Posts

DOJ IG: FBI’s Secret Applications of PRTT Are Even More Secret than Its Secret Applications of Section 215

/3 Comments/in /by

DOJ’s Inspector General just released its unclassified summary of its classified report on FBI’s use of Pen Register/Trap and Trace authority.

It is rather thin, just 5 pages long. It explains what it is in the secret report.

We described the different types of pen registers that were used and the variety of information that was collected, as well as some of the technological and legal issues the Department and FBI faced with particular uses of pen register authority. We also describe the investigative circumstances under which the authority is generally used and trends in its use. The FBI and the Intelligence Community determined that much of this information is classified or “for official use only,” and therefore we cannot include it in this Executive Summary.

Our classified report also describes the FBI’s practices for storing and handling pen register information, most of which have remained substantially unchanged since our 2007 – 2009 review period, and it provides an overview of the compliance process and a summary of the compliance incidents involving the use of pen register authority that occurred from 2007 through 2009. Our classified report also includes several findings, only one of which we can describe in this unclassified Executive Summary.

The claim is rather interesting, given that documents EPIC obtained under FOIA make it clear FBI has used PRTT orders to get location data (not at all surprising given that it does so under criminal PRTTs as well), and that it has 7 exotic applications of Post Cut Through Dialed Digits. Those EPIC documents also reveal that John Bates redefined the meaning of Dialing, Routing, Addressing, and Signaling to include some content.

How is it EPIC could obtain those documents but DOJ’s IG can’t tell us what he found about these practices?

The one conclusion DOJ’s IG can share, sort of, is that FBI has problems weeding out data it shouldn’t have.

[W]e highlighted the challenges the Department faced, and still faces, in ensuring that the government collects or uses only that information that it is lawfully permitted to obtain.

[snip]

We found that the Department’s National Security Division and FBI do not conduct systematic compliance reviews of pen registers, and instead rely on personnel assigned to cases involving pen registers to report any compliance violations.

The report repeatedly notes that “the government is not authorized under FISA to obtain the contents of wire or electronic communications with a pen register order.” Which, of course, we know it has, both under the NSA program, as well as under PCTDD (indeed, discussions with the FISC over both the content collection under the NSA collection and the PCTDD uses took place in 2009, within the scope of the report).

So I assume part of the problem — part of the reason why FBI treats its PRTT programs with greater secrecy than its Section 215 programs — is because it violates the law but doesn’t have the means in place to catch its own violations.

I mean, if FBI wants to declassify the proof that that isn’t true, by all means they should do so. But the available evidence suggests the FBI and government more generally is probably still violating the terms of PRTT under FISA.

Did FBI Stall an IG Review of Innocent Americans Sucked Up in the Dragnet?

/6 Comments/in /by

I mentioned earlier that the FBI withheld information on the Bureau’s use of phone dragnet tippers from DOJ’s Inspector General long enough to make any review unusable for Congress’ consideration before it passed USA F-ReDux.

That’s important because of this passage from the Stellar Wind IG Report.

Another consequence of the Stellar Wind program and the FBI’s approach to assigning leads was that many threat assessments were conducted on individuals located in the United States, including U.S. persons, who were determined not to have any nexus to terrorism or represent a threat to national security.402 These assessments also caused the FBI to collect and retain a significant amount of personal identification about the users of tipped telephone numbers and e-mail addresses. In addition to an individual’s name and home address, such information could include where the person worked, records of foreign travel, and the identity of family members. The results of these threat assessments and the information that was collected generally were reported in communications to FBI Headquarters and uploaded into FBI databases.

The FBI’s collection of U.S. person information in this manner is ongoing under the NSA’s FISA-authorized bulk metadata collection. To the extent leads derived from this program generate results similar to those under Stellar Wind, the FBI will continue to collect and retain a significant amount of information about individuals in the United States, including U.S. persons, that do not have a nexus to terrorism or represent a threat to national security.

