For 4 years, it has been clear that DOJ Inspector General Glenn Fine used his 2008 report on the FBI’s use of Section 215 to address how it had been used for what was then a secret program. For that reason, I want to look more closely at what he had to say about minimization.
Glenn Fine reveals how FBI minimization procedures are self-referential nonsense
As I noted, as part of a congressionally-mandated review completed in March 2008, DOJ’s Inspector General Glenn Fine reviewed whether DOJ had complied with PATRIOT Reauthorization’s requirement that the Attorney General craft minimization procedures to use with Section 215 collection.
He described how, in advance of a September 5, 2006 deadline, two parts of DOJ squabbled over what the minimization procedures should be.
Several months after enactment of the Reauthorization Act, the Office of Intelligence Policy and Review (OIPR) and the FBI — both of whom had been developing minimization procedures related to Section 215 orders — exchanged draft procedures. The drafts differed in fundamental respects, ranging from definitions to the scope of the procedures.
The fight seems to have been significantly fought between OIPR’s Counsel James Baker (who had a record of trying to get DOJ to follow the law) and FBI’s General Counsel Valerie Caproni (who got confirmed as a Federal Judge for NY this year literally at the same moment the Administration started releasing the most damning details on the dragnet).
Unresolved issues included the time period for retention of information, definitional issues of “U.S. person identifying information,” and whether to include procedures for addressing material received in response to, but beyond the scope of, the FISA Court order; uploading information into FBI databases; and handling large or sensitive data collections.
A couple of months would put this debate squarely in the time period when the first dragnet order would be signed (two months would be May 9; the first order was signed May 24).
And you can see how these issues would go squarely to the heart of whether or not the government could use Section 215 to authorize the dragnet. The dragnet introduces immediate retention issues, given that it authorizes collection on data not yet in existence; imagine if OIPR mandated an immediate search, with all non-responsive numbers to be destroyed. NSA itself treated phone numbers as “identifiers,” and yet this entire program fails to meet the most basic dissemination limits if you treat them as identifiers here. We know NSA had recurrent problem with receiving data that was beyond the scope, including credit card numbers and international data. Unloading this into the FBI database presents immense problems, given that the foreign intelligence value of a query is based on a algorithm, not more concrete evidence. And of course, Fine’s mention of the debate over “handling large or sensitive data collections” must implicate the dragnet, which is the quintessential large and sensitive data collection.
Almost the entirety of the detailed discussion of these issues is redacted.
To meet the statutory requirement, DOJ adopted several sections of the 2003 AG National Security Investigations (see sections I.B.3, I.C, VII.A.1 and VII.B, and VIII). Fine gives hints about why the solution DOJ eventually adopted (as an interim solution) pretty much served only as a circular word game dodging the requirement altogether. For example, the NSI doesn’t define one of the most critical terms laid out in the Section 215 Minimization requirement and, we know, the phone dragnet.
The Definition section of the NSA Guidelines defines terms such as “foreign intelligence,” “international terrorism,” and “publicly available.” However, the Guidelines do not define “U.S. person identifying information.”
In addition, because the NSI governs everything that would be included under Section 215, particularly given the involvement of the FISA Court, the entire document is incorporated by definition, including this language describing minimization procedures.
The Special Statutory Requirements section requires that FISA-derived information be disseminated pursuant to the minimization procedures approved by the FISA Court and as specified in the FISA statute. Although not formally adopted in the Interim Standard Minimization Procedures, this section — as with every section adopted in the Guidelines — governs the use of Section 215 derived information because compliance with the NSA Guidelines in their entirety is already a prerequisite to obtaining a Section 215 order.
And then there’s the fact that the Guidelines don’t actually provide hard guidelines on Information Sharing.
The Information Sharing subsection identifies the Department’s policy to share information with relevant agencies unless there is a specific provision limiting such information sharing.
Fine believed the Guidelines did not meet the terms laid out in the Reauthorization. But DOJ did.
