The government has been releasing a bunch of documents under FOIA while we’re all out celebrating: a classification review of the two earlier Section 215 IG Reports, as well as NSA’s reports to the Intelligence Oversight Board (though thus far, NSA has mistakenly linked to 1Q 2012 rather than 2Q 2012, which should be one of the most important reports for reasons I’ll come back to).
In this post I just want to review the phone dragnet classified appendix included as part of the 2008 DOJ IG Report on the use of Section 215. We’ve known this appendix — one of two attached to this report (the other, which may be as long as 16 pages, remains classified) — dealt with the phone dragnet since the phone dragnet was revealed. One thing this report provides are clear dates (which I used to update the dates in my phone dragnet tracker), including exact (in case of the first addition) and rough updates for additional “agents of a foreign power” that may be chained on.
Here are details of interest:
The fourth redaction on the 2nd page of the appendix — in the sentence starting “The queries would attempt to identify…” — is rather interesting syntactically. The redaction should read something like “terrorist associates” or something similar. But in this context, it ties the contact chaining much more closely to the contact-chaining process. Somewhere there must be language purporting to make this case specifically, but the redaction here is remarkably short to do so.
The appendix notes in the first full paragraph on page 3 that the dragnet application promised the NSA Director would inform the Intelligence Committees (but not the Judiciary Committees) about the dragnet. That’s curious because we have every reason to believe the NSA did not inform the Intel Committees about the Internet dragnet until after PATRIOT reauthorization, as reflected by this April 27, 2005 briefing to SSCI. Presumably, the December 15, 2005 disclosure of the dragnet led the FISC to discover that Congress hadn’t been briefed.
The discussion of the additional terrorist group approved for contact chaining on page 4 seems heavily redacted. I wonder if NSA got Iran approved as early as 2006, with the later approvals being additional al Qaeda affiliates?
At least according to the changes noted in the dragnet orders, the only known addition in the second dragnet order was the pre-approval for FISA targets to be RAS seeds under the dragnet. I’m not sure whether the redaction here would refer to this change, but if it does, it is odd it remains redacted. But it’s also possible the government started collecting some other kind of telephony metadata in that order.
With the exception of the first order, it appears DOJ’s IG was working from the applications for the dragnet, not the orders. And the narrative of the dragnet appears to be silent on a number of changes, including the elimination of the compensation paragraph, the addition of spot checks (both in the November 15, 2006 order), and the exception of pre-authorized RAS approval for dockets 06-2081, 07-449, and PAA.
Most interesting still is the report’s silence on the change allowing NSA to put the BRFISA data in with other data for the purposes of analytical efficiency. That first shows up in the first dragnet order of 2008 — which the appendix helpfully clarifies was signed on January 10, 2008. It’s possible the IG Report doesn’t note it (or some of the other changes) because it was only supposed to treat Section 215 for 2006. Perhaps the other changes were done via amendment not shared with the IG (perhaps because of that scope issue). In any case, I find the timing of the order (which admittedly was dictated by the expiration date of the prior order). That would put the change — which I’ve speculated might relate to the roll-out of ICREACH — just days after Michael Mukasey signed the SPCMA order which allowed chaining on EO 12333 data on US persons. I increasingly believe all these things — ICREACH, SPCMA, and the insertion of FBI into the heart of the FISA process — were necessarily rolled out together.
One other silence of note: This appendix, at least, makes no mention of the 4- and 15-page October 31, 2006 opinions withheld from the EFF and ACLU FOIAs. That’s not surprising: if it had been central to the phone dragnet, the government probably would have had to release it. I wonder, though, if they pertain to the dragnet program discussed in the second, still unreleased appendix (and I wonder if that is the CIA money transfer program).
In addition to liberating the document dump pertaining to the Internet dragnet program. (See my working threads: one, two, three, four, five.), EPIC has been fighting several other parts of the FOIA for the PRTT documentation to Congress. I’m going to have three more posts on these materials. This post will comment on the reports to Congress, all of which (except the December 2006 one, which I’ll ask them to fix) are available here.
Here’s a summary of the changes from report to report.
