A nation must think before it acts.
Websites, blogs, and newspapers were chattering last week when the Administrative Office of U.S. Courts (AOUSC), reporting on the activities of the Foreign Intelligence Surveillance Court (FISC) for calendar year 2017, revealed that the FISC had denied more foreign intelligence surveillance applications than in any other year since the court was created as part of the Foreign Intelligence Surveillance Act of 1978 (FISA).
Here is what the AOUSC numbers show for calendar year 2017:
While the raw numbers themselves provide insight into the aggregate workload of the FISC, standing alone they offer little analytic insight. Some additional clarity may be gained by juxtaposing the 2017 workload against the AOUSC’s FISC report card for calendar year 2016 (the last year of the Obama administration), but other factors must be considered before drawing any conclusions from the statistics themselves. For comparative purposes, here are the 2016 AOUSC statistics:[1]
Despite receiving more application and certification submissions in 2016 than in 2017, the AOUSC records reveal that the FISC’s total number of full “denials” increased from 9 to 26 between 2016 and 2017, and the number of “partial denials” increased from 26 to 50. This is the arithmetic that recently has raised eyebrows, but does this increase signify that the Trump Justice Department is more aggressively pursuing the use of intrusive national security authorities at the expense of privacy and civil liberties concerns? Perhaps, but it may be premature to draw such a politically or ideologically tinged conclusion without considering the methodologies used in compiling FISC data.
The reporting obligation to Congress fulfilled by the AOUSC last week was included as part of the USA Freedom Act[2] passed in June 2015, partly in reaction to the increased scrutiny drawn to the FISC accompanying the Edward Snowden disclosures. Consequently, there is a partial report from the AOUSC for 2015, and full-year reports only for calendar years 2016 and 2017.
A separate reporting requirement directed to the Department of Justice (DoJ) has existed in a different section of FISA since its passage in 1978.[3] The language of both reporting requirements, while not identical, essentially calls for disclosure of much of the same information as it relates to the work of the FISC: i.e., “the total number of applications made for orders and extensions of orders approving electronic surveillance” (language used in §1807(a)) compared to “the number of applications or certifications for orders submitted under [FISA’s electronic surveillance and other identified national security authorities]” (language used in §1873(a)); “the total number of such orders and extensions either granted, modified, or denied” (language found in §1807(a)); and “the number of such orders granted or modified or denied under each of the [identified national security authorities]” (language found in §1873(a)).
Despite these apparently similar reporting mandates, in the brief time since the AOUSC began reporting in 2015, the arithmetic has not always matched. For example, in 2016, the last year of the Obama administration, the DoJ reported “1,477 final applications to the Foreign Intelligence Surveillance Court for authority to conduct electronic surveillance and/or physical searches for foreign intelligence purposes.”[4] The DoJ stated that:
None of these filed final applications were withdrawn by the Government. The FISC did not deny any final filed applications in whole, or in part. The FISC made modifications to the proposed orders in 112 final filed applications.[5]
Conversely, the AOUSC’s report on the FISC for 2016 cited 1,485 applications submitted for authority to conduct electronic surveillance and/or physical searches for foreign intelligence purposes, but listed 26 of those applications as having been “Denied in Part,” and 8 as having been “Denied.”[6]
These eight “denials” seem to contradict the DoJ’s assertion that, for the same period covered by the AOUSC report, “[t]he FISC did not deny any final filed applications in whole, or in part.” However, the discrepancy is explained by the manner in which applications are categorized by these two disparate reporting sources. The FISC Rules of Procedure require that, except for emergency authorizations,[7] the government must file an application seeking authority for its proposed activity at least 7 days prior to the date it seeks to have the application entertained by the FISC.[8] This affords the FISC the opportunity to review the proposed application and inform the government of any concerns it has regarding its content and/or any modifications it proposes be made prior to submission of a “final” application. “Final” applications are intended to reflect the FISC’s inputs and may be filed up until 10:00 AM on the day the government requests that the FISC entertain the “final” application.[9]
