FBI Warrantless Searches of U.S. Persons under FISA Over-Reported
Privacy In Focus®
The headlines scream: “FBI made 3.4M warrantless U.S. data searches,” claiming that the FBI carried out nearly 3.4 million warrantless searches of Americans’ electronic data that was collected as part of the government’s foreign surveillance activities. The headline conjures up images of Big Brother and the violation of U.S. privacy rights by indiscriminate government searches. But, what does the government’s report really say, and what do these figures really mean?
On April 28, 2022, the Office of the Director of National Intelligence (ODNI) published the Annual Statistical Transparency Report: Regarding the Intelligence Community’s Use of National Security Surveillance Authorities – Calendar Year 2021. This annual report provides statistics and contextual information about how the Intelligence Community uses the Foreign Intelligence Surveillance Act (FISA) and certain other national security authorities to accomplish its mission. The report also describes the circumstances under which such national security activities are conducted and the rules that are designed to ensure compliance with the Constitution and laws of the United States.
Let’s provide some context for this report. Congress passed FISA in 1978 to provide judicial and congressional oversight of foreign intelligence surveillance activities while maintaining the secrecy necessary to investigate national security threats. Initially, FISA only addressed electronic surveillance, but the act has been amended to include the use of physical searches, pen registers, trap and trace devices, and business records. Title VII of FISA includes Section 702, which permits the Attorney General (AG) and the Director of National Intelligence (DNI) to jointly authorize the targeting of: (1) non-U.S. persons; (2) who are reasonably believed to be located outside the U.S.; (3) to acquire foreign intelligence information, if all three requirements are met. Section 702 also requires that the Attorney General, in consultation with the DNI adopt targeting procedures, minimization procedures, and querying procedures to make sure that the statutory requirements of Section 702 and the constitutional requirements of the Fourth Amendment are satisfied.
The FISA Amendments Reauthorization Act of 2017 amended Section 702 of FISA to require that querying procedures be adopted by the AG in consultation with the DNI. Those querying procedures are required to be consistent with the Fourth Amendment and a record must be kept of each U.S. person term used for a query. Query terms may be date-bound and may include alpha-numeric strings (e.g., telephone numbers or email addresses) as well as terms (e.g., names) that can be used individually or in combination with one another. According to procedures approved by the Foreign Intelligence Surveillance Court (FISC), certain Intelligence Community (IC) agencies may only query Section 702 information if the query is reasonably likely to retrieve foreign intelligence information or, in the case of the FBI which is an IC agency and a domestic law enforcement investigative agency, evidence of a crime. This standard applies to all Section 702 queries regardless of whether the term concerns a U.S. person or a non-U.S. person.
U.S. Person Query Statistics
The USA FREEDOM Act requires the government to report the number of search terms concerning a known U.S. person used to retrieve unminimized content, known as “query term content,” and the number of queries concerning a U.S. person and unminimized non-contents for communications and data acquired under Section 702. The FBI, however, is exempt from this statutory reporting requirement. Due to recent changes in the FBI’s systems documenting the assessed U.S. person status with query terms, the FBI can now identify the number of U.S. person queries conducted against unminimized Section 702-acquired information. Unlike NSA, CIA, and NCTC, the FBI does not count the number of unique query terms, but instead counts the total number of queries which can lead to duplicate queries for the same term and dramatically different reporting results.
FBI U.S. Person Queries
The 2021 Annual Transparency Report, for the first time, now includes the number of queries the FBI ran using U.S. person identifiers against unminimized Section 702 collections. The FBI U.S. person queries, however, were reported separately from the National Security Agency (NSA), the Central Intelligence Agency (CIA), and the National Counterterrorism Center (NCTC) for several important reasons, and the methodology has led to overcounting U.S. person queries.
- The FBI has a dual law enforcement and intelligence mission.
