UNCLASSIFIED A Review of the FBI's Use of Section 215 Orders for Business Records in 2012 through 2014 Oversight Review Division 16-04 September 2016 NOTE A classified version of this report was completed in June 2016 and as required by the USA Freedom Act was provided to the Committee on the Judiciary and the Select Committee on Intelligence of the Senate and the Committee on the Judiciary and the Permanent Select Committee on Intelligence of the House of Representatives We also provided the report to cleared members of other relevant Congressional oversight committees This unclassified version of the report follows the completion of a classification review by the FBI and the Intelligence Community and contains redactions of information that they determined to be classified EXECUTIVE SUMMARY iii I II INTRODUCTION 1 A Methodology of the OIG Review 1 B Organization of the Report 3 BACKGROUND 4 A Legal Background 4 B The Process for Seeking Section 215 Orders 8 C Minimization Procedures 10 1 2 3 D III Compliance Issues 17 STATUS OF RECOMMENDATIONS 19 A Handling of Metadata Under the Final Procedures 19 1 2 B Necessary to Understand Foreign Intelligence Information 23 Dissemination of Information Relating to Computer Intrusions or Attacks 24 OVERVIEW OF BUSINESS RECORDS ORDERS ISSUED FROM 2012 THROUGH 2014 24 A The Overall Number of Business Records Orders 25 B Business Records Orders by FBI Field Office 28 C Analysis of Business Records Orders 28 1 2 3 4 V Initial Review of Meta data 20 Other Provisions Relating to Meta data 20 Retention and Dissemination of U S Person Information 23 1 2 IV Interim Minimization Procedures 10 Final Minimization Procedures 12 Retroactive Application of the Final Procedures 16 Types of Investigations from which Business Records Orders Originated 29 Subjects of Business Records Orders 30 Types of Records Requested in Approved Business Records Orders Filed on Behalf of the FBI 31 Timeliness of the Business Records Process 33 SELECTED SECTION 215 ORDERS OBTAINED BETWEEN 2012 AND 2014 37 A Selected Uses of Section 215 Authority 38 1 2 Related FBI Business Records Orders Counterterrorism Investigations 38 Multiple Business Records Orders in an FBI Counterintelligence Investigation 43 3 4 5 6 B Compliance Incidents 60 1 C VI ued May 2012 53 Section 215 Orders 014 55 Request for Section 215 Orders Issued October 2013 57 Multiple Business Records Orders in an FBI Counterintelligence Investigation 58 Full and Partial Su ect Lines from 60 2 61 3 DWS Release of Quarantined Records 63 Current Status of Bulk Collection under Section 215 63 CONCLUSION 65 ii EXECUTIVE SUMMARY This Executive Summary provides a brief overview of the results of the Department of Justice Department or DOJ Office of the Inspector General's OIG review of the Federal Bureau of Investigation's FBI use of the investigative authority granted by Section 215 of the Patriot Act between 2012 and 2014 Section 215 is often referred to as the Foreign Intelligence Surveillance Act FISA business records provision This is the OIG's fourth review of the FBI's use of FISA business records Three previous reports issued in March 2007 March 2008 and May 2015 addressed the FBI's use of Section 215 authority between 2002 and 2009 This current review is mandated by the USA Freedom Act of 2015 1 The USA Freedom Act signed into law on June 2 2015 directs the OIG to issue within 1 year of the date of enactment a report examining the FBI's use of Section 215 authority for calendar years 2012 to 2014 addressing any noteworthy facts or circumstances relating to Section 215 orders any illegal or improper use of Section 215 authority the effectiveness of Section 215 as an investigative tool and the adequacy of procedures used to minimize U S person information obtained in response to Section 215 orders To conduct this review the OIG reviewed the Standard Minimization Procedures for Tangible Things Obtained Pursuant to Title V of the Foreign Intelligence Surveillance Act adopted by the Attorney General on March 7 2013 Final Procedures We also examined over 90 000 documents obtained from the FBI and the Department's National Security Division's NSD Office of Intelligence including files relating to each FISA Court order approving use of Section 215 authority between 2012 and 2014 Department reports to Congress concerning that use during calendar years 2012 through 2014 documents detailing compliance incidents related to the FBI's use of Section 215 authority reports documenting the results of internal reviews conducted by NSD between 2012 and 2014 e-mails relating to approved and withdrawn business records applications and FBI and NSD policies and training materials related to the Final Procedures We reviewed each of the FISA Court-approved orders for business records between 2012 and 2014 in order to provide an overview of the characteristics of those orders and the underlying investigations in which they were obtained In addition we conducted a more in-depth analysis of the FBI's use of this authority in national security investigations by reviewing a sample of Section 215 orders and withdrawn applications selected from two FBI field offices that had relatively large and diverse uses of Section 215 orders and by conducting field visits in those offices Over the course of the review we also interviewed more than 50 individuals from the FBI and the Department including Section 1 USA FREEDOM Act is an acronym for United and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 Pub L No 114-23 129 Stat 268 2015 We refer to it in this report as the USA Freedom Act iii and Unit Chiefs from NSD's Office of Intelligence and the FBI's National Security Law Branch NSLB and attorneys case agents and supervisors who worked on individual Section 215 orders In this report we provide an overview of the FBI's use of Section 215 authority between 2012 and 2014 that describes the number of Section 215 orders obtained the type of information requested the types of FBI cases in which business records orders were used and the average time between initiation of a business records order request by an FBI field office and issuance of an order by the FISA Court Our review found that the number of business records orders obtained by the FBI increased significantly between 2007 and 2012 largely driven by the refusal of several communications providers to produce transactional records for e-mail accounts known as Electronic Communication Transaction Records or ECTRs in response to FBI National Security Letters NSLs Between 2012 and 2014 the FISA Court approved 561 business records orders 2 However as shown in Figure 1 between 2012 and 2014 the number of business records orders dropped from a 9-year high of 212 in 2012 to 170 in 2014 19 8% A further decrease occurred in 2015 when the number of orders fell to 142 2 After reviewing a draft of this report NSD commented that references to the number of business records orders should be changed to the number of approved applications for business records orders The OIG understands that some business records applications result in more than one order For example the FISA Court may issue orders to four separate providers when approving a single application requesting ECTRs for four e-mail addresses We also recognize that NSD reports the number of applications submitted to the FISA Court in its annual reports to Congress Nonetheless we decided to retain the references to the number of business records orders throughout this report as a matter of convenience iv FIGURE 1 Total Number of Approved Business Records Orders by Calendar Year 2007- 2015 3 e _ _ _ _-_-_ ____ 205 212 Ql '2 0 150 1100 z so t _ _ • 17 0 I 13 21 2007 2008 2009 2010 2011 2012 2013 Calendar Year 2014 2015 Source FBI An NSD Deputy Unit Chief noted the decline after 2012 and told the OIG that the number of ECTRs decreased more than other types of records He attributed the decline in part to revelations by Edward Snowden about the U S government's use of Section 215 to collect bulk telephony metadata both in terms of the stigma attached to use of Section 215 and increased resistance from providers In comments provided to the OIG after reviewing a draft of this report NSD stated that the degree to which the Snowden disclosures affected the number of business records applications was somewhat speculative and attributed the FBI's increasing use of taskings under Section 702 as likely a notable cause in the decrease in business records requests NSD stated that during the relevant period and continuing today it suggested that FBI withdraw business records requests for accounts used by non-U S persons located overseas that can instead be tasked under Section 702 4 Agents also told the OIG that they increasingly were electing to use criminal legal process instead of FISA authority 3 This table includes the total number of dockets for 2013 179 This number differs slightly from the number of approved applications for business records the Department reported to Congress for 2013 178 The OIG recognizes that one submission in 2013 was a copy of the Final Procedures which did not result in a FISA Court order As described below we excluded this docket from our numbers for purposes of analysis 4 Section 702 of the FISA Amendments Act allows the government to acquire foreign intelligence by targeting non-U S persons reasonably believed to be outside the United States Under Section 702 the government is not required to obtain individual surveillance orders from the FISA Court Instead the FISA Court approves targeting procedures to ensure that the government targets only non-U S persons reasonably believed to be outside the United States and minimization procedures to guard against the inadvertent collection retention and dissemination of U S person information v in counterterrorism and cyber investigations because of their frustrations with the lack of timeliness and the level of oversight in the business records process We analyzed data f o r of the 561 orders approved during our review eriod 5 Between 2012 and 2014 of t h e business records orders analyzed business records orders included requests for ECTRs representing • of all non-bulk orders compared t o - orders in the OIG's previous review period between 2007 and 2009 which constituted- of non-bulk orders The median time needed to obtain business records orders during our review period from initiation of a request by a field office until issuance of the order by the FISA Court was 115 days 6 While several NSD witnesses said that the volume of requests did not significantly impact their processing of business records orders others acknowledged that there had been delays in the process because things get backed up One NSLB attorney told the OIG that he was embarrassed at how long the business records process takes stating We are asking for less than a full FISA and it's taking twice as long According to the witnesses we interviewed both NSD and NSLB have taken steps to improve the business records process including streamlining the drafting and review process for ECTRs In addition the OIG found that Section 215 business records orders were used far more freque'2 J _in counterintelligence cases than as a counterterrorism or cyber tool Of the total orders we analyzed • were obtained in counterintelligence cases • in counterterrorism ca and in r cases ents told us that Section 215 orders uentl are while agents handling counterterrorism and cyber cases in some instances can open a parallel criminal case and use the grand jury process to obtain the same information more quickly and with less overs ht than a business records order In articular ts 6 FISA Court rules provide for submission of a proposed application an advance copy of an application commonly called a read copy no later than 7 days before the government seeks to have the matter entertained by the FISA Court Our analysis included the time that applications and proposed orders were with the FISA Court to provide the most accurate measurement of the time needed for the FBI to obtain business records orders While we do not have complete data regarding the FISA Court's processing of business records applications we were informed that read copies generally are provided the week before and the orders signed within a day or two of submission of the final application No witnesses cited delays with the FISA Court as an issue vi Our report describes Section 215 applications and orders between 2012 and 2014 that illustrate the varied uses of Section 215 authority While the FBI used business records orders most to obtain transactional records for e-mail Agents expressed concern about the length of the process to obtain a business records order but also told us that Section 215 authority continued to be a valuable investigative tool when companies would not voluntarily produce material sought by the FBI or produce it in response to other investigative authorities As with our previous reviews the majority of agents we interviewed did not identify any major case developments that resulted from use of the records obtained in response to Section 215 orders but told us that the material produced pursuant to Section 215 orders was valuable as a building block of the investigation and was used to support other investigative requests develop investigative leads and corroborate other information However in at least two cases agents we interviewed told us that the business records obtained in their investigation provided valuable information that they would not otherwise have been able to obtain In other instances case agents told us that they used the information obtained under Section 215 to exculpate a subject and close the investigation The OIG reviewed three compliance incidents that affected numerous business records orders between 2012 and 2014 The first involved the tion of full and partial e-mail subject lines by two providers _ _ which the OIG determined affected business records orders In a second compliance incident se to a si le busin The FBI subseque d that previous likely contained s i m i l a r _ _ and worked with the provider to fix the error A third compliance incident resulted from a system-wide error in an FBI database that released business records returns from a quarantined area prior to initial review and allowed access to un-minimized data All of these incidents were reported to the FISA Court As noted above during our review peri orders issued in connection with vii As part of this review we also examined the progress the Department and the FBI made in addressing three relevant recommendations from the OIG's March 2008 and May 2015 reports In the 2008 report we recommended that the Department implement final minimization procedures develop procedures for reviewing materials received in response to business records orders issued by the Foreign Intelligence Surveillance Court FISA Court to ensure that they do not contain overproduced information outside the scope of orders and develop procedures for handling overproductions In our May 2015 report we found that the Department had adopted Final Procedures implementing the OIG's recommendations but identified several terms used in the Final Procedures that we believed required clarification including with regard to the minimization of U S person information Based on the information obtained in our current review we concluded that the Department and the FBI have made these clarifications We therefore have closed these remaining recommendations However based on the concerns expressed by agents about the time needed to obtain business records orders we recommend that the FBI and the Department continue to pursue ways to make the business records process rticula for a lications related to ber cases where ts more effie Potential measures include using the FBI's FISA Management System FISAMS data to track the timeliness of Section 215 applications using alerts within FISAMS to identify applications that have lingered past a certain period of time without review and implementing a streamlined drafting and review pro viii I INTRODUCTION Section 215 of the Patriot Act otherwise known as the business records provision allows the Federal Bureau of Investigation FBI to acquire any tangible things including books records papers documents and other items for an investigation to obtain foreign intelligence information not concerning a U S person or to protect against international terrorism or clandestine intelligence activities provided that an underlying investigation of a U S person is not conducted solely upon the basis of activities protected by the First Amendment 7 The FBI may use this investigative method only in Preliminary and Full Investigations and the information sought must be relevant to an open predicated national security investigation This is the Department of Justice Department or DOJ Office of the Inspector General's OIG fourth review of