Posts

Now Would Be a Good Time to Restore Statutory Authority of DOJ’s Inspector General

/9 Comments/in /by

Judd Legum reports that the FBI’s Inspection Division is launching an investigation into why its FBI Records Vault Twitter bot launched into action the other day, resulting in the re-release of FOIAed files on Bill Clinton’s pardon of Marc Rich.

Candice Will, Assistant Director for the FBI’s Office of Professional Responsibility, said she was referring the matter to the FBI’s Inspection Division for an “investigation.” Upon completion of the investigation, the Office of Professional Responsibility will be referred back to the Office of Professional Responsibility for “adjudication.”

Federal law and FBI policy prohibit employees from using the power of the department to attempt to influence elections.

Will was responding to a complaint from Jonathan Hutson, a former investigative reporter who now works in communication in Washington, DC. She did not respond to requests, via phone and email, for further comment.

I’m happy the FBI is conducting this investigation, but this story is the inevitable result of the FBI responding appropriately to a complaint submitted by a media consultant, not any indication anyone at the FBI takes its own misconduct seriously.

Plus, the Inspection Division and the Office of Professional Responsibility don’t have statutory independence from the rest of the FBI, which means their investigation (and particularly OPR’s adjudication) can be influenced by FBI executives.

The entity that should be conducting an investigation into the FBI’s misconduct relating to this election is the Inspector General, which does have the independence to really assess who, if anyone screwed up.

There’s just one problem with that. As I’ve long covered, in 2010, the FBI started balking at the Inspector General’s proper investigative demands. Among other things, the FBI refused to provide information on grand jury investigations unless some top official in FBI said that it would help the FBI if the IG obtained it. In addition, the FBI (and DEA) have responded to requests very selectively, pulling investigations they don’t want to be reviewed. In 2014, the IG asked OLC for a memo on whether it should be able to get the information it needs to do its job. Last year, OLC basically responded, Nope, can’t have the stuff you need to exercise proper oversight of the FBI.

DOJ’s Inspector General, Michael Horowitz, has been trying for some time to get Congress to affirmatively authorize his office (and IGs generally, because the problem exists at other agencies) to receive the information he needs to do his job. But thus far — probably because Jim Comey used to be known as the world’s biggest Boy Scout — Congress has failed to do so.

I care about how FBI’s misconduct affects the election (thus far, polling suggests it hasn’t done so, though polls are getting closer as Republican Gary Johnson supporters move back to supporting the GOP nominee, as almost always happens with third party candidates). But I care even more about how fucked up the FBI is. Even if Comey is ousted, I can’t think of a likely candidate that could actually fix the problems at FBI. One of the few entities that I think might be able to do something about the stench at FBI is the IG.

Except the FBI has spent 6 years making sure the IG can’t fully review its conduct.

It’s time to fix that.

FBI’s Surveillance Arbitrage, First Amendment Edition

/in /by

While I was cycling around Provence without a care in the world last week, DOJ’s Inspector General released an IG Report mandated by the USA Freedom Act. It reports on the use of Section 215 from 2012 to 2014 (which means NSA and FBI have successfully avoided any review of their 215 orders from 2010 and 2011, not to mention any review of CIA’s use of the provision). The key takeaway is that the application process to get Section 215 orders is very time consuming — over 100 days on average. Which is probably why Republican Senators have been trying to permit FBI to obtain Electronic Communications Transaction Records with just a National Security Letter since the report was released to Congress in June.

The report also noted a sharp drop-off in the use of 215 orders in recent years, which I’ve been tracking here.

Those two factors are useful background for some other details in the report, however. First, DOJ and FBI interviewees offered many explanations for the decline in Section 215 use, one of which is Edward Snowden, but two more credible ones of which are the use of other authorities to get the same information, Section 702 or grand jury subpoenas.

NSD and FBI personnel attributed the subsequent decline between 2013 and 2015 to several factors, including the stigma attached to the use of Section 215 authority following the Snowden revelations, increased use of Section 702 of the FISA Amendments Act, providers’ resistance to business records orders, agents’ frustrations with the lack of timeliness and level of oversight in the business records process, and agents’ increasing use of criminal legal process instead of FISA authority in counterterrorism and cyber investigations.

They key point, though, is for most uses, there are other ways to get the same information. There is a limit to that, though. Apparently, grand jury subpoenas are only possible for counterterrorism and cybersecurity investigations, not counterintelligence ones.

When asked about this disparity, agents told us that business records orders frequently are the only option available in counterintelligence investigations given the nature and classification of the information involved. By contrast, agents handling counterterrorism and cyber investigations can in some instances open a parallel criminal investigation and use the grand jury process to obtain the same information more quickly and with less oversight than a business records order.

