CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS FIGURES Office of the Director of National Intelligence Statistical Transparency Report Regarding the Use of National Security Authorities  Calendar Year 2018  Office of Civil Liberties, Privacy, and Transparency April 2019 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES B. Areas Covered in this Report....................................................................................................................................... 4 C. Context and Clarity...................................................................................................................................................... 5 D. Key Terms...................................................................................................................................................................... 6 A. FISA Titles I and III..................................................................................................................................................... 8 B. FISA Title VII, Sections 703 and 704........................................................................................................................ 8 C. Statistics......................................................................................................................................................................... 8 FISA Section 702.......................................................................................................................... 10 A. Section 702..................................................................................................................................................................10 B. Statistics—Orders and Targets.................................................................................................................................12 D. Section 702 and FBI Investigations.........................................................................................................................16 E. NSA Dissemination of U.S. Person Information under FISA Section 702..........................................................17 FISA Criminal Use and Notice Provisions................................................................................. 22 FISA Title IV—Use of Pen Register and Trap and Trace (PR/TT) Devices............................ 23 A. FISA PR/TT Authority..............................................................................................................................................23 B. Statistics.......................................................................................................................................................................23 A. Business Records FISA...............................................................................................................................................25 B. Statistics—Title V “Traditional” Business Records Statistics Orders, Targets & Identifiers ...........................26 D. Statistics—Call Detail Record Queries...................................................................................................................31 National Security Letters (NSLs)................................................................................................ 32 B. Statistics—National Security Letters and Requests for Information...................................................................32 2 NATIONAL SECURITY LETTERS A. National Security Letters ..........................................................................................................................................32 FISA TITLE V C. Statistics—Call Detail Record (CDR) Orders, Targets & Identifiers..................................................................27 FISA TITLE IV FISA Title V—Business Records................................................................................................ 25 FISA CRIMINAL USE A. FISA Sections 106 and 305 ......................................................................................................................................22 FISA SECTION 702 C. Statistics—U.S. Person Queries................................................................................................................................13 FISA PROBABLE CAUSE AUTHORITIES FISA Probable Cause Authorities ................................................................................................ 8 INTRODUCTION A. Background................................................................................................................................................................... 4 FIGURES Introduction................................................................................................................................... 4 CONTENTS Table of Contents 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FIGURES Figures 1a and 1b: FISA “Probable Cause” Court Orders and Targets........................................................................... 9 CONTENTS Table of Figures Figures 2a and 2b: FISA “Probable Cause” Targets Broken Down by U.S. Person Status............................................ 9 Figure 4: Section 702 Targets...............................................................................................................................................13 INTRODUCTION Figure 3: Section 702 Orders................................................................................................................................................13 Figure 5: How the IC Counts U.S. Person Query Terms Used To Query Section 702 Content....................................14 Figure 7: How the IC Counts U.S. Person Query Terms Used To Query Section 702 Noncontents............................. 15 Figure 8: U.S. Person Queries of Noncontents of Section 702..........................................................................................15 Figure 9: Required Section 702 Query Reporting to the FISC.........................................................................................16 Figure 10: Number of FBI Investigations Opened on USPs Based on Section 702 Acquisition .................................16 FISA PROBABLE CAUSE AUTHORITIES Figure 6: U.S. Person Query Terms Used To Query Section 702 Content......................................................................14 Figure 11: Section 702 Reports Containing USP Information Unmasked by NSA.....................................................20 Figure 13: Number of Criminal Proceedings in Which the Government Provided Notice of Its Intent To Use Certain FISA Information.......................................................................................................................................22 FISA SECTION 702 Figure 12: Section 702 USP Identities Disseminated by NSA.........................................................................................20 Figures 14a and 14b: Number of PR/TT Orders, Targets and Unique Identifiers Collected.......................................24 Figure 16a: Title V “Traditional” Business Records Orders, Targets, and Unique Identifiers Collected....................26 Figure 16b: “Traditional” Business Records Orders and Targets....................................................................................27 Figures 17a and 17b: CDR Orders and Targets................................................................................................................28 Figure 18: Call Event Hop Scenario and Method of Counting........................................................................................29 Figure 20: Unique Identifiers in the CDRs Received.........................................................................................................31 Figure 22a: NSLs Issued and Requests for Information ..................................................................................................33 Figure 22b: Total NSLs Issued and Total ROIs Within Those NSLs .............................................................................33 3 NATIONAL SECURITY LETTERS Figure 21: CDRs—U.S. Person Query Terms....................................................................................................................31 FISA TITLE V Figure 19: CDRs Received Arising from Such Targets......................................................................................................30 FISA TITLE IV Figure 16c: “Traditional” Business Records Unique Identifiers.......................................................................................27 FISA CRIMINAL USE Figure 15: FISA PR/TT Targets—U.S. Persons and Non-U.S. Persons.........................................................................24 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS Introduction FISA TITLE IV FISA TITLE V NATIONAL SECURITY LETTERS ƒƒ FISA PROBABLE CAUSE AUTHORITIES. The number of orders—and the number of targets under those orders—for the use of FISA authorities that require probable cause determinations by the Foreign Intelligence Surveillance Court (FISC), under Titles I and III, and Section 703 and 704, of FISA. FISA CRIMINAL USE 4 This report provides statistics in the following areas (the terms used below are defined and explained later in this report): FISA SECTION 702 In June 2014, the Director of National Intelligence (DNI) began releasing statistics relating to the use B. Areas Covered in this Report FISA PROBABLE CAUSE AUTHORITIES A. Background On June 2, 2015, the Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 (USA FREEDOM Act) was enacted, amending FISA by requiring the government to publicly report many of the statistics already reported in the Annual Statistical Transparency Report. The USA FREEDOM Act also expanded the scope of the information included in the reports by requiring the DNI to report information concerning USP search terms and queries of certain FISA-acquired information, as well as specific statistics concerning call detail records. See 50 U.S.C. § 1873(b). On January 19, 2018, the FISA Amendments Reauthorization Act of 2017 was signed, further codifying that additional statistics must be publicly released, including many statistics that the government previously reported pursuant to its commitment to transparency. INTRODUCTION Additional public information on national security authorities is available at the Office of the Director of National Intelligence’s (ODNI) website, www. dni.gov, the Intelligence Community’s public website, www.intel.gov, and ODNI’s public Tumblr site, IC on the Record at IContheRecord.tumblr.com. of critical national security authorities, including FISA, in an annual report called the Statistical Transparency Report Regarding Use of National Security Authorities (hereafter the Annual Statistical Transparency Report). Subsequent Annual Statistical Transparency Reports were released in 2015, 2016, 2017, and 2018. FIGURES T oday, consistent with the Foreign Intelligence Surveillance Act of 1978 (FISA), as amended (codified in 50 U.S.C. § 1873(b)), and the Intelligence Community’s (IC) Principles of Intelligence Transparency, we are releasing our sixth annual Statistical Transparency Report Regarding Use of National Security Authorities presenting statistics on how often the government uses certain national security authorities. Providing these statistics allows for an additional way to track the use of FISA authorities and National Security Letters (NSLs). The statistics also add further context regarding the IC’s rigorous and multi-layered oversight framework that safeguards the privacy of United States person (U.S. person or USP) information and non-U.S. persons’ information acquired pursuant to these national security authorities. This report goes beyond the government’s statutory duty of providing statistics by further providing the public with detailed explanations as to how the IC uses its national security authorities. This document should be read in conjunction with the national security-related materials that the government has already released publicly, especially the documents that have been highlighted through the hyperlinks embedded in this report, as well as the statistical report provided by the Director of the Administrative Office of the U.S. Courts (50 U.S.C. § 1873(a), available on the AOUSC website). NATIONAL SECURITY LETTERS 5 Consistent with the IC’s Principles of Intelligence Transparency, and in addition to the mandatory reporting required by FISA, this report provides transparency to enhance public understanding about certain activities the IC undertakes to accomplish its national security mission. Specifically, this report provides context concerning how the IC implements FISA, including the circumstances under which such activities are conducted and the rules that are designed to ensure compliance with the Constitution and laws of the United States. While the statistics contained herein provide an important point for understanding the use of these authori- FISA TITLE V ƒƒ PEN REGISTER AND TRAP AND TRACE DEVICES. The number of orders—and the number of targets