Home / Articles / FISA Renewal Controversy: The Suddenly Very Conspicuous Foreign Intelligence Surveillance Act
For quite some time now, it has been virtually impossible not to hear or read something about the Foreign Intelligence Surveillance Act (FISA), its use by the Federal Bureau of Investigation (FBI) to secure orders from the Foreign Intelligence Surveillance Court (FISC) authorizing the electronic surveillance of one-time Trump campaign advisor Carter Page, and the political fencing over whether the government’s Carter Page FISA applications misled the FISC by including unverified information drawn from the infamous Steele Dossier. I have written previously on these controversies, which have now spawned investigations both by the Inspector General of the Department of Justice and, as recently reported by The New York Times,a criminal inquiry specifically initiated by the Attorney General and now being conducted by John Durham, the U.S. Attorney for Connecticut. All of this has thrown a rare and unusually bright spotlight on FISA—the exclusive statutory authority that governs the manner by which the U.S. government conducts, executes, or acquires in the United States, for foreign intelligence purposes, electronic surveillance, physical searches, pen registers and trap and trace devices, and business records and other tangible things.
The fallout from the FBI’s now well-known Crossfire Hurricane covert counterintelligence investigation into Russian interference in the 2016 presidential election has been more than sufficient to draw FISA from the shadows where the government’s foreign intelligence collection authorities generally reside into stark public view. Adding to this spate of publicity is the recent release by the Director of National Intelligence (DNI) of the redacted opinions of both the FISC and the Foreign Intelligence Surveillance Court of Review (FISCR) declaring that the government’s 2018 certifications authorizing collection under FISA Section 702 were deficient because the FBI’s querying procedures failed to include “a technical procedure whereby a record is kept of each United States person query term used for a query.” Even in redacted form, the DNI’s release of these opinions generated the reaction typified by the Wall Street Journal’s headline: “FBI’s Use of Surveillance Database Violated Americans’ Privacy Rights, Court Found.”
There will be time enough for discourse on these multiple investigations and disclosures as events continue to unfold, but, for now, Congress must address the issue of reauthorizing three particular FISA provisions.
Before December 15, 2019, Congress must decide whether it will renew three distinct FISA authorities. While none of the provisions facing sunset on December 15 constitutes legislative authority for an entire collection program as was the case with the debate surrounding the reauthorization of FISA Section 702 in 2017, each of these provisions represents authority for other discrete components added to the FISA framework as part of the legislative response to the September 11, 2001 attacks. The three authorities are: (1) the “business records” provision (known variously as Section 215 of the USA Patriot Act of 2001 or FISA Section 501 and presently codified as 50 U.S.C. §1861); (2) the “roving wiretap” provision (also known as Section 206 of the USA Patriot Act of 2001 or FISA Section 105(c)(2)(B) and presently codified as 50 U.S.C. §1805(c)(2)(B)); and (3) the “lone wolf” amendment to the FISA definition of “agent of a foreign power” (added by Section 6001 of the Intelligence Reform and Terrorism Prevention Act of 2004 and presently codified as FISA Section 101(b)(1)(C), or simply 50 U.S.C. §1801(b)(1)(C)).
What follows is a discussion of the current surveillance authority embodied in each of these provisions and what one might expect as the reauthorization process proceeds in Congress.
FISA’s Business Records Authority
Section 215 of the USA Patriot Act broadened the authority of federal officials to pursue materials in connection with (1) a foreign intelligence investigation that is not concerning a U.S. Person, (2) an investigation to protect against international terrorism, or (3) an investigation to protect against clandestine intelligence activities. As currently written, the provision authorizes the FISC to order third parties to produce specific “tangible things (including books, records, papers, documents, and other items)” where the government (almost always the FBI in the case of this particular FISA authority) satisfies these statutory prerequisites.
Section 215 expanded the scope of materials available to the government from that prescribed in the 1998 FISA amendment where Congress had first amended FISA to include the authority to acquire “business records.” The 1998 version permitted acquisition from only four specific records sources: common carriers, public accommodation facilities, storage facilities, and vehicle rental facilities. Through Section 215, Congress made “tangible things” available from any source so long as the FISC is satisfied that the other criteria required by the business records provision are satisfied.
To employ FISA’s business records feature, the application submitted to the FISC must identify a “specific selection term” (SST) “to be used as the basis for production of the tangible things sought.” An “SST” must establish an individualized association with particularity, such as a personal account, address, or device while avoiding identifiers while “limit[ing], to the greatest extent reasonably practicable, the scope of tangible things sought consistent with the purpose for seeking the tangible things.”
