Posts

In Response to NYT Lawsuit, FBI Reclassifies 26 Words

Last week, a number of people hailed the further declassification of DOJ Inspector General’s Report on FBI’s use of Exigent Letters.

That enthusiasm is misplaced, however. What too few people noticed is the thankless work Charlie Savage did to identify what was newly declassified. He had FOIAed the IG Report, which is what set off the declassification review.

In fact, FBI redacted three things that had previously been visible. On page 55/PDF 68, it redacted the title, “Diagram 2.1: Calling Circle or “Community of Interest.” On page 105/PDF 118 they redacted language indicating they use a certain kind of “language” to order what are probably also communities of interest. Finally, on page 207/PDF 220, FBI newly redacted the title, “Chart 4.3 Records for 10 Telephone Numbers Uploaded to FBI Databases With the Longest Periods of Overcollection.”

So the NYT sued the FBI to declassify language that should be declassified, given everything we’ve learned about related programs subsequent to the Snowden leaks, and FBI responded by trying to pretend we don’t know they were getting (and still get, per DOJ IG’s most recently report) call chains from telecoms.

To be fair, FBI did declassify some new stuff. That includes:

  • Roughly 44 uses of some form of the word “search”
  • Roughly 33 uses of some form of “target”
  • Roughly 24 references to years, either 2004 or 2005
  • The names of 3 of a number of journalists whose records had been improperly collected and details of the collection

About the  most interesting declassification was a citation to a Carrie Johnson story, published well over a year before the IG Report came out, describing the collection on those 3 journalists. The IG Report invoked this language in the story…

Mueller called the top editors at The Washington Post and the New York Times to express regret that agents had not followed proper procedures when they sought telephone records under a process that allowed them to bypass grand jury review in emergency cases.

… as evidence to support a footnote, which (except for the reference to Johnson’s article) had been unclassified, explaining,

In addition to the letter, Director Mueller called the editors of the two newspapers to express regret that the FBI agents had not followed proper procedures when they sought the reporters’ telephone records.

That is, they had classified reference to a published news article as S/NF! (Though I suppose it is possible that the fact they were hiding is that Glenn Fine had to read the WaPo to figure out what happened here, because Mueller wasn’t speaking directly to him.)

Congratulations to Carrie Johnson who I guess now classifies as a state secret!

I asked the Savage (and through him, NYT’s lawyer, David McCraw) how the NYT felt about FBI classifying, rather than declassifying language in response to his suit, and he suggested NYT expects DOJ to pay them for their time. “We have incurred no outside counsel fees and anticipate that the government will be required to pay us for the time spent by in-house counsel.”

Still, I think Savage (and FOIA requesters generally) should get finder’s fees every time the government newly classifies stuff years later … impose some kind of fine for stupid overclassification.

Update: Corrected timing on Johnson story which came out in August 2008, so 17 months before the IG Report.

Even as Congress Prepares to Legislate, Intelligence Community Stalling on Section 215 IG Report

I’ve been covering the DOJ Inspector General’s billion-day old review of Section 215.

  • June 2010: Then DOJ IG Glenn Fine lays out investigation
  • June 2013: Transition to Michael Horowitz stalls PATRIOT investigation
  • August 2013: The investigation has been ongoing
  • September 2013: Pat Leahy calls for an IC IG investigation into 215 and 702; IC IG Charles McCullough declines
  • December 2013: Horowitz states current investigation limited by AG/DNI declassification of earlier reports
  • April 2014: The Section 215 review has a baby!

If my calculation is correct, that report has been pending for 1,616 days.

Today, in a report on the most significant challenges faced by the government, the IG explains what happened to the review: it is caught up in declassification review.

Ongoing OIG work, such as our reviews of the Department’s requests for and use of business records under Section 215 of the USA PATRIOT Reauthorization Act and the Department’s use of pen register and trap-and-trace devices under the Foreign Intelligence Surveillance Act (FISA), also address privacy concerns implicated by the use of national security authorities to collect data.  Although the OIG completed both of these reviews months ago, and we have provided classified briefings to Congress regarding them, we have been unable to release the classified reports to Congress or non-classified reports to the public because the classification review being conducted by the intelligence community, which includes the FBI, is still ongoing.

This is craziness! Congress is actively legislating on this topic … tomorrow! There’s also the matter of the secret FBI PRTT program, that I strongly suspect is a location dragnet, which this report likely covers.

But the IC is suppressing a report that has been in the works for over 4 years with a slow declassification review?

Update: From Glenn Fine’s original letter scoping out the review, here’s some of what it includes.

It will examine the number of Section 215 applications filed from 2007 through 2009, how the FBI is using the tool today, and describe any reported improper or illegal uses of the authority. Our review also will examine the progress the FBI has made in addressing recommendations contained in our prior reports that the FBI draft and implement minimization procedures specifically for information collected under Section 215 authority.

We also intend to conduct a programmatic review of the FBI’s use of its pen register and trap and trace authority under the FISA. That part of the review will examine issues such as how the FBI uses the authority to collect information, what the FBI does with the information it collects, and whether there have been any improper or illegal uses of the authority either reported by the FBI or identified by the OIG.

In addition to identifying any improper uses of these authorities (the report should provide some sense of how rigorous the First Amendment review is), it will certainly lay out how FBI has refused to implement minimization procedures are required by law and recommended in DOJ IG’s last Section 215 report (we know this to be the case because the FISC is imposing minimization procedures itself, and requiring compliance reviews).

All that would be rather important to know before extending Section 215 for another 3 years.

The Black Holes in USA Freedumber’s Inspector General Reports

I’m still working on understanding all the crud that is included in the USA Freedumber Act. And for the first time, I have looked really closely at the language on Inspector General Reports, which effectively modifies Section 106 of the 2005 PATRIOT Act Reauthorization. Not only does the language add a DOJ IG Report roughly parallel to the ones mandated for the years through 2006 for 2012 through 2014, but it adds an Intelligence Community IG Report for those 3 years.

