Last night, I Con the Record released last year’s 702 opinion, approved by current presiding FISA Judge James Boasberg. It’s stinky. It shows continued violations of querying procedures (which I’ll describe below), as well as on new troubling issue at NSA (which I hope to describe in a follow-up).
Worse still, the opinion, the timing, and recent Bill Barr actions suggest we’ll see an even stinkier opinion in maybe another year.
The opinion we’re getting on September 3, 2020, was released by FISC on December 6, 2019. Not only has it taken nine months to release this opinion, but ODNI sat on it in anticipation of and in the aftermath of the DOJ IG Report on Carter Page, which was publicly released December 9, 2019. That means that the delay in releasing this led to a disproportionate focus on events that happened three or four years ago, but not on events that have persisted under Billy Barr.
But the timing is important for several other reasons: the government has to be preparing its next reapproval package now (assuming the 2019 certificates are good until December 5, it would need to submit a new package by November 5). That’s significant for several reasons. First, as laid out by the timeline below, while the FBI waited for a FISCR review of an October 2018 Boasberg decision that its querying procedures didn’t comply with a new requirement passed by Congress, there were ongoing querying problems of the same type, including both the deliberate querying of 702 information to vet sources (and cops), but also at least one mass query that ended up finding seven leads out of 16,000 Americans. There was a significant delay in reporting some of these:
- Querying violations found in June reported September 18, 2019
- Querying violations found in July reported September 6, 2019
- August querying violation involved 16,000 people reported November 25, 2019
In addition, there were several more reports on querying violations, one on September 17, and another on September 20.
That is, the reports on some of these were delayed until after FISCR ruled (on July 12), and for many of them, there was a delay until around the same time as the government submitted their new reauthorization packet on September 17, 2019 (which is the package that led to this December 6 opinion).
Then, after submitting the reauthorization package, starting on October 4, 2019, the FBI asked to be excused from two reporting requirements imposed in 2018.
In one case — requiring that FBI has retained 702 information in some archival systems — the FBI waited to comply with a change in reporting requirements made in October 2018 until it was prepping the 2019 certificates, and then asked for a weaker reporting requirement (and got it, prospectively).
It must be noted, however, that the government has unjustifiably disregarded the current reporting requirement. Instead of taking concrete steps to comply even partially with the Court’s directive (or timely seeking relief from it), it chose to wait while the FBI reportedly worked on guidance to instruct its personnel on how to handle unminimized Section 702 information on these archival systems. See Letter Regarding the FBI’s Steps to Implement an Aspect of the Court’s 2018 Section 702 Opinion and Order, Sept. 27, 2019, at 3. In fact, it has taken so long to prepare this guidance that, instead of using it to instruct personnel on the October 2018 reporting requirement, which the government reports was the original plan, the FBI now intends to address only the narrower reporting requirement incorporated into the FBI’s proposed minimization procedures. See Letter Regarding the FBI’s Steps taken by the FBI to implement an aspect of the Comt’s 2018 Section 702 Opinion and Order, Nov. 20, 2019, at 4.
It should be unnecessary to state that government officials are not free to decide for themselves whether or to what extent they should comply with Court orders. The government has not sought retrospective relief from the reporting requirement imposed by the Court on October 18, 2018. Although the AG and DNI have amended the prior Section 702 certifications to authorize the FBI to apply its proposed minimization procedures to information acquired under prior certifications, that authorization only becomes “effective on October 17, 2019, or on the date upon which [this Court] issues an order concerning [the] amendments pursuant to subsection 702(j)(3) of the Act, whichever is later.”[redacted] The Court’s approval of those amendments does not have any nunc pro tune effect, nor does it excuse the government from reporting instances of retention that it is already obligated to report. With respect to those instances of retention, the October 2018 reporting requirement remains in effect.
