As I noted, DOJ’s Inspector General has finally liberated the report on Section 215 use through 2009 that it finished almost a year ago. The key takeaway is that FBI continued to blow off privacy protections required by Congress in 2006 until 2013.
This will be a working thread on the rest of the report. Page numbers will be PDF.
For ease of access, here’s my table on Section 215 orders by year.
PDF 7: There was some double digit number of requests withdrawn.
PDF 7: The report breaks out how many were submitted by other agencies and how many by the FBI.
PDF 7: FBI was already getting a lot of Internet collex in 2009.
PDF 7: 3 reasons why the numbers of USPs is not the same affected: those who weren’t subjects of investigation, those who fit into weird def of USP, and those who were incidental.
PDF 7: FBI is clearly getting a lot of this voluntarily.
PDF 7: As you read the blacked out numbers of non-FBI requests, remember that the number of phone dragnet orders for that period is public: 15. If they just had one other bulk collection program (the Western Union CIA one?) that would be another 15 orders.
PDF 9: I think I’ll start to call Section 215 the “Gigabytes of Metadata and Other Electronic Information” program.
PDF 11: Report notes that NSD submits all applications to get around the statutory gig.
PDF 15: It’s clear the government at first told IG that no one had ever challenged an order, but the modified that (presumably after Snowden).
PDF 16: They use the “FISA Management System” to apply. Which probably means that’s where the data goes in?
PDF 16: “Some Section 215 requests originate from FBI Headquarters.” This may mean they use requests to parallel construct something else, as stuff that arises there often does.
PDF 19: Big redaction on USP data that exists in NSI guidelines. May mean default non-USP, same way 702 MPs work.
PDF 20: Note December 16, 2009 letter. Came at the end of a year of problems with FISC. There was also an October 28, 2009 one.
PDF 20: Someone asked FBI nicely to adopt other minimization procedures in the “redacted” manner (could be CIA, but could also be the first of the Internet ones).
PDF 23: Govt redacted the entire discussion of what led DOJ to finally follow the law.
PDF 23: The minimization procedures do not have a destruction data, which means stuff that has been determined FI will be retained 30 years.
PDF 23: Note the redacted footnote on the classified directive on US person status.
PDF 23: These MPs seem to resemble the 702 ones, which entail not looking at data but then declaring it FI.
PDF 24: The entirely redacted paragraph appears to address dissemination.
PDF 24: DOJ first started referencing FPs in August 2013.
PDF 29: In case there was any question about whether Section 215 gets dumped in with the rest of FBI’s FISA data.
PDF 30: This procedure is very similar to Section 702 procedures.
Which likely means the non-FISA-trained access is through complete copies of metadata as happens with 702 data.
PDF 32: There are 3 kinds of metadata in FBI’s stash. The distinction of what is metadata is probably important because the MPs likely let FBI copy entire databases of metadata (as they do under Section 702).
PDF 32: Yet more proof the treatment of 215 data is close to 702 data. This may respond to issues about whether someone is a USP, which pertains to First Amendment review. (see PDF 40)
PDF 33: “The type of information that is categorized as metadata will likely continue to evolve and expand.”
PDF 34: FBI has claimed DOJ IG can’t have access to 215 info to see if it is complying.
PDF 36: So AG Holder had to intervene in spat between NSD and FBI, which led them to submit MPs to the FISC in 2010, but the FISC rejected those. Remember one of the earlier debates was over the meaning of PII.
PDF 37: The numbers for 2006 seems to suggest there were 32 combined orders in 2006, some of which included subscriber data, some of which included CSLI. Note the reference to an odd app in 2008.
PDF 40: The report notes that there is some doubt about whether someone is a USP in a cyber investigation. This probably relates back to the PDF 32 comment, and that may in turn be a source of uncertainty in 702 investigations.
PDF 40: It looks like the classified directive pertains to how you deal with IP?
PDF 40: It makes it clear that there are two bulk programs.
PDF 41: First example is a short-term app (3-days) which ended up having material misstatments about where the tip — about the content of a phone call!!! — came from. The FBI agent “is no longer with the FBI.” Oh, okay.
PDF 42ff: Second example is an Agent who applied for stuff normally obtained using NSLs, but for some reason he wanted to do 215. That resulted in significant minimization concerns. This is where the investigative value exception for accessing 215 databases derived from.
PDF 45: This one involved a supplemental order. Even after that DOJ IG found some inaccuracies that weren’t noticed to FISC until June 13, 2013 (it was a 2009 order).
PDF 47ff: This one involves medical and education records (the request was from a CT target’s employer). This one involved another error. This one also showed the subject had no nexus to terrorism.
PDF 50: This looks like they were (are) still using PRBR orders, presumably for location?
PDF 51: This was the one cyberhackery investigation (dating to 2009). It got modified. The Agent claimed he lost the original production and said most of what got kept was publicly available and so didn’t minimize it.
This looks like the redaction on the 3 kinds of metadata elsewhere in the report, obtained w/a PRTT or PRBR.
PDF 53: In addition to making clear that they use 215 where nothing else can be used it shows that FISC does police content of EC but not of other things (which I expected).
PDF 53: Some clarification of what is considered a modification.
PDF 63: Horowitz appears to have written the IG Report with the expectation Stellar Wind might not come out, because this is less detailed than that in ways that align more with what has been publicly released.
PDF 66: Whoa. This suggests there are a lot more sources of telephony metadata (or EO 12333 is even more interesting than I know–or that they’re hiding SPCMA still).
PDF 74: In several cases the FISC doubted that targets were non-USPs.