The US Person Back Door Search Number DOJ Could Publish Immediately
The Senate Judiciary Committee had a first public hearing on Section 702 today, about which I’ll have several posts.
One piece of good news, however, is that both some of the witnesses (Liza Goitein and David Medine; Ken Wainstein, Matt Olsen, and Rachel Brand were the other witnesses) and some of the Senators supported more transparency, including requiring the FBI to provide a count of how many US person queries of 702-collected data it does, as well as a count of how many US persons get sucked up by Section 702 more generally.
Liza Goitein presented a very reasonable view of the efforts the privacy community is making to work with the government to come up with reasonable counts.
But no one mentioned the very easy count of US person back door searches that FBI could provide today.
As I noted when this was released, as part of last year’s 702 Certification process, Judge Thomas Hogan required FBI to report every time FBI reviews data on a US person query of 702 data that doesn’t pertain to National Security.
[Hogan] imposed a requirement that FBI “submit in writing a report concerning each instance … in which FBI personnel receive and review Section 702-acquired information that the FBI identifies as concerning a United States person in response to a query that is not designed to find and extract foreign intelligence information.” Such reporting, if required indefinitely, is worthwhile — and should have been required by Congress under USA Freedom Act.
But FBI can and presumably will game this information in two ways. First, FBI’s querying system can be set such that, even if someone has access to 702 data, they can run a query that will flag a hit in 702 data but won’t actually show the data underlying that positive return. This provides one way for 702-cleared people to learn that such information is in such a collection and — if they want the data without having to report it — may be able to obtain it another way. It is distinctly possible that once NSA shares EO 12333 data directly with FBI, for example, the same data will be redundantly available from that in such a way that would not need to be reported to FISC. (NSA used this arbitrage method after the 2009 problems with PATRIOT-authorized database collections.)
Plus, such reporting depends on the meaning of foreign intelligence information as defined under the Attorney General Guidelines.
FOREIGN INTELLIGENCE: information relating to the capabilities, intentions, or activities of foreign governments or elements thereof, foreign organizations or foreign persons, or international terrorists.
It would be relatively easy for FBI to decide that any conversation with a foreign person constituted foreign intelligence, and in so doing count even queries on US persons to identify criminal evidence as foreign intelligence information and therefore exempt from the reporting guidance. Certainly, the kinds of queries that might lead the FBI to profile St. Paul’s Somali community could be considered a measure of Somali activities in that community. Similarly, FBI might claim the search for informants who know those in a mosque with close ties overseas could be treated as the pursuit of information on foreign activities in US mosques.
Hogan imposed a worthwhile new reporting requirement. But that’s still a very far cry from conducing a fair assessment of whether FBI’s back door searches are constitutional.
This requirement went into effect on December 4, 2015, and Hogan required updates on such reporting by January 27, 2016, so FBI is already reporting on this.
It would take minimal effort for ODNI to release how many of these notices got sent to FISC — it could do it quarterly so we didn’t learn too much from the process. Maybe there wouldn’t be any notices, though for a variety of reasons I doubt it. Maybe, as I note, the number is too fake to be useful.
But it is a number, one FBI is already required to report. So they should start reporting it.