Here’s an explanation of what I make of these details:
Throughout this reporting requirement, DOJ has been obligated to include the number of US persons targeted. How it has done so has varied by period. Here’s how it breaks out by reporting period (I’m doing it this way so we can match it up to known techniques).
July 2000 through December 2001: US person subjects of investigation described by sketch but not broken out by number
January 2002 through June 2002: US person targets identified by number and sketch
July 2002 through December 2004: US person targets identified by number “who were targeted”; sketches replaced by general language about First Amendment review
January 2005 through June 2006: Orders include a definition of aggregate that includes corporations and other non-individual legal persons, these orders provided an “at least” aggregate number (with a footnote explaining why that is redacted). This method covers most of the reports during the “combined” period. Update: The DOJ IG Report on Section 215 use in 2006 may explain some of this: for 215 orders in this period, FBI did not count the requested records of non-subjects, which would likely apply to combined orders.
July 2006 through December 2006: This report includes no discernible US person breakout.
January 2007 through June 2008: These reports used an “at least” number to count US persons.
July 2008 through June 2010:This period included exact numbers for USP targets, and also no longer includes modifications (which often are minimization procedures).
July 2010 through December 2012: This period uses “named US persons” as a reporting category, and to the extent it’s relevant, breaks out the NSA orders.
Note, some of the differential reporting (such as the “aggregate” language for the period before Congress got briefed on the bulk PRTT) to be get around informing Congress of certain collections. Some–such as the apparently still-current “named USP” suggests there’s a lot of incidental collection the government doesn’t count (which would be likely in the use of stingrays, though the prior use of target could be done there too).
Note the variation in agencies named, with PRTT being listed as FBI only, then being listed as NSA and FBI, then all government, then both again, and finally, broken out by agency. This likely stems most significantly from efforts to hide that they were using PRTT for the dragnet, then incorporation of NSA into the FBI dragnet numbers.
The NSA numbers first get broken out for the December 2010 report, with a statement there were no NSA applications in the first half of 2010. That accords with the understanding that the Internet dragnet got shut down around October 30, 2009, then Bates approved it again in July 2010 (which would be the partial declination marked).
I was interested that John Ashcroft didn’t a bunch of reports during a period when DOJ provided narratives of the Americans targeted. Also, for the first few periods of Stellar Wind, the signee was not read into Stellar Wind. I’ve increasingly noticed AGs having someone else sign something as a workaround, and that may have been true here, too (remember that the government was obtaining Internet metadata even before Stellar Wind).
But then, to the extent we still got transmittal letters (they stopped entirely in June 2007), they were signed by the Congressional Liaison.
Update: I realize something about this classification guide. While it was updated in 2012 (so after the Internet dragnet got shut down) it was dated August 2009, so while it was still running. So that part of this may not be location data. But the FBI almost certainly still does do fun stuff w/PRTT because it’s the one part of PRTT that remains classified.
Ed Markey, who is absolutely superb on tracking Title III surveillance, continues that tradition today with a letter to Eric Holder asking about the US Marshall Program DirtBox surveillance program revealed last week by WSJ.
Among his questions are:
Do other agencies within DOJ operate similar programs, in which airplanes, helicopters or drones with attached cellular surveillance equipment are flown over US airspace?
What types of court order, if any, are sought and obtained to authorize searches conducted under this program?
In what kind of investigations are the “dirtbox” and similar technology used to locate targets? Are there any limitations imposed on the kinds of investigations in which the dirtbox and similar technology can be used?
According to media reports, the dirtbox technology, which is similar to a so-called “stingray” technology, works by mimicking the cellular networks of U.S. wireless carriers. Upon what specific legal authority does the Department rely to mimic these cellular networks?
Do the dirtbox and stingray send signals through the walls of innocent people’s homes in order to communicate with and identify the phones within?
What, if any, policies govern the collection, retention, use and sharing of this information?
Are individuals–either those suspected of committing crimes or innocent individuals–provided notice that information about their phones was collected? If yes, explain how. If no, why not?
I could be spectacularly wrong on this point, but I very very strongly believe the answer to some of his questions lie in a bill Markey is all set to vote for tomorrow.
