United States Department of Justice Office of the Inspector General, A Review of the FBI's Use of Section 215 Orders: Assessment of Progress in Implementing Recommendations and Examination of Use in 2007 Through 2009 , May 2015. Unclassified.

UNCLASSIFIED Office of the Inspector General U.S. Department of Justice

A Review of the FBI's Use of Section 215 Orders: Assessment of Progress in Implementing Recommendations and Examination of Use in 2007 through 2009

Oversight & Review Division 15-05 May 2015

TABLE OF CONTENTS

EXECUTIVE SUMMARY ............................................................................................................ iii

I. INTRODUCTION ...................................................................................................................... 1 A. Methodology of the OIG Review .................................................................................... 1 B. Organization of the Report .............................................................................................. 3

II. BACKGROUND ....................................................................................................................... 3 A. Legal Background ............................................................................................................ 3 B. The Process for Seeking Section 215 Orders .................................................................. 7 C. Retention, Dissemination, and Compliance .................................................................... 8

1. Retention and Dissemination ...................................................................................... 8
2. Compliance Issues ...................................................................................................... 12

III. STATUS OF RECOMMENDATIONS .................................................................................. 12 A. Background ...................................................................................................................... 13 B. Recommendations ............................................................................................................ 15

1. Recommendation 1 – Resolved .................................................................................... 16
2. Recommendation 2 – Closed ....................................................................................... 17
3. Recommendation 3 – Resolved .................................................................................... 18 C. Handling of Metadata under the Final Procedures ....................................................... 22 D. Effect of Final Procedures on OIG’s Access to FISA Information ............................... 24 E. Conclusion and Recommendation ................................................................................. 26

IV. OVERVIEW OF SECTION 215 ORDERS ISSUED FROM 2007 THROUGH 2009 ............................................................................................................................................ 27 A. The Number of Section 215 Applications ..................................................................... 28 B. An Overview of [illegible] of the 51 Section 215 Orders Issued by the FISA Court in 2007 through 2009 ............................................................................................ 28

1. Types of Records Requested in Section 215 Orders Filed on Behalf of the FBI .......................................................................................................... 29
2. FBI Field Offices that Submitted Requests for Section 215 Orders in 2007 through 2009 ...................................................................................... 29
3. Types of Investigations from which Section 215 Requests Originated ...................................................................................................................... 30
4. Subjects of Section 215 Applications .......................................................................... 30

V. SELECTED SECTION 215 ORDERS OBTAINED IN 2007 THROUGH 2009 ....... 31 A. Selected Uses of Section 215 Authority ....................................................................... 32

i

1. [illegible] 32
2. Request for Electronic Communications Transactional Records (Section 215 Orders Issued May 2009) 33
3. [illegible] 36
4. [illegible] 38
5. [illegible] 40
6. [illegible] 42 B. Summary of Findings 44 VI. [illegible] 46 A. Bulk Telephony Metadata 46
7. Background 46
8. May 23, 2006, Section 215 Application 47
9. May 24, 2006, FISA Court Order 49
10. Modifications to and Renewals of the May 24, 2006, FISA Court Order 49
11. Non-Compliance with Section 215 Orders 50
12. August 17, 2009, Report to Court and September 3, 2009, Court Order Lifting Access Restrictions 55
13. July 19, 2013, FISA Court Order Renewing Collection and Current Status of Collection 57 B. [illegible] 59 VII. CONCLUSION AND RECOMMENDATION 63 ii

EXECUTIVE SUMMARY

This Executive Summary provides a brief overview of the results of the Department of Justice (Department or DOJ) Office of the Inspector General’s (OIG) third review of the Federal Bureau of Investigation’s (FBI) use of the investigative authority granted by Section 215 of the Patriot Act.1 Section 215 is often referred to as the “business record” provision. The OIG’s first report, A Review of the Federal Bureau of Investigation’s Use of Section 215 Orders for Business Records, was issued in March 2007 and covered calendar years 2002 through 2005. The OIG’s second report, A Review of the FBI’s Use of Section 215 Orders for Business Records in 2006, was issued in March 2008 and covered calendar year 2006. This third review was initiated to examine the progress the Department and the FBI have made in addressing the OIG recommendations which were included in our second report. We also reviewed the FBI’s use of Section 215 authority in calendar years 2007, 2008, and 2009.

To conduct this review, the OIG reviewed the Standard Minimization Procedures for Tangible Things Obtained Pursuant to Title V of the Foreign Intelligence Surveillance Act adopted by the Attorney General on March 7, 2013. We also examined over 10,000 documents obtained from the FBI and the Department’s National Security Division’s (NSD) Office of Intelligence, including files relating to each of the FBI’s applications to use Section 215 authority, and Department reports to Congress concerning that use during calendar years 2007 through 2009. We interviewed over 50 individuals from the FBI and the Department, including Section Chiefs from the FBI’s National Security Law Branch (NSLB) and NSD’s Office of Intelligence as well as the attorneys, case agents, and analysts who worked on individual Section 215 orders.

In this review, we examined the progress the Department and the FBI have made in addressing the three recommendations in the OIG’s March 2008 report. In the 2008 report, we recommended that the Department implement minimization procedures for the handling of nonpublicly available information concerning U.S. persons produced in response to Section 215 orders, as required by the Reauthorization Act. We also recommended that the FBI

1 In February 2015, the OIG provided a classified version of this report, with certain information redacted, to the relevant Congressional oversight and intelligence committees, as well as to DOJ leadership offices. We did not issue a public version of the report at that time because, although we had provided a final draft of the report to the FBI and the Intelligence Community in June 2014 for a classification review, we had not been informed of when that review would be completed.

This report follows the completion of the classification review and contains redactions of information that the FBI and [redacted] determined is classified, law enforcement sensitive, or “for official use only.” The report also contains several redactions of information that the FBI asserted is protected by the deliberative process privilege. The OIG disagrees with those FBI assertions. With this report, the OIG has also issued an updated classified report, without redactions, to the relevant Congressional oversight and intelligence committees, and to DOJ leadership offices.

iii

develop procedures for reviewing materials received in response to Section 215 orders to ensure that the materials do not contain information outside the scope of the Foreign Intelligence Surveillance Court (FISA Court or the Court) orders. Finally, we recommended that the FBI develop procedures for handling material that is produced in response to, but outside the scope of, a Section 215 order.

The Reauthorization Act required that the Department adopt minimization procedures to govern the retention and dissemination of material produced pursuant to a Section 215 order. In response to the statutory requirement, the Department adopted Interim Minimization Procedures in September 2006. The Interim Procedures adopted four sections of the FBI's National Security Investigation Guidelines (NSI Guidelines) and stated that the four sections were to be "construed" to meet the statutory definitions of minimization procedures contained in the Reauthorization Act. FBI agents were already required to comply with the NSI Guidelines in their entirety when seeking a Section 215 order and handling Section 215 productions. Thus, the Interim Procedures did not add any new requirements and did not affect the application of the NSI Guidelines to Section 215 material.

In our March 2008 report, we found that the Interim Procedures did not meet the requirements of the Reauthorization Act because they failed to provide FBI agents with specific guidance regarding the retention and dissemination of non-public U.S. person information obtained under Section 215 authority. We therefore recommended that the FBI develop final standard minimization procedures for business records that provided such guidance. In response to our report, the Department stated that it would replace the Interim Procedures with standard minimization procedures "specifically tailored to collection under Section 215."

As we describe in our current report, our review of the FBI's implementation of this recommendation revealed that the Department had not yet replaced the Interim Procedures by mid-2009. Beginning in June 2009, FISA Court judges began to issue Supplemental Orders with Section 215 orders. The Supplemental Orders required the Department to submit a written report to the FISA Court describing the FBI's implementation of the Interim Procedures to U.S. person information produced in response to Section 215 orders. The Supplemental Orders also required that the reports be of sufficient detail to allow the FISA Court to assess the adequacy of the implementation of the Interim Procedures. NSD and NSLB attorneys told us that they believed that the FISA Court judges would continue to issue Supplemental Orders until the Department replaced the Interim Procedures with final procedures specifically designed for Section 215 matters.

We found the Supplemental Orders significant because the practice began almost 3 years after the Department was required by the Reauthorization Act to adopt specific minimization procedures for material produced in response to Section 215 orders, and over a year after we found that the Interim Procedures implemented by the Department in September 2006 failed to meet the requirements of the Reauthorization Act. The Department and FBI ultimately produced final minimization procedures specifically designed for Section 215

iv

materials in 2013. The Attorney General adopted the FBI Standard Minimization Procedures for Tangible Things Obtained Pursuant to Title V of the Foreign Intelligence Surveillance Act on March 7, 2013 (Final Procedures), and in August 2013 the Department began to file Section 215 applications with the FISA Court which stated that the FBI would apply the Final Procedures to the Section 215 productions.

Given the significance of minimization procedures in the Reauthorization Act, we do not believe it should have taken 7 years for the Department to develop minimization procedures or 5 years to address the OIG recommendation that the Department comply with the statutory requirement to develop specific minimization procedures designed for business records. Nevertheless, as we describe in our report, we concluded that with the Final Procedures the Department and FBI have addressed the three recommendations in the OIG's March 2008 report. With respect to our recommendation that the Department develop final standard minimization procedures, we consider the recommendation to be closed.

As for the other two recommendations regarding the review of Section 215 materials and procedures for handling overproduced material, we found that both recommendations were addressed in the Final Procedures and therefore are resolved. These two recommendations remain resolved and not closed so that the Department and FBI may consider clarifying specific aspects of those procedures in training materials, policy implementation guidelines, or future versions of the procedures. We encourage the Department and the FBI to periodically evaluate the Final Procedures' implementation to determine whether additional clarifications or explanations through updates in training or revisions to the guidelines are appropriate.

We also examined the provisions in the Final Procedures that pertain to the OIG's access to Section 215-acquired information for purposes of conducting its reviews and investigations. The General Provisions section of the Final Procedures states,

The FBI has in the past taken the position that the FBI's minimization procedures for electronic surveillance and physical searches conducted under FISA restricted the OIG's access to FISA information. The Department made revisions to those procedures in 2013 that included inserting the statement above, which was subsequently also incorporated into the Final Procedures for Section 215 material. As described further in this report, the NSD Deputy Assistant Attorney General for the Office of Intelligence and the FBI's General Counsel stated to us in this review their position that the Final Procedures allow the OIG's access to Section 215-acquired information needed for the OIG's reviews and investigations.

In addition to examining the Department's progress in addressing the recommendations from our last report, we provide an overview of the FBI's use of Section 215 authority during the 2007-2009 time period that describes the number of Section 215 orders obtained, the type of information requested, the

v

number of FBI offices using the authority, and the collection of U.S. person information. Our review found that the FBI processed [illegible] requests for Section 215 applications, 51 of which were formally submitted to the FISA Court for approval: 17 in 2007, 13 in 2008, and 21 in 2009.

The Department filed [illegible] of the 51 applications in connection with counterterrorism programs [illegible]. The other [illegible] applications were formally submitted to the FISA Court on behalf of the FBI.

The [illegible] requests that were not submitted to the FISA Court were withdrawn after being submitted to either NSLB or NSD. We did not identify any applications that were withdrawn after being submitted to the FISA Court. The FISA Court approved each of the 51 formally submitted applications.

We found that [illegible] of the [illegible] applications submitted to the FISA Court on behalf of the FBI requested material related to internet activity. The remaining [illegible] applications requested records similar to those discussed in our previous reports such as [illegible].

We also found that the number of U.S. persons identified as the subjects of the underlying investigations in Section 215 applications we reviewed was not equivalent to the number of U.S. persons about whom information was collected in response to the Section 215 orders. Several reasons account for this. First, Section 215 permits the FBI to request records of persons or entities who are not subjects of the underlying investigation. Second, the classified directive to the definition of U.S. persons provides that [illegible] [illegible]. Third, records produced in response to Section 215 orders may include records about U.S. persons who are neither the subjects of the underlying investigation nor the persons whose records were requested in the Section 215 order.

Our report also describes several Section 215 applications from the 2007- 2009 time period which illustrate the use of Section 215 authority to obtain new and varied types of information. We found that agents' descriptions of why they sought Section 215 orders and whether they considered the material produced to be valuable were consistent with what we were told during our last two reviews. For example, agents and attorneys told us that Section 215 authority continued to be a valuable investigative tool particularly when companies would not voluntarily produce the material sought by the FBI and when the material was not available through other investigative authorities. As with our previous reviews, the agents we interviewed did not identify any major case developments that resulted from use of the records obtained in response to Section 215 orders, but told us that the material produced pursuant to Section 215 orders was valuable in that it was used to support other investigative requests, develop investigative leads, and corroborate other information. We

vi

did not attempt to independently evaluate the value or use of the materials produced in response to the Section 215 orders.

As in our previous report, we identified several instances during the 2007-2009 period where the Department or the FISA Court modified Section 215 applications and orders. For example, the FISA Court identified instances where subjects were inaccurately identified as non-U.S. persons and when the orders were drafted in a manner that might cause the production of material not authorized by the FISA Court's order.

This report also includes our review of the [illegible] applications that the Department filed with the FISA Court for [illegible] of information in connection with [illegible] We previously described [illegible] Classified Appendices of our March 2008 report. In June 2013, former NSA contract employee Edward Snowden caused to be publicly released documents relating to the bulk collection of telephony metadata and the Office of the Director of National Intelligence has since declassified aspects of this program. We have included a description of the NSA program, [illegible] in the body of this report.

The Department relied on [illegible] to obtain FISA Court orders [illegible]. In the applications, the Department stated that all of the data collected is relevant because it is necessary to create a data archive from which to identify known and unknown terrorists that may be in the United States or in contact with U.S. persons. The Department acknowledged in the applications that the [illegible] include records of U.S. persons who were not the subject of or associated with the subjects of authorized investigations. The FISA Court's orders approving the Section 215 requests for the [illegible] included specialized minimization procedures for the [illegible] that differed from the Interim and Final Procedures mentioned above. We describe the specialized minimization procedures in this report.

Finally, we note that the use of Section 215 authority continues to expand to reflect legislative, technological, and strategic changes. The legislative changes expanded both the types of businesses upon which Section 215 orders could be served and the categories of documents that could be obtained. The legislative changes also lowered the evidentiary threshold for obtaining Section 215 orders to a "relevance" standard and provided a presumption of relevance for items requested in applications that involve foreign powers, agents of foreign powers, subjects of authorized investigations, and individuals known to associate with subjects of such investigations.

Technological advancements to and society's use of the Internet have also expanded the quantity and quality of electronic information available to the FBI, [illegible], through use of Section 215 authority. Materials

vii

produced in response to Section 215 orders now range from hard copy reproductions of business ledgers and receipts to gigabytes of metadata and other electronic information.