I’ve long noted that that seems to leave 2010 and 2011 unexamined. That might be covered in the IG report Pat Leahy requested of the Intelligence Committee IG, Charles McCullough, though the dates are different and McCullough said he didn’t really have the time. So 2010 and 2011 may or may not currently being reviewed; they’re not required to be by the bill, however.

But upon closer review I’m just as interested in some holes the two reports will likely have, in combination.

What I realized when I reviewed the actual language, below, is that USA Freedumber is exploiting the fact that Section 215 was originally written exclusively for the FBI, even if the NSA and CIA and probably a bunch of other agencies are using it too (they’re doing this with minimization procedures elsewhere in the bill, too). Thus, they can leave language that applies specifically to FBI, and pretend that it applies to other agencies.

In practice, that leaves the DOJ IG to investigate general things about Section 215 use, including:

  • any noteworthy facts or circumstances relating to orders under such section, including any improper or illegal use of the authority provided under such section; and

  • the categories of records obtained and the importance of the information acquired to the intelligence activities of the Federal Bureau of Investigation or any other Department or agency of the Federal Government;

So long as FBI retains a role in the application process, it will have access to and can review the categories of records obtained, which is critical because this is one of the ways Congress will learn what those categories are.

But only the DOJ IG assesses whether Section 215 is adhering to law (as opposed to protecting Americanas’ constitutional rights). At one level, I’d much rather have DOJ IG perform this review, because we’ve never seen anything out of the IC IG resembling real oversight. Plus, under Glenn Fine, DOJ’s IG did point to real legal problems with the dragnet (which DOJ largely refused to fix, but which may have led to addition FISC opinions on those subjects). But I have questions whether DOJ’s IG would get enough visibility into what NSA and CIA and other agencies are doing with this data to perform a real review of the legality of it.

Then there are some somewhat parallel things both DOJ’s and IC’s IG would review, including:

  • the importance (IC IG) or effectiveness (DOJ IG) of Section 215

  • the manner in which that information was collected, retained, analyzed, and disseminated by the intelligence community;

  • the minimization procedures used by elements of the intelligence community under such title and whether the minimization procedures adequately protect the constitutional rights of United States persons; and

  • any minimization procedures proposed by an element of the intelligence community under such title that were modified or denied by the FISC

These are all well and good, and there’s the possibility that an IC IG review of how NSA analyzes and disseminates Section 215 data would find any of the most concerning potential practices.

I find the last two things DOJ’s IG would review at FBI but not even at DEA (if DEA uses Section 215), and which the IC IG would not review at all, the most telling.

  • whether, and how often, the Federal Bureau of Investigation used information acquired pursuant to an order under section 501 of such Act to produce an analytical intelligence product for distribution within the Federal Bureau of Investigation, to the intelligence community or to other Federal, State, local, or tribal government Departments, agencies, or instrumentalities; and
  • whether, and how often, the Federal Bureau of Investigation provided such information to law enforcement authorities for use in criminal proceedings

That is, the DOJ IG reports on how often the FBI uses Section 215 for finished intelligence products and how often it serves supports criminal proceedings. But it doesn’t track how often NSA uses Section 215 for finished intelligence products, nor does it track how often NSA uses Section 215 to investigate an American further.

The latter fact — that NSA isn’t counting how many Americans its targets because of Section 215 derived information — is not all that surprising. NSA has worked hard to obscure how many Americans have been sucked up in its analytical maw. Still, if we were serious about providing some transparency to the corporate store — where anyone 2 or 3 degrees from a RAS approved selector can get dumped and subjected to all of NSA’s analytical tradecraft forever — we’d require the IC IG to count this number, too.

And the fact that no one asks NSA and CIA how many finished intelligence reports they’re generating out of Section 215 is problematic both because it doesn’t identify how often NSA and CIA are sharing intelligence with FBI or National Counterterrorism Center or other agencies like DEA (which was one of the big problems with both the phone and Internet dragnet in 2009-10). But it also makes it harder for Congress to get a real understanding of how effective these tools are.

You can’t judge the efficacy of something you don’t measure.

To understand how important this is, consider the discussions about the phone dragnet we’ve had since last year. Everything has been measured in terms of reporting to FBI, which not only doesn’t disclose how many people are stuck in NSA’s maw, but to outsiders made the program look totally useless. We still don’t know precisely how the government is using the phone dragnet, because the data they’ve shared to describe its efficacy is probably not the most significant way it is used.

It seems the intelligence community would like to keep it that way. Read more

David Barron’s ECPA Memo

Last week, I laid out the amazing coinkydink that DOJ provided Sprint a bunch of FISA opinions — including the December 12, 2008 Reggie Walton opinion finding that the phone dragnet did not violate ECPA — on the same day, January 8, 2010, that OLC issued a memo finding that providers could voluntarily turn over phone records in some circumstances without violating ECPA.

Looking more closely at what we know about the opinion, I’m increasingly convinced it was not a coinkydink at all. I suspect that the memo not only addresses FBI’s exigent letter program, but also the non-Section 215 phone dragnet.

As a reminder, we first learned of this memo when, in January 2010, DOJ’s Inspector General issued a report on FBI’s practice of getting phone records from telecom provider employees cohabiting at FBI with little or no legal service. The report was fairly unique in that it was released in 3 versions: the public unclassified but heavily redacted version, a Secret version, and a Top Secret/SCI version. Given how closely parallel the onsite telecom provider program was with the phone dragnet, that always hinted the report may have touched on other issues.

Roughly a year after the IG Report came out, EFF FOIAed the memo (see page 30). Over the course of the FOIA litigation — the DC Circuit rejected their appeal for the memo in January — DOJ provided further detail about the memo.