We know that the government — including the FBI — uses Title III Pen Registers to obtain authorization to use Stingrays; so one answer Markey will get is “Title III PRTT” and “no notice.”
Given that several departments at DOJ use PRTT to get Stingrays on the criminal side, it is highly likely that a significant number of the 130-ish PRTT orders approved a year are for Stingray or related use.
Using that logic gets us to the likelihood that FBI’s still unexplained PRTT program — revealed in this 2012 NSA declassification guide — also uses Stingray technology to provide location data. That’s true especially given that NSA would have no need to go to FBI to get either phone or email contacts, because it has existing means to obtain that (though if the cell phone coverage of the Section 215 dragnet is as bad as they say, it may require pen registers for that).
The guide distinguishes between individual orders, which are classified SECRET, and “FBI Pen Register Trap Trace,” which therefore seems to be more programmatic. The FBI PRTT is treated almost exactly like the then undisclosed phone dragnet was in the same review, as a highly classified program where even minimized information is TS/SCI.
Now, it’s possible (ha!) that this is a very limited program, just targeting individual targets in localized spots for a brief period of time.
It’s also possible the government scaled this back after the US v. Jones decision.
But it’s equally possible that this is a bulky dragnet akin to the phone dragnet, one that will be invisible in transparency measures under USA Freedom Act because location trackers are excluded from that reporting.
I do hope Markey insists on getting answers to his questions before he votes for this bill tomorrow.
As you likely know, there have been two developments with NSLs in the last few days. First, Twitter sued DOJ, on First Amendment grounds, to be able to publish how many NSLs and FISA orders it has received. And EFF argued before the 9th Circuit that the entire NSL statute should be declared unconstitutional.
These developments intersect with the USA Freedom Act in an interesting way. In the 9th Circuit, the Court (I believe this is Mary Murguia based on tweets from lawyers who were there, but am not certain) asked why Congress hasn’t just fixed the Constitutional problems identified in Doe v. Mukasey with NSL gag orders.
That set off DOJ Appellate lawyer Douglas Letter hemming and hawing in rather unspecific language (my transcription).
Mary Murguia: Have any measures been taken to Congress to try to change that reciprocal notice procedure, to make it legal as the 2nd Circuit suggested?
Douglas Letter: Your honor, my understanding is, and I’m a little hesitant to talk about this in this sense, as we know proposals can be made to Congress and who knows what will happen? The government is working on some, a, is working with Congressional staffers etcetera, we would hope that at some point we would have legislation. We do not as this point. I’m not, I’m not going to here make any predictions whether anything passes.
What Letter was talking about — bizarrely without mentioning it — was a provision addressing the unconstitutional NSL gags in USA Freedom Act.
The provision fixes one part of the NSLs by putting the onus on FBI to review every year whether gags must remain in place.
(A) IN GENERAL.—In the case of any request under subsection (b) for which a recipient has submitted a notification to the Government under section 3511(b)(1)(A) or filed a petition for judicial review under subsection (d)—
(i) an appropriate official of the Federal Bureau of Investigation shall, until termination of the nondisclosure requirement, review the facts supporting a nondisclosure requirement annually and upon closure of the investigation; and
(ii) if, upon a review under clause (i), the facts no longer support the nondisclosure requirement, an appropriate official of the Federal Bureau of Investigation shall promptly notify the wire or electronic service provider, or officer, employee, or agent thereof, subject to the nondisclosure requirement, and the court as appropriate, that the nondisclosure requirement is no longer in effect.
This would fix the problem identified by the 2nd Circuit.
Except that, bizarrely, it would require FBI to do what Letter represented to the Court FBI could not do — review the gags every year. Presumably, they assume so few providers will challenge the gag that they’ll be able to manage those few yearly reviews that would be required.
Which might be what this language is about.
(B) CLOSURE OF INVESTIGATION.—Upon closure of the investigation—
(i) the Federal Bureau of Investigation may petition the court before which a notification or petition for judicial review under subsection (d) has been filed for a determination that disclosure may result in the harm described in clause (i), (ii), (iii), or (iv) of paragraph (1)(B), if it notifies the recipient of such petition;
(ii) the court shall review such a petition pursuant to the procedures under section 3511; and
(iii) if the court determines that there is reason to believe that disclosure may result in the harm described in clause (i), (ii), (iii), or (iv) of paragraph (1)(B), the Federal Bureau of Investigation shall no longer be required to conduct the annual review of the facts supporting the nondisclosure requirement under subparagraph (A).
