Is Section 702 of the Foreign Intelligence Surveillance Act (FISA) currently being used by the National Security Agency to make requests to U.S. companies for data stored outside the United States? I have asked this question to many legal and technical experts over the last year (I have pointedly not asked this of anybody in a position to impart classified knowledge of the 702 program). The responses have varied widely, from “Of course – I’ve always assumed it was used that way,” to “I don’t know, but it could be used that way,” and “No. Why would NSA use 702 when it could collect the same information internationally using E.O. 12333 authorities?”
The answer has big implications for both the national security and tech communities. I am writing here to highlight the three considerations that are important to answering this question.
First, can NSA use Section 702 authorities to legally collect data stored abroad? Section 702 was written to govern access to the communications of individuals outside the United States that are flowing through or being stored inside the United States. The original collection programs put in place after 9/11 exploited the fact that much of the world’s Internet traffic flowed through the United States. Additional provisions of FISA, including Section 702, were subsequently added to govern that type of collection.
However, from my lay reading, there is nothing in the statute to preclude NSA from asking U.S. companies to turn over data that they control and that is stored outside the United States. I am not a legal expert, and would defer to law scholar colleagues on this issue. They have told me that this is an open legal question but that the answer is likely yes—NSA can use Section 702 authorities in this way.
Second, what presents a greater challenge for NSA, legal hurdles to using Section 702 authorities or technical hurdles to acting under Executive Order 12333? E.O. 12333 establishes the authority for intelligence agencies, including NSA, to collect intelligence outside of the United States. The data at issue here is outside the United States but can be accessed by U.S. companies from inside the United States. As argued in point number one above, this means that NSA can legally use either Section 702 or E.O. 12333 authorities to gain access to this data. The key difference is the way the data is accessed and the hurdles NSA faces when drawing upon those different authorities.
Section 702 activities, which involve intelligence collection from inside the United States and therefore implicate constitutional concerns, operate under a much stricter legal regime compared to collection abroad taking place under E.O. 12333. Intelligence agencies have relatively free rein to collect abroad under the executive order, so long as that collection has foreign intelligence value. Activities conducted under E.O. 12333 are inherently more technically challenging, however. This is because they require the use of some type of surreptitious collection tool. This might involve the exploitation of a vulnerability on a target’s computer or the installation of a piece of hardware on an Internet exchange. No such device is necessary for Section 702 collection because, once legal hurdles are overcome, NSA can just go directly to U.S. companies and ask for a target’s communications.
Put simply, Section 702 presents NSA with a more substantial legal hurdle when collecting domestically. E.O. 12333 presents NSA with a more substantial technical hurdle when collecting abroad. If the legal hurdle NSA faces when collecting data abroad from U.S. companies is lower than the technical hurdle when collecting abroad under E.O. 12333, this would mean that NSA has good reason to utilize Section 702.
Third, where is the data of 702 targets actually stored? As noted above, Section 702 was put in place in the near past when the vast majority of the world’s Internet traffic was flowing through and being stored in the United States. That may be changing; U.S. companies, for performance reasons, are now storing user content geographically closer to the user. This decreases the time it takes to deliver that content. For example, in a recent opinion about law enforcement access to data that is controlled by Microsoft and stored abroad, Judge James Francis noted:
Microsoft stores e-mail messages sent and received by its users in its datacenters. Those datacenters exist at various locations both in the United States and abroad, and where a particular user’s information is stored depends in part on a phenomenon known as “network latency”; because the quality of service decreases the farther a user is from the datacenter where his account is hosted, efforts are made to assign each account to the closest datacenter. When this is done, all content and most non-content information associated with the account is deleted from servers in the United States.
This case pertained to authorities under the Stored Communications Act, not to Section 702 of FISA, but the same technical considerations are relevant to both. In accordance with the statute, all individuals targeted under Section 702 are non-Americans located outside the United States. This would suggest that, at least when it comes to Microsoft email users on NSA’s target list, the emails for these targets will often be stored outside the United States.
Conclusion: My informed guess is that NSA is in fact using Section 702 to collect emails abroad. It appears to have the legal authority to do so. I think the legal hurdle it faces is low compared to the technical hurdle to using E.O. 12333 (there are 89,138 individuals on the 702 target list, according to the DNI, so the legal hurdle must not be especially high). And given current tech industry trends and the fact that all 702 targets are abroad, it seems likely that many of the communications of those targets are being stored abroad by U.S. companies.
I am torn about the appropriateness of this activity. As noted earlier, it is inconsistent with the intent (if not the language) of Section 702, which was written to govern access to data stored inside the United States. The use of Section 702 in this way also places an economic burden on U.S. companies, whose international customers will be more distrustful and more likely to use Internet services of non-U.S. companies that are outside the reach of Section 702.
Alternatively, this activity is perfectly in line with NSA’s mission, which has traditionally focused on collecting data abroad about non-U.S. persons. To limit NSA’s ability to fulfill that mission because of where the data is accessed would seem capricious. Moreover, most commentators would agree that it is better for intelligence agencies to work through legal processes pursuant to Section 702 to request data from U.S. companies rather than using E.O. 12333 to surreptitiously steal U.S. company data stored abroad.
Ultimately, I think the solution here lies in allowing NSA to use Section 702 to collect data stored abroad but ensuring that the legal and policy hurdles it faces when doing so are high enough to discourage abuse and bolster trust in U.S. companies.