under those orders—for the use of FISA’s pen register/trap and trace devices, and the number C. Context and Clarity FISA TITLE IV ƒƒ USE IN CRIMINAL PROCEEDINGS. The number of criminal proceedings in which the United States or a State or political subdivision provided notice under FISA of the government’s intent to enter into evidence or otherwise use or disclose any information derived from electronic surveillance, physical search, or Section 702 acquisition. ƒƒ NATIONAL SECURITY LETTERS. The number of National Security Letters (NSLs) issued, and the number of requests for information within those NSLs. FISA CRIMINAL USE ▶▶ The number of National Security Agency (NSA)-disseminated Section 702 reports containing U.S. person identities (various statistics relating to reports where the U.S. person identity was openly named or originally masked and subsequently unmasked). ▶▶ The number of call detail record orders—and the number of targets under those orders— issued pursuant to FISA’s call detail records authority for the ongoing production of call detail records, the number of call detail records received from providers and stored in NSA repositories, and the number of unique identifiers used to communicate information collected. FISA SECTION 702 ▶▶ The number of instances in which the FBI opened, under the Criminal Investigative Division, an investigation of a U.S. person who is not considered a threat to national security based wholly or in part on Section 702-acquired information. ▶▶ The number of traditional business record orders—and the number of targets under those orders—issued pursuant to FISA’s traditional business records authority, and the number of unique identifiers used to communicate information collected pursuant to those orders. FISA PROBABLE CAUSE AUTHORITIES ▶▶ The number of instances in which Federal Bureau of Investigation (FBI) personnel received and reviewed Section 702-acquired information that the FBI identified as concerning a U.S. person in response to a query that was designed to return evidence of a crime unrelated to foreign intelligence and conducted in connection with a predicated criminal investigation. INTRODUCTION INTRODUCTION ▶▶ The number of U.S. person queries of Section 702-acquired metadata. ƒƒ BUSINESS RECORDS. The number of business records are reported with distinction made between records obtained under Section 501(b)(2)(B)— commonly referred to as “traditional” business records—and call detail records obtained under Section 501(b)(2)(C). Specifically: FIGURES ▶▶ The number of U.S. person queries of Section 702-acquired content. of unique identifiers used to communicate information collected pursuant to those orders. CONTENTS ƒƒ FISA SECTION 702. ▶▶ The number of orders—and the number of targets under those orders—issued pursuant to Section 702 of FISA. 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FISA SECTION 702 FISA CRIMINAL USE FISA TITLE IV FISA TITLE V NATIONAL SECURITY LETTERS 6 ƒƒ ORDERS. There are different types of orders that the FISC may issue in connection with FISA cases, including orders granting or modifying the government’s applications to conduct foreign intelligence collection including orders granting or modifying the government’s applications to conduct foreign intelligence collection pursuant to FISA; orders directing electronic FISA PROBABLE CAUSE AUTHORITIES ƒƒ U.S. PERSON. As defined by Title I of FISA, a U.S. person is “a citizen of the United States, an alien lawfully admitted for permanent residence (as defined in section 101(a)(20) of the Immigration and Nationality Act), an unincorporated association a substantial number of members of which are citizens of the United States or aliens lawfully admitted for permanent residence, or a corporation which is incorporated in the United States, but does not include a corporation or an association which is a foreign power, as defined in [50 U.S.C. § 1801(a)(1), (2), or (3)].” 50 U.S.C. § 1801(i). Section 602 of the USA FREEDOM Act, however, uses a narrower definition. Since the broader Title I definition governs how U.S. person queries are conducted pursuant to the relevant minimization procedures, it will be used throughout this report. Targeting for intelligence purposes must be informed by the National Intelligence Priorities Framework (NIPF). The NIPF is the high-level mechanism to manage and communicate national intelligence priorities, facilitating the IC’s ability to allocate finite resources to address the most pressing intelligence questions and mission requirements. Guidance from the President and the National Security Advisor, with formal input from cabinet-level heads of departments and agencies, determine the overall priorities of the top-level NIPF issues. Once the IC determines that a particular target meets an intelligence need under the NIPF, the IC must then apply applicable legal authorities (e.g., certain acquisitions authorized under FISA, Executive Order 12333) to begin targeting. INTRODUCTION INTRODUCTION Certain terms used throughout this report are described below. Other terms are described in the sections in which they are most directly relevant. These terms will be used consistently throughout this report. The IC also uses the term “target” as a verb, especially as it relates to Section 702. Specifically, Section 702 authorizes the targeting of (i) non-United States persons (ii) reasonably believed to be located outside the United States (iii) to acquire foreign intelligence information. To ensure that all three requirements are appropriately met, Section 702 requires targeting procedures. Additional information on targeting is detailed below in the Section 702 discussion. FIGURES D. Key Terms ƒƒ TARGET. Within the IC, the term “target” has multiple meanings. With respect to the statistics provided in this report, the term “target” is used as a noun and defined as the individual person, group, entity composed of multiple individuals, or foreign power that uses the selector such as a telephone number or email address. CONTENTS ties, the statistics have limitations in explaining the complexities of how the IC implements FISA; thus, this report is intended to be read in conjunction with other related publicly released information for a more comprehensive understanding. The statistics fluctuate from year to year for a variety of reasons. These include changes in operational priorities, world events, technical capabilities, target behavior, the dynamics of the ever-changing telecommunications sector, and the use of technology to automate the delivery of marketing and other communications. These reasons often cannot be explored in detail in an unclassified setting without divulging information necessary to protect national security. Moreover, there may be no relationship between a decrease in the use of one authority and an increase in another. 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FISA SECTION 702 FISA CRIMINAL USE FISA TITLE IV FISA TITLE V ƒƒ DISSEMINATION. Dissemination refers to the sharing of minimized information. As it pertains to FISA (including Section 702), if an agency (such as NSA) lawfully collects information pursuant to FISA PROBABLE CAUSE AUTHORITIES ƒƒ “ESTIMATED NUMBER.” Throughout this report, when numbers are estimated, the estimate comports with the statutory requirements to provide a “good faith estimate” of a particular number. ƒƒ AMICUS CURIAE. In 2015, the USA FREEDOM Act established a framework under which qualified individuals are appointed as amicus curiae to assist the FISC and the Foreign Intelligence Surveillance Court of Review (FISC-R) in the consideration of matters (including matters that present a novel or significant interpretation of the law or matters dealing with technical expertise) before those courts. See 50 U.S.C. § 1803. Individuals designated as amici must have expertise in privacy and civil liberties, intelligence collection, communications technology, or other areas that may lend legal or technical expertise to the FISC and FISC-R and must also be eligible for access to classified information. When appointed, amicus curiae provide those courts, as appropriate, with legal arguments that advance the protection of individual privacy and civil liberties; information related to intelligence collection or communications technology; or legal arguments or information regarding any other area relevant to the issue presented to the court. INTRODUCTION INTRODUCTION The FISC may renew some orders multiple times during the calendar year. Each authority permitted under FISA has specific time limits for the FISA authority to continue (e.g., a Section 704 order against a U.S. person target outside of the United States may last no longer than 90 days, but FISA permits the order to be renewed, see 50 U.S.C. § 1881c(c)(4)). Each renewal requires a separate application submitted by the government to the FISC and a finding by the FISC that the application meets the requirements of FISA. Thus, unlike amendments, this report counts each such renewal as a separate order granting the requested FISA authority. ƒƒ FISC. The FISC was established in 1978 when Congress enacted FISA (see 50 U.S.C. §§ 18011885c). The Court is composed of eleven federal district court judges who are designated by the Chief Justice of the United States. Pursuant to FISA, the Court entertains applications submitted by the United States Government for approval of electronic surveillance, physical search, and other investigative actions for foreign intelligence purposes. FIGURES The FISC may amend an order one or more times after it has been granted. For example, an order may be amended to add a newly discovered account used by the target. This report does not count such amendments separately. FISA and wants to disseminate that information, the agency must first apply its minimization procedures to that information. CONTENTS communication service providers to provide any technical assistance necessary to implement the authorized foreign intelligence collection; and supplemental orders and briefing orders requiring the government to take a particular action or provide the court with specific information. As with past years, this report only counts orders granting the government’s applications. 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES NATIONAL SECURITY LETTERS 7 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES ƒƒ Sections 703 and 704 apply to FISA collection targeting U.S. persons outside the United States. HOW TARGETS ARE COUNTED. If the IC received authori- NATIONAL SECURITY LETTERS zation to conduct electronic surveillance and/or physical search against the same target in four separate applications, the IC would count one target, not four. Alternatively, if the IC received authorization to conduct electronic surveillance and/or physical search against four targets in the same application, the IC would count four targets. Duplicate targets across authorities are not counted. FISA TITLE V C. Statistics FISA TITLE IV seeks to conduct collection overseas targeting a U.S. person reasonably believed to be located outside the United States under circumstances in which the U.S. person has a reasonable expectation of privacy and a warrant would be required if the acquisition were conducted in the United States. Both Sections 703 and 704 require that the FISC make a probable cause finding, based upon a factual statement in the government’s application, that the target is a U.S. person reasonably believed to be (i) located outside the United States and (ii) a foreign power, agent of a foreign power, or officer or employee of a foreign power. Additionally, the government’s application must meet the other requirements of FISA. See 50 U.S.C. §§ 1881b(b) and 1881c(b). FISA CRIMINAL USE 8 ƒƒ Titles I and III apply to FISA collection targeting persons within the United States. FISA SECTION 702 FISA Title VII Sections 703 and 704 similarly require a court order based on a finding of probable cause for the government to undertake FISA collection targeting U.S. persons located outside the United States. Section 703 applies when the government seeks to conduct electronic surveillance or to acquire stored electronic communications or stored electronic data inside the U.S., in a manner that otherwise requires an order pursuant to FISA, of a U.S. person who is reasonably believed to be located outside the United States. Section 704 applies when the government ƒƒ All of these authorities require individual court orders based on probable cause. FISA PROBABLE CAUSE AUTHORITIES B. FISA Title VII, Sections 703 and 704 FISA Title I, Title III, and Title VII Section 703 and 704 INTRODUCTION W ith limited exceptions (e.g., in the event of an emergency), to conduct electronic surveillance or physical search of an individual under FISA Title I or FISA Title III, a probable cause court order is required regardless of U.S. person status. Under FISA, Title I permits electronic surveillance and Title III permits physical search in the United States of foreign powers or agents of a foreign power when the government has a significant