As longtime readers know, I have long tracked a DOJ Inspector General investigation into FBI’s use of Section 215 and other PATRIOT Act authorities.
A good healthy obsession!
Since it’s been a while — the investigation is now 1,403 days old — yesterday I decided to nag the IG office.
They were mum on when we might finally see the report. Instead of offering details, they directed me to their new (apparently brand spanking new) “in the interest of transparency” page on their ongoing work.
It shows the long-promised report, still focusing on Section 215 use through 2009, as well as NSLs and pen register.
Use of National Security Letters, Section 215 Orders, and Pen Register and Trap-and-Trace Authorities under FISA from 2007 through 2009
The OIG is again examining the FBI’s use of NSLs and Section 215 orders for business records. This review is assessing the FBI’s progress in responding to the OIG’s recommendations in its first and second reports on the FBI’s use of NSLs and its report on the FBI’s improper use of exigent letters and other informal means to obtain telephone records. A focus of this review is the NSL subsystem, an automated workflow system for NSLs that all FBI field offices and headquarters divisions have been required to use since January 1, 2008, and the effectiveness of the subsystem in reducing or eliminating noncompliance with applicable authorities. The current review is also examining the number of NSLs issued and Section 215 applications filed by the FBI between 2007 and 2009, and any improper or illegal uses of these authorities. In addition, the review is examining the FBI’s use of its pen register and trap-and-trace authority under FISA.
But it also shows a report not mentioned in Michael Horowitz’ last report.
A report on the dragnet.
Bulk Telephony Review
The OIG is reviewing the FBI’s use of information derived from the National Security Agency’s (NSA) collection of telephony metadata obtained from certain telecommunications service providers under Section 215 of the Patriot Act. The review will examine the FBI’s procedures for receiving, processing, and disseminating leads the NSA develops from the metadata, and any changes that have been made to these procedures over time. The review will also examine how FBI field offices respond to leads, and the scope and type of information field offices collect as a result of any investigative activity that is initiated. In addition, the review will examine the role the leads have had in FBI counterterrorism efforts.
In truth, this investigation may not be all that distinct from the known PATRIOT authorities investigation. The minimization procedures for both – and therefore the way the information gets used, an issue central to both investigations — appear to be the same. And to the extent that the number of 215 orders with minimization procedures has been growing since 2010 indicates the FBI is collecting other information in bulk, the programs may well interrelate.
At first, I thought that this investigation, with the very significant exception of the way the dragnet serves to identify informants, might not reveal anything that problematic. Upon review, I’m not so sure. I’ll explain why in a follow-up report.
The one big difference between the two investigations, however (and I’ll discuss this at more length in the follow-up), is that dragnet investigation, unlike the PATRIOT Authority one, appears not to be time delimited. Whereas the older investigation only looks at practices through 2009, the dragnet investigation appears to be examining on-going practices. It seems to be investigating all the 215-related issues identified by Pat Leahy that the IC IG should investigate that come under DOJ’s jurisdiction.
So bad news good news! DOJ is still, 1,403 days later, investigating how the FBI used PATRIOT Act authorities 5 years ago, meaning more recent developments are not getting much attention.
But there is a potentially related investigation looking at what the FBI ingests from the phone dragnet (at least the small part relating to Section 215) right now.
I Con the Record reissued less classified versions of two Section 215 orders: the March 2, 2009 one that sharply restricted the phone dragnet without much new declassified, and the June 22, 2009 one that dealt, in part, with FBI and CIA access to the data in both the Internet and phone dragnet, showing both those parts unclassified in the same order (previously the government had released two separate versions — phone, Internet — with different things declassified).
The only new document was a November 23, 2010 order, modeled closely on a December 12, 2008 one. The earlier one had judged that the Stored Communication Act’s limits on collection did not preclude the use of Section 215 to collect phone records. This one judged that the Right to Financial Privacy Act did not preclude the use of Section 215 to collect financial records. Both opinions basically find that because those laws permit the use of National Security Letters to obtain such records without judicial review, clearly it’s okay to obtain the same records with judicial review under Section 215.
Of course, we know that in the phone context — and so presumably also in the financial records context — the use of Section 215 also entailed bulk, potentially comprehensive collection. While some bulk collection occurred under NSLs, especially for phone records (we know that because that’s the only category of NSL that doesn’t get accounted individually in public records), and while we assume bulk collection occurred under Bush’s illegal program via other means, moving a new kind of record under Section 215 may represent the institutionalization of bulk collections of another type of document.
Aside from revealing that this order pertained to financial records, we don’t know much about the underlying order. The order says the records were provided to the FBI (though WSJ and NYT reported CIA used Section 215 to get money order records). It uses “financial records” in scare quotes, so it is possible it is something beyond just bank records. And the fact that it was stamped by John Bates (then the presiding judge) suggests it may have been regarded as rather significant.
All that said, this opinion doesn’t necessarily mark November 2010 as the date the government started using Section 215 to collect (presumably bulk) financial records. After all, the government collected phone records for over 2 years before answering the seemingly obvious question of whether doing so violated other laws. I suspect they did so in 2008 in response to questions then DOJ Inspector General Glenn Fine kept raising about Section 215. And it is perhaps instructive that Fine was, in November 2010, working on a new Section 215 review, one that has since been delayed, in part by ODNI and DOJ refusal to declassify a number of documents, for 1,371 days.