We recommend that as part of the [redacted] project, the Justice Department’s National Security Division (NSD), working with the FBI, should collect addresses disseminated to FBI field offices that are assigned as Action leads and that require offices to conduct threat assessments. The information compiled should include whether individuals identified in threat assessments are U.S. or non-U.S. persons and whether the threat assessments led to the opening of preliminary or full national security investigations. With respect to threat assessments that conclude that users of tipped telephone numbers or e-mail addresses are not involved in terrorism and are not threats to national security, the Justice Department should take steps to track the quantity and nature of U.S. person information collected and how the FBI retains and utilizes this information. This will enable the Justice Department and entities with oversight responsibilities, including the OIG and congressional committees, to assess the impact this intelligence program has on the privacy interests of U.S. persons and to consider whether, and for how long, such information should be retained. (PDF 666-7/329-330)

After a preceding section talking about how many of the tippers to FBI — which, after all, may be two hops away from someone of interest — weren’t all that useful, DOJ’s IG (the current IG, Michael Horowitz’s predecessor, Glenn Fine) noted how many Americans with no nexus to terrorism nevertheless have their names, home addresses, workplace, travel records, and family members’ identities collected and stored in an FBI database, potentially for decades. And, we now know, those assessments would include a search for any previously-collected content, which the FBI could read without a warrant.

Fine recommended that FBI begin to track what happens with the Americans sucked up in PATRIOT-authorized dragnets.

But we can be virtually certain FBI chose not to heed that recommendation, because it hasn’t heeded similar recommendations with NSLs, and because FBI refuses to track any of their other FISA-related activities.

And Horowitz has been very disciplined in following up on previous IG recommendations in reports that follow up on like topics, so that is likely one of the things he planned to investigate with his focus on the “receiving, processing, and disseminating [of] leads” from the phone dragnet.

The review will examine the FBI’s procedures for receiving, processing, and disseminating leads the NSA develops from the metadata, as well as any changes that have been made to these procedures over time. The review will also examine how FBI field offices respond to leads and the scope and type of information field offices collect as a result of any investigative activity that is initiated. In addition, the review will examine the role the leads have had in FBI counterterrorism efforts

Frankly, because NSA had to curtail so much of what they were doing with the phone dragnet in 2009, there should be fewer Americans sucked up in the dragnet now then there was when Fine did his Stellar Wind review in 2008-09. Though if FBI continued to require an assessment of every new identifier, it would still result in a lot of innocent Americans having their lives unpacked and stored for 30 years by the FBI.

But those numbers will likely be higher — potentially significantly higher — under USA F-ReDux, because any given query will draw off of more kinds of information. More importantly, FBI is exempted from counting the queries it does on any database of call detail records obtained under the new CDR function.

(C) the number of search terms that included information concerning a United States person that were used to query any database of call detail records obtained through the use of such orders;

[snip]

(A) FEDERAL BUREAU OF INVESTIGATION.—Paragraphs (2)(A), (2)(B), and (5)(C) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

This strongly suggests the data will come in through the FBI, be treated under FBI’s far more permissive (than NSA’s) minimization procedures, and searched regularly. Which likely means the privacy implications of innocent Americans sucked up into the dragnet will be far worse. And all that’s before any of the analysis NSA will do on these query results.

There was no public consideration of the privacy impact of the innocent Americans sucked in under the CDR function during the USA F-ReDux debate (though I wrote about it repeatedly).

But if DOJ’s IG intended to include past recommendations in its review of what FBI does with the phone dragnet data — which would be utterly consistent with past practice — that’s one of the things this review, the review FBI stalled beyond the point when it could be useful, would have focused on.

 

FBI Successfully Runs Out the Clock on DOJ’s Inspector General Review of Use of Phone Metadata

/9 Comments/in /by

While everyone was focused on USA F-ReDux last week, DOJ’s Inspector General submitted its semiannual report. In it, Michael Horowitz reiterated his complaint that FBI was stonewalling on document production. He listed 4 requests made after Congress defunded such stonewalling on which FBI was still stonewalling at the end of March.

The OIG has sent four letters to Congress to report that the FBI has failed to comply with Section 218 by refusing to provide the OIG, for reasons unrelated to any express limitation in Section 6(a) of the IG Act, with timely access to certain records in ongoing OIG reviews. Those reviews are:

  • Two FBI whistleblower retaliation investigations, letter dated February 3, 2015, which is available here;
  • The FBI documents related to review of the DEA’s use of administrative subpoenas, letter dated February 19, 2015, which is available here;
  • The FBI’s use of information derived from collection of telephony metadata under Section 215 of the Patriot Act, letter dated February 25, 2015, which is available here; and
  • The FBI’s security clearance adjudication process, letter dated March 4, 2015, which is available here.

