CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS FIGURES Office of the Director of National Intelligence Statistical Transparency Report Regarding the Use of National Security Authorities  Calendar Year 2019  April 2020 IC DISSEMINATION Office of Civil Liberties, Privacy, and Transparency 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES B. Areas Covered in this Report....................................................................................................................................... 4 C. Context and Clarity...................................................................................................................................................... 5 D. Key Terms...................................................................................................................................................................... 6 A. FISA Titles I and III..................................................................................................................................................... 9 B. FISA Title VII, Sections 703 and 704........................................................................................................................ 9 C. Statistics......................................................................................................................................................................... 9 A. Section 702..................................................................................................................................................................11 B. Statistics—Orders and Targets.................................................................................................................................14 C. Statistics—U.S. Person Queries................................................................................................................................14 E. NSA Dissemination of U.S. Person Information under FISA Section 702..........................................................18 IC Dissemination of U.S. Person Information........................................................................... 22 A. ICPG 107.1 ................................................................................................................................................................22 A. FISA Sections 106 and 305 ......................................................................................................................................24 FISA Title IV—Use of Pen Register and Trap and Trace (PR/TT) Devices............................ 25 A. FISA PR/TT Authority..............................................................................................................................................25 FISA Title V—Business Records................................................................................................ 27 A. Business Records FISA...............................................................................................................................................27 C. Statistics—Call Detail Record Orders, Targets and Identifiers............................................................................29 D. Statistics—Call Detail Record Queries...................................................................................................................33 A. National Security Letters ..........................................................................................................................................34 B. Statistics—National Security Letters and Requests for Information...................................................................34 2 NAT’L SECURITY LETTERS National Security Letters (NSLs)................................................................................................ 34 FISA TITLE V B. Statistics—Title V “Traditional” Business Records Statistics Orders, Targets and Identifiers ........................28 FISA TITLE IV B. Statistics.......................................................................................................................................................................25 FISA CRIMINAL USE FISA Criminal Use and Notice Provisions................................................................................. 24 IC DISSEMINATION D. Section 702 and FBI Investigations.........................................................................................................................18 FISA SECTION 702 FISA Section 702.......................................................................................................................... 11 FISA PROBABLE CAUSE FISA Probable Cause Authorities ................................................................................................ 9 INTRODUCTION A. Background................................................................................................................................................................... 4 FIGURES Introduction................................................................................................................................... 4 CONTENTS Table of Contents 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FIGURES Figures 1a and 1b: FISA “Probable Cause” Court Orders and Targets.........................................................................10 CONTENTS Table of Figures Figures 2a and 2b: FISA “Probable Cause” Targets Broken Down by U.S. Person Status..........................................10 Figure 4: Section 702 Targets...............................................................................................................................................14 Figure 6: U.S. Person Query Terms Used To Query Section 702 Content......................................................................15 Figure 7: How the IC Counts U.S. Person Query Terms Used To Query Section 702 Noncontents............................. 16 Figure 8: U.S. Person Queries of Noncontents of Section 702..........................................................................................16 Figure 10: Number of FBI Investigations Opened on USPs Based on Section 702 Acquisition .................................18 Figure 11: Section 702 Reports Containing USP Information Unmasked by NSA.....................................................21 FISA SECTION 702 Figure 9: FBI Review of 702 Query Results for Evidence of a Crime..............................................................................17 FISA PROBABLE CAUSE Figure 5: How the IC Counts U.S. Person Query Terms Used To Query Section 702 Content....................................15 INTRODUCTION Figure 3: Section 702 Orders................................................................................................................................................14 Figure 12: Section 702 USP Identities Disseminated by NSA.........................................................................................21 Figure 14: Number of Criminal Proceedings in Which the Government Provided Notice of Its Intent To Use Certain FISA Information....................................................................................................................................................24 Figure 16: FISA PR/TT Targets—U.S. Persons and Non-U.S. Persons.........................................................................26 Figure 17a: Title V “Traditional” Business Records Orders, Targets, and Unique Identifiers Collected....................29 Figure 17b: “Traditional” Business Records Orders and Targets....................................................................................29 Figures 18a and 18b: CDR Orders and Targets................................................................................................................30 FISA TITLE IV Figure 17c: “Traditional” Business Records Unique Identifiers.......................................................................................29 FISA CRIMINAL USE Figures 15a and 15b: Number of PR/TT Orders, Targets and Unique Identifiers Collected.......................................26 IC DISSEMINATION Figure 13: Requests for USP Identities and Decisions Regarding those Requests per ICPG 107.1............................22 Figure 19: Call Event Hop Scenario and Method of Counting........................................................................................31 Figure 21: Unique Identifiers in the CDRs Received.........................................................................................................33 Figure 23a: NSLs Issued and Requests for Information ..................................................................................................35 Figure 23b: Total NSLs Issued and Total ROIs Within Those NSLs .............................................................................35 3 NAT’L SECURITY LETTERS Figure 22: CDRs—U.S. Person Query Terms....................................................................................................................33 FISA TITLE V Figure 20: CDRs Received Arising from Such Targets......................................................................................................32 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS Introduction FISA CRIMINAL USE FISA TITLE IV FISA TITLE V NAT’L SECURITY LETTERS ƒƒ FISA PROBABLE CAUSE AUTHORITIES. The number of orders—and the number of targets under those orders—for the use of FISA authorities that require probable cause determinations by the Foreign Intelligence Surveillance Court (FISC), under Titles I and III, and Section 703 and 704, of FISA. IC DISSEMINATION 4 This report provides statistics in the following areas (the terms used below are defined and explained later in this report): FISA SECTION 702 In June 2014, the Director of National Intelligence (DNI) began releasing statistics relating to the use of critical national security authorities, including B. Areas Covered in this Report FISA PROBABLE CAUSE A. Background On June 2, 2015, the Uniting and Strengthening America by Fulfilling Rights and Ensuring Effective Discipline Over Monitoring Act of 2015 (USA FREEDOM Act) was enacted, amending FISA by requiring the government to publicly report many of the statistics already reported in the Annual Statistical Transparency Report. The USA FREEDOM Act also expanded the scope of the information included in the reports by requiring the DNI to report information concerning U.S. person search terms and queries of certain FISA-acquired information, as well as specific statistics concerning call detail records. See 50 U.S.C. § 1873(b). On January 19, 2018, the FISA Amendments Reauthorization Act of 2017 was signed, further codifying the release of additional statistics, including many statistics that the government previously reported pursuant to its commitment to transparency. See id. INTRODUCTION Additional public information on national security authorities is available at the Office of the Director of National Intelligence’s (ODNI) website, www.dni.gov, the Intelligence Community’s public website, www.intel.gov, and ODNI’s public Tumblr site, IC on the Record at IContheRecord.tumblr.com. FISA, in an annual report called the Statistical Transparency Report Regarding Use of National Security Authorities (hereafter the Annual Statistical Transparency Report). Subsequent Annual Statistical Transparency Reports were released in 2015, 2016, 2017, 2018, and 2019. FIGURES T oday, consistent with the Foreign Intelligence Surveillance Act of 1978 (FISA), as amended (codified in 50 U.S.C. § 1873(b)), and the Intelligence Community’s (IC) Principles of Intelligence Transparency, we are releasing our seventh annual Statistical Transparency Report Regarding Use of National Security Authorities presenting statistics on how often the government uses certain national security authorities. These statistics add further context regarding the IC’s rigorous and multi-layered oversight framework that safeguards the civil liberties and privacy of United States person (U.S. person or USP) information and non-U.S. persons’ information acquired pursuant to these national security authorities. This report goes beyond the government’s statutory duty of providing statistics by further providing the public with detailed explanations as to how the IC uses its national security authorities. This document should be read in conjunction with the national security-related materials that the government has already released publicly, especially the documents that have been highlighted through the hyperlinks embedded in this report, as well as the statistical report provided by the Director of the Administrative Office of the U.S. Courts (50 U.S.C. § 1873(a)), (available on the AOUSC website). NAT’L SECURITY LETTERS 5 FISA TITLE V Consistent with the IC’s Principles of Intelligence ƒƒ USE IN CRIMINAL PROCEEDINGS. The number of crim- Transparency, and in addition to the mandatory inal proceedings in which the United States or a reporting required by FISA, this report provides state or political subdivision provided notice un- transparency to enhance public understanding der FISA of the government’s intent to enter into about certain activities the IC undertakes to accomevidence or otherwise use or disclose any inplish its national security mission. Specifically, this FISA TITLE IV C. Context and Clarity FISA CRIMINAL USE ƒƒ NATIONAL SECURITY LETTERS. The number of National Security Letters (NSLs) issued, and the number of requests for information within those NSLs. IC DISSEMINATION ƒƒ REQUEST FOR U.S. PERSON IDENTITIES IN DISSEMINATED INTELLIGENCE REPORTS. As required by Intelligence Community Policy Guidance (ICPG) 107.1, the number of requests received for the identities of U.S. persons whose identities were originally masked in a disseminated intelligence report, regardless of the legal authority under which the information was collected. In addition to providing the number of requests received, this report also provides a breakdown of how those requests were resolved (e.g., approved or denied). ▶▶ The number of orders—and the number of targets under those orders—issued