the FBI's use of investigative authority granted by Section 215 The OIG has issued three previous reports regarding the FBI's use of the business records provision in March 2007 covering calendar years 2002 to 2005 in March 2008 covering calendar year 2006 and in May 2015 covering calendar years 2007 to 2009 This fourth review is mandated by the USA Freedom Act of 2015 signed into law on June 2 2015 The USA Freedom Act directs the OIG to issue within 1 year of the date of enactment a report examining the FBI's use of Section 215 authority for calendar years 2012 to 2014 As required by the USA Freedom Act this report addresses noteworthy facts or circumstances relating to Section 215 orders any illegal or improper use of Section 215 authority the effectiveness of Section 215 as an investigative tool and the adequacy of procedures used to minimize U S person information obtained in response to Section 215 orders A Methodology of the OIG Review To conduct this review the OIG examined over 90 000 pages of material obtained from the FBI and the Department's National Security Division's NSD Office of Intelligence These documents included files relating to each FISA Court order approving use of Section 215 authority between 2012 and 2014 Department reports to Congress concerning that use during calendar years 2012 through 2014 documents detailing compliance incidents related to the FBI's use of Section 215 authority reports documenting the results of Accuracy and Minimization Reviews conducted by NSD between 2012 and 2014 e-mails relating to approved and withdrawn business records applications minimization procedures in effect during the review period and FBI and NSD policies and training materials related to final minimization procedures adopted in 2013 7 The term USA PATRIOT Act is an acronym for the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 Pub L No 107-56 115 Stat 272 2001 We refer to it as the Patriot Act in this report 1 We reviewed each of the 561 Foreign Intelligence Surveillance Act FISA Court-approved orders for business records between 2012 and 2014 in order to provide an overview of the characteristics of those orders and the underlying investigations in which they were obtained 8 In order to conduct an in-depth analysis of the FBI's use of business records authori we conducted field visits to two FBI field offices the We identified these field offices based on the overall n riety of business records orders obtained during the review period we reviewed business records orders obtained during the review period • each of the we reviewed a sample o f of the • business records orders obtained which we selected based on various factors including unique use of Section 215 authority the type of investigation or the occurrence of compliance incidents During these field visits we examined documents in the FBI's case management system and interviewed agents supervisors and counsel about the FISA business records process the use of Section 215 authority in their individual cases and the application of the relevant minimization procedures In several instances we also examined the materials produced in response to business records orders We selected of these applications for more detailed analysis to highlight the varied and evolving uses of Section 215 authority In addition to the orders aP e 2ved by the FISA Court between 2012 and 2014 there were pending and- withdrawn applications for Section 215 orders 9 We reviewed withdrawn re uests or applications originating from and questioned agents about of these We also reviewed requests submitted to NSD but not filed with the FISA Court and • proposed applications filed with the FISA Court as read or advance copies that NSD ultimately withdrew prior to formally filing Where the applications presented novel or unique legal issues we questioned NSD attorneys about the reasons for these withdrawals As noted earlier durin roved orders related to Our third report discussed uding the specialized minimization procedures t reported compliance incidents and the status of through May 2015 On June 2 2015 the USA Freedom Act ended bulk collection under Section 215 by requiring that applications for business records identify a person account address or personal 8 We reviewed all 561 orders approved during our review period but excluded • orders for statistical as described in more detail IV C orders Procedures 9 Pending applications include applications generated between 2012 and 2014 but not provided to NSD for further processing or submitted to the FISA Court for further approval 2 device or any other specific identifier 10 See 50 U S C §§ 1861 b 2 k 4 2015 as amended by USA Freedom Act of 2015 101 103 107 109 Our report provides a brief status update in light of the changes instituted by the USA Freedom Act Over the course of this review we interviewed more than 50 people from the FBI and the Department including Section and Unit Chiefs from the FBI's National Security Law Branch NSLB and NSD's Office of Intelligence and attorneys case agents and supervisors who worked on Section 215 orders We did not question FBI and NSD personnel about the specifics of every order nor did we conduct an independent compliance review of each use of Section 215 authority between 2012 and 2014 For purposes of this report we relied on the Department's reporting to the FISA Court the FBI's reporting to the Intelligence Oversight Board lOB and the reports summarizing Accuracy and Minimization Reviews conducted by NSD in FBI field offices to identify compliance incidents that occurred during the relevant time period B Organization of the Report This report is divided into six sections After this introduction we describe in Section II the legal background related to Section 215 authority the process for obtaining a Section 215 order the procedures applicable to the use of business records material and the procedures for reporting compliance incidents to the FISA Court and the lOB In Section III we discuss the status of recommendations the OIG made in previous reports concerning the FBI's use of Section 215 authority In Section IV we provide an overview of the FBI's use of Section 215 authority between 2012 and 2014 We describe the number of Section 215 orders approved the type of information requested the number of FBI offices that used the authority and the types of investigations in which Section 215 orders were sought In Section V we provide a more detailed discussion o f business records orders obtained between 2012 and 2014 We describe the information requested the purpose of the requests the material produced the manner in which it was used and any compliance incidents that occurred We also describe three compliance incidents that affected numerous business records orders durin our time eriod and b discuss the status o f of the USA Freedom Act Finally Section VI contains our conclusions 10 As described in more detail below the effective date of these changes was within 180 days of the date of enactment which was November 29 2015 The USA Freedom Act also eliminated bulk collection using pen register trap and trace authority or various National Security Letter authorities by requiring use of a specific selection term See USA Freedom Act of 2015 §§ 201 501 3 II BACKGROUND This section provides a brief description of the legal background related to Section 215 authority and the process for obtaining Section 215 orders A Legal Background The Foreign Intelligence Surveillance Act of 1978 FISA requires the FBI to obtain an order from the FISA Court to conduct electronic surveillance to collect foreign intelligence information 11 In 1998 Congress amended FISA to authorize the FBI to apply to the FISA Court for orders compelling common carriers public accommodation facilities physical storage facilities and vehicle rental facilities to release records in their possession to the FBI The amendment did not further define records This provision which was codified at 50 U S C § 1862 became known as the business records provision 12 The 1998 amendment required the FBI to specify that the business records were sought for an investigation to gather foreign intelligence information or an investigation concerning international terrorism and that there were specific and articulable facts giving reason to believe that the person to whom the records pertain is a foreign power or an agent of a foreign power 50 U S C § 1862 2000 This language meant that the FBI was limited to obtaining information regarding a specific person or entity the FBI was investigating and about whom the FBI had individualized suspicion The amendment also prohibited the entity complying with the order from disclosing either the existence of the order or any information produced in response to the order The authority granted by the 1998 amendment was rarely used Between enactment of the amendment and passage of the Patriot Act in October 2001 the FBI obtained only one FISA order for business records In October 2001 Section 215 of the Patriot Act significantly expanded the business records provision The pertinent part of Section 215 provides T he Director of the Federal Bureau of Investigation or a designee of the Director whose rank shall be no lower than Assistant Special 11 FISA provides two definitions of foreign intelligence information Under 50 U S C § 1801 e 1 foreign intelligence information means information that relates to and if concerning a U S person is necessary to the ability of the United States to protect against 1 actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power 2 sabotage international terrorism or the international proliferation of weapons of mass destruction by a foreign power or an agent of a foreign power or 3 clandestine intelligence activities by an intelligence service or network of a foreign power or by an agent of a foreign power Under 50 U S C § 1801 e 2 foreign intelligence information includes information with respect to a foreign power or foreign territory that relates to and if concerning a U S person is necessary to the national defense or the security of the United States or the conduct of the foreign affairs of the United States 12 50 U S C § 1862 b 2 B 1998 as amended 50 U S C § 1861 2001 4 Agent in Charge may make an application for an order requiring the production of any tangible things including books records papers documents and other items for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution 50 U S C § 1861 a 1 2001 While the 1998 amendment limited the FBI's business records authority to four types of businesses the 2001 language did not contain any such limitation Section 215 also expanded the categories of documents obtainable under the business records provision from records to any tangible things including books records papers documents and other items In addition Section 215 lowered the evidentiary threshold to obtain a business records order Rather than requiring the FBI to show that the requested information pertained to a person under investigation Section 215 required that the items sought need only be for an authorized investigation conducted in accordance with applicable law and guidelines to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities 50 U S C § 1861 b 2 2001 This standard ·referred to as the relevance standard permits the FBI to seek information concerning persons connected in some way to a person or entity under investigation Congress twice amended Section 215 in 2006 The first legislative amendment the USA PATRIOT Improvement and Reauthorization Act of 2005 Reauthorization Act was signed into law on March 9 2006 The Reauthorization Act required that an application for a business records order establish reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation 13 50 U S C § 1861 b 2 B 2006 At the same time the Reauthorization Act provided a presumption of relevance for tangible things that pertain to foreign powers agents of foreign powers suspected agents of foreign powers who are the subjects of authorized investigations or individuals in contact with or known to suspected agents of foreign powers who are the subjects of authorized investigations If an application demonstrates that the information requested pertains to one of these four entities or individuals it is presumptively relevant to an authorized investigation The Reauthorization Act also authorized the collection of certain sensitive records including library medical educational and tax return records However it required that applications for sensitive records be approved by the FBI Director or his specified designee and required specific reporting about 13 USA PATRIOT Improvement and Reauthorization Act of 2005 Pub L 109-177 120 Stat 196 to 198 2006 5 these records to Congress 14 The Reauthorization Act also established a process for recipients of Section 215 orders to challenge their legality before a FISA Court judge The second legislative amendment the USA PATRIOT Act Additional Reauthorizing Amendments Act of 2006 included additional changes to Section 215 For example these amendments included a provision allowing a recipient of a Section 215 order to petition the FISA Court to modify or set aside the nondisclosure requirement after 1 year from the issuance of the order if certain findings are made 15 Section 215 along with other provisions of the Patriot Act originally was scheduled to sunset on December 31 2005 The Reauthorization Act extended Section 215 for 4 years until December 31 2009 Congress subsequently extended Section 215 to June 1 2015 In June 2013 information about the NSA's bulk telephony metadata program was publicly disclosed by Edward Snowden 16 These disclosures revealed among other things that the FISA Court had approved Section 215 orders authorizing the bulk collection of call detail records The telephony metadata collected by the NSA included information from local and long-distance telephone calls such as the originating and terminating telephone number and the date time and duration of each call 17 The disclosures prompted widespread public discussion about the bulk telephony metadata program and the proper scope of government surveillance and ultimately led Congress to end bulk collection by the government in the USA Freedom Act 18 Amid public debate about the bulk telephony metadata program the sunset provisions of the Reauthorization Act took effect at 12 01 a m on June 1 2015 temporarily reverting the business records provision to the much more limited version in effect between 1998 and October 2001 19 On June 2 2015 President Obama signed the USA Freedom Act While the USA Freedom Act did 14 As permitted by the Reauthorization Act the FBI Director delegated approval authority for these records to the Deputy Director and the Executive Assistant Director for the FBI's National Security Branch 15 See USA PATRIOT Act Additional Reauthorizing Amendments Act of 2006 Pub L No 109-178 120 Stat 278 280 16 See Glenn Greenwald NSA Collecting Phone Records of Millions of Verizon Customers Daily The Guardian Jun 6 2013 As described in more detail below metadata refers to dialing routing addressing or signaling information associated with a communication but does not include any information concerning the substance purport or meaning of the communications 7 As we described in our second and third reports NSA lilpllacle dilt hleiclaiillldlet aliiilirelc olilrdiiisiliiiinl an archive and then ran queries against this archive to identify 1 llllliiil The telephone numbers used to query the archive were telephone numbers that met the reasonable articulable suspicion standard 1 18 See generally Bart Forsyth Banning Bulk Passage of the USA FREEDOM Act and Ending Bulk Collection 72 Wash Lee L Rev 1307 1321-22 1325 1334 Summer 2015 19 See id 6 not substantively change the standard for obtaining business records linked to a particular person or identifier it ended bulk collection under Section 215 by requiring that applications for business records include a specific selection term defined as a term that specifically identifies a person account address or personal device or any other specific identifier 50 U S C §§ 1861 b 2 k 4 2015 as amended by USA Freedom Act of 2015 §§ 101 103 107 This provision became effective 180 days after the date of enactment ending bulk collection by the government as of November 29 2015 See USA Freedom Act of 2015 § 109 To allow the government to continue to obtain call data the USA Freedom Act created a new mechanism that allows the government to obtain call detail records from providers within two hops of the specific selection term on an ongoing basis for 180 days from the date of the FISA Court order 20 Each application to obtain these records must include a a specific selection term to be used as the basis for the production of the call detail records 50 U S C § 1861 b 2 A b a statement of facts showing that there are reasonable grounds to believe that