House Intelligence Committee FISA “Reform” Bill Would Greatly Expand the Class o...

Published: Dec. 08, 2023

Yesterday the House Permanent Select Committee on Intelligence unanimously approved the FISA Reform and Reauthorization Act of 2023 (FRRA), which would reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA 702). The full House is expected to vote on this bill next Tuesday. Like other competing reauthorization bills that have been introduced (see here and here), the FRRA would impose new restrictions on the government’s access to and use of information about U.S. persons that has been incidentally acquired pursuant to FISA 702, a provision that permits the government to conduct warrantless surveillance of non-U.S. persons located outside the United States.  

Although the FRRA is ostensibly a reform bill, it contains one notable provision that would significantly expand the government’s authority under FISA 702 by broadening the definition of “electronic communication service providers” (ECSPs) whom the government may compel to assist in FISA 702 surveillance. The statutory definition of ECSP currently covers:

(1) a telecommunications carrier; 

(2) a provider of an electronic communication service or a remote computing service, as defined in the Electronic Communications Privacy Act; 

(3) “any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored”; and 

(4) an officer, employee, or agent of any such entity.  

Section 504 of the FRRA would broaden the “catch all” definition in (3) above to cover: 

“any service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored or equipment that is being or may be used to transmit or store such communications.”

Section 504 would also expand the definition in (4) above to include not only an officer, employee, or agent of an ECSP, but also any “custodian” of such an entity.

These changes would vastly widen the scope of businesses, entities, and their affiliates who are eligible to be compelled to assist 702 surveillance. By including any “service provider”—rather than any “other communicationservice provider”—that has access not just to communications, but also to the “equipment that is being or may be used to transmit or store . . . communications,” the expanded definition would appear to cover data centers, colocation providers, business landlords, shared workspaces, or even hotels where guests connect to the Internet. And the addition of the term “custodian” in (4) above could be understood to sweep in any third party involved in providing equipment, storage, or even cleaning services to such entities.

The FRRA’s new definition of ECSP would effectively overrule recent decisions of the Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence Surveillance Court of Review (FISCR) that interpreted the current “catch all” definition much more narrowly, seemingly to exclude those communication service providers who merely have access to equipment on which communications are transmitted or stored. The expanded definition would also effectively restore the broad assistance provision of Section 702’s predecessor, the Protect America Act, which Congress specifically rejected when it originally enacted Section 702 as part of the FISA Amendments Act. The new definition, when combined with NSA’s ability to conduct “upstream collection,” could give the government warrantless access to any communication system in America through which any one-side-foreign communication could be found.

If the FRRA is enacted in its current form, the broadened definition of ECSP could put U.S. companies that offer co-location computer storage and commercial landlords at a competitive disadvantage to foreign service providers and property owners given the possibility that customer or tenant communications could be obtained from them.