Posts

Amid Discussions of FISA Reform, James Boasberg Pushes for Greater Reform

It’s not entirely clear what will happen in a few weeks when several existing FISA provisions expire; there are ongoing discussions about how much to reform FISA in the wake of the Carter Page IG Report. But before anyone passes legislation, they would do well to read the order presiding FISA Judge James Boasberg issued yesterday.

On its face, Boasberg’s order is a response to DOJ’s initial response to FISC’s order to fix the process, Amicus David Kris’ response to that, and DOJ’s reply to Kris. The order ends by citing In re Sealed Case, the 2002 FISCR opinion that limited how much change the FISA Court can demand of DOJ, and “acknowledging that significant change can take time, and recognizing the limits of its authority.” By pointing to In re Sealed Case, Boasberg highlights the limits of what FISC can do without legislation from Congress — and, importantly, it highlights the limits of what FISC could do to improve the process if Bill Barr were to convince Congress that DOJ can fix any problems itself, without being forced to do so by Congress.

After invoking In Re Sealed Case, Boasberg orders reports (due March 27, May 4, May 22, June 30, and July 3) on the progress of a number of improvements. He orders that any DOJ or FBI personnel under disciplinary or criminal review relating to work on FISA applications may not participate in preparing applications for FISC, and he requires additional signoffs on applications, including Section 215 orders, which currently don’t require such affirmations.

Boasberg recognizes that DOJ, not just FBI, needs to change

Remarkably, Boasberg notes what I have — the IG Report provides evidence, its focus on FBI notwithstanding, that some of the blame for the Carter Page application belongs with DOJ, not FBI.

According to the OIG Report, the DOJ attorney responsible for preparing the Page applications was aware that Page claimed to have had some type of reporting relationship with another government agency. See OIG Rpt. at 157. The DOJ attorney did not, however, follow up to confirm the nature of that relationship after the FBI case agent declared it “outside scope.” Id. at 157, 159. The DOJ attorney also received documents that contained materially adverse information, which DOJ advises should have been included in the application. Id. at 169-170. Greater diligence by the DOJ attorney in reviewing and probing the information provided by the FBI would likely have avoided those material omissions.

As a result, Boasberg requires the DOJ attorney signing off on a FISA application to attest to the accuracy of it as well. He also suggests DOJ attorneys “participate in field-office visits to assist in the preparation of FISA applications.”

Boasberg recognizes that DOJ’s existing plan doesn’t address any root cause

Similarly, Boasberg recognizes that if the real problem with the Carter Page FISA applications involved information withheld from the application, improving the Woods procedure won’t fix the problem. In an extended section on oversight, Boasberg strongly suggested that DOJ needs to review whether information was withheld from the application.

Amicus agrees that reviews designed to elicit any pertinent facts omitted from the application, rather than merely verifying the facts that were included, would be extremely valuable, but also recognizes that such in-depth reviews would be extremely resource intensive. See Amicus Letter Br. at 12. He thus recommends that such reviews be conducted periodically at least in some cases and, echoing Samuel Johnson, advises that selection of cases for such reviews should be unpredictable because the possibility that any case might be reviewed “should help concentrate the minds of FBI personnel in all cases.” Id. In its response, the government advised that “it will expand its oversight to include additional reviews to determine whether, at the time an application is submitted to the FISC, there was additional information of which the Government was aware that should have been included and brought to the attention of the Court.” Resp. to Amicus at 13. DOJ advised, however, that given limited personnel to conduct such reviews, it is still developing a process for such reviews and a sampling methodology to select cases for review. ld. The Court sees value in more comprehensive completeness reviews, and random selection of cases to be reviewed should increase that value. As DOJ is still developing the necessary process and methodology, the Court is directing further reporting on this effort.

Amicus also encouraged the Court to require a greater number of accuracy reviews using the standard processes already in place. See Amicus Letter Br. at 12. He believes that the FBI and DOJ have the resources to ensure that auditing occurs in a reasonable percentage of cases and suggested that it might be appropriate to audit a higher percentage of certain types of cases, such as those involving U.S. persons, certain foreign-agent definitions, or sensitive investigative matters. Id. The government did not address Amicus’s recommendation that it increase the number of standard reviews.

Even though accuracy reviews are conducted after the Court has ruled on the application in question, the Court believes that they have some positive effect on future accuracy. In addition to guarding against the repetition of errors in any subsequent application for the same target, they should provide a practical refresher on the level of rigor that should be employed when preparing any FISA application. It is, however, difficult to assess to what extent accuracy reviews contribute to the process as a whole, partly because it is not clear from the information provided how many cases undergo such reviews. The Court is therefore directing further reporting on DOJ’s current practices regarding accuracy reviews, as well as on the results of such reviews.

Finally, the FBI has directed its Office of Integrity and Compliance to work with its Resource Planning Office to identify and propose audit, review, and compliance mechanisms to assess the effectiveness of the changes to the FISA process discussed above. See OIG Rpt. app. 2 at 429. Although the Court is interested in any conclusions reached by those entities, it will independently monitor the government’s progress in correcting the failures identified in the OIG Report.

Again, as I already noted, Boasberg himself found DOJ’s oversight regime inadequate in a 702 opinion written last year. He knows this is insufficient.

But as noted above, all Boasberg can do is order up reports and attestations.

At a minimum, Congress should put legal language behind the oversight he has now demanded twice.

A far better solution, however, would be to provide the oversight on FISA applications that other criminal warrant applications receive: review by defense attorneys in any cases that move to prosecution, which by itself would build in “unpredictabl[y] because the possibility that any case might be reviewed.”

James Boasberg, the presiding judge of the FISA court, issued an order in the middle of a debate about reform that points to several ways FISA should be improved, ways that the he can’t do on his own.

Congress would do well to take note.

FISC Reveals DOJ Has Withdrawn Probable Cause Assertion for Two of Carter Page Applications

The FISA Court just declassified an order — issued on January 7 — revealing that along with the previously released December 9 order listing problems with the Carter Page applications, DOJ also reassessed its previous probable cause assessment.

DOJ assesses that with respect to the applications in Docket Number 17-375 and 17-679, “if not earlier, there was insufficient predication to establish probable cause to believe that [Carter] Page was acting as an agent of a foreign power.”

[snip]

The Court understands the government to have concluded, in view of the material misstatements and omissions, that the Court’s authorizations in Docket Numbers 17-375 and 17-679 were not valid. The government apparently does not take a position on the validity of the authorizations in Docket Numbers 16-1182 and 17-52, but intends to sequester information acquired pursuant to those dockets in the same manner as information acquired pursuant to the subsequent dockets.

The function of this January 7 order is to demand that FBI follow up on a previous agreement to “sequester all collection the FBI acquired pursuant to the Court’s authorizations in the above-listed four docket numbers targeting [Carter] Page pending further review of the OIG Report and the outcome of related investigations and any litigation,” to explain how it is doing so, how it has chased down all information collected pursuant to the Page orders, and why it needs to keep the data at all.

The reason it needs to keep the data, incidentally, is in case it is sued or John Durham decides to prosecute someone (including Kevin Clinesmith, who altered an email that was used as back-up to the final renewal application) or Page decides to sue. Indeed, one of the most unprecedented aspects of this order is that the docket numbers have been declassified, which will make FOIAing the records far easier.

Which is probably what the only substantive redaction remaining in the order pertains to: the possibility that someone will be held liable under FISA for illegal surveillance.

A lot of people are assuming that DOJ took this stance only because Bill Barr wanted to prove that Trump was illegally wiretapped (which would only be true if he was in direct contact with Page, which everyone has denied). That’s certainly possible!

But it’s quite possible that DOJ and FBI feel the need to be proactive on this point and FISC — particularly given the letters it has received from Congress — feels the need to look stern. Moreover, it is in everyone’s interest for DOJ to withdraw at least the last application (the one influenced by Clinesmith’s actions). It’s an important precedent, and there’s no reason Carter Page’s personal data should be floating around the FBI after discovering he was improperly surveilled. This doesn’t mean the FBI didn’t have reason to investigate Page. In a March 23, 2017 interview, after all, Carter Page was quite clear he knew he was being recruited by Russian intelligence officers and he believed the more immaterial non-public information he gives them, the better off we are.

But, first of all, he wasn’t hiding his happiness to share information with Russian spies, meaning he wasn’t acting in the clandestine matter that would merit a FISA order. And by April 2017, it was pretty clear that the Russians had lost all interest in recruiting Page.

In any case, FISC’s demand for what the government is doing with the data is not unusual. Similar things have happened virtually every other time the government did something improper.

There’s one more important lesson, though: Even from the start, people raised questions about whether the applications targeting Page were prudential. By the third application — the first one being withdrawn — there were not only real questions about whether it would yield anything more, but whether Page was central enough to their investigation to want to surveil him. Had the FBI simply not pursued surveillance it questioned whether it really needed, the worst revelations of the IG Report would have been avoided.

So one of the lessons of this whole fiasco is that the FBI would benefit from giving greater consideration about whether its most intrusive methods are necessary.

Useful But Not Sufficient: FBI’s FISA Fix Filing

As one of her last acts as presiding FISA judge, Rosemary Collyer ordered the government to explain how it will ensure the statement of facts in future FISA applications don’t have the same kind of errors laid out in the DOJ IG Report on Carter Page.

