Back in January, I noted that both the President’s Review Group and those behind the Leahy-Sensenbrenner USA Freedom Act seemed very concerned that the government is using NSLs to conduct bulk collection (which is the term I used, based off the fact that both made parallel changes to Section 215 and NSL collection). Both required (recommended, in the case of PRG) that the government fix that by requiring that NSL’s including language asserting that the particular information sought has a tie to the investigation in question, and some limits on the amount of information collected.
Here’s how the PRG phrased it.
Recommendation 2 We recommend that statutes that authorize the issuance of National Security Letters should be amended to permit the issuance of National Security Letters only upon a judicial finding that:
(1) the government has reasonable grounds to believe that the particular information sought is relevant to an authorized investigation intended to protect “against international terrorism or clandestine intelligence activities” and
(2) like a subpoena, the order is reasonable in focus, scope, and breadth.
The thing is, because NSLs haven’t shown up in any troves of leaked documents, we don’t know why USA Freedom original backers and PRG are so concerned NSLs today collect data beyond reasonable breadth (though IG reports done years ago raised big concerns, many of them about whether FBI was meeting the legal standards required).
We don’t know what kind of bulk collection they’re engaging in.
Because FBI — not NSA — primarily uses NSLs, we don’t know what the problem is.
I raise this now because — in addition to having planned on writing this post since January — of questions about whether the HjC HJC and HPSCI “reform” bills will really end what you and I (as distinct from the Intelligence Community) would consider bulk collection.
And NSL reporting — unlike that for Section 215 — provides some hints on where the bulk collection might be.
Here’s what the most recent FISA report to Congress says about (most) NSLs issued last year.
Requests Made for Certain Information Concerning Different United States Persons Pursuant to National Security Letter Authorities During Calendar Year 2013 (USA PATRIOT Improvement and Reauthorization Act of 2005, Pub. L. No. 109-177 (2006))
Pursuant to Section 118 of the USA PATRIOT Improvement and Reauthorization Act, Pub. L. 109-177 (2006), the Department of Justice provides Congress with annual reports regarding requests made by the Federal Bureau of Investigation (FBI) pursuant to the National Security Letter (NSL) authorities provided in 12 U.S.C. § 3414, 15 U.S.C. § 1681u, 15 U.S.C. § 1681v, 18 U.S.C § 2709, and 50 U.S.C. § 436.
In 2013, the FBI made 14,219 requests (excluding requests for subscriber information only) for information concerning United States persons. These sought information pertaining to 5,334 different United States persons.2
2 In the course of compiling its National Security Letter statistics, the FBI may over-report the number of United States persons about whom it obtained information using National Security Letters. For example, NSLs that are issued concerning the same U.S. person and that include different spellings of the U.S. person’s name would be counted as separate U.S. persons, and NSLs issued under two different types of NSL authorities concerning the same U.S. person would be counted as two U.S. persons.
The report would seem to say that the 14,219 requests were based off requests about 5,334 US persons. That’s not really bulk collection, at least on its face! So where is the bulk collection PRG and USAF seem worried about?
It’s possible this report hides some bulk collection in a different Agency. The law requiring this report only requires DOJ to report on the number of requests DOJ made in the previous year.
In April of each year, the Attorney General shall submit to Congress an aggregate report setting forth with respect to the preceding year the total number of requests made by the Department of Justice for information concerning different United States persons under–
(A) section 2709 of title 18, United States Code (to access certain communication service provider records), excluding the number of requests for subscriber information;
[the law goes on to list the other NSL provisions]
While DOJ’s report should cover both FBI and DEA, I suppose it’s possible that some other entities — not just NSA but also Treasury, NCTC, and CIA — are submitting NSLs themselves, particularly in the case of financial records (though I think Treasury doesn’t have to use NSLs to do this).
The other obvious place the language of the report hides bulk collection is in subscriber records. The law exempts subscriber information requests from the reporting pertaining to US persons. The FBI could be applying for what amount to phone books of all the subscribers of all the phone companies and Internet service providers in the United States and it wouldn’t show up in this report, even though those requests might pertain to hundreds of millions of US persons.
I assume to some extent it is doing this, because there must be a reason subscriber records were excluded from this law. And this would count as bulk collection even according to the Intelligence Community definition of the term.
Via the PRG, we can get a sense of how many such subscriber requests there are. It says FBI issued 21,000 NSLs in FY 2012.
FBI issued 21,000 NSLs in Fiscal Year 2012, primarily for subscriber information.
While the reporting period is different, DOJ reported that FBI obtained 15,229 NSLs in 2012. Which means the balance — so around 5,500 NSLs — would be for subscriber data. Even if only a significant fraction of those are for all of companies’ subscribers, that’s still a fairly comprehensive list of subscriber information across a broad range of providers.
Those 5,500 requests could each be 50 US persons or 120 million US persons; we don’t know. That would be pretty significant bulk collection. But not the same kind of privacy risk PRG seems to have in mind (and if that were the only problem, why change all 4 NSL statutes, as USA Freedom Act did and to the extent it makes a difference still does)?
Still, we know that even the other NSLs — the ones for which we have real data about how many US persons the NSLs “pertained to” — affected far more US persons. That’s because the Exigent Letters IG Report made it clear that two providers (one of these is AT&T, which did it routinely; see page 75ff) provided community of interest information — multiple hops of call records — in response to NSLs. In discovering that, DOJ’s IG complained that FBI was routinely getting information — the derivative call records — that it had not done a relevancy determination for, but it didn’t object across the board.
That concern about ensuring that records obtained via a national security request are “relevant” according to the plain meaning of the term sure seems quaint right now, doesn’t it?
But the potential that FBI is using NSLs to obtain derivative records off of the original selector would sure explain why PRG and Pat Leahy and others are concerned about NSLs (and what we would call — but IC wouldn’t — “bulk collection”).
I assume they can only do this with complicit providers (and I suspect this explains the rise of Section 215 orders with attached minimization requirements in recent years).
But if it happens in significant number at all, it would explain why Leahy and PRG consider it an equivalent problem to Section 215. Because it would mean FBI was using NSLs — not just with telecom and Internet records, but possibly with other things (though I don’t see how you could do this on credit reports) — to get data on associations several levels removed from the target of the NSL.
Here’s the immediate takeaway, though.
Aside from the phone book application (which is significant and I think would be curtailed given the HJC bill, unless FBI were to make requests of AT&T using “AT&T” as the selection term) and financial records (which I’m still thinking through), NSLs appear to include a great deal of “bulk” collection (that is, collection of innocent persons’ data based on association). But they appear to do so from specific identifiers.
And that will not be curtailed by the HJC bill, not at all. It is clear these requests for NSLs are already currently based off selectors — it shows in this reporting.
So at least for two uses of NSLs — credit reports and call details (but not subscriber records) — the House bill simply codifies the status quo.
Update: Here’s the financial records language on NSLs:
Financial institutions, and officers, employees, and agents thereof, shall comply with a request for a customer’s or entity’s financial records made pursuant to this subsection by the Federal Bureau of Investigation when the Director of the Federal Bureau of Investigation (or the Director’s designee in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director) certifies in writing to the financial institution that such records are sought for foreign counter intelligence  purposes to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution of the United States.
It’s clearly intended to work for things that would be a selection term — “customer” or “entity” (which in this context would seem to be different from a customer!) — but I’m not sure it requires that the collection be based off the customer selection term.