The FBI [illegible] made strategic use of the legislative and technological changes by broadening the scope of materials sought in applications. Section 215 authority is not limited to requesting information related to the known subjects of specific underlying investigations. The authority is also used in investigations of groups comprised of unknown members and to obtain information in bulk concerning persons who are not the subjects of or associated with any FBI investigation.

While the expanded scope of these requests can be important uses of Section 215 authority, we believe these expanded uses require continued significant oversight by the FISA Court, NSD, and other oversight entities.

viii

I. INTRODUCTION

This is the Department of Justice (Department or DOJ) Office of the Inspector General's (OIG) third review of the Federal Bureau of Investigation's (FBI) use of the investigative authority granted by Section 215 of the Patriot Act.2 Section 215 of the Patriot Act allows the FBI to seek orders from the Foreign Intelligence Surveillance Court (FISA Court) for "any tangible things," including books, records, and other items from any business, organization, or entity provided the item or items are for an authorized investigation to obtain foreign intelligence information not concerning a U.S. person or to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a U.S. person is not conducted solely on the basis of activities protected under the first amendment to the Constitution.

The USA PATRIOT Improvement and Reauthorization Act of 2005 (Reauthorization Act or the Act) directed the OIG to review the FBI's use of Section 215 for two separate time periods.3 The OIG issued its first report in March 2007. That report, A Review of the Federal Bureau of Investigation's Use of Section 215 Orders for Business Records, covered calendar years 2002 through 2005. The OIG's second report, A Review of the FBI's Use of Section 215 Orders for Business Records in 2006, was issued in March 2008 and covered calendar year 2006.

Although not required by the Reauthorization Act, the OIG undertook this third review in order to examine the progress the Department and the FBI have made in addressing the recommendations in our second report. We also review in this report the FBI's use of Section 215 authority in calendar years 2007 through 2009.4

A. Methodology of the OIG Review

To conduct this review, the OIG examined over 10,000 documents consisting of over 89,000 pages of material obtained from the FBI and the Department's National Security Division's (NSD) Office of Intelligence, including files relating to each of the FBI's applications to use Section 215 authority, Department reports to Congress concerning that use during calendar years 2007 through 2009, and the new minimization procedures for Section 215 productions adopted by the Attorney General in March 2013 (Final Procedures). We reviewed each of the [illegible] requests for Section 215 applications processed by the FBI Office of General Counsel's National Security Law Branch (NSLB) during our review period.

2 The term "USA PATRIOT Act" is an acronym for the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (2001). It is commonly referred to, and referred to in this report as "the Patriot Act."

3 The Reauthorization Act of 2005 was signed into law on March 9, 2006.

4 We note subsequent developments brought to our attention where relevant.

1

Of the requests, 51 applications were submitted to and granted by the FISA Court. Of the 51 applications, the Department filed on behalf of the FBI and filed in connection with counterterrorism programs .5 The requests not submitted to the FISA Court were withdrawn after being submitted by the FBI either to NSLB or NSD.

With regard to the Section 215 applications filed on behalf of the FBI, we summarize information about them in order to provide an overview of the Section 215 orders obtained between 2007 and 2009. The information includes the types of investigations from which the Section 215 requests originated and the types of records sought in the applications. We also selected eight applications for more detailed analysis in order to highlight the evolving and varied uses of Section 215 authority.

With regard to the Section 215 applications the FBI submitted , we summarize which use Section 215 orders to obtain of information from certain providers of telecommunications service .6 We also provide an overview of the unique aspects of the Section 215 applications which support . The overview includes a description of the , the specialized minimization procedures that apply to the , and reported compliance incidents.

We interviewed over 50 people from the FBI and the Department, including Section Chiefs from NSLB and NSD's Office of Intelligence as well as the attorneys, case agents, and analysts who worked on individual Section 215 orders. We also interviewed FBI personnel responsible for administering various FBI databases.

We did not conduct an independent compliance review of each use of Section 215 authority in 2007 through 2009 to determine whether there was any improper use of the authority, or whether recipients of Section 215 orders produced material outside the scope the orders. For purposes of this report, we relied on the Department's reporting to the FISA Court to describe any compliance incidents that occurred during the 2007-2009 time period. However, we do highlight with respect to some uses of Section 215 authority the challenges the Department faces in ensuring that the government collects or uses only that information it is lawfully permitted to obtain, and we identify

5 Because Section 215 provides the FBI with the sole authority to make Section 215 applications to the FISA Court, the FBI initiates the Section 215 applications See 50 U.S.C. § 1861(a)(1). As a matter of Department procedure, NSD files all Section 215 applications with the FISA Court irrespective of the agency designated in an application to receive the production.

6

2

several instances where the Department's reporting to the FISA Court contained inaccuracies.

B. Organization of the Report

This report is divided into seven sections. After this introduction, we describe in Section II the legal background related to Section 215 authority, the process for obtaining a Section 215 order, and the procedures applicable to the use of Section 215 material.

In Section III, we discuss the status of the recommendations the OIG made in its second and most recent report concerning the FBI's use of Section 215 authority.

In Section IV, we provide an overview of the FBI's use of Section 215 authority during the relevant time period. We describe the number of Section 215 orders obtained, the type of information requested, the number of FBI offices using the authority, and the collection of U.S. person information.

In Section V, we provide a detailed description of a sample of the FBI's use of Section 215 authority in 2007 through 2009. We describe the material requested, the purpose of the request, the material produced, and the manner in which the material was used.

In Section VI, we update the information about the uses of Section 215 authority described [illegible] Classified Appendices to our last report. These appendices described the FBI's use of Section 215 authority on behalf of the NSA to obtain bulk collections of telephony metadata [illegible]. Section VII contains our conclusions.

II. BACKGROUND

This section provides a brief description of the legal background related to Section 215 authority and the process for obtaining Section 215 orders.

A. Legal Background

Pursuant to Section 215 of the Patriot Act, the FBI may obtain "any tangible things," including books, records, and other items from any business, organization, or entity provided that the item or items are for an authorized investigation. The tangible things are available "for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities, provided that an investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the

3

Constitution."7 50 U.S.C. § 1861. Section 215 did not create any new investigative authority but instead expanded existing authority found in the Foreign Intelligence Surveillance Act of 1978 (FISA). 50 U.S.C. § 1801 et seq.

FISA requires the FBI to obtain an order from the FISA Court in order to conduct electronic surveillance to collect foreign intelligence information.8 In 1998, Congress amended FISA to authorize the FBI to apply to the FISA Court for orders compelling four kinds of businesses to "release records in [their] possession" to the FBI: common carriers, public accommodation facilities, physical storage facilities, and vehicle rental facilities. The amendment did not further define "records." This provision, which was codified at 50 U.S.C. § 1862, became known as the "business records" provision and was the provision expanded by Section 215 of the Patriot Act.9

The 1998 business records amendment required a FISA application to specify that the records were sought for an investigation to gather foreign intelligence information or an investigation concerning international terrorism, and that there were "specific and articulable facts giving reason to believe that the person to whom the records pertain is a foreign power or an agent of a foreign power." 50 U.S.C. § 1862 (2000 ed.) This language meant that the FBI was limited to obtaining information regarding a specific person or entity the FBI was investigating and about whom the FBI had individualized suspicion. In addition, the amendment prohibited the entity complying with the order from disclosing either the existence of the order or any information produced in response to the order.

Subsequent to the 1998 FISA amendment creating this investigative authority and prior to passage of the Patriot Act in October 2001, the FBI obtained only one FISA order for business records. This order was obtained in 2000.

Section 215 of the Patriot Act significantly expanded the scope of the FBI's investigative authority pursuant to the business records provision of FISA and lowered the standard of proof required to obtain this type of business record. The pertinent part of Section 215 provides:

The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to obtain foreign intelligence information not concerning a United States

7 The FISA statute defines U.S. persons as U.S. citizens, permanent resident aliens, corporations incorporated in the United States, and associations substantially composed of U.S. persons. 50 U.S.C. § 1801(i). 8 The NSD's Office of Intelligence prepares and presents applications for Section 215 orders to the FISA Court at the request of the FBI. 9 50 U.S.C. § 1862(b)(2)(B) (1998), as amended, 50 U.S.C. § 1861 (2001).

4

person or to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution. 50 U.S.C. § 1861(a)(1).

While the 1998 language limited the reach of this type of investigative authority to four types of entities, the new language did not explicitly limit the type of entity or business that can be compelled by an order. Section 215 of the Patriot Act also expanded the categories of documents that the FBI can obtain under the business records provision of FISA. The categories are no longer limited to "records"; instead, Section 215 provides that the FBI may obtain an order for "the production of any tangible things (including books, records, papers, documents, and other items)." Id.

Section 215 also lowered the evidentiary threshold to obtain such an order. As a result, the number of people whose information could be obtained was expanded because the FBI is no longer required to show that the items being sought pertain to a person whom the FBI is investigating. Instead, the items sought need only be requested "for an authorized investigation conducted in accordance with [applicable law and guidelines] to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities." 50 U.S.C. § 1861(b)(2). This standard, referred to as the relevance standard, permits the FBI to seek information concerning persons not necessarily under investigation but who are connected in some way to a person or entity under investigation.

In 2006, the Reauthorization Act further amended Section 215 by requiring that an application establish "reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation." Id. At the same time, the Reauthorization Act provided a presumption of relevance for tangible things that pertain to any of four specified entities or individuals: foreign powers, agents of foreign powers, subjects of authorized investigations, and individuals known to associate with subjects of such investigations. Id. When the statement of facts in an application demonstrates the tangible things requested pertain to any of these four entities or individuals, the government has presumptively established the items' relevance. In other words, in these cases the FISA Court is required to find that the statutory threshold has been met.

The Reauthorization Act included other substantive amendments to Section 215. For example, the Act specifically authorized the collection of certain sensitive records, including library, medical, educational, and tax return records. The Act also required that applications for these sensitive records be approved by the FBI Director or a specified designee, and specific congressional

5

reporting regarding them.10 In addition, the Reauthorization Act specifically provided that Section 215 orders must, among other things, contain a particularized description of the items sought and provide for a reasonable time (not defined in the statute) to assemble them. The Act also established a detailed judicial review process for recipients of Section 215 orders to challenge their legality before a FISA Court judge.

Additional changes to Section 215 were adopted with the enactment of the USA PATRIOT Act Additional Reauthorizing Amendments Act of 2006. For example, the 2006 amendments provided that a recipient of a Section 215 order may petition the FISA Court to modify or set aside the nondisclosure requirement after 1 year from the issuance of the order if certain findings are made.11

Section 215, along with other provisions of the Patriot Act, was originally scheduled to sunset on December 31, 2005. The Reauthorization Act extended Section 215 for 4 years until December 31, 2009. Since the Reauthorization Act, Section 215 has been extended on several occasions and is currently extended to June 1, 2015.

Discussions about the future of Section 215 authority have been affected by public disclosures of information about the NSA's counterterrorism program involving the bulk collection of telephony metadata. The disclosures began in June 2013 and revealed, among other things, that the FISA Court approved Section 215 orders that authorized the collection of billions of call detail records. The records included those of millions of U.S. persons who were not the subjects of or associated with the subjects of authorized investigations, or believed to be associated with a specified Foreign Power. The collection was predicated on the theory that the government needed to build a vast archive of call detail records in order to identify communications between known and unknown terrorists and potential operatives located in the United States. The telephony metadata

10 As permitted by the Reauthorization Act, the FBI Director delegated approval authority for these records to the Deputy Director and the Executive Assistant Director for the FBI's National Security Branch.

11 USA PATRIOT Act Additional Reauthorizing Amendments Act of 2006, Pub. L. No. 109-178. The Court may grant a petition to modify or set aside the non-disclosure provision if the Court finds there is no reason to believe that disclosure may endanger the national security, interfere with a criminal, counterterrorism, or counterintelligence investigation, interfere with diplomatic relations, or endanger the life or physical safety of any person. However, if the Attorney General, Deputy Attorney General, or FBI Director certifies that the disclosure may endanger the national security or interfere with diplomatic relations, the certification will be treated as conclusive, unless the Court finds that such a certification was made in bad faith.

[black bar]. However, after reviewing a draft of this report, NSD informed the OIG that in 2010, the FISA Court granted a joint request by the Department and a provider to extend the time in which the provider could challenge a Section 215 order related to the bulk collection of telephony metadata. Ultimately, the parties resolved the issue of the order's legality and a challenge was not filed with the FISA Court. On May 14, 2014, the Office of the Director of National Intelligence declassified the FISA Court pleadings relating to this event.

6

included information from local and long-distance telephone calls such as the numbers dialed as well as the date, time, and duration of the telephone calls, but not the content of the telephone conversations.

B. The Process for Seeking Section 215 Orders

As we described in our first and second Section 215 reports, the process to obtain a Section 215 order generally involves five phases: FBI field office initiation and review, FBI Headquarters review, NSD Office of Intelligence review, FISA Court review, and FBI service of the order.

The process to obtain a Section 215 order generally begins when an FBI case agent in a field office prepares a business records request form, which requires the agent to provide, among other things, the following information: a brief summary of the investigation, a specific description of the items requested, an explanation of the manner in which the requested items are expected to provide relevant information, and the identity of the custodian or owner of the requested items.¹² The request form must be approved by the agent's supervisor and the field office's Chief Division Counsel and Special Agent in Charge. The approval process is automated through the FBI's FISA Management System (FISAMS), which sends electronic notifications to each individual responsible for taking the next action in order to process the business record in the field office. After the approvals are completed in the field office, the FISAMS notifies the "substantive desk" (in the Counterterrorism Division or Counterintelligence Division) at FBI Headquarters.

At FBI Headquarters, the business records request form is reviewed and approved by both the substantive desk and NSLB. Once the FISAMS delivers the request to the substantive desk, it is assigned to an NSLB attorney who works with the case agent and other FBI personnel to obtain the information the NSLB attorney believes is necessary to include in the draft application and order. The draft application package is then reviewed by NSLB supervisors and forwarded to NSD, where the request is assigned to an NSD attorney.

The NSD attorney works with the NSLB attorney, case agents, and occasionally FBI intelligence analysts to obtain any additional information the NSD attorney believes is necessary to include in the draft application and order.¹³ An NSD supervisor then reviews the draft application package. The final application package is returned to the FBI for an accuracy review and additional edits may be made based on the FBI's review of the final package. Upon completion of the final version, signatures of designated senior FBI

¹² Some Section 215 requests originate from FBI Headquarters. ¹³ According to an NSLB attorney, in 2011 the NSLB and NSD adjusted the drafting process for certain Section 215 applications and orders to reduce duplicative efforts. The agencies agreed that NSLB would submit a factual summary of the investigation to NSD instead of a draft application and order and that NSD would draft the Section 215 application and order based on the facts in the NSLB summary.

7

personnel are obtained and an NSD attorney prepares the package for presentation to the FISA Court.

