UNCLASSIFIED ?i ?1 . -- Office of the Inspector GeneraI mg; 1' U.S. Department ofJustice A Review of the FBI's Use of Section 215 Orders: Assessment of Progress in Implementing Recommendations and Examination of Use in 2007 through 2009 Oversight Review Division 15?05 TABLE OF CONTENTS EXECUTIVE SUMMARY .. I. INTRODUCTION .. 1 A. Methodology of the OIG Review .. 1 B. Organization of the Report .. 3 II. BACKGROUND .. 3 A. Legal Background .. 3 B. The Process for Seeking Section 215 Orders .. 7 C. Retention, Dissemination, and Compliance .. 8 1. Retention and Dissemination .. 8 2. Compliance Issues .. 12 STATUS OF RECOMMENDATIONS .. 12 A. Background .. 13 B. Recommendations .. 15 1. Recommendation 1 - Resolved .. 16 2. Recommendation 2 - Closed .. 17 3. Recommendation 3 - Resolved .. 18 C. Handling of Metadata under the Final Procedures .. 22 D. Effect of Final Procedures on OIG's Access to FISA Information .. 24 E. Conclusion and Recommendation .. 26 IV. OVERVIEW OF SECTION 215 ORDERS ISSUED FROM 2007 THROUGH V. 2009 .. 27 A. The Number of Section 215 Applications .. 28 B. An Overview of. of the 51 Section 215 Orders Issued by the FISA Court in 2007 through 2009 .. 28 1. Types of Records Requested in Section 215 Orders Filed on Behalf of the FBI .. 29 2. FBI Field Of?ces that Submitted Requests for Sectlon 215 Orders in 2007 through 2009 .. 29 3. Types of Investigations from which Section 215 Requests Originated .. 30 4. Subjects of Section 215 Applications .. 30 SELECTED SECTION 215 ORDERS OBTAINED IN 2007 THROUGH 2009 .. 31 A. Selected Uses of Section 215 Authority .. 32 2. Request for Electronic Communications Transactional Records Section 215 Orders Issued Ma 2009 3. 4. 5. 6. B. Summary of Findings .. 44 VI. A. Bulk Telephony Metadata .. 46 1. Background .. 46 2. May 23, 2006, Section 215 Application .. 47 3. May 24, 2006, FISA Court Order .. 49 4. Modi?cations to and Renewals of the May 24, 2006, FISA Court Order .. 49 5. Non-Compliance with Section 215 Orders .. 50 6. August 17, 2009, Report to Court and September 3, 2009, Court Order Lifting Access Restrictions .. 55 7. July 19, 2013, FISA Court Order Renewing Collection and Current Status of Collection .. 57 B. .. 59 VII. CONCLUSION AND RECOMMENDATION .. 63 EXECUTIVE SUMMARY This Executive Summary provides a brief overview of the results of the Department of Justice (Department or DOJ) Of?ce of the Inspector General's (OIG) third review of the Federal Bureau of Investigation?s (FBI) use of the investigative authority granted by Section 215 of the Patriot Act.1 Section 215 is often referred to as the ?business record" provision. The OIG's ?rst report, A Review of the Federal Bureau of Investigation ?5 Use of Section 215 Orders for Business Records, was issued in March 2007 and covered calendar years 2002 through 2005. The 016?s second report, A Review of the FBI ?5 Use of Section 215 Orders for Business Records in 2006, was issued in March 2008 and covered calendar year 2006. This third review was initiated to examine the progress the Department and the FBI have made in addressing the OIG recommendations which were included in our second report. We also reviewed the use of Section 215 authority in calendar years 2007, 2008, and 2009. To conduct this review, the OIG reviewed the Standard Minimization Procedures for Tangible Things Obtained Pursuant to Title of the Foreign Intelligence Surveillance Act adopted by the Attorney General on March 7, 2013. We also examined over 10,000 documents obtained from the FBI and the Department's National Security Division?s (NSD) Of?ce of Intelligence, including ?les relating to each of the FBI's applications to use Section 215 authority, and Department reports to Congress concerning that use during calendar years 2007 through 2009. We interviewed over 50 individuals from the FBI and the Department, including Section Chiefs from the FBI's National Security Law Branch (NSLB) and NSD's Of?ce of Intelligence as well as the attorneys, case agents, and who worked on individual Section 215 orders. In this review, we examined the progress the Department and the FBI have made in addressing the three recommendations in the OIG's March 2008 report. In the 2008 report, we recommended that the Department implement minimization procedures for the handling of nonpublicly available information concerning U.S. persons produced in response to Section 215 orders, as required by the Reauthorization Act. We also recommended that the FBI 1 In February 2015, the 016 provided a classi?ed version of this report, with certain information redacted, to the relevant Congressional oversight and intelligence committees, as well as to leadership of?ces. We did not issue a public version of the report at that time because, although we had provided a ?nal draft of the report to the FBI and the Intelligence Community in June 2014 for a classi?cation review, we had not been informed of when that review would be completed. This report follows the com letion of the classi?cation review and contains redactions of information that the FBI and determined is classi?ed, law enforcement sensitive, or ?for of?cial use only." The report also contains several redactions of information that the FBI asserted is protected by the deliberative process privilege. The 016 disagrees with those FBI assertions. With this report, the DIS has also issued an updated classi?ed report, without redactions, to the relevant Congressional oversight and intelligence committees, and to leadership of?ces. develop procedures for reviewing materials received in response to Section 215 orders to ensure that the materials do not contain information outside the scope of the Foreign Intelligence Surveillance Court (FISA Court or the Court) orders. Finally, we recommended that the FBI develop procedures for handling material that is produced in response to, but outside the scope of, a Section 215 order. The Reauthorization Act required that the Department adopt minimization procedures to govern the retention and dissemination of material produced pursuant to a Section 215 order. In response to the statutory requirement, the Department adopted Interim Minimization Procedures in September 2006. The Interim Procedures adopted four sections of the FBI's National Security Investigation Guidelines (NSI Guidelines) and stated that the four sections were to be ?construed? to meet the statutory definitions of minimization procedures contained in the Reauthorization Act. FBI agents were already required to comply with the N51 Guidelines in their entirety when seeking a Section 215 order and handling Section 215 productions. Thus, the Interim Procedures did not add any new requirements and did not affect the application of the N51 Guidelines to Section 215 material. In our March 2008 report, we found that the Interim Procedures did not meet the requirements of the Reauthorization Act because they failed to provide FBI agents with speci?c guidance regarding the retention and dissemination of non-public US. person information obtained under Section 215 authority. We therefore recommended that the FBI develop ?nal standard minimization procedures for business records that provided such guidance. In response to our report, the Department stated that it would replace the Interim Procedures with standard minimization procedures ?speci?cally tailored to collection under Section 215.? As we describe in our current report, our review of the implementation of this recommendation revealed that the Department had not yet replaced the Interim Procedures by mid-2009. Beginning in June 2009, FISA Court judges began to issue Supplemental Orders with Section 215 orders. The Supplemental Orders required the Department to submit a written report to the FISA Court describing the FBI's implementation of the Interim Procedures to US. person information produced in response to Section 215 orders. The Supplemental Orders also required that the reports be of suf?cient detail to allow the FISA Court to assess the adequacy of the implementation of the Interim Procedures. NSD and NSLB attorneys told us that they believed that the FISA Court judges would continue to issue Supplemental Orders until the Department replaced the Interim Procedures with ?nal procedures speci?cally designed for Section 215 matters. We found the Supplemental Orders signi?cant because the practice began almost 3 years after the Department was required by the Reauthorization Act to adopt speci?c minimization procedures for material produced in response to Section 215 orders, and over a year after we found that the Interim Procedures implemented by the Department in September 2006 failed to meet the requirements of the Reauthorization Act. The Department and FBI ultimately produced ?nal minimization procedures speci?cally designed for Section 215 iv materials in 2013. The Attorney General adopted the FBI Standard Minimization Procedures for Tangible Things Obtained Pursuant to Title of the Foreign Intelligence Surveillance Act on March 7, 2013 (Final Procedures), and in August 2013 the Department began to ?le Section 215 applications with the FISA Court which stated that the FBI would apply the Final Procedures to the Section 215 productions. Given the signi?cance of minimization procedures in the Reauthorization Act, we do not believe it should have taken 7 years for the Department to develop minimization procedures or 5 years to address the OIG recommendation that the Department comply with the statutory requirement to develop speci?c minimization procedures designed for business records. Nevertheless, as we describe in our report, we concluded that with the Final Procedures the Department and FBI have addressed the three recommendations in the 016's March 2008 report. With respect to our recommendation that the Department develop ?nal standard minimization procedures, we consider the recommendation to be closed. As for the other two recommendations regarding the review of Section 215 materials and procedures for handling overproduced material, we found that both recommendations were addressed in the Final Procedures and therefore are resolved. These two recommendations remain resolved and not closed so that the Department and FBI may consider clarifying speci?c aspects of those procedures in training materials, policy implementation guidelines, or future versions of the procedures. We encourage the Department and the FBI to periodically evaluate the Final Procedures' implementation to determine whether additional clari?cations or explanations through updates in training or revisions to the guidelines are appropriate. We also examined the provisions in the Final Procedures that pertain to the access to Section 215-acquired information for purposes of conducting its reviews and investi ations. The General Provisions section of the Final Procedures states The FBI has in the past taken the position that the minimization procedures for electronic surveillance and physical searches conducted under FISA restricted the OIG's access to FISA information. The Department made revisions to those procedures in 2013 that included inserting the statement above, which was subsequently also incorporated into the Final Procedures for Section 215 material. As described further in this report, the NSD Deputy Assistant Attorney General for the Of?ce of Intelligence and the General Counsel stated to us in this review their position that the Final Procedures allow the OIG's access to Section 215-acquired information needed for the reviews and investigations. In addition to examining the Department's progress in addressing the recommendations from our last report, we provide an overview of the use of Section 215 authority during the 2007-2009 time period that describes the number of Section 215 orders obtained, the type of information requested, the number of FBI of?ces using the authority, and the collection of US. person information. Our review found that the FBI processed I requests for Section 215 applications, 51 of which were formally submitted to the FISA Court for approval: 17 in 2007, 13 in 2008, and 21 in 2009. The Department ?led of the 51 a lications in connection with counterterrorism ro rams . The other applications were formally submitted to the FISA Court on behalf of the FBI. The I requests that were not submitted to the FISA Court were withdrawn after being submitted to either NSLB or NSD. We did not identify any applications that were withdrawn after being submitted to the FISA Court. The FISA Court approved each of the 51 formally submitted applications. We found that I of the I applications submitted to the FISA Court on behalf of the FBI requested material related to internet activity. The remaining I applications re uested records similar to those discussed in our revious reiorts such as We also found that the number of U5. persons identified as the subjects of the underlying investigations in Section 215 applications we reviewed was not equivalent to the number of US. persons about whom information was collected in response to the Section 215 orders. Several reasons account for this. First, Section 215 permits the FBI to request records of persons or entities who are not subjects of the underlying investigation. Second the classified directive to the de?nition of U.S. . Third, records produced in response to Section 215 orders may include records about US. persons who are neither the subjects of the underlying investigation nor the persons whose records were requested in the Section 215 order. Our report also describes several Section 215 applications from the 2007- 2009 time period which illustrate the use of Section 215 authority to obtain new and varied types of information. We found that agents' descriptions of why they sought Section 215 orders and whether they considered the material produced to be valuable were consistent with what we were told during our last two reviews. For example, agents and attorneys told us that Section 215 authority continued to be a valuable investigative tool particularly when companies would not voluntarily produce the material sought by the FBI and when the material was not available through other investigative authorities. As with our previous reviews, the agents we interviewed did not identify any major case developments that resulted from use of the records obtained in response to Section 215 orders, but told us that the material produced pursuant to Section 215 orders was valuable in that it was used to support other investigative requests, develop investigative leads, and corroborate other information. We vi did not attempt to independently evaluate the value or use of the materials produced in response to the Section 215 orders. As in our previous report, we identi?ed several instances during the 2007- 2009 period where the Department or the FISA Court modi?ed Section 215 applications and orders. For example, the FISA Court identi?ed instances where subjects were inaccurately identi?ed as non-U.S. persons and when the orders were drafted in a manner that might cause the production of material not authorized by the FISA Court?s order. This report also includes our review of the Iications that the Department ?led with the FISA Court for of information in connection with previously described Classi?ed Appendices of our March 2008 report. In June 2013, former NSA contract employee Edward Snowden caused to be publicly released documents relating to the bulk collection of telephony metadata and the Of?ce of the Director of National Intelligence has since declassi?ed as ects of this ro ram. We have included a description or the NSA program. in the body of this report. The De artment relied on to obtain FISA Court orders In the applications, the Department stated that all of the data collected is relevant because it is necessary to create a data archive from which to identify known and unknown terrorists that may be in the United States or in contact with U.S. ersons. The Department acknowledged in the applications that the include records of U.S. persons who were not the subject of or associated with the subjects of authorized investi ations. The FISA Court's orders approving the Section 215 requests for included specialized minimization procedures for the - that differed from the Interim and Final Procedures mentioned above. We describe the specialized minimization procedures in this report. Finally, we note that the use of Section 215 authority continues to expand to re?ect legislative, technological, and strategic changes. The legislative changes expanded both the types of businesses upon which Section 215 orders could be served and the categories of documents that could be obtained. The legislative changes also lowered the evidentiary threshold for obtaining Section 215 orders to a ?relevance? standard and provided a presumption of relevance for items requested in applications that involve foreign powers, agents of foreign powers, subjects of authorized investigations, and individuals known to associate with subjects of such investigations. Technological advancements to and society?s use of the Internet have also ex ended the uantit and quality of electronic information available to the FBI, H, through use of Section 215 authority. Materials vii produced in response to Section 215 orders now range from hard copy reproductions of business ledgers and receipts to gigabytes of metadata and other electronic information. The FBI made strategic use of the legislative and technological changes by broadening the scope of materials sought in applications. Section 215 authority is not limited to requesting information related to the known subjects of speci?c underlying investigations. The authority is also used in investigations of groups comprised of unknown members and to obtain information in bulk concerning persons who are not the subjects of or associated with any FBI investigation. While the expanded scope of these requests can be important uses of Section 215 authority, we believe these expanded uses require continued signi?cant oversight by the FISA Court, N50, and other oversight entities. I. INTRODUCTION This is the Department of Justice (Department or DOJ) Of?ce of the Inspector General?s (OIG) third review of the Federal Bureau of Investigation?s (FBI) use of the investigative authority granted by Section 215 of the Patriot Act.2 Section 215 of the Patriot Act allows the FBI to seek orders from the Foreign Intelligence Surveillance Court (FISA Court) for ?any tangible things," including books, records, and other items from any business, organization, or entity provided the item or items are for an authorized investigation to obtain foreign intelligence information not concerning a US. person or to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a US. person is not conducted solely on the basis of activities protected under the ?rst amendment to the Constitution. The USA PATRIOT Improvement and Reauthorization Act of 2005 (Reauthorization Act or the Act) directed the OIG to review the FBI's use of Section 215 for two separate time periods.3 The OIG issued its ?rst report in March 2007. That report, A Review of the Federal Bureau of Investigations Use of Section 215 Orders for Business Records, covered calendar years 2002 through 2005. The 016's second report, A Review of the Use of Section 215 Orders for Business Records in 2006, was issued in March 2008 and covered calendar year 2006. Although not required by the Reauthorization Act, the OIG undertook this third review in order to examine the progress the Department and the FBI have made in addressing the recommendations in our second report. We also review in this report the FBI's use of Section 215 authority in calendar years 2007 through 2009.4 A. Methodology of the OIG Review To conduct this review, the OIG examined over 10,000 documents consisting of over 89,000 pages of material obtained from the FBI and the Department's National Security Division's (NSD) Of?ce of Intelligence, including ?les relating to each of the FBI's applications to use Section 215 authority, Department reports to Congress concerning that use during calendar years 2007 through 2009, and the new minimization procedures for Section 215 productions adopted by the Attorne General in March 2013 (Final Procedures). We reviewed each of the i requests for Section 215 applications processed by the FBI Of?ce of General Counsel's National Security Law Branch (NSLB) during our review period. 