As of March 31, 2015, the OIG document requests were outstanding in every one of the reviews and investigations that were the subject of the letters above. The OIG is approaching the 1 year anniversary of the Deputy Attorney General’s request in May 2014 to the Office of Legal Counsel for an opinion on these matters, yet that opinion remains outstanding and the OIG has been given no timeline for the issuance of the completed opinion. Although the OIG has been told the opinion is a priority for the Department, the length of time that has now passed suggests otherwise. Instead, the status quo continues, with the FBI repeatedly ignoring the mandate of Section 218 and the Department failing to issue an opinion that would resolve the matter. The result is that the OIG continues to be prevented from getting complete and timely access to records in the Department’s possession. The OIG’s ability to conduct effective and rigorous oversight is being undercut every day that goes by without a resolution of this dispute.

Of particular note, as of March 31, FBI was still stonewalling an October 10, 2014 request (and January 2015 deadline) connected with DOJ IG’s review of how FBI has been using metadata from phone dragnets.

The OIG requested these records in connection with its pending review of the FBI’s use of information derived from the National Security Agency’s collection of telephony metadata obtained from certain telecommunications service providers under Section 215 of the Patriot Act. The timeliness of production is particularly important given that Section 215 of the Patriot Act is set to expire in June of this year.

FBI was also still stonewalling records of how it used DEA’s dragnet, but in the case of phone metadata, Horowitz specifically tied the investigation to the upcoming sunset of Section 215 authority.

DOJ’s IG wanted to review what was happening with the 2-hop dragnet data that got turned over to FBI before Congress reauthorized Section 215. And FBI successfully stalled that effort until after Congress passed a bill that will almost certainly result in far more phone metadata being turned over to FBI, and under far more permissive rules than they had been under.

I’ll explain why that was probably important in a follow-up post. But for the moment, as pundits declare winners and losers on yesterday’s passage of USA F-ReDux (I’ll do my own version of that too, shortly!), it’s worth noting that FBI successfully ran out the clock on its own IG, preventing us from learning about the privacy impact of one little-considered aspect of the dragnet.

DOJ IG Issues Yet Another Classified Report that Should Be Public Before Congress Votes on PATRIOT Act

/in , /by

DOJ’s Inspector General just announced it completed its draft report on the use of Pen Register/Trap and Trace between 2007 and 2009 15 months ago, but the Intelligence Community only finished its classification review last month. It has now issued a classified version of that report to the Judiciary and Intelligence Committees.

Department of Justice Inspector General Michael E. Horowitz today issued a classified report entitled, The Federal Bureau of Investigation’s Use of Pen Register and Trap and Trace Devices under the Foreign Intelligence Surveillance Act in 2007 through 2009. The Department of Justice (DOJ) Office of the Inspector General (OIG) completed a draft of this report in February 2014. At that time, we provided the draft report to DOJ, the Federal Bureau of Investigation (FBI), and the Intelligence Community to conduct factual accuracy and classification reviews. In May 2014, we circulated an updated draft report that reflected minor revisions made in response to the factual accuracy comments we received. We did not receive the final results of the classification reviews until April 30, 2015.

We are providing today’s classified report to the relevant Congressional oversight and intelligence committees, as well as to DOJ leadership offices. We recently submitted a short unclassified Executive Summary of the report to DOJ, the FBI, and the Intelligence Community for review. We will publicly release the Executive Summary as soon as that review is completed.

This is another report that should have been released long before the current debate on the PATRIOT Act. While PRTT is not among the authorities that sunsets on Sunday, the issues surrounding the shut-down of the bulk Internet program in (around) October 2009 are central to the debate about the dragnet going forward, because “call” records are increasingly Internet records.

Moreover, the USA F-ReDux calls for “privacy guidelines” that I believe are still inadequate to protect US persons’ privacy in the ways the IC is likely using PRTT today. Plus, PRTT is likely used for applications — such as tower dumps and Stingrays — that affect the privacy of many people not otherwise targeted. Congress should have details about that before they legislate.

