Glenn A. Fine
Inspector General, U.S. Department of Justice
House Committee on the Judiciary Subcommittee on the Constitution, Civil Rights, and Civil Liberties
“The FBI's Use of National Security Letters and Section 215 Orders for Business Records”
April 15, 2008
* * * * *
Mr. Chairman, Ranking Member Franks, and Subcommittee Members:
Thank you for inviting me to testify about the Office of the Inspector General’s (OIG) recent reports on the Federal Bureau of Investigation’s (FBI) use of national security letters (NSL) and Section 215 orders to obtain business records.
The Patriot Reauthorization Act of 2005 (Reauthorization Act) directed the OIG to review the FBI’s use of NSLs and Section 215 orders in two separate time periods. The OIG’s first reports, issued in March 2007, examined the FBI’s use of NSLs from 2003 through 2005, and its use of 215 orders from 2002 through 2005.
As required by the Reauthorization Act, last month the OIG issued two follow-up reports that examined the use of these authorities in 2006. In addition, our follow-up report on national security letters examined the measures taken or proposed by the FBI and the Department of Justice (Department) to address the serious misuse of national security letters that our first NSL report detailed.
In this written statement, I summarize the findings of the two reports that we issued last month. I first discuss the findings regarding the FBI’s and the Department’s corrective actions to address the serious deficiencies we described in last year’s NSL report. I then summarize the findings regarding the FBI’s use of NSLs in 2006. Finally, I summarize our report on the FBI’s use of Section 215 orders in 2006.
NATIONAL SECURITY LETTERS
Corrective Actions Implemented or Proposed Since our March 2007 NSL Report
To conduct the follow-up review on the FBI’s use of NSLs that we issued last month, the OIG interviewed FBI personnel at Headquarters and in FBI field offices, and Department personnel in the National Security Division and the Office of the Chief Privacy and Civil Liberties Officer. We analyzed more than 18,000 documents, including NSL-related guidance and training materials developed by the FBI since our first NSL report. OIG personnel also observed the FBI’s new data system designed to manage and track NSLs, and they visited three FBI field offices to assess the accuracy of the FBI’s review of NSLs issued by those offices. In particular, the OIG re-examined case files that had been reviewed by FBI inspectors and compared our findings to the FBI’s findings. We also analyzed data in the FBI’s NSL tracking database and examined the Department’s annual public reports and the Department’s semiannual classified reports to Congress to evaluate NSL requests in 2006 and trends in NSL usage. The following sections summarize the findings in our follow-up report based on this work.
Our review concluded that the FBI and the Department have made significant progress in implementing the recommendations contained in our first NSL report and in adopting other corrective actions to address the serious problems we identified in the FBI’s use of NSLs. We also found that the FBI has devoted substantial time, energy, and resources toward ensuring that its field managers and agents understand the seriousness of the FBI’s shortcomings in its use of NSLs and their responsibility for correcting these deficiencies.
Our interviews of senior FBI officials found that the FBI’s leadership is committed to correcting the serious deficiencies in the FBI’s use of NSLs identified in our first report. In addition, the FBI’s leadership has attempted to reinforce throughout the FBI the necessity for adhering to the rules governing the use of NSL authorities.
We determined that the FBI has taken a variety of actions to address the deficiencies in its use and oversight of NSLs since issuance of our March 2007 report. The actions include:
Developing a new NSL data system to facilitate issuance and tracking of NSLs and improve the accuracy of data on NSL usage in required congressional and public reports;
Issuing numerous NSL policies and guidance memoranda and providing mandatory training to FBI employees on the proper use of NSLs; and
Prohibiting the use of exigent letters.
The FBI has also created a new Office of Integrity and Compliance (OIC), modeled after private sector compliance programs, to seek to ensure that national security investigations and other FBI activities are conducted in a manner consistent with appropriate laws, guidelines, regulations, and policies. We believe this office can perform a valuable function by providing a process for identifying compliance requirements and risks, assessing existing FBI control mechanisms, and developing and implementing better controls to ensure proper use of NSLs. However, we recommend that the FBI consider providing the OIC with a larger permanent staffing level so that the OIC can develop the skills, knowledge, and independence to lead or directly carry out the critical elements of this new compliance program.
