If the Executive Had Followed Clear Minimization Requirements of PATRIOT, Dragnet Abuses Might Have Been Avoided

For 4 years, it has been clear that DOJ Inspector General Glenn Fine used his 2008 report on the FBI’s use of Section 215 to address how it had been used for what was then a secret program. For that reason, I want to look more closely at what he had to say about minimization.

Glenn Fine reveals how FBI minimization procedures are self-referential nonsense

As I noted, as part of a congressionally-mandated review completed in March 2008, DOJ’s Inspector General Glenn Fine reviewed whether DOJ had complied with PATRIOT Reauthorization’s requirement that the Attorney General craft minimization procedures to use with Section 215 collection.

He described how, in advance of a September 5, 2006 deadline, two parts of DOJ squabbled over what the minimization procedures should be.

Several months after enactment of the Reauthorization Act, the Office of Intelligence Policy and Review (OIPR) and the FBI — both of whom had been developing minimization procedures related to Section 215 orders — exchanged draft procedures. The drafts differed in fundamental respects, ranging from definitions to the scope of the procedures.

The fight seems to have been significantly fought between OIPR’s Counsel James Baker (who had a record of trying to get DOJ to follow the law) and FBI’s General Counsel Valerie Caproni (who got confirmed as a Federal Judge for NY this year literally at the same moment the Administration started releasing the most damning details on the dragnet).

Unresolved issues included the time period for retention of information, definitional issues of “U.S. person identifying information,” and whether to include procedures for addressing material received in response to, but beyond the scope of, the FISA Court order; uploading information into FBI databases; and handling large or sensitive data collections.

A couple of months would put this debate squarely in the time period when the first dragnet order would be signed (two months would be May 9; the first order was signed May 24).

And you can see how these issues would go squarely to the heart of whether or not the government could use Section 215 to authorize the dragnet. The dragnet introduces immediate retention issues, given that it authorizes collection on data not yet in existence; imagine if OIPR mandated an immediate search, with all non-responsive numbers to be destroyed. NSA itself treated phone numbers as “identifiers,” and yet this entire program fails to meet the most basic dissemination limits if you treat them as identifiers here. We know NSA had recurrent problem with receiving data that was beyond the scope, including credit card numbers and international data. Unloading this into the FBI database presents immense problems, given that the foreign intelligence value of a query is based on a algorithm, not more concrete evidence. And of course, Fine’s mention of the debate over “handling large or sensitive data collections” must implicate the dragnet, which is the quintessential large and sensitive data collection.

Almost the entirety of the detailed discussion of these issues is redacted.

To meet the statutory requirement, DOJ adopted several sections of the 2003 AG National Security Investigations (see sections I.B.3, I.C, VII.A.1 and VII.B, and VIII).  Fine gives hints about why the solution DOJ eventually adopted (as an interim solution) pretty much served only as a circular word game dodging the requirement altogether. For example, the NSI doesn’t define one of the most critical terms laid out in the Section 215 Minimization requirement and, we know, the phone dragnet.

The Definition section of the NSA Guidelines defines terms such as “foreign intelligence,” “international terrorism,” and “publicly available.” However, the Guidelines do not define “U.S. person identifying information.”

In addition, because the NSI governs everything that would be included under Section 215, particularly given the involvement of the FISA Court, the entire document is incorporated by definition, including this language describing minimization procedures.

The Special Statutory Requirements section requires that FISA-derived information be disseminated pursuant to the minimization procedures approved by the FISA Court and as specified in the FISA statute. Although not formally adopted in the Interim Standard Minimization Procedures, this section — as with every section adopted in the Guidelines — governs the use of Section 215 derived information because compliance with the NSA Guidelines in their entirety is already a prerequisite to obtaining a Section 215 order.

And then there’s the fact that the Guidelines don’t actually provide hard guidelines on Information Sharing.

The Information Sharing subsection identifies the Department’s policy to share information with relevant agencies unless there is a specific provision limiting such information sharing.

Fine believed the Guidelines did not meet the terms laid out in the Reauthorization. But DOJ did.

We asked FBI and OIPR officials whether they believed the interim procedures met the minimization requirements of the Reauthorization ACt. We specifically inquired whether the interim procedures could meet the statutory requirement for obtaining a Section 215 order, the NSI Guidelines were not specific, and the NSI Guidelines applied to all documents the FBI collected in the course of a national security investigation and were not “designed in light of the purpose and technique” of Section 215 requests, as required by the Reauthorization Act.