In addition, Richard Burr’s bill actually adopts a definition of “content” — excluding Dialing, Routing, Addressing, and Signaling data from the definition of content — that responds directly to the issues behind the Internet dragnet shutdown in 2009.

Last week, much of DC discovered for the first time — because of the delayed release of DOJ IG’s report on Section 215 — what I had been reporting for months: that the bulk of Section 215 orders actually collect bulky Internet data. That report also disclosed that, at least as used up until 2009 (that is, as FBI just started using 215 for that Internet collection), Section 215 wasn’t all that useful.

It is highly likely that the 15-month old PRTT report DOJ’s IG just released would have information that is equally important to this debate.

But the public is not going to have access to it.

DOJ IG Report Confirms Government Flouted Statutory Requirements of Section 215 for 7 Years

/6 Comments/in /by

For over a year, Congress has been working on a “reform” to Section 215 that it claims will rein in abusive government spying.

Also for about a year, DOJ’s Inspector General has been trying to release a Report on Section 215 use up to 2009. That investigation first began 1,800 days ago.

DOJ has finally managed to release the report.

It confirms a number of things I have been reporting for years: that the government uses the provision to collect records that have nothing to do with phone records in bulk, the majority of which are now Internet records, definitely including URLs and probably including subject lines.

But the takeaway report is something else I’ve been reporting on for some time.

The government completely blew off a requirement imposed with the 2006 PATRIOT Act Reauthorization that the FBI (which is the only agency that’s supposed to use Section 215) adopt minimization procedures specifically for Section 215. Even after FBI missed its September 2006 deadline by claiming it had Interim Procedures, FISC kept approving Section 215 orders, even including paragraphs that appear in every phone dragnet order claiming the government has met that statutory requirement. A year after DOJ’s Inspector General pointed out FBI was violating the statute, FISC started imposing its own minimization procedures and reporting requirements (though not — as a court operating with more transparency might have done — denying orders). Finally, in March 2013, DOJ adopted minimization procedures (though it did not start actually complying with them until more than four months after Edward Snowden’s leaks focused more attention on bulk 215 orders).

In other words, Congress imposed a mandate designed to protect innocent Americans’ privacy in 2006. And DOJ blew that statutory mandate off for years. And FISC let it do so for years, approving order after order requiring FBI to have fulfilled that mandate. And only after 7 years (and some unexpected transparency) did DOJ start following the law.

These are the people Congress is rushing headlong to provide new authorities (including an Emergency provision that is designed to invite abuse): government agencies who simply refuse to follow Congressional mandates.

The Loss of PRTT Minimization Review in USA F-ReDux

/in /by

As I noted earlier, the House Judiciary Committee just released a new version of USA Freedom Act, which I’ve dubbed USA F-ReDux. I’ll have a lot more to say about it, but I want to make two minor point about things that got taken out of Leahy’s bill from last year.

Section 215 Minimization

215 tracker

First, last year’s bill had minimization procedures tied to bulky Section 215 collection effectively requiring the government to destroy the data that had not been determined to be two hops from a target within a period of time.

(C) for orders in which the specific selection term does not specifically identify an individual, account, or personal device, procedures that prohibit the dissemination, and require the destruction within a reasonable time period (which time period shall be specified in the order), of any tangible thing or information therein that has not been determined to relate to a person who is—

(i) a subject of an authorized investigation;

(ii) a foreign power or a suspected agent of a foreign power;

(iii) reasonably likely to have information about the activities of—

(I) a subject of an authorized 21 investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation;

(iv) in contact with or known to—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation,

Those minimization procedures resemble what we’ve seen from the minimization procedures FISC imposed on the phone dragnet, which probably means they also resemble what FISC was imposing in other cases. In the previous year (2013), FISC had imposed minimization procedures on almost 80% of all orders.

In other words, the clause basically required the government to do what the FISC was probably already forcing it to do in the majority of orders (which, in any case, permitted the government to keep, indefinitely, the records associated with people two hops out of someone whom the government had a traffic stop suspicion had ties to terror or spying).

