National security observers explain FISA ins and outs

The amendments to the Foreign Intelligence Surveillance Act that President Bush signed on July 10 may be the most significant rewrite of the government's spying powers in a generation.

But you might not know that from reading the legislation. It is a dense, often opaque, and patchworked set of new authorities that has puzzled even the few people who can actually call themselves FISA experts.

In many ways, the "new" FISA legalizes what the Bush administration was doing outside the purview of the "old" FISA for years after 9/11 -- collecting and monitoring, without court orders, communications coming into and going out of the United States.

But in important respects the revised legislation also places a check on the government's powers to gather intelligence. The law is by no means clear on every point, and to say that it represents a political compromise masks the deep divisions between its critics and supporters. Everyone agrees on only a couple of points: This law is a dramatic change, and the next president will have to wrestle with it again. The legislation expires in four years.

In an attempt to cut through the confusion, National Journal consulted experts in national security law who have been closely tracking FISA's evolution. We do not dissect every component of the legislation or air all of the passionate arguments for and against it. Rather, we hope to explain the basics of what the law allows; what it doesn't; and how it affects Americans' everyday communications, their civil liberties, and their security. Following are some of the most frequently asked questions about the new FISA, and a first crack at the answers.

What kinds of surveillance does the revised FISA allow?

First, remember that FISA does not apply to domestic criminal surveillance. This is a law about foreign spies and terrorists, not domestic mobsters and bank robbers. Its sole domain is foreign intelligence. We'll get to that definition, but remember this key point.

The law encompasses various kinds of surveillance, including traditional wiretapping as well as physical searches -- of a target's home or computer, for example. It applies to phone calls, e-mails, and other forms of electronic communication. When and how the government can collect intelligence under FISA depends largely on two factors: where the surveillance target is located, and whether the target is a "U.S. person," meaning an American citizen or a legal resident.

If the government wants to monitor a "non-U.S. person," someone who is neither a citizen of the United States nor a legal resident, it doesn't need a court order to do so, as long as that individual is located outside the United States. In these cases, the attorney general and the director of national intelligence must simply prepare a "certification" for the Foreign Intelligence Surveillance Court stipulating that the target of surveillance is "reasonably believed" to be located outside the United States. Gone is the requirement that the government have "probable cause" to believe the target is, say, a terrorist or a spy.

The government must also certify to the court that so-called minimization procedures are in place to shield the identities of any U.S. persons whose communications are intercepted in the process of surveilling this non-U.S. person. The shielding is not an absolute rule, however, and FISA leaves much to the government's discretion. For instance, if a known terrorist abroad calls an American in the United States to plan an attack, that American's name, at the very least, would show up in an intelligence report, and the government would almost certainly seek a court order to monitor that U.S. person.

How are these rules different from the old FISA?

The government no longer needs individual warrants to monitor non-U.S. persons who it reasonably believes are located overseas. To put it simply, the government is allowed to conduct warrantless surveillance of international communications, as long as the targets of that surveillance are not Americans or legal U.S. residents. (Americans' communications can, and likely will, be intercepted in the process, however. More on that below.)

Who are the targets covered by these certifications?

A lot of people could be targets. The certifications aren't limited to individuals, and the government could specify that an entire terrorist group --such as al Qaeda and all its members, current and future -- is the subject of surveillance. Some experts suggest that FISA allows a certification as broad as "all Islamic terrorists." Even an entire country. The surveillance can continue for up to one year, and the law gives the government the authority to add new targets to a certification.

The surveillance isn't limited to suspected terrorists, though. The government can issue a surveillance certification as long as "a significant purpose of the acquisition is to obtain foreign-intelligence information." The law defines "foreign-intelligence information" as that necessary to "protect against actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power." Sabotage, international terrorism, clandestine intelligence activities, and information that relates to national defense, security, or the conduct of foreign affairs are all included.

Can the government monitor multiple phone numbers and e-mails?

Yes. The surveillance need not be limited to a particular place or device. If the government receives authority to monitor all members of al Qaeda, it can monitor any and all phone numbers or e-mail addresses that officials believe Qaeda members are using. One certification can cover many people and many modes of communication. Additionally, if the government wants to access e-mails stored by a communications service provider, including a provider in the United States, it needs only a certification to get those messages. Again, however, the target must be a non-U.S. person located overseas.

Does this law "legalize" President Bush's terrorist surveillance program?

