Posts

Useful But Not Sufficient: FBI’s FISA Fix Filing

As one of her last acts as presiding FISA judge, Rosemary Collyer ordered the government to explain how it will ensure the statement of facts in future FISA applications don’t have the same kind of errors laid out in the DOJ IG Report on Carter Page.

THEREFORE, the Court ORDERS that the government shall, no later than January 10, 2020, inform the Court in a sworn written submission of what it has done, and plans to do, to ensure that the statement of facts in each FBI application accurately and completely reflects information possessed by the FBI that is material to any issue presented by the application. In the event that the FBI at the time of that submission is not yet able to perform any of the planned steps described in the submission, it shall also include (a) a proposed timetable for implementing such measures and (b) an explanation of why, in the government’s view, the information in FBI applications submitted in the interim should be regarded as reliable.

DOJ and FBI submitted their response on Friday. (This post lays out new revelations about the FISA process in it.) While I think there are useful fixes, most laid out in FBI Director Chris Wray’s response to the IG Report itself, the fixes are insufficient to fix FISA.

The filing largely focuses on the institution and evolution of the current accuracy review process. It promises to review the memorandum guiding that process (though doesn’t set a deadline for doing so), and adds some forms and training to try to ensure that FBI Agents provide DOJ all the information that the lawyers should include in an application to FISA. One of those forms — pertaining to human sources — seems important though might lead to counterintelligence problems in the future. Another, requiring agents to provide all exculpatory information, may improve the process. But fundamentally, DOJ and FBI assume that the process they currently use just needs to be improved to make sure it works the way they intend it to.

They’re probably insufficient to fix the underlying problems in the Carter Page FISA application.

The FISA Fix Filing is based on faulty assumptions

I say that, first of all, because the FISA Fix Filing adopts certain assumptions from the DOJ IG Report that may not be valid. The FISA Fix Filing assumes that:

  • FBI was responsible for all the errors on the Carter Page application
  • The right people at FBI had the information they needed
  • The Carter Page application was an aberration

The IG Report ignored where DOJ’s National Security Division contributed to errors

As I note in this post, possibly because of institutional scope (DOJ IG cannot investigate DOJ’s prosecutors), possibly because of its own confirmation bias, the IG Report held the FBI responsible for all the information that was known to investigators, but not included in the Carter Page FISA applications. Yet the report showed that at least two of the things it says should have been included in the Page applications — Page’s own denials of a tie with Paul Manafort, and Steele’s own derogatory comments about Sergei Millian — were shared with DOJ’s Office of Intelligence, which writes the applications. Indeed, Rosemary Collyer even noted the latter example in her letter. It also shows DOJ’s National Security Division had confirmed a fact — that Carter Page had no role in the platform change at the RNC — before FBI had.

Because the FISA Fix Filing assumes FBI is responsible for everything mistakenly excluded from the applications, the proposed fixes shift even more responsibility to FBI, requiring agents, with FBI lawyers, to identify the information that should be in an application. But if — as the IG Report shows — sometimes FBI provides the relevant information but it’s not included by the lawyers, then ensuring they provide all the relevant information won’t be sufficient to fix the problem.

The focus on FBI to the detriment of NSD has one other effect. NSD includes few changes to their behaviors in the FISA Fix Filing (largely limited to training and inadequate accuracy reviews). And where they do consider changes, they do not — as ordered by the court — set deadlines for themselves.

The IG Report barely noted the import of the failure to share information in timely fashion

The IG Report deviates radically from almost twenty years of after-action reports that have consistently advocated for more sharing of national security information. It recommends that Bruce Ohr be disciplined for doing just that. Perhaps to sustain that bizarre conclusion, the IG Report focuses almost no attention on an issue that is critical to fixing the problems in the Carter Page applications: ensuring that the people submitting a FISA application have all the information available to the US government. The IG Report showed a 2 month delay before the Crossfire Hurricane team obtained the Steele reports, a month delay in getting feedback from State Department official Kathleen Kavalec, and delays in obtaining the full extent of Bruce Ohr’s knowledge on the dossier, all of which contributed to the delayed vetting of the dossier. But the IG Report doesn’t explore why this happened. And the FBI FISA Fix only addresses it by reminding agents to consult with other agencies.

In another of the 17 problems with the FISA applications, the people submitting the applications apparently did not learn that Christopher Steele had admitted meeting with Yahoo in court filings.