In another — far more important — case, the FBI asked for the reporting requirement (on when an Agent conducts a criminal search and finds 702 information) to be eliminated entirely, again, after the reauthorization package was completed. This reporting requirement was designed to test the FBI’s now provably false claim that agents would never find 702 information when conducting criminal searches. It goes to the heart of concerns about Fourth Amendment violations.
Boasberg relaxed, though did not eliminate, that reporting requirement.
The government has not reported such instances in timely fashion. Rather, they have been reported to the Court belatedly, usually after they were uncovered during oversight reviews. The government now seeks relief from this reporting requirement “because the requirements in Section 702(f)(2) are a sufficient mechanism for the Court to assess the risk that the results of a query designed to elicit evidence of crimes unrelated to foreign intelligence will be viewed or otherwise used in connection with an investigation that is unrelated to national security.” October 4, 2019, Request at 8. But it would be premature to regard the government’s implementation of Section 702(f)(2) as a sufficient source of information. As discussed above, the FBI has repeatedly accessed Section 702-acquired contents under circumstances requiring a FISC order under Section 702(£)(2), but has never applied for such an order.
Closer to the mark is the government’s contention that implementing both Section 702(f)(2) and the November 2015 reporting requirement could complicate training and systems design. See October 4, 2019, Request at 8-9. For example, Section 702(f)(2) looks to whether a query involves a U.S.-person query term, while the applicability of the November 2015 reporting requirement depends on whether U.S.-person information is retrieved. And Section 702(f)(2) is implicated only when contents are accessed, while the November 2015 reporting requirement · does not distinguish between contents and non-contents information.
The Court has decided to retain a reporting requirement separate from Section 702(f)(2) because the obligation to get a FISC order under that section is limited to queries conducted in the context of a predicated criminal investigation. The FBI conducts numerous queries of Section 702 information at earlier investigative stages. See October 18, 2018, Opinion at 75. Reports about queries at those stages remain relevant to the Court’s interest in receiving information about the extent to which U.S.-person privacy interests are implicated by queries that are not designed to find and extract foreign-intelligence information. The Court has concluded, however, that it is appropriate to modify the prior reporting requirement so that it will focus on the use of U.S.-person query terms, rather than on whether U.S.-person information is accessed as a result of a query, and will be triggered only when contents information is accessed. Such modifications should make it considerably simpler for the government to implement the requirement in combination with Section 702(f)(2), while still requiring reporting in situations where Fourth Amendment concerns are likely to be implicated. See October 18, 2018, Opinion at 93 (queries that use U.S.-person query terms and result in review of contents are “the subset of queries that are particularly likely to result in significant intrusion into U.S. persons’ privacy”).
Ultimately, Boasberg approved the certifications, effectively arguing that FBI just needed time to be trained on them.
The Court has previously assessed that requiring FBI personnel to document why a query involving a U.S.-person query term is reasonably likely to have returned foreign-intelligence information or evidence of crime before examining contents returned by the query should “help ensure that FBI personnel … have thought about the querying standard and articulated why they believe it has been met” and prompt them “to recall and apply the guidance and training they have received on the querying standard.” See id. at 93; see also In re DNI/AG Certifications at 41 (that requirement may “motivate FBI personnel to carefully consider … whether a query satisfies” the standard). The recently reported querying violations suggest that some FBI personnel still need such help. That is not altogether surprising. As discussed above, the FBI is really just sta11ing to implement that documentation requirement on a comprehensive basis. For that reason, the improper queries described above do not undermine the Court’s prior determination that, with that requirement, the FBI’s querying and minimization procedures meet statutory and Fourth Amendment requirements.
I suggested when the 2018 package was released last year, we’d start learning details of back door searches that had been implicit since 2007.