OIPR and FBI attorneys responded that they believed the interim procedures met the statutory requirement because the Reauthorization Act did not require that the minimization procedures be “new” or “in addition to” existing requirements.

When we asked how an agent would determine, for example, whether the disclosure of U.S. person identifying information is necessary to understand foreign intelligence or assess its importance, the FBI General Counsel stated that the determination must be made on a case-by-case basis.

And when Fine asked OIPR and FBI if using the NIS addressed the constitutional language included in the statute, they dismissed that concern.

When discussing the issue raised by the Reauthorization Act of whether the minimization procedures “protect the constitutional rights of United States persons,” OIPR and FBI attorneys asserted that most government requests for business records do not raise constitutional concerns.

All this sounds absurd even if you don’t know that you’re really talking about using Section 215 to create a database of every phone-based relationship in the US. But once you understand that, then it becomes obscene. Because the primary application they had in mind, of course, presented a very real constitutional concern.

DOJ adopted equally self-referential nonsense to replace its original self-referential nonsense

That was March 2008, and Fine made it clear that, “as of early February 2008, the Department had not finalized the updated minimization procedures for full FISA orders” to which Section 215 had been tied. In his letter commenting on the report, Director Robert Mueller made not one mention of the minimization concerns or recommendation, which took up a full chapter of the report; he effectively just blew off the observation that FBI was not following the law.

We do know DOJ made at least a cosmetic (and that is likely all it was) change. At least by September 3, 2009, the primary order began to name the AG’s Guidelines for Domestic FBI Operations rather than NIS (indeed, primary orders still do, even though that document has been superseded by the 2011 Domestic Investigation and Operations Guide). [See correction below.] The AG Guidelines were adopted in September 2008, so that’s likely when the change got made.

But that document doesn’t address any of Fine’s concerns. The Guidelines are still very general. Information sharing is explicitly called “permissive.” The Guidelines still don’t define what US person identifying information is.

In short, by all appearances, FBI still hasn’t complied with the PATRIOT Act Reauthorization, 7 years and two new reauthorizations later.

The 2009 violations reveal NSA didn’t really have or follow minimization procedures either

And while NSA has minimization requirements (still ultimately based in SID-18, though there were additional requirements from FISC) many of the problems underlying the 2009 disclosures had to do with the failure to set up a system to obey minimization procedures.

The report submitted to the FISC in August 2009 presents the problem as stemming from failing to follow the primary RAS limitation on the database, as well as subsidiary failures. And over the course of the report, it admits several instances in which NSA simply didn’t think through how a practice — like sharing unminimized results with other agencies — implicated minimization procedures.

In June 2009, during the course of NSA’s end-to-end review of the Agency’s implementation of the BR Order, NSA identified as a compliance matter the use of the database to make unminimized BR and [redacted] query results available to FBI, CIA, and NCTC, NSA

[snip]

To determine why this compliance issue occurred, NSA spoke with the senior analysts and oversight personnel who were aware of the Court-ordered minimization requirements and of how the database was used. These conversations revealed NSA personnel generally followed the minimization requirements when the Agency issued formal reports based on queries of the metadata acquired pursuant to the Court’s BR FISA Orders. However, even though the applicability of the minimization requirements to the shared database is clear in hindsight, until the issue was discovered during NSA’s end-to-end review [redacted]

Tellingly, the underlying End-to-End report that accompanied that submission still prioritized NSA’s SID-18 minimization procedures.

If NSA has reason to believe the information constitutes valid threat-related activity, NSA applies USSID 18 to minimize information concerning U.S. persons and then reports the information to the FBI, NCTC and ODNI, and other customers, as appropriate.

[snip]

These detailed working aids, together with required IJSSID 18 training for all BR FISA-approved intelligence analysts, require that any NSA. BR. MA-based reporting that contains U.S. person information follow NSA’s standard minimization procedures found in USSID 18 and the Court order.

[snip]

NSA has well-documented and long-standing minimization procedures for ensuring protection of U.S. persons’ information in SIGINT analysis and reporting under all SIGINT authorities, to include the FISA Order.