THEREFORE, the Court ORDERS that the government shall, no later than January 10, 2020, inform the Court in a sworn written submission of what it has done, and plans to do, to ensure that the statement of facts in each FBI application accurately and completely reflects information possessed by the FBI that is material to any issue presented by the application. In the event that the FBI at the time of that submission is not yet able to perform any of the planned steps described in the submission, it shall also include (a) a proposed timetable for implementing such measures and (b) an explanation of why, in the government’s view, the information in FBI applications submitted in the interim should be regarded as reliable.

DOJ and FBI submitted their response on Friday. (This post lays out new revelations about the FISA process in it.) While I think there are useful fixes, most laid out in FBI Director Chris Wray’s response to the IG Report itself, the fixes are insufficient to fix FISA.

The filing largely focuses on the institution and evolution of the current accuracy review process. It promises to review the memorandum guiding that process (though doesn’t set a deadline for doing so), and adds some forms and training to try to ensure that FBI Agents provide DOJ all the information that the lawyers should include in an application to FISA. One of those forms — pertaining to human sources — seems important though might lead to counterintelligence problems in the future. Another, requiring agents to provide all exculpatory information, may improve the process. But fundamentally, DOJ and FBI assume that the process they currently use just needs to be improved to make sure it works the way they intend it to.

They’re probably insufficient to fix the underlying problems in the Carter Page FISA application.

The FISA Fix Filing is based on faulty assumptions

I say that, first of all, because the FISA Fix Filing adopts certain assumptions from the DOJ IG Report that may not be valid. The FISA Fix Filing assumes that:

  • FBI was responsible for all the errors on the Carter Page application
  • The right people at FBI had the information they needed
  • The Carter Page application was an aberration

The IG Report ignored where DOJ’s National Security Division contributed to errors

As I note in this post, possibly because of institutional scope (DOJ IG cannot investigate DOJ’s prosecutors), possibly because of its own confirmation bias, the IG Report held the FBI responsible for all the information that was known to investigators, but not included in the Carter Page FISA applications. Yet the report showed that at least two of the things it says should have been included in the Page applications — Page’s own denials of a tie with Paul Manafort, and Steele’s own derogatory comments about Sergei Millian — were shared with DOJ’s Office of Intelligence, which writes the applications. Indeed, Rosemary Collyer even noted the latter example in her letter. It also shows DOJ’s National Security Division had confirmed a fact — that Carter Page had no role in the platform change at the RNC — before FBI had.

Because the FISA Fix Filing assumes FBI is responsible for everything mistakenly excluded from the applications, the proposed fixes shift even more responsibility to FBI, requiring agents, with FBI lawyers, to identify the information that should be in an application. But if — as the IG Report shows — sometimes FBI provides the relevant information but it’s not included by the lawyers, then ensuring they provide all the relevant information won’t be sufficient to fix the problem.

The focus on FBI to the detriment of NSD has one other effect. NSD includes few changes to their behaviors in the FISA Fix Filing (largely limited to training and inadequate accuracy reviews). And where they do consider changes, they do not — as ordered by the court — set deadlines for themselves.

The IG Report barely noted the import of the failure to share information in timely fashion

The IG Report deviates radically from almost twenty years of after-action reports that have consistently advocated for more sharing of national security information. It recommends that Bruce Ohr be disciplined for doing just that. Perhaps to sustain that bizarre conclusion, the IG Report focuses almost no attention on an issue that is critical to fixing the problems in the Carter Page applications: ensuring that the people submitting a FISA application have all the information available to the US government. The IG Report showed a 2 month delay before the Crossfire Hurricane team obtained the Steele reports, a month delay in getting feedback from State Department official Kathleen Kavalec, and delays in obtaining the full extent of Bruce Ohr’s knowledge on the dossier, all of which contributed to the delayed vetting of the dossier. But the IG Report doesn’t explore why this happened. And the FBI FISA Fix only addresses it by reminding agents to consult with other agencies.

In another of the 17 problems with the FISA applications, the people submitting the applications apparently did not learn that Christopher Steele had admitted meeting with Yahoo in court filings.

According to the Rule 13 Letter and FBI officials, although there had been open source reporting in May 2017 about Steele’s statements in the foreign litigation, the FBI did not obtain Steele’s court filings until the receipt of Senators Grassley and Graham’s January 2018 letter to DAG Rosenstein and FBI Director Christopher Wray with the filings enclosed. We found no evidence that the FBI made any attempts in May or June 2017 to obtain the filings to assist a determination of whether to change the FBI’s assessment concerning the September 23 news article in the final renewal application.

In other instance (as noted above), while NSD had affirmative knowledge that Carter Page had not been involved in the change to the RNC platform, FBI had a different view, yet this issue was not resolved to fully discount the claim in FISA applications. The IG Report also faults FBI managers (but never NSD ones) for not aggressively questioning subordinates to get a full sense of problems with the applications. All of these are information sharing problems, not errors of transparency. Making the case agent fill out forms about what he or she knows will have only limited effect on ensuring that those agents obtain all the information they need, because if they don’t know it, they won’t know to look for it.

With the Crossfire Hurricane investigation, that problem was exacerbated by the close hold of the investigation (most notably by running the investigation out of Main Justice) and, probably, by the urgency of investigating an ongoing attack while it’s happening, which likely led personnel to focus more on collecting information about the attack than exculpatory information.

The FISA Fix Filing includes a vaguely worded document describing technological improvements — including a workflow document that sounds like bureaucratic annoyance as described — that suggest FBI is considering moving some of this to the cloud.

Corrective Action #11 requires the identification and pursuit of short- and long-term technological improvements, in partnership with DOJ, that aid in consistency and accountability. I have already directed executives in the FBI’s Information Technology Branch leadership to work with our National Security Branch leadership and other relevant stakeholders to identify technological improvements that will advance these goals. To provide one example of a contemplated improvement, the FBI is considering the conversion of the revised FISA Request Form into a workflow document that would require completion of every question before it could be sent to OI. The FBI proposes to update the Court on its progress with respect to this Corrective Action in a filing made by March 27, 2020.

It’s still not clear this would fix the problem (it’s still not clear how Bruce Ohr would have shared the information he had in such a way that he wouldn’t now be threatened with firing for doing so, for example). And for a close hold investigation like this, such a cloud might not work. But it would be an improvement (if FBI could keep it secure, which is a big if).

The FISA Fix Filing does have suggests to improve information sharing. But because the scope of the problem, as defined in the IG Report, doesn’t account for information that simply doesn’t get to the people submitting the application, it’s not clear it will fix that problem.

No one knows whether the Page applications are an aberration or not

Finally, no one yet knows whether the Carter Page application was an aberration, and thus far, no one at DOJ has committed to finding out. DOJ IG has committed to doing an audit of the Woods Procedure process that failed in the Carter Page case (and the FISA Fix Filing committed to respond to any findings from that).

The Government further notes that the OIG is conducting an audit of FBI’s process for the verification of facts included in FISA applications that FBI submits to the Court, including an evaluation of whether the FBI is in compliance with its Woods Procedures requirements. The Department will work with the OIG to address any issues identified in this audit.

Yet everyone involved admits that the most serious problems with the Page applications consisted of information excluded from the application, not inaccurate information in it.

Many of the most serious issues identified by the OIG Report were … [when] relevant information is not contained in the accuracy sub-file and has not been conveyed to the OI attorney.

Doing an audit of the Woods Procedures, then, does not test the conclusion that Page’s applications are an aberration, and therefore does not test whether more substantive fixes are necessary.

DOJ IG has considered doing more — and PCLOB suggested last year they might get involved (though technically, their counterterrorism scope wouldn’t even permit them to look at counterintelligence cases like Page’s) — but thus far there’s no plan in this filing to figure out of this is a broader problem.

The existing oversight for FISA may be inadequate

There are several reasons to believe that the existing oversight regime for FISA may be inadequate.

As noted, the existing IG plan to audit the Woods Procedure is insufficient to identify whether the existing FISA Fix Filing is sufficient to fix the problem. Also as noted above, the jurisdiction of DOJ’s IG, because it cannot review the actions of prosecutors, might not (and in this case, pretty demonstrably did not) adequately review all parts of the process, because it could not subject NSD attorneys to the same scrutiny it did FBI.

Then there are shortcomings to NSD’s oversight regime — shortcomings that Judge James Boasberg — the new presiding FISA Judge and so the just now in charge of overseeing these fixes — already highlighted in an opinion on problems with Section 702 queries.

As the FISA Fix Filing describes, OI (the same office that the IG Report let off when it received information but did not include it in applications) does a certain number of oversight reviews each year. But they don’t do reviews in every FBI field office (to which FBI devolved the FISA application process some years ago), and they don’t do accuracy reviews at every office where they do an oversight review.

OI’s Oversight Section conducts oversight reviews at approximately 25-30 FBI field offices annually. During those reviews, OI assesses compliance with Court-approved minimization and querying procedures, as well as the Court orders. Pursuant to the 2009 Memorandum, OI also conducts accuracy reviews of a subset of cases as part of these oversight reviews to ensure compliance with the Woods Procedures and to ensure the accuracy of the facts in the applicable FISA application. 5 OI may conduct more than one accuracy review at a particular field office, depending on the number ofFISA applications submitted by the office and factors such as whether there are identified cases where errors have previously been reported or where there is potential for use of FISA information in a criminal prosecution. OI has also, as a matter of general practice,_ conducted accuracy reviews of FISA applications for which the FBI has requested affirmative use of FISA-obtained or -derived information in a proceeding against an aggrieved person. See 50U.S.C. §§ 1806(c), 1825(d).