That’s why I’m so interested in a discussion of the applications that got filed — in counterterrorism cases — but either not submitted or withdrawn from the FISC in this period.

screen-shot-2016-10-07-at-10-51-46-am

Remember, the way the government and FISC avoid rejected applications is by not submitting or withdrawing things that it is clear the FISC won’t approve. What this redacted section effectively says is that at least “several” requests based on a target’s statements about jihad were withdrawn, apparently in the wake of a February 2013 order from John Bates on what constitutes targeting for First Amendment reasons.

We’ve seen a heavily redacted version of that opinion. As I laid out here, it’s a classic John Bates opinion: it hems and haws about Executive Branch behavior, but then approves the behavior in question (at least in this case, Bates didn’t approve an expansion of the questionable behavior, as he did in 2010 with the Internet dragnet).

Effectively Bates appears to have objected to the use of a target’s language (perhaps, support for jihad without endorsement of specific threats) in obtaining a Section 215 order, but then pointed to other peoples’ behavior in finding that the order didn’t stem exclusively from First Amendment protected activities.

And the IG Report says that, apparently in the wake of that wishy-washy opinion, DOJ decided to withdraw several applications based on stated support for jihad.

Remember, in 2006, the FBI withdrew two attempts at a 215 order because of FISC’s First Amendment concerns only to get the same information with NSLs. (See page 68ff) Congress made a particularly big stink about it, because the FBI was acting on its own in spite of FISC’s disapproval.

This feels similar. That is, given that FBI was already moving its Section 215 orders to grand jury subpoenas because they’re easier to get and undergo less oversight, it sure seems likely these requests reappeared as such. Unlike the earlier IG report that confirmed FBI arbitraged surveillance authorities to get around First Amendment protections, this report appears not to have pursued the issue (as I understand it, the declassification of this report was handled exclusively through redactions).

They did, however, ask why DOJ doesn’t track applications that are withdrawn, to avoid the appearance that the FISC is a rubber stamp. DOJ’s answer was rather unpersuasive.

The FISA Court did not deny any business records applications between 2012 and 2014. When asked why applications withdrawn after submission of a read copy to the FISA Court were not reported to Congress, potentially creating the inadvertent impression that the FISA Court is a “rubber stamp,” NSD supervisors told us that the Department includes only business records applications formally submitted to the FISA Court and denied or withdrawn, not those filed in “read copy” and subsequently withdrawn. 41 The NSD supervisors acknowledged that excluding applications withdrawn after the FISA Court indicates that it will not sign an order might lead to misunderstandings about the FISA Court’s willingness to question applications, but the supervisors noted that NSD and the FISA Court have talked about the “read” process publicly to address concerns about this. 42 In comments provided to the OIG after reviewing a draft of this report, NSD stated that it is currently considering whether to revise the methodology for counting withdrawn applications.

My guess is they want to avoid any records of withdrawn applications for those times when they do use a grand jury subpoena to obtain stuff that FISC made known it wouldn’t approve. That detail might have to be disclosed to defendants, after all. Here, there’s less paperwork.

It all seems to support a theory that the FBI continues to arbitrage surveillance authorities (as they, by their own admission, do with location tracking). With location tracking, there’s nothing patently illegal about that. But with First Amendment protections, that sure seems dubious.

FBI’s Open NSL Requests

/in , /by

DOJ’s Inspector General just released a report of all the recommendations it made prior to September 15, 2015 that are not yet closed. As it explained in the release, the IG compiled the report in response to a congressional request, but they’ve posted (and will continue to post, every 6 months) the report for our benefit as well.

Specifically, we have posted a report listing all recommendations from OIG audits, evaluations, and reviews that we had not closed as of September 30, 2015.  As you will see, most of the recommendations show a status of “resolved,” which indicates that the Department of Justice has agreed with our recommendation, but we have not yet concluded that they have fully implemented it.

As that release made clear, most of the recommendations that have not yet been closed are not open, but resolved, which means DOJ has agreed with the IG’s recommendation but has not fully implemented a fix for that recommendation.

Which leaves the “open” recommendations, which might include recommendations DOJ hasn’t agreed to address or hasn’t told the IG how they’ll address. There are 20 open recommendations in the report, most of which date to 2014. That’s largely because every single one of the 10 recommendations made in the 2014 report on National Security Letters remains open. Here are some of my posts on that report (one, two, three, four, five), but the recommendations pertain to not ingesting out-of-scope information, counting the NSL’s accurately, and maintaining paperwork so as to be able to track NSLs. [Update: as the update below notes, the FBI response to the released report claimed it was responding, in whole or in part, to all 10 recommendations, which means the “open” category here means that FBI has not had time to go back and certify that FBI has done what it said.]

Three of the other still-open recommendations pertain to hiring; they pertain to nepotism, applicants for the civil rights division wanting to enforce civil rights laws (!), and the use of political tests for positions hiring career attorneys (this was the Monica Goodling report). Another still open recommendation suggests DOJ should document why US Attorneys book hotels that are outside cost limits (this pertains, ironically, to Chris Christie’s travel while US Attorney).