the call detail records being sought are relevant to an authorized investigation and that there is a reasonable articulable suspicion that the specific selection term is associated with a foreign power or an agent of a foreign power engaged in international terrorism or activities in preparation thereof 50 U S C § 1861 b 2 C i and ii and c an enumeration of the minimization procedures adopted by the Attorney General that are applicable to the handling of call detail records obtained by the government in response to the requested order 50 U S C § 1861 b 2 D 21 According to NSD if the FISA Court finds that the application meets the statutory requirements it will order the production of a first set of records the first hop using the specific selection term and a second set of records the second hop using session-identifying information such as originating or terminating telephone numbers or telephone calling card numbers identified by the specific selection term Session-identifying information and telephone calling card numbers may be identified in the first hop productions or from other information already in the government's possession The FISA Court has 20 The term call detail record means session-identifying information including an originating or terminating telephone number an International Mobile Subscriber Identity number or an International Mobile Station Equipment Identity number a telephone calling card number or the time or duration of a call It does not include the contents of any communication the name address or financial information of a subscriber or customer or cell site location or global positioning system GPS information See 50 U S C § 1861 k 3 As a result the FBI may not obtain identifying financial or location information on the basis of an individual being in first- or second-degree contact with the original person account address or personal device or other specific identifier used as a specific selection term •data • •collected • • •under • · those The FISA Court orders orders when based on permitted authorized personnel to search the the factual and practical considerations of everyday life on which reasonable and prudent persons act there are facts giving rise to a reasonable articulable suspicion that a particular known ign powers identified in the orders We identifier is associated with discuss the evolution of the RAS standard in our May 2015 report 7 concluded that FISA as amended by the USA Freedom Act does not require a showing of relevance for second hop records To guard against overbroad collection the USA Freedom Act requires the prompt destruction of all call detail records collected by the government not determined to be foreign intelligence information See 50 U S C §§ 1861 b 2 C c 2 F as amended by USA Freedom Act of 2015 § 107 The USA Freedom Act also added a provision allowing the Attorney General to require the emergency production of business records when certain criteria are met including applying relevant minimization procedures and obtaining a FISA Court order approving the production within 7 days of the emergency authorization See 50 U S C § 1861 i as amended by USA Freedom Act of 2015 § 102 Finally the USA Freedom Act extended the sunset date for Section 215 as amended until December 15 2019 See USA Freedom Act of 2015 § 705 a B The Process for Seeking Section 215 Orders As we described in our previous Section 215 reports the process to obtain and utilize a Section 215 order generally involves five phases FBI field office initiation and review FBI Headquarters review NSD Office of Intelligence review FISA Court review and FBI service of the order The process to obtain a Section 215 order generally begins when an FBI case agent prepares a business records request form which requires the agent to provide among other things the following information a brief summary of the investigation a specific description of the items requested an explanation of the manner in which the requested items are expected to provide relevant information and the identity of the custodian or owner of the requested items The request form must be approved by the agent's supervisor and the field office's Chief Division Counsel and Assistant Special Agent in Charge The approval process is automated through the FBI's FISA Management System FISAMS which sends electronic notifications to each individual responsible for taking the next action in order to process the business records in the field office After the approvals are completed in the field office the FISAMS notifies the substantive desk in the Counterterrorism Counterintelligence or Cyber Divisions at FBI Headquarters At FBI Headquarters the business records request form is reviewed and approved by both the substantive desk and NSLB Once FISAMS delivers the request to the substantive desk it is assigned to an NSLB attorney who works with the case agent and other FBI personnel to obtain any additional information the NSLB attorney believes is necessary to support the request The request package then is reviewed by NSLB supervisors and forwarded to NSD where the request is assigned to an NSD attorney The NSD attorney works with the NSLB attorney and case agents to obtain any additional information necessary to include in the draft application and order NSD uses an internally-created software program called TurboFISA that produces a template with standardized language for various types of 8 business records applications An NSD supervisor then reviews the draft application package In most cases the NSD attorney then sends the draft to the FBI for review including having agents answer any questions regarding the application The application is then finalized by NSD The final application package is returned to the FBI for an accuracy review and additional edits may be made based on the FBI's review of the final package Upon completion of the final version of the application signatures of the designated senior FBI personnel are obtained and an NSD attorney prepares the package for presentation to the FISA Court Pursuant to Rule 9 of the FISA Court Rules of Procedure NSD provides the FISA Court with a proposed application an advance copy of the application commonly called a read copy no later than 7 days before the government seeks to have the matter entertained by the FISA Court The FISA Court through a FISA Court legal advisor may identify questions or concerns and request changes or additional information to the documents after reviewing the read copy NSD and the FBI then address these questions or concerns and make any necessary revisions to the application and order prior to submitting a formal or final application and order for the Court's approval or decide to withdraw the application before submission The FISA Court will either sign the formal submission or request that NSD present the formal application package to the FISA Court at a scheduled hearing If the FISA Court judge approves the formal application the judge signs the order The order is then entered into FISAMS and served by the FBI field office nearest to the company or provider designated in the order Among other things the order sets forth the deadline for producing the items The FBI can receive business records returns electronically or in hard copy Hard copies of business records returns typically are sent directly to the case agent Electronic records particularly business records returns from certain Internet Service Providers typically are sent to the FBI's Data Intercept Technology Unit DITU DITU then uploads the records into the Data Warehouse System DWS the FBI's primary repository for raw FISA-acquired material Un-minimized business records returns are quarantined in a separate area of DWS that is accessible only to personnel involved in the case When returns are uploaded DWS automatically notifies the case agent who must then review the records in a restricted area of DWS to determine whether the records are responsive to the FISA Court order If so DITU releases the records from the quarantined area into DWS where they are available to FBI personnel with appropriate access Once the information is in DWS the case agent must assess its intelligence value Only information that reasonably appears to be foreign intelligence information necessary to understand foreign intelligence information or assess its importance or evidence of a crime may be placed in other FBI electronic storage systems such as the Automated Case System ACS and Sentinel where the information will be more widely accessible to FBI personnel discussed in more detail below 22 22 ACS and its successor Sentinel are the FBI's case management systems 9 C Minimization Procedures FISA requires the FBI to minimize U S person information it receives in response to business records orders Under current procedures this means that the FBI may retain and disseminate nonpublic U S person information only if it reasonably appears to be foreign intelligence information necessary to understand foreign intelligence information or assess its importance or evidence of a crime referred to as meeting the FISA Standard The FBI adopted interim minimization procedures for business records returns following the passage of the Reauthorization Act in March 2006 and revised procedures in 2013 23 Two sets of minimization procedures thus governed business records orders issued between 2012 and 2014 Interim Procedures between January 1 2012 and June 30 2013 and Final Procedures after July 1 2013 In this section we discuss these minimization procedures and describe the decision by FBI and NSD to implement the Final Procedures retroactively 1 Interim Minimization Procedures The Reauthorization Act mandated that the Department adopt minimization procedures to govern the retention and dissemination of nonpublic U S person information produced in response to a Section 215 order One critical requirement was that the minimization procedures prohibit the dissemination of nonpublic U S person information unless the identity of the U S person was foreign intelligence information necessary to understand foreign intelligence information or assess its importance or evidence of a crime i e met the FISA Standard The Department adopted Interim Procedures in September 2006 Rather than providing new procedures designed to comply with the requirements of the Reauthorization Act the Interim Procedures incorporated six existing provisions from the Attorney General's Guidelines for FBI National Security Investigations and Foreign Intelligence Collection NSI Guidelines • Part I B 3 which prohibited the FBI from investigating or maintaining information on U S persons solely for the purpose of monitoring First Amendment activities or the lawful exercise of Constitutional or statutory rights • Part I C l which defined U S person to include U S citizens or lawful permanent residents unincorporated associations substantially composed of individuals who are U S persons and corporations incorporated in the United States • 23 See so u s c § 1861 g 2 10 • Part VII A l which required that the FBI retain investigative records in accordance with a plan approved by the National Archives and provided for NSD oversight of information obtained in the course of investigations • Part VII B which allowed the FBI to disseminate information within the Department to the intelligence community and federal law enforcement agencies to other federal state and local authorities and to foreign authorities when the information related to the recipient's authorized responsibilities and dissemination was consistent with national security interests • Part VIII which defined certain terms used in the NSI Guidelines including foreign intelligence and publicly available The Interim Procedures stated that these provisions were to be construed to minimize retention and prohibit dissemination of nonpublic U S person information and to prohibit the FBI from disseminating nonpublic U S person information that was not foreign intelligence information in a manner that identified a U S person unless the person's identity was necessary to understand foreign intelligence information or assess its importance or evidence of a crime However the Interim Procedures did not define or explain what necessary to understand foreign intelligence information or assess its importance means nor did they define or provide guidance on what constitutes U S person identifying information In our March 2008 report we found that the Interim Procedures did not meet the requirements of the Reauthorization Act because they failed to provide FBI agents with specific guidance regarding the retention and dissemination of nonpublic U S person information obtained under Section 215 authority We recommended that the FBI develop final minimization procedures that provided such guidance require an initial review of records received in response to business records orders and provide guidance on handling overproductions i e material outside the scope of the Section 215 order Although the FBI stated that it would replace the Interim Procedures with final minimization procedures that addressed the recommendations in the March 2008 report it had not done so by spring 2009 As a result in May 2009 a FISA Court judge requested that the FBI volun apply additional minimization procedures to the productions o f - related Section 215 orders The Department agreed to implement these additional minimization procedures and filed reports with the FISA Court describing how the FBI had minimized U S person information 11 In June 2009 FISA Court judges began to issue Supplemental Orders with most Section 215 orders These Supplemental Orders required the Department to submit a written report to the FISA Court describing the FBI's minimization of U S person information no later than 90 days after the production of materials with sufficient detail to allow the FISA Court to assess the adequacy of the FBI's implementation of the Interim Procedures Between Janu and June 30 2013 the FISA Court issued Supplemental Orders f o r - - total business records orders 24 2 Final Minimization Procedures On March 7 2013 the Attorney General adopted and the Department filed with the FISA Court final minimization procedures for material received in response to Section 215 orders These Final Procedures became effective on July 1 2013 The Final Procedures are designed to minimize the retention and prohibit the dissemination of nonpublicly available information concerning unconsenting U S persons consistent with the need of the United States to obtain produce and disseminate foreign intelligence information The Final Procedures do not apply to publicly available U S person information nor do they apply to acquiring retaining or disseminating U S person information with the person's consent With the exception of provisions requiring an initial review of business records returns and dictating the handling and retention of overproduced material and attorney-client communications the Final Procedures do not apply to non-U S person information • • • 24 Of the orders for which the FISA Court did not issue Supplemental Orders • were in counterintelligence investigations were in counterterrorism investigations and were in • business records orders issued under the Interim cyber i Procedures or to restricted counterespionage investigations I I 12 The Final Procedures also address the handling and retention of business records returns An agent must conduct an initial review of returns to determine if the information received is within the scope of the order If it is the agent then must evaluate whether the information meets the FISA Standard i e reasonably appears to be foreign intelligence information necessary to understand foreign intelligence information or assess its importance or evidence of a crime Information that meets the FISA Standard may be included in official FBI case files used for analysis inserted in Electronic Communications EC intelligence information reports IIR or analytical products uploaded into widely-accessible FBI databases or disseminated to other sora encies in accordance with the Final Procedures In general the Final Procedures prohibit the FBI from retaining using or disclosing material outside the scope of an order 26 If an agent identifies an 25 Ad hoc databases are files and databases accessible only to FBI personnel who are to the i ation and authorized to review business records information Cont'd 13 overproduction he must return it to the producing party or destroy it as soon as practicable ensure that the information has not been uploaded into any widelyaccessible FBI system and inform NSD of the ave duction to facilitate notification of the FISA Court The Final Procedures allow the FBI to disseminate information obtained business records orders to In general the FBI must determine that nonpublic U mation meets the FISA Standard before disseminating i t - - - - · Key