pursuant to FISA’s call detail records authority for the ongoing production of call detail records, the number of call detail records received from providers and stored in NSA repositories, and the number of unique identifiers used to communicate information collected. FISA SECTION 702 ▶▶ The number of National Security Agency (NSA)–disseminated Section 702 reports containing U.S. person identities (various statistics relating to reports where the U.S. person identity was openly named or originally masked and subsequently unmasked). ▶▶ The number of orders—and the number of targets under those orders—issued pursuant to FISA’s traditional business records authority, and the number of unique identifiers used to communicate information collected pursuant to those orders. FISA PROBABLE CAUSE ▶▶ The number of instances in which the FBI opened, under the Criminal Investigative Division, an investigation of a U.S. person who is not considered a threat to national security based wholly or in part on Section 702-acquired information. ƒƒ BUSINESS RECORDS. The number of business records are reported with distinction made between records obtained under Section 501(b)(2)(B)— commonly referred to as “traditional” business records—and records obtained under Section 501(b)(2)(C)—commonly referred to as “call detail records” or CDRs. Specifically: INTRODUCTION INTRODUCTION ▶▶ The number of instances in which Federal Bureau of Investigation (FBI) personnel received and reviewed Section 702-acquired information that the FBI identified as concerning a U.S. person in response to a query that was designed to return evidence of a crime unrelated to foreign intelligence. ƒƒ PEN REGISTER AND TRAP AND TRACE DEVICES. The number of orders—and the number of targets under those orders—for the use of FISA’s pen register/trap and trace devices, and the number of unique identifiers used to communicate information collected pursuant to those orders. FIGURES ▶▶ The number of U.S. person queries of Section 702-acquired content and metadata. formation derived from electronic surveillance, physical search, or Section 702 acquisition. CONTENTS ƒƒ FISA SECTION 702. ▶▶ The number of orders—and the number of targets under those orders—issued pursuant to Section 702 of FISA. 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FISA SECTION 702 IC DISSEMINATION FISA CRIMINAL USE FISA TITLE IV FISA TITLE V NAT’L SECURITY LETTERS 6 Despite the different meanings, targeting for intelligence purposes must be informed by the National Intelligence Priorities Framework (NIPF). The NIPF is the high-level mechanism to manage and communicate national intelligence priorities, facilitating the IC’s ability to allocate finite resources to address the most pressing intelligence questions and mission requirements. Guidance from the President and the National Security Advisor, with formal input from cabinet-level heads of departments and agencies, determine the overall priorities of the top-level NIPF issues. Once the IC determines that a particular target meets an intelligence need under the NIPF, the IC must then apply applicable legal authorities (e.g., certain acquisitions authorized under FISA, Executive Order 12333) to begin targeting. FISA PROBABLE CAUSE ƒƒ U.S. PERSON. As defined by Title I of FISA, a U.S. person is “a citizen of the United States, an alien lawfully admitted for permanent residence (as defined in section 101(a)(20) of the Immigration and Nationality Act), an unincorporated association a substantial number of members of which are citizens of the United States or aliens lawfully admitted for permanent residence, or a corporation which is incorporated in the United States, but does not include a corporation or an association which is a foreign power, as defined in [50 U.S.C. § 1801(a)(1), (2), or (3)].” The IC also uses the term “target” as a verb, especially as it relates to Section 702. Specifically, Section 702 authorizes the targeting of (i) non-United States persons (ii) reasonably believed to be located outside the United States (iii) to acquire foreign intelligence information. To ensure that all three requirements are appropriately met, Section 702 requires targeting procedures. Additional information on targeting is detailed below in the Section 702 discussion. INTRODUCTION INTRODUCTION Certain terms used throughout this report are described below. Other terms are described in the sections in which they are most directly relevant. These terms will be used consistently throughout this report. ƒƒ TARGET. Within the IC, the term “target” has multiple meanings. With respect to the statistics provided in this report, the term “target” is used as a noun and defined as the individual person, group, entity composed of multiple individuals, or foreign power that uses the selector such as a telephone number or email address. FIGURES D. Key Terms 50 U.S.C. § 1801(i). Section 602 of the USA FREEDOM Act, however, uses a narrower definition. Since the broader Title I definition governs how U.S. person queries are conducted pursuant to the relevant minimization procedures, it will be used throughout this report. CONTENTS report provides context concerning how the IC implements FISA, including the circumstances under which such activities are conducted and the rules that are designed to ensure compliance with the Constitution and laws of the United States. While the statistics contained herein provide an important point for understanding, the statistics have limitations in explaining the complexities of how the IC implements FISA; thus, this report is intended to be read in conjunction with other related publicly released information for a more comprehensive understanding. The statistics fluctuate from year to year for a variety of reasons. These include changes in operational priorities, world events, technical capabilities, target behavior, the dynamics of the ever-changing telecommunications sector, and the use of technology to automate the delivery of marketing and other communications. These reasons often cannot be explored in detail in an unclassified setting without divulging information necessary to protect national security. Moreover, there may be no relationship between a decrease in the use of one authority and an increase in another. 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES IC DISSEMINATION FISA CRIMINAL USE FISA TITLE IV FISA TITLE V NAT’L SECURITY LETTERS 7 ƒƒ AMICUS CURIAE. In 2015, the USA FREEDOM Act codified a framework under which qualified individuals are appointed as amicus curiae to assist the FISC and the Foreign Intelligence Surveillance Court of Review (FISC-R) in the consideration of matters (including matters that present FISA SECTION 702 ƒƒ DISSEMINATION. Dissemination refers to the sharing of minimized information. As it pertains to FISA (including Section 702), if an agency (such as NSA) lawfully collects information pursuant to ƒƒ FISC. The FISC was established in 1978 when Congress enacted FISA (see 50 U.S.C. §§ 18011885c). The Court is composed of eleven federal district court judges who are designated by the Chief Justice of the United States. Pursuant to FISA, the Court entertains applications submitted by the United States Government for approval of electronic surveillance, physical search, and other investigative actions for foreign intelligence purposes. FISA PROBABLE CAUSE ƒƒ “ESTIMATED NUMBER.” Throughout this report, when numbers are estimated, the estimate comports with the statutory requirements to provide a “good faith estimate” of a particular number. ƒƒ UNMASKING U.S. PERSON INFORMATION. After an IC element disseminates an intelligence report with a U.S. person’s identifying information masked, other federal agencies may request that the masked information in the report be revealed or “unmasked.” The requested identity information is released only if the requesting recipient has a “need to know” the identity of the U.S. person and if the dissemination of the U.S. person’s identity would be consistent with the applicable legal authorities INTRODUCTION INTRODUCTION The FISC may renew some orders multiple times during the calendar year. Each authority permitted under FISA has specific time limits for the FISA authority to continue (e.g., a Section 704 order against a U.S. person target outside of the United States may last no longer than 90 days, but FISA permits the order to be renewed, see 50 U.S.C. § 1881c(c)(4)). Each renewal requires a separate application submitted by the government to the FISC and a finding by the FISC that the application meets the requirements of FISA. Unlike amendments, this report counts each such renewal as a separate order granting the requested FISA authority. ƒƒ MASKED U.S. PERSON INFORMATION. IC elements’ rules and procedures (such as agency minimization procedures) generally provide for the substitution of a U.S. person identity with a generic phrase or term so the reader cannot ascertain the U.S. person’s identity. “Masking” the identity of the U.S. person (i.e., omitting identifying information from the intelligence report) allows the IC element to disseminate the intelligence in accordance with its procedures, while protecting the U.S. person’s civil liberties and privacy. FIGURES The FISC may amend an order one or more times after it has been granted. For example, an order may be amended to add a newly discovered account used by the target. This report does not count such amendments separately. FISA and wants to disseminate that information, the agency must first apply its minimization procedures to that information. CONTENTS ƒƒ ORDERS. There are different types of orders that the FISC may issue in connection with FISA cases, including orders granting or modifying the government’s applications to conduct foreign intelligence collection pursuant to FISA; orders directing electronic communication service providers to provide any technical assistance necessary to implement the authorized foreign intelligence collection; and supplemental orders and briefing orders requiring the government to take a particular action or provide the FISC with specific information. As with past years, this report only counts orders granting the government’s applications. 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS FIGURES INTRODUCTION INTRODUCTION FISA PROBABLE CAUSE FISA SECTION 702 a novel or significant interpretation of the law or matters dealing with technical expertise) before those courts. See 50 U.S.C. § 1803. Individuals designated as amici must have expertise in privacy and civil liberties, intelligence collection, communications technology, or other areas that may lend legal or technical expertise to the FISC and FISC-R and must also be eligible for access to classified information. When appointed, amicus curiae provide those courts, as appropriate, with legal arguments that advance the protection of individual privacy and civil liberties; information related to intelligence collection or communications technology; or legal arguments or information regarding any other area relevant to the issue presented to the court. 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES IC DISSEMINATION FISA CRIMINAL USE FISA TITLE IV FISA TITLE V NAT’L SECURITY LETTERS 8 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES ƒƒ Sections 703 and 704 apply to FISA collection targeting U.S. persons outside the United States. NAT’L SECURITY LETTERS zation to conduct electronic surveillance and/or physical search against the same target in four separate applications, the IC would count one target, not four. Alternatively, if the IC received authorization to conduct electronic surveillance and/or physical search against four targets in the same application, the IC would count four targets. Duplicate targets across authorities are not counted. FISA TITLE V HOW TARGETS ARE COUNTED. If the IC received authori- FISA TITLE IV C. Statistics FISA CRIMINAL USE ment seeks to conduct collection overseas targeting a U.S. person reasonably believed to be located outside the United States under circumstances in which the U.S. person has a reasonable expectation of privacy and a warrant would be required if the acquisition were conducted in the United States. Both Sections 703 and 704 require that the FISC make a probable cause finding, based upon a factual statement in the government’s application, that the target is a U.S. person reasonably believed to be (i) located outside the United States and (ii) a foreign power, agent of a foreign power, or officer or employee of a foreign power. Additionally, the government’s application must meet the other requirements of FISA. See 50 U.S.C. §§ 1881b(b) and 1881c(b). IC DISSEMINATION 9 ƒƒ Titles I and III apply to FISA collection targeting persons within the United States. FISA SECTION 702 FISA Title VII, Sections 703 and 704, similarly require a court order based on a finding of probable cause for the government to undertake FISA collection targeting U.S. persons located outside the United States. Section 703 applies when the government seeks to conduct electronic surveillance or to acquire stored electronic communications or stored electronic data inside the U.S., in a manner that otherwise requires an order pursuant to FISA, of a U.S. person who is reasonably believed to be located outside the United States. Section 704 applies when the govern- ƒƒ All of these authorities require individual court orders based on probable cause. FISA PROBABLE CAUSE B. FISA Title VII, Sections 703 and 704 FISA Title I, Title III, and Title VII Sections 703 and 704 INTRODUCTION W ith limited exceptions (e.g., in the event of an emergency), to conduct electronic surveillance or physical search of any individual, regardless of U.S. person status, under FISA Title I or FISA Title III, a probable cause court order is required. Under FISA, Title I permits electronic surveillance and Title III permits physical search in the United States of foreign powers or agents of a foreign power when the government has a significant purpose to obtain foreign intelligence information. See 50 U.S.C. §§ 1804 and 1823. Title I (electronic surveillance) and Title III (physical search) are commonly referred to as “Traditional FISA.” Both require that, following submission of a government application, the FISC make a probable cause finding, based upon a factual statement in the government’s application, that (i) the target is a foreign power or an agent of a foreign power, as defined by FISA and (ii) the facility being targeted for electronic surveillance is used by or about to be used, or the premises or property to be searched is or is about to be owned, used, possessed by, or is in transit to or from a foreign power or an agent of a foreign power. In addition to meeting the probable cause standard, the government’s application must meet the other requirements of FISA. See 50 U.S.C. §§ 1804(a) and 1823(a). FIGURES A. FISA Titles I and III CONTENTS FISA Probable Cause Authorities CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS Figures 1a and 1b: FISA “Probable Cause” Court Orders and Targets CY2014 CY2015 CY2016 CY2017 CY2018 CY2019 Total number of orders 1,767 1,519 1,585 1,559 1,437 1,184 907 Estimated number of targets of such orders* 1,144 1,562 1,695 1,687 1,337 1,833 1,059 1,695 1,585 1,519 1,562 1,559 1,833 1,687 1,437 1,337 1,184 1,144 907 1,059 FISA PROBABLE CAUSE 1,767 INTRODUCTION CY2013 FIGURES Titles I and III and Sections 703 and 704 of FISA FISA SECTION 702 CY2013 CY2014 CY2015 Total court orders CY2017 CY2018 CY2019 IC DISSEMINATION - CY2016 Estimated total targets* See 50 U.S.C. §§ 1873(b)(1) and 1873(b)(1)(A). *Although providing this statistic was first required by the USA FREEDOM Act, the FISA Amendments Reauthorization Act of 2017 enumerated this requirement at 50 U.S.C. § 1873(b)(1)(A). FISA CRIMINAL USE Figures 2a and 2b: FISA “Probable Cause” Targets Broken Down by U.S. Person Status 1,351 1,038 1,601 892 336 299 232 167 (22.4% of total) 1,351 19.9% 22.4% 12.7% 15.8% 1,601 (15.8% of total) 299 1,038 167 1,059 TOTAL I 1,833 TOTAL I 1,337 TOTAL Percentage of targets who are estimated to be U.S. persons I (12.7% of total) 892 CY2016 *Previously the IC was not statutorily required to publicly provide these statistics but provided them consistent with transparency principles. The FISA Amendments Reauthorization Act of 2017 codified this requirement at 50 U.S.C. §§ 1873(b)(1)(B) and 1873(b)(1)(C). 10 CY2017 CY2018 Estimated USPER targets* Estimated non-USPER targets* CY2019 NAT’L SECURITY LETTERS See 50 U.S.C. §§ 1873(b)(1)(B) and 1873(b)(1)(C) for rows one and two, respectively. FISA TITLE V Estimated number of targets who are U.S. persons* I 1,687 TOTAL Estimated number of targets who are non-U.S. persons* 336 CY2016 CY2017 CY2018 CY2019 232 FISA TITLE IV Titles I and III and Sections 703 and 704—Targets (19.9% of total) 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS FISA Section 702 FIGURES A. Section 702 FISA Title VII— Section 702 ƒƒ Commonly referred to as “Section 702.” IC DISSEMINATION FISA CRIMINAL USE FISA TITLE IV FISA TITLE V NAT’L SECURITY LETTERS 11 FISA SECTION 702 Directive 28 (PPD-28), Signals Intelligence Activities, to Section 702-acquired information. PPD-28 reinforces longstanding intelligence practices that protect privacy and civil liberties, while requiring SECTION 702 TARGETS AND “TASKING.” Under Section 702, agencies to implement new procedures to ensure the government “targets” a particular non-U.S. per- that U.S. signals intelligence activities continue to include appropriate safeguards for the personal son, including non-U.S. person groups or entities, reasonably believed to be located outside the Unit- information of all individuals, regardless of the ed States to acquire foreign intelligence information nationality of the individual to whom the information pertains or where that individual resides. by “tasking” selectors (e.g., telephone numbers and email addresses). Before tasking a selector for NSA and FBI task selectors pursuant to their respeccollection under Section 702, the government must tive Section 702 targeting procedures, which are disapply its targeting procedures to ensure that the cussed below. All agencies that receive unminimized selector is used by a non-U.S. person who is rea(i.e., “raw”) Section 702 data—NSA, FBI, Central sonably believed to be located outside the United Intelligence Agency (CIA), and National CounterStates and who is expected to possess, receive, terrorism Center (NCTC)—handle the Section and/or is likely to communicate foreign intel702-acquired data in accordance with minimization ligence information. The foreign intelligence and querying procedures, which are explained below. information must fall within a specific category THE FISC’S ROLE. Under Section 702, the FISC deterof foreign intelligence information that has been mines whether certifications executed jointly by the authorized for acquisition by the Attorney General Attorney General and the DNI meet all the requireand the DNI as part of a Section 702 certification. ments of Section 702. In deciding whether to apIn addition to the requirement that the type of prove a certification application package, the FISC foreign intelligence information sought must be reviews the certifications and the minimization, tarauthorized as part of a certification approved by geting, and querying procedures to ensure compliance with both FISA and the Fourth Amendment. the FISC, as a matter of policy agencies must also The FISC’s review is not limited to the procedures apply protections required by Presidential Policy FISA PROBABLE CAUSE ƒƒ Requires individual targeting determinations that the target (1) is a non-U.S. person (2) who is reasonably believed to be located outside the United States and (3) who has or is expected to communicate or receive foreign intelligence information. INTRODUCTION T itle VII of FISA includes Section 702, which permits the Attorney General and the DNI to jointly authorize the targeting of (i) non-U.S. persons (ii) who are reasonably believed to be located outside the United States (iii) to acquire foreign intelligence information. See 50 U.S.C. § 1881a. All three elements must be met. Additionally, Section 702 requires that the Attorney General, in consultation with the DNI, adopt targeting procedures, minimization procedures, and querying procedures that they attest satisfy the statutory requirements of Section 702 and are consistent with the Fourth Amendment. Additional information on how the government uses Section 702 is posted on IC on the Record. FISA TITLE IV FISA TITLE V NAT’L SECURITY LETTERS dures detail requirements the government must meet to use, retain, and disseminate Section 702 FISA CRIMINAL USE 12 MINIMIZATION PROCEDURES. The minimization proce- IC DISSEMINATION detail the steps that the government must take before and after tasking a selector to ensure that the government is lawfully targeting the user of the tasked selector. Specifically, the government must reasonably assess that the user is a non-U.S. person who is reasonably believed to be located outside the United States. Additionally, the government must reasonably assess that tasking the selector is likely to acquire foreign intelligence information FISA SECTION 702 FISA SECTION 702 TARGETING PROCEDURES. The targeting procedures NSA includes the targeting rationale (TAR) in the tasking record, which requires the targeting analyst to briefly state why targeting for a particular selector was requested. The intent of the TAR is to memorialize why the analyst is requesting targeting, and provides a linkage between the user of the selector and the foreign intelligence purpose covered by the certification under which it is being tasked. The TAR is reviewed by the Department of Justice oversight team as part of their routine review of the tasking records. More information about these oversight reviews is provided in the Attorney General and DNI’s joint Semiannual Assessment of Compliance with Procedures and Guidelines Issued Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (commonly referred to as the Joint Assessment of 702 Compliance or Joint Assessment), released in March 2019 on IC on the Record. NSA’s 2018 targeting procedures and FBI’s 2018 targeting procedures were also publicly released on IC on the Record in October 2019. FISA PROBABLE CAUSE General and DNI jointly execute certifications under which the IC intends to acquire specified foreign intelligence information. The certifications identify categories of foreign intelligence information to be collected, which must meet the statutory definition of foreign intelligence information, through the targeting of non-U.S. persons reasonably believed to be located outside the United States. The certifications have included information concerning international terrorism and other topics, such as the acquisition of information concerning weapons of mass destruction. Each annual certification must be submitted to the FISC for approval in a certification application package that includes the Attorney General’s and DNI’s certifications, affidavits by certain heads of intelligence agencies, targeting procedures, minimization procedures, and querying procedures. INTRODUCTION CERTIFICATIONS. Under Section 702, the Attorney Each set of targeting procedures are adopted by the Attorney General, in consultation with the DNI, and then reviewed, as part of the certification package, by the FISC, which reviews the sufficiency of each agency’s targeting procedures including assessing the IC’s compliance with the procedures. Only agencies that have Attorney General-adopted targeting procedures that the FISC finds sufficient as part of a certification package may task selectors pursuant to Section 702; only two agencies, NSA and FBI, have targeting procedures and thus are permitted to task selectors. FIGURES If the FISC determines that the government’s certification application package meets the statutory requirements of Section 702 and are consistent with the Fourth Amendment, then the FISC issues an order and supporting statement approving the certifications. The FISC opinion approving the 2018 certifications was publicly released, in redacted form, along with the procedures, in October 2019 and posted on IC on the Record. that falls within a Section 702 certification that has been jointly executed by the Attorney General and the DNI. Further, the targeting procedures require the government to provide written, fact-based explanations of its assessments that support individual determinations that each tasked selector meets the requirements of the targeting procedures. CONTENTS as written, but also includes an examination of how the procedures have been and will be implemented. Accordingly, as part of its review, the FISC considers the compliance incidents reported to it by the government through notices and reports. 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FISA SECTION 702 FISA SECTION 702 IC DISSEMINATION FISA CRIMINAL USE FISA TITLE IV FISA TITLE V NAT’L SECURITY LETTERS 13 minimization, and querying procedures is subject to robust internal agency oversight and to rigorous external oversight by DOJ, ODNI, Congress, and the FISC. Every identified incident of non-compliance, regardless of the U.S. person status of individuals affected by the incident, is reported to the FISC (through notices or in reports) and to Congress in semiannual reports. Depending on the nature of the incident, the FISC may order remedial actions, which could include deleting improperly collected information, recalling improperly disseminated information, and re-training IC employees. DOJ and ODNI also jointly submit semiannual reports to Congress that assess the IC’s overall compliance FISA PROBABLE CAUSE Amendments Reauthorization Act of 2017, Congress amended Section 702 to require that querying procedures be adopted by the Attorney General, in consultation with the DNI. Section 702(f)(1) requires that the querying procedures be consistent with the Fourth Amendment and that they include a technical procedure whereby a record is kept of each COMPLIANCE. The IC’s application of the targeting, INTRODUCTION QUERYING PROCEDURES. With passage of the FISA Query terms may be date-bound, and may include alphanumeric strings, such as telephone numbers, email addresses, or terms, such as a name, that can be used individually or in combination with one another. Pursuant to FISC-approved procedures, an agency can only query Section 702 information if the query is reasonably likely to retrieve foreign intelligence information or, in the case of the FBI, evidence of a crime. This standard applies to all Section 702 queries, regardless of whether the term concerns a U.S. person or non-U.S. person. As explained in the March 2019-released Joint Assessment of Section 702 Compliance, NSA personnel are required to obtain Office of General Counsel approval before any use of U.S. person identifiers as terms to query the content of Section 702 information. The 2018 querying procedures were released on IC on the Record in October 2019. FIGURES Non-U.S. persons also benefit from many of the protective rules prescribed by the targeting and minimization procedures. Under Section 702, collection is targeted (i.e., not bulk), and must be limited to non-U.S. person targets located outside the United States who are expected to possess, receive, and/or are likely to communicate foreign intelligence information that is specified in one of the FISC-approved certifications. See Status of Implementation of PPD28: Response to the PCLOB’s Report, October 2018 at 9. Additionally, “as a practical matter, non-U.S. persons also benefit from the access and retention restrictions required by the different agencies’ minimization and/or targeting procedures.” See Privacy and Civil Liberties Oversight Board Report on the Surveillance Program Operated Pursuant to Section 702 of FISA (July 2, 2014) at 100. Moreover, as noted previously, PPD-28 regulates the IC’s retention and dissemination of personal information of non-U.S. persons collected pursuant to Section 702. U.S. person term used for a query. Similar to the Section 702 targeting and minimization procedures, the querying procedures are required to be reviewed by the FISC as part of the certification package for consistency with the statute and the Fourth Amendment. Congress added other requirements in Section 702(f), which pertain to accessing certain results of queries conducted by FBI; those requirements will be discussed later in this report. CONTENTS data, including specific restrictions regarding non-publicly available U.S. person information acquired from Section 702 collection of non-U.S. person targets, consistent with the needs of each agency to obtain, produce, and disseminate foreign intelligence information. Each agency’s Section 702 minimization procedures are adopted by the Attorney General in consultation with the DNI. The FISC reviews the sufficiency of each agency’s minimization procedures as part of the certification application package. Such reviews include assessing the IC’s compliance with past procedures. The 2018 minimization procedures were released on IC on the Record in October 2019. 