A business records application also must provide a statement of facts sufficient to show “reasonable grounds” to believe that the “tangible things” requested are relevant to the statutorily authorized form of investigation. Prior to the enactment of Section 215, the FISA business records authority required that an applicant have “specific and articulable facts giving reason to believe that the person to whom the records pertain is a foreign power or an agent of a foreign power.” Section 215 generously modified this typically FISA-like standard to simply require a “statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to a [foreign intelligence, international terrorism, or espionage investigation.]” Moreover, Section 215 further relaxes the standard by providing that the requested tangible things are presumptively relevant if they pertain to an authorized foreign intelligence investigation into international terrorism or clandestine intelligence activities and the requested business records or tangible things pertain to “a foreign power or an agent of a foreign power,” to “the activities of a suspected agent of a foreign power who is the subject of an authorized investigation,” or “an individual in contact with, or known to, a suspected agent of a foreign power.”
These basic features of a § 1861 (i.e., Section 215) request for business records or tangible things have proven relatively uncontroversial, and their renewal would likely have generated minimal attention but for the public disclosure by Edward Snowden that the FISC had relied on this statutory provision to approve government applications ordering communications service providers to furnish records of telephone metadata in bulk under the theory that a comprehensive compilation of such metadata could, collectively, be “relevant” to a terrorism investigation since that compilation might then be queried for “contact-chains” initiated by the government’s acquisition of a terrorism-related phone number.
Responding to the controversy generated by the disclosure of this scope of metadata production, Congress intervened in 2015 and passed the USA Freedom Act, which eliminated bulk collection of metadata in favor of a more limited ability to pursue “contact-chain” analysis through acquisition of “call detail records” (CDRs) from the repositories of telecommunications providers. In its current iteration, Section 215 now permits the government to request production of call-detail records (CDRs) on a daily basis when the government: (1) shows that the CDRs are sought in connection with an international terrorism investigation; and (2) presents the FISC with facts establishing “a reasonable, articulable suspicion” that a particular SST identified in the application is associated with a foreign power (or agent thereof) who is engaged in international terrorism. When these criteria are satisfied, the FISC can issue a production order for CDRs that authorizes daily production of those CDRs for 180 days “in a form that will be useful to the [g]overnment.” Moreover, in a diluted echo of its earlier incarnation, the revised CDR process implemented by the USA Freedom Act specifies that the government also may obtain a second set of CDRs using “session-identifying information or a telephone calling card number” identified through use of the initial SST. This latter feature is often described as contact “hopping” with the original SST being the “seed” and the additional records then generated by the “hop” from the SST. A key feature of the USA Freedom Act was limiting the government to two “hops” of contact data (the CDRs produced as responsive to the initial SST, and the second set of CDRs representing contact with the first set of CDRs). Third, and finally, as is consistently true regarding all FISA authorities, a government application under the business records provision must specify to the FISC the minimization procedures to be used that will, in the words of FISA’s definition of minimization procedures, “minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.”
In the event that Congress fails to reauthorize the current form of 50 U.S.C. § 1861, the statutory language for this particular authority will revert to the status quo as it existed on October 25, 2001 (immediately prior to passage of the USA Patriot Act). The effect of this “sunset” would be to circumscribe the “business records” to its much narrower, pre-October 2001 scope. In practical terms, this would restrict the FISC to authorizing production of records only from a that limited group of entities (e.g., common carriers, public accommodation facilities, storage facilities, or vehicle rental facilities) specified in the initial 1998 FISA amendment in marked contrast to the current statutory language, which imposes no limit on the type of entity holding the information. Further, the government previously was obliged to limit its requests to situations where the information sought directly concerned the investigative target while the current language supplies both a more relaxed production standard and imposes no mandate that the records actually pertain to a specified target.
There are several points of potential friction in the developing debate on the renewal of the Section 215 business records provision, especially with respect to the CDR component of this authority. Congress is likely to have pointed questions about the June 2018 revelation by the National Security Agency (NSA) that various telecommunication companies providing CDRs under the USA Freedom Act model turned out to be providing more CDRs than were authorized by the FISC order. When NSA found that it was not technically feasible to correct the overproduction by segregating the improperly produced CDRs, it took the extraordinary minimization step of deleting all the CDRs that it had acquired under the post-USA Freedom Act authority enacted in 2015. This led many critics, and even commentators generally favorable to existing FISA authorities, to question the utility and, ultimately, the necessity of the entire CDR program. In April 2019, the Wall Street Journal reported that NSA’s experience had led the Agency to recommend that the White House abandon the CDR program. Still, in what many commentators regarded as an entirely tone-deaf action, the Trump administration requested, in an August 2019 letter to Congress, not only that Congress renew the entire CDR program, but that it do so permanently—even as the administration simultaneously acknowledged that the program has been indefinitely suspended.
