UNCLASSIFIED

A Review of the FBI's Use of Section 215 Orders for Business Records in 2012 through 2014

Oversight & Review Division 16-04
September 2016

NOTE
******************************************************
A classified version of this report was completed in June 2016 and, as required by the USA Freedom Act, was provided to the Committee on the Judiciary and the Select Committee on Intelligence of the Senate and the Committee on the Judiciary and the Permanent Select Committee on Intelligence of the House of Representatives. We also provided the report to cleared members of other relevant Congressional oversight committees. This unclassified version of the report follows the completion of a classification review by the FBI and the Intelligence Community and contains redactions of information that they determined to be classified.
******************************************************

TABLE OF CONTENTS

EXECUTIVE SUMMARY
I. INTRODUCTION
   A. Methodology of the OIG Review
   B. Organization of the Report
II. BACKGROUND
   A. Legal Background
   B. The Process for Seeking Section 215 Orders
   C. Minimization Procedures
      1. Interim Minimization Procedures
      2. Final Minimization Procedures
      3. Retroactive Application of the Final Procedures
   D. Compliance Issues
III. STATUS OF RECOMMENDATIONS
   A. Handling of Metadata Under the Final Procedures
      1. Initial Review of Metadata
      2. Other Provisions Relating to Metadata
   B. Retention and Dissemination of U.S. Person Information
      1. "Necessary to Understand Foreign Intelligence Information"
      2. Dissemination of Information Relating to Computer Intrusions or Attacks
IV. OVERVIEW OF BUSINESS RECORDS ORDERS ISSUED FROM 2012 THROUGH 2014
   A. The Overall Number of Business Records Orders
   B. Business Records Orders by FBI Field Office
   C. Analysis of Business Records Orders
      1. Types of Investigations from which Business Records Orders Originated
      2. Subjects of Business Records Orders
      3. Types of Records Requested in Approved Business Records Orders Filed on Behalf of the FBI
      4. Timeliness of the Business Records Process
V. SELECTED SECTION 215 ORDERS OBTAINED BETWEEN 2012 AND 2014
   A. Selected Uses of Section 215 Authority
      1. Related FBI Business Records Orders Counterterrorism Investigations
      2. Multiple Business Records Orders in an FBI Counterintelligence Investigation
      3. ued May 2012)
      4. (Section 215 Orders 014)
      5. Request for (Section 215 Orders Issued October 2013)
      6. Multiple Business Records Orders in an FBI Counterintelligence Investigation
   B. Compliance Incidents
      1. Full and Partial Subject Lines from
      2. .
      3. DWS Release of Quarantined Records
   C. Current Status of Bulk Collection under Section 215
VI. CONCLUSION

EXECUTIVE SUMMARY

This Executive Summary provides a brief overview of the results of the Department of Justice (Department or DOJ) Office of the Inspector General's (OIG) review of the Federal Bureau of Investigation's (FBI) use of the investigative authority granted by Section 215 of the Patriot Act between 2012 and 2014. Section 215 is often referred to as the Foreign Intelligence Surveillance Act (FISA) "business records" provision.

This is the OIG's fourth review of the FBI's use of FISA business records. Three previous reports issued in March 2007, March 2008, and May 2015 addressed the FBI's use of Section 215 authority between 2002 and 2009. This current review is mandated by the USA Freedom Act of 2015. 1 The USA Freedom Act, signed into law on June 2, 2015, directs the OIG to issue within 1 year of the date of enactment a report examining the FBI's use of Section 215 authority for calendar years 2012 to 2014, addressing any noteworthy facts or circumstances relating to Section 215 orders, any illegal or improper use of Section 215 authority, the effectiveness of Section 215 as an investigative tool, and the adequacy of procedures used to "minimize" U.S. person information obtained in response to Section 215 orders.

To conduct this review, the OIG reviewed the Standard Minimization Procedures for Tangible Things Obtained Pursuant to Title V of the Foreign Intelligence Surveillance Act adopted by the Attorney General on March 7, 2013 ("Final Procedures"). We also examined over 90,000 documents obtained from the FBI and the Department's National Security Division's (NSD) Office of Intelligence, including files relating to each FISA Court order approving use of Section 215 authority between 2012 and 2014, Department reports to Congress concerning that use during calendar years 2012 through 2014, documents detailing compliance incidents related to the FBI's use of Section 215 authority, reports documenting the results of internal reviews conducted by NSD between 2012 and 2014, e-mails relating to approved and withdrawn business records applications, and FBI and NSD policies and training materials related to the Final Procedures.

We reviewed each of the FISA Court-approved orders for business records between 2012 and 2014 in order to provide an overview of the characteristics of those orders and the underlying investigations in which they were obtained.
In addition, we conducted a more in-depth analysis of the FBI's use of this authority in national security investigations by reviewing a sample of Section 215 orders and withdrawn applications selected from two FBI field offices that had relatively large and diverse uses of Section 215 orders, and by conducting field visits in those offices. Over the course of the review, we also interviewed more than 50 individuals from the FBI and the Department, including Section and Unit Chiefs from NSD's Office of Intelligence and the FBI's National Security Law Branch (NSLB), and attorneys, case agents, and supervisors who worked on individual Section 215 orders.

1 "USA FREEDOM Act" is an acronym for Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015, Pub. L. No. 114-23, 129 Stat. 268 (2015). We refer to it in this report as the USA Freedom Act.

In this report, we provide an overview of the FBI's use of Section 215 authority between 2012 and 2014 that describes the number of Section 215 orders obtained, the type of information requested, the types of FBI cases in which business records orders were used, and the average time between initiation of a business records order request by an FBI field office and issuance of an order by the FISA Court.

Our review found that the number of business records orders obtained by the FBI increased significantly between 2007 and 2012, largely driven by the refusal of several communications providers to produce transactional records for e-mail accounts (known as Electronic Communication Transaction Records, or ECTRs) in response to FBI National Security Letters (NSLs). Between 2012 and 2014, the FISA Court approved 561 business records orders. 2 However, as shown in Figure 1, between 2012 and 2014, the number of business records orders dropped from a 9-year high of 212 in 2012 to 170 in 2014 (19.8%). A further decrease occurred in 2015, when the number of orders fell to 142.
2 After reviewing a draft of this report, NSD commented that references to the number of business records orders should be changed to the number of approved applications for business records orders. The OIG understands that some business records applications result in more than one order. For example, the FISA Court may issue orders to four separate providers when approving a single application requesting ECTRs for four e-mail addresses. We also recognize that NSD reports the number of applications submitted to the FISA Court in its annual reports to Congress. Nonetheless, we decided to retain the references to the number of business records orders throughout this report as a matter of convenience.

FIGURE 1
Total Number of Approved Business Records Orders, by Calendar Year, 2007-2015 3
(Figure: chart of approved business records orders by calendar year, 2007 through 2015.)
Source: FBI.

An NSD Deputy Unit Chief noted the decline after 2012 and told the OIG that the number of ECTRs decreased more than other types of records. He attributed the decline in part to revelations by Edward Snowden about the U.S. government's use of Section 215 to collect bulk telephony metadata, both in terms of the stigma attached to use of Section 215 and increased resistance from providers. In comments provided to the OIG after reviewing a draft of this report, NSD stated that the degree to which the Snowden disclosures affected the number of business records applications was somewhat speculative, and attributed the FBI's increasing use of taskings under Section 702 as likely a "notable cause" in the decrease in business records requests. NSD stated that during the relevant period (and continuing today) it suggested that FBI withdraw business records requests for accounts used by non-U.S. persons located overseas that can instead be tasked under Section 702. 4 Agents also told the OIG that they increasingly were electing to use criminal legal process instead of FISA authority in counterterrorism and cyber investigations because of their frustrations with the lack of timeliness and the level of oversight in the business records process.

3 This table includes the total number of dockets for 2013 (179). This number differs slightly from the number of approved applications for business records the Department reported to Congress for 2013 (178). The OIG recognizes that one submission in 2013 was a copy of the Final Procedures, which did not result in a FISA Court order. As described below, we excluded this docket from our numbers for purposes of analysis.

4 Section 702 of the FISA Amendments Act allows the government to acquire foreign intelligence by targeting non-U.S. persons reasonably believed to be outside the United States. Under Section 702, the government is not required to obtain individual surveillance orders from the FISA Court. Instead, the FISA Court approves targeting procedures to ensure that the government targets only non-U.S. persons reasonably believed to be outside the United States, and minimization procedures to guard against the inadvertent collection, retention, and dissemination of U.S. person information.

We analyzed data for . of the 561 orders approved during our review period. 5 Between 2012 and 2014, of the . business records orders analyzed, business records orders included requests for ECTRs, representing • of all non-bulk orders, compared to - orders in the OIG's previous review period between 2007 and 2009, which constituted - of non-bulk orders.

The median time needed to obtain business records orders during our review period from initiation of a request by a field office until issuance of the order by the FISA Court was 115 days. 6 While several NSD witnesses said that the volume of requests did not significantly impact their processing of business records orders, others acknowledged that there had been delays in the process "because things get backed up." One NSLB attorney told the OIG that he was "embarrassed" at how long the business records process takes, stating, "We are asking for less [than a full FISA], and it's taking twice as long." According to the witnesses we interviewed, both NSD and NSLB have taken steps to improve the business records process, including streamlining the drafting and review process for ECTRs.

In addition, the OIG found that Section 215 business records orders were used far more frequently in counterintelligence cases than as a counterterrorism or cyber tool. Of the total orders we analyzed, • were obtained in counterintelligence cases, • in counterterrorism ca and in r cases. ents told us that Section 215 orders uentl are while agents handling counterterrorism and cyber cases in some instances can open a parallel criminal case and use the grand jury process to obtain the same information more quickly and with less oversight than a business records order. In articular ts

6 FISA Court rules provide for submission of a proposed application, an advance copy of an application commonly called a "read" copy, no later than 7 days before the government seeks to have the matter entertained by the FISA Court. Our analysis included the time that applications and proposed orders were with the FISA Court to provide the most accurate measurement of the time needed for the FBI to obtain business records orders. While we do not have complete data regarding the FISA Court's processing of business records applications, we were informed that "read" copies generally are provided the week before, and the orders signed within a day or two of submission of the final application. No witnesses cited delays with the FISA Court as an issue.

Our report describes. Section 215 applications and orders between 2012 and 2014 that illustrate the varied uses of Section 215 authority. While the FBI used business records orders most to obtain transactional records for e-mail Agents expressed concern about the length of the process to obtain a business records order, but also told us that Section 215 authority continued to be a valuable investigative tool when companies would not voluntarily produce material sought by the FBI or produce it in response to other investigative authorities. As with our previous reviews, the majority of agents we interviewed did not identify any major case developments that resulted from use of the records obtained in response to Section 215 orders, but told us that the material produced pursuant to Section 215 orders was valuable as a building block of the investigation, and was used to support other investigative requests, develop investigative leads, and corroborate other information. However, in at least two cases, agents we interviewed told us that the business records obtained in their investigation provided valuable information that they would not otherwise have been able to obtain. In other instances, case agents told us that they used the information obtained under Section 215 to exculpate a subject and close the investigation.

The OIG reviewed three compliance incidents that affected numerous business records orders between 2012 and 2014. The first involved the ~tion of full and partial e-mail subject lines by two providers, . . _ _ . . . . , which the OIG determined affected business records orders. In a second compliance incident, se to a si le busin The FBI subseque~d that previous likely contained similar _ . _ and worked with the provider to fix the error. A third compliance incident resulted from a system-wide error in an FBI database that released business records returns from a quarantined area prior to initial review and allowed access to un-minimized data.
All of these incidents were reported to the FISA Court.

As noted above, during our review peri orders issued in connection with

As part of this review, we also examined the progress the Department and the FBI made in addressing three relevant recommendations from the OIG's March 2008 and May 2015 reports. In the 2008 report, we recommended that the Department implement final minimization procedures, develop procedures for reviewing materials received in response to business records orders issued by the Foreign Intelligence Surveillance Court (FISA Court) to ensure that they do not contain "overproduced" information outside the scope of orders, and develop procedures for handling overproductions. In our May 2015 report, we found that the Department had adopted Final Procedures implementing the OIG's recommendations, but identified several terms used in the Final Procedures that we believed required clarification, including with regard to the minimization of U.S. person information. Based on the information obtained in our current review, we concluded that the Department and the FBI have made these clarifications. We therefore have closed these remaining recommendations.

