Early this morning, Senate Majority Leader John Thune (R‑SD) secured cloture on S.4344, Senator Tom Cotton’s (R‑AR) bill to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA) for three years with no reforms. This afternoon, House Speaker Mike Johnson (R‑LA) introduced the latest version of the House GOP leadership’s 702 reauthorization bill. That bill, like the one that never made it to the House floor last week, does not do what its authors claim.
Both House bills marginally reform the compliance and oversight apparatus while leaving the core Fourth Amendment violation—warrantless access to collected US-person communications—structurally intact. Both are legislative Trojan Horse bills masquerading as something Fourth Amendment compliant. They are, however, exactly what the House and Senate Intelligence Committees and their intelligence community allies are clearly in favor of if the Cotton “clean” 702 reauthorization bill cannot pass (which is likely).
The reality is and always has been that mandating that the FBI live with a Fourth Amendment warrant requirement to get the digital data of Americans isn’t just what the Constitution requires. It’s absolutely technologically possible to do it in the FISA Section 702 context. What follows is what I believe the public, press, and all members of Congress need to know before they take final action one way or another on this massive and constitutionally dubious surveillance power.
One Argument Section 702 Defenders Will Make Between Now and Monday—and Why It Collapses
In every Section 702 debate since 2015, defenders of so-called upstream (i.e., internet backbone) collection fall back on the same technical claim: that the National Security Agency (NSA) cannot, as a matter of engineering, reliably differentiate US-person communications from foreign communications in real time on the internet backbone. The claim is offered as a brute fact of physics. Packets are packets. You cannot look inside them at collection time. Therefore incidental collection of Americans’ communications is regrettable but unavoidable.
This argument will likely be repeated during House and Senate floor debates. It has been repeated in Privacy and Civil Liberties Oversight Board (PCLOB) reports, closed-door Hill briefings, Office of the Director of National Intelligence (ODNI) talking points, and the sworn testimony of senior intelligence officials. It is the load-bearing technical premise under the entire upstream-collection regime.
It is also, as anyone who has worked in global banking compliance for the last three decades will tell you, an argument that does not survive contact with the financial sector.
What Wall Street Has Been Doing Since the 1990s
Large global financial institutions have spent more than 30 years building, deploying, patenting, and operating exactly the kind of jurisdictional-tagging and information-barrier architecture that the NSA insists is technically infeasible. They have done this at global trading speeds, across tens of millions of daily communications and transactions, under regulatory frameworks that impose severe penalties for failure.
The driver was not civil liberties. It was Singapore’s Banking Act, Monetary Authority of Singapore technology-risk guidance, EU data-protection regimes, UK FCA rules, US Glass-Steagall and later Gramm-Leach-Bliley requirements, and a long list of jurisdiction-specific bank secrecy and insider-trading statutes. Every major bank operating across borders had to build systems that answered, in real time, a question structurally similar to the one the NSA claims is impossible: Given this communication or transaction, which legal regime governs it and what rules apply?
A recently retired managing director in quantitative risk at a top-three global financial institution—someone who personally oversaw the implementation of such systems over a multidecade career—reached out this week after hearing my recent comments on Section 702. His assessment, in his words: The software “exists in the private sector.” His institution “implemented analogous software for several global compliance needs, some of those requirements existed since the early 1990s e.g. Singapore.” His teams “developed and patented sales and trading tools that had to restrict the types of shareable information based on the geographic location of the originating transaction.”
This is not a civil libertarian making theoretical arguments. This is a senior quantitative-risk executive describing the systems he helped build and patent.
The Patent Evidence
The existence of the underlying capability is documented in the public record. Bank of America alone holds nearly 7,000 granted patents and pending patent applications, the most of any US financial services company, with substantial clusters in information security, data analytics, and compliance domains. JPMorgan, Citi, Goldman, and the other major global institutions hold thousands more.
As my source put it bluntly: “Banks have a lot of patents: mutually ensured destruction.” The portfolios are defensive—built to ensure that no institution can successfully sue any other for infringement on the compliance and information-handling technologies every major bank had to develop to operate across jurisdictions. That is a tell. You do not build a patent portfolio as mutual deterrence against infringement claims unless the underlying technology is mature, well understood, and in active production use across the industry.
The Privacy Architecture the NSA Won’t Build
Bank of America publicly operates a research arm called the Bank of America Institute, which publishes a monthly Consumer Checkpoint report drawn from the bank’s proprietary transaction data. The Institute’s published methodology is worth quoting in full, because it describes—in plain English, on a public website—an operational privacy architecture of the kind Section 702 critics have spent a decade asking the intelligence community to adopt:
Any household consumer deposit data based on Bank of America internal data is derived by anonymizing and aggregating data from Bank of America consumer deposit accounts in the US and analyzing that data at a highly aggregated level.
That is the public, commercial baseline for handling tens of millions of Americans’ financial transactions. Aggregate and anonymize by default. Disclose methodology. Permit analysis only at the aggregated level. The small cohort of employees with access to identifying transaction data operates under internal “bright lines”—my source’s phrase—about what can be known internally but not shared, even within the bank.
The NSA’s Section 702 upstream posture is the inverse. Collect in the raw. Retain identifying content. Query later under standards the Foreign Intelligence Surveillance Court (FISC) itself has found to be routinely violated. The “minimization procedures” that are supposed to perform a function analogous to the bank’s anonymization step are applied post-collection, by the same agencies whose Section 702 compliance failures triggered the 28-page order Judge Boasberg issued on April 10.