Our report also noted that the Department’s National Security Division has implemented additional measures to promote better compliance with NSL authorities and to address other issues raised by our first report. For example, in 2007 the National Security Division began reviews to examine whether the FBI is using various intelligence techniques – including NSLs – in accordance with applicable laws, guidelines, and policies.
Yet, while the FBI and the Department have taken positive steps to address the issues that contributed to the serious misuse of NSL authorities we described in our March 2007 report, we concluded that additional work remains to be done. For example, in response to the recommendations in our 2007 NSL report, the Department’s Office of the Chief Privacy and Civil Liberties Officer convened a working group to examine how NSL-derived information is used and retained by the FBI, with special emphasis on the protection of privacy interests. Our assessment of the working group’s initial proposal that was completed in August 2007 but subsequently withdrawn is that the proposal did not adequately address measures to label or tag NSL-derived information or to minimize the retention and dissemination of such information. In our recent report, we recommended that the working group consider further whether and how to provide additional privacy safeguards and measures for minimizing the retention of NSL-derived information.
In addition, our report notes that the FBI still needs to address or fully implement several of the key recommendations in our March 2007 report. For example, we recommended that the FBI address our concern about the reporting chain of Chief Division Counsels (CDCs), the chief lawyers in each FBI field office. Based on our concerns that some CDCs were reluctant to provide an independent legal review of NSLs for fear of second-guessing or antagonizing the Special Agents in Charge to whom they report, our recommendation was designed to ensure that CDCs provide close and independent review of NSL requests. While we recognize that the reporting chain of CDCs is an issue that affects many aspects of the CDCs’ role and not just their approval of NSLs, we believe the FBI should address and resolve this important issue in a timely manner.
Our report also analyzed three NSL reviews conducted by the FBI following release of our first NSL report in March 2007. One of the FBI reviews examined the use of NSLs in a random sample of 10 percent of counterterrorism, counterintelligence, and foreign computer intrusion cyber investigation case files active in FBI field offices between 2003 and 2006. The FBI’s 10 percent review confirmed the types of deficiencies and possible intelligence violations in the FBI’s use of NSLs that we identified in our first report. In fact, the FBI’s statistically valid sample of field case files found a rate of NSL violations (9.43 percent) higher than what we found (7.5 percent) in the non-statistical sample of NSLs we examined in our first report.
Moreover, when we independently examined the FBI’s 10-percent field review in detail, we determined that it did not identify all NSL-related possible intelligence violations and therefore does not provide a fully reliable baseline from which to measure future FBI compliance with NSL authorities. In addition, because the FBI was unable to locate information provided in response to a significant number of NSLs chosen for review in its sample, the results of the FBI field review likely understated the rate of possible intelligence violations.
The FBI’s reviews also confirmed two of the most significant findings in our first NSL report. First, the reviews confirmed that the FBI’s use of NSLs resulted in many intelligence violations. For example, the FBI’s 10 percent review of field office NSLs found at least 640 potential intelligence violations from 2003 through 2006. Extrapolating the results of the FBI’s 10 percent statistical sample to the full number of NSLs means that the total number of possible intelligence violations among all NSLs issued over the 4-year period could be as high as 6,400.
Second, the FBI’s reviews confirmed that the FBI’s internal policies requiring reports to FBI Headquarters of possible NSL-related intelligence violations had not been effective. For example, less than 2 percent of the possible intelligence violations identified by FBI inspectors in the 2007 field review previously had been reported to FBI Headquarters as required.