However, based on the concerns expressed by agents about the time needed to obtain business records orders, we recommend that the FBI and the Department continue to pursue ways to make the business records process rticula for a lications related to ber cases where ts more effie Potential measures include using the FBI's FISA Management System (FISAMS) data to track the timeliness of Section 215 applications, using alerts within FISAMS to identify applications that have lingered past a certain period of time without review and implementing a streamlined drafting and review pro

I. INTRODUCTION

Section 215 of the Patriot Act, otherwise known as the business records provision, allows the Federal Bureau of Investigation (FBI) to acquire "any tangible things (including books, records, papers, documents, and other items) for an investigation ..." to obtain foreign intelligence information not concerning a U.S. person or to protect against international terrorism or clandestine intelligence activities, provided that an underlying investigation of a U.S. person is not conducted solely upon the basis of activities protected by the First Amendment. 7 The FBI may use this investigative method only in Preliminary and Full Investigations, and the information sought must be relevant to an open, predicated national security investigation.

This is the Department of Justice (Department or DOJ) Office of the Inspector General's (OIG) fourth review of the FBI's use of investigative authority granted by Section 215. The OIG has issued three previous reports regarding the FBI's use of the business records provision: in March 2007, covering calendar years 2002 to 2005; in March 2008, covering calendar year 2006; and in May 2015, covering calendar years 2007 to 2009.

This fourth review is mandated by the USA Freedom Act of 2015, signed into law on June 2, 2015. The USA Freedom Act directs the OIG to issue within 1 year of the date of enactment a report examining the FBI's use of Section 215 authority for calendar years 2012 to 2014. As required by the USA Freedom Act, this report addresses noteworthy facts or circumstances relating to Section 215 orders, any illegal or improper use of Section 215 authority, the effectiveness of Section 215 as an investigative tool, and the adequacy of procedures used to "minimize" U.S. person information obtained in response to Section 215 orders.

A. Methodology of the OIG Review

To conduct this review, the OIG examined over 90,000 pages of material obtained from the FBI and the Department's National Security Division's (NSD) Office of Intelligence. These documents included files relating to each FISA Court order approving use of Section 215 authority between 2012 and 2014; Department reports to Congress concerning that use during calendar years 2012 through 2014; documents detailing compliance incidents related to the FBI's use of Section 215 authority; reports documenting the results of Accuracy and Minimization Reviews conducted by NSD between 2012 and 2014; e-mails relating to approved and withdrawn business records applications; minimization procedures in effect during the review period; and FBI and NSD policies and training materials related to final minimization procedures adopted in 2013.

7 The term "USA PATRIOT Act" is an acronym for the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (2001). We refer to it as "the Patriot Act" in this report.

We reviewed each of the 561 Foreign Intelligence Surveillance Act (FISA) Court-approved orders for business records between 2012 and 2014 in order to provide an overview of the characteristics of those orders and the underlying investigations in which they were obtained. 8 In order to conduct an in-depth analysis of the FBI's use of business records authority, we conducted field visits to two FBI field offices: the We identified these field offices based on the overall n riety of business records orders obtained during the review period. we reviewed business records orders obtained during the review period . • each of the we reviewed a sample of . of the • business records orders obtained, which we selected based on various factors, including unique use of Section 215 authority, the type of investigation, or the occurrence of compliance incidents.
During these field visits, we examined documents in the FBI's case management system and interviewed agents, supervisors, and counsel about the FISA business records process, the use of Section 215 authority in their individual cases, and the application of the relevant minimization procedures. In several instances, we also examined the materials produced in response to business records orders. We selected. of these applications for more detailed analysis to highlight the varied and evolving uses of Section 215 authority.

In addition to the orders approved by the FISA Court, between 2012 and 2014 there were. pending and- withdrawn applications for Section 215 orders. 9 We reviewed withdrawn requests or applications originating from and questioned agents about. of these. We also reviewed requests submitted to NSD but not filed with the FISA Court, and • proposed applications filed with the FISA Court as "read" or advance copies that NSD ultimately withdrew prior to formally filing. Where the applications presented novel or unique legal issues, we questioned NSD attorneys about the reasons for these withdrawals.

As noted earlier, durin roved orders related to Our third report discussed uding the specialized minimization procedures t reported compliance incidents, and the status of through May 2015. On June 2, 2015, the USA Freedom Act ended bulk collection under Section 215 by requiring that applications for business records identify a person, account, address, or personal device, or any other specific identifier. 10 See 50 U.S.C. §§ 1861(b)(2), (k)(4) (2015), as amended by USA Freedom Act of 2015, §§ 101, 103, 107, 109.

8 We reviewed all 561 orders approved during our review period, but excluded • orders for statistical as described in more detail IV.C: orders Procedures.

9 Pending applications include applications generated between 2012 and 2014 but not provided to NSD for further processing or submitted to the FISA Court for further approval.
Our report provides a brief status update in light of the changes instituted by the USA Freedom Act.

Over the course of this review, we interviewed more than 50 people from the FBI and the Department, including Section and Unit Chiefs from the FBI's National Security Law Branch (NSLB) and NSD's Office of Intelligence and attorneys, case agents, and supervisors who worked on Section 215 orders. We did not question FBI and NSD personnel about the specifics of every order, nor did we conduct an independent compliance review of each use of Section 215 authority between 2012 and 2014. For purposes of this report, we relied on the Department's reporting to the FISA Court, the FBI's reporting to the Intelligence Oversight Board (IOB), and the reports summarizing Accuracy and Minimization Reviews conducted by NSD in FBI field offices to identify compliance incidents that occurred during the relevant time period.

B. Organization of the Report

This report is divided into six sections. After this introduction, we describe in Section II the legal background related to Section 215 authority, the process for obtaining a Section 215 order, the procedures applicable to the use of business records material, and the procedures for reporting compliance incidents to the FISA Court and the IOB. In Section III, we discuss the status of recommendations the OIG made in previous reports concerning the FBI's use of Section 215 authority.

In Section IV, we provide an overview of the FBI's use of Section 215 authority between 2012 and 2014. We describe the number of Section 215 orders approved, the type of information requested, the number of FBI offices that used the authority, and the types of investigations in which Section 215 orders were sought.

In Section V, we provide a more detailed discussion of . business records orders obtained between 2012 and 2014.
We describe the information requested, the purpose of the requests, the material produced, the manner in which it was used, and any compliance incidents that occurred. We also describe three compliance incidents that affected numerous business records orders durin our time eriod and b discuss the status o f of the USA Freedom Act.

Finally, Section VI contains our conclusions.

10 As described in more detail below, the effective date of these changes was within 180 days of the date of enactment, which was November 29, 2015. The USA Freedom Act also eliminated bulk collection using pen register/trap and trace authority or various National Security Letter authorities by requiring use of a specific selection term. See USA Freedom Act of 2015, §§ 201, 501.

II. BACKGROUND

This section provides a brief description of the legal background related to Section 215 authority and the process for obtaining Section 215 orders.

A. Legal Background

The Foreign Intelligence Surveillance Act of 1978 (FISA) requires the FBI to obtain an order from the FISA Court to conduct electronic surveillance to collect foreign intelligence information. 11 In 1998, Congress amended FISA to authorize the FBI to apply to the FISA Court for orders compelling common carriers, public accommodation facilities, physical storage facilities, and vehicle rental facilities to "release records in [their] possession" to the FBI. The amendment did not further define "records." This provision, which was codified at 50 U.S.C. § 1862, became known as the "business records" provision. 12

The 1998 amendment required the FBI to specify that the business records were sought for an investigation to gather foreign intelligence information or an investigation concerning international terrorism, and that there were "specific and articulable facts giving reason to believe that the person to whom the records pertain is a foreign power or an agent of a foreign power." 50 U.S.C. § 1862 (2000).
This language meant that the FBI was limited to obtaining information regarding a specific person or entity the FBI was investigating and about whom the FBI had individualized suspicion. The amendment also prohibited the entity complying with the order from disclosing either the existence of the order or any information produced in response to the order. The authority granted by the 1998 amendment was rarely used. Between enactment of the amendment and passage of the Patriot Act in October 2001, the FBI obtained only one FISA order for business records.

11 FISA provides two definitions of "foreign intelligence information." Under 50 U.S.C. § 1801(e)(1), foreign intelligence information means information that relates to, and if concerning a U.S. person is necessary to, the ability of the United States to protect against (1) actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power; (2) sabotage, international terrorism, or the international proliferation of weapons of mass destruction by a foreign power or an agent of a foreign power; or (3) clandestine intelligence activities by an intelligence service or network of a foreign power or by an agent of a foreign power. Under 50 U.S.C. § 1801(e)(2), foreign intelligence information includes information with respect to a foreign power or foreign territory that relates to, and if concerning a U.S. person is necessary to, the national defense or the security of the United States, or the conduct of the foreign affairs of the United States.

12 50 U.S.C. § 1862(b)(2)(B) (1998), as amended, 50 U.S.C. § 1861 (2001).

In October 2001, Section 215 of the Patriot Act significantly expanded the business records provision. The pertinent part of Section 215 provides:

[T]he Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.

50 U.S.C. § 1861(a)(1) (2001).

While the 1998 amendment limited the FBI's business records authority to four types of businesses, the 2001 language did not contain any such limitation. Section 215 also expanded the categories of documents obtainable under the business records provision from "records" to "any tangible things (including books, records, papers, documents, and other items)."

In addition, Section 215 lowered the evidentiary threshold to obtain a business records order. Rather than requiring the FBI to show that the requested information pertained to a person under investigation, Section 215 required that the items sought need only be "for an authorized investigation conducted in accordance with [applicable law and guidelines] to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities." 50 U.S.C. § 1861(b)(2) (2001). This standard, referred to as the relevance standard, permits the FBI to seek information concerning persons connected in some way to a person or entity under investigation.