dissemination provisions are summarized below • Where the foreign intelligence information relates to a foreign power or foreign territory and reasonably appears to be necessary to the national defense or forei n affairs of the United States • Cont'd 14 • In accordance with this provision NSD includes business records orders in the Minimization and Accuracy reviews it conducts in FBI field offices During these reviews NSD attorneys examine information produced in response to business records orders to identify overproductions confirm that the information has been properly 29 As described in more detail below metadata refers to dialing routing addressing or signaling information associated with communications such as e-mail addresses telephone numbers or IP addresses 15 classified and marked in FBI systems as FISA-derived evaluate compliance with minimization procedures and assess retention and dissemination decisions NSD attorneys also audit the searches conducted by FBI personnel in multiple FBI databases including two databases that contain business records material DWS and Data Integrated Visual System DIVS which operates as a search engine for a collection of other databases to which the FBI has access to ensure that the queries comply with the minimization procedures Between 2012 and 2014 NSD conducted 90 Minimization and Accuracy Reviews including business records minimization reviews in every FBI field office After the Final Procedures became effective NSD began requiring its attorneys to conduct post-order briefings within 5 days of an order being signed These briefings are designed to ensure that FBI personnel understand and comply with the requirements of the Final Procedures NSD attorneys contact FBI personnel to review the Final Procedures includin the definitions of U S person and foreign intelligence information the requirement that agents conduct an initial review of returns before placing information in widely-accessible FBI systems the proper handling of overproduced materials and the standards for retaining and disseminating information NSD attorneys told us that they typically conduct the briefings with case agents and cover the major requirements of the Final Procedures the information requested by the order and any special minimization or reporting requirements imposed by the FISA Court in a Supplemental Order The first business records application referencing the Final Procedures was filed with the FISA Court on August 6 2013 Once the Final Procedures were in place the FISA Court ceased issuing Supplemental Orders requiring the Department to report on its handling of U S person information as a matter of standard practice However between August 9 2013 and January 3 2014 the FISA Court issued Supplemental Orders for applications that requested e-mail transactional records from various service providers requiring the Department to submit written reports stating whether the returns included the contents of any communications An NSD Deputy Unit Chief told us that the FISA Court began requiring content reporting for business records orders directed a t and other communications providers following a series of overproductions of email subject lines He characterized Supplemental Orders as relatively unusual since resolution of the systemic overproductions stating that they are only issued if the FISA Court has particular concern about the breadth or potential volume of the material requested We describe these systemic errors in more detail in Section V 3 Retroactive Application of the Final Procedures When the government submitted the Final Procedures to the FISA Court in March 2013 the then-Assistant General of NSD stated in a letter to the Court that the FBI 16 • • • • The remaining provisions of the Final Procedures including the retention and dissemination restrictions apply retroactively D Compliance Issues The Rules of Procedure for the FISA Court require the Department to correct misstatements of material fact and to disclose non-compliance with an order to the FISA Court Under Rule 13 b the Department must notify the FISA Court in writing if it discovers that any authority or approval granted by the FISA Court has been implemented in a manner that did not com with the Court's authorization or a roval or with a licable law Between 2012 and 2014 the Department filed Rule 13 b notices informing the FISA Court of compliance incidents related to business records ord at resulted in the overproduction of e-mail subject lines b y - ' and • systemic errors in the FBI's DWS database that allowed FBI personnel unconnected with an investigation to access business records information before the case agent's initial review We discuss these compliance incidents in more detail in Section V Given the large number of business records orders issued between 2012 and 2014 we did not attempt to independently identify or describe all of the compliance incidents that occurred during our review period 17 The FBI also is required to report activities that may be unlawful or contrary to executive orders or directives to the lOB and Director of National Intelligence DNI 31 The subjects of these reports to the lOB are commonly referred to as lOB violations FBI policy requires employees to report potential lOB violations to NSLB within 30 days of discovery Once an agent reports a potential lOB matter NSLB reviews the facts to determine whether Executive Order 13462 and the Intelligence Oversight Reporting Criteria require the violation to be reported to the lOB and the DNI Agents are required to report third-party overproductions to NSLB within 90 days of the date of discovery 32 The FBI must then submit this information to the lOB in quarterly reports containing the following information 1 2 3 Between 2012 and 2014 the FBI reported violations related to business records orders to the lOB Of these • involved overcollections s mic overproductions of e-mail subject lines by - - - i n v o l v e d other issues such as the production of materials outside the date range specified in a business records order and • was the result of a typographical error in a business records order NSLB also deemed overcollections and typographical error to be non-reportable 31 See Exec Order 12333 § 1 6 c as amended Exec Order 13462 § 6 b as amended Criteria on Thresholds for Reporting Intelligence Oversight Matters Sept 8 2010 Intelligence Oversight Reporting Criteria 18 III STATUS OF RECOMMENDATIONS Previous OIG reports recommended changes to the minimization procedures used by the FBI Our second report issued in March 2008 recognized that the FBI had adopted Interim Minimization Procedures but made the following three recommendations • The FBI should develop procedures for reviewing materials received from Section 215 orders to ensure that it has not received information that is not authorized by the FISA Court orders • The FBI should develop procedures for handling material that is produced in response to but outside the scope of a Section 215 order and • The FBI should develop final standard minimization procedures for business records that provide specific guidance for the retention and dissemination of U S person information Our third report issued in May 2015 analyzed the FBI's compliance with these recommendations We concluded that the FBI had resolved the first recommendation in adopting the Final Procedures but that it nonetheless should clarify in policy guidance or training materials that the initial review requirements in the Final Procedures apply to metadata We determined that the second recommendation was closed as the Final Procedures include a provision for handling overproduced material Finally we concluded that the third recommendation was resolved by the Final Procedures but that the FBI should consider using training materials or policy guidance to clarify several provisions regarding the retention and dissemination of U S person information Below we describe the FBI's progress in implementing these recommendations A Handling of Metadata Under the Final Procedures As noted above metadata refers to dialing routing addressing or signaling information associated with a communication In the context of wire or electronic communication transaction records metadata may include e-mail addresses telephone numbers IP addresses and similar information Metadata does not include information concerning the substance purport or meaning of the communications 19 1 Initial Review of Metadata In our second report we recommended that the FBI develop procedures for reviewing materials received from Section 215 orders to ensure that it had not received information outside the scope of the FISA Court orders In our third report we observed that the FBI had adopted Final Procedures requiring that agents conduct an initial review of materials produced pursuant to a Section 215 order We concluded that this provision requires case agents to review materials for overproduced material but that it does not expressly subject metadata to the initial review requirement We recommended that the FBI clarify that the initial review requirement applies to metadata In the course of our current review the FBI and NSD produced copies of internal policies and training materials that make clear that the initial review provision applies to all FISA business records materials including metadata The FBI Policy Implementation Guide for Business Records Standard Minimization Procedures SMP PG states and emphasizes that agents must complete the initial review Training before uploading the information to any widel accessible FBI s materials ided the FBI also state Agents we interviewed told us that they had received multiple trainings on the Final Procedures and understood that the requirement to conduct initial reviews applies to all business records returns including those involving e-mail transactional data or other metadata In addition as described above NSD attorneys are required to conduct post-order briefings with the case agent within 5 days of a business records order being signed NSD's Post-Order Briefing Policy provides that the NSD attorneys must remind agents that they are required to conduct an initial review of FI SA-acquired business records information to ensure that the production is generally responsive to the order and that this initial review must take place before placing the information in any widely accessible FBI system NSD attorneys told us that they make clear in these briefings that the initial review requirement applies to every business records production including metadata Accordingly we consider this recommendation closed 2 Other Provisions Relating to Metadata 20 In our third report we identified two potential issues regarding application of these provisions that we believed required attention and oversight • We stated that NSD and the FBI should In our current review we assessed whether NSD and the FBI have addressed these issues Traini materials released in earl 2016 state that 21 In 2012 and 2013 the FBI used business records orders to re ct on two occasions 34 The first order re uested 22 Given these steps we believe that the FBI and NSD have sufficiently addressed the concerns we raised regarding other provisions related to metadata in our third report B Retention and Dissemination of U S Person Information In our second report we recommended that the FBI develop final minimization procedures providing specific guidance on the retention and dissemination of U S person information In our third report we recognized that the FBI had resolved this recommendation by adopting Final Procedures providing such guidance but stated that the FBI should consider clarifying two provisions in policy guidance or training materials the definition of necessary to understand forei n intelli ence information and the revision allowin We briefly discuss each in turn below 1 Necessary to Understand Foreign Intelligence Information We recommended that the FBI define the term necessary to understand foreign intelligence information and provide actual examples of its application in the FBI training materials or policy guidance Training materials produced and NSD address this issue One resentation states that when training provided the following example of this analysis and thus it meets however it may be difficult to articulate why would be appropriate e Based on this guidance we believe the FBI has addressed our concerns 23 2 Dissemination of Information Relating to Computer Intrusions or Attacks We also recommended that the FBI provide further sion in the Final Procedures that allows the FBI We stated the FBI should consider clarifying that the material must meet the FISA Standard as well as define the term U S person identifying information and provide actual examples of its application The FBI has made these clarifications The SMP PG makes clear that agents must first ana whether the information meets the FISA Standard statin While the current version of the SMP PG does not further define or illustrate U S person identifying information an NSLB attorney told the OIG that the FBI is in the process of revising and consolidating its FISA policy guidance and that the revised guidance will include a definition In addition materials used in trainings beginning in March 2016 define U S person identifying information and provide uidance on its a lication Training slides and s ker's notes state that The materials emphasize that determining whether information constitutes U S person identifying information requires a case-bycase assessment and that agents should consult with NSLB if questions arise As a result we consider this recommendation closed IV OVERVIEW OF BUSINESS RECORDS ORDERS ISSUED FROM 2012 THROUGH 2014 In this section we provide an overview of the characteristics of business records orders approved in calendar years 2012 through 2014 We describe the number of business records orders approved the type of information requested the number of FBI offices that used the authority and the types of investigations in which business records orders were sought We provide information about the number of business records orders in which U S persons were the subject of the underlying investigations 24 Additionally we examine the timeliness of the business records process We analyze the length of time that elapsed between the initiation of a business records request and the signing of the business records order by the FISA Court A The Overall Number of Business Records Orders From 2012 to 2014 the FISA Court approved 561 business records orders 36 This continued a dramatic increase in the use of business records authority compared to the number of orders that we have observed during our prior reviews For example the FISA Court approved 51 orders from 2007 through 2009 the 3 year time period that we reviewed in our 2015 report Figure 1 illustrates the increase in number of approved business records orders by calendar year FIGURE 1 Total Number of Approved Business Records Orders by Calendar Year 2007-2015 3 7 250 200 Gl f 0 150 1--- 0 j 205 212 96 100 E a z 50 17 0 13 1 - - - r _ __ 2007 2008 2009 2010 2011 2012 2013 2014 2015 Calendar Year Source FBI 36 After reviewing a draft of this report NSD commented that references to the number of business records orders should be changed to the number of approved applications for business records orders The OIG understands that some business records applications result in more than one order For example the FISA Court may issue orders to four separate providers when approving a single application requesting ECTRs for four e-mail addresses We also recognize that NSD reports the number of applications submitted to the FISA Court in its annual reports to Congress Nonetheless we decided to retain the references to the number of business records orders throughout this report as a matter of convenience 37 This table includes the total number of dockets for 2013 179 This number differs slightly from the number of approved applications for business records the Department reported to Congress for 2013 178 The OIG recognizes that one submission in 2013 was a copy of the Final Procedures which did not result in a FISA Court order As described below we excluded this docket from our numbers for purposes of statistical analysis 25 As we describe in more detail in Section IV C I a primary factor in the increase between 2010 and 2012 was the refusal of certain communications providers to produce transactional records for e-mail accounts Electronic Communication Transaction Records or ECTRs in response to National Security Letters NSL beginning in late 2009 NSD and FBI personnel attributed the subsequent decline between 2013 and 2015 to several factors including the stigma attached to the use of Section 215 authority following the Snowden revelations increased use of Section 702 of the FISA Amendments Act providers' resistance to business records