The FBI’s standard for conducting queries of unminimized Section 702-acquired information is fundamentally different from other agencies. Where NSA, CIA, and NCTC are authorized to query Section 702-acquired contents and non-content information for foreign intelligence information, the FBI is authorized to conduct queries that are both reasonably likely to return foreign intelligence information and queries that are reasonably likely to return evidence of a crime. The broader query authority for the FBI than its IC counterparts is a result of the FBI’s dual law enforcement and intelligence mission.
2. The FBI’s domestic mission involves more U.S. person information.
Reportedly, the FBI receives less than 5% of the IC’s total Section 702 collection, but the frequency with which the FBI uses U.S. person query terms is greater than its IC counterparts because of the FBI’s domestic-focused mission versus the IC’s foreign-focused missions. The FBI’s queries are often initiated through tips and leads relating to domestic matters, provided by the American public or domestic partners, which are more likely to involve U.S. persons.
3. The FBI uses a different counting methodology.
According to ODNI, the FBI does not currently have the capability to identify the number of unique U.S. person query terms. Instead, the FBI only has the ability to count the total number of queries, which may include duplicate queries. Unlike NSA, CIA, and NCTC, if the FBI runs the same query term five times against Section 702-acquired content, this is counted as five queries, not one query term. Additionally, unlike NSA and CIA but comparable to NCTC, FBI queries are run against both content and non-content information.
4. The FBI’s reporting can vary based on investigative activities.
In the first half of 2021, there were a number of large “batch” queries related to attempts to compromise U.S. critical infrastructure by foreign cyber actors. A batch query is where the FBI runs multiple query terms at the same time using a common justification for all of the query terms. Each of the query terms in a batch query is counted as a separate query. These particular large batch queries were reviewed by the U.S. Department of Justice and found to be compliant with the FBI’s Section 702 querying procedures. These queries included approximately 1.9 million query terms related to potential victims, including U.S. persons, of this malicious cyber activity. These queries accounted for the vast majority of the increase in U.S. person queries conducted by the FBI at that time.
In the summer of 2021, the FBI made several changes to systems that store unminimized Section 702-acquired information designed to ensure compliance with the FBI’s 702 querying procedures by adding an additional approval process for batch queries. The FBI also modified two important systems that allow the FBI to query across multiple datasets to require FBI personnel to affirmatively “opt-in” to querying unminimized FISA Section 702-acquired information. These changes are significant because after these changes were made, the average monthly number of FBI U.S. person queries run against unminimized Section 702-acquired collection decreased. Investigative activity and system design changes can greatly impact the numbers that are recorded.
It’s important to note that the number of FBI queries does not reflect the number of U.S. persons associated with these queries, due to the way the numbers are calculated. For instance, a single U.S. person might be associated with 10 unique query terms including name, Social Security number, passport number, multiple email addresses, etc. These 10 identifiers could be run 10 different times throughout the reporting period, resulting in 100 queries associated with a single individual or U.S. company. So, multiple identifiers that are searched for one person could result in hundreds of queries of the identifiers for that one person. Additionally, the FBI has the capability to run queries in which a single query action might include hundreds of query terms. The FBI counts such query terms as hundreds, not one. That means that if one term in a 100-term query action is associated with a U.S. person, the query action will be counted as 100 U.S. person queries, even if some of the query terms are not associated with a U.S. person.
While the intent of this system is to capture all potential U.S. person query terms, the result is an overcounting of the number of U.S. person queries that the FBI actually conducts. It’s ironic that the steps the FBI has taken to safeguard U.S. person information by redesigning systems and adding additional approval levels have actually resulted in the overcounting of U.S. person queries, leading to the misimpression that a large number of U.S. persons are subject to warrantless searches. This overcounting is the reason why ODNI reported the number of FBI U.S. person queries as “fewer than” the total number of queries labeled as U.S. person queries. Again, these are queries and not persons. True transparency in reporting would be able to differentiate between actual U.S. persons versus queries and would have a comparable counting methodology that is consistent among relevant IC agencies using Section 702 data.
© 2022 Wiley Rein LLP