In short, our review of the FBI’s corrective actions concluded that the FBI and the Department have evidenced a commitment to correcting the serious problems we found in our first NSL report and have made significant progress in addressing the need to improve compliance in the FBI’s use of the NSLs. However, because only 1 year has passed since our first NSL report in March 2007, and because some measures are not fully implemented or tested, we believe it is too early to definitively state whether the new systems and controls developed by the FBI and the Department will eliminate fully the problems with NSLs that we identified. We believe the FBI must implement all of our recommendations in our first NSL report, demonstrate sustained commitment to the steps it has taken and committed to take to improve compliance, implement the additional recommendations described in our follow-up report, consider additional measures to enhance privacy protections for NSL-derived information, and remain vigilant in holding FBI personnel accountable for properly using and approving NSLs and for handling responsive records appropriately.
Use of National Security Letters in 2006
As required by the Patriot Reauthorization Act, we also reviewed the FBI’s use of NSLs in 2006. As discussed in our report, under five statutory provisions the FBI can use NSLs to obtain records such as toll billing records and subscriber information from communication service providers, transactional records from Internet service providers, bank records from financial institutions, and full or limited consumer credit information from credit reporting agencies. The Patriot Act broadened the FBI’s authority to use NSLs by lowering the threshold standard for issuing NSLs, allowing FBI field office Special Agents in Charge to sign NSLs, and permitting the FBI to use NSLs to obtain full credit reports in international terrorism investigations.
First, it is important to note that the FBI’s use of NSLs in 2006 occurred before we issued our first NSL report in March 2007, which identified the serious deficiencies in the FBI’s use of and oversight of NSLs, and before the FBI began to implement its corrective actions. Therefore, not surprisingly, our follow-up report on the use of NSLs in 2006 contains findings similar to our March 2007 report regarding deficiencies in the FBI’s use of NSLs.
Our review of the FBI’s use of NSLs in 2006 found a continued upward trend in the use of NSLs, with 49,425 NSL requests issued in 2006, a 4.7 percent increase from the previous year. For the 4-year period 2003 – 2006, the FBI issued more than 192,000 NSL requests.
National Security Letter Requests (2003 through 2006)
FBI data showed that, on average, approximately one-third of all FBI counterterrorism, counterintelligence, and cyber investigations that were open at any time during 2006 used NSLs. Our review also found that the percentage of NSL requests that related to investigations of U.S. persons (as opposed to non-U.S. persons) continued to increase, rising from about 39 percent of all NSL requests in 2003 to approximately 60 percent of all NSL requests in 2006.
Similar to findings in our first report on the effectiveness of NSLs, our follow-up report found that FBI personnel continued to believe that NSLs were indispensable tools in national security investigations in 2006. They reported that NSLs were used to identify the financial dealing of investigative subjects, confirm the identity of subjects, support the use of enhanced intelligence techniques, and establish predication for the initiation of preliminary and full counterterrorism and counterintelligence investigations.
As required by the Reauthorization Act, our review also examined whether NSLs issued after the effective date of the Reauthorization Act contained the required certifications to impose non-disclosure and confidentially requirements on NSL recipients. In the random sample of NSLs we reviewed, we found that 97 percent of the NSLs imposed non-disclosure and confidentiality requirements, and almost all contained the required certifications. We found that a small percentage of the justifications for imposing this requirement were perfunctory and conclusory, and a small number of the NSL approval memoranda failed to comply with internal FBI policy.
We also determined that 17 NSL approval memoranda (5 percent of the random sample) contained insufficient explanations to justify imposition of these obligations. We also identified eight NSLs in our sample that contained recitals about non-disclosure that were inconsistent with the corresponding approval memoranda, signifying that case agents, their supervisors, and Chief Division Counsels were not careful in reviewing and approving these documents to ensure consistency. In addition to these non-compliant NSLs that were part of the random sample, we identified eight “blanket” NSLs issued by senior Counterterrorism Division officials in 2006 that did not contain the required certifications.
With regard to intelligence violations arising from the use of NSLs in 2006, our report’s findings were consistent with the findings in our first report on NSL usage from 2003 through 2006 and with the results of the FBI’s 10 percent review of field office NSLs, which identified at least 640 potential intelligence violations over the 4-year period.