After 9/11, Bush authorized the interception -- without FISA court orders -- of international communications in which at least one party was located overseas and at least one party was believed to have connections to terrorists. Inasmuch as the new FISA allows the government to monitor these kinds of communications without court orders, the law does legalize some of what the administration was doing for several years outside of FISA. The key difference is that the government cannot now intentionally target an American, as the president's surveillance program allowed it to do.

Who ensures that the government meets all of these requirements -- that a target is actually overseas, or that the minimization procedures are in place?

The Foreign Intelligence Surveillance Court, a panel of federal District judges that has issued warrants under FISA since its creation in 1978, reviews the government's certifications. This happens before the government begins surveillance. A FISA judge must verify that the government's methods for determining a target's location are reasonable. A judge must also review and approve the minimization procedures.

The government cannot begin surveillance until the court has approved a certification, except in "exigent circumstances." In those cases, the attorney general and the DNI have seven days to bring their certification to the court for review; the surveillance can begin in the meantime.

What if the government wants to target an American?

To target a U.S. person, the government needs an individual court order whether or not that person is in the United States. This is another important change in the surveillance law. The government has always needed a warrant to monitor someone inside the country; but in the past, when a U.S. person was abroad, individual agency procedures usually governed surveillance. The government could, for example, spy on an American overseas without a warrant if it had reason to believe that he was spying for a foreign power.

Under the new law, if the government wants to monitor a U.S. person located outside the United States, it must meet a higher standard than the one for monitoring non-U.S. persons. A "federal officer" must file with the FISA court an application, approved by the attorney general, for a court order of surveillance. The application must identify the federal officer and identify or describe the U.S. person being targeted. It must include a "statement of the facts and circumstances" justifying the government's belief that the target is located outside the United States and is "a foreign power, an agent of a foreign power, or an officer or employee of a foreign power." And, yes, a terrorist group qualifies as a foreign power.

A FISA judge must also find that the government has probable cause for its actions and has put the appropriate minimization procedures in place. What counts as probable cause? A judge "may consider past activities of the target," as well as the "facts and circumstances relating to current and future activities of the target." The government stipulates to those activities, of course. But there is an important off-limits provision: No U.S. person can fall under the foreign-power categories solely on the basis of activities that are protected by the First Amendment, such as protesting at a rally, making a speech, or engaging in political activism.

If the government wants to monitor a U.S. person inside the United States, officials must obtain a traditional FISA warrant, which sets similar restrictions and requires the government to show probable cause that the target is a foreign power or the agent of a foreign power. For this type of surveillance -- direct targeting of a known U.S. person inside the country --the law hasn't changed. Similarly, if the government wants to target a non-U.S. person inside the United States, it must obtain an order from the court.

So, does this mean that U.S. persons are protected from warrantless surveillance?

That depends on how you ask the question. Can Americans be fairly confident that they are not the target of warrantless surveillance? Yes. And the new law puts significant requirements on the government to tell Congress about its surveillance activities. But the fact is, under the warrantless regime the government will almost certainly collect the communications of U.S. persons.

"What FISA protected against was the government acquiring Americans' communications without a warrant or probable cause," says Kate Martin, the director for the Center for National Security Studies in Washington, which opposed the new law. "Proponents now talk about 'targeting' to disguise the effect of the bill. The major purpose of this legislation is to allow the acquisition of millions of American communications without any of those protections."

While conducting surveillance of targets overseas, under the authority of broad certifications submitted by the attorney general and the DNI, the government will, of course, collect the communications of anyone inside the United States with whom the targets are communicating. Congress mandated the minimization procedures in the new law partly to reduce the risk of exposing U.S. persons' identities in intelligence reports. And the law directs the inspectors general of various agencies to review how the government is handling information on U.S. persons. But it's not clear how much discretion a judge will have to modify these minimization procedures.

The government will almost surely end up inadvertently targeting and acquiring some Americans' communications without warrants, because it's difficult to determine for sure where a target of surveillance is located and whether the target is a U.S. person.

Why is that so hard?

Because of the global architecture of the Internet and of telecommunications systems, phone calls and e-mails travel circuitous paths. Most of the world's international telecom traffic passes through the United States. E-mail messages bounce through servers that might be spread across multiple countries, and they travel as dispersed "packets" of data that are reassembled at their final destination.

Complicating the challenge even further, a target can somewhat easily mask his location, by using a cellphone purchased in a third country, say. More-sophisticated masking techniques involve using a server in another country, or even hijacking an individual's computer without his knowledge. It's not clear how many potential surveillance targets are trying to cover their tracks this way, but for all of these reasons, FISA experts worry about the new law's emphasis on a target's geographic location.