During these reviews, OI attorneys verify that every factual statement in the categories of review described in footnote 5 is supported by a copy of the most authoritative document that exists or, in enumerated exceptions, by an appropriate alternate document. With regard specifically to human source reporting included in an application, the 2009 Memorandum requires that the accuracy sub-file include the reporting that is referenced in the application and further requires that the FBI must provide the reviewing attorney with redacted documentation from the confidential human source sub-file substantiating all factual assertions regarding the source’s reliability and background.

As Boasberg noted in his 702 opinion last year, this partial review may result in problems going unaddressed for years.

Personnel from the Office of Intelligence (OI) within the Department of Justice’s National Security Division (NSD) visit about half of the FBI’s field offices for oversight purposes in a given year. Id at 35 & n 42. Moreover OI understandably devotes more resources to offices that use FISA authorities more frequently, so those offices [redacted] are visited annually, id at 35 n. 42, which necessitates that some other offices go for periods of two years or more between oversight visits. The intervals of time between oversight visits at a given location may contribute to lengthy delays in detecting querying violations and reporting them to the FISC. See, e.g., Jan. 18, 2019, Notice [redacted] had been conducting improper queries in a training context since 2011, but the practice was not discovered until 2017).

Furthermore, OI’s review of a subset of a subset of applications targeting Americans only reviews for things included in the application, not things excluded from it.

OI’s accuracy reviews cover four areas: (1) facts establishing probable cause to believe that the target is a foreign power or an agent of a foreign power; (2) the fact and manner of FBI’s verification that the target uses or is about to use each targeted facility and that property subject to search is or is about to be owned, used, possessed by, or in transit to or from the target; (3) the basis for the asserted U.S. person status of the target(s) and the means of verification; and (4) the factual accuracy of the related criminal matters section, such as types of criminal investigative techniques used (e.g., subpoenas) and dates of pertinent actions in the criminal case.

DOJ admits that this is a problem, and considers doing a check for the kind of information excluded from Carter Page’s applications, but doesn’t commit to doing so and (again, unlike FBI) doesn’t give itself a deadline to do so.

Admittedly, these accuracy reviews do not check for the completeness of the facts included in the application. That is, if additional, relevant information is not contained in the accuracy sub-file and has not been conveyed to the OI attorney, these accuracy reviews would not uncover the problem. Many of the most serious issues identified by the OIG Report were of this nature. Accordingly, OI is considering how to expand at least a subset of its existing accuracy reviews at FBI field offices to check for the completeness of the factual information contained in the application being reviewed. NSD will provide a further update to the Court on any such expansion of the existing accuracy reviews.

Improving these oversight reviews will have a salutary effect on all FISA authorities, not just individualized orders. Since Boasberg has already identified the inadequacies of the current reviews, I would hope he’d ask for at least an improved oversight regime.

Treating alleged subpoenas like they’re not subpoenas

There’s a change promised that I’m unsure about: Chris Wray’s voluntary decision to subject Section 215 and pen register orders to heightened accuracy reviews.

Currently, the accuracy of facts contained in applications for pen register and trap and trace surveillance pursuant to 50 U.S.C. § 1841 , et seq. , or applications for business records pursuant to 50 U.S. C. § 1861 , et seq. , must, prior to submission to the Court, be reviewed for accuracy by the case agent and must be verified as true and correct under penalty ofpeijury pursuant to 28 U.S.C. § 1746 by the Supervisory Special Agent or other designated federal official submitting the application. Historically, the Woods Procedures described herein have not been formally applied by the FBI to applications for pen register and trap and trace surveillance or business records. As discussed in the FBI Declaration, FBI will begin to formally apply accuracy procedures to such applications and proposes to update the Court on this action by March 27, 2020.

FBI has, for years, told the public these are mere grand jury subpoena equivalents, and so the privacy impact is not that great. That Wray thinks these need accuracy reviews suggests they’re more intrusive than that, in which case by all means FBI should add these reviews.

But as I suggested in this post, some of the problems with the Carter Page applications might have been avoided had the Crossfire Hurricane team obtained call records from both Page and George Papadopoulos early in the process, which would not only have confirmed Page’s accurate claim that Paul Manafort never returned his emails (undermining a key claim from the dossier), but it would have revealed Papadopoulos’ interactions with suspect Russian asset Joseph Mifsud, thereby pinpointing where the investigative focus should have been (and making it a lot harder for Papadopoulos to obstruct the investigation in the way he did). The IG Report doesn’t ask why this didn’t happen, but it seems an important question because if the FBI chose not to use ostensibly less intrusive legal process because existing Section 215 applications are not worth the trouble, then making the purportedly less-intrusive applications even more onerous will only lead to a rush to use full FISA, as appears to have happened here.

Further breaking the affiant-officer of the court relationship

One of the more insightful observations from the IG Report described how OI attorneys and FBI agents applying for FISA orders don’t work as closely as prosecutors and agents on a normal case.

NSD officials told us that the nature of FISA practice requires that OI rely on the FBI agents who are familiar with the investigation to provide accurate and complete information. Unlike federal prosecutors, OI attorneys are usually not involved in an investigation, or even aware of a case’s existence, unless and until OI receives a request to initiate a FISA application. Once OI receives a FISA request, OI attorneys generally interact with field offices remotely and do not have broad access to FBI case files or sensitive source files. NSD officials cautioned that even if OI received broader access to FBI case and source files, they still believe that the case agents and source handling agents are better positioned to identify all relevant information in the files.

The proposed FISA fixes seem to derive from this OI viewpoint, that because OI don’t work closely with agents they need to replace cooperation that is often inadequate on normal criminal investigations with a process that has even less cooperation for applications that are supposed to have a higher degree of candor.

The FISA Fix Filing seems to envision FBI lawyers picking up this slack, but especially since DOJ devolved the application process to Field Agents some years ago, it’s not clear, at all, why this would result in better lawyering.

Formalizing the role of FBI attorneys in the legal review process for FISA applications, to include identification of the point at which SES-level FBI OGC personnel will be involved, which positions may serve as the supervisory legal reviewer, and establishing the documentation required for the legal review;

[snip]

Corrective Action #7 requires the formalization of the role of FBI attorneys in the legal review process for FISA applications, to include identification of the point at which SES-level FBI OGC personnel will be involved, which positions may serve as the supervisory legal reviewer, and establishing the documentation required for the legal reviewer. Through this Corrective Action, the FBI seeks to encourage legal engagement throughout the FISA process, while still ensuring that case agents and field supervisors maintain ownership of their contributions.

As it is, the FISA process requires a more senior agent to be the affiant on an application, which in at least one of the Page applications, resulted in someone who had less knowledge of the case making the attestation under penalty of perjury.

It may be that these changes go in the opposite direction from where FISA should go, which would be closer to the criminal warrant model where a judge will have an FBI affiant who anticipates taking the stand at a trial (and therefore needs to retain his or her integrity to avoid damaging the case), and an office of the court signing off on applications (whom judges can sanction directly). That is, by introducing more layers and absolving OI from some of the direct responsibility for the process, these proposed changes may make FISA worse, not better.

Remarkably, the court might consider something far more effective.

On Friday, Boasberg appointed David Kris as amicus for this consideration. Kris literally wrote the book on all this, in addition to writing the 2001 OLC memo that eliminated the wall between the intelligence collected under FISA and the prosecutions that arise out of them. In a recent podcast, he mused that the way to fix all this may be to give defendants review of their applications, something always envisioned by Congress, but something no defendant has done. That — along with a more robust oversight process — seems like it has a better chance of changing the way the FBI and DOJ approach FISA applications than adding a bunch more checklists for the process.

The frothy right is in a lather over Kris’ appointment, which is a testament to how little these people (up to and especially Devin Nunes) understand FISA. But he has the institutional clout to be able to recommend real fixes to FISA, rather than a bunch of paperwork to try to make the Woods Procedure to work the way it’s supposed to.

DOJ could, voluntarily, provide review to more defendants. Alternately, Congress could mandate it in whatever bill reauthorizes Section 215 this year. Or Kris could suggest that’s the kind of thing that should happen.

Update: David Kris submitted his recommendations to Boasberg. Like me, he finds Wray’s plan useful but not sufficient. Like me he notes that the agents doing the investigation should be the ones signing off on affidavits (and he suggests the FISC review more applications until new procedures are in place). Kris also focuses on cultural changes that need to happen.

One thing he doesn’t do is review DOJ’s role (though he does argue that part of this stems from conflict between DOJ and FBI).

He also notes that DOJ has not imposed deadlines for itself.

The Revelations about FISA Bureaucracy in FBI’s FISA Fix Filing

The government submitted the filing ordered by now (thankfully) former FISA presiding Judge Rosemary Collyer on Friday, explaining how it’ll avoid the problems identified in the DOJ IG Report on Carter Page. As I’ll show in a follow-up, I believe the changes — with one possible exception — are worthwhile, if inadequate to the task.

In this post, however, I’d like to lay out what the filing reveals about two aspects of the FISA process that I did not know before.

