Alright. I lied. I’m not going to post on why I think FBI went to the trouble of getting an OLC opinion that, apparently, opens a huge loophole in privacy protections from data collection until I first lay out all four OLC opinions that we know of that appear to be at least partly responses to Glenn Fine’s efforts to make FBI clean up this program. These are:
- January 15, 2009: OLC says FBI only has to inform journalists that their data has been subpoenaed if the person approving the subpoena could be expected to know that the subpoena would collect reporters’ data, regardless of the intent of the person who prepared the subpoena
- November 8, 2008: OLC says that ECPA normally bars the use of sneak-peek and hot number searches
- January 16, 2009: OLC says that Acting DADs (and certain other acting officials) are authorized to sign NSLs
- January 8, 2010: OLC says that ECPA allows the FBI to ask for and obtain certain call records on a voluntary basis from the providers, without legal process or a qualifying emergency
Note that of these, only the November 8, 2008 (which is, perhaps not incidentally, the one that restricted, rather than expanded, FBI conduct) has been released by OLC. And of course, two of the opinions appear to have been rushed through in the last days of the Bush Administration, possibly even by Steven Bradbury (though given the delays on approving Dawn Johnsen, fat lot of difference that made).
In this post, I want to show how these opinions appear to be responses to (at a minimum) Glenn Fine’s work, Though, as I said before, probably also to pressure about the warrantless wiretap program.
Notice to Journalists
The January 15, 2009 OLC opinion is at least partly a response to two incidences in which FBI collected or almost collected reporters’ data in the course of leak investigations but had not yet–as of 2009–told the reporters.
In one, a case agent asked AT&T representative at CAU for boilerplate language to use to get “to and from” data for specific target calls. The case agent would have known this would collect information on communication with a reporter, though the prosecutor in the case had notes showing the case agent had said the contrary. Later, after talking to another FBI agent, the prosecutor realized the request from AT&T would collect reporters’ calls. The prosecutor had the case agent remove all the data from the computer and seal it. In this case, the reporter was not told her data might have been collected, because any collection was inadvertent and no one used it.
In the second case, a Special Agent served a subpoena on an AT&T’s onsite person for toll billing records. Following that, the Special Agent provided the AT&T person a reporter’s cell phone number because the analyst “asked for” it. The AT&T analyst basically did a “sneak peak” on the reporters’ calls and found no record of calls related to the leak investigation. Then, working through one of CAU’s supervisors, the AT&T analyst “requested” information on the reporters calls of the Verizon and MCI analysts. The Company B (Verizon?) analyst did find responsive data, though the FBI claims that it was not in the database when checked. There is no further discussion in the IG Report of whether this reporter was informed that cell records had been searched.
In spite of the lack of any comment about notice to the reporter in the second case, Fine describes the OLC opinion pertaining to notice to reporters in the context of the first instance. (PDF 125 to 126)
The Criminal Division and the OIG asked the Department’s Office of Legal Counsel (OLC) to opine on the questions when the notification provision in the regulation would be triggered. OLC concluded in an informal written opinion dated January 15, 2009, that the notification requirement would be triggered if, using an “objective” standard and based on the totality of the circumstances, a reasonable Department of Justice official responsible for reviewing and approving such subpoenas would understand the language of the subpoenas to call for the production of the reporters’ telephone toll numbers, the subpoenas would be subject to the notification requirement of subsection (g)(3), regardless of the subjective intent of the individuals who prepared them.
The OLC opinion also concluded that the notification requirement would be triggered even if reporters’ toll billing records were not in fact collected in response to such a subpoena.
Based on the OLC opinion, the Criminal Division did not inform the reporters in the first case that records had been subpoenaed. As I said, it is unclear whether the second instance–in which the reporter data was gathered after a subpoena was issued–resulted in notification to the journalist in question.