Perhaps it’s just a remarkable coinkydink, but Fine resigned 6 days after this FISC ruling was issued.
Two more details about this. First, as I have shown, DOJ appears to have been hiding details about Section 215 from Congress during this period, though the only financial records they would have been obliged to disclose were tax records.
In addition, the number Section 215 orders started going up drastically in 2010, along with the number of orders the FISC modified to require minimization procedures.
Nevertheless, the reports show us two new things.
First, while we knew the number of modifications has gone up significantly in the last three years (we now know that many of the modifications in 2009 had to do with phone dragnet violations), the latest reports ODNI released say this:
The FISC modified the proposed orders submitted with forty-three such applications in 2010 (primarily requiring the Government to submit reports describing implementation of applicable minimization procedures).
The FISC modified the proposed orders submitted with 176 such applications in 2011 (requiring the Government to submit reports describing implementation of applicable minimization procedures).
I’ve suggested that 176 modified applications may suggest the government has as many as 44 bulk collection programs, which would be renewed every three months (or, alternately, a whole lot more specific bulk collection orders).
That is, this rise in what are almost certainly bulk collection orders came around the same time as FISC “Bates-stamped” the collection of financial records with Section 215.
Finally, consider one more thing. Last year, 26 Senators raised concerns about credit card records; last week’s RuppRoge House Intelligence Committee dragnet fix doesn’t prohibit the bulk collection of credit card records (their list, I now realize, is based off the list of sensitive records currently written into Section 215). Credit card records are covered under FRPA.
So while it would be a wildarsed guess, it would not be unreasonable to guess that some of this spike in bulk collection involved credit card records, approved by this November 2010 opinion.
Any bets we’ll finally get that DOJ IG Report on Section 215, showing that’s what they’ve been doing?
SEN. MIKULSKI: General Clapper, there are 36 different legal opinions.
DIR. CLAPPER: I realize that.
SEN. MIKULSKI: Thirty-six say the program’s constitutional. Judge Leon said it’s not.
Thirty-six “legal opinions” have deemed the dragnet legal and constitutional, its defenders say defensively, over and over again.
But that’s not right — not by a long shot, as ACLU’s Brett Max Kaufman pointed out in a post yesterday. In its report, PCLOB confirmed what I first guessed 4 months ago: the FISA Court never got around to writing an opinion considering the legality or constitutionality of the dragnet until August 29, 2013.
FISC judges, on 33 occasions before then, signed off on the dragnet without bothering to give it comprehensive legal review.
Sure, after the program had been reauthorized 11 times, Reggie Walton considered the more narrow question of whether the program violates the Stored Communications Act (I suspect, but cannot yet prove, that the government presented that question because of concerns raised by DOJ IG Glenn Fine). But until Claire Eagan’s “strange” opinion in August, no judge considered in systematic fashion whether the dragnet was legal or constitutional.
And the thing is, I think FISC judge — now Presiding Judge — Reggie Walton realized around about 2009 what they had done. I think he realized the program didn’t fit the statute.
Consider a key problem with the dragnet – another one I discussed before PCLOB (though I was not the first or only one to do so). The wrong agency is using it.
Section 215 does not authorize the NSA to acquire anything at all. Instead, it permits the FBI to obtain records for use in its own investigations. If our surveillance programs are to be governed by law, this clear congressional determination about which federal agency should obtain these records must be followed.
Section 215 expressly allows only the FBI to acquire records and other tangible things that are relevant to its foreign intelligence and counterterrorism investigations. Its text makes unmistakably clear the connection between this limitation and the overall design of the statute. Applications to the FISA court must be made by the director of the FBI or a subordinate. The records sought must be relevant to an authorized FBI investigation. Records produced in response to an order are to be “made available to,” “obtained” by, and “received by” the FBI. The Attorney General is directed to adopt minimization procedures governing the FBI’s retention and dissemination of the records it obtains pursuant to an order. Before granting a Section 215 application, the FISA court must find that the application enumerates the minimization procedures that the FBI will follow in handling the records it obtains. [my emphasis, footnotes removed]
The Executive convinced the FISA Court, over and over and over, to approve collection for NSA’s use using a law authorizing collection only by FBI.
Which is why I wanted to point out something else Walton cleaned up in 2009, along with watchlists of 3,000 Americans who had not received First Amendment Review. Judge Reggie Walton disappeared the FBI Director.
The structure of all the dragnet orders released so far (save Eagan’s opinion) follow a similar general structure:
- An (unnumbered, unlettered) preamble paragraph describing that the FBI Director made a request
- 3-4 paragraphs measuring the request against the statute, followed by some “wherefore” language
- A number of paragraphs describing the order, consisting of the description of the phone records required, followed by 2 minimization paragraphs, the first pertaining to FBI and,
- The second paragraph introducing minimization procedures for NSA, followed by a larger number of lettered paragraphs describing the treatment of the records and queries (this section got quite long during the 2009 period when Walton was trying to clean up the dragnet and remains longer to this day because of the DOJ oversight Walton required)
An application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (the Act), Title 50, United States Code (U.S.C.), § 1861, as amended, requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, the Court finds that:
1. The Director of the FBI is authorized to make an application for an order requiring the production of any tangible thing for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the First Amendment to the Constitution of the United States. [50 U.S.C. § 1861 (c)(1)]
2. The tangible things to be produced are all call-detail records or “telephone metadata” created by [the telecoms]. Telephone metadata includes …
3. There are reasonable grounds to believe that the tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12,333 to protect against international terrorism, … [my emphasis]
Here’s how the next order and all (released) following orders start [save the bracketed language, which is unique to this order]:
An verified application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (FISA), as amended, 50 U.S.C. § 1861, requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, [as well as the government's filings in Docket Number BR 08-13 (the prior renewal of the above-captioned matter),] the Court finds that:
1. There are reasonable grounds to believe that the tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12333 to protect against international terrorism, …
That is, Walton took out the paragraph — which he indicated in his opinion 3 months earlier derived from the statutory language at 50 U.S.C. § 1861 (c)(1) — pertaining to the FBI Director. The paragraph always fudged the issue anyway, as it doesn’t discuss the FBI Director’s authority to obtain this for the NSA. Nevertheless, Walton seems to have found that discussion unnecessary or unhelpful.
