Update: Bob Schacht asked for more context, so here goes. This IG Report was the third DOJ’s Inspector General, Glenn Fine, has done on the FBI’s use of National Security Letters and “exigent letters,” though this is the first to focus almost exclusively on exigent letters. In 2003, the FBI installed representatives of AT&T and (later) Verizon and MCI onsite, with computers hooked up to their respective companies’ databases. Rather than using a subpoena or a National Security Letter to get phone records from them (both of which would have required a higher level of review), the FBI basically gave them boilerplate letters saying it was an emergency (thus the “exigent”) and could they please give the FBI the phone data; the FBI promised grand jury subpoenas to follow. Only, in many cases, these weren’t emergencies, they never sent the grand jury subpoenas, and many weren’t even associated with investigations into international terrorism. In other words, the FBI massively abused this system to get phone data without necessary oversight. Fine has been pressing the FBI to either establish some legal basis for getting this data or purge it from FBI databases for three years, and they have done that with some, but not all, of the data collected. But the FBI has tried about three different ways to bring this practice into conformity with legal guidelines, all unpersuasive to Fine. The OLC opinion is the most recent of these efforts.
I’ve been very slowly trudging through the DOJ IG Report on Exigent letters. My notes on it are here and a timeline of key dates is here. In this post, I’m going to look more closely at the content of passages in the IG Report referring to a January 8, 2010 OLC opinion relating in some way to telephone records. The OLC opinion was first reported by Ryan Singel in this post. Discussion of it starts on PDF page 276 of the report. In a follow-up post, I will contextualize this close reading with other material from the report.
What follows is the entire text of sections relating to the OLC opinion (in blockquote) interspersed with my comments. Because the footnotes provide the only context for many of the redacted paragraphs, I put them immediately after the paragraphs invoking them.
My preliminary conclusions on this are:
Here’s the discussion.
After reviewing a draft of this report, the FBI also asserted for the first time that as a matter of law the FBI is not required to serve NSLs to obtain “records associated [half line redacted]” in national security investigation. According to the FBI, the majority of exigent letters and other informal requests discussed in this report were for telephone records [one line redacted] the FBI could have obtained these records without any legal process or qualifying emergency through voluntary production by the communications service providers. 278
278 We disagree with the FBI’s statement that the majority of exigent letters and other information requests discussed in this report were for telephone records [several words redacted] In fact, we determined, based on the FBI’s records, that the majority of its exigent letter requests were for toll billing records associated [half line redacted] We were unable to reach a conclusion concerning the percentage [half line redacted] requested through information means other than exigent letters, because the records for these requests (some of which were oral or written on post-it notes) are incomplete and therefore unreliable.
Elsewhere, Fine tells us FBI provided comments to a draft of the report as early as July 2009, so they–and OLC–have had some time to work on this memo. It’s important to keep that in mind, though, because there may be additional context to the OLC memo: it may serve to do more than just justify the FBI’s abusive use of exigent letters. Given the possible timing of the question and the response, for example, it might also be a response to Najibullah Zazi’s arrest.
These two passages make a few things clear. First, after trying a number of other different methods to justify the access of phone records without proper legal process, the FBI started asserting that they could do so in some circumstances with no legal process.
This is also where the disagreement as to the content of the exigent letters arises. FBI says the majority qualified as something, Fine says they do not. Three guesses for what the dispute is about: whether the phone records came from someone definitely associated with an investigation, whether these were toll records or something else, and whether they were the particular carrier’s own call data, or another carrier’s. An earlier OLC opinion associated with the exigent letters focuses on defining toll records, so it may be the FBI, to try to get around the restrictions in that opinion, decided to claim these weren’t toll records.
[One line redacted]
This line must introduce the statutory basis on which FBI is making the case.
[One 9 line paragraph long citation and a reference to footnote 279 redacted]
279 The Stored Communications Act, codified in Chapter 121 of Title 18 at 18 USC 2701-2712, was enacted in 1986 as part of the ECPA. The Stored Communications Act contains the relevant NSL and other FBI access to toll billing records provisions at issue in this report.
This long citation must be the passage of the Stored Communications Act that the FBI is now citing as their authority to do this. Julian Sanchez makes a strong argument that the loophole in question is from section 2702, which covers the acceptable examples of voluntary disclosure. But I wonder whether they’re not just relying on 2701(c)(1), which states that access to stored communications is not illegal with respect to “conduct authorized … by the person or entity providing a wire or electronic communications service.” That is, my guess is that the FBI and OLC are saying that the Stored Communications Act allows telecoms (who, of course, may be immunized under other statutes) to give others phone data with absolutely no limitations.
