July 26, 2006
Testimony of Mary B. DeRosa
Senior Fellow, Center for Strategic and International Studies
Committee on the Judiciary, United States Senate
July 26, 2006
Mr. Chairman, Senator Leahy, and members of the Committee, thank you for the opportunity to testify on the subject of the Foreign Intelligence Surveillance Act (FISA) in the 21st Century.
I am a Senior Fellow at the Center for Strategic and International Studies (CSIS). Before coming to CSIS, I was the Legal Adviser at the National Security Council and, earlier, I was a lawyer in the General Counsel's office of the Department of Defense. Through both of those experiences I came to appreciate not only the great value of electronic surveillance for national security, but also the need for flexible tools and authorities for conducting surveillance. Particularly with the threat from terrorists who operate all over the world, including within our borders, national security professionals must be able to act nimbly and to leverage the most advanced technological tools to collect intelligence.
Electronic surveillance - intercepting people's private communications - is also one of the most invasive tools that the government can use. When the government conducts this surveillance within our borders it must be done in a manner that protects civil liberties and, critically, in a way that the public accepts as legitimate. The experts in the Executive Branch and Congress who crafted FISA in the late 1970s concluded that the critical mechanism for ensuring public acceptance of national security electronic surveillance at home was to create a process that ensured careful court oversight of surveillance decisions, and to make that process exclusive. That was an extraordinarily wise judgment. The government can act most effectively to protect national security when it has all of us behind it in this critical task; this is harder if it is lurching from controversy to controversy, trying to explain and defend its actions. Court oversight of surveillance decisions enhances public trust and it must remain at the core of any discussion of FISA in the 21st Century.
I have two other observations before discussing in greater detail some possible updates to FISA and existing legislative proposals. First, FISA is actually more flexible than many people give it credit for. It is certainly not a model of clarity - its language is dense almost to the point of being unreadable (an area where improvement would be welcome, as I will discuss). But those who have interpreted and applied FISA through the years know it has been flexible enough to adapt to many changes in technology and threat. In addition, the showing required to receive a surveillance order - probable cause that a person is an agent of a foreign power or terrorist group - is not particularly rigorous and a number of tools exist - pen registers, trap and trace devices, and National Security Letters, for example - that permit those seeking a warrant to develop the evidence they need to meet the probable cause requirement. The FBI has not found itself "paralyzed" in attempting to pursue possible connections to terrorism, as some have suggested. Many of the hurdles that national security professionals do encounter in seeking FISA warrants are due to burdensome administration, misunderstanding, or conflicting interpretations of the law. This is a problem, surely, and FISA is far from perfect, but it is important to clear away the hyperbole and misunderstanding and look at what truly needs fixing.
A related observation is that to make informed revisions to FISA, Congress must hear from the Executive Branch about the ways in which FISA is inadequate or overly burdensome. Congress can not be expected to guess at what about FISA is broken; the consequences of making a mistake are too high. Certainly with an issue this important Congress can not be expected simply to accept the Executive Branch's proposals for change, without an explanation of why they are needed. Congress must be able to evaluate itself the need for change and to balance competing priorities.
With the remainder of my testimony I will first discuss some ways in which FISA might be improved. Finally, I will comment specifically on some aspects of the current draft of S.2453, which the Chairman has introduced in this Committee.
I discuss here a number of potential areas for improvement to FISA. For some of these areas, there is sufficient information already from the Executive Branch about the problems that exist to craft informed legislation. For others, more information from the Executive Branch would be necessary before any useful legislation is possible.
Streamline FISA Procedures
The most consistent complaint about FISA from those who must use it is that the administrative requirements for seeking a warrant make the process unduly difficult and time-consuming. People speak of burdensome paperwork and significant delays in the Justice Department approval process. Applications can be put on a fast track if they are urgent, but this is an ad hoc and unsatisfactory process. In addition, FISA's emergency provision permits the conduct of surveillance for 72 hours before seeking a warrant, but procedures within the Executive Branch for exercising this option are also burdensome. In any event, it is bad governance at best if the government must invoke an emergency procedure because its own bureaucracy is too stifling.
It is not clear that these bureaucratic problems are due to the language of FISA itself; many can be attributed to Executive Branch procedures that have developed over time. The Executive Branch has the responsibility to improve its own procedures if it finds them to be an impediment to national security. But in this case, where there is plenty of evidence of a problem, Congress can and should act to improve the situation.