Congress twice amended Section 215 in 2006. The first legislative amendment, the USA PATRIOT Improvement and Reauthorization Act of 2005 (Reauthorization Act), was signed into law on March 9, 2006.
The Reauthorization Act required that an application for a business records order establish "reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation." 13 50 U.S.C. § 1861(b)(2)(B) (2006). At the same time, the Reauthorization Act provided a presumption of relevance for tangible things that pertain to foreign powers, agents of foreign powers, suspected agents of foreign powers who are the subjects of authorized investigations, or individuals in contact with, or known to, suspected agents of foreign powers who are the subjects of authorized investigations. If an application demonstrates that the information requested pertains to one of these four entities or individuals, it is presumptively relevant to an authorized investigation. The Reauthorization Act also authorized the collection of certain sensitive records, including library, medical, educational, and tax return records. However, it required that applications for sensitive records be approved by the FBI Director or his specified designee, and required specific reporting about these records to Congress. 14 The Reauthorization Act also established a process for recipients of Section 215 orders to challenge their legality before a FISA Court judge.
13 USA PATRIOT Improvement and Reauthorization Act of 2005, Pub. L. 109-177, 120 Stat. 196 to 198 (2006).
The second legislative amendment, the USA PATRIOT Act Additional Reauthorizing Amendments Act of 2006, included additional changes to Section 215. For example, these amendments included a provision allowing a recipient of a Section 215 order to petition the FISA Court to modify or set aside the nondisclosure requirement after 1 year from the issuance of the order if certain findings are made. 15 Section 215, along with other provisions of the Patriot Act, originally was scheduled to sunset on December 31, 2005. The Reauthorization Act extended Section 215 for 4 years, until December 31, 2009.
Congress subsequently extended Section 215 to June 1, 2015. In June 2013, information about the NSA's bulk telephony metadata program was publicly disclosed by Edward Snowden. 16 These disclosures revealed, among other things, that the FISA Court had approved Section 215 orders authorizing the bulk collection of call detail records. The telephony metadata collected by the NSA included information from local and long-distance telephone calls, such as the originating and terminating telephone number and the date, time, and duration of each call. 17 The disclosures prompted widespread public discussion about the bulk telephony metadata program and the proper scope of government surveillance, and ultimately led Congress to end bulk collection by the government in the USA Freedom Act. 18 Amid public debate about the bulk telephony metadata program, the sunset provisions of the Reauthorization Act took effect at 12:01 a.m. on June 1, 2015, temporarily reverting the business records provision to the much more limited version in effect between 1998 and October 2001. 19 On June 2, 2015, President Obama signed the USA Freedom Act. While the USA Freedom Act did not substantively change the standard for obtaining business records linked to a particular person or identifier, it ended bulk collection under Section 215 by requiring that applications for business records include a "specific selection term," defined as "a term that specifically identifies a person, account, address, or personal device, or any other specific identifier." 50 U.S.C. §§ 1861(b)(2), (k)(4) (2015), as amended by USA Freedom Act of 2015, §§ 101, 103, 107. This provision became effective 180 days after the date of enactment, ending bulk collection by the government as of November 29, 2015. See USA Freedom Act of 2015, § 109.
14 As permitted by the Reauthorization Act, the FBI Director delegated approval authority for these records to the Deputy Director and the Executive Assistant Director for the FBI's National Security Branch.
15 See USA PATRIOT Act Additional Reauthorizing Amendments Act of 2006, Pub. L. No. 109-178, 120 Stat. 278, 280.
16 See Glenn Greenwald, NSA Collecting Phone Records of Millions of Verizon Customers Daily, The Guardian (Jun. 6, 2013).
17 As described in more detail below, metadata refers to dialing, routing, addressing, or signaling information associated with a communication, but does not include any information concerning the substance, purport, or meaning of the communications. As we described in our second and third reports, NSA [redacted] an archive and then ran "queries" against this archive to identify [redacted]. The telephone numbers used to query the archive were telephone numbers that met the "reasonable articulable suspicion" standard.
18 See generally Bart Forsyth, Banning Bulk: Passage of the USA FREEDOM Act and Ending Bulk Collection, 72 Wash. & Lee L. Rev. 1307, 1321-22, 1325, 1334 (Summer 2015).
19 See id.
To allow the government to continue to obtain call data, the USA Freedom Act created a new mechanism that allows the government to obtain call detail records from providers within two "hops" of the specific selection term on an ongoing basis for 180 days from the date of the FISA Court order. 20 Each application to obtain these records must include (a) a specific selection term to be used as the basis for the production of the call detail records, 50 U.S.C.
§ 1861(b)(2)(A); (b) a statement of facts showing that there are reasonable grounds to believe that the call detail records being sought are relevant to an authorized investigation and that there is a reasonable, articulable suspicion that the specific selection term is associated with a foreign power, or an agent of a foreign power, engaged in international terrorism or activities in preparation thereof, 50 U.S.C. § 1861(b)(2)(C)(i) and (ii); and (c) an enumeration of the minimization procedures adopted by the Attorney General that are applicable to the handling of call detail records obtained by the government in response to the requested order, 50 U.S.C. § 1861(b)(2)(D). 21 According to NSD, if the FISA Court finds that the application meets the statutory requirements, it will order the production of a first set of records (the "first hop") using the specific selection term, and a second set of records (the "second hop") using session-identifying information (such as originating or terminating telephone numbers) or telephone calling card numbers identified by the specific selection term. Session-identifying information and telephone calling card numbers may be identified in the first hop productions or from other information already in the government's possession. The FISA Court has concluded that FISA, as amended by the USA Freedom Act, does not require a showing of relevance for second hop records. To guard against overbroad collection, the USA Freedom Act requires "the prompt destruction of all call detail records" collected by the government not determined to be foreign intelligence information. See 50 U.S.C. §§ 1861(b)(2)(C), (c)(2)(F), as amended by USA Freedom Act of 2015, § 107. The USA Freedom Act also added a provision allowing the Attorney General to require the emergency production of business records when certain criteria are met, including applying relevant minimization procedures and obtaining a FISA Court order approving the production within 7 days of the emergency authorization. See 50 U.S.C. § 1861(i), as amended by USA Freedom Act of 2015, § 102. Finally, the USA Freedom Act extended the sunset date for Section 215 as amended until December 15, 2019. See USA Freedom Act of 2015, § 705(a).
20 The term "call detail record" means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call. It does not include the contents of any communication; the name, address, or financial information of a subscriber or customer; or cell site location or global positioning system (GPS) information. See 50 U.S.C. § 1861(k)(3). As a result, the FBI may not obtain identifying, financial, or location information on the basis of an individual being in first- or second-degree contact with the original person, account, address, or personal device, or other specific identifier used as a specific selection term.
21 The FISA Court orders permitted authorized personnel to search the [redacted] data collected under those orders when "based on the factual and practical considerations of everyday life on which reasonable and prudent persons act, there are facts giving rise to a reasonable, articulable suspicion that a particular known identifier is associated with" [redacted] foreign powers identified in the orders. We discuss the evolution of the RAS standard in our May 2015 report.
B.
The Process for Seeking Section 215 Orders
As we described in our previous Section 215 reports, the process to obtain and utilize a Section 215 order generally involves five phases: FBI field office initiation and review, FBI Headquarters review, NSD Office of Intelligence review, FISA Court review, and FBI service of the order. The process to obtain a Section 215 order generally begins when an FBI case agent prepares a business records request form, which requires the agent to provide, among other things, the following information: a brief summary of the investigation, a specific description of the items requested, an explanation of the manner in which the requested items are expected to provide relevant information, and the identity of the custodian or owner of the requested items. The request form must be approved by the agent's supervisor and the field office's Chief Division Counsel and Assistant Special Agent in Charge. The approval process is automated through the FBI's FISA Management System (FISAMS), which sends electronic notifications to each individual responsible for taking the next action in order to process the business records in the field office. After the approvals are completed in the field office, the FISAMS notifies the "substantive desk" (in the Counterterrorism, Counterintelligence, or Cyber Divisions) at FBI Headquarters. At FBI Headquarters, the business records request form is reviewed and approved by both the substantive desk and NSLB. Once FISAMS delivers the request to the substantive desk, it is assigned to an NSLB attorney who works with the case agent and other FBI personnel to obtain any additional information the NSLB attorney believes is necessary to support the request. The request package then is reviewed by NSLB supervisors and forwarded to NSD, where the request is assigned to an NSD attorney.
The NSD attorney works with the NSLB attorney and case agents to obtain any additional information necessary to include in the draft application and order. NSD uses an internally-created software program called "TurboFISA" that produces a template with standardized language for various types of business records applications. An NSD supervisor then reviews the draft application package. In most cases, the NSD attorney then sends the draft to the FBI for review, including having agents answer any questions regarding the application. The application is then finalized by NSD. The final application package is returned to the FBI for an accuracy review, and additional edits may be made based on the FBI's review of the final package. Upon completion of the final version of the application, signatures of the designated senior FBI personnel are obtained and an NSD attorney prepares the package for presentation to the FISA Court. Pursuant to Rule 9 of the FISA Court Rules of Procedure, NSD provides the FISA Court with a proposed application, an advance copy of the application commonly called a "read" copy, no later than 7 days before the government seeks to have the matter entertained by the FISA Court. The FISA Court, through a FISA Court legal advisor, may identify questions or concerns and request changes or additional information to the documents after reviewing the "read" copy. NSD and the FBI then address these questions or concerns and make any necessary revisions to the application and order prior to submitting a formal or final application and order for the Court's approval, or decide to withdraw the application before submission. The FISA Court will either sign the formal submission or request that NSD present the formal application package to the FISA Court at a scheduled hearing. If the FISA Court judge approves the formal application, the judge signs the order.
The order is then entered into FISAMS and served by the FBI field office nearest to the company or provider designated in the order. Among other things, the order sets forth the deadline for producing the items. The FBI can receive business records returns electronically or in hard copy. Hard copies of business records returns typically are sent directly to the case agent. Electronic records, particularly business records returns from certain Internet Service Providers, typically are sent to the FBI's Data Intercept Technology Unit (DITU). DITU then uploads the records into the Data Warehouse System (DWS), the FBI's primary repository for raw FISA-acquired material. Un-minimized business records returns are quarantined in a separate area of DWS that is accessible only to personnel involved in the case. When returns are uploaded, DWS automatically notifies the case agent, who must then review the records in a restricted area of DWS to determine whether the records are responsive to the FISA Court order. If so, DITU releases the records from the quarantined area into DWS, where they are available to FBI personnel with appropriate access. Once the information is in DWS, the case agent must assess its intelligence value. Only information that reasonably appears to be foreign intelligence information, necessary to understand foreign intelligence information or assess its importance, or evidence of a crime may be placed in other FBI electronic storage systems, such as the Automated Case System (ACS) and Sentinel, where the information will be more widely accessible to FBI personnel (discussed in more detail below). 22
22 ACS and its successor, Sentinel, are the FBI's case management systems.
C. Minimization Procedures
FISA requires the FBI to "minimize" U.S. person information it receives in response to business records orders. Under current procedures, this means that the FBI may retain and disseminate nonpublic U.S.
person information only if it reasonably appears to be foreign intelligence information, necessary to understand foreign intelligence information or assess its importance, or evidence of a crime, referred to as meeting the "FISA Standard." The FBI adopted interim minimization procedures for business records returns following the passage of the Reauthorization Act in March 2006, and revised procedures in 2013. 23 Two sets of minimization procedures thus governed business records orders issued between 2012 and 2014: Interim Procedures between January 1, 2012 and June 30, 2013, and Final Procedures after July 1, 2013. In this section we discuss these minimization procedures and describe the decision by FBI and NSD to implement the Final Procedures retroactively.
1. Interim Minimization Procedures
The Reauthorization Act mandated that the Department adopt minimization procedures to govern the retention and dissemination of nonpublic U.S. person information produced in response to a Section 215 order. One critical requirement was that the minimization procedures prohibit the dissemination of nonpublic U.S. person information, unless the identity of the U.S. person was foreign intelligence information, necessary to understand foreign intelligence information or assess its importance, or evidence of a crime (i.e., met the FISA Standard). The Department adopted Interim Procedures in September 2006. Rather than providing new procedures designed to comply with the requirements of the Reauthorization Act, the Interim Procedures incorporated six existing provisions from the Attorney General's Guidelines for FBI National Security Investigations and Foreign Intelligence Collection (NSI Guidelines):
• Part I.B.3., which prohibited the FBI from investigating or maintaining information on U.S. persons solely for the purpose of monitoring First Amendment activities or the lawful exercise of Constitutional or statutory rights.
• Part I.C.1., which defined "U.S.
person" to include U.S. citizens or lawful permanent residents, unincorporated associations substantially composed of individuals who are U.S. persons, and corporations incorporated in the United States.
• [redacted]
• Part VII.A.1., which required that the FBI retain investigative records in accordance with a plan approved by the National Archives and provided for NSD oversight of information obtained in the course of investigations.
• Part VII.B., which allowed the FBI to disseminate information within the Department, to the intelligence community and federal law enforcement agencies, to other federal, state, and local authorities, and to foreign authorities when the information related to the recipient's authorized responsibilities and dissemination was consistent with national security interests.
• Part VIII, which defined certain terms used in the NSI Guidelines, including "foreign intelligence" and "publicly available."
23 See 50 U.S.C. § 1861(g)(2).
The Interim Procedures stated that these provisions were to be construed to minimize retention and prohibit dissemination of nonpublic U.S. person information, and to prohibit the FBI from disseminating nonpublic U.S. person information that was not foreign intelligence information in a manner that identified a U.S. person, unless the person's identity was "necessary to understand foreign intelligence information or assess its importance" or evidence of a crime. However, the Interim Procedures did not define or explain what "necessary to understand foreign intelligence information or assess its importance" means, nor did they define or provide guidance on what constitutes U.S. person identifying information. In our March 2008 report, we found that the Interim Procedures did not meet the requirements of the Reauthorization Act because they failed to provide FBI agents with specific guidance regarding the retention and dissemination of nonpublic U.S. person information obtained under Section 215 authority.
We recommended that the FBI develop final minimization procedures that provided such guidance, require an initial review of records received in response to business records orders, and provide guidance on handling overproductions (i.e., material outside the scope of the Section 215 order). Although the FBI stated that it would replace the Interim Procedures with final minimization procedures that addressed the recommendations in the March 2008 report, it had not done so by spring 2009. As a result, in May 2009, a FISA Court judge requested that the FBI voluntarily apply additional minimization procedures to the productions of [redacted] related Section 215 orders. The Department agreed to implement these additional minimization procedures and filed reports with the FISA Court describing how the FBI had minimized U.S. person information. In June 2009, FISA Court judges began to issue Supplemental Orders with most Section 215 orders. These Supplemental Orders required the Department to submit a written report to the FISA Court describing the FBI's minimization of U.S. person information no later than 90 days after the production of materials, with sufficient detail to allow the FISA Court to assess the adequacy of the FBI's implementation of the Interim Procedures. Between January 1, 2012, and June 30, 2013, the FISA Court issued Supplemental Orders for [redacted] total business records orders. 24
2. Final Minimization Procedures
On March 7, 2013, the Attorney General adopted and the Department filed with the FISA Court final minimization procedures for material received in response to Section 215 orders. These Final Procedures became effective on July 1, 2013. The Final Procedures are designed to minimize the retention and prohibit the dissemination of "nonpublicly available information concerning unconsenting [U.S.] persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information."
The Final Procedures do not apply to publicly available U.S. person information, nor do they apply to acquiring, retaining, or disseminating U.S. person information with the person's consent. With the exception of provisions requiring an initial review of business records returns, and dictating the handling and retention of overproduced material and attorney-client communications, the Final Procedures do not apply to non-U.S. person information.
• [redacted]
• [redacted]
• [redacted]
24 Of the [redacted] orders for which the FISA Court did not issue Supplemental Orders, [redacted] were in counterintelligence investigations, [redacted] were in counterterrorism investigations, and [redacted] were in cyber investigations. [redacted] business records orders issued under the Interim Procedures or to restricted counterespionage investigations.
The Final Procedures also address the handling and retention of business records returns. An agent must conduct an initial review of returns to determine if the information received is within the scope of the order. If it is, the agent then must evaluate whether the information meets the FISA Standard (i.e., reasonably appears to be foreign intelligence information, necessary to understand foreign intelligence information or assess its importance, or evidence of a crime). Information that meets the FISA Standard may be included in official FBI case files; used for analysis; inserted in Electronic Communications (EC), intelligence information reports (IIR), or analytical products; uploaded into widely-accessible FBI databases; or disseminated to other sora encies in accordance with the Final Procedures.
25 Ad hoc databases are files and databases accessible only to FBI personnel who are to the investigation and authorized to review business records information.
In general, the Final Procedures prohibit the FBI from retaining, using, or disclosing material outside the scope of an order. 26 If an agent identifies an
overproduction, he must return it to the producing party or destroy it as soon as practicable, ensure that the information has not been uploaded into any widely-accessible FBI system, and inform NSD of the overproduction to facilitate notification of the FISA Court. The Final Procedures allow the FBI to disseminate information obtained business records orders to [redacted]. In general, the FBI must determine that nonpublic U.S. person information meets the FISA Standard before disseminating it [redacted]. Key dissemination provisions are summarized below:
• Where the foreign intelligence information relates to a foreign power or foreign territory and reasonably appears to be necessary to the national defense or foreign affairs of the United States [redacted]
• [redacted]
In accordance with this provision, NSD includes business records orders in the Minimization and Accuracy reviews it conducts in FBI field offices. During these reviews, NSD attorneys examine information produced in response to business records orders to identify overproductions, confirm that the information has been properly classified and marked in FBI systems as FISA-derived, evaluate compliance with minimization procedures, and assess retention and dissemination decisions. NSD attorneys also audit the searches conducted by FBI personnel in multiple FBI databases, including two databases that contain business records material, DWS and Data Integrated Visual System (DIVS), which operates as a search engine for a collection of other databases to which the FBI has access, to ensure that the queries comply with the minimization procedures. Between 2012 and 2014, NSD conducted 90 Minimization and Accuracy Reviews, including business records minimization reviews in every FBI field office.
29 As described in more detail below, metadata refers to dialing, routing, addressing, or signaling information associated with communications, such as e-mail addresses, telephone numbers, or IP addresses.
After the Final Procedures became effective, NSD began requiring its attorneys to conduct post-order briefings within 5 days of an order being signed. These briefings are designed to ensure that FBI personnel understand and comply with the requirements of the Final Procedures. NSD attorneys contact FBI personnel to review the Final Procedures, including the definitions of "U.S. person" and "foreign intelligence information," the requirement that agents conduct an initial review of returns before placing information in widely-accessible FBI systems, the proper handling of overproduced materials, and the standards for retaining and disseminating information. NSD attorneys told us that they typically conduct the briefings with case agents and cover the major requirements of the Final Procedures, the information requested by the order, and any special minimization or reporting requirements imposed by the FISA Court in a Supplemental Order. The first business records application referencing the Final Procedures was filed with the FISA Court on August 6, 2013. Once the Final Procedures were in place, the FISA Court ceased issuing Supplemental Orders requiring the Department to report on its handling of U.S. person information as a matter of standard practice. However, between August 9, 2013, and January 3, 2014, the FISA Court issued Supplemental Orders for [redacted] applications that requested e-mail transactional records from various service providers, requiring the Department to submit written reports stating whether the returns included the contents of any communications. An NSD Deputy Unit Chief told us that the FISA Court began requiring content reporting for business records orders directed at [redacted] and other communications providers following a series of overproductions of email subject lines.
He characterized Supplemental Orders as "relatively unusual" since resolution of the systemic overproductions, stating that they are only issued if the FISA Court has particular concern about the breadth or potential volume of the material requested. We describe these systemic errors in more detail in Section V.
3. Retroactive Application of the Final Procedures
When the government submitted the Final Procedures to the FISA Court in March 2013, the then-Assistant General of NSD stated in a letter to the Court that the FBI
• [redacted]
• [redacted]
• [redacted]
• [redacted]
The remaining provisions of the Final Procedures, including the retention and dissemination restrictions, apply retroactively.
D. Compliance Issues
The Rules of Procedure for the FISA Court require the Department to correct misstatements of material fact and to disclose non-compliance with an order to the FISA Court. Under Rule 13(b), the Department must notify the FISA Court in writing if it discovers that any authority or approval granted by the FISA Court has been implemented in a manner that did not comply with the Court's authorization or approval or with applicable law. Between 2012 and 2014, the Department filed Rule 13(b) notices informing the FISA Court of compliance incidents related to business records orders [redacted] that resulted in the overproduction of e-mail subject lines by [redacted], and [redacted] systemic errors in the FBI's DWS database that allowed FBI personnel unconnected with an investigation to access business records information before the case agent's initial review. We discuss these compliance incidents in more detail in Section V. Given the large number of business records orders issued between 2012 and 2014, we did not attempt to independently identify or describe all of the compliance incidents that occurred during our review period. The FBI also is required to report activities that may be unlawful or contrary to executive orders or directives to the IOB and Director of National Intelligence (DNI).
31 The subjects of these reports to the IOB are commonly referred to as "IOB violations." FBI policy requires employees to report potential IOB violations to NSLB within 30 days of discovery. Once an agent reports a potential IOB matter, NSLB reviews the facts to determine whether Executive Order 13462 and the Intelligence Oversight Reporting Criteria require the violation to be reported to the IOB and the DNI. Agents are required to report third-party overproductions to NSLB within 90 days of the date of discovery. 32 The FBI must then submit this information to the IOB in quarterly reports containing the following information:
1. [redacted]
2. [redacted]
3. [redacted]
Between 2012 and 2014, the FBI reported [redacted] violations related to business records orders to the IOB. Of these, [redacted] involved overcollections, [redacted] systemic overproductions of e-mail subject lines by [redacted]; [redacted] involved other issues, such as the production of materials outside the date range specified in a business records order; and [redacted] was the result of a typographical error in a business records order. NSLB also deemed [redacted] overcollections and [redacted] typographical error to be non-reportable.
31 See Exec. Order 12333 § 1.6(c), as amended; Exec. Order 13462 § 6(b), as amended; Criteria on Thresholds for Reporting Intelligence Oversight Matters (Sept. 8, 2010) ("Intelligence Oversight Reporting Criteria").
III. STATUS OF RECOMMENDATIONS
Previous OIG reports recommended changes to the minimization procedures used by the FBI.
Our second report, issued in March 2008, recognized that the FBI had adopted Interim Minimization Procedures but made the following three recommendations:
• The FBI should develop procedures for reviewing materials received from Section 215 orders to ensure that it has not received information that is not authorized by the FISA Court orders;
• The FBI should develop procedures for handling material that is produced in response to, but outside the scope of, a Section 215 order; and
• The FBI should develop final standard minimization procedures for business records that provide specific guidance for the retention and dissemination of U.S. person information.
Our third report, issued in May 2015, analyzed the FBI's compliance with these recommendations. We concluded that the FBI had resolved the first recommendation in adopting the Final Procedures, but that it nonetheless should clarify in policy guidance or training materials that the initial review requirements in the Final Procedures apply to metadata. We determined that the second recommendation was closed, as the Final Procedures include a provision for handling "overproduced" material. Finally, we concluded that the third recommendation was resolved by the Final Procedures, but that the FBI should consider using training materials or policy guidance to clarify several provisions regarding the retention and dissemination of U.S. person information. Below we describe the FBI's progress in implementing these recommendations.
A. Handling of Metadata Under the Final Procedures
As noted above, metadata refers to dialing, routing, addressing, or signaling information associated with a communication. In the context of wire or electronic communication transaction records, metadata may include e-mail addresses, telephone numbers, IP addresses, and similar information. Metadata does not include information concerning the substance, purport, or meaning of the communications.
1.
Initial Review of Metadata
In our second report, we recommended that the FBI develop procedures for reviewing materials received from Section 215 orders to ensure that it had not received information outside the scope of the FISA Court orders. In our third report, we observed that the FBI had adopted Final Procedures requiring that agents conduct an initial review of materials produced pursuant to a Section 215 order. We concluded that this provision requires case agents to review materials for overproduced material, but that it does not expressly subject metadata to the initial review requirement. We recommended that the FBI clarify that the initial review requirement applies to metadata. In the course of our current review, the FBI and NSD produced copies of internal policies and training materials that make clear that the initial review provision applies to all FISA business records materials, including metadata. The FBI Policy Implementation Guide for Business Records Standard Minimization Procedures (SMP PG) states, and emphasizes that agents must complete the initial review before uploading the information to any widely accessible FBI system. Training materials provided by the FBI also state [redacted]. Agents we interviewed told us that they had received multiple trainings on the Final Procedures and understood that the requirement to conduct initial reviews applies to all business records returns, including those involving e-mail transactional data or other metadata. In addition, as described above, NSD attorneys are required to conduct post-order briefings with the case agent within 5 days of a business records order being signed.
NSD's Post-Order Briefing Policy provides that the NSD attorneys must remind agents that they are required to conduct an initial review of FISA-acquired business records information to ensure that the production is generally responsive to the order, and that this initial review must take place before placing the information in any widely accessible FBI system. NSD attorneys told us that they make clear in these briefings that the initial review requirement applies to every business records production, including metadata. Accordingly, we consider this recommendation closed.

