In June, as part of its annual cycle, the Senate Select Committee on Intelligence (SSCI) approved a bill authorizing funds to be appropriated “for the conduct of the intelligence and intelligence-related activities of the Federal Government” (the Intelligence Authorization Act (IAA) for Fiscal Year 2025). This year’s IAA includes a provision amending Section 702(i) of the Foreign Intelligence Surveillance Act (FISA), to narrow the recently expanded definition of “electronic communication service provider” (ECSP) after FISA was reauthorized in April. This is an important term because the government can only serve a Section 702 directive on entities that fall within the parameters of the ECSP definition.
Background
When Congress amended FISA as part of its reauthorization of Section 702, it broadened the definition of ECSP to include “any other service provider who has access to equipment that is being or may be used to transmit or store wire or electronic communications.” During the FISA reauthorization debate, civil society and industry stakeholders criticized the expanded ECSP provision under the FISA reauthorization bill that was eventually passed (RISAA). The primary concern was that the definition was now overbroad.
According to the Center for Democracy and Technology, the expanded definition could include local businesses like hotels, coffee shops, AirBnB hosts, news media headquarters, and journalist offices. Senator Wyden also expressed alarm stating that “anyone with access to a server, a wire, a cable box, a wifi router, a phone, or a computer” could become a spy for the U.S. government with this provision. As enacted in April, the expanded definition sought to assuage concerns by clarifying that an ECSP would not include a public accommodation facility, a dwelling, a community service facility, or a food service establishment.
Attorney General, Merrick Garland, stated that the amended ECSP definition was a “technical change”, “narrowly tailored”, and “does not in any way change who can be a target of Section 702.” Under Section 702, the government should only target non-United States persons who are located outside the United States who are expected to possess, receive, or communicate certain categories of foreign intelligence information. The government is also supposed to follow court-approved procedures to target, query, retain, and disseminate the collected information. The new ECSP definition expands the services subject to Section 702 directives, but those directives must still comply with the requirements of Section 702, including the applicable court-approved procedures.
Advocates are raising concerns about the new definition, calling it a “truly breathtaking expansion of surveillance authority” that “sweeps in almost every business in the United States,” because “every business has access to equipment on which communications may be transmitted.”
The IAA amendment seeks to address such issues in an unusual way. Rather than narrowing the language of the ECSP definition to focus it more precisely on certain types of companies or services, the amendment instead seeks to limit the definition’s scope by tying it to the type of service at issue in a recent opinion of the Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence Surveillance Court of Review (FISC-R). The challenge is that the type of service remains classified.
Specifically, the IAA states that a directive under Section 702 may only be served on an ECSP that “is a provider of the type of service at issue in the covered [FISC] opinions.” This refers to the still-redacted FISC and FISC-R opinions, discussed below, that the Office of Director of National Intelligence released last August where a company challenged the government’s claim that it is an ECSP after receiving a Section 702 directive.
FISC Opinion
The FISC opinions, although heavily redacted, provide some insight into the government’s and provider’s arguments. A provider received a FISA Section 702 directive in April 2022 requiring it to “immediately provide the Government with all information, facilities, or assistance necessary to accomplish the acquisition of foreign intelligence information authorized by the 2021 Certifications.” This included compelling the provider’s “affiliates, subsidiaries, assigns and successors, and [any officer, employer, or agent]” to produce the foreign intelligence information necessary to meet the directive’s requirements. The provider filed a petition to the FISC against the application of the directive stating it was not an ECSP; therefore, the directive is unlawful as applied.
The FISC held that the provider challenging its status as an ECSP did not qualify as one based on the service in question. The provider argued that it was not an ECSP under 50 U.S.C. § 1881(b)(4)(B) or (D):
50 U.S.C. § 1881(b)(4)(B): a provider of electronic communication service, as that term is defined in 18 U.S.C. §2510(15) (any service which provides to users thereof the ability to send or receive wire or electronic communications);
50 U.S.C. § 1881(b)(4)(D): any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored
For (B), the FISC stated that its qualification as an ECSP must be determined on a per-service basis and the service in question was not an electronic communication service because it does not provide users the ability to send or receive wire or electronic communications under 18 U.S.C. § 2510(15). The provider asserted that its classification as an ECSP for other services does not mean it can be “compelled to provide assistance” under this directive. Under (D), the provider claimed that it was not offering a communication service and therefore would not be an “authorized recipient” of a Section 702 directive.
The government responded that the provider qualified as an ECSP under both definitions. Under (B), it argued that “electronic communication service” has been broadly interpreted by the courts and should apply to the service in question. The government also contended that the cited case law supports a “broader construction of the statutory definition of ECSPs.” For the second definition, it maintained that the provider’s service meets the ordinary meaning of “access” in (D).
The FISC held that the provider was not an ECSP under 50 U.S.C. §. 1881(b)(4)(B) or (D). For (B), the Court stated that the provider did not provide electronic communication services because it did not allow users to send or receive electronic communications. Specifically, it stated that the service in question was “not the type of services that courts have previously found to fall within the definition of ECS.” However, it said that courts have found the definition to apply to providers of communication services that include “telephone companies, internet or e-mail service providers, and bulletin board services.” It also asserted the provider was offering a resource that was more “akin to a product or service” and therefore does not qualify as an ECSP.
For (D), the FISC, by applying statutory interpretation rules, said that the provider was not an “other communication service provider.” The Court also confirmed that it did not have access to wire or electronic communications by applying its plain meaning.
FISC-R Opinion
The government appealed the FISC’s decision to the FISC-R, which affirmed the FISC’s order. The FISC-R relied on Electronic Communications Privacy Act (ECPA) and Stored Communications Act (Title II of ECPA) case law to analyze the definitions at issue. The FISC-R first looked at whether the provider was an “electronic communication service” (50 U.S.C. § 1881 (b)(4)(B)) by determining if it “provides users . . . the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15).
The FISC-R discussed that the “reach of 2510(15)” included network service providers, web hosting, and social networking services, but it did not include certain services that may enable communications (e.g. a smartphone that can send or receive wire or electronic communications). It also analyzed cases involving in-car and cruise ship communication systems to maintain that providers, even if they do not rely on “cellular or Internet connectivity” to send or receive wire or electronic communications, can still qualify as an ECSP. Additionally, the Court asserted that a provider can be an ECSP even if the service in question is not its “primary business function.”
After reviewing case law applying §2510(15), the FISC-R found that the provider was not an “electronic communication service provider.” Key portions of the FISC-R opinion remain redacted, making it impossible to discern how the court reached that conclusion.
Analyzing (D), the FISC-R acknowledged the FISC’s discussion on using statutory interpretation to determine the application of “access” because FISA does not define the term. It looked to other definitions in the statute to determine how “access” is utilized by remote computing services and telecommunications carriers. With this, FISC-R affirmed the FISC’s analysis and holding.
Current Status of the IAA
The IAA for Fiscal Year 2025 was introduced in SSCI and is awaiting a vote on the Senate floor. SSCI rejected an amendment introduced by Senator Wyden to revise the ECSP definition. Wyden asserted that although the DOJ stated that the ECSP definition in RISAA would be updated only to include the type of provider at issue in the 2022 FISC opinion, there was not a limitation in the statute. The IAA narrows RISAA’s ECSP definition, which Wyden expressed approval for, but he wanted to replace the definition with an amendment “[clearly articulating] which providers are now subject to Section 702.”
The current ECSP definition in the IAA seems to have bipartisan support, but it is unclear whether it will survive a Senate vote.