2 The term PATRIOT Act" is an acronym for the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Pub. L. No. 107?56, 115 Stat. 272 (2001). It is commonly referred to, and referred to in this report as ?the Patriot Act.? 3 The Reauthorization Act of 2005 was signed into law on March 9, 2006. 4 We note subsequent developments brought to our attention where relevant. 0f the I requests, 51 applications were submitted to and granted by the FISA Court. Of the 51 applications, the Department ?led on behalf of the FBI and ?led in connection with counterterrorism ro rams .5 The requests not submitted to the FISA Court were withdrawn after being submitted by the FBI either to NSLB or NSD. With regard to the I Section 215 applications ?led on behalf of the FBI, we summarize information about them in order to provide an overview of the Section 215 orders obtained between 2007 and 2009. The information includes the types of investigations from which the Section 215 requests originated and the types of records sought in the applications. We also selected eight applications for more detailed analysis in order to highlight the evolving and varied uses of Section 215 authority. With reiard to the Section 215 a we summarize which use Section 215 orders to obtain of information from certain roviders of telecommunications service if We also provide an overview of the unique aspects of the Section 215 applications which su ort . The overview includes a description of the the specialized minimization procedures that apply to the and reported compliance incidents. lications the FBI submitted We interviewed over 50 people from the FBI and the Department, including Section Chiefs from NSLB and NSD's Office of Intelligence as well as the attorneys, case agents, and who worked on individual Section 215 orders. We also interviewed FBI personnel responsible for administering various FBI databases. We did not conduct an independent compliance review of each use of Section 215 authority in 2007 through 2009 to determine whether there was any improper use of the authority, or whether recipients of Section 215 orders produced material outside the scope the orders. For purposes of this report, we relied on the Department's reporting to the FISA Court to describe any compliance incidents that occurred during the 2007-2009 time period. However, we do highlight with respect to some uses of Section 215 authority the challenges the Department faces in ensuring that the government collects or uses only that information it is lawfully permitted to obtain, and we identify 5 Because Section 215 provides the FBI with the sole authority to make Section 215 a lications to the FISA Court, the FBI initiates the Section 215 applications a See 50 U.S.C. 1861(a)(1). As a matter of Department procedure, NSD ?les all Section 215 applications with the FISA Court irrespective of the agency designated in an application to receive the production. several instances where the Department?s reporting to the FISA Court contained inaccuracies. B. Organization of the Report This report is divided into seven sections. After this introduction, we describe in Section II the legal background related to Section 215 authority, the process for obtaining a Section 215 order, and the procedures applicable to the use of Section 215 material. In Section we discuss the status of the recommendations the OIG made in its second and most recent report concerning the use of Section 215 authority. In Section IV, we provide an overview of the FBI's use of Section 215 authority during the relevant time period. We describe the number of Section 215 orders obtained, the type of information requested, the number of FBI of?ces using the authority, and the collection of U5. person information. In Section V, we provide a detailed description of a sample of the FBI's use of Section 215 authority in 2007 through 2009. We describe the material requested, the purpose of the request, the material produced, and the manner in which the material was used. In Section VI, we date the information about the uses of Section 215 authority described i Classi?ed Appendices to our last report. These appendices described the FBI's use of Section 215 authorit on behalf of the NSA to obtain bulk collections of tele hon metadata section vn contains conclusions. II. BACKGROUND This section provides a brief description of the legal background related to Section 215 authority and the process for obtaining Section 215 orders. A. Legal Background Pursuant to Section 215 of the Patriot Act, the FBI may obtain ?any tangible things,? including books, records, and other items from any business, organization, or entity provided that the item or items are for an authorized investigation. The tangible things are available ?for an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities, provided that an investigation of a United States person is not conducted solely upon the basis of activities protected by the ?rst amendment to the Constitution.?7 50 U.S.C. 1861. Section 215 did not create any new investigative authority but instead expanded existing authority found in the Foreign Intelligence Surveillance Act of 1978 (FISA). 50 U.S.C. 1801 et seq. FISA requires the FBI to obtain an order from the FISA Court in order to conduct electronic surveillance to collect foreign intelligence information.? In 1998, Congress amended FISA to authorize the FBI to apply to the FISA Court for orders compelling four kinds of businesses to ?release records in [their] possession" to the FBI: common carriers, public accommodation facilities, physical storage facilities, and vehicle rental facilities. The amendment did not further de?ne ?records.? This provision, which was codi?ed at 50 U.S.C. 1862, became known as the ?business records" provision and was the provision expanded by Section 215 of the Patriot Act.9 The 1998 business records amendment required a FISA application to specify that the records were sought for an investigation to gather foreign intelligence information or an investigation concerning international terrorism, and that there were ?speci?c and articulable facts giving reason to believe that the person to whom the records pertain is a foreign power or an agent of a foreign power.? 50 U.S.C. 1862 (2000 ed.) This language meant that the FBI was limited to obtaining information regarding a speci?c person or entity the FBI was investigating and about whom the FBI had individualized suspicion. In addition, the amendment prohibited the entity complying with the order from disclosing either the existence of the order or any information produced in response to the order. Subsequent to the 1998 FISA amendment creating this investigative authority and prior to passage of the Patriot Act in October 2001, the FBI obtained only one FISA order for business records. This order was obtained in 2000. Section 215 of the Patriot Act signi?cantly expanded the scope of the investigative authority pursuant to the business records provision of FISA and lowered the standard of proof required to obtain this type of business record. The pertinent part of Section 215 provides: The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to obtain foreign intelligence information not concerning a United States 7 The FISA statute defines U.S. persons as US. citizens, permanent resident aliens, corporations incorporated in the United States, and associations substantially composed of US. persons. 50 U.S.C. 18010). The Office of Intelligence prepares and presents applications for Section 215 orders to the FISA Court at the request of the FBI. 9 50 U.S.C. 1862(b)(2)(B) (1998), as amended, 50 U.S.C. 1861 (2001). person or to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the ?rst amendment to the Constitution. 50 U.S.C. 1861(a)(1). While the 1998 language limited the reach of this type of investigative authority to four types of entities, the new language did not explicitly limit the type of entity or business that can be compelled by an order. Section 215 of the Patriot Act also expanded the categories of documents that the FBI can obtain under the business records provision of FISA. The categories are no longer limited to ?records?; instead, Section 215 provides that the FBI may obtain an order for ?the production of any tangible things (including books, records, papers, documents, and other items)." Id. Section 215 also lowered the evidentiary threshold to obtain such an order. As a result, the number of people whose information could be obtained was expanded because the FBI is no longer required to show that the items being sought pertain to a person whom the FBI is investigating. Instead, the items sought need only be requested ?for an authorized investigation conducted in accordance with [applicable law and guidelines] to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities.? 50 U.S.C. 1861(b)(2). This standard, referred to as the relevance standard, permits the FBI to seek information concerning persons not necessarily under investigation but who are connected in some way to a person or entity under investigation. In 2006, the Reauthorization Act further amended Section 215 by requiring that an application establish ?reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation." Id. At the same time, the Reauthorization Act provided a presumption of relevance for tangible things that pertain to any of four speci?ed entities or individuals: foreign powers, agents of foreign powers, subjects of authorized investigations, and individuals known to associate with subjects of such investigations. Id. When the statement of facts in an application demonstrates the tangible things requested pertain to any of these four entities or individuals, the government has presumptively established the items' relevance. In other words, in these cases the FISA Court is required to ?nd that the statutory threshold has been met. The Reauthorization Act included other substantive amendments to Section 215. For example, the Act speci?cally authorized the collection of certain sensitive records, including library, medical, educational, and tax return records. The Act also required that applications for these sensitive records be approved by the FBI Director or a speci?ed designee, and speci?c congressional reporting regarding them.? In addition, the Reauthorization Act speci?cally provided that Section 215 orders must, among other things, contain a particularized description of the items sought and provide for a reasonable time (not de?ned in the statute) to assemble them. The Act also established a detailed judicial review process for recipients of Section 215 orders to challenge their legality before a FISA Court judge. Additional changes to Section 215 were adopted with the enactment of the USA PATRIOT Act Additional Reauthorizing Amendments Act of 2006. For example, the 2006 amendments provided that a recipient of a Section 215 order may petition the FISA Court to modify or set aside the nondisclosure requirernent after 1 year from the issuance of the order if certain ?ndings are made. Section 215, along with other provisions of the Patriot Act, was originally scheduled to sunset on December 31, 2005. The Reauthorization Act extended Section 215 for 4 years until December 31, 2009. Since the Reauthorization Act, Section 215 has been extended on several occasions and is currently extended to June 1, 2015. Discussions about the future of Section 215 authority have been affected by public disclosures of information about the NSA's counterterrorism program involving the bulk collection of telephony metadata. The disclosures began in June 2013 and revealed, among other things, that the FISA Court approved Section 215 orders that authorized the collection of billions of call detail records. The records included those of millions of U.S. persons who were not the subjects of or associated with the subjects of authorized investigations, or believed to be associated with a speci?ed Foreign Power. The collection was predicated on the theory that the government needed to build a vast archive of call detail records in order to identify communications between known and unknown terrorists and potential operatives located in the United States. The telephony metadata 1? As permitted by the Reauthorization Act, the FBI Director delegated approval authority for these records to the Deputy Director and the Executive Assistant Director for the FBI's National Security Branch. USA PATRIOT Act Additional Reauthorizing Amendments Act of 2006, Pub. L. No. 109- 178. The Court may grant a petition to modify or set aside the non-disclosure provision if the Court ?nds there is no reason to believe that disclosure may endanger the national security, interfere with a criminal, counterterrorism, or counterinteliigence investigation, interfere with diplomatic relations, or endanger the life or physical safety of any person. However, if the Attorney General, Deputy Attorney General, or FBI Director certi?es that the disclosure may endanger the national security or interfere with diplomatic relations, the certification will be treated as conclusive, unless the Court ?nds that such a certi?cation was made in bad faith. . However, after reviewing a draft of this report, NSD informed the OIG that in 2010, the FISA Court granted a joint request by the Department and a provider to extend the time in which the provider could challenge a Section 215 order related to the bulk collection of telephony metadata. Ultimately, the parties resolved the issue of the orders legality and a challenge was not ?led with the FISA Court. On May 14, 2014, the Of?ce of the Director of National Intelligence declassi?ed the FISA Court pleadings relating to this event. included information from local and long-distance telephone calls such as the numbers dialed as well as the date, time, and duration of the telephone calls, but not the content of the telephone conversations. B. The Process for Seeking Section 215 Orders As we described in our ?rst and second Section 215 reports, the process to obtain a Section 215 order generally involves ?ve phases: FBI ?eld of?ce initiation and review, FBI Headquarters review, NSD Of?ce of Intelligence review, FISA Court review, and FBI service of the order. The process to obtain a Section 215 order generally begins when an FBI case agent in a ?eld of?ce prepares a business records request form, which requires the agent to provide, among other things, the following information: a brief summary of the investigation, a speci?c description of the items requested, an explanation of the manner in which the requested items are expected to provide relevant information, and the identity of the custodian or owner of the requested items.? The request form must be approved by the agent's supervisor and the ?eld of?ce's Chief Division Counsel and Special Agent in Charge. The approval process is automated through the FISA Management System (FISAMS), which sends electronic noti?cations to each individual responsible for taking the next action in order to process the business record in the ?eld of?ce. After the approvals are completed in the ?eld of?ce, the FISAMS noti?es the ?substantive desk" (in the Counterterrorism Division or Counterintelligence Division) at FBI Headquarters. At FBI Headquarters, the business records request form is reviewed and approved by both the substantive desk and NSLB. Once the FISAMS delivers the request to the substantive desk, it is assigned to an NSLB attorney who works with the case agent and other FBI personnel to obtain the information the NSLB attorney believes is necessary to include in the draft application and order. The draft application package is then reviewed by NSLB supervisors and forwarded to NSD, where the request is assigned to an NSD attorney. The NSD attorney works with the NSLB attorney, case agents, and occasionally FBI intelligence to obtain any additional information the NSD attorney believes is necessary to include in the draft application and order.13 An NSD supervisor then reviews the draft application package. The ?nal application package is returned to the FBI for an accuracy review and additional edits may be made based on the review of the ?nal package. Upon completion of the ?nal version, signatures of designated senior FBI 12 Some Section 215 requests originate from FBI Headquarters. 13 According to an NSLB attorney, in 2011 the NSLB and NSD adjusted the drafting process for certain Section 215 applications and orders to reduce dupiicative efforts. The agencies agreed that NSLB would submit a factual summary of the investigation to NSD instead of a draft application and order and that NSD would draft the Section 215 application and order based on the facts in the NSLB summary. personnel are obtained and an NSD attorney prepares the package for presentation to the FISA Court. While the ?nal signatures are collected, NSD schedules the case on the FISA Court's docket and, pursuant to the FISA Court Rules of Procedure, provides the FISA Court with a ?proposed application" which is an advance copy of the application commonly called a ?read? copy. The FISA Court, through a FISA Court legal advisor, may identify questions or concerns and request changes or additional information to the documents after reviewing the ?read? copy. NSD and the FBI then address these questions or concerns and make any necessary revisions to the application and order prior to submitting a formal or ?nal application and order for the Court's approval. The FISA Court will either sign the formal submission or request that NSD present the formal application package to the FISA Court at a scheduled hearing. If the FISA Court judge approves the formal application, the judge signs the order. The judge may make handwritten changes to the order (for example, to clarify the U.S. person status of the person or entity for which the records were sought) and, if so, will sign the order with the handwritten modi?cations. The order is then entered into the FISAMS and served by the FBI ?eld of?ce nearest to the provider designated in the order. Among other things, the order sets forth the deadline for producing the items. C. Retention, Dissemination, and Compliance In this section we describe the policies and procedures that governed the retention and dissemination of material produced pursuant to a Section 215 order during the 2007-2009 time period. We also describe the Department's obligation to report compliance issues related to the use of Section 215 authority. 