2. Other Provisions Relating to Metadata

In our third report, we identified two potential issues regarding application of these provisions that we believed required attention and oversight.

• We stated that NSD and the FBI should

In our current review, we assessed whether NSD and the FBI have addressed these issues. Training materials released in early 2016 state that

In 2012 and 2013, the FBI used business records orders to re ct on two occasions. 34 The first order requested

Given these steps, we believe that the FBI and NSD have sufficiently addressed the concerns we raised regarding other provisions related to metadata in our third report.

B. Retention and Dissemination of U.S. Person Information

In our second report, we recommended that the FBI develop final minimization procedures providing specific guidance on the retention and dissemination of U.S. person information. In our third report, we recognized that the FBI had resolved this recommendation by adopting Final Procedures providing such guidance, but stated that the FBI should consider clarifying two provisions in policy guidance or training materials: the definition of "necessary to understand foreign intelligence information" and the provision allowing . We briefly discuss each in turn below.

1. "Necessary to Understand Foreign Intelligence Information"

We recommended that the FBI define the term "necessary to understand foreign intelligence information" and provide actual examples of its application in the FBI training materials or policy guidance. Training materials produced and NSD address this issue. One presentation states that when training provided the following example of this analysis: and thus it meets however, it may be difficult to articulate why would be appropriate.

Based on this guidance, we believe the FBI has addressed our concerns.

2. Dissemination of Information Relating to Computer Intrusions or Attacks

We also recommended that the FBI provide further sion in the Final Procedures that allows the FBI We stated the FBI should consider clarifying that the material must meet the FISA Standard, as well as define the term "U.S. person identifying information" and provide actual examples of its application.

The FBI has made these clarifications. The SMP PG makes clear that agents must first analyze whether the information meets the FISA Standard stating

While the current version of the SMP PG does not further define or illustrate "U.S. person identifying information," an NSLB attorney told the OIG that the FBI is in the process of revising and consolidating its FISA policy guidance, and that the revised guidance will include a definition. In addition, materials used in trainings beginning in March 2016 define "U.S. person identifying information" and provide guidance on its application. Training slides and speaker's notes state that . The materials emphasize that determining whether information constitutes "U.S. person identifying information" requires a case-by-case assessment, and that agents should consult with NSLB if questions arise. As a result, we consider this recommendation closed.

IV.
OVERVIEW OF BUSINESS RECORDS ORDERS ISSUED FROM 2012 THROUGH 2014

In this section, we provide an overview of the characteristics of business records orders approved in calendar years 2012 through 2014. We describe the number of business records orders approved, the type of information requested, the number of FBI offices that used the authority, and the types of investigations in which business records orders were sought. We provide information about the number of business records orders in which U.S. persons were the subject of the underlying investigations.

Additionally, we examine the timeliness of the business records process. We analyze the length of time that elapsed between the initiation of a business records request and the signing of the business records order by the FISA Court.

A. The Overall Number of Business Records Orders

From 2012 to 2014, the FISA Court approved 561 business records orders. 36 This continued a dramatic increase in the use of business records authority compared to the number of orders that we have observed during our prior reviews. For example, the FISA Court approved 51 orders from 2007 through 2009, the 3-year time period that we reviewed in our 2015 report. Figure 1 illustrates the increase in number of approved business records orders by calendar year.

FIGURE 1
Total Number of Approved Business Records Orders, by Calendar Year, 2007-2015 37
[Bar chart; horizontal axis: Calendar Year, 2007 through 2015.]
Source: FBI.

