I’ve finished up my working threads on the NSA, CIA, and FBI Section 702 minimization procedures. And they suggest that FBI has an identity crisis. Or rather, an inability to describe what it means by “identification of a US person” in unclassified form.
Identification of a United States person means (1) the name, unique title, or address of a United States person; or (2) other personal identifiers of a United States person when appearing in the context of activities conducted by that person or activities conducted by others that are related to that person. A reference to a product by brand name, or manufacturer’s name or the use of a name in a descriptive sense, e.g., “Monroe Doctrine,” is not an identification of a United States person.
Even though the FBI minimization procedures have a (briefer than NSA and CIA’s) definitional section and gets into when someone counts as US person from a geographical standpoint, it doesn’t have the equivalent paragraph on what they consider US person identifying information, which is central to minimization procedures.
Now, I might assume that this is just an oversight, something FBI forgot to incorporate as it was writing its own 702 minimization procedures incorporating what NSA has done.
Except that we know the FBI has suffered from this same kind of identity crisis in the past, in an analogous situation. As Glenn Fine described in the 2008 Inspector General Report on Section 215 (the one the successor for which has been stalled for declassification review for over 6 months), the FBI never got around to (and almost certainly still hasn’t gotten around to, except under modifications from the FISA Court) complying with Section 215’s requirement that it adopt minimization procedures specific to Section 215.
One holdup was disagreement over what constituted US person identifying information.
Unresolved issues included the time period for retention of information, definitional issues of “U.S. person identifying information,” and whether to include procedures for addressing material received in response to, but beyond the scope of, the FISA Court order; uploading information into FBI databases; and handling large or sensitive data collections.
(Note, there’s very good reason to believe FBI is still having all these problems, not least because several of them showed up in Michael Horowitz’ NSL IG Report last year.)
One problem Fine pointed out is that the AG Guidelines adopted in lieu of real minimization procedures don’t provide any guidance on when US identifying information is necessary to share.
When we asked how an agent would determine, for example, whether the disclosure of U.S. person identifying information is necessary to understand foreign intelligence or assess its importance, the FBI General Counsel stated that the determination must be made on a case-by-case basis.
While NSA’s 702 SMPs do lay out cases when FBI can and cannot share US person identifying information (those are, in some ways, less permissive than CIA’s sharing guidelines, if you ignore the entire criminal application and FBI’s passive voice when it comes to handling “sensitive” collections), if the guidelines for what counts as PII are not clear — or if they’re expansive enough to exempt (for example) Internet handles such as “emptywheel” that would clearly count as PII under NSA and CIA’s SMPs, then it would mean far more information on Americans can be shared in unminimized form.
And remember, FBI’s sharing rules are already far more lenient than NSA’s, especially with regards to sharing with state, local, and other law enforcement partners.
Call me crazy. But given the FBI’s past problems defining precisely this thing, I suspect they’re still refusing to do so.