1. Retention and Dissemination The Reauthorization Act required that the Department adopt minimization procedures to govern the retention and dissemination of material produced pursuant to a Section 215 order. These minimization procedures apply to nonpublic U.S. person information. The Act required that the procedures minimize the retention and dissemination of nonpublic U.S. person information consistent with the needs of the United States to obtain and disseminate foreign intelligence. The Reauthorization Act also required that the procedures prohibit the dissemination of nonpublic U.S. person information unless the identity of the U.S. person was foreign intelligence, necessary to understand foreign intelligence, or evidence of a crime.? 1? The FISA statute de?nes minimization procedures as: (A) Speci?c procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information (Cont?d.] In response to the statutory requirement, the Department adopted Interim Minimization Procedures in September 2006. The Interim Procedures adopted four sections of the FBI's National Security Investigation Guidelines (NSI Guidelines) and stated that the four sections were to be ?construed? to meet the statutory de?nitions of minimization procedures contained in the Reauthorization Act. FBI agents were already required to comply with the N51 Guidelines in their entirety when seeking a Section 215 order and handling Section 215 productions. Thus, the Interim Procedures did not add any new requirements and did not affect the application of the N51 Guidelines to Section 215 material.15 The Interim Procedures included several concepts that appear in Section of this report, where we describe speci?c uses of Section 215 authority from 2007 to 2009. First, the Interim Procedures included the de?nition of minimization procedures from the Reauthorization Act. The de?nition stated that nonpublicly available information that is not foreign intelligence cannot be disseminated in a manner that identi?es a US. person unless the identity is ?necessary to understand foreign intelligence information or assess its importance" or is evidence of a crime. Although the Interim Procedures referenced the de?nition of ?foreign intelligence information" from the Reauthorization Act, neither the Interim Procedures nor the N51 Guidelines included a de?nition or guidance about what is meant by the phrase ?necessary to understand foreign intelligence information.?16 Similarly, neither the Interim concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information; (B) Procedures that require that nonpublicly available information, which is not foreign intelligence information as de?ned in section 1801(e)(1) of this title, shall not be disseminated in a manner that identi?es any United States person, without such person's consent, unless such person?s identity is necessary to understand foreign intelligence information or assess its importance; and (C) Notwithstanding subparagraphs (A) and (B), procedures that allow for the retention and dissemination of Information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes. 50 U.S.C. 1861(g)(2) ?5 During our review period the Attorney General Guidelines were updated. Speci?cally, the 2003 Guidelines were superseded by the 2008 Attorney General Guidelines for Domestic FBI Operations (AGG-DOM). Although the new AGG-DOM were not incorporated into the Interim Procedures, the AGG-DOM did not substantively change the N51 Guidelines provisions adopted in the Interim Procedures. 16 The FISA Statute de?nes Foreign Intelligence as: (1) information that relates to, and if concerning a United States person is necessary to, the ability of the United States to protect against actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power; sabotage or international terrorism by a foreign power or an agent or foreign power; or clandestine intelligence activities by an intelligence service or network of a foreign power or by an agent of a foreign power; or (Cont?d.) Procedures nor the NSI Guidelines included a de?nition or guidance regarding what constitutes U.S. person identifying information. Second, the Interim Procedures adopted the ?Determination of United States Persons Status? and ?Respect for Legal Rights" sections of the NSI Guidelines. The ?Determination of United States Person Status? section included the de?nition of U.S. erson contained in the FISA statute noted above. This section also rovided . In sum absent other information . See NSI Guidelines {3 I.C.2 and AGG-DOM Classi?ed Provisions The ?Respect for Legal Rights? section of the NSI Guidelines prohibited investigating or maintaining U.S. person information solely for the purpose of monitoring First Amendment activities or the lawful exercise of Constitutional or statutory rights. Third, the Interim Procedures adopted provisions of the ?Retention and Dissemination of Information" section of the NSI Guidelines.17 With respect to retaining information, the Interim Procedures required that the FBI retain investigative records in accordance with a plan approved by the National Archives and provided for NSD oversight of information obtained in the course of investigations. With respect to disseminating information, the Interim Procedures provided that the FBI could disseminate information within the Department, with other federal, state, and local entities, and with foreign authorities when the information related to the recipient's authorized responsibilities and dissemination was consistent with national security interests.? In our March 2008 report, we found that the Interim Procedures ad0pted by the Department did not meet the requirements of the Reauthorization Act because they failed to provide FBI agents with speci?c guidance regarding the retention and dissemination of non-public U.S. person information obtained under Section 215 authority. We therefore recommended that the FBI develop ?nal standard minimization procedures for business records that provided such (2) information with respect to a foreign power or foreign territory that relates to, and if concerning a United States person is necessary to the national defense or the security of the United States; or the conduct of the foreign affairs of the United States. 50 U.S.C. 1801(e). ?1 The Interim Procedures adopted the retention provision requiring compliance with the National Archives and Records Administration and the Information Sharing provisions. 1" The ?De?nitions? section was the fourth section of the NSI Guidelines adopted in the Interim Procedures. guidance. We also recommended that the FBI require an initial review of the records received in response to Section 215 orders and develop a policy for handling overproductions, or material outside the scope of the Section 215 order. In response to the latter recommendations, the FBI wrote a December 16, 2009, letter to the OIG which stated that the FBI added a compliance requirement to the FISA Business Records section of the FBI Domestic Investigations and Operations Guide (DIOG). In addition to requiring that agents implement the minimization procedures required by the Department and the FISA Court, the compliance requirement mandated that prior to uploading Section 215 material into FBI databases, agents review productions to determine whether the documents were responsive to the Section 215 orders, and included procedures for handling overproduced material.? (DIOG During the course of the OIG's correspondence with the FBI regarding the adequacy of the new DIOG compliance requirement, the FBI informed us in an October 28, 2009, letter that it expected the Final Procedures to address all three of the OIG recommendations. With respect to our recommendation to develop ?nal standard minimization procedures for business records, the Department stated that it would replace the Interim Procedures with standard minimization procedures ?speci?cally tailored to collection under Section 215." However, by spring 2009, the Department had not yet replaced the Interim Procedures. In May 2009, a FISA Court judge requested that the FBI voluntaril a additional minimization procedures Section 215 orders. The De artment agreed to implement the additional minimization procedures in these matters and also ?led reports with the FISA Court describing how the FBI implemented the additional procedures for the - matters. Subsequently, in June 2009, FISA Court judges began to issue Supplemental Orders with most Section 215 orders.? The Supplemental Orders required the Department to submit a written report to the FISA Court describing the FBI's implementation of the Interim Procedures to materials roduced in res onse to Section 215 orders. . NSD and NSLB attorneys told us that they believed that the FISA Court judges would continue to issue Supplemental 19 The review requirement and overproduction procedures were removed from the 2011 edition of the DIOG and a new section entitled Overcollection" was added. The new section addressed the circumstances in which overproduced material would be sequestered with the FISA Court, and directed FBI personnel to NSLB attorneys for additional guidance for handling FISA overcollectlons. According to NSLB attorneys, the change re?ected the fact that NSLB was then reviewing the overproduction guidance. 2? The FISA Court did not issue Supplemental Orders for Section 215 productions that were subject to specialized minimization procedures, which are discussed in Section IV, or for the Section 215 production in the Positive Foreign Intelligence investigation that we describe in Section of this report. 11 Orders until the Department replaced the Interim Procedures with ?nal procedures speci?cally designed for Section 215 matters. In Section V, we describe several of the reports submitted to the FISA Court in response to Supplemental Orders. 2. Compliance Issues The Department is required to report compliance issues related to the use of Section 215 authority. The Rules of Procedure for the FISA Court require the Department to correct misstatements of material fact and to disclose non- compliance with an order to the FISA Court. In addition, the FBI is required to report activities that may be unlawful or contrary to executive orders or directives to the Intelligence Oversight Board (108) and Director of National Intelligence. See Exec. Order 12863 and Exec. Order 13470 amending Exec. Order 12333 on United States Intelligence Activities. The subjects of these reports to the 108 are commonly referred to as violations.? FBI policy requires employees to report potential 103 violations to NSLB within 30 days of discovery. In Sections and VI, we describe the compliance incidents reported during the 2007-2009 time period that occurred in the Section 215 matters we selected for review. We do not attempt to independently identify or describe all of the compliance incidents that occurred during our review period. STATUS OF RECOMMENDATIONS In the second report about the use of Section 215 authority, A Review of the FBI's Use of Section 215 Orders for Business Records in 2006 (March 2008), we made the following three recommendations: 0 The FBI should develop procedures for reviewing materials received from Section 215 orders to ensure that it has not received information that is not authorized by the FISA Court orders; a The FBI should develop procedures for handling material that is produced in response to, but outside the scope of, a Section 215 order; and The FBI should develop ?nal standard minimization procedures for business records that provide speci?c guidance for the retention and dissemination of U.S. person information. In this section, we provide some background information about the and the Department's efforts to implement the recommendations and the statutory requirement that the Attorney General adopt speci?c minimization procedures for Section 215 material. We then assess the status of the each of the three recommendations. Where the FBI or Department has taken action on a recommendation that fully addresses the issue the OIG identi?ed, we consider the recommendation ?closed.? Where the FBI or the Department has taken 12 action on a recommendation but we request additional action or information to address any issue the OIG identi?ed, we consider the recommendation ?resolved? but not yet closed. Upon completion of the requested action or receipt of the requested information, we will consider whether to close the recommendation. A. Background As described in Section II, the Reauthorization Act required the Attorney General to adopt minimization procedures for business records obtained pursuant to Section 215 orders. 50 U.S.C. 1861(g)(1). The Reauthorization Act de?ned ?minimization procedures" as: speci?c procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things to minimize the retention, and prohibit the dissemination, of non-publicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information. Id. at 5 1861(g)(2)(A). The Reauthorization Act required that the Attorney General adopt minimization procedures within 180 days of the enactment of the Reauthorization Act (that is, by September 5, 2006). Id. at 1861(g)(1). On September 5, 2006, the Attorney General signed and ?led with the FISA Court Interim Standard Minimization Procedures (Interim Procedures). The Interim Procedures adopted four sections of the FBI's National Security Investigation Guidelines (NSI Guidelines) and stated that the four sections were to be "construed" to meet the statutory de?nitions of minimization procedures contained in the Reauthorization Act.21 As stated in our March 2008 report, we found that the Interim Procedures failed to meet the requirements of the Reauthorization Act because the Interim Procedures did not provide FBI agents with speci?c guidance regarding the retention and dissemination of nonpublic U.S. person information. In response to our report, the then-Assistant Attorney General for N50 wrote a letter to the then-Inspector General stating that the Department would replace the Interim Procedures with standard minimization procedures ?speci?cally tailored to collection under Section 215.? 2? The four sections of the N51 Guidelines were: 1) Respect of Legal Rights; 2) Determination of US. Person Status; 3) Retention and Dissemination of Information; and 4) De?nitions. 13 The Final Procedures govern the retention and dissemination of information the FBI receives in response to Section 215 orders. According to the procedures, and as required by the Reauthorization Act, they are designed to ?minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information." In other words, Section 215 information concerning U.S. persons may be possessed, used, and disclosed by the FBI in accordance with the Final Procedures.22 The Final Procedures incorporate the de?nitions and a classi?ed directive for determining U.S person status established in the Attorney General Guidelines for Domestic FBI Operations The procedures do not apply to publicly available U.S. person information or to the handling of U.S. person information for which consent has been given, and generally do not apply to non-U.S. person information as discussed in more detail in Section 111.33., below. The ?Retention? section of the Final Procedures contains provisions that address how the FBI handles Section 215 information after it is received. These . The Retention section also identi?es where the information may be stored and the time periods in which the FBI can retain particular Section 215 material. In addition, the Retention section de?nes the conditions under which the FBI can retain and disclose information that has not been assessed as foreign intelligence information. FBI policies and procedures govern instances where the Final Procedures are silent. For example, the Final Procedures do not identify the time period in which the FBI is authorized to retain material produced in response to a Section 215 order that is determined to be foreign intelligence, necessary to understand foreign intelligence, or evidence of a crime. Therefore the time period for retaining this material is subject to applicable FBI policies, the Attorney General Guidelines, and the relevant National Archives and Records Administration procedures. l4 The Final Procedures also include a ?Compliance? section. According to this provision, the Attorney General is authorized to implement policies and procedures to ensure good faith compliance with the requirements of the Final Procedures, and NSD is required to review compliance with the Final Procedures. In order for NSD to perform this oversight function, the Final Procedures provide that NSD ?shall have access to all FISA [business records] material and other necessary information to facilitate minimization reviews and for all other lawful purposes." Similar language is contained in the minimization procedures for electronic surveillance and physical searches under FISA. The FBI has in the past taken the position, over the OIG's objections, that it was prohibited from disclosing FISA-acquired information to the OIG for oversight purposes because the Attorney General has not designated anyone in the OIG as having access to this information for minimization reviews or other lawful purposes, and because there were no speci?c provisions in the procedures authorizing such access. We, therefore, in connection with this review raised concerns about whether the FBI would apply a similar, and in our view erroneous, interpretation to the Final Procedures. As we describe below, NSD informed us that it included language in the General Provisions section of the Final Procedures that was intended to make clear that nothing in the procedures should be interpreted to restrict the access to FISA-acquired information needed for OIG reviews and investigations. In August 2013, the Department began to reference the Final Procedures instead of the Interim Procedures in Section 215 a lications and the FISA Court has since ranted such a B. Recommendations As described below, we concluded that with the Final Procedures the Department and FBI have addressed the three recommendations in the - 15 March 2008 report.25 We consider one recommendation to be closed. The other two recommendations are resolved but not closed so that the Department and FBI may consider clarifying certain aspects of the procedures in training materials, policy implementation guidelines, or future versions of the procedures. 1. Recommendation 1 - Resolved The FBI should develop procedures for reviewing materials received from Section 215 orders to ensure that it has not received information that is not authorized by the FISA Court orders. 25 As described in Section II, in a December 16, 2008, letter the FBI informed the 016 of a new Section 215 compliance requirement which was temporarily added to the 0106. The compliance requirement partially addressed two of our recommendations by requiring a review of Section 215 material before it was uploaded into FBI databases and creating a procedure for handling overproduced material. In an October 28, 2009, letter, the FBI informed the 016 that the Final Procedures would address all three of the 016's recommendations. 