The Federal Bureau of Investigation (FBI) is authorized to conduct warrantless searches of certain types of digital information under the terms of Section 702 of the Foreign Intelligence Surveillance Act (FISA). Passed in 2008, the amendment is supposed to be used to investigate foreign nationals outside of the United States. However, “incidental collection” provisions allow for the data of Americans to be swept up, mostly in the form of “large batch queries” that cover particular keywords.
The FBI releases annual information on these queries and at the end of April revealed that it had run nearly 3.4 million of these FISA searches in the prior year, nearly triple the 1.3 million in the prior year. The FBI defended the increase by claiming that the searches were necessary to curtail a wave of foreign threat actors conducting operations against domestic firms, and that a “quirk” in the system often causes a search that returns the name of one American to be counted as 100 searches.
Warrantless searches jump in midst of increase in cyber crime
Section 702 must be renewed by Congress every five years, and has been an ongoing source of controversy. The renewals are sometimes tweaked over privacy concerns, something that happened with the most recent version (revised in 2018); it was expanded to restore powers that had been nixed in the prior renewal of the bill.
The information comes from an annual transparency report that the agency issues, in which it is required to disclose some amount of information about its warrantless searches. The agency was more detailed than it has ever been before in the current edition of the report, saying that 1.9 million of these searches in 2021 (more than the full total for 2020) were related to cyber threats based in Russia. These were not the only threats against critical infrastructure, however, with the report suggesting that the vast majority of 2021’s warrantless searches focused on cyber threats to the US perpetrated by an assortment of foreign actors.
The FBI did not specify exactly what the threats that merited warrantless searches were, only indicating that the majority came from Russia. 2021 was the year of notorious attacks on critical infrastructure, headlined by the disruptive breaches of fuel provider Colonial Pipeline and meat packer JBS, in which a line was crossed by criminal groups in terms of temporarily shutting down distribution of real world essentials via ransomware. Though the perpetrators had no direct ties to the Russian government, the hacking groups were based in Russia and the issue publicly highlighted the Putin administration’s unofficial policy of letting cyber criminals have a free hand so long as they avoided domestic targets and did not cause major problems overseas.
One incident that was linked to the Russian government was the SolarWinds attack, which was aimed at collecting intelligence from US government agencies but incidentally compromised thousands of private companies (and could have leveraged ransomware or malware against them should the attackers have desired) in the process.
In addition to the need created by these foreign hacking campaigns, the FBI also defended its warrantless searches by pointing out a “quirk” in the FISA search system. When a resident of the US is identified in one of these searches, every term in a bulk keyword search must be associated with that person’s name even if most of the keywords did not apply to them. The FBI says that this can cause a hit on one particular name for one particular keyword to be counted as many as 100 times in terms of the overall search total, with the name associated with as many as 99 other keyword searches that ended up having nothing to do with it. Additionally, if the same search is conducted more than once, each new search is added to the total even if it turns up identical results.
FISA bulk searches vastly outnumber open investigations, targets under surveillance
Related data released by the Office for the Director of National Intelligence indicates that the FBI’s warrantless searches dwarf the amount of open cases that involve surveillance of foreign nationals that may be on US soil but do not have resident status. The agency identified 376 warrants issued for wiretaps or physical searches of individuals in this category, a decrease in the number (451) served in 2020.
There were 232,432 named targets of FISA warrantless searches authorized by Section 702 in 2021, all of these foreign nationals residing outside of the US that made use of some US-based product (such as Google’s GMail) that federal agencies have the legal authority to search as part of an investigation but without the need for an individual court order.
Critics have argued that FISA bulk collection constitutes a legal loophole that is sometimes knowingly applied for domestic surveillance and warrantless searches that would otherwise not be permitted. Chris Hauk, consumer privacy champion at Pixel Privacy, takes this view and recommends that Americans perform a privacy checkup with this practice in mind: “As we’ve seen in the past, the FBI and other government agencies will use any excuse they can to spy on U.S. citizens and their activities. While the usual terrorist and hacker fears are usually used as an excuse, unconstitutional searches like these are worrying to anyone that is concerned about their personal and business privacy. The government will continue to practice unconstitutional searches such as are mentioned in the report, at least until someone speaks up to put a stop to it. Until then, U.S. citizens will need to stay vigilant about who accesses their information, protecting as much as they possibly can by using encrypted storage to protect their information and by using VPNs and privacy focused browsers and search engines to protect their online activities from the nosy digging of the government and other bad actors.”
Section 702 is also once again up for renewal in 2023, and there is broad expectation that the Biden administration will allow warrantless searches to remain in spite of a greater legislative focus on digital privacy in recent years. Paul Bischoff, privacy advocate with Comparitech, observes: “Given that Obama renewed FISA’s powers with the Freedom Act in 2015, I expect Biden will follow suit and renew the FBI’s surveillance powers under FISA. FISA was originally enacted prior to the proliferation of the internet and was only intended to target foreigners, not US citizens. Bulk surveillance of private correspondence is a violation of the 4th Amendment because it targets Americans who have not been suspected of any crime. The lack of transparency, due to FISA courts being secret, makes it impossible to know which or even how many Americans were targeted. The announcement underscores the necessity of end-to-end encrypted messaging apps in lieu of unencrypted emails and SMS messages.”