November 12, 2013 / by emptywheel

 

The Phone Dragnet Did Not (and May Still Not) Meet the PATRIOT Act’s Minimization Requirements

While a number of the changes to Section 215 passed just before the government started relying on it to create a database of all phone-based relationships in the United States watered down the law, one provision made the law stricter.

The 2006 Reauthorization required the Attorney General to establish minimization procedures for the data collected under the program.

(g) Minimization Procedures and Use of Information- Section 501 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861) is further amended by adding at the end the following new subsections:

(g) Minimization Procedures-

(1) IN GENERAL- Not later than 180 days after the date of the enactment of the USA PATRIOT Improvement and Reauthorization Act of 2005, the Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this title.

(2) DEFINED- In this section, the term `minimization procedures’ means–

(A) specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(B) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in section 101(e)(1), shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance; and

(C) notwithstanding subparagraphs (A) and (B), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes.

(h) Use of Information- Information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title concerning any United States person may be used and disclosed by Federal officers and employees without the consent of the United States person only in accordance with the minimization procedures adopted pursuant to subsection (g). No otherwise privileged information acquired from tangible things received by the Federal Bureau of Investigation in accordance with the provisions of this title shall lose its privileged character. No information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title may be used or disclosed by Federal officers or employees except for lawful purposes.’.

But from the very start, the FISA Court and the Administration set out to ignore this requirement. After all, well before anyone did any analysis about the foreign intelligence value of the phone dragnet data, the FBI disseminated all of it, by having the telecoms hand it over directly to the NSA. And phone numbers are US person identifiers (best demonstrated by NSA’s use of phone numbers as identifiers to conduct searches in other contexts).

Thus, before any Agency even touched the data, the phone dragnet scheme violated this provision by disseminating non-publicly available information about US person identifiers on every single American without their consent.

According to FISC’s original Section 215 phone dragnet order, the NSA only had to abide by the existing SID-18 minimization procedures.

[D]issemination of U.S. person information shall follow the standard NSA minimization procedures found in the Attorney General-approved guidelines (U.S. Signals Intelligence Directive 18). [link added]

And the FBI only applied the minimization procedures it used to fulfill the statute after the NSA had already run queries on it.

With respect to any information the FBI receives as a result of this Order (information that is passed or “tipped” to it by NSA), the FBI shall follow as minimization procedures the procedures set forth in The Attorney General’s Guidelines for FBI National Security Investigations and Foreign Intelligence Collection (October 31, 2003). [link added]

Even after this initial order, the Attorney General did not comply with the mandate to come up with minimization procedures specific to Section 215. Instead, then Attorney General Alberto Gonzales just adopted four sections of the National Security Investigations Guidelines.

In analysis included in a 2008 review of the FBI’s use of Section 215, DOJ Inspector General Glenn Fine deemed this measure to fall short of the statute’s requirements.

These interim minimization procedures use general hortatory language stating that all activities conducted in relation to national security investigations must be “carried out in conformity with the Constitution.” However, we believe this broad standard does not provide the specific guidance for minimization procedures that the Reauthorization Act appears to contemplate.

[snip]

[T]he Reauthorization Act required the Department to adopt “specific procedures” reasonably designed to “minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” We believe that the interim procedures do not adequately address this requirement, and we recommend that the Department continue its efforts to construct specific minimization procedures relating to Section 215 orders, rather than rely on general language in the Attorney General’s NSI Guidelines.

As I’ll show in a follow-up post, presumably in response to Fine’s report, Attorney General Michael Mukasey adopted new, arguably even more general guidelines to fulfill this requirement, the AG Guidelines for Domestic FBI Operations. (I strongly suspect the August 20, 2008 FISC opinion the government won’t release authorizes the language that would appear in those Guidelines).

But the implications of this have more immediate significance.

After all, the only known American who got busted based on a Section 215 tip, Basaaly Moalin, argues for a new trial tomorrow. And he was tipped based on dissemination that took place in 2007 — that is, before DOJ even tried to address these problematic minimization procedures. He was tipped based on dissemination that — under the letter of the PATRIOT Act — should never have happened.

Update: With regards to Moalin’s case, this seems pertinent.

As of early December 2007, the [Director of National Intelligence] working group [trying to harmonize defintions] had not defined “U.S. person identifying information.

This means that, at the time he was identified in the dragnet, the entire intelligence community was still fighting over whether phone numbers constituted US person identifying information entitled to additional protection.

Update: In an address to the EU Parliament, Jim Sensenbrenner accuses NSA of ignoring civil liberty protections in the PATRIOT Act.

“I firmly believe the Patriot Act saved lives by strengthening the ability of intelligence agencies to track and stop potential terrorists, but in the past few years, the National Security Agency has weakened, misconstrued and ignored the civil liberty protections we drafted into the law,” he said, adding that the NSA “ignored restrictions painstakingly crafted by lawmakers and assumed a plenary authority we never imagined.”

Copyright © 2013 emptywheel. All rights reserved.
Originally Posted @ https://www.emptywheel.net/2013/11/12/the-phone-dragnet-did-not-and-may-still-not-meet-the-patriot-acts-minimization-requirements/