26 Accordingly, we consider this recommendation resolved but not yet closed in order to provide the FBI and the Department an opportunity to clarify in training or guidelines, or in any future versions of the procedures, that the Final Procedures ?initial review? requirement applies to metadata. 2. Recommendation 2 -- Closed The FBI should develop procedures for handling material that is produced in response to, but outside the scope of,r a Section 215 order. The Final Procedures include a rovision for handlin However the Final Procedures 27 25 After reviewini a draft of this reiortl NSD submitted comments in which it (Cont'cl.) 17 .23 NSD and NSLB attorneys told us that the scope of the exception will be addressed in the implementation guidelines. Because the FBI has developed procedures for the handling of overproduced material, the OIG considers this recommendation closed. 3. Recommendation 3 - Resolved The FBI should develop ?nal standard minimization procedures for business records that provide speci?c guidance for the retention and dissemination of U.S. person information. As described earlier, the Final Procedures are designed to ?minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information." In other words, Section 215 information concerning U.S. persons may be possessed, used, and disclosed by the FBI in accordance with the Final Procedures.? The procedures do not apply to publicly available information concerning U.S. persons or to the handling of information concernin U.S. ersons for which consent has been 29 As noted above, where the Final Procedures are silent on a matter, FBI policies and procedures control. 13 The Final Procedures incorporate the de?nitions and the classi?ed directive for determining the US person status of individuals contained in the AGG-DOM. As noted in the introduction, the de?nition of U.S. person under the statute includes U.S. citizens, permanent resident aliens, corporations incorporated in the United States, and associations substantiall com osed of We describe below speci?c guidance the Final Procedures provide for the retention and dissemination of nonpublic information that concerns U.S. persons produced in response to Section 215 orders. 21. Retention The time period for which the FBI is permitted to retain Section 215 material depends on the of material and how it is stored. Accordin to the Final Procedures that reasonably appears to be foreign intelligence, necessary to understand foreign intelligence information, or evidence of a crime. 19 b. Dissemination According to NSD and NSLB attorneys, personnel with authorized access to FISA databases must have completed training on the minimization procedures related to other FISA authorities but there is no current or anticipated requirement that they also receive training on the Section 215 minimization procedures.31 3? According to an NSLB Section Chief, persons with access to FISA material must have completed training on the minimization procedures that apply to full electronic surveillance and collections conducted under Section 702 of the statute. 2U FBI ersonnel with authorized access to FISA material may for the purpose of determining whether particular Section 215 material reasonably appears to be foreign intelligence information, necessary to understand foreign intelligence information, or evidence of a crime. As noted in Section II, the term ?foreign intelligence information" is de?ned by the FISA statute. The term ?necessary to understand foreign intelligence information" is not de?ned and during interviews, NSD attorneys and FBI case agents provided us a range of exam les of material that would uali under this criterion. The exam les Included The Final Procedures provide that after the above determination is made, Section 215 material may be accessible to ?33 However, the universe of personnel authorized to review FISA material is greater than the rou of individuals connected to an articular investi ation. 32 After reviewln a draft of our re ort NSD submitted comments to the 016 in which it We consider this recommendation resolved but not yet closed. As we recommended, and as the Reauthorization Act required, the FBI and Department developed ?nal standard minimization procedures for Section 215 material that provide speci?c guidance for the retention and dissemination of U.S. person information. However, we identi?ed several areas in the Final Procedures that we believe NSD and the FBI should consider clarifying in training or implementation guidelines for the rocedures or in an future versions of the Final Procedures. C. Handling of Metadata under the Final Procedures 35 After reviewin a draft of this re ort NSD submitted comments to the 016 in which it I Thus, under the terms of the ?Metadata Anal sis" rovision in the Final The FBI ma also use metadata We believe the treatment of metadata is important because of the increasin use of Section 215 authority to obtain large collections of metadata such as electronic communication transactional information, and transaction information described in Section V. The Final Procedures have been incorporated into Section 215 applications only since August 2013 and thus we have not reviewed their implementation. However, we have identi?ed two potential issues regarding the application of the metadata provisions that will require attention and oversight. First, we believe that it will be im ortant for NSD and the FBI to . With re ard to this of material and In the absence of other information .38 This raises the question of whether there are or a 33 In our September 2012 report, A Review of the Federal Bureau of Investiation?s Activities Under Section 702 of the FISA Amendments Act of 2008 we described . In that reort we described an examle (Cont?d.) 23 will be circumstances thus making the Final Procedures fully applicable to the material. For these reasons, we believe it will be im ortant that NSD and the FBI continue to evaluate the application of the particularly in circumstances where metadata contains information concerning U.S. persons, to ensure that the Final Procedures are applied appropriately and the information is handled responsibly. Second, the attention NSD and the FBI pay to the treatment of metadata will also be important because the type of information that is cate orized as metadata will likel continue to evolve and ex and. Metadata generally is considered to exclude the content of communications. However, NSD and NSLB attorneys told us that the terms used to de?ne metadata themselves lack standardized de?nitions and that applying them to rapidly changing technology can be difficult. Indeed, the US. Court of Appeals for the Ninth Circuit has recognized that there are circumstances where ?addressing information" one of the categories of metadata - may constitute content and therefore would likel have to be obtained with a warrant.39 We nevertheless believe that such decisions evidence the importance for NSD and the FBI of remaining cognizant of developments in this area in order to guard against the inadvertent request for or collection of metadata that is not authorized under Section 215 authority. D. Effect of Final Procedures on OIG's Access to FISA Information We also examined the provisions in the Final Procedures that pertain to the 016's access to Section 215-acquired information for purposes of conducting 39 In United Stated v. Forrester, 512 F.3d 500 (9th Cir. 2008), the Court held that IP addresses and to/from entries in e-mails are the Internet equivalent of dialed phone numbers and can be obtained without a warrant. The Court also suggested that a uniform resource locator (URL) address, which can identify the particular pages an individual browsed wlthin a website, is close to content in substance and thus, without deciding the issue, that the government would likely need a warrant to obtain such information. Id. at 510 n.6. 4? After reviewin a draft of this re ort NSD submitted comments to the OIG in which it 24 its reviews and investigations. As described above, the ?Compliance? section of the Final Procedures states that the Attorney General is authorized to implement policies and procedures to ensure good faith compliance with the requirements of the Final Procedures, and that NSD is required to review compliance with the Final Procedures. In order for NSD to perform this oversight function, the Final Procedures provide that NSD ?shall have access to all FISA [business record] material and other necessary information to facilitate minimization reviews and for all other lawful purposes.? Although the Final Procedures?r ?General Provisions" state that ?[n]othing in these procedures shall restrict the . . . lawful oversight functions of the NSD or the Department of Justice Of?ce of Inspector General," the Final Procedures do not expressly authorize the access to Section 215 material as they do NSD's access for purposes of compliance revuews. The FBI has previously asserted to the Department and the OIG its belief that unless the Attorney General speci?cally designates the OIG in FISA minimization procedures as part of the Department's oversight function, or the OIG is functioning as a law enforcement of?cial, the FBI is prohibited by the minimization procedures from disclosing FISA-acquired information to the OIG.41 However, the Inspector General Act of 1978, as amended, provides an independent basis for the OIG to obtain Section 215 and other FISA material for its investigations and reviews. In fact, we have received such material from the FBI in previous OIG reviews without any objection from the FBI, even though we were not designated by the Attorney General as part of the Department's oversight function, and were not functioning in a manner the FBI interprets as that of a law enforcement of?cial. Examples include our reviews of the FISA Amendments Act of 2008, the President's Surveillance Program, and our reviews of the FBI's use of Section 215 authority. In light of the FBI's previous stated position, we expressed our concern that a similar interpretation of the Final Procedures will prevent or impede the OIG's future ability to obtain the material necessary to review the Department?s use of FISA authorities. An interpretation of the Final Procedures to preclude our access to information necessary for future reviews of the Department?s use of Section 215 authority would be particularly problematic given that our prior Section 215 reviews exposed the Department?s noncompliance with the requirement to develop minimization procedures. Similarly, an interpretation of the Final Procedures that would require the Attorney General?s advance permission for the OIG to exercise its oversight authority would seriously undermine the independence of the Inspector General and be inconsistent with the dictates of the Inspector General Act. ?1 The FBI's assertion was based on its interpretation of the 2008 Standard Minimization Procedures for FBI Electronic Surveillance and Physical Search conducted under FISA and the 2006 Interim Standard Minimization Procedures for the production of tangible things under FISA. The ?Compliance? provision in the Final Procedures is similar to the oversight provisions in these other procedures. 25 In response to our concern, NSD informed us that the statement contained in the General Provisions section of the Final Procedures was speci?cally incorporated to make clear that nothing in the procedures should be interpreted to prohibit the access to Section 215-acquired information for its reviews and investigations. NSD had previously made similar revisions for the same purpose to the FBI's minimization procedures for electronic surveillance and physical searches, and acquisition of foreign intelligence information under Section 702 of FISA. The FBI's General Counsel confirmed to us that he agreed with NSD that there is nothing in the Final Procedures, or the other current FBI FISA minimization procedures, that would prohibit the OIG's access to FISA-acquired information. We also sought clari?cation from NSD and the FBI about the language in the General Provisions section, ?[n]othing in these procedures shall restrict the . . . lawful oversight functions" of the OIG (emphasis added). The FBI has in the past explained its disclosure to the OIG of FISA information acquired under Section 702 of FISA notwithstanding its position that the OIG is prohibited from obtaining other FISA-acquired information for oversight purposes - by suggesting that Section 702's authorization of an OIG review of the compliance with applicable targeting and minimization procedures constitutes speci?c congressional authorization of the access to Section 702 FISA information. The OIG has strongly disagreed with this distinction and we therefore sought clari?cation from NSD and the FBI that the phrase, ?lawful oversight functions," includes reviews and investigations the OIG conducts on its own initiative as well as reviews and investigations conducted at the request of members of Congress or as required or authorized by Congressional legislation. The NSD Deputy Assistant Attorney General for the Of?ce of Intelligence and the General Counsel informed us that they share our understanding of the phrase. E. Conclusion and Recommendation As described in this section, we recommended in our March 2008 report that the Department implement minimization procedures for the handling of nonpublicly available information concerning U.S. persons produced in response to Section 215 orders, as required by the 2006 Reauthorization Act. We also recommended that the FBI develop procedures for reviewing materials received in response to Section 215 orders to ensure that the materials do not contain information outside the scope of the FISA Court orders. Finally, we recommended that the FBI develop procedures for handling material that is produced in response to, but outside the scope of, a Section 215 order. We concluded that with the Final Procedures certi?ed by the Attorney General in March 2013 the Department and FBI have fully implemented one of the three recommendations from our March 2008 report and we consider it closed. The other two recommendations are resolved but not closed so that the Department and FBI may consider clarifying aspects of the procedures that we identi?ed above in training materials and policy implementation guidelines, or in any future versions of the Final Procedures. We will consider closing the 26 remaining two recommendations upon receiving the Department's and the FBI's responses to this report. The Final Procedures ful?lled a signi?cant requirement of the 2006 Reauthorization Act. The Final Procedures are also the Department?s response to the 016's 2008 ?nding that the Interim Procedures failed to meet the requirements of the Reauthorization Act. Nevertheless, we believe that in light of the importance of minimization procedures to the Department's authority to use Section 215, the Department should have met its statutory obligation considerably earlier than March 2013.42 The Final Procedures have been incorporated into Section 215 applications only since August 2013 and thus we have not reviewed their implementation. However, we have identi?ed two potential issues regarding the application of the metadata provisions that will require attention and oversight. In addition, we established that nothing in the Final Procedures restricts the access to Section 215-acquired information if it is needed as part of the reviews and investigations, including for oversight purposes. In this regard, the language described above in the General Provisions section of the Final Procedures, and similar language incorporated into other FBI minimization procedures, appears to resolve what we believe has been a misguided interpretation of minimization procedures and the Inspector General Act by the FBI. IV. OVERVIEW OF SECTION 215 ORDERS ISSUED FROM 2007 THROUGH 2009 In this section we provide an overview of Section 215 applications and orders issued from 2007 through 2009. We describe the number of Section 215 applications ?led and orders obtained, the type of information requested, the number of FBI of?ces that used the authority, and the types of investigations in which Section 215 orders were sought. We also provide information about the number of Section 215 applications and orders in which US. persons were the subject of the underlying investigations. ?2 After reviewing a draft of this report, NSD submitted comments in which it stated our conclusion does not recognize the efforts the Department made over the years to craft new procedures, including extensive interaction with the FISA Court on drafts of the procedures. While we agree that some of the time was attributable to the Department's interaction with the FISA Court, we found a signi?cant amount of the delay is attributable to the Department, speci?cally to disagreements between the FBI and NSD over the new SMP provisions as described in part in our last Section 215 report. These disagreements continued after issuance of that report, and the parties asked the Attorney General's Of?ce to intervene in 2010. The resulting SMPs were subsequently presented to and rejected by the FISA Court, which resulted in additional discussions within the Department. 2? A. The Number of Section 215 Applications During the eriod from 2007 through 2009, the FISAMS showed that NSLB processed requests for Section 215 Of these, 51 were formally submitted to the FISA Court for approval: 17 in 2007, 13 in 2008, and 21 in 2009. The remaining ?requests were withdrawn before being presented to the FISA Court. Of these withdrawn requests, I were withdrawn before being sent to NSD for review and I were withdrawn after NSD review. According to NSD, no applications were withdrawn after a read copy was presented to the FISA Court.?4 Each of the 51 Section 215 applications formally submitted to the FISA Court was approved. In total, between 2002 and 2009, 83 Section 215 applications were processed and formally submitted to the FISA Court. Each of the 83 applications was approved, as indicated in Table 3.1. TABLE 3.1 Section 215 Orders Issued by the Foreign Intelligence Surveillance Court 2002 2003 2004 2005. 2006 2007 2008 2009 Total Total to and the FISA Court number of applications submitted approved Source: NSD and FBI B. An Overview of I of the 51 Section 215 Orders Issued by the FISA Court in 2007 through 2009 As described above, the FISA Court issued 51 Section 215 orders in 2007 through 2009. The FBI submitted I of these applications ?3 The FISAMS electronically tracks the status of the Section 215 requests from the time the Section 215 request is entered into the system until it is either signed by the FISA Court or withdrawn. 4? NSD of?cials informed us that in addition to the Section 215 applications formally submitted to the FISA Court in 2008 the De artment rovided the FISA Court with a ro osed Section 215 a 28 as art of counterterrorism programs NSA's bulk collection of tele hon metadata from certain telecommunications service roviders. discuss in Section VI. With respect to the remaining applications, all of which were ?led on behalf of the FBI, we provide a description immediately below. 