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES B. Statistics—Orders and Targets COUNTING SECTION 702 ORDERS. As explained above, Section 702 of FISA Total number of orders issued CY2013 CY2014 CY2015 CY2016 CY2017 CY2018 CY2019 1 1 1 0* 1** 1 2*** See 50 U.S.C. § 1873(b)(2). selector is counted as a separate target for purposes of this report. On the other hand, where the IC is aware that multiple selectors are used by the same target, the IC counts the user of those selectors as a single target. This counting methodology reduces the risk that the IC might inadvertently understate the number of discrete persons targeted pursuant to Section 702. Figure 4: Section 702 Targets Estimated number of targets of such orders* CY2013 CY2014 CY2015 CY2016 CY2017 CY2018 CY2019 89,138 92,707 94,368 106,469 129,080 164,770 204,968 FISA TITLE IV Section 702 of FISA FISA CRIMINAL USE targets, provided below, reflects an estimate of the number of non-U.S. persons who are the users of tasked selectors. This estimate is based on information readily available to the IC. Unless and until the IC has information that links multiple selectors to a single foreign intelligence target, each individual IC DISSEMINATION ESTIMATING SECTION 702 TARGETS. The number of 702 FISA SECTION 702 FISA SECTION 702 * In 2016, the government submitted a certification application package to the FISC. Pursuant to 50 U.S.C. § 1881a(j)(2), the FISC extended its review of the 2016 certification package. The FISC may extend its review of the certifications “as necessary for good cause in a manner consistent with national security.” See 50 U.S.C. § 1881a(j)(2), subsequently codified under § 1881a(k)(2) with the FISA Amendments Reauthorization Act of 2017. Thus, because the FISC did not complete its review of the 2016 certifications during calendar year 2016, the FISC did not issue an order concerning those certifications in calendar year 2016. The 2015 order remained in effect during the extension period. On April 26, 2017, the FISC issued an order authorizing the 2016 certifications. ** In addition to orders related to the certification application packages, the FISA Amendments Reauthorization Act of 2017 amended Section 702 to also require a report of the number of Court orders related to certain FBI queries from CY2017 forward. To provide increased transparency, this report separately reports such Court orders in Figure 9. *** This number includes (a) the FISC order dated September 4, 2019, which authorized the amended 2018 certifications, that was made public on October 8, 2019, and (b) a FISC order dated December 6, 2019, which authorized the 2019 certifications. The number does not include the FISC-R order, dated July 9, 2019, and made public on October 8, 2019, because the FISC-R order did not authorize any certifications. FISA PROBABLE CAUSE Figure 3: Section 702 Orders INTRODUCTION the FISC may issue a single order to approve more than one Section 702 certification to acquire foreign intelligence information. Note that, in its own transparency report, which is required pur- FIGURES suant to 50 U.S.C. § 1873(a), the Director of the Administrative Office of the United States Courts (AOUSC) counted each of the Section 702 certifications associated with the FISC’s order. Because the number of the government’s Section 702 certifications remains a classified fact, the government requested that the AOUSC redact the number of certifications from its transparency report prior to publicly releasing it. CONTENTS efforts. Past Joint Assessments of Section 702 Compliance have been publicly released. See 50 U.S.C. § 1873(b)(2)(A). C. Statistics—U.S. Person Queries 14 NAT’L SECURITY LETTERS In July 2014, the Privacy and Civil Liberties Oversight Board (PCLOB or Board) issued a report on Section 702 entitled, “Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act” (PCLOB’s Section 702 Report), which reported U.S. person query statistics for calendar year 2013. See PCLOB’s Section 702 Report at 57-58. The USA FREEDOM Act, enacted in 2015, added a requirement to report publicly certain statistics regarding the number of U.S. person queries FISA TITLE V *Previously the IC was not statutorily required to publicly provide this statistic but provided it consistent with transparency principles. The FISA Amendments Reauthorization Act of 2017 codified this requirement at 50 U.S.C. § 1873(b)(2)(A). CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES COUNTING U.S. PERSON QUERY TERMS USED TO QUERY SECTION 702 CONTENT. The NSA counts the number of U.S. IC DISSEMINATION johndoe@XYZprovider johndoe@XYZprovider johndoe@XYZprovider [ johndoe@123company 3. marydoe@XYZprovider [ marydoe@XYZprovider . _ _ _ _ E-----J marydoe@XYZprovider Raw Section 702 CONTENT Counted as 3 USPER query terms, not the 6 instances that the query terms queried the content. Figure 6: U.S. Person Query Terms Used To Query Section 702 Content ICY2015 ICY2016 ICY2017 ICY2018 ICY2019 4,672 5,288 *Consistent with 50 U.S.C. § 1873(d)(2)(A), this statistic does not include queries that are conducted by the FBI. 15 9,637 9,126 NAT’L SECURITY LETTERS See 50 U.S.C. § 1873(b)(2)(B). 7,512 FISA TITLE V Section 702 of FISA Estimated number of search terms concerning a known U.S. person used to retrieve the unminimized contents of communications obtained under Section 702 (excluding search terms used to prevent the return of U.S. person information)* FISA TITLE IV 2. johndoe@123company FISA CRIMINAL USE [ FISA SECTION 702 FISA SECTION 702 QUERY EVENTS 1. johndoe@XYZprovider FISA PROBABLE CAUSE Figure 5: How the IC Counts U.S. Person Query Terms Used To Query Section 702 Content QUERY TERMS USED INTRODUCTION person identifiers it approved to query the content of unminimized Section 702-acquired information. For example, if the NSA used U.S. person identifier “johndoe@XYZprovider” to query the content of Section 702-acquired information, the NSA would count it as one regardless of how many times the NSA used “johndoe@XYZprovider” to query its 702-acquired information. The CIA started using this model in 2016 for counting query terms and those statistics were included in the Annual Statistical Transparency Report covering CY2016. When the NCTC began receiving raw Section 702 information, NCTC followed a similar approach of counting U.S. person query terms that were used to query Section 702 content. FIGURES Below are statistics for U.S. person queries of raw Section 702-acquired data. The U.S. person statistics are based on (a) U.S. person query terms used to query Section 702 content and (b) U.S. person queries conducted of Section 702 noncontents (i.e., metadata). It is important to understand that these two very different numbers cannot be combined because they use different counting methodologies (query terms versus queries conducted) and different data types (content versus noncontents). CONTENTS of Section 702. Specifically, the Act requires reporting of the “number of search terms concerning a known United States person used to retrieve the unminimized contents […]”—referred to as “query terms of content”—and “the number of queries concerning a known United States person of unminimized noncontents information […]”—referred to as “queries of metadata.” See 50 U.S.C. § 1873(b)(2)(B) and (b)(2)(C), respectively. Thus, ODNI began reporting on these statistics in the Annual Statistical Transparency Report covering CY2015. CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES QUERY EVENTS 1. 111-111-2222 [ FISA PROBABLE CAUSE QUERY TERMS USED 111-111-2222 111-111-2222 2. 333-333-4444 [ 333-333-4444 3. 555-555-6666 [ 555-555-6666 Raw Section 702 NONCONTENT (i.e. metadata) Counted as 6 USPER queries (each individual query event is counted). 555-555-6666 Section 702 of FISA 9,500 17,500 23,800 30,355 16,924 14,374 16,692 See 50 U.S.C. § 1873(b)(2)(C). *Consistent with 50 U.S.C. § 1873(d)(2)(A), this statistic does not include queries that are conducted by the FBI. 16 NAT’L SECURITY LETTERS granted the government’s application for renewal of the 2015 certifications and, among other things, concluded that the FBI’s querying provisions in its minimization procedures, “strike a reasonable balance between the privacy interests of the United States persons and persons in the United States, on the one hand, and the government’s national security interests, on the other.” Memorandum Opinion and Order dated November 6, 2015, at 44 (released on IC on the Record on April 19, 2016). The FISC further stated that the FBI conducting queries, “designed to return evidence of crimes unrelated to foreign intelligence does not preclude the Court from concluding that taken together, the targeting and minimization procedures submitted with the 2015 Certifications are consistent with the requirements of the Fourth Amendment.” Id. FISA TITLE V FISC ORDER REQUIRING CERTAIN SECTION 702 QUERY REPORTING BY FBI. On November 6, 2015, the FISC FISA TITLE IV **Beginning with CY2018, this statistic includes all elements that are required to report this number. As explained in previous transparency reports, prior to CY2018, CIA had been unable to provide the number. FISA CRIMINAL USE Estimated number of queries concerning a known U.S. person of unminimized noncontent information obtained under Section 702 (excluding queries containing information used to prevent the return of U.S. person information)* ICY2013 ICY2014 ICY2015 ICY2016 ICY2017 ICY2018** I CY2019 IC DISSEMINATION Figure 8: U.S. Person Queries of Noncontents of Section 702 FISA SECTION 702 FISA SECTION 702 _____J 111-111-2222 INTRODUCTION Figure 7: How the IC Counts U.S. Person Query Terms Used To Query Section 702 Noncontents FIGURES estimate represents the number of times a U.S. person identifier is used to query the noncontents (i.e., metadata) of unminimized Section 702-ac- quired information. For example, if the U.S. person identifier telephone number “111-111-2222” was used 15 times to query the noncontents of Section 702-acquired information, the number of queries counted would be 15. CONTENTS COUNTING QUERIES USING U.S. PERSON IDENTIFIERS OF NONCONTENTS COLLECTED UNDER SECTION 702. This CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES 6* 1 N/A 0 0 0 See FISC Memorandum Opinion and Order dated November 6, 2015 and 50 U.S.C. § 1873(b)(2). FISA TITLE V *This figure was previously reported as zero; however, the Department of Justice conducted an oversight review in 2019 that identified these instances, which occurred in December 2018. The Department of Justice subsequently reported to the FISC each instance as a compliance incident, but those reports were issued after the CY2018 Annual Statistical Transparency Report was released. FISA TITLE IV 0 FISA CRIMINAL USE 1 IC DISSEMINATION FISC orders obtained pursuant to Section 1881a(f)(2) to review the results of a query that the FBI identified as concerning a U.S. person in response to a query that was designed to return evidence of a crime unrelated to foreign intelligence ICY2016 ICY2017 ICY2018 ICY2019 FISA SECTION 702 FISA SECTION 702 Section 702 of FISA Per the FISC Memorandum Opinion and Order dated November 6, 2015: Each reported instance in which FBI personnel received and reviewed Section 702-acquired information that the FBI identified as concerning a U.S. person in response to a query that was designed to return evidence of a crime unrelated to foreign intelligence FISA PROBABLE CAUSE Figure 9: FBI Review of 702 Query Results for Evidence of a Crime INTRODUCTION Figure 9 reports the number of instances in which FBI has reviewed the results of a query not designed to find and extract foreign intelligence information, as well as the number of instances in which the FISC authorized the FBI to review the results of such queries. Any instance in which the FBI reviewed the results of such a query without seeking a court order has been reported to the FISC as a compliance incident. FIGURES In the FISA Amendments Reauthorization Act of 2017, Congress codified the Court’s requirements regarding the access to results of certain queries conducted by the FBI. Specifically under Section 702(f)(2)(A), an order from the FISC is now required before the FBI can review the contents of a query using a U.S. person query term when the query was not designed to find and extract foreign intelligence information and was performed in connection with a predicated criminal investigation that does not relate to national security. Before the FISC may issue such an order based on a finding of probable cause, an FBI agent must apply in writing, to include the agent’s justification that the query results would provide evidence of criminal activity, and the application must be approved by the Attorney General. 