36 After reviewing a draft of this report, NSD commented that references to the number of business records orders should be changed to the number of approved applications for business records orders. The OIG understands that some business records applications result in more than one order.
For example, the FISA Court may issue orders to four separate providers when approving a single application requesting ECTRs for four e-mail addresses. We also recognize that NSD reports the number of applications submitted to the FISA Court in its annual reports to Congress. Nonetheless, we decided to retain the references to the number of business records orders throughout this report as a matter of convenience.

37 This table includes the total number of dockets for 2013 (179). This number differs slightly from the number of approved applications for business records the Department reported to Congress for 2013 (178). The OIG recognizes that one submission in 2013 was a copy of the Final Procedures, which did not result in a FISA Court order. As described below, we excluded this docket from our numbers for purposes of statistical analysis.

As we describe in more detail in Section IV.C.I., a primary factor in the increase between 2010 and 2012 was the refusal of certain communications providers to produce transactional records for e-mail accounts (Electronic Communication Transaction Records, or ECTRs) in response to National Security Letters (NSL) beginning in late 2009. NSD and FBI personnel attributed the subsequent decline between 2013 and 2015 to several factors, including the stigma attached to the use of Section 215 authority following the Snowden revelations, increased use of Section 702 of the FISA Amendments Act, providers' resistance to business records orders, agents' frustrations with the lack of timeliness and level of oversight in the business records process, and agents' increasing use of criminal legal process instead of FISA authority in counterterrorism and cyber investigations.

In addition, between 2012 and 2014 there were . pending and . withdrawn applications for business records orders. 38 While we did not seek to ascertain the basis for each withdrawn request or application, we did review • that originated from the and questioned agents about .
of these. The reasons for the withdrawals varied, but many were withdrawn for administrative reasons, such as inadvertent initiation in FISAMS or a duplicate request, while others were withdrawn because the agents determined that the information was no longer necessary As a result, the number of applications withdrawn for substantive reasons is likely significantly lower.

We also reviewed • requests submitted to NSD but not filed with the FISA Court, and . draft applications submitted to the FISA Court as read copies but subsequently withdrawn. The requested information and targets in these applications varied substantially, and witnesses were unable to identify a common factor leading to their withdrawal. The withdrawn applications included several requests that were based on or statements advocating jihad that raised potential First Amendment 39 withdrawn application requested toll records

38 Pending applications include applications generated between 2012 and 2014 but not provided to NSD for further processing or submitted to the FISA Court for further approval.

39 In February 2013, the FISA Court issued a legal opinion that addressed the line between First Amendment-protected activity and information establishing predication for an international terrorism investigation. The nt's The Department reported and provided copies of this opinion to Congress in April 2013.

The agent ultimate roved in 2015. 40 which we discuss in more detail in Section V.

The FISA Court did not deny any business records applications between 2012 and 2014. When asked why applications withdrawn after submission of a read copy to the FISA Court were not reported to Congress, potentially creating the inadvertent impression that the FISA Court is a "rubber stamp," NSD supervisors told us that the Department includes only business records applications formally submitted to the FISA Court and denied or withdrawn, not those filed in "read copy" and subsequently withdrawn.
41 The NSD supervisors acknowledged that excluding applications withdrawn after the FISA Court indicates that it will not sign an order might lead to misunderstandings about the FISA Court's willingness to question applications, but the supervisors noted that NSD and the FISA Court have talked about the "read" process publicly to address concerns about this. 42 In comments provided to the OIG after reviewing a draft of this report, NSD stated that it is currently considering whether to revise the methodology for counting withdrawn applications.

In September 2013, the agent submitted a business records request for the information, but NSLB asked him to withdraw the request since the information that could be obtained with an NSL. The agent added a request for e-mail transactional data, and the request ultimately went forward as a business records application in early 2015. It received ap I from . An NSD n Chief lained tha the De

41 As described above, the FISA Court Rules of Procedure require the government to file a proposed application, or "read copy," with the FISA Court no later than 7 days before it seeks to have the application considered.

42 See, e.g., Letter from the Honorable Reggie B. Walton, Presiding Judge of the FISA Court, to Sen. Charles E. Grassley, Ranking Member of the Sen. Comm. on the Judiciary (Jul. 29, 2013) ("The annual statistics provided to Congress by the Attorney General pursuant to 50 U.S.C. §§ 1807 and 1862(b)-frequently cited to in press reports as a suggestion that the Court's approval rate of applications is over 99%-reflect only the number of final applications submitted to and acted on by the Court. These statistics do not reflect the fact that many applications are altered prior to final submission or even withheld from final submission entirely, often after an indication that a judge would not approve them."); Remarks of John Carlin, Acting Assistant (Cont'd.)

B.
Business Records Orders by FBI Field Office

The OIG analyzed the number of FBI field offices with approved business records orders in 2012 through 2014. We determined that • of the FBI's 56 field offices obtained business records orders during this period. 43 The following 3 field offices had the most approved business records orders during our review period:

Sixteen field offices each had between and business records orders approved between 2012 and 2014. The remaining 37 field offices each had fewer than . business records orders approved during our review period.

C. Analysis of Business Records Orders

We also analyzed various characteristics of the business records orders during our review period. Factors we considered included the type of information requested, the type of underlying investigation (e.g., counterterrorism, counterintelligence, or cyber), the status of the subject of the investigation (either a U.S. person or non-U.S. person), and the timeliness of the business records process.

To conduct this analysis, we excluded . of the 561 total business records orders in our dataset based upon the unique characteristics of those orders. of the excluded business records orders involved the bulk collection of information which we briefly address in Section V of this report. business records orders involved restricted counterespionage investigations and were handled outside of FISAMS. Finally, one order was an administrative document memorializing the Final Procedures. Therefore, the dataset in our analysis includes a total of - approved business records from 2012 through 2014. Figure 2 shows the number of business records orders included in our analysis, by calendar year.

Attorney General for National Security, at the American Bar Assoc. Homeland Security Law Institute (Jun. 20, 2013) ("That the [Foreign Intelligence Surveillance Court (FISC)] ultimately denies very few applications is simply a reflection of the unique nature of ex parte FISC proceedings . .
. . [T]he Department of Justice has 'an independent obligation to determine that every FISA application meets the statutory standard before we submit it' and treats that obligation with the utmost seriousness and care.").

43 The field offices submitted business records requests during our review period, but those requests were later withdrawn.

FIGURE 2
Total Number of Business Records Orders Included in Analysis, 2012-2014
Source: FBI.

1. Types of Investigations from which Business Records Orders Originated

First, we examined the types of investigations from which business records orders originated. The business records orders we reviewed originated from counterintelligence (CI), counterterrorism (CT), and cyber investigations. Figure 3 shows the numbers of business records orders approved in each type of investigation.

FIGURE 3
Types of Investigations from which Business Records Orders Originated, 2012-2014
Source: NSD and FBI.

We found that business records orders were used far more frequently in counterintelligence investigations than in counterterrorism or cyber investigations. Of the total orders we analyzed, • were obtained in counterintelligence investigations ( ), . in counterterrorism investigations ( - ), and investigations ( - ). Figure 4 shows that this gap increased during our review period, during which the usage of business records orders in counterintelligence investigations increased slightly, while the orders' usage decreased more substantially in both counterterrorism and cyber investigations.

FIGURE 4
Usage of Business Records Orders 2012-2014
Source: FBI.

When asked about this disparity, agents told us that business records orders frequently are the only option available in counterintelligence investigations given the nature and classification of the information involved.
By contrast, agents handling counterterrorism and cyber investigations can in some instances open a parallel criminal investigation and use the grand jury process to obtain the same information more quickly and with less oversight than a business records order. As described in more detail below, agents told the OIG that the business records process frequently takes several months, versus several weeks to obtain a grand jury subpoena. This was particularly true in , during the reporting period, as discussed below.

2. Subjects of Business Records Orders

We also analyzed approved business records orders to determine the number of orders that had U.S. persons and non-U.S. persons as subjects of the underlying investigations. We found that U.S. persons were listed as subjects in • orders, while non-U.S. persons were listed as subjects in . orders. orders identified both a U.S. person and a non-U.S. person as subjects of the underlying investigations.

3. Types of Records Requested in Approved Business Records Orders Filed on Behalf of the FBI

Next, we examined our dataset for the types of business records requested during our review period. Figure 5 shows the types of records requested, as well as the number of orders requesting each type of record.

FIGURE 5
Types of Records Requested in Business Records Orders, 2012 through 2014

We found that . different types of records were requested during our review period. Transactional records for e-mail accounts were the most common type of records requested, accounting for . of the non-bulk business records orders we reviewed ( - records). 48 The . business records orders requesting ECTRs between 2012 and 2014 are a dramatic increase from - approved orders requesting ECTRs in the OIG's previous review period, which constituted only - - of the approved non-bulk orders between 2007 and 2009.

We found that the increase in business records orders for ECTRs was primarily due to a significant change in the use of NSLs.
In late 2009, Internet providers began refusing to provide transactional information for e-mail . accounts in response to an NSL, requiring the FBI to use business records orders to obtain the same information. 49 Consequently, the number of business records orders went up "exponentially."

Interviews with FBI and Department personnel supported this conclusion. One NSLB attorney described business records orders as a used to obtain transactional records that were previously obtained through NSLs. Several agents told us that a business records order was their only option once providers refused to accept NSLs for transactional information. Many agents expressed frustration at having to utilize the business records process instead of NSLs, because an NSL requires only field office approval and takes a few weeks to obtain rather than the several months that can be required for a business records order.

However, the number of non-ECTR business records orders also increased significantly compared to the previous review period. There were . business records orders for non-ECTR information during our current review period, as opposed to . between 2007 and 2009. We asked FBI and NSD personnel about the reasons for the increase in non-ECTR business records orders. Some witnesses attributed the increase to agents' growing awareness of and comfort

48 Business records orders requested e-mail account information and

49 As described in the OIG's August 2014 report on the FBI's Use of National Security Letters, Internet providers began refusing to produce ECTRs in response to NSLs around November 2009. The FBI historically had relied on Section 2709(b) of the Electronic Communications Privacy Act (ECPA) for authority to obtain ECTRs using NSLs.
In November 2008, however, the Department's Office of Legal Counsel (OLC) issued an opinion interpreting Section 2709(b) as authorizing communications providers to produce four exclusive categories of information in response to an NSL: subscriber name, address, length of service, and local and long distance toll billing records. Although the OLC opinion did not specifically focus on ECTRs, one Internet provider argued that Section 2709(b) did not give the FBI autho to ail an N and several other ers followed suit transactional records usi

with the business records process, while others were unable to provide an explanation for it. An NSD Deputy Unit Chief noted that the number of business records orders reached its peak in 2012 and has declined annually since then, and that the number of ECTR requests has declined more than other types of requests. The Deputy Unit Chief said that the Snowden revelations have played a role in this decline, both in terms of the stigma attached to use of Section 215 and increased resistance from providers. The Deputy Unit Chief stated, "I think that it's possible that folks ... have decided it's not worth pursuing [business records orders], you know, obviously things haven't been great with providers since Snowden either."

In comments provided to the OIG after reviewing a draft of this report, NSD stated that the degree to which the Snowden disclosures affected the number of business records applications was speculative, and attributed the FBI's increasing use of taskings under Section 702 as likely a "notable cause" in the decrease in business records requests. NSD stated that during the relevant period (and continuing today) it suggested that FBI withdraw business records requests for accounts used by non-U.S. persons located overseas that can instead be tasked under Section 702. 50

4.
Timeliness of the Business Records Process

Lastly, we examined the median length of time it took for business records orders to move through the approval process, including the overall length of time from initiation of a FISAMS request to FISA Court approval and the amount of time spent in each phase of the business records process. As we describe in more detail below, we did not identify a particular phase of the business records approval process that was responsible for delays. 51

Our review also evaluated whether particular characteristics of business records orders affected the time it took for a business records order to move

50 Section 702 of the FISA Amendments Act allows the government to acquire foreign intelligence by targeting non-U.S. persons reasonably believed to be outside the United States. Under Section 702, the government is not required to obtain individual surveillance orders from the FISA Court. Instead, the FISA Court approves targeting procedures to ensure that the government targets only non-U.S. persons reasonably believed to be outside the United States, and minimization procedures to guard against the inadvertent collection, retention, and dissemination of U.S. person information.