At a hearing held by the House Judiciary Committee on September 18, 2019, several Committee members displayed a visible hostility to the CDR provisions—closely questioning the NSA witness, Susan Morgan, who, in response to probing by House Judiciary Chairman Jerry Nadler, was unable to identify any specific instance where CDRs had made a concrete difference in the outcome of a counterterrorism investigation. Morgan insisted that Nadler’s question presupposed an insufficient metric for evaluating the CDR program while noting that, as an intelligence professional, she sought to maintain every tool available for later use. In Morgan’s defense, Nadler’s question incorporated all the problems attendant to proving a negative; i.e., articulating a coherent presentation of how the CDR provision affected the outcome of an event that did not happen (if Morgan had responded affirmatively, any discussion of a specific counterterrorism investigation and the sources and methods used in that investigation would almost certainly not have occurred in an open hearing). Still, her testimony seemed unlikely to sway any legislator troubled by either the existence, or use, of the CDR program as currently constituted, and none of the legislators at the House Judiciary Committee’s September 2019 hearing showed any appetite for a permanent reauthorization.
While this September 2019 Judiciary Committee hearing represents an opening act in the renewal debate, it seems safe to posit that the CDR component of the FISA business records provision is on tenuous footing, particularly in the House, with virtually no likelihood that it will be renewed permanently as sought by the Trump administration. As for the remainder of the FISA business records authority, no consensus has emerged suggesting that the current statutory construct will be materially altered.
FISA’s Roving Wiretap Authority
Another surveillance authority furnished by the USA Patriot Act, Section 206 amended FISA to permit multipoint, or “roving,” wiretaps by adding flexibility to the degree of specificity with which the location or facility subject to electronic surveillance under FISA must be identified. It is often colloquially described as allowing FISA wiretaps to target “persons” rather than “places.” As Brad Wiegmann, a deputy assistant attorney general in the Justice Department’s National Security Division, testified at the September 2019 House Judiciary Committee hearing, FISA’s “roving wiretap” provision allows the government to respond quickly to targets trying to thwart electronic surveillance by, for example, by repeatedly switching their cell phones.
Thus, in approving a typical FISA surveillance application, the FISC would issue one order to the government and a separate supplemental order to a third party (such as a telecommunications provider) instructing that third party to provide such information, facilities, and technical assistance as was required to accomplish the surveillance. In situations where the target acted to evade the surveillance, however, the statute previously required the government to engage in the cumbersome process of returning to the FISC with a new application solely to secure a new set of orders to insure obtaining the third-party cooperation and assistance necessary to continue the surveillance.
Actions taken by a target to elude surveillance were problematic given that conducting electronic surveillance generally requires the assistance of telecommunications providers, landlords, or other third parties, and telecommunications providers are generally prohibited from assisting in electronic surveillance for foreign intelligence purposes except as authorized by FISA. In cases where the location or facility to be surveilled was initially unknown, the identity of the person or provider needed to assist in effectuating the government’s surveillance could not be specified in the order, effectively limiting the reach of FISA surveillance to known and identifiable locations.
Section 206 of the USA Patriot Act sought to remedy this conundrum by amending FISA Section105(c)(2)(B) to authorize FISA orders to direct “other persons” to assist with electronic surveillance if “the Court finds, based on specific facts provided in the application, that the actions of the target . . . may have the effect of thwarting the identification of a specified person.” Then, in a technical amendment passed later in 2001, the requirement that the order specify the location of the surveillance was also changed so that this requirement only applies if the facilities or places are known.
These modifications have the effect of permitting FISA orders to direct unidentified individuals to assist the government in performing electronic surveillance, thus permitting court orders to authorize surveillance of places or locations that are unknown at the time the order is issued. Later amendments required that the FISC be notified within 10 days after “surveillance begins to be directed at any new facility or place.” Additionally, the FISC must be told the nature and location of each new facility or place, the facts and circumstances relied upon to justify the new surveillance, a statement of any proposed minimization procedures that differ from those contained in the original application or order, and the total number of facilities or places subject to surveillance under the authority of the existing FISC order.
The Fourth Amendment imposes specific requirements upon the issuance of warrants authorizing searches of “persons, houses, papers, and effects.” One of those mandates, referred to as the “particularity” requirement, states that warrants shall “particularly describ[e] the place to be searched.” Under FISA as amended by Section 206 of the USA Patriot Act, roving wiretaps are not required to identify the location that may be subject to surveillance, raising the question of whether roving wiretaps comport with the particularity requirement of the Fourth Amendment. This constitutional debate has been a point of contention between supporters and opponents since the roving wiretap was added to the arsenal of FISA surveillance authorities in 2001.