"For now, that may be the best we can do," David Kris, the former associate deputy attorney general who supervised the government's use of FISA from 2000 until 2003, wrote recently on the legal-issues blog Balkinization. "For the long run, however, we may need more radical change. If the government genuinely cannot determine a person's location, it makes no sense to use geography as a trigger for FISA's warrant requirements. In those circumstances, a geographical approach will always be too broad or too narrow--treating all communicating parties, or none, as if they were in the United States."

Could the government target someone abroad in order to capture the communications of someone inside the United States?

Yes, and that is why the new law includes a prohibition on this so-called reverse targeting. For example, the National Security Agency cannot monitor someone in Cairo who calls his cousin in Brooklyn if the whole point was really to monitor the cousin in Brooklyn. If the government does want to monitor the cousin in Brooklyn, FISA's normal warrant provisions apply. The law requires the attorney general to establish guidelines to prevent reverse targeting, but that means that the prohibition will be only as strong as the government makes it. For now, no oversight mechanisms are in place.

Some skeptics remain unconvinced that the reverse targeting prohibition is airtight. The law states that the government "may not intentionally target" a person located outside the United States in order to monitor the U.S.-based party. The word "intentionally" may offer some wiggle room. Of course, if the government wanted to spy on the U.S.-based party, it should get a normal FISA court order. In a statement last year, the White House said, "If the government believes a person in the United States is a terrorist, it is more useful to obtain a court order to collect all of the person's communications than to conduct surveillance on that person by listening only to a fragment of the person's calls to individuals overseas."

Say the government is monitoring a suspected terrorist abroad who is communicating with an American in the United States. Can officials use intelligence gathered from spying on that foreign target to apply for a FISA order on the American?

Yes. Say the NSA intercepts a call between a known terrorist in Pakistan and a collaborator in Washington. The government would likely have probable cause to obtain a FISA warrant for the person in Washington.

Does the new FISA provide immunity for the telecommunications companies that assisted the government with warrantless surveillance after the 9/11 attacks?

Not immunity per se, but the law practically guarantees that courts will dismiss the 40 or so civil suits pending against various electronic service providers that helped the government.

The law directs a U.S. District Court judge to "promptly" dismiss a lawsuit if the attorney general certifies that the assistance was "authorized by the president" and "designed to detect or prevent a terrorist attack, or activities in preparation for a terrorist attack, against the United States." It is generally presumed that all of the sued companies received such assurances, so they are probably off the hook. The law does not apply to government officials, however, and it does not grant immunity for any criminal activity.

FISA may contain a small window for an ambitious judge to challenge the government's claims. Suzanne Spaulding, a former staff director of the House Intelligence Committee and a onetime assistant general counsel at the CIA, notes that the law directs a judge to grant the attorney general's certification "unless the court finds that such certification is not supported by substantial evidence provided to the court." Spaulding thinks that this provision has been overlooked, and that it could conceivably complicate the telecom companies' case for dismissal.

Can a judge make public the letters or other assurances that the government gave these companies? The attorney general can declare that disclosure of this information would harm national security. In that case, judges could do little more than dismiss or refuse to dismiss a case without comment.

So, we will never know the full details of Bush's warrantless surveillance program?

Maybe not. The law requires a long list of inspectors general to "complete a comprehensive review" of the president's surveillance program. Relevant agencies include the NSA, the Justice Department, the Office of the Director of National Intelligence, and the Defense Department, as well as any other intelligence bodies that participated in the program. (For purposes of the law, the program began on September 11, 2001, and ended on January 17, 2007, when the administration struck a still-secret arrangement with the FISA court about the previously warrantless surveillance activities.)

The inspectors general will issue a slew of reports?

Maybe not. The law directs the inspectors general to designate one from their ranks who was appointed by the president and confirmed by the Senate, "to coordinate the conduct of the reviews and the preparation of the reports." Within a year, the IGs must submit a "comprehensive report" to Congress. The report must be unclassified -- although it may have a classified annex -- but it "shall not disclose the name or identity of any individual or entity of the private sector that participated in the program or with whom there was communication about the program, to the extent that information is classified."

The inspectors general may well uncover new information about the administration's warrantless surveillance. But don't look to them to finger companies that helped the administration. And don't depend on them to reveal a whole lot more than what is already known about the details of the program. The chances for a full report, experts say, depend greatly on which inspector general the group selects to lead the effort. The Justice Department's watchdog, Glenn Fine, has delved deeply into the department's use of surveillance powers, and some observers believe that if he is chosen, he would mount an aggressive investigation of the president's surveillance program.