That is, in addition to fixing the constitutional problem with NSLs, USAF provides FBI way out of the supposedly onerous problem that fix requires, by establishing a way to get a permanent gag.
The NSL provisions in USAF have not gone totally unnoticed. Perhaps appropriately, one of the few public comments on it came from the EFF. It lumps it in with FBI’s exemption from reporting back door searches.
The FBI is exempt from Section 702 reporting, and the bill appears to provide a path for the FBI to get permanent gag orders in connection with national security letters.
And bill champion Kevin Bankston is acutely aware of the dynamic as well; after Twitter announced his suit he suggested this was a good reason to pass USAF.
Me, I’d rather let the courts work and get the leverage we might get that way.
Especially since it seems like FBI is more able to review yearly gag renewals that Letter told the court.
Last week, Dustin Slaughter published a story using a new deck of slides on the Hemisphere program, the Drug Czar program that permits agencies to access additional telecommunications analytical services to identify phones, which then gets laundered through parallel construction to hide both how those phones were found, as well as the existence of the program itself.
It has some significant differences from the deck released by the New York Times last year. I’ve tried to capture the key differences here:
The biggest difference is that the NYT deck — which must date to no earlier than June 2013 — draws only from AT&T data, whereas the Declaration deck draws from other providers as well (or rather, from switches used by other providers).
In addition, the Declaration deck seems to reflect approval for use in fewer states (given the mention of CA court orders and the recent authorization to use Hemisphere in Washington in the AT&T deck), and seems to offer fewer analytical bells and whistles.
Thus, I agree with Slaughter that his deck predates — perhaps by some time — the NYT/AT&T deck released last year. That would mean Hemisphere has lost coverage, even while it has gained new bells and whistles offered by AT&T.
While I’m not yet sure this is my theory of the origin of Hemisphere, some dates are worth noting:
From 2002 to 2006, the FBI had telecoms onsite to provide CDRs directly from their systems (the FBI submitted a great number of its requests without any paperwork). One of the services provided — by AT&T — was community of interest tracking. Presumably they were able to track burner phones (described as dropped phones in these decks) as well.
In 2006, FBI shut down the onsite access, but retained contracts with all 3 providers (AT&T, Verizon, and probably Sprint). In 2009, one telecom — probably Verizon — declined to renew its contract for whatever the contract required.
AT&T definitely still has a contract with FBI, and in recent years, it has added more services to what it offers the FBI.
It’s possible the FBI multi-provider access moved under ONCDP (the Drug Czar) in 2007 as a way to retain its authorities without attracting the attention of DOJ’s excellent Inspector General (who is now investigating this in any case). Though I’m not sure that program provided the local call records the deck at least claims it could have offered. I’m not sure that program got to the telecom switches the way the deck seems to reflect. It’s possible, however, that the phone dragnet in place before it was moved to Section 215 in 2006 did have that direct access to switches, and the program retained this data for some years.
The phone dragnet prior to 2006 and NSL compliance (which is what the contracts with AT&T and one other carrier purportedly provide now) are both authorized in significant part (and entirely, before 2006) through voluntary compliance, per David Kris, the NSA IG Report, and the most recent NSL report. That’s a big reason why the government tried to keep this secret — to avoid any blowback on the providers.
In any case, if I’m right that the program has lost coverage (though gained AT&T’s bells and whistles) in the interim, then it’s probably because providers became unwilling, for a variety of reasons (and various legal decisions on location data are surely one of them) to voluntarily provide such information anymore. I suspect that voluntary compliance got even more circumscribed with the release of the first Horizon deck last year.
Which means the government is surely scrambling to find additional authorities to coerce this continued service.
On February 19, 2013, John Bates approved a Section 215 order targeting an alleged American citizen terrorist. He hesitated over the approval because the target’s actions consisted of protected First Amendment speech.