orders agents' frustrations with the lack of timeliness and level of oversight in the business records process and agents' increasing use of criminal legal process instead of FISA authority in counterterrorism and cyber investigations In addition between 2012 and 2014 there were pending and withdrawn applications for business records orders 38 While we did not seek to ascertain the basis for each withdrawn uest or a ication we did review • that originated from the and questioned agents about of these The reasons for the withdrawals varied but many were withdrawn for administrative reasons such as inadvertent initiation in FISAMS or a duplicate request while others were withdrawn because the a ents determined that the information was no lon er necessa As a result the number of applications withdrawn for substantive reasons is likely significantly lower We also reviewed • requests submitted to NSD but not filed with the FISA Court and draft applications submitted to the FISA Court as read copies but subsequently withdrawn The requested information and targets in these applications varied substantially and witnesses were unable to identify a common factor leading to their withdrawal The withdrawn applications included several requests that were based on or statements advocating 39 withdrawn jihad that raised potential First Am ication uested toll records 38 Pending applications include applications generated between 2012 and 2014 but not provided to NSD for further processing or submitted to the FISA Court for further approval 39 In February 2013 the FISA Court issued a legal opinion that addressed the line between First Amendment-protected activity and information establishing predication for an international terrorism inve on The nt's The Department reported and provided copies of this opinion to Congress in April 2013 26 The agent ultimate roved in 2015 40 which we discuss in more detail in Section V The FISA Court did not deny any business records applications between 2012 and 2014 When asked why applications withdrawn after submission of a read copy to the FISA Court were not reported to Congress potentially creating the inadvertent impression that the FISA Court is a rubber stamp NSD supervisors told us that the Department includes only business records applications formally submitted to the FISA Court and denied or withdrawn not those filed in read copy and subsequently withdrawn 41 The NSD supervisors acknowledged that excluding applications withdrawn after the FISA Court indicates that it will not sign an order might lead to misunderstandings about the FISA Court's willingness to question applications but the supervisors noted that NSD and the FISA Court have talked about the read process publicly to address concerns about this 42 In comments provided to the OIG after In September 2013 the agent submitted a business records request for the information but NSLB asked him to withdraw the request since the information that could be obtained with an NSL The agent added a request for e-mail transactional data and the request ultimately went forward as a business records application in early 2015 It received ap I from An NSD n Chief lained tha the De 41 As described above the FISA Court Rules of Procedure require the government to file a propose application or read copy with the FISA Court no later than 7 days before it seeks to have the application considered 42 See e g Letter from the Honorable Reggie B Walton Presiding Judge of the FISA Court to Sen Charles E Grassley Ranking Member of the Sen Comm on the Judiciary Jul 29 2013 The annual statistics provided to Congress by the Attorney General pursuant to 50 U S C §§ 1807 and 1862 b -frequently cited to in press reports as a suggestion that the Court's approval rate of applications is over 99%-reflect only the number of final applications submitted to and acted on by the Court These statistics do not reflect the fact that many applications are altered prior to final submission or even withheld from final submission entirely often after an indication that a judge would not approve them Remarks of John Carlin Acting Assistant Cont'd 27 reviewing a draft of this report NSD stated that it is currently considering whether to revise the methodology for counting withdrawn applications B Business Records Orders by FBI Field Office The OIG analyzed the number of FBI field offices with_ Pproved business records orders in 2012 through 2014 We determined that • of the FBI's 56 field offices obtained business records orders during this period 43 The following 3 field offices had the most a roved business records orders during our review period Sixteen field offices each had between and business records orders approved between 2012 and 2014 The remaining 37 field offices each had fewer than business records orders approved during our review period C Analysis of Business Records Orders We also analyzed various characteristics of the business records orders during our review period Factors we considered included the type of information requested the type of underlying investigation e g counterterrorism counterintelligence or cyber the status of the subject of the investigation either a U S person or non-U S person and the timeliness of the business records process To conduct this analysis we excluded of the 561 total business records orders in our dataset based upon the unique characteristics of those orders of the excluded business records orders involved the bulk collection of information which we briefly address in Section V of this report business records orders involved restricted counterespionage investigations and were handled outside of FISAMS Finally one order was an administrative document memorializina b e Final Procedures Therefore the dataset in our analysis includes a total o f - approved business records from 2012 through 2014 Figure 2 shows the number of business records orders included in our analysis by calendar year Attorney General for National Security at the American Bar Assoc Homeland Security Law Institute Jun 20 2013 That the Foreign Intelligence Surveillance Court FISC ultimately denies very few applications is simply a reflection of the unique nature of ex parte FISC proceedings T he Department of Justice has 'an independent obligation to determine that every FISA application meets the statutory standard before we submit it' and treats that obligation with the utmost seriousness and care 43 The field offices submitted business records requests during our review period but those requests were later withdrawn 28 FIGURE 2 Total Number of Business Records Orders Included in Analysis 2012-2014 Source FBI 1 Types of Investigations from which Business Records Orders Originated First we examined the ty of investigations from which business records orders originated The business records orders we reviewed originated from counterintelligence CI counterterrorism CT and cyber investigations Figure 3 shows the numbers of business records orders approved in each type of investigation FIGURE 3 Types of Investigations from which Business Records Orders Originated 2012-2014 Source NSD and FBI We found that business records orders were used far more frequently in counterintelligence inv ations than in counterterrorism or cyber investigations Of the total orders we analyzed • were obtained in counterintelligence investigations in counterterrorism investigations - and nvestigations - Figure 29 4 shows that this gap increased during our review period during which the usage of business records orders in counterintelligence investigations increased slightly while the orders' usage decreased more substantially in both counterterrorism and cyber investigations FIGURE 4 Usage of Business Records Orders 2012-2014 Source FBI When asked about this disparity agents told us that business records orders frequently are the only option available in counterintelligence investigations given the nature and classification of the information involved By contrast agents handling counterterrorism and cyber investigations can in some instances open a parallel criminal investigation and use the grand jury process to obtain the same information more quickly and with less oversight than a business records order As described in more detail below agents told the OIG that the business records process frequently takes several months versus several weeks to obtain a rand sub na This was rticularly true in during the reporting period as discussed below 2 Subjects of Business Records Orders We also analyzed approved business records orders to determine the number of orders that had U S persons and non-U S persons as subjects of the underlying investigations We found that U S persons were listed as subjects in • orders while non-U S persons were listed as subjects i n orders orders identified both a U S person and a non-U S person as subjects of the underlying investigations 30 3 Types of Records Requested in Approved Business Records Orders Filed on Behalf of the FBI Next we examined our dataset for the types of business records requested during our review period Figure 5 shows the types of records requested as well as the number of orders requesting each type of record FIGURE 5 Types of Records Requested in Business Records Orders 2012 thro 2014 31 We found that different types of recor d during our review period Transactional records for e-mail accounts were the most common type of records requested ac r of the non-bulk business records orders we reviewed - records 48 The business records orders requesting ECTRs between 2012 and 2014 are a dramatic increase from- approved orde ng ECTRs in the OIG's previous review period which constituted only - - of the approved non-bulk orders between 2007 and 2009 We found that the increase in business records orders for ECTRs was primarily due to a significant change in the use of NSLs In late 2009 Internet gan refusing to provide transactional information for e-mail accounts in response to an NSL requiring the FBI to use business records orders to obtain the same information 49 Consequently the number of business records orders went up exponentially Interviews with FBI and Department personnel supported this conclusion One NSLB attorney described business records orders as a used to obtain transactional records that were previously obtained through NSLs Several agents told us that a business records order was their only option once providers refused to accept NSLs for transactional information Many agents expressed frustration at having to utilize the business records process instead of NSLs because an NSL requires only field office approval and takes a few weeks to obtain rather than the several months that can be required for a business records order However the number of non-ECTR business records orders also increased significantly compared to the previous review period There were business records orders for non-ECTR information during our current review period as opposed t o between 2007 and 2009 We asked FBI and NSD personnel about the reasons for the increase in non-ECTR business records orders Some witnesses attributed the increase to agents' growing awareness of and comfort 48 Business records orders uested e-mai account information and 49 As described in the OIG's August 2014 report on the FBI's Use of National Security Letters Internet providers began refusing to produce ECTRs in response to NSLs around November 2009 The FBI historically had relied on Section 2709 b of the Electronic Communications Privacy Act ECPA for authority to obtain ECTRs using NSLs In November 2008 however the Department's Office of Legal Counsel OLC issued an opinion interpreting Section 2709 b as authorizing communications providers to produce four exclusive categories of information in response to an NSL subscriber name address length of service and local and long distance toll billing records Although the OLC opinion did not specifically focus on ECTRs one Internet provider argued that Section 2709 b did not give the FBI autho to ail an N and several other ers followed suit transactional records usi 32 with the business records process while others were unable to provide an explanation for it An NSD Deputy Unit Chief noted that the number of business records orders reached its peak in 2012 and has declined annually since then and that the number of ECTR requests has declined more than other types of requests The Deputy Unit Chief said that the Snowden revelations have played a role in this decline both in terms of the stigma attached to use of Section 215 and increased resistance from providers The Deputy Unit Chief stated I think that it's possible that folks have decided it's not worth pursuing business records orders you know obviously things haven't been great with providers since Snowden either In comments provided to the OIG after reviewing a draft of this report NSD stated that the degree to which the Snowden disclosures affected the number of business records applications was speculative and attributed the FBI's increasing use of taskings under Section 702 as likely a notable cause in the decrease in business records requests NSD stated that during the relevant period and continuing today it suggested that FBI withdraw business records requests for accounts used by non-U S persons located overseas that can instead be tasked under Section 702 50 4 Timeliness of the Business Records Process Lastly we examined the median length of time it took for business records orders to move through the approval process including the overall length of time from initiation of a FISAMS request to FISA Court approval and the amount of time spent in each phase of the business records process As we describe in more detail below we did not identify a particular phase of the business records approval process that was responsible for delays 51 Our review also evaluated whether particular characteristics of business records orders affected the time it took for a business records order to move 50 Section 702 of the FISA Amendments Act allows the government to acquire foreign intelligence by targeting non-U S persons reasonably believed to be outside the United States Under Section 702 the government is not required to obtain individual surveillance orders from the FISA Court Instead the FISA Court approves targeting procedures to ensure that the government targets only non-U S persons reasonably believed to be outside the United States and minimization procedures to guard against the inadvertent collection retention and dissemination of U S person information 51 In comments provided to the OIG after reviewing a draft of this report NSD highlighted the importance of the expedite process for business records applications NSD stated that it had worked closely with FBI over the years to establish an expedite process through which FBI management can request that a FISA request including a business records request be processed immediately According to NSD this has resulted in some applications being processed in a single day We agree that the expedite process is an important procedure that allows NSD and FBI to move applications quickly when operationally necessary However given the infrequency with which the expedite process is used for business records requests we do not believe it impacts our overall analysis of the timeliness of the business records process As noted below in footnote 54 only business records requests we examined followed an expedited or amended approval process 33 through the approval process To do this we first examined the median amount of time it took for a business records order to be approved from the time the request was initiated in FISAMS to the time the order was sent to the FISA Court for approval We then aggregated the business records orders by the following characteristics type of records requested type of underlying investigation whether the subject of the investigation was a U S person and by originating field office We compared the aggregated median number of days for each of these characteristics to determine whether any orders sharing a similar characteristic took longer to be approved Based on this analysis we concluded that these factors had no appreciable effect on timeliness a Overall Length of Time for Business Records Orders Approval 2012-2014 First we examined the overall length of time it took for business records orders to go from initiation in the Foreign Intelligence Surveillance Act Management System FISAMS to approval by the FISA Court 52 We found that it took a median of 115 days almost 4 months for a business records order to move through the approval process duri ew period 53 - o f the business records orders orders were processed in 4 months or less during our review period 54 Figure 6 illustrates the amount of time business records took to move through the business records orders approval process c -- 52 As discussed in Section II B the process to obtain