FISA Reauthorization Fearmongering and Disinformation Kicks Into Overdrive

Wyden also flagged what the Williams report omits: 

The PCLOB report fails in another respect. I have raised concerns about a secret interpretation of Section 702 that affects the privacy of Americans. While this matter was addressed in the classified annex to the PCLOB’s 2023 report on Section 702, it was omitted entirely from today’s report. 

Wyden has been warning about this secret legal interpretation for years, and his track record on these warnings is worth noting: in 2011, Wyden warned that the government had secretly reinterpreted the PATRIOT Act. Nobody believed it could be that bad. The Snowden revelations confirmed it was worse.

The FBI’s Office of Internal Auditing
The booklet’s FBI compliance section presents the RISAA reforms as a functioning compliance infrastructure. It doesn’t mention that in May 2025 — nine months before the booklet was produced — FBI Director Kash Patel disbanded the Office of Internal Auditing (OIA), the body established in 2020 specifically to monitor and improve compliance with national security surveillance, including §702. The OIA’s responsibilities were folded into the Inspection Division, a unit whose primary function is investigating agent misconduct and officer-involved shootings. Its leader, Cindy Hall, retired, most likely involuntarily.

The OIA was the central mechanism that produced the findings underlying the reforms the booklet celebrates. It was OIA audits that surfaced the 278,000 noncompliant queries documented in the FISC’s 2022 opinion — the same violations Patel himself cited when attacking the previous FBI leadership. As Elizabeth Goitein of the Brennan Center noted after the closure: “Without a separate office dedicated to surveillance compliance, [the FBI’s] abuses could go unreported and unchecked.” 

The DOJ Inspector General’s 2025 review found that from 2019 through 2023, the FBI had implemented remedial measures that “reduced, but did not eliminate” compliance issues, and that “concerns about US person queries persisted” through the RISAA reauthorization.

The post-RISAA compliance picture the booklet implies is improving is also belied by recent disclosures. 

FBI queries of Americans’ data rose 35 percent between December 2024 and November 2025, according to a March 2026 letter from FBI acting Assistant Director Ted Groves to the Senate Judiciary Committee. Wyden’s April 2 statement added that “sensitive” searches — those involving American journalists, political organizations, and religious groups — more than tripled in 2025, with “the FBI refus[ing] to explain why.” This is precisely the category of abuse that RISAA’s sensitive query approval requirements were supposed to curtail.

The Backdoor Search Problem Is Systematically Minimized
Both documents prominently feature the statutory prohibition on targeting US persons under §702 as the definitive answer to civil liberties concerns. “The US Government cannot use Section 702 to target Americans’ electronic communications for collection,” the CIA fact sheet states in bold. The booklet repeats variations of this claim throughout.

This framing is technically accurate and operationally misleading. 

What both documents omit is that once foreign targets’ communications — including their communications with Americans — are collected, the FBI, CIA, NSA, and NCTC may query that database using American identifiers (names, phone numbers, email addresses) without a warrant. This is the “backdoor search” problem. The government collected the data without targeting Americans; it then searched for Americans in the collected data without any individualized judicial authorization. In 2022 alone, the FBI conducted more than 200,000 such searches. The Foreign Intelligence Surveillance Court (FISCcharacterized the pattern of violations in those searches as “persistent and widespread.”

The warrant question is not merely a civil liberties talking point. In February 2025, a federal district court ruled that under the Fourth Amendment, the government must obtain a warrant to search §702 data using US-person terms, unless a specific established exception applies. That ruling is on appeal, but it represents the most direct judicial engagement with the constitutional question the IC’s documents treat as settled.

The CIA fact sheet’s closing argument — “Adding a new warrant requirement for FISA 702 will prevent the use of lawfully collected information to identify and stop threats to the American people” — is a policy assertion dressed as a factual claim. Reformers have argued that a warrant requirement applying only to queries using US-person identifiers would not impair collection against foreign targets, since collection occurs before any query. The warrant question applies to the search of already-collected data, not to the collection itself.

RISAA’s Surveillance Expansion Goes Unmentioned
The booklet discusses RISAA as a reform law. Neither document mentions RISAA’s most significant expansion of government surveillance authority: a new definition of “electronic communication service provider” that extends §702 compulsion orders to any entity with “access to equipment that is being or may be used to transmit or store wire or electronic communications.” 