That debate is likely to resurface in the reauthorization hearings considering the renewal of FISA’s roving wiretap. Proponents of renewing the authority point to the fact that a similar roving wiretap authority has been part of Title III’s law enforcement surveillance structure since 1986 and, while that analogy is facially attractive, there are three significant differences between the FISA authority and the Title III provisions. First, a roving wiretap under Title III must definitively identify the target of the surveillance while a roving surveillance under FISA need only identify the target if the target’s identity is known. Thus, FISA permits roving surveillance pursuant to court orders issued on the basis of applications that provide only a specific description, but not necessarily the identity, of the surveillance target. Second, some (but not all) roving surveillances in criminal cases are subject to an “ascertainment” requirement mandating that surveillance cannot begin at any particular location or facility until the target’s presence at the location, or use of the facility, is determined or “ascertained.” FISA contains no similar requirement arguably leading to the possibility that a FISC surveillance order might be issued without either the target or the facility identified in that order—an anomalous result that critics insist cannot be squared with the Fourth Amendment. Last, Title III requires that the surveilled individuals be notified of the surveillance, generally 90 days after surveillance terminates; FISA contains no similar notification provision.
Notwithstanding these distinctions and the potential Fourth Amendment quandaries they raise, none of the arguments against FISA’s roving wiretap authority are “novel” in the context of this 2019 reauthorization debate. There was no indication at the September House Judiciary Committee hearing that any Committee member was entertaining any particular concern about reauthorizing the FISA roving wiretap authority, and, given that the FISCR has recognized that there is a foreign intelligence exception to the Fourth Amendment warrant requirement, which would arguably subject any FISA roving wiretap solely to the Fourth Amendment’s “reasonableness” standard, it seems unlikely that reauthorization of this FISA provision will encounter significant opposition.
FISA’s “Lone Wolf” Authority
Commonly referred to as FISA’s “lone wolf” provision, Section 6001(a) of the Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004 simplified the evidentiary standard used to determine whether an individual, other than a U.S. person (as defined in FISA), who engages in international terrorism may be the target of a FISA court order. It does not modify other standards contained in FISA that bear upon the secondary question of whether electronic surveillance or a physical search of the target of a court order is justified in a specific situation.
The historical impetus for the “lone wolf” provision involved Zacarias Moussaoui, alleged at one time to be the 20th hijacker in the September 11 attacks. During the examination of the events leading up to the attacks, it was reported that the investigation regarding Moussaoui’s involvement was hampered by limitations in FISA authorities. Although critics have argued subsequently that nothing in, or missing from, the language of FISA at the time hampered the investigation of Moussaoui so as to require any sort of legislative “fix,” Congress responded in IRTPA by providing that persons, other than U.S. persons, engaged in international terrorism are presumptively considered to be agents of a foreign power. The amendment obviates any need for an application seeking surveillance authority and relying on the “lone wolf” provision to provide an evidentiary connection between an individual and a foreign government or terrorist group.
Practically speaking, a congressional decision to allow the “lone wolf” feature of FISA to lapse means that, in future cases involving non-U.S. persons suspected of involvement in international terrorism, the government will be required to use the “traditional” Title I probable cause standard and show the “target” is acting on behalf of a particular entity (i.e., a foreign power as defined in FISA) engaged in international terrorism.
This would represent a questionable exercise of congressional judgment. Much like the disappearance of the bipolar world order after the collapse of the Soviet Union, the evolution of international terrorism has produced a less hierarchical command and control structure among international terrorists. The emerging trend demonstrated in more recent terrorist episodes of actions based more on inspiration and individual radicalization than on organizational direction and control suggests that reverting to a statutory construct requiring an established connection to an international terrorist organization that meets the FISA definition of a “foreign power” is both practically and conceptually unsound. As any counterterrorism expert would surely confirm, a non-U.S. Person radicalized by the philosophies espoused and promoted by international terrorists but lacking sufficient contacts to support the probable cause determination of acting “on behalf of a foreign power” as required before Section 601 was added by IRTPA poses every bit as much a foreign intelligence concern as a self-declared adherent of al-Qaeda or ISIL.