The baseless exigent letters
As to the three other OLC memos, they all seem to arise at least partly out of Fine’s findings that the FBI had no legal basis for which to collect some of the phone records it did, starting in 2007. The March 2007 IG Report on NSLs (which includes a section on exigent letters) has the following to say about the FBI’s efforts to retroactively invent a legal basis for their use. (PDF pages 146-147)
As of March 2007, the FBI is unable to determine whether NSLs or grand jury subpoenas were issued to cover the exigent letters. However, at FBI-OGC’s direction, CAU is attempting to determine if NSLs were issued to cover the information obtained in response to each of the exigent letters. If CAU is unable to document appropriate predication for the FBI’s retention of information obtained in response to the exigent letters, the Deputy General Counsel of NSLB stated that FBI will take steps to ensure that appropriate remedial action is taken. Remedial action may include purging of information from FBI databases and reports of possible IOB violations.
The Assistant General Counsel also told us that a different provision of ECPA could be considered in weighing the legality of the FBI’s use of the exigent letters: the provision authorizing voluntary emergency disclosures of certain non-content customer communications or records (18 U.S.C. 2702(c)(4)). The Assistant General Counsel stated that while the FBI did not rely upon this authority in issuing the exigent letters from 2003 through 2005, the FBI’s practice may in part be justified by the ECPA’s recognition that emergency disclosures may in part be justified by the ECPA’s recognition that emergency disclosures may be warranted in high-risk situations. The Assistant General Counsel argued that in serving the exigent letters on the telephone companies the FBI did its best to reconcile its mission to prevent terrorist attacks with the strict requirements of the ECPA NSL statute.
The FBI General Counsel told us that the better practice in exigent circumstances is to provide the telephone companies letters seeking voluntary production pursuant to the emergency voluntary disclosure provision of 18 U.S.C. 2702 (c)(4) and to follow up promptly with NSLs to document the basis for the request and capture statistics for reporting purposes. But the General Counsel said that, if challenged, the FBI could defend its past use of the exigent letters by relying on ECPA voluntary emergency disclosure authority. The General Counsel also noted that the manner in which FBI personnel are required to generate documentation to issue NSLs can make it appear to an outsider that the records requested without a pending investigation when in fact there is a pending investigation that is not referenced in the approval documentation due to the FBI’s recordkeeping and administration procedures. 132
132 FBI-OGC attorneys told us that the FBI’s acquisition of telephone toll billing records and subscriber information in response to the exigent letters has not been reported to the IOB as possible violations of law, Attorney General Guidelines, or internal FBI policy. We believe that under guidance in effect during the period covered by our review these matters should be reported as possible IOB violations.
This passage makes several things clear. From the first IG Report on the exigent letters practice, Fine held out the possibility that if FBI couldn’t fix this problem, they would have to purge information and/or report inappropriate collection to the Intelligence Oversight Board (which could lead to further investigation). And faced with that threat, both the AGC and the GC suggested they might rely on 2702(c)(4) rather than 2709(b)(1) or to rationalize their collection activity.
Fine responded to this suggestion by pointing out all the reasons doing so didn’t make any sense. (PDF 148 to 149)
Moreover, the FBI’s justification for the exigent letters was undercut because they were (1) used, according to information conveyed to an NSLB Assistant General Counsel, mostly in non-emergency circumstances, (2) not followed in many instances within a reasonable time by the issuance of national security letters, and (3) not catalogued in a fashion that would enable FBI managers or anyone else to validate the justification for the practice or the predication required by the ECPA NSL statute.
We also disagree with the FBI’s second justification: that use of the exigent letters could be defended as a use of ECPA’s voluntary emergency disclosure authority for acquiring non-content information pursuant to 18 U.S.C. 2702(c)(4). First, we found that the exigent letters did not request voluntary disclosure. The letters stated, “Due to exigent circumstances, it is requested that records … be provided” but added “a subpoena requesting this information has been submitted to the United States Attorney’s Office and “will be processed and served formally … as expeditiously as possible.” In addition, we found that the emergency voluntary disclosure provision was not relied upon by the CAU at the time, the letters were not signed by FBI officials who had authority to sign ECPA voluntary emergency disclosure letters, and the letters did not recite the factual predication necessary to invoke that authority.
