For the second time in two years, Section 702 of the Foreign Intelligence Surveillance Act is back on Congress's clock. The authority — which lets the National Security Agency compel US communications providers to assist in collecting the communications of non-US persons reasonably believed to be located outside the United States — was renewed in April 2024 under the Reforming Intelligence and Securing America Act (RISAA, P.L. 118-49). But instead of the standard multi-year extension, lawmakers granted only two years. That sunset arrives in April 2026, and the debate is already louder than last time.
Civil liberties groups, led by the Electronic Frontier Foundation and the American Civil Liberties Union, are again pressing for a warrant requirement before federal agents can query the Section 702 database for information about US persons — the so-called "backdoor search" issue. Their argument is straightforward: data lawfully collected for foreign intelligence purposes still includes the communications of Americans who happen to talk to foreign targets, and accessing those communications without judicial authorization sidesteps the Fourth Amendment.
The compliance problem is real — and partially addressed
The reformers are not crying wolf. Declassified opinions from the Foreign Intelligence Surveillance Court have repeatedly documented FBI noncompliance with Section 702 querying procedures, including queries that swept up communications of US senators, a state senator, and participants in the January 6 investigation and the 2020 racial-justice protests. The pattern was bad enough that the FBI rolled out internal reforms in 2021 and 2022, and RISAA codified additional guardrails: stricter access controls, mandatory training, supervisory approval for sensitive queries, and a new criminal penalty for willful misuse.
The Office of the Director of National Intelligence's Annual Statistical Transparency Report shows the reforms have had a measurable effect. According to ODNI figures, FBI US-person queries dropped from roughly 3.4 million in 2021 to under 60,000 in 2023, an order-of-magnitude reduction driven primarily by tighter procedures and a narrower definition of what counts as a query. That is a real win for civil liberties without dismantling the program.
Why a blanket warrant requirement is the wrong fix
The warrant proposal that failed by a tied 212-212 House vote in April 2024 would have required probable cause and a court order for nearly every US-person query of Section 702 data. The intuition is appealing. The mechanics are not.
A warrant requires probable cause that a crime has been or will be committed. Section 702 queries often happen at the front end of a defensive investigation — when the FBI receives a tip that a US company has been targeted by a foreign state actor, or that a US person abroad may be in contact with a hostile intelligence service. The query is precisely how investigators determine whether there is anything to act on. Requiring probable cause before that lookup inverts the investigative sequence and, in practice, would mean many threat-identification queries simply do not happen.
Section 215 of the USA PATRIOT Act lapsed in 2020 after Congress could not agree on reauthorization terms. The bulk metadata program quietly died with it. Few in the intelligence community mourn it — but that history is a useful reminder that surveillance authorities, once allowed to expire, rarely return in better form. Section 702, unlike the old metadata program, is something most independent observers agree provides genuine intelligence value, including against the kinds of foreign cyber operations targeting US infrastructure, semiconductor IP, and election systems.
The provider problem nobody is discussing
There is a second dimension to this debate that gets far less attention than the warrant fight: what Section 702 does to the credibility of US tech providers in foreign markets. Every time a Foreign Intelligence Surveillance Court opinion lands documenting another compliance failure, European data-protection regulators, Indian critics of cross-border data flows, and Brazilian sovereignty hawks have fresh ammunition for data-localization mandates. The Court of Justice of the European Union's Schrems II ruling explicitly cited Section 702 as a reason to invalidate the EU-US Privacy Shield, and the current Data Privacy Framework remains under legal challenge in Luxembourg.
Every billion dollars of cloud and SaaS revenue that flows to US firms because customers trust them is, in part, a function of whether those customers believe US surveillance law is bounded and predictable. A reauthorization that includes targeted reforms — codified query auditing, mandatory notice to defendants who face evidence derived from 702 queries, narrower retention windows for incidentally collected US-person data, and independent inspector-general review with declassified summaries — would strengthen both civil liberties and the commercial case for American cloud services abroad.
What proportionate reform looks like
A workable middle path is visible. It includes: a probable-cause requirement for queries seeking evidence of ordinary domestic crimes unrelated to national security; mandatory court approval for queries on elected officials, journalists, and clergy; expanded amicus participation at the FISC; a statutory definition of "query" to prevent future definitional gamesmanship; and a sunset short enough to keep Congress engaged but long enough — five years — to avoid the perpetual cliff dynamic that breeds short-term compromises.
The choice in front of Congress is not really between surveillance and privacy. It is between a Section 702 regime that is durable, auditable, and commercially defensible, and one that lurches between expiring authorities and rushed reauthorizations every two years. The first version serves Americans, the open internet, and the US technology sector. The second serves no one — least of all the next person whose lawful communications get caught in an unaudited query.