As Lawfare readers are likely aware, last Thursday, the Office of the Director of National Intelligence released a trove of documents relating to FISA targeting and minimization procedures. The centerpiece of the release is a lengthy April 26, 2017 Foreign Intelligence Surveillance Court (FISC) memorandum order and opinion approving the new and amended targeting and minimization procedures. The other documents released all relate to that opinion. In this post, we walk through the order, summarizing the court’s findings on the new procedures and its legal conclusions. Throughout our summary, we will pause to highlight other related documents from Thursday’s release.
According to the FISC, when collecting information under FISA Section 702, the NSA collects from two sources: (1) Internet Service Providers (ISPs); and (2) the transit facilities of an Internet backbone carrier, such as AT&T. The former is known as “downstream” collection, while the latter is known as “upstream” collection. The court points out that upstream Internet collection comprises only about 9 percent of the NSA’s Internet collection, yet it presents the most legal challenges due to the presence of multiple communication transactions (MCTs). MCTs are communications that might take the form of multiple e-mail or other Internet messages—such as an email inbox—that are transmitted together as one bundled package.
One particular scenario poses specific legal challenges: In upstream surveillance, domestic email messages sent by U.S. persons may be collected because the “tasked selector” (an email or phone number of foreign intelligence value) was merely mentioned in an email or other electronic communication. This is known as “about” collection, because the target is neither the sender or recipient of the communication, but instead was mentioned within the communication itself. Due to the frequency with which U.S. communications are collected this way, a “complicated set of minimization rules was adopted for handling different types of MCTs,” to mitigate the legal concerns.
However, in 2011, FISC found these minimization procedures to be deficient, prompting the government to include a “sequestration regime for more problematic categories of MCTs,” and limit retention of U.S. person information to a two-year period. Most importantly, NSA analysts were prohibited from using “known U.S.-person identifiers” to search through upstream collection results. Largely based on the above changes, the FISC approved the procedures.
On September 26, 2016, the NSA submitted its certifications for the reauthorization of its targeting and minimization procedures under FISA Section 702, and the FISC began a 30-day review. However, on October 24, 2016, the government informed the FISC that there was “significant noncompliance” with those procedures as submitted.
According to an NSA Inspector General report from an inquiry into use of known U.S.-person identifiers associated with targets under Sections 704 (§ 1881(c)) and 705 (§ 1881d(b)) of FISA, NSA analysts had been using U.S. person identifiers to query upstream collection in direct contravention of the minimization procedures. The problem was “widespread at all periods of review.” The number of offending analysts, improper queries, and U.S.-person identifiers used have all been redacted from the memorandum by the court.
During an October 26, 2016 hearing, the court reprimanded the government for an institutional “lack of candor,” emphasizing that the behavior presented a “serious Fourth Amendment issue.” However, the court extended its review until January 31, 2017 to allow the government more time to bring itself into compliance with the revised targeting and minimization procedures. The government provided updates on the 3rd and 27th of January, 2017, on its continuing efforts to deal with the “complexity of the issues involved.”
In the first of these updates, the government told the FISC that “human error was the primary factor in these incidents,” but also explained that system designs were to blame as well. On January 27, according to the court, the government provided “further information on the technical and training measures NSA was taking,” but acknowledged that it still did not understand the full scope of the problem. The FISC granted an extension until April 28 to allow the government to respond to the court’s questions, again registering its concern about the extent of non-compliance with “important safeguards for interests protected by the Fourth Amendment.”
The 2017 Amendments
By March 30, 2017, the government had submitted revised targeting and minimization procedures for the NSA and FBI, and minimization procedures for the CIA and the National Counterterrorism Center (NCTC). Notably, these procedures would significantly limit certain kinds of NSA upstream surveillance. According to Homeland Security Adviser Thomas Bossert, Trump’s newly-appointed national security team decided to “bless” the NSA proposals—which had been the most controversial—reasoning that it was necessary to “[strike] a balance to protect the country without getting into Americans’ privacy.”
The court focused primarily on two areas of the 2017 amendments: the NSA targeting and minimization procedures, and the NCTC minimization procedures (which were technically submitted back in September 2016).