According to the Rule 13 Letter and FBI officials, although there had been open source reporting in May 2017 about Steele’s statements in the foreign litigation, the FBI did not obtain Steele’s court filings until the receipt of Senators Grassley and Graham’s January 2018 letter to DAG Rosenstein and FBI Director Christopher Wray with the filings enclosed. We found no evidence that the FBI made any attempts in May or June 2017 to obtain the filings to assist a determination of whether to change the FBI’s assessment concerning the September 23 news article in the final renewal application.

In other instance (as noted above), while NSD had affirmative knowledge that Carter Page had not been involved in the change to the RNC platform, FBI had a different view, yet this issue was not resolved to fully discount the claim in FISA applications. The IG Report also faults FBI managers (but never NSD ones) for not aggressively questioning subordinates to get a full sense of problems with the applications. All of these are information sharing problems, not errors of transparency. Making the case agent fill out forms about what he or she knows will have only limited effect on ensuring that those agents obtain all the information they need, because if they don’t know it, they won’t know to look for it.

With the Crossfire Hurricane investigation, that problem was exacerbated by the close hold of the investigation (most notably by running the investigation out of Main Justice) and, probably, by the urgency of investigating an ongoing attack while it’s happening, which likely led personnel to focus more on collecting information about the attack than exculpatory information.

The FISA Fix Filing includes a vaguely worded document describing technological improvements — including a workflow document that sounds like bureaucratic annoyance as described — that suggest FBI is considering moving some of this to the cloud.

Corrective Action #11 requires the identification and pursuit of short- and long-term technological improvements, in partnership with DOJ, that aid in consistency and accountability. I have already directed executives in the FBI’s Information Technology Branch leadership to work with our National Security Branch leadership and other relevant stakeholders to identify technological improvements that will advance these goals. To provide one example of a contemplated improvement, the FBI is considering the conversion of the revised FISA Request Form into a workflow document that would require completion of every question before it could be sent to OI. The FBI proposes to update the Court on its progress with respect to this Corrective Action in a filing made by March 27, 2020.

It’s still not clear this would fix the problem (it’s still not clear how Bruce Ohr would have shared the information he had in such a way that he wouldn’t now be threatened with firing for doing so, for example). And for a close hold investigation like this, such a cloud might not work. But it would be an improvement (if FBI could keep it secure, which is a big if).

The FISA Fix Filing does have suggests to improve information sharing. But because the scope of the problem, as defined in the IG Report, doesn’t account for information that simply doesn’t get to the people submitting the application, it’s not clear it will fix that problem.

No one knows whether the Page applications are an aberration or not

Finally, no one yet knows whether the Carter Page application was an aberration, and thus far, no one at DOJ has committed to finding out. DOJ IG has committed to doing an audit of the Woods Procedure process that failed in the Carter Page case (and the FISA Fix Filing committed to respond to any findings from that).

The Government further notes that the OIG is conducting an audit of FBI’s process for the verification of facts included in FISA applications that FBI submits to the Court, including an evaluation of whether the FBI is in compliance with its Woods Procedures requirements. The Department will work with the OIG to address any issues identified in this audit.

Yet everyone involved admits that the most serious problems with the Page applications consisted of information excluded from the application, not inaccurate information in it.

Many of the most serious issues identified by the OIG Report were … [when] relevant information is not contained in the accuracy sub-file and has not been conveyed to the OI attorney.

Doing an audit of the Woods Procedures, then, does not test the conclusion that Page’s applications are an aberration, and therefore does not test whether more substantive fixes are necessary.

DOJ IG has considered doing more — and PCLOB suggested last year they might get involved (though technically, their counterterrorism scope wouldn’t even permit them to look at counterintelligence cases like Page’s) — but thus far there’s no plan in this filing to figure out of this is a broader problem.

The existing oversight for FISA may be inadequate

There are several reasons to believe that the existing oversight regime for FISA may be inadequate.

As noted, the existing IG plan to audit the Woods Procedure is insufficient to identify whether the existing FISA Fix Filing is sufficient to fix the problem. Also as noted above, the jurisdiction of DOJ’s IG, because it cannot review the actions of prosecutors, might not (and in this case, pretty demonstrably did not) adequately review all parts of the process, because it could not subject NSD attorneys to the same scrutiny it did FBI.

Then there are shortcomings to NSD’s oversight regime — shortcomings that Judge James Boasberg — the new presiding FISA Judge and so the just now in charge of overseeing these fixes — already highlighted in an opinion on problems with Section 702 queries.

As the FISA Fix Filing describes, OI (the same office that the IG Report let off when it received information but did not include it in applications) does a certain number of oversight reviews each year. But they don’t do reviews in every FBI field office (to which FBI devolved the FISA application process some years ago), and they don’t do accuracy reviews at every office where they do an oversight review.