Walton’s March 5, 2009 order and all others since have just 3 statutory paragraphs, which basically say:
Here’s what 50 USC 1861 (c)(1), in its entirety, says:
(1) Upon an application made pursuant to this section, if the judge finds that the application meets the requirements of subsections (a) and (b), the judge shall enter an ex parte order as requested, or as modified, approving the release of tangible things. Such order shall direct that minimization procedures adopted pursuant to subsection (g) be followed.
And here are two key parts of subsections (a) and (b) — in addition to “relevant” language that has always been included in the dragnet orders.
(a) Application for order; conduct of investigation generally
(1) Subject to paragraph (3), the Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things
(2) shall include—
(B) an enumeration of the minimization procedures adopted by the Attorney General under subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of Investigation of any tangible things to be made available to the Federal Bureau of Investigation based on the order requested in such application.
FBI … FBI … FBI.
The language incorporated in 50 USC 1861 (c)(1) that has always been cited as the standard judges must follow emphasizes the FBI repeatedly (PCLOB laid out that fact at length in their analysis of the program). And even Reggie Walton once admitted that fact.
And then, following his lead, FISC stopped mentioning that in its statutory analysis altogether.
Eagan didn’t even consider that language in her “strange” opinion, not even when citing the passages (here, pertaining to minimization) of Section 215 that directly mention the FBI.
Section 215 of the USA PATRIOT Act created a statutory framework, the various parts of which are designed to ensure not only that the government has access to the information it needs for authorized investigations, but also that there are protections and prohibitions in place to safeguard U.S. person information. It requires the government to demonstrate, among other things, that there is “an investigation to obtain foreign intelligence information … to [in this case] protect against international terrorism,” 50 U.S.C. § 1861(a)(1); that investigations of U.S. persons are “not conducted solely upon the basis of activities protected by the first amendment to the Constitution,” id.; that the investigation is “conducted under guidelines approved by the Attorney General under Executive Order 12333,” id. § 1861(a)(2); that there is “a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant” to the investigation, id. § 1861(b)(2)(A);14 that there are adequate minimization procedures “applicable to the retention and dissemination” of the information requested, id. § 1861(b)(2)(B); and, that only the production of such things that could be “obtained with a subpoena duces tecum” or “any other order issued by a court of the United States directing the production of records” may be ordered, id. § 1861(c)(2)(D), see infra Part III.a. (discussing Section 2703(d) of the Stored Communications Act). If the Court determines that the government has met the requirements of Section 215, it shall enter an ex parte order compelling production.
This Court must verify that each statutory provision is satisfied before issuing the requested Orders. For example, even if the Court finds that the records requested are relevant to an investigation, it may not authorize the production if the minimization procedures are insufficient. Under Section 215, minimization procedures are “specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” Id. § 1861(g)(2)(A)
Reggie Walton disappeared the FBI Director as a statutory requirement (he retained that preamble paragraph, the nod to authorized FBI investigations, and the perfunctory paragraph on minimization of data provided from NSA to FBI) on March 5, 2009, and he has never been heard from in discussions of the FISC again.
Now I can imagine someone like Steven Bradbury making an argument that so long as the FBI Director actually signed the application, and so long as the FBI had minimization procedures for the as few as 16 tips they receive from the program in a given year, it was all good to use an FBI statute to let the NSA collect a dragnet potentially incorporating all the phone records of all Americans. I can imagine Bradbury pointing to the passive construction of that “things to be made available” language and suggest so long as there were minimization procedures about FBI receipt somewhere, the fact that the order underlying that passive voice was directed at the telecoms didn’t matter. That would be a patently dishonest argument, but not one I’d put beyond a hack like Bradbury.
The thing is, no one has made it. Not Malcolm Howard in the first order authorizing the dragnet, not DOJ in its request for that order (indeed, as PCLOB pointed out, the application relied heavily on Keith Alexander’s declaration about how the data would be used). The closest anyone has come is the white paper written last year that emphasizes the relevance to FBI investigations.
But no one I know of has affirmatively argued that it’s cool to use an FBI statute for the NSA. In the face of all the evidence that the dragnet has not helped the FBI thwart a single plot — maybe hasn’t even helped the FBI catch one Somali-American donating less than $10,000 to al-Shabaab, as they’ve been crowing for months — FBI Director Jim Comey has stated to Congress that the dragnet is useful to the FBI primarily for agility (though the record doesn’t back Comey’s claim).