The FBI did not rely on this section when it requested and obtained the records discussed in this report. However, after reviewing a draft of the OIG report the FBI asked the Office of Legal Counsel (OLC) for a legal opinion on this issue. 280 When making the request for an OLC opinion, the FBI stated that [three lines redacted]
280 The FBI presented the issue to the OLC as follows: “Whether Chapter 121 of Title 18 of the United States Code applies to call detail records associated [2.5 lines redacted]
This section does confirm that the request for an OLC opinion was at least partly a response to the draft of this IG report. In both the text and the footnote, there’s a 3 line redaction that must show how FBI described what they were doing with these records. Note the use of “call detail records” in the footnote, as opposed to “toll records.” They may be using that language to avoid very specific language about toll records elsewhere, including in an earlier OLC opinion that was fairly restrictive about what the FBI could use.
On January 8, 2010, the OLC issued its opinion, concluding that the ECPA “would not forbid electronic communications service providers [three lines redacted]281 In short, the OLC agreed with the FBI that under certain circumstances [~2 words redacted] allows the FBI to ask for and obtain these records on a voluntary basis from the providers, without legal process or a qualifying emergency.
281 [Entire footnote of 7.5 lines redacted]
Note that Fine made some kind of response to the language OLC used in its opinion at footnote 281. Given the evidence that he disagrees with the FBI’s characterization of what they’re doing, it may be a comment on the OLC’s use of what he sees as misleading language from the FBI.
It is important to note that the FBI acknowledged in its July 2009 comments to a draft of this report that it had never considered or relied upon [several words redacted] when it obtained any of the telephone records at issue in this report. Moreover, it cannot be known at this point whether any provider would have divulged such records based on [several words redacted] alone, and without the FBI’s representation to the provider that an NSL or other compulsory legal process would be served.
Over the last 9 years, the FBI changed its rationale several times for what it was doing with exigent letters. This passage reflects that process. As with earlier excuses, the FBI was providing excuses they didn’t use contemporaneously, including claiming that telecoms turned over data voluntarily even though they had been given a letter promising a subpoena, meaning documentation exists to show it was mandatory. In both this IG Report and an earlier one, Fine takes them to task for claiming a justification retroactively, particularly where they claimed phone companies worked voluntarily.
For the reasons discussed below, we believe the FBI’s potential use of [several words redacted] to obtain records has significant policy implications that need to be considered by the FBI, the Department, and the Congress.
Here, I think Fine is trying to call attention to the larger issue, what FBI intends to do with US person call data.
[5 line paragraph redacted]282
282 [Entire footnote of 3 lines redacted]
[9 line paragraph redacted]283
283 The FBI has stated that it does not intend to rely on [one line redacted] However, that could change, and we believe that appropriate controls on such authority should be considered now, in light of the FBI’s past practices and the OLC opinion.
I think the original 9 line paragraph deals with how outrageous this new claim is, with the footnote explaining why Fine is concerned even though the FBI claims it won’t use this opinion prospectively.
[8 line paragraph redacted, including reference to footnote 284]285
284 Under 18USC 2709(b) the FBI may only use NSLs to obtain such records upon the certification that the records sought are relevant to an authorized counterterrorism or counterintelligence investigation. In the voluntary context, the FBI may request and obtain such records under 18USC2702(c)(4) only if “the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency.”
285 For example, requests for voluntary disclosure under the emergency circumstances provisions of the ECPA NSL statute must be approved at a level not lower than an Assistant Special Agent in Charge in a field office and a Section Chief at Headquarters. See FBI OGC Electronic Communication (EC) to all Divisions (March 1, 2007), at 4. The EC also advises that approval of such requests must be in writing, even if the initial approval was oral. The rank of the approving official for NSLs is set by statute at Special Agent in Charge in field offices and Deputy Assistant Director at Headquarters. See 18 USC 2709(b).
