One of the interesting things about the very controversial Foreign Intelligence Surveillance Act is that lots of people criticize it but few offer any alternatives. FISA, as it is known for short, is the set of laws that regulates most evidence collection within the United States in national security and terrorism cases. Whenever you hear about FISA, you tend to hear about its dangers: FISA creates a secret court that allows the government to obtain secret Section 215 orders, it imposes gag orders such as those struck down last week in Doe v. Ashcroft, its privacy protections were eroded by the Patriot Act, etc. But I wonder: what rules might we come up with from first principles to regulate this sort of evidence collection, and how far are those rules from the rules that FISA creates? In other words, if FISA is so bad, what are the better rules that should replace it?
This is an enormous topic, obviously, so let me try to focus on just one example. Let’s imagine the FBI learns that a suspected Al-Qaeda associate believed to be located in Saudi Arabia regularly uses a Hotmail e-mail account. They have heard rumors from sources in Saudi Arabia that the suspect and others are planning a terrorist attack in the United States. To try to identify the other members of the cell, the FBI might reasonably want to get a list of incoming and outgoing e-mail addresses used to send mail to and from the account. It might then go to those other accounts and repeat the process and look for connections, with the goal of using the linking of e-mail accounts to try to uncover the cell.
Here’s the big question: what rules should regulate the process by which the government can obtain this information? Hotmail is a California company, and the information relating to the 1st account would be stored in and obtainable from California. Let’s assume that the FBI goes to Hotmail in California and explains the situation to its lawyers. Hotmail might reasonably decide that they don’t want to cooperate absent some kind of official order: they want some official showing that this is a real investigation, not just a rogue officer. But what kind of showing should the government be required to make under the law before the investigators can compel the information?
Should the government have to get a court order before compelling the information (as would be the case with a warrant), or it is enough that the ISP can challenge the request to compel if they find it faulty (as would be the case with a subpoena, or, at least according to DOJ, a national security letter)? What should the government have to show? Is it enough that sources in Saudi Arabia tell the FBI that this particular e-mail account is believed to belong to a member of Al Qaeda? Should there be a requirement that the government has to provide a court with more specific information than that? Should the government have to provide specific evidence of acts that the suspect has committed that lead the government to believe the suspect is planning attacks? Should the government have to show that the suspect is an agent of a foreign power? That he has known co-conspirators, and is not a “lone wolf”? Should there be any restrictions on Hotmail contacting the suspect to inform him of the government’s order to compel? If so, what limits?
I am no FISA expert, but my understanding is that some of the most controversial Patriot Act changes to FISA were designed to give the FBI powers to obtain information in cases such as this. Under the Patriot Act, as it amends the original FISA Act and the Electronic Communications Act, FBI intelligence investigators have two choices: they can issue National Security Letters without any prior judicial review under 18 U.S.C. 2709 — at least to the extent that this statute is not struck down by the Second Circuit in the DOJ appeal of Doe v. Ashcroft — or, they can go to the FISA Court and get Section 215 court orders. The low relevance standard is used (implicitly or explicitly) in both provisions: the information obtained just has to be relevant to a terrorism investigation, with no showing of specific facts or any connection to a foreign power.
If the approach of Section 2709 and Section 215 is inappropriate, as I gather many people think it is, then exactly what set of rules should govern cases like this? (And no, I don’t have the answer myself — I just think it’s a very important question and wanted to get it out there for debate.)