Which leaves us with the only conclusion that makes sense given the Executive’s failure to prove it is useful at all: it’s not the FBI that uses it, it’s NSA. They don’t want to tell us how the NSA uses it, in part, because we’ll realize all their reassurances about protections for Americans fall flat for the millions of Americans who are 3 degrees away from a potential suspect.
But they also don’t want to admit that it’s the NSA that uses it, because then it’ll become far more clear how patently illegal this program has been from the start.
Better to just disappear the FBI Director and hope no one starts investigating the disappearance.
I’m aiming to have some rough guesses about what kind of bulk collection the FBI might use National Security Letters for (spoiler alert: my wildarseguess is that they’re getting subscriber lists from the same telecoms they’re getting phone dragnet data from).
But first, I want to return to the exigent letter program and consider how it may have complemented the dragnet during the period the dragnet had no court sanction.
As a reminder, starting in 2002, the FBI started getting phone calling records on individual users directly from telecoms using “exigent letters” — basically letters saying they needed the records urgently and promising some kind of legal documentation in the future. In 2003, representatives of the telecoms started moving onsite, so FBI Agents could ask for this information while looking over the representatives’ shoulders. As part of it, the FBI got “community of interest” data (basically, the 3-degrees information the phone dragnet provides) and “hot number” data (an alert when a number was used, which also became part of the phone dragnet). The program spun out of control because FBI often would never go back and provide that paperwork (and also they used it for improper purposes).
In 2006, at the same time the the phone dragnet from the illegal wiretap program was moving to Section 215 orders, FBI was trying to clean up the exigent letter problems with “blanket National Security Letters.” FBI issued the first blanket NSL on May 12, 2006; FISC approved the first Section 215 order on May 24. And while it took until January 2008 for the last telecom personnel to move out of FBI digs, FBI started phasing out the program by imposing new restrictions in 2006.
There’s a lot we don’t know yet about the exigent letters program — and the actions of those telecom personnel camping out at the FBI. That the 2010 IG Report on was produced in TS/SCI, classified, and unclassified versions (the other two NSL IG Reports (2007, 2008) came in classified and unclassified versions) suggests it had some tie to more sensitive counterterrorism programs, quite likely the illegal program.
And to some degree, the onsite telecom personnel were duplicating what we understand NSA to have been doing with phone call records in the illegal wiretap program: tracking activity and establishing 3-degree-of-separation maps around phone identifiers of interest. At least for those FBI Agents who knew of the illegal dragnet, they could get the same information from the NSA, though for FBI Agents it was likely more immediate to go directly to the telecom person and provide requests on post-it notes (as sometimes occurred). Moreover, the FBI could and did quickly check whether queries would be fruitful before they formally queried a number. That means they could use the telecom presence to run contact-chaining on people who were not yet formally identified as terrorist suspects (though that seems to have been possible with the NSA program at that point too).
But the duplicative nature of the program suggests the possibility (particularly given that it started in earnest in May 2003, after the illegal program had gotten started) that the telecom presence was used to launder results back through the telecoms to make them usable for both FISC and other Title III Courts.
One more thing of interest, given my spoiler alert. As far as I understand, the FBI would have access not just to a number’s community of interest, but also to the name of a phone subscriber (or, alternately, immediately be able to learn if a telecom served a particularly person or number). That is, the onsite telecom program provided the FBI with something that the current dragnet, as publicly understood, did not: easy access to contact-chaining, with identities attached.
As I have noted before, DOJ’s Inspector General has said he may be limited in what he presents in his 1,297-day old study of the use of Section 215 through 2009, started under his predecessor (who authored all the other reports), Glenn Fine, unless DOJ will declassify the earlier NSL and Section 215 reports. So there’s clearly a tie between what was done with Section 215 as it moved under FISC review and what had been done earlier with NSLs.
One thing I’m wondering about is whether FBI uses(d) NSLs to accomplish the parts of the previous programs that haven’t been authorized under the use of Section 215.
DOJ’s Inspector General Michael Horowitz released his annual list of challenges today (which includes a focus on prison problems). In his section on national security and civil liberties he spends 4 paragraphs calling for more information sharing before he turns to civil liberties. In that section, he once again promises the report on the use of Section 215 his office has been working on for 1,265 days.
But he adds something new. He suggests this report may be limited by whether or not DOJ and ODNI declassify sections of the past reports.
The OIG’s ongoing reviews also include our third review of the Department’s requests for business records under Section 215 of the Foreign Intelligence Surveillance Act (FISA), as well as our first review of the Department’s use of pen register and trap-and-trace devices under FISA. Although the full versions of our prior reports on NSLs and Section 215 all remain classified, we have released unclassified versions of these reports, and we have requested that the Department and the Office of the Director of National Intelligence (ODNI) conduct declassification reviews of the full classified versions. The results of any declassification review may also affect how much information we will be able to publish regarding our pending reviews when they are complete.
As I have noted in the past, the 2008 report includes two appendices on then-secret uses of Section 215, one of which almost certainly pertains to the phone dragnet. In addition, it includes a sharply critical section on DOJ’s failure to institute new minimization procedures specific to Section 215 (which would dramatically affect its use for the phone dragnet).
Now Horowitz is saying that, unless DOJ and ODNI declassify these past reports, he won’t be able to present in unclassified form all the findings in his current report (which covers the period through 2009, and therefore the violations discovered in that year).