In addition, in our review we determined that FBI personnel self-reported 84 possible intelligence violations involving the use of NSLs in 2006 to FBI Headquarters. Of these 84 possible violations, the FBI concluded that 34 needed to be reported to the President’s Intelligence Oversight Board (IOB) in 2006. The 34 matters reported to the IOB included errors such as issuing NSLs without proper authorization, improper requests, and unauthorized collection of telephone or Internet e-mail records. We found that 20 of these violations were attributable to mistakes made by the FBI, while 14 resulted initially from mistakes by recipients of NSLs.
We found that of the 84 possible intelligence violations identified and reported to the FBI Office of the General Counsel in 2006, the FBI received information it was not entitled to receive in 14 matters. In one of the matters the FBI requested information it was not entitled to under the applicable NSL statute. In the other 13 matters, the FBI made proper requests but, due initially to third party errors, obtained information it was not entitled to receive under the pertinent NSL statutes.
We noted that the number of possible NSL-related intelligence violations identified by FBI personnel in 2006 was significantly higher than the number of reported violations in prior years. From 2003 through 2005, the FBI had self-identified only 26 possible intelligence violations, of which 19 were reported to the IOB. We believe that the increase in 2006 may be explained in large part by the attention that our first NSL review, which was ongoing in 2006, focused on these issues and also to increased training, guidance, and oversight by the FBI.
Our follow-up report also noted that a large number of possible intelligence violations were initially attributable to mistakes made by NSL recipients. However, we believe the FBI may have compounded these errors by not recognizing the overproductions and using or uploading the inappropriately obtained information. The FBI Office of the General Counsel is in the process of determining whether the FBI will report these matters to the IOB.
It is important to note that the most serious violations involving the use of NSL authorities in 2006 related to the FBI’s use of exigent letters. Our first NSL report generally described this practice by which the FBI improperly obtained telephone toll billing records from three communication service providers pursuant to more than 700 exigent letters without first issuing NSLs. We found that these exigent letters contained inaccurate statements, circumvented the requirements of the Electronic Communications Privacy Act NSL statute, and violated Attorney General Guidelines and internal FBI policy. The OIG is in the process of completing a separate investigation examining the use of exigent letters, as well as the use of “blanket NSLs” and other improper requests for telephone records. Among other things, our upcoming report will assess the accountability of FBI personnel for these practices.
Our NSL report also contains 17 additional recommendations to help improve the FBI’s use and oversight of this important intelligence tool. These include recommendations that the FBI provide additional guidance and training for FBI agents on the proper use of NSLs and on the review, filing, and retention of NSL-derived information; reinforce the need for FBI agents and supervisors to determine whether there is adequate justification for imposing non-disclosure and confidentiality requirements on NSL recipients; regularly monitor the preparation and handling of NSLs; and provide timely reports of possible intelligence violations to FBI Headquarters. We also recommended that the Department’s working group consider further measures for minimizing the retention of NSL-derived information. In its response to our report, the FBI agreed with all of these recommendations and stated that it would implement additional actions to address our findings.
SECTION 215 ORDERS
As also required by the Patriot Reauthorization Act, in a second follow-up report issued along with the NSL report the OIG examined the FBI’s use of Section 215 orders to obtain business records in 2006. Section 215 of the Patriot Act allows the FBI to seek an order from the FISA Court to obtain “any tangible thing,” including books, records, and other items, from any business, organization, or entity, provided the item or items are for an authorized investigation to protect against international terrorism or clandestine intelligence activities. Examples of the types of business records that can be obtained through Section 215 orders include driver’s license records, public accommodations records, apartment records, and credit card records.
The OIG’s first Section 215 report in March 2007 examined the FBI’s use of this authority in calendars years 2002 through 2005. Our recent follow-up report examined the FBI’s use of Section 215 authorities in 2006 and, as required by the Patriot Reauthorization Act, also assessed the minimization procedures for business records that the Attorney General was required to adopt in 2006.
