- RISAA extends FISA for two years, ensuring continued authority for intelligence gathering.
- Sec. 25 considerably expands the legal definition of the Electronic Communication Service Provider (ECSP).
- ECSP now potentially covers any organization with access to devices for the transmission or storage of electronic communications.
- The extension is apparently a response to a FISC ruling and could even cover atypical service providers such as cleaning companies.
FISA, the Foreign Intelligence Surveillance Act, the centerpiece of US intelligence gathering, is only enacted for a limited period of time. The last extension was granted on December 22, 2023 until April 19, 2024. Hours after it expired, President Biden signed another extension for a further two years in the form of the “Reforming Intelligence and Securing America Act” (RISAA).
The RISAA not only extends the validity of FISA, but also introduces a number of changes to its content. Among other things, Sec. 25 of RISAA amends the legal definition of an Electronic Communication Service Provider (ECSP) has been expanded. The Relevant provision reads new (changes in bold):
(4) Electronic communication service provider ‑The term ‘electronic communication service provider’ means-
(A) a telecommunications carrier, as that term is defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153);
(B) a provider of electronic communication service, as that term is defined in section 2510 of title 18United States Code;
(C) a provider of a remote computing service, as that term is defined in section 2711 of title 18United States Code;
(D) any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored; or
(E) any other service provider who has access to equipment that is being or may be used to transmit or store wire or electronic communications, but not including any entity that serves primarily as-
(i) a public accommodation facility, as that term is defined in section 501(4);
(ii) a dwelling, as that term is defined in section 802 of the Fair Housing Act (42 U.S.C. 3602);
(iii) a community facility, as that term is defined in section 315 of the Defense Housing and Community Facilities and Services Act of 1951 (42 U.S.C. 1592n); or
(iv) a food service establishment, as that term is defined in section 281 of the Agricultural Marketing Act of 1946 (7 U.S.C. 1638); or
(F) an officer, employee, custodian or agent of an entity described in subparagraph (A), (B), (C), (D), or E.
In principle, any service provider who has access to equipment that is or can be used for the transmission or storage of electronic communications is now also considered an ECSP.
This is not an insignificant expansion. The term ECSP was already very broadly defined – in principle, any company that provided communication services for third parties was covered. However, any service provider that has access to a server, a router, a PC or a telephone would now potentially be covered – so possibly even a cleaning company. It would appear that the US government is thus aiming for a Judgment of the FISC which had not classified a company – presumably a data center – as an RCSP, as the online medium Just Security has reported.