Horowitz suggests something similar is going on with DOJ IG’s work on content collection as well. Both a report he did last year on the FISA Amendments Act (which may suggest the FBI has not always abided by its targeting and minimization procedures) and Glenn Fine’s DOJ-specific review on the illegal wiretap program remain classified.
The OIG has also conducted oversight of other programs designed to acquire national security and foreign intelligence information, including the FBI’s use of Section 702 of the FISA Amendments Act (FAA), which authorizes the targeting of non-U.S. persons reasonably believed to be located outside the United States to acquire foreign intelligence information. The OIG’s 2012 review culminated in a classified report released to the Department and to Congress that assessed, among other things, the number of disseminated FBI intelligence reports containing a reference to a U.S. person identity and the FBI’s compliance with the targeting and minimization procedures required under the FAA. Especially in light of the fact that Congress reauthorized the FAA for another 5 years last session, we believe the findings and recommendations in our report will be of continuing benefit to the Department as it seeks to ensure the responsible use of this foreign intelligence tool. This report also was included in our request to the Department and ODNI for a declassification review, as was the full, classified version of our 2009 report on the President’s Surveillance Program, which described certain intelligence-gathering activities that took place prior to the enactment of the FAA. [my emphasis]
Elsewhere, Horowitz alludes to the Snowden leaks. Clearly, much of what appears in the 2009 and 2012 reports has been covered in leaks and releases to Congress. And yet, it seems, someone is stalling the declassification of DOJ IG’s work.
What has DOJ’s IG found that Eric Holder and James Clapper are trying to hide?
For 4 years, it has been clear that DOJ Inspector General Glenn Fine used his 2008 report on the FBI’s use of Section 215 to address how it had been used for what was then a secret program. For that reason, I want to look more closely at what he had to say about minimization.
Glenn Fine reveals how FBI minimization procedures are self-referential nonsense
As I noted, as part of a congressionally-mandated review completed in March 2008, DOJ’s Inspector General Glenn Fine reviewed whether DOJ had complied with PATRIOT Reauthorization’s requirement that the Attorney General craft minimization procedures to use with Section 215 collection.
He described how, in advance of a September 5, 2006 deadline, two parts of DOJ squabbled over what the minimization procedures should be.
Several months after enactment of the Reauthorization Act, the Office of Intelligence Policy and Review (OIPR) and the FBI — both of whom had been developing minimization procedures related to Section 215 orders — exchanged draft procedures. The drafts differed in fundamental respects, ranging from definitions to the scope of the procedures.
The fight seems to have been significantly fought between OIPR’s Counsel James Baker (who had a record of trying to get DOJ to follow the law) and FBI’s General Counsel Valerie Caproni (who got confirmed as a Federal Judge for NY this year literally at the same moment the Administration started releasing the most damning details on the dragnet).
Unresolved issues included the time period for retention of information, definitional issues of “U.S. person identifying information,” and whether to include procedures for addressing material received in response to, but beyond the scope of, the FISA Court order; uploading information into FBI databases; and handling large or sensitive data collections.
A couple of months would put this debate squarely in the time period when the first dragnet order would be signed (two months would be May 9; the first order was signed May 24).
And you can see how these issues would go squarely to the heart of whether or not the government could use Section 215 to authorize the dragnet. The dragnet introduces immediate retention issues, given that it authorizes collection on data not yet in existence; imagine if OIPR mandated an immediate search, with all non-responsive numbers to be destroyed. NSA itself treated phone numbers as “identifiers,” and yet this entire program fails to meet the most basic dissemination limits if you treat them as identifiers here. We know NSA had recurrent problem with receiving data that was beyond the scope, including credit card numbers and international data. Unloading this into the FBI database presents immense problems, given that the foreign intelligence value of a query is based on a algorithm, not more concrete evidence. And of course, Fine’s mention of the debate over “handling large or sensitive data collections” must implicate the dragnet, which is the quintessential large and sensitive data collection.
Almost the entirety of the detailed discussion of these issues is redacted.
While a number of the changes to Section 215 passed just before the government started relying on it to create a database of all phone-based relationships in the United States watered down the law, one provision made the law stricter.
The 2006 Reauthorization required the Attorney General to establish minimization procedures for the data collected under the program.
(g) Minimization Procedures and Use of Information- Section 501 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861) is further amended by adding at the end the following new subsections:
(g) Minimization Procedures-
(1) IN GENERAL- Not later than 180 days after the date of the enactment of the USA PATRIOT Improvement and Reauthorization Act of 2005, the Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this title.
(2) DEFINED- In this section, the term `minimization procedures’ means–
(A) specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;
(B) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in section 101(e)(1), shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance; and
(C) notwithstanding subparagraphs (A) and (B), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes.
(h) Use of Information- Information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title concerning any United States person may be used and disclosed by Federal officers and employees without the consent of the United States person only in accordance with the minimization procedures adopted pursuant to subsection (g). No otherwise privileged information acquired from tangible things received by the Federal Bureau of Investigation in accordance with the provisions of this title shall lose its privileged character. No information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title may be used or disclosed by Federal officers or employees except for lawful purposes.’.
