As we speak, a bunch of privacy experts are on Twitter trying to make sense of I Con the Record’s transparency report, which is a testament to the fact that the Transparency Report obfuscates as much as it makes transparent (and to the degree to which you need to have read a great deal of other public reports to understand these things).
So I’m going to deal with the obvious errors I’m seeing made as I see them, then will do a more comprehensive working thread.
The first confusion I’m seeing pertains to this factoid showing how many US person queries designed to return criminal information returned a positive hit.
First, it is not the case that this number, 1, means the FBI affirmatively searched a dedicated FISA 702 database for criminal data and only found data once. The FISA 702 data, the traditional FISA data, and other data are all mixed in together. What this means is when the FBI searched databases including that FISA 702 data and other stuff looking for information on a criminal case, on just one occasion did they get a positive hit showing evidence of a non-national security crime that landed in the database via Section 702 and no other authority (some amount of this information will come into the database via multiple authorities), then obtain that information (whether via their own 702 clearance or by asking a buddy cleared into 702), and review it.
So right off the bat, there are some things this number doesn’t include: positive hits on criminal queries that a person gets but whose underlying data they don’t receive and review. One reason they might get a positive hit they don’t review is if a non-cleared person doesn’t go through the effort to get a FISA-cleared person to access it. But as I pointed out when the opinion ordering this count got released, there are other possibilities.
FBI’s querying system can be set such that, even if someone has access to 702 data, they can run a query that will flag a hit in 702 data but won’t actually show the data underlying that positive return. This provides one way for 702-cleared people to learn that such information is in such a collection and, if they want the data without having to report it, they may be able to obtain it another way. It is distinctly possible that once NSA shares EO 12333 data directly with FBI, for example, the same data will be redundantly available from that source in a way that would not need to be reported to FISC. (NSA used this arbitrage method after the 2009 problems with PATRIOT-authorized database collections.)
Furthermore, this will only count a positive hit if the Agent is making an exclusively criminal search. Hogan’s opinion and (we now know from some recently liberated documents) the underlying discussion didn’t deal with the full scope of queries done for assessment reasons in the name of national security, such as profiling various ethnic communities or more generally searching on leads identified via national security mapping. Those queries would count as national security queries, but a big point of doing them would be to find derogatory information, including evidence of criminal behavior, to use to recruit informants.
Finally, consider how the Attorney General Guidelines define Foreign Intelligence information.
Plus, such reporting depends on the meaning of foreign intelligence information as defined under the Attorney General Guidelines.
FOREIGN INTELLIGENCE: information relating to the capabilities, intentions, or activities of foreign governments or elements thereof, foreign organizations or foreign persons, or international terrorists.
It would be relatively easy for FBI to decide that any conversation with a foreign person constituted foreign intelligence, and in so doing count even queries on US persons to identify criminal evidence as foreign intelligence information and therefore exempt from the reporting guidance. Certainly, the kinds of queries that might lead the FBI to profile St. Paul’s Somali community could be considered a measure of Somali activities in that community. Similarly, FBI might claim the search for informants who know those in a mosque with close ties overseas could be treated as the pursuit of information on foreign activities in US mosques.
As I understand it, the reporting to Congress on this has been a bit more circumspect than members might have liked. That means the other details FISC judge Thomas Hogan required about this one positive hit — what query resulted in a positive hit, what kind of investigative action it led to, and why FBI believes it to fall under minimization procedures — aren’t as sexy as this number, 1.
Prior to this positive hit, the FBI had always assured oversight authorities that the possibility that Section 702 data would result in criminal information was “theoretical.”
Even as a factoid of limited meaning, it does mean the possibility is no longer theoretical.