1. Types of Records Requested in Section 215 Orders Filed on Behalf of the FBI We compiled the types of business records that were sought in the I Section 215 orders ?led on behalf of the FBI. Table 3.2 shows the types of records identi?ed in the Section 215 orders, as well as the number of requests for each type of record. TABLE 3.2 Records Requested in Section 215 Orders Filed on Behalf of FBI Issued in 2007 through 2009 Source: NSD and FBI In total, I different types of records were requested in the I Section 215 orders ?led on behalf of the FBI. of the I Section 215 applications requested material related to internet activities. 2. FBI Field Offices that Submitted Requests for Section 215 Orders in 2007 through 2009 The OIG analyzed the number of FBI ?eld of?ces that requested and received Section 215 orders in 2007 through 2009. We determined that 13 of 29 the FBI's 56 ?eld of?ces (23 percent) requested the Section 215 orders ?led on behalf of the FBI during this period. 3. Types of Investigations from which Section 215 Requests Originated We also examined the es of investigations from which Section 215 applications originated. The Section 215 applications originated from counterintelligence (CI), counterterrorism (CT), cyber, and positive foreign intelligence (PFI) investigations. According to FISAMs, I Section 215 applications ori inated from C1 investigations, I originated from CT investigations, i originated from cyber investigations, and I originated from a PFI investigation.45 TABLE 3.3 Types of Investigations from which Section 215 Applications were Submitted to and Approved by the FISA Court -Case Type Totals; I PFI Source: NSD and the FBI 4. Subjects of Section 215 Applications We determined the number of Section 215 applications in which at least one subject of the underlying investigation was identi?ed as a U.S. person. We relied on the ?nal Section 215 applications or orders for this information.46 Of the I applications from which we compiled this data, we found that I applications or orders identi?ed the subjects of the underlying investigations as US. persons and I applications or orders identi?ed the subjects of the 45 . DIOG 9.1. 30 underlying investigations as non-U.S. persons. In I of the I applications that identi?ed the subject of the a lication and underl in investi ation as a non- U.S. erson the sub'ect . These applications involved cyber investigations. As described in Section II in these instances the Interim Procedures rovided that The number of U.S. persons identi?ed in these applications as the subjects of the underlying investigations is not equivalent to the number of U.S. persons about whom information was collected in response to the Section 215 orders. There are three reasons for this. First, the number of persons identi?ed as subjects in the applications does not include U.S. persons whose records were targeted by the Section 215 order but who were not themselves subjects of the underlying investigation. For exam le related Section 215 a lications we reviewed requested Another Section 215 a Second the classi?ed directive for determinin U.S. erson status rovides that . We reviewed related Section 215 a lications that requested subscriber and transactional information for e-mail accounts from U.S. providers. Third, the ?gure does not re?ect the number of U.S. persons whose information was included in the production compelled by the Section 215 order, but who were neither the subjects of the underlying investigations nor the identi?ed targets of the Section 215 a lication. For exam le we reviewed a V. SELECTED SECTION 215 ORDERS OBTAINED IN 2007 THROUGH 2009 In this section we describe several Section 215 applications and orders obtained by the FBI between 2007 and 2009. We selected these matters to illustrate various uses of Section 215 authority. For each selected use, we summarize the underlying investigation, describe the material requested, and 4? The bulk include millions of records of U.S. persons who are neither the subject of nor associated with the subjects of national security investigations. 31 identify modi?cations to or notable issues regarding the application and order. We then describe, where applicable, the material produced in response to the order, how the material was used, and any compliance incidents. We did not attempt to independently evaluate the value or use of the materials produced in response to the Section 215 orders. We present the examples in chronological order. We conclude the section with a summary of our examination of the use of Section 215 authority. A. Selected Uses of Section 215 Authority 1- Request for (Section 215 Order Issued January 2007) An FBI a ent submitted a Section 215 request for in a counterintelli ence investi ation. Accordin to the a lication the FBI initiated the investi ation when it teamed that in the United States and offered to sell stolen parts of a nuclear converter. The unidenti?ed caller stated that the Oak Rid National Laborato in Tennessee. . This was an expedited Section 215 application that was approved by the FISA Court 3 days after the FBI sent the request to NSD.49 The same day the FISA Court issued the Section 215 order, the Department ?led a notice of misstatement of a material fact with the FISA Court. The notice corrected a statement in the a lication re arding the basis of the knowledge that . The Section lication stated that the FBI knew ?9 Unlike other FISA authorities, the Section 215 statute does not include a provision for emergency requests. However, the Department and the FISA Court have established a process to expedite Section 215 requests when necessary. 32 -. The notice did not include an explanation for the discrepancy. The FBI agent who submitted the Section 215 request is no longer with the FBI and we did not interview him. However FBI documents indicate that . The caller eventually pled guilty to unlawful disclosure of restricted data under the Atomic Energy Act, in violation of 42 U.S.C. 2274(b). According to the FBI, the Section 215 information was not used in the criminal proceeding. 2. Request for Electronic Communications Transactional Records (Section 215 Orders Issued May 2009) An FBI agent submitted a Section 215 re uest for subscriber and transactional records The NSLB attorney who drafted the a lications told us that the a ent sou ht the Section 215 orders to . As the e-mail addresses were from three different major U.S. e-mail providers, the Department submitted three separate applications and orders to the FISA Court. These Section 215 applications were unusual because they sought information the FBI routinely requested through National Security Letters (NSL) under the Electronic Communications Privacy Act (ECPA), 18 U.S.C. 2709. ECPA authorizes the FBI to use an NSL to obtain subscriber and ?electronic communication transactional records" from e-mail providers. The NSLB attorney said that he sou ht Section 215 orders instead of ECPA NSLs for two reasons. First 33 The second reason the NSLB attorne indicated that the FBI sou ht Section 215 orders was because After reviewing the ?read? copy of the Section 215 applications the FISA Court throu the le al advisor identi?ed three concerns. First . Accordin the draft a lications and orders 5 eci?ed that the business records . As described earlier, the Interim Procedures (which simply incorporated provisions from the N51 Guidelines rovided that in the absence of other information The NSLB attorney told us that to address the second and third concerns, the FISA Court judge asked 5? These Section 215 a 2009. Be in 2010 lications were drafted in Februa . We describe further in the 2014 report, A Review of the FBI ?5 Use of National Security Letters: Assessment of Corrective Actions and Examination of NSL Usage from 2007-2009. We recommend in that report that the Department revive its efforts to bring about a legislative amendment to ECPA that will define the categories of electronic records that fall within the scope of the statute. 34 su ested that . The 'ude also asked .51 The NSD and FBI attorneys agreed and the FISA Court judge issued the orders. Because NSLB was concerned about the scope of the FISA Court's expectations, the FBI did not immediately serve the orders. Instead, the Department ?led a notice with the FISA Court identifying the additional minimization procedures that the FBI would apply to the retention and dissemination of US. person information contained in the production. NSD and NSLB attorneys collaborated on the additional minimization procedures. After the additional procedures were ?led and approximately 5 weeks after the orders were issued, the FBI served the Section 215 orders. Notably, the additional procedures introduced ?investigative value? as the standard for allowing persons unconnected with the underlying investigation access to material received in response to the Section 215 order. ?Investi ative value" was de?ned in the rocedures . The procedures speci?ed that material that was determined to be of such ?investigative value" could be uploaded into FBI databases and made available to persons authorized to access those databases. The rocedures allowed the FBI to "52 . The reort stated 5? As described in Section II, in June 2009 other FISA Courtjudges began issuing Supplemental Orders imposing similar reporting requirements. 52 As noted above, an attorney in the FBI's Of?ce of General Counsel informed us that national security investigative records are generally maintained for 30 years after case closure at which time they are reviewed and either destroyed or transferred to the National Archives and Records Administration according to the approved retention schedule. 35 The second re ort . Accordin to the re ort re ort did not state The second reort also stated . The reort stated An FBI case agent told us that the information produced to the FBI in res onse to the Section 215 order was useful. The a ent said that 3. Re uest for Records Relating to (Section 215 Order Issued June 2009) An FBI aent submitted a Section 215 reuest in a counterterrorism . The Section 215 a lication souht customer information The Department ?led a read copy application in February 2009. Upon reviewin the read co the FISA Court noti?ed the De artment that 36 . In this matter, because accordin to a case a ent Department?s ?nal Section 215 a Iication and order ?led in June 2009 chan ed the status of the The FISA Court issued 3 Supplemental Order to the Department in addition to the Section 215 orders to the com anies. The Su lemental Order re uired the De artment lemental Order re uired the De artment to include information about the The Department ?led in res onse to the Su - lemental Order in this case. The ?rst re orts described . Accordin to the reorts 5? The second re ort stated . We brought these issues, and several other apparent factual inaccuracies in to NSD's attention. In response, NSD reviewed the matters, consulted with the FBI, and then sent a June 13 2013 letter to the FISA Court advisin it of the inaccuracies. With res ed: to this matter 37 The re orts also stated 55 The case agents summarized the information in Electronic Communications (EC) reports that were ?u loaded retained and disseminated" in ACS. According to the ?rst . The FBI made this ?nding with respect to the companies that provided records responsive to the Section 215 order as well as to those that informed the FBI that the had no res onsive records.56 The second re ort did not FBI case agents stated that Section 215 authority and the information produced to the FBI in response to the orders were useful. The initial case a ent stated that the Section 215 tool was valuable because it allowed him to . The agent assi ned to the case when the Section 215 records were received stated that 4- Request for (Section 215 Order Issued July 2009) An FBI a ent submitted a Section 215 request for a US. person?s from a rivate em lo er in a reliminary counter-terrorism investi ation. . the time the Section 215 order was re uested the subiect 55 With re ard to one com an that roduced records the second re ort failed to indicate whether 5'5 According to the underl in Section 215 a lication the FBI had conducted FISA Courtr authorized electronic surveillance 38 sou ht the information The Department ?led the read copy application with the FISA Court in June 2009. Upon reviewin the read co a lication the FISA Court legal advisor noted that . As described in Section II, Section 215 requests for medical and educational records must be authorized by the FBI Director, Deputy Director, or Executive Assistant Director for the FBI's National Security Branch. In July 2009, the Department ?led the ?nal Section 215 a lication with The FISA Court approved the Section 215 application and order and also issued a Su lemental Order that re uired the Department . The De artment?s re ort stated . The FBI retained all of the records. Accordin to the re ort the reduction included was ?foreign intelligence information or was to understand forei intelli ence information." The . Accordin to the re ort stated that the . The re orl: stated that .57 The ?rst erroneously stated that . This was one of the errors we identified during our review that was [Cont?d.) 39 reason was that . The second reason was that The case agent who submitted the Section 215 request told us that one of the ECs that he uploaded into ACS contained his anal sis of the ent stated that . The aent also told us that An FBI anal st stated that she loaded an EC into ACS with her The aent to whom the case was transferred said that The aent also told us that . The aent said that . According to the FBI EC closing the preliminary investigation, the ?eld of?ce determined that the US. person subject had ?no nexus to terrorism." 5. Request for (Section 215 Order Issued November 2009) An FBI a ent submitted a Section 215 re uest _58 subsequently corrected in the June 13, 2013, letter NSD ?led with the FISA Court that we discussed above in footnote 45. In the letter NSD 5? As described in Section IV, the FBI conducts PFI investigations to collect information for the US. intelligence community. PFI investigations are distinct from FBI criminal or national security investigations, and are predicated on foreign intelligence collection requirements (Cont?d.) 4o The agent said that once the investi ation was 0 ened he initiall considered usin an NSL . This was the FBI's ?rst PFI Investigation to use Section 215 authority. The Section 215 a lication stated that . The a lication stated that . The a lication also stated that The Section 215 order requested account information and electronic communication transactional records The case agent who reviewed the Section 215 material told us that in . The case aent stated that . She told us the electronic ?le was placed in the case ?le and identi?ed in an EC that was uploaded to ACS. The case a ent also told us that . Accordin to the case aent PFI said that . The aent said that . The aent told us that . The case aent for this . She said that established by speci?ed authorities such as the President, Attorney General, or Director of National Intelligence. . We describe the FBI's use of this authority in our forthcoming report, A Review of the FBI '5 Use of Pen Register and Trap and Trace Device Authority under FISA in 2007-2009. 41 6. Request for (Section 215 Order Issued December 2009) An FBI agent submitted a Section 215 request for in a counterintelligence investi ation of ber network ex loitation.?50 Before ?lin the re uest the FBI had . Through this Section 215 application the FBI sou ht to obtain . The Section 215 order re uired the roduction of This Section 215 order was After ?ling the read copy application, NSD attorneys met with the FISA Court legal advisor to discuss speci?c concerns regarding the application. Among other questions, the legal advisor re uested additional information re ardin the manner in which . In res onse to these concerns the ?nal Section 215 a order stated that . With regard to the legal advisor's question re ardin the FBI's the ?nal a lication also stated that . The FISA Court granted the ?nal application as modi?ed and issued a Supplemental Order requiring a report to the FISA Court as discussed above. The case agent stated that in resonse to the Section 215 order the document identi?ed in the Section Accordin to the Department's ?led with the FISA Court, the i did not include any non-publicly available U.S. person information and thus was not subject to minimization procedures. The case aent told us that this use of Section 215 authorit was effective because .52 In addition the aent said that ?1 The case agent told us that he could not locate the original Section 215 production and that it appeared that the original return was never placed In the case ?le. However, the agent stated that the FBI has an electronic copy of the return. 62 We also discuss the FBI's use of FISA's pen register authority to obtain - in our forthcoming report, A Review of the Federal Bureau of Investigation?s Use of Pen Register and Trap and Trace Devices under the Foreign Intelligence Surveillance Act in 2007 through 2009. 43 However, the agent stated that and that he did not follow up on the information received because of other investigative iriorities and his transfer to a different FBI ?eld of?ce. The agent told us that which is what he had hoped that this Section 215 order would have produced. B. Summary of Findings Our review of the matters detailed in this section resulted in agents describing for us the use of Section 215 authority in a manner that was consistent with what we were told during our last two reviews. For example, agents and attorneys told us that Section 215 authority continues to be a valuable investigative tool. Agents said they relied on Section 215 authority when companies would not voluntarily produce the material sought by the FBI and when the material was not available through other investigative authorities. The agents we interviewed did not identify any major case deveIOpments that resulted from the records obtained in response to Section 215 orders, but told us the authority is valuable when it is the only means to obtain certain information. As described in this section, agents told us that the material produced pursuant to Section 215 orders was used to support other investigative requests, develop leads, and corroborate information obtained from other sources. As previously noted, we did not attempt to independently evaluate the value or use of the materials produced in response to the Section 215 orders. We also identi?ed in this review, as we did in our prior reviews, several instances where the Department or the FISA Court modi?ed Section 215 applications or orders.63 For example, the FISA Court questioned in four a lications three applications were related) whether the of individuals whose records were sought had been properly applied. The Department responded by changing the status of the target in one of the applications and an NSLB attorney told us that with regard to the three related applications, he believes that the legal advisor's concerns were addressed by the implementation of additional minimization procedures. The Department also made revisions to applications following discussions with the FISA Court that had the effect of speci?cally excluding particular categories of records and limiting the scope of the requests to ensure that only non-content information was produced in response to the orders from electronic service providers to the public. We believe that the most signi?cant modi?cation made during the 2007- 2009 period was the FISA Court?s general practice, beginning in June 2009, of 53 As noted in our previous reports, NSD considers modi?cations to be limited to any changes by the FISA Court after the Department ?led the ?nal application and order. NSD does not consider revisions to applications and orders made at the request of the FISA Court after It reviewed read copies to be modi?cations. In this review, we considered any revision to a Section 215 submission - whether after the review of the read copy or after ?nal submission - to be a modi?cation. 