Here’s how OLC Special Counsel Paul Colborn described the memo (starting at 25):

The document at issue in this case is a January 8, 2010 Memorandum for Valerie Caproni, General Counsel of the Federal Bureau of Investigation (the “FBI”), from David J. Barron, Acting Assistant Attorney General for the Office of Legal Counsel (the “Opinion”). The OLC Opinion was prepared in response to a November 27, 2009 opinion request from the FBI’s General Counsel and a supplemental request from Ms. Caproni dated December 11, 2009. These two requests were made in order to obtain OLC advice that would assist FBI’s evaluation of how it should respond to a draft Report by the Office of Inspector General at the Department of Justice (the “OIG”) in the course of a review by the OIG of the FBI’s use of certain investigatory procedures.In the context of preparing the Opinion, OLC, as is common, also sought and obtained the views of other interested agencies and components of the Department. OIG was aware that the FBI was seeking legal advice on the question from OLC, but it did not submit its views on the question.

The factual information contained in the FBI’s requests to OLC for legal advice concerned certain sensitive techniques used in the context of national security and law enforcement investigations — in particular, significant information about intelligence activities, sources, and methodology.

Later in his declaration, Colborn makes it clear the memo addressed not just FBI, but also other agencies.

The Opinion was requested by the FBI and reflects confidential communications to OLC from the FBI and other agencies. In providing the Opinion, OLC was serving an advisory role as legal counsel to the Executive Branch. In the context of the FBI’s evaluation of its procedures, the general counsel at the FBI sought OLC advice regarding the proper interpretation of the law with respect to information-gathering procedures employed by the FBI and other Executive Branch agencies. Having been requested to provide counsel on the law, OLC stood in a special relationship of trust with the FBI and other affected agencies.

And FBI Record/Information Dissemination Section Chief David Hardy’s declaration revealed that an Other Government Agency relied on the memo too. (starting at 46)

This information was not examined in isolation. Instead, each piece of information contained in the FBI’s letters of November 27, 2009 and December 11, 2009, and OLC’s memorandum of January 8, 2010, was evaluated with careful consideration given to the impact that disclosure of this information will have on other sensitive information contained elsewhere in the United States intelligence community’s files, including the secrecy of that other information.

[snip]

As part of its classification review of the OLC Memorandum, the FBI identified potential equities and interests of other government agencies (“OGAs”) with regard to the OLC memo. … FBI referred the OLC Memo for consultation with those OGAs. One OGA, which has requested non-attribution, affirmatively responded to our consultation and concurs in all of the classification markings.

Perhaps most remarkably, the government’s response to EFF’s appeal even seems to suggest that what we’ve always referred to as the Exigent Letters IG Report is not the Exigent Letters IG Report!

Comparing EFF’s claims (see pages 11-12) with the government’s response to those claims (see pages 17-18), the government appears to deny the following:

  • The Exigent Letters IG Report was the 3rd report in response to reporting requirements of the USA PATRIOT reauthorization
  • FBI responded to a draft of the IG Report by asserting a new legal theory defending the way it had obtained certain phone records in national security investigations, which resulted in the January 8, 2010 memo
  • The report didn’t describe the exception to the statute involved and IG Glenn Fine didn’t recommend referring the memo to Congress
  • In response to a Marisa Taylor FOIA, FBI indicated that USC 2511(2)(f) was the exception relied on by the FBI to say it didn’t need legal process to obtain voluntary disclosure of phone records

Along with these denials, the government reminded that the report “contained significant redactions to protect classified information and other sensitive information.” And with each denial (or non-response to EFF’s characterizations) it “respectfully refer[red] the Court to the January 2010 OIG report itself.”

The Exigent Letters IG Report is not what it seems, apparently.

With all that in mind, consider two more details. First, as David Kris (who was the Assistant Attorney General during this period) made clear in his paper on the phone (and Internet) dragnet, in addition to Section 215, the government obtained phone records from the telecoms under USC 2511(2)(f), the clause in question.

And look at how the chronology maps.

November 5, 2008: OLC releases opinion ruling sneak peak and hot number requests (among other things) impermissible under NSLs

December 12, 2008: Reggie Walton rules that the phone dragnet does not violate ECPA

Throughout 2009: DOJ confesses to multiple violations of Section 215 program, including:

  • An alert function that serves the same purpose as sneak peaks and also violates Section 215 minimization requirements
  • NSA treated Section 215 derived data with same procedures as EO 12333 data; that EO 12333 data included significant US person data
  • One provider’s (which I originally thought was Sprint, then believed was Verizon, but could still be Sprint) production got shut down because it included foreign-to-foreign data (the kind that, according to the OLC, could be obtained under USC 2511(2)(f)

Summer and Fall, 2009: Sprint meets with government to learn how Section 215 can be used to require delivery of “all” customer records

July 9, 2009: Sprint raises legal issues regarding the order it was under; Walton halts production from provider which had included foreign-to-foreign production

October 30, 2009: Still unreleased primary order BR 09-15

November 27, 2009: Valerie Caproni makes first request for opinion

December 11, 2009: Caproni supplements her request for a memo

December 16, 2009: Application and approval of BR 09-19

December 30, 2009: Sprint served with secondary order

January 7, 2010: Motion to unseal records

January 8, 2010: FISC declassifies earlier opinions; DOJ and Sprint jointly move to extend time when Sprint can challenge order; and OLC releases OLC opinion; FISC grants motion (John Bates approves all these motions)

January 11, 2010: DOJ moves (in a motion dated January 8) to amend secondary order to incorporate language on legality; this request is granted the following day (though we don’t get that order)

January 20, 2010: IG Report released, making existence of OLC memo public

This memo is looking less and less like a coinkydink after all, and more and more a legal justification for the provision of foreign-to-foreign records to accompany the Section 215 provision. And while FBI said it wasn’t going to rely on the memo, it’s not clear whether NSA said the same.

Golly. It’d sure be nice if we got to see that memo before David Barron got to be a lifetime appointed judge.

January 8, 2010: A Remarkably Busy Day in Telecom Law

I Con the Record has just released a bunch of new documents, showing how (according to Ellen Nakashima) Sprint challenged a dragnet order, and in response got to see the FISA Court opinions authorizing the program. (Well, not really the telecom opinion; rather they mostly authorize the PRTT program.)

