The FBI Is Using NSLs to Target “Facilities” Now

The Freedom of the Press Foundation has been looking for more details about when the FBI can use NSLs to obtain records including the communication records of journalists, and they just obtained initial response to a FOIA on the subject. There is abundant reason to believe the government does this in leak cases, though as Trevor Timm noted in his piece on this, “a ‘broad reading’ of the media guidelines [was] allegedly hindering leak investigations” in the summer of 2015.

As part of DOJ’s response to FPF’s FOIA, the provided a section of the Domestic Investigations and Operations Guide for the FBI that covers NSLs generally. While I don’t think the FOIA response provides the date of the DIOG (it was declassified on November 6, 2015), it appears to post-date last June’s passage of USA Freedom Act, because it incorporates the language on disclosure from that bill (see the last section).

I was particularly interested in the discussion of reporting to Congress, as that’s something DOJ’s Inspector General found FBI to have serious problems with in the 2014 IG Report on NSLs.

There are two potentially significant changes in the passage on “notice and reporting requirements” in what FPF obtained (see page 9) from the 2011 version (see page 106) that was the last to be released on comprehensive fashion (see below for the text).

First, and probably most importantly, the 2015 version envisions targeting “facilities/accounts,” whereas the 2011 version envisioned targeting “phone numbers/e-mail accounts/financial accounts.” The reason this is so concerning is that, in 2007, the government invented a new meaning for “facility” that could mean an entire data switch. The language is all the more concerning if, as I believe, this DIOG post-dates USAF, because that law limits bulk collection by requiring a selection term for NSLs and other collection. But if they’re using that expansive definition of “facility,” then selection terms may not be all that limiting.

That language is accompanied by a change I don’t entirely understand (I can’t figure out whether this alleviates or magnifies my concern about “facilities” being targeted). It appears the FBI has entirely reversed the meaning of the words “target” and “subject” here. Whereas they used to refer to the “target” of an investigation and then track individual “subjects” named in NSLs, they now refer to the “subject” of an investigation (which would more closely match how prosecutors would describe someone not yet charged and might cover enterprise investigations without one identified culprit) and the “target” of an NSL (which would allow all others collected to be treated as incidental collection). In both cases, they’re surely accounting for the fact that the FBI may investigate a suspect by investigating other people known to have ties to the suspect. This pertains directly to tracking of US persons swept up, but I’m not entirely sure the net effect. Note, too, the language tying NSLs to “predicated” investigations is different in other parts of the DIOG fragment.

Again, I’m not entirely sure what all this means (aside from the fact that using “facility” instead of email or phone number is very concerning). But it is rather alarming, in any case.

2015 version

i.e., delineate the number of targeted facilities/accounts in each NSL issued to an NSL recipient.

NSLB also reports to Congress the USPER status of the target (as opposed to the subject of the investigation) of all NSLs, other than NSLs that seek only subscriber information. While the subject of the investigation is often the target of the NSL, that is not always the case. The EC must record the USPER status of the target of the NSL — the person whose information the FBI is seeking. If the NSL is seeking information about more than one person, the EC must record the USPER status of each person.

2011 version

The EC must delineate the number of targeted phone numbers/e-mail accounts/financial accounts that are addressed to each NSL recipient. For example, if there are three targets, ten accounts, and six recipients of an NSL, the EC must state how many accounts are the subject of the NSL as to Recipient 1, Recipient 2, etc. It is not sufficient to indicate only that there are ten accounts and six recipients.

In addition, the FBI must report the USPER status of the subject of all NSLs (as opposed to the target of the investigation) other than NSLs that seek only subscriber information. While the subject is often the target of the investigation, that is not always the case. The EC must reflect the USPER status of the subject of the request–the person whose information the FBI is seeking. If the NSL is seeking information about more than one person, the EC must reflect the USPER status of each person.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

3 replies
  1. Giles Byles says:

     
    So what you’re telling us is that rather than targeting a journalist, they use an NSL to query the “facility” (ISP) the journalist uses to obtain her communications AND keep the ISP quiet about it.
     
    Would T. Jefferson consider an NSL “constitutional”?  Methinks he would find the notion nauseating.  This is the cost of a do-nothing (impotent) judiciary.

    • emptywheel says:

      They usually get the journos by collecting on the suspect (say, Thomas Drake) and then figure out who among his calls is a journalist.

      The facility concern is that they’ll go after entire ISPs in search of one person’s traffic.

Comments are closed.