51 In comments provided to the OIG after reviewing a draft of this report, NSD highlighted the importance of the expedite process for business records applications. NSD stated that it had worked closely with FBI over the years to establish an expedite process through which FBI management can request that a FISA request, including a business records request, be processed immediately. According to NSD, this has resulted in some applications being processed in a single day. We agree that the expedite process is an important procedure that allows NSD and FBI to move applications quickly when operationally necessary.
However, given the infrequency with which the expedite process is used for business records requests, we do not believe it impacts our overall analysis of the timeliness of the business records process. As noted below in footnote 54, only business records requests we examined followed an expedited or amended approval process.

through the approval process. To do this, we first examined the median amount of time it took for a business records order to be approved from the time the request was initiated in FISAMS, to the time the order was sent to the FISA Court for approval. We then aggregated the business records orders by the following characteristics: type of records requested, type of underlying investigation, whether the subject of the investigation was a U.S. person, and by originating field office. We compared the aggregated median number of days for each of these characteristics to determine whether any orders sharing a similar characteristic took longer to be approved. Based on this analysis, we concluded that these factors had no appreciable effect on timeliness.

a. Overall Length of Time for Business Records Orders Approval, 2012-2014

First, we examined the overall length of time it took for business records orders to go from initiation in the Foreign Intelligence Surveillance Act Management System (FISAMS) to approval by the FISA Court. 52 We found that it took a median of 115 days (almost 4 months) for a business records order to move through the approval process during our review period. 53 - of the business records orders ( orders) were processed in 4 months or less during our review period. 54 Figure 6 illustrates the amount of time business records took to move through the business records orders approval process.
52 As discussed in Section II.B, the process to obtain a Section 215 order generally involves FBI field office initiation and review, FBI Headquarters review by NSLB and the Counterterrorism or Counterintelligence substantive desk, NSD review, and review and approval by the FISC.

53 A median was used instead of an average in this case because the datasets had several number outliers artificially inflating the average.

54 For purposes of our timeliness analysis, we excluded records in our dataset because those records followed expedited or amended approval processes. Because these investigations were not entered into FISAMS, we do not have information as to how long they took to process.

FIGURE 6
Business Records Orders Approval Time, 2012-2014
Source: FBI.

b. Length of Time in Each Phase of the Approval Process, 2012-2014

We also examined the length of time business records orders spent in each phase of the approval process (field office, NSLB, NSD, and final approval) during our review period. We found that business records orders spent the least amount of time in the field office phase of the approval process - a median of 16 days. 55 Despite testimony from witnesses attributing delays in the process to various bottlenecks at FBI Headquarters, in NSD, or in obtaining final signatures, we were unable to identify a particular phase of the process that was responsible for delays. Orders spent a median of 40 days with NSLB and a median of 33 days in the NSD phase of the approval process. 56 We found that the FBI took a median of 2 weeks to obtain final approval signatures from NSLB and the FBI Deputy General Counsel.

55 As described above, the field office phase of the approval process usually includes the initiation of a business records request by the case agent in FISAMS, and approval from the following supervisors: Supervisory Special Agent, Chief Division Counsel, and the Assistant Special Agent in Charge.
56 In comments provided to the OIG after reviewing a draft of this report, NSD noted that a substantial amount of the time between NSD's receipt of a business records request and the finalization of the application involves a back and forth with FBI personnel who review the draft and provide answers to questions from NSD.

As described above, FISA Court rules provide for submission of a "read" copy no later than 7 days before the government seeks to have the matter entertained by the Court. Our analysis included the time that applications and proposed orders were with the FISA Court to provide the most accurate measurement of the time needed for the FBI to obtain business records orders. While we do not have complete data regarding the FISA Court's processing of business records applications, we were informed that "read" copies generally are provided the week before, and the orders signed within a day or two of submission of the final application. No witnesses cited delays with the FISA Court as an issue.

c. Overall Timeliness

In interviews with the OIG, agents expressed concern with the timeliness of the business records orders approval process. Many agents we interviewed told us that the process for obtaining a business records order was lengthy, citing the amount of detail required, the multiple layers of approval, and the need to work with attorneys to draft the application. Various agents told the OIG that the process was a deterrent to seeking another business records order. One counterterrorism agent stated, "To be candid with you, I don't think I ever will [seek another business records order]." He explained that he could be "waiting for months" before the order is approved and served, and that "once a case is over, it's not really over," because he has to go through internal FBI inspections, as well as possible inspections from other entities, including the OIG.
By contrast, where there is a parallel criminal case, he can consult with the Assistant United States Attorney (AUSA) to confirm that there is enough information to obtain a grand jury subpoena, and receive the records much more quickly.

Agents expressed particular concerns about the impact of these delays in cyber cases. One agent said that the 2 to 3 months it took to obtain his business records order was "ridiculous." He explained that information moves quickly in the cyber realm, stating:

He told the OIG that it has been common practice to use the FISA process and NSLs in cyber cases, but that given providers' resistance to NSLs and delays in obtaining FISA orders, some cyber squads have begun opening parallel criminal cases on foreign actors and finding ways to develop probable cause to obtain criminal legal process, allowing them to get data more quickly and with less oversight. These views are consistent with the

NSD and NSLB personnel we interviewed were aware of agents' frustrations and said that their divisions have taken steps to improve the business records process. While several NSD witnesses said that the volume of requests did not significantly impact their processing of business records orders, one NSD attorney acknowledged to us that there had been delays in the process "because things get backed up." An NSD Deputy Unit Chief told the OIG that NSD has implemented "TurboFISA" to provide standardized language and streamline the drafting process for business records requests. NSD also places business records applications on a 14-day schedule, requiring attorneys to attend a meeting with supervisors to explain the reasons for any delays.

An NSLB attorney told the OIG that he was "embarrassed" at how long the business records process takes, stating, "We are asking for less [than a full FISA], and it's taking twice as long."
He told the OIG that, although NSLB does not measure the timeliness of the business records process, he thought that NSLB has streamlined the way it handles ECTR requests. Another NSLB attorney told the OIG that he thought ECTRs were being drafted and received by the FISA Court in a much more expeditious manner than other types of requests because they were so common. As described above, we examined whether the type of records requested affected the timeliness of the process and identified no difference between ECTR and non-ECTR applications. We also did not see improvements in the timeliness of ECTR requests over the 3riod: or analyze 2015 data.

Based on agents' concerns about timeliness, we recommend in Section VI that the FBI and the Department continue to pursue ways to make the business records process more efficient, particularly for applications related to cyber cases.

V. SELECTED SECTION 215 ORDERS OBTAINED BETWEEN 2012 AND 2014

In this section we describe selected Section 215 applications and orders obtained by the FBI between 2012 and 2014. We chose these matters to illustrate various uses of Section 215 authority. For each selected use, we summarize the underlying investigation and describe the material requested and any notable issues regarding the application and order. We then describe, where applicable, the material produced in response to the order, how it was used, and any compliance incidents.

In addition, in this section we discuss three compliance incidents that affected numerous business records orders during our review period. These ~ductions of full and partial~es ~ntent) by , the production of e-mail by , and the FBI's release of un-minimized data from quarantined areas of DWS before agents conducted their initial review. Finally, we provide a brief overview -following passage of the USA Freedom Act.

A. Selected Uses of Section 215 Authority

1. Business Records Orders in . .
Related FBI Counterterrorism Investigations

In 2012 and 2013, an FBI agent obtained. business records orders and submitted one application that was withdrawn after submission to NSLB. These were obtained i related counterterrorism investigations -· the FBI opened a full investigation . The agent stated that the FBI was concerned that these individuals wittingly or unwittingly may have been tied to a foreign power, so they initiated preliminary investigations on each of them. 57

. . of the business records orders obtained in these cases were for electronic communication transactional records, while the other business records orders and the withdrawn application were for Below we describe these orders and the withdrawn application, the handling of the information received in response to the approved orders, how the information was used to further the investigation, and any compliance incidents.

57 Under the FBI's Domestic Investigation and Operations Guide (DIOG), there are two levels of predicated national security investigations: a preliminary investigation, which requires information or an allegation of a possible threat to national security, and a full investigation, which requires an articulable factual basis of a possible threat to national security.

a. . . Requests for Electronic Communications Transactional Records from (Section 215 Orders Issued December 2012)

Between April and August 2012, the agent initiated. business records requests for electronic communications transactional records from The requests sought transactional data for in an effort to gather information about these individuals and determine whether they had been in contact with a foreign power. NSLB approved the requests in October 2012, and the FISA Court issued- separate orders in December 2012.

Each of these orders requested "[a]ll tangible things, but not the 'contents' of any communications as defined by 18 U.S.C.
§ 2510(8), e.g., electronic mail or subject line, associated with the [targeted account] ... from the inception of the targeted account to the date of production." In standardized language used in every request for e-mail transactional records, the orders listed the following items as examples of "tangible things" being sought for the identified e-mail addresses:

• • • • • • • • • • • •

For - of the orders, the FISA Court issued standard Supplemental Orders requiring submission of written reports describing the FBI's implementation of the Interim Procedures to U.S. person information received from the providers. For~ order, which included a request for transactional data from ~ FISA Court issued a Supplemental Order requiring the Department to report on its minimization of U.S. person information, and on whether the records received from the providers included the "content" of any communications. NSD and the FBI filed the required Supplemental Reports.

For each of these orders format. The records included DITU received the records from the providers and uploaded them into DWS, where they were stored as unpublished products. The records were viewable only to relevant FBI personnel until the agent or co-case agent completed his initial review, minimized nonpublic U.S. person information, and "published" the information. Except as described below, the agent or his co-case agent reviewed the records and determined that they were within the scope of the orders.

in general they returned no information indicating connections to or support for a foreign terrorist organization. The SOS documented these analyses in ECs widely available to FBI personnel through Sentinel.

coordinating with local law enforcement, obtaining NSLs for financial and e-mail subscriber data, and conducting searches of FBI and other government databases.
The agent explained that a number of providers recently had stopped providing e-mail transactional records in response to NSLs, and that a business records order was the only available tool given the classification of the derogatory information in his cases. The agent stated that the business records process took considerably longer than an NSL. Nonetheless, he said that the information he obtained was

58 . . . Automated Case System (ACS) and its successor, Sentinel, are the FBI's case management systems. As described above, DIVS operates as a search engine for a collection of FBI and non-FBI databases to which the FBI has access.

There were compliance incidents related to two of these business records for an e-mail orders. The first order sought transactional records from address used Although the co-case agent reviewed the records in reduction DITU later determined that some of and were part of a systemic overproduction of content by As described in more detail below, DITU purged overproduced records from DWS, and the overproductions were reported to the FISA Court and to the IOB in 2013 and 2014 as part of a larger report about systemic overproductions.

The order requested transactional records from e-mail addresses used by another associate, In response to this order, produced electronic format which the FBI uploaded into DWS on the FBI uploaded information for and Three days later, on the FBI uploaded an additional records, which primarily were e-mail header information. The agent and co-case agent reviewed the returns and determined that the records were within the scope of the FISA Court order and did not include content.
However, the agent and co-case agent mistakenly attributed the second batch of - records to The co-case agent documented these as separate returns from in the case file, and the F~tly closed the preliminary investig this individual on - - - · The FBI also disclosed these as returns to the FISA Court in a Supplemental Report filed on

- - - - - did not complete its production of responsive records until ~most 6 months after the i on was closed. produced approximately records consisting of which were uploaded electronically into DWS. Upon initial receipt of the records from -, DITU identified full or partial e-mail subject lines in the production, sent the entire production back to -, deleted the materials from its systems, and asked for the information to be produced without the subject lines. subsequently re-produced the records, which were then uploaded into DWS.

The agent told the OIG that he did not learn about the production until several months later, when he logged on to DWS and noticed that he had the returns for review. According to e-mails dated agent subsequently contacted attorneys in NSLB and NSD, who helped him determine that the records were within the date range in the order and thus were not an overproduction, even though the investigation had been closed for several months. During this process, however the original misattribution of records to - was discovered, and on the FBI and NSD filed a notice of material misstatement with the FISA Court under Rule 13(a). The report correctly described the returns and stated that the FBI had deleted the - records without reviewing them. The agent told the OIG that he was satisfied that they had mitigated the threat even without the records based on the other information developed in the investigation.

NSD reviewed these business records orders in its 2014 Minimization and Accuracy Review of the field office.
During this review, NSD examined the information produced in response to the orders to evaluate compliance with the applicable minimization procedures and identify overproductions. NSD identified no additional errors.

b. (Section 215 Orders Issued February 2013)

The agent explained that he wanted to obtain as much contact information as possible for these individuals and that a business records order was necessary because He stated that he planned to use the e-mail addresses and telephone numbers he obtained to search FBI and other databases to see if any connections to a foreign power emerged.

Both applications were approved by the FISA Court on Because the orders were governed by the Interim Procedures, the FISA Court issued its standard Supplemental Order requiring submission of a written report describing the FBI's minimization of U.S. person information. The FBI served these orders on

59 A - request sought records for request after submitting it to NSLB because exist.

60 NSD reported these. business records orders in the Attorney General's 2013 Annual Report to Congress on the use of the business records provision.