- NSA Targeting and Minimization Procedures
The court welcomed the revised NSA’s targeting procedures, which, it noted, abandoned so-called “‘abouts’ collection.” (As mentioned above, “‘abouts’ collection” [sic] was of particular concern since it meant that “upstream Internet collection was ‘more likely than other forms of Section 702 collection to contain information of or concerning United States persons with no foreign intelligence value.’”) But the amended targeting procedures avoid these concerns by restricting acquisitions “to communications to or from persons targeted in accordance with [the] procedures.”
Additionally, the revised minimization procedures require “that Internet transactions acquired after March 17, 2017, that are not to or from a person targeted” be destroyed, and that their acquisition be reported to the court “as an incident of non-compliance.” Moreover, the new minimization procedures take what the court calls an “‘all-or-nothing’ approach” to MCTs: Should the NSA determine that any discrete communication within an MCT is from a domestic sender to solely domestic recipients, the NSA will destroy the entire MCT, unless the Director of the NSA “makes the required waiver determination for each and every domestic communication contained in the MCT.”
However, the amended minimization procedures would allow analysts to query upstream data for U.S. person identifiers, subject to the standard 702 query requirements/determinations, and with records of such determinations. Because the data against which such queries could be run is now more limited, the court was “satisfied that queries using U.S.-person identifiers may now be permitted.” The court concluded that, based on the totality of the circumstances, the NSA targeting procedures meet the requirements of § 1881a(d)(1).
- NCTC “Raw Take” Sharing
On September 26, 2016, the government proposed that, “for the first time,” the NCTC be allowed to access certain “unminimized information acquired by NSA and FBI.” The court approved this access, noting that the information NCTC will receive is “subject to the same limitations as the CIA (no upstream Internet collection and no telephony)." Historically, NCTC’s access had been limited to minimized Section 702 information residing in FBI’s “general indices and relating to certain categories of investigations concerning international terrorism.”
But the court noted that it had “recognized NCTC’s role as the government’s primary organization for analyzing and integrating all intelligence pertaining to international terrorism and counterterrorism,” each time it had previously authorized sharing FISA-acquired information with NCTC. And the rationales that had justified those authorizations “appl[y] with equal force” here. Specifically, the court concluded that—given the volume of information at issue and the time pressure inherent in terrorism investigations—“access to raw Section 702-acquired information will enhance NCTC's ability to perform its distinct mission.”
The court, while acknowledging that “incidental” collection (acquiring U.S. person information while targeting non-U.S. persons) will continue under Section 702, stated that the NCTC procedures must carefully regulate the organization’s use and dissemination of that information. The court then found the scope of the proposed sharing to be “appropriate.” The court explained the sharing will be limited to downstream collection based on the new NCTC minimization procedures.
After highlighting that the FBI’s targeting procedures, as well as the FBI and the NSA’s minimization procedures, were amended to accommodate this sharing, the court examined the NCTC minimization procedures.
The court first explained that the NCTC procedures are an amalgam of previous procedures under Titles I and III and Sections 704 and 705(b) of FISA. Apparently, the procedures do not have a provision restricting the NCTC’s “processing, retention, and dissemination of third-party information.”
In approving the omission of these provisions, the court relied on a 2012 decision that approved a similar FBI practice, explaining that there are no “third party” communications to minimize in Section 702 collection, and therefore the lack of a third-party information provision “presents no impediment” to approval.
Moving on to U.S.-person presumptions, the court engaged in a heavily redacted discussion of how the procedures diverge from their counterparts in handling information when an individual's location is unknown. Reasoning that since Section 702 focuses exclusively on electronic data and communications from service providers it must be fair to conclude that the targets are non-U.S. persons overseas, the court noted that “[t]he presumption of non-U.S. person status” when the location of an individual is unknown is similar to FBI and NSA procedures. Therefore, the court found that the NCTC practice is reasonable.
Next, the court spelled out the NCTC’s retention policy under the procedures: Information on an “electronic and data storage system” must be destroyed 5 years after the certification expiration date. Information under review that has not been identified for foreign intelligence or prosecutorial purposes must be destroyed 15 years after the certification expiration date. The court highlighted that these time limits apply to metadata repositories, and require appropriate training and access controls. Destruction of information acquired under mistaken beliefs about its Section 702 value must be destroyed subject to a waiver according to the court. All these measures, the court pointed out, are similar to FBI and NSA procedures.