We are also troubled that the FBI issued exigent letters that contained factual misstatements. The exigent letters represented that “[s]ubpoenas requesting this information have been submitted to the U.S. Attorney’s Office who will process and serve them formally to [information redacted] as expeditiously as possible.” In fact, in examining the documents CAU provided in support of the first 25 of the 88 randomly selected exigent letters, we could not confirm one instance in which a subpoena had been submitted to any United States Attorney’s Office before the exigent letter was sent to the telephone companies. Even if there were understandings with the three telephone companies that some form of legal process would later be provided to cover the records obtained in response to the exigent letters, the FBI made factual misstatements in its official letters to the telephone companies either as to the existence of an emergency justifying shortcuts around lawful procedures or with respect to steps the FBI supposedly had taken to secure lawful process.
Thus, at this point, FBI was faced with either trying to legally rationalize how they had collected all this information, or purging it from their databases (without adequate record-keeping to show what they’d have to purge).
One thing the FBI did in response to Fine’s report, was to issue new guidelines on June 1, 2007 limiting who could sign NSLs. While that guidance appears to have provided needed management guidance for the NSL process, it also created a problem with earlier attempts to clean up the exigent letter problems. In 2006, FBI issued a series of “blanket NSLs” basically providing cover for all the exigent letters for which providers still hadn’t received a subpoena. Yet the people who signed those (in 2006) were not eligible to sign under the June 1, 2007 guidelines.
Then, five months after that first IG Report–in the aftermath of the passage of the Protect America Act and at a time when the debate on the FISA Amendments Act was ratcheting up–the FBI asked OLC for clarity on the meaning of Electronic Communication Privacy Act. (PDF 86)
On August 28, 2007, the FBI OGC requested a legal opinion from the Department’s Office of Legal Counsel (OLC) regarding three questions relating to the FBI’s authority under the ECPA, including sneak peeks. One question stated that, “on occasion, FBI employees may orally ask an electronic communications provider if it has records regarding a particular facility (e.g., a telephone number) or person.” The request asked whether under the ECPA the FBI can lawfully “obtain information regarding the existence of an account in connection with a given phone number of person,” by asking a communications service provider, “‘Do you provide service to 555-555-5555?’ or ‘Is John Doe your subscriber?'”
However, based on information we developed in our investigation, we determined that the hypothetical example used by the FBI OGC in the question it posed to the OLC did not accurately describe the type of information the FBI often obtained in response to sneak peek requests. As described above the FBI sometimes obtained more detailed information about calling activity by target numbers, such as whether the telephone number belonged to a particular subscriber, the number of calls to and from the telephone number within certain date parameters, the area codes [redacted] called, and call duration.
The response to that query did not come until November 5, 2008–after the FAA was already passed. Tellingly, at least twice during the debate over the FAA, NSA and SSCI personnel tried to prevent DOJ’s IG (that is, Fine) from having any involvement in the IG review of the warrantless wiretap program. While Fine didn’t end up leading that process, he did contribute his own report.
Here is that November 2008 OLC opinion and its three general conclusions:
The Federal Bureau of Investigation may issue a national security letter to request, and a provider may disclose, only the four types of information—name, address, length of service, and local and long distance toll billing records—listed in 18 U.S.C. § 2709(b)(1).
The term “local and long distance toll billing records” in section 2709(b)(1) extends to records that could be used to assess a charge for outgoing or incoming calls, whether or not the records are used for that purpose, and whether they are linked to a particular account or kept in aggregate form.
Before issuance of a national security letter, a provider may not tell the FBI whether that provider serves a particular customer or telephone number, unless the FBI is asking only whether the number is assigned, or belongs, to that provider.
This ruling included one piece of good news for those trying to conduct massive surveillance using phone records: it interpreted the meaning of “toll records” for counterterrorism broadly, including any data that tracked individual calls, regardless of whether the phone company actually used the data in that way. But it ruled against the use of sneak peeks (where a provider tells the FBI whether they have data on a customer) explicitly, though Fine argues that the FBI misrepresented what they were doing to OLC and as a result may have gotten sneak peeks approved even though the practice should not be legal. Fine would come back to the specific language of this OLC opinion in his recent IG Report.