While the final signatures are collected, NSD schedules the case on the FISA Court's docket and, pursuant to the FISA Court Rules of Procedure, provides the FISA Court with a "proposed application" which is an advance copy of the application commonly called a "read" copy. The FISA Court, through a FISA Court legal advisor, may identify questions or concerns and request changes or additional information to the documents after reviewing the "read" copy. NSD and the FBI then address these questions or concerns and make any necessary revisions to the application and order prior to submitting a formal or final application and order for the Court's approval. The FISA Court will either sign the formal submission or request that NSD present the formal application package to the FISA Court at a scheduled hearing. If the FISA Court judge approves the formal application, the judge signs the order. The judge may make handwritten changes to the order (for example, to clarify the U.S. person status of the person or entity for which the records were sought) and, if so, will sign the order with the handwritten modifications.

The order is then entered into the FISAMS and served by the FBI field office nearest to the provider designated in the order. Among other things, the order sets forth the deadline for producing the items.

C. Retention, Dissemination, and Compliance

In this section we describe the policies and procedures that governed the retention and dissemination of material produced pursuant to a Section 215 order during the 2007-2009 time period. We also describe the Department's obligation to report compliance issues related to the use of Section 215 authority.

1. Retention and Dissemination

The Reauthorization Act required that the Department adopt minimization procedures to govern the retention and dissemination of material produced pursuant to a Section 215 order. These minimization procedures apply to nonpublic U.S. person information. The Act required that the procedures minimize the retention and dissemination of nonpublic U.S. person information consistent with the needs of the United States to obtain and disseminate foreign intelligence. The Reauthorization Act also required that the procedures prohibit the dissemination of nonpublic U.S. person information unless the identity of the U.S. person was foreign intelligence, necessary to understand foreign intelligence, or evidence of a crime.14

14 The FISA statute defines minimization procedures as: (A) Specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information

(Cont'd.)

8

In response to the statutory requirement, the Department adopted Interim Minimization Procedures in September 2006. The Interim Procedures adopted four sections of the FBI's National Security Investigation Guidelines (NSI Guidelines) and stated that the four sections were to be "construed" to meet the statutory definitions of minimization procedures contained in the Reauthorization Act. FBI agents were already required to comply with the NSI Guidelines in their entirety when seeking a Section 215 order and handling Section 215 productions. Thus, the Interim Procedures did not add any new requirements and did not affect the application of the NSI Guidelines to Section 215 material.15

The Interim Procedures included several concepts that appear in Section V of this report, where we describe specific uses of Section 215 authority from 2007 to 2009. First, the Interim Procedures included the definition of minimization procedures from the Reauthorization Act. The definition stated that nonpublicly available information that is not foreign intelligence cannot be disseminated in a manner that identifies a U.S. person unless the identity is "necessary to understand foreign intelligence information or assess its importance" or is evidence of a crime. Although the Interim Procedures referenced the definition of "foreign intelligence information" from the Reauthorization Act, neither the Interim Procedures nor the NSI Guidelines included a definition or guidance about what is meant by the phrase "necessary to understand foreign intelligence information."16 Similarly, neither the Interim

concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information; (B) Procedures that require that nonpublicly available information, which is not foreign intelligence information as defined in section 1801(e)(1) of this title, shall not be disseminated in a manner that identifies any United States person, without such person's consent, unless such person's identity is necessary to understand foreign intelligence information or assess its importance; and (C) Notwithstanding subparagraphs (A) and (B), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes.

50 U.S.C. § 1861(g)(2)

15 During our review period the Attorney General Guidelines were updated. Specifically, the 2003 NSI Guidelines were superseded by the 2008 Attorney General Guidelines for Domestic FBI Operations (AGG-DOM). Although the new AGG-DOM were not incorporated into the Interim Procedures, the AGG-DOM did not substantively change the NSI Guidelines provisions adopted in the Interim Procedures.

16 The FISA Statute defines Foreign Intelligence as: (1) Information that relates to, and if concerning a United States person is necessary to, the ability of the United States to protect against – (a) actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power; (b) sabotage or international terrorism by a foreign power or an agent or foreign power; or (c) clandestine intelligence activities by an intelligence service or network of a foreign power or by an agent of a foreign power; or

(Cont'd.)

9

Procedures nor the NSI Guidelines included a definition or guidance regarding what constitutes U.S. person identifying information.

Second, the Interim Procedures adopted the "Determination of United States Persons Status" and "Respect for Legal Rights" sections of the NSI Guidelines. The "Determination of United States Person Status" section included the definition of U.S. person contained in the FISA statute noted above. This section also provided [illegible]. In sum, absent other information, [illegible]. See NSI Guidelines § I.C.2 and AGG-DOM Classified Provisions § VIII.C.

The "Respect for Legal Rights" section of the NSI Guidelines prohibited investigating or maintaining U.S. person information solely for the purpose of monitoring First Amendment activities or the lawful exercise of Constitutional or statutory rights.

Third, the Interim Procedures adopted provisions of the "Retention and Dissemination of Information" section of the NSI Guidelines.17 With respect to retaining information, the Interim Procedures required that the FBI retain investigative records in accordance with a plan approved by the National Archives and provided for NSD oversight of information obtained in the course of investigations. With respect to disseminating information, the Interim Procedures provided that the FBI could disseminate information within the Department, with other federal, state, and local entities, and with foreign authorities when the information related to the recipient's authorized responsibilities and dissemination was consistent with national security interests.18

In our March 2008 report, we found that the Interim Procedures adopted by the Department did not meet the requirements of the Reauthorization Act because they failed to provide FBI agents with specific guidance regarding the retention and dissemination of non-public U.S. person information obtained under Section 215 authority. We therefore recommended that the FBI develop final standard minimization procedures for business records that provided such

(2) information with respect to a foreign power or foreign territory that relates to, and if concerning a United States person is necessary to (a) the national defense or the security of the United States; or (b) the conduct of the foreign affairs of the United States. 50 U.S.C. § 1801(e).

17 The Interim Procedures adopted the retention provision requiring compliance with the National Archives and Records Administration and the Information Sharing provisions. 18 The "Definitions" section was the fourth section of the NSI Guidelines adopted in the Interim Procedures.

10

guidance. We also recommended that the FBI require an initial review of the records received in response to Section 215 orders and develop a policy for handling overproductions, or material outside the scope of the Section 215 order.

In response to the latter recommendations, the FBI wrote a December 16, 2009, letter to the OIG which stated that the FBI added a compliance requirement to the FISA Business Records section of the FBI Domestic Investigations and Operations Guide (DIOG). In addition to requiring that agents implement the minimization procedures required by the Department and the FISA Court, the compliance requirement mandated that prior to uploading Section 215 material into FBI databases, agents review productions to determine whether the documents were responsive to the Section 215 orders, and included procedures for handling overproduced material.19 (DIOG 11.9.4(F)) During the course of the OIG's correspondence with the FBI regarding the adequacy of the new DIOG compliance requirement, the FBI informed us in an October 28, 2009, letter that it expected the Final Procedures to address all three of the OIG recommendations.

With respect to our recommendation to develop final standard minimization procedures for business records, the Department stated that it would replace the Interim Procedures with standard minimization procedures "specifically tailored to collection under Section 215." However, by spring 2009, the Department had not yet replaced the Interim Procedures. In May 2009, a FISA Court judge requested that the FBI voluntarily apply additional minimization procedures [illegible] Section 215 orders. The Department agreed to implement the additional minimization procedures in these [illegible] matters and also filed reports with the FISA Court describing how the FBI implemented the additional procedures for the [illegible] matters.

Subsequently, in June 2009, FISA Court judges began to issue Supplemental Orders with most Section 215 orders.20 The Supplemental Orders required the Department to submit a written report to the FISA Court describing the FBI's implementation of the Interim Procedures to materials produced in response to Section 215 orders. [illegible] . NSD and NSLB attorneys told us that they believed that the FISA Court judges would continue to issue Supplemental

19 The review requirement and overproduction procedures were removed from the 2011 edition of the DIOG and a new section entitled "FISA Overcollection" was added. The new section addressed the circumstances in which overproduced material would be sequestered with the FISA Court, and directed FBI personnel to NSLB attorneys for additional guidance for handling FISA overcollections. According to NSLB attorneys, the change reflected the fact that NSLB was then reviewing the overproduction guidance. 20 The FISA Court did not issue Supplemental Orders for Section 215 productions that were subject to specialized minimization procedures, which are discussed in Section IV, or for the Section 215 production in the Positive Foreign Intelligence investigation that we describe in Section V of this report.

11

Orders until the Department replaced the Interim Procedures with final procedures specifically designed for Section 215 matters. In Section V, we describe several of the reports submitted to the FISA Court in response to Supplemental Orders.

2. Compliance Issues

The Department is required to report compliance issues related to the use of Section 215 authority. The Rules of Procedure for the FISA Court require the Department to correct misstatements of material fact and to disclose non-compliance with an order to the FISA Court. In addition, the FBI is required to report activities that may be unlawful or contrary to executive orders or directives to the Intelligence Oversight Board (IOB) and Director of National Intelligence. See Exec. Order 12863 and Exec. Order 13470 § 1.6(c), amending Exec. Order 12333 on United States Intelligence Activities. The subjects of these reports to the IOB are commonly referred to as "IOB violations." FBI policy requires employees to report potential IOB violations to NSLB within 30 days of discovery.

In Sections V and VI, we describe the compliance incidents reported during the 2007-2009 time period that occurred in the Section 215 matters we selected for review. We do not attempt to independently identify or describe all of the compliance incidents that occurred during our review period.

III. STATUS OF RECOMMENDATIONS

In the OIG's second report about the FBI's use of Section 215 authority, A Review of the FBI's Use of Section 215 Orders for Business Records in 2006 (March 2008), we made the following three recommendations:

• The FBI should develop procedures for reviewing materials received from Section 215 orders to ensure that it has not received information that is not authorized by the FISA Court orders;
• The FBI should develop procedures for handling material that is produced in response to, but outside the scope of, a Section 215 order; and
• The FBI should develop final standard minimization procedures for business records that provide specific guidance for the retention and dissemination of U.S. person information.

In this section, we provide some background information about the FBI's and the Department's efforts to implement the recommendations and the statutory requirement that the Attorney General adopt specific minimization procedures for Section 215 material. We then assess the status of the each of the three recommendations. Where the FBI or Department has taken action on a recommendation that fully addresses the issue the OIG identified, we consider the recommendation "closed." Where the FBI or the Department has taken

12

action on a recommendation but we request additional action or information to address any issue the OIG identified, we consider the recommendation "resolved" but not yet closed. Upon completion of the requested action or receipt of the requested information, we will consider whether to close the recommendation.

A. Background

As described in Section II, the Reauthorization Act required the Attorney General to adopt minimization procedures for business records obtained pursuant to Section 215 orders. 50 U.S.C. § 1861(g)(1). The Reauthorization Act defined "minimization procedures" as:

specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things to minimize the retention, and prohibit the dissemination, of non-publicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.

Id. at § 1861(g)(2)(A). The Reauthorization Act required that the Attorney General adopt minimization procedures within 180 days of the enactment of the Reauthorization Act (that is, by September 5, 2006). Id. at § 1861(g)(1).

On September 5, 2006, the Attorney General signed and filed with the FISA Court Interim Standard Minimization Procedures (Interim Procedures). The Interim Procedures adopted four sections of the FBI's National Security Investigation Guidelines (NSI Guidelines) and stated that the four sections were to be "construed" to meet the statutory definitions of minimization procedures contained in the Reauthorization Act.21

As stated in our March 2008 report, we found that the Interim Procedures failed to meet the requirements of the Reauthorization Act because the Interim Procedures did not provide FBI agents with specific guidance regarding the retention and dissemination of nonpublic U.S. person information. In response to our report, the then-Assistant Attorney General for NSD wrote a letter to the then-Inspector General stating that the Department would replace the Interim Procedures with standard minimization procedures "specifically tailored to collection under Section 215."

[illegible]

21 The four sections of the NSI Guidelines were: 1) Respect of Legal Rights; 2) Determination of U.S. Person Status; 3) Retention and Dissemination of Information; and 4) Definitions.

13

The Final Procedures govern the retention and dissemination of information the FBI receives in response to Section 215 orders. According to the procedures, and as required by the Reauthorization Act, they are designed to “minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” In other words, Section 215 information concerning U.S. persons may be possessed, used, and disclosed by the FBI in accordance with the Final Procedures.22 The Final Procedures incorporate the definitions and a classified directive for determining U.S person status established in the Attorney General Guidelines for Domestic FBI Operations (AGG-DOM).23 The procedures do not apply to publicly available U.S. person information or to the handling of U.S. person information for which consent has been given, and generally do not apply to non-U.S. person information as discussed in more detail in Section III.B.3., below.

The “Retention” section of the Final Procedures contains provisions that address how the FBI handles Section 215 information after it is received. These provisions require

. The Retention section also identifies where the information may be stored and the time periods in which the FBI can retain particular Section 215 material. In addition, the Retention section defines the conditions under which the FBI can retain and disclose information that has not been assessed as foreign intelligence information.

22 FBI policies and procedures govern instances where the Final Procedures are silent. For example, the Final Procedures do not identify the time period in which the FBI is authorized to retain material produced in response to a Section 215 order that is determined to be foreign intelligence, necessary to understand foreign intelligence, or evidence of a crime. Therefore the time period for retaining this material is subject to applicable FBI policies, the Attorney General Guidelines, and the relevant National Archives and Records Administration procedures. 23

14

The Final Procedures also include a “Compliance” section. According to this provision, the Attorney General is authorized to implement policies and procedures to ensure good faith compliance with the requirements of the Final Procedures, and NSD is required to review compliance with the Final Procedures. In order for NSD to perform this oversight function, the Final Procedures provide that NSD “shall have access to all FISA [business records] material and other necessary information to facilitate minimization reviews and for all other lawful purposes.” Similar language is contained in the FBI’s minimization procedures for electronic surveillance and physical searches under FISA. The FBI has in the past taken the position, over the OIG’s objections, that it was prohibited from disclosing FISA-acquired information to the OIG for oversight purposes because the Attorney General has not designated anyone in the OIG as having access to this information for minimization reviews or other lawful purposes, and because there were no specific provisions in the procedures authorizing such access. We, therefore, in connection with this review raised concerns about whether the FBI would apply a similar, and in our view erroneous, interpretation to the Final Procedures. As we describe below, NSD informed us that it included language in the General Provisions section of the Final Procedures that was intended to make clear that nothing in the procedures should be interpreted to restrict the OIG’s access to FISA-acquired information needed for OIG reviews and investigations.

In August 2013, the Department began to reference the Final Procedures instead of the Interim Procedures in Section 215 applications and the FISA Court has since granted such applications.

B. Recommendations

As described below, we concluded that with the Final Procedures the Department and FBI have addressed the three recommendations in the OIG’s

24

15

March 2008 report.25 We consider one recommendation to be closed. The other two recommendations are resolved but not closed so that the Department and FBI may consider clarifying certain aspects of the procedures in training materials, policy implementation guidelines, or future versions of the procedures.

