Charlie Savage liberated a 2012 Inspector General Report on Section 702 which he wrote about here. Here’s my working thread on the report.

Cover: This was released sometime (undated) in September 2012. Around that time, Pat Leahy was complaining they hadn’t received everything from Inspectors General they were due. That said, there was a counterpart NSA report that initially said there had been violations, but after its release changed its mind.

(ix) IG had to rely on “a former senior Justice Department official” for details on the 2007 fight.

(x) No mention of the extension in February for PAA, or the approval process.

(xii) Note the b7E (law enforcement method) in redaction on this page.

(xiii) During the period of IG’s review, only NSA could initiate targets.

(xiv) Note the PRISM reference, which is the second way FBI reviews selectors (presumably for certain kinds of investigations, likely CT ones).

(xvi, footnote 9) NSA got snippy by the suggestion that FBI didn’t have authority to override NSA, it appears

(xvi) Note the discussion of some “factor” the NSA uses to determine foreignness. I find it particularly interesting that the FBI IG found this legit because FISC had already approved it outside the FAA context.

(xvii footnote 10) NSA’s targeting procedures remained the same throughout the review period. But we know NSA changed them in 2011.

(xxii) This section describes that FBI would start nominating selectors in 2012.

(xxii) Report says it was being finalized in April 2012, which suggests another long delay in agency review.

(xxii) Late 2007, ODNI Cv Libs raised concerns about people who had traveled to US. This is interesting given the discussion of Yahoo case.

(xxv) FBI got a draft of this in February 2012. Also, FBI wasn’t doing its yearly reviews of what USP data it had gotten.

(xxv) FBI submitted its 2010 and 2011 annual reviews on May 22, 2012. They were received too late for DOJ IG to consider them here.

(xxvii) Claims the first time FBI dual routed data was October 14, 2009.

(xxvii) Description of SMPs.

(xxx) Note reference to Art Cummings retirement in April 2010, after several months of dual routing.

(xxxi) FBI does label 702 data as 702 so it can be distinguished and tracked if it needs to be purged.

(xxxii) FBI disseminates by uploading it into a system.

(xxxii) “relatively few” disseminations were misfiled.

(xxxiii footnote 16) 4 cases went out w/o FISA warning.

(7) Note the reference to the DOJ IG report on STELLAR WIND, which it says was done July 2009 (as was the joint IG report).

(8) Note how it refers to “proponents” of the view that FISA’s exclusivity clause means exclusive.

(13) I’ll need to go back, but I think this IG report offers a different start date for first PAA cert than Yahoo docs (which say August 10 signed, but submitted August 17, IIRC). It’s also still hiding the dates of the other certificates.

(13) This seems to confirm that the certification that Kollar-Kotelly approved in April 2008 was an entirely new cert; it didn’t lapse until April 2009. Also note the short reference to the new FBI involvement on January 31, 2008.

(13) “The FBI’s role under the PAA thus became virtually identical to its current role under the Section 702 of the FAA” (which would suggest something lapsed in between the expiration of PAA certs and the reintegration of FBI in October 2009.

(14) In a footnote that must modify a passage discussing how FBI’s role under PAA was identical to what it subsequently became under FAA (because it is not visible) it says:

According to an attorney in the FBI’s Office of General Counsel who participated in drafting the [redacted]), the document took a long time to negotiate and was not finalized until after the PAA expired. However, the attorney stated that the [redacted] remained in effect after the PAA expired because certifications issued under the PAA were valid for one year, and thus the use of PAA authority extended beyond the PAA’s expiration. This attorney also stated that the [redacted] remains in effect under the FAA to the extent it is relevant to the FAA’s provisions. Thus, provisions in the [redacted] concerning targeting the accounts of U.S. persons, which is prohibited are the FAA, are considered void.

(18) Footnote seems to suggest someone else is angling for targeting authorities under FAA. (Remember that CTC would issue minimization, though not targeting, procedures following year.

(19) Top secret paragraph–parallels an earlier one. Both probably talk about nature of certifications.

(24)  FBI keeps data “primarily” in international terrorist investigations. Former tasking under traditional retained under PAA (which we knew) and FAA (which was obvious but not known).

(25) FBI’s nominating procedures will mirror CIA ones, but they will own the process.

(26) FBI had told IG they’d start nominations in early 2013 but started in 2012.

(30) See the unredacted reference to the MOU.

(30 footnote 43) This modifies the claim that the FISC approved all the targeting procedures during the period of review. Depending on what they’re referencing, the period ends before the 2011 hesitation over those targeting procedures. That either means FISC also balked at some earlier ones or that the description of the problem in 2011 doesn’t accord with what we know about it.

(31) Internet communications = communications that traverse the Internet.

(46) A change in the way they nominate selectors (at the time they were switching over to nominate more actively).

(48) 12 pieces of information on a selector?

(53) SSA “can assume the facts provided are accurate”

(60) Describes some concern about foreignness designation just at transition from PAA and FAA. First certificate under FAA dealt with the issue.

(70) Use of dated information for foreignness reviews: may explain problem with nonexistent accounts for Yahoo

(71) Confirms earlier claim that NSA provides the strongest – not necessarily the most recent – foreignness designation.

