FBI’s Open NSL Requests

DOJ’s Inspector General just released a report of all the recommendations it made prior to September 15, 2015 that are not yet closed. As it explained in the release, the IG compiled the report in response to a congressional request, but they’ve posted (and will continue to post, every 6 months) the report for our benefit as well.

Specifically, we have posted a report listing all recommendations from OIG audits, evaluations, and reviews that we had not closed as of September 30, 2015.  As you will see, most of the recommendations show a status of “resolved,” which indicates that the Department of Justice has agreed with our recommendation, but we have not yet concluded that they have fully implemented it.

As that release made clear, most of the recommendations that have not yet been closed are not open, but resolved, which means DOJ has agreed with the IG’s recommendation but has not fully implemented a fix for that recommendation.

Which leaves the “open” recommendations, which might include recommendations DOJ hasn’t agreed to address or hasn’t told the IG how they’ll address. There are 20 open recommendations in the report, most of which date to 2014. That’s largely because every single one of the 10 recommendations made in the 2014 report on National Security Letters remains open. Here are some of my posts on that report (one, two, three, four, five), but the recommendations pertain to not ingesting out-of-scope information, counting the NSL’s accurately, and maintaining paperwork so as to be able to track NSLs. [Update: as the update below notes, the FBI response to the released report claimed it was responding, in whole or in part, to all 10 recommendations, which means the “open” category here means that FBI has not had time to go back and certify that FBI has done what it said.]

Three of the other still-open recommendations pertain to hiring; they pertain to nepotism, applicants for the civil rights division wanting to enforce civil rights laws (!), and the use of political tests for positions hiring career attorneys (this was the Monica Goodling report). Another still open recommendation suggests DOJ should document why US Attorneys book hotels that are outside cost limits (this pertains, ironically, to Chris Christie’s travel while US Attorney).

The remaining 2 recommendations, both of which date to 2010, are of particular interest.

1/19/2010: A Review of the Federal Bureau of Investigation’s Use of Exigent Letters and Other Informal Requests for Telephone Records

The OIG recommends that the FBI should issue guidance specifically directing FBI personnel that they may not use the practices known as hot number [classified and redacted] to obtain calling activity information from electronic communications service providers.

The first pertains to the IG Report on exigent letters. The report described (starting on PDF 94) how FBI contracted with two providers for “hot number” services that would let them alert the FBI when certain numbers were being used. FBI first contracted for the service with MCI or Verizon, not AT&T (as happened with most tech novelties in this program). The newly released version of the report make it clear that redactions are redacted for b1 (classification), b4 (trade secrets), b7A (enforcement proceedings), and b7E (law enforcement technique). At one point, then General Counsel now lifetime appointed judge Valerie Caproni said the practice did not require Pen Registers.

I find this practice — and FBI’s longstanding unwillingness to forswear it — interesting for two reasons. First, most references to the practice follow “hot number” by a short redaction.

Screen Shot 2016-01-21 at 2.02.30 PM

That suggests “hot number” may just be a partial name. Given that this section makes it clear this was often used with fugitives — just as Stingrays are often most often used — I wonder whether this involved “number” and “site.” That’s especially true since Company C (again, MCI or Verizon) also tracked whether calls were being made from a particular area code or [redacted], suggesting some location tracking function.

I’m also interested in this because “hot numbers” tracks the unauthorized “alert” function the NSA was using with the phone dragnet up until 2009. As you recall, NSA analysts would get an alert if any of thousands of phone numbers got used in a given day, none of which it counted as a contact-chaining session.

In other words, this practice might be related to one or both of these things. And 6 years later, the FBI doesn’t want to forswear the practice.

9/20/2010, A Review of the FBI’s Investigations of Certain Domestic Advocacy Groups

The OIG recommends that the FBI seek to ensure that it is able to identify and document the source of facts provided to Congress through testimony and correspondence, and to the public.

This report (see one of my posts on it) reviewed why the FBI had investigated a bunch of peace and other advocacy groups as international terrorist groups dating back to 2004. ACLU had FOIAed some documents on investigations into Pittsburgh’s peace community. In response, Patrick Leahy started asking for answers, which led to obvious obfuscation from the FBI. And as I noted, even the normally respectable Glenn Fine produced a report that was obviously scoped not to find what it was looking for.

Nevertheless, a key part of the report pertained to FBI’s inability (or unwillingess) to respond to Leahy’s inquiries about what had started this investigation or to explain where the sources of information for their responses came from. (See PDF 56) The FBI, to this day, has apparently refused to agree to commit to be able to document where the information it responds to Congress comes from.

I will have more to say on this now, but I believe this is tantamount to retaining the ability to parallel construct answers for Congress. I’m quite confident that’s what happened here, and it seems that FBI has spent 6 years refusing to give up the ability to do that.


I didn’t read it when I originally reported in the NSL IG report, but it, like most IG reports, has a response from FBI, which in this case is quite detailed. The FBI claims that it had fulfilled most recommendations well before the report was released.

The response to the open exigent letter recommendation is at PDF 224. It’s not very compelling; it only promised to consider issuing a statement to say “hot number [redacted]” was prohibited.

The response to the 2014 report recommendations start on PDF 226. Of those, the FBI didn’t say they agreed with one part of one recommendations:

  • That the NSL subsystem generate reminders if an agent hasn’t verified return data for manual NSLs (which are sensitive)

In addition, with respect to the data requested with NSLs, FBI has taken out expansive language from manual models for NSLs (this includes an attachment the other discussion of which is redacted), but had not yet from the automated system.