Response to Hearing Question Posed by Senator Ron Wyden (D-OR)
SSCI Nomination Hearing – Lieutenant General Timothy D. Haugh
12 July 2023

QUESTION: With a few exceptions, the National Security Agency (NSA) currently requires a
probable cause determination for U.S. person queries of communications collected pursuant to
E.O. 12333. Is there any reason that standard could not be applied to U.S. person queries of
communications collected under Section 702 of FISA?
RESPONSE:
My answer below is predicated on my current understanding of the issue, noting that in
my current role I am not directly involved in the oversight of NSA’s use of FAA Section 702.
E.O. 12333 and FISA Section 702 are distinct collection authorities with different
governing procedures to address differences in the privacy and civil liberties concerns unique
to each authority. The procedures governing these authorities have been carefully crafted through
a thoughtful, deliberative process that resulted in approval by the Attorney General after
consultation with the Director of National Intelligence for E.O. 12333 and by multiple judges on
the Foreign Intelligence Surveillance Court (FISC) over the course of many years for 702. I
understand that under the Attorney General-approved guidelines for E.O. 12333, a probable
cause standard applies to a prescribed subset of U.S. person queries into E.O. 12333 data. I also
understand that the FISC-approved standard for queries into FISA Section 702 data (including
U.S. person queries) is that they must be reasonably likely to retrieve foreign intelligence
information. I understand that there are technical, operational, and legal reasons for the
differences and that each of these standards has been carefully considered at the time of
adoption, and, with regards to the FISC-approved standard for queries into FISA Section 702
data, that standard is carefully considered by the FISC at every 702 renewal. In my opinion, the
Attorney General and FISC have approved appropriate procedures for each of these
authorities. Further, each set of procedures is well tailored to protect privacy and civil liberties
in the distinct contexts presented by the unique characteristics and limitations of the data
acquired pursuant to each authority. I do not believe that the E.O. 12333 U.S. person query
standards could be applied effectively to data collected under FISA Section 702 authority
without impairing NSA's ability to identify timely and actionable foreign intelligence.
Further, it is my understanding that E.O. 12333 activities are governed by the SIGINT
Annex, which permits U.S. person queries in a range of circumstances. Certain, but not all, U.S.
person queries in 12333 data require a finding by the Attorney General that there is probable
cause to believe that the U.S. individual is an agent of a foreign power. Other types of U.S.
person queries in 12333 can be approved internally by NSA personnel, with varying
requirements and limitations. The applicable standard depends on the circumstances of the query,
and the type of 12333 data being queried. For example, no probable cause determination is
required if the pool of data to be queried is limited to the communications of certain foreign
intelligence targets, or when the subject of the query is the victim of a foreign cyber attack, a
hostage, or has given consent. Importantly, no U.S. person queries into 12333 data require a

separate finding of probable cause from the FISC; all such determinations are conducted within
the Executive Branch, or may be based on existing FISC decisions on FISA applications
With respect to FISA Section 702, information acquired through the compelled assistance
of U.S.-based electronic communications service providers is tailored and precise—specific to
the communications of non-U.S. persons located outside of the United States who are expected
to communicate foreign intelligence as defined by the specific intelligence topics that are
authorized in certifications approved by the FISC. NSA's Section 702 Querying Procedures
account for this precision and permit the use of U.S. person queries that are reasonably likely to
retrieve foreign intelligence information. NSA recognizes the sensitivity associated with the use
of U.S. person query terms to review Section 702-acquired information and has deployed
specialized training, technology, and policy protections to ensure that it uses U.S. person query
terms compliantly. All such queries are subject to review by the Department of Justice, and any
errors in the use of U.S. person query terms must be reported to the FISC.
NSA’s use of U.S. person query terms is limited, carefully controlled, and subject to
robust internal and external oversight. Restricting NSA's authority to conduct queries using U.S.
person query terms in Section 702 data, including requiring a probable cause determination or
prior FISC authorization on some or all such queries, would undermine the effectiveness of the
tool for national security purposes in several ways. First, it would create a significant
administrative burden and time delay in a process that is valuable particularly for its efficiency.
When time is of the essence, such a change may require NSA to identify alternative means of
locating critical foreign intelligence. In many circumstances, it would be extremely challenging,
if not impossible, to pinpoint this information in time to protect U.S. national security interests,
including victims of malicious cyber activity, hostages, or targets of malign activity by hostile
foreign intelligence services. Second, it is unclear what would be the required showing under a
blanket requirement for probable cause. For the limited examples of U.S. person queries into
E.O. 12333 data that require a probable cause determination by the Attorney General, the
standard is probable cause to believe that the U.S. person is an agent of a foreign
power. However, for many of the permissible query purposes under 702 - like many of the
permissible query purposes under E.O. 12333 - that standard could not be met. For example,
U.S. persons who have been taken hostage, who are the victims of malicious cyber activity, or
who are being targeted by a hostile foreign intelligence service are not agents of a foreign
power. If NSA were required to demonstrate probable cause to believe they are, then NSA
would lose the ability to run the very queries that are most essential to protecting victims of
foreign intelligence threats. For all of these reasons, it is my view that the carefully crafted
procedures that have been approved by the Attorney General for E.O. 12333 and by the FISC for
Section 702 strike the right balance in supporting the government’s ability to detect and counter
vital national security threats while protecting the privacy and civil liberties of Americans.
As noted at the outset, this position is based on my current understanding. I also
understand that the Administration and the Congress are currently considering a variety of
reforms to U.S. person queries into Section 702 data. If confirmed, I look forward to studying
this issue further and participating in those discussions. I commit to further engagement with the
Senator on this and other important matters.