The remaining 2 recommendations, both of which date to 2010, are of particular interest.

1/19/2010: A Review of the Federal Bureau of Investigation’s Use of Exigent Letters and Other Informal Requests for Telephone Records

The OIG recommends that the FBI should issue guidance specifically directing FBI personnel that they may not use the practices known as hot number [classified and redacted] to obtain calling activity information from electronic communications service providers.

The first pertains to the IG Report on exigent letters. The report described (starting on PDF 94) how FBI contracted with two providers for “hot number” services that would let them alert the FBI when certain numbers were being used. FBI first contracted for the service with MCI or Verizon, not AT&T (as happened with most tech novelties in this program). The newly released version of the report make it clear that redactions are redacted for b1 (classification), b4 (trade secrets), b7A (enforcement proceedings), and b7E (law enforcement technique). At one point, then General Counsel now lifetime appointed judge Valerie Caproni said the practice did not require Pen Registers.

I find this practice — and FBI’s longstanding unwillingness to forswear it — interesting for two reasons. First, most references to the practice follow “hot number” by a short redaction.

Screen Shot 2016-01-21 at 2.02.30 PM

That suggests “hot number” may just be a partial name. Given that this section makes it clear this was often used with fugitives — just as Stingrays are often most often used — I wonder whether this involved “number” and “site.” That’s especially true since Company C (again, MCI or Verizon) also tracked whether calls were being made from a particular area code or [redacted], suggesting some location tracking function.

I’m also interested in this because “hot numbers” tracks the unauthorized “alert” function the NSA was using with the phone dragnet up until 2009. As you recall, NSA analysts would get an alert if any of thousands of phone numbers got used in a given day, none of which it counted as a contact-chaining session.

In other words, this practice might be related to one or both of these things. And 6 years later, the FBI doesn’t want to forswear the practice.

9/20/2010, A Review of the FBI’s Investigations of Certain Domestic Advocacy Groups

The OIG recommends that the FBI seek to ensure that it is able to identify and document the source of facts provided to Congress through testimony and correspondence, and to the public.

This report (see one of my posts on it) reviewed why the FBI had investigated a bunch of peace and other advocacy groups as international terrorist groups dating back to 2004. ACLU had FOIAed some documents on investigations into Pittsburgh’s peace community. In response, Patrick Leahy started asking for answers, which led to obvious obfuscation from the FBI. And as I noted, even the normally respectable Glenn Fine produced a report that was obviously scoped not to find what it was looking for.

Nevertheless, a key part of the report pertained to FBI’s inability (or unwillingess) to respond to Leahy’s inquiries about what had started this investigation or to explain where the sources of information for their responses came from. (See PDF 56) The FBI, to this day, has apparently refused to agree to commit to be able to document where the information it responds to Congress comes from.

I will have more to say on this now, but I believe this is tantamount to retaining the ability to parallel construct answers for Congress. I’m quite confident that’s what happened here, and it seems that FBI has spent 6 years refusing to give up the ability to do that.

Update:

I didn’t read it when I originally reported in the NSL IG report, but it, like most IG reports, has a response from FBI, which in this case is quite detailed. The FBI claims that it had fulfilled most recommendations well before the report was released.

The response to the open exigent letter recommendation is at PDF 224. It’s not very compelling; it only promised to consider issuing a statement to say “hot number [redacted]” was prohibited.

The response to the 2014 report recommendations start on PDF 226. Of those, the FBI didn’t say they agreed with one part of one recommendations:

  • That the NSL subsystem generate reminders if an agent hasn’t verified return data for manual NSLs (which are sensitive)

In addition, with respect to the data requested with NSLs, FBI has taken out expansive language from manual models for NSLs (this includes an attachment the other discussion of which is redacted), but had not yet from the automated system.

As Recently as 2012, FBI Didn’t Think Your Phone Number Was Your Identity

/1 Comment/in /by

Last week, Charlie Savage liberated additional disclosures on three IG reports he liberated last year: the 2007 NSL report, the 2009 Stellar Wind report, and a 2012 DOJ IG Section 702 report. With the NSL report, DOJ disclosed numbers that I believe were otherwise public or intuitable. With the Stellar Wind report, DOJ disclosed additional information on how the Department was dodging its obligation to notify defendants of the surveillance behind their cases; I hope to return to this issue.

By far the most important new disclosure, however, pertains to the FBI’s reporting on reports on US persons identified under Section 702 (see pages 17-18, highlighted by Savage here). Introducing the Executive Summary description of whether FBI was fulfilling reporting requirements, the report explained that the IG had adopted a fairly strict understanding of what constituted a US person dissemination.