One of these operational models is consistent with the Fourth Amendment. The other is not. The private sector picked the right one 30 years ago, without being asked, because the regulatory environment in which it operates does not permit the alternative.
The Honest Technical Rebuttal
Defenders of Section 702 will object that banking compliance and signals intelligence face different identity-resolution problems. That objection is partially correct, and it is worth stating precisely what is and is not analogous, because precision is what the intelligence community’s argument cannot survive.
Banking compliance systems operate on already-identified parties. Counterparty identity is resolved through KYC records, booking-entity routing, authenticated-endpoint data, and HR-location records before the compliance-labeling layer runs. The NSA’s upstream collection, by contrast, intercepts backbone traffic where endpoint identity is not yet resolved, where IP addresses do not reliably indicate nationality, and where “US person” is a legal status—citizenship or lawful permanent residence—rather than a geography. This is the real technical gap.
Asked directly whether any private-sector tooling could close that gap for the NSA, my source conceded the harder problem—and then offered a professional assessment that Section 702 defenders will not want on the record before a final Section 702 reauthorization vote:
Admittedly easier than the NSA’s identification problem, but I think the bright folks at the NSA or Palantir have already cracked this nut.
That is the considered judgment of a senior quantitative-risk executive who spent his career building adjacent systems at scale—not a civil libertarian, not a critic, not a partisan. His professional read is that the identity-resolution problem the NSA has spent a decade invoking as insuperable has in all likelihood already been solved, either inside the agency or by one of its most prominent contractors.
Either he is right, in which case the NSA’s “technical infeasibility” defense is false on the merits and has been for some time.
Or he is wrong, in which case the NSA has had three decades, a budget measured in billions of dollars annually, the cryptanalytic and traffic-analysis capabilities of the most sophisticated signals-intelligence agency in human history, and complete control over its own collection endpoints—and has nevertheless failed to solve a problem that an informed industry observer assesses to be tractable.
In that case, the defense is not technical at all. It is a policy choice not to build what could be built, retained by an agency whose Section 702 compliance failures currently sit largely unproduced on Judge Boasberg’s docket.
What Section 702’s Own Oversight Body Already Directed the NSA to Do
If any of this sounds like an outsider’s wishful thinking about what the NSA should be capable of, consider the directive that the NSA’s own statutory oversight body issued in 2023. The PCLOB—the independent agency Congress established within the executive branch specifically to oversee counterterrorism programs’ compliance with civil liberties and privacy law—published Recommendation 8 of its 2023 Section 702 report in language that deserves to be read verbatim by any senator preparing to vote on Section 702’s fate.
PCLOB asked the NSA to document and formalize measures to:
“a. Screen and collect only traffic likely to contain communications of targeted selectors during upstream acquisition;
b. Remove traffic that is purely domestic or is neither to nor from a targeted selector; and
c. Remove traffic not likely to contain foreign intelligence information.”
Read line (b) again.
PCLOB, the federal oversight body with statutory responsibility for Section 702, explicitly challenged the NSA in 2023 to develop and document measures to remove purely domestic traffic from its upstream collection. That is precisely the US-person differentiation capability the NSA has historically invoked as technically infeasible. The Board did not accept the infeasibility defense. It said the NSA should build the capability, evaluate its performance annually, submit those evaluations to the FISC as part of the annual certification process, and make them available to appropriate oversight bodies.
That recommendation is now three years old. The question House and Senate members should ask the NSA is simple: Where are the annual PCLOB Recommendation 8 evaluations?
If the NSA has implemented Rec 8, the evaluations exist, and they would document the capability the intelligence community has spent a decade telling Congress does not exist.
If the NSA has not implemented Rec 8, it has spent three years in defiance of a formal recommendation from its own statutory oversight body—and the infeasibility defense reduces to an agency saying it will not build what it has been told to build.
If the NSA has partially implemented Rec 8, the annual reports either have not been filed, have not been declassified, or have been filed in forms that obscure what the NSA is and is not actually doing.
All three branches of that disjunction destroy the technical premise. A House or Senate member who votes “yes” without demanding the PCLOB Rec 8 evaluations is voting to extend, for three years, an authority whose technical justification the executive branch has declined to document to its own oversight body.
The remedy is straightforward and should be noncontroversial on its face.
No Section 702 reauthorization vote should occur in either chamber until the director of National Intelligence and the director of the NSA have provided, in writing, to every member of the House and Senate, a substantive answer to the following question: Has the NSA implemented PCLOB Recommendation 8, and if so, where are the annual evaluations required under subparagraphs (2) through (4) of that recommendation?
This is a transparency ask, not a declassification ask.
The PCLOB recommended that those evaluations be submitted to the FISC as part of the annual certification process; the existence, frequency, and basic scope of those filings can be conveyed to members of Congress without compromising sources or methods.
If the answer is yes and the evaluations exist, members of both chambers need to see them before they vote on any extension of the authority those evaluations concern.
If the answer is no, then any reauthorization that does pass must include, as a statutory condition, the formal codification of PCLOB Recommendation 8—the screening, collection-limiting, and purely-domestic-traffic-removal measures the Board directed the NSA to build, along with the annual evaluation, FISC reporting, and oversight-disclosure requirements the Board attached to them. It should also include language mandating Government Accountability Office compliance audits—a practice that has already uncovered massive FBI First Amendment violations involving a separate investigative authority: “Assessments.”
Either the capability exists and the evaluations prove it, or the capability does not exist and Congress should require it to be built. There is no defensible third option, because compliance with the Fourth Amendment should never be optional.
