "Terrorist Surveillance Program," which it described as involving communications into and out of the United States where there is a "reasonable basis to conclude that one party to the communications is a member of al Qaeda, affiliated with al Qaeda, or a member of an organization affiliated with al Qaeda." Rather than seeking review by a court, as required by statute, the Administration was operating pursuant to an order by the Attorney General that was renewed "approximately every 45 days."
In an effort to blunt the controversy over the TSP, the Administration agreed in January 2007 to subject it to the oversight of the FISC, the eleven-judge court responsible for authorizing surveillance under, and ensuring compliance with, FISA. But in May 2007, a FISC judge refused to renew a "basket warrant" (under which the Court would authorize surveillance on a programmatic, rather than a case-by-case basis). The Administration responded by withdrawing its commitment to comply with FISA and seek review by the FISC of surveillance conducted under the TSP, and demanding that Congress enact statutory authorization that would not require future recourse to the FISC.
Congress responded in August with the Protect America Act of 2007, which permits the Director of National Intelligence and the Attorney General to authorize surveillance "directed at a person reasonably believed to be located outside of the United States," whether or not the person is an agent of a foreign power. The role of the FISC is reduced to reviewing the Attorney General's procedures for implementing the Act to determine whether they are "clearly erroneous." The Attorney General is also required to inform four congressional committees on a semi-annual basis of "acquisitions" made under the statute, including incidents of noncompliance.
The Protect America Act sunsets in six months, which has set the stage for the current debate in Congress and press over its reauthorization and the future role of FISA. Much of that debate has focused on whether telecommunications carriers that aided the Administration in its warrantless surveillance should receive retroactive as well as prospective immunity. But there are bigger issues at stake, especially with regard to the protection of individual privacy from government intrusion.
The most important by far is whether by the time the Bush Administration and Congress are finished with the law, there is going to be any legal oversight of domestic surveillance at all. In the USA PATRIOT Act, Congress already changed the requirement that to qualify for the lower standard of review under FISA, the collection of foreign intelligence must be only "a significant purpose," rather than the "primary purpose," of the surveillance. The Act also permitted greater sharing of information obtained from FISA warrants with criminal investigators, which was then further expanded by a decision by the Foreign Intelligence Surveillance Court of Review. Even before the Protect America Act, commentators worried whether the FISA process was in danger of becoming an end run around the requirements of ECPA and the Constitution for protecting U.S. persons from surveillance by their government.
But FISA itself increasingly appears in danger of being undermined, and even its minimal requirements avoided in the pursuit of unsupervised surveillance. The Administration initially ignored FISA in its operation of the TSP. Then, after initially pledging to comply with the law, the Administration backed away from that commitment, and then collaborated with Congress in enacting legislation that undermines its most basic principleâthe focus on foreign powers.
Simultaneously, the government has been moving away from FISA orders, which require judicial authorization, to other tools, such as National Security Letters, which do not. In 2005, the government reported seeking and obtaining 2,072 FISA orders, but issuing 9,254 NSLs. Then in March 2007, the Justice Department Inspector General reported that the FBI had underreported and in fact had issued at least 47,221 NSLs in 2005â22 times the number of FISA orders the government sought.
Recall that while domestic surveillance has been subject to statutory protection and judicial oversight, surveillance abroad has not. The NSA reports receiving more than 650 million foreign intelligence intercepts every day, all without any judicial or legislative oversight. The Protect America Act is focused solely on domestic surveillance; no additional legal authority is needed for foreign intelligence gathering conducted outside of the United States. Similarly, surveillance of foreign powers even within the United States is generally exempted from FISC authorization.
The only thing left for the Protect America Act to exempt is domestic surveillance of U.S. persons, which is precisely what it does. It permits domestic surveillance without recourse to a court, so long as the target of the surveillance is "reasonably believed to be" abroad. It eliminates the fundamental requirement of prior U.S. surveillance law that eavesdropping on U.S. persons requires compliances with ECPA (and obtaining an appropriate warrant issued by a court) unless the targets were agents of a foreign power, in which case compliance with FISA was required.
The Protect America Act is only the most recent in a series of dramatic moves over the past five years to weaken statutory and judicial oversight of domestic surveillance from the requirements of ECPA to those of FISA, and from FISA to the virtually unregulated regime of NSLs and foreign intelligence gathering outside of the United States. The challenge for Congress, and ultimately for the courts, is whether this trend will be allowed to continue and our privacy to be the next victim of the war on terror.
Fred H. Cate is a Distinguished Professor and director of the Center for Applied Cybersecurity Research at Indiana University, and a senior policy advisor to the Center for Information Policy Leadership at Hunton & Williams. He is a member of the National Academy of Sciences Committee on Technical and Privacy Dimensions of Information for Terrorism Prevention and Other National Goals, and reporter for the American Law Institute's project on Principles of the Law on Government Access to and Use of Personal Digital Information.