Our follow-up review found that, similar to the findings in our first report, the FBI and the Department’s Office of Intelligence Policy and Review (OIPR) processed FBI requests submitted to the FISA Court for two different kinds of applications for Section 215 orders in 2006: “pure” Section 215 applications and “combination” Section 215 applications. A “pure” Section 215 application is a term used to refer to a Section 215 application for any tangible item, and it is not associated with any other FISA authority. A “combination” Section 215 application is a term used to refer to a Section 215 request that is added to a FISA application for pen register/trap and trace orders, which identify incoming and outgoing telephone numbers called on a particular line.
In 2006, the FBI and OIPR processed 15 pure Section 215 applications and 32 combination Section 215 applications that were formally submitted to the FISA Court. All 47 applications were approved by the FISA Court. Six additional Section 215 applications were withdrawn by the FBI before they were formally submitted to the FISA Court.
The OIG’s follow-up report found that FBI agents encountered similar processing delays for Section 215 applications as those identified in our previous report. Overall, the average processing time for Section 215 orders in 2006 was 147 days, which was similar to the processing time in 2005. However, the FBI and OIPR were able to expedite certain Section 215 requests in 2006, and when the FBI identified two emergency requests the FBI and OIPR processed both requests quickly.
Our follow-up report did not identify any illegal use of Section 215 orders in 2006. However, we identified two instances in 2006 when the FBI received more information than it had requested in the Section 215 orders. In one of the cases, approximately 2 months passed before the FBI recognized it was receiving additional information that was beyond the scope of the FISA Court order. The FBI reported this incident to the IOB, and the additional information was sequestered with the FISA Court.
In the other case, the FBI quickly determined that it had inadvertently received information not authorized by the Section 215 order and isolated the records. However, the FBI subsequently concluded that the matter was not reportable to the IOB and that the FBI should be able to use the material as if it were “voluntarily produced” because the information was not statutorily protected. We disagreed with the FBI’s conclusion, and our report recommended that the FBI develop procedures for identifying and handling information that is produced in response to, but outside the scope of, a Section 215 order.
The Reauthorization Act also directed the OIG to identify any “noteworthy facts or circumstances” related to the use of Section 215 orders. Our report discussed another case in which the FISA Court twice refused to authorize a Section 215 order based on concerns that the investigation was based on protected First Amendment activity. The FBI subsequently issued NSLs to obtain information about the subject based on the same factual predicate and without a review to ensure the investigation did not violate the subject’s First Amendment rights. We questioned the appropriateness of the FBI’s actions because the NSL statute contains the same First Amendment caveat as the Section 215 statute.
As noted throughout the report, the FBI determined that much of the information about this and other cases described in the Section 215 report was classified and therefore had to be redacted from the public report. However, the full classified report contains the details about this case and other cases, and describes other uses of Section 215 authority. The full classified report has been provided to the Department and Congress.
Finally, as directed by the Reauthorization Act, we examined the interim minimization procedures adopted by the Department in 2006 for Section 215 orders. Such procedures are intended to minimize the retention and prohibit the dissemination of non-publicly available information about U.S. persons. We concluded that the interim minimization procedures adopted in September 2006 do not provide specific guidance for minimization procedures that the Reauthorization Act appears to contemplate. Consequently, our report recommends that the Department develop specific minimization procedures relating to Section 215 orders.
In sum, we believe that the FBI has devoted significant time, energy, and resources to ensuring that its employees understand the seriousness of the FBI’s shortcomings with respect to use of national security letters and the FBI’s responsibility for correcting these deficiencies. However, the FBI’s and the Department’s corrective measures are not yet fully implemented, and it is too early to determine whether these measures will eliminate the problems we found with use of these authorities. Ensuring full compliance with the proper use of these authorities will require continual attention, vigilance, and reinforcement by the FBI, the Department, the OIG, and the Congress.
That concludes my prepared statement. I would be pleased to answer any questions.