My Take on the New FISA Amendment:
Last night the House of Representatives approved a temporary amendment to the Foreign Intelligence Surveillance Act that passed the Senate on Friday night. President Bush will sign it shortly. The language is here. On the merits, I think this legislation on the whole seems relatively well done. I would have tinkered with it in some ways, and there are parts I'm not sure about, but the basic structure seems pretty good. Given that this is a 6-month temporary fix, not a permanent change, I tend to support it.
Of course, we're talking about policy here, not law, and different people will have different reactions based on their policy preferences and sense of the threat. Some will think the new legislation is tepid; others will think it signals the coming of the National Surveillance State. Some people think Al Qaeda is about to nuke America, and others think Al Qaeda poses no threat at all. For the most part, our reactions to new surveillance laws hinge on where we fall on those two lines. My own preferences and sense of the threat are both somewhere roughly in the middle (or so I think -- it's hard to guess exactly what the distribution is). Based on those preferences and sense of the threat, as well as my initial read of the legislation, I think this legislation on the merits is relatively well done.
So what does the legislation do? As I see it, there are three key parts of the new legislation. The first change is a clarification that FISA warrants are not needed for "surveillance directed at a person reasonably believed to be located outside of the United States." That is, if the government is monitoring someone outside the United States from a telecom switch in the U.S., it can listen in on the person's calls and read their e-mails without obtaining a FISA warrant first. The Fourth Amendment may still require reasonableness in this setting when one or more people on the call or e-mail are inside the U.S. or are United States citizens, but there is no statutory warrant requirement.
The second change is a requirement of a formal authorization of a program to do such monitoring. The Director of National Intelligence and the AG have to approve a program (for up to one year) reasonably designed to be limited to the monitoring of persons outside the United States. Those procedures have to be submitted to the FISA court, which then reviews whether the Executive's conclusion that the procedures are reasonably designed to only pick up the communications of people reasonably believed to be outside the U.S. is "clearly erroneous." If the conclusion is clearly erroneous, the court sends them back and tells the Executive to try again. The government can also appeal that determination to the FISA Court of Review and if needed the Supreme Court. I'm not exactly sure, but my sense is that this is a one-size-fits-all order; that is, the one authorization covers all the providers.
The third change -- and probably the most important, albeit something that a lot of people will overlook -- is that ISPs and telcos have to comply with the program. They will get compensation for their time and effort "at the prevailing rate," and they can challenge the legality of the program in the FISA court, but they can't opt out of the program if it is held to be legal. In effect, the government's certification of the program is akin to a court order; it makes the program mandatory instead of optional. So long as the program passes legal muster, the providers have to go along with it; if they refuse to cooperate, the FISA Court can hold them in contempt. (Note that the providers can't be held civilly liable for their mandatory participation in the program, either.)
This is pretty complicated legislation, and my morning-after blogging isn't going to capture a lot of the nuances. Still, here are some reactions. First, I have a number of concerns about the legislation from a civil liberties perspective. For example, limiting judicial review to whether it is clearly erroneous that something is reasonably designed to target those reasonably believed to be outside the U.S. seems like a pretty weak threshold. I'm guessing that the FISA Court judges will be pretty tough on this despite the statutory language, but the statutory language itself is obviously very deferential. I also would want the courts to pass on the reasonableness of the government's method more than once a year (note that under the sunset, an authorization can go on for a year even if the legislation has been sunsetted; I gather this means that the legislation is really effective for a year, not six months). I also have an instinctive difficulty with the mandatory nature of the program without individualized court orders forcing compliance.
At the same time, this legislation does a number of things well. I think I basically agree with the idea that if someone is outside the United States, FISA should not regulate the monitoring of their communications. Intelligence agencies have long been able to monitor such calls from listening posts outside the U.S. without triggering FISA (think Echelon); this legislation makes the same rule apply regardless of where the communication is routed. Although I'm not happy about forcing ISPs and providers to comply with a mandatory program, the basic idea of letting the government access those communications without a statutory warrant requirement seems appropriate.
I also like the idea of submitting the means of implementing FISA to the judges for evaluation. Although the review is deferential, it recognizes that the technical means of implementing FISA's broad guidance is really critical to how the statute operates. I also think it's important that this is a temporary fix. If the Patriot Act experience is any guide, any reauthorization will come with some serious legislative scrutiny and a ratcheting up of oversight mechanisms as a condition of re-approval.
Anyway, those are my tentative thoughts. More reactions can be found at Balkinization and Obsidian Wings.