[snip]

In light of the compliance issues that surfaced specific to the handling of BR FISA metadata, NSA reviewed its minimization procedures as well as its oversight procedures, to include auditing, documentation, and training, to identify areas for potential improvement. All were identified as areas for enhancement to ensure that personnel handling the BR FISA metadata. are aware of and compliant with the Court Orders governing its use and dissemination.

[snip]

Every NSA intelligence analyst is required to complete training and pass a test on USSII) 18 minimization procedures every two years as a pre-requisite for access to unminimized/unevaluated SIGINT data. Additionally, intelligence analysts must receive an OGC compliance briefing and on-the-job training (OJT) regarding their responsibilities for handling metadata containing U.S. person information prior to being granted access to the BR FISA metadata, They also have on-line access to detailed working aids including required minimization procedures. NSA will continue to emphasize the critical importance of applying USSID l8 and the Court Order requirements as they relate to the handling and dissemination of BR. RSA.

All of which is to say that a year after DOJ’s IG told DOJ they had failed to fulfill the terms of PATRIOT, after DOJ partly addressed minimization for FBI, albeit completely cosmetically, NSA got caught violating the program in all sorts of ways, largely because they had never really instituted minimization procedures specific to the program.

Glenn Fine told you so.

Fine, Sensenbrenner, and Leahy suggest there still aren’t adequate minimization procedures

Yet key people seem to believe there still aren’t minimization procedures that meet the terms of PATRIOT.

When Fine set out to review the 215 program again in 2010 (that’s the review that has been ongoing for 1,235 days with no sign of a report), he promised to review whether FBI had yet met the terms of PATRIOT.

n addition, our review will cover the FBI’s use of Section 215 orders for business records. It will examine the number of Section 215 applications filed from 2007 through 2009, how the FBI is using the tool today, and describe any reported improper or illegal uses of the authority. Our review will also examine the progress the FBI has made in addressing recommendations contained our prior reports that the FBI draft and implement minimization procedures specifically for information collected under Section 215 authority.

And the Leahy-Sensenbrenner bill focuses on improving minimization procedures by,

  • Allowing the judge to review minimization procedures before approving an order to ensure they meet the requirements
  • Allowing the judge to review compliance with minimization procedures
  • Adding “acquisition and” after “the minimization of” in this phrase of the definition: “to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons”
  • Renewing the mandate for a DOJ IG review of Section 215, akin to the one Fine completed in 2008, covering the years 2010 to 2013
  • Mandating a review for the Intelligence Committee Inspector General, not only of efficacy of the program, but also of minimization procedures and any procedures rejected by the FISC
  • Requiring any sub-reports to be shared with the oversight committees as well

Obviously, if the main thrust of their bill passed, it would make bulk collection illegal, eliminating the huge disparity between the implementation of the program and the minimization requirements laid out in the law. But if not — and for whatever use of Section 215 remains — Patrick Leahy and Jim Sensenbrenner seem intent to offer far more protection than the scant protection offered for the last 2007, in defiance of the 2006 Reauthorization.

As I noted earlier today, Jim Sensenbrenner has complained that the Executive “ignored restrictions painstakingly crafted by lawmakers.” Given the focus on putting teeth to minimization procedures, Sensenbrenner may be thinking of the way DOJ completely blew off a clear mandate of PATRIOT.

They should have listened. It could have saved them a bunch of trouble.

Update: I was incorrect that the DIOG replaced the AGG. Rather, the AGG is the policy statement that the DIOG implements, so effectively, in response for being busted for using a too-general document, FBI adopted an even more general one. The AGG was first implemented in 1976 to stave off legislative mandates about FBI’s policy.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

13 replies
  1. Snoopdido says:

    According to SSCI Chair Senator Diane Feinstein today – Report to Accompany S. 1631, the FISA Improvements Act (November 12, 2013) – http://www.intelligence.senate.gov/131113pdfs/113119.pdf

    “the NSA telephone metadata program was approved by federal judges and overseen by Congress, where every member of the Senate had access to information concerning how the programs were conducted and an opportunity to voice objections and debate their efficacy.”

    Sure they did. And Emptywheel hasn’t proved this wrong over and over again. Yeah, right!

    And:

    “Some would like to believe these disclosures have started a debate about the propriety and efficacy of NSA surveillance programs but, in fact, to a substantial degree, recent unauthorized disclosures have ended the debate because, once disclosed, the programs at issue become substantially less effective. The nation will suffer as a result.”