1. Recommendation 1 – Resolved

The FBI should develop procedures for reviewing materials received from Section 215 orders to ensure that it has not received information that is not authorized by the FISA Court orders.

[illegible]

[illegible]

[illegible]

[illegible]

25 As described in Section II, in a December 16, 2008, letter the FBI informed the OIG of a new Section 215 compliance requirement which was temporarily added to the DIOG. The compliance requirement partially addressed two of our recommendations by requiring a review of Section 215 material before it was uploaded into FBI databases and creating a procedure for handling overproduced material. In an October 28, 2009, letter, the FBI informed the OIG that the Final Procedures would address all three of the OIG's recommendations.

16

26 Accordingly, we consider this recommendation resolved but not yet closed in order to provide the FBI and the Department an opportunity to clarify in training or guidelines, or in any future versions of the procedures, that the Final Procedures "initial review" requirement applies to metadata.

2. Recommendation 2 – Closed

The FBI should develop procedures for handling material that is produced in response to, but outside the scope of, a Section 215 order.

The Final Procedures include a provision for handling [illegible]

However, the Final Procedures [illegible]

26 After reviewing a draft of this report, NSD submitted comments in which it [illegible]

27 [illegible]

17 (Cont'd.)

.28 NSD and NSLB attorneys told us that the scope of the exception will be addressed in the implementation guidelines.

Because the FBI has developed procedures for the handling of overproduced material, the OIG considers this recommendation closed.

3. Recommendation 3 – Resolved

The FBI should develop final standard minimization procedures for business records that provide specific guidance for the retention and dissemination of U.S. person information.

As described earlier, the Final Procedures are designed to “minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” In other words, Section 215 information concerning U.S. persons may be possessed, used, and disclosed by the FBI in accordance with the Final Procedures.29 The procedures do not apply to publicly available information concerning U.S. persons or to the handling of information concerning U.S. persons for which consent has been given.

28

29 As noted above, where the Final Procedures are silent on a matter, FBI policies and procedures control.

18

The Final Procedures incorporate the definitions and the classified directive for determining the U.S person status of individuals contained in the AGG-DOM. As noted in the introduction, the definition of U.S. person under the statute includes U.S. citizens, permanent resident aliens, corporations incorporated in the United States, and associations substantially composed of U.S. persons. In general, absent other information,

We describe below specific guidance the Final Procedures provide for the retention and dissemination of nonpublic information that concerns U.S. persons produced in response to Section 215 orders.

a. Retention

30

The time period for which the FBI is permitted to retain Section 215 material depends on the type of material and how it is stored. According to the Final Procedures, that reasonably appears to be foreign intelligence, necessary to understand foreign intelligence information, or evidence of a crime.

30

19

b. Dissemination

According to NSD and NSLB attorneys, personnel with authorized access to FISA databases must have completed training on the minimization procedures related to other FISA authorities but there is no current or anticipated requirement that they also receive training on the Section 215 minimization procedures.31

31 According to an NSLB Section Chief, persons with access to FISA material must have completed training on the minimization procedures that apply to full electronic surveillance and collections conducted under Section 702 of the statute.

20

FBI personnel with authorized access to FISA material may [illegible] for the purpose of determining whether particular Section 215 material reasonably appears to be foreign intelligence information, necessary to understand foreign intelligence information, or evidence of a crime. As noted in Section II, the term "foreign intelligence information" is defined by the FISA statute. The term "necessary to understand foreign intelligence information" is not defined and during interviews, NSD attorneys and FBI case agents provided us a range of examples of material that would qualify under this criterion. The examples included [illegible] 32 The Final Procedures provide that after the above determination is made, Section 215 material may be accessible to [illegible] "33 However, the universe of personnel authorized to review FISA material is greater than the group of individuals connected to any particular investigation. [illegible] 34 32 After reviewing a draft of our report, NSD submitted comments to the OIG in which it [illegible] 33 [illegible] 34 [illegible] 21

35 We consider this recommendation resolved but not yet closed. As we recommended, and as the Reauthorization Act required, the FBI and Department developed final standard minimization procedures for Section 215 material that provide specific guidance for the retention and dissemination of U.S. person information. However, we identified several areas in the Final Procedures that we believe NSD and the FBI should consider clarifying in training or implementation guidelines for the procedures, or in any future versions of the Final Procedures.

36

C. Handling of Metadata under the Final Procedures

35

36 After reviewing a draft of this report, NSD submitted comments to the OIG in which it

22

Thus, under the terms of the "Metadata Analysis" provision in the Final Procedures, the FBI may, ." The FBI may also use metadata 37 . We believe the FBI's treatment of metadata is important because of the increasing use of Section 215 authority to obtain large collections of metadata such as , electronic communication transactional information, and transaction information described in Section V. The Final Procedures have been incorporated into Section 215 applications only since August 2013 and thus we have not reviewed their implementation. However, we have identified two potential issues regarding the application of the metadata provisions that will require attention and oversight.

First, we believe that it will be important for NSD and the FBI to periodically review the application of . With regard to this type of material, and in the absence of other information, 38 This raises the question of whether there are or 37 ." 38 In our September 2012 report, A Review of the Federal Bureau of Investigation's Activities Under Section 702 of the FISA Amendments Act of 2008, we described . In that report, we described an example (Cont'd.) 23

will be circumstances [illegible], thus making the Final Procedures fully applicable to the material. For these reasons, we believe it will be important that NSD and the FBI continue to evaluate the application of the [illegible], particularly in circumstances where metadata contains information concerning U.S. persons, to ensure that the Final Procedures are applied appropriately and the information is handled responsibly.

Second, the attention NSD and the FBI pay to the treatment of metadata will also be important because the type of information that is categorized as metadata will likely continue to evolve and expand. [illegible] Metadata generally is considered to exclude the content of communications. However, NSD and NSLB attorneys told us that the terms used to define metadata themselves lack standardized definitions and that applying them to rapidly changing technology can be difficult. Indeed, the U.S. Court of Appeals for the Ninth Circuit has recognized that there are circumstances where “addressing information” – one of the categories of metadata – may constitute content and therefore would likely have to be obtained with a warrant.39 [illegible].40 We nevertheless believe that such decisions evidence the importance for NSD and the FBI of remaining cognizant of developments in this area in order to guard against the inadvertent request for or collection of metadata that is not authorized under Section 215 authority.

D. Effect of Final Procedures on OIG’s Access to FISA Information

We also examined the provisions in the Final Procedures that pertain to the OIG’s access to Section 215-acquired information for purposes of conducting

[illegible]

39 In United Stated v. Forrester, 512 F.3d 500 (9th Cir. 2008), the Court held that IP addresses and to/from entries in e-mails are the Internet equivalent of dialed phone numbers and can be obtained without a warrant. The Court also suggested that a uniform resource locator (URL) address, which can identify the particular pages an individual browsed within a website, is close to content in substance and thus, without deciding the issue, that the government would likely need a warrant to obtain such information. Id. at 510 n.6. 40 After reviewing a draft of this report, NSD submitted comments to the OIG in which it [illegible]

24

its reviews and investigations. As described above, the "Compliance" section of the Final Procedures states that the Attorney General is authorized to implement policies and procedures to ensure good faith compliance with the requirements of the Final Procedures, and that NSD is required to review compliance with the Final Procedures. In order for NSD to perform this oversight function, the Final Procedures provide that NSD "shall have access to all FISA [business record] material and other necessary information to facilitate minimization reviews and for all other lawful purposes." Although the Final Procedures' "General Provisions" state that "[n]othing in these procedures shall restrict the . . . lawful oversight functions of the NSD or the Department of Justice Office of Inspector General," the Final Procedures do not expressly authorize the OIG's access to Section 215 material as they do NSD's access for purposes of compliance reviews.

The FBI has previously asserted to the Department and the OIG its belief that unless the Attorney General specifically designates the OIG in FISA minimization procedures as part of the Department's oversight function, or the OIG is functioning as a law enforcement official, the FBI is prohibited by the minimization procedures from disclosing FISA-acquired information to the OIG.41 However, the Inspector General Act of 1978, as amended, provides an independent basis for the OIG to obtain Section 215 and other FISA material for its investigations and reviews. In fact, we have received such material from the FBI in previous OIG reviews without any objection from the FBI, even though we were not designated by the Attorney General as part of the Department's oversight function, and were not functioning in a manner the FBI interprets as that of a law enforcement official. Examples include our reviews of the FISA Amendments Act of 2008, the President's Surveillance Program, and our reviews of the FBI's use of Section 215 authority.

In light of the FBI's previous stated position, we expressed our concern that a similar interpretation of the Final Procedures will prevent or impede the OIG's future ability to obtain the material necessary to review the Department's use of FISA authorities. An interpretation of the Final Procedures to preclude our access to information necessary for future reviews of the Department's use of Section 215 authority would be particularly problematic given that our prior Section 215 reviews exposed the Department's noncompliance with the requirement to develop minimization procedures. Similarly, an interpretation of the Final Procedures that would require the Attorney General's advance permission for the OIG to exercise its oversight authority would seriously undermine the independence of the Inspector General and be inconsistent with the dictates of the Inspector General Act.

41 The FBI's assertion was based on its interpretation of the 2008 Standard Minimization Procedures for FBI Electronic Surveillance and Physical Search conducted under FISA and the 2006 Interim Standard Minimization Procedures for the production of tangible things under FISA. The "Compliance" provision in the Final Procedures is similar to the oversight provisions in these other procedures.

25

In response to our concern, NSD informed us that the statement contained in the General Provisions section of the Final Procedures was specifically incorporated to make clear that nothing in the procedures should be interpreted to prohibit the OIG's access to Section 215-acquired information for its reviews and investigations. NSD had previously made similar revisions for the same purpose to the FBI's minimization procedures for electronic surveillance and physical searches, and acquisition of foreign intelligence information under Section 702 of FISA. The FBI's General Counsel confirmed to us that he agreed with NSD that there is nothing in the Final Procedures, or the other current FBI FISA minimization procedures, that would prohibit the OIG's access to FISA-acquired information.

We also sought clarification from NSD and the FBI about the language in the General Provisions section, "[n]othing in these procedures shall restrict the . . . lawful oversight functions" of the OIG (emphasis added). The FBI has in the past explained its disclosure to the OIG of FISA information acquired under Section 702 of FISA – notwithstanding its position that the OIG is prohibited from obtaining other FISA-acquired information for oversight purposes – by suggesting that Section 702's authorization of an OIG review of the FBI's compliance with applicable targeting and minimization procedures constitutes specific congressional authorization of the OIG's access to Section 702 FISA information. The OIG has strongly disagreed with this distinction and we therefore sought clarification from NSD and the FBI that the phrase, "lawful oversight functions," includes reviews and investigations the OIG conducts on its own initiative as well as reviews and investigations conducted at the request of members of Congress or as required or authorized by Congressional legislation. The NSD Deputy Assistant Attorney General for the Office of Intelligence and the FBI's General Counsel informed us that they share our understanding of the phrase.

E. Conclusion and Recommendation

As described in this section, we recommended in our March 2008 report that the Department implement minimization procedures for the handling of nonpublicly available information concerning U.S. persons produced in response to Section 215 orders, as required by the 2006 Reauthorization Act. We also recommended that the FBI develop procedures for reviewing materials received in response to Section 215 orders to ensure that the materials do not contain information outside the scope of the FISA Court orders. Finally, we recommended that the FBI develop procedures for handling material that is produced in response to, but outside the scope of, a Section 215 order.

We concluded that with the Final Procedures certified by the Attorney General in March 2013 the Department and FBI have fully implemented one of the three recommendations from our March 2008 report and we consider it closed. The other two recommendations are resolved but not closed so that the Department and FBI may consider clarifying aspects of the procedures that we identified above in training materials and policy implementation guidelines, or in any future versions of the Final Procedures. We will consider closing the

26

remaining two recommendations upon receiving the Department's and the FBI's responses to this report.

The Final Procedures fulfilled a significant requirement of the 2006 Reauthorization Act. The Final Procedures are also the Department's response to the OIG's 2008 finding that the Interim Procedures failed to meet the requirements of the Reauthorization Act. Nevertheless, we believe that in light of the importance of minimization procedures to the Department's authority to use Section 215, the Department should have met its statutory obligation considerably earlier than March 2013.42

The Final Procedures have been incorporated into Section 215 applications only since August 2013 and thus we have not reviewed their implementation. However, we have identified two potential issues regarding the application of the metadata provisions that will require attention and oversight.

In addition, we established that nothing in the Final Procedures restricts the OIG's access to Section 215-acquired information if it is needed as part of the OIG's reviews and investigations, including for oversight purposes. In this regard, the language described above in the General Provisions section of the Final Procedures, and similar language incorporated into other FBI minimization procedures, appears to resolve what we believe has been a misguided interpretation of minimization procedures and the Inspector General Act by the FBI.

IV. OVERVIEW OF SECTION 215 ORDERS ISSUED FROM 2007 THROUGH 2009

In this section we provide an overview of Section 215 applications and orders issued from 2007 through 2009. We describe the number of Section 215 applications filed and orders obtained, the type of information requested, the number of FBI offices that used the authority, and the types of investigations in which Section 215 orders were sought. We also provide information about the number of Section 215 applications and orders in which U.S. persons were the subject of the underlying investigations.

42 After reviewing a draft of this report, NSD submitted comments in which it stated our conclusion does not recognize the efforts the Department made over the years to craft new procedures, including extensive interaction with the FISA Court on drafts of the procedures. While we agree that some of the time was attributable to the Department's interaction with the FISA Court, we found a significant amount of the delay is attributable to the Department, specifically to disagreements between the FBI and NSD over the new SMP provisions as described in part in our last Section 215 report. These disagreements continued after issuance of that report, and the parties asked the Attorney General's Office to intervene in 2010. The resulting SMPs were subsequently presented to and rejected by the FISA Court, which resulted in additional discussions within the Department.

27

A. The Number of Section 215 Applications

During the period from 2007 through 2009, the FISAMS showed that NSLB processed [illegible] requests for Section 215 applications.43 Of these, 51 were formally submitted to the FISA Court for approval: 17 in 2007, 13 in 2008, and 21 in 2009. The remaining [illegible] requests were withdrawn before being presented to the FISA Court. Of these [illegible] withdrawn requests, [illegible] were withdrawn before being sent to NSD for review and [illegible] were withdrawn after NSD review. According to NSD, no applications were withdrawn after a read copy was presented to the FISA Court.44 Each of the 51 Section 215 applications formally submitted to the FISA Court was approved.

In total, between 2002 and 2009, 83 Section 215 applications were processed and formally submitted to the FISA Court. Each of the 83 applications was approved, as indicated in Table 3.1.