purpose to obtain foreign intelligence information. See 50 U.S.C. §§ 1804 and 1823. Title I (electronic surveillance) and Title III (physical search) are commonly referred to as “Traditional FISA.” Both require that, following submission of a government application, the FISC make a probable cause finding, based upon a factual statement in the government’s application, that (i) the target is a foreign power or an agent of a foreign power, as defined by FISA and (ii) the facility being targeted for electronic surveillance is used by or about to be used, or the premises or property to be searched is or is about to be owned, used, possessed by, or is in transit to or from a foreign power or an agent of a foreign power. In addition to meeting the probable cause standard, the government’s application must meet the other requirements of FISA. See 50 U.S.C. §§ 1804(a) and 1823(a). FIGURES A. FISA Titles I and III CONTENTS FISA Probable Cause Authorities CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS Figures 1a and 1b: FISA “Probable Cause” Court Orders and Targets CY2014 CY2015 CY2016 CY2017 CY2018 Total number of orders 1,767 1,519 1,585 1,559 1,437 1,184 Estimated number of targets of such orders* 1,144 1,562 1,695 1,687 1,337 1,833 1,585 1,519 1,562 1,695 1,559 1,833 1,687 1,437 1,337 1,184 1,144 CY2014 CY2015 Total court orders CY2016 CY2017 FISA SECTION 702 CY2013 FISA PROBABLE CAUSE AUTHORITIES FISA PROBABLE CAUSE AUTHORITIES 1,767 CY2018 Estimated total targets* See 50 U.S.C. §§ 1873(b)(1) and 1873(b)(1)(A). FISA CRIMINAL USE *Although providing this statistic was first required by the USA FREEDOM Act, the FISA Amendments Reauthorization Act of 2017 enumerated this requirement at 50 U.S.C. § 1873(b)(1)(A). Figures 2a and 2b: FISA “Probable Cause” Targets Broken Down by U.S. Person Status 1,038 1,601 Estimated number of targets who are U.S. persons* 336 299 232 Percentage of targets who are estimated to be U.S. persons 19.9% 22.4% 12.7% 1,351 1,601 299 (22.4% of total) 1,038 1,833 TOTAL 1,351 1,337 TOTAL Estimated number of targets who are non-U.S. persons* 336 1,687 TOTAL CY2018 See 50 U.S.C. §§ 1873(b)(1)(B) and 1873(b)(1)(C) for rows one and two, respectively. CY2016 *Previously the IC was not statutorily required to publicly provide these statistics but provided them consistent with transparency principles. The FISA Amendments Reauthorization Act of 2017 codified this requirement at 50 U.S.C. §§ 1873(b)(1)(B) and 1873(b)(1)(C). 9 CY2017 CY2018 Estimated USPER targets* Estimated non-USPER targets* NATIONAL SECURITY LETTERS CY2017 (12.7% of total) FISA TITLE V CY2016 232 (19.9% of total) FISA TITLE IV Titles I and III and Sections 703 and 704—Targets INTRODUCTION CY2013 FIGURES Titles I and III and Sections 703 and 704 of FISA 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS FISA Section 702 FIGURES A. Section 702 FISA Title VII— Section 702 ƒƒ Commonly referred to as “Section 702.” FISA CRIMINAL USE FISA TITLE IV FISA TITLE V NATIONAL SECURITY LETTERS 10 FISA SECTION 702 required by Presidential Policy Directive 28 (PPD-28), Signals Intelligence Activities, to Section 702-acquired information. PPD-28 reinforces longstanding intelligence practices that protect privacy and civil liberties, while requiring SECTION 702 TARGETS AND “TASKING.” Under Section 702, agencies to implement new procedures to ensure the government “targets” a particular non-U.S. per- that U.S. signals intelligence activities continue to include appropriate safeguards for the personal son, including non-U.S. person groups or entities, reasonably believed to be located outside the Unit- information of all individuals, regardless of the ed States to acquire foreign intelligence information nationality of the individual to whom the information pertains or where that individual resides. by “tasking” selectors (e.g., telephone numbers and email addresses). Before tasking a selector for NSA and FBI task selectors pursuant to their respeccollection under Section 702, the government must tive Section 702 targeting procedures, which are disapply its targeting procedures to ensure that the cussed below. All agencies that receive unminimized selector is used by a non-U.S. person who is rea(i.e., “raw”) Section 702 data—NSA, FBI, Central sonably believed to be located outside the United Intelligence Agency (CIA), and National CounterStates and who is expected to possess, receive, terrorism Center (NCTC)—handle the Section and/or is likely to communicate foreign intel702-acquired data in accordance with minimization ligence information. The foreign intelligence procedures, which are explained below. information must fall within a specific category THE FISC’S ROLE. Under Section 702, the FISC deterof foreign intelligence information that has been mines whether certifications executed jointly by the authorized for acquisition by the Attorney General Attorney General and the DNI meet all the requireand the DNI as part of a Section 702 certification. ments of Section 702. In deciding whether to approve a certification application package, the FISC In addition to the requirement that the type of reviews the certifications and the minimization, tarforeign intelligence information sought must be geting, and querying procedures to ensure compliauthorized as part of a certification approved by ance with both FISA and the Fourth Amendment. the FISC, agencies must also apply protections FISA PROBABLE CAUSE AUTHORITIES ƒƒ Requires individual targeting determinations that the target (1) is a non-U.S. person (2) who is reasonably believed to be located outside the United States and (3) who has or is expected to communicate or receive foreign intelligence information. INTRODUCTION T itle VII of FISA includes Section 702, which permits the Attorney General and the DNI to jointly authorize the targeting of (i) non-U.S. persons (ii) who are reasonably believed to be located outside the United States (iii) to acquire foreign intelligence information. See 50 U.S.C. § 1881a. All three elements must be met. Additionally, Section 702 requires that the Attorney General, in consultation with the DNI, adopt targeting procedures, minimization procedures, and querying procedures that they attest satisfy the statutory requirements of Section 702 and are consistent with the Fourth Amendment. Additional information on how the government uses Section 702 is posted on IC on the Record including a Section 702 Overview. 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CERTIFICATIONS. Under Section 702, the Attorney FISA TITLE V NATIONAL SECURITY LETTERS 11 FISA TITLE IV dures are adopted by the Attorney General and then reviewed, as part of the certification package, by the FISC, which reviews the sufficiency of each agency’s targeting procedures including assessing the IC’s compliance with the procedures. Only FISA CRIMINAL USE TARGETING PROCEDURES. Each set of targeting proce- MINIMIZATION PROCEDURES. The minimization procedures detail requirements the government must meet to use, retain, and disseminate Section 702 data, including specific restrictions regarding non-publicly available U.S. person information acquired from Section 702 collection of non-U.S. person targets, consistent with the needs of each agency to obtain, produce, and disseminate foreign intelligence information. Each agency’s Section 702 minimization procedures are adopted by the Attorney General. The FISC reviews the sufficiency of each agency’s minimization procedures as part of the certification application package. Such reviews include assessing the IC’s compliance with past procedures. The 2016 minimization procedures have been released on IC on the Record. FISA SECTION 702 FISA SECTION 702 General and DNI jointly execute certifications under which the Intelligence Community intends to acquire specified foreign intelligence information. The certifications identify categories of foreign intelligence information to be collected, which must meet the statutory definition of foreign intelligence information, through the targeting of non-U.S. persons reasonably believed to be located outside the United States. The certifications have included information concerning international terrorism and other topics, such as the acquisition of information concerning weapons of mass destruction. Each annual certification must be submitted to the FISC for approval in a certification application package that includes the Attorney General and DNI’s certifications, affidavits by certain heads of intelligence agencies, targeting procedures, minimization procedures, and, as described below, querying procedures. Samples of certification application packages have been publicly released on IC on the Record, most recently in May 2017. FISA PROBABLE CAUSE AUTHORITIES NSA includes the targeting rationale (TAR) in the tasking record, which requires the targeting analyst to briefly state why targeting for a particular selector was requested. The intent of the TAR is to memorialize why the analyst is requesting targeting and provide a linkage between the user of the selector and the foreign intelligence purpose covered by the certification under which it is being tasked. The TAR is reviewed by the ODNI and Department of Justice oversight teams as part of their routine review of the tasking records. More information about these oversight reviews is provided in the Attorney General and DNI’s joint Semiannual Assessment of Compliance with Procedures and Guidelines Issued Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (commonly referred to as the Joint Assessment of 702 Compliance or Joint Assessment), most recently released in February 2019 on IC on the Record. NSA’s 2016 targeting procedures and FBI’s 2016 targeting procedures have been publicly released on IC on the Record. INTRODUCTION If the FISC determines that the government’s certification application package meets the statutory requirements of Section 702 and are consistent with the Fourth Amendment, then the FISC issues an order and supporting statement approving the certifications. The 2016 FISC order and statement approving the certifications was publicly released, in redacted form, in May 2017 and posted on IC on the Record. FIGURES agencies that have Attorney General-adopted targeting procedures that the FISC finds sufficient as part of a certification package may task selectors pursuant to Section 702; only two agencies, NSA and FBI, have targeting procedures and thus are permitted to task selectors. CONTENTS The Court’s review is not limited to the procedures as written, but also includes an examination of how the procedures have been and will be implemented. Accordingly, as part of its review, the FISC considers the compliance incidents reported to it by the government through notices and reports. FISA TITLE IV FISA TITLE V NATIONAL SECURITY LETTERS the FISC may issue a single order to approve more than one Section 702 certification to acquire foreign intelligence information. Note that, in its own transparency report, which is required pursuant to 50 U.S.C. § 1873(a), the Director of the Administrative Office of the United States Courts (AOUSC) counted each of the Section 702 certifications associated with the FISC’s order. Because the number of the government’s Section 702 certifications remains a classified fact, the government requested that the AOUSC redact the number of certifications from its transparency report prior to publicly releasing it. FISA CRIMINAL USE COUNTING SECTION 702 ORDERS. As explained above, FISA SECTION 702 FISA SECTION 702 12 B. Statistics—Orders and Targets FISA PROBABLE CAUSE AUTHORITIES Query terms may be date-bound, and may include alphanumeric strings, such as telephone numbers, email addresses, or terms, such as a name, that can be used individually or in combination with one another. Pursuant to court-approved procedures, an agency can only query Section 702 information if the query is reasonably likely to return foreign intelligence information or, in the case of the FBI, evidence of a crime. This standard applies to all minimization, and querying procedures is subject to robust internal agency oversight and to rigorous external oversight by DOJ, ODNI, Congress, and the FISC. Every identified incident of non-compliance, regardless of the U.S. person status of individuals affected by the incident, is reported to the FISC (through notices or in reports) and to Congress in semiannual reports. Depending on the nature of the incident, the FISC may order remedial actions, which could include deleting improperly collected information, recalling improperly disseminated information, and re-training IC employees. DOJ and ODNI also jointly submit semiannual reports to Congress that assess the IC’s overall compliance efforts. Past Joint Assessments of Section 702 Compliance have been publicly released. INTRODUCTION Amendments Reauthorization Act of 2017, Congress amended Section 702 to require that querying procedures be adopted by the Attorney General, in consultation with the DNI. Section 702(f)(1) requires that the querying procedures be consistent with the Fourth Amendment and that they include a technical procedure whereby a record is kept of each U.S. person term used for a query. Similar to the Section 702 targeting and minimization procedures, the querying procedures are required to be reviewed by the FISC as part of the certification package for consistency with the statute and the Fourth Amendment. Congress added other requirements in Section 702(f), which pertain to accessing certain results of queries conducted by FBI; those requirements will be discussed later in this report. COMPLIANCE. The IC’s application of the targeting, FIGURES QUERYING PROCEDURES. With passage of the FISA Section 702 queries, regardless of whether the term includes U.S. person or non-U.S. person identifiers. As explained in the March 2019-released Joint Assessment of Section 702 Compliance, NSA personnel are required to obtain Office of General Counsel approval before any use of United States person identifiers as terms to query the content of Section 702 information. Additional information about U.S. person queries is posted on IC on the Record. CONTENTS Non-U.S. persons also benefit from many of the protective rules prescribed by the targeting and minimization procedures. Under Section 702, collection is targeted (not bulk), and must be limited to non-U.S. person targets located outside the United States who are likely to possess, receive, and/or are expected to communicate foreign intelligence information that is linked to one of the FISC-approved certifications. See Status of Implementation of PPD-28: Response to the PCLOB’s Report, October 2018 at 9. Additionally, “as a practical matter, non-U.S. persons also benefit from the access and retention restrictions required by the different agencies’ minimization and/or targeting procedures.” See Privacy and Civil Liberties Oversight Board Report on the Surveillance Program Operated Pursuant to Section 702 of FISA (July 2, 2014) at 100. 