In addition to everything else several of us have been pointing out in the original Internet metadata opinion and the phone metadata application, there are two more problems with the phone dragnet.
They’re using the wrong agency and the wrong minimization procedures.
Section 215 reads, in part:
[T]he Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things [my emphasis]
Here’s who signed the application that kicked off the phone dragnet program:
This is probably the lesser of these two problems. After all, the law permits the FBI Director to delegate this, and delegating the application to your boss is probably perfectly fine. Though it is a bit of a conflict if the boss in question was, in part, trying to legalize a program that had operated under his purview when he worked at the White House.
The problem becomes bigger still given that there’s no explanation of how it is that an NSA declaration serves as backup for an application to obtain data for the NSA, the use of which is limited to FBI. At least in what we get (which, remember, is what got produced to Congress, not what got submitted to the Court), there’s no discussion of that process.
The other problem is a bit more complicated. As I described last week, the 2006 Reauthorization of the PATRIOT Act included a new requirement that the Attorney General develop minimization procedures for Section 215.
(1) IN GENERAL- Not later than 180 days after the date of the enactment of the USA PATRIOT Improvement and Reauthorization Act of 2005, the Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this title.
(2) DEFINED- In this section, the term `minimization procedures’ means–
(A) specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;
(B) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in section 101(e)(1), shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance;
This post describes how DOJ basically blew off that requirement and — at least according to former DOJ Inspector General Glenn Fine — instead used existing procedures that didn’t meet the terms of the law.
Given that this application passed just 2 months after the Reauthorization, this dragnet application was probably one of the earliest Section 215 applications submitted after the Reauthorization so there might have been a discussion about this new requirement anyway. But in this case, the new requirement should have posed an additional problem. The data went not to FBI, but immediately to NSA, an enormous database of non-publicly available of information pertaining to US persons, handed off without a hint of minimization first.
Here’s how the application dealt with minimization procedures.
NSA will apply the existing (Attorney General approved) guidelines in United States Signals Intelligence Directive 18 (1993) … to minimize the information reported concerning U.S. persons.
USSID 18 is supposed to be less restrictive than FBI minimization procedures (though FBI data gets shared freely with other agencies).
There’s not only no discussion in this application of how USSID 18 meets the terms of the law, but there’s no discussion of what it means that NSA basically got unminimized data for which FBI is, by law, the proper recipient, which should be the most voluminous minimization violation ever.
And yet … the application doesn’t even acknowledge this problem at all.