Last year, however, the FISC modified fewer than 3% of orders, and at least one of those was probably a phone dragnet one. Perhaps the change means the government finally started complying with the requirement laid out in 2006 that it adopt minimization procedures (the impending Section 215 IG Report likely created an incentive to do that, as following the law on minimization was one of the recommendations Glenn Fine had made in 2008, so Michael Horowitz surely followed up on that recommendation; plus, the generally law-abiding James Baker assumed FBI’s General Counsel role in this period). Perhaps it means the government stopped making bulky collections (though that is unlikely). But for some reason, the number of orders on which the FISC imposed minimization procedures and a report back fell off a cliff.

And now the requirement that the government adopt minimization procedures for bulky collection is gone from the bill.

I might be alarmed by that, but this year’s bill does add a Rule of Construction clarifying that the FISA Court can impose additional minimization procedures on top of what the bill requires the government to adopt for Section 215. So it may be that if the FBI returns to its recidivist ways on minimization procedures, we’ll see the number of modified orders spike again.

PRTT “Privacy Procedures”

I’m more concerned about what happened on the Pen Register side.

Last year, the PRTT section added new “privacy” (not “minimization”) procedures.

IN GENERAL.—The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard nonpublicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect national security, include privacy protections that apply to the collection, retention, and use of information concerning United States persons.

Compare how squishy those privacy procedures are to the required Section 215 minimization procedures FBI blew off for years.

A) specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(B) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in section 1801 (e)(1) of this title, shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance; and

Rather than requiring the procedures minimize the retention and dissemination, the bill required only that privacy protections be applied. And there was no requirement limiting dissemination of non-foreign intelligence data.

But at least there were privacy procedures, right? Baby steps?

Last year’s bill had, and this year’s bill retains, a Rule of Construction (like that added to Section 215) that notes nothing limits FISC’s power to impose additional minimization procedures.

(2) RULE OF CONSTRUCTION.—Nothing in this subsection limits the authority of the court established under section 103(a) or of the Attorney General to impose additional privacy or minimization procedures with regard to the installation or use of a pen register or trap and trace device.

Which is all well and good, but FISC’s authority to do so with PRTT has no statutory basis, unlike Section 215. And during both the 2004 initial application for the Internet dragnet and John Bates’ 2010 reauthorization of it, the government made some fairly aggressive claims about FISC’s impotence to do anything but rubber stamp applications. So this Rule of Construction may not have the same weight as that in Section 215.

Which is why I worry that this section was removed from the bill.

(3) COMPLIANCE ASSESSMENT.—At or before the end of the period of time for which the installation and use of a pen register or trap and trace device is approved under an order or an extension under this section, the judge may assess compliance with the privacy procedures required by this subsection by reviewing the circumstances under which information concerning United States persons was collected, retained, or disseminated.

As the documents on the phone dragnet violations showed, unless FISC has and exercises the authority to ensure compliance with minimization procedures, the government will cheat (or, more charitably, not find systematic years-long violations staring them in the face). FISC seemed to recognize this when it imposed compliance reports on its minimization of Section 215 orders in recent years. But it won’t have statutory authority to review assessment with these already-squishy “privacy procedures.”

Read more

Michael Horowitz’ Monthly Complaint about FBI and DEA Stonewalling

/2 Comments/in /by

The House Oversight Committee is having a hearing on the problems law enforcement agencies have with sexual harassment and misconduct, as reported by DOJ’s Inspector General. DEA Administrator Michele Leonhart will be offering amusing testimony about how the DEA has given its Agents clear instructions that they’re really the best evah™ but they need to stop breaking the law.

But because I’m an IG nerd, I’m as interested in what has become a monthly event during DOJ Inspector General Michael Horowitz’ tenure, when he provides details of FBI and DEA’s latest stonewalling of oversight. Here’s today’s version:

Further, we cannot be completely confident that the FBI and the DEA provided us with all information relevant to this review. When the OIG finally received from the FBI and DEA the requested information without extensive redactions, we found that it still was incomplete. For example, we determined that the FBI removed a substantial number of cases from the result of their search and provided additional cases to the OIG only after we identified some discrepancies. These cases were within the scope of our review and should have been provided as requested. Likewise, the DEA also provided us additional cases only after we identified some discrepancies. In addition, after we completed our review and a draft of the report, we learned that the DEA used only a small fraction of the terms we had provided to search its database for the information needed for our review. Rather than delay our report further, we decided to proceed with releasing it given the significance of our findings.