A more difficult question is whether the application shows reasonable grounds to believe that the investigation of [redacted] is not being conducted solely upon the basis of activities protected by the first amendment. None of the conduct of speech that the application attributes to [4 lines redacted] appears to fall outside the ambit of the first amendment. Even [redacted] — in particular, his statement that [redacted] — seems to fall well short of the sort of incitement to imminent violence or “true threat” that would take it outside the protection of the first amendment. Indeed, the government’s own assessment of [redacted] points to the conclusion that it is protected speech. [redacted] Under the circumstances, the Court is doubtful that the facts regarding [redacted] own words and conduct alone establish reasonable grounds to believe that the investigation is not being conducted solely on the basis of first amendment.
He alleviated his concerns by apparently relying on the activities of others to authorize the order.
The Court is satisfied, however, that Section 1861 also permits consideration of the related conduct of [redacted] in determining whether the first amendment requirement is satisfied. The text of Section 1861 does not restrict the Court to considering only the activities of the subject of the investigation in determining whether the investigation is “not conducted solely on the basis of activities protected by the first amendment.” Rather, the pertinent statutory text focuses on the character (protected by the first amendment or not) of the “activities” that are the “basis” of the investigation.
Later in the opinion, Bates made it clear these are activities of someone besides the US citizen target of this order, because the activities in question were not being done by US persons.
Such activities, of course, would not be protected by the first amendment even if they were carried out by a United States person.
If I’m right that behind the redactions Bates is saying the activities of associates were enough to get beyond the First Amendment bar for someone only expressing support, then it would seem to require Association analysis. But then, Bates, the big fan of not having any help on his FISC opinions, wouldn’t consider that because the government never does.
Ah well. At least we can finally clarify about whether or not the FISC is a rubber stamp for Administration spying. No. It’s a Bates stamp — in which judges engage in flaccid legal analysis in secret before approving fairly troubling applications. Which is just as pathetic.
I’ll have a more substantive post about what we learn about NSA’s broader dragnet from the Intercept’s ICREACH story.
But for the moment I want to reiterate a point I made the other day. ICREACH is important not just because it makes NSA data available to CIA and FBI. But also because it makes CIA and FBI data available for the metadata analysis the NSA conducts.
The documents describe that to include things like clandestine intelligence and flight information.
But there’s one other program that ought to be of particular concern with regards to NSA’s programs. As I laid out here, FBI had a Pen Register/Trap and Trace “program” that shared information with the NSA at least until February 2012, several months after NSA had ended its PRTT Internet dragnet program.
The secrecy behind the FBI’s PRTT orders on behalf of NSA
Finally, there’s a series of entries on the classification guide for FISA programs leaked by Edward Snowden.
These entries show that FBI obtained counterterrorism information using PRTTs for NSA — which was considered Secret.
But that the FBI PR/TT program – which seems different than these individual orders — was considered TS/SI/NOFORN.
If you compare these entries with the rest of the classification guide, you see that this information — the fact that NSA gets PRTT information from FBI (in addition to information from Pen Registers, which seems to be treated differently at the Secret level) – is treated with the same degree of secrecy as the actual targeting information or raw collected data on all other programs.
This is considered one of the most sensitive secrets in the whole FISA package.
Even minimized PRTT data is considered TS/SCI.
Now, it is true that this establishes an exact parallel with the BR FISA program (which the classification guide makes clear NSA obtained directly). So it may be attributable to the fact that the existence of the programs themselves was considered a highly sensitive secret.
So maybe that’s it. Maybe this just reflects paranoia about the way NSA was secretly relying on the PATRIOT Act to conduct massive dragnet programs.
Except there’s the date.
This classification guide was updated on February 7, 2012 — over a month after NSA shut down the PRTT program. Also, over a month after — according to Theresa Shea — the NSA destroyed all the data it had obtained under PRTT. (Note, her language seems to make clear that this was the NSA’s program, not the FBI’s.)
That is, over a month after the NSA ended its PRTT program and destroyed the data from it (at least according to sworn declarations before a court), the NSA’s classification guide referred to an FBI PRTT program that it considered one of its most sensitive secrets. And seemed to consider active.