Screen Shot 2016-01-11 at 2.08.00 PM

Although the key passage is redacted (and the report body on this topic is almost entirely redacted), it’s clear that the IG considered reports that identified a US person via something other than his or her name without sharing the content of communications constituted a report “with respect to” 702 acquisitions.

The FBI had been arguing about these definitions internally  and with DOJ’s IG since at least 2006, when it failed to comply with the legally mandated requirement for new minimization procedures to go with Section 215.  One way to understand an early version of the debate is whether, by retaining call records that don’t include a name but do include phone numbers that clearly belong to a specific person, the FBI was retaining US person identifying information. For obvious reasons — because if their minimization procedures treated a phone number as US person identifying information, then it would mean it couldn’t retain 5 years of phone records — FBI didn’t want to treat a person’s unique identifiers as person identifying information. The minimization procedures adopted in 2013 must mirror this problem given that FBI and NSA kept those records for another two years.

It appears the IG found the FBI’s reporting lacking in several ways: it did not include Section 702 related reports that identify a US person if that person (which I assume to mean that person’s identity) was identified via other means, and argued FBI should also count reports if the US person information in it was publicly available. In addition, the IG considered a metadata reference to also constitute a US person reference.

Screen Shot 2016-01-11 at 6.04.42 PM

This suggests the FBI was, until 2012, at least, not including the sharing of an email or even a report that identified the person tied to an email if it found that email, but not that person’s identity, via Section 702 in its reports to Congress. Imagine, for example, if FBI didn’t consider my emptywheel  email personally identifying of me, emptywheel, until such time as it publicly tied that email address to me. It would be bullshit, but we know that seems to be the kind of game FBI was and probably still is playing.

I’m particularly interested in this because of a speech Dianne Feinstein made in December 2012 — presumably after FBI had made whatever response they might make to this IG report — that named a number of people as if they had been IDed using Section 702. But when several of them demanded notice of Section 702 surveillance, none of them got it, and Feinstein and the Senate’s lawyer insisted they could not make anything of her insinuation that Section 702 had discovered them.

In other words, the two standards at issue here — the minimization procedures standard and the notice one — may be implicated in DOJ’s opaque notice guidelines. We don’t know whether it is or not, of course, but if it is, it would suggest that DOJ is limiting 702 notices based on what kinds of identifiers 702 produces.

1/13: Tweaked this post for clarity. In addition, note these letters from the Brennan Center which relate to this issue.

 

Jim Comey Makes Bogus Claims about Privacy Impact of Electronic Communications Trasaction Record Requests

/in /by

215 trackerOn November 30, Nicholas Merrill was permitted to unseal the NSL he received back in 2004 for the first time. That request asked for:

the names, addresses, lengths of service and electronic communication transaction records [ECTR], to include existing transaction/activity logs and all e-mail header information (not to include message content and/or subject fields) for [the target]

The unsealing of the NSL confirmed what has been public since 2010: that the FBI used to (and may still) demand ECTRs from Internet companies using NSLs.

On December 1, House Judiciary Committee held a hearing on a bill reforming ECPA that has over 300 co-sponsors in the House; on September 9, Senate Judiciary Committee had its own hearing, though some witnesses and members at it generally supported expanded access to stored records, as opposed to the new restrictions embraced by HJC.

Since then, a number of people are arguing FBI should be able to access ECTRs again, as they did in 2004, with no oversight. One of two changes to the version of Senator Tom Cotton’s surveillance bill introduced on December 2 over the version introduced on November 17 was the addition of ECTRs to NSLs (the other was making FAA permanent).

And yesterday, Chuck Grassley (who of course could shape any ECPA reform that went through SJC) invited Jim Comey to ask for ECTR authority to be added to NSLs.

Grassley: Are there any other tools that would help the FBI identify and monitor terrorists online? More specifically, can you explain what Electronic Communications Transactions Record [sic], or ECTR, I think that’s referred to, as acronym, are and how Congress accidentally limited the FBI’s ability to obtain them, with a, obtain them with a drafting error. Would fixing this problem be helpful for your counterterrorism investigations?

Comey: It’d be enormously helpful. There is essentially a typo in the law that was passed a number of years ago that requires us to get records, ordinary transaction records, that we can get in most contexts with a non-court order, because it doesn’t involve content of any kind, to go to the FISA Court to get a court order to get these records. Nobody intended that. Nobody that I’ve heard thinks that that’s necessary. It would save us a tremendous amount of work hours if we could fix that, without any compromise to anyone’s civil liberties or civil rights, everybody who has stared at this has said, “that’s actually a mistake, we should fix that.”

That’s actually an unmitigated load of bullshit on Comey’s part, and he should be ashamed to make these claims.