The official story goes like this:

In early 2009, Sprint received an order saying that all customer call records had to be turned over to the government, current and former officials said. Over the summer and fall, the company’s executives met several times with Justice Department officials to understand how Section 215, which compelled companies to turn over records relevant to investigations, could be used to mandate the transfer of all call records.

Dissatisfied with their answers, Sussmann, the Sprint attorney, wrote a detailed petition to challenge the order. In late 2009, shortly before the petition was to be filed, Robert S. Litt, the top intelligence official for the U.S. intelligence community, pressed officials to provide the legal rationale to the company, according to a former administration official.

Intelligence officials then furnished several court rulings, in particular, a 2004 opinion written by Colleen Kollar-Kotelly, then chief judge of the surveillance court, according to the documents released Wednesday. While the opinion related to the collection of e-mail addressing information, the legal rationale was identical.

But there are a few more details I find exceedingly interesting.

First, here’s what the government declassified in response to Sprint’s challenge:

  • Colleen Kollar-Kotelly’s July 24 [14], 2004 opinion (the government is only now admitting the date)
  • Response to Orders for Additional Briefing (it’s unclear whether this is PRTT or phone dragnet, but given the order, I’m guessing PRTT)
  • Opinion (again, it’s unclear whether this is PRTT or phone dragnet)
  • The original application for the dragnet, including all exhibits, and the original dragnet order (note, we’ve not seen all the exhibits)
  • The application, including all exhibits, the Primary Order, and Reggie Walton’s supplemental order finding the phone dragnet did not violate ECPA

That is, not only the opinions authorizing the “relevant to” bullshit used to justify the program, but also the opinion stating that the dragnet did not violate ECPA.

And here’s the other thing I find so interesting. The motion to unseal the records is dated January 7, 2010. The motion for more time, the order granting it, and the order approving the unsealing of the records were all dated January 8, 2010.

January 8, 2010, January 8, 2010, January 8, 2010.

On January 8, 2010, DOJ’s OLC issued an order finding that ECPA permitted telecoms to hand over toll records to the government voluntarily for certain kinds of investigations. OLC wrote that opinion because DOJ Inspector General Glenn Fine had been investigating National Security Letters (and, oh by the way, Section 215) for years, and found big problems, at least, with the paperwork FBI handed 3 telecoms who were living onsite at FBI. We found out about the order almost immediately, when Fine issued his report later that month.

I’ve long suspected that Reggie Walton only considered the ECPA question both because of Fine’s ongoing NSL investigation but, probably, also because of whatever conclusions Fine drew in his examination of the illegal wiretap program (I suspect FISC only considered financial records for the same reason, Fine’s 215 investigation in 2010) and potentially his ongoing investigations of Section 215.

And now we know that just as Fine was raising real questions about the legality of the incestuous record-sharing the government and the telecoms had been engaged in for years (one that’s about to start again with the new “reformed” dragnet), Sprint not only demanded the underlying records authorizing the dragnet, but even the supplemental opinion finding the dragnet didn’t violate ECPA.

Here’s what I wrote 4 years ago about that OLC opinion.

  • As I will explain at length later, this OLC opinion may not relate exclusively to the use of exigent letters, not least because Inspector General Glenn Fine appears worried the FBI will use it prospectively, not just to retroactively rationalize abuses from the past.
  • Fine appears to disagree whether the FBI has represented what it was doing with exigent letters honestly in its request for an opinion to the OLC. This is at least the second time they have done so, Fine alleges, in their attempts to justify these practices. In this case, the dispute may pertain to whose phone records they were, what was included among them, and whether they pertained to an ongoing investigation.
  • My guess is that the OLC opinion addresses whether section 2701 of the Stored Communications Act allows electronic communication providers to voluntarily provide data to someone above and beyond the narrow statutory permission to do so in 2702 and 2709 of the Act.
  • Whatever the loophole FBI is exploiting, it appears to be a use that would have no protections for First Amendment activity, no requirement that the data relate to open investigations, and no minimization or reporting requirements. That is, through its acquisition of this OLC opinion, the FBI appears to have opened up a giant, completely unlimited loophole to access phone data that it could use prospectively (though the FBI claims it doesn’t intend to). Much of Fine’s language here is an attempt to close this loophole.

In January, EFF lost its bid to obtain that memo in the DC Circuit.

Now, what are the chances that Sprint also didn’t get a looksee at the OLC memo authorizing not just what the FISC had approved, but also the violative Section 215 collection that had been in place until early 2009?

What are the chances that that OLC opinion, dated January 8, 2010 and pertaining to ECPA, is unrelated to the decision to declassify the FISC opinion assessing whether the phone dragnet violated ECPA?

Surprise! DOJ IG’s 1,403 Day Old Section 215 Investigation Had a Baby!

As longtime readers know, I have long tracked a DOJ Inspector General investigation into FBI’s use of Section 215 and other PATRIOT Act authorities.

  • June 2010: Then DOJ IG Glenn Fine lays out investigation
  • June 2013: Transition to Michael Horowitz stalls PATRIOT investigation
  • August 2013: The investigation has been ongoing
  • September 2013: Pat Leahy calls for an IC IG investigation into 215 and 702; IC IG Charles McCullough declines
  • December 2013: Horowitz states current investigation limited by AG/DNI declassification of earlier reports

A good healthy obsession!

Since it’s been a while — the investigation is now 1,403 days old — yesterday I decided to nag the IG office.

They were mum on when we might finally see the report. Instead of offering details, they directed me to their new (apparently brand spanking new) “in the interest of transparency” page on their ongoing work.

It shows the long-promised report, still focusing on Section 215 use through 2009, as well as NSLs and pen register.