OI’s Oversight Section conducts oversight reviews at approximately 25-30 FBI field offices annually. During those reviews, OI assesses compliance with Court-approved minimization and querying procedures, as well as the Court orders. Pursuant to the 2009 Memorandum, OI also conducts accuracy reviews of a subset of cases as part of these oversight reviews to ensure compliance with the Woods Procedures and to ensure the accuracy of the facts in the applicable FISA application. 5 OI may conduct more than one accuracy review at a particular field office, depending on the number ofFISA applications submitted by the office and factors such as whether there are identified cases where errors have previously been reported or where there is potential for use of FISA information in a criminal prosecution. OI has also, as a matter of general practice,_ conducted accuracy reviews of FISA applications for which the FBI has requested affirmative use of FISA-obtained or -derived information in a proceeding against an aggrieved person. See 50U.S.C. §§ 1806(c), 1825(d).

During these reviews, OI attorneys verify that every factual statement in the categories of review described in footnote 5 is supported by a copy of the most authoritative document that exists or, in enumerated exceptions, by an appropriate alternate document. With regard specifically to human source reporting included in an application, the 2009 Memorandum requires that the accuracy sub-file include the reporting that is referenced in the application and further requires that the FBI must provide the reviewing attorney with redacted documentation from the confidential human source sub-file substantiating all factual assertions regarding the source’s reliability and background.

As Boasberg noted in his 702 opinion last year, this partial review may result in problems going unaddressed for years.

Personnel from the Office of Intelligence (OI) within the Department of Justice’s National Security Division (NSD) visit about half of the FBI’s field offices for oversight purposes in a given year. Id at 35 & n 42. Moreover OI understandably devotes more resources to offices that use FISA authorities more frequently, so those offices [redacted] are visited annually, id at 35 n. 42, which necessitates that some other offices go for periods of two years or more between oversight visits. The intervals of time between oversight visits at a given location may contribute to lengthy delays in detecting querying violations and reporting them to the FISC. See, e.g., Jan. 18, 2019, Notice [redacted] had been conducting improper queries in a training context since 2011, but the practice was not discovered until 2017).

Furthermore, OI’s review of a subset of a subset of applications targeting Americans only reviews for things included in the application, not things excluded from it.

OI’s accuracy reviews cover four areas: (1) facts establishing probable cause to believe that the target is a foreign power or an agent of a foreign power; (2) the fact and manner of FBI’s verification that the target uses or is about to use each targeted facility and that property subject to search is or is about to be owned, used, possessed by, or in transit to or from the target; (3) the basis for the asserted U.S. person status of the target(s) and the means of verification; and (4) the factual accuracy of the related criminal matters section, such as types of criminal investigative techniques used (e.g., subpoenas) and dates of pertinent actions in the criminal case.

DOJ admits that this is a problem, and considers doing a check for the kind of information excluded from Carter Page’s applications, but doesn’t commit to doing so and (again, unlike FBI) doesn’t give itself a deadline to do so.

Admittedly, these accuracy reviews do not check for the completeness of the facts included in the application. That is, if additional, relevant information is not contained in the accuracy sub-file and has not been conveyed to the OI attorney, these accuracy reviews would not uncover the problem. Many of the most serious issues identified by the OIG Report were of this nature. Accordingly, OI is considering how to expand at least a subset of its existing accuracy reviews at FBI field offices to check for the completeness of the factual information contained in the application being reviewed. NSD will provide a further update to the Court on any such expansion of the existing accuracy reviews.

Improving these oversight reviews will have a salutary effect on all FISA authorities, not just individualized orders. Since Boasberg has already identified the inadequacies of the current reviews, I would hope he’d ask for at least an improved oversight regime.

Treating alleged subpoenas like they’re not subpoenas

There’s a change promised that I’m unsure about: Chris Wray’s voluntary decision to subject Section 215 and pen register orders to heightened accuracy reviews.

Currently, the accuracy of facts contained in applications for pen register and trap and trace surveillance pursuant to 50 U.S.C. § 1841 , et seq. , or applications for business records pursuant to 50 U.S. C. § 1861 , et seq. , must, prior to submission to the Court, be reviewed for accuracy by the case agent and must be verified as true and correct under penalty ofpeijury pursuant to 28 U.S.C. § 1746 by the Supervisory Special Agent or other designated federal official submitting the application. Historically, the Woods Procedures described herein have not been formally applied by the FBI to applications for pen register and trap and trace surveillance or business records. As discussed in the FBI Declaration, FBI will begin to formally apply accuracy procedures to such applications and proposes to update the Court on this action by March 27, 2020.