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS Figure 3: Section 702 Orders Total number of orders issued CY2013 CY2014 CY2015 CY2016 CY2017 CY2018 1 1 1 0* 1 1 * In 2016, the government submitted a certification application package to the FISC. Pursuant to 50 U.S.C. § 1881a(j)(2), the FISC extended its review of the 2016 certification package. The FISC may extend its review of the certifications “as necessary for good cause in a manner consistent with national security.” See 50 U.S.C. § 1881a(j)(2), subsequently codified under § 1881a(k)(2) with the FISA Amendments Reauthorization Act of 2017. Thus, because the FISC did not complete its review of the 2016 certifications during calendar year 2016, the FISC did not issue an order concerning those certifications in calendar year 2016. The 2015 order remained in effect during the extension period. On April 26, 2017, the FISC issued an order authorizing the 2016 certifications. Figure 4: Section 702 Targets* Section 702 of FISA CY2014 CY2015 CY2016 CY2017 CY2018 89,138 92,707 94,368 106,469 129,080 164,770 See 50 U.S.C. § 1873(b)(2)(A). *Recall that only non-USPs are targeted **Previously the IC was not statutorily required to publicly provide this statistic but provided it consistent with transparency principles. The FISA Amendments Reauthorization Act of 2017 codified this requirement at 50 U.S.C. § 1873(b)(2)(A). NATIONAL SECURITY LETTERS 13 FISA TITLE V In July 2014, the Privacy and Civil Liberties Oversight Board (PCLOB or Board) issued a report on Section 702 entitled, “Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act” (PCLOB’s Section 702 Report), which reported U.S. person query statistics for calendar year 2013. See PCLOB’s Section 702 Report at 57-58. The USA FREEDOM Act, enacted in 2015, added a requirement to report publicly certain statistics regarding the number of U.S. person que- ries of Section 702. Specifically, the Act requires reporting of the “number of search terms concerning a known United States person used to retrieve the unminimized contents […]”—referred to as “query terms of content”—and “the number of queries concerning a known United States person of unminimized noncontents information […]”—referred to as “queries of metadata.” See 50 U.S.C. § 1873(b)(2) (B) and (b)(2)(C), respectively. Thus, ODNI began reporting on these statistics in the Annual Statistical Transparency Report covering CY2015. FISA TITLE IV C. Statistics—U.S. Person Queries FISA CRIMINAL USE Estimated number of targets of such orders** CY2013 FISA SECTION 702 FISA SECTION 702 of this report. On the other hand, where the IC is targets, provided below, reflects an estimate of the aware that multiple selectors are used by the same number of non-U.S. persons who are the users of target, the IC counts the user of those selectors as tasked selectors. This estimate is based on informa- a single target. This counting methodology reduces tion readily available to the IC. Unless and until the the risk that the IC might inadvertently understate IC has information that links multiple selectors to the number of discrete persons targeted pursuant a single foreign intelligence target, each individual to Section 702. selector is counted as a separate target for purposes FISA PROBABLE CAUSE AUTHORITIES ESTIMATING SECTION 702 TARGETS. The number of 702 INTRODUCTION See 50 U.S.C. § 1873(b)(2). FIGURES Section 702 of FISA CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES Figure 5: How the IC Counts U.S. Person Query Terms Used To Query Section 702 Content QUERY EVENTS johndoe@XYZprovider 1. johndoe@XYZprovider johndoe@XYZprovider johndoe@XYZprovider 2. johndoe@123company Raw Section 702 CONTENT johndoe@123company marydoe@XYZprovider marydoe@XYZprovider Counted as 3 USPER query terms, not the 6 instances that the query terms queried the content. CY2015 CY2016 CY2017 CY2018 Estimated number of search terms concerning a known U.S. person used to retrieve the unminimized contents of communications obtained under Section 702 (excluding search terms used to prevent the return of U.S. person information)* 4,672 5,288 7,512 9,637 See 50 U.S.C. § 1873(b)(2)(B). 1 With the FISA Amendments Reauthorization Act in 2017, Congress codified new requirements regarding the access to results of certain queries conducted by the FBI. Specifically under Section 702(f)(2)(A), an order from the FISC is now required before the FBI can review the contents of a query using a U.S. person query term when the query was not designed to find and extract foreign intelligence information and was performed in connection with a predicated criminal investigation that does not relate to national security. Before the FISC may issue such an order based on a finding of probable cause, an FBI agent must apply in writing, to include the agent’s justification that the query results would provide evidence of criminal activity, and the application must be approved by the Attorney General. 50 U.S.C. Section 1873(b)(2)(A) requires annual reporting of the number of times the FBI received an order pursuant to 702(f)(2)(A). 14 NATIONAL SECURITY LETTERS *Consistent with 50 U.S.C. § 1873(d)(2)(A), this statistic does not include queries that are conducted by the FBI. FISA TITLE V Section 702 of FISA FISA TITLE IV Figure 6: U.S. Person Query Terms Used To Query Section 702 Content FISA CRIMINAL USE 3. marydoe@XYZprovider FISA SECTION 702 FISA SECTION 702 QUERY TERMS USED FISA PROBABLE CAUSE AUTHORITIES person identifiers it approved to query the content INTRODUCTION 702 CONTENT. The NSA counts the number of U.S. FIGURES COUNTING U.S. PERSON QUERY TERMS USED TO QUERY SECTION of unminimized Section 702-acquired information. For example, if the NSA used U.S. person identifier “johndoe@XYZprovider” to query the content of Section 702-acquired information, the NSA would count it as one regardless of how many times the NSA used “johndoe@XYZprovider” to query its 702-acquired information. The CIA started using this model in 2016 for counting query terms and those statistics were included in the Annual Statistical Transparency Report covering CY2016. When the NCTC began receiving raw Section 702 information, NCTC followed a similar approach of counting U.S. person query terms that were used to query Section 702 content. CONTENTS Below are statistics for U.S. person queries of raw, Section 702-acquired data.1 The U.S. person statistics are based on (a) U.S. person query terms used to query Section 702 content and (b) U.S. person queries conducted of Section 702 noncontents (i.e., metadata). It is important to understand that these two very different numbers cannot be combined because they use different counting methodologies (query terms versus queries conducted) and different data types (content versus noncontents). CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES INTRODUCTION Figure 7: How the IC Counts U.S. Person Query Terms Used To Query Section 702 Noncontents FIGURES estimate represents the number of times a U.S. person identifier is used to query the noncontents (i.e., metadata) of unminimized Section 702-ac- quired information. For example, if the U.S. person identifier telephone number “111-111-2222” was used 15 times to query the noncontents of Section 702-acquired information, the number of queries counted would be 15. CONTENTS COUNTING QUERIES USING U.S. PERSON IDENTIFIERS OF NONCONTENTS COLLECTED UNDER SECTION 702. This QUERY EVENTS 1. 111-111-2222 111-111-2222 111-111-2222 111-111-2222 2. 333-333-4444 3. 555-555-6666 Raw Section 702 NONCONTENT 333-333-4444 (i.e. metadata) 555-555-6666 555-555-6666 estimate the number of these queries and, as such, this new information is included in the CY2018 statistic below. CY2013 CY2014 CY2015 CY2016 CY2017 CY2018** Estimated number of queries concerning a known U.S. person of unminimized noncontent information obtained under Section 702 (excluding queries containing information used to prevent the return of U.S. person information)* 9,500 17,500 23,800 30,355 16,924 14,374 *Consistent with 50 U.S.C. § 1873(d)(2)(A), this statistic does not include queries that are conducted by the FBI. **Beginning with CY2018, this statistic includes all elements that are required to report this number. As explained above, prior to CY2018, CIA had been unable to provide this number. FISA TITLE V See 50 U.S.C. § 1873(b)(2)(C). FISA TITLE IV Section 702 of FISA FISA CRIMINAL USE Figure 8: U.S. Person Queries of Noncontents of Section 702 FISA SECTION 702 FISA SECTION 702 The CIA, had been previously unable to provide the number of queries using U.S. person identifiers of unminimized Section 702 noncontents information. Beginning in 2018, CIA was able to Counted as 6 USPER queries (each individual query event is counted). FISA PROBABLE CAUSE AUTHORITIES QUERY TERMS USED NATIONAL SECURITY LETTERS 15 CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CY2018 Per the FISC Memorandum Opinion and Order dated November 6, 2015: Each reported instance in which FBI personnel received and reviewed Section 702-acquired information that the FBI identified as concerning a U.S. person in response to a query that was designed to return evidence of a crime unrelated to foreign intelligence. 1 0 0 FISA CRIMINAL USE CY2017 See FISC Memorandum Opinion and Order dated November 6, 2015. D. Section 702 and FBI Investigations FISA TITLE V 702-acquired information. See 50 U.S.C. § 1873(b)(2)(D). This statistic will provide transparency with regard to how often Section 702 collection is used for non-national security investigations conducted by the FBI. Figure 10 provides the required statistic. FISA TITLE IV With the enactment of the FISA Amendments Reauthorization Act of 2017, FISA now requires that the FBI report on the number of instances in which the FBI opened, under the Criminal Investigative Division, a criminal investigation of a U.S. person, who is not considered a threat to national security, based wholly or in part on Section FISA SECTION 702 FISA SECTION 702 CY2016 FISA PROBABLE CAUSE AUTHORITIES Section 702 of FISA INTRODUCTION Figure 9: Required Section 702 Query Reporting to the FISC FIGURES granted the government’s application for renewal of the 2015 certifications and, among other things, concluded that the FBI’s U.S. person querying provisions in its minimization procedures, “strike a reasonable balance between the privacy interests of the United States persons and persons in the United States, on the one hand, and the government’s national security interests, on the other.” Memorandum Opinion and Order dated November 6, 2015, at 44 (released on IC on the Record on April 19, 2016). The FISC further stated that the FBI conducting queries, “designed to return evidence of crimes unrelated to foreign intelligence does not preclude the Court from concluding that taken together, the targeting and minimization procedures submitted with the 2015 Certifications are consistent with the requirements of the Fourth Amendment.” Id. Nevertheless, the FISC ordered the government to report in writing, “each instance after December 4, 2015, in which FBI personnel receive and review Section 702-acquired information that the FBI identifies as concerning a United States person in response to a query that is not designed to find and extract foreign intelligence information.” (Emphasis added). Id. at 44 and 78. The FISC directed that the report contain details of the query terms, the basis for conducting the query, the manner in which the query will be or has been used, and other details. Id. at 78. In keeping with the IC’s Principles of Intelligence Transparency, the DNI declassified the number of each such query reported to the FISC in calendar year 2016 and for applicable calendar years thereafter. These numbers are reported in Figure 9. CONTENTS FISC ORDER REQUIRING CERTAIN SECTION 702 QUERY REPORTING BY FBI. On November 6, 2015, the FISC Figure 10: Number of FBI Investigations Opened on USPs Based on Section 702 Acquisition CY2017 CY2018 The number of instances in which the FBI opened, under the Criminal Investigative Division or any successor division, an investigation of a U.S. person (who is not considered a threat to national security) based wholly or in part on an acquisition authorized under Section 702. 