But first, the FBI tried to clean up the problem created on June 1, 2007, when its own guidelines on who could sign NSLs seemingly invalidated the blanket NSLs used to clean up the exigent letters in 2006. In another last minute Bush OLC opinion (the other being the one that limited the requirements for journalist disclosure) the FBI asked OLC about whether certain people could sign NSLs. The response came back on January 16, 2009 (185-186):
Michael Heimbach, then a Section Chief for the ITOS-I of the CTD, signed the July 5  blanket NSL. At the time he was temporarily assigned as an Acting Deputy Assistant Director (Acting DAD) of the CTD. Heimbach signed the NSL as Acting DAD. At the time Heimbach signed this NSL, the FBI had not issued guidance on whether FBI personnel serving as Acting DADs were authorized to sign NSLs. The FBI OGC later issued guidance on June 1, 2007, stating that Acting Deputy Assistant Directors are not authorized to sign NSLs. However, on January 16, 2009, the Department’s Office of Legal Counsel (OLC), in response to a request for a legal opinion by the FBI General Counsel Caproni, opined that Acting DADs (and certain other acting officials) are authorized to sign NSLs under three of the NSL statutes, including the ECPA NSL statute, 18 USC 2709. Caproni notified the OIG in March 2009 that the FBI is revising its June 1, 2007 guidance in light of the OLC opinion.
How much do you want to bet those “certain other acting officials” signed other documentation that would be even more interesting? In any case, with this OLC opinion, FBI eliminated one problem with the story it told about how it had cleaned up its exigent letter problem, by verifying that all those who had signed retroactive authorizations were legally authorized to do so.
But that left the November 5, 2008 OLC opinion, with Glenn Fine continuing to work on both the exigent letter report and (as I point out here) his report on the warrantless wiretapping program.
Fine used the OLC opinion’s comments on “sneak peeks” to argue that it also ruled out of use of hot numbers (in which a provider “follows” a number and tells the FBI if there is activity on it). (PDF 100 to 101)
[T]he Department’s Office of Legal Counsel concluded, and we agree, that the ECPA ordinarily bars communications service providers from telling the FBI, prior to service of legal process, whether a particular account exists. We also concluded that if that type of information falls within the ambit of “a record or other information pertaining to a subscriber to or customer of such service” under 18 USC 2702(a)(3), so does the existence of calling activity by particular hot telephone numbers, absent a qualifying emergency under 18 USC 2702(c)(4).
Therefore, we believe that the practice of obtaining calling activity information about how numbers in these matters without service of legal process violated the ECPA.
We believe the FBI should carefully review the circumstances in which FBI personnel asked the on-site communications service providers [redacted] “hot numbers” to enable the Department to determine if the FBI obtained calling activity information under circumstances that trigger discovery or other obligations in any criminal investigations or prosecutions.
And Fine goes on in his report to read the 2008 memo fairly broadly.
On November 5, 2008, the OLC issued its legal opinion on the three questions posed by the FBI. In evaluating if a provider could tell the FBI consistent with the ECPA “whether a provider serves a particular subscriber or a particular phone number,” the OLC concluded that the ECPA “bars providers from complying with such requests.” In reaching its conclusion, the OLC opined that the “phrase ‘record or other information pertaining to a subscriber’ [in 18 USC 2702(a)(3)] is broad” and that since the “information [requested by the FBI] is associated with a particular subscriber, even if that subscriber’s name is unknown” it cannot be disclosed under the ECPA unless the disclosure falls within one of the ECPA exceptions.
Which brings us to the conclusions that Fine made by July 2009, when the FBI asked OLC for another memo. We know his draft of the warrantless wiretap program warned that DOJ might need to reveal how that information was collected to terrorism defendants.
Based upon its review of DOJ’s handling of these issues, the DOJ OIG recommends that DOJ assess its discovery obligations regarding PSP-derived information, if any, in international terrorism prosecutions. The DOJ OIG also recommends that DOJ carefully consider whether it must re-examine past cases to see whether potentially discoverable but undisclosed Rule 16 or Brady material was collected under the PSP, and take appropriate steps to ensure that it has complied with its discovery obligations in such cases. In addition, the DOJ OIG recommends that DOJ implement a procedure to identify PSP-derived information, if any, that may be associated with international terrorism cases currently pending or likely to be brought in the future and evaluate whether such information should be disclosed in light of the government’s discovery obligations under Rule 16 and Brady.