50 U.S.C. Section 1873(b)(2) requires annual reporting of the number of times the FBI received an order pursuant to 702(f)(2)(A). CONTENTS Nevertheless, the FISC ordered the government to report in writing, “each instance after December 4, 2015, in which FBI personnel receive and review Section 702-acquired information that the FBI identifies as concerning a United States person in response to a query that is not designed to find and extract foreign intelligence information.” (Emphasis added). Id. at 44 and 78. The FISC directed that the report contain details of the query terms, the basis for conducting the query, the manner in which the query will be or has been used, and other details. Id. at 78. In keeping with the IC’s Principles of Transparency, the DNI has declassified the number of such queries reported to the FISC since calendar year 2016. NAT’L SECURITY LETTERS 17 CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS D. Section 702 and FBI Investigations Section 702 of FISA The number of instances in which the FBI opened, under the Criminal Investigative Division or any successor division, an investigation of a U.S. person (who is not considered a threat to national security) based wholly or in part on an acquisition authorized under Section 702 CY2017 CY2018 CY2019 0 0 0 FISA PROBABLE CAUSE Figure 10: Number of FBI Investigations Opened on USPs Based on Section 702 Acquisition INTRODUCTION 702-acquired information. See 50 U.S.C. § 1873(b) (2)(D). This statistic will provide transparency with regard to how often Section 702 collection is used for non-national security investigations conducted by the FBI. Figure 10 provides the required statistic. FIGURES With the enactment of the FISA Amendments Reauthorization Act of 2017, FISA now requires that the FBI report on the number of instances in which the FBI opened a criminal investigation of a U.S. person, who is not considered a threat to national security, based wholly or in part on Section See 50 U.S.C. § 1873(b)(2)(D). FISA TITLE IV FISA TITLE V NAT’L SECURITY LETTERS 18 NSA has been providing similar information to Congress since 2009, in classified form, per FISA reporting requirements. For example, FISA Section 702(m)(3) requires that NSA annually submit a report to applicable Congressional committees regarding certain numbers pertaining to the acquisition of Section 702-acquired information, including the number of “disseminated intelligence reports containing a reference to a United States person identity.” See 50 U.S.C. § 1881a(m)(3)(A)(i) (prior to the FISA Amendments Reauthorization Act of 2017 under § 1881a(l)(3)(A)(i)). Section 702 (m)(3)(A) also requires that the number of “United States-person identities subsequently disseminated by [NSA] in response to request for identities that were not referred to by name or title in the original reporting.” See 50 U.S.C. § 1881a(m)(3)(A)(ii). This second requirement refers to NSA providing the number of approved unmasking requests, which FISA CRIMINAL USE Section 702 Report contained 10 recommendations. Recommendation 9 focused on “accountability and transparency,” noting that the government should implement measures, “to provide insight about the extent to which the NSA acquires and utilizes the communications involving U.S. persons and people located in the United States under the Section 702 program.” PCLOB’s Section 702 Report at 145-146. Specifically, the PCLOB recommended that “the NSA should implement processes to annually count […] (5) the number of instances in which the NSA disseminates non-public information about U.S. persons, specifically distinguishing disseminations that includes names, titles, or other identifiers, such as telephone numbers or e-mail addresses, potentially associated with individuals.” Id. at 146. This recommendation is commonly referred to as Recommendation 9(5). In response to the PCLOB’s July 2014 Recommendation 9(5), NSA previously publicly provided (in the Annual Statistical Transparency Report for calendar year 2015) and continues to provide the following additional information IC DISSEMINATION BACKGROUND ON NSA DISSEMINATING U.S. PERSON INFORMATION UNDER SECTION 702. In July 2014, the PCLOB’s regarding the dissemination of Section 702 intelligence reports that contain U.S. person information. Because the PCLOB issued its recommendation in 2014, these statistics were not included in Annual Statistical Transparency Report for calendar years 2013 or 2014. FISA SECTION 702 FISA SECTION 702 E. NSA Dissemination of U.S. Person Information under FISA Section 702 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FISA CRIMINAL USE FISA TITLE IV FISA TITLE V NAT’L SECURITY LETTERS 19 In certain other instances, however, NSA makes a determination that it is appropriate to include in the original report the U.S. person’s identity (i.e., openly naming the U.S. person). When NSA includes U.S. person information in the original report, NSA is required to apply the same minimization and “need to know” standards discussed above. IC DISSEMINATION The minimization procedures also permit NSA to disseminate U.S. person identities only if doing so meets one of the specified reasons listed in NSA’s minimization procedures, including that the U.S. person consented to the dissemination, the U.S. person information was already publicly available, the U.S. person information was necessary to understand foreign intelligence information, or the com- In the instances where NSA’s report contains masked U.S. person information, recipients of the reports may submit a request to NSA for the U.S. person identifying information. The requested identity information is released (i.e., unmasked) only if the requesting recipient has a “need to know” the identity of the U.S. person and if the dissemination of the U.S. person’s identity would be consistent with NSA’s minimization procedures (e.g., the identity is necessary to understand foreign intelligence information or assess its importance); additional approval by a designated NSA official is also required. FISA SECTION 702 FISA SECTION 702 Section 702 only permits the targeting of non-U.S. persons reasonably believed to be located outside the United States to acquire foreign intelligence information. Such targets, however, may communicate information to, from, or about U.S. persons. NSA’s minimization procedures (most recently released in October 2019) permit the NSA to disseminate U.S person information if the information is necessary to understand the foreign intelligence. By policy, generally, the NSA masks the information that could identify the U.S. person. NSA’s minimization procedures define U.S. person identifying information as “ (1) the name, unique title, or address of a United States person; or (2) other personal identifiers of a United States person [. . . ]”. See NSA’s Minimization Procedures 2(f). FISA PROBABLE CAUSE Even if one these conditions applies, as a matter of policy, NSA may still mask the U.S. person identity and will include no more than the minimum amount of U.S. person information necessary to understand the foreign intelligence or to describe the crime or threat. Id. For example, instead of reporting that Section 702-acquired information revealed that non-U.S. person “Bad Guy” communicated with U.S. person “John Doe” (i.e., the actual name of the U.S. person), the report would mask “John Doe’s” name, and would state that “Bad Guy” communicated with “an identified U.S. person,” “a named U.S. person,” or “a U.S. person.” Other examples of masked U.S. person identities would be “a named U.S. entity,” “a U.S. person email address,” or “a U.S. IP address.” INTRODUCTION Prior to the PCLOB issuing its Section 702 Report, NSA’s Director of the Civil Liberties, Privacy, and Transparency Office published “NSA’s Implementation of Foreign Intelligence Surveillance Act Section 702” on April 16, 2014, (hereinafter “NSA DCLPO Report”), in which it explained NSA’s dissemination processes. NSA DCLPO Report at 7-8. NSA “only generates classified intelligence reports when the information meets a specific intelligence requirement, regardless of whether the proposed report contains U.S. person information.” NSA DCLPO Report at 7. FIGURES munication contained evidence of a crime and is being disseminated to law enforcement authorities. For example, a Section 702 target may communicate information about a U.S. person that the target intends to victimize in some way; NSA may need to disseminate the identity of affected U.S. persons to appropriate authorities so that they can take appropriate protective, preventive, or investigative action. CONTENTS is explained below. Additionally, the Attorney General and the DNI provide to Congress the number of NSA’s disseminated intelligence reports containing a U.S. person reference as part of the Attorney General and the DNI’s 702 Joint Assessment of Compliance. See 50 U.S.C. § 1881a(m)(1) (prior to the FISA Amendments Reauthorization Act of 2017 under § 1881a(l)(1)). NAT’L SECURITY LETTERS 20 FISA TITLE V NSA applies its minimization procedures in preparing its classified intelligence reports, and then disseminates the reports to authorized recipients with a need to know the information in order to perform their official duties. A limited portion of NSA’s FISA TITLE IV Consistent with the CY2018 Annual Statistical Transparency Report, this year’s report presents the number of reports (in Figure 11) separate from the statistics relating to the U.S. person identities later disseminated (in Figure 12). As noted above, a U.S. person is “a citizen of the United States, an alien lawfully admitted for permanent residence (as defined in Section 101(a)(20) of the Immigration and Nationality Act), an unincorporated association a substantial number of members of which are citizens of the United States or aliens lawfully admitted for permanent residence, or a corporation which is incorporated in the United States, but does not include a corporation or an association which is a foreign power, as defined in [50 U.S.C. § 1801(a)(1), (2), or (3)].” See 50 U.S.C. § 1801(i). Thus the numbers below include U.S. person identities not only of U.S. persons who are individuals, but also of U.S. persons that are corporations or unincorporated associations. FISA CRIMINAL USE iii. in the instances where the U.S. person identity was initially masked, upon a specific request, later reveal and unmask the U.S. person identity but only to the requestor. IC DISSEMINATION ii. initially mask (i.e., not reveal) the U.S. person identity in the report, or FISA SECTION 702 FISA SECTION 702 i. openly name (i.e., originally reveal) the U.S. person identity in the report, Note that a single report could contain multiple U.S. person identities, masked and/or openly named. For example, a single report could include of a large number of U.S. identities that a foreign intelligence target is seeking to victimize; each of those identities would be counted. FISA PROBABLE CAUSE explain how NSA disseminates U.S. person information incidentally acquired from Section 702 in classified intelligence reports. NSA may: INTRODUCTION STATISTICS OF NSA’S U.S. PERSON DISSEMINATING INFORMATION. Below are statistics and charts to further The first row of Figure 11 provides “an accounting of the number of disseminated intelligence reports containing a reference to a United States-person identity.” See 50 U.S.C. § 1881a(m)(3)(A)(i). NSA’s counting methodology is to include any disseminated intelligence report that contains a reference to one or more U.S. person identities, whether masked or openly named, even if the report includes information from other sources. NSA does not maintain records that allow it to readily determine, in the case of an intelligence report that includes information from several sources, from which source a reference to a U.S. person identity was derived. Accordingly, the references to U.S. person identities may have resulted from Section 702-authorized collection or from other authorized signals intelligence activity conducted by NSA. This counting methodology was used in the previous report and is used in NSA’s FISA Section 702(m)(3) report. FIGURES Additional information describing how the IC protects U.S. person information obtained pursuant to FISA is provided in reports by the civil liberties and privacy officers for the ODNI (including NCTC), NSA, FBI, and CIA. The reports collectively documented the rigorous and multi-layered framework that safeguards the privacy of U.S. person information in FISA disseminations. See ODNI Report on Protecting U.S. Person Identities in Disseminations under FISA and annexes containing agency specific reports. intelligence reports from Section 702 collection contains references to U.S. person identities (whether masked or openly named). CONTENTS As part of their regular oversight reviews, DOJ and ODNI review disseminations that contain information of or concerning U.S. persons that NSA obtained pursuant to Section 702 to ensure that the disseminations were consistent with the minimization procedures. 