Other agencies and state and local law enforcement can use FISA: While minimization procedures have revealed that FBI can share FISA information with other agencies, including state and local authorities, this filing reveals those other agencies can serve as the affiant for FISA applications.

Agents from other federal law enforcement agencies or state or local law enforcement officers serving on a Joint Terrorism Task Force with the FBI may, in some cases, act as the declarants for applications submitted by the FBI after reviewing receiving the necessary training. In the case of state or local law enforcement officers, such officers are deputized as Special Deputy United States Marshals for this purpose. (4)

I’ve never heard of this before and there are a whole lot of questions this raises, both about whether non-DOJ agencies are submitting FISA applications (CIA would be unsurprising, but ICE would be alarming and under this administration, not at all crazy), but also about the accountability for people who aren’t Federal employees. How many “Special Deputy United States Marshals” does SDNY have, for example, and was FISA used during the worst excesses of its intelligence program?

The timeline of updates to the Woods Procedures: The filing explains (I’m sure some of this is public, but it’s laid out here as well) that the Woods Procedures have been updated:

  • On February 2, 2006, FBI reminded its agents they need to,”create, maintain, and update a sub-file that contains all materials that document the support for each factual assertion contained in FISA applications.” Given the timing, this change may have been part of the effort to clean up Stellar Wind, which had been used to substantiate FISA applications without notice for the previous five years.
  • On March 24, 2006, DOJ’s OIPR advised the court about the sub-file requirement, though focused especially on ensuring that, “the federal official currently handling the source (or the federal official who is responsible for liaison to another entity who is handling the source) [confirms] that the source remains reliable, and that all material information regarding the reliability of the source is reported accurately in the FISA application.” This would have been the period when the FBI was cleaning up after Katrina Leung, one of the worst double agents in recent history, so may have pertained to her reporting.
  • In February 2009, NSD and FBI together required the FBI to remove any asserted fact for which there is no documentation, and do so retroactively. It also implemented quarterly accuracy reviews that have since been made semi-annual. The Section 215 disclosures in this same time period suggest Bush got sloppy in its last years, so this may have reflected a need to clean that up, too.
  • August 2016. There was an update to the Woods Procedure and 2009 Memorandum in 2016, but the filing doesn’t describe it (or why).

How OI’s accuracy reviews work:

As DOJ has revealed in the past, OI’s Oversight Section does FISA oversight reviews at 25-30  (of the 56) Field offices a year. They review the compliance with minimization and querying procedures, the latter of which only recently got imposed.

In addition, they do an accuracy review of a subset of FISA applications that reviews:

  • The facts establishing probable cause to believe that the target is a foreign power or agent thereof
  • The verification process that the targeted facilities are used by, owned by, possessed by, or in transit to or from the target
  • The basis for the US person status of the target
  • The factual accuracy of the related criminal matters section, such as types of criminal investigative techniques used (e.g., subpoenas) and dates of pertinent actions in the criminal case

As the filing makes clear, “these accuracy reviews do not check for the completeness of the facts included in the application,” which is the real source of the problems identified in the Page application. Right now, OI is “considering” expanding a subset of reviews to check for completeness, but is not committing to doing so.

Two things are of interest here. The definition of FISA “facilities,” has long been of interest, not least because the government likes to pretend it consists mostly of phone numbers and email addresses. Indeed, 2007, FISC approved a broad definition of “facility” that can be used to target suspects of a terrorist group (and, presumably now, other clandestine networks), in large numbers. The language in this bullet all comes from statute, but the use of “about to be used,” would support the kind of monitoring of a new computer or phone we’ve heard of. This language also might support the monitoring of Amazon and bank accounts. The validation of facilities (both to be sure Page was still using them and to sustain FISA coverage to be able to get to new ones) was something important to the renewal process of Page’s FISAs.

The language on criminal matters reveals how the FBI deals with parallel investigations, such as the one that happened with Keith Gartenlaub (where they government used both criminal subpoenas and FISA searches, which ultimately led to a child porn prosecution unrelated to any FISA suspicion). I knew this section existed, but thought it did so just to comply with a statutory requirement, when targeting US persons, that their clandestine activities may involve violating criminal statute. But this language makes it clear that this part of the FISA application also serves to provide notice of such parallel proceedings. Given that the FBI has to declare that they can’t obtain information under FISA via other means, this raises more questions about the degree to which FISA can serve as an additive authority for certain kinds of investigations that will let the FBI use techniques they wouldn’t use otherwise.

The section on OI reviews also reveals that they review FISA applications before information from an application is used in a proceeding against someone picked up in it.

OI has also, as a matter of general practice, conducted accuracy reviews ofFISA applications for which the FBI has requested affirmative use ofFISA-obtained or -derived information in a proceeding against an aggrieved person.

It’s hard to tell whether this is a good thing or a bad thing. That’s because it doesn’t necessarily help the defendant. After all, if the OI review discovers problems with FISA applications, then DOJ would be more likely to parallel construct the prosecution, thereby burying a problematic part of the investigation. And a review at the period when FBI is already considering using it in a proceeding is too late in the process to protect the civil liberties of the person who is aggrieved if there was a problem with the application.

The section describing these reviews also reveals that, “in enumerated exceptions,” the FBI doesn’t have to rely on “the most authoritative document that exists” in the Woods Procedure. A footnote makes clear that one of the areas where the application itself may not include everything in the underlying documentation is human sources, which permits the lawyer submitting the application to ask a human source coordinator to verify the application matches the underlying documentation. Remember that the language about Christopher Steele used in the Carter Page application didn’t come from his handling agent’s assessment, but it came from a serialized intelligence report based off his reporting. That’s not what this describes, but may be one of the reasons the FBI took that shortcut.

The Guy Who Defended Roger Stone’s Campaign Finance Shenanigans Did Not Testify to the Grand Jury

In response to an order from DC Chief Judge Beryl Howell, the government has revealed the two witnesses of interest to Congress who did not testify to the grand jury. The first, Don Jr, should not surprise anyone who has been following closely, as that was clear as soon as the Mueller Report came out.

The other–Don McGahn–is far more interesting, especially since he was interviewed on five different occasions: November 30, December 12, December 14, 2017; March 8, 2018; and February 28, 2019.

Most likely, the reason has to do with privilege, as McGahn’s testimony, more than almost anyone else’s, implicated privilege (in part because many witnesses’ testimony cut off at the transition). McGahn ended up testifying far more than Trump knew, and it’s possible he did that by avoiding a subpoena, but had he been subpoenaed, it would provide the White House opportunity to object.

Elizabeth De la Vega said on Twitter it likely had to do with how valuable McGahn was in his five interviews. By not making him testify to the grand jury, she argued, you avoid creating a transcript that might undermine his credibility in the future. That’s certainly consistent with the Mueller Report statement finding McGahn to be “a credible witness with no motive to lie or exaggerate given the position he held in the White House.” But that reference is footnoted to say, “When this Office first interviewed McGahn about this topic, he was reluctant to share detailed information about what had occurred and only did so after continued questioning.” Plus, while McGahn testified more than any other witness not under a cooperation agreement, Steve Bannon and Hope Hicks testified a bunch of times, too (four and three times respectively), but were almost certainly put before the grand jury.

But there is a different, far more intriguing possibility.

First, remember that Roger Stone was investigated for more than lying to Congress (indeed, just the last four warrants against him, all dating to this year, mentioned just false statements and obstruction). Which crimes got named in which warrants is not entirely clear (this government filing and this Amy Berman Jackson opinion seem to conflict somewhat). Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C), was named in all Stone’s warrants before this year. But at least by August 3, 2018, the warrants against Stone listed a slew of other crimes:

  • 18 U.S.C. § 3 (accessory after the fact)
  • 18 U.S.C. § 4 (misprision of a felony)
  • 18 U.S.C. § 371 (conspiracy)
  • 18 U.S.C. §§ 1505 and 1512 (obstruction of justice)
  • 18 U.S.C. § 1513 (witness tampering)
  • 18 U.S.C. § 1343 (wire fraud)
  • 18 U.S.C. § 1349 (attempt and conspiracy to commit wire fraud)
  • 52 U.S.C. § 30121 (foreign contribution ban)

For whatever reason, the government seems to have decided not to charge CFAA (if, indeed, Stone was the actual target of that investigation). They may have given up trying to charge him for encouraging or acting as an accessory after the fact.

The Mueller Report explains — albeit in mostly redacted form — what happened with the 52 U.S.C. § 30121 investigation. First Amendment and valuation concerns about a prosecution led Mueller not to charge it, even though he clearly seemed to think the stolen emails amounted to an illegal foreign campaign donation.

But that leaves wire fraud and conspiracy to commit wire fraud. During the month of August 2018, DOJ obtained at least 8 warrants relating to Stone including wire fraud. Beryl Howell — who in her order requiring the government unseal McGahn’s name, expressed puzzlement about why Don McGahn didn’t testify before the grand jury — approved at least five of those warrants. Rudolph Contreras approved one and James Boasberg approved two. So apparently, very late in the Stone investigation, three different judges thought there was probable cause Stone and others engaged in wire fraud (or tried to!).

And it’s not just those judges. Roger Stone’s aide, Andrew Miller, was happy to testify about WikiLeaks and Guccifer 2.0. But at least when his subpoena first became public, he wanted immunity to testify about the campaign finance stuff he had done for Stone.