0 0 See 50 U.S.C. § 1873(b)(2)(D). 16 NATIONAL SECURITY LETTERS Section 702 of FISA INTRODUCTION FISA PROBABLE CAUSE AUTHORITIES FISA SECTION 702 FISA SECTION 702 FISA CRIMINAL USE FISA TITLE IV FISA TITLE V NATIONAL SECURITY LETTERS 17 FIGURES (i) (prior to the FISA Amendments Reauthorization Act of 2017 under § 1881a(l)(3)(A)(i)). Section 702(m)(3)(A) also requires that the number BACKGROUND ON NSA DISSEMINATING U.S. PERSON INFORMAof “United States-person identities subsequently TION UNDER SECTION 702. In July 2014, the PCLOB’s disseminated by [NSA] in response to request for Section 702 Report contained 10 recommendations. identities that were not referred to by name or Recommendation 9 focused on “accountability title in the original reporting.” See 50 U.S.C. and transparency,” noting that the government § 1881a(m)(3)(A)(ii). This second requirement should implement measures, “to provide insight refers to NSA providing the number of approved about the extent to which the NSA acquires and unmasking requests, which is explained below. utilizes the communications involving U.S. persons Additionally, the Attorney General and the DNI and people located in the United States under the provide to Congress the number of NSA’s dissemiSection 702 program.” PCLOB’s Section 702 Report nated intelligence reports containing a U.S. person at 145-146. Specifically, the PCLOB recommendreference as part of the Attorney General and the ed that “the NSA should implement processes to DNI’s Joint Assessment of Compliance. See 50 annually count […] (5) the number of instances in U.S.C. § 1881a(m)(1) (prior to the FISA which the NSA disseminates non-public informaAmendments Reauthorization Act of 2017 under tion about U.S. persons, specifically distinguishing § 1881a(l)(1)). disseminations that includes names, titles, or other Prior to the PCLOB issuing its Section 702 Report, identifiers, such as telephone numbers or e-mail addresses, potentially associated with individuals.” NSA’s Director of the Civil Liberties, Privacy, and Transparency Office published “NSA’s ImplemenId. at 146. This recommendation is commonly tation of Foreign Intelligence Surveillance Act Section referred to as Recommendation 9(5). In response to the PCLOB’s July 2014 Recommendation 9(5), 702,” on April 16, 2014, (hereinafter “NSA DCLPO Report”), in which it explained NSA’s disNSA previously publicly provided (in the Annual semination processes. NSA DCLPO Report at 7-8. Statistical Transparency Report for calendar year 2015) and continues to provide the following addi- NSA “only generates classified intelligence reports when the information meets a specific intelligence tional information regarding the dissemination of requirement, regardless of whether the proposed Section 702 intelligence reports that contain U.S. person information. Because the PCLOB issued its report contains U.S. person information.” NSA recommendation in 2014, these statistics were not DCLPO Report at 7. included in Annual Statistical Transparency Report Section 702 only permits the targeting of non-U.S. for calendar years 2013 or 2014. persons reasonably believed to be located outside the United States to acquire foreign intelligence NSA has been providing similar information to information. Such targets, however, may commuCongress since 2009, in classified form, per FISA nicate information to, from, or about U.S. persons. reporting requirements. For example, FISA Section 702(m)(3) requires that NSA annually submit NSA’s minimization procedures (publicly released on August 11, 2016) permit the NSA to dissemia report to applicable Congressional commitnate U.S person information if the information is tees regarding certain numbers pertaining to the necessary to understand the foreign intelligence. acquisition of Section 702-acquired information, including the number of “disseminated intelligence By policy, generally, the NSA masks the informareports containing a reference to a United States tion that could identify the U.S. person. NSA’s person identity.” See 50 U.S.C. § 1881a(m)(3)(A) minimization procedures define U.S. person identi- CONTENTS E. NSA Dissemination of U.S. Person Information under FISA Section 702 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FISA TITLE IV FISA TITLE V NATIONAL SECURITY LETTERS explain how NSA disseminates U.S. person infor- FISA CRIMINAL USE STATISTICS OF NSA’S U.S. PERSON DISSEMINATING INFORMATION. Below are statistics and charts to further FISA SECTION 702 FISA SECTION 702 18 Additional information describing how the IC protects U.S. person information obtained pursuant to FISA provisions is provided in recent reports by the civil liberties and privacy officers for the ODNI (including NCTC), NSA, FBI, and CIA. The reports collectively documented the rigorous and multi-layered framework that safeguards the privacy of U.S. person information in FISA disseminations. See ODNI Report on Protecting U.S. Person Identities in Disseminations under FISA and annexes containing agency specific reports. FISA PROBABLE CAUSE AUTHORITIES ƒƒ MASKED U.S. PERSON INFORMATION. Agency minimization procedures generally provide for the substitution of a U.S. person identity with a generic phrase or term if the identity otherwise does not meet the dissemination criteria; this is often referred to as “masking” the identity of the U.S. person. Information about a U.S. person is masked when the identifying information about the person is not included in a report. For example, instead of reporting that Section 702-acquired information revealed that nonU.S. person “Bad Guy” communicated with As part of their regular oversight reviews, DOJ and ODNI review disseminations of information about U.S. persons that NSA obtained pursuant to Section 702 to ensure that the disseminations were consistent with the minimization procedures. INTRODUCTION Even if one these conditions applies, as a matter of policy, NSA may still mask the U.S. person identity and will include no more than the minimum amount of U.S. person information necessary to understand the foreign intelligence or to describe the crime or threat. Id. In certain instances, however, NSA makes a determination that it is appropriate to include in the original report the U.S. person’s identity, using the same standards discussed above. ƒƒ UNMASKING U.S. PERSON INFORMATION. Recipients of NSA’s classified reports, such as other federal agencies, may request that NSA provide the U.S. person identifying information that was masked in an intelligence report. The requested identity information is released only if the requesting recipient has a “need to know” the identity of the U.S. person and if the dissemination of the U.S. person’s identity would be consistent with NSA’s minimization procedures (e.g., the identity is necessary to understand foreign intelligence information or assess its importance), and additional approval has been provided by a designated NSA official. FIGURES The minimization procedures also permit NSA to disseminate U.S. person identities only if doing so meets one of the specified reasons listed in NSA’s minimization procedures, including that the U.S. person consented to the dissemination, the U.S. person information was already publicly available, the U.S. person information was necessary to understand foreign intelligence information, or the communication contained evidence of a crime and is being disseminated to law enforcement authorities. For example, a Section 702 target may communicate information about a U.S. person that the target intends to victimize in some way; NSA may need to disseminate the identity of affected U.S. persons to appropriate authorities so that they can take appropriate protective, preventive, or investigative action. U.S. person “John Doe” (i.e., the actual name of the U.S. person), the report would mask “John Doe’s” name, and would state that “Bad Guy” communicated with “an identified U.S. person,” “a named U.S. person,” or “a U.S. person.” Other examples of masked U.S. person identities would be “a named U.S. entity,” “a U.S. person email address,” or “a U.S. IP address.” CONTENTS fying information as “(1) the name, unique title, or address of a United States person; or (2) other personal identifiers of a United States person [. . . ]”. See NSA’s Minimization Procedures 2(f). 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FISA TITLE V NATIONAL SECURITY LETTERS 19 The second row of Figure 11 provides the number of reports containing U.S. person identities where the U.S. person identity was masked in the report. The third row provides the number of reports containing U.S. person identities where the U.S. person identity was openly included in the report. FISA TITLE IV The first row of Figure 11 provides “an accounting of the number of disseminated intelligence reports containing a reference to a United States-person identity.” See 50 U.S.C. § 1881a(m)(3)(A)(i). NSA’s counting methodology is to include any disseminated intelligence report that contains a reference to one or more U.S. person identities, whether masked or openly named, even if the report includes information from other sources. NSA does not maintain FISA CRIMINAL USE NSA applies its minimization procedures in preparing its classified intelligence reports, and then disseminates the reports to authorized recipients with a need to know the information in order to perform their official duties. Very few of NSA’s intelligence reports from Section 702 collection contain references to U.S. person identities (whether masked or openly named). As noted above, a U.S. person is “a citizen of the United States, an alien lawfully admitted for permanent residence (as defined in section 101(a)(20) of the Immigration and Nationality Act), an unincorporated association a substantial number of members of which are citizens of the United States or aliens lawfully admitted for permanent residence, or a corporation which is incorporated in the United States, but does not include a corporation or an association which is a foreign power, as defined in [50 U.S.C. § 1801(a)(1), (2), or (3)].” See 50 U.S.C. § 1801(i). Thus the numbers below include U.S. person identities not only of U.S. persons who are individuals, but also of U.S. persons that are corporations or unincorporated associations. FISA SECTION 702 FISA SECTION 702 Consistent with the CY2017 Annual Statistical Transparency Report, this year’s report presents the dissemination numbers in a different format from the CY2016 and prior year reports to facilitate understanding and to provide consistency with NSA’s classified FISA Section 702(m)(3) reports to Congress. This report separates the number of reports (in Figure 11) from the statistics relating to the U.S. person identities later disseminated (in Figure 12). Note that a single report could contain multiple U.S. person identities, masked and/or openly named. For example, a single report could include of a large number of U.S. identities that a foreign intelligence target is seeking to victimize; each of those identifiers would be counted. FISA PROBABLE CAUSE AUTHORITIES iii. in the instances where the U.S. person identity was initially masked, upon a specific request, later reveal and unmask the U.S. person identity but only to the requestor. INTRODUCTION ii. initially mask (i.e., not reveal) the U.S. person identity in the report, or FIGURES i. openly name (i.e., originally reveal) the U.S. person identity in the report, records that allow it to readily determine, in the case of an intelligence report that includes information from several sources, from which source a reference to a U.S. person identity was derived. Accordingly, the references to U.S. person identities may have resulted from Section 702 authorized collection or from other authorized signals intelligence activity conducted by NSA. This counting methodology was used in the previous report and is used in NSA’s FISA Section 702(m)(3) report. CONTENTS mation incidentally acquired from Section 702 in classified intelligence reports. NSA may: 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS Figure 11: Section 702 Reports Containing USP Information Unmasked by NSA CY2018 REPORTS—Total number of NSA disseminated § 702 reports containing USP identities regardless of whether or not the identity was openly included or masked. 