I have no idea what this program entailed — and no one else has even picked up on this detail. It’s possible NSA’s Internet dragnet just moved under the FBI’s control. It’s possible (this is my current operative wildarseguess) that FBI’s PRTT program collects location data; the Bureau uses PRTT orders to get individualized location data, after all.
Whatever it is, though, the existence of ICREACH would make that data available to NSA in a form it could use to include it in contact chaining of metadata (which may be why it figures so prominently in NSA’s classification guide). And note: FBI’s minimization procedures are far more lenient than NSA’s, so whatever this data is, NSA may be able to do more with it given that FBI collected it.
And as with a number of other things, even the Pat Leahy version of USA Freedom would weaken protections for PRTT data.
At some point (perhaps at the end of 2009, but sometime before this application), the government tried to reapply, but withdrew their application. The three letters below were sent in response to that. But they were submitted with the reapplication.
(15/27) In addition to tagging data itself, the source now gets noted in reports.
(16/27) NSA wanted all analysts to be able to query.
(16/27) COntrary to what redaction seemed to indicate elsewhere, only contact chaining will be permitted.
(17/27) This implies that even technical access creates a record, though not about what they access, just when and who did it.
(17/27) NSA asked for the same RAS timelines as in BRFISA — I think this ends up keeping RAS longer than an initial PRTT order.
(18/27) “Virtually every PR/TT record contains some metadata that was authorized for collection, and some metadata that was not authorized for collection … virtually every PR/TT record contains some data that was not authorized by prior orders and some that was not.”
(21/27) No additional training for internal sharing of emails.
(21/27) Proof they argue everything that comes out of a query is relevant to terrorism:
Results of queries of PR/TT-sourced metadata are inherently germane to the analysis of counterterrorism-related foreign intelligence targets. This is because of NSA’s adherence to the RAS standard as a standard prerequisite for querying PR/TT metadata.
(22/27) Note “relevance” creep used to justify sharing everywhere. I really suspect this was built to authorize the SPCMA dragnet as well.
(23/27) Curious language about the 2nd stage marking: I think it’s meant to suggest that there will be no additional protection once it circulates within the NSA.
(24/27) NSA has claimed they changed to the 5 year age-off in December 2009. Given the question about it I wonder if that’s when these letters were sent?
(24/27) Their logic for switching to USSID-18:
these procedures form the very backbone for virtually all of NSA’s dissemination practices. For this reason, NSA believes a weekly dissemination report is no longer necessary.
(24-5/27) The explanation for getting rid of compliance meetings is not really compelling. Also note that they don’t mention ODNI’s involvement here.
(25/27) “effective compliance and oversight are not performed simply through meetings or spot checks.”
(27/27) “See the attached word and pdf documents provided by OIG on an intended audit of PR/TT prior to the last Order expiring as an example.” Guess this means the audit documents are from that shutdown period.
(2) DNI adopted new serial numbers for reports, so as to be able to recall requests.
(3) THey’re tracking the query reports to see if they can withdraw everything.
(3) THis is another of the places they make it clear they can disseminate law enforcement information without the USSID requirements.
(4) It appears the initial application was longer than the July 2010, given the reference to pages 78-79.
There are some very interesting comparisons with the early 2009 application, document AA.
(1) Holder applied directly this time rather than a designee (Holder may not have been confirmed yet for the early 2009 one).
(2) The redacted definition of foreign power in AA was longer.
(3) “collect” w/footnote 3 was redacted in AA.
(3) Takes out reference to “email” metadata.
(3) FN 4 both focuses on “Internet communication” rather than “email [redacted]” as AA did, but it also scopes out content in a nifty way.
I give up. I’m going to have to do a working thread on the IG Report on FBI’s use of NSLs. Here goes. References are to page numbers, not PDF numbers (PDF numbers are page+15).
ix: The report noted that NSL numbers dropped off what they had been 2007 to 2009. It speculates that may have been because of heightened scrutiny. I wonder it wasn’t because they were misusing the phone and Internet dragnet programs and getting the information that way. In 2009, after which the NSL numbers grew again, Reggie Walton shut that option down.
x: About half of NSLs during this period were used to investigate USPs.
x: “certain Internet providers refused to provide electronic communication transactional records in response to ECPA NSLs.”
xii: They’re hiding the current status of permitting the use of NSLs to get journo contacts. Which would seem to confirm they are doing so.
xiii: They’re also hiding the status of the OLC memo they used to say they could get phone records voluntarily (see this post for why). They don’t hide things very well.