Several pieces of proposed legislation would address this problem. S.3001, introduced in this Committee, would streamline the approval process by, among other things, requiring development of a secure electronic system for submitting and approving applications, and authorizes adding personnel at the Justice Department Office of Intelligence Policy and Review (OIPR), the office responsible for shepherding the FISA approval process. The draft legislation also would add flexibility to FISA's emergency procedures. In the House, H.R.5371, the LISTEN Act, would also authorize increased resources to process FISA applications to ensure more timely and efficient processing. Of the provisions in these drafts, the requirement to develop a secure electronic system for submitting applications is the most promising because it would force the Executive Branch to refine and modernize its approval process. By all accounts the current process needs thorough reform, not just more resources.
Reaffirm FISA's Exclusivity
National security surveillance decisions must receive disciplined, transparent oversight from a court. Public acceptance of domestic electronic surveillance requires clarity about the manner in which that surveillance is authorized and overseen. Oversight by the judicial branch, although not always easy, is a critical check on the Executive Branch when it employs such an intrusive tool. The language and legislative history of FISA leave no doubt that it was intended to be the exclusive avenue for conducting national security electronic surveillance of domestic communications (that is, at least one party is located within the United States). The Bush Administration's conduct and legal defense of the controversial NSA surveillance program - which targets communications in which one party is located in the United States - has challenged that exclusivity. The Administration concedes that the program involves communications that FISA's terms cover, but says it may proceed outside of the FISA scheme because of the President's authority as Commander in Chief. If Congress does not act to reaffirm FISA's exclusivity, there is a danger that this and later administrations will assert that Congress has acquiesced in the Administration's legal theory. There might then be many surveillance programs that do not receive oversight by the Foreign Intelligence Surveillance Court (FISC) or any other court.
To say judicial oversight is critical does not mean that the Executive Branch and its employees are untrustworthy. In fact, the people carrying out national security electronic surveillance, on the whole, care a great deal about protecting privacy and have absolutely no interest in violating civil liberties. The problem is human nature: because protecting national security is potentially in tension with protecting individual liberties, it is unrealistic to ask one person to balance both goals and check their own behavior. The national security agencies and their employees are charged with protecting the United States from harm. When faced with a decision about whether to take a step that invades liberties they will not always be able to judge whether it is the only way or the best way to address a problem - or whether it is simply the easiest way. If they fear that failure to take action might cause people to die, their instinct will be to push as far as they can push. We want them to have this instinct, but when it comes to something as intrusive as electronic surveillance, we also need someone else to balance other interests and draw clear lines. With national security electronic surveillance, FISA provides those lines, and FISC oversight enforces them. If there are no lines and there is no FISC oversight, the instinct of national security employees to push to the line in order to protect becomes a threat to our nation, rather than the comfort that it should be.
That is the reason FISA's drafters determined that its mechanism, including oversight by the FISC, should be the exclusive route for the exercise of the President's authority to conduct electronic surveillance. Congress has this power. The President has authority in the national security area to conduct electronic surveillance without a criminal warrant, but that authority is not exclusive. Congress has constitutional authorities in the national security area and it may pass laws that regulate the exercise of the President's powers. Congress did this with FISA - it permitted the President to exercise his authority, but provided the exclusive mechanism for him to use. In the face of the Bush Administration's legal arguments, Congress should reaffirm that the FISA scheme is exclusive so there can be no question that the carefully constructed oversight scheme is the only route available for electronic surveillance programs that FISA, by its terms, covers.
Some proposed legislation would reaffirm FISA's exclusivity. S.3001 and the LISTEN Act (H.R.5371) reiterate the exclusivity provisions of FISA. S.3001 also would prohibit the use of funds for electronic surveillance except in accordance with FISA or the criminal wiretap provisions. As I will discuss in greater detail later, S.2453, in its most recent form, would move in the opposite direction; it not only fails to reaffirm exclusivity, but in fact explicitly rejects it.
Clarify Certain FISA Provisions
As I have mentioned, FISA is a very dense and often confusing piece of legislation. Clarifying some aspects of the law would be helpful to the Executive Branch in carrying out its responsibilities. For example, there appears to be some confusion about whether a communication that is entirely foreign - that is, made between parties all of whom are located overseas - may still become subject to FISA's requirements if it passes through a communications node located in the United States. It is my understanding that intercepting this type of communication would not be "electronic surveillance" subject to FISA's provisions because it does not involve targeting a communication to or from at least one person who is located in the United States. If there is confusion about this point that causes the Executive Branch difficulty in carrying out its surveillance activities, the legislation should be clarified.