3,914 4,065 4,495 REPORTS—Total number of NSA disseminated § 702 reports containing USP identities where the USP identity was masked. 2,964 3,034 3,442 REPORTS—Total number of NSA disseminated § 702 reports containing USP identities where the USP identity was openly included. 1,200 1,341 1,379 Rows 2 and 3 will not total row 1 because one report may contain both masked and openly named identities FISA TITLE V 20 12-month period Sep 2015–Aug 2016 CY2017 CY2018 9,217 9,529 16,721 NATIONAL SECURITY LETTERS The number of U.S. person identities that NSA unmasked in response to a specific request from another agency FISA TITLE IV Figure 12: Section 702 USP Identities Disseminated by NSA Section 702—U.S. Person (USP) Identities Unmasked by NSA FISA CRIMINAL USE The CY2015 and CY2016 Annual Statistical Transparency Reports focused on responding to the PCLOB’s report recommendation 9(5) by counting only those U.S. person identities where the proper name or title of an individual was unmasked; it did not count other identifiers such as email addresses, telephone numbers or U.S. IP addresses; nor did it count identifiers pertaining to U.S. corporations or associations. Rather than distinguishing between the different ways a U.S. person might be named in an intelligence report, NSA now provides the total number of U.S. person identities unmasked in response to a specific request from another agency. This is the same metric that NSA reports to Congress pursuant to FISA Section 702(m)(3) reporting requirements. Prior to CY2017, NSA’s FISA Section 702(m) (3) reports covered the time period of September through August. For CY2017 and going forward, both reports now cover the same timeframe and follow the same reporting methodology. FISA SECTION 702 FISA SECTION 702 Figure 12 provides statistics relating to the numbers of U.S. person identities that were originally masked in those reports counted in Figure 11 but which NSA later provided to authorized requestors (i.e., unmasked). This statistic is the number required to be reported to Congress in NSA’s FISA Section 702(m)(3) report. In other words, Figure 12 provides “an accounting of the number of United States-person identities subsequently disseminated by [NSA] in response to requests for identities that were not referred to by name or title in the original reporting.” See 50 U.S.C. § 1881a(m) (3)(A)(ii). This number is different than numbers provided in either CY2015 or the CY2016 Annual Statistical Transparency Report. NSA has decided to declassify the total number of U.S. person identities unmasked in response to a request. FISA PROBABLE CAUSE AUTHORITIES CY2017 INTRODUCTION CY2016 FIGURES Section 702 Reports Containing U.S. Person (USP) Information Disseminated by NSA INTRODUCTION FISA PROBABLE CAUSE AUTHORITIES Since issuance of ICPG 107.1, all IC elements have finalized their procedures. As of January 1, 2019, all IC elements began tracking the applicable requests. Accordingly, ODNI will be able to provide these numbers for CY2019 in next year’s Annual Statistical Transparency Report. FIGURES requires the DNI to report, on an annual basis, certain statistics to track requests made pursuant to ICPG 107.1. CONTENTS Intelligence Community Policy Guidance (ICPG) 107.1, Requests for Identities of U.S. Persons in Disseminated Intelligence Reports, requires all IC elements to have procedures to respond to requests for the identities of U.S. persons whose identities were originally masked in a disseminated intelligence report. ICPG 107.1 applies to information regardless of the legal authority under which the information was collected (i.e., including, but not limited to, FISA Section 702). The ICPG further 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FISA SECTION 702 FISA SECTION 702 FISA CRIMINAL USE FISA TITLE IV FISA TITLE V NATIONAL SECURITY LETTERS 21 CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS FISA Criminal Use and Notice Provisions FIGURES A. FISA Sections 106 and 305 ƒƒ Attorney General advance authorization is required before such information may be used in a criminal proceeding; if such information is used or intended to be used against an aggrieved person, that person must be given notice of the information and have a chance to suppress the information. ƒƒ The FISA Amendments Reauthorization Act of 2017 codified that statistics must be provided to the public as it pertained to Section 106, Section 305, as well as Section 702 acquired information. See 50 U.S.C. § 1873(b)(4). 22 7 14 NATIONAL SECURITY LETTERS The number of criminal proceedings in which the United States or a State or political subdivision thereof provided notice pursuant to Section 106 (including with respect to Section 702-acquired information) or Section 305 of the government’s intent to enter into evidence or otherwise use or disclose any information obtained or derived from electronic surveillance, physical search, or Section 702 acquisition. CY2018 FISA TITLE V Figure 13: Number of Criminal Proceedings in Which the Government Provided Notice of Its Intent To Use Certain FISA Information CY2017 FISA TITLE IV including Section 702-acquired information. Specifically, Figure 13 provides that the government filed notice of intent to use FISA-acquired information, pursuant to Section 106 or 305, in seven (7) separate proceedings in 2017 and in fourteen (14) separate criminal proceedings in 2018. FISA CRIMINAL USE The FISA Amendments Reauthorization Act of 2017 codified a requirement that certain statistics concerning criminal proceedings must be provided to the public pertaining to Sections 106 and 305, ƒƒ Section 106 applies to information acquired from Title I electronic surveillance and Section 702; Section 305 applies to information acquired from Title III physical search. FISA SECTION 702 B. Statistics ƒƒ Commonly referred to as the “criminal use provision.” FISA PROBABLE CAUSE AUTHORITIES FISA Section 305 provides comparable requirements for use of information acquired through Title III physical search (i.e., advance authorization, notice, and opportunity to suppress) in a legal proceeding. FISA Sections 106 and 305— Criminal Use and Notice Provisions INTRODUCTION F ISA Section 106 requires advance authorization from the Attorney General before any information acquired through Title I electronic surveillance may be used in a criminal proceeding. This authorization from the Attorney General is defined to include authorization by the Acting Attorney General, Deputy Attorney General, or, upon designation by the Attorney General, the Assistant Attorney General for National Security. Section 106 also requires that if a government entity intends to introduce into evidence in any trial, hearing, or other proceeding, against an “aggrieved person,” information obtained or derived from electronic surveillance, it must notify the aggrieved person and the court. The aggrieved person is then entitled to seek suppression of the information. FISA Section 706 requires that any information acquired pursuant to Section 702 be treated as electronic surveillance under Section 106, including for purposes of the use, notice, and suppression requirements. 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES ESTIMATING THE NUMBER OF UNIQUE IDENTIFIERS. This statistic counts (1) the targeted identifiers and (2) the non-targeted identifiers (e.g., telephone numbers and email addresses) that were in contact with the targeted identifiers. Specifically, the House Report on the USA FREEDOM Act states that “[t]he phrase ‘unique identifiers used to communicate information collected pursuant to such orders’ means the total number of, for example, email addresses or phone numbers that have been collected as a result of these particular types of FISA orders—not just the number of target email addresses or phone numbers.” [H.R. Rept. 114109 Part I, p. 26], with certain exceptions noted. NATIONAL SECURITY LETTERS 23 the IC received authorization for the installation and use of a PR/TT device against four targets in the same application, the IC would count four targets. FISA TITLE V methodology for counting PR/TT targets is similar to the methodology described above for counting targets of electronic surveillance and/or physical search. If the IC received authorization for the installation and use of a PR/TT device against the same target in four separate applications, the IC would count one target, not four. Alternatively, if ƒƒ Government request to use a PR/TT device on U.S. person target must be based on an investigation to protect against terrorism or clandestine intelligence activities and that investigation must not be based solely on the basis of activities protected by the First Amendment to the Constitution. FISA TITLE IV ESTIMATING THE NUMBER OF TARGETS. The government’s ƒƒ Requires individual FISC order to use PR/ TT device to capture dialing, routing, addressing, or signaling (DRAS) information. FISA CRIMINAL USE for Titles I and III and Sections 703 and 704, this report only counts the orders granting authority to conduct intelligence collection—the order for the installation and use of a PR/TT device. Thus, renewal orders are counted as a separate order; modification orders and amendments are not counted. ƒƒ Bulk collection is prohibited. FISA SECTION 702 COUNTING ORDERS. Similar to how orders were counted ƒƒ Commonly referred to as the “PR/TT” provision. FISA PROBABLE CAUSE AUTHORITIES B. Statistics FISA Title IV INTRODUCTION Title IV of FISA authorizes the use of pen register and trap and trace (PR/TT) devices for foreign intelligence purposes. Title IV authorizes the government to use a PR/TT device to capture dialing, routing, addressing or signaling (DRAS) information. The government may submit an application to the FISC for an order approving the use of a PR/TT device (i.e., PR/TT order) for (i) “any investigation to obtain foreign intelligence information not concerning a United States person or” (ii) “to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the First Amendment to the Constitution.” 50 U.S.C. § 1842(a). If the FISC finds that the government’s application meets the requirements of FISA, the FISC must issue an order for the installation and use of a PR/TT device. FIGURES A. FISA PR/TT Authority CONTENTS FISA Title IV—Use of Pen Register and Trap and Trace (PR/TT) Devices CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS Figures 14a and 14b: Number of PR/TT Orders, Targets and Unique Identifiers Collected CY2014 CY2015 CY2016 CY2017 CY2018 Total number of orders 131 135 90 60 33 34 Estimated number of targets of such orders 319 516 456 41 27 29 134,987• 81,035•‡ 56,064• Estimated USPER targets 516 Estimated non-USPER targets 456 18 319 11 CY2014 Total number of orders CY2015 60 41 CY2016 14 (40.7% of total) 16 33 (48.3% of total) 15 34 27 CY2017 FISA SECTION 702 90 CY2013 (43.9% of total) 23 135 131 132,690 29 CY2018 Estimated number of targets *Pursuant to § 1873(d)(2)(B), this statistic does not apply to orders resulting in the acquisition of information by the FBI that does not include email addresses or telephone numbers. •This number represents information the government received from provider(s) electronically for the entire calendar year. The government does not have a process for capturing unique identifiers received by other means (such as hard-copy or portable media). CY2017 CY2018 Estimated number of targets who are non-U.S. persons* 23 16 15 Estimated number of targets who are U.S. persons 18 11 14 43.9% 40.7% 48.3% Estimated percentage of targets who are U.S. persons See 50 U.S.C. §§1873(b)(3)(A)(i) and 1873(b)(3)(A)(ii) for rows one and two, respectively. *Previously the IC was not statutorily required to publicly provide these statistics, but provided them consistent with transparency principles. The FISA Amendments Reauthorization Act of 2017 codified this requirement at 50 U.S.C. §§ 1873(b)(3)(A)(i) and 1873(b)(3)(A)(ii). NATIONAL SECURITY LETTERS CY2016 PR/TT Targets FISA TITLE V Figure 15: FISA PR/TT Targets—U.S. Persons and Non-U.S. Persons* FISA TITLE IV FISA TITLE IV ‡For the CY2016 report, FBI erroneously provided the estimated number of unique identifiers used to communicate information collected pursuant to orders for business records instead of the number of the unique identifiers collected pursuant PR/TT orders. As noted below, FBI erroneously provided the estimated number of unique identifiers used to communicate information collected pursuant to orders for PR/TT orders under the statistics for business records. FISA CRIMINAL USE See 50 U.S.C. §§ 1873(b)(3), 1873(b)(3)(A), and 1873(b)(3)(B). 