FBI has, for years, told the public these are mere grand jury subpoena equivalents, and so the privacy impact is not that great. That Wray thinks these need accuracy reviews suggests they’re more intrusive than that, in which case by all means FBI should add these reviews.

But as I suggested in this post, some of the problems with the Carter Page applications might have been avoided had the Crossfire Hurricane team obtained call records from both Page and George Papadopoulos early in the process, which would not only have confirmed Page’s accurate claim that Paul Manafort never returned his emails (undermining a key claim from the dossier), but it would have revealed Papadopoulos’ interactions with suspect Russian asset Joseph Mifsud, thereby pinpointing where the investigative focus should have been (and making it a lot harder for Papadopoulos to obstruct the investigation in the way he did). The IG Report doesn’t ask why this didn’t happen, but it seems an important question because if the FBI chose not to use ostensibly less intrusive legal process because existing Section 215 applications are not worth the trouble, then making the purportedly less-intrusive applications even more onerous will only lead to a rush to use full FISA, as appears to have happened here.

Further breaking the affiant-officer of the court relationship

One of the more insightful observations from the IG Report described how OI attorneys and FBI agents applying for FISA orders don’t work as closely as prosecutors and agents on a normal case.

NSD officials told us that the nature of FISA practice requires that OI rely on the FBI agents who are familiar with the investigation to provide accurate and complete information. Unlike federal prosecutors, OI attorneys are usually not involved in an investigation, or even aware of a case’s existence, unless and until OI receives a request to initiate a FISA application. Once OI receives a FISA request, OI attorneys generally interact with field offices remotely and do not have broad access to FBI case files or sensitive source files. NSD officials cautioned that even if OI received broader access to FBI case and source files, they still believe that the case agents and source handling agents are better positioned to identify all relevant information in the files.

The proposed FISA fixes seem to derive from this OI viewpoint, that because OI don’t work closely with agents they need to replace cooperation that is often inadequate on normal criminal investigations with a process that has even less cooperation for applications that are supposed to have a higher degree of candor.

The FISA Fix Filing seems to envision FBI lawyers picking up this slack, but especially since DOJ devolved the application process to Field Agents some years ago, it’s not clear, at all, why this would result in better lawyering.

Formalizing the role of FBI attorneys in the legal review process for FISA applications, to include identification of the point at which SES-level FBI OGC personnel will be involved, which positions may serve as the supervisory legal reviewer, and establishing the documentation required for the legal review;

[snip]

Corrective Action #7 requires the formalization of the role of FBI attorneys in the legal review process for FISA applications, to include identification of the point at which SES-level FBI OGC personnel will be involved, which positions may serve as the supervisory legal reviewer, and establishing the documentation required for the legal reviewer. Through this Corrective Action, the FBI seeks to encourage legal engagement throughout the FISA process, while still ensuring that case agents and field supervisors maintain ownership of their contributions.

As it is, the FISA process requires a more senior agent to be the affiant on an application, which in at least one of the Page applications, resulted in someone who had less knowledge of the case making the attestation under penalty of perjury.

It may be that these changes go in the opposite direction from where FISA should go, which would be closer to the criminal warrant model where a judge will have an FBI affiant who anticipates taking the stand at a trial (and therefore needs to retain his or her integrity to avoid damaging the case), and an office of the court signing off on applications (whom judges can sanction directly). That is, by introducing more layers and absolving OI from some of the direct responsibility for the process, these proposed changes may make FISA worse, not better.

Remarkably, the court might consider something far more effective.

On Friday, Boasberg appointed David Kris as amicus for this consideration. Kris literally wrote the book on all this, in addition to writing the 2001 OLC memo that eliminated the wall between the intelligence collected under FISA and the prosecutions that arise out of them. In a recent podcast, he mused that the way to fix all this may be to give defendants review of their applications, something always envisioned by Congress, but something no defendant has done. That — along with a more robust oversight process — seems like it has a better chance of changing the way the FBI and DOJ approach FISA applications than adding a bunch more checklists for the process.

The frothy right is in a lather over Kris’ appointment, which is a testament to how little these people (up to and especially Devin Nunes) understand FISA. But he has the institutional clout to be able to recommend real fixes to FISA, rather than a bunch of paperwork to try to make the Woods Procedure to work the way it’s supposed to.

DOJ could, voluntarily, provide review to more defendants. Alternately, Congress could mandate it in whatever bill reauthorizes Section 215 this year. Or Kris could suggest that’s the kind of thing that should happen.