Miller had asked for “some grant of immunity” regarding financial transactions involving political action committees for which he assisted Stone, according to Alicia Dearn, an attorney for Miller.

On that issue, Miller “would be asserting” his Fifth Amendment right to refuse to answer questions, Dearn said.

I’d like to consider the possibility that McGahn, Donald Trump’s campaign finance lawyer before he became White House counsel, was happy to testify about Trump’s attempt to obstruct justice, but less happy to testify about campaign finance issues.

Mind you, McGahn is not one of the personal injury lawyer types that Stone runs his campaign finance shenanigans with. Whatever else he is, McGahn is a professional, albeit an incredibly aggressive one.

That said, there are reasons it’s possible McGahn limited what he was willing to testify about with regards to work with Stone.

At Roger Stone’s trial the government plans (and has gotten permission) to introduce evidence that Stone lied about one additional thing in his HPSCI testimony, one that wasn’t charged but that like one of the charged lies, involves hiding that Stone kept the campaign in the loop on something.

At the pretrial conference held on September 25, 2019, the Court deferred ruling on that portion of the Government’s Notice of Intention to Introduce Rule 404(b) evidence [Dkt. # 140] that sought the introduction of evidence related to another alleged false statement to the HPSCI, which, like the statement charged in Count Six, relates to the defendant’s communications with the Trump campaign. After further review of the arguments made by the parties and the relevant authorities, and considering both the fact that the defendant has stated publicly that his alleged false statements were merely accidental, and that he is charged not only with making individual false statements, but also with corruptly endeavoring to obstruct the proceedings in general, the evidence will be admitted, with an appropriate limiting instruction. See Lavelle v. United States, 751 F.2d 1266, 1276 (D.C. Cir. 1985), citing United States v. DeLoach, 654 F.2d 763 (D.C. Cir. 1980) (given the defendant’s claim that she was simply confused and did not intend to deceive Congress, evidence of false testimony in other instances was relevant to her intent and passed the threshold under Rule 404(b)). The Court further finds that the probative value of the evidence is not substantially outweighed by the danger of unfair prejudice.

A September hearing about this topic made clear that it pertains to what Stone’s PACs were doing.

Assistant U.S. Attorney Michael J. Marando argued that Stone falsely denied communicating with Trump’s campaign about his political-action-committee-related activities, and that the lie revealed his calculated plan to cover up his ties to the campaign and obstruct the committee’s work.

It sounds like Stone cleared up this testimony (Stone sent two letters to HPSCI in 2018, and one of those would have come after Steve Bannon testified about emails that included a Stone demand that Rebekah Mercer provide him funding), which may be why he didn’t get charged on that front.

As I’ve suggested, if Stone was actively trying to deny that the work of his PACs had any interaction with the Trump campaign, it might explain why he threatened to sue me when I laid out how McGahn’s continued work for Trump related to Stone’s voter suppression efforts in 2016.

And remember: when Stone aide Andrew Miller did finally testify — after agreeing to at virtually the moment Mueller announced he was closing up shop — he did so before a new grand jury, after Beryl Howell agreed with prosecutors that they were in search of evidence for charges beyond what Stone had already been indicted on or against different defendants.

McGahn’s campaign finance work for Stone and Trump is one of the things he’d have no Executive Privilege claims to protect (though barring a showing of crime-fraud exception, he would have attorney-client privilege), since it all happened before inauguration.

Again, there are lot of more obvious explanations for why he didn’t testify before the grand jury. But we know that Mueller investigated these campaign finance issues, and we know McGahn was right in the thick of them.

Surveillance Reform Can No Longer Ignore EO 12333

Yesterday, a bunch of civil liberties groups issued a letter calling for FISA 702 reform as part of the Section 215 reauthorization this year. I agree that the reauthorization this year should address the problems with 702 that weren’t addressed last year, though even on FISA, the letter doesn’t go far enough. DOJ IG will soon issue a report partly addressing the Carter Page FISA application, and that will provide an opportunity to push to make reforms to traditional (individual) FISA, such as making it clear that some defendants must get to review the underlying affidavit. Similarly, it doesn’t make sense reforming Section 215’s subpoena function without, at the same time, reforming the subpoena authority that DEA uses for a similar dragnet that undergoes far less oversight, particularly given that Bill Barr is the guy who first authorized that DEA dragnet in his first go-around as authoritarian Attorney General.

But it’s also the case that the surveillance community could — and arguably has an opportunity to — address EO 12333 as well.

The Executive branch has been exploiting the tension between EO 12333 (foreign surveillance that, because it is “foreign,” is conducted under the exclusive authority of Article II) and FISA (“domestic” surveillance overseen by the FISA court) since Dick Cheney launched Stellar Wind on bogus claims the collection on foreign targets in the US amounted to “foreign” surveillance. From 2004 to 2008, Congress moved parts of that under FISA. But at several points since, the government has reacted to FISA restrictions by moving their surveillance under EO 12333, most notably when it moved much of its collection of Internet metadata under EO 12333 in 2012.

Unfortunately, most of the surveillance community and reporters covering such issues have been woefully unaware of even the limited public disclosures on EO 12333 surveillance (which for a time was branded as SPCMA). That made activism around Section 215 far less effective, as few people understood that Section 215 data was and remains just a small part of a larger, duplicative dragnet, and a lot of the claims made about the need for USA Freedom Act didn’t account for precisely what role the Section 215 dragnet played in the larger whole.

As one of its last acts, the Obama Administration institutionalized EO 12333 sharing across intelligence agencies, formalizing what Dick Cheney had been aiming for all along, just before Donald Trump took over.  At least as soon as that happened, the FBI (and other agencies, including but not limited to CIA) obtained a source of content that paralleled (and like the metadata dragnet, surely is significantly duplicative with) Section 702 collection.

That means the Section 702 opinion released last week discusses querying methods that may also be applied, in the same systems, to EO 12333 data. Indeed, one aspect of the querying procedures FBI finally adopted — that queries limited “such that it cannot retrieve unminimized section 702-acquired information” — is the kind of setting that NSA used to re-run queries that returned FISA information so as to return, instead, only EO 12333 data that could be shared under different rules with less oversight. Furthermore, the regime set up under EO 12333, which already includes squishy language about queries “for the purpose of targeting” a US person (suggesting other purposes are permissible), has the same kind of internal approval process that the government wanted to adopt with 702.

If FBI is querying both 702 and EO 12333 raw content in the same queries, it means the standards laid out by James Boasberg in his opinion should apply. Notably, Boasberg wrote at some length about what constituted “reasonable” procedures to govern querying, and under a balancing analysis, found that the procedures in place did not comply with the Fourth Amendment.

Whether the balance of interests ultimately tips in favor of finding the procedures to be inconsistent with the Fourth Amendment is a close question. Reasonableness under the Fourth Amendment does not require perfection. See In Re Directives, 551 F.3d at J 015 (“the fact that there is some potential for error is not a sufficient reason to invalidate” surveillances as unreasonable under the Fourth Amendment). Nonetheless, if “the protections that are in place for individual privacy interests are … insufficient to alleviate the risks of government error and abuse, the scales will tip toward a finding of unconstitutionality.” kl at 1012. Here, there are demonstrated risks of serious error and abuse, and the Court has found the government’s procedures do not sufficiently guard against that risk, for reasons explained above in the discussion of statutory minimization requirements.

By contrast, under the EO 12333 procedures, the only reasonableness review takes place when NSA decides whether to share its SIGINT, which doesn’t include risk of error and abuse.

Reasonableness. Whether approving the request is reasonable in light of all the circumstances known at the time of the evaluation of the request, including but not limited to:

[snip]

e. (U) The likelihood that sensitive U.S. person information (USPI) will be found in the information and, if known, the amount of such information;

f. (U) The potential for substantial harm, embarrassment, inconvenience, or unfairness to U.S. persons if the USPI is improperly used or disclosed;

And that’s with the additional minimization procedures under 702 that are stronger than the dissemination rules under the EO 12333 rules.

There are limits to this. Boasberg based his Fourth Amendment review in statutory considerations, statute that doesn’t yet exist with 12333. He did not determine that the act of querying, by itself, warranted Fourth Amendment protection (though the amici pushed him to do so).

But that shouldn’t stop Congress from requiring that FBI adhere to the same practices of querying with EO 12333 collected data as it does with Section 702 collected data, which would in turn limit the value, to FBI, of engaging in surveillance arbitrage by doing things under EO 12333 that it couldn’t do under 702.

How Twelve Years of Warning and Six Years of Plodding Reform Finally Forced FBI to Do Minimal FISA Oversight

Earlier this week, the government released the reauthorization package for the 2018 Section 702 certificates of FISA. With the release, they disclosed significant legal fights about the way FBI was doing queries on raw data, what we often call “back door searches.” Those fights are, rightly, being portrayed as Fourth Amendment abuses. But they are, also, the result of the FISA Court finally discovering in 2018, after 11 years, that back door searches work like some of us have been saying they do all along, a discovery that came about because of procedural changes in the interim.

As such, I think this is wrong to consider “FISA abuse” (and I say that as someone who was very likely personally affected by the practices in question). It was, instead, a case where the court discovered that FBI using 702 as it had been permitted to use it by FISC was a violation of the Fourth Amendment.