24 FISA PROBABLE CAUSE AUTHORITIES Estimated number of unique identifiers used to communicate information collected pursuant to such orders* INTRODUCTION CY2013 FIGURES Titles IV of FISA PR/TT FISA 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FIGURES A. Business Records FISA ƒƒ CDRs may be obtained from a telephone company if the FISC issues an individual court order for the target’s records. ƒƒ Bulk collection of CDRs is prohibited. FISA TITLE V NATIONAL SECURITY LETTERS Statistics related to traditional business records obtained under Title V Section 501(b)(2)(B) are provided first pursuant to 50 U.S.C. § 1873(b)(5). Statistics related to call detail records obtained under Title V Section 501(b)(2)(C) are provided second pursuant to 50 U.S.C. § 1873(b)(6). FISA TITLE IV including the call detail records provision and the requirement to use a specific selection term. Accordingly, only one month’s worth of data for calendar year 2015 was available with respect to those provisions. Any statistical information relating to a particular FISA authority for a particular month remains classified. Therefore, the Title V data specifically associated with December 2015 was only released in a classified annex provided to Congress as part of the report for CY2015. After CY2015, statistical information was collected for an entire year and those statistics were included in subsequent reports. FISA CRIMINAL USE 25 ƒƒ Request for records in an investigation of a U.S. person must be based on an investigation to protect against terrorism or clandestine intelligence activities and provided that the investigation is not conducted solely upon activities protected by the First Amendment to the Constitution. FISA SECTION 702 On November 30, 2015, the IC implemented certain provisions of the USA FREEDOM Act, ƒƒ Title V has two key provisions: (1) traditional business records and (2) Call Detail Records (CDRs). FISA PROBABLE CAUSE AUTHORITIES In June 2015, the USA FREEDOM Act was signed into law and, among other things, it amended Title V, including by prohibiting bulk collection. See 50 U.S.C. §§ 1861(b), 1861(k)(4). The DNI is required to report various statistics about two Title V provisions—traditional business records under Section 501(b)(2)(B) and call detail records under Section 501(b)(2)(C). On November 28, 2015, in compliance with amendments enacted by the USA FREEDOM Act, the IC terminated collection of bulk telephony metadata under Title V of FISA (the “Section 215 Program”). Solely due to legal obligations to preserve records in certain pending civil litigation, the IC continues to preserve previously collected bulk telephony metadata. Under the terms of a FISC order dated November 24, 2015, the bulk telephony metadata cannot be used or accessed for any purpose other than compliance with preservation obligations. Once the government’s preservation obligations are lifted, the government is required to promptly destroy all bulk metadata produced by telecommunications providers under the Section 215 Program. FISA Title V INTRODUCTION T itle V of FISA authorizes the government to submit an application for an order requiring the production of any tangible things for (i) “an investigation to obtain foreign intelligence information not concerning a United States person or” (ii) “to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the First Amendment to the Constitution.” 50 U.S.C. § 1861. Title V is commonly referred to as the “Business Records” provision of FISA. CONTENTS FISA Title V—Business Records CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CY2018 Total number of orders issues pursuant to applications under Section 501(b)(2)(B) 84 77 56 Estimated number of targets of such orders 88 74 60 125,354* 87,834 214,860 Estimated number of unique identifiers used to communicate information collected pursuant to such orders See 50 U.S.C. §§ 1873(b)(5), 1873(b)(5)(A), and 1873(b)(5)(B). 26 NATIONAL SECURITY LETTERS *For the CY2016 report, FBI erroneously provided the estimated number of unique identifiers used to communicate information collected pursuant to orders for PR/TT devices instead of the number of the unique identifiers collected pursuant business records orders. As noted above, FBI erroneously provided the estimated number of unique identifiers used to communicate information collected pursuant to orders for business records orders under the statistics for PR/TT devices. FISA TITLE V FISA TITLE V CY2017 FISA TITLE IV CY2016 Business Records “BR” - Section 501(b)(2)(B) FISA CRIMINAL USE Figure 16a: Title V “Traditional” Business Records Orders, Targets, and Unique Identifiers Collected FISA SECTION 702 ESTIMATING THE NUMBER OF UNIQUE IDENTIFIERS. This is an estimate of the number of (1) targeted identifiers (e.g., telephone numbers and email addresses) and (2) non-targeted identifiers that were in contact with the targeted identifiers. The number of identifiers used by targets to communicate can vary significantly from year to year, which in turn will impact the number of non-targeted identifiers in contact with the targeted identifiers. Furthermore, this metric represents unique identifiers received electronically from the provider(s). The government does not have a process for capturing unique identifiers received by other means (i.e., hard-copy or portable media). For example, the FBI could obtain, under this authority, a hard-copy of a FISA PROBABLE CAUSE AUTHORITIES EXPLAINING HOW WE COUNT BR STATISTICS. As an example of the government’s methodology, assume that in 2017, the government submitted a BR request targeting “John Doe” with email addresses john.doe@serviceproviderX, john.doe@serviceproviderY, and john.doe@serviceproviderZ. The FISC found that the application met the requirements of Title V and issued orders granting the application and directing service providers X, Y, and Z to produce business records pursuant to Section 501(b)(2)(B). Provider X returned 10 non-targeted email addresses that were in contact with the target; provider Y returned 10 non-targeted email addresses that were in contact with the target; and provider Z returned 10 non-targeted email addresses that were in contact with the target. Based on this scenario, we would report the following statistics: A) one order by the FISC for the production of tangible things, B) one target of said orders, and C) 33 unique identifiers, representing three targeted email addresses plus 30 non-targeted email addresses. INTRODUCTION Business Record (BR) requests for tangible things may include books, records, (e.g. electronic communications transactions records), papers, documents, and other items pursuant to 50 U.S.C. § 1861(b)(2)(B), also referred to as Section 501(b)(2)(B). These are commonly referred to as traditional business records. FIGURES purchase receipt from a company. That purchase receipt could contain a unique identifier such as a telephone number, which would not be counted. CONTENTS B. Statistics—Title V “Traditional” Business Records Statistics Orders, Targets & Identifiers 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES 88 77 74 60 56 Total number of orders FIGURES 84 CONTENTS Figure 16b: “Traditional” Business Records Orders and Targets Estimated number of targets CY2017 INTRODUCTION CY2016 CY2018 214,860 See 50 U.S.C. §§ 1873(b)(5), 1873(b)(5)(A), and 1873(b)(5)(B). 87,834 CY2016 CY2017 CY2018 FISA TITLE V FISA TITLE V NATIONAL SECURITY LETTERS 27 FISA TITLE IV Call Detail Records (CDRs)—commonly referred to as “call event metadata”—may be obtained from telecommunications providers on an ongoing basis pursuant to 50 U.S.C. § 1861(b)(2)(C). Title V of FISA defines a CDR as session identifying information (such as an originating or terminating telephone number, an International Mobile Subscriber Identity (IMSI) number, or an International Mobile Station Equipment Identity (IMEI) number), a telephone calling card number, or the time or duration of a call. See 50 U.S.C. § 1861(k)(3)(A). By statute, CDRs provided to the government may not include the content of any communication, the name, address, or financial information of a subscriber or customer, or cell site location or global positioning system information. See 50 U.S.C. § 1861(k)(3)(B). CDRs are stored and queried by the service providers. See 50 U.S.C. § 1861(c)(2). After NSA receives the CDRs from the providers pursuant to a FISC order, NSA stores and queries those lawfully obtained CDRs. FISA CRIMINAL USE C. Statistics—Call Detail Record (CDR) Orders, Targets & Identifiers FISA SECTION 702 *For the CY2016 report, FBI erroneously provided the estimated number of unique identifiers used to communicate information collected pursuant to orders for PR/TT devices instead of the number of the unique identifiers collected pursuant business records orders. As noted above, FBI erroneously provided the estimated number of unique identifiers used to communicate information collected pursuant to orders for business records orders under the statistics for PR/TT devices. 125,354* FISA PROBABLE CAUSE AUTHORITIES Figure 16c: “Traditional” Business Records Unique Identifiers CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS Figures 17a and 17b: CDR Orders and Targets CY2018 Total number of orders issues pursuant to applications under Section 501(b)(2)(C) 40 40 14 Estimated number of targets of such orders 42 40 11 40 42 40 40 Estimated number of targets 14 CY2016 CY2017 11 CY2018 See 50 U.S.C. §§ 1873(b)(6) and 1873(b)(6)(A). NATIONAL SECURITY LETTERS report on the USA FREEDOM Act, the metric provided is over-inclusive because the government counts each record separately even if the government receives the same record multiple times (whether from one provider or multiple providers). Additionally, this metric includes duplicates of unique identifiers – i.e., because the government lacked the technical ability to isolate unique identifiers, the statistic counts the number of records even if unique identifiers are repeated. For example, if one unique identifier is associated with multiple calls to a second unique identifier, it will be counted multiple times. Similarly, if two different provid- FISA TITLE V FISA TITLE V 28 THE ESTIMATED NUMBER OF CDRS RECEIVED FROM PROVIDERS. As explained in the 2016 NSA public FISA TITLE IV In previous years, this report has included an alternate metric that represents the number of records received from the provider(s) and stored in NSA repositories (records that fail at any of a variety of validation steps are not included in this number). CDRs covered by § 501(b)(2)(C) in- Both metrics are included in this report. NSA counting for CY2018 includes (1) the total number of CDRs received for the year as we have reported in previous years, as illustrated in Figure 19 and (2) the unique identifiers within the CDRs received for the portion of the year NSA was able to count them, as illustrated in Figure 20. FISA CRIMINAL USE the government to provide a good faith estimate of “the number of unique identifiers used to communicate information collected pursuant to” orders issued in response to CDR applications (see 50 U.S.C. § 1873(b)(5)(B)), in the past, the government did not have the technical ability to isolate the number of unique identifiers within records received from the providers. Since the previous Annual Statistical Transparency Report, NSA developed a new technical solution to allow NSA to produce a good faith estimate of the number of unique identifiers. This new technical solution was put into place after the deletion of records in May 2018, so NSA will provide this partial-year count. The deletion of records was publicly discussed in a June 28, 2018 public notice by NSA and is also discussed below. clude call detail records created before, on, or after the date of the application relating to an authorized investigation. FISA SECTION 702 CHANGES IN TECHNICAL CAPABILITIES TO COUNT UNIQUE IDENTIFIERS. While the USA FREEDOM Act directs FISA PROBABLE CAUSE AUTHORITIES Total number of orders INTRODUCTION CY2017 FIGURES CY2016 Business Records (BRs)—Section 501(b)(2)(B) CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES s F ir th op 500 calls alls c 500 PHONE B 500 calls PHONE C 500 calls 500 calls PHONE E PHONE F call s PHONE G NATIONAL SECURITY LETTERS 29 identifier Phone Number B—what is referred to as a “call event.” This is the “first hop.” In turn, assume that NSA submits the “first-hop” Phone Number B to the provider X, and finds that unique identifier was used to call another unique identifier Phone Number D. This is the “second-hop.” If the unique identifiers call one another multiple times, then multiple CDRs are produced and duplication occurs. Additionally, the government may receive multiple FISA TITLE V FISA TITLE V Assume an NSA intelligence analyst learns that phone number (Phone Number A) is being used by a suspected international terrorist (target). Phone Number A is the “specific selection term” or “selector” that will be submitted to the FISC (or the Attorney General in an emergency) for approval using the “reasonable articulable suspicion” (RAS) standard. Assume that one provider (provider X) submits a record showing Phone Number A called unique FISA TITLE IV Target uses Phone Number A which is the FISC-approved selector in the FISC order. This would be counted as 1 order, 1 target, 7 unique identifiers (phone numbers A, B, C, D, E, F, G) and, assuming 500 