2: It just makes me nuts we’re only now reviewing NSL use from 2009. Know what has happened in the interim, for example? A key player in this stuff, Valerie Caproni, has become a lifetime appointed judge.
11: Report notes that FBI tends to always use “overproduction” whether or not it was unauthorized or simply too broad.
17: Footnote 35 seems to suggest they have exceptions to the mandatory reporting requirements. What could go wrong?
39: So as recently as 2009, the tracking system did not alert OGC of manual NSLs in some percentage of the cases.
57 The numbers reported to Congress are off from the numbers shown to IG by as much as 2,800.
58: Love footnote 73, which aims to explain why the NSL numbers reported to Congress are significantly lower than those reported to OIG.
After reviewing the draft of this report, the FBI told the OIG for the first time that the NSL data provided to Congress would almost never match the NSL data provided to the OIG because the NSL data provided to Congress includes NSLs issued from case files marked “sensitive,” whereas the NSL data provided to the OIG does not. According to the FBI, the unit that provided NSL data to the OIG does not have access to the case files marked “sensitive” and was therefore unable to provide complete NSL data to the OIG. The assertion that the FBI provided more NSL data to Congress than to the OIG does not explain the disparities we found in this review, however, because the disparities we found reflected that the FBI reported fewer NSL requests to Congress than the aggregate totals.
The FBI just gives up on 100% accuracy in its NSL numbers.
After reviewing the draft of this report, the FBI told the OIG that while 100 percent accuracy can be a helpful goal, attempting to obtain 100 percent accuracy in the NSL subsystem would create an undue burden without providing corresponding benefits. The FBI also stated that it has taken steps to minimize error to the greatest extent possible.
59: On the discrepancies, OIG points out the obvious:
[T]he total number of manually generated NSLs that the FBI inspectors identified is relatively small compared to the total number of 30,442 NSL requests issued by the FBI that year. What remains unknown, however is, whether the FBI inspectors identified all the manually identified generally NSLs issued by the FBI or whether a significant number remains unaccounted for and unreported.
61: The database tracking 2007 requests — a year where there were discrepancies for 215 orders too — “is retired and unavailable.”
62: The report doesn’t have subscriber only data, which I suspect is obtained in bulk.
63: There is a significant change in the make-up of what FBI is getting in 2009, from subscriber records and toll and financial records in 2008 to toll records, then subscriber and electronic communication records in 2009. I strongly suspect that says some of the 214 and 215 collection moved to NSLs.
71: Apparently it was the release of an earlier OLC memo that led at least 2 Internet companies to refuse NSLs.
The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.
Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electornic communication transactional records because that term does not appear in subsection (b).
Today’s Inspector General Report on FBI’s use of National Security Letters has set off a bunch of alarm bells in my head.
At issue are two unexplained problems.
First, the Inspector General identified a huge drop in NSL use for the years covering this report: FBI obtained 49,425 NSLs in 2006, the year before this report. It obtained 54,935 afterwards. The years in-between — the 3 years covered by this report — NSLs dropped off a relative cliff, with 20% fewer in 2007 and even fewer in 2009.
The IG wasn’t able to offer any explanation for this, besides the possibility that increased scrutiny on NSL use led people to use other methods to get this information.
However, two supervisors and a division counsel told us that they believe agents use NSLs less often now than they did five years ago. These individuals told us that because of increased scrutiny on NSL use agents employ alternative investigative tools when possible.
In testimony last year, Jim Comey said FBI agents would just use grand jury subpoenas rather than NSLs if the NSLs became too onerous, so that may be where the activity disappeared to.
Hey, if 20% of FBI NSLs could be grand jury subpoenas without any problem, let’s make them do that!
It’s FBI’s other counting problems — and its non-answers — that have me even worried.