TABLE 3.1 Section 215 Orders Issued by the Foreign Intelligence Surveillance Court

Source: NSD and FBI

B. An Overview of [illegible] of the 51 Section 215 Orders Issued by the FISA Court in 2007 through 2009

As described above, the FISA Court issued 51 Section 215 orders in 2007 through 2009. The FBI submitted [illegible] of these applications [illegible]

43 The FISAMS electronically tracks the status of the FBI's Section 215 requests from the time the Section 215 request is entered into the system until it is either signed by the FISA Court or withdrawn. 44 NSD officials informed us that in addition to the Section 215 applications formally submitted to the FISA Court, in 2008 the Department provided the FISA Court with a proposed Section 215 application [illegible]

28

as part of counterterrorism programs [illegible]. [illegible] NSA's bulk collection of telephony metadata from certain telecommunications service providers. [illegible] We discuss [illegible] in Section VI. With respect to the remaining [illegible] applications, all of which were filed on behalf of the FBI, we provide a description immediately below.

1. Types of Records Requested in Section 215 Orders Filed on Behalf of the FBI

We compiled the types of business records that were sought in the [illegible] Section 215 orders filed on behalf of the FBI. Table 3.2 shows the types of records identified in the Section 215 orders, as well as the number of requests for each type of record.

TABLE 3.2 Records Requested in Section 215 Orders Filed on Behalf of FBI Issued in 2007 through 2009

[illegible]

Source: NSD and FBI

In total, [illegible] different types of records were requested in the [illegible] Section 215 orders filed on behalf of the FBI. [illegible] of the [illegible] Section 215 applications requested material related to internet activities.

2. FBI Field Offices that Submitted Requests for Section 215 Orders in 2007 through 2009

The OIG analyzed the number of FBI field offices that requested and received Section 215 orders in 2007 through 2009. We determined that 13 of

29

the FBI's 56 field offices (23 percent) requested the Section 215 orders filed on behalf of the FBI during this period.

3. Types of Investigations from which Section 215 Requests Originated

We also examined the types of investigations from which Section 215 applications originated. The [illegible] Section 215 applications originated from counterintelligence (CI), counterterrorism (CT), cyber, and positive foreign intelligence (PFI) investigations. According to FISAMs, [illegible] Section 215 applications originated from CI investigations, [illegible] originated from CT investigations, [illegible] originated from cyber investigations, and [illegible] originated from a PFI investigation.45

TABLE 3.3 Types of Investigations from which Section 215 Applications were Submitted to and Approved by the FISA Court

Source: NSD and the FBI

4. Subjects of Section 215 Applications

We determined the number of Section 215 applications in which at least one subject of the underlying investigation was identified as a U.S. person. We relied on the final Section 215 applications or orders for this information.46 Of the [illegible] applications from which we compiled this data, we found that [illegible] applications or orders identified the subjects of the underlying investigations as U.S. persons and [illegible] applications or orders identified the subjects of the

45 [illegible] DIOG § 9.1. 46 [illegible]

30

underlying investigations as non-U.S. persons. In [illegible] of the [illegible] applications that identified the subject of the application and underlying investigation as a non-U.S. person, the subject [illegible]. These [illegible] applications involved cyber investigations. As described in Section II, in these instances, the Interim Procedures provided that [illegible].

The number of U.S. persons identified in these applications as the subjects of the underlying investigations is not equivalent to the number of U.S. persons about whom information was collected in response to the Section 215 orders. There are three reasons for this. First, the number of persons identified as subjects in the applications does not include U.S. persons whose records were targeted by the Section 215 order but who were not themselves subjects of the underlying investigation. For example, [illegible] related Section 215 applications we reviewed requested [illegible]. Another Section 215 application we reviewed requested [illegible].

Second, the classified directive for determining U.S. person status provides that [illegible]. We reviewed [illegible] related Section 215 applications that requested subscriber and transactional information for [illegible] e-mail accounts from U.S. providers.

Third, the figure does not reflect the number of U.S. persons whose information was included in the production compelled by the Section 215 order, but who were neither the subjects of the underlying investigations nor the identified targets of the Section 215 application. For example, we reviewed a production that included [illegible].^47

V. SELECTED SECTION 215 ORDERS OBTAINED IN 2007 THROUGH 2009

In this section we describe several Section 215 applications and orders obtained by the FBI between 2007 and 2009. We selected these matters to illustrate various uses of Section 215 authority. For each selected use, we summarize the underlying investigation, describe the material requested, and

^47 The bulk [illegible] include millions of records of U.S. persons who are neither the subject of nor associated with the subjects of national security investigations.

31

identify modifications to or notable issues regarding the application and order. We then describe, where applicable, the material produced in response to the order, how the material was used, and any compliance incidents. We did not attempt to independently evaluate the value or use of the materials produced in response to the Section 215 orders. We present the examples in chronological order. We conclude the section with a summary of our examination of the FBI's use of Section 215 authority.

A. Selected Uses of Section 215 Authority

1. Request for [illegible] (Section 215 Order Issued January 2007)

An FBI agent submitted a Section 215 request for [illegible] in a counterintelligence investigation. 48

According to the application, the FBI initiated the investigation when it learned that a [illegible] in the United States and offered to sell stolen parts of a nuclear converter. The unidentified caller stated that he was an employee at the Oak Ridge National Laboratory in Tennessee.

[illegible]. This was an expedited Section 215 application that was approved by the FISA Court 3 days after the FBI sent the request to NSD.49

The same day the FISA Court issued the Section 215 order, the Department filed a notice of misstatement of a material fact with the FISA Court. The notice corrected a statement in the application regarding the basis of the FBI's knowledge that [illegible]. The Section 215 application stated that the FBI knew [illegible]

48 According to NSD supervisors, [illegible]

49 Unlike other FISA authorities, the Section 215 statute does not include a provision for emergency requests. However, the Department and the FISA Court have established a process to expedite Section 215 requests when necessary.

32

. The notice did not include an explanation for the discrepancy. The FBI agent who submitted the Section 215 request is no longer with the FBI and we did not interview him. However, FBI documents indicate that [illegible]. The caller eventually pled guilty to unlawful disclosure of restricted data under the Atomic Energy Act, in violation of 42 U.S.C. § 2274(b). According to the FBI, the Section 215 information was not used in the criminal proceeding.

2. Request for Electronic Communications Transactional Records (Section 215 Orders Issued May 2009)

An FBI agent submitted a Section 215 request for subscriber and transactional records [illegible].

The NSLB attorney who drafted the applications told us that the agent sought the Section 215 orders to [illegible]. As the e-mail addresses were from three different major U.S. e-mail providers, the Department submitted three separate applications and orders to the FISA Court.

These Section 215 applications were unusual because they sought information the FBI routinely requested through National Security Letters (NSL) under the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2709. ECPA authorizes the FBI to use an NSL to obtain subscriber and "electronic communication transactional records" from e-mail providers.

The NSLB attorney said that he sought Section 215 orders instead of ECPA NSLs for two reasons. First, [illegible].

33

50 The second reason the NSLB attorney indicated that the FBI sought Section 215 orders was because [illegible].

After reviewing the "read" copy of the Section 215 applications, the FISA Court, through the legal advisor, identified three concerns. First, [illegible]. Accordingly, the draft applications and orders specified that the business records [illegible].

Second, [illegible]. As described earlier, the Interim Procedures (which simply incorporated provisions from the NSI Guidelines) provided that in the absence of other information, [illegible].

The NSLB attorney told us that to address the second and third concerns, the FISA Court judge asked [illegible].

50 These Section 215 applications were drafted in February 2009. Beginning in 2010, [illegible]. We describe this further in the OIG's 2014 report, A Review of the FBI's Use of National Security Letters: Assessment of Corrective Actions and Examination of NSL Usage from 2007-2009. We recommend in that report that the Department revive its efforts to bring about a legislative amendment to ECPA that will define the categories of electronic records that fall within the scope of the statute.

34

The judge suggested that . The judge also asked 51 The NSD and FBI attorneys agreed and the FISA Court judge issued the orders.

Because NSLB was concerned about the scope of the FISA Court's expectations, the FBI did not immediately serve the orders. Instead, the Department filed a notice with the FISA Court identifying the additional minimization procedures that the FBI would apply to the retention and dissemination of U.S. person information contained in the production. NSD and NSLB attorneys collaborated on the additional minimization procedures. After the additional procedures were filed and approximately 5 weeks after the orders were issued, the FBI served the Section 215 orders.

Notably, the additional procedures introduced "investigative value" as the standard for allowing persons unconnected with the underlying investigation access to material received in response to the Section 215 order. "Investigative value" was defined in the procedures . The procedures specified that material that was determined to be of such "investigative value" could be uploaded into FBI databases and made available to persons authorized to access those databases. The procedures allowed the FBI to "52

. The report stated

51 As described in Section II, in June 2009 other FISA Court judges began issuing Supplemental Orders imposing similar reporting requirements. 52 As noted above, an attorney in the FBI's Office of General Counsel informed us that national security investigative records are generally maintained for 30 years after case closure at which time they are reviewed and either destroyed or transferred to the National Archives and Records Administration according to the approved retention schedule.

35

The second report, . According to the report, report did not state . The . The second report also stated . The report stated . An FBI case agent told us that the information produced to the FBI in response to the Section 215 order was useful. The agent said that . 3. Request for Records Relating to (Section 215 Order Issued June 2009) An FBI agent submitted a Section 215 request in a counterterrorism investigation . The Section 215 application sought customer information . The Department filed a read copy application in February 2009. Upon reviewing the read copy, the FISA Court notified the Department that 36

. In this matter, the did not apply because, according to a case agent, . The Department's final Section 215 application and order filed in June 2009 changed the status of the . The FISA Court issued a Supplemental Order to the Department in addition to the Section 215 orders to the companies. The Supplemental Order required the Department .53 The Supplemental Order required the Department to include information about the " ." The Department filed in response to the Supplemental Order in this case. The first report . The reports described . According to the reports, 54 . 53 54 The second report stated . We brought these issues, and several other apparent factual inaccuracies in , to NSD's attention. In response, NSD reviewed the matters, consulted with the FBI, and then sent a June 13, 2013, letter to the FISA Court advising it of the inaccuracies. With respect to this matter, ." 37

The reports also stated .55 The case agents summarized the information in Electronic Communications (EC) reports that were “uploaded, retained and disseminated” in ACS. According to the first . The FBI made this finding with respect to the companies that provided records responsive to the Section 215 order as well as to those that informed the FBI that they had no responsive records.56 The second report did not .

FBI case agents stated that Section 215 authority and the information produced to the FBI in response to the orders were useful. The initial case agent stated that the Section 215 tool was valuable because it allowed him to . The agent assigned to the case when the Section 215 records were received stated that .

4. Request for (Section 215 Order Issued July 2009) An FBI agent submitted a Section 215 request for a U.S. person’s from a private employer in a preliminary counter-terrorism investigation.

. By the time the Section 215 order was requested, the subject .

55 With regard to one company that produced records, the second report failed to indicate whether . 56 According to the underlying Section 215 application, the FBI had conducted FISA Court-authorized electronic surveillance . The application stated .

38

. According to the Section 215 application, the FBI sought the information . The Department filed the read copy application with the FISA Court in June 2009. Upon reviewing the read copy application, the FISA Court legal advisor noted that . As described in Section II, Section 215 requests for medical and educational records must be authorized by the FBI Director, Deputy Director, or Executive Assistant Director for the FBI's National Security Branch. In July 2009, the Department filed the final Section 215 application with the FISA Court. The final application . According to the agent and NSLB attorney, . The FISA Court approved the Section 215 application and order and also issued a Supplemental Order that required the Department . The Department's report stated . The FBI retained all of the records. According to the report, the production included was "foreign intelligence information or [was] necessary to understand foreign intelligence information." The . According to the . The report stated that the . The report stated that .57 The first 57 The erroneously stated that . This was one of the errors we identified during our review that was (Cont'd.) 39

reason was that . The second reason was that . The case agent who submitted the Section 215 request told us that one of the ECs that he uploaded into ACS contained his analysis of the . This agent stated that . The agent also told us that . An FBI analyst stated that she uploaded an EC into ACS with her . The agent to whom the case was transferred said that ." The agent also told us that . The agent said that . According to the FBI EC closing the preliminary investigation, the field office determined that the U.S. person subject had "no nexus to terrorism." 5. Request for (Section 215 Order Issued November 2009) An FBI agent submitted a Section 215 request . 58 subsequently corrected in the June 13, 2013, letter NSD filed with the FISA Court that we discussed above in footnote 45. In the letter, NSD . 58 As described in Section IV, the FBI conducts PFI investigations to collect information for the U.S. intelligence community. PFI investigations are distinct from FBI criminal or national security investigations, and are predicated on foreign intelligence collection requirements (Cont'd.) 40

The agent said that once the investigation was opened, he initially considered using an NSL . This was the FBI's first PFI investigation to use Section 215 authority. The Section 215 application stated that . The application stated that . The application also stated that . The Section 215 order requested account information and electronic communication transactional records, 59 The case agent who reviewed the Section 215 material told us that in response to the Section 215 order, . The case agent stated that . She told us the electronic file was placed in the case file and identified in an EC that was uploaded to ACS. The case agent also told us that . According to the case agent, . The case agent for this PFI said that . The agent said that . The agent told us that . She said that established by specified authorities such as the President, Attorney General, or Director of National Intelligence. 59 . We describe the FBI's use of this authority in our forthcoming report, A Review of the FBI's Use of Pen Register and Trap and Trace Device Authority under FISA in 2007-2009. 41

." 6. Request for [illegible] (Section 215 Order Issued December 2009)

An FBI agent submitted a Section 215 request for [illegible] in a counterintelligence investigation of cyber network exploitation.60 Before filing the request, the FBI had [illegible] . Through this Section 215 application, the FBI sought to obtain information regarding other cyber activity [illegible].

According to an NSLB attorney, [illegible] . The Section 215 order required the production of [illegible].

This Section 215 order was [illegible]

60 [illegible]

42

After filing the read copy application, NSD attorneys met with the FISA Court legal advisor to discuss specific concerns regarding the application. Among other questions, the legal advisor requested additional information regarding the manner in which [illegible]. In response to these concerns, the final Section 215 application and order stated that [illegible]. With regard to the legal advisor's question regarding the FBI's [illegible], the final application also stated that [illegible]. The FISA Court granted the final application as modified and issued a Supplemental Order requiring a report to the FISA Court as discussed above.

The case agent stated that in response to the Section 215 order, the company produced a [illegible] of the [illegible].⁶¹ This [illegible] document identified [illegible] in the Section 215 order [illegible].

According to the Department's [illegible] filed with the FISA Court, the [illegible] did not include any non-publicly available U.S. person information and thus was not subject to minimization procedures.

The case agent told us that this use of Section 215 authority was effective because [illegible].⁶² In addition, the agent said that [illegible].

⁶¹ The case agent told us that he could not locate the original Section 215 production and that it appeared that the original return was never placed in the case file. However, the agent stated that the FBI has an electronic copy of the return.