Update: David Kris submitted his recommendations to Boasberg. Like me, he finds Wray’s plan useful but not sufficient. Like me he notes that the agents doing the investigation should be the ones signing off on affidavits (and he suggests the FISC review more applications until new procedures are in place). Kris also focuses on cultural changes that need to happen.

One thing he doesn’t do is review DOJ’s role (though he does argue that part of this stems from conflict between DOJ and FBI).

He also notes that DOJ has not imposed deadlines for itself.

The Various Channels Via Which the Steele Reports Got Ingested by FBI

One side benefit of the DOJ IG Report on Carter Page is its running description of when the FBI obtained Steele’s reports when. I’ve tried to track that information, which appears in narrative form, in this spreadsheet. It shows that the FBI got different sets of Steele reports from the following sources:

  • Mike Gaeta, Steele’s handling agent. He first got a report on July 5, 2016, got more in time to share them with the Crossfire Hurricane team on September 19, and then kept sharing files as he received them in October. Two of the most problematic reports — the one that claimed Russia had not had success hacking Western targets (which was knowably false in 2015) and the one that misspelled Alfa Bank “Alpha”) — did not get shared directly with the FBI. There are three reports shared with the FBI that are not public, though the content and report number of one can be surmised from the report.
  • Kathleen Kavalec. Kavalec shared the content of a briefing she attended on October 11, 2016 after Steele had been closed out in November (though she tried to share it in more timely fashion). The FBI describes the briefing she received as largely the same as two reports Steele wrote (one that is not public) the following day.
  • David Corn. He shared his set of files either “after the election” or on November 6, 2016 with FBI’s General Counsel, Jim Baker. His set did include those two dodgier reports on hacking and “Alpha” Bank.
  • John McCain. He shared his set of files with Jim Comey on December 9, 2016. He, too, got the dodgy cyber and “Alpha” reports, as well as a report invoking Aras Agalarov.
  • Bruce Ohr. After Steele was closed out, Ohr helped the FBI figure out what Steele had actually been doing (for which favor the IG referred him to Office of Professional Responsibility). He obtained a set of files from Glenn Simpson and shared it with the FBI, which largely overlapped McCain’s, but included an extra report claiming Russia had input on whom Trump picked for Secretary of State.
  • BuzzFeed. The BuzzFeed dossier included an extra report no one else had, dated December 13, 2016. It made the most inflammatory claim of all the reports — that Michael Cohen had paid the hackers who had targeted the DNC — and accused XBT of doing things that the Internet Research Agency had actually done.

As noted, the FBI never received their own copy of two of the sketchiest reports — the one claiming Russia had had no success hacking targets that the FBI knew well they had been hacking for over a year, and the one that misspelled “Alfa” bank. They would have first obtained those via David Corn either just before or after the election (the report is inconsistent on the timing).

This in no way exonerates the FBI for using the dossier in later Page FISA applications. It’s also not clear when the Crossfire Hurricane team received the first three reports on Michael Cohen, which were some of other other most easily disproved reports, but it’s unlikely they received and vetted them before the first application. But at the time they used the dossier as a basis for the first Page FISA application, there would have been less reason to immediately distrust the reports.

 

OTHER POSTS ON THE DOJ IG REPORT

Overview and ancillary posts

DOJ IG Report on Carter Page and Related Issues: Mega Summary Post

The DOJ IG Report on Carter Page: Policy Considerations

Timeline of Key Events in DOJ IG Carter Page Report

Crossfire Hurricane Glossary (by bmaz)

Facts appearing in the Carter Page FISA applications

Nunes Memo v Schiff Memo: Neither Were Entirely Right

Rosemary Collyer Responds to the DOJ IG Report in Fairly Blasé Fashion

Report shortcomings

The Inspector General Report on Carter Page Fails to Meet the Standard It Applies to the FBI

“Fact Witness:” How Rod Rosenstein Got DOJ IG To Land a Plane on Bruce Ohr

Eleven Days after Releasing Their Report, DOJ IG Clarified What Crimes FBI Investigated

Factual revelations in the report

Deza: Oleg Deripaska’s Double Game

The Damning Revelations about George Papadopoulos in a DOJ IG Report Claiming Exculpatory Evidence

A Biased FBI Agent Was Running an Informant on an Oppo-Research Predicated Investigation–into Hillary–in 2016

The Carter Page IG Report Debunks a Key [Impeachment-Related] Conspiracy about Paul Manafort

The Flynn Predication

Sam Clovis Responded to a Question about Russia Interfering in the Election by Raising Voter ID