a Section 215 order generally involves FBI field office initiation and review FBI Headquarters review by NSLB and the Counterterrorism or Counterintelligence substantive desk NSD review and review and approval by the FISC 53 A median was used instead of an average in this case because the datasets had several number outliers artificially inflating the average 54 For purposes of our timeliness analysis we excluded records in our dataset because those records followed expedited or amended approval processes Because these investigations were not entered into FISAMS we do not have information as to how long they took to process 34 FIGURE 6 Business Records Orders Approval Time 2012-2014 Source FBI b Length of Time in Each Phase of the Approval Process 2012-2014 We also examined the length of time business records orders spent in each phase of the approval process field office NSLB NSD and final approval during our review period We found that business records orders spent the least amount of time in the field office phase of the approval process - a median of 16 days 55 Despite testimony from witnesses attributing delays in the process to various bottlenecks at FBI Headquarters in NSD or in obtaining final signatures we were unable to identify a particular phase of the process that was responsible for delays Orders spent a median of 40 days with NSLB and a median of 33 days in the NSD phase of the approval process 56 We found that the FBI took a median of 2 weeks to obtain final approval signatures from NSLB and the FBI Deputy General Counsel 55 As described above the field office phase of the approval process usually includes the initiation of a business records request by case agent in FISAMS and approval from the following supervisors Supervisory Special Agent Chief Division Counsel and the Assistant Special Agent in Charge 56 In comments provided to the OIG after reviewing a draft of this report NSD noted that a substantial amount of the time between NSD's receipt of a business records request and the finalization of the application involves a back and forth with FBI personnel who review the draft and provide answers to questions from NSD 35 As described above FISA Court rules provide for submission of a read copy no later than 7 days before the government seeks to have the matter entertained by the Court Our analysis included the time that applications and proposed orders were with the FISA Court to provide the most accurate measurement of the time needed for the FBI to obtain business records orders While we do not have complete data regarding the FISA Court's processing of business records applications we were informed that read copies generally are provided the week before and the orders signed within a day or two of submission of the final application No witnesses cited delays with the FISA Court as an issue c Overall Timeliness In interviews with the OIG agents expressed concern with the timeliness of the business records orders approval process Many agents we interviewed told us that the process for obtaining a business records order was lengthy citing the amount of detail required the multiple layers of approval and the need to work with attorneys to draft the application Various agents told the OIG that the process was a deterrent to seeking another business records order One counterterrorism agent stated To be candid with you I don't think I ever will seek another business records order He explained that he could be waiting for months before the order is approved and served and that once a case is over it's not really over because he has to go through internal FBI inspections as well as possible inspections from other entities including the OIG By contrast where there is a parallel criminal case he can consult with the Assistant United States Attorney AUSA to confirm that there is enough information to obtain a grand jury subpoena and receive the records much more quickly Agents expressed particular concerns about the impact of these delays in cyber cases One agent said that the 2 to 3 months it took to obtain his business records order was ridiculous He explained that information moves quickly in the cyber realm stating He told the OIG that it has been common practice to use the FISA process and NSLs in cyber cases but that given providers' resistance to NSLs and delays in obtaining FISA orders 36 some cyber squads have begun opening parallel criminal cases on foreign actors and finding ways to develop probable cause to obtain criminal legal process allowing them to get data more uickl and with less oversi ht These views are consistent with the NSD and NSLB personnel we interviewed were aware of agents' frustrations and said that their divisions have taken steps to improve the business records process While several NSD witnesses said that the volume of requests did not significantly impact their processing of business records orders one NSD attorney acknowledged to us that there had been delays in the process because things get backed up An NSD Deputy Unit Chief told the OIG that NSD has implemented TurboFISA to provide standardized language and streamline the drafting process for business records requests NSD also places business records applications on a 14-day schedule requiring attorneys to attend a meeting with supervisors to explain the reasons for any delays An NSLB attorney told the OIG that he was embarrassed at how long the business records process takes stating We are asking for less than a full FISA and it's taking twice as long He told the OIG that although NSLB does not measure the timeliness of the business records process he thought that NSLB has streamlined the way it handles ECTR requests Another NSLB attorney told the OIG that he thought ECTRs were being drafted and received by the FISA Court in a much more expeditious manner than other types of requests because they were so common As described above we examined whether the type of records requested affected the timeliness of the process and identified no difference between ECTR and non-ECTR applications We also did not see im rovements in the timeliness of ECTR uests over the 3riod or analyze 2015 data Based on agents' concerns about timeliness we recommend in Section VI that the FBI and the Department continue to pursue ways to make the business records process more efficient particularly for applications related to cyber cases V SELECTED SECTION 215 ORDERS OBTAINED BETWEEN 2012 AND 2014 In this section we describe selected Section 215 applications and orders obtained by the FBI between 2012 and 2014 We chose these matters to illustrate various uses of Section 215 authority For each selected use we summarize the underlying investigation and describe the material requested and any notable issues regarding the application and order We then describe where applicable the material produced in response to the order how it was used and any compliance incidents In addition in this section we discuss three compliance incidents that affected numerous business records orders during our review period These 37 ductions of full and partial es ntent by the production of e - m a i l - - b y - ' and the FBI's release of un-minimized data from quarantined areas of DWS before agents conducted their initial review Finally we provide a brief overview -following passage of the USA Freedom Act A Selected Uses of Section 215 Authority 1 Business Records Orders in Related FBI Counterterrorism Investigations In 2012 and 2013 an FBI agent obtained business records orders and submitted one a ication that was withdrawn after submission to NSLB These were obtained i related counterterrorism in ations -· the FBI opened a full investigation The agent stated that the FBI was concerned that these individuals wittingly or unwittingly may have been tied to a foreign power so they initiated preliminary investigations on each of them 57 of the business records orders obtained in these cases were for electronic communication transactional records while the other business records orders and the withdrawn application were for Below we describe these orders and the withdrawn application the handling of the information received in response to the approved orders how the information was used to further the investigation and any compliance incidents 57 Under the FBI's Domestic Investigation and Operations Guide DIOG there are two levels of predicated national security investigations a preliminary investigation which requires information or an allegation of a possible threat to national security and a full investigation which requires an articulable factual basis of a possible threat to national security 38 a Requests for Electronic Communications Transactional Records from Section 215 Orders Issued December 2012 Between April and August 2012 the agent initiated business records uests for electronic communications transactional records from The uests sou ht transactional data for in an effort to gather information about these individuals and determine whether they had been in contact with a foreign E 2Y er NSLB approved the requests in October 2012 and the FISA Court issued- separate orders in December 2012 Each of these orders requested a ll tangible things but not the 'contents' of any communications as defined by 18 U S C § 2510 8 e g electronic mail or subject line associated with the targeted account from the inception of the targeted account to the date of production In standardized language used in every request for e-mail transactional records the orders listed the following items as examples of tangible things being sought for the identified e-mail addresses • • • • • • • • • • • • 39 F o r - of the orders the FISA Court issued standard Supplemental Orders requiring submission of written reports describing the FBI's implementation of the Interim Procedures to U S person information received from the providers For order which included a request for transactional data from FISA Court issued a Supplemental Order requiring the Department to report on its minimization of U S person information and on whether the records received from the providers included the content of any communications NSD and the FBI filed the required Supplemental Reports For each of these orders format The records included DITU received the records from the providers and uploaded them into DWS where they were stored as unpublished products The records were viewable only to relevant FBI personnel until the agent or co-case agent completed his initial review minimized nonpublic U S person information and published the information Except as described below the agent or his cocase agent reviewed the records and determined that they were within the scope of the orders in general they returned no information indicating connections to or support for a foreign terrorist organization The SOS documented these analyses in ECs widely available to FBI personnel through Sentinel coordinating with local law enforcement obtaining NSLs for financial and e-mail subscriber data and conducting searches of FBI and other government databases The agent explained that a number of providers recently had stopped providing e-mail transactional records in response to NSLs and that a business records order was the only available tool given the classification of the derogatory information in his cases The agent stated that the business records process took considerably longer than an NSL Nonetheless he said that the information he obtained was 58 Automated Case System ACS and its successor Sentinel are the FBI's case management systems As described above DIVS operates as a search engine for a collection of FBI and nonFBI databases to which the FBI has access 40 There were compliance incidents related to two of these business records for an e-mail orders The first order sou ht transactional records from address used Although the co-case agent reviewed the records in reduction DITU later determined that some of and were part of a systemic overproduction of content by As described in more detail below DITU purged overproduced records from DWS and the overproductions were reported to the FISA Court and to the IOB in 2013 and 2014 as part of a larger report about systemic overproductions The order requested transactional records from e-mail addresses used by another associate In response to this order produced nic forma which the FBI uploaded into DWS on the FBI uploaded rmation for and Three days later on the FBI uploaded an additional records which primarily were e-mail header information The agent and co-case agent reviewed the returns and determined that the records were within the scope of the FISA Court order and did not include content Howev he agent and co-case agent mistakenly attributed the second batch o f - records to The co-case agent documented these as separate returns from in the case file and the F tly closed the preliminary investig this individual on - - - · The FBI also disclosed these as returns to the FISA Court in a Supplemental Report filed on - - - - - d i d not complete its production of responsive records u n t i l most 6 months after the i on was closed reduced a matel records consistin of which were uploaded electronically into DWS Upon initial receipt of the records from- DITU identified full or e-mail subject lines in the production sent the entire production back to - deleted the materials from its systems and asked for the information to subsequently re-produced the be produced without the subject lines records which were then uploaded into DWS The agent told the OIG that he did not learn about the production until several months later when he logged on to DWS and noticed that he had the returns for review According to e-mails dated agent subsequently contacted attorneys in NSLB and NSD who helped him records were within the date range in the order and determine that the thus were not an overproduction even though the investigation had been closed 41 for several months During this process however the original misattribution of records t o - was discovered and on the FBI and NSD filed a notice of material misstatement with th Court under Rule 13 a The report correctly described the returns and stated that the FBI had deleted t h e - records without reviewing them The agent told the OIG that he was satisfied that they had mitigated the threat even without the records based on the other information developed in the investigation NSD reviewed these business records orders in its 2014 Minimization and Accuracy Review of the field office During this review NSD examined the information produced in response to the orders to evaluate compliance with the applicable minimization procedures and identify overproductions NSD identified no additional errors b Section 215 Orders Issued February 2013 The agent explained that he wanted to obtain as much contact information as possible for these individuals and that a business records order was necessary because He stated that he planned to use the e-mail addresses and telephone numbers he obtained to search FBI and other databases to see if any connections to a foreign power emerged Both applications were approved by the FISA Court on Because the orders were governed by the Interim Procedures the FISA Court issued its standard Supplemental Order requiring submission of a written report describing the FBI's minimization of U S person information The FBI served these orders on 59 A - request sought records for request after submitting it to NSLB because exist 60 NSD reported these business records orders in the Attorney General's 2013 Annual Report to Congress on the use of the business records provision 42 Two weeks later on responsive documents directly to the agen ecords contained telephone numbers and e-mail addresses · According to the Supplemental Reports filed with the FISA Court the agent reviewed the hard copy documents and determined that the information related exclusively to the targeted individuals The agent then had an SOS analyze the information by using the identifiers to conduct database checks and create a telephone link chart which were documented in ECs and uploaded into Sentinel The agent also uploaded scanned documents of the original returns into the case file in Sentinel NSD reviewed the returns for these business records orders in its 2014 Minimization and Accuracy Review and identified no errors Based on this and other information the FBI found no nexus to terrorism and closed the preliminary investigations in - · The FBI closed the full i to the closi Although he had had contact with a person who was associated with the foreign terrorist organization there was no evidence that he su rted or was a member of the o anization himself The FBI also determined concluded warranting further investigation 2 As a result the FBI posed no threat to national security Multiple Business Records Orders in an FBI Counterintelligence Investigation Between 2012 and 2014 an