44 issuing Supplemental Orders in Section 215 matters. As described in this section and Section II, these orders required the Department to report to the FISA Court on the implementation of the Interim Minimization Procedures to U.S. person information received in Section 215 roductions. Each We reviewed each of the reports ?led in the Section 215 matters we examined. According to the reports, the FBI retained nearly all of the material produced in response to the Section 215 orders and disseminated material to persons unconnected with the underlying investigation that was determined to be ?foreign intelligence information" or ?necessary to understand foreign intelligence information." The reports indicated that disseminations were made to individuals authorized to access the FBI's electronic case management systems, other U.S. intelligence agencies, and foreign governments. As described in this section, we identi?ed factual inaccuracies the Department made in several of the reports we reviewed, including incorrectly identifying the number of U.S. persons in a document and providing the FISA Court with incorrect information regarding the quantity and type of material produced in response to an order. We informed NSD of the inaccuracies we identi?ed and, after reviewing the instances and consulting with the FBI, NSD sent a June 13, 2013, letter to the FISA Court identifying the errors. We found the Supplemental Orders signi?cant because the practice began almost three years after the Department was required by the Reauthorization Act to adopt speci?c procedures to govern the retention and dissemination of nonpublicly available information concerning U.S. persons produced in response to Section 215 orders, and over a year after we found that the Interim Procedures that the Department had implemented in September 2006 failed to meet the requirements of the Reauthorization Act and recommended that the Department take steps to address the issue. Yet, it was not until March 2013 that the Department ?led with the FISA Court ?nal minimization procedures speci?cally tailored to Section 215 collections and not until August 2013 that the Department began to ?le Section 215 applications with the FISA Court which stated that the FBI would apply the ?nal minimization procedures to the Section 215 productions. In Section of this report, we describe aspects of the ?nal minimization procedures that are relevant to the recommendations we made in our last report about the use of Section 215 authority. Some of the issues identi?ed in our review of the reports ?led in response to Supplemental Orders, such as the broad application of the term ?foreign intelligence information" and the meaning of ?necessary to understand foreign intelligence information," ?gure prominently in the rules about retention and dissemination set forth in the ?nal minimization procedures. 45 A. Bulk Telephony Metadata 1. Background On May 23, 2006, the US. Department of Justice ?led an application with the FISA Court seeking a Section 215 order requiring the production of certain records to the NSA. Speci?cally, the application sought telephone call-detail records, also known as telephony metadata, relating to all telephone communications maintained by certain telecommunications providers. The records were sou ht for investi ations a ainst international terrorism concerning the activities of* persons in the United States and abroad. In the 016's second report about the FBI's use of Section 215 authority, A Review of the FBI ?5 Use of Section 215 Orders for Business Records in 2006 (March 2008), we provided an appendix that summarized the May 23, 2006, FISA application, the FISA Court's May 24, 2006, order authorizing the collection, and the subsequent modi?cations to and renewals of the order. In the report, A Review of the Department of Justice?s Involvement with the President?s Surveillance Program (July 2009), we also described the application and order, as well as signi?cant compliance incidents related to the order that the Department reported to the FISA Court in January 2009. In this section of the current report, we include a summary of the May 2006 application and order and signi?cant compliance incidents that draws from the descriptions contained in our March 2008 report about the use of Section 215 authority and in our January 2009 report concerning the President's Surveillance Program. In addition, we describe signi?cant changes to the order or compliance incidents involving the collection or use of the metadata since 2009, and the current status of the order. Much of the information contained in this section was declassi?ed and made publicly available by the Of?ce of the Director of National Intelligence in the months following the public disclosures of classi?ed information beginning in June 2013. 2. May 23, 2006, Section 215 Application The records sought by the FBI on behalf of the NSA in the May 23, 2006, Section 215 application were all telephone call?detail records, or telephony metadata, maintained as business records by certain telecommunications carriers. The application sought the production of metadata on an ongoing basis for the duration of the period covered by the Court order. This metadata is a de?ned term in the application and essentially consists of routing information that includes the originating and terminating telephone number of each call, and the date, time, and duration of each call. Telephony metadata does not include the substantive content of any communication or the name, address, or ?nancial information of a subscriber or customer. According to the application, the vast majority of the telephony metadata provided to the NSA was expected to involve communications that were (1) between the United States and abroad, or (2) wholly within the United States, including local telephone calls. The purpose of this bulk collection of data, as explained in the application, was to allow metadata analysis, which the application called a signi?cant tool available to the U.S. government in its con?ict with According to the application, the call-detail records provided to the NSA on an ongoing basis would be placed In an archive. The NSA could then run ueries? against this archive to identify . The queries would attempt to identi communications links to individuals reasonably suspected of being an intelli ence techni ue known as ?contact chainin According to the application, the telephone numbers selected by the NSA to query the archive would be known telephone numbers for which, ?based on the factual and practical considerations of everyday life on which reasonable and prudent persons act, there are facts giving rise to a reasonable articulable suspicion that the telephone number is associated with terrorist organization,? provided that a telephone number believed to be used by a U.S. person will not be regarded as associated with the Foreign Powers solely on the basis of activities protected by the First Amendment to the Constitution. The FISA application stated that the Section 215 order over the course of a ear would result in the collection of telephony metadata ertaining to - telephone communications (approximately call-detail records per day), including records of communications of US. persons located within the United States who were not the subjects of any FBI investigation. The stated justi?cation for this broad collection was the determination that a data archive was needed for the NSA to erform anal sis to ?nd known operatives and to identify unknown operatives terrorist organization, some of whom may be in the United States or in 47 communication with U5. persons. The application stated that the primary advanta of metadata analysis - the ability to identify past connections and - was possible only if the NSA ?has collected and archived a broad set of metadata that contains within it the subset of communications that can later be identi?ed as According to the application, the NSA estimated that only a tiny fraction (0.000025 percent or one in four million) of the call detail records included in the archive were expected to be analyzed. The results of any such analysis would be provided, or ?tipped,? to the FBI or other federal agencies. The application stated that the NSA expected to provide on average approximately two telephone numbers per day to the federal agencies. The application also stated that the FBI would handle tipped information in a manner consistent with the Attorney General's Guidelines for FBI National Security Investigations and Foreign Intelligence Collection. The FISA application proposed restrictions on access to, and the processing and dissemination of, the data collected. The restrictions included the requirement that queries be approved by one of seven NSA of?cials or managers, and that queries only be performed with telephone numbers for which there was a reasonable, articulable suspicion that they were associated with terrorist organization. In addition, the application stated that the OGC would review and approve proposed queries of telephone numbers reasonably believed to be used by US. persons, and that prior to disseminating any US. person information outside the NSA, the designated NSA of?cial must have determined that the information is related to counterterrorism information and is necessary to understand the counterterrorism information or assess its importance. The application also pointed to several mechanisms for oversight of the use of metadata, including the creation of a capability to audit NSA with access to the metadata, and the destruction of collected metadata after a period of 5 years. The application also stated that the Director of the NSA would inform the Congressional Intelligence Oversight Committees of the FISA Court's order, if granted, requiring the communications carriers to produce the call-detail records. ?5 The application to obtain call detail records in bulk relied on the precedent established by a July 2004 FISA Court opinion and order authorizing the government to obtain Speci?ed categories of metadata in bulk from Internet communications. The OIG previously described this authorization and its implementation in our July 2009 report, A Review of the Department of Justice?s Involvement with the President?s Surveillance Program, and the authorization is also described in the 016's forthcoming report, A Review of the FBI ?5 Use of Pen Register and Trap and Trace Device Authority under FISA in 2007-2009. The FISA Court stated in its July 2004 opinion and order authorizing the bulk collection of Internet communications metadata that the FISA statute's "relevance" requirement is a relative! low standard and that in evaluating whether bulk metadata is ?relevant? to an investigation intoh groups, ?deference should be given to the fully considered judgment of the executive branch in assessing and responding to national security threats and in determining the potential signi?cance of intelligence-related information." The government cited this precedent in the bulk Section 215 application, statln lust as the bulk collection of e-mail metadata was relevant to FBI investigations into i so is the bulk collection of telephony metadata described herein.? 4B 3. May 24, 2006, FISA Court Order The FISA Court approved the Department?s Section 215 application on May 24, 2006. The Court found that there were reasonable grounds to believe that the records sought the telephony metadata were relevant to authorized investigations being conducted by the FBI to protect against international terrorism. The Court's order also incorporated each of the procedures proposed in the government's application relating to access to and use of the archived metadata. This included a requirement that any application to renew or reinstate the authority for the bulk collection Include a report describing: (1) the queries made since the order was granted; (2) the manner in which the procedures relating to access and use of the metadata were applied; and (3) any proposed changes in the way in which the call detail records would be received from the communications carriers. The Court?s order was accompanied by - secondary orders to the telecommunications providers directing each to produce the records identi?ed in the order and to continue producing such on an ongoing daily basis for the duration of the order, which was set to expire on August 18, 2006. 4. Modifications to and Renewals of the May 24, 2006, FISA Court Order On August 8, 2006, the FBI presented to the FISA Court a Veri?ed Motion for an Amended Order authorizing the use of the telephon metadata ?to rotect a ainst the threat of international terrorism osed persons in the United States and abroad.? The terms of the rior Ma 23 a lication and May 24 order had been limited to terrorism organizations. The proposed modi?cation would allow the NSA also to uery the archive of tele hon metadata for information associated with persons in the United States and abroad. The government's motion asked that all other provisions of the FISA Court?s May 24, 2006, order remain in place. The motion was supported by a declaration of the Director of the National Counterterrorism Center describin the use of telephone communications by . The Court granted the government's motion for an amended order on August 8, 2006. On August 18, 2006, the FBI ?led a renewal application requesting that the FISA Court authorize the continued collection of the telephony metadata authorized in the May 24, 2006, order, as amended by the Court's August 8, 2006, order. However, the August 18 application modi?ed the prior applications in a few respects, including a request that the FISA Court increase the number of individuals at the NSA authorized to approve queries of the telephony metadata from seven to ei ht and that the FISA Court authorize the collection and use of i information that the telecommunications providers were sometimes including in the bulk data provided to the NSA. The August 18 application also included the report required by the FISA Court's May 24, 2006, order describing the queries that had been made since the May 24 49 order was granted and the manner in which the procedures relating to access and use of the metadata had been applied. The Court approved the government's August 18 application the same day it was ?led and issued the accompanying secondary orders to the communication carriers. The August 18, 2006, order was set to expire on November 15, 2006. On November 14, 2006, the FBI ?led a renewal application requesting that the FISA Court reauthorize the collection of the telephony metadata authorized in the August 18, 2006, order. The renewal application included a notice that two additional organizations had recently been determined to be af?liated with and that the NSA expected to provide an average of approximately telephone numbers per day to the FBI, an increase of from the estimate provided in the May 23, 2006, application. The November 14 application also included the report required by the FISA Court's May 24, 2006, order describing the queries that had been made since the August 18 order was granted and the manner in which the procedures relating to access and use of the metadata had been applied. The Court approved the government's application on November 15, 2006, and issued the accompanying secondary orders to the communications carriers. Since that time, the government has ?led additional renewal applications at approximately 90-day intervals. Each of these applications has been approved by the Court, most recently on February 26, 2015.55 5. Non-Compliance with Section 215 Orders The FISA Court drastically changed the authority previously granted to NSA by the March 2009 order for several months following the government?s disclosure of incidents involving the NSA's failure to comply with the terms of the Court's prior orders. On January 9, 2009, representatives from NSD attended a brie?ng at the NSA concerning the telephony metadata collection. During the course of this brie?ng, and as con?rmed by the NSA in the days that followed, the Department came to understand that the NSA was querying the telephony metadata in a manner that was not authorized by the FISA Court's Section 215 orders. Speci?cally, the NSA was on a daily basis automatically querying the metadata with thousands of telephone identi?ers from an ?alert list? that had not been determined to satisfy the_reasonable articulable suspicion (RAS) standard the Court required be met before the NSA was authorized to ?access the archived data? for search or analysis purposes.?57 ?5 In June 2007, the government sought approval to add the terrorist organizations as targets of the Section 215 collection. The FISA Court granted his request on June 14 and then incorporated these groups into the FISA Court?s July 25, 2007, order. 57 The term ?telephone identi?er? used by the government means a telephone number as well as other unique identi?ers associated with a particular user or telecommunications device for purposes of billing or routing communications. SCI The alert list contained telephone identi?ers that were of interest to NSA counterterrorism responsible for tracking the targets of the Section 215 orders. The list was used to compare the incoming telephony metadata obtained under FISA authority, as well as other NSA sources of signals intelligence collection (collection authorized under Executive Order 12333, for example), and alert the NSA if there was a match between a telephone identi?er on the list and an identi?er in the incoming data. Under the procedures the NSA had developed to implement the Section 215 authority, alerts (or matches) generated from roved identi?ers could be used to automatically conduct contact chaining of the telephony metadata. However, automated analysis for alerts generated by non-RAS approved identi?ers were not permitted; instead the alerts were sent to to determine whether contact chaining was warranted in accordance with the RAS standard. On January 15, 2009, the Department noti?ed the FISA Court that the NSA had been accessing the telephony metadata with non-RAS approved identi?ers. As of that date, only 1,935 of the 17,835 telephone identi?ers on the alert list were On January 28, 2009, the Court issued an order stating that it was ?exceptionally concerned about what appears to be a flagrant violation of its Order in this The Court required the government to ?le a brief to ?help the Court assess whether the Orders in this docket should be modi?ed or rescinded; whether other remedial steps should be directed; and whether the Court should take action regarding persons responsible for any misrepresentations to the Court or violation of its Orders, either through its contempt powers or by referral to appropriate investigative of?ces." The Court also required the government to address several additional speci?c issues, including who knew that the alert list being used to query the metadata included identi?ers that had not been determined to meet the RAS standard, how long the ?unauthorized querying" had been conducted, and why none of the entities the Court directed to conduct reviews of the metadata collection program identi?ed the problem earlier.? On February 17, 2009, the government responded to the Court?s Order and acknowledged that the previous descriptions to the Court of the alert list process were inaccurate and that the Section 215 Order did not authorize the government to use the alert list in the manner that it did. The government described for the Court in detail how the NSA developed procedures in May 2006 to implement the Section 215 authority that resulted in the NSA querying the 5? Following the Department?s notice to the Court, the NSA attempted to complete a software ?x to the alert process so that ?hits? against the telephony metadata generated by non- RAS-approved telephone identi?ers were deleted and that only ?hits? generated by PAS-approved identi?ers were sent to NSA for further analysis. The NSA also attempted to construct a new alert list consisting of only RAS?approved telephone identi?ers. However, the implementation of these modi?cations was unsuccessful and on January 24, 2009, the NSA shut down the alert process completely. ?9 The entities directed to conduct such reviews under the Section 215 Orders were the NSA's Inspector General, General Counsel, and Signals Intelligence Directorate Oversight and Compliance Office. 