We also determined that the DEA initially withheld from us relevant information regarding an open case involving overseas prostitution. During a round of initial interviews, only one interviewee provided us information on this case. We later learned that several interviewees were directly involved in the investigation and adjudication of this matter, and in follow-up interviews they each told us that they were given the impression by the DEA that they were not to talk to the OIG about this case while the case was still open. In order to ensure the thoroughness of our work, the OIG is entitled to receive all information in the agency’s possession regardless of the status of any particular case.

As I have testified on multiple occasions, in order to conduct effective oversight, an Inspector General must have timely and complete access to documents and materials needed for its audits, reviews, and investigations. This review starkly demonstrates the dangers inherent in allowing the Department and its components to decide on their own what documents they will share with the OIG, and even whether the Inspector General Act requires them to provide us with requested information. The delays experienced in this review impeded our work, delayed our ability to discover the significant issues we ultimately identified, wasted Department and OIG resources during the pendency of the dispute, and affected our confidence in the completeness of our review.

This was not an isolated incident. Rather, we have faced repeated instances over the past several years in which our timely access to records has been impeded, and we have highlighted these issues in our reports on very significant matters such as the Boston Marathon Bombing, the Department’s use of the Material Witness Statute, the FBI’s use of National Security Letters, and ATF’s Operation Fast and Furious.

The Congress recognized the significance of this impairment to the OIG’s independence and ability to conduct effect oversight, and included a provision in the Fiscal Year 2015 Appropriations Act — Section 218 — which prohibits the Justice Department from using appropriated funds to deny, prevent, or impede the OIG’s timely access to records, documents, and other materials in the Department’s possession, unless it is in accordance with an express limitation of Section 6(a) of the IG Act. Despite the Congress’s clear statement of intent, the Department and the FBI continue to proceed exactly as they did before Section 218 was adopted – spending appropriated funds to review records to determine if they should be withheld from the OIG. The effect is as if Section 218 was never adopted. The OIG has sent four letters to Congress to report that the FBI has failed to comply with Section 218 by refusing to provide the OIG, for reasons unrelated to any express limitation in Section 6(a) of the IG Act, with timely access to certain records.

We are approaching the one year anniversary of the Deputy Attorney General’s request in May 2014 to the Office of Legal Counsel for an opinion on these matters, yet that opinion remains outstanding and the OIG has been given no timeline for the issuance of the completed opinion. Although the OIG has been told on occasion over the past year that the opinion is a priority for the Department, the length of time that has now passed suggests otherwise. Instead, the status quo continues, with the FBI repeatedly ignoring the mandate of Section 218 and the Department failing to issue an opinion that would resolve the matter. The result is that the OIG continues to be prevented from getting complete and timely access to records in the Department’s possession. The American public deserves and expects an OIG that is able to conduct rigorous oversight of the Department’s activities. Unfortunately, our ability to conduct that oversight is being undercut every day that goes by without a resolution of this dispute.

At some point, Congress is going to have to decide whether it will use the power of the purse — as they have authorized by statute — to force DEA and FBI to meet the same standards of disclosure that mere citizens would be required if DEA and FBI were investigating them.

Until then, we should just assume FBI and DEA are breaking the law.

DEA Likely Has More than One Dragnet

/9 Comments/in , /by

As yesterday’s USAT story on the DEA dragnet reported, DOJ’s Inspector General is investigating DEA’s dragnet. I first reported that in April 2014.

As I also reported in February, FBI is obstructing that investigation — so much so, that DOJ’s Inspector General Michael Horowitz encouraged Congress to start using appropriations to force it to stop.

The unfulfilled information request that causes the OIG to make this report was sent to the FBI on November 20,2014. Since that time, the FBI has made a partial production in this matter, and there have been multiple discussions between the OIG and the FBI about this request, resulting in the OIG setting a final deadline for production of all material of February 13,2015.

On February 12, 2015, the FBI informed the OIG that it would not be able to produce the remaining records by the deadline. The FBI gave an estimate of 1-2 weeks to complete the production but did not commit to do so by a date certain. The reason for the FBI’s inability to meet the prior deadline set by the OIG for production is the FBI’s desire to continue its review of emails requested by the OIG to determine whether they contain any information which the FBI maintains the OIG is not legally entitled to access, such as grand jury, Title III electronic surveillance, and Fair Credit Reporting Act information.

