Section 702 of the Foreign Intelligence Surveillance Act (FISA) is set to expire at the end of the year. Amid the regular drumbeat of revelations regarding the abuses of the program, Mozilla calls on Congress to significantly reform FISA now.
FISA Reform is Critical for Civil Liberties and Human Rights
Mozilla has advocated through dozens of blog posts, regulatory filings, and amicus briefs for more transparency and due process in government surveillance in the United States. Our Surveillance Principles for a Secure, Trusted Internet have served as the guiding force of our advocacy in this space. These principles were created in the aftermath of the Snowden revelations of 2013 that showed the world the catastrophic breadth of US government surveillance. Our advocacy here also stems from Principle 4 of Mozilla’s Manifesto: “Individuals’ security and privacy on the internet are fundamental and must not be treated as optional.” The status quo of US government surveillance violates this principle and can threaten the human rights of journalists, dissidents, and even members of Congress.
The current FISA process is overbroad, restricted only by weak legislation and executive orders that, experience has shown, do not create real accountability. It has been clear for some time that any meaningful reform to FISA 702 would create accessible due process for subjects of surveillance, accompanied by effective oversight.
FISA reform should focus on transparency, oversight, and due process.
Transparency: Subjects of surveillance should be appropriately notified when 702 intelligence is being used in a criminal case against them, unless a court certifies that doing so would have a material impact on a specific active investigation. Subjects of surveillance have a basic right to know how the government obtained otherwise private communications in a criminal case, and whether that information was obtained lawfully. Congress should also change the secrecy requirements behind 702 data requests to be time-bound and limited to the potential risks.
Accountability: Potential checks on inappropriate surveillance in FISA are not sufficiently independent or empowered. While the President’s recent executive order makes some progress on this front, it does not go far enough – and any such protections should be codified into law. Additionally, the government has repeatedly snuffed lawsuits aimed at accountability by asserting that plaintiffs do not have standing to sue or that the lawsuit is incompatible with protections for state secrets. Congress should therefore make clear that FISA’s dispute resolution procedures (i) preempt the state secrets privilege and (ii) allow suits challenging 702 surveillance outside of narrow contexts where the government is bringing a case using 702-derived evidence.
Due process: In its current form, Section 702 has operated as an end-run around the Fourth Amendment. Information should be collected on or queried for American citizens by intelligence agencies only after a showing of probable cause. Congress should furthermore prohibit intelligence agencies from buying information from data brokers to circumvent statutory and Constitutional guardrails. All Americans deserve the basic level of scrutiny aligned with Constitutional rights against unreasonable search and seizure. And for non-American citizens, Congress should require that any collection be necessary and proportionate, and codify enforceable remedies against missteps or abuses of power.
The Business Case for FISA Reform
FISA is not just a national security or civil liberties issue. Meaningful FISA reform would create critical operational certainty for businesses of all sizes.
In July of 2020, the European Court of Justice (CJEU) ruled that FISA does not provide adequate protections for European individuals’ data transferred to the US. In so doing, the Court of Justice struck down the EU-US Privacy Shield, which thousands of US businesses used as a safe harbor to transfer data between the EU and the US.
Data transfers between the US and EU are an essential part of doing business, and an American company that serves European customers must almost always transfer some data from the EU to the US. But FISA’s flaws mean that those basic parts of doing business are in limbo, with significant legal risk for companies that get it wrong.
The effects of the loss of Privacy Shield on small and medium-sized businesses were immediate. Thousands of US businesses that previously relied on Privacy Shield were forced to conduct expensive case-by-case transfer impact assessments to evaluate the privacy risks of each transfer they made. In short, FISA’s inadequate surveillance protections led to onerous business obligations – and increased legal risk – for thousands of businesses. And the decision has been accompanied by millions of dollars in fines for companies.
The Biden administration and EU have struck and finalized a new deal, but this safe harbor, too, is expected to be challenged in court with a significant likelihood of success. That is because some of the protections called for by the European Court of Justice can only truly be implemented legislatively. EU courts may therefore be unwilling to depend on an executive order as a guarantee for EU citizens. Another failed EU-US data transfer agreement could mean existential risk for thousands of US companies.
If Congress makes the reforms we described above, the European Court of Justice is more likely to find that US surveillance practices respect the rights of Europeans. That is because each of these fundamental flaws in FISA was part of the CJEU’s ruling that FISA does not provide surveillance targets with “substantially equivalent” protections compared to European surveillance law.
Congress has many competing priorities in the next six months. For businesses all over the US, and for the rights and dignity of all Americans and global citizens, Congress should spend its time on FISA 702 reform. With such intense bipartisan concern over the program, reauthorization without reform would be a missed opportunity to do right by Americans and American businesses.