When Is Congress Going to Rein In FBI Surveillance?
We've heard a lot about NSA spying thanks to Edward Snowden, but the Federal Bureau of Investigation is no stranger to unaccountable snooping.
The FBI's record-keeping practices are archaic (and obscure) to the point of absurdity.
According to James Comey, director of the Federal Bureau of Investigation, "Americans should be deeply skeptical of government power. You cannot trust people in power."
So it's been jarring to learn new details about his own agency's activity in recent months, many of which raise questions about whether the FBI is fulfilling its constitutional obligations. The most alarming of these revelations is that the Bureau is reading the emails of people--they don't know how many people--without court orders.
The FBI does this under what have been called "backdoor searches." When the feds collect content from people overseas who are suspected of terrorism or spying, they dump that into a database that the FBI can (and does) query when it gets tips. Director Comey said in response to a question after his speech at the Brookings Institution last month that this only happens "pursuant to an investigation." But that's not true--FBI personnel can access Americans' emails even before they start a formal investigation.
Senator Ron Wyden of Oregon has been warning obliquely about backdoor searches for years now. In June, he finally got the government to provide details about how frequently its agencies conduct them. While the numbers for the NSA were fairly limited (the CIA less so), Director of National Intelligence James Clapper's office told Wyden they couldn't come up with a figure for how often the FBI accesses such content.
"The FBI does not track how many queries it conducts using US person identifiers," Clapper's office revealed. Still, the FBI routinely conducts such queries "to locate relevant information that is already in its possession when it opens new national security investigations and assessments. Therefore, the FBI believes the number of queries is substantial."
In July, the Privacy and Civil Liberties Oversight Board (PCLOB), a government body mandated to provide privacy reviews of counterterrorism programs, released a report on Foreign Intelligence Surveillance Act (FISA) Section 702, the law authorizing the PRISM program that obtains intelligence from US internet providers. PCLOB's report revealed these searches are conducted "whenever the FBI opens a new national security investigation or assessment," as well as sometimes "in the course of criminal investigations and assessments that are unrelated to national security efforts." In a statement to VICE, the FBI confirmed that "agents and analysts may query those communications in an assessment."
What we still don't know is precisely how the FBI is using this database of content during assessments. The Bureau's Domestic Investigations and Operations Guide (DIOG)--the procedures guiding its agents as they conduct investigations within the US--lays out several potential applications. They can be used before opening a criminal or national security investigation for "prompt and extremely limited checking out of initial leads." They can be used to map out the ethnic and religious makeup of communities, just in case the FBI needs to find that community in a pinch--a practice sometimes called racial profiling. And they can be used to learn about people who might be persuaded to become informants.
When I asked the FBI specifically whether they conduct backdoor searches for assessments used to profile communities or find informants, a Bureau spokesman would only point me back to the DIOG. But a former FBI agent with knowledge of how the process worked confirmed the Bureau does, in fact, conduct backdoor searches to assess potential informants in order to make sure the informant actually has contact with the target in question.
The thing is, assessments are different from investigations because the FBI doesn't need any evidence of wrongdoing. While the Bureau can't use a person's speech, politics, or religion as the sole reason for assessments (that pesky Constitution), it can use those characteristics as one reason among several. In other words, the FBI may have nothing more than a called-in tip before searching to see if an American's communications, perhaps years old, are in this database. Agents and analysts who have undergone training to access this information can read it without a warrant (though PCLOB notes that those without training can easily get a colleague to query the data).
The Bureau says it has no way of knowing how many of these searches it is doing, but is clear that the number is quite high. After all, the FBI keeps content from both individual (FISA) collection of US in the same database as content from Section 702, which requires no more than a foreign intelligence purpose to target foreigners. In the statement to VICE, the Bureau said it does this to "allow the FBI to 'connect the dots' between the different types of collection." The Bureau doesn't track whether the queries it makes in that database are of US persons or foreigners. It simply doesn't keep the records needed to track how many backdoor searches it conducts.
Even worse: Congress won't make it start doing so.
In the USA Freedom Act, the Senate bill meant to reform the NSA's sprawling surveillance regime, the FBI--and only the FBI--is exempted from having to count its backdoor searches. The bill also exempts the FBI from counting how many US persons get swept up in its use of another authority, Section 215 of the Patriot Act, the statute currently used to collect some significant subset of all Americans' phone records. In addition to those phone records, FBI also uses Section 215 for other "tangible things," which it can collect in significant bulk. The FBI says it won't start counting the Section 215 records obtained because the records it collects (which include email metadata, hotel records, and sales transactions, in addition to phone records) "typically do not indicate the location of the sender or recipient at the time of communication or collection." So learning the location would "require the FBI to scrutinize certain communications or take additional investigative steps to determine the location of the communicants." Basically, FBI says tracking what it is doing would, by itself, be a privacy invasion.
But the FBI's exemption from this kind of record-keeping means the agency whose backdoor searches should be most closely monitored evades all scrutiny.
"The FBI is the only agency whose use of the Section 702 'backdoor' can actually hurt you," Mike German, a fellow in the Brennan Center for Justice's Liberty and National Security Program at NYU and a former undercover FBI agent, told me. "The FBI can put you in jail for something they find in this pool of data that has nothing to do with terrorism or espionage or any national security threat that justified the dragnet."
Then there are National Security Letters (NSLs). These are orders the FBI can write for itself to get phone or email records (as opposed to the content of the messages) or financial data for national security investigations; no judge ever reviews them unless a telecom provider challenges the order. In a recent report, the Department of Justice's Inspector General revealed a discrepancy in the FBI's count of its NSL use. The FBI had reported fewer National Security Letters to Congress than it had counted internally; it was missing around 6.8 percent of its 2009 NSLs in congressionally mandated reporting (or some 2,231 NSLs in addition to 30,442 documented requests).