According to the IG, the FBI is not reporting as much as
7.3% [update, 10/16: I think the correct number is 6.8%] of its NSL use to Congress. For example, when the IG tried to pull NSLs by NSL type (that is, toll billing, financial records, electronic transaction records), it found a significant discrepancy between what had been reported to Congress and what FBI’s internal spreadsheets showed.
[T]he NSL data in the itemized spreadsheets does not exactly match the NSL data reported to Congress in 2008 and 2009. The total number of requests reported for each year [by transaction type] is more than the total number of NSL requests reported to Congress by 2,894 and 2,231 requests, respectively. (63)
So for 2009, where FBI requested just 30,442 NSLs, FBI did not report 7.3% of the NSLs it requested.
(I can’t double check my math here because FBI redacted some of these tables, but I guess that’s one of the hazards of overclassifying things.)
That’s troubling enough, as is FBI’s lackadaisical attitude towards correcting the disparity.
After reviewing the draft of this report, the FBI told the OIG that while 100 percent accuracy can be a helpful goal, attempting to obtain 100 percent accuracy in the NSL subsystem would create an undue burden without providing corresponding benefits. The FBI also stated that it has taken steps to minimize error to the greatest extent possible.
Ho hum, we’re just the FBI, why expect us to be able to police ourselves?
But it gets weirder.
First, the one theory the IG came up with to explain the discrepancy is that FBI is not counting all the manual NSLs that bypass their automatic counting system implemented in response to the first IG Reports on NSLs.
In fact, they’re not: FBI’s Inspection Division found they’re not counting some significant (not single digit) percentage number of their manual NSLs (they redact how much they’re not counting on page 39).
But the IG seems to suspect there may be even more manual requests that are not being counted at all.
[T]he total number of manually generated NSLs that the FBI inspectors identified is relatively small compared to the total number of 30,442 NSL requests issued by the FBI that year. What remains unknown, however is, whether the FBI inspectors identified all the manually identified generally NSLs issued by the FBI or whether a significant number remains unaccounted for and unreported.(58)
If you guessed that FBI redacted under what circumstances FBI permits agents to bypass this automatic counting system, you’d be right. That discussion is in footnote 35 on page 17, and again on pages 113-115.
But I worry, given one observation from the IG, that they’re bypassing the automatic system in cases of “sensitive” investigations. Some apparent moron tried to explain why the IG found higher numbers for NSLs than Congress because the NSLs related to sensitive investigations were being reported to Congress but not the IG.
After reviewing the draft of this report, the FBI told the OIG for the first time that the NSL data provided to Congress would almost never match the NSL data provided to the OIG because the NSL data provided to Congress includes NSLs issued from case files marked “sensitive,” whereas the NSL data provided to the OIG does not. According to the FBI, the unit that provided NSL data to the OIG does not have access to the case files marked “sensitive” and was therefore unable to provide complete NSL data to the OIG. The assertion that the FBI provided more NSL data to Congress than to the OIG does not explain the disparities we found in this review, however, because the disparities we found reflected that the FBI reported fewer NSL requests to Congress than the aggregate totals. (58)
Aside from the revelation that FBI doesn’t understand how numbers work — that if Congressional reporting reflected a larger universe of NSLs than what the IG got to see, Congressional numbers should be higher, now lower — this also seems to mean that the IG is not being permitted to review the NSLs relating to sensitive investigations.
Now, it’s not entirely clear what FBI means by “sensitive” in this circumstance. But generally, “sensitive” investigations at FBI are those that investigate reporters, faith leaders, and politicians.
So it seems possible the FBI is not permitting the IG to review precisely the practices he should review.
Which brings me to another matter that is almost entirely redacted.
As I’ve reported repeatedly, one thing the last IG report on Exigent Letters showed is that a number of journalists have had their phone records collected by FBI. In addition, the 2011 DIOG made it acceptable to use NSLs to do so. Here’s the section of the executive summary of this report that describes whether FBI has resolved this issue.
From which I can only assume that FBI is continuing to use NSLs to collect journalist records (if FBI would like to declassify this language to prove me wrong, I welcome their transparency!).
So to sum up:
All that could be badly wrong — much of this information is redacted from both me, and in some cases, from Congress.
But doesn’t it raise some awfully big questions?