And the exigent letters IG report recommended that DOJ review existing FISA surveillance to make sure it didn’t come from improperly collected information. (PDF 141 to 142; 301)
We recommend that the FBI, in conjunction with the NSD, should determine whether any FISA Court orders for electronic surveillance or pen register/trap and trace devices currently in place relied upon declarations containing FBI statements as to the source of subscriber information for telephone numbers listed in exigent letters or the 11 blanket NSLs. If the FBI and the NSD identify any such pending orders, we recommend that the FBI and the NSD determine if any of the statements characterizing the source of subscriber information are inaccurate or incomplete. If any declarations are identified as containing inaccurate or incomplete statements, we recommend that the FBI and the NSD determine whether any of these matters should be referred to the FBI Inspection Division or the Department’s Office of Professional Responsibility for further review.
It also recommended that DOJ review to make sure information was not collected pursuant to hot numbers.
The FBI should carefully review the circumstances in which FBI personnel asked the on-site communications service providers [redacted] on specified “hot numbers” to enable the Department to determine if the FBI obtained calling activity information under circumstances that trigger discovery or other obligations in any criminal investigations or prosecutions.
Curiously, however, he does not warn DOJ about information collected using communities of interest (he says it can be appropriate if the person approving the EC agrees that the community itself is relevant to the investigation, but he makes clear that that didn’t happen with the thousands of numbers now in FBI databases collected through exigent letters; he also says they need to develop better guidelines on its use, and he says they need to make sure they haven’t effectively subpoenaed other journalist call records in addition to those identified in this report). And he does not warn that the fruit of sneak peeks should be purged (perhaps because the FBI claims that the 2008 OLC opinion authorized it, even though, Fine claims, they misrepresented what they were doing).
Now, that left two obvious loopholes apparently still open. The 2008 OLC opinion contained this caveat:
The conclusions in this memorandum apply only to disclosures under section 2709. We do not address other statutory provisions under which law enforcement officers may get information pertaining to electronic communications. See, e.g., 18 U.S.C. § 2702(b)(8), (c)(4) (West Supp. 2008) (authorizing disclosure of communications and customer records to governmental entities if the provider reasonably “believes that an emergency” involving “danger of death or serious physical injury to any person” justifies disclosure of the information); id. § 2703(a) (authorizing disclosure to a governmental entity of “the contents of a wire or electronic communication” pursuant to a warrant).
And it also did not take a stand on purging information.
In a passage that the FBI Memorandum cites, the House Judiciary Committee Report for the 1993 amendments stated that “[t]he Committee intends . . . that the authority to obtain subscriber information . . . under section 2709 does not require communications service providers to create records which they do not maintain in the ordinary course of business.” H.R. Rep. No. 103-46, at 3 (1993), reprinted in 1993 U.S.C.C.A.N. 1913, 1915. While the legislative history of ECPA therefore suggests that the statute does not require a provider to “create” new records, it does not follow that the statute would authorize the FBI to seek, or the provider to disclose, any records simply because the provider has already created them in the ordinary course of business. The universe of records subject to an NSL is still restricted to the types listed in the statute.5
5 We do not address whether the FBI must purge its files of any additional information given to it by communications providers.
I find this particular one interesting: In 2007 Fine said the FBI would have to purge improperly collected information. We know that in fall 2007, the FBI did an extensive purge of information collected pursuant to exigent letters (purging up to a third of what it had gotten from some providers). But now his discussion on FISA and hot number reviews doesn’t include a discussion of purging this information? Is there some opinion somewhere that says that doesn’t have to occur? Or is it part of the January 8, 2010 opinion?
In any case, some time around or after July 2009, the FBI asked OLC for yet another opinion. Fine describes it this way:
The FBI presented the issue to the OLC as follows: “Whether Chapter 121 of Title 18 of the United States Code applies to call detail records associated [2.5 lines redacted]
And he describes the response this way:
On January 8, 2010, the OLC issued its opinion, concluding that the ECPA “would not forbid electronic communications service providers [three lines redacted]281 In short, the OLC agreed with the FBI that under certain circumstances [~2 words redacted] allows the FBI to ask for and obtain these records on a voluntary basis from the providers, without legal process or a qualifying emergency.
While we have only hints at what remaining problem this OLC opinion was designed to solve (did it solve discovery problems associated with FISA collections and/or community of interest collections?), it seems to be yet another attempt to clear up ongoing problems with the illegal collection that occurred under Bush.