These two footnotes are one of the reasons I think the FBI might be relying on 2701(c)(1). Both of these footnotes deal with requirements that appear elsewhere in the Stored Communications Act. My theory is that Fine was showing how 2701(c)(1) can’t be considered to apply generally, since there are such specific rules limiting voluntary disclosure elsewhere. That is, Fine seems to be saying, “if the voluntary emergency disclosure is so specific, then how can it be that Congress would at the same time include a non-specific voluntary disclosure with none of those requirements on it?”
[10 line paragraph redacted, including reference to footnote 286]287
286 Under ECPA NSL statute, the FBI is required to report to certain congressional committees, on a semiannual basis, concerning all NSL requests made under Section 2709(b). See 18USC 2709(e).
287 Moreover, other collections of similar types of records for intelligence activities contain statutorily mandated approval, minimization, and reporting requirements. For example, the FISA business records provisions provide useful comparisons as to how such intelligence activities are regulated, [half line redacted] Under these provisions, the FBI may apply to the FISA Court for an order requiring the production of business records and other tangible things “to obtain foreign intelligence information not concerning a United States person.” See 50 USC 1861. By statute, use of this authority is subject to extensive Attorney General-approved minimization procedures governing how information acquired concerning US persons must be retained and disseminated. Id at 1861(g). The FBI is subject to comprehensive congressional reporting requirements as to all orders it obtains, [half line redacted] Id at 1862.
Here, again, Fine seems to be saying it is impossible to imagine that Congress would have approved this generalized voluntary disclosure without further restrictions on it. He shows how generalized access to similar records in non-emergency situations (that is, under Section 215) requires much greater levels of Congressional oversight, reporting, and minimization. Note, this discussion may be particularly relevant in cases where the FBI has not purged records collected illegally from its databases. While they have done so for a significant number of records collected without proper legal process, they did not do so for some of the community of interest data that AT&T collected.
[7.5 line paragraph, followed by 10.5 line paragraph redacted, including references to footnotes 288, 289, 290]
288 As discussed in this report, under the ECPA NSL statute, the FBI may only seek toll billing records when relevant to an authorized counterterrorism or counterintelligence investigation, provided that the investigation of a US person is not conducted solely on the basis of activities protected by the First Amendment to the Constitution. See 18 USC 2709(b). Provisions in the FISA statute similarly protect US persons with respect to FBI applications to the FISA Court seeking orders to produce business records (50USC1861(a)(2)(B)) and to conduct electronic surveillance (50 USC 1805(a)).
Here, Fine appears to be pointing out another danger of a generalized voluntary disclosure practice: the ability to get records from anyone, not just those with some connection to a CT/CI investigation, including people targeted on the basis of activities protected under the First Amendment.
289 We recognize that the FBI’s Domestic Investigations and Operations Guide (DIOG) and Executive Order 12,333, as amended, contain restrictions on how the FBI can collect, use, and disseminate intelligence, particularly with respect to the privacy and civil liberties of US persons. However, these constraints are not statutory.
Here, Fine seems to be responding to the FBI’s assurances that it would not abuse such a generalized search ability, because of DIOG and EO 12333. But since those are not statutory constraints, they carry neither permanency (we know Bush pixie dusted 12333 without telling anyone, for example) nor penalties for abuse.
290 [Entire footnote of 3 lines redacted]
In sum, the potential use of [several words redacted] by the FBI has important policy implications for [1.5 lines redacted] We believe that [several words redacted] creates a significant gap in FBI accountability and oversight that should be examined closely by the FBI, the Department, and Congress.
It is also important to recognize that the FBI advanced the [several words redacted] only after OIG found repeated misuses of its statutory authority to obtain telephone records through NSLs or the ECPA’s emergency voluntary disclosure provisions. We believe that, given the abuses described in this report, it is critical for the Department and Congress to consider appropriate controls on any use by the FBI of its authority to obtain records voluntarily [half line redacted]
The OIG therefore recommends that the FBI and the Department consider how the FBI may use [several words redacted] when seeking telephone billing records, particularly with respect to [1.5 lines redacted] We also recommend that the Department notify Congress of this issue and of the OLC opinion interpreting the scope of the FBI’s authority under it, so that Congress can consider [several words redacted] and the implications of its potential use.
Having made his argument that the use of this loophole is terribly dangerous and prone to abuse, Fine argues that DOJ must tell Congress about it so they can close the loophole.
Of course, DOJ promptly took that caution and redacted the hell out of it so people couldn’t know just how unprotected their privacy was. You get the feeling that DOJ wants this loophole kept open?