At times, for reasons never publicly disclosed, the government elects not to proceed with an application that has been filed as a “proposed” application pursuant to FISC Rule of Procedure 9(a). These “proposed” applications that never become “final” applications are documented as “denials” in the AOUSC reports. Thus, for example, the 2016 AOUSC Report shows a total of 1,485 applications submitted for authority to conduct electronic surveillance and/or physical searches for foreign intelligence purposes, and lists 8 of those applications as having been “denied.”[10] Covering the same period of FISC activity, the DoJ annual FISA report shows 1,477 applications submitted for authority to conduct electronic surveillance and/or physical searches for foreign intelligence purposes, and states that “[t]he FISC did not deny any final filed applications in whole, or in part.”[11] This indicates that, at least to the DoJ, the decision not to proceed with a proposed application submitted under Rule 9(a) is not equivalent to a “denial” of the application. Both tabulations are correct, using their respective definitional constructs, but provide different measures of how many FISA applications are being “denied” by the FISC.[12]
Differing definitional approaches also produce a similar disparity with respect to how the DoJ and the AOUSC reflect “modifications” and “denials in part.” According to the AOUSC, dispositions where the FISC granted in part and denied in part the authorizations requested by the government by approving some targets, facilities, places, premises, property, or specific selection terms, but not others, are categorized as “partial denials.”[13] In 2016, the AOUSC counted 26 such “partial denials” of applications submitted for authority to conduct electronic surveillance and/or physical searches for foreign intelligence purposes.[14] Moreover, by including as “modifications” those changes made to “proposed” applications submitted pursuant to FISC Rule 9(a) (whether or not those “proposed” applications eventually are submitted as “final” applications), the AOUSC report reflects that a total of 310 orders were “modified” in 2016, along with the 26 that were “denied in part,” and the 8 identified as “denied.”[15]
Again, this seems to contradict the DoJ’s assertion that “[t]he FISC did not deny any final filed applications in whole, or in part.”[16] But, using its different definitions, the DoJ counts only “final” applications filed pursuant to FISC Rule 9(b) and, with this narrower view, only counts FISC modifications to those “final” applications. In this context, the DoJ reported that there were 112 such modifications in 2016.[17] Although not specifically stated in the DoJ report, the differing counts suggest that the DoJ considers only those FISC dispositions involving “final” applications and, where the FISC approves some targets, facilities, places, premises, property, or specific selection terms but not others in a “final” application, the DoJ characterizes this court action as a “modification” rather than a “partial denial.” The DoJ annual reports include no category that separately records what the AOUSC terms “partial denials.”
These two separate statutory reporting requirements for FISA were created by Congress using substantially similar language to specify what is to be reported but, perplexing as it may be, produced reports for 2016 FISC activity that show significant differences in the categorization of “denials,” “partial denials,” and “modifications.” The AOUSC report for 2016 activity shows 35 applications denied in whole or in part, while the corresponding DoJ report shows zero. And the AOUSC report shows nearly three times as many “modifications” as reported by the DoJ (310 versus 112). Thus, caution is needed before assigning substantive import to any of these statistical measures: apples must be compared to apples to allow for meaningful analysis.
It would be instructive to make these same comparisons using all available reports for the 2017 calendar year, but, at the time this article was written, neither the DoJ nor the Director of National Intelligence (DNI) had yet released its annual reporting on activities conducted pursuant to FISA for 2017.[18] Consequently, these other measures of FISC activity in 2017 are not yet available for comparison to the AOUSC report.
In reporting on the AOUSC disclosures, headlines announced, for example, “In Trump’s first year, FISA court denied record number of surveillance orders.”[19] True enough; but past experience suggests that the forthcoming numbers from the DoJ and the DNI will almost certainly be different, albeit without necessarily changing the reported conclusion that the “denials” constitute a “record” for the FISC. But, with the terminology employed by the AOUSC, it is impossible to know how many of the “record number” of denials apply to “proposed” applications submitted under FISC Rule 9(a) that, for whatever reason, the government elected not to pursue.