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES Figure 11: Section 702 Reports Containing USP Information Unmasked by NSA CY2016 I CY2017 I CY2018 I CY2019 3,914 4,065 4,495 4,297 REPORTS—Total number of NSA disseminated § 702 reports containing USP identities where the USP identity was masked 2,964 3,034 3,442 3,196 REPORTS—Total number of NSA disseminated § 702 reports containing USP identities where the USP identity was openly included 1,200 1,341 1,379 1,562 Rows 2 and 3 will not total row 1 because one report may contain both masked and openly named identities CY2018 CY2019 9,217 9,529 16,721 10,012 NAT’L SECURITY LETTERS 21 CY2017 FISA TITLE V The number of U.S. person identities that NSA unmasked in response to a specific request from another agency 12-month period Sep 2015–Aug 2016 FISA TITLE IV Section 702—U.S. Person (USP) Identities Unmasked by NSA FISA CRIMINAL USE Figure 12: Section 702 USP Identities Disseminated by NSA IC DISSEMINATION The CY2015 and CY2016 Annual Statistical Transparency Reports focused on responding to the PCLOB’s report recommendation 9(5) by counting only those U.S. person identities where the proper name or title of an individual was unmasked; it did not count other identifiers such as email addresses, telephone numbers or U.S. IP addresses; nor did it count identifiers pertaining to U.S. corporations or associations. Rather than distinguishing between the different ways a U.S. person might be named in an intelligence report, NSA now provides the total number of U.S. person identities unmasked in response to a specific request from another agency. This is the same metric that NSA reports to Congress pursuant to FISA Section 702(m)(3) reporting requirements. Prior to CY2017, NSA’s FISA Section 702(m)(3) reports covered the time period of September through August. From CY2017, both reports now cover the same timeframe and follow the same reporting methodology. FISA SECTION 702 FISA SECTION 702 Figure 12 provides statistics relating to the numbers of U.S. person identities that were originally masked in those reports counted in Figure 11 but which NSA later provided to authorized requestors (i.e., unmasked). This statistic is the number required to be reported to Congress in NSA’s FISA Section 702(m)(3) report. In other words, Figure 12 provides “an accounting of the number of United States-person identities subsequently disseminated by [NSA] in response to requests for identities that were not referred to by name or title in the original reporting.” See 50 U.S.C. § 1881a(m)(3)(A)(ii). This number is different than numbers provided in either CY2015 or the CY2016 Annual Statistical Transparency Report. NSA has declassified the total number of U.S. person identities unmasked in response to a request. FISA PROBABLE CAUSE REPORTS—Total number of NSA disseminated § 702 reports containing USP identities regardless of whether or not the identity was openly included or masked I INTRODUCTION Section 702 Reports Containing U.S. Person (USP) Information Disseminated by NSA FIGURES The third row provides the number of reports containing U.S. person identities where the U.S. person identity was openly included in the report. CONTENTS The second row of Figure 11 provides the number of reports containing U.S. person identities where the U.S. person identity was masked in the report. CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FIGURES A. ICPG 107.1 ƒƒ Applies regardless of the legal authority under which the information was collected. ƒƒ Does not change the standard for when a U.S. person identity may be unmasked. made pursuant to ICPG 107.1. As of January 1, 2019, all IC elements began tracking the applicable requests, including whether those requests were approved or denied, pursuant to the requirements of ICPG 107.1 E.2. Accordingly, Figure 13 provides these numbers for CY2019. Total Requests Received and Disposition CY2019 (1) Total Number of Requests Received by all IC elements this calendar year 7,724 (2) Of the 7,724 requests received, the IC Approved 6,845 349 (4) Of the 7,724 requests received, the IC processed as Withdrawn in Full 270 (5) Of the 7,724 requests received, the IC has Pending Decisions 260 NAT’L SECURITY LETTERS ƒƒ REQUESTS RECEIVED are requests to identify U.S. persons whose identities were initially masked in disseminated intelligence reports. A single request may include one or more identities or involve one or more disseminated intelligence reports, but is still counted as one request. Duplicate requests, where the same requesting entity makes an identical request to what it already requested, are not counted. If a subsequent request changes in any manner—with respect to the identities requested, the disseminated FISA TITLE V To explain how the IC counted applicable requests, definitions are provided below. FISA TITLE IV (3) Of the 7,724 requests received, the IC Denied in Full FISA CRIMINAL USE Figure 13: Requests for USP Identities and Decisions Regarding those Requests per ICPG 107.1 IC DISSEMINATION IC DISSEMINATION ICPG 107.1 also requires the DNI to report, on an annual basis, certain statistics to track requests ƒƒ Applies to all 17 IC elements. FISA SECTION 702 B. Statistics ƒƒ Procedures to respond to requests for U.S. person information that was masked in disseminated intelligence reporting and to report the number of those requests. FISA PROBABLE CAUSE ICPG 107.1 does not change the standard for when a U.S. person’s identity may be unmasked. Each IC element must follow the applicable legal authorities when determining if the element is permitted to unmask the identity of a U.S. person. ICPG 107.1 INTRODUCTION I ntelligence Community Policy Guidance (ICPG) 107.1, Requests for Identities of U.S. Persons in Disseminated Intelligence Reports, requires all IC elements to have procedures to respond to requests for the identities of U.S. persons whose identities were originally masked in a disseminated intelligence report. ICPG 107.1 applies to information regardless of the legal authority under which the information was collected including, but not limited to, FISA Section 702. 22 CONTENTS IC Dissemination of U.S. Person Information INTRODUCTION FISA PROBABLE CAUSE ƒƒ DENIED IN FULL are requests denied in their entirety. This includes denials that occurred in January 2020 for requests that were initially received in 2019. ƒƒ PENDING DECISIONS are requests where there is no final decision made because (a) the receiving IC element has not reviewed or decided on the request or (b) the receiving IC element asked the requesting entity for additional information to process the request and is waiting for such information. FIGURES ƒƒ APPROVED are requests approved in part or in their entirety. Requests that were approved in part, regardless of whether they were also denied in part or withdrawn in part, are included in this number. Approvals that occurred in January 2020 for requests that were initially received in 2019 are included in this number. ƒƒ WITHDRAWN IN FULL are requests withdrawn or cancelled by the requesting entity in their entirety. This includes withdrawals that occurred in January 2020 for requests that were initially received in 2019. CONTENTS intelligence reports, or the intended recipients of the identities—the second request would be counted as a new request received. 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FISA SECTION 702 IC DISSEMINATION IC DISSEMINATION FISA CRIMINAL USE FISA TITLE IV FISA TITLE V NAT’L SECURITY LETTERS 23 CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS FISA Criminal Use and Notice Provisions FIGURES A. FISA Sections 106 and 305 ƒƒ Attorney General advance authorization is required before such information may be used in a criminal proceeding; if such information is used or intended to be used against an aggrieved person, that person must be given notice of the information and have a chance to suppress the information. CY2017 CY2018 CY2019 See 50 U.S.C. § 1873(b)(4). 24 7 14 7 NAT’L SECURITY LETTERS The number of criminal proceedings in which the United States or a State or political subdivision thereof provided notice pursuant to Section 106 (including with respect to Section 702-acquired information) or Section 305 of the government’s intent to enter into evidence or otherwise use or disclose any information obtained or derived from electronic surveillance, physical search, or Section 702 acquisition FISA TITLE V Figure 14: Number of Criminal Proceedings in Which the Government Provided Notice of Its Intent To Use Certain FISA Information FISA TITLE IV concerning criminal proceedings must be provided to the public pertaining to Sections 106 and 305, including Section 702-acquired information. FISA CRIMINAL USE ƒƒ The FISA Amendments Reauthorization Act of 2017 codified that statistics must be provided to the public as it pertained to Section 106, Section 305, as well as Section 702 acquired information. IC DISSEMINATION The FISA Amendments Reauthorization Act of 2017 codified a requirement that certain statistics ƒƒ Section 106 applies to information acquired from Title I electronic surveillance and Section 702; Section 305 applies to information acquired from Title III physical search. FISA SECTION 702 B. Statistics ƒƒ Commonly referred to as the “criminal use provision.” FISA PROBABLE CAUSE FISA Section 305 provides comparable requirements for use of information acquired through Title III physical search (i.e., advance authorization, notice, and opportunity to suppress) in a legal proceeding. FISA Sections 106 and 305— Criminal Use and Notice Provisions INTRODUCTION F ISA Section 106 requires advance authorization from the Attorney General before any information acquired through Title I electronic surveillance may be used in a criminal proceeding. This authorization from the Attorney General is defined to include authorization by the Acting Attorney General, Deputy Attorney General, or, upon designation by the Attorney General, the Assistant Attorney General for National Security. Section 106 also requires that if a government entity intends to introduce into evidence in any trial, hearing, or other proceeding, against an “aggrieved person,” information obtained or derived from electronic surveillance, it must notify the aggrieved person and the court. The aggrieved person is then entitled to seek suppression of the information. FISA Section 706 requires that any information acquired pursuant to Section 702 be treated as electronic surveillance under Section 106 for purposes of the use, notice, and suppression requirements. 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES ESTIMATING THE NUMBER OF UNIQUE IDENTIFIERS. This NAT’L SECURITY LETTERS statistic counts (1) the targeted identifiers and (2) the non-targeted identifiers (e.g., telephone numbers and email addresses) that were in contact with the targeted identifiers. Specifically, the House Report on the USA FREEDOM Act states that “[t]he phrase ‘unique identifiers used to communicate information collected pursuant to such orders’ means the total number of, for example, email addresses or phone numbers that have been collected as a result of these particular types of FISA orders—not just the number of target email addresses or phone numbers.” [H.R. Rept. 114109 Part I, p. 26], with certain exceptions noted. FISA TITLE V 25 the IC received authorization for the installation and use of a PR/TT device against four targets in the same application, the IC would count four targets. FISA TITLE IV methodology for counting PR/TT targets is similar to the methodology described above for counting targets of electronic surveillance and/or physical search. If the IC received authorization for the installation and use of a PR/TT device against the same target in four separate applications, the IC would count one target, not four. Alternatively, if ƒƒ Government request to use a PR/TT device on U.S. person target must be based on an investigation to protect against terrorism or clandestine intelligence activities and that investigation must not be based solely on the basis of activities protected by the First Amendment to the Constitution. FISA CRIMINAL USE ESTIMATING THE NUMBER OF TARGETS. The government’s ƒƒ Requires individual FISC order to use PR/ TT device to capture dialing, routing, addressing, or signaling (DRAS) information. IC DISSEMINATION for Titles I and III and Sections 703 and 704, this report only counts the orders granting authority to conduct intelligence collection—the order for the installation and use of a PR/TT device. Thus, renewal orders are counted as a separate order; modification orders and amendments are not counted. ƒƒ Bulk collection is prohibited. FISA SECTION 702 COUNTING ORDERS. Similar to how orders were counted ƒƒ Commonly referred to as the “PR/TT” provision. FISA PROBABLE CAUSE B. Statistics FISA Title IV INTRODUCTION T itle IV of FISA authorizes the use of pen register and trap and trace (PR/TT) devices for foreign intelligence purposes. Title IV authorizes the government to use a PR/TT device to capture dialing, routing, addressing or signaling (DRAS) information. The government may submit an application to the FISC for an order approving the use of a PR/TT device (i.e., PR/TT order) for (i) “any investigation to obtain foreign intelligence information not concerning a United States person or” (ii) “to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the First Amendment to the Constitution.” 50 U.S.C. § 1842(a). If the FISC finds that the government’s application meets the requirements of FISA, the FISC must issue an order for the installation and use of a PR/TT device. FIGURES A. FISA PR/TT Authority CONTENTS FISA Title IV—Use of Pen Register and Trap and Trace (PR/TT) Devices CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS Figures 15a and 15b: Number of PR/TT Orders, Targets and Unique Identifiers Collected Total number of orders 135 90 60 33 34 22 319 516 456 41 27 29 21 56,064• 132,690 96,995 Estimated number of unique identifiers used to communicate information collected pursuant to such orders* 134,987• 81,035•‡ Estimated non-USPER targets 456 18 23 135 131 Total number of orders 16 t t (48.3% of total) (61.9% of total) 13 15 8 CY2015 41 33 CY2016 27 CY2017 34 t 29 t 22 CY2018 21 IC DISSEMINATION CY2014 14 (40.7% of total) ----60 90 CY2013 11 CY2019 Estimated number of targets See 50 U.S.C. §§ 1873(b)(3), 1873(b)(3)(A), and 1873(b)(3)(B). •This number is generated from the FBI’s systems that hold unminimized PR/TT collection. For every docket that resulted in the acquisition of PR/TT data, the collection was uploaded into these systems. Estimated number of targets who are non-U.S. persons Estimated percentage of targets who are U.S. persons I CY2017 I CY2018 16 15 18 11 14 13 43.9% 40.7% 48.3% 61.9% CY2016 23 I CY2019 8 See 50 U.S.C. §§1873(b)(3)(A)(i) and 1873(b)(3)(A)(ii) for rows one and two, respectively. *Previously the IC was not statutorily required to publicly provide these statistics, but provided them consistent with transparency principles. The FISA Amendments Reauthorization Act of 2017 codified this requirement at 50 U.S.C. §§ 1873(b)(3)(A)(i) and 1873(b)(3)(A)(ii). 