    It is true that in Senator Dianne Feinstein’s closed mind, the debate has surely ended, if it ever at all began.

  2. Snoopdido says:

    @Snoopdido: From page 5 of that same document regarding Section 215 queries:

    “The Committee believes that, to the greatest extent practicable, all queries conducted pursuant to the authorities established under this section should be performed by Federal employees. Nonetheless, the Committee acknowledges that it may be necessary in some cases to use contractors to perform such queries. By using the term “government personnel” the Committee does not intend to prohibit such contractor use.”

    Just who are these contractors that have been running Section 215 queries? Did Senator Diane Feinstein just leak classified information herself?

  3. Snoopdido says:

    @Snoopdido: From page 6 of that same document regarding Section 702 (hoovering of upstream internet pipes) queries:

    “Section 6 does not limit the authority of law enforcement agencies to conduct queries of data acquired pursuant to Section 702 of FISA for law enforcement purposes.”

    This seems to be a rather explicit statement that the federal, state and local law enforcement can query the hoovered upstream internet pipe collection for whatever they damn well please.

  4. emptywheel says:

    @Snoopdido: They changed the minimization procedures in 2011 to incorporate that, though they claimed it was about overseas military (it’s not: some contractor broke hte law).

  5. orionATL says:

    @Snoopdido:

    when is feinstein going to be overtly, publicly attacked

    – for misrepresenting the legality and the utility of nsa’s domestic spying (including spying on americans using foreign subterfuge),

    – for ignoring repeated nsa lies and evasions

    – for repeatedly ignoring warnings and information on nsa overreach available to her committee and staff

    – for failing, in an extraordinary display of ignorance or dishonesty, to conduct nsa oversight in the interests of the american people?

    until those attacks begin and persist, feinstein is going to bulldoze ahead.

    if aclu, eff, and other interested parties think they can sit on their hands politically while filing foia’s and lawsuits to stop the nsa behemoth, rather than directly and persistently attacking feinstein,

    i got news for them – you’re going to lose, big time!

    wake up!

  6. Snoopdido says:

    @Snoopdido: From page 10 of that same document concerning bulk cell site location collection:

    “By a vote of 7 ayes to 8 noes the Committee rejected an amendment by Senator Heinrich to prohibit the collection of bulk cell site location information. The votes on the amendment in person or by proxy were as follows: Chairman Feinstein—no; Senator Rockefeller—aye; Senator Wyden—aye; Senator Mikulski—no; Senator Udall—aye; Senator Warner—aye; Senator Heinrich—aye; Senator King—aye; Vice Chairman Chambliss—no; Senator Burr—no; Senator Risch—no; Senator Coats—no; Senator Rubio—no; Senator Collins—aye; Senator Coburn—no.”

  7. Snoopdido says:

    @Snoopdido: From page 17 of that same document concerning the Minority Views of Senators Wyden, Udall and Heinrich about the Heinrich amendment to prohibit the collection of bulk cell site location information:

    “Senator Heinrich also offered an amendment that would have prohibited the NSA from collecting Americans’ cell phone location information in bulk, while still permitting the government to acquire this information with an individualized warrant. We are particularly disappointed that this amendment was rejected by the Committee. NSA officials have testified that they are not engaged in the bulk collection of Americans’ cell-site location information today, and have acknowledged collecting “samples” of this data in the past, but they have repeatedly declined to publicly answer questions from the three of us and other Senators about whether they have previously collected or made plans to collect this information in bulk, and they have specifically said that the NSA could collect this information in bulk in the future. By rejecting the Heinrich amendment and still approving the underlying bill, the Intelligence Committee has effectively voiced support for giving the executive branch the authority to turn the cell phone of every man, woman, and child in America into a tracking device. We strenuously disagree with this approach and we will continue to work to ensure that Americans’ daily movements are not tracked without evidence of wrongdoing.”

  8. Snoopdido says:

    @emptywheel: I wonder if the general reference to “law enforcement” doesn’t mean that places like the Fusion centers in all the states don’t have access to either Prism or its doppelganger. It would seem probable that the various federal, state, and local members of the various Joint Terrorism Task Forces around the country would have access to Prism, and it wouldn’t be too much of a stretch to think that search access to Prism or something similar that was fed by NSA collection was available to all levels of law enforcement.

Comments are closed.