calls between each party (1,000 records), 6000 CDRs. CDRs may include records for both sides of a call (for example, one call from Phone Number A to Phone Number B could result in 2 records). FISA CRIMINAL USE 500 PHONE D FISA SECTION 702 PHONE A p ho FISA PROBABLE CAUSE AUTHORITIES d on c Se INTRODUCTION Figure 18: Call Event Hop Scenario and Method of Counting FIGURES received from domestic communications service providers, the records received are for domestic and foreign numbers. More information on how NSA implements this authority can be found in the DCLPO report, in particular see page 5 for a description and illustration of the USA FREEDOM Implementation Architecture. CONTENTS ers submit records showing the same two unique identifiers in contact, then those would also be counted separately. This statistic includes records that were received from the providers in CY2018 for all orders active for any portion of the calendar year, which includes orders that the FISC approved in CY2017. Furthermore, while the records are CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CY2016 Estimated number of call detail records arising from such targets that NSA received from providers pursuant 151,230,968 to Section 501(b)(2)(C) and stored in its repositories* CY2017 CY2018 534,396,285 434,238,543 *While the statute directs the government to count the unique identifiers, until May of 2018, the government was not technically able to isolate the number of unique identifiers; thus, the number reported above counts total CDRs received for the year and includes duplicate records. Additionally, the number of records contains both domestic and foreign numbers, including numbers used by business entities for marketing purposes. FISA TITLE IV FISA TITLE V FISA TITLE V NATIONAL SECURITY LETTERS 30 The new process counts each type of identifier separately, and includes counts for phone numbers, International Mobile Subscriber Identities (IMSIs), and International Mobile Equipment Identities (IMEIs). An IMSI is a 15-digit number associated with the SIM card in a mobile phone. An IMEI identifies the specific physical device, much like a serial number. In the CDRs NSA receives under UFA, IMSIs and IMEIs are associated with a phone number, so the phone number count below represents the number of unique phones associated with UFA CDRs. FISA CRIMINAL USE notice stating that on May 23, 2018, NSA began deleting all CDRs acquired since 2015 under Section 501(b)(2)(C) of FISA. NSA deleted the CDRs because earlier in 2018 NSA analysts noted technical irregularities in some data received from telecommunications service providers. These irregularities also resulted in the production to NSA of some CDRs that NSA was not authorized to receive. Because it was infeasible to identify and isolate properly produced data, NSA concluded that it should not use any of the CDRs. Consequently, NSA, in consultation with the Department of Justice and the ODNI, decided that the appropriate course of action was to delete all CDRs. NSA notified the Congressional oversight committees, the Privacy and Civil Liberties Oversight Board, and the Department of Justice of this decision. The Department of Justice, in turn, notified the Foreign Intelligence Surveillance Court. The root cause of the specific problem that led to the deletion was addressed at that time. Additionally, NSA reviewed and revalidated its intelligence reporting to ensure that the reports were based on properly received CDRs. During the reporting period, NSA subsequently re-submitted the already FISC-approved selectors to the providers and also submitted new selectors that were approved by the FISC. NSA ingested and stored CDRs produced by the providers in response to these submissions during CY2018. Additionally, during this time, NSA implemented a new technical means of counting the unique identifiers as opposed to counting all records stored in NSA’s repositories. The new counting process was applied as the records were delivered by the providers beginning on May 23, 2018, when the process was initiated. FISA SECTION 702 THE ESTIMATED NUMBER OF UNIQUE IDENTIFIERS IN THE CDRS RECEIVED. On June 28, 2018, NSA issued a public FISA PROBABLE CAUSE AUTHORITIES Call Detail Records (CDRs)—Section 501(b)(2)(C) INTRODUCTION Figure 19: CDRs Received Arising from Such Targets FIGURES Not all CDRs provided to the government will be for domestic numbers. The targeted “specific selec- tion term” could be a foreign number, could have called a foreign number or the “first-hop” number could have called a foreign number; thus, these CDRs statistics contain both domestic and foreign number results. Furthermore, CDRs provided to the government include call events with business entities, such as calls for marketing purposes. CONTENTS CDRs for a single call event. NSA may also submit the specific selection Phone Number A to another provider (provider Y) who may have CDRs of the same call events. CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS Figure 20: Unique Identifiers in the CDRs Received The number of unique identifiers used to communicate information collected pursuant to such orders under Section 501(b)(2)(C)* 19,372,544 Phone Numbers, which are associated with 7,285,362 IMSIs and 5,305,578 IMEIs *Identifiers include both domestic and foreign numbers, including numbers used by business entities for marketing purposes. D. Statistics—Call Detail Record Queries CY2016 CY2017 CY2018 Estimated number of search terms that included information concerning a U.S. person that were used to query any database of call detail records obtained through the use of such orders.* 22,360 31,196 164,682 See 50 U.S.C. § 1873(b)(6)(C). * Consistent with § 1873(d)(2)(A), this statistic does not include queries that are conducted by the FBI. FISA TITLE IV Call Detail Records (CDRs)—Section 501(b)(2)(C) FISA CRIMINAL USE Figure 21: CDRs—U.S. Person Query Terms FISA SECTION 702 streamlined and upgraded its analytic tools to improve performance and compliance capabilities. This gave NSA analysts an increased ability to group related query terms together and run those query terms against multiple repositories that the analyst is authorized to query. NSA analysts must still comply with all applicable restrictions, controls, and training that apply to each query term and each repository. Due to the technical parameters of the tool, in order to generate a count of CDR queries, NSA must count all query terms, even if query terms would never return CDR results (e.g. using an email address as a query term will never return a hit from CDR data). Additionally, the parameters of the tool do not allow NSA to distinguish which specific query terms are U.S. persons and which are not when multiple query terms are used. For example, a single query using 20 query terms counts as 20, even if only one of those terms is a U.S. person phone number, and the remaining 19 are either not associated with a U.S. person or are email addresses. FISA PROBABLE CAUSE AUTHORITIES THE NUMBER OF SEARCH TERMS ASSOCIATED WITH A U.S. PERSON USED TO QUERY THE CDR DATA. In 2018, NSA INTRODUCTION 23 May to 31 December 2018 FIGURES Call Detail Records (CDRs)—Section 501(b)(c)(C) FISA TITLE V FISA TITLE V NATIONAL SECURITY LETTERS 31 2018 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS National Security Letters (NSLs) iv. financial records, see 12 U.S.C. § 3414. WHY WE REPORT THE NUMBER OF NSL REQUESTS INSTEAD OF THE NUMBER OF NSL TARGETS. We are reporting the annual number of requests for multiple reasons. First, the FBI’s systems are configured to comply with Congressional reporting requirements, which do not require the FBI to track the number of individuals or organizations that are the subject of an NSL. Even if the FBI systems were configured differently, it would still be difficult to identify the number of specific individuals or organizations that are the subjects of NSLs. One reason for this NATIONAL SECURITY LETTERS 32 ƒƒ THE DEPARTMENT OF JUSTICE’S REPORT ON NSLs. In April 2019, the Department of Justice released its Annual Foreign Intelligence Surveillance Act Report to Congress. That report, which is available online, provides the number of requests made for certain information concerning different U.S. persons pursuant to NSL authorities during calendar year 2018. The Department of Justice’s report provides the number of individuals subject to an NSL whereas the ODNI’s report provides the number of NSLs issued. Because one person may be subject to more than one NSL in an annual period, the number of NSLs issued and the number of persons subject to an NSL differs. FISA TITLE V COUNTING NSLs. Today we are reporting (1) the total number of NSLs issued for all persons, and (2) the total number of requests for information (ROI) contained within those NSLs. When a single NSL contains multiple ROIs, each is considered a “request” and each request must be relevant to the same pending investigation. For example, if the government issued one NSL seeking subscriber information from one provider and that NSL identified three e-mail addresses for the provider to return records, this would count as one NSL issued and three ROIs. ƒƒ FBI may only use NSLs if the information sought is relevant to international counterterrorism or counterintelligence investigation. FISA TITLE IV B. Statistics—National Security Letters and Requests for Information ƒƒ Bulk collection is prohibited, however, by the USA FREEDOM Act. FISA CRIMINAL USE iii. full credit reports, see 15 U.S.C. § 1681v (only for counterterrorism, not for counterintelligence investigations); and ƒƒ Not authorized by FISA but by other statutes. FISA SECTION 702 ii. consumer-identifying information possessed by consumer reporting agencies (names, addresses, places of employment, institutions at which a consumer has maintained an account), see 15 U.S.C. § 1681u; vi. FISA PROBABLE CAUSE AUTHORITIES i. telephone subscriber information, toll records, and other electronic communication transactional records, see 18 U.S.C. § 2709; National Security Letters INTRODUCTION I n addition to statistics relating to FISA authorities, we are reporting information on the government’s use of National Security Letters (NSLs). The FBI is statutorily authorized to issue NSLs for specific records (as specified below) only if the information being sought is relevant to a national security investigation. NSLs may be issued for four commonly used types of records: v. FIGURES A. National Security Letters CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CY2015 CY2016 CY2017 CY2018 Total number NSLs issued 19,212 16,348 12,870 12,150 12,762 10,235 Number of Requests for Information (ROI) 38,832 33,024 48,642 24,801 41,579 38,872 See 50 U.S.C. § 1873(b)(6). Figure 22b: Total NSLs Issued and Total ROIs Within Those NSLs Number of ROIs within those NSLs 48,642 41,579 38,872 33,024 FISA TITLE V 38,832 FISA TITLE IV Total NSLs issued FISA CRIMINAL USE CY2014 FISA SECTION 702 CY2013 National Security Letters (NSLs) FISA PROBABLE CAUSE AUTHORITIES Figure 22a: NSLs Issued and Requests for Information INTRODUCTION As is the case with other statistics in this report, statistics often fluctuate from year to year for a variety of reasons. The IC is committed to sharing statistical data and engaging the public about how the IC uses its national security authorities and for what purposes. FIGURES We also note that the actual number of individuals or organizations that are the subject of an NSL is different than the number of NSL requests. The FBI often issues NSLs under different legal authorities, e.g., 12 U.S.C. § 3414(a)(5), 15 U.S.C. §§ 1681u(a) and (b), 15 U.S.C. § 1681v, and 18 U.S.C. § 2709, for the same individual or organization. The FBI may also serve multiple NSLs for an individual for multiple facilities (e.g., multiple e-mail accounts, landline telephone numbers and cellular phone numbers). The number of requests, consequently, is significantly larger than the number of individuals or organizations that are the subjects of the NSLs. CONTENTS is that the subscriber information returned to the FBI in response to an NSL may identify, for example, one subscriber for three accounts or it may identify different subscribers for each account. In some cases this occurs because the identification information provided by the subscriber to the provider may not be true. For example, a subscriber may use a fictitious name or alias when creating the account. Thus, in many instances, the FBI never identifies the actual subscriber of an account. In other cases, this occurs because individual subscribers may identify themselves differently for each account (e.g., inclusion of middle name, middle initial, etc.) when creating an account. 24,801 16,348 12,870 CY2013 33 CY2014 CY2015 12,150 CY2016 12,762 CY2017 10,235 CY2018 NATIONAL SECURITY LETTERS NATIONAL SECURITY LETTERS 19,212 CONTENTS CALENDAR YEAR 2018 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FIGURES INTRODUCTION FISA PROBABLE CAUSE AUTHORITIES FISA SECTION 702 FISA CRIMINAL USE FISA TITLE IV FISA TITLE V NATIONAL SECURITY LETTERS 34 034609 4-19