But from the very start, the FISA Court and the Administration set out to ignore this requirement. After all, well before anyone did any analysis about the foreign intelligence value of the phone dragnet data, the FBI disseminated all of it, by having the telecoms hand it over directly to the NSA. And phone numbers are US person identifiers (best demonstrated by NSA’s use of phone numbers as identifiers to conduct searches in other contexts).
Thus, before any Agency even touched the data, the phone dragnet scheme violated this provision by disseminating non-publicly available information about US person identifiers on every single American without their consent.
According to FISC’s original Section 215 phone dragnet order, the NSA only had to abide by the existing SID-18 minimization procedures.
[D]issemination of U.S. person information shall follow the standard NSA minimization procedures found in the Attorney General-approved guidelines (U.S. Signals Intelligence Directive 18). [link added]
And the FBI only applied the minimization procedures it used to fulfill the statute after the NSA had already run queries on it.
With respect to any information the FBI receives as a result of this Order (information that is passed or “tipped” to it by NSA), the FBI shall follow as minimization procedures the procedures set forth in The Attorney General’s Guidelines for FBI National Security Investigations and Foreign Intelligence Collection (October 31, 2003). [link added]
Even after this initial order, the Attorney General did not comply with the mandate to come up with minimization procedures specific to Section 215. Instead, then Attorney General Alberto Gonzales just adopted four sections of the National Security Investigations Guidelines.
In analysis included in a 2008 review of the FBI’s use of Section 215, DOJ Inspector General Glenn Fine deemed this measure to fall short of the statute’s requirements.
These interim minimization procedures use general hortatory language stating that all activities conducted in relation to national security investigations must be “carried out in conformity with the Constitution.” However, we believe this broad standard does not provide the specific guidance for minimization procedures that the Reauthorization Act appears to contemplate.
[T]he Reauthorization Act required the Department to adopt “specific procedures” reasonably designed to “minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” We believe that the interim procedures do not adequately address this requirement, and we recommend that the Department continue its efforts to construct specific minimization procedures relating to Section 215 orders, rather than rely on general language in the Attorney General’s NSI Guidelines.
As I’ll show in a follow-up post, presumably in response to Fine’s report, Attorney General Michael Mukasey adopted new, arguably even more general guidelines to fulfill this requirement, the AG Guidelines for Domestic FBI Operations. (I strongly suspect the August 20, 2008 FISC opinion the government won’t release authorizes the language that would appear in those Guidelines).
But the implications of this have more immediate significance.
After all, the only known American who got busted based on a Section 215 tip, Basaaly Moalin, argues for a new trial tomorrow. And he was tipped based on dissemination that took place in 2007 — that is, before DOJ even tried to address these problematic minimization procedures. He was tipped based on dissemination that — under the letter of the PATRIOT Act — should never have happened.
Update: With regards to Moalin’s case, this seems pertinent.
As of early December 2007, the [Director of National Intelligence] working group [trying to harmonize defintions] had not defined “U.S. person identifying information.
This means that, at the time he was identified in the dragnet, the entire intelligence community was still fighting over whether phone numbers constituted US person identifying information entitled to additional protection.
Update: In an address to the EU Parliament, Jim Sensenbrenner accuses NSA of ignoring civil liberty protections in the PATRIOT Act.
“I firmly believe the Patriot Act saved lives by strengthening the ability of intelligence agencies to track and stop potential terrorists, but in the past few years, the National Security Agency has weakened, misconstrued and ignored the civil liberty protections we drafted into the law,” he said, adding that the NSA “ignored restrictions painstakingly crafted by lawmakers and assumed a plenary authority we never imagined.”
As I noted earlier, Charlie Savage describes how, after Don Verrilli made false representations to the Supreme Court about whether defendants get an opportunity to challenge FISA Amendments Act derived evidence, it set off a discussion in DOJ about their discovery obligations.
Mr. Verrilli sought an explanation from national security lawyers about why they had not flagged the issue when vetting his Supreme Court briefs and helping him practice for the arguments, according to officials.
The national security lawyers explained that it was a misunderstanding, the officials said. Because the rules on wiretapping warrants in foreign intelligence cases are different from the rules in ordinary criminal investigations, they said, the division has long used a narrow understanding of what “derived from” means in terms of when it must disclose specifics to defendants.
In national security cases involving orders issued under the Foreign Intelligence Surveillance Act of 1978, or FISA, prosecutors alert defendants only that some evidence derives from a FISA wiretap, but not details like whether there had just been one order or a chain of several. Only judges see those details.
After the 2008 law, that generic approach meant that prosecutors did not disclose when some traditional FISA wiretap orders had been obtained using information gathered through the warrantless wiretapping program. Division officials believed it would have to disclose the use of that program only if it introduced a recorded phone call or intercepted e-mail gathered directly from the program — and for five years, they avoided doing so.
For Mr. Verrilli, that raised a more fundamental question: was there any persuasive legal basis for failing to clearly notify defendants that they faced evidence linked to the 2008 warrantless surveillance law, thereby preventing them from knowing that they had an opportunity to argue that it derived from an unconstitutional search? [my emphasis]
It’s not entirely true that only judges learn if there are a series of orders leading up to a traditional FISA that incriminates a person. For example, we know it took 11 dockets and multiple orders to establish probable cause to wiretap Basaaly Moalin, the one person allegedly caught using Section 215. We also know there was a 2-month delay between the time they identified his calls with (probably) Somali warlord Aden Ayrow and the time they started wiretapping him under traditional FISA. Even before that point, Ayrow would have been — and almost certainly was — a legal FISA Amendments Act target. Meaning it’d be very easy for the government to watch Moalin’s side of their conversations in those two months to develop probable cause — or even to go back and read historical conversations (note, Ken Wainstein may have signed some of the declarations in question, which would make a lot of sense if they took place during the transition between Attorneys General earlier in 2007).