⁶² We also discuss the FBI's use of FISA's pen register authority to obtain [illegible] in our forthcoming report, A Review of the Federal Bureau of Investigation's Use of Pen Register and Trap and Trace Devices under the Foreign Intelligence Surveillance Act in 2007 through 2009.

43

However, the agent stated that [illegible] and that he did not follow up on the information received because of other investigative priorities and his transfer to a different FBI field office. The agent told us that [illegible], which is what he had hoped that this Section 215 order would have produced.

B. Summary of Findings

Our review of the matters detailed in this section resulted in agents describing for us the FBI's use of Section 215 authority in a manner that was consistent with what we were told during our last two reviews. For example, agents and attorneys told us that Section 215 authority continues to be a valuable investigative tool. Agents said they relied on Section 215 authority when companies would not voluntarily produce the material sought by the FBI and when the material was not available through other investigative authorities. The agents we interviewed did not identify any major case developments that resulted from the records obtained in response to Section 215 orders, but told us the authority is valuable when it is the only means to obtain certain information. As described in this section, agents told us that the material produced pursuant to Section 215 orders was used to support other investigative requests, develop leads, and corroborate information obtained from other sources. As previously noted, we did not attempt to independently evaluate the value or use of the materials produced in response to the Section 215 orders.

We also identified in this review, as we did in our prior reviews, several instances where the Department or the FISA Court modified Section 215 applications or orders.63 For example, the FISA Court questioned in four applications (three applications were related) whether the [illegible] of individuals whose records were sought had been properly applied. The Department responded by changing the status of the target in one of the applications and an NSLB attorney told us that with regard to the three related applications, he believes that the legal advisor's concerns were addressed by the implementation of additional minimization procedures. The Department also made revisions to applications following discussions with the FISA Court that had the effect of specifically excluding particular categories of records and limiting the scope of the requests to ensure that only non-content information was produced in response to the orders from electronic service providers to the public.

We believe that the most significant modification made during the 2007-2009 period was the FISA Court's general practice, beginning in June 2009, of

63 As noted in our previous reports, NSD considers modifications to be limited to any changes by the FISA Court after the Department filed the final application and order. NSD does not consider revisions to applications and orders made at the request of the FISA Court after it reviewed read copies to be modifications. In this review, we considered any revision to a Section 215 submission – whether after the review of the read copy or after final submission – to be a modification.

44

issuing Supplemental Orders in Section 215 matters. As described in this section and Section II, these orders required the Department to report to the FISA Court on the implementation of the Interim Minimization Procedures to U.S. person information received in Section 215 productions. Each Supplemental Order required that [illegible]

We reviewed each of the reports filed in the Section 215 matters we examined. According to the reports, the FBI retained nearly all of the material produced in response to the Section 215 orders and disseminated material to persons unconnected with the underlying investigation that was determined to be “foreign intelligence information” or “necessary to understand foreign intelligence information.” The reports indicated that disseminations were made to individuals authorized to access the FBI’s electronic case management systems, other U.S. intelligence agencies, and foreign governments.

As described in this section, we identified factual inaccuracies the Department made in several of the reports we reviewed, including incorrectly identifying the number of U.S. persons in a document and providing the FISA Court with incorrect information regarding the quantity and type of material produced in response to an order. We informed NSD of the inaccuracies we identified and, after reviewing the instances and consulting with the FBI, NSD sent a June 13, 2013, letter to the FISA Court identifying the errors.

We found the Supplemental Orders significant because the practice began almost three years after the Department was required by the Reauthorization Act to adopt specific procedures to govern the retention and dissemination of nonpublicly available information concerning U.S. persons produced in response to Section 215 orders, and over a year after we found that the Interim Procedures that the Department had implemented in September 2006 failed to meet the requirements of the Reauthorization Act and recommended that the Department take steps to address the issue. Yet, it was not until March 2013 that the Department filed with the FISA Court final minimization procedures specifically tailored to Section 215 collections and not until August 2013 that the Department began to file Section 215 applications with the FISA Court which stated that the FBI would apply the final minimization procedures to the Section 215 productions.

In Section III of this report, we describe aspects of the final minimization procedures that are relevant to the recommendations we made in our last report about the FBI’s use of Section 215 authority. Some of the issues identified in our review of the reports filed in response to Supplemental Orders, such as the broad application of the term “foreign intelligence information” and the meaning of “necessary to understand foreign intelligence information,” figure prominently in the rules about retention and dissemination set forth in the final minimization procedures.

45

VI. 64 A. Bulk Telephony Metadata

1. Background On May 23, 2006, the U.S. Department of Justice filed an application with the FISA Court seeking a Section 215 order requiring the production of certain records to the NSA. Specifically, the application sought telephone call-detail records, also known as telephony metadata, relating to all telephone communications maintained by certain telecommunications providers. The records were sought for investigations against international terrorism concerning the activities of [illegible] persons in the United States and abroad. In the OIG's second report about the FBI's use of Section 215 authority, A Review of the FBI's Use of Section 215 Orders for Business Records in 2006 (March 2008), we provided an appendix that summarized the May 23, 2006, FISA application, the FISA Court's May 24, 2006, order authorizing the collection, and the subsequent modifications to and renewals of the order. In the OIG's report, A Review of the Department of Justice's Involvement with the President's Surveillance Program (July 2009), we also described the application and order, as well as significant compliance incidents related to the order that the Department reported to the FISA Court in January 2009. In this section of the current report, we include a summary of the May 2006 application and order and significant compliance incidents that draws from the descriptions contained in our March 2008 report about the FBI's use of Section 215 authority and in our January 2009 report concerning the President's Surveillance Program. In addition, we describe significant changes to the order or compliance incidents involving the collection or use of the metadata since 64 46

2009, and the current status of the order. Much of the information contained in this section was declassified and made publicly available by the Office of the Director of National Intelligence in the months following the public disclosures of classified information beginning in June 2013.

2. May 23, 2006, Section 215 Application

The records sought by the FBI on behalf of the NSA in the May 23, 2006, Section 215 application were all telephone call-detail records, or telephony metadata, maintained as business records by certain telecommunications carriers. The application sought the production of metadata on an ongoing basis for the duration of the period covered by the Court order. This metadata is a defined term in the application and essentially consists of routing information that includes the originating and terminating telephone number of each call, and the date, time, and duration of each call. Telephony metadata does not include the substantive content of any communication or the name, address, or financial information of a subscriber or customer. According to the application, the vast majority of the telephony metadata provided to the NSA was expected to involve communications that were (1) between the United States and abroad, or (2) wholly within the United States, including local telephone calls.

The purpose of this bulk collection of data, as explained in the application, was to allow metadata analysis, which the application called a significant tool available to the U.S. government in its conflict with [illegible]. According to the application, the call-detail records provided to the NSA on an ongoing basis would be placed in an archive. The NSA could then run "queries" against this archive to identify [illegible]. The queries would attempt to identify communications links to individuals reasonably suspected of being [illegible] (an intelligence technique known as "contact chaining")

[illegible]

According to the application, the telephone numbers selected by the NSA to query the archive would be known telephone numbers for which, "based on the factual and practical considerations of everyday life on which reasonable and prudent persons act, there are facts giving rise to a reasonable, articulable suspicion that the telephone number is associated with [illegible] terrorist organization," provided that a telephone number believed to be used by a U.S. person will not be regarded as associated with the Foreign Powers solely on the basis of activities protected by the First Amendment to the Constitution.

The FISA application stated that the Section 215 order over the course of a year would result in the collection of telephony metadata pertaining to [illegible] telephone communications (approximately [illegible] call-detail records per day), including records of communications of U.S. persons located within the United States who were not the subjects of any FBI investigation. The stated justification for this broad collection was the NSA's determination that a data archive was needed for the NSA to perform analysis to find known operatives and to identify unknown operatives [illegible] terrorist organization, some of whom may be in the United States or in

47

communication with U.S. persons. The application stated that the primary advantage of metadata analysis – the ability to identify past connections and [illegible] – was possible only if the NSA “has collected and archived a broad set of metadata that contains within it the subset of communications that can later be identified as terrorist-related.”65

According to the application, the NSA estimated that only a tiny fraction (0.000025 percent or one in four million) of the call detail records included in the archive were expected to be analyzed. The results of any such analysis would be provided, or “tipped,” to the FBI or other federal agencies. The application stated that the NSA expected to provide on average approximately two telephone numbers per day to the federal agencies. The application also stated that the FBI would handle tipped information in a manner consistent with the Attorney General’s Guidelines for FBI National Security Investigations and Foreign Intelligence Collection.

The FISA application proposed restrictions on access to, and the processing and dissemination of, the data collected. The restrictions included the requirement that queries be approved by one of seven NSA officials or managers, and that queries only be performed with telephone numbers for which there was a reasonable, articulable suspicion that they were associated with [illegible] terrorist organization. In addition, the application stated that the NSA’s OGC would review and approve proposed queries of telephone numbers reasonably believed to be used by U.S. persons, and that prior to disseminating any U.S. person information outside the NSA, the designated NSA official must have determined that the information is related to counterterrorism information and is necessary to understand the counterterrorism information or assess its importance. The application also pointed to several mechanisms for oversight of the use of metadata, including the creation of a capability to audit NSA analysts with access to the metadata, and the destruction of collected metadata after a period of 5 years. The application also stated that the Director of the NSA would inform the Congressional Intelligence Oversight Committees of the FISA Court’s order, if granted, requiring the communications carriers to produce the call-detail records.

65 The application to obtain call detail records in bulk relied on the precedent established by a July 2004 FISA Court opinion and order authorizing the government to obtain specified categories of metadata in bulk from Internet communications. The OIG previously described this authorization and its implementation in our July 2009 report, A Review of the Department of Justice’s Involvement with the President’s Surveillance Program, and the authorization is also described in the OIG’s forthcoming report, A Review of the FBI’s Use of Pen Register and Trap and Trace Device Authority under FISA in 2007-2009. The FISA Court stated in its July 2004 opinion and order authorizing the bulk collection of Internet communications metadata that the FISA statute’s “relevance” requirement is a relatively low standard and that in evaluating whether bulk metadata is “relevant” to an investigation into [illegible] groups, “deference should be given to the fully considered judgment of the executive branch in assessing and responding to national security threats and in determining the potential significance of intelligence-related information.” The government cited this precedent in the bulk Section 215 application, stating, “[j]ust as the bulk collection of e-mail metadata was relevant to FBI investigations into [illegible], so is the bulk collection of telephony metadata described herein.”

48

3. May 24, 2006, FISA Court Order

The FISA Court approved the Department’s Section 215 application on May 24, 2006. The Court found that there were reasonable grounds to believe that the records sought – the telephony metadata – were relevant to authorized investigations being conducted by the FBI to protect against international terrorism. The Court’s order also incorporated each of the procedures proposed in the government’s application relating to access to and use of the archived metadata. This included a requirement that any application to renew or reinstate the authority for the bulk collection include a report describing: (1) the queries made since the order was granted; (2) the manner in which the procedures relating to access and use of the metadata were applied; and (3) any proposed changes in the way in which the call detail records would be received from the communications carriers.

The Court’s order was accompanied by [illegible] secondary orders to the telecommunications providers directing each to produce the records identified in the order and to continue producing such on an ongoing daily basis for the duration of the order, which was set to expire on August 18, 2006.

4. Modifications to and Renewals of the May 24, 2006, FISA Court Order

On August 8, 2006, the FBI presented to the FISA Court a Verified Motion for an Amended Order authorizing the use of the telephony metadata “to protect against the threat of international terrorism posed by [illegible] persons in the United States and abroad.” The terms of the prior May 23 application and May 24 order had been limited to [illegible] terrorism organizations. The proposed modification would allow the NSA also to query the archive of telephony metadata for information associated with [illegible] persons in the United States and abroad. The government’s motion asked that all other provisions of the FISA Court’s May 24, 2006, order remain in place. The motion was supported by a declaration of the Director of the National Counterterrorism Center describing the use of telephone communications by [illegible]. The Court granted the government’s motion for an amended order on August 8, 2006.

On August 18, 2006, the FBI filed a renewal application requesting that the FISA Court authorize the continued collection of the telephony metadata authorized in the May 24, 2006, order, as amended by the Court’s August 8, 2006, order. However, the August 18 application modified the prior applications in a few respects, including a request that the FISA Court increase the number of individuals at the NSA authorized to approve queries of the telephony metadata from seven to eight, and that the FISA Court authorize the collection and use of [illegible] information that the telecommunications providers were sometimes including in the bulk data provided to the NSA. The August 18 application also included the report required by the FISA Court’s May 24, 2006, order describing the queries that had been made since the May 24

49

order was granted and the manner in which the procedures relating to access and use of the metadata had been applied.

The Court approved the government's August 18 application the same day it was filed and issued the accompanying secondary orders to the communication carriers. The August 18, 2006, order was set to expire on November 15, 2006.

On November 14, 2006, the FBI filed a renewal application requesting that the FISA Court reauthorize the collection of the telephony metadata authorized in the August 18, 2006, order. The renewal application included a notice that two additional organizations had recently been determined to be affiliated with [illegible] and that the NSA expected to provide an average of approximately [illegible] telephone numbers per day to the FBI, an increase of [illegible] from the estimate provided in the May 23, 2006, application. The November 14 application also included the report required by the FISA Court's May 24, 2006, order describing the queries that had been made since the August 18 order was granted and the manner in which the procedures relating to access and use of the metadata had been applied.

The Court approved the government's application on November 15, 2006, and issued the accompanying secondary orders to the communications carriers. Since that time, the government has filed additional renewal applications at approximately 90-day intervals. Each of these applications has been approved by the Court, most recently on February 26, 2015.66

5. Non-Compliance with Section 215 Orders

The FISA Court drastically changed the authority previously granted to NSA by the March 2009 order for several months following the government's disclosure of incidents involving the NSA's failure to comply with the terms of the Court's prior orders. On January 9, 2009, representatives from NSD attended a briefing at the NSA concerning the telephony metadata collection. During the course of this briefing, and as confirmed by the NSA in the days that followed, the Department came to understand that the NSA was querying the telephony metadata in a manner that was not authorized by the FISA Court's Section 215 orders. Specifically, the NSA was on a daily basis automatically querying the metadata with thousands of telephone identifiers from an "alert list" that had not been determined to satisfy the reasonable articulable suspicion (RAS) standard the Court required be met before the NSA was authorized to "access the archived data" for search or analysis purposes.67

66 In June 2007, the government sought approval to add the [illegible] terrorist organizations as targets of the Section 215 collection. The FISA Court granted his request on June 14 and then incorporated these groups into the FISA Court's July 25, 2007, order.

67 The term "telephone identifier" used by the government means a telephone number as well as other unique identifiers associated with a particular user or telecommunications device for purposes of billing or routing communications.