Use of National Security Letters, Section 215 Orders, and Pen Register and Trap-and-Trace Authorities under FISA from 2007 through 2009

The OIG is again examining the FBI’s use of NSLs and Section 215 orders for business records. This review is assessing the FBI’s progress in responding to the OIG’s recommendations in its first and second reports on the FBI’s use of NSLs and its report on the FBI’s improper use of exigent letters and other informal means to obtain telephone records. A focus of this review is the NSL subsystem, an automated workflow system for NSLs that all FBI field offices and headquarters divisions have been required to use since January 1, 2008, and the effectiveness of the subsystem in reducing or eliminating noncompliance with applicable authorities. The current review is also examining the number of NSLs issued and Section 215 applications filed by the FBI between 2007 and 2009, and any improper or illegal uses of these authorities. In addition, the review is examining the FBI’s use of its pen register and trap-and-trace authority under FISA.

But it also shows a report not mentioned in Michael Horowitz’ last report.

A report on the dragnet.

Bulk Telephony Review

The OIG is reviewing the FBI’s use of information derived from the National Security Agency’s (NSA) collection of telephony metadata obtained from certain telecommunications service providers under Section 215 of the Patriot Act. The review will examine the FBI’s procedures for receiving, processing, and disseminating leads the NSA develops from the metadata, and any changes that have been made to these procedures over time. The review will also examine how FBI field offices respond to leads, and the scope and type of information field offices collect as a result of any investigative activity that is initiated. In addition, the review will examine the role the leads have had in FBI counterterrorism efforts.

In truth, this investigation may not be all that distinct from the known PATRIOT authorities investigation. The minimization procedures for both — and therefore the way the information gets used, an issue central to both investigations — appear to be the same. And to the extent that the number of 215 orders with minimization procedures has been growing since 2010 indicates the FBI is collecting other information in bulk, the programs may well interrelate.

At first, I thought that this investigation, with the very significant exception of the way the dragnet serves to identify informants, might not reveal anything that problematic. Upon review, I’m not so sure. I’ll explain why in a follow-up report.

The one big difference between the two investigations, however (and I’ll discuss this at more length in the follow-up), is that dragnet investigation, unlike the PATRIOT Authority one, appears not to be time delimited. Whereas the older investigation only looks at practices through 2009, the dragnet investigation appears to be examining on-going practices. It seems to be investigating all the 215-related issues identified by Pat Leahy that the IC IG should investigate that come under DOJ’s jurisdiction.

So bad news good news! DOJ is still, 1,403 days later, investigating how the FBI used PATRIOT Act authorities 5 years ago, meaning more recent developments are not getting much attention.

But there is a potentially related investigation looking at what the FBI ingests from the phone dragnet (at least the small part relating to Section 215) right now.

Newly-Released Dragnet Order Suggests Spike in 215 Orders May Include Financial Records

I Con the Record reissued less classified versions of two Section 215 orders: the March 2, 2009 one that sharply restricted the phone dragnet without much new declassified, and the June 22, 2009 one that dealt, in part, with FBI and CIA access to the data in both the Internet and phone dragnet, showing both those parts unclassified in the same order (previously the government had released two separate versions — phone, Internet — with different things declassified).

The only new document was a November 23, 2010 order, modeled closely on a December 12, 2008 one. The earlier one had judged that the Stored Communication Act’s limits on collection did not preclude the use of Section 215 to collect phone records. This one judged that the Right to Financial Privacy Act did not preclude the use of Section 215 to collect financial records. Both opinions basically find that because those laws permit the use of National Security Letters to obtain such records without judicial review, clearly it’s okay to obtain the same records with judicial review under Section 215.

Of course, we know that in the phone context — and so presumably also in the financial records context — the use of Section 215 also entailed bulk, potentially comprehensive collection. While some bulk collection occurred under NSLs, especially for phone records (we know that because that’s the only category of NSL that doesn’t get accounted individually in public records), and while we assume bulk collection occurred under Bush’s illegal program via other means, moving a new kind of record under Section 215 may represent the institutionalization of bulk collections of another type of document.

Aside from revealing that this order pertained to financial records, we don’t know much about the underlying order. The order says the records were provided to the FBI (though WSJ and NYT reported CIA used Section 215 to get money order records). It uses “financial records” in scare quotes, so it is possible it is something beyond just bank records. And the fact that it was stamped by John Bates (then the presiding judge) suggests it may have been regarded as rather significant.

All that said, this opinion doesn’t necessarily mark November 2010 as the date the government started using Section 215 to collect (presumably bulk) financial records. After all, the government collected phone records for over 2 years before answering the seemingly obvious question of whether doing so violated other laws. I suspect they did so in 2008 in response to questions then DOJ Inspector General Glenn Fine kept raising about Section 215. And it is perhaps instructive that Fine was, in November 2010, working on a new Section 215 review, one that has since been delayed, in part by ODNI and DOJ refusal to declassify a number of documents, for 1,371 days.

Perhaps it’s just a remarkable coinkydink, but Fine resigned 6 days after this FISC ruling was issued.

Two more details about this. First, as I have shown, DOJ appears to have been hiding details about Section 215 from Congress during this period, though the only financial records they would have been obliged to disclose were tax records.

In addition, the number Section 215 orders started going up drastically in 2010, along with the number of orders the FISC modified to require minimization procedures.

Nevertheless, the reports show us two new things.

Screen shot 2013-11-22 at 8.52.29 AM

First, while we knew the number of modifications has gone up significantly in the last three years (we now know that many of the modifications in 2009 had to do with phone dragnet violations), the latest reports ODNI released say this:

The FISC modified the proposed orders submitted with forty-three such applications in 2010 (primarily requiring the Government to submit reports describing implementation of applicable minimization procedures).

The FISC modified the proposed orders submitted with 176 such applications in 2011 (requiring the Government to submit reports describing implementation of applicable minimization procedures).

I’ve suggested that 176 modified applications may suggest the government has as many as 44 bulk collection programs, which would be renewed every three months  (or, alternately, a whole lot more specific bulk collection orders).