Nevertheless, 12 years after this system was first moved under FISA (notably, two key Trump players, White House Associate Counsel John Eisenberg and National Security Division AAG John Demers were involved in the original passage), we’re only now going to start getting real information about the impact on Americans, both in qualitative and quantitative terms. For the first time,
- We will learn how many queries are done (the FISC opinion revealed that just one FBI system handles 3.1 million queries a year, though that covers both US and non US person queries)
- We will learn that there are more hits on US persons than previously portrayed, which leads to those US persons to being investigated for national security or — worse — coerced to become national security informants
- We will learn (even more than we already learned from the two reported queries that this pertained to vetting informants) the degree to which back door searches serve not to find people who are implicated in national security crimes, but instead, people who might be coerced to help the FBI find people who are involved in national security crimes
- We will learn that the oversight has been inadequate
- We will finally be able to measure disproportionate impact on Chinese-American, Arab, Iranian, South Asian, and Muslim communities
- DOJ will be forced to give far more defendants 702 notice
The thing is, 11 months after the release of that opinion, we’re still not seeing results — in the form of declassified opinions — of what FBI’s querying really looks like, once they’re forced to actually track it. The entirely of this 2019 opinion still shows what Boasberg considers the pre-implementation period for this reporting regime.
And the FBI has been trying to weaken it for two years now!
There’s one more indication that we may see troubling details once we get the next 702 opinion in a year’s time, if we do get it.
Less than a week ago, Billy Barr issued a memo imposing a new national security auditing function on the FBI.
To enhance the FBI’s existing compliance efforts, the Director of the FBI is taking steps to build a more robust and exacting internal audit capability, including the creation of an office focused on auditing the FBI’s national security activities. To support that effort, I hereby authorize the Director of the FBI to commence the process of establishing, consistent with law and policy, the Office ofInternal Auditing (“OIA”). A separate office devoted to internal auditing and headed by a senior FBI official will ensure that ri gorous and robust auditing, which is an essential ingredient to an effective compliance regime, is canied out. The FBI shall work with the Justice Management Division to make the required reorganization notifications regarding this new office. Once established, OJA shall be led by an Assistant Director who shall have the same reporting chain as the Assistant Director for OIC and the Assistant Director for INSD. The Director of the FBI shall appoint the Assistant Directors for OIC, INSD, and OIA, with the approval of the Deputy Attorney General.
OIC, INSD, and OIA shall be responsible for carrying out the internal compliance functions of the FBI as assigned by the Director of the FBI, who shall ensure that each office does not duplicate responsibilities and is adequately staffed to perform its assigned functions. The Deputy Attorney General and the Assistant Attorney General for Administration shall coordinate with the Director to ensure that those functions are resourced and funded appropriately.
Even though Barr says the newly created OIA won’t overlap with the compliance and inspection functions at FBI, it’s not clear why not. Further, Barr’s memo does not explicitly say why FBI needed a new compliance review for national security cases rather than the existing legal reviews that had conducted such review.
Don’t get me wrong, done correctly, this could be a long-needed reform. It’s not clear it is being done correctly. It seems partly timed to the elections (with a report on implementation due just before then). And DOJ IG — which has, historically, found abundant problems with the functions enumerated here — will not review the efficacy of this until around May 2022.
The Department ofJustice Inspector General has agreed to assess the implementation of this memorandum (“initial assessment”) no sooner than 18 months after the establishment of OIA and to report such assessment, consistent with the Inspector General Act, to the Attorney General, Deputy Attorney General, Director of the FBI, and Assistant Attorney General for National Security. The Inspector General has furt her agreed to conduct a subsequent assessment no later than five years after the initial assessment, and periodically thereafter as determined by the Inspector General, and to report such assessments, consistent with the Inspector General Act, to the Attorney General, Deputy Attorney General, Director of the FBI, and Assistant Attorney General for National Security.
Within 60 days of the date of the Inspector General’s initial assessment, the Director of the FBI shall provide the Attorney General and Deputy Attorney General an assessment of the implementation of this memorandum, including an assessment of the effectiveness of the FBI’s compliance structure and whether compliance functions should be consolidated under an Executive Assistant Director.