As a reminder, the “typo” at issue is not in fact a typo, but a 2008 interpretation from DOJ’s Office of Legal Counsel, which judged that FBI could only get what the law said it could get with NSLs. After that happened — a DOJ IG Report laid out in detail last year — a number (but not all) tech companies started refusing to comply with NSLs requesting ECTRs, starting in 2009.

The decision of these [redacted] Internet companies to discontinue producing electronic communication transactional records in response to NSLs followed public release of a legal opinion issued by the Department’s Office of Legal Counsel (OLC) regarding the application of ECPA Section 2709 to various types of information. The FBI General Counsel sought guidance from the OLC on, among other things, whether the four types of information listed in subsection (b) of Section 2709 — the subscriber’s name, address, length of service, and local and long distance toll billing records — are exhaustive or merely illustrative of the information that the FBI may request in an NSL. In a November 2008 opinion, the OLC concluded that the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL.

Although the OLC opinion did not focus on electronic communication transaction records specifically, according to the FBI, [redacted] took a legal position based on the opinion that if the records identified in Section 2709(b) constitute the exclusive list of records that may be obtained through an ECPA NSL, then the FBI does not have the authority to compel the production of electronic communication transactional records because that term does not appear in subsection (b).

Even before that, in 2007, FBI had developed a new definition of what it could get using NSLs. Then, in 2010, the Administration proposed adding ECTRs to NSLs. Contrary to Comey’s claim, plenty of people objected to such an addition, as this 2010 Julian Sanchez column, which he could re-release today verbatim, makes clear.

They’re calling it a tweak — a “technical clarification” — but make no mistake: The Obama administration and the FBI’s demand that Congress approve a huge expansion of their authority to obtain the sensitive Internet records of American citizens without a judge’s approval is a brazen attack on civil liberties.

[snip]

Congress would be wise to specify in greater detail just what are the online equivalents of “toll billing records.” But a blanket power to demand “transactional information” without a court order would plainly expose a vast range of far more detailed and sensitive information than those old toll records ever provided.

Consider that the definition of “electronic communications service providers” doesn’t just include ISPs and phone companies like Verizon or Comcast. It covers a huge range of online services, from search engines and Webmail hosts like Google, to social-networking and dating sites like Facebook and Match.com to news and activism sites like RedState and Daily Kos to online vendors like Amazon and Ebay, and possibly even cafes like Starbucks that provide WiFi access to customers. And “transactional records” potentially covers a far broader range of data than logs of e-mail addresses or websites visited, arguably extending to highly granular records of the data packets sent and received by individual users.

As the Electronic Frontier Foundation has argued, such broad authority would not only raise enormous privacy concerns but have profound implications for First Amendment speech and association interests. Consider, for instance, the implications of a request for logs revealing every visitor to a political site such as Indymedia. The constitutionally protected right to anonymous speech would be gutted for all but the most technically savvy users if chat-forum participants and blog authors could be identified at the discretion of the FBI, without the involvement of a judge.

That legislative effort didn’t go anywhere, so instead (the IG report explained)  FBI started to use Section 215 orders to obtain that data. That constituted a majority of 215 orders in 2010 and 2011 (and probably has since, creating the spike in numbers since that year, as noted in the table above).

Supervisors in the Operations Section of NSD, which submits Section 215 applications to the FISA Court, told us that the majority of Section 215 applications submitted to the FISA Court [redacted] in 2010 and [redacted] in 2011 — concerned requests for electronic communication transaction records.

The NSD supervisors told us that at first they intended the [3.5 lines redacted] They told us that when a legislative change no longer appeared imminent and [3 lines redacted] and by taking steps to better streamline the application process.

But the other reason Comey’s claim that getting this from NSL’s would not pose “any compromise to anyone’s civil liberties or civil rights” is bullshit is because the migration of ECTR requests to Section 215 orders also appears to have led the FISA Court to finally force FBI to do what the 2006 reauthorization of the PATRIOT Act required it do: minimize the data it obtains under 215 orders to protect Americans’ privacy.

By all appearances, the rubber-stamp FISC believed these ECTR requests represented a very significant compromise to people’s civil liberties and civil rights and so finally forced FBI to follow the law requiring them to minimize the data.

Which is probably what this apparently redoubled effort to let FBI obtain the online lives of Americans (remember, this must be US persons, otherwise the FBI could use PRISM to obtain the data) using secret requests that get no oversight: an attempt to bypass whatever minimization procedures — and the oversight that comes with it — the FISC imposed.

And remember: with the passage of USA Freedom Act, the FBI doesn’t have to wait to get these records (though they are probably prospective, just like the old phone dragnet was), they can obtain an emergency order and then fill out the paperwork after the fact.

For some reason — either the disclosure in Merrill’s suit that FBI believed they could do this (which has been public since 2010 or earlier), or the reality that ECPA will finally get reformed — the Intelligence Community is asserting the bogus claims they tried to make in 2010 again. Yet there’s even more evidence then there was then that FBI wants to conduct intrusive spying without real oversight.