26 NAT’L SECURITY LETTERS Estimated number of targets who are U.S. persons I FISA TITLE V Figure 16: FISA PR/TT Targets—U.S. Persons and Non-U.S. Persons* FISA TITLE IV FISA TITLE IV ‡For the CY2016 report, FBI erroneously provided the estimated number of unique identifiers used to communicate information collected pursuant to orders for business records instead of the number of the unique identifiers collected pursuant PR/TT orders. As noted below, FBI erroneously provided the estimated number of unique identifiers used to communicate information collected pursuant to orders for PR/TT orders under the statistics for business records. FISA CRIMINAL USE *Pursuant to § 1873(d)(2)(B), this statistic does not apply to orders resulting in the acquisition of information by the FBI that does not include email addresses or telephone numbers. PR/TT Targets FISA SECTION 702 319 (43.9% of total) FISA PROBABLE CAUSE Estimated USPER targets 516 INTRODUCTION Estimated number of targets of such orders 131 FIGURES ICY2013 ICY2014 I CY2015 I CY2016 I CY2017 I CY2018 I CY2019 Titles IV of FISA PR/TT FISA 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FIGURES A. Business Records FISA ƒƒ Title V has two key provisions: (1) traditional business records and (2) Call Detail Records (CDRs). ƒƒ CDRs may be obtained from a telephone company if the FISC issues an individual court order for the target’s records. NAT’L SECURITY LETTERS 27 FISA TITLE V Certain statutory language under Title V, as amended by the USA FREEDOM Act, expired in March 2020, and resulted in the government being limited to acquiring only four categories of business records. The government may still submit requests for business records, but those requests must comply with the statutory language in effect from March 15, 2020, and beyond. This will be addressed in next year’s transparency report, as appropriate. 2 FISA TITLE IV On November 30, 2015, the IC implemented certain provisions of the USA FREEDOM Act, including the call detail records provision and the requirement to use a specific selection term. Accordingly, only one month’s worth of data for calendar year 2015 was available with respect to those provisions. Any statistical information relating to a particular FISA authority for a particular month remains classified. Therefore, the Title V data specifically associated with December 2015 was only released in a classified annex provided to Congress as part of the report for CY2015. After FISA CRIMINAL USE the government is required to promptly destroy all bulk metadata produced by telecommunications providers under the Section 215 Program. IC DISSEMINATION ƒƒ Bulk collection of CDRs is prohibited. FISA SECTION 702 ƒƒ Request for records in an investigation of a U.S. person must be based on an investigation to protect against terrorism or clandestine intelligence activities and provided that the investigation is not conducted solely upon activities protected by the First Amendment to the Constitution. FISA PROBABLE CAUSE In June 2015, the USA FREEDOM Act was signed into law and, among other things, it amended Title V, including by prohibiting bulk collection. See 50 U.S.C. §§ 1861(b), 1861(k)(4). The DNI is required to report various statistics about two Title V provisions—traditional business records under Section 501(b)(2)(B) and call detail records under Section 501(b)(2)(C). On November 28, 2015, in compliance with amendments enacted by the USA FREEDOM Act, the IC terminated collection of bulk telephony metadata under Title V of FISA (the “Section 215 Program”). Solely due to legal obligations to preserve records in certain pending civil litigation, the IC continues to preserve previously collected bulk telephony metadata. Under the terms of a FISC order dated November 24, 2015, the bulk telephony metadata cannot be used or accessed for any purpose other than compliance with preservation obligations. Once the government’s preservation obligations are lifted, FISA Title V INTRODUCTION D uring CY2019, Title V of FISA authorized the government to submit an application for an order requiring the production of any tangible things for (i) “an investigation to obtain foreign intelligence information not concerning a United States person or” (ii) “to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the First Amendment to the Constitution.”2 50 U.S.C. § 1861. Title V is commonly referred to as the “Business Records” provision of FISA. CONTENTS FISA Title V—Business Records FISA TITLE IV FISA TITLE V FISA TITLE V NAT’L SECURITY LETTERS 28 FISA CRIMINAL USE estimate of the number of (1) targeted identifiers used to communicate information (e.g., telephone numbers and email addresses) and (2) non-targeted identifiers that were in contact with the targeted identifiers. The number of identifiers used by targets to communicate can vary significantly IC DISSEMINATION ESTIMATING THE NUMBER OF UNIQUE IDENTIFIERS. This is an FISA SECTION 702 Business Record (BR) requests for tangible things may include books, records, (e.g. electronic communications transactions records), papers, documents, and other items pursuant to 50 U.S.C. § 1861(b)(2)(B), also referred to as Section 501(b)(2)(B). These are commonly referred to as traditional business records. of the government’s methodology, assume that in a given calendar year, the government submitted a BR request targeting “John Doe” with email addresses john.doe@serviceproviderX, john.doe@ serviceproviderY, and john.doe@serviceproviderZ. The FISC found that the application met the requirements of Title V and issued orders granting the application and directing service providers X, Y, and Z to produce business records pursuant to Section 501(b)(2)(B). Provider X returned 10 non-targeted email addresses that were in contact with the target; provider Y returned 10 non-targeted email addresses that were in contact with the target; and provider Z returned 10 non-targeted email addresses that were in contact with the target. Based on this scenario, we would report the following statistics: A) one order by the FISC for the production of tangible things, B) one target of said orders, and C) 33 unique identifiers, representing three targeted email addresses plus 30 non-targeted email addresses. FISA PROBABLE CAUSE B. Statistics—Title V “Traditional” Business Records Statistics Orders, Targets and Identifiers EXPLAINING HOW WE COUNT BR STATISTICS. As an example INTRODUCTION Statistics related to traditional business records obtained under Title V Section 501(b)(2)(B) are provided first pursuant to 50 U.S.C. § 1873(b)(5). Statistics related to call detail records obtained under Title V Section 501(b)(2)(C) are provided second pursuant to 50 U.S.C. § 1873(b)(6). FIGURES In a letter to Congress, dated August 14, 2019, the DNI explained that NSA suspended its use of the USA FREEDOM Act call details record provision and deleted call detail records acquired under that authority. This decision was made after balancing the program’s relative intelligence value, associated costs, and compliance and data integrity concerns caused by the unique complexities of using company-generated records for intelligence purposes. The call detail records provision under Section 501(b)(2)(C) expired on March 15, 2020. from year to year, which in turn will impact the number of non-targeted identifiers in contact with the targeted identifiers. Furthermore, this metric represents unique identifiers received from the provider(s) and uploaded into FBI systems. The government also obtains under Title V other types of tangible things from entities other than communication service providers. For example, the FBI could obtain, under this authority, a hard-copy of a purchase receipt or surveillance video from a retail store. The purchase receipt or surveillance video could contain a unique identifier such as a telephone number, which would not be counted. Nevertheless, the government believes that such tangible things would not include many, if any, unique identifiers used to communicate information and, therefore, the figures reported constitute a good faith estimate. CONTENTS CY2015, statistical information was collected for an entire year and those statistics were included in subsequent reports. 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CY2018 CY2019 84 77 56 61 Estimated number of targets of such orders 88 74 60 53 125,354* 87,834 214,860 57,382 Estimated number of unique identifiers used to communicate information collected pursuant to such orders See 50 U.S.C. §§ 1873(b)(5), 1873(b)(5)(A), and 1873(b)(5)(B). 84 88 77 74 56 CY2017 CY2018 53 Total number of orders Estimated number of targets CY2019 Figure 17c: “Traditional” Business Records Unique Identifiers 214,860 125,354* 87,834 CY2016 CY2017 CY2018 CY2019 NAT’L SECURITY LETTERS 29 FISA TITLE V FISA TITLE V Call Detail Records (CDRs)—commonly referred to as “call event metadata”—may be obtained from telecommunications providers on an ongoing basis pursuant to 50 U.S.C. §1861(b)(2)(C). Title V of FISA defines a CDR as session identifying information (such as an originating or terminating telephone number, an International Mobile Subscriber Identity [IMSI] number, or an International Mobile Station Equipment Identity [IMEI] number), a telephone calling card number, or the time or duration of a call). See 50 U.S.C. §1861(k)(3)(A). By statute, CDRs provided to the government may not include the content of any communication, the name, address, or financial information of a subscriber or customer, or cell site location or global positioning system information. See 50 U.S.C. §1861(k)(3)(B). CDRs are stored and queried by the service providers. See 50 U.S.C. §1861(c)(2). After NSA receives the CDRs from the providers pursuant to a FISC order, NSA stores and queries those lawfully obtained CDRs. FISA TITLE IV C. Statistics—Call Detail Record Orders, Targets and Identifiers FISA CRIMINAL USE 57,382 *For the CY2016 report, FBI erroneously provided the estimated number of unique identifiers used to communicate information collected pursuant to orders for PR/TT devices instead of the number of the unique identifiers collected pursuant business records orders. As noted above, FBI erroneously provided the estimated number of unique identifiers used to communicate information collected pursuant to orders for business records orders under the statistics for PR/TT devices. IC DISSEMINATION See 50 U.S.C. §§ 1873(b)(5), 1873(b)(5)(A), and 1873(b)(5)(B). FISA SECTION 702 CY2016 61 60 FISA PROBABLE CAUSE Figure 17b: “Traditional” Business Records Orders and Targets INTRODUCTION CY2017 Business Records “BR”—Section 501(b)(2)(B) FIGURES CY2016 Total number of orders issued pursuant to applications under Section 501(b)(2)(B) CONTENTS Figure 17a: Title V “Traditional” Business Records Orders, Targets, and Unique Identifiers Collected CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES Business Records (BRs)—Section 501(b)(2)(B) Estimated number of targets of such orders 40 42 40 CY2016 I CY2017 I CY2018 I CY2019* 40 40 14 0 42 40 11 0 40 FISA PROBABLE CAUSE Total number of orders issued pursuant to applications under Section 501(b)(2)(C) I INTRODUCTION Figures 18a and 18b: CDR Orders and Targets FIGURES intended to be read in light of the decisions to suspend and delete CDRs in CY2019. As mentioned above, this provision expired on March 15, 2020. (Learn more about the USA FREEDOM Act Telephone Call Records Program). CONTENTS NSA sought no orders for the production of CDRs in CY2019, suspended the program that uses this authority, and deleted the CDRs produced pursuant to it. The statistical information for CY2019 and any comparisons to prior reporting periods is Total number of orders 14 CY2016 CY2017 11 CY2018 0 0 CY2019* FISA SECTION 702 Estimated number of targets See 50 U.S.C. §§ 1873(b)(6) and 1873(b)(6)(A). CHANGES IN TECHNICAL CAPABILITIES TO COUNT UNIQUE IDENTIFIERS. While the USA FREEDOM Act NAT’L SECURITY LETTERS report on the USA FREEDOM Act, the metric provided is over-inclusive because the government FISA TITLE V FISA TITLE V 30 THE ESTIMATED NUMBER OF CDRS RECEIVED FROM PROVIDERS. As explained in the 2016 NSA public FISA TITLE IV Prior to the development of the technical capability to count unique identifiers, this report included an alternate metric that represents the number of Both metrics are included in this report. NSA counting for CY2018 and CY2019 includes (1) the total number of CDRs received for the year as we have reported in previous years, as illustrated in Figure 20, and (2) the unique identifiers within the CDRs received for the portion of 2018 NSA was able to count them, and the portion of 2019 NSA was receiving records from the providers, as illustrated in Figure 21. FISA CRIMINAL USE directs the government to provide a good faith estimate of “the number of unique identifiers used to communicate information collected pursuant to” orders issued in response to CDR applications (see 50 U.S.C. § 1873(b)(5)(B)), the government has not always had the technical ability to isolate the number of unique identifiers within records received from the providers. In 2018, NSA developed a new technical solution to allow NSA to produce a good faith estimate of the number of unique identifiers. This new technical solution was put in place after a prior deletion of records in May 2018, permitting NSA to provide a partial-year count for that year. The deletion of records was publicly discussed in a June 28, 2018 public notice by NSA and is also discussed below. records received from the provider(s) and stored in NSA repositories (records that fail at any of a variety of validation steps are not included in this number). CDRs covered by §501(b)(2)(C) include call detail records created before, on, or after the date of the application relating to an authorized investigation. IC DISSEMINATION *Program suspended CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES 500 calls 50 • • •••• •• ••• ••• ••• ••• PHONE B PHONE C 500 calls 500 calls 500 ••• ••• ••• •••• •• ••• ••• •••• •• call s ••• ••• ••• PHONE D PHONE E PHONE F PHONE G 31 NAT’L SECURITY LETTERS Target uses Phone Number A which is the FISC-approved selector in the FISC order. This would be counted as 1 order, 1 target, 7 unique identifiers (phone numbers A, B, C, D, E, F, G) and, assuming 500 calls between each party (1,000 records), 6000 CDRs. CDRs may include records for both sides of a call (for example, one call from Phone Number A to Phone Number B could result in 2 records). FISA TITLE V FISA TITLE V • • • • FISA TITLE IV ••• PHONE A ls al 0c FISA CRIMINAL USE ••• ••• 500 calls p ho IC DISSEMINATION • h op FISA SECTION 702 st F ir FISA PROBABLE CAUSE S d on