That is, this rise in what are almost certainly bulk collection orders came around the same time as FISC “Bates-stamped” the collection of financial records with Section 215.

Finally, consider one more thing. Last year, 26 Senators raised concerns about credit card records; last week’s RuppRoge House Intelligence Committee dragnet fix doesn’t prohibit the bulk collection of credit card records (their list, I now realize, is based off the list of sensitive records currently written into Section 215). Credit card records are covered under FRPA.

So while it would be a wildarsed guess, it would not be unreasonable to guess that some of this spike in bulk collection involved credit card records, approved by this November 2010 opinion.

Any bets we’ll finally get that DOJ IG Report on Section 215, showing that’s what they’ve been doing?

When Judge Reggie Walton Disappeared the FBI Director: The Tell that FISC Wasn’t Following the Law

SEN. MIKULSKI: General Clapper, there are 36 different legal opinions.

DIR. CLAPPER: I realize that.

SEN. MIKULSKI: Thirty-six say the program’s constitutional. Judge Leon said it’s not.

Thirty-six “legal opinions” have deemed the dragnet legal and constitutional, its defenders say defensively, over and over again.

But that’s not right — not by a long shot, as ACLU’s Brett Max Kaufman pointed out in a post yesterday. In its report, PCLOB confirmed what I first guessed 4 months ago: the FISA Court never got around to writing an opinion considering the legality or constitutionality of the dragnet until August 29, 2013.

FISC judges, on 33 occasions before then, signed off on the dragnet without bothering to give it comprehensive legal review.

Sure, after the program had been reauthorized 11 times, Reggie Walton considered the more narrow question of whether the program violates the Stored Communications Act (I suspect, but cannot yet prove, that the government presented that question because of concerns raised by DOJ IG Glenn Fine). But until Claire Eagan’s “strange” opinion in August, no judge considered in systematic fashion whether the dragnet was legal or constitutional.

And the thing is, I think FISC judge — now Presiding Judge — Reggie Walton realized around about 2009 what they had done. I think he realized the program didn’t fit the statute.

Consider a key problem with the dragnet — another one I discussed before PCLOB (though I was not the first or only one to do so). The wrong agency is using it.

Section 215 does not authorize the NSA to acquire anything at all. Instead, it permits the FBI to obtain records for use in its own investigations. If our surveillance programs are to be governed by law, this clear congressional determination about which federal agency should obtain these records must be followed.

Section 215 expressly allows only the FBI to acquire records and other tangible things that are relevant to its foreign intelligence and counterterrorism investigations. Its text makes unmistakably clear the connection between this limitation and the overall design of the statute. Applications to the FISA court must be made by the director of the FBI or a subordinate. The records sought must be relevant to an authorized FBI investigation. Records produced in response to an order are to be “made available to,” “obtained” by, and “received by” the FBI. The Attorney General is directed to adopt minimization procedures governing the FBI’s retention and dissemination of the records it obtains pursuant to an order. Before granting a Section 215 application, the FISA court must find that the application enumerates the minimization procedures that the FBI will follow in handling the records it obtains. [my emphasis, footnotes removed]

The Executive convinced the FISA Court, over and over and over, to approve collection for NSA’s use using a law authorizing collection only by FBI.

Which is why I wanted to point out something else Walton cleaned up in 2009, along with watchlists of 3,000 Americans who had not received First Amendment Review. Judge Reggie Walton disappeared the FBI Director.

>>>Poof!<<<

Gone.

The structure of all the dragnet orders released so far (save Eagan’s opinion) follow a similar general structure:

  • An (unnumbered, unlettered) preamble paragraph describing that the FBI Director made a request
  • 3-4 paragraphs measuring the request against the statute, followed by some “wherefore” language
  • A number of paragraphs describing the order, consisting of the description of the phone records required, followed by 2 minimization paragraphs, the first pertaining to FBI and,
  • The second paragraph introducing minimization procedures for NSA, followed by a larger number of lettered paragraphs describing the treatment of the records and queries (this section got quite long during the 2009 period when Walton was trying to clean up the dragnet and remains longer to this day because of the DOJ oversight Walton required)

Here’s how the first three paragraphs looked in the first order and (best as I can tell) the next 11 orders, including Walton’s first order in December 2008:

An application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (the Act), Title 50, United States Code (U.S.C.), § 1861, as amended, requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, the Court finds that:

1. The Director of the FBI is authorized to make an application for an order requiring the production of any tangible thing for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the First Amendment to the Constitution of the United States. [50 U.S.C. § 1861 (c)(1)]

2. The tangible things to be produced are all call-detail records or “telephone metadata” created by [the telecoms]. Telephone metadata includes …

[snip]

3. There are reasonable grounds to believe that the tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12,333 to protect against international terrorism, … [my emphasis]

Here’s how the next order and all (released) following orders start [save the bracketed language, which is unique to this order]:

An verified application having been made by the Director of the Federal Bureau of Investigation (FBI) for an order pursuant to the Foreign Intelligence Surveillance Act of 1978 (FISA), as amended, 50 U.S.C. § 1861, requiring the production to the National Security Agency (NSA) of the tangible things described below, and full consideration having been given to the matters set forth therein, [as well as the government’s filings in Docket Number BR 08-13 (the prior renewal of the above-captioned matter),] the Court finds that:

1. There are reasonable grounds to believe that the tangible things sought are relevant to authorized investigations (other than threat assessments) being conducted by the FBI under guidelines approved by the Attorney General under Executive Order 12333 to protect against international terrorism, …

That is, Walton took out the paragraph — which he indicated in his opinion 3 months earlier derived from the statutory language at 50 U.S.C. § 1861 (c)(1) — pertaining to the FBI Director. The paragraph always fudged the issue anyway, as it doesn’t discuss the FBI Director’s authority to obtain this for the NSA. Nevertheless, Walton seems to have found that discussion unnecessary or unhelpful.