Two weeks later, on responsive documents directly to the agen~ecords contained telephone numbers and e-mail addresses~· According to the Supplemental Reports filed with the FISA Court, the agent reviewed the hard copy documents and determined that the information related exclusively to the targeted individuals. The agent then had an SOS analyze the information by using the identifiers to conduct database checks and create a telephone link chart, which were documented in ECs and uploaded into Sentinel. The agent also uploaded scanned documents of the original returns into the case file in Sentinel. NSD reviewed the returns for these business records orders in its 2014 Minimization and Accuracy Review and identified no errors.
Based on this and other information, the FBI found no nexus to terrorism and closed the preliminary investigations in - · The FBI closed the full i to the closi Although he had had contact with a person who was associated with the foreign terrorist organization, there was no evidence that he supported or was a member of the organization himself. The FBI also determined As a result, the FBI concluded posed no threat to national security warranting further investigation.

2. Multiple Business Records Orders in an FBI Counterintelligence Investigation

Between 2012 and 2014, an FBI agent obtained. business records orders and submitted. business records application that was withdrawn after submission of a "read copy" to the FISA Court. The business records In a related c records order for information about

Below we describe the business records orders and the withdrawn application, the FBI's handling of the information received in response to the approved orders, how the information was used to further the investigation, and any compliance incidents that occurred in connection with these matters.

a. Request for (Section 215 Order Issued February 2012)

er it had been used to access She said that there was no other authority available to obtain this data given the classification and sensitivity of the case.

The business records request was submitted to NSD in early . ., and subsequently was approved by the FISA Court on Because the order pre-dated the Final Procedures, the FISA Court issued a Supplemental Order requiring submission of a written report describing the FBI's minimization of U.S. person information received in response to the order.

The agent placed the information in the FBI's official case file, which is maintained in a secure area of the FBI field office and restricted to personnel involved in the case, and did not upload it into the FBI's electronic case management database.
The OIG reviewed the records and confirmed that they did not include any identifying or account information.

b. Request for (Section 215 Order Issued February 2012)

The business records request was sent to NSD in and the FISA Court signed the order on The FISA Court again issued a Supplemental Order requiring submission of a written report describing the FBI's minimization of U.S. person information received~ order. ----·

The FBI served the FISA Court order on The case agent reviewed the materials and determined that they were within the scope of the order and contained only information relating to the subject. We reviewed the documents received in response to this business records order and confirmed that they contained only the subject's information. The information remained in hard copy, and was not uploaded into the FBI's electronic case management database or disseminated.

c. Request for (Section 215 Order Issued March 2012)

the agent initiated a business records request for the information. The draft request sought various his e-mail address

The order was approved by the FISA Court on The FISA Court issued its standard Supplemental Order requiring submission of a written report describing the FBI's minimization of U.S. person information received in response to the order.

According to the Supplemental Report submitted to the FISA Court 64 the FBI served the order In for reasons discussed below. and were not uploaded to the FBI's electronic case management database or otherwise disseminated.

h the FBI ultimately obtained the OIG asked

64 The Supplemental Report for this order and the 2012 orders • • • were not filed until early 2015. According to contemporaneous emails, these Supplemental Reports "got lost in [NSD's] administrative shuffle when the matters were handed off between attorneys," and the delay was not the agent's fault. The NSD attorney who filed the Supplemental Reports in 2015 explained the reason for the delay in his cover letters to the FISA Court.

metadata obtained with a business records order can include In addition, our review of revealed that -information included This information was within the sc~h authorized the production of all records associated with ~·

As described in more detail below in connection with the discussion of the FBI's dispute the FBI and NSD believe that Section 215 authorizes the government to using business records orde but nonetheless

d. Request for (Section 215 Order Issued November 2012)

The FISA Court approved the Section 215 order on and issued a standard Supplemental Order requiring reporting on the minimization of nsive U.S. person information.

The FBI served the FISA Court order on and the recipient company produced responsive records on The agent then reviewed the records of the order. The agent told us and determined that . The agent retained the records in hard copy in the FBI's restricted case file.

The agent told us went through minimization training to directly view the minimized data. The FBI disclosed this dissemination to the FISA Court in a Supplemental Report filed on - -·

e. (Section 215 Order Issued January 2013)

the FBI opened a spin-off investi Based on information

The FISA Court approved the application on and issued its standard Supplemental Order requiring reporting on the amount of U.S. person information received and how it was retained and disseminated.

The FBI served the business records orders on - fell within the scope of the order, but that did not because they either preceded the start date of the order or related to different names than the 66 The FBI purged the. overproduced records and retained the remaining records in its physical investigative file. The produced all of which fell within the scope of the order and were retained in the FBI's physical investigative file. The FBI did not disseminate or upload the records into its databases.

f.
Request for E-mail Transactional Records (Section 215 Order Issued December 2013)

The FISA Court approved the application on and issued a Supplemental Order requiring the government to file a report stating whether the items received include the contents~ communication.

The FBI served the order on on produced responsive records the following day. According to the Supplemental Report filed with the FISA Court, - produced ---, which were uploaded and stored in a restricted area of the FBI's DWS. The Supplemental Report stated The agent told the OIG that she marked the records in DWS by whether they met the FISA Standard, and did not release them to the FBI's case management database. The OIG reviewed the records and confirmed that they were visible only to the agent.

g. Request for Additional Records (Section 215 Order Issued June 2014)

In - , the a transactional records fro nt initiated another business records re Rather than ide cific was unable - · She said that there were no overproductions in the returns. The OIG reviewed the - production and confirmed that it was stored in the restricted case file.

h. - Withdrawn Request for

In early NSD subsequently finalized the business records application. The final draft request sought "all tangible things" related to the subject In the final

According to the application, Congress had ratified this interpretation of the business records provision in its 2011 reauthorization. The final application also included the same supplemental minimization that these were used in the procedures as the initial draft not The EAD si FISA Court in

NSD subsequently withdrew the business records request.

3.
Issued May 2012)

The request sought the following information:

• •

68 The FISA Court may authorize a physical search finding that there is probable cause to believe that "the target of the physical search is a foreign power or an agent of a foreign power, except that no United States person may be considered an agent of a foreign power solely upon the basis of activities protected by the first amendment to the Constitution of the United States," and that "the premises or property to be searched is or is about to be owned, used, or possessed by, or is in transit to or from an agent of a foreign power or a foreign power." 50 U.S.C. § 1824(a)(2)(A), (B).

The FISA Court approved the order on standard Supplemental Order under the Interim Supplemental Report filed with the FISA Court stored the raw data on a computer system members. The agent reviewed the records, minimized the U.S. person information, summarized his analysis in an EC, and uploaded the EC into the FBI's case management system.

was ve The agent told the OIG to his investigation and · However, he expressed concern about how long the business records process took approximately 106 days from initiation to order in this instance . ~ant but uld be the maximum amount of time

4. Requests for (Section 215 Orders Issued 2011, 2012, and November 2014)

In late 2011 and early 2012, the FISA Court a records orders authorizing the production of

Instead, the Department and to negotiate a compromise over the production of . These negotiations occurred sporadically for nearly three years. Durin~om early . . through late . ., all business records requests to - - those not involving a request for were placed on hold and no new orders were served

Eventually, in late . ., the FBI decided to exclude from all business records requests. FBI Section Chi t the FBI made this decision because business records requests very infrequent and the FBI concluded that the issue did not warrant further litigation in the FISA Court.
Following this decision, all business records orders we reviewed contained the following limitation:

an FBI case agent initiated a business records request in a counterintelligence investigation unrelated to the business records orders referenced above. This request would become the first business records order issued The subject in the ,...,,·''-~"' tion The case agent stated that she initially intended to use an NSL to obtain the records, but was informed by others in her office that a business records order would be necessary to get the information she sought.

The business records request was submitted to NSD on and was subsequently approved by the FISA Court on As requested by the government the FISA Court's o lan described above

The case agent told the OIG that she became aware~ request process that she would not be able to obtain information on - - · The case agent stated that this information could have ntial aided her investigation if, for example, it showed the subject Nonetheless, the case agent stated that the inability to get these records did not have an effect on the investigation.

The FBI served the FISA Court order The FBI received a . The case agent conducted an initial review of the records and, after determining that they were within the scope of the order and contained only information relating to the subject, requested that the records be uploaded into DWS. 72 We reviewed the records received in response to the business records order and confirmed that they contained only the subject's information. Additionally, we found that agent and ri'> .. using the were not of investigative value. No analytical pro records obtained. The investigation was closed in after the subject departed the United States.

5. Request for (Section 215 Orders Issued October 2013)

The business records request was submitted to NSD on and was subsequently approved by the FISA Court on Court ordered

The case agent described the business records process to be uneventful in this case.
He stated that he answered a few factual questions for the NSD attorney assigned to the business records application, but that no concerns or problems were identified with the application. The case agent described the overall business records process positively, but noted that the amount of time it takes to obtain a business records order was "frustrating" and can slow down an investigation.

The FBI served the FISA Court orders on the FBI with records responsive the business records order and responsive records on We describe this compliance issue in more detail below.

. . . The case agent conducted an initial review of the records and determined that the records were responsive and contained no overproduced information. Around this time, in the FBI decided to transfer of this case from the - - · The case agent told the OIG that this decision was based on resource considerations. Due to this,~arded the business records to the new case agent in FBI's - - - - ·

The new case agent told the OIG that the FBI reached out to an individual identified in the business records and According to ~ment The new case agent stated that the FBI would not have identified if not for these business records. Because of that, the agent described the business records request as "one of the key steps" in the ongoing investigation.

6. Multiple Business Records Orders in an FBI Counterintelligence Investigation

In 2013 and 2014, FBI agents obtained counterintelligence investigation involving The subjects of the investi Below we business records orders obtained in this investigation.

a. Request for (Section 215 Order Issued August 2013)

t initiated a business records Fi the

The business records request was submitted to NSD on was subsequently approved by the FISA Court on ordered the requested records for the period from inception of service to the date of production of the records.
The FBI served the FISA Court order FBI received FBI agents assigned to the investigation conducted an initial review of the records and determined that they were responsive to the request. The FBI who requested the records told the OIG that the records confirmed

b. Requests for (Section 215 Orders Issued August 2013 and March 2014)

-· determined that

The business records request was submitted to NSD on and was subsequently approved by the FISA Court on Court ordered

The FBI attempted informed the FBI the order and refused to accept service of the order. As a result, no records were obtained in response to this order and, as we discuss below, the FBI obtained a new order for these records. 73

On the FBI case agent initiated a second business records request for these records. In addition to the records requested the second request

73 NSD told us that

The business records request was submitted to NSD on and was subsequently approved by the FISA Court on Court's order again contained language produce

The FBI served the order received with the responsive records on The case agent told us that she conducted an initial review of the materials upon receipt and found the records responsive to the request. The case agent also told us the records were useful to the investigation and that some of the records were disseminated The case file indicated The the case agent told the OIG •

B. Compliance Incidents

The OIG reviewed three compliance incidents that affected numerous business records orders between 2012 and 2014. The first involved the production of full and partial e-mail subject lines by two providers, which the OIG determined affected business records orders. duced NSD and FBI witnesses told the OIG that the vast majority of compliance incidents relating to business records orders between 2012 and 2014 were the result of overproductions by providers. A third compliance incident was the result of a technical database rather than provider error.
In March 2015 the FBI We describe each of these compliance incidents below.

1. - Full and Partial Subject Lines from

On November 16, 2012, DITU notified NSD that it had discovered that - had overproduced full or partial subject lines in response to . business records orders requesting e-mail transactional records. Upon discovery of the overproduction, the FBI contacted and stopped serving business records orders on it. NSD filed a preliminary notice with the FISA Court on November 21, 2012, disclosing the - overproduction and stating that the FBI was investigating the issue further. On December 19, 2012, - advised the FBI that it had identified the cause of the overproduction and rectified the error, and the FBI then resumed serving business records orders on - ·

However, DITU's review of subsequent productions revealed that continued to produce full and partial subject line information in response to business records orders after December 2012. DITU determined that the ~duction was caused by a mistake in - production logic, and that -- earlier fix was flawed. DITU then sequestered all business records productions from - so that they were available only to limited technical personnel. When DITU discovered overproduced information, it purged the entire production prior to uploading and requested that the provider reproduce it without the subject line information.

By April 6, 2013, - represented that it had corrected its production methodology to include only authorized e-mail fields. Nonetheless, DITU continued to manually review business records productions and discovered additional full or partial subject lines in July, August, and October 2013. According to a Rule 13(b) notice filed with the FISA Court on December 26, 2013, DITU did not identify additional overproductions by - after November 8, 201~ stopped manually reviewing business records productions from - on November 18, 2013.
While investigating systemic overproduction of subject lines, DITU identified similar overproductions by - · DITU followed the same procedures as it had with -, sequestering and purging the productions to ensure that no information had been transferred to other FBI systems. DITU continued to review all returns until November 12, 2013, when it determined that corrected the problem. In July 2015, however, NSD reported that had overproduced subject line information in response to two business records orders issued in 2014. A subsequent FBI investigation concluded that these overproductions were an isolated issue and not a systemic problem. The OIG did not identify additional overproductions by - - in 2014.