(73) Standard of diligence dates back to PAA period, prior to completion of the MOU. [Note redacted MOU reference]

(73) Caproni insists on FBI having role in authorization process because the collection (???) done under their authority.

(73) “Caproni stated that a ‘presumption of regularity’ applies to the NSA’s [redacted] and that ‘there is no reason to presume that the NSA is not upholding its constitutional duty’ with respect to the rights of United States persons, or otherwise violating the FAA or its own FISA Court-approved targeting procedures. The Policy Attorney stated that the [redacted; MOU] and other documents governing the interagency targeting process were careful drafted to make it clear that the FBI would only [redacted]”

(78) “After the OIG presented the above information to the General Counsel Caproni, she stated that she was unaware of the gap in the procedures, called it a ‘mistake,’ and that the Operations Attorney should ‘fix it.’” [Note the timing of this. It describes Caproni as active GC, suggesting that the interview happened before she left in 2011. That would also suggest that this (as is much of this report) was done under Fine, not Horowitz.]

(80) Note the footnote referencing attorney-client privilege. Again, this would have withheld stuff from Congress, as well as other agencies (including NSA and DNI?).

(92) The IG Report does encompass the October 3, 2011 Bates opinion approving new targeting procedures for FBI. (I wonder if this relates to the more active role in nominations?)

(106) Note the citation to the MOU unredacted.

(111) A big section of this discussion pertains to travel to the US, which was also something Yahoo was concerned about. Is this what got fixed in the first FAA certification?

(116) The meeting on annual reports happened in July 2011. Compare that w/Caproni’s departure (to NSD, where she’d be in charge of this).

(117) IG defines compliance incident: “NSA or FBI’s failure to comply with a specific requirement in its targeting (or minimization) procedures, whether or not the incident results in the improper collection of 702 data.” Goes on to note that FBI is not reporting. “We determined that these reports did not cite any compliance incidents attributed to the FBI that resulted in [redacted] in which the user of the targeted account was in the United States at the time of the acquisition.”

(118) This passage is crucial. FBI’s targeting procedures say that if NSA discovers someone is in the US, they must tell FBI and FBI must (do something—presumably detask, but it’s not clear whether they have to purge in the same way). This invokes some of the dual tracking reporting we had in IOB reports, where NSA would not worry about whether the other agency (which is almost certainly FBI) had detasked/purged.

(119) The passage following up on the targeting procedures appears to be a reference to the MOU (though could be FBI’s SOPs).

(120) Important:

Witnesses stated that the FBI did not request or receive NSA notifications of 702 acquisitions that were later determined to be ineligible for 702 coverage (reportable incidents) until at least October 2009, when the FBI began to retain 702 data for its own analysis. The 702 Team Lead Program Coordinator stated that the FBI first received these notifications in the form of purge reports after it began retaining 702 data, but only concerning accounts for which the FBI had requested dual routing. He and the [redacted] Unit Chief stated that the NSA subsequently began to send purge reports to the FBI whether or not the account was being dual routed to the FBI, although they could not pinpoint when this practice changed.

(121) SO NSA approves stuff, then FBI tasks it, then NSA determines they were improper targets.

(127) The existence of a section on “review of communications of persons later determined to be in the United Stats” suggests not all this stuff gets purged; it comes much closer to getting purged at NSA.

(128) Suggests FBI is not using its own information to help on foreignness determinations.

(129) FBI says its review of foreignness is tied to presence outside US.

(139) Meeting with GC was July 2011 too.

(144) Really curious redaction after minimization procedures.

(144) Makes clear they were still using the old MPs, with “conforming language.” Makes no mention of FBI’s requirement that they put it into one document.

(144) Note they redact the reference to certifications.

(147) They cut off the discussion of who is authorized to access 702 data (those trained on it, for a start). We know some of that from the PCLOB report.

(151) LOL! They left in a reference to upstream being called “backbone” production.

(152) They include “other identifiers targeted under Section 702” in description of upstream.

(159) Note the reference to HSGA’s report on Fort Hood. Could be a reference to multiple email accounts, or to the way in which they were targeting Awlaki.

(172) This passage seems to reinforce possibility that FBI manages to keep data that NSA would otherwise have to purge.

(175) By this point (but I don’t believe, in 2008) OIG was treating names as PII, but not phone numbers. In any case AGG does the same.

(202) Really important passage. Note that at some point NSA treated any US domain as a USP, but obviously had to change that. But that – and NSA’s treatment of a USP identifier as a USP, is a more strict standard than FBI uses.

(206) In January 2011, the 702 team “had never been audited on this information [USP dissemination] and therefore had not been keeping track of it.”

(225) The footnote points to a problem, in conjunction with the IOB reports: When something has been dual routed and NSA discovers someone is in the US, they let the other Agency (presumably FBI) deal with the data under its own SMPs. But it sounds like FBI may not be doing this.

(PDF 278) Note FBI promises to define PII, but doesn’t say what it is. Given that FBI was fighting about this a bunch in 2008, I suspect the definition will not be meaningful.