50

The alert list contained telephone identifiers that were of interest to NSA counterterrorism analysts responsible for tracking the targets of the Section 215 orders. The list was used to compare the incoming telephony metadata obtained under FISA authority, as well as other NSA sources of signals intelligence collection (collection authorized under Executive Order 12333, for example), and alert the NSA if there was a match between a telephone identifier on the list and an identifier in the incoming data. Under the procedures the NSA had developed to implement the Section 215 authority, alerts (or matches) generated from RAS-approved identifiers could be used to automatically conduct contact chaining [illegible] of the telephony metadata. However, automated analysis for alerts generated by non-RAS approved identifiers were not permitted; instead, the alerts were sent to analysts to determine whether contact chaining [illegible] was warranted in accordance with the RAS standard.

On January 15, 2009, the Department notified the FISA Court that the NSA had been accessing the telephony metadata with non-RAS approved identifiers. As of that date, only 1,935 of the 17,835 telephone identifiers on the alert list were RAS-approved.68 On January 28, 2009, the Court issued an order stating that it was “exceptionally concerned about what appears to be a flagrant violation of its Order in this matter[.]” The Court required the government to file a brief to “help the Court assess whether the Orders in this docket should be modified or rescinded; whether other remedial steps should be directed; and whether the Court should take action regarding persons responsible for any misrepresentations to the Court or violation of its Orders, either through its contempt powers or by referral to appropriate investigative offices.” The Court also required the government to address several additional specific issues, including who knew that the alert list being used to query the metadata included identifiers that had not been determined to meet the RAS standard, how long the “unauthorized querying” had been conducted, and why none of the entities the Court directed to conduct reviews of the metadata collection program identified the problem earlier.69

On February 17, 2009, the government responded to the Court’s Order and acknowledged that the NSA’s previous descriptions to the Court of the alert list process were inaccurate and that the Section 215 Order did not authorize the government to use the alert list in the manner that it did. The government described for the Court in detail how the NSA developed procedures in May 2006 to implement the Section 215 authority that resulted in the NSA querying the

68 Following the Department’s notice to the Court, the NSA attempted to complete a software fix to the alert process so that “hits” against the telephony metadata generated by non-RAS-approved telephone identifiers were deleted and that only “hits” generated by RAS-approved identifiers were sent to NSA analysts for further analysis. The NSA also attempted to construct a new alert list consisting of only RAS-approved telephone identifiers. However, the implementation of these modifications was unsuccessful and on January 24, 2009, the NSA shut down the alert process completely.

69 The entities directed to conduct such reviews under the Section 215 Orders were the NSA’s Inspector General, General Counsel, and Signals Intelligence Directorate Oversight and Compliance Office.

51

telephony metadata with non-RAS approved telephone identifiers for over two years in violation of the Court's orders, and how those procedures came to be described incorrectly to the Court. According to the government, the situation resulted from the NSA's interpretation of the term "archived data" used in the Court's orders and the NSA's mistaken belief that the alert process under the Section 215 authority operated the same as the alert process under the Pen Register and Trap and Trace authority.70 The government told the Court that "there was never a complete understanding among key personnel" who reviewed the initial report to the Court describing the alert process about what certain terminology was intended to mean, and that "there was no single person who had complete technical understanding of the [business records] FISA system architecture."

The government argued that the Section 215 orders should not be rescinded or modified "in light of the significant steps that the Government has already taken to remedy the alert list compliance incident and its effects, the significant oversight modifications the Government is in the process of implementing, and the value of the telephony metadata collection to the Government's national security mission[.]"71 Among the several measures the government highlighted to the Court was the NSA Director's decision to order "end-to-end system engineering and process reviews (technical and operational) of NSA's handling of [telephony] metadata." Less than 2 weeks after the government filed the response summarized above, the government informed the Court that the NSA had identified additional compliance incidents during these reviews.72

70 The NSA understood the term "archived data" in the Court's Order to refer to the NSA's analytical repository for the telephony metadata. As the term is normally used by the NSA, "archived data" excludes the processing steps the NSA uses to make raw collection of signals intelligence useful to individual intelligence analysts. The NSA viewed the alert process as an "intermediate step" because it was applied as the metadata flowed from the telecommunications service providers to the NSA - before it was stored in a repository, thus becoming "archived data." The NSA believed that the requirement to satisfy the RAS standard was only triggered "when the NSA sought access to the stored, or archived," repository of telephony metadata. For this reason, in the NSA's view, it was not required to limit the alert list to RAS-approved identifiers.

71 The government also reported that of the 275 reports (totaling 2,549 telephone identifiers) the NSA had disseminated since May 2006 as a result of contact chaining [illegible], 31 reports resulted from the automated alert process and no reports were identified that resulted from the use of a non-RAS approved identifier. The NSA also determined that in all instances that a U.S. telephone identifier was used to query the metadata for a report, the identifier was either already the subject of a FISA Court Order or had been reviewed by the NSA's Office of General Counsel to ensure the RAS determination was not based solely on a U.S. person's First Amendment-protected activities.

72 The additional compliance incidents involved the NSA's handling of the telephony metadata in an unauthorized manner. The first incident involved the NSA's use of an analytical tool to query (usually automatically) the metadata with non-RAS approved telephone identifiers. The tool determined if a record of a telephone identifier was present in NSA databases and, if so, provided analysts with information about the calling activity associated with that identifier. The second incident involved 3 analysts who conducted chaining analyses in the telephony metadata using 14 non-RAS approved identifiers. According to the government's notice to the Court, the analysts conducted queries of non-FISA authorized telephony metadata and were unaware their (Cont'd.)

52

In orders dated March 2 and 5, 2009, the FISA Court addressed the compliance incidents reported by the government and imposed drastic changes to the Section 215 authorities previously granted. The Court first addressed the NSA's interpretation of the term "archived data." The Court said the interpretation "strains credulity" and observed that an interpretation that turns on whether the metadata being accessed has been "archived" in a particular database at the time of the access would "render compliance with the RAS requirement merely optional."

The Court next addressed the misrepresentations the government made to the Court from August 2006 to December 2008 in reports that inaccurately described the alert list process. The Court recounted the specific misrepresentations and summarized the government's explanation for their occurrence. The Court then concluded:

Regardless of what factors contributed to making these misrepresentations, the Court finds that the government's failure to ensure that responsible officials adequately understood the NSA's alert list process, and to accurately report its implementation to the Court, has prevented, for more than two years, both the government and the [FISA Court] from taking steps to remedy daily violations of the minimization procedures set forth in [FISA Court] orders and designed to protect billions of call detail records pertaining to telephone communications of U.S. persons located within the United States who are not the subject of any FBI investigations and whose call detail information could not otherwise have been legally captured in bulk.

The Court also addressed the additional non-compliance incidents that were identified during the initial review ordered by the NSA Director, observing that the incidents occurred despite the NSA implementing measures specifically intended to prevent their occurrence. In view of the record of compliance incidents the government had reported to date, the Court stated:

[I]t has finally come to light that the [FISA Court]'s authorizations of this vast collection program have been premised on a flawed depiction of how the NSA uses [business records] metadata. This misperception by the [FISA Court] existed from the inception of its authorized collection in May 2006, buttressed by repeated inaccurate statements made in the government's submissions, and despite a government-devised and Court-mandated oversight regime. The minimization procedures proposed by the government in each successive application and approved and adopted as binding by the orders of the [FISA Court] have been so frequently and systemically violated that it can fairly be said that this critical

queries also ran against the FISA-authorized metadata. The government stated that none of the queries used an identifier associated with a U.S. person or telephone identifier and none of the queries resulted in intelligence reporting.

53

element of the overall [business records] regime has never functioned effectively.

Despite the Court's concerns with the telephony metadata program, and its lack of confidence "that the government is doing its utmost to ensure that those responsible for implementation fully comply with the Court's orders," it authorized the government to continue collecting telephony metadata under the Section 215 orders. The Court stated that in light of the government's repeated representations that the collection of the telephony metadata is vital to national security, taken together with the Court's prior determination that the collection properly administered conforms with the FISA statute, "it would not be prudent" to order the government to cease the bulk collection.

However, believing that "more is needed to protect the privacy of U.S. person information acquired and retained" pursuant to the Section 215 Orders, the Court prohibited the government from accessing the metadata collected "until such time as the government is able to restore the Court's confidence that the government can and will comply with previously approved procedures for accessing such data."73 The Court ruled that the government may, on a case-by-case basis, request authority from the Court to query the metadata to obtain foreign intelligence.74 The Court required that the requests specify the telephone identifier to be used and the factual basis for the NSA's RAS determination.

The Court ordered that upon completion of the NSA's end-to-end system engineering and process reviews, the government was to file a report that described the results of the reviews, discussed the steps taken to remedy non-compliance incidents, and proposed minimization and oversight procedures to employ should the Court authorize resumption of regular access to the telephony metadata. The government's report also was required to include an affidavit from the FBI Director and any other government national security official deemed appropriate describing the value of the telephony metadata to U.S. national security.

Additionally, the Court ordered the government to implement oversight mechanisms proposed in the government's response to the compliance incidents. These mechanisms generally required NSD to assume a more prominent role in the NSA's administration of the bulk collection program, such

73 The Court also stated, "Given the Executive Branch's responsibility for and expertise in determining how best to protect our national security, and in light of the scale of this bulk collection program, the Court must rely heavily on the government to monitor this program to ensure that it continues to be justified, in the view of those responsible for our national security, and that it is being implemented in a manner that protects the privacy interests of U.S. persons[.]"

74 The Court authorized the government to query the metadata without Court approval to protect against an imminent threat to human life, with notice to the Court within the next business day of the query being conducted. The Court also authorized the government to access the metadata to ensure "data integrity" and to develop and test technological measures designed to enable to the NSA to comply with previously approved procedures for accessing the metadata.

54

as the requirement that NSA's OGC consult with the NSD on all significant legal opinions that relate to the interpretation, scope, or implementation of past, current, and future Section 215 orders related to the telephony bulk metadata collection.

For the next several months, the government filed requests with the Court seeking approval of queries the NSA sought to make against the metadata archive. NSD submitted the requests to the Court as the NSA identified telephone numbers that it believed satisfied the RAS standard. The requests were made by motion to the Court and typically included multiple telephone numbers, or identifiers. For each identifier, the government identified the telephone number and country of origin, if known, and set forth the justification for the belief the identifier satisfied RAS. The justification was typically a paragraph that included information about the suspected user of the telephone number and that individual's connection to [illegible] terrorist organizations. The justifications also stated whether the suspected user of the telephone number was a non-U.S. person or U.S. person. Between March and September 2009, NSD submitted about [illegible] telephone identifiers to the FISA Court for approval. Each of these was approved.75

6. August 17, 2009, Report to Court and September 3, 2009, Court Order Lifting Access Restrictions

In August 2009, NSD submitted the report to the FISA Court required by the March 2009 orders. The report "aim[ed] to provide the Court with assurance that NSA has addressed and corrected the instances of non-compliance and is taking additional steps to monitor and ensure compliance with the Court's Orders going forward." The report included, as required by the Court's Orders, the results of NSA's end-to-end review, the remedies for instances of non-compliance, the testing of technological remedies, and additional measures to ensure compliance, such as creating a new position of Director of Compliance. The report also included, through declarations from NSA Director Alexander and FBI Director Mueller, assertions about the value of the program to the national security. The government informed the Court in the report that it intended to request in the next renewal application authority for certain NSA analysts to resume conducting queries of the telephony metadata archive using identifiers approved by the NSA.

According to the report, the end-to-end review did not identify any single cause for the instances of non-compliance that had been reported to the Court, including the additional instances discovered during the end-to-end review. The review determined that the non-compliance instances "were exacerbated by a

75 As described earlier in this report, FISA Court rules require that NSD submit "proposed applications" or "read" copies of applications with the FISA Court before making formal applications. The FISA Court, often through a staff legal advisor, occasionally identifies questions or concerns or requests changes after reviewing "read" copies. When this occurs, NSD and the NSA address the issues identified by the Court and made revisions where necessary before formally submitting the requests.

55

primary focus on analyst use of the data, the complexity of the overall [business record] FISA system, and a lack of shared understanding among the key stakeholders as to the full scope of the [business record] FISA system and the implementation of the [business record] FISA Orders."

The report described each of the non-compliance incidents that had been identified and the associated remedy. For example, the NSA discovered during the end-to-end review that between May 2006 and February 2009, 3,000 domestic telephone numbers were determined to satisfy the RAS standard and authorized for use as query identifiers without obtaining NSA OGC approval, as required by the Court's Orders. NSA remedied this by re-designating the identifiers as non-RAS approved and also verified that none of the identifiers generated alerts that resulted in reports to Intelligence Community agencies. The review also discovered instances of inappropriately disseminating U.S. person information derived from the FISA metadata archive, such as authorizing disseminations pursuant to NSA's dissemination requirements and not the more restrictive dissemination provisions of the Court's Orders. This non-compliance was to be remedied through additional training and oversight and weekly reports to the Court summarizing disseminations that had been made. For these and other instances of non-compliance, the NSA also implemented technological remedies, such as implementing software that prevented analysts from querying the archive with non-RAS identifiers.

The report also described additional measures that the government had implemented and the Court had imposed to maintain compliance with the Court's Orders. These included regular communications between NSA and NSD on significant legal interpretations and compliance issues, the NSA's creation of the position of Director of Compliance who reports directly to the NSA's Director and Deputy Director, the requirement that NSA obtain NSD approval before implementing any automated query process, and broader training requirements. In addition, any renewal application for the bulk collection was required to include a report on a meeting NSA and NSD were required to have regarding compliance with past Orders prior to filing the renewal application, and the NSA was required to file a report every week with the Court describing any dissemination of the Section 215 data and certifying that the Orders' dissemination requirements were followed. The report also proposed measures the NSA would take with respect to the RAS standard, including reviewing determinations at regular intervals (at least every 180 days for U.S. telephone numbers believed to be used by a U.S. person and every year for all other identifiers).

With respect to the value of the bulk collection of telephony metadata to national security, the report, through declarations from Directors Alexander and Mueller, asserted that the metadata "addresses a critical, threshold issue for the Government's efforts to detect and prevent terrorist acts affecting the national security" by identifying terrorists and their associates. The report elaborated that the historical nature of the metadata allows NSA analysts to identify recent and past contacts and [illegible] of individuals believed to be associated with terrorists. In addition, according to the report, the metadata provides information about the activities of terrorists and their associates that is not

56

available from other sources of telephony metadata, such as NSA's signal intelligence collection under Executive Order 12333, . The report asserted that the Section 215 metadata collection "helps fill these foreign intelligence gaps" and allows the NSA to provide the FBI with information about contacts between U.S. telephone numbers and individuals believed to be associated with terrorist organizations. These leads or tips to the FBI "can act as an early warning of possible domestic terrorist activity." According to Director Alexandar's declaration, the NSA tipped telephone numbers to the FBI between May 2006 and May 2009. The report also stated that the FBI opened 27 full investigations between May 2006 and the end of 2008 "based, at least in part" on Section 215 metadata tips. Director Mueller's declaration described as examples four such cases.