FBI agent obtained business records orders and submitted business records application that was withdrawn after submission of a read co to the FISA Court The business records 43 In a related c records order for information about Below we describe the business records orders and the withdrawn application the FBI's handling of the information received in response to the approved orders how the information was used to further the investigation and any compliance incidents that occurred in connection with these matters a Request for Issued February 2012 Section 215 Order er it had been used to access She said that there was no other authority available to obtain this data given the classification and sensitivity of the case The business records request was submitted to NSD in earl and subsequently was approved by the FISA Court on Because the order pre-dated the Final Procedures the FISA Court issued a Supplemental Order requiring submission of a written report describing the FBI's minimization of U S person information received in response to the order 44 The agent placed the information in the FBI's official case file which is maintained in a secure area of the FBI field office and restricted to personnel involved in the case and did not upload it into the FBI's electronic case management database The OIG reviewed the records and confirmed that they did not include any identifying or account information b Request for Issued February 2012 Section 215 Order The business records request was sent NSD in and the The FISA Court again issued FISA Court signed the order on a Supplemental Order requiring submission of a written report describing the FBI's minimization of U S person information received order ----· The FBI served the FISA Court order on The case agent reviewed the materials and determined that they were within the scope of the order and contained only information relating to the subject We reviewed the documents received in response to this business records order and confirmed that they contained only the subject's information The information remained in hard copy and was not uploaded into the FBI's electronic case management database or disseminated c Request for Issued March 2012 Section 215 Order the agent initiated a business records request for the information The draft request sou ht various his e-mail address 45 The order was approved by the FISA Court on The FISA Court issued its standard Supplemental Order requiring submission of a written report describing the FBI's minimization of U S person information received in response to the order According to the S emental ort submitted to the 64 FISA Cou the FBI served the order In for reasons discussed below and were not uploaded to the FBI's electronic case management database or otherwise disseminated h the FBI ultimately obtained the OIG asked 64 The Supplemental Report for this order and the 2012 orders • • • According to contemporaneous emails these Supplemental Reports got lost in NSD's administrative shuffle when the matters were handed off between attorneys and the delay was not the agent's fault The NSD attorney who filed the Supplemental Reports in 2015 explained the reason for the delay in his cover letters to the FISA Court •••••••li liiiliiiiiiiiiil were not filed until early 2015 46 metadata obtained with a business records order can include In addition our review of revealed t h a t -information included This information was within the sc h authorized the production of all records associated with · As described in more detail below in connection with the discussion of the FBI's dispute the FBI and NSD believe that Section 215 authorizes the government to usin business records orde but nonetheless d Request for Issued November 2012 Section 215 Order The FISA Court approved the Section 215 order on and issued a standard Supplemental Order requiring reporting on the minimization of nsive U S rson information The FBI served the FISA Court order on and the recipient company produced responsive records on The agent then reviewed the records of the order The a nt told us and determined that The agent retained the records in hard copy in the FBI's restricted case file The agent told us went through minimization training 47 to directly view the minimized data The FBI disclosed this dissemination to the FISA Court in a Supplemental Report filed o n - -· e Section 215 Order Issued January 2013 the FBI opened a spin-off investi Based on information and issued The FISA Court approved the application on its standard Supplemental Order requiring reporting on the amount of U S person information received and how it was retained and disseminated The FBI served the business records orders on - fell within the scope of the order but that did not because they either preceded the start date of the order or related to different names than the 66 48 The FBI purged the overproduced records and retained the remaining records in its sical i ative file The produced all of which fell within the scope of the order and were retained in the FBI's physical investigative file The FBI did not did not disseminate or upload the records into its databases f Request for E-mail Transactional Records Section 215 Order Issued December 2013 The FISA Court approved the application on and issued a Supplemental Order requiring the government to file a report stating whether the items received include the contents communication The FBI served the order on on produced responsive records the following day A e Supplemental Report filed with the FISA Court - produced--- which were uploaded and stored in a lemental Re stated restricted area of the FBI's DWS The S The agent told the OIG that she marked the records in DWS by whether they met the FISA Standard and did not release them to the FBI's case management database The OIG reviewed the records and confirmed that they were visible only to the agent 49 g Request for Additional Records Section 215 Order Issued June 2014 I n - the a transactional records fro nt initiated another business records re Rather than ide cific was unable - · She said that there were no overproductions in the returns The OIG reviewed t h e - production and confirmed that it was stored in the restricted case file h - Withdrawn Request for 50 In earl NSD subsequently finalized the business records application The nal draft re uest sou ht all tan ible thin 5 related to the sub'ect In the final 51 According to the application Congress had ratified this interpretation of the business records provision in its 2011 reauthorization The final application also included the same supplemental minimization that these were used in the rocedures as the initial draft not The EAD si FISA Court in 52 NSD subsequently withdrew the business records request 3 Issued May 2012 The request sought the following information • • 68 The FISA Court may authorize a physical searcrll· ······ ·­ finding that there is probable cause to believe that the target of the physical search is a foreign power or an agent of a foreign power except that no United States person may be considered an agent of a foreign power solely upon the basis of activities protected by the first amendment to the Constitution of the United States and that the premises or property to be searched is or is about to be owned used or possessed by or is in transit to or from an agent of a foreign power or a foreign power 50 U S C § 1824 a 2 A B 53 The FISA Court approved the order on standard Supplemental Order under the Interi Su lemental Re filed with the FISA Court stored the raw data on a computer system members The a ent reviewed the records minimized the U S person information summarized his analysis in an EC and uploaded the EC into the FBI's case management system was ve The agent told the OIG to his investigation and · However he expressed concern about how long the business records recess took ·mate 106 da from initiation to order in this instance ant 54 but uld be the maximum amount of time 4 Requests for Section 215 Orders Issued 2011 2012 and November 2014 In late 2011 and early 2012 the FISA Court a records orders authorizi the reduction of 55 Instead the Department and to negotiate a compromise over the production of These negotiations occurred sporadically for nearly three years Durin om early through late all business records requests t o - - those not involving a request for were placed on hold and no new orders were served Eventually in late the FBI decided to exclude from all business records requests FBI Section Chi t the FBI made this decision because business records requests very infrequent and the FBI concluded that the issue did not warrant further liti ation in the FISA Court Following this decision all business records orders we reviewed contained the following limitation an FBI case agent initiated a business records re in a counterintelligence investigation unrelated to t h e business records orders referenced above This uest would become the first business records order issued The su ect in the ·''- ' tion The case agent stated that she initially intended to use an NSL to obtain the records but was informed by others in her office that a business records order would be necessary to get the information she sought The business records request was submitted to NSD on and was subsequently approved by the FISA Court on As requested by the governme the FISA Court's o lan described above The case agent told the OIG that she became aware request process that she would not be able to obtain information o n - - · The case agent stated that this information could have ntial aided her tion if for exam it showed the subject Nonetheless the case agent stated that the inability to get these records did not have an effect on the investigation The FBI served the FISA Court order The FBI received a The case agent conducted an initial review of the records and after determining that they were within the scope of the order 56 and contained only information relating to the subject requested that the records be uploaded into DWS 72 We reviewed the records received in response to the business records order and confirmed that t contained on the su ect's information Additional we found that agent and ri' using the were not of investigative value No analytical pro records obtained The investigation was closed in after the subject departed the United States TI' rl s Request for Orders Issued October 2013 Section 215 The business records request was submitted to NSD on and was sub roved the FISA Court on Court ordered The case agent described the business records process to be uneventful in this case He stated that he answered a few factual questions for the NSD attorney assigned to the business records application but that no concerns or problems were identified with the application The case agent described the overall business records process positively but noted that the amount of time it takes to obtain a business records order was frustrating and can slow down an investigation The FBI served the FISA Court orders on the FBI with records responsive the business records order and responsive records on We describe this compliance issue in more detail below 57 The case agent conducted an initial review of the records and determined that the records were responsive and contained no overproduced information Around this time in the FBI decided to transfer of this case from the - - · The case agent told the OIG that this decision was based on resource considerations Due to this arded the business records to the new case agent in FBI's - - - - · The new case agent told the OIG that the FBI reached out to an individual identified in the business records and According to ment The new case agent stated that the FBI would not have identified if not for these business records Because of that the agent described the business records request as one of the key steps in the ongoing investigation 6 Multiple Business Records Orders in an FBI Counterintelligence Investigation In 2013 and 2014 FBI agents obtained counterintelligence investigation involving The sub ects of the investi Below we business records orders obtained in this investigation a Request for Section 215 Order Issued August 2013 t initiated a business records Fi the The business records request was submitted to NSD on was subsequently approved by the FISA Court on 58 ordered the requested records for the period from inception of service to the date of production of the records The FBI served the FISA Court order FBI received FBI agents assigned to the investigation conducted an initial review of the records and determined that they were who uested the records told the responsive to the request The FBI OIG that the records confirmed b Requests for Section 215 Orders Issued August 2013 and March 2014 -· determined that The business records request was submitted to NSD on and was su uentl the FISA Court on Court ordered The FBI attem informed the FBI the order and refused to accept service of the order As a result no records were obtained in response to this order and as we discuss below the FBI obtained a new order for these records 73 On the FBI case agent initiated a second business records request for these records In addition to the records uested the second re uest 73 NSD told us that 59 The business records request was submitted to NSD on and was subsequently approved by the FISA Court on Court's order a ain contained lan ua produce The FBI served the order received with the responsive records on The case agent told us that she conducted an initial review of the materials upon receipt and found the records responsive to the request The case agent also told us the records were useful to the investigation and that some of the records were disseminated The case file indicated The the case agent told the OIG • B Compliance Incidents The OIG reviewed three compliance incidents that affected numerous business records orders between 2012 and 2014 The first involved the reduction of full and partial e-mail subject lines by two providers which the OIG determined affected business records orders duced NSD and FBI witnesses told the OIG that the vast majority of compliance incidents relating to business records orders between 2012 and 2014 were the result of overproductions by providers A third compliance incident was the result of a technical database rather than der error In March 2015 the FBI We describe each of these compliance incidents below 1 - Full and Partial Subject Lines from On November 16 2012 DITU notified NSD that it had discovered that - h a d overproduced full or partial subject lines in response t o business records orders requesting e-mail transactional records Upon discovery of the overproduction the FBI contacted and stopped serving business records orders on it NSD filed a inary notice with the FISA Court on November 21 2012 disclosing t h e - overproduction and statin the FBI was investigating the issue further On December 19 2012 - advised the FBI that it had identified the cause of the overproduction and rectified the error and the FBI then resumed serving business records orders on - · 60 However DITU's review of subsequent productions revealed that continued to produce full and partial subject line information in response to business records orders after December 2012 DITU determined that the duction was caused by a mistake i n - production logic and that --earlier fix was flawed DITU then sequestered all business records productions f r o m - so that they were available only to limited technical personnel When DITU discovered overproduced information it purged the entire production prior to uploading and requested that the provider reproduce it without the subject line information By April 6 2013 - represented that it had corrected its production methodology to include only authorized e-mail fields Nonetheless DITU continued to manually review business records productions and discovered additional full or partial subject lines in July August and October 2013 According to a Rule 13 b notice filed with the FISA Court on December 26 2013 DITU did not identify additional overproductions b y - after November 8 201 stopped manually reviewing business records productions f r o m - on November 18 2013 While investigating systemic overproduction of subject lines DITU identified similar overproductions by - · DITU followed the same procedures as it had w i t h - ' sequestering and purging t h e productions to ensure that no information had been transferred to other FBI systems DITU continued to review all returns until November 12 2013 when it determined that corrected the problem In July 2015 however NSD reported that had overproduced subject line information in response to two business records orders issued in 2014 A subsequent FBI investigation concluded that these overproductions were an isolated issue and n emic problem The OIG did not identify additional overproductions b