Walton’s March 5, 2009 order and all others since have just 3 statutory paragraphs, which basically say:

  1. The tangible things are relevant to authorized FBI investigations conducted under EO 12333 — Walton cites 50 USC 1861 (c)(1) here
  2. The tangible things could be obtained by a subpoena duces tecum (50 USC 1861 (c)(2)(D)
  3. The application includes an enumeration of minimization procedures — Walton doesn’t cite statute in this May 5, 2009 order, but later orders would cite 50 USC 1861 (c)(1) again

Here’s what 50 USC 1861 (c)(1), in its entirety, says:

(1) Upon an application made pursuant to this section, if the judge finds that the application meets the requirements of subsections (a) and (b), the judge shall enter an ex parte order as requested, or as modified, approving the release of tangible things. Such order shall direct that minimization procedures adopted pursuant to subsection (g) be followed.

And here are two key parts of subsections (a) and (b) — in addition to “relevant” language that has always been included in the dragnet orders.

(a) Application for order; conduct of investigation generally

(1) Subject to paragraph (3), the Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things

[snip]

(2) shall include—

[snip]

(B) an enumeration of the minimization procedures adopted by the Attorney General under subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of Investigation of any tangible things to be made available to the Federal Bureau of Investigation based on the order requested in such application.

FBI … FBI … FBI.

The language incorporated in 50 USC 1861 (c)(1) that has always been cited as the standard judges must follow emphasizes the FBI repeatedly (PCLOB laid out that fact at length in their analysis of the program). And even Reggie Walton once admitted that fact.

And then, following his lead, FISC stopped mentioning that in its statutory analysis altogether.

Eagan didn’t even consider that language in her “strange” opinion, not even when citing the passages (here, pertaining to minimization) of Section 215 that directly mention the FBI.

Section 215 of the USA PATRIOT Act created a statutory framework, the various parts of which are designed to ensure not only that the government has access to the information it needs for authorized investigations, but also that there are protections and prohibitions in place to safeguard U.S. person information. It requires the government to demonstrate, among other things, that there is “an investigation to obtain foreign intelligence information … to [in this case] protect against international terrorism,” 50 U.S.C. § 1861(a)(1); that investigations of U.S. persons are “not conducted solely upon the basis of activities protected by the first amendment to the Constitution,” id.; that the investigation is “conducted under guidelines approved by the Attorney General under Executive Order 12333,” id. § 1861(a)(2); that there is “a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant” to the investigation, id. § 1861(b)(2)(A);14 that there are adequate minimization procedures “applicable to the retention and dissemination” of the information requested, id. § 1861(b)(2)(B); and, that only the production of such things that could be “obtained with a subpoena duces tecum” or “any other order issued by a court of the United States directing the production of records” may be ordered, id. § 1861(c)(2)(D), see infra Part III.a. (discussing Section 2703(d) of the Stored Communications Act). If the Court determines that the government has met the requirements of Section 215, it shall enter an ex parte order compelling production.

This Court must verify that each statutory provision is satisfied before issuing the requested Orders. For example, even if the Court finds that the records requested are relevant to an investigation, it may not authorize the production if the minimization procedures are insufficient. Under Section 215, minimization procedures are “specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” Id. § 1861(g)(2)(A)

Reggie Walton disappeared the FBI Director as a statutory requirement (he retained that preamble paragraph, the nod to authorized FBI investigations, and the perfunctory paragraph on minimization of data provided from NSA to FBI) on March 5, 2009, and he has never been heard from in discussions of the FISC again.

Now I can imagine someone like Steven Bradbury making an argument that so long as the FBI Director actually signed the application, and so long as the FBI had minimization procedures for the as few as 16 tips they receive from the program in a given year, it was all good to use an FBI statute to let the NSA collect a dragnet potentially incorporating all the phone records of all Americans. I can imagine Bradbury pointing to the passive construction of that “things to be made available” language and suggest so long as there were minimization procedures about FBI receipt somewhere, the fact that the order underlying that passive voice was directed at the telecoms didn’t matter. That would be a patently dishonest argument, but not one I’d put beyond a hack like Bradbury.

The thing is, no one has made it. Not Malcolm Howard in the first order authorizing the dragnet, not DOJ in its request for that order (indeed, as PCLOB pointed out, the application relied heavily on Keith Alexander’s declaration about how the data would be used). The closest anyone has come is the white paper written last year that emphasizes the relevance to FBI investigations.

But no one I know of has affirmatively argued that it’s cool to use an FBI statute for the NSA. In the face of all the evidence that the dragnet has not helped the FBI thwart a single plot — maybe hasn’t even helped the FBI catch one Somali-American donating less than $10,000 to al-Shabaab, as they’ve been crowing for months — FBI Director Jim Comey has stated to Congress that the dragnet is useful to the FBI primarily for agility (though the record doesn’t back Comey’s claim).

Which leaves us with the only conclusion that makes sense given the Executive’s failure to prove it is useful at all: it’s not the FBI that uses it, it’s NSA. They don’t want to tell us how the NSA uses it, in part, because we’ll realize all their reassurances about protections for Americans fall flat for the millions of Americans who are 3 degrees away from a potential suspect.

But they also don’t want to admit that it’s the NSA that uses it, because then it’ll become far more clear how patently illegal this program has been from the start.

Better to just disappear the FBI Director and hope no one starts investigating the disappearance.

What Was the Purpose of the Exigent Letter Program?

I’m aiming to have some rough guesses about what kind of bulk collection the FBI might use National Security Letters for (spoiler alert: my wildarseguess is that they’re getting subscriber lists from the same telecoms they’re getting phone dragnet data from).

But first, I want to return to the exigent letter program and consider how it may have complemented the dragnet during the period the dragnet had no court sanction.