This distinction is significant, and perhaps materially so. By way of example, there is no reason for the government to pursue a “proposed” FISA surveillance application with respect to a foreigner who then leaves the United States since FISA no longer governs the surveillance; but the AOUSC would record the decision to forego submitting a “final” application as a “denial.” Similarly, a “proposed” FISA application targeting a U.S. person who leaves the United States might be granted, but, if initially filed while the U.S. person was in the United States, the initial “proposed” application would be identified by the AOUSC as a “denial” because the “final” application would be pursued under an entirely different FISA authority as categorized in the AOUSC report. Using another example, the government might initially file a “proposed” application that seeks authority to conduct both electronic surveillance and a physical search but, due to a change of circumstances, in the “final” application omit the request for physical search authority. Again, the categorizations used by the AOUSC to reflect the difference in content between the “proposed” and “final” applications likely would record the decision not to proceed with the request for a physical search as either a “denial” or a “partial denial” when, in reality, the FISC has not actually “denied” anything.
Intelligence activities often are conducted against a background of extremely fluid or volatile circumstances. Consequently, for the aforementioned and many other possible reasons, any number of permutations might produce “final” FISA applications that differ from the initial “proposed” applications, and the categorization of those differences in the corresponding AOUSC statistics will differ from those released by the DoJ and DNI. Thus, if past practice is a guide, the DoJ and DNI 2017 reports will supply numbers associated only with “final” applications that show considerably fewer “denials” than the AOUSC just reported for the same 2017 FISC activity.
Ironically, the same Zero Day commentator who last week announced the record number of FISC denials for 2017 greeted the release of the AOUSC report for 2016 in an article headlined “In Obama’s final year, US secret court denied record number of surveillance requests.”[20] This, too, was true, but also largely reflected the differing approaches to measuring and categorizing the FISC’s work that exist among the AOUSC, DoJ, and DNI reports.
What can be said about the 2016 numbers in all the reports collectively, and those now contained in the AOUSC’s 2017 report, is that they show a trend towards a more “active” FISC. Between FISA’s adoption in 1978 and 2002, the FISC approved more than 15,000 FISA applications without a single denial.[21] The DoJ first reported a “modification” of a FISA application by the FISC in the year 2001 (related to a calendar year 2000 FISC order), more than 20 years after FISA’s enactment. Only 11 denials are recorded in the entire history of the DoJ’s annual FISA reports from 1979 through 2016.
Those numbers have spiked in 2016 and 2017, at least according to the AOUSC, with 73 “partial denials” and 32 “denials” in those two years alone.[22] However, drawing definitive conclusions from these numbers is problematic because of the different approaches taken by the AOUSC and the DoJ in quantifying the FISC’s work. While there were more “partial denials” and “denials” recorded by the AOUSC in 2017 than in 2016, it is difficult to extrapolate meaningfully from this data because (1) the AOUSC categorizes FISC activity differently than either the DoJ or the DNI, and (2) there are only two full years of AOUSC reporting on the FISC’s activities. This latter point is particularly important given the differences used by the AOUSC and DoJ in categorizing those activities.
It may be that the AOUSC’s reporting is indicative of increased FISC scrutiny of a more aggressive use of national security authorities, but it is difficult to premise such a conclusion on numbers that may only reflect the way in which FISC dispositions are characterized by the AOUSC, as opposed to either DoJ and/or the DNI.
On the other hand, while the federal judiciary’s independence is intended to isolate it from partisan debate, FISC judges are unlikely to have been unaware of the criticisms of the FISC voiced during the recent debate over the reauthorization of the FISA Amendments Act or of recent legislative initiatives exploring alternative procedures for selecting FISC judges (those initiatives also being spawned by the notion that the FISC is not serving as an adequate buffer against excessive executive branch use of FISA authorities).[23] Whether viewed as an unacknowledged response to public criticism, or as a judicial reaction to the perceived congressional call for added judicial scrutiny of FISA applications, or as a recognition that the FISC’s work was going to be examined more carefully in light of the congressionally mandated release of FISC opinions, it is entirely plausible that the AOUSC numbers reflect a judicial intention to view requests for FISA authorizations with a stricter scrutiny than has been used historically. However, those hypotheses can only be validated by further examination of the forthcoming 2017 DoJ and DNI reports, as well as a more extensive body of AOUSC statistics.