We asked FBI and OIPR officials whether they believed the interim procedures met the minimization requirements of the Reauthorization ACt. We specifically inquired whether the interim procedures could meet the statutory requirement for obtaining a Section 215 order, the NSI Guidelines were not specific, and the NSI Guidelines applied to all documents the FBI collected in the course of a national security investigation and were not “designed in light of the purpose and technique” of Section 215 requests, as required by the Reauthorization Act.
OIPR and FBI attorneys responded that they believed the interim procedures met the statutory requirement because the Reauthorization Act did not require that the minimization procedures be “new” or “in addition to” existing requirements.
When we asked how an agent would determine, for example, whether the disclosure of U.S. person identifying information is necessary to understand foreign intelligence or assess its importance, the FBI General Counsel stated that the determination must be made on a case-by-case basis.
And when Fine asked OIPR and FBI if using the NIS addressed the constitutional language included in the statute, they dismissed that concern.
When discussing the issue raised by the Reauthorization Act of whether the minimization procedures “protect the constitutional rights of United States persons,” OIPR and FBI attorneys asserted that most government requests for business records do not raise constitutional concerns.
All this sounds absurd even if you don’t know that you’re really talking about using Section 215 to create a database of every phone-based relationship in the US. But once you understand that, then it becomes obscene. Because the primary application they had in mind, of course, presented a very real constitutional concern.
DOJ adopted equally self-referential nonsense to replace its original self-referential nonsense
That was March 2008, and Fine made it clear that, “as of early February 2008, the Department had not finalized the updated minimization procedures for full FISA orders” to which Section 215 had been tied. In his letter commenting on the report, Director Robert Mueller made not one mention of the minimization concerns or recommendation, which took up a full chapter of the report; he effectively just blew off the observation that FBI was not following the law.
We do know DOJ made at least a cosmetic (and that is likely all it was) change. At least by September 3, 2009, the primary order began to name the AG’s Guidelines for Domestic FBI Operations rather than NIS (indeed, primary orders still do,
even though that document has been superseded by the 2011 Domestic Investigation and Operations Guide). [See correction below.] The AG Guidelines were adopted in September 2008, so that’s likely when the change got made.
But that document doesn’t address any of Fine’s concerns. The Guidelines are still very general. Information sharing is explicitly called “permissive.” The Guidelines still don’t define what US person identifying information is.
In short, by all appearances, FBI still hasn’t complied with the PATRIOT Act Reauthorization, 7 years and two new reauthorizations later.
The 2009 violations reveal NSA didn’t really have or follow minimization procedures either
And while NSA has minimization requirements (still ultimately based in SID-18, though there were additional requirements from FISC) many of the problems underlying the 2009 disclosures had to do with the failure to set up a system to obey minimization procedures.
The report submitted to the FISC in August 2009 presents the problem as stemming from failing to follow the primary RAS limitation on the database, as well as subsidiary failures. And over the course of the report, it admits several instances in which NSA simply didn’t think through how a practice — like sharing unminimized results with other agencies — implicated minimization procedures.
In June 2009, during the course of NSA’s end-to-end review of the Agency’s implementation of the BR Order, NSA identified as a compliance matter the use of the database to make unminimized BR and [redacted] query results available to FBI, CIA, and NCTC, NSA
To determine why this compliance issue occurred, NSA spoke with the senior analysts and oversight personnel who were aware of the Court-ordered minimization requirements and of how the database was used. These conversations revealed NSA personnel generally followed the minimization requirements when the Agency issued formal reports based on queries of the metadata acquired pursuant to the Court’s BR FISA Orders. However, even though the applicability of the minimization requirements to the shared database is clear in hindsight, until the issue was discovered during NSA’s end-to-end review [redacted]
Tellingly, the underlying End-to-End report that accompanied that submission still prioritized NSA’s SID-18 minimization procedures.
If NSA has reason to believe the information constitutes valid threat-related activity, NSA applies USSID 18 to minimize information concerning U.S. persons and then reports the information to the FBI, NCTC and ODNI, and other customers, as appropriate.