51 telephony metadata with non-RAS approved telephone identi?ers for over two years in violation of the Court?s orders, and how those procedures came to be described incorrectly to the Court. According to the government, the situation resulted from the NSA's interpretation of the term ?archived data" used in the Court?s orders and the mistaken belief that the alert process under the Section 215 authority operated the same as the alert process under the Pen Register and Trap and Trace authority.70 The government told the Court that ?there was never a complete understanding among key personnel" who reviewed the initial report to the Court describing the alert process about what certain terminology was intended to mean, and that ?there was no single person who had complete technical understanding of the [business records] FISA system architecture." The government argued that the Section 215 orders should not be rescinded or modi?ed ?in light of the signi?cant steps that the Government has already taken to remedy the alert list compliance incident and its effects, the signi?cant oversight modi?cations the Government is in the process of implementing, and the value of the telephony metadata collection to the Government?s national security Among the several measures the government highlighted to the Court was the NSA Director's decision to order ?end-to-end system engineering and process reviews (technical and operational) of handling of [telephony] metadata.? Less than 2 weeks after the government ?led the response summarized above, the government informed the Court that the NSA had identi?ed additional compliance incidents during these reviews." 7? The NSA understood the term ?archived data? In the Court's Order to refer to the analytical repository for the telephony metadata. As the term is normally used by the NSA, ?archived data" excludes the processing steps the NSA uses to make raw collection of signals intelligence useful to individual intelligence The NBA viewed the alert process as an ?intermediate step" because it was applied as the metadata ?owed from the telecommunications service providers to the NSA - before it was stored in a repository, thus becoming ?archived data." The NSA believed that the requirement to satisfy the RAS standard was only triggered ?when the NSA sought access to the stored, or archived," repository of telephony metadata. For this reason, in the view, it was not required to limit the alert list to RAS?approved identi?ers. 7? The government also reported that of the 275 reports (totaling 2,549 telephone identi?ers) the NSA had disseminated since May 2006 as a result of contact chaining 31 reports resulted from the automated alert process and no reports were identi?ed that resulted from the use of a non-RAS approved identi?er. The NSA also determined that in all instances that a U5. telephone identi?er was used to query the metadata for a report, the identi?er was either already the subject of a FISA Court Order or had been reviewed by the NSA's Of?ce of General Counsel to ensure the RAS determination was not based solely on a U5. person's First Amendment-protected activities. 72 The additional compliance incidents involved the NSA's handling of the telephony metadata in an unauthorized manner. The ?rst incident involved the NSA's use of an analytical tool to query (usually automatically) the metadata with non-RAS approved telephone identi?ers. The tool determined if a record of a telephone identi?er was present in NSA databases and, if so, provided with information about the calling activity associated with that identi?er. The second incident involved 3 who conducted chaining analyses in the telephony metadata using 14 non-RAS approved identi?ers. According to the government's notice to the Court, the conducted queries of authorized telephony metadata and were unaware their (Cont?d.) SE In orders dated March 2 and 5, 2009, the FISA Court addressed the compliance incidents reported by the government and imposed drastic changes to the Section 215 authorities previously granted. The Court ?rst addressed the interpretation of the term ?archived data.? The Court said the interpretation ?strains credulity? and observed that an interpretation that turns on whether the metadata being accessed has been "archived" in a particular database at the time of the access would ?render compliance with the RAS requirement merely optional." The Court next addressed the misrepresentations the government made to the Court from August 2006 to December 2008 in reports that inaccurately described the alert list process. The Court recounted the speci?c misrepresentations and summarized the government's explanation for their occurrence. The Court then concluded: Regardless of what factors contributed to making these misrepresentations, the Court ?nds that the government's failure to ensure that responsible of?cials adequately understood the alert list process, and to accurately report its implementation to the Court, has prevented, for more than two years, both the government and the Court] from taking steps to remedy daily violations of the minimization procedures set forth in Court] orders and designed to protect billions of call detail records pertaining to telephone communications of U.S. persons located within the United States who are not the subject of any FBI investigations and whose call detail information could not otherwise have been legally captured in bulk. The Court also addressed the additional non-compliance incidents that were identi?ed during the initial review ordered by the NSA Director, observing that the incidents occurred despite the NSA implementing measures speci?cally intended to prevent their occurrence. In view of the record of compliance incidents the government had reported to date, the Court stated: [I]t has ?nally come to light that the Court]'s authorizations of this vast collection program have been premised on a flawed depiction of how the NSA uses [business records] metadata. This misperception by the Court] existed from the inception of its authorized collection in May 2006, buttressed by repeated inaccurate statements made in the government?s submissions, and despite a government-devised and Court-mandated oversight regime. The minimization procedures proposed by the government in each successive application and approved and adopted as binding by the orders of the Court] have been so frequently and systemically violated that it can fairly be said that this critical queries also ran against the FISA-authorlzed metadata. The government stated that none of the queries used an Identi?er associated with a US. person or telephone identi?er and none of the queries resulted in intelligence reporting. 53 element of the overall [business records] regime has never functioned effectively. Despite the Court?s concerns with the telephony metadata program, and its lack of con?dence ?that the government is doing its utmost to ensure that those responsible for implementation fully comply with the Court's orders,? it authorized the government to continue collecting telephony metadata under the Section 215 orders. The Court stated that in light of the government's repeated representations that the collection of the telephony metadata is vital to national security, taken together with the Court?s prior determination that the collection properly administered conforms with the FISA statute, ?it would not be prudent? to order the government to cease the bulk collection. However, believing that ?more is needed to protect the privacy of US. person information acquired and retained? pursuant to the Section 215 Orders, the Court prohibited the government from accessing the metadata collected ?until such time as the government is able to restore the Court's confidence that the government can and will comply with previously approved procedures for accessing such data.?73 The Court ruled that the government may, on a case- by-case basis, request authority from the Court to query the metadata to obtain foreign intelligence."1 The Court required that the requests specify the telephone identifier to be used and the factual basis for the NSA's RAS determination. The Court ordered that upon completion of the end-to-end system engineering and process reviews, the government was to ?le a report that described the results of the reviews, discussed the steps taken to remedy non- compliance incidents, and proposed minimization and oversight procedures to employ should the Court authorize resumption of regular access to the telephony metadata. The government?s report also was required to include an af?davit from the FBI Director and any other government national security of?cial deemed appropriate describing the value of the telephony metadata to US. national security. Additionally, the Court ordered the government to implement oversight mechanisms proposed in the government?s response to the compliance incidents. These mechanisms generally required NSD to assume a more prominent role in the NSA's administration of the bulk collection program, such ?3 The Court also stated, ?Given the Executive Branch's responsibility for and expertise in determining how best to protect our national security, and in light of the scale of this bulk collection program, the Court must rely heavily on the government to monitor this program to ensure that it continues to be justi?ed, in the view of those responsible for our national security, and that it is being implemented in a manner that protects the privacy interests of U5. 7? The Court authorized the government to query the metadata without Court approval to protect against an imminent threat to human life, with notice to the Court within the next business day of the query being conducted. The Court also authorized the government to access the metadata to ensure ?data integrity? and to develop and test technological measures designed to enable to the NSA to comply with previously approved procedures for accessing the metadata. 54 as the requirement that OGC consult with the NSD on all signi?cant legal opinions that relate to the interpretation, scope, or implementation of past, current, and future Section 215 orders related to the telephony bulk metadata collection. For the next several months, the government ?led requests with the Court seeking approval of queries the NSA sought to make against the metadata archive. NSD submitted the requests to the Court as the NSA identi?ed telephone numbers that it believed satis?ed the RAS standard. The requests were made by motion to the Court and typically included multiple telephone numbers, or identi?ers. For each identi?er, the government identi?ed the telephone number and country of origin, if known, and set forth the justi?cation for the belief the identi?er satis?ed RAS. The justi?cation was typically a paragraph that included information about the sus ected user of the tele hone number and that individual?s connection to terrorist organizations. The justi?cations also stated whether the suspected user of the telephone number was a non-US. person or US. person. Between March and September 2009, NSD submitted about - telephone identi?ers to the FISA Court for approval. Each of these was approved.75 6. August 17, 2009, Report to Court and September 3, 2009, Court Order Lifting Access Restrictions In August 2009, NSD submitted the report to the FISA Court required by the March 2009 orders. The report ?aim[ed] to provide the Court with assurance that NSA has addressed and corrected the instances of non- compliance and is taking additional steps to monitor and ensure compliance with the Court's Orders going forward.? The report included, as required by the Court's Orders, the results of NSA's end-to-end review, the remedies for instances of noncompliance, the testing of technological remedies, and additional measures to ensure compliance, such as creating a new position of Director of Compliance. The report also included, through declarations from NSA Director Alexander and FBI Director Mueller, assertions about the value of the program to the national security. The government informed the Court in the report that it intended to request in the next renewal application authority for certain NSA to resume conducting queries of the telephony metadata archive using identi?ers approved by the NSA. According to the report, the end-to-end review did not identify any single cause for the instances of non-compliance that had been reported to the Court, including the additional instances discovered during the end-to-end review. The review determined that the non-compliance instances ?were exacerbated by a 75 As described earlier in this report, FISA Court rules require that NSD submit ?proposed applications? or "read" copies of applications with the FISA Court before making formal applications. The FISA Court, often through a staff legal advisor, occasionally identi?es questions or concerns or requests changes after reviewing ?read? copies. When this occurs, NSD and the NSA address the issues identi?ed by the Court and made revisions where necessary before formally submitting the requests. 55 primary focus on analyst use of the data, the complexity of the overall [business record] FISA system, and a lack of shared understanding among the key stakeholders as to the full scope of the [business record] FISA system and the implementation of the [business record] FISA Orders.? The report described each of the non-compliance incidents that had been identi?ed and the associated remedy. For example, the NSA discovered during the end-to-end review that between May 2006 and February 2009, 3,000 domestic telephone numbers were determined to satisfy the RAS standard and authorized for use as query identi?ers without obtaining NSA OGC approval, as required by the Court's Orders. NSA remedied this by re-designating the identi?ers as non-RAS approved and also veri?ed that none of the identi?ers generated alerts that resulted in reports to Intelligence Community agencies. The review also discovered instances of inappropriately disseminating U.S. person information derived from the FISA metadata archive, such as authorizing disseminations pursuant to NSA's dissemination requirements and not the more restrictive dissemination provisions of the Court's Orders. This non-compliance was to be remedied through additional training and oversight and weekly reports to the Court summarizing disseminations that had been made. For these and other instances of non-compliance, the NSA also implemented technological remedies, such as implementing software that prevented from querying the archive with non-RAS identi?ers. The report also described additional measures that the government had implemented and the Court had imposed to maintain compliance with the Court?s Orders. These included regular communications between NSA and NSD on signi?cant legal interpretations and compliance issues, the NSA's creation of the position of Director of Compliance who reports directly to the NSA's Director and Deputy Director, the requirement that NSA obtain NSD approval before implementing any automated query process, and broader training requirements. In addition, any renewal application for the bulk collection was required to include a report on a meeting NSA and NSD were required to have regarding compliance with past Orders prior to ?ling the renewal application, and the NSA was required to ?le a report every week with the Court describing any dissemination of the Section 215 data and certifying that the Orders' dissemination requirements were followed. The report also proposed measures the NSA would take with respect to the RAS standard, including reviewing determinations at regular intervals (at least every 180 days for U5. telephone numbers believed to be used by a U.S. person and every year for all other identi?ers). With respect to the value of the bulk collection of telephony metadata to national security, the report, through declarations from Directors Alexander and Mueller, asserted that the metadata ?addresses a critical, threshold issue for the Government?s efforts to detect and prevent terrorist acts affecting the national security" by identifying terrorists and their associates. The report elaborated that the historical nature of the metadata allows NSA to identify recent and past contacts and of individuals believed to be associated with terrorists. In addition, according to the report, the metadata provides information about the activities of terrorists and their associates that is not 56 available from other sources of telephony metadata, such as NSA's si nal intelli ence collection under Executive Order 12333 . The report asserted that the Section 215 metadata collection ?helps ?ll these foreign intelligence gaps" and allows the NSA to provide the FBI with information about contacts between US. tele hone numbers and individuals believed to be associated with ?ten?orist organizations. These leads or tips to the FBI ?can act as an early warning of possible domestic terrorist activity.? According to Director Alexandar's declaration, the NSA tipped - telephone numbers to the FBI between May 2006 and May 2009. The report also stated that the FBI opened 27 full investigations between May 2006 and the end of 2008 ?based, at least in part" on Section 215 metadata tips. Director Mueller's declaration described as examples four such cases. On September 3, 2009, the FISA Court approved the government?s renewal application and lifted the restrictions it had placed on the NSA's authority to make RAS determinations and approve telephone numbers as queries, in effect generally returning the program to the process that was in place prior to the discovery of the compliance issues NSD identi?ed in January 2009. The Order incorporated the oversight measures identi?ed in the government's August 2009 report and described above. Since the September 3, 2009, Order the FISA Court has continued to approve the renewal applications at approximately 90-day intervals and the government has continued to submit to the Court the required reports about meetings between NSD and NSA and about disseminations of information obtained or derived from the Section 215 metadata. According to NSD staff with primary responsibility for these applications, there have been occasional compliance incidents reported to the Court since those identi?ed in January 2009, but none as consequential. For example, NSD reported to the FISA Court in March 2011 that in December 2010 and January 2011 NSA technical personnel discovered that telephony metadata roduced a telecommunications carrier included NSA contacted the carrier and was informed that a software change made in October 2010 resulted in this occurrence. According to NSD's compliance notice ?led with the Court, beginning on or about January 14 2011 the tele hon metadata produced by the carrier did not include The NSA subsequently provided dates to the FISA Court describing the measures taken to purge the i from its databases. 