DOJ Still Gets a Failing Grade on Strong Authentication

/in /by

In DOJ’s Inspector General’s annual report on challenges facing the department, Michael Horowitz revealed how well DOJ is complying with the Office of Management and Budget’s directive in the wake of the OPM hack that agencies improve their own cybersecurity, including by adopting strong authentication for both privileged and unprivileged users.

DOJ’s still getting a failing grade on that front — just 64% of users are in compliance with requirements they use strong authentication.

Following OMB’s directive, the White House reported that federal civilian agencies increased their use of strong authentication (such as smartcards) for privileged and unprivileged users from 42 percent to 72 percent. The Justice Department, however, had among the worst overall compliance records for the percentage of employees using smartcards during the third quarter of FY 2015 – though it has since made significant improvements, increasing to 64 percent of privileged and unprivileged users in compliance by the fourth quarter. Given both the very sensitive nature of the information that it controls, and its role at the forefront of the effort to combat cyber threats, the Department must continue to make progress to be a leader in these critical areas.

Ho hum. These are only the databases protecting FBI’s investigations into mobs, terrorists, and hackers. No reason to keep those safe.

In any case, it may be too late, as the Crackas with Attitude already broke into the portal for some of those databases.

Ah well, we’ll just dump more information into those databases under CISA and see if that prevents hackers.

FBI’s 5-Year Effort to Avoid Inspector General Scrutiny of Its Phone Dragnet Use

/8 Comments/in /by

Screen Shot 2015-08-05 at 1.15.53 PMAs part of today’s Senate Judiciary Hearing on DOJ OLC’s decision to make DOJ’s Inspector General ask nicely before it gets certain kinds of materials it needs to conduct its work, John Cornyn asked what changed in 2010 to make the FBI start pushing back against sharing information freely with the IG.

Inspector General Michael Horowitz responded,

I was not the Inspector General at that time, but my understanding is that the memos and decisions from the legal counsel at the FBI followed several OIG reviews of the handling of National Security Letters, Exigent Letters, and other hard-hitting OIG reviews, because there was no other change in the law, no policy change, no regulatory change…

Horowitz is suggesting that because Horowitz’ predecessor, Glenn Fine, released reports that showed FBI abuse of national security programs, FBI started pushing back against sharing information. The claim is particularly interesting given that the Exigent Letters report, which was released in January 2010, significantly implicated FBI’s General Counsel’s office, including then General Counsel and now lifetime appointed judge (with Cornyn’s backing) Valerie Caproni.

The suggestion is also interesting given that Fine resigned in 2010 after starting an investigation into the use ofSection 215 and PRTT. It took years before DOJ had a working Inspector General again, resulting in a long delay before Congress got another report on how the government was using the phone dragnet.

All of which is all the more troubling, given that Horowitz revealed that,

Just yesterday, I’m told, in our review of the FBI’s use of the bulk telephony statute, a review that this committee has very much been interested in our doing, we got records with redactions, not for grand jury, Title III, or fair credit information, because those have been dealt with, but for other areas that the FBI has identified legal concerns about.

This is particularly troubling given that just weeks ago the USA Freedom Act mandated certain IG reviews of phone dragnet activities.

But the FBI is still obstructing such efforts.

The Inspectors General Bring Out the Space Heroes to Defend Full Access

/8 Comments/in /by

John GlennA few weeks back, I noted that Office of Legal Counsel had finally released its opinion on whether DOJ had to share everything its Inspector General requested, or could hold things (and investigations) up until the Deputy Attorney General decided such disclosure would be in the interest of DOJ.

OLC ruled against the Inspector General, finding that rules limiting dissemination of wiretap, grand jury, and financial data required DOJ’s preferred arrangement, even given Congress’ recent appropriations instructions to give Inspectors General what they need.

Senators Chuck Grassley and Ron Johnson and Congressmen Bob Goodlatte and John Conyers expressed concern about the opinion when it was released. Grassley now has a hearing — titled “‘All’ Means All: The Justice Department’s Failure to Comply with Its Legal Obligation to Ensure Inspector General Access to All Records Needed for Independent Oversight” — tomorrow to address the issue.

In anticipation of that hearing, the Inspectors General have brought out the big guns.

First, retired Senator and space hero wrote a letter, reminding that the intent when he and others in Congress passed the Inspector General act in 1978, they intended IGs to get access to everything.

The success of the IG Act is rooted in the principles on which the Act is grounded–independence, direct reporting to Congress, dedicated staff and resources, unrestricted access to agency records, subpoena power, special protections for agency employees who cooperate with the IG, and the ability to refer criminal matters to the Department of Justice without clearing such referrals through the agency. We considered these safeguards to be vital when we developed the Act and they remain essential today.