On top of that discrepancy, the FBI persistently misses a small number of NSLs (the Bureau hides exactly how many) by bypassing an automated system introduced precisely to fix persistent problems with NSL reporting. While the number appears to be just a tiny percentage of the total, the IG Report questions whether FBI may have missed even more: "What remains unknown, however, is, whether the FBI inspectors identified all the manually generated NSLs issued by the FBI or whether a significant number remains unaccounted for and unreported."
These smaller discrepancies should raise concerns because manual NSLs address "sensitive" requests. When asked, the FBI could not explain if this usage of "sensitive" adopted the DIOG's definition--investigations involving politicians, journalists, or clergy--though it did explain that "the term 'sensitive' is often used to describe cases that require a close hold for operational reasons."
The FBI also refuses to track how it uses NSLs as the data moves through its system by tagging that data electronically. So it can't easily tell how much gets shared with local authorities or used in criminal prosecutions. "The Working Group is not convinced," a review group on this issue concluded in 2010, "that learning the frequency with which NSL-derived information ends up in analytical products or criminal investigations would help determine anything of value." The FBI even lacks the paper backup to track what it does with NSLs in about half its files.
The Bureau's failure to track its intelligence collections poses serious problems. First and most obvious is that it makes it very hard to conduct oversight. The DOJ's Inspector General had no way of ensuring his agency tracked all of the FBI's NSL usage. Regarding 702 backdoor searches, PCLOB judged "the manner in which the FBI is employing US person queries, while subject to genuine efforts at executive branch oversight, is difficult to evaluate." And, of course, under the USA Freedom Act, the FBI won't even be required to give Congress meaningful numbers reflecting the privacy impact of most of its intelligence collections. The FBI likes to say all this gets closely overseen, but it's hard to understand how that's possible if it can't provide numbers for what it's doing.
Just as important is the government's obligation to explain what evidence it uses to investigate defendants. For some of these tools, the feds must provide notice if they intend to use the evidence against defendants at trial; for others, they must do so if it might help prove their innocence. Yet only in the last year has DOJ started complying with an obligation to inform defendants if materials used against them were derived from Section 702 spying, and only after Solicitor General Don Verrilli got caught misleading the Supreme Court about that very question. Additionally, in spite of language in FISA orders since September 2009 permitting the use of the phone dragnet data for discovery purposes, the DOJ has only ever given one defendant notice that it used Section 215 against him. The feds even refused to provide notice to Boston Marathon bombing suspect Dzhokhar Tsarnaev, despite repeated boasts by government officials that they used the phone dragnet in the aftermath of that attack.
Records showing the FBI participates in the Hemisphere Project (another easy way for federal agencies to obtain phone records) heighten concerns about the Bureau explaining where leads come from. Program documents explicitly tell users to hide the program from defendants. "DO NOT mention Hemisphere in any official reports or court documents," a program slide instructs. If the FBI is hiding this investigative method, it's likely hiding others as well.
Hiding the source of a defendant's prosecution can strike at the core of due process guaranteed by the Constitution.
To challenge the FISA warrants or the use of informants, defendants may need to know whether the government had any real reason to suspect them to begin with. And for investigative authorities that have never (at least until recently) been legally challenged, defendants would need to know that--and in some cases, how--the authority was actually used.
To get around the secrecy regarding the techniques used against defendants, lawyers for several men accused of material support for terrorism, a charge that often hinges on what a person knew and what he meant by something he said, have started playing an obscene game of pin the tail on the donkey. In both the Reaz Qadir Khan case in Oregon and the case against Jamshid Muhtorov and Bakhtiyor Jumaev in Colorado, defense attorneys have submitted motions listing all the authorities their clients might have been exposed to. In the former case, attorney Amy Baggio went so far as to make a table showing as many as five authorities per piece of evidence leading to a search warrant that may have authorized the collection.
"Without knowing which evidence was derived from which authority and when, defense counsel in any case is completely unable to assess possible constitutional violations posed by the method of evidence collection," Baggio explained in an interview. "These are simple requests for information about how the government conducted itself so that we can assess whether its behavior violated our Constitution, and if so, make appropriate arguments to the Court."
While government officials have defended the NSA dragnet over the last year and a half, pointing to the approval of the secret FISA court, defendants have consistently been prevented from challenging them in an adversarial proceeding, largely because the government has not told them how they were found.
And remember: It's not just the due process rights of a handful of Muslim men. As Baggio points out, the FBI is sitting on huge databases of this information. "The due process problem arises... when the Executive relies on its foreign intelligence gathering power to collect millions--or billions--of pieces of personal information, much of which appears... to implicate the protected privacy interests of US citizens."
Which raises one more reason the FBI probably refuses to count all these national security tools. "The government's refusal to properly track and disclose its use of these surveillance tools allows it to mask their impact on Americans' privacy, short-circuiting any informed public debate about their wisdom," argues ACLU National Security Project Attorney Patrick Toomey. If the public knew "the number of backdoor searches the FBI performed in the course of ordinary criminal investigations, it could understand how these spying programs are actually being used--and Americans would be surprised."
In the meantime, we're left with the FBI's bizarre claim that keeping track of what its agents are doing with these billions of records would harm our privacy.
"It simply does not make sense for a reporting requirement designed to monitor privacy impact on US persons to result in further scrutiny or investigative activity that may not otherwise be pursued," the agency said in its statement. But the FBI seems to be asking Americans to go ahead and trust it, even as its director, Comey, warns us not to do just that.
Marcy Wheeler is an independent journalist who writes about national security and civil liberties. Follow her on Twitter.