After mentioning that the NCTC procedures require written justifications for queries of U.S. person identifiers to the ODNI and the Justice Department, and the destruction of attorney-client communications not containing Section 702-relevant information (which FISC says “serve[s] to enhance the protection of privileged information”), the court noted that the NCTC procedures “track in all material respects” NCTC Title I Procedures, which satisfy § 1801(h).
Also, the court found the government’s distinction between NCTC “employees” and NCTC “personnel” sensible in regards to information obtained through the FBI’s general indices. “Personnel”, generally speaking, is defined as including detailees, contractors, and assignees from other agencies, along with employees.
Lastly, FISC examined two provisions which “merit separate discussion”: retention of evidence of crimes, and collection avoidance.
Previously, the NCTC, as a non-law-enforcement agency, was precluded from retaining, using, or disseminating evidence of crimes. But the new procedures undo this restriction. The government argued that this is necessary for the NCTC to meet its “crime reporting obligations” under EO 12333, drawing a key distinction: The NCTC, when it receives information that has already been reviewed by the FBI, would not need to retain that information, whereas when the NCTC receives raw information that has not been reviewed another agency, it should be able to retain the evidence of a crime for law enforcement purposes. The court found that NCTC may retain information only in furtherance of law enforcement purposes and only so long as it is reasonably necessary to law enforcement requests.
The court also approved a provision that allows the FBI and NSA to share information about domestic communications obtained under Section 702 with NCTC for "collection avoidance" purposes. While initially confused by this seemingly “counterintuitive” request (the NCTC does not independently collect information), the court was ultimately persuaded by the government's “plausible explanation” that the NCTC is in a unique position to “connect the dots” and identify other potential targets not covered by Section 702.
The court ultimately concluded that the NCTC minimization procedures are “reasonable.” And the court, as with the NCTC procedures, highlighted two changes to the FBI minimization procedures, one (largely redacted) amendment to FBI targeting procedures, and one revision in minimization procedures across agencies.
Analysis & Conclusions
- Fourth Amendment
The court found that the targeting and minimization procedures relating to the 2016 certifications and 2017 amendments, as well as the targeting and minimization procedures for Section 702 certifications, comply with FISA's statutory requirements and are consistent with the Fourth Amendment.
After the review of modifications to NSA and FBI targeting procedures described above, the court “ha[d] no difficulty finding” that the new procedures satisfy § 1881a(d)(1)’s requirements that targeting procedures be reasonably designed to limit targeting to persons believed to be located outside the United States and to prevent intentional collection of intra-national communications in the United States. (§1881a codifies FISA Section 702.) The court likewise found that all of the agencies’ minimization procedures meet the statutory definition in § 1801(h), noting that the government had acted on recommendations from the court contained in a November 2015 order approving certifications. (Bob Loeb and Helen provided a comprehensive look at that 2015 FISC order here.)
Next, the court analyzed whether the procedures are consistent with the Fourth Amendment, as required by § 1881a(i)(3)(A). Citing In re Directives Pursuant to Section 105B of FISA and In re Certified Question of Law, the court noted that greater intrusions are tolerated under the Fourth Amendment where the government’s interest is of particular importance. The interest in investigating national security threats is “particularly intense,” but the court must still balance this interest against the governmental intrusion on individual privacy.
Having already found that the new procedures were reasonably designed to avoid targeting U.S. persons (who are protected by the Fourth Amendment), the court turned its focus to communications acquired when a non-U.S. target communicates with a U.S. person or someone in the United States. The court explained that restrictions on use and disclosure of these types of U.S. person communications—minimization procedures—can reduce intrusiveness for Fourth Amendment purposes.
In a 2015 opinion, FISC held that the minimization procedures in place at NSA, FBI, and CIA were sufficient to satisfy constitutional requirements. The revised NSA procedures for upstream collection match those in place for other types of Section 702 collection; therefore, in adopting the 2015 opinion’s analysis, the court determined that these procedures, like the others, are reasonable under the Fourth Amendment.