In addition, yesterday the Council of the Inspectors General on Integrity and Efficiency sent a letter to Ron Johnson, Tom Carper, Jason Chaffetz, and Elijah Cummings asking for immediate legislation to fix the problem created by the OLC memo. In addition to expressing concern about the impact of the memo for DOJ’s Inspector General (that IG, Michael Horowitz, is Chair of CIGIE, so that’s sort of him reiterating his concerns), the other agency IG’s worried that the memo might affect their ability to conduct their own work, as well.

The OLC opinion’s restrictive reading of the IG Act represents a potentially serious challenge to the authority of every Inspector General and our collective ability to conduct our work thoroughly, independently, and in a timely manner. Our concern is that, as a result of the OLC opinion, agencies other than DOJ may likewise withhold crucial records from their Inspectors General, adversely impacting their work. Even absent this opinion, agencies such as the Peace Corps and the U.S. Chemical Safety and Hazard Investigation Board (CSB) have restricted or denied their OIGs access to agency records on claims of common law privileges or assertions that other laws prohibit access.

[snip]

Uncertainty about the legal authority of Inspectors General to access all information in an agency’s possession could also negatively affect interactions between the staffs of the Offices of Inspector General and the agencies they oversee. Prior to this opinion, agency personnel could be confident, given the clear language of Section 6(a) of the IG Act, that they were required to and should share information openly with Inspector General staff, and typically they did so without reservation or delay. This led to increased candor during interviews, greater efficiency of investigations and other reviews, and earlier and more effective detection and resolution of waste, fraud, and abuse within Federal agencies. We are concerned that witnesses and other agency personnel, faced with uncertainty regarding the applicability of the OLC opinion to other records and situations, may now be less forthcoming and fearful of being accused of improperly divulging information. Such a shift in mindset also could deter whistleblowers from directly providing information about waste, fraud, abuse, or mismanagement to Inspectors General because of concern that the agency may later claim that the disclosure was improper and use that decision to retaliate against the whistleblower.

Neither FBI Director Jim Comey nor Deputy Attorney General Sally Yates are appearing at tomorrow’s hearing. FBI Associate Deputy Director Kevin Perkins and Associate Deputy Attorney General Carlos Uriarte have pulled the unpleasant duty of appearing on a panel with Horowitz. But I imagine Grassley intends tomorrow’s hearing to be rather aggressive.

How CISA Might Hurt FBI’s Ability to Fight Cyberattacks

/in /by

DOJ’s Inspector General just released a report on how well FBI’s cybersecurity initiative has been going. In general, it finds that the FBI has improved its ability to investigate cyberattacks.

But among the most significant challenges facing the FBI is in two-way information sharing with the private sector.

You might think that the Cyber Information Sharing Act — which after all, aims to increase information sharing between the private sector and those in government who will investigate it — would help that.

On one count it would: private sector entities interviewed by the IG were reluctant to cooperate with the FBI because of FOIA concerns.

During our interviews with private sector individuals, we found that private sector entities are reluctant to share information, such as PII or sensitive or proprietary information, with the government because of concerns about how that information could be used or the possibility that it could be publicly released under the Freedom of Information Act (FOIA).26 One private sector professional told us that he had declined to be interviewed by the OIG due to FOIA concerns.

CISA would include a blanket exception from FOIA — which is not necessarily a good thing, but should placate those who have these concerns.

But other private sector entities expressed concerns about the multiple uses to which shared data would be put. They cited Snowden disclosures showing data might be used for other purposes.

In addition, several private sector individuals discussed with us the challenges in collaborating with the FBI in a “post-Snowden” era. One private sector individual emphasized that Snowden has redefined how the private sector shares information with the United States government. We were told by private industry representatives and the FBI that, following the Snowden disclosures, private sector entities have become more reluctant to share information with the United States government because they are uncertain as to how the information they provide will be used and are concerned about balancing national security and individual privacy interests.

The recent reports on the use of cyber signatures for upstream Section 702 collection show that the NSA and FBI might be able to use signatures to search all traffic (though I suspect FISC has put more limitations on this practice than is currently known).

Just as troubling, however, are the broad permissions under CISA to use the data turned over under the law for prosecutions on a range of crimes. Right now, ECPA has provided tech companies — at least the ones that pushed back on NSLs demanding Internet data — a way to protect their customers from fishing expeditions. CISA is voluntary (though I can imagine many ways pressure would be brought to participate), but it does undermine that system of protections for customers.

When commenting on this, Jim Comey apparently added in proprietary information among the concerns of providers, along with the explicitly described “guard[ing] customer data.

The FBI Director has acknowledged private sector concerns related to proprietary information and the need to guard customer data and stated the FBI will do what it can to protect private sector privacy.27

Given NSA’s voracious use of any information it gets its hands on, and the broad permissions for information sharing in the bill, the protections for trade secrets may not be enough for the private sector, since it’s now clear the government, not just competitors, is exploiting trade secrets.

