Truman National Security Project

The NSA Revelations and FISA: What It Is — and Isn’t


Edward Snowden’s “revelations” to the Guardian’s Glenn Greenwald are now over three weeks old. Civil Liberties advocates have painted the revelation that the NSA received a court order for Verizon call records (not content) as an egregious assault on civil liberties, some asking pointed questions and some resorting to demagoguery. After hearings, U.S. Senators have now been briefed three times about the program and what it has done. For the 47 Senators who attended these briefings, some have softened their stances after the facts, as Senator Al Franken has. The subtle push and pull between privacy and security, along with the complexity of the PRISM program begs the question: what are the laws that apply here?


The main statute under discussion is the Foreign Intelligence Surveillance Act (FISA). Normally the Fourth Amendment protects everyone (citizen and non-citizen) from unreasonable search and seizure without reasonable just cause, sometimes a warrant approved by a judge, often with notice to the person whose items are being searched. However, if people who were engaging in acts of planning terrorism or spying were notified of a pending search, they could just stop what they were doing until they found another means of communicating with their co-conspirators.

FISA allows law enforcement and intelligence agencies to track communications, make searches and track communications patters of persons and foreign powers engaged in spying or planning acts of terrorism with the approval of a Foreign Intelligence Surveillance Courts (FISC) made up of a panel of Federal Judges. The FISC process requires an application with reasonable cause, just as any other warrant would require. They must specify the time and place/method of search and have expiration points, even in the case of “pen trap” or roving warrants that go on for long periods of time to track specific communications sources. For instance, the FISA authorization that was made public was only to track a several week period following the Boston Marathon bombings.

There are real differences though: 1) in emergencies, a search may be done with a warrant application within 72 hours after the search commences; 2) there is never notice or a right to appeal (just as a grand jury does not always give the investigated party the right to present evidence); 3) FISC records are not public for national security reasons, and 4) the search may never be directed at or used against U.S. Citizens, permanent residents, U.S. corporations or associations.

Each of these exceptions have checks and balances. Emergency applications are still subject to the same reasonable cause standard. They applications are rare, but also rarely turned down. Actually very few applications have been outright refused: eleven since 2001 on over 20,000 applications. Instead the FISC will often push back and serve as both judge and advocate, pushing to restrict or reduce the scope in over 200 cases according to U.S. intelligence officials. Amicus Curae briefs are also accepted from outside parties at times.

There are also reporting requirements. The Attorney General must report  and certify to Congressional Intelligence and Judiciary Committees, the number of applications, specifics as to those investigations and whether any unintended acquisitions took place.  The number of applications made (emergency and normal) and refused are public record, and select cases, the Attorney General can disclose to defense counsel the terms of a FISC warrant.

As stated earlier, communications of U.S. Persons, such as citizens, permanent residents, U.S. corporations and associations that are picked up as a result of FISA may not be used against those persons.

If the NSA’s descriptions are accurate, the NSA’s PRISM program allows them to seek electronic data on non-U.S. Persons under FISA warrants applied to foreign electronic traffic travelling through U.S. servers with filters and controls to prohibit use of data of U.S. Persons that may get caught up in the dragnet. The expressly prohibits the use of FISA warrants toward U.S. Persons, but it is not as clear as to what happens to data on U.S. Persons that get picked up in large dragnets aimed at non-U.S. Persons.   Much of the accuracy of claims depend on the certified disclosures to Congress by the Attorney General that such safeguards exist and are in place.

Of course, the Attorney General can lie, but that carries criminal consequences as lying to Congress and perjury are both crimes. That being said, the placement of reporting on a single cabinet member has led to calls for more stringent oversight by privacy advocacy groups such as the ACLU, Electronic Privacy Information Center (EPIC) and Electronic Frontier Foundation  These organizations are vigilant watchdogs and critics of the FISA courts.

FISA has faced many challenges, including calls for greater oversight and clearer lines between criminal and intelligence surveillance, especially when it comes to the need for increased information sharing between criminal investigations and intelligence efforts as the line of authority for investigations has blurred since the passage of the Patriot Act.


The newest, and most applicable portion of FISA to the NSA revelations is Section 702. Section 702 allows surveillance without a court order or warrant for non-U.S. Person targets certified as targets by both the Attorney General and the Director of National Intelligence (DNI).

These targets must not be U.S. Persons, may not be intentionally targeted at U.S. Persons or persons in the United States. The FISC is required to receive minimization procedures to protect the data of these protected groups from the Attorney General and DNI.

Because Section 702 certifications have the least transparent safeguards, they have been subject to the most criticism, especially in light of the recent NSA revelations.   Like other applications of FISA, there are mandatory semi-annual reviews of certifications and procedures that have to be in place. However, with reporting limited to Congressional Committees only. A gray area of Section 702 that it is not always clear to outside parties what the safeguards or use restrictions are to ensure that data on U.S. Persons that accidentally get swept up in Section 702 surveillance. Some have posited that current interpretations by the Court of Review allow such collection, as long as it is broad or general enough not to be targeted at a particular U.S. Person.

On the other hand, these data sweeps have been effective means of finding patterns (and content) of terrorist communications, especially when algorithms are applied to call data patterns as was the case here. The law also gives some leeway when it comes to U.S. Person data accidentally swept up in surveillance targeted toward non U.S. Persons located outside of the United States. It is also worth noting that many private companies use similar algorithms to the NSA PRISM program to track user behaviors based on Internet cookies, user data and other aggregations of marketing data without much public outcry.


The other tool used by law enforcement and intelligence agencies is the National Security Letter program. NSLs may be issued by the FBI to any telecommunications or financial services provider to require them, without a warrant or public disclosure, to provide credit information, phone records and electronic records such as email regarding a specific person.  It does not authorize wiretaps and only applies to electronic records.  NSLs may only be issued in connection with a specific investigation involving national security (leaks, spying, etc.).

Like FISA, the Attorney General must report both specific and aggregate information to Congressional Intelligence and Judiciary Committees. Further, companies such as Microsoft, Facebook and Google have provided the public with aggregate data to show each company had received about one thousand of these NSL letters per year out of hundreds of millions of users.


Granted the breadth of power of these NSLs and their circumvention of the 4th Amendment, privacy rights organizations have understandably been vocal advocates for greater oversight and transparency to prevent abuse. The law, and its interpretation by the Court of Review, FISC and agencies is not always clear or known to the public.  Restrictions on FISA also depend a great deal on accurate disclosures to Congress and checks by the FISC and a Court of Review meant to issue classified legal opinions on the interpretation of these laws.

On the other hand, law enforcement and intelligence have asserted that dozens of terrorist plots have been foiled because of the availability of these tools. The public has yet to be moved to see this as a major issue with less than 48% of the public citing concern.

Are these programs always consistent with democratic values? As with many national security programs, necessity for secrecy and surprise may not make that possible, but there are many understandable cries for greater accountability to ensure that to the greatest extent possible, the public can be assured that their rights are still being protected.

Part of the question is what other methods are reasonable alternatives to these programs, and there aren’t many other ways to track the often clandestine electronic communications of terrorists and spies.

Usually it takes actual abuse of the system, such as the Watergate scandal using government resources to target political enemies under the guise of national security.   While there have been claims of potential abuse, no actual abuse of FISA or NSLs have been uncovered. Until any actual abuses are uncovered, it may be unlikely that the Snowden “disclosures” or any other credible calls for greater oversight are likely to be gain traction and the tug of war between privacy/transparency and security will continue.

Andrew Lachman is a Truman Political Partner.