These detailed working aids, together with required IJSSID 18 training for all BR FISA-approved intelligence analysts, require that any NSA. BR. MA-based reporting that contains U.S. person information follow NSA’s standard minimization procedures found in USSID 18 and the Court order.
NSA has well-documented and long-standing minimization procedures for ensuring protection of U.S. persons’ information in SIGINT analysis and reporting under all SIGINT authorities, to include the FISA Order.
In light of the compliance issues that surfaced specific to the handling of BR FISA metadata, NSA reviewed its minimization procedures as well as its oversight procedures, to include auditing, documentation, and training, to identify areas for potential improvement. All were identified as areas for enhancement to ensure that personnel handling the BR FISA metadata. are aware of and compliant with the Court Orders governing its use and dissemination.
Every NSA intelligence analyst is required to complete training and pass a test on USSII) 18 minimization procedures every two years as a pre-requisite for access to unminimized/unevaluated SIGINT data. Additionally, intelligence analysts must receive an OGC compliance briefing and on-the-job training (OJT) regarding their responsibilities for handling metadata containing U.S. person information prior to being granted access to the BR FISA metadata, They also have on-line access to detailed working aids including required minimization procedures. NSA will continue to emphasize the critical importance of applying USSID l8 and the Court Order requirements as they relate to the handling and dissemination of BR. RSA.
All of which is to say that a year after DOJ’s IG told DOJ they had failed to fulfill the terms of PATRIOT, after DOJ partly addressed minimization for FBI, albeit completely cosmetically, NSA got caught violating the program in all sorts of ways, largely because they had never really instituted minimization procedures specific to the program.
Glenn Fine told you so.
Fine, Sensenbrenner, and Leahy suggest there still aren’t adequate minimization procedures
Yet key people seem to believe there still aren’t minimization procedures that meet the terms of PATRIOT.
When Fine set out to review the 215 program again in 2010 (that’s the review that has been ongoing for 1,235 days with no sign of a report), he promised to review whether FBI had yet met the terms of PATRIOT.
n addition, our review will cover the FBI’s use of Section 215 orders for business records. It will examine the number of Section 215 applications filed from 2007 through 2009, how the FBI is using the tool today, and describe any reported improper or illegal uses of the authority. Our review will also examine the progress the FBI has made in addressing recommendations contained our prior reports that the FBI draft and implement minimization procedures specifically for information collected under Section 215 authority.
And the Leahy-Sensenbrenner bill focuses on improving minimization procedures by,
- Allowing the judge to review minimization procedures before approving an order to ensure they meet the requirements
- Allowing the judge to review compliance with minimization procedures
- Adding “acquisition and” after “the minimization of” in this phrase of the definition: “to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons”
- Renewing the mandate for a DOJ IG review of Section 215, akin to the one Fine completed in 2008, covering the years 2010 to 2013
- Mandating a review for the Intelligence Committee Inspector General, not only of efficacy of the program, but also of minimization procedures and any procedures rejected by the FISC
- Requiring any sub-reports to be shared with the oversight committees as well
Obviously, if the main thrust of their bill passed, it would make bulk collection illegal, eliminating the huge disparity between the implementation of the program and the minimization requirements laid out in the law. But if not — and for whatever use of Section 215 remains — Patrick Leahy and Jim Sensenbrenner seem intent to offer far more protection than the scant protection offered for the last 2007, in defiance of the 2006 Reauthorization.
As I noted earlier today, Jim Sensenbrenner has complained that the Executive “ignored restrictions painstakingly crafted by lawmakers.” Given the focus on putting teeth to minimization procedures, Sensenbrenner may be thinking of the way DOJ completely blew off a clear mandate of PATRIOT.
They should have listened. It could have saved them a bunch of trouble.
Update: I was incorrect that the DIOG replaced the AGG. Rather, the AGG is the policy statement that the DIOG implements, so effectively, in response for being busted for using a too-general document, FBI adopted an even more general one. The AGG was first implemented in 1976 to stave off legislative mandates about FBI’s policy.