The Foreign Intelligence Surveillance Act (FISA)

• Establishes standards and procedures for electronic surveillance that collects foreign intelligence

within the U.S. FISA orders can issue when foreign intelligence gathering is a significant purpose

of the investigation.

• Orders issue from a special court of federal district court judges, the Foreign Intelligence

Surveillance Court (FISC).

• FISA authorizes wiretap orders, pen register, and trap and trace orders (for phone numbers,

email addresses, and other addressing and routing info) and orders for video surveillance

• Entities that receive FISA orders to produce records generally cannot disclose the fact of the

order to targets of the investigation. There is generally no disclosure after the fact to the target

of a FISA wiretap as there is for law enforcement wiretaps.

• Section 702 refers to a provision in the FISA Amendments Act which revised FISA

o Applies to a collection of electronic communications of targeted individuals for listed

foreign intelligence purposes

o Must annually approve certifications by the director of national intelligence and the

attorney general setting the terms for section 702 surveillance. To target the

communications of any person, the gov must have a foreign intelligence purpose to

conduct the collection and a reasonable belief that the person is a non-U.S citizen

located outside the U.S

o Two surveillance programs:

▪ PRISM: collection, acting under a section 702 court order, the government sends a judicially approved and judicially supervised directive requiring collection of certain selectors such as an email address. The company’s lawyers have the opportunity to challenge the request

▪ Upstream: targets Internet based communications as they pass through physical Internet infrastructure located w/in the U.S. Designed to only acquire Internet communications that contain a tasked selector. Emails and other transactions that make it through the filters are stored for access by the NSA, while info that does not make it through the filters is never accessed by the NSA or anyone else.

The USA Patriot Act

• Section 217 permits, but does not require, the owner or operator of a computer system to

provide such access in defined circumstances. For computer trespassers, law enforcement can

now perform interceptions if:

o The owner or operator of the protected computer authorizes the interception of the

computer trespasser’s communications on the protected computer

o The person acting under color of law is lawfully engaged in an investigation

o The person acting under color of law has reasonable grounds to believe that the

contents of the computer trespasser’s communications will be relevant to the

investigation

o Such interception does not require communications other than those transmitted

• Expanded definition of pen register/trap and trace beyond telephone numbers to include

dialing, routing, addressing, or signaling info

• Section 215: provides that a federal court order can require the production of any tangible thing

for defined foreign intelligence and anti-terrorism investigations

o Disclosure is permitted to the persons necessary to comply with the order and to an

attorney

• Expanded the use of National Security Letters

o Included strict rules against disclosing that an org had received an NSL

o 2006 amendment said that recipients are bound to the confidentiality only if there is a

finding by the requesting agency of interference with criminal or counterterrorism

investigation or for other listed purposes

o Recipients could petition the court to modify or end the secrecy requirement

o As of 2015, the FBI now presumptively terminates NSL secrecy for an individual order

when an investigation closes, or no more than three years after the opening of a full

investigation

USA FREEDOM Act

• Set new rules for national security investigations prohibiting the use of pen register/trap and

trace orders for bulk collection and restricting their use to circumstances where there were

specific selectors such as an email address or telephone number.

• Ended bulk collection of Section 215 PATRIOT ACT

The Cybersecurity Information Sharing Act (CISA) 2015

• Permits the federal gov to share unclassified technical data with companies about how networks

have been attacked and how successful defenses against such attacks have been carried out.

CISA encourages companies to voluntarily share the same info with gov

• Company’s release of info about cyber threat indicators and defensive measures receive certain

protections

o Limitations on liability

o Non-waiver of privileges

o Exemption from FOIA disclosure

• Provisions:

o Authorization for a company to share or receive cyber threat indicators or defensive

measures

o Requirement for company to remove personal info before sharing

o Sharing info with federal gov does not waive privileges (no similar provision for sharing

with state/local gov)

o Share info exempt from federal and state FOIA laws

o Prohibition on gov using shared info to regulate or take enforcement actions against

lawful activities

o Authorization for company’s monitoring and operating defensive measures

o Protection from liability for monitoring activities