But Moalin’s attorneys didn’t — and still haven’t — learned whether that’s what happened. (Note, I’m overdue to lay out the filings in the case since I last covered it; consider it pending.)
But for the moment, I want to note that he strongly implies the US is relying on 18 U.S.C. § 2511(2)(f) to collect international metadata. He does it when he first introduces the phone dragnet secondary order (page 2).
The order excluded production of metadata concerning “communications wholly originating and terminating in foreign countries.”5 215 Bulk Secondary Order at 2; see Business Records FISA NSA Review at 15 (June 25, 2009) [hereinafter NSA End-to-End Review], available at http://www.dni.gov/files/documents/section/pub_NSA%20Business%20Records%20
FISA%20Review%2020130909.pdf; August 2013 FISC Order at 10 n.10; cf. 18 U.S.C. §2511(2)(f) (“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”). [my emphasis]
And he does it just after suggesting that the FISA Court may have approved the phone dragnet in 2006 — however shabby the legal case — just to have it under FISC supervision (note, he also nods to the Internet metadata dragnet, but as I’ll note he goes through some contortions to avoid addressing it all that directly).
More broadly, it is important to consider the context in which the FISA Court initially approved the bulk collection. Unverified media reports (discussed above) state that bulk telephony metadata collection was occurring before May 2006; even if that is not the case, perhaps such collection could have occurred at that time based on voluntary cooperation from the telecommunications providers. If so, the practical question before the FISC in 2006 was not whether the collection should occur, but whether it should occur under judicial standards and supervision, or unilaterally under the authority of the Executive Branch.147
147 With respect to metadata concerning foreign-to-foreign communications, which the FISC’s order expressly does not address, see 18 U.S.C. § 2511(2)(f)
This is important because it is precisely the clause (the one Kris cites above) that the Office of Legal Counsel reinterpreted in 2010 to cover past illegal access to phone metadata, including US based phone metadata.
The existence of that memo was first disclosed by Glenn Fine in his Exigent Letter IG Report. (See also this post.) He described how, in the context of its effort to clean up the legal process free access of phone data from the telecoms, DOJ had ordered up this opinion (though they claimed they were not relying on it). In 2011, DOJ provided enough information in response to a FOIA to make it clear the memo pertained to this passage.
Now, in context, Kris is just implying that the government is using this clause to get the telecoms to voluntarily turn over foreign to foreign communications.
Except we know precisely how the NSA defines “foreign communications.”
Foreign communication means a communication that has at least one communicant outside of the United States. All other communications, including communications in which the sender and all intended recipients are reasonably believed to be located in the United States at the time of acquisition, are domestic communications.
That is, so long as just one end of a communication is foreign, the NSA considers it a foreign communication (and therefore the telecoms can voluntarily disclose it under their interpretation of this clause of ECPA).
And remember: this opinion reinterpreting ECPA was written under the direction of — if not written by — David Barron, the guy Obama wants to have a lifetime appointment on the First Circuit.
I need to think through whether this means what I think it means. But it sure seems like Kris is not only saying that the government did use this loophole to collect metadata involving foreigners (and Americans). But given that DOJ claimed it could use this memo to clean up its entirely domestic communications problems (per the Fine IG Report), it sure seems like Kris is saying if we close the Section 215 collection, the government will just resume using ECPA.
Update: I just realized this post, which adopts an argument I made almost two weeks ago (that there is no original opinion for the phone dragnet) was written by Marty Lederman (who was at OLC during roughly the same period that Barron was).
Which is why I find it weird that Lederman makes an extended argument noting that an earlier clause in ECPA tweaked during the original PATRIOT Act bill prohibits this sharing of phone metadata.
You wouldn’t know it from Judge Eagan’s opinion–or from David Kris’s paper, for that matter–but Congress has actually considered the specific question about whether and under what circumstance service providers may disclose to the government the telephony metadata of their customers, and has enacted a statute dealing specifically with that question–a statute that expressly prohibits such disclosure. Moreover, the prohibition in question was enacted as part of the very same law that includes Section 215, namely, the PATRIOT Act of 2001.
A provision of the Electronic Communications Protection Act (ECPA), 18 U.S.C. 2702(a)(3), states that “a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.”
Statutory language doesn’t often get much clearer than that: A provider of remote computing service or electronic communication service to the public — a category that includes phone service providers — cannot knowingly convey consumer records or information to any governmental entity.
Remarkably, Congress added this prohibition to ECPA in section 212(a)(1)(B)(iii) of the 2001 PATRIOT Act itself–the same law in which section 215 expanded the “business records” provision upon which the government relies here. The two provisions are only three pages apart in the Statutes at Large. In other words, the government is relying here upon a broad, general “business records” provision included in the PATRIOT Act; but in that very same legislation, Congress included another provision specifically involving the business records of telephone customers, and in that more specific provision it precluded the very sort of records transfer at issue here.
The thing is, I find it almost impossible to believe that Lederman wouldn’t know about (or even didn’t review) that January 8, 2010 opinion. And he certainly must know what the implications of invoking foreign communications in the context of 18 U.S.C. § 2511(2)(f) to be.
