Expansion of FISA Electronic Communications Service Provider Definition Must Be Removed - Information Technology Industry Council (2024)

April 16, 2024byJohn Miller (ITI) View all posts by John Miller

There is no greater responsibility of the U.S. government than to provide for the security of the country, and as the Privacy and Civil Liberties Oversight Board (PCLOB) reaffirmed in 2023, Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) is “highly valuable” to national security. While H.R. 7888, the Reforming Intelligence and Securing America Act, would reauthorize FISA 702, the U.S. House of Representatives-passed bill unfortunately includes an amendment that changes the definition of “electronic communications service provider,” dramatically expanding the scope of entities and individuals covered by FISA 702.

Although the effects of this amendment may be unintentional, its impacts would be very real. The language in the amendment vastly expands the U.S. government’s warrantless surveillance capabilities, damaging the competitiveness of U.S. technology companies large and small, and arguably imperiling the continued global free flow of data between the U.S. and its allies. On behalf of the technology industry, we urge members of the U.S. Senate to remove this vast expansion before reauthorizing FISA 702.

What does the amendment change?

Under current law, FISA 702 only applies to entities such as telecommunications or internet service providers providing communications services such as telephone calls, emails and text messages. The recently adopted amendment expands the definition of “electronic communications service (ECS) provider” to include “any service provider” with “access to equipment that is being or may be used to transmit or store wire or electronic communications,” as well as “custodians” of such entities. While the amendment has been portrayed as a “narrow” and technical fix to update 702 to conform with the changing landscape of the telecommunications ecosystem, in the age where nearly everything is interconnected, the practical impact of the revised definition is significant and means any company, vendor, or any of their employees who touch the physical infrastructure of the internet could now be swept under FISA’s scope and compelled to assist with FISA surveillance.

Who would be impacted by the change?

While the changes to the definition of ECS provider seem small if measured by the number of words, if measured by their impacts the changes in fact constitute a significant expansion due to the nature and complexity of the information and communications technology (ICT) infrastructure underlying communications flows in the U.S. and globally and the wide array of service providers operating who provide services within that ecosystem.

Adding “access to equipment” is a big change because, from routers and switches to servers and virtual networking gear to the internet and communications that ride on it, all global communications transmissions and storage are powered by real-life physical ICT equipment, and there are tens of thousands of such companies providing hardware or other physical technology equipment in the U.S.

Expanding the definition to “any” service provider by dropping “communications” has equally wide-ranging implications when we factor in the multiplicity of service providers who play a role in helping to transmit or store the ICT communications. For example, on its face the amendment would appear to cover data centers, cloud storage providers, co-location providers, managed security services providers and a variety of other companies who provide services underlying or related to ICT communications transmission and storage, or merely those many companies and individuals who have access to the equipment necessary to provide such services – from building and facilities owners/landlords to cleaning/janitorial staff to the many types of commercial entities that provide a WiFi connection to their guests.

For proof of the breadth of the amendment we need only examine the recently added exemptions which specify use cases of equipment that are carved out of the expanded definition – the clear implication is that a wide array of scenarios not expressly exempted are in scope. The specific exemptions for public accommodation facility, dwellings, community facilities, and food service establishments indicates it is likely not the technology itself, or those that handle it in all cases that is the target of the amendment, but certain use cases of those technologies and those with access to it. The tension between the operative language and the exemptions may make the new authorities difficult to implement in a real-world setting, and we urge lawmakers to engage industry stakeholders to clarify the intended scope to ensure it effectively addresses the gap in authorities raised by the FISA court.

What are the impacts of the change?

If this amendment were to become law, any electronic communications service equipment provider or others with access to that equipment, including their employees or the employees of their service providers, would be subject to compelled FISA disclosure or assistance. This is a dramatic change to the existing scope of the telecommunications and technology communities covered under existing FISA requirements. While proponents of this change have argued it is intended to be narrow, they must consider the full universe of entities and people who touch the infrastructure that makes telecommunications and internet communications a reality.

Beyond the immediate impacts of sweeping a multitude of additional entities within FISA 702’s scope, we should also consider the wider impacts on the competitiveness of U.S. technology companies and, potentially, trusted data flows with U.S. allies. First, if large U.S. companies who provide core services enabling data communications transmission, or storage – such as data centers, cloud, or managed security services – are suddenly compelled to assist with FISA surveillance, some of their customers will likely look to foreign competitors who they perceive will not similarly expose their or their customers’ data to government requests. Second, just last year, as part of implementing its commitments pursuant to the new EU-U.S. Data Privacy Framework, President Biden issued Executive Order 14086, Enhancing Safeguards for United States Signals Intelligence Activities, and the Office of the Director of National Intelligence (ODNI) updated Intelligence Community policies and procedures to enhance privacy and civil liberties safeguards with respect to U.S. surveillance activities, enabling the continued free flow of data across the Atlantic. It would be a step backwards to embrace an amendment that now, less than a year later, would greatly expand the scope of a key foreign surveillance authority.

For these reasons, we urge members to remove this the vast expansion currently being debated before reauthorizing FISA 702. We sincerely appreciate the hard work of the U.S. House of Representatives Permanent Select Committee on Intelligence and Committee on the Judiciary in advancing this important legislation and are eager to continue partnering with the U.S. Congress to craft legislation that addresses national security concerns in a focused way.