On September 3, 2009, the FISA Court approved the government's renewal application and lifted the restrictions it had placed on the NSA's authority to make RAS determinations and approve telephone numbers as queries, in effect generally returning the program to the process that was in place prior to the discovery of the compliance issues NSD identified in January 2009. The Order incorporated the oversight measures identified in the government's August 2009 report and described above.

Since the September 3, 2009, Order the FISA Court has continued to approve the renewal applications at approximately 90-day intervals and the government has continued to submit to the Court the required reports about meetings between NSD and NSA and about disseminations of information obtained or derived from the Section 215 metadata. According to NSD staff with primary responsibility for these applications, there have been occasional compliance incidents reported to the Court since those identified in January 2009, but none as consequential. For example, NSD reported to the FISA Court in March 2011 that in December 2010 and January 2011 NSA technical personnel discovered that telephony metadata produced by a telecommunications carrier included . NSA contacted the carrier and was informed that a software change made in October 2010 resulted in this occurrence. According to NSD's compliance notice filed with the Court, beginning on or about January 14, 2011, the telephony metadata produced by the carrier did not include . The NSA subsequently provided updates to the FISA Court describing the measures taken to purge the from its databases.

7. July 19, 2013, FISA Court Order Renewing Collection and Current Status of Collection

As noted earlier, in June 2013 Edward Snowden caused the public disclosure of classified documents related to the use of Section 215 authority to obtain telephony metadata in bulk. This resulted in a significant amount of public discussion about the program, and led to the decision by the Office of the Director of National Intelligence to declassify and release to the public a substantial volume of information about the program.

57

The government's first renewal application in the wake of the Snowden disclosures was filed on July 18, 2013. Judge Claire V. Eagan of the FISA Court approved the application on July 19 and the Office of the Director of National Intelligence informed the public of the application and order that same day. In her August 29, 2013, Amended Memorandum Opinion explaining the basis for her decision to grant the government's application, Judge Eagan requested under applicable FISA Court rules that her opinion and order be published because of the public interest in the case. The Office of the Director of National Intelligence publicly released a declassified version of the opinion and order on October 18, 2013.

Judge Eagan addressed the constitutionality of the requested production and the relevance of telephony metadata in bulk to authorized investigations, compared Section 215 to its counterpart in criminal investigations (18 U.S.C. § 2703), and considered the applicability of the doctrine of legislative re-enactment to Section 215. Judge Eagan did not find any constitutional impediment to the collection and stated that she agreed with the Court's prior findings that bulk collections are necessary and, therefore, relevant in order for the NSA to use its analytical tools to identify the calls of known and unknown terrorists contained within the bulk data. Judge Eagan also found that the "complementary" operation of Section 215 and § 2703 "is an indication that Congress intended this Court to apply a different, and in specific respects lower, standard to the government's Application under Section 215 than a court reviewing a request under Section 2703(d)."76 Lastly, Judge Eagan found that the doctrine of legislative re-enactment applied to the government's use of Section 215 authority because Congress's reauthorization of the provision in the Patriot Sunsets Extension Act of 2011 "carried with it this Court's interpretation of the statute, which permits the bulk collection of telephony metadata under the restrictions that are in place."77

Judge Eagan's order expired on October 11, 2013, and a new order authorizing the collection for another 90 days was issued that same day by Judge Mary A. McLaughlin. Judge McLaughlin also requested under FISA Court rules that her Memorandum and Order be published, and they were among the documents the Office of the Director of National Intelligence publicly released on October 18, 2013. Judge McLaughlin stated in her memorandum that she had conducted an independent review of the relevant issues and "agrees with and

76 Section 2703 is used by criminal investigators to obtain the content of communications or non-content records of communications from electronic communications service providers. Investigators can obtain court orders for non-content records by demonstrating "specific and articulable facts showing that there are reasonable grounds to believe . . . the records or other information sought, are relevant and material to an ongoing criminal investigation." 18 U.S.C. § 2703(d). Section 215 requires only "a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation . . .." 50 U.S.C. § 1861(b)(2)(A).

77 Judge Eagan quoted from the U.S. Supreme Court's decision in Lorillard v. Pons, 434 U.S. 575, 580 (1978): "Congress is presumed to be aware of an administrative or judicial interpretation of a statute and to adopt that interpretation when it re-enacts a statute without change."

58

adopts Judge Eagan's analysis as the basis for granting the application." Judge McLaughlin's order expired on January 3, 2014. On that same day, Judge Thomas F. Hogan issued an order authorizing the collection for another 90 days, to March 28, 2014.

On January 17, 2014, the President publicly announced two changes that would be made to the bulk collection of telephony metadata. The first was to require the government, absent an emergency, to obtain FISA Court approval of query term prior to conducting queries of the database. The second change was to limit query results to those that are two levels or "hops" – instead of three – from the query terms used to query the database. These changes became effective on February 5, 2014, after the FISA Court granted the government's motion to amend the January 3, 2014, order.

The President also directed the Intelligence Community and the Attorney General "to develop options for a new approach to match the capabilities and fill gaps that the Section 215 program was designed to address without the government holding the metadata." Alternative approaches were provided to the President and on March 27, 2014, he announced that the government would end its collection of bulk telephony metadata. In its place, the President proposed an arrangement in which the metadata is maintained by the providers and queries are conducted with specific telephone numbers approved by the FISA Court through individual orders.

The President's proposal requires new legislation. In order to provide the government time to work to implement the proposal while maintaining its ability to query the bulk telephony metadata, the President directed the Department to file an application with FISA Court seeking to renew the January 3, 2014, order (as amended in February) that was set to expire on March 28. The FISA Court granted the Department's application, and has since that time granted four additional renewal applications, most recently on February 26, 2015. The current order expires on June 1, 2015.

B. [illegible]

[illegible] 78 [illegible]

[illegible]

78[illegible]

59

79 80 81 82 79 80 81 82 60

83

83

61

84 85

84 85

62

VII. CONCLUSION AND RECOMMENDATION

We examined in this report the progress the Department and the FBI made in addressing the three recommendations in the OIG's second report about the FBI's use of Section 215 authority, A Review of the FBI's Use of Section 215 Orders for Business Records in 2006 (March 2008). We recommended then that the FBI develop procedures for reviewing materials received from Section 215 orders to ensure that it has not received information that is not authorized by the FISA Court orders, and for handling material that is produced in response to, but outside the scope of, a Section 215 order. We also recommended that the FBI develop final standard minimization procedures for business records that provide specific guidance for the retention and dissemination of U.S. person information.

On March 7, 2013, the Attorney General adopted and the Department filed final minimization procedures for Section 215 material with the FISA Court. The Department began to implement the procedures in August 2013. The Attorney General's and the Department's actions came 7 years after such procedures were required by the Reauthorization Act and 5 years after we concluded the Interim Procedures implemented in 2006 were deficient. We believe that in light of the importance of minimization procedures to the

63

Department's authority to use Section 215, the Department should have met its statutory obligation considerably earlier than March 2013.

We reviewed aspects of the procedures that were relevant to our recommendations. For reasons described in Section III of this report, we concluded that with the Final Procedures the Department and FBI have fully implemented one of the three recommendations from our March 2008 report on the use of Section 215 authority, and we consider it closed. The other two recommendations are resolved but not closed so that the Department and FBI may consider clarifying aspects of the procedures that we identified above in training materials or policy implementation guidelines, or in any future versions of the Final Procedures. We encourage the Department and the FBI to periodically evaluate the final procedures' implementation to determine whether additional clarifications or explanations through updates in training or revisions to the guidelines are appropriate.

We noted the FISA Court's general practice, beginning in June 2009, of issuing Supplemental Orders in Section 215 matters. These orders required the Department to report to the FISA Court on the implementation of the Interim Minimization Procedures to U.S. person information received in Section 215 productions, [illegible] ." We found the Supplemental Orders significant because the practice began almost 3 years after the Department was required by the Reauthorization Act to adopt specific procedures to govern the retention and dissemination of nonpublicly available information concerning U.S. persons produced in response to Section 215 orders and over a year after we found that the Interim Procedures that the Department had implemented in September 2006 failed to meet the requirements of the Reauthorization Act.

We also identified some factual inaccuracies the Department made in several of the reports required by the Supplemental Orders we reviewed, including incorrectly identifying the number of U.S. persons in a document disseminated by the FBI and providing the FISA Court with incorrect information regarding the quantity and type of material produced in response to an order. We informed NSD of the inaccuracies we identified and, after reviewing the instances and consulting with the FBI, NSD sent a letter to the FISA Court identifying the errors.

In addition to reviewing the status of the OIG recommendations, we examined in this report the FBI's use of Section 215 authority to obtain "any tangible things" in calendar years 2007 through 2009. Our review of Section 215 applications and orders for that period showed that the FBI processed [illegible] requests for Section 215 applications, 51 of which were formally submitted to the FISA Court for approval: 17 in 2007, 13 in 2008, and 21 in 2009. The Department filed [illegible] of the 51 applications formally submitted to the FISA Court in connection with [illegible] . The other [illegible] applications were formally submitted to the FISA Court on behalf of the FBI. The [illegible] requests that were not submitted to the FISA

64

Court were withdrawn after being submitted to either NSLB or NSD. We did not identify any applications that were withdrawn after being submitted to the FISA Court. The FISA Court approved each of the applications submitted.

We found that the Section 215 applications filed on behalf of the FBI sought a variety of "tangible things," including [redacted], e-mail transactional records, [redacted]. We determined that 13 of the FBI's 56 field offices requested the [redacted] Section 215 orders filed on behalf of the FBI and that the requests for orders originated from counterintelligence, counterterrorism, cyber, and positive foreign intelligence investigations.

We also selected several Section 215 applications from the 2007-2009 time period to illustrate various uses of Section 215 authority and to conduct a more detailed review of the types of material requested, the purposes of the requests, the materials produced, and the manner in which the materials were used. This examination resulted in agents describing for us the FBI's use of Section 215 authority in a manner that was consistent with what we were told during our last two reviews. For example, agents and attorneys told us that Section 215 authority continues to be a valuable investigative tool. Agents said they relied on Section 215 authority when companies would not voluntarily produce the material sought by the FBI and when the material was not available through other investigative authorities. The agents we interviewed did not identify any major case developments that resulted from the records obtained in response to Section 215 orders, but told us the authority is valuable when it is the only means to obtain certain information. Agents told us that the material produced pursuant to Section 215 orders was used to support other investigative requests, develop investigative leads, and corroborate other information. The agents' descriptions of these uses of the authority were consistent with what we were told during our last two reviews. As with our past reviews, we did not attempt to independently evaluate the value or use of the materials produced in response to the Section 215 orders.

We also identified, as we did in our prior reviews, several instances during the 2007-2009 period where the Department or the FISA Court modified Section 215 applications or orders. In several instances the FISA Court questioned whether subjects were properly identified as non-U.S. persons. The FISA Court also requested that additional language be inserted into applications and orders to public electronic service providers to ensure that any content was excluded from the material produced to the FBI in response to the orders.

We also described in this report the [redacted] Section 215 applications that the Department submitted to the FISA Court in connection with the [redacted]. We previously described [redacted] Classified Appendices of our March 2008 report. The Office of the Director of National Intelligence declassified aspects of the NSA's program following the public disclosure of documents relating to the collection beginning

65

in June 2013. As described earlier, the Department relied on the legal theory that all of the data collected is relevant as a whole because it is necessary to create a data archive from which to identify the specific records that are pertinent to authorized investigations to protect against international terrorism activities of specified Foreign Powers. The Department acknowledged that the data includes records of U.S. persons who were not the subject of or associated with the subjects of authorized investigations, and the FISA Court's orders approving the government's applications have included specialized minimization procedures for handling the U.S. person information that is collected.

We note that the use of Section 215 authority continues to expand to reflect legislative, technological, and strategic changes. The legislative changes described in Section II expanded both the types of businesses upon which Section 215 orders could be served and the categories of documents that could be obtained. The legislative changes also lowered the evidentiary threshold to a "relevance standard" for obtaining Section 215 orders and provided a presumption that for applications that demonstrate the tangible things sought pertain to foreign powers, agents of foreign powers, subjects of authorized investigations, or individuals known to associate with subjects of such investigations, the FISA Court is required to find that the statutory threshold of relevance has been met.

Technological advancements to and society's use of the Internet have also expanded the quantity and quality of electronic information available to the FBI, , through use of Section 215 authority. Materials produced in response to Section 215 orders now range from hard copy reproductions of business ledgers and receipts to gigabytes of metadata and other electronic information.

The FBI made strategic use of the legislative and technological changes by broadening the scope of materials sought in applications. Section 215 authority is not limited to requesting information related to the known subjects of specific underlying investigations. The authority is also used in investigations of groups comprised of unknown members and to obtain information in bulk concerning persons who are not the subjects of or associated with an authorized FBI investigation.

While the expanded scope of these requests can be important uses of Section 215 authority, we believe these expanded uses require continued significant oversight by the FISA Court, NSD, and other oversight entities.

Finally, the Department's Final Procedures have been incorporated into Section 215 applications only since August 2013 and thus we have not reviewed their implementation. However, we have identified two potential issues regarding the application of the metadata provisions that will require attention and oversight. First, we believe that it will be important for NSD and the FBI to periodically review the application of the . Second, NSD and the FBI must remain cognizant of developments in the type of

66

information that is categorized as metadata in order to guard against the inadvertent request for or collection of metadata that is not authorized under Section 215 authority.

In addition, we examined the provisions in the Final Procedures that pertain to the OIG's access to Section 215-acquired information for purposes of conducting its reviews and investigations. The General Provisions section of the Final Procedures states, [illegible]

The FBI has in the past taken the position, over the OIG's objections, that the FBI's minimization procedures for electronic surveillance and physical searches restricted the OIG's access to such information. NSD made revisions to those procedures in 2013 that included inserting the statement above, which was subsequently also incorporated into the Final Procedures for Section 215-acquired information. The NSD Deputy Assistant Attorney General for the Office of Intelligence informed us that NSD included this statement in the FBI's minimization procedures to make clear that nothing in the procedures should be interpreted to restrict the OIG's access to FISA-acquired information needed for OIG reviews and investigations. As part of this review, the FBI's General Counsel informed us that he concurs with this position.

67

UNCLASSIFIED

The Department of Justice Office of the Inspector General (DOJ OIG) is a statutorily created independent entity whose mission is to detect and deter waste, fraud, abuse, and misconduct in the Department of Justice, and to promote economy and efficiency in the Department's operations. Information may be reported to the DOJ OIG's hotline at www.justice.gov/oig/hotline or (800) 869-4499.

Office of the Inspector General U.S. Department of Justice www.justice.gov/oig

NATIONAL SECURITY ARCHIVE

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu