Posts

Does the FBI STILL Have an Identity Crisis?

I’ve finished up my working threads on the NSA, CIA, and FBI Section 702 minimization procedures. And they suggest that FBI has an identity crisis. Or rather, an inability to describe what it means by “identification of a US person” in unclassified form.

Both the NSA and CIA minimization procedures have some form of this definitional paragraph (this one is NSA’s):

Identification of a United States person means (1) the name, unique title, or address of a United States person; or (2) other personal identifiers of a United States person when appearing in the context of activities conducted by that person or activities conducted by others that are related to that person. A reference to a product by brand name, or manufacturer’s name or the use of a name in a descriptive sense, e.g., “Monroe Doctrine,” is not an identification of a United States person.

Even though the FBI minimization procedures have a (briefer than NSA and CIA’s) definitional section and gets into when someone counts as US person from a geographical standpoint, it doesn’t have the equivalent paragraph on what they consider US person identifying information, which is central to minimization procedures.

Now, I might assume that this is just an oversight, something FBI forgot to incorporate as it was writing its own 702 minimization procedures incorporating what NSA has done.

Except that we know the FBI has suffered from this same kind of identity crisis in the past, in an analogous situation. As Glenn Fine described in the 2008 Inspector General Report on Section 215 (the one the successor for which has been stalled for declassification review for over 6 months), the FBI never got around to (and almost certainly still hasn’t gotten around to, except under modifications from the FISA Court) complying with Section 215’s requirement that it adopt minimization procedures specific to Section 215.

One holdup was disagreement over what constituted US person identifying information.

Unresolved issues included the time period for retention of information, definitional issues of “U.S. person identifying information,” and whether to include procedures for addressing material received in response to, but beyond the scope of, the FISA Court order; uploading information into FBI databases; and handling large or sensitive data collections.

(Note, there’s very good reason to believe FBI is still having all these problems, not least because several of them showed up in Michael Horowitz’ NSL IG Report last year.)

One problem Fine pointed out is that the AG Guidelines adopted in lieu of real minimization procedures don’t provide any guidance on when US identifying information is necessary to share.

When we asked how an agent would determine, for example, whether the disclosure of U.S. person identifying information is necessary to understand foreign intelligence or assess its importance, the FBI General Counsel stated that the determination must be made on a case-by-case basis.

While NSA’s 702 SMPs do lay out cases when FBI can and cannot share US person identifying information (those are, in some ways, less permissive than CIA’s sharing guidelines, if you ignore the entire criminal application and FBI’s passive voice when it comes to handling “sensitive” collections), if the guidelines for what counts as PII are not clear — or if they’re expansive enough to exempt (for example) Internet handles such as “emptywheel” that would clearly count as PII under NSA and CIA’s SMPs, then it would mean far more information on Americans can be shared in unminimized form.

And remember, FBI’s sharing rules are already far more lenient than NSA’s, especially with regards to sharing with state, local, and other law enforcement partners.

Call me crazy. But given the FBI’s past problems defining precisely this thing, I suspect they’re still refusing to do so.

NYT Mischaracterizes PCLOB Report While Transcribing NSA Pushback to WaPo

The NYT has a story transcribing Administration efforts to “play down new disclosures” from the WaPo showing that the bulk of people whose communications were collected in a sample provided by Edward Snowden were not targets. The key claim NYT transcribes is that NSA “filters out” US person communications.

Administration officials said the agency routinely filters out the communications of Americans and information that is clearly of no intelligence value.

In addition, the NYT claims that PCLOB had no problems with the way the government minimized all this data.

Just days before the Post article, an independent federal privacy board had largely endorsed the N.S.A.’s execution of the program. The Privacy and Civil Liberties Oversight Board concluded last week that the “minimizing” of that data was largely successful, at least under the current law, which Congress passed six years ago.

Um, no.

I hope to explain this at more length, but the WaPo suggests that the government did not comply with targeting and minimization requirements in two ways: first, because the standards for foreignness were not as stringent as witnesses have claimed for a year (something which NYT’s sources apparently don’t even try to rebut). But also, WaPo showed the NSA was not destroying communications that — at least from their own and even some of the analysts’ own descriptions of it — had no foreign intelligence value. Here are some analysts judging the data collected irrelevant.

“None of the hits that were received were relevant,” two Navy cryptologic technicians write in one of many summaries of nonproductive surveillance. “No additional information,” writes a civilian analyst.

It’s this second detail NYT’s sources attempt to rebut.

But NYT’s claim that PCLOB concluded minimization “was largely successful” ignores a number of concerns they raised about it, a number of which pertain to back door searches and upstream collection.

In addition to those concerns (which about four of PCLOB’s recommendations address), PCLOB raised this issue:

Therefore, although a communication must be “destroyed upon recognition” when an NSA analyst recognizes that it involves a U.S. person and determines that it clearly is not relevant to foreign intelligence or evidence of a crime,531 in reality this rarely happens. Nor does such purging occur at the FBI or CIA: although their minimization procedures contain age-off requirements, those procedures do not require the purging of communications upon recognition that they involve U.S. persons but contain no foreign intelligence information.

A communication must be destroyed upon recognition if it’s a US person communication with no intelligence value — PCLOB restates the standard that NYT’s sources claim is actually used. But after laying out that standard, PCLOB immediately says meeting that requirement “rarely happens.”

NYT’s sources say it routinely happens. PCLOB says it rarely happens at NSA, and not at all at CIA and FBI.

PCLOB, incidentally, recommends addressing this issue by having FISC review what tasking standards are actually used and then reviewing a subset of the data returned — precisely what the WaPo just did, though we have no way of knowing if WaPo had a representative sample.

But the story here should have been, “Administration’s rebuttal has already been refuted by PCLOB’s independent review.”

PCLOB and WaPo disagree about the tasking — PCLOB sides with past Administration witnesses on the assiduousness of NSA’s targeting.

But PCLOB entirely backs WaPo on how many worthless communications NSA is keeping and documenting.

All Your Data Belong to George

There’s a striking passage in one of the documents released in yesterday’s document dump.

Would NSA object to a legislative codification of E.O. 12333 minimization?

Yes because it can be difficult to change a statute if the procedures need to be changed in order to meet operational needs.

The passage refers to minimization, the process by which intelligence agencies protect the privacy of Americans whose communications are collected incidentally to their wiretapping activities. I find the passage striking, first of all, because it (indeed, the whole document) emphasizes the basis for minimization requirements in EO 12333, and not FISA. In response to a question about where minimization comes from, the document points to the EO.

Where does the need for minimization procedures come from?

The most direct answer is Executive Order 12333. Section 2.3 of that Order specifies that agencies in the Intelligence Community are authorized to collect, retain, or disseminate information concerning U.S. persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General.

This basically repeats that passage of EO 12333, which says,

Agencies within the Intelligence Community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order.

And then goes on to describe the kind of information that can be collected.

But why refer to an Executive Order, when FISA imposes a statutory requirement on minimization? And FISA’s minimization requirements provide more detail about what can and cannot happen with US person data. Read more