As the Center for Democracy and Technology documented at the time, this language is broad enough to cover data centers, colocation providers, business landlords, shared workspace operators, and others with incidental physical access to communications infrastructure. Senator Wyden called it “one of the most dramatic and terrifying expansions of government surveillance authority in history.” The DOJ issued a letter promising to apply the provision narrowly, but as Wyden noted, that commitment binds neither the current nor any future administration, and the underlying statutory authority remains on the books.

Wyden’s April 2 statement flags a related problem neither IC document addresses: “the government has used a loophole to more than quadruple warrantless collection under expired authorities” — specifically under PATRIOT Act “business records” provisions that expired more than six years ago. The IC’s public-facing materials present a bounded, tightly constrained program. The public record describes one that is expanding at every margin.

What the “Stopped an Attack” Claims Actually Show
The CIA fact sheet and booklet make sweeping claims about attacks §702 has prevented. These claims range from “needs caveats” to “never independently verified.”

The public record contains one well-documented, independently corroborated case of §702 contributing to the prevention of a terrorist attack on the American homeland: the 2009 Najibullah Zazi subway bomb plot. NSA §702 collection against an email address used by an al-Qaeda courier in Pakistan captured a communication from Zazi — then located in Colorado — urgently seeking advice on making explosives. The NSA passed the lead to the FBI, which identified Zazi and disrupted the plot before he reached New York. The ODNI’s own Guide to Section 702 Value Examples states that the PCLOB’s 2014 report concluded: “without the initial tip-off about Zazi and his plans, which came about by monitoring an overseas foreigner under Section 702, the subway bombing plot might have succeeded.” It is worth noting the PCLOB used “might have succeeded” — a hedge the IC routinely drops. It is also worth noting that the initial foreign email address was allegedly provided to the NSA by British intelligence partners, meaning the success resulted from combined allied intelligence sharing and §702 collection, not §702 alone.

That is one documented potential near-miss on American soil in nearly 18 years of program operation. The CIA fact sheet lists a foiled attack on a Taylor Swift concert in Vienna (not the United States); Operation Absolute Resolve (classified, unverifiable); a raid on drug kingpin El Mencho (a foreign partner operation in Mexico); fentanyl interdictions (drug enforcement, not terrorism prevention); and North Korean ransomware warnings (cyber threat notification). The booklet similarly leads with overseas operations, cyber intrusion detections, and drug interdictions.

This conflation of “contributed to national security operations” with “stopped an attack on the United States” runs throughout both documents. It may be that §702 has contributed to preventing additional homeland attacks that remain classified — program supporters assert this — but by definition, those claims cannot be independently verified. 

Congress is being asked to grant a clean 18-month reauthorization based on classified threat vignettes produced by the agencies seeking reauthorization, evaluated by an oversight board that has been politically gutted, with the internal compliance watchdog that would catch abuses abolished, in a context where sensitive FBI searches of Americans’ communications tripled last year with no explanation, while a senator with an excellent predictive track record on surveillance abuses warns that the Section 702 program is operating under a secret legal interpretation that would “stun” the American public if declassified.

The Crawford bill
HR 8035, introduced March 24, 2026, amends the FISA Amendments Act of 2008 to push the §702 sunset to October 20, 2027. It contains no warrant requirement for backdoor searches. It contains no restoration of the PCLOB. It contains no reconstitution of the OIA. It contains no fix for the RISAA ECSP expansion. It contains no response to the secret legal interpretation Wyden has raised. And the bill completely ignores the ability of federal law enforcement and intelligence agencies to simply buy sensitive information on Americans, completely bypassing the normal Fourth Amendment requirement that government agents obtain a warrant before seizing and searching Americans’ data—something Wyden and Rep. Warren Davidson (R‑OH) have spent years trying to fix. It is three pages of legislative text extending a surveillance authority whose oversight infrastructure has been systematically dismantled, under circumstances its supporters’ own promotional materials cannot honestly describe. 

All of those are reasons for Congress to hit the “pause” button on FISA Section 702 reauthorization, unless and until the problems described above are eliminated.

Patrick G. Eddington is a senior fellow in homeland security and civil liberties at the Cato Institute. This article, originally posted to the CATO Institute website, is published courtesy of the Cato Institute.