Update: I missed one other mention of 2511(2)(f), which comes in Kris’ incomplete description of all the violations in the phone dragnet program (it is incomplete, in part, because he cites from the June report of the problems rather than the August filing presenting them, which includes several more, probably more troubling violations; but he also misses details of a few of the other violations which is particularly interesting because he, of all people, must know this stuff).
(8) acquisition of metadata for foreign-to-foreign telephone calls from a provider that believed such metadata to be within the scope of the FISC’s orders, when it was not, NSA End-to-End Review at 15; cf. August 2013 FISC Order at 10 n.10 (“The Court understands that NSA receives certain call detail records pursuant to other authority, in addition to the call detail records produced in response to this Court’s Orders.”); see generally 18 U.S.C. § 2511(2)(f) (“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”);
His inclusion of it here is interesting because this violation is likely the collection that Reggie Walton shut down temporarily on July 9, 2009. Does that mean they just kept collecting from this provider (I wonder, by the way, whether it’s something exotic like Skype), and deemed it covered by 18 U.S.C. § 2511(2)(f)? If so, Kris would have been among those who made the decision to do so.
Starting in 2007, DOJ’s Inpector General Glenn Fine did a series of reports on the FBI’s use of National Security Letters and Exigent Letters. In response (and as the FBI tried to clean up the mess from its inappropriate use of those tools), in 2007 the government asked OLC for an interpretation on the Electronic Communications Privacy Act. That opinion, which was issued on November 8, 2008, ruled that ECPA barred telecom providers from responding to certain kinds of requests without legal process.
Finally, you have asked whether a provider, in answer to an oral request before service of an NSL, may tell the FBI whether a particular account exists. This information would be confined to whether a provider serves a particular subscriber or a particular phone number. We believe that ECPA ordinarily bars providers from complying with such requests.
In the last of his IG Reports on NSLs and Exigent Letters, Fine argued that that OLC opinion made two of FBI’s practices with exigent letters — “sneak peeks” and “hot numbers” — illegal.
[T]he Department’s Office of Legal Counsel concluded, and we agree, that the ECPA ordinarily bars communications service providers from telling the FBI, prior to service of legal process, whether a particular account exists. We also concluded that if that type of information falls within the ambit of “a record or other information pertaining to a subscriber to or customer of such service” under 18 USC 2702(a)(3), so does the existence of calling activity by particular hot telephone numbers, absent a qualifying emergency under 18 USC 2702(c)(4).
Therefore, we believe that the practice of obtaining calling activity information about how numbers in these matters without service of legal process violated the ECPA.
We believe the FBI should carefully review the circumstances in which FBI personnel asked the on-site communications service providers [redacted] “hot numbers” to enable the Department to determine if the FBI obtained calling activity information under circumstances that trigger discovery or other obligations in any criminal investigations or prosecutions.
The “hot number” practice is functionally equivalent to the “alert list” the NSA used on the Section 215 dragnet database, in which it checked daily incoming calls to see if there had been any US contact with both approved and unapproved identifiers; if there was activity in both cases, it would spark further investigation.
The practice Fine focused on in this report was the requests FBI would get onsite telecom providers to fill without a subpoena. But at the same time Fine was working on that series of reports (the last one wasn’t issued until 2010) he was also working on a report on the FBI’s 2006 use of Section 215 (issued in March 2008), which included two classified appendices on bulk collection programs including (presumably) the phone dragnet from May until December 2006, and the 2009 Joint IG Report on the illegal wiretap program (which would have covered the dragnet program through May 2006).
We now know that both the pre May 2006 dragnet program and the post May 2006 dragnet program included a practice that, in wake of that OLC opinion (and perhaps before), Fine would find required some legal attention (the Pen Register equivalent in a grand jury context might put the post May 2006 practice in good stead, the 2008 opinion would seem to make the use of alerts earlier illegal, along with everything else).
Which may be why the government asked Judge Reggie Walton to consider whether the dragnet program complied with ECPA for his December 12, 2008 opinion.
That’s just a hypothesis (though the December 2008 would have been the first dragnet application after the OLC memo).
But if it’s right, it makes the NSA”s “discovery” of the alert process the following month all the more ridiculous. The alert process had been in place for years. FBI was being scolded for an equivalent practice (that ended in 2006) within FBI. And yet NSA somehow didn’t think to tell Walton about it until he had ruled ECPA did not present a problem for the dragnet more generally.
These three programs — the illegal program and the exigent letters, which both became the early dragnet in 2006 — are all closely related. Once you read them in tandem, though, it makes NSA”s claims to ignorance completely incredible.
Which brings me back to a reminder I’ve made several times. In the wake of the 2009 discoveries, Pat Leahy tried to mandate a DOJ review of the ongoing Section 215 activity, an effort the Administration thwarted. Fine agreed to do one anyway … then left. His replacement, Michael Horowitz, keeps claiming he’s still working on that investigation (but only covering the activities through 2009). That investigation has been going on 1,191 days now.
Update: Another interesting timing detail. According to the White Paper, the Intelligence and Judiciary Committees had all received the initial application and Primary Order on the dragnet by December 2008. So did they wait until the Walton opinion? Or did they know the Judiciary Committees would get them as part of DOJ IG reports?