Similarly, FISA could be clearer about the treatment of "metadata." There is an important difference in the degree of intrusiveness between interception of the actual content - spoken or written words - of a communication and interception of the "metadata" or descriptive information about that communication. Metadata might include information like identity or location of the parties and the time and duration of the call. Most laws reflect the difference in intrusiveness by placing less stringent controls on government access to metadata. Treatment of metadata under FISA, however, is somewhat confused. FISA contains sections on the use of "pen registers" and "trap and trace" devices - which collect "to" and "from" information about communications - that permits use of these tools with fewer controls than the collection of content. FISA's definition of "contents" of a communication, however, includes not only the "substance, purport, or meaning" but also the "identity of the parties to" or "the existence" of that communication. These latter categories are usually considered metadata, not content. This definition could be read to apply to a fairly broad range of metadata - even information like a phone number can be used to identify a party. Metadata about communications can have very significant intelligence value and is becoming increasingly important with the growing sophistication of tools to analyze communications "traffic." FISA should be as clear as possible about the distinction between content and metadata and the protections afforded each type of data. S.2453 would clarify this matter.
There may be other areas where confusion about legal direction runs the risk of interfering with effective action pursuant to FISA. If so, the Executive Branch should identify problems to Congress so that it can act to correct them.
Consider Adaptations to Address Changing Technology, Including Programmatic Approvals
In the almost 30 years since FISA became law, communications technology has changed radically. Perhaps the most significant change for purposes of electronic surveillance is the move from circuit-based to packet-based communications technology. Increasingly, interception of communications does not involve "tapping" a dedicated line as it did when FISA was drafted, but instead requires sifting through and connecting discrete packets of information that together make up an electronic or voice communication. As I mentioned earlier, FISA's provisions actually have been far more flexible than many would suggest. FISA is adequate to the current task of electronic surveillance, but it almost certainly is not optimal. A careful review by Congress of FISA's definitions and requirements, informed by Administration input, could result in useful changes to make FISA even more adaptable.
One particular change to adapt to technology that has been proposed is a move to permit FISC approval of programs of surveillance in addition to individual warrants. I believe this is an area where revisions might well be appropriate. On this subject, however, far more information is needed from Executive Branch operators about what they need and why before Congress can legislate responsibly.
FISA's procedures were designed generally to authorize electronic surveillance on individual targets that have been identified through other means as foreign powers, terrorists, or their agents. But increasingly, analysts seek to use transactional data involving large numbers of people, including communications metadata or even content, to help with the job of identifying the terrorists in the first place. Using automated programs that employ algorithms (often referred to as "data mining"), analysts will seek to detect links between subjects or patterns of activity that will help unmask terrorists who might then be the subject of individual surveillance. Although the current FISA procedures are flexible, it is fair to say that they were not designed for this use of surveillance. This issue has been raised in discussions of the NSA domestic surveillance program, although it is not clear from public descriptions of that program what type of analysis it involves.
One thing that is crucial in any discussion of programmatic approvals under FISA is how the FISC would authorize and oversee those programs. The need for careful Court oversight is at least as great with this type of surveillance. I believe any authority for advance approval of programs must provide a standard for review that is something akin to probable cause and require the FISC to evaluate the purpose of the program and the basis for concluding that it will collect foreign intelligence. The court should take into consideration in its review what type of analysis will be used, how intrusive it is and its level of accuracy; what data is involved; procedures that will be used to protect privacy, such as the use of anonymization or other technology; procedures for dissemination and use of the information obtained; and what auditing and other techniques will be employed to assure compliance with guidelines. The authority would also have to provide for regular court oversight of the programs.
Comments on S.2453
The legislation that the Chairman has introduced after discussions with the White House is an attempt to create a route for obtaining judicial review of the controversial NSA surveillance program, while permitting FISC approval of surveillance programs and addressing some of the Administration's concerns about FISA as it is currently written. I agree that judicial review of the NSA program is a high priority, but I have some serious concerns with this proposed legislation.
Would Make the FISA Process Optional
As I have said, it is my view that FISA's carefully constructed oversight scheme must be the only route available for the national security electronic surveillance that FISA addresses. Therefore, my most significant concern with S.2453 is that it would make FISA optional. Section 9 of S.2453 reads: "Nothing in the Act shall be construed to limit the constitutional authority of the President to collect intelligence with respect to foreign powers and agents of foreign powers." That section also repeals the provisions that now make FISA exclusive. This is a dramatic rejection of the judgment of FISA's drafters that FISC oversight is crucial to protection of civil liberties and maintenance of public trust in the conduct of electronic surveillance for national security.