y - - in 2014 Although NSLB concluded that DITU followed proper procedures by sequestering the overproductions and did not compound the errors by uploading the materials into FBI databases the FBI reported these as lOB violations based on the systemic nature of the technical problems by the providers and the large number of FISA Court dockets affected The Department also reported the systemic overproductions to Congress in the Attorney General's 2013 Annual Report on the use of the business records provision and in the Semi-Annual Report for January 1 to June 30 2013 2 On June 27 2013 the FISA Court a transactional records from 61 74 The providers produced responsive records in electronic format which were uploaded into DWS and reviewed by the agent During a Minimization and Accuracy Review conducted in a field office in December 2013 an NSD attorney reviewed the records produced in response to this business records order and discovered that had roduced information D determined potentially constitute content and were beyond the scope of a business records order for electronic transactional records In subsequent conversations with - ' the FBI discovered t h a t was regularly providing - i n response to FISA business r P and trace PRITT orders and thus it was likely that - - had been overproduced in r other orders 75 As of February 7 2014 had removed-- from business records and told the FBI it would provide information only from uctions in response to future orders to avoid producing unauthorized information NSD prov inary notice of the potential compliance issue associated w i t h - - to the FISA Court on February 14 2014 and final notice on June 12 2014 According to the final notice filed with the FISA Court in June 2014 NSLB issued guidance to FBI personnel concerningfound in business records or PRITT ns advising FBI personnel to consult NSLB if they came across - - in FISA-acquired information produced pursuant to a business records or PRm order and the data was not confined to information in the to from field FBI e-mails indicate that NSLB did not require agents to re-review business records or PRITT returns received before February 7 2014 to assess whether they i n c l u d e d data outside the scope of the orders An NSD Depu ion Chief told the OIG that the content in the 2 0 1 3 - production reported to the FISA Cou data is not content in all cases For exam she indicated data was but that The FBI disclosed this misstatement to the FISA Court and filed a second application for business records relating to those e-mail addresses In addition this business records order was not part of the systemic overproduction of e-mail subject lines b y - · 75 The OIG identified • business records orders directed at in 2012 and 2013 but did not review the potenti voluminous productions received in response to those orders to determine if these contained 62 The Deputy Section Chief explained that this distinction was not always readily discernible and required case-by-case analysis She stated that when the error in this instance was initially discovered the FBI determined that DITU could not automatically screenproductions to identify data that constituted content She said that the FISA Court was aware that NSLB iss idance instructing agents to be on productions the lookout f o r - data in future The Department also reported the production o f - data to Congress in the Attorney General's Semi-Annual Report for January 1 to June 30 2014 3 DWS Release of Quarantined Records As described above the FBI's typical practice is to store business records returns produced in electronic format in an access-restricted area of DWS The agent is required to conduct an initial review of the records to identify overproductions and minimize nonpublic U S person information before releasing the records in DWS In March 2015 the FBI identified an error that caused DWS to release some business records returns prior to initial review making the un-minimized raw data available FBI-wide The FBI determined that the error potentially affected business records orders between January 2014 and March 2015 76 The FBI informed the FISA Court of the error on June 30 2015 According to the Rule 13 b notice filed with the FISA Court the FBI corrected the error in DWS and restricted access to the materials produced in response to the affected business records orders The FBI then notified the agents responsible for those orders to allow them to conduct initial reviews of their returns An NSD Deputy Section Chief told us that NSD and FBI are still investigating the incident specifically they are confirming that all initial reviews have been completed and attempting to determine whether any of the un-minimized raw data was exported from DWS prior to the initial review being conducted C Current Status of Bulk Collection under Section 215 76 This error affected business records orders in 2014 including review by the OIG 63 I orders selected for As noted previously the USA Freedom Act effectively ended bulk collection by the government under Section 215 by requiring the government to limit the scope of its requests to the greatest extent reasonably practicable and by requiring that applications for business records include a specific selection term such as a specific individual telephone number or e-mail address This addition to the business rds statute was si nificant because the FISA Court on the theory that all of the data was relevant because it was necessary to create a data archive from which to identify known and unknown terrorists that may be in the United States or in contact with U S persons The new provision of the USA Freedom Act became effective on November 29 2015 180 da after the date of the statute's enactment· • bulk collection After that date A Deputy Section Chief from NSD told us that the government no longer collects information in bulk under Section 215 77 authorization from the FISA Court to retain and use produced under the FISA Court orders that authorized the - - - - · According to filings with the FISA Court the NSA requested authority to retain previously produced data for two reasons First the NSA requested 90 days of technical access to previously produced data so that authorized technical personnel could use that data to verify the completeness and accuracy of call detail records produced under the new targeted production orders authorized by the USA Freedom Act Second the NSA requested authority to retain previously produced data in order to remain in compliance with civil litigation preservation obligations imposed federal district courts until the NSA was relieved of those obli ations The FISA Court appointed amicus curiae under the new provisions of the USA Freedom Act and ordered the amicus and the overnment to brief the issue In memoranda to the FISA Court the amicus concluded that the USA Freedom Act did not prohibit the government's retention and requested use of the bulk data and that it was within the discretion of the FISA Court to determine 77 As noted in Section II of this report the USA Freedom Act created a new mechanism that allows the government to obtain call detail records from providers within two hops of the specific selection term on an ongoing basis for 180 days from the date of the FISA Court order See 50 U S C § 1861 b 2 C 64 The amicus stated that given the significant privacy interests of U S persons that were at issue the FISA Court should exercise its oversight authority to ensure that the government was retaining and using the previously collected information in a manner consistent ures Followi a hearin on the matter the with applicable minimization FISA Court granted the According to the the FISA Court found e FISA Court found that the government's access to and use of the bulk telephony metadata was appropriately tailored to ensure that the successor program established by the USA Freedom Act was functioning effectively and to ensure compliance with the government's litigation-related obligations VI CONCLUSION As required by the USA Freedom Act we examined the FBI's use of Section 215 authority for calendar years 2012 through 2014 in this report Our review determined that the FISA Court issued 561 business records orders during the review period including 212 in 2012 179 in 2013 and 170 in 2014 We found that the Section 215 applications during our review period sou ht a of tan ible thin includin transactional records for e-mai We found that the number of business records orders obtained by the FBI increased significantly between 2007 and 2014 largely driven by the refusal of several communications ders to produce transactional records for e-mail ECTRs in response to NSLs Between 2007 and 51 total orders Of these related t o and only were requests for ECTRs representing of all non-bulk business records orders obtained during that between 2012 and 2014 of the orders related to while involved requests for of the non-bulk orders obtained during ECTRs constituting roughly our review period I Even excepting requests for e-mail transactional records the number of business records orders obtained by the FBI between 2012 and 2014 was substantially higher than in the previous review period There were • business records orders for non-ECTR non-bulk information during our review period as compared t o between 2007 and 2009 Some witnesses 65 attributed this increase to agents' growing awareness of and comfort with the business records process while others were unable to provide an explanation for it We identified changes in the use of business records orders that took place within our review period The number of business records orders reached its peak in 2012 with 212 orders and has declined annually since then Witnesses told us that the number of ECTR requests has declined more than other types of requests According to an NSD Deputy Unit Chief revelations about the NSA's bulk telephony metadata program played a role in this decline both in terms of the stigma attached to use of Section 215 and increased resistance from providers In comments provided to the OIG after reviewing a draft of this report NSD also attributed the FBI's increasing use of taskings under Section 702 of the FISA Amendments Act as likely a notable cause in the decrease in business records requests We found that business records orders were used most fr ntly in counterintelligence cases Of t h e total orders we analyzed - were in counterterrorism cases in obtained in counterintelligence cases • cases ts told us that business records orders uent ber cases in some instances can open a parallel criminal case and use the grand jury process to obtain the same information more and with less overs t than a business records order which is consistent with agents' explanations that those cases require particularly timely acquisition of information as discussed below During our review we analyzed the timeliness of the business records process both generally and at each phase of the approval process We determined that the median time needed to obtain business records orders during our review period was 115 days Business records orders spent the least amount of time in the field office phase of the approval process a median of 16 days Orders spent a median of 40 days with NSLB and 33 days in the NSD phase of the approval process We found that the FBI took a median of 2 weeks to obtain final approval signatures from NSLB and the FBI Deputy General Counsel 66 acknowledged the delays in the process and told the OIG that they have taken steps to improve it including streamlining the drafting and review process for ECTRs We also selected • applications to illustrate the various uses of Section 215 authority and to conduct a more detailed review of the types of materials requested the purposes of the requests the materials produced and the manner in which the materials were used Although agents expressed concern about the length of the process to obtain a business records order they told us consistently that these orders continued to be a valuable investigative tool As with our previous reviews the majority of agents we interviewed did not identify any major case developments that resulted from use of the records obtained in response to business records orders but told us that the material produced was valuable as a building block of the investigation However in at least two cases agents we interviewed told us that the business records obtained in their investigation provided valuable information that they would not otherwise have been able to obtain In other instances case agents told us that they used the information obtained under Section 215 to exculpate a subject and close the investigation We also reviewed the • FISA Court orders authorizin of certain data as part of counterterrorism • Our third report on Section 215 authority described luding the specialized minimization procedures th - - ' reported compliance incidents and the status of through May 2015 As described in this report the USA Freedom Act effectively ended the government's collection of data in bulk under Section 215 by requiring the government to limit the scope of its requests to the greatest extent reasonably practicable and by requiring that applications seek records related to a specific identifier such as an individual account address or rsonal device On November 24 2015 he FISA Court ranted the bulk data previously collected under prior FISA Court orders Finally in addition to reviewing the FBI's use of Section 215 authority in calendar years 2012 through 2014 we examined the progress the Department and the FBI made in addressing three recommendations in the OIG's March 2008 and May 2015 reports In the 2008 report we recommended that the Department implement final minimization procedures develop procedures for reviewing materials received in response to business records orders to identify overproduced information and develop procedures for handling overproductions In our May 2015 report we recognized that the Department had adopted Final Procedures implementing the OIG's recommendations but identified several terms used in the Final Procedures that we believed required clarification Based on the information obtained in our current review we concluded that the Department and the FBI have made these clarifications We therefore have closed the recommendations Based on the information developed during our review we concluded that the process used to obtain non-bulk business records orders between 2012 and 67 2014 contained safeguards that protected U S persons from the unauthorized collection retention and dissemination of nonpublic information about them As described above the business records process requires multiple layers of approval including by attorneys in NSLB and NSD and by the FBI EAD for certain sensitive records Information we reviewed indicates that NSLB and NSD attorneys routinely question agents about business records applications Rather than acting as a rubber stamp documents that we reviewed reflect that the FISA Court engages in a dialogue with NSD and at times has informed NSD that it will not approve certain business records applications we identified at least • applications that were withdrawn after submission of a read copy to the FISA Court during the period covered by this review In addition since July 2013 the Final Procedures require agents to determine whether nonpublic U S person information meets the FISA Standard before retaining or disseminating it to other agencies We found that the agents we interviewed had received training on the minimization procedures were knowledgeable about them and appeared to take them seriously The steps that the FBI and NSD have taken to implement the OIG's previous recommendations combined with the level of oversight and reporting to monitor FBI compliance with the Final Procedures reflect considerable progress in the FBI's use of Section 215 authority However based on the concerns expressed by agents about the time needed to obtain business records orders we recommend that the FBI and the Department continue to pursue ways to make the business records process more effie rticula for a lications related to r cases where a ents Potential measures include using FISAMS data to track the timeliness of Section 215 applications using alerts within FISAMS to identify applications that have lingered past a certain period of time without review and implementing a streamlined drafting and review nr r·ccoc 68 The Department of Justice Office of the Inspector General DOJ OIG is a statutorily created independent entity whose mission is to detect and deter waste fraud abuse and misconduct in the Department of Justice and to promote economy and efficiency in the Department's operations Information may be reported to the DOJ GIG's hotline at www justice govjoig hotline or BOO 869-4499 Office of the Inspector General U S Department of Justice www justice gov oig