Championing Responsible National Security Policy

PATRIOT Act Morass: Gains and Stalled Reforms

(Illustration: Leslie Garvey/POGO)

Last week the House of Representatives passed the USA FREEDOM Reauthorization Act, which would extend three controversial provisions of the PATRIOT Act—a law that massively expanded national security surveillance following the September 11 attacks and has led to widespread violations of civil liberties—until December 1, 2023. With this bill, Congress is also poised to enact several major reforms, including ending an invasive program that allowed the government to collect potentially millions of Americans’ phone records. The legislation is on hold, as yesterday the Senate passed a short-term extension of the expiring provisions with the promise of taking up the bill in May, along with three pro-privacy amendments.

With this bill, Congress is poised to enact several major reforms.

As we prepare for the Senate to vote on amendments and the bill itself, we’ve put together an explainer on what exactly this legislation would do. The bill includes numerous reforms to national security surveillance, and while some of these measures signify real progress for privacy rights and oversight, others fall short or would do more harm than good.

Ending the Call Detail Records Program

Most significantly, the House bill terminates the authority for the highly invasive “call detail records” program, which allowed the government to collect, in one fell swoop, all phone records of a person—whom the government does not need to suspect of wrongdoing—as well as anyone the person spoke to. Ending the call detail records program would mark the first time in modern history that Congress has fully stripped a national security surveillance authority from the executive branch. In addition to infringing on Americans’ privacy rights, the program provided practically nothing of unique intelligence value, and has been fraught with technical problems. Given all these factors, ending the call detail records program authority was rightly thought of as low-hanging fruit, but it’s nevertheless a crucial reform.

Ending the call detail records program marks the first time in modern history that Congress has fully stripped a national security surveillance authority from the executive.

Created as a compromise measure when Congress banned bulk collection of call records in 2015, the call detail records program collected sensitive records from a huge number of people—likely millions—based on court orders that had targeted fewer than 100 people. Ending the legal authority for the program, contained in Section 215 of the PATRIOT Act, would be a huge victory for privacy rights. And this victory would finish the work begun with the USA FREEDOM Act in 2015, which prohibited nationwide bulk collection of sensitive records, but still allowed some overbroad collection of phone records with the call detail records program.

The House’s move to end the program is also a rebuke of the intelligence community’s claims that mass collection of call records—first with nationwide bulk collection, and then with the call detail records program—is essential for national security. By ending the program, Congress would show that it will not accept the government’s unfounded claims of necessity and secrecy, and will stop surveillance systems that improperly infringe on privacy rights.

Clear Warrant Protections (aka “The Carpenter Fix”)

In another key reform, the House bill establishes a clear rule for when a warrant is required in national security cases: If a warrant is required for collection of certain records in the domestic law enforcement context, it would now be required in the foreign intelligence context as well.

This reform addresses a question left open by the Supreme Court’s groundbreaking 2018 ruling in Carpenter v. United States, which held that cellphone location data can be so sensitive that, in the law enforcement context the government must obtain a warrant to collect it, even if that information is held by a third party, like a cell phone provider, or involves the person’s activities in public. The Carpenter ruling did not address whether this extends to the national security context, so the rule established by the bill would ensure there is a consistent standard, and prevent the government from using the PATRIOT Act to obtain cellphone location data that would otherwise require a warrant in criminal investigations.

If a warrant is required for collection of certain records in the domestic law enforcement context, it would now be required in the foreign intelligence context as well.

Additionally, because the protection in the bill is written to apply to any situations in which a warrant is required in the law enforcement context, it will likely expand as courts take the rationale of Carpenter—that sensitive data deserve a warrant protection even if they are held by a third-party or describe public activities—and establish warrant requirements as a new prerequisite for the government to obtain types of information, such as collecting individuals’ web browsing data.

However, there is one aspect in which this provision of the bill falls short: It fails to make clear that lower court rulings, and not just Supreme Court precedent, would trigger the warrant protection. If a district or circuit court rules that certain sensitive information requires a warrant, that ruling should prevent the federal government from using a Section 215 order in that court’s jurisdiction to circumvent the warrant requirement.

An especially valuable element of the bill’s warrant protection is that it explicitly states that the government needs a warrant to obtain cellsite and geolocation data, the types of data used for cellphone tracking. The Carpenter ruling set the warrant requirement to trigger when the government seeks seven or more days of tracking, and left protections for location tracking over shorter periods uncertain. In contrast, the bill sets a warrant rule for obtaining cellphone location data for any period of time. This reform was not in the bill before privacy advocates called for additional reforms.

This provision should also prompt Congress to pass comprehensive rules on cellphone location tracking. Ironically, there would be a much clearer warrant protection from cellphone location tracking in the national security context than in the criminal context, where there is still legal ambiguity for short-term electronic location tracking.

Establishing New Transparency Requirements

A final area where the House legislation takes substantial steps is increasing transparency for national security surveillance, especially in ways that will support an informed public debate going forward.

The bill would eliminate an exception that allowed the FBI to avoid reporting how often it queries warrantless communications surveillance databases—which store data obtained from Section 702 of the Foreign Intelligence Surveillance Act (FISA)—for U.S. persons’ communications. (A U.S. person is defined as “U.S. citizens or lawful permanent residents of the United States, as well as U.S. corporations and unincorporated associations where a substantial number of members are U.S. persons.”) Even though Section 702 can only be used to target non-U.S. persons abroad, the government can still deliberately seek out U.S. persons’ communications collected through this system (such as a U.S. citizen emailing a British citizen abroad), and can do so for reasons with no connection to national security or foreign intelligence. The false notion that Section 702 doesn’t impact Americans was a key reason reforms to the provision failed several years ago. Reporting how often the FBI is searching for U.S. persons’ communications collected from warrantless FISA surveillance will finally allow the public to know how much this ostensibly foreign-focused system actually impacts Americans.

The legislation also requires the Justice Department to explain how it interprets when evidence is “derived” from FISA surveillance. This is important because the government has previously circumvented legal requirements to notify defendants that they were subject to FISA surveillance by claiming that evidence wasn’t “derived” from that surveillance. Instead, the government launders the actual source of evidence through something known as parallel construction, which essentially means that the government creates an alternative explanation for how it acquired the evidence, to avoid disclosing the original means. Shedding light on how the government interprets “derived” will bolster efforts by civil liberties advocates to ensure that prosecutors are required to abide by a reasonable definition that protects defendants’ rights under the Constitution and federal law.

The bill also aids transparency by requiring the Privacy and Civil Liberties Oversight Board to report on the extent to which FISA surveillance is focused on First Amendment-protected activities, and the degree to which FISA surveillance disproportionately affects people of certain protected classes (based on race, ethnicity, religious affiliation, and national origin, among others). However, while increased transparency around potential problems in this area is important, there is no excuse for Congress to fail to enact stronger direct protections for First Amendment-protected activities. There are clear substantive protections the House could have enacted, but chose not to, as part of this reauthorization.

Improvements and Half-Measures for the FISA Court

The bill contains meaningful but limited reforms to FISA Court proceedings—a missed opportunity for Congress to take much-needed steps to increase accountability.

The bill contains marginal improvements for how the amicus curiae, or “friend of the court”—a role created by the USA FREEDOM Act to provide the court with added expertise, particularly on novel questions of law—conducts their work. These improvements address three main areas: the ability to request appellate review of the FISA Court’s decisions, the ability to access critical information, and the ability to participate in court deliberations that impact the First Amendment. But all of these measures fell short in key ways. There are still many more improvements that need to be made, some of which were present in the bill when it was introduced, but removed before the House voted on the bill.

It’s important for the public to hold the House accountable for the reforms it cut out at the last minute, and for neither the public nor Congress to treat concerns about accountability of FISA Court proceedings as “solved” by this legislation. The most important way the Senate can improve the FISA Court in this legislation is by empowering the amicus to a greater degree.

It’s important for the public to hold the House accountable for the reforms it cut out at the last minute.

An important reform that was removed from the bill would have allowed the amicus to directly petition the Foreign Intelligence Court of Review to examine a FISA Court ruling the amicus disagreed with. This is a commonsense measure. Currently, if the FISA Court sides with the amicus, the Justice Department can appeal to the review court, but the amicus does not have the same option if the FISA Court sides with the Justice Department. But instead, the final bill only permits the amicus to ask the FISA Court to submit a petition to the Foreign Intelligence Court of Review, requesting that it review the case on appeal. The effect is that the amicus essentially must ask FISA Court judges to facilitate an effort to get their own opinions overruled. The bill does require the judges to provide a written explanation (which will then become public) if they refuse the amicus’s request, which will hopefully limit bad-faith refusals of petitions for review. But there is no practical reason for the FISA Court to serve as a gatekeeper for petitions to the review court, which already has the authority to choose to accept or refuse cases.

In a positive, but too-limited step, the House bill also expands the amicus’s ability to participate in cases involving First Amendment-protected activities. The bill requires the amicus to be brought in for cases that present “exceptional” concerns to First Amendment-protected activities; in contrast, a previous version of the bill contained a broader provision that would have allowed the amicus to participate in cases involving “significant” concerns. While the final language is a positive expansion of the amicus’s role, it is indefensible to cut the amicus out of situations that present significant—but not necessarily exceptional—concerns to First Amendment-protected activities.

The bill provides some improved access to information for the amicus. It allows the amicus to request the FISA Court provide access to “any particular materials or information (or category of materials or information)” that are relevant to the amicus’s duties, which will aid the amicus in participating effectively in proceedings. And including “category of materials or information” is especially important to prevent a situation where the amicus wouldn’t know what materials to ask for without seeing what materials exist. It’s worth noting, though, that this provision was watered down from a previous version of the bill, which included a requirement for the FISA Court to disclose basic information, such as applications, certifications, petitions, and motions.

Given the recent concerns about the veracity of claims the government makes in FISA Court proceedings, it’s disappointing to see such limited reforms to the role of the amicus—particularly in the wake of the inspector general report on government misrepresentations of fact related to surveillance of former Trump campaign aide Carter Page. Experts have highlighted how the amicus should serve as a watchdog against this type of abuse, and a bill introduced by Republicans on the House Intelligence Committee included a thoughtful proposal to involve the amicus in surveillance applications targeting U.S. persons. (Several minor provisions of that bill were incorporated into the USA FREEDOM Reauthorization Act, but its expansion of the amicus role was not.)

Given the recent concerns about the veracity of claims the government makes in FISA Court proceedings, it’s disappointing to see such limited reforms.

But, apparently in response to pressure from Attorney General Bill Barr, reform efforts shifted away from strengthening the role of the amicus and instead centered on adding three reforms to the USA FREEDOM Reauthorization Act: Requiring the creation of transcripts of communications between the FISA Court and the government, requiring certifications from the Justice Department that it is providing relevant information to the FISA Court, and requiring the attorney general to review applications for FISA surveillance of elected federal officials and candidates in federal elections. The first is a valuable reform that may deter misconduct, though it is no substitute for the direct oversight a more empowered amicus would provide. The second essentially codifies existing procedural rules at the FISA Court, a welcome measure but not a new protection. The third is very limited in application, but also adds new concerns about the politicization of the FISA Court application process, especially in light of concerns that Barr has prioritized politics on important investigative matters.

Major Flaws: Problematic Provisions on Notice and Retention

The House bill contains two provisions that may do more harm than good, and present threats to civil rights and civil liberties.

First, the bill contains a weak provision on extending notice to defendants who were affected by Section 215 orders. The bill applies to evidence that was derived from this type of surveillance effort, but does not offer any definition of what “derived” means. So long as Congress leaves the Justice Department free rein on this issue, the executive will continue to frame “derived” in a narrow manner that makes it far too difficult for defendants to discover the impact of FISA surveillance on their case. Even more troublingly, the provision contains an exception that allows the government to withhold notice from defendants altogether if “providing notice to an aggrieved person would harm the national security of the United States.” The notion that basic rights such as notice can be overridden by prosecutors’ national security claims sets a dangerous precedent, and is directly at odds with constitutional principles of fairness and due process.

Second, the bill establishes a five-year retention limit for records collected using Section 215. This allows unnecessarily long retention of sensitive records, which is problematic because such retention extends the risk of both internal abuse and data breaches (something not even the National Security Agency is immune from), and fosters the “collect it all” mentality that has led to disastrous programs like nationwide bulk collection of Americans’ communications records.

This exception codifies a blank check for the FBI to indefinitely retain records collected using Section 215.

Even worse, the bill also includes sweeping exceptions that will likely undermine the rule, and undercut the small value that a five-year retention limit would provide. One exception allows permanent retention of encrypted information, which could allow the government to retain information even after an item is readable, simply because it was originally encrypted. Because encryption is now a common and innocuous personal security technique, this exception is ripe for overuse.

Most troublingly, the bill allows for ongoing retention whenever the director of the FBI certifies that certain categories of information are necessary for national security. In fact, the director need not cite specific records, but only needs to “generally” describe the “information to be retained.” This empowers the FBI director to make a certification based on a claim of necessity for national security without sufficient oversight—there’s no requirement for them to convince a court or Congress that the retention is necessary. Effectively, this exception codifies a blank check for the FBI to indefinitely retain records collected using Section 215.

How to Move Forward

While Americans deserve more robust checks on the government’s ability to spy on its citizens, we can be encouraged by the reforms in the House legislation. The USA FREEDOM Reauthorization Act contains several significant reforms that safeguard privacy and other constitutional rights, but it’s clear there are many more changes lawmakers should make going forward.

The most important action Congress can take in the near future is to pass amendments that strengthen the bill when the Senate votes on it in May. The three amendments the Senate will consider focus on strengthening the amicus, enhancing privacy protections for U.S. persons, and requiring a warrant for the government to track web browsing activities.

But even if the bill is improved, major problems with national security surveillance will remain. The three provisions of the PATRIOT Act that would be extended in this bill, as well as the warrantless surveillance provision of FISA (Section 702), are set to expire in 2023. Civil liberties supporters have a lot of work to do to before then to ensure Congress places meaningful safeguards on government surveillance. The new transparency requirements and reports set forth in the bill will help shape the public debate in the months and years to come.