As a reminder, starting in 2002, the FBI started getting phone calling records on individual users directly from telecoms using “exigent letters” — basically letters saying they needed the records urgently and promising some kind of legal documentation in the future. In 2003, representatives of the telecoms started moving onsite, so FBI Agents could ask for this information while looking over the representatives’ shoulders. As part of it, the FBI got “community of interest” data (basically, the 3-degrees information the phone dragnet provides) and “hot number” data (an alert when a number was used, which also became part of the phone dragnet). The program spun out of control because FBI often would never go back and provide that paperwork (and also they used it for improper purposes).

In 2006, at the same time the the phone dragnet from the illegal wiretap program was moving to Section 215 orders, FBI was trying to clean up the exigent letter problems with “blanket National Security Letters.” FBI issued the first blanket NSL on May 12, 2006; FISC approved the first Section 215 order on May 24. And while it took until January 2008 for the last telecom personnel to move out of FBI digs, FBI started phasing out the program by imposing new restrictions in 2006.

There’s a lot we don’t know yet about the exigent letters program — and the actions of those telecom personnel camping out at the FBI. That the 2010 IG Report on was produced in TS/SCI, classified, and unclassified versions (the other two NSL IG Reports (2007, 2008) came in classified and unclassified versions) suggests it had some tie to more sensitive counterterrorism programs, quite likely the illegal program.

And to some degree, the onsite telecom personnel were duplicating what we understand NSA to have been doing with phone call records in the illegal wiretap program: tracking activity and establishing 3-degree-of-separation maps around phone identifiers of interest. At least for those FBI Agents who knew of the illegal dragnet, they could get the same information from the NSA, though for FBI Agents it was likely more immediate to go directly to the telecom person and provide requests on post-it notes (as sometimes occurred). Moreover, the FBI could and did quickly check whether queries would be fruitful before they formally queried a number. That means they could use the telecom presence to run contact-chaining on people who were not yet formally identified as terrorist suspects (though that seems to have been possible with the NSA program at that point too).

But the duplicative nature of the program suggests the possibility (particularly given that it started in earnest in May 2003, after the illegal program had gotten started) that the telecom presence was used to launder results back through the telecoms to make them usable for both FISC and other Title III Courts.

One more thing of interest, given my spoiler alert. As far as I understand, the FBI would have access not just to a number’s community of interest, but also to the name of a phone subscriber (or, alternately, immediately be able to learn if a telecom served a particularly person or number). That is, the onsite telecom program provided the FBI with something that the current dragnet, as publicly understood, did not: easy access to contact-chaining, with identities attached.

As I have noted before, DOJ’s Inspector General has said he may be limited in what he presents in his 1,297-day old study of the use of Section 215 through 2009, started under his predecessor (who authored all the other reports), Glenn Fine, unless DOJ will declassify the earlier NSL and Section 215 reports. So there’s clearly a tie between what was done with Section 215 as it moved under FISC review and what had been done earlier with NSLs.

One thing I’m wondering about is whether FBI uses(d) NSLs to accomplish the parts of the previous programs that haven’t been authorized under the use of Section 215.

Will DOJ’s 1,265-Day Old Section 215 Review Be Squelched By Past Classifications?

DOJ’s Inspector General Michael Horowitz released his annual list of challenges today (which includes a focus on prison problems). In his section on national security and civil liberties he spends 4 paragraphs calling for more information sharing before he turns to civil liberties. In that section, he once again promises the report on the use of Section 215 his office has been working on for 1,265 days.

But he adds something new. He suggests this report may be limited by whether or not DOJ and ODNI declassify sections of the past reports.

The OIG’s ongoing reviews also include our third review of the Department’s requests for business records under Section 215 of the Foreign Intelligence Surveillance Act (FISA), as well as our first review of the Department’s use of pen register and trap-and-trace devices under FISA.  Although the full versions of our prior reports on NSLs and Section 215 all remain classified, we have released unclassified versions of these reports, and we have requested that the Department and the Office of the Director of National Intelligence (ODNI) conduct declassification reviews of the full classified versions.  The results of any declassification review may also affect how much information we will be able to publish regarding our pending reviews when they are complete.

As I have noted in the past, the 2008 report includes two appendices on then-secret uses of Section 215, one of which almost certainly pertains to the phone dragnet. In addition, it includes a sharply critical section on DOJ’s failure to institute new minimization procedures specific to Section 215 (which would dramatically affect its use for the phone dragnet).

Now Horowitz is saying that, unless DOJ and ODNI declassify these past reports, he won’t be able to present in unclassified form all the findings in his current report (which covers the period through 2009, and therefore the violations discovered in that year).

Horowitz suggests something similar is going on with DOJ IG’s work on content collection as well. Both a report he did last year on the FISA Amendments Act (which may suggest the FBI has not always abided by its targeting and minimization procedures) and Glenn Fine’s DOJ-specific review on the illegal wiretap program remain classified.

The OIG has also conducted oversight of other programs designed to acquire national security and foreign intelligence information, including the FBI’s use of Section 702 of the FISA Amendments Act (FAA), which authorizes the targeting of non-U.S. persons reasonably believed to be located outside the United States to acquire foreign intelligence information.  The OIG’s 2012 review culminated in a classified report released to the Department and to Congress that assessed, among other things, the number of disseminated FBI intelligence reports containing a reference to a U.S. person identity and the FBI’s compliance with the targeting and minimization procedures required under the FAA.  Especially in light of the fact that Congress reauthorized the FAA for another 5 years last session, we believe the findings and recommendations in our report will be of continuing benefit to the Department as it seeks to ensure the responsible use of this foreign intelligence tool.  This report also was included in our request to the Department and ODNI for a declassification review, as was the full, classified version of our 2009 report on the President’s Surveillance Program, which described certain intelligence-gathering activities that took place prior to the enactment of the FAA. [my emphasis]

Elsewhere, Horowitz alludes to the Snowden leaks. Clearly, much of what appears in the 2009 and 2012 reports has been covered in leaks and releases to Congress. And yet, it seems, someone is stalling the declassification of DOJ IG’s work.

What has DOJ’s IG found that Eric Holder and James Clapper are trying to hide?