Having dispatched with its analysis of the new NSA procedures and compliance concerns, the court briefly revisited its 2015 approval of the FBI procedures. In determining their constitutionality, FISC relied on the government’s assurance that FBI queries of Section 702 information for evidence of non-foreign intelligence related crime “rarely, if ever,” produces responsive results. To confirm this, FISC required the government to report on any Section 702 information concerning a U.S. person that the FBI reviews as a result of such a query. On one occasion, the FBI reviewed an email collected under Section 702 from a person in the United States describing incidents of child abuse and ran queries based on the email, but no additional responsive communications were found. The court concluded that this one incident did not undermine its 2015 analysis, but asked the FBI to continue reporting these instances.
- Improper Implementation of NSA Targeting and Minimization Procedures
Moving forward, the court noted that it must examine not only whether the targeting and minimization procedures comply with statutory and constitutional law, but also how the program as a whole has and will be implemented. After acknowledging the complexity of the Section 702 program, the court stated that believed it was “beneficial” to engage in a heavily-redacted discussion of compliance issues that have arisen to ensure the procedures were legally sound.
The court began with issues raised in the 2015 opinion, discussing (1) the failure of access controls on the FBI database containing raw Section 702 information that resulted in violations of FBI minimization procedures; and (2) NSA’s failure to complete its purge process for FISA-acquired information in its mission management system (due alternatively to human error or technical malfunctions that pivoted in and out of compliance).
Next, the court turned to issues arising from NSA’s targeting procedures, explaining that “a reasonable assessment that the user of the selector is a non-U.S. person located outside the United States,” must be made both pre-tasking (that is, before sending a search request) and post-tasking, and that compliance issues have happened in both stages. After a heavily-redacted explanation of the scope of pre-tasking review and a “new tool” for analysts to use in those checks (which the court notes should not be seen as a “panacea”), the court delved into post-tasking review as bearing “significantly on how [NSA’s targeting] procedures are implemented.”
The court explained that post-tasking review happens according to “analytic and intelligence requirements and priorities,” rather than at fixed intervals. NSA policy (which is generally followed by the FBI and CIA) requires a review to take place no later than a certain number of days after the tasking and at certain intervals. (Details on the number of days and length of intervals have been redacted.) Yet even as analysts are trained on this policy, the government does not “comprehensively monitor or verify whether analysts in fact conduct content reviews,” consistent with the policy, and therefore deviations can go undetected for quite some time, according to the court. To allay the court’s concerns, the government has taken to including the instances of noncompliance in its quarterly compliance reports to FISC. As of March 17, 2017, there was a 79 percent compliance rate for one type of (redacted) reviews, and a 99 percent compliance rate for another type of (redacted) reviews.
The court then turned again to address issues arising from the NSA’s minimization procedures regarding upstream collection. The court chronicles how a (redacted) error affected the upstream collection, causing two compliance problems with the minimization procedures: first, it resulted in unauthorized acquisition of Internet communications from facilities “only partially match[ing]” Section 702 selectors (which the NSA took positive steps to mitigate); and secondly, it resulted in technical failures to the “segregation” of MCTs likely involving “communicants” in the United States that “may have been” wrongfully labeled as ones with the active user outside the United States. While the court did not find the government’s answers or response to the issue “entirely satisfactory,” it pointed out that the question was moot because the new procedures address this issue.
Last, the court addressed improper querying of Section 702 data using U.S. person identifiers. Using a certain tool, analysts had inadvertently violated internal NSA procedures requiring a statement of facts before using an identifer about how likely it was that the identifier would yield foreign intelligence information, with 85 percent of the queries investigated being non-compliant. The NSA, according to the court, has “taken steps to educate analysts” on the proper use of this tool, and that they appear to have been effective. The court concluded therefore that, despite the above noncompliance issues, the NSA procedures are statutorily and constitutionally sound.
- Improper Implementation of FBI Minimization Procedures
The court next examined three violations of the FBI’s minimization procedures: improper disclosure of raw information, potential over-retention of Section 702 information, and failure to establish review teams for attorney-client communications.
First, the court discussed two instances of improper disclosure of raw information. In the first, the FBI was working with another federal agency “largely staffed by private contractors.” Although the minimization procedures allow the FBI to share raw information, they must abide by certain restrictions. In this instance, the contractors’ “access was not limited to raw information for which the FBI sought assistance and access continued even after they had completed work in response to an FBI request.”