As such, this package reflects a number of things:

  • A condemnation of how the government has been using 702 (and its predecessor PAA) for 12 years
  • A (partial — but thus far by far the most significant one) success of the new oversight mechanisms put in place post-Snowden
  • An opportunity to reform FISA — and FBI — more systematically

This post will explain what happened from a FISA standpoint. A follow-up post will explain why this should lead to questions about FBI practices more generally.

The background

This opinion came about because every year the government must obtain new certificates for its 702 collection, the collection “targeted” at foreigners overseas that is, nevertheless, designed to collect content on how those foreigners are interacting with Americans. Last we had public data, there were three certificates: counterterrorism, counterproliferation, and “foreign government,” which is a too-broadly scoped counterintelligence function. As part of that yearly process, the government must get FISC approval to any changes to its certificates, which are a package of rules on how they will use Section 702. In addition, the court conducts a general review of all the violations reported over the previous year.

Originally, those certificates included proposed targeting (governing who you can target) and minimization (governing what you can do once you start collecting) procedures; last year was the first year the agencies were required to submit querying procedures governing the way agencies (to include NSA, CIA, National Counterterrorism Center, and FBI) access raw data using US person identifiers. The submission of those new querying procedures are what led to the court’s discovery that FBI’s practices violated the Fourth Amendment.

In the years leading up to the 2018 certification, the following happened:

  • In 2013, Edward Snowden’s leaks made it clear that those of us raising concerns about Section 702 minimization since 2007 were correct
  • In 2014, the Privacy and Civil Liberties Oversight Board (which had become operational for the first time in its existence almost simultaneously with Snowden’s leaks) recommended that CIA and FBI have to explain why they were querying US person content in raw data
  • In 2015, Congress passed the USA Freedom Act, the most successful reform of which reflected Congress’ intent that the FISA Court start consulting amicus curiae when considering novel legal questions
  • In 2015, amicus Amy Jeffress (who admitted she didn’t know much about 702 when first consulted) raised questions about how queries were conducted, only to have the court make minimal changes to current practice — in part, by not considering what an FBI assessment was
  • In the 2017 opinion authorizing that year’s 702 package, Rosemary Collyer approved an expansion of back door searches without — as Congress intended — appointing an amicus to help her understand the ways the legal solution the government implemented didn’t do what she believed it did; that brought some (though not nearly enough) attention to whether FISC was fulfilling the intent of Congress on amici
  • In the 2017 Reauthorization (which was actually approved in early 2018), Congress newly required agencies accessing raw data to submit querying procedures along with their targeting and minimization procedures in the annual certification process, effectively codifying the record-keeping suggestion PCLOB had made over two years earlier

When reviewing the reauthorization application submitted in March 2018, Judge James Boasberg considered that new 2017 requirement a novel legal question, so appointed Jonathan Cederbaum and Amy Jeffress, the latter of whom also added John Cella, to the amicus team. By appointing those amici to review the querying procedures, Boasberg operationalized five years of reforms, which led him to discover that practices that had been in place for over a decade violated the Fourth Amendment.

When the agencies submitted their querying procedures in March 2018, all of them except FBI complied with the demand to track and explain the foreign intelligence purpose for US person queries separately. FBI, by contrast, said they already kept records of all their queries, covering both US persons and non-US persons, so they didn’t have to make a change. One justification it offered for not keeping US person-specific records as required by the law is that Congress exempted it from the reporting requirements it imposed on other agencies in 2015, even though FBI admitted that it was supposed to keep queries not just for the public reports from which they argued they were exempted, but also for the periodical reviews that DOJ and ODNI make of its queries for oversight purposes. FBI Director Christopher Wray then submitted a supplemental declaration, offering not to fix the technical limitations they built into their repositories, but arguing that complying with the law via other means would have adverse consequences, such as diverting investigative resources. Amici Cedarbaum and Amy Jeffress challenged that interpretation, and Judge James Boasberg agreed.

The FBI’s querying violations

It didn’t help FBI that in the months leading up to this dispute, FBI had reported six major violations to FISC involving US person queries. While the description of those are heavily redacted, they appear to be:

  • March 24-27, 2017: The querying of 70K facilities “associated with” persons who had access to the FBI’s facilities and systems. FBI General Counsel (then run by Jim Baker, who had had these fights in the past) warned against the query, but FBI did it anyway, though did not access the communications. This was likely either a leak or a counterintelligence investigation and appears to have been discovered in a review of existing Insider Threat queries.
  • December 1, 2017: FBI conducted queries on 6,800 social security numbers.
  • December 7-11, 2017, the same entity at FBI also queried 1,600 queries on certain identifiers, though claimed they didn’t mean to access raw data.
  • February 5 and 23, 2018: FBI did approximately 30 queries of potential sources.
  • February 21, 2018: FBI did 45 queries on people being vetted as sources.
  • Before April 13, 2018: an unspecified FBI unit queried FISA acquired metadata using 57,000 identifiers of people who work in some place.

Note, these queries all took place under Trump, and most of them took place under Trump’s hand-picked FBI Director. Contrary to what some Trump apologists have said about this opinion, it is not about Obama abuse (though it reflects practices that likely occurred under him and George Bush, as well).

These violations made it clear that Congress’ mandate for better record-keeping was merited. Boasberg also used them to prove that existing procedures did not prevent minimization procedure violations because they had not in these instances.

As he was reviewing the violations, Boasberg discovered problems in the oversight of 702 that I had noted before, based off my review of heavily redacted Semiannual Reports (which means they should have been readily apparent to everyone who had direct access to the unredacted reports). For example, Judge Boasberg noted how few of FBI’s queries actually get reviewed during oversight reviews (something I’ve pointed out repeatedly, and which 702 boosters have never acknowledged the public proof of).

As noted above, in 2017 the FBI conducted over three million queries of FISA-acquired information on just one system, [redacted]. See Supplemental FBI Declaration at 6. In contrast, during 2017 NSD conducted oversight of approximately 63,000 queries in [redacted] and 274,000 queries in an FBI system [redacted]. See Gov’t Response at 36.

Personnel from the Office of Intelligence (OI) within the Department of Justice’s National Security Division (NSD) visit about half of the FBI’s field offices for oversight purposes in a given year. Id at 35 & n 42. Moreover OI understandably devotes more resources to offices that use FISA authorities more frequently, so those offices [redacted] are visited annually, id at 35 n. 42, which necessitates that some other offices go for periods of two years or more between oversight visits. The intervals of time between oversight visits at a given location may contribute to lengthy delays in detecting querying violations and reporting them to the FISC. See, e.g., Jan. 18, 2019, Notice [redacted] had been conducting improper queries in a training context since 2011, but the practice was not discovered until 2017).

He also noted that the records on such queries don’t require contemporaneous explanation from the Agent making the query, meaning any review of them will not find problems.

The FBI does not even record whether a query is intended to return foreign-intelligence information or evidence of crime. See July 13, 2018, Proposed Tr. at 14 (DOJ personnel “try to figure out” from FBI query records which queries were run for evidence of crime purposes). DOJ personnel ask the relevant FBI personnel to recall and articulate the bases for selected queries. Sometimes the FBI personnel report they cannot remember. See July 9, 2018, Notice.

Again, I noted this in the past.

In short, as Boasberg was considering Wray’s claim that the FBI didn’t need the record-keeping mandated by Congress, he was discovering that, in fact, FBI needs better oversight of 702 (something that should have been clear to everyone involved, but no one ever listens to my warnings).

FISC rules the querying procedures do not comply with the law or Fourth Amendment

In response to Boasberg’s demand, FBI made several efforts to provide solutions that were not really solutions.

The FBI’s first response to FISC’s objections was to require General Counsel approval before accessing the result of any “bulk” queries like the query that affected 70K people — what it calls “categorical batch queries.”

Queries that are in fact reasonably likely to return foreign-intelligence information are responsive the government’s need to obtain and produce foreign-intelligence information, and ultimately to disseminate such information when warranted. For that reason, queries that comply with the querying standard comport with § 1801 (h), even insofar as they result in the examination of the contents of private communications to or from U.S. persons. On the other hand, queries that lack a sufficient basis are not reasonably related to foreign intelligence needs and any resulting intrusion on U.S. persons’ privacy lacks any justification recognized by§ 1801 (h)(l). Because the FBI procedures, as implemented, have involved a large number of unjustified queries conducted to retrieve information about U.S. persons, they are not reasonably designed, in light of the purpose and technique of Section 702 acquisitions, to minimize the retention and prohibit the dissemination of private U.S. person information.

But Boasberg was unimpressed with that because the people who’d need to consult with counsel would be the most likely not to know they did need to do so.

He also objected to FBI’s attempt to give itself permission to use such queries at the preliminary investigation phase (before then, FBI was doing queries at the assessment stage).

The FBI may open a preliminary investigation with even less of a factual predicate: “on the basis of information or an allegation indicating the existence of a circumstance” described in paragraph a. orb. above. Id. § II.B.4.a.i at 21 (emphasis added). A query using identifiers for persons known to have had contact with any subject of a full or preliminary investigation would not require attorney approval under § IV.A.3, regardless of the factual basis for opening the investigation or how it has progressed since then.

Boasberg’s Fourth Amendment analysis was fairly cautious. Whereas amici pushed for him to treat the queries as separate Fourth Amendment events, on top of the acquisition (which would have had broad ramifications both within FISA practice and outside of it), he instead interpreted the new language in 702 to expand the statutory protection under queries, without finding queries of already collected data a separate Fourth Amendment event.