DOJ IG’s comments about this investigation are worth reconsideration for two reasons.

First, FBI’s obstruction of the investigation emphasize what we already knew from the Shantia Hassanshahi case (via which we first learned about this database). The FBI is (was) also using this database, and for purposes that far exceed counter-narcotics (Hassanshahi was busted for sanctions violations). And, as the Homeland Security investigator’s dramatically changing stories about how he first identified Hassanshahi suggest, for each of those usages, there’s likely some kind of parallel construction going on.

How many cases have been based off this giant dragnet?

But also look at how DOJ’s IG has described this investigation.

Administrative Subpoenas

The OIG is examining the DEA’s use of administrative subpoenas to obtain broad collections of data or information. The review will address the legal authority for the acquisition or use of these data collections; the existence and effectiveness of any policies and procedural safeguards established with respect to the collection, use, and retention of the data; the creation, dissemination, and usefulness of any products generated from the data; and the use of “parallel construction” or other techniques to protect the confidentiality of these programs.

DOJ IG is investigation DEA’s use of subpoenas to obtain broad collections of data or information. Its review will address the legal authority underlying these data collections.

Collections, plural.

Admittedly, we already know of two DEA dragnets: the international dragnet described by the USAT, and the domestic one — Hemisphere — though that resides at least partially with the White House Drug Czar.

But the authority used in the USAT dragnet, 21 USC 876, is the drug equivalent of Section 215, permitting the agency to obtain “tangible things” relevant to (that phrase again) an investigation. We know FBI used equivalent language under Section 215 to collect financial and Internet records as well.

Hell, the DEA couldn’t very well track drug cartels without following the money, via whatever means. Plus, we know cartels have used things like travelers checks and gift cards to move money in recent years.

So I would be willing to bet more than a few quarters that DOJ IG’s use of the term “collections” suggests there’s more than just these telecom dragnets hiding somewhere.

FBI’s Cell Phone Investigative Kiosk Would Allow Fourth Amendment Violations

/2 Comments/in /by

Jim Comey wants to sacrifice individual security to ensure the FBI can access cell phones easily.

But in an audit of a forensic lab in Philadelphia, DOJ’s Inspector General found that the FBI is not keeping adequate control of the kiosks that FBI uses to do initial reviews of data on cell phones.

As the report describes, cell phone kiosks serve as a “preview” tool of the contents of the data stored on a phone.

Cell Phone Investigative Kiosks (Kiosks) are available at select FBI field offices and RCFLs. A Kiosk is a preview tool that allows users to quickly and easily view data stored on a cell phone, extract the data to use as evidence, put it into a report, and copy the report to an electronic storage device such as a compact disk. Kiosks are not designed to take the place of full-scale cell phone examinations performed by certified Forensic Examiners; however, the evidence produced by a Kiosk is admissible in a court of law. Kiosk users are required to take a one-time hour-long training course and be familiar with computers. In addition, FBI policy requires Kiosk users to confirm they possess the proper legal authority for the search of data on cell phones or loose media.

The FBI only recently started tracking who had access to these kiosks. And when DOJ IG audited this office’s use of the kiosk, it found that 27% of the people who were accessing it hadn’t filled out the requisite paperwork to ensure only appropriate people used it.

We found that the PHRCFL did not have adequate controls over the access and use of its Kiosks. FBI policy requires Kiosk users to confirm they possess the proper legal authority for the search of data on cell phones or loose media. During our fieldwork, the FBI did not provide any information to show that PHRCFL Kiosk users were required to sign-in, identify the case related to the evidence being examined, or, as required by FBI policy, confirm that they possessed the proper legal authority to search for evidence on the cell phone. In addition, the FBI did not provide us with any information regarding controls in place at the PHRCFL to ensure that users do not use the Kiosks for non-law enforcement matters.