ec INTRODUCTION Figure 19: Call Event Hop Scenario and Method of Counting FIGURES orders issued pursuant to applications under Section 501(b)(2)(C) in 2019, this statistic includes records that were received from the providers in CY2019 for all orders active for any portion of the calendar year, which includes orders that the FISC approved in CY2018. Furthermore, while the records are received from domestic communications service providers, the records received are for domestic and foreign numbers. More information on how NSA implements this authority can be found in the DCLPO report, in particular see page 5 for a description and illustration of the USA FREEDOM Implementation Architecture. CONTENTS counts each record separately even if the government receives the same record multiple times (whether from one provider or multiple providers). Additionally, this metric includes duplicates of unique identifiers—i.e., because the government lacked the technical ability to isolate unique identifiers, the statistic counts the number of records even if unique identifiers are repeated. For example, if one unique identifier is associated with multiple calls to a second unique identifier, it will be counted multiple times. Similarly, if two different providers submit records showing the same two unique identifiers in contact, then those would also be counted separately. Although there were no FISC CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CY2017 CY2018 CY2019 Estimated number of call detail records arising from such targets that NSA received from providers pursuant to Section 501(b)(2)(C) and stored in its repositories* 151,230,968 534,396,285 434,238,543 4,236,479 *While the statute directs the government to count the unique identifiers, until May of 2018, the government was not technically able to isolate the number of unique identifiers; thus, the number reported above counts total CDRs received for the year and includes duplicate records. Additionally, the number of records contains both domestic and foreign numbers, including numbers used by business entities for marketing purposes. NAT’L SECURITY LETTERS 32 FISA TITLE V FISA TITLE V During CY2018, NSA subsequently re-submitted the already FISC-approved selectors to the provid- The process counts each type of identifier separately, and includes counts for phone numbers, International Mobile Subscriber Identities (IMSIs), and International Mobile Equipment Identities (IMEIs). An IMSI is a 15-digit number associated with the SIM card in a mobile phone. An IMEI FISA TITLE IV notice stating that on May 23, 2018, NSA began deleting all CDRs acquired since 2015 under Section 501(b)(2)(C) of FISA. NSA deleted the CDRs because earlier in 2018 NSA analysts noted technical irregularities in some data received from telecommunications service providers. These irregularities also resulted in the production to NSA of some CDRs that NSA was not authorized to receive. The decision to delete in 2018 was made in consultation with the Department of Justice and the ODNI, and with notice to the Congressional oversight committees, the Privacy and Civil Liberties Oversight Board, and the Foreign Intelligence Surveillance Court. ers and also submitted new selectors that were approved by the FISC. NSA ingested and stored CDRs produced by the providers in response to these submissions. Additionally, during this time, NSA implemented a new technical means of counting the unique identifiers as opposed to counting all records stored in NSA’s repositories. The new counting process was applied as the records were delivered by the providers beginning on May 23, 2018, when the process was initiated. FISA CRIMINAL USE THE ESTIMATED NUMBER OF UNIQUE IDENTIFIERS IN THE CDRS RECEIVED. On June 28, 2018, NSA issued a public IC DISSEMINATION CY2016 FISA SECTION 702 Call Detail Records (CDRs)—Section 501(b)(2)(C) FISA PROBABLE CAUSE Figure 20: CDRs Received Arising from Such Targets INTRODUCTION Not all CDRs provided to the government will be for domestic numbers. The targeted “specific selection term” could be a foreign number, could have called a foreign number or the “first-hop” number could have called a foreign number; thus, these CDRs statistics contain both domestic and foreign number results. Furthermore, CDRs provided to the government include call events with business entities, such as calls for marketing purposes. FIGURES multiple CDRs are produced and duplication occurs. Additionally, the government may receive multiple CDRs for a single call event. NSA may also submit the specific selection Phone Number A to another provider (provider Y) who may have CDRs of the same call events. CONTENTS Assume an NSA intelligence analyst learns that phone number (Phone Number A) is being used by a suspected international terrorist (target). Phone Number A is the “specific selection term” or “selector” that will be submitted to the FISC (or the Attorney General in an emergency) for approval using the “reasonable articulable suspicion” (RAS) standard. Assume that one provider (provider X) submits a record showing Phone Number A called unique identifier Phone Number B—what is referred to as a “call event.” This is the “first hop.” In turn, assume that NSA submits the “first-hop” Phone Number B to the provider X, and finds that unique identifier was used to call another unique identifier Phone Number D. This is the “second-hop.” If the unique identifiers call one another multiple times, then CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FIGURES IMEIs are associated with a phone number, so the phone number count below represents the number of unique phones associated with UFA CDRs. CONTENTS identifies the specific physical device, much like a serial number. In the CDRs NSA receives under the USA FREEDOM Act (UFA), IMSIs and Figure 21: Unique Identifiers in the CDRs Received CY2019 The number of unique identifiers used to communicate information collected pursuant to such orders under Section 501(b)(2)(C)* 19,372,544 Phone Numbers, which are associated with 7,285,362 IMSIs and 5,305,578 IMEIs 979,539 Phone Numbers, which are associated with 327,531 IMSIs and 299,966 IMEIs *Identifiers include both domestic and foreign numbers, including numbers used by business entities for marketing purposes. D. Statistics—Call Detail Record Queries CY2016 CY2017 CY2018 CY2019 22,360 31,196 164,682 26,644 FISA TITLE IV Call Detail Records (CDRs)—Section 501(b)(2)(C) Estimated number of search terms that included information concerning a U.S. person that were used to query any database of call detail records obtained through the use of such orders* FISA CRIMINAL USE Figure 22: CDRs—U.S. Person Query Terms IC DISSEMINATION streamlined and upgraded its analytic tools to improve performance and compliance capabilities. This gave NSA analysts an increased ability to group related query terms together and run those query terms against multiple repositories that the analyst is authorized to query. Regardless of the upgrade, NSA analysts were still required to comply with all applicable restrictions, controls, and training that apply to each query term and each repository. In 2019, NSA indefinitely suspended the use of the authority. Due to the technical parameters of the tool, in order to generate a count of CDR queries, NSA must count all query terms, even if query terms would never return CDR results (e.g. an email address). Additionally, the parameters of the tool do not allow NSA to distinguish which specific query terms are U.S. persons and which are not when multiple query terms are used. For example, a single query using 20 query terms counts as 20, even if only one of those terms is a U.S. person phone number, and the remaining 19 are either not associated with a U.S. person or are email addresses. FISA SECTION 702 THE NUMBER OF SEARCH TERMS ASSOCIATED WITH A U.S. PERSON USED TO QUERY THE CDR DATA. In 2018, NSA FISA PROBABLE CAUSE 23 May to 31 December 2018 INTRODUCTION Call Detail Records (CDRs)—Section 501(b)(c)(C) See 50 U.S.C. § 1873(b)(6)(C). FISA TITLE V FISA TITLE V *Consistent with § 1873(d)(2)(A), this statistic does not include queries that are conducted by the FBI. NAT’L SECURITY LETTERS 33 2019 CALENDAR YEAR ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES CONTENTS National Security Letters (NSLs) B. Statistics—National Security Letters and Requests for Information annual number of requests for multiple reasons. First, the FBI’s systems are configured to comply with Congressional reporting requirements, which do not require the FBI to track the number of individuals or organizations that are the subject of an NSL. Even if the FBI systems were configured differently, it would still be difficult to identify the number of specific individuals or organizations that are the subjects of NSLs. One reason for this NAT’L SECURITY LETTERS 34 WHY WE REPORT THE NUMBER OF NSL REQUESTS INSTEAD OF THE NUMBER OF NSL TARGETS. We are reporting the FISA TITLE V number of NSLs issued for all persons, and (2) the total number of requests for information (ROI) contained within those NSLs. When a single NSL contains multiple ROIs, each is considered a “request” and each request must be relevant to the same pending investigation. For example, if the government issued one NSL seeking subscriber information from one provider and that NSL identified three e-mail addresses for the provider to return records, this would count as one NSL issued and three ROIs. ƒƒ THE DEPARTMENT OF JUSTICE’S REPORT ON NSLs. In April 2020, the Department of Justice released its Annual Foreign Intelligence Surveillance Act Report to Congress. That report, which is available online, provides the number of requests made for certain information concerning different U.S. persons pursuant to NSL authorities during calendar year 2019. The Department of Justice’s report provides the number of individuals subject to an NSL whereas the ODNI’s report provides the number of NSLs issued. Because one person may be subject to more than one NSL in an annual period, the number of NSLs issued and the number of persons subject to an NSL differs. FISA TITLE IV COUNTING NSLs. Today we are reporting (1) the total ƒƒ FBI may only use NSLs if the information sought is relevant to international counterterrorism or counterintelligence investigation. FISA CRIMINAL USE iv. Financial records, see 12 U.S.C. § 3414. ƒƒ Bulk collection is prohibited, however, by the USA FREEDOM Act. IC DISSEMINATION iii. Full credit reports, see 15 U.S.C. § 1681v (only for counterterrorism, not for counterintelligence investigations); and ƒƒ Not authorized by FISA but by other statutes. FISA SECTION 702 ii. Consumer-identifying information possessed by consumer reporting agencies (names, addresses, places of employment, institutions at which a consumer has maintained an account), see 15 U.S.C. § 1681u; vi. FISA PROBABLE CAUSE i. Telephone subscriber information, toll records, and other electronic communication transactional records, see 18 U.S.C. § 2709; National Security Letters INTRODUCTION I n addition to statistics relating to FISA authorities, we are reporting information on the government’s use of National Security Letters (NSLs). The FBI is statutorily authorized to issue NSLs for specific records (as specified below) only if the information being sought is relevant to a national security investigation. NSLs may be issued for four commonly used types of records: v. FIGURES A. National Security Letters CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES Number of Requests for Information (ROI) 19,212 16,348 12,870 12,150 12,762 10,235 13,850 38,832 33,024 48,642 24,801 41,579 38,872 63,466 Figure 23b: Total NSLs Issued and Total ROIs Within Those NSLs 63,466 Total NSLs issued FISA TITLE IV Number of ROIs within those NSLs 48,642 41,579 38,872 FISA TITLE V 38,832 33,024 24,801 CY2013 35 16,348 CY2014 12,870 CY2015 12,150 CY2016 12,762 CY2017 10,235 CY2018 13,850 CY2019 NAT’L SECURITY LETTERS 19,212 FISA CRIMINAL USE See 50 U.S.C. § 1873(b)(6). IC DISSEMINATION Total number NSLs issued I CY2013 I CY2014 I CY2015 I CY2016 I CY2017 I CY2018 I CY2019 FISA SECTION 702 National Security Letters (NSLs) FISA PROBABLE CAUSE Figure 23a: NSLs Issued and Requests for Information INTRODUCTION As is the case with other statistics in this report, statistics often fluctuate from year to year for a variety of reasons. The IC is committed to sharing statistical data and engaging the public about how the IC uses its national security authorities and for what purposes. FIGURES We also note that the actual number of individuals or organizations that are the subject of an NSL is different than the number of NSL requests. The FBI often issues NSLs under different legal authorities, e.g., 12 U.S.C. § 3414(a)(5), 15 U.S.C. §§ 1681u(a) and (b), 15 U.S.C. § 1681v, and 18 U.S.C. § 2709, for the same individual or organization. The FBI may also serve multiple NSLs for an individual for multiple facilities (e.g., multiple e-mail accounts, landline telephone numbers and cellular phone numbers). The number of requests, consequently, is significantly larger than the number of individuals or organizations that are the subjects of the NSLs. CONTENTS is that the subscriber information returned to the FBI in response to an NSL may identify, for example, one subscriber for three accounts or it may identify different subscribers for each account. In some cases this occurs because the identification information provided by the subscriber to the provider may not be true. For example, a subscriber may use a fictitious name or alias when creating the account. Thus, in many instances, the FBI never identifies the actual subscriber of an account. In other cases, this occurs because individual subscribers may identify themselves differently for each account (e.g., inclusion of middle name, middle initial, etc.) when creating an account. CONTENTS CALENDAR YEAR 2019 ODNI STATISTICAL TRANSPARENCY REPORT REGARDING USE OF NATIONAL SECURITY AUTHORITIES FIGURES INTRODUCTION FISA PROBABLE CAUSE FISA SECTION 702 IC DISSEMINATION FISA CRIMINAL USE FISA TITLE IV FISA TITLE V NAT’L SECURITY LETTERS 36 037141 4-20