7. July 19, 2013, FISA Court Order Renewing Collection and Current Status of Collection As noted earlier, in June 2013 Edward Snowden caused the public disclosure of classi?ed documents related to the use of Section 215 authority to obtain telephony metadata in bulk. This resulted in a signi?cant amount of public discussion about the program, and led to the decision by the Of?ce of the Director of National Intelligence to declassify and release to the public a substantial volume of information about the program. 57 The government's ?rst renewal application in the wake of the Snowden disclosures was ?led on July 18, 2013. Judge Claire V. Eagan of the FISA Court approved the application on July 19 and the Of?ce of the Director of National Intelligence informed the public of the application and order that same day. In her August 29, 2013, Amended Memorandum Opinion explaining the basis for her decision to grant the government's application, Judge Eagan requested under applicable FISA Court rules that her opinion and order be published because of the public interest in the case. The Of?ce of the Director of National Intelligence publicly released a declassi?ed version of the opinion and order on October 18, 2013. Judge Eagan addressed the constitutionality of the requested production and the relevance of telephony metadata in bulk to authorized investigations, compared Section 215 to its counterpart in criminal investigations (18 U.S.C. 2703), and considered the applicability of the doctrine of legislative re- enactment to Section 215. Judge Eagan did not ?nd any constitutional impediment to the collection and stated that she agreed with the Court?s prior ?ndings that bulk collections are necessary and, therefore, relevant in order for the NSA to use its analytical tools to identify the calls of known and unknown terrorists contained within the bulk data. Judge Eagan also found that the ?complementary? operation of Section 215 and 2703 ?is an indication that Congress intended this Court to apply a different, and in speci?c respects lower, standard to the government?s Application under Section 215 than a court reviewing a request under Section Lastly, Judge Eagan found that the doctrine of legislative re-enactment applied to the government's use of Section 215 authority because Congress's reauthorization of the provision in the Patriot Sunsets Extension Act of 2011 ?carried with it this Court?s interpretation of the statute, which permits the bulk collection of telephony metadata under the restrictions that are in place.?r77 Judge Eagan?s order expired on October 11, 2013, and a new order authorizing the collection for another 90 days was issued that same day by Judge Mary A. McLaughlin. Judge McLaughlin also requested under FISA Court rules that her Memorandum and Order be published, and they were among the documents the Of?ce of the Director of National Intelligence publicly released on October 18, 2013. Judge McLaughlin stated in her memorandum that she had conducted an independent review of the relevant issues and ?agrees with and 7? Section 2703 is used by criminal investigators to obtain the content of communications or non-content records of communications from electronic communications service providers. Investigators can obtain court orders for non-content records by demonstrating ?specific and articuiable facts showing that there are reasonable grounds to believe . . . the records or other information sought, are relevant and material to an ongoing criminal investigation.? 18 U.S.C. 2703(d). Section 215 requires only ?a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation . . 50 U.S.C. 1861(b)(2)(A). 7? Judge Eagan quoted from the US. Supreme Court's decision in Lorillard v. Pans, 434 US. 575, 580 (1978): ?Congress is presumed to be aware of an administrative or judicial interpretation of a statute and to adopt that interpretation when it re-enacts a statute without change." 58 adopts Judge Eagan's analysis as the basis for granting the application.? Judge McLaughlin's order expired on January 3, 2014. On that same day, Judge Thomas F. Hogan issued an order authorizing the collection for another 90 days, to March 28, 2014. On January 17, 2014, the President publicly announced two changes that would be made to the bulk collection of telephony metadata. The ?rst was to require the government, absent an emergency, to obtain FISA Court approval of query term prior to conducting queries of the database. The second change was to limit query results to those that are two levels or ?hops? - instead of three from the query terms used to query the database. These changes became effective on February 5, 2014, after the FISA Court granted the government?s motion to amend the January 3, 2014, order. The President also directed the Intelligence Community and the Attorney General ?to develop options for a new approach to match the capabilities and ?ll gaps that the Section 215 program was designed to address without the government holding the metadata.? Alternative approaches were provided to the President and on March 27, 2014, he announced that the government would end its collection of bulk telephony metadata. In its place, the President proposed an arrangement in which the metadata is maintained by the providers and queries are conducted with speci?c telephone numbers approved by the FISA Court through individual orders. The President?s proposal requires new legislation. In order to provide the government time to work to implement the proposal while maintaining its ability to query the bulk telephony metadata, the President directed the Department to ?le an application with FISA Court seeking to renew the January 3, 2014, order (as amended in February) that was set to expire on March 28. The FISA Court granted the Department's application, and has since that time granted four additional renewal applications, most recently on February 26, 2015. The current order expires on June 1, 2015. a 1 60 61 mi mi 62 VII. CONCLUSION AND RECOMMENDATION We examined in this report the progress the Department and the FBI made in addressing the three recommendations in the OIG's second report about the FBI's use of Section 215 authority, A Review of the FBI ?5 Use of Section 215 Orders for Business Records in 2006 (March 2008). We recommended then that the FBI develop procedures for reviewing materials received from Section 215 orders to ensure that it has not received information that is not authorized by the FISA Court orders, and for handling material that is produced in response to, but outside the scope of, a Section 215 order. We also recommended that the FBI develop ?nal standard minimization procedures for business records that provide speci?c guidance for the retention and dissemination of US. person information. On March 7, 2013, the Attorney General adopted and the Department ?led ?nal minimization procedures for Section 215 material with the FISA Court. The Department began to implement the procedures In August 2013. The Attorney General's and the Department's actions came 7 years after such procedures were required by the Reauthorization Act and 5 years after we concluded the Interim Procedures implemented in 2006 were de?cient. We believe that in light of the importance of minimization procedures to the 63 Department's authority to use Section 215, the Department should have met its statutory obligation considerably earlier than March 2013. We reviewed aspects of the procedures that were relevant to our recommendations. For reasons described in Section of this report, we concluded that with the Final Procedures the Department and FBI have fully implemented one of the three recommendations from our March 2008 report on the use of Section 215 authority, and we consider it closed. The other two recommendations are resolved but not closed so that the Department and FBI may consider clarifying aspects of the procedures that we identi?ed above in training materials or policy implementation guidelines, or in any future versions of the Final Procedures. We encourage the Department and the FBI to periodically evaluate the ?nal procedures' implementation to determine whether additional clarifications or explanations through updates in training or revisions to the guidelines are appropriate. We noted the FISA Court's general practice, beginning in June 2009, of issuing Supplemental Orders in Section 215 matters. These orders required the Department to report to the FISA Court on the implementation of the Interim Minimization Procedures to U.S. erson information received in Section 215 We found the Supplemental Orders signi?cant because the practice began almost 3 years after the Department was required by the Reauthorization Act to adopt speci?c procedures to govern the retention and dissemination of nonpublicly available information concerning U.S. persons produced in response to Section 215 orders and over a year after we found that the Interim Procedures that the Department had implemented in September 2006 failed to meet the requirements of the Reauthorization Act. We also identi?ed some factual inaccuracies the Department made in several of the reports required by the Supplemental Orders we reviewed, including incorrectly identifying the number of U.S. persons in a document disseminated by the FBI and providing the FISA Court with incorrect information regarding the quantity and type of material produced in response to an order. We informed NSD of the inaccuracies we identi?ed and, after reviewing the instances and consulting with the FBI, NSD sent a letter to the FISA Court identifying the errors. In addition to reviewing the status of the OIG recommendations, we examined in this report the use of Section 215 authority to obtain ?any tangible things" in calendar years 2007 through 2009. Our review of Section 215 applications and orders for that period showed that the FBI processed I requests for Section 215 applications, 51 of which were formally submitted to the FISA Court for approval: 17 in 2007, 13 in 2008, and 21 in 2009. The Department ?led of the 51 a lications formall submitted to the FISA Court in connection with The other applications were formally submitted to the FISA Court on behalf of the FBI. The I requests that were not submitted to the FISA 64 Court were withdrawn after being submitted to either NSLB or NSD. We did not identify any applications that were withdrawn after being submitted to the FISA Court. The FISA Court approved each of the applications submitted. We found that the Section 215 applications ?led on behalf of the FBI sought a variety of ?tangible thin e-mail transactional records . We determined that 13 of the 56 ?eld of?ces requested the Section 215 orders ?led on behalf of the FBI and that the requests for orders originated from counterintelligence, counterterrorism, cyber, and positive foreign intelligence investigations. We also selected several Section 215 applications from the 2007-2009 time period to illustrate various uses of Section 215 authority and to conduct a more detailed review of the types of material requested, the purposes of the requests, the materials produced, and the manner in which the materials were used. This examination resulted in agents describing for us the FBI's use of Section 215 authority in a manner that was consistent with what we were told during our last two reviews. For example, agents and attorneys told us that Section 215 authority continues to be a valuable investigative tool. Agents said they relied on Section 215 authority when companies would not voluntarily produce the material sought by the FBI and when the material was not available through other investigative authorities. The agents we interviewed did not identify any major case developments that resulted from the records obtained in response to Section 215 orders, but told us the authority is valuable when it is the only means to obtain certain information. Agents told us that the material produced pursuant to Section 215 orders was used to support other investigative requests, develop investigative leads, and corroborate other information. The agents? descriptions of these uses of the authority were consistent with what we were told during our last two reviews. As with our past reviews, we did not attempt to independently evaluate the value or use of the materials produced in response to the Section 215 orders. We also identi?ed, as we did in our prior reviews, several instances during the 2007-2009 period where the Department or the FISA Court modi?ed Section 215 applications or orders. In several instances the FISA Court questioned whether subjects were properly identified as non-U.S. persons. The FISA Court also requested that additional language be inserted into applications and orders to public electronic service providers to ensure that any content was excluded from the material produced to the FBI in response to the orders. We also described in this report the - Section 215 applications that the De artment submitted to the FISA Court in connection with the . We previously described Classi?ed Appendices of our March 2008 report. The Of?ce of the Director of National Intelligence declassi?ed aspects of the NSA's program following the public disclosure of documents relating to the collection beginning 65 in June 2013. As described earlier, I the Department relied on the legal theory that all of the data collected is relevant as a whole because it is necessary to create a data archive from which to identify the speci?c records that are pertinent to authorized investigations to protect against international terrorism activities of speci?ed Foreign Powers. The Department acknowledged that the data includes records of U.S. persons who were not the subject of or associated with the subjects of authorized investigations, and the FISA Court's orders approving the government's applications have included specialized minimization procedures for handling the U.S. person information that is collected. We note that the use of Section 215 authority continues to expand to re?ect legislative, technological, and strategic changes. The legislative changes described in Section II expanded both the types of businesses upon which Section 215 orders could be served and the categories of documents that could be obtained. The legislative changes also lowered the evidentiary threshold to a ?relevance standard" for obtaining Section 215 orders and provided a presumption that for applications that demonstrate the tangible things sought pertain to foreign powers, agents of foreign powers, subjects of authorized investigations, or individuals known to associate with subjects of such investigations, the FISA Court is required to ?nd that the statutory threshold of relevance has been met. Technological advancements to and society's use of the Internet have also ex anded the uantit and quality of electronic information available to the FBI, through use of Section 215 authority. Materials produced in response to Section 215 orders now range from hard copy reproductions of business ledgers and receipts to gigabytes of metadata and other electronic information. The FBI made strategic use of the legislative and technological changes by broadening the scape of materials sought in applications. Section 215 authority is not limited to requesting information related to the known subjects of speci?c underlying investigations. The authority is also used in investigations of groups comprised of unknown members and to obtain information in bulk concerning persons who are not the subjects of or associated with an authorized FBI investigation. While the expanded scope of these requests can be important uses of Section 215 authority, we believe these expanded uses require continued signi?cant oversight by the FISA Court, NSD, and other oversight entities. Finally, the Department's Final Procedures have been incorporated into Section 215 applications only since August 2013 and thus we have not reviewed their implementation. However, we have identi?ed two potential issues regarding the application of the metadata provisions that will require attention and oversight. First, we believe that it will be im ortant for NSD and the FBI to eriodicall review the a llcation of the . Second, NSD and the FBI must remain cognizant of deveIOpments in the type of 66 information that is categorized as metadata in order to guard against the inadvertent request for or collection of metadata that is not authorized under Section 215 authority. In addition, we examined the provisions in the Final Procedures that pertain to the access to Section 215-acquired information for purposes of conducting its reviews and investi ations. The General Provisions section of the Final Procedures states The FBI has in the past taken the position, over the objections, that the FBI's minimization procedures for electronic surveillance and physical searches restricted the OIG's access to such information. NSD made revisions to those procedures in 2013 that included inserting the statement above, which was subsequently also incorporated into the Final Procedures for Section 215- acquired information. The NSD Deputy Assistant Attorney General for the Of?ce of Intelligence informed us that NSD included this statement in the minimization procedures to make clear that nothing in the procedures should be interpreted to restrict the 016?s access to FISA-acquired information needed for OIG reviews and Investigations. As part of this review, the General Counsel informed us that he concurs with this position. 6? UNCLASSIFIED The Department of Justice Of?ce of the Inspector General (DO) 01? G) is a statutorily created independent entity whose mission is to detect and deter waste, fraud, abuse, and misconduct in the Department of Justice, and to promote economy and ef?ciency in the Department?s operations. Information may be reported to the DOJ hotline at justice. gov/oig/hotline or (800) 869-4499. Of?ce of the Inspector General US. Department of Justice