For 7 Years, FBI Defied Law for Seeking a Person’s Records Under Patriot Act
A Justice Department inspector general’s report shows that for seven years the Federal Bureau of Investigation violated statutory law designed to restrict the agency’s surveillance power. During this period, the agency sought individuals’ records under the business records provision of the PATRIOT Act without adopting proper “minimization procedures” to protect privacy of US persons.
The FBI’s use of orders under Section 215 between 2007 and 2009 was examined by the inspector general. Whether the FBI complied with recommendations the inspector general made back in March 2008.
Section 215 makes it possible for the government to obtain “any tangible things,” such as books, records and other items from a business, organization or entity. They are supposed to be “relevant” to an “authorized investigation to obtain foreign intelligence information not concerning a US person or to protect against international terrorism or clandestine intelligence activities.” But the standard for relevance is very low.
The Section 215 provision is set to expire on June 1, and, as Senator Rand Paul comprehensively outlined while he held the Senate floor for over ten hours, there are many reasons to not reauthorize the provision. This report, which was completed eleven months ago but is dated May 2015, adds substantially to those reasons.
Under the PATRIOT Improvement and Reauthorization Act of 2005, the law required that certain “minimization procedures” be adopted to ensure the handling of US persons’ data was done appropriately. It was not until March 7, 2013, that the Attorney General and the Justice Department officially incorporated these procedures into requests for records. (Marcy Wheeler points out the Justice Department did not actually fully comply with legally required procedures until after NSA whistleblower Edward Snowden disclosed information.)
“The Attorney General’s and the [Justice] Department’s actions came 7 years after such procedures were required by the Reauthorization Act and 5 years after we concluded the interim procedures in 2006 were deficient,” the inspector general’s report [PDF] indicates.
In an understatement, the inspector general declares that the Justice Department “should have met its statutory obligation considerably earlier than March 2013.”
The report suggests that FBI personnel have made “strategic use of the legislative and technological changes by broadening the scope of materials sought in applications. Section 215 authority is not limited to requesting information related to the known subjects of specific underlying investigations. The authority is also used in investigations of groups comprised of unknown members and to obtain information in bulk concerning persons who are not the subjects of or associated with any FBI investigation.”
That seems hugely significant. FBI personnel are permitted to request records of persons who are not subjects of underlying investigations. The FBI uses the PATRIOT Act to request records on people when they do not even have an FBI investigation into those individuals.
FBI personnel with authorized access are apparently permitted to engage in some action involving records, which the Justice Department believes must keep secret. This action is used to determine whether records “reasonably appear to be foreign intelligence information, necessary to understand foreign intelligence information or evidence of a crime.”
National Security Division attorneys in the Justice Department and FBI case agents provided the inspector general with a “range of examples of material that would qualify under this criteria.” It is impossible for the public to know what this means because the Justice Department had it censored in the report.
Another term the FBI has conjured to expand its surveillance powers is “investigative value.” This is a term the inspector general discovered the FBI had introduced for allowing case agents “unconnected with the underlying investigation access to material received in response” to a Section 215 order. However, what “investigative value” means to the FBI and just how it stretches the boundaries of what the agency is authorized to do is anyone’s guess because, again, the agency’s definition is censored in the released report.
The “type of information that is categorized as metadata will likely continue to evolve and expand,” the report acknowledges. The FBI is obtaining “large collections of metadata,” which is data about the records but not the exact content from the records themselves. “Electronic communication transaction information” and two other types of data, which the FBI does not want the public to know about, are being sought through this provision of the PATRIOT Act.
Similar to the conclusion of the Privacy & Civil Liberties Oversight Board and President Barack Obama’s own review group, it was found that Section 215 had resulted in zero “major case developments.” In other words, no terrorist attacks were thwarted because the FBI was able to use the PATRIOT Act to obtain specific records on an individual.
Examples of investigations in which the FBI used Section 215 are included in the report. In January 2007, the FBI investigated Roy Lynn Oakley, an employee of the Oak Ridge National Laboratory in Tennessee. The employee was targeted as part of a “counterintelligence” investigation for attempting to sell “stolen parts of a nuclear converter” to a foreign government. Oakley was ultimately pled guilty to violating the Atomic Energy Act because he “unlawfully disclosed” “restricted data.” (The FBI targeted Oakley with an undercover sting operation.)
In July 2009, the FBI requested US persons’ data from a “private employer in a preliminary counterterrorism investigation.” And, in December 2009, the FBI requested records in a “counterintelligence” investigation of “cyber network exploitation.” The FBI sought to “obtain information regarding other cyber activity,” while engaged in this investigation.
Nearly all of the records obtained in these investigations were retained by the FBI.
Sections of the inspector general’s report, which describe in detail the FBI’s collection (or sometimes protection) of data on US persons, are blacked out. The FBI has criteria related to how it determines whether a US person really is a US person, which it does not want to become public.
Here is one example of a section on US persons that seems quite ominous because of the redactions.
It refreshes our understanding of the definition the FBI uses for US person and then it says, “In general, absent other information.” For whatever reason, the public cannot know generally what all this specific information about US persons means to the agency.
The following section details policies around retention of US persons’ data. However, almost all of it is blacked out.
There is a “classified directive to the definition of US persons.” The FBI has a secret definition for what it means to be a US person.
Between 2002 and 2009, 83 Section 215 applications were “processed and formally submitted” to the FISA court. Fifty-one were submitted between 2007 and 2009. They “originated from counterintelligence, counterterrorism, cyber and positive foreign intelligence investigations.” All were approved.
While it was previously reported by news media in 2013, the inspector general devoted a significant portion of the report to a huge example where the National Security Division of the Justice Department worked to bail out the NSA after it was found to be violating the law.
The NSA queried metadata of thousands of “telephone identifiers” from an “alert list” that was determined by the FISA court to not satisfy the “reasonable articulable suspicion” standard required to be met before the NSA accessed “archived data” for search or analysis. The NSA falsely described data so it could continue to collect data of Americans between 2006 to 2008, which it was not legally authorized to collect.
On January 15, 2009, the Justice Department notified the FISA Court that the NSA had been committing these violations and only 1,935 of 17,835 telephone identifiers on the alert list had been approved, which was quite an abuse of surveillance power that showed stunning indifference toward need to protect privacy.