Analysis US Senators have told intelligence agency officials that they are unlikely to renew authorization to use Section 702 of the US Foreign Intelligence Surveillance Act (FISA) without setting stricter limits on how and when government snoops can wield its powers.

A key point of contention between the lawmakers and intelligence agencies is that the surveillance powers conferred by the Act - which are supposed to be used against foreign targets who pose a threat to the United States - are also used to allow warrantless snooping on US citizens' communications.

During a Senate Judiciary Committee hearing on Tuesday, representatives from the CIA, NSA, FBI and Justice Department repeatedly told lawmakers that Section 702 is a critical national security tool.

"The reauthorization of 702 is perhaps the single most consequential national security decision that this Congress will make," Matt Olsen, assistant attorney general for national security at the Justice Department, argued. "The stakes could not be higher."

Senators from both sides of politics, however, told Olsen and the other intelligence officials that they weren't happy with the continued reports of Section 702 abuse.

"I will only support the reauthorization of Section 702 if there are significant, significant reforms," Senate Judiciary chair Dick Durbin (D-IL) said. "And that means first and foremost, addressing the warrantless surveillance of Americans in violation of the Fourth Amendment" which protects against unreasonable searches and seizures by the government.

We don't want this to be used to get around a warrant requirement.

The committee's top Republican, South Carolina's senator Lindsey Graham, said threats to the US are increasing, and the country would be "much at risk" if Congress doesn't reauthorize Section 702. But even Graham acknowledged "it has been abused."

"There's a warrant requirement to investigate an American citizen for potential wrongdoing," Graham continued. "And we don't want this to be used to get around a warrant requirement. Bottom line is, let's reauthorize this program and build in some safeguards."

The Senate committee hearing "made clear that there's definite skepticism of 702 from both Republicans and Democrats, and it's clear that this program isn't being reauthorized without significant reforms," ACLU senior federal policy counsel Kia Hamadanchy told The Register. "And it's also clear that the administration hasn't really come to terms with the fact that their proposed reforms aren't going to be enough to satisfy Congress."

Wait, FISA allows spying on Americans?

As the name suggests, FISA - and specifically Section 702 - is supposed to be limited to surveillance of foreign communications. But the surveillance dragnet can, and often does, sweep up phone calls, texts and emails involving US citizens - who the suspect talked to, who their contact spoke to, and the next few links in the communications chain.

The FBI, CIA and NSA can search these communications without a warrant, and these messages can be - and have been - used to inform prosecutions.

Section 702 is set to expire at the end of the year unless Congress renews it. The first step toward any type of surveillance reform - which lawmakers and civil liberties groups alike have called for - was today's hearing.

During their opening statements, intelligence officials touted several new examples of how Section 702 has been used to mitigate threats against US citizens. The DoJ's Olsen said it helped prevent Chinese hackers from attacking a critical infrastructure company in the US.

"The FBI queried its Section 702 data with US person identifiers, and they found out that it was Chinese hackers who were behind the attack, and that they had compromised the network and they figured out how they did it," Olsen said. "It was this information that the FBI got from querying its data that allowed the FBI to alert the network operators and mitigate the cyber attack against a critical infrastructure company here in the United States."

In 2022, Section 702 data helped law enforcement identify an Iranian ransomware attack against an American nonprofit, to "mitigate the damage and recover the victim organization's data without resorting to ransom payments," NSA deputy director George Barnes said.

Information collected under Section 702 also led to the recovery of most of the ransom payment made to the Colonial Pipeline attackers in 2021, and has been "vital" in warning about North Korea's digital fraud efforts intended to generate revenue for the country's nuclear weapons program, Barnes claimed.

About those 278,000 cases of FBI abuse …

Those wins, however, were seemingly overshadowed by a newly unclassified court opinion that found the FBI misused Section 702 surveillance powers more than 278,000 times between 2020 and early 2021. Senate committee members repeatedly referenced this document - which detailed thousands of warrantless searches on Black Lives Matter protesters, January 6 rioters who stormed the Capitol, victims of crimes, and donors to a congressional campaign.

"Why should we ever trust the FBI and the DOJ again to police themselves under FISA, when they've shown us repeatedly, for more than a decade, that they cannot be trusted to do so," asked senator Mike Lee (R-UT).

To this end, FBI deputy director Paul Abbate announced new FISA "accountability procedures." These are in addition to the processes around Section 702 searches that the Bureau has been rolling out over the past 12 months - including mandatory query training, stronger approval requirements for "sensitive" queries, and requiring agents to "opt-in" if they wish to run a search against Section 702-acquired data.

Three strikes and you're out. Maybe

The accountability measures announced today included a "three strike policy for query compliance," Abbate told the Senate committee. It applies even to unintentional misuse, and establishes a "range of rapidly escalating consequences, and even stronger disciplinary action for those incidents deemed deliberate, reckless, or particularly egregious," Abbate said.

"Penalties, based on the facts, range up to dismissal from the agency."

Only one agent was fired as a result of the FBI's 278,000 instances of Section 702 FBI misuse.

No warrant, no deal

"This, and the other items the FBI touted at the hearing felt like when McDonald's started advertising how its chicken nuggets were now all chicken meat - it's not a very appetizing pitch, and really just makes you ask 'wait, you weren't even doing that before?'" said Jake Laperruque, deputy director of the Center for Democracy and Technology's (CDT) Security and Surveillance Project.

"Self-policing hasn't worked before," he told The Register. "The FBI promised sweeping new policies for last year and still had over 200,000 US person queries to pull up Americans' emails without a warrant, and an estimated 8,000 US person queries that were compliance violations. And it's not going to magically work now. The only way to actually solve the problem is to require a warrant and have independent oversight from courts."

Ahead of the hearing, a coalition of groups led by CDT called on Congress to enact surveillance reforms [PDF], including warrant requirements for spying on US citizens and better judicial oversight.

The Electronic Frontier Foundation was among the signatories, and EFF's director of federal affairs India McKinney said the Foreign Intelligence Surveillance Court's April 2022 opinion [PDF], released last month, is "a really big deal, and it's nice to see members on both sides of the aisle taking it appropriately seriously."

McKinney said she was encouraged by the bipartisan support for surveillance restrictions and increased transparency.

"We're still a long way from actually passing a bill, and I'd like to see legislative language sooner rather than later, but I thought a number of members of Congress were appropriately pissed off." ®

https://www.theregister.com//2023/06/14/us_section_702/