The Prospects for Congressional Reauthorization
As the calendar turns to November, and the sunset date (December 15, 2019) for these FISA authorities draws closer, present circumstances suggest that the roving wiretap and lone wolf provisions will have little opposition to congressional reauthorization. At the House Judiciary Committee hearing in September 2019, there was no particular probing of the roving wiretap authority and the only committee member to address the lone wolf provision did so in the context of asking whether the provision could be used to combat domestic terrorism—something it is definitionally unable to do since its specific descriptive scope includes only those who “engage[s] in international terrorism or activities in preparation wherefore.” While less controversial than FISA’s Section 215 business records authority and its CDR component, the roving wiretap and lone wolf provisions carry their own importance in the toolbox of national security authorities. Each provision, however, stretches (unnecessarily in the view of critics) the constitutional boundaries imposed by the Fourth Amendment, and it remains possible that those constitutional concerns may still surface as the reauthorization debate proceeds. Nonetheless, if the September 2019 House Judiciary Committee hearing offers any insight, there is no significant opposition to the congressional renewal of either of these FISA authorities.
For all the reasons elaborated upon earlier, the business records (Section 215) authority, and particularly the CDR feature of that authority, face a more difficult path towards renewal. Additionally, in the case of all three FISA authorities, reauthorization will likely include a new “sunset” date as there appears no particular appetite, especially in the House, for the permanent reauthorization sought by the Trump administration of any of these provisions.
Stay tuned because, for now, the 2019 reauthorization debate is only one act in an ongoing drama that has brought unprecedented attention to the Foreign Intelligence Surveillance Act.
 Katie Benner and Adam Goldman, Justice Dept. is Said to Open Criminal Inquiry into Its Own Russia Investigation, The New York Times, October 24, 2019. According to a Justice Department statement announcing the inquiry, Durham is charged with “exploring the extent to which a number of countries, including Ukraine, played a role in the counterintelligence investigation directed at the Trump campaign during the 2016 election.” Tessa Berenson, Meet John Durham, The Man Tasked with ‘Investigating the Investigators,’ Time, October 4, 2019.
 The congressional reauthorization of FISA Section 702 in the FISA Amendments Reauthorization Act of 2017 includes a requirement that the Attorney General and the Director of National Intelligence develop procedures (i.e., querying procedures) governing the querying of the Section 702 database of acquired unminimized communications. That requirement includes a specific direction that these querying procedures “include a technical procedure whereby a record is kept of each United States person query term used for a query.” 50 U.S.C. § 1881a(f)(1)(B). I discuss the FISA Amendments Reauthorization Act of 2017 in greater detail in Terrorists: America is Still Listening, FPRI E-Notes, January 22, 2018, https://www.fpri.org/article/2018/01/terrorists-america-still-listening-section-702-alive-well/.
 50 U.S.C. § 1861(a)(1). An investigation to protect against international terrorism or clandestine intelligence activities and involving a U.S. Person may not be “conducted solely upon the basis of activities protected by the first amendment to the Constitution.” Id.
 The USA Patriot Act’s 2004 expansion of the business records provision of FISA precipitated particularly strong opposition from the library community representing, perhaps, a vestige of that community’s discomfort with the government’s pursuit of information on suspected Communists during the 1950s. In response to this opposition, Congress passed a modification to the Patriot Act in 2005 (the “USA Patriot Improvement and Reauthorization Act of 2005”) that requires approval by a designated senior-level FBI official where the “tangible things” sought are “library circulation records, library patron lists, book sales records, book customer lists, firearms sales records, tax return records, educational records, or medical records containing information that would identify a person.” See 50 U.S.C. § 1861(a)(3).
 50 U.S.C. § 1861(k)(4)(A)(i)(II). This statutory language precludes the use of broad identifiers like zip codes, area codes, geographic regions, and telecommunications providers that are more likely to return “tangible things” indiscriminately without relevance to the purpose of the investigation. Those SST exclusions are specifically identified in the statute. See id. at 50 U.S.C. § 1861(k)(4)(A)(ii)(I) and (II).
 FISA § 1861(k)(3) now defines “call detail records” as “session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and (B) does not include—(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication; (ii) the name, address, or financial information of a subscriber or customer; or (iii) cell site location or global positioning system information.” Functionally, this definition also describes the telephone metadata collected in bulk prior to the USA Freedom Act.
 Charlie Savage, Trump Administration Asks Congress to Reauthorize N.S.A.’s Deactivated Call Records Program, The New York Times, August 15, 2019, https://www.nytimes.com/2019/08/15/us/politics/trump-nsa-call-records-program.html.
 By way of example, compare FISA’s requirement for establishing a U.S. Person as an agent of a foreign power by “knowingly engag[ing] in sabotage or international terrorism, or activities in preparation therefor, for or on behalf of a foreign power.” (emphasis added). 50 U.S.C. § 1801(b)(2)(C).