FBI personnel improperly searched an expansive foreign surveillance database for tens of thousands of phone numbers and/or email addresses that included those of Americans—in violation of rules put in place to protect Americans’ constitutional rights, according to a court ruling.
“The FBI procedures, as implemented, have involved a large number of unjustified queries conducted to retrieve information about U.S. persons,” said James Boasberg, judge on the secret Foreign Intelligence Surveillance Court (FISC) in an Oct. 18, 2018 ruling (pdf) that was released with redactions on Tuesday.
The database aggregates data collected under Section 702 of the Foreign Intelligence Surveillance Act (FISA), which allows warrantless surveillance “of persons reasonably believed to be located outside the United States to acquire foreign intelligence information.”
The FBI is allowed to query the database as long as the results are “reasonably likely to return foreign-intelligence information or evidence of crime.”
But, since April 2017, when the Section 702 surveillance was last certified by FISC, “a large number of FBI queries” didn’t comport to the rules.
The government argued that such queries generally resulted from “fundamental misunderstandings by some FBI personnel [about] what the standard ‘reasonably likely to return foreign intelligence information’ means.”
FISC was still holding back on the 2018 certification on July 12 (pdf), saying FBI documentation procedures lack a means to differentiate “whether a particular query term relates to a United States person or a non-United States person.”
The government has since updated the FBI procedures, which the FISC found “sufficient,” according to the Office of the Director of National Intelligence.
What Happened There were multiple instances of improper searches of the surveillance database, FISC learned.
“It appears that many subjects of those queries were U.S. persons,” the judge said, acknowledging it was “difficult on the record before the Court to assess to what extent U.S. person information was returned and examined as a result of those queries.”
“At a minimum, however, the reported querying practices present a serious risk of unwarranted intrusion into the private communications of a large number of U.S. persons,” he said.
In 2017, between March 24 and 27, “the FBI’s [redacted] conducted queries using identifiers for over 70,000 communication facilities ‘associated with’ persons with access to FBI facilities and systems,” the ruling said.
“Communication facilities” are means of communication, such as an email address or a phone number.
“[Redacted] proceeded with those queries notwithstanding advice from the FBI Office of General Counsel (OGC) that they should not be conducted without approval by OGC and the National Security Division (NSD) of the Department of Justice,” the ruling says, also noting, though, that “the FBI did not examine the results of those queries.”
The ruling further says that on Dec. 1, 2017, “the FBI’s [redacted] conducted over 6,800 queries using identifier of persons [redacted].”
Between Dec. 7 and 11, 2017, “[redacted] also conducted over 1,600 queries using identifiers of persons [redacted]. The [redacted] who conducted those queries advised he did not intend to run them against raw FISA information, but nonetheless reviewed raw FISA information returned by them.”
On Feb. 5 and Feb. 23, 2018, “the FBl’s [redacted] conducted approximately 30 queries regarding potential [redacted] sources, e.g., persons who [redacted] where the subject of a [redacted] investigation was [redacted].”
On Feb. 21, 2018, “the FBI’s [redacted] conducted approximately 45 queries to retrieve information on persons [redacted] under consideration as potential sources of information.”
The government also told the FISC that an unspecified FBI unit “conducted what may be considered queries against raw FISA-acquired [metadata] … using what appear to be identifiers of approximately 57,000 individuals who work [redacted].”
The date of the queries wasn’t provided, “though it is reported that the FBI informed NSD of them on April 13, 2018,” the ruling said.
The government also disclosed to FISC several queries that involved queries that were “to return information for just one person,” though the names have been redacted.
“At some time before March 2015, the FBI’s [redacted] conducted a query [redacted].
At some time before May 2016, the FBI’s [redacted] conducted a query on [redacted] before serving a classified order on [redacted].
On October 11, 2017, the FBI’s [redacted] queried [redacted] to identify cleared personnel on whom to serve process.
On November 11, 2017, the FBI’s [redacted] conducted a query on a potential recipient of a FISA order.”
Further “non-compliant queries” included:
“A small number of cases in which FBI personnel apparently conducted queries for improper personal reasons—for example, a contract linguist who ran queries on himself, other FBI employees, and relatives.
A number of instances in which FBI personnel inadvertently ran queries against Section 702 information.
A set of queries (overlapping to some extent with the set of inadvertent queries of Section 702 data) apparently intended to return FBI documents or material.”
In the court’s view, the last three instances “do not present the same level of concern as those that evidence misunderstanding of the querying standard.”
“It would be difficult to completely prevent personnel from querying data for personal reasons,” the judge said.