In a separate instance, the FBI gave raw Section 702–acquired information to a private entity that was not a federal agency and whose personnel were not sufficiently supervised by a federal agency for compliance minimization procedures. Much of this section is redacted, so the full picture is somewhat opaque, but at a minimum, the court found sufficient problems to order the government to provide additional information about the second instance of improper disclosure.
Ultimately, however, the court concluded that these violations do not preclude a finding that the FBI minimization procedures themselves meet the statutory requirements and are consistent with the Fourth Amendment: the first instance has been remedied, while the second pertains to a certain (redacted) number of tasked selectors.
Next, the court addressed possible over-retention as a result of a particular practice, the description of which is largely redacted from the court’s opinion. It appears this issue was previously identified, the government agreed to address it in a subsequent filing, and has yet to provide additional information. The court directed the government to provide that information.
The final FBI minimization issue discussed was the establishment of review teams for attorney-client privileged information. The minimization procedures require that the FBI “establish a separate review team whose members have no role in the prosecution of the charged criminal matter” in order to identify privileged attorney-client communications, which are they sequestered with the FISC. Repeated failures to establish these review teams has been a persistent problem. The court noted that the violations appear to be caused by individual case agents’ lack of awareness of the requirement and by “lack of coordination among FBI field offices.” There have likewise been issues of under-inclusiveness of identification of such privileged material.
Although the court urged “that the review team requirement . . . continue to be a point of emphasis in the government’s training and oversight efforts,” the violations are not reason to find the minimization procedures themselves deficient. Because the government has taken appropriate measures to remedy the problem and because the “lapses to date appear to have resulted in few, if any, privileged communications” inappropriately being review by law enforcement apart from the review teams, the violations do not undermine the conclusion that the FBI minimization procedures are statutorily and constitutionally sufficient.
- Improper Implementation of CIA Minimization Procedures
Finally, the court looked at the impact of the problem of incomplete purges on the sufficiency of CIA’s minimization procedures. Because of a software script issue, the CIA’s system had failed to identify all communications subject to routine purges under the minimization procedures. Another script problem was doing the same with metadata. CIA has now corrected those scripts and largely completed the required purges, and is examining another type of purging error. The court noted that CIA’s steps to remedy the problems appear to be reasonable, but “encourages the government to take proactive measures to verify that the automated processes upon which it relies to implement minimization requirements are functioning as intended.”
The court therefore concluded that all of the targeting and minimization procedures are statutorily and constitutionally sound and approves the amended certificates, but orders the following in lightly redacted form:
(1) The NSA may not share its upstream 702 collection with the other agencies absent revised minimization procedures;
(2) The NCTC may retain “raw” 702 information only where it is determined to be evidence of a crime and “only as long as reasonably necessary to serve a law enforcement purpose”;
(3) The government must report annually on information that would otherwise be destroyed, but must be preserved for litigation purposes and provide specific docket numbers;
(4) The government must promptly report § 1 of the minimization procedures allowing retention, processing, or dissemination pursuant to specific congressional mandate;
(5) The government must promptly report in writing any deviation from its minimization procedures by an agency when asked by an entity not expressly referenced in that agency’s procedures, describing the circumstances of the deviation and the specific oversight activity;
(6) The government must submit, no later than June 16, 2017, a written report:
- Describing when raw FISA information is retained in (redacted) circumstances;
- Assessing whether that retention squares with the minimization requirements; and
- The extent to which noncompliance is found, and remedial steps to correct such actions.
(7) Also no later than June 16, 2017, the government must submit one or more written reports on:
- The results of the government investigation into the FBI’s dissemination practices to non-FBI personnel;
- A description of the installation of a (redacted) object on an FBI system; and
- [More redactions]
(8) The government shall submit written updates of the “sequester-and-destroy” process dealing with information acquired on or before March 17, 2017 every 90 days;
(9) If the government does not apply the “sequester-and-destroy” process to the information described in point (8), it must describe when that will occur no later than July 2, 2017;
(10) The government must “promptly” submit in writing each instance when FBI personnel receive and review Section 702 information concerning a U.S. person when it is not for foreign intelligence purposes, including a detailed description of the information at issue, how it will be used, and the query terms.