Although NSLB concluded that DITU followed proper procedures by sequestering the overproductions and did not compound the errors by uploading the materials into FBI databases, the FBI reported these as IOB violations based on the systemic nature of the technical problems by the providers and the large number of FISA Court dockets affected. The Department also reported the systemic overproductions to Congress in the Attorney General's 2013 Annual Report on the use of the business records provision and in the Semi-Annual Report for January 1 to June 30, 2013.

2.

On June 27, 2013, the FISA Court a transactional records from 74 The providers produced responsive records in electronic format, which were uploaded into DWS and reviewed by the agent.

During a Minimization and Accuracy Review conducted in a field office in December 2013, an NSD attorney reviewed the records produced in response to this business records order and discovered that had produced information D determined potentially constitute content and were beyond the scope of a business records order for electronic transactional records.
In subsequent conversations with -, the FBI discovered that was regularly providing - in response to FISA business records and pen register and trap and trace (PR/TT) orders, and thus it was likely that~ - - had been overproduced in response to other orders. 75 As of February 7, 2014, had removed -- from business records and told the FBI it would provide information only from uctions in response to future orders to avoid producing unauthorized information.

NSD provided preliminary notice of the potential compliance issue associated with - - to the FISA Court on February 14, 2014, and final notice on June 12, 2014. According to the final notice filed with the FISA Court, in June 2014, NSLB issued guidance to FBI personnel concerning found in business records or PR/TT returns, advising FBI personnel to consult NSLB if they came across - - in FISA-acquired information produced pursuant to a business records or PR/TT order, and the data was not confined to information in the to/from field. FBI e-mails indicate that NSLB did not require agents to re-review business records or PR/TT returns received before February 7, 2014, to assess whether they included data outside the scope of the orders.

An NSD Deputy Section Chief told the OIG that the content in the 2013 - production reported to the FISA Cou data is not content in all cases. For example, she indicated data was but that . . The FBI disclosed this misstatement to the FISA Court and filed a second application for business records relating to those e-mail addresses. In addition, this business records order was not part of the systemic overproduction of e-mail subject lines by - ·

75 The OIG identified • business records orders directed at in 2012 and 2013, but did not review the potentially voluminous productions received in response to those orders to determine if these contained .

The Deputy Section Chief explained that this distinction was not always readily discernible and required case-by-case analysis.
She stated that when the error in this instance was initially discovered, the FBI determined that DITU could not automatically screen productions to identify data that constituted content. She said that the FISA Court was aware that NSLB issued guidance instructing agents to be on the lookout for - data in future productions.

The Department also reported the production of - data to Congress in the Attorney General's Semi-Annual Report for January 1 to June 30, 2014.

3. DWS Release of Quarantined Records

As described above, the FBI's typical practice is to store business records returns produced in electronic format in an access-restricted area of DWS. The agent is required to conduct an initial review of the records to identify overproductions and minimize nonpublic U.S. person information before "releasing" the records in DWS. In March 2015, the FBI identified an error that caused DWS to release some business records returns prior to initial review, making the un-minimized raw data available FBI-wide. The FBI determined that the error potentially affected. business records orders between January 2014 and March 2015. 76

The FBI informed the FISA Court of the error on June 30, 2015. According to the Rule 13(b) notice filed with the FISA Court, the FBI corrected the error in DWS and restricted access to the materials produced in response to the affected business records orders. The FBI then notified the agents responsible for those orders to allow them to conduct initial reviews of their returns. An NSD Deputy Section Chief told us that NSD and FBI are still investigating the incident, specifically they are confirming that all initial reviews have been completed and attempting to determine whether any of the un-minimized raw data was exported from DWS prior to the initial review being conducted.

76 This error affected. business records orders in 2014, including I orders selected for review by the OIG.

C. Current Status of Bulk Collection under Section 215

As noted previously, the USA Freedom Act effectively ended bulk collection by the government under Section 215 by requiring the government to limit the scope of its requests "to the greatest extent reasonably practicable," and by requiring that applications for business records include a "specific selection term," such as a specific individual, telephone number, or e-mail address. This addition to the business records statute was significant because the FISA Court on the theory that all of the data was relevant because it was necessary to create a data archive from which to identify known and unknown terrorists that may be in the United States or in contact with U.S. persons.

The new provision of the USA Freedom Act became effective on November 29, 2015, 180 days after the date of the statute's enactment. • bulk collection After that date A Deputy Section Chief from NSD told us that the government no longer collects information in bulk under Section 215. 77

authorization from the FISA Court to retain and use ~ produced under the FISA Court orders that authorized the - - - - · According to filings with the FISA Court, the NSA requested authority to retain previously produced data for two reasons. First, the NSA requested 90 days of technical access to previously produced data so that authorized technical personnel could use that data to verify the completeness and accuracy of call detail records produced under the new targeted production orders authorized by the USA Freedom Act. Second, the NSA requested authority to retain previously produced data in order to remain in compliance with civil litigation preservation obligations imposed by federal district courts until the NSA was relieved of those obligations.

The FISA Court appointed amicus curiae under the new provisions of the USA Freedom Act and ordered the amicus and the government to brief the issue .
In memoranda to the FISA Court, the amicus concluded that the USA Freedom Act did not prohibit the government's retention and requested use of the bulk data and that it was within the discretion of the FISA Court to determine

77 As noted in Section II of this report, the USA Freedom Act created a new mechanism that allows the government to obtain call detail records from providers within two "hops" of the specific selection term on an ongoing basis for 180 days from the date of the FISA Court order. See 50 U.S.C. § 1861(b)(2)(C).

The amicus stated that given the significant privacy interests of U.S. persons that were at issue, the FISA Court should exercise its oversight authority to ensure that the government was retaining and using the previously collected information in a manner consistent with applicable minimization procedures. Following a hearing on the matter, the FISA Court granted the . . . According to the the FISA Court found e FISA Court found that the government's access to and use of the bulk telephony metadata was appropriately tailored to ensure that the successor program established by the USA Freedom Act was functioning effectively and to ensure compliance with the government's litigation-related obligations.

VI. CONCLUSION

As required by the USA Freedom Act, we examined the FBI's use of Section 215 authority for calendar years 2012 through 2014 in this report. Our review determined that the FISA Court issued 561 business records orders during the review period, including 212 in 2012, 179 in 2013, and 170 in 2014. We found that the Section 215 applications during our review period sought a of "tangible things" including transactional records for e-mail

We found that the number of business records orders obtained by the FBI increased significantly between 2007 and 2014, largely driven by the refusal of several communications providers to produce transactional records for e-mail (ECTRs) in response to NSLs. Between 2007 and 51 total orders. Of these,.
related to and only were requests for ECTRs, representing of all non-bulk business records orders obtained during that between 2012 and 2014,. of the orders related to while. involved requests for ECTRs, constituting roughly of the non-bulk orders obtained during our review period.

Even excepting requests for e-mail transactional records, the number of business records orders obtained by the FBI between 2012 and 2014 was substantially higher than in the previous review period. There were • business records orders for non-ECTR, non-bulk information during our review period, as compared to . between 2007 and 2009. Some witnesses attributed this increase to agents' growing awareness of and comfort with the business records process, while others were unable to provide an explanation for it.

We identified changes in the use of business records orders that took place within our review period. The number of business records orders reached its peak in 2012 with 212 orders and has declined annually since then. Witnesses told us that the number of ECTR requests has declined more than other types of requests. According to an NSD Deputy Unit Chief, revelations about the NSA's bulk telephony metadata program played a role in this decline, both in terms of the stigma attached to use of Section 215 and increased resistance from providers. In comments provided to the OIG after reviewing a draft of this report, NSD also attributed the FBI's increasing use of taskings under Section 702 of the FISA Amendments Act as likely a "notable cause" in the decrease in business records requests.

We found that business records orders were used most frequently in counterintelligence cases. Of the . total orders we analyzed,- were in counterterrorism cases,~ in . obtained in counterintelligence cases, • cases.
ts told us that business records orders uent ber cases in some instances can open a parallel criminal case and use the grand jury process to obtain the same information more and with less oversight than a business records order. which is consistent with agents' explanations that those cases require particularly timely acquisition of information, as discussed below.

During our review, we analyzed the timeliness of the business records process, both generally and at each phase of the approval process. We determined that the median time needed to obtain business records orders during our review period was 115 days. Business records orders spent the least amount of time in the field office phase of the approval process, a median of 16 days. Orders spent a median of 40 days with NSLB and 33 days in the NSD phase of the approval process. We found that the FBI took a median of 2 weeks to obtain final approval signatures from NSLB and the FBI Deputy General Counsel. acknowledged the delays in the process and told the OIG that they have taken steps to improve it, including streamlining the drafting and review process for ECTRs.

We also selected • applications to illustrate the various uses of Section 215 authority and to conduct a more detailed review of the types of materials requested, the purposes of the requests, the materials produced, and the manner in which the materials were used. Although agents expressed concern about the length of the process to obtain a business records order, they told us consistently that these orders continued to be a valuable investigative tool. As with our previous reviews, the majority of agents we interviewed did not identify any major case developments that resulted from use of the records obtained in response to business records orders, but told us that the material produced was valuable as a building block of the investigation.
However, in at least two cases, agents we interviewed told us that the business records obtained in their investigation provided valuable information that they would not otherwise have been able to obtain. In other instances, case agents told us that they used the information obtained under Section 215 to exculpate a subject and close the investigation.

We also reviewed the • FISA Court orders authorizing of certain data as part of counterterrorism • . Our third report on Section 215 authority described including the specialized minimization procedures th - - ' reported compliance incidents, and the status of through May 2015. As described in this report, the USA Freedom Act effectively ended the government's collection of data in bulk under Section 215 by requiring the government to limit the scope of its requests "to the greatest extent reasonably practicable," and by requiring that applications seek records related to a "specific identifier," such as an individual, account, address or personal device. On November 24, 2015, the FISA Court granted the bulk data previously collected under prior FISA Court orders.

Finally, in addition to reviewing the FBI's use of Section 215 authority in calendar years 2012 through 2014, we examined the progress the Department and the FBI made in addressing three recommendations in the OIG's March 2008 and May 2015 reports. In the 2008 report, we recommended that the Department implement final minimization procedures, develop procedures for reviewing materials received in response to business records orders to identify overproduced information, and develop procedures for handling overproductions. In our May 2015 report, we recognized that the Department had adopted Final Procedures implementing the OIG's recommendations, but identified several terms used in the Final Procedures that we believed required clarification.
Based on the information obtained in our current review, we concluded that the Department and the FBI have made these clarifications. We therefore have closed the recommendations.

Based on the information developed during our review, we concluded that the process used to obtain non-bulk business records orders between 2012 and 2014 contained safeguards that protected U.S. persons from the unauthorized collection, retention, and dissemination of nonpublic information about them. As described above, the business records process requires multiple layers of approval, including by attorneys in NSLB and NSD, and by the FBI EAD for certain sensitive records. Information we reviewed indicates that NSLB and NSD attorneys routinely question agents about business records applications. Rather than acting as a "rubber stamp," documents that we reviewed reflect that the FISA Court engages in a dialogue with NSD and at times has informed NSD that it will not approve certain business records applications: we identified at least • applications that were withdrawn after submission of a "read copy" to the FISA Court during the period covered by this review. In addition, since July 2013, the Final Procedures require agents to determine whether nonpublic U.S. person information meets the FISA Standard before retaining or disseminating it to other agencies. We found that the agents we interviewed had received training on the minimization procedures, were knowledgeable about them, and appeared to take them seriously.

The steps that the FBI and NSD have taken to implement the OIG's previous recommendations, combined with the level of oversight and reporting to monitor FBI compliance with the Final Procedures, reflect considerable progress in the FBI's use of Section 215 authority.
However, based on the concerns expressed by agents about the time needed to obtain business records orders, we recommend that the FBI and the Department continue to pursue ways to make the business records process more efficient, particularly for applications related to r cases where agents Potential measures include using FISAMS data to track the timeliness of Section 215 applications, using alerts within FISAMS to identify applications that have lingered past a certain period of time without review, and implementing a streamlined drafting and review process

The Department of Justice Office of the Inspector General (DOJ OIG) is a statutorily created independent entity whose mission is to detect and deter waste, fraud, abuse, and misconduct in the Department of Justice, and to promote economy and efficiency in the Department's operations. Information may be reported to the DOJ OIG's hotline at www.justice.gov/oig/hotline or (800) 869-4499.

Office of the Inspector General
U.S. Department of Justice
www.justice.gov/oig