Which is to say, this initiative, while it may be long overdue, feels like Barr trying to get ahead of something or somethings.
Billy Barr is an authoritarian. He doesn’t care about surveillance (indeed, he’s the grandfather of the dragnets that Edward Snowden revealed).
But something must have led him to take action to make it look like he cares.
Timeline
March 24-27, 2017: The querying of 70K facilities “associated with” persons who had access to the FBI’s facilities and systems. FBI General Counsel (then run by Jim Baker, who had had these fights in the past) warned against the query, but FBI did it anyway, though did not access the communications. This was likely either a leak or a counterintelligence investigation and appears to have been discovered in a review of existing Insider Threat queries.
December 1, 2017: FBI conducted queries on 6,800 social security numbers.
December 7-11, 2017, the same entity at FBI also queried 1,600 queries on certain identifiers, though claimed they didn’t mean to access raw data.
February 5 and 23, 2018: FBI did approximately 30 queries of potential sources.
February 21, 2018: FBI did 45 queries on people being vetted as sources.
March 27, 2018: Initial 2018 package submitted.
April 5, 2018: Extension order.
Before April 13, 2018: an unspecified FBI unit queried FISA acquired metadata using 57,000 identifiers of people who work in some place.
October 17, 2018: Order finding FBI querying procedures do not comply with FISA.
February 21, 2019: NSA submits notice of Upstream violations.
February 26, 2019: Date after which NSA fixes Upstream violations.
June 2019: Oversight review finds violations of querying rules, including to vet a source, a candidate to be a local cop, and to find information about a planned visit by foreign officials.
June 26, 2019: Notice that CIA assistance to NCTC does not comply with rules.
July 2019: Oversight review finds violations of querying rules, including of college students in a “Collegiate Academy” and individuals who visited an FBI office.
July 12, 2019: FISCR opinion finding that FBI querying procedures do not comply with FISA.
August 2019: Query of 16,000 persons identifies seven leads.
August 12, 2019: FBI submits new querying procedures.
August 23, 2019: NSA complains about post-tasking for some collections.
September 4, 2019: Approval of amended FBI querying procedures.
September 6, 2019: Report of July 2019 query violations.
September 13, 2019: Notice regarding 702 query response showing 100 characters of text surrounding search term.
September 17, 2019: Application submitted, including proposed improvements on targeting procedures.
September 17, 2019: Notice of at least four querying violations involving taking steps to access 702 products without getting a warrant.
September 18, 2019: Report on June 2019 query violations.
September 20, 2019: Reports of other FBI querying violations, including to vet sources, to search on complainants, and to vet potential cops.
September 26, 2019: 45-day report on fulfilling FBI query rules.
October 1, 2019: Review period extended to December 16, 2019 (because of NSA and NCTC compliance issues, not FBI ones).
October 3, 2019: FISC orders further information.
October 4, 2019: FBI requests relief from requirement to report 702 access in response to criminal search.
October 10, 2019: Notice of overly attenuated NSA queries, including content searches using 23 US person identifiers.
October 11, 2019: Notice on FBI violations tied to not opting out of including FISA in searches.
November 4, November 13, 2019: Government provides additional information.
November 8, 2019: 45-day report on fulfilling FBI query rules.
November 14, 2019: Notice on violations tied to not opting out of including FISA in searches.
November 20, 2019: Government tells FISC that they never tried to comply with reporting requirement imposed in October 2018, are instead training their new proposed compliance method.
November 25, 2019: Notice regarding August 2019 mass query.
mid-December 2019: Date FBI promised to impose new record-keeping on FBI’s queries.
January 2020: Date NSA promised to have purged improperly acquired communications.
![[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]](https://www.emptywheel.net/wp-content/uploads/2017/08/NationalSecurityAgency_HQ-FortMeadeMD_Wikimedia.jpg)