Congress has the authority to make FISA the exclusive process for conducting national security electronic surveillance in the United States, even if the President has constitutional authority in this area. A long line of separation of powers analysis, beginning with Justice Jackson's concurrence in Youngstown Sheet & Tube Co. v. Sawyer, makes it clear that Congress may limit or regulate the President's exercise of his constitutional authority. In Youngstown, Justice Jackson stated:
When the President takes measures incompatible with the express or implied will of Congress, his power is at its lowest ebb, for then he can rely only upon his own constitutional powers minus any constitutional powers of Congress over the matter. Courts can sustain exclusive executive Presidential control in such case only by disabling the Congress from acting upon the subject.
As recently as last month, in the Hamden v. Rumsfeld case, the Supreme Court has reaffirmed this line of analysis. In Hamden's footnote 23 the Court cites Youngstown and explains:
Whether or not the President has independent power, absent congressional authorization, to convene military commissions, he may not disregard limitations that Congress has, in proper exercise of its own war powers, placed on his powers. (Emphasis added.)
There is little question that Congress has its own powers in this area. Indeed, the "Findings" section of S.2453, Section 2(9), lists and describes those powers. Therefore, by regulating the President's exercise of surveillance power with FISA and directing that the process be exclusive, Congress placed the President's independent authority at its "lowest ebb." The provision in S.2453 that recognizes and specifically declines to limit the President's authority lifts those powers from their "lowest ebb" and provides the President the option to choose avenues for national security electronic surveillance at home that will not involve any court oversight.
Would Limit, and Distort the Outcome of, Judicial Review
A second problem with S.2453 concerns the quality of the judicial review it would provide. Although I agree that it is important to obtain a judicial determination of the constitutionality of the controversial NSA surveillance program that has been disclosed publicly, this legislation would actually cut off several promising avenues for that review. The proposal gives the FISC authority to review and approve an "electronic surveillance program," which presumably would include the NSA program in question. It does not require the Executive Branch to submit any program for approval. The White House has committed to submit the current NSA program to the FISC, but for other programs created under the authority of this legislation, review would be optional. While providing this optional avenue, the bill would cut off review by other federal courts requiring a transfer of any such cases to the Foreign Intelligence Surveillance Court of Review if the Executive Branch requests it. This would affect the several cases currently under consideration in federal district courts. Moreover, the Foreign Intelligence Surveillance Court of Review, or any other federal court hearing such a case, is permitted to dismiss a legal challenge to a surveillance program "for any reason."
The Legislation also would increase significantly the Administration's chances of prevailing in any review that does occur by changing the relative positions of the Executive and Legislative Branches in a separation of powers analysis. For the reasons discussed in the previous section, the provision in S.2453 recognizing and specifically declining to limit the President's authority would be read by a court as an expression by Congress that it supports, or at the least is silent on, the President's pursuit of this program outside of the FISA scheme. The exclusivity provisions of FISA as currently written, on the other hand, would be seen specifically to prohibit this independent route. The expression of Congress's will is a critical aspect of separation of powers analysis under Youngstown and its progeny.
Would Allow for Program Approvals with Little Review or Oversight
Sections 5 and 6 of S.2453 would permit applications for and approval of electronic surveillance programs. Although, as I stated earlier, I believe permitting programmatic approvals could be a useful innovation, these sections as written would not provide the kinds of protections that would be essential with this type of change. First, Congress must have more information from the Executive Branch before it can legislate in this area. In the absence of a clear understanding of what the operators feel they need and why, Congress is left to guess, or simply to accept general statements from the Administration about the authority it believes it needs. Neither is acceptable in an area this sensitive. Programs of surveillance have the potential to be extraordinarily intrusive and Congress has a responsibility to consider carefully and balance the benefit to security and the potential for harm. Second, the provisions are overly general, allowing approvals based only on a showing that the program is "reasonably designed" to lead to a broad category of communications. Finally, the legislation does not provide for the kind of careful oversight by the FISC of the ongoing conduct of the program that I believe is essential.
Would Loosen Many Existing Protections in FISA
Other aspects of S.2453 would create exceptions, change definitions, and lower standards in a way that, taken together, would significantly reduce the protections that FISA affords. Although I have not had the opportunity to do a thorough analysis of the proposal's many provisions, I will mention a few about which I have particular concerns. The expansion of the definition of non-U.S. person agent of a foreign power (section 10(b)(1)) to include an individual who "otherwise possesses or is expected to transmit or receive foreign intelligence information while in the United States" could permit surveillance of a considerably broader range of individuals under FISA than is now possible. The redraft of FISA's section 102, which permits surveillance without application to the FISC, would increase the types of communications that are exempted from court review under this authority. And the expansion of the time limit for all surveillance orders to 1 year would reduce FISC participation and could allow surveillance well past when it is providing useful intelligence.
I am grateful to the Committee for giving me the opportunity to provide my views on FISA and efforts to modernize that legislation to meet 21st Century requirements.