[1] Edifying the terminology is helpful. “Orders Granted” include those orders sought by the government and approved without substantive modification. “Orders Modified” reflects those orders where a substantive modification was made to the application or certification as submitted by the government (e.g., imposition of a new reporting requirement or modifying the one proposed by the government; changing the description of the targeted person, facility or property that is the subject of the application or certification; modifying the minimization procedures proposed by the government; or shortening the duration of the intrusive authority requested). “Orders Denied in Part” reflects dispositions where the FISC granted some, but denied other, authorizations sought by the government with respect to targets, facilities, places, premises, property or specific selection terms. “Applications or Certifications Denied” include both applications or certifications (1) denied entirely by the FISC, or (2) withdrawn by the government after being advised that the FISC would not grant the requested authority.
[2] P.L. 114-23 (2015). The reporting requirement for the AOUSC is codified at 50 U.S.C. §1873(a)(1).
[3] 50 U.S.C. § 1807(a).
[4] Department of Justice annual report to Congress pursuant to 50 U.S.C. § 1807, dated April 28, 2017.
[5] Id.
[6] AOUSC annual report to Congress pursuant to 50 U.S.C. § 1873(a), dated April 20, 2017.
[7] Emergency authority is provided, for example, in 50 U.S.C. § 1805(e) (“traditional” electronic surveillance), §1824(e) (physical searches), §1843 (pen registers and trap & trace devices), §1881b(d) (electronic surveillance targeting U.S. persons outside the U.S. but collected in the U.S.), and §1881c(d)(electronic surveillance targeting U.S. persons outside the U.S. and collected outside the U.S.)
[8] FISC Rule of Procedure 9(a).
[9] FISC Rule of Procedure 9(b).
[10] AOUSC report to Congress pursuant to 50 U.S.C. § 1873(a), dated April 20, 2017.
[11] Department of Justice report to Congress pursuant to 50 U.S.C. § 1807, dated April 28, 2017.
[12] Separately, the Director of National Intelligence files an annual “Statistical Transparency Report Regarding the Use of National Security Authorities.” The 2016 report, dated April 2017, appears to use the DoJ method of counting; i.e., it counts only “final” applications entertained by the FISC without including “proposed” applications as to which the government elects not to proceed.
[13] AOUSC report to Congress pursuant to 50 U.S.C. § 1873(a), dated April 20, 2017. In the parlance of the AOUSC, these “partial denials” differ from “modifications” in that the FISC declines to approve one or more targets, facilities, places, premises, property, or specified selection terms for which the government requests surveillance or search authority. “Modifications,” on the other hand, are considered to result from the FISC’s (1) imposing a new reporting requirement, (2) changing the description or specification of a targeted person or facility subject to surveillance or search, (3) modifying the proposed minimization procedures, or (4) shortening the duration of some or all of the authorities requested. Id.
[14] Id.
[15] Id.
[16] Department of Justice report to Congress pursuant to 50 U.S.C. § 1807, dated April 28, 2017.
[17] Id.
[18] Past experience indicates a likely issuance date in May for the DoJ and DNI reports.
[19] Zack Whittaker, In Trump’s first year, FISA court denied record number of surveillance orders, Zero Day, April 25, 2018, available at https://www.zdnet.com.
[20] Zack Whittaker, In Obama’s final year, US secret court denied record number of surveillance requests, Zero Day, April 20, 2017, available at https:www.zdnet.com.
[21] See, Department of Justice annual reports to Congress pursuant to 50 U.S.C. § 1807 for the years 1979-2002.
[22] These numbers are limited to those applications seeking authority to conduct electronic surveillance and/or physical searches for foreign intelligence purposes. The AOUSC 2016 report also reflects a FISC denial of a request for authority to order the production of business records (18 U.S.C. § 1861), and the AOUSC 2017 report records FISC denials of both a request for authority to order the production of business records (18 U.S.C. § 1861) and a request for authority to use a pen register or trap and trace device (18 U.S.C. § 1842).
[23] See, e.g., Andrew Nolan and Richard N. Thompson II, Reform of the Foreign Intelligence Surveillance Courts: Procedural and Operational Changes, Congressional Research Service (August 26, 2014); Vivian S. Chu, Reform of the Foreign Intelligence Surveillance Court (FISC): Selection of Judges, Congressional Research Service (May 7, 2014); and Jared Cole and Andrew Nolan, Reform of the Foreign Intelligence Surveillance Courts: A Brief Overview, Congressional Research Service (March 31, 2014).