Similarly, both Boasberg and the amici ultimately didn’t push for a written national security justification in advance of an actual FISA search. Rather, they argued FBI had to formulate such a justification before accessing the query returns (in reality, many of these queries are automated, so it’d be practically impossible to do justifications before the fact).

Boasberg nevertheless required the FBI to at least require foreign intelligence justifications for queries before an FBI employee accessed the results of queries.

The FBI was not happy. Having been told they have to comply with the clear letter of the law, they appealed to the FISA Court of Review, adding apparently new arguments that fulfilling the requirement would not help oversight and that the criminal search requirements were proof that Congress didn’t intend them to comply with the other requirements of the law. Like Boasberg before them, FISCR (in a per curium opinion from the three FISCR judges, José Cabranes, Richard Tallman, and David Sentelle) found that FBI really did need to comply with the clear letter of the law.

The FBI chose not to appeal from there (for reasons that go beyond this dispute, I suspect, as I’ll show in a follow-up). So by sometime in December, they will start tracking their backdoor searches.

FBI tried, but failed, to avoid implementing a tool that will help us learn what we’ve been asking

Here’s the remarkable thing about this. Something like this has been coming for two years, and FBI is only now beginning to comply with the requirement. That’s probably not surprising. Neither the Director of National Intelligence (which treated its intelligence oversight of FBI differently than it did CIA or NSA) nor Congress had demanded that FBI, which can have the most direct impact on someone’s life, adhere to the same standards of oversight that CIA and NSA (and an increasing number of other agencies) do.

Nevertheless, 12 years after this system was first moved under FISA (notably, two key Trump players, White House Associate Counsel John Eisenberg and National Security Division AAG John Demers were involved in the original passage), we’re only now going to start getting real information about the impact on Americans, both in qualitative and quantitative terms. For the first time,

  • We will learn how many queries are done (the FISC opinion revealed that just one FBI system handles 3.1 million queries a year, though that covers both US and non US person queries)
  • We will learn that there are more hits on US persons than previously portrayed, which leads to those US persons to being investigated for national security or — worse — coerced to become national security informants
  • We will learn (even more than we already learned from the two reported queries that this pertained to vetting informants) the degree to which back door searches serve not to find people who are implicated in national security crimes, but instead, people who might be coerced to help the FBI find people who are involved in national security crimes
  • We will learn that the oversight has been inadequate
  • We will finally be able to measure disproportionate impact on Chinese-American, Arab, Iranian, South Asian, and Muslim communities
  • DOJ will be forced to give far more defendants 702 notice

Irrespective of whether back door searches are themselves a Fourth Amendment violation (which we will only now obtain the data to discuss), the other thing this opinion shows is that for twelve years, FISA boosters have been dismissing the concerns those of us who follow closely have raised (and there are multiple other topics not addressed here). And now, after more than a decade, after a big fight from FBI, we’re finally beginning to put the measures in place to show that those concerns were merited all along.

Behold, BR 15-24, the Longest-Serving Phone Dragnet Order Ever

By my calculation today marks the 91st day of the life of phone dragnet order BR 15-24, making it the longest running dragnet order ever. Though the order offered no explanation, FISC judge James Boasberg approved a 95-day expiration for this order back on February 26 so the dragnet order expiration would coincide with PATRIOT Act’s sunset.

It probably seemed wise at the time, but it definitely exacerbates the impact of Mitch McConnell’s miscalculation last week, as it means there’s is no grace period after the current order expires.

The 90-day renewals appear to arise out of both the Stellar Wind practice and the FISA Pen Register practice. Under the former, the Bush Administration reviewed the dragnet every 45 days to make sure it was still necessary and give it the appearance of oversight. (The renewal dates appear on this timeline.) When FISC approved the use of the Pen Register statute to collect the Internet dragnet, it adhered to that statute’s renewal process, which requires 90-day renewals. I assume the phone dragnet adopted the same, even though Section 215 has no renewal requirement, because the phone dragnet collected even more data than the Internet dragnet did.

So already, we’re a day longer than the spirit of the law should permit, four days before Sunday’s scheduled resolution (or lack thereof) of the current impasse.

Given Charlie Savage’s account, it appears the Administration did not — as ordered by Boasberg — brief the FISC on the impact of the 2nd Circuit decision if it would change the program. Rather, they’re just hiding out, hoping they don’t need to raise this or any other issue with regards to the dragnet with the FISC.

The Foreign Intelligence Surveillance Court had given the government a deadline of last Friday to file a new application to extend the bulk phone records program for 90 days. Given the disarray in the Senate and the looming deadline, the Justice Department did not file, the official said, speaking on condition of anonymity to discuss intelligence-related matters.

[snip]

The administration is holding to its decision not to invoke the grandfather clause to keep collecting bulk phone records past next Monday, the official said. But the government has not ruled out invoking such a clause for using the business records provision — as well as the other two powers that are expiring — to gather specific records for more routine investigations.

“We will not use the grandfather clause in the Patriot Act to continue the bulk metadata collection program; it would not be tenable for us to do so,” the senior official said.

“Thus, because of the pending sunset of the current authority, we have not filed an application with the FISA court to continue collection,” the official said, referring to the Foreign Intelligence Surveillance Act court, also known as FISC.

The official added, “We will consider, in light of our national security needs and the status of our authorities, whether to make an appropriate filing with the FISC about accessing previously collected metadata.”

[snip]

The administration is hoping to avoid any need to go to the court for permission to query already-acquired bulk phone data, which would raise additional legal complications.

But one plan being floated — Dianne Feinstein’s non-compromise compromise — would simply permit the FISC to extend the current order until a year after whenever her bill might be passed into law (which couldn’t be Sunday night), as if nothing had ever happened.

CONTINUED APPLICABILITY.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, the order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26, 2015, in Docket No. BR 15–24, may be extended by order of that court until the effective date established in subsection (a) [that is, one year after the passage of this bill]

In other words, Feinstein proposes to take a dragnet collecting the phone records of all Americans, and extend it for an entire year, when even a Pen Register targeting an individual would need to be formally renewed.

How the Second Circuit, FISC, and the Telecoms Might Respond to McConnell’s USA F-ReDux Gambit

Update: Jennifer Granick (who unlike me, is a lawyer) says telecoms will be subject to suit if they continue to comply with dragnet orders. 

Any company that breaches confidentiality except as required by law is liable for damages and attorneys’ fees under 47 U.S.C. 206. And there is a private right of action under 47 U.S.C. 207.

Note that there’s no good faith exception in the statute, no immunity for acting pursuant to court order. Rather, the company is liable unless it was required by law to disclose. So Verizon could face a FISC 215 dragnet order on one side and an order from the Southern District of New York enjoining the dragnet on the other. Is Verizon required by law to disclose in those circumstances? If not, the company could be liable. And did I mention the statute provides for attorneys’ fees?

Everything is different now than it was last week. Reauthorization won’t protect the telecoms from civil liability. It won’t enable the dragnet. As of last Thursday, the dragnet is dead, unless a phone company decides to put its shareholders’ money on the line to maintain its relationships with the intelligence community.

Last night, Mitch McConnell introduced a bill for a 2-month straight reauthorization of the expiring PATRIOT provisions as well as USA F-ReDux under a rule that bypasses Committee structure, meaning he will be able to bring that long-term straight reauthorization, that short term one, or USA F-ReDux to the floor next week.

Given that a short term reauthorization would present a scenario not envisioned in Gerard Lynch’s opinion ruling the Section 215 dragnet unlawful, it has elicited a lot of discussion about how the Second Circuit, FISC, and the telecoms might respond in case of a short term reauthorization. But these discussions are almost entirely divorced from some evidence at hand. So I’m going to lay out what we know about both past telecom and FISA Court behavior.

Because of the details I lay out below, I predict that so long as Congress looks like it is moving towards an alternative, both the telecoms and the FISC will continue the phone dragnet in the short term, and the Second Circuit won’t weigh in either.

The phone dragnet will continue for another six months even under USA F-ReDux

As I pointed out here, even if USA F-ReDux passed tomorrow, the phone dragnet would continue for another 6 months. That’s because the bill gives the government 180 days — two dragnet periods — to set up the new system.

(a) IN GENERAL.—The amendments made by sections 101 through 103 shall take effect on the date that is 180 days after the date of the enactment of this Act.

(b) RULE OF CONSTRUCTION.—Nothing in this Act shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 24 1861 et seq.) as in effect prior to the effective date described in subsection (a) during the period ending on such effective date.

The Second Circuit took note of USA F-ReDux specifically in its order, so it would be hard to argue that it doesn’t agree Congress has the authority to provide time to put an alternative in place. Which probably means (even though I oppose Mitch’s short-term reauth in most scenarios) that the Second Circuit isn’t going to balk — short of the ACLU making a big stink — at a short term reauth for the purported purpose of better crafting a bill that reflects the intent of Congress. (Though the Second Circuit likely won’t look all that kindly on Mitch’s secret hearing the other day, which violates the standards of debate the Second Circuit laid out.)

Heck, the Second Circuit waited 8 months — and one failed reform effort — to lay out its concerns about the phone dragnet’s legality that were, in large part, fully formed opinions at least September’s hearing. The Second Circuit wants Congress to deal with this and they’re probably okay with Congress taking a few more months to do so.