[snip]

we conducted limited testing of 25 visits during FYs 2012 through 2014 to verify compliance with the procedures in place. When the PHRCFL began using the Acknowledgment Form in May 2012, its visitor’s log contained a field for the purpose of each visitor’s visit. We selected names from the visitor’s log whose stated purpose for the visit was Kiosk usage and compared those names and dates to the corresponding Acknowledgment Forms. For the 17 visits we selected between May 2012 and January 2013, we found that approximately 24 percent of the PHRCFL Kiosk-related visitor log entries did not have corresponding Acknowledgment Forms.

[snip]

We believe that although the Kiosks are an efficient tool for law enforcement officers to use to examine digital evidence that may not require the extensive examination of a certified Forensic Examiner, Kiosks are vulnerable to potentially serious abuse. For example, without proper controls, it is possible that a Kiosk user could use this tool to view private cell phone information for non-law enforcement purposes. It also is possible for a user to use a Kiosk without proper legal authority, thereby engaging in a Fourth Amendment violation.

Later in the report, the IG noted that none of the centralized databases tracking other uses of the forensic office track use of the kiosk. That, combined with the paperwork failures, would sure permit FBI to do a whole lot of illegal cell phone searching that would not be tracked.

Which might explain why the numbers FBI shows for searching cell phones don’t actually match Director Comey’s stated concerns about iPhone encrypting its phone.

DOJ Pissed Away $2.1 Million on Drones that Don’t Work

/8 Comments/in /by

DOJ’s IG just released a report on the Department’s drone use. Its overall recommendation is that FBI get more drones, so it has them in locations around the country for quick use if they’re needed (sigh). It also found that FBI doesn’t have good records of how it partners with other agencies (notably, Customs and Border Patrol) to use their drones, which seems like it might present discovery problems.

But I’m most struck by how much money DOJ is blowing on drones that don’t work.

The IG reports — but seems unconcerned — that half of the drones FBI has bought are not operational.

Our September 2013 interim report found that between 2004 and 2013, the FBI spent approximately $3 million to acquire small UAS it deployed to support its investigations. As of August 2014, the FBI had acquired 34 UAS vehicles and associated control stations, of which it considered 17 vehicles and a smaller number of control stations to be operational.

I find this more troubling given that FBI claims only to have used drones in 13 investigations between September 2006 and August 2014. So are they losing more than one drone every time they use one for an investigation?

The IG is far more concerned about ATF’s sunk drone costs.

Our September 2013 interim report found that ATF possessed UAS and planned to deploy them operationally. Specifically, between September 2011 and September 2012, ATF’s UAS program spent approximately $600,000 to purchase three different types of rotary-wing UAS with a total of six UAS vehicles.

[snip]

ATF officials reported that ATF never flew its UAS in support its operations because TOB testing and pilot training revealed a series of technological limitations with the UAS models it had acquired. In particular, ATF determined the real-time battery capability for one UAS model lasted for only about 20 minutes even though the manufacturer specified its flight time was 45 minutes. ATF determined that the other two models of UAS acquired also were unreliable or unsuitable for surveillance. One UAS program manager told us ATF found that one of its smaller UAS models, which cost nearly $90,000, was too difficult to use reliably in operations. Furthermore, the TOB discovered that a gas-powered UAS model, which cost approximately $315,000 and was specified to fly for up to 2 hours, was never operable due to multiple technical defects.

In June 2014, the Special Operations Division concluded that ATF’s UAS were unsuitable for operational use, suspended all ATF UAS-related activities, and reassigned all UAS staff until after DOJ issues and ATF reviews new UAS policy recommendations. In September 2014, the TOB transferred its six UAS vehicles and other related equipment purchased prior to June 2014 to the Naval Criminal Investigative Service at no cost.

Although the OIG did not specifically audit ATF’s UAS contracts, we are troubled that the process ATF used to purchase these UAS resulted in ATF spending approximately $600,000 on UAS models it ultimately determined to have significant mechanical and technical problems that rendered them unsuitable to deploy in support of ATF operations.

By my calculation, all of ATF’s investments in drones ($600,000) and half of FBI’s investments in drones (half of $3 million) have been lost to drones that either never did or no longer work. $2.1 million on drones that don’t fly.

Don’t get me wrong. I’m not crazy about DOJ buying up a fleet of small drones for investigative uses they’re keeping inadequate paperwork on in the first place.

But neither am I happy about DOJ pissing away all this money on drones that don’t work.