The IG ends this section urging the FBI to provide “appropriate assurances” about its handing of Personally Identifiable Information.

More generally, efforts to detect, prevent, and mitigate threats are hampered because neither the public nor private sector can see the whole picture.

The FBI Director further explained government lacks visibility into the many private networks maintained by companies in the United States, and the FBI “has information it cannot always share [with the private sector].” Consequently, each can see distinct types of cyber threats, but the information is not always visible to the other. We believe that the FBI should strengthen its outreach efforts to provide appropriate assurances regarding its handling of PII and proprietary information received from the private sector and work to reduce classification, where appropriate, of information in its possession in order to improve sharing and collaboration in both directions consistent with appropriate privacy and other limitations.

It is just my opinion, but I suspect CISA, as written, would further exacerbate concerns.

Finally, Inspector General Michael Horowitz’ statement releasing this report includes something not developed in the report itself, perhaps because it is a more recent concern: security of data shared with the federal government.

And, the FBI continues to face challenges relating to information sharing with private sector entities, in part because of concerns in the private sector about privacy and the security of sensitive information it shares with the government.

I’d be very interested in whether this stems just from trade secret concerns or from the concern that several of the agencies that would automatically get data shared with the government have their own cybersecurity challenges.

 

OLC Undermines DOJ Inspector General Independence

/9 Comments/in /by

For over a year, DOJ’s Inspector General has been trying to ensure it got ready access to things like grand jury materials (this has been pertinent in the Fast and Furious investigation and how DEA and FBI use the latter’s dragnet, among other things). As part of this effort, the IG asked OLC to weigh in on whether it should be able to access this information, or whether it needed to ask nicely, as it has been forced to do.

Here’s the opinion. Here’s the key passage:

In particular, Title III permits Department officials to disclose to OIG the contents of intercepted communications when doing so could aid the disclosing official or OIG in the performance of their duties related to law enforcement, including duties related to Department leadership’s supervision of law enforcement activities on a programmatic or policy basis. Rule 6(e) permits disclosure of grand jury materials to OIG if a qualifying attorney determines that such disclosure could assist her in the performance of her criminal law enforcement duties, including any supervisory law enforcement duties she may have. And FCRA permits the FBI to disclose to OIG consumer information obtained pursuant to section 626 if such disclosure could assist in the approval or conduct of foreign counterintelligence investigations, including in the supervision of such investigations on a programmatic or policy basis. In our view, however, Title III and Rule 6(e) forbid disclosures that have either an attenuated or no connection with the conduct of the Department’s criminal law enforcement programs or operations, and section 626 of FCRA forbids disclosures that have either an attenuated or no connection with the approval or conduct of foreign counterintelligence investigations.

And here’s OIG’s response.

Today’s opinion by the OLC undermines the OIG’s independence, which is a hallmark of the Inspector General system and is essential to carrying out the OIG’s oversight responsibilities under the Inspector General Act. The OLC’s opinion restricts the OIG’s ability to independently access all records in the Justice Department’s possession that are necessary for our audits, reviews, and investigations, and is contrary to the principles and express language set forth in the Inspector General Act.

The opinion also finds that, in adopting Section 218 of the Department of Justice’s FY 2015 Appropriations Act, Congress’ intent was not sufficiently clear to support independent OIG access to all records in the Department’s possession. The OLC’s opinion reaches this conclusion even though Congress passed Section 218 “to improve OIG access to Department documents and information” following the Department’s failure to independently and timely provide all responsive records to the OIG, and Section 218 explicitly provides that the Department may not use appropriated funds to withhold records from the OIG for reasons other than as expressly provided in the Inspector General Act.

As a result of the OLC’s opinion, the OIG will now need to obtain Justice Department permission in order to get access to important information in the Department’s files – putting the agency over which the OIG conducts oversight in the position of deciding whether to give the OIG access to the information necessary to conduct that oversight. The conflict with the principles enshrined in the Inspector General Act could not be clearer and, as a result, the OIG’s work will be adversely impacted.

The OIG will immediately ask Congress to pass legislation ensuring that the OIG has independent access to the information it needs for its work. The Attorney General and the Deputy Attorney General have each expressed their commitment to join the OIG in this effort.

Inspector General Michael E. Horowitz stated:

“I strongly disagree with the OLC opinion. Congress meant what it said when it authorized Inspectors General to independently access ‘all’ documents necessary to conduct effective oversight. Without such access, our Office’s ability to conduct its work will be significantly impaired, and it will be more difficult for us to detect and deter waste, fraud, and abuse, and to protect taxpayer dollars. We look forward to working with the Congress and the Justice Department to promptly remedy this serious situation.”

[This post has been updated to add the opinion.]