FISC has already asked for briefing on any reauthorization

A number of commentators have also suggested that the Administration could just use the grandfather clause in the existing sunset to continue collection or might blow off the Appeals Court decision entirely.

But the FISC is not sitting dumbly by, oblivious to the debate before Congress and the Courts. As I laid out here, in his February dragnet order, James Boasberg required timely briefing from the government in each of 3 scenarios:

  • A ruling from an Appellate Court
  • Passage of USA F-ReDux introduces new issues of law that must be considered
  • A plan to continue production under the grandfather clause

And to be clear, the FISC has not issued such an order in any of the publicly released dragnet orders leading up to past reauthorizations, not even in advance of the 2009-2010 reauthorizations, which happened at a much more fraught time from the FISC’s perspective (because FISC had had to closely monitor the phone dragnet production for 6 months and actually shut down the Internet dragnet in fall 2009). The FISC clearly regards this PATRIOT sunset different than past ones and plans to at least make a show of considering the legal implications of it deliberately.

FISC does take notice of other courts

Of course, all that raises questions about whether FISC feels bound by the Second Circuit decision — because, of course, it has its very own appellate court (FISCR) which would be where any binding precedent would come from.

There was an interesting conversation on that topic last week between (in part) Office of Director of National Intelligence General Counsel Bob Litt and ACLU’s Patrick Toomey (who was part of the team that won the Second Circuit decision). That conversation largely concluded that FISC would probably not be bound by the Second Circuit, but Litt’s boss, James Clapper (one of the defendants in the suit) would be if the Second Circuit ever issued an injunction.

Sunlight Foundation’s Sean Vitka: Bob, I have like a jurisdictional question that I honestly don’t know the answer to. The Court of Appeals for the Second Circuit. They say that this is unlawful. Obviously there’s the opportunity to appeal to the Supreme Court. But, the FISA Court of Review is also an Appeals Court. Does the FISC have to listen to that opinion if it stands?

Bob Litt: Um, I’m probably not the right person to ask that. I think the answer is no. I don’t think the Second Circuit Court of Appeals has direct authority over the FISA Court. I don’t think it’s any different than a District Court in Idaho wouldn’t have to listen to the Second Circuit’s opinion. It would be something they would take into account. But I don’t think it’s binding upon them.

Vitka: Is there — Does that change at all given that the harms that the Second Circuit acknowledged are felt in that jurisdiction?

Litt: Again, I’m not an expert in appellate jurisdiction. I don’t think that’s relevant to the question of whether the Second Circuit has binding authority over a court that is not within the Second Circuit. I don’t know Patrick if you have a different view on that?

Third Way’s Mieke Eoyang: But the injunction would be, right? If they got to a point where they issued an injunction that would be binding…

Litt: It wouldn’t be binding on the FISA Court. It would be binding on the persons who received the —

Eoyong: On the program itself.

Patrick Toomey: The defendants in the case are the agency officials. And so an injunction issued by the Second Circuit would be directed at those officials.

But there is reason to believe — even beyond FISC’s request for briefing on this topic — that FISC will take notice of the Second Circuit’s decision, if not abide by any injunction it eventually issues.

That’s because, twice before, it has even taken notice of magistrate judge decisions.

The first known example came in the weeks before the March 2006 reauthorization of the PATRIOT Act would go into effect. During 2005, several magistrate judges had ruled that the government could not add a 2703(d) order to a pen register to obtain prospective cell site data along with other phone data. By all appearances, the government was doing the same with the equivalent FISA orders (this application of a “combined” Business Record and Pen Register order is redacted in the 2008 DOJ IG Report on Section 215, but contextually it’s fairly clear this is close to what happened). Those magistrate decisions became a problem when, in 2005, Congress limited Section 215 order production to that which could be obtained with a grand jury subpoena. Effectively, the magistrates had said you couldn’t get prospective cell site location with just a subpoena, which therefore would limit whether FBI could get cell site location with a Section 215 order.

While it is clear that FISC required briefing on this point, it’s not entirely clear what FISC’s response was. For a variety of reasons, it appears FISC stopped these combined application sometime in 2006 — the reauthorization went into effect in March 2006 — though not immediately (which suggests, in the interim, DOJ just found a new shell to put its location data collection under).

The other time FISC took notice of magistrate opinions pertained to Post Cut Through Dialed Digits (those are the things like pin and extension numbers you dial after your call or Internet connection has been established). From 2006 through 2009, some of the same magistrates ruled the government must set its pen register collection to avoid collecting PCTDD. By that point, FISC appears to have already ruled the government could collect that data, but would have to deal with it through minimization. But the FISC appears to have twice required the government to explain whether and how its minimization of PCTDD did not constitute the collection of content, though it appears that in each case, FISC permitted the government to go on collecting PCTDD under FISA pen registers. (Note, this is another ruling that may be affected by the Second Circuit’s focus on the seizure, not access, of data.)

In other words, even on issues not treating FISC decisions specifically, the FISC has historically taken notice of decisions made in courts that have no jurisdiction over its decisions (and in one case, FISC appears to have limited government production as a result). So it would be a pretty remarkable deviation from that past practice for FISC to completely blow off the Second Circuit decision, even if it may not feel bound by it.

Verizon responds to court orders, but in half-assed fashion

Finally, there’s the question of how the telecoms will react to the Second Circuit decision. And even there, we have some basis for prediction.

In January 2014, after receiving the Secondary Order issued in the wake of Judge Richard Leon’s decision in Klayman v. Obama that the dragnet was unconstitutional, Verizon made a somewhat half-assed challenge to the order.

Leon issued his decision December 16. Verizon did not ask the FISC for guidance (which makes sense because they are only permitted to challenge orders).

Verizon got a new Secondary Order after the January 3 reauthorization. It did not immediately challenge the order.

It only got around to doing so on January 22 (interestingly, a few days after ODNI exposed Verizon’s role in the phone dragnet a second time), and didn’t do several things — like asking for a hearing or challenging the legality of the dragnet under 50 USC 1861 as applied — that might reflect real concern about anything but the public appearance of legality. (Note, that timing is of particular interest, given that the very next day, on January 23, PCLOB would issue its report finding the dragnet did not adhere to Section 215 generally.)

Indeed, this challenge might not have generated a separate opinion if the government weren’t so boneheaded about secrecy.

Verizon’s petition is less a challenge of the program than an inquiry whether the FISC has considered Leon’s opinion.

It may well be the case that this Court, in issuing the January 3,2014 production order, has already considered and rejected the analysis contained in the Memorandum Order. [redacted] has not been provided with the Court’s underlying legal analysis, however, nor [redacted] been allowed access to such analysis previously, and the order [redacted] does not refer to any consideration given to Judge Leon’s Memorandum Opinion. In light of Judge Leon’s Opinion, it is appropriate [redacted] inquire directly of the Court into the legal basis for the January 3, 2014 production order,

As it turns out, Judge Thomas Hogan (who will take over the thankless presiding judge position from Reggie Walton next month) did consider Leon’s opinion in his January 3 order, as he noted in a footnote.

Screen Shot 2014-04-28 at 10.49.42 AM

And that’s about all the government said in its response to the petition (see paragraph 3): that Hogan considered it so the FISC should just affirm it.

Verizon didn’t know that Hogan had considered the opinion, of course, because it never gets Primary Orders (as it makes clear in its petition) and so is not permitted to know the legal logic behind the dragnet unless it asks nicely, which is all this amounted to at first.

Ultimately, Verizon asked to see proof that FISC had considered Leon’s decision. But it did not do any of the things people think might happen here — it did not immediately cease production, it did not itself challenge the legality of the dragnet, and it did not even ask for a hearing.

Verizon just wanted to make sure it was covered; it did not, apparently, show much concern about continued participation in it.

And this is somewhat consistent with the request for more information Sprint made in 2009.

So that’s what Verizon would do if it received another Secondary Order in the next few weeks. Until such time as the Second Circuit issues an injunction, I suspect Verizon would likely continue producing records, even though it might ask to see evidence that FISC had considered the Second Circuit ruling before issuing any new orders.

Did the Government Comply with FISC Requirement of Notice on Appellate Decision

I’m prepping a post on how all the various deadlines over the next several weeks will work together. So I’ve been reviewing the instructions James Boasberg laid out in the most recent dragnet order, which he signed on February 26.

First, Boasberg reminded the government — which had turned in its homework late in February — that FISC gets a week to consider any application. That means they need the next application by May 22.

Remember, the House breaks for Memorial Day on May 21 (that is, they’re not scheduled to be in session on May 22) and the Senate breaks on May 22.

The government will almost certainly have to submit a new dragnet order by May 22. That’s because USA F-ReDux allows bulk collection to continue for 6 months as it sets up PRISM-lite for provider compliance. But as I understand it, the new dragnet order has to happen under USA F-ReDux, not PATRIOT.

That may shave one day off the legislative schedule.

More interesting is Boasberg’s order that if any of the three appellate court reviewing the dragnet issues an opinion “prior to the expiration of this Order, the government is directed to inform the Court promptly if the government’s implementation of this Order has changed as a result of such opinion(s).”

Now, in actually, the government might only have to send a short note saying, “the Second Circuit ruled, told us this is unlawful, but also did not issue an injunction because Congress is about to act on it.” But they have to send some kind of notice, per this order.

Did they?