Summary: Declassified Nov. 2020 FISC Opinion

On April 26, the Office of the Director of National Intelligence (ODNI) declassified a Nov. 18, 2020, ruling issued by the Foreign Intelligence Surveillance Court. The decision, written by the court’s presiding judge, James E. Boasberg, grants the U.S. government’s request for approval to continue collecting information on non-U.S. persons in order to acquire foreign intelligence information under Section 702 of the Foreign Intelligence Surveillance Act (FISA).

The opinion breaks down into three parts. First, it assesses the proposed targeting, querying and minimization procedures for information acquired under Section 702. Second, the court analyzes the proposed procedures for consistency with the Fourth Amendment. Finally, the opinion addresses a variety of implementation and compliance issues that have emerged since the court’s 2019 review of the agencies’ procedures.

The Government’s Submission

The court begins by summarizing the various materials the government submitted for consideration. To collect, process, analyze and store information under Section 702, the government must submit annual requests known as certifications. Each involves “the targeting of non-United States persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” The court is tasked with reviewing each certification to ensure compliance with FISA and the Fourth Amendment.

At issue this time is the government’s request for approval of the 2020 certifications, which “generally propose to continue acquisitions of foreign-intelligence information now being conducted under prior certifications that were initially submitted on September 17, 2020 (‘the 2019 Certifications’).” The government also requests that the court approve amendments to previous years’ certifications in order to apply the new rules to information collected under prior certifications.

While the precise number of certifications under consideration is redacted, as is much of their content, each is accompanied by the following:

• Supporting affidavits from the directors of the National Security Agency (NSA), the FBI, the CIA and the National Counterterrorism Center (NCTC).
• Two sets of targeting procedures, governing the NSA and the FBI, respectively.
• Four sets of minimization procedures, which govern the NSA, the FBI, the CIA and the NCTC, respectively.
• Four sets of querying procedures, which govern the NSA, the FBI, the CIA and the NCTC, respectively.

The submission also includes an explanatory memorandum that describes the government’s reasoning behind its requests and actions. The opinion doesn’t contain the submission in its entirety, but the court refers to and quotes this document throughout the opinion. Concluding that the 2020 certifications contain all of the required elements, the court moves on to considering the proposed procedures.

Targeting Procedures

As it has done in previous years when evaluating the certifications, the court begins by restating the purpose of the Section 702 targeting procedures: to (a) limit targeting to persons “reasonably believed” to be outside the United States, (b) prevent the intentional acquisition of communications in which the sender and all intended recipients are located in the U.S., (c) to ensure that acquisitions “do not intentionally target a U.S. person reasonably believed to be located outside the United States,” and (d) to ensure the government’s actions are consistent with the Fourth Amendment.

To satisfy these requirements, the court writes, the NSA must make certain findings before picking, or “tasking,” a selector (such as an email address or a phone number) on which to collect. It must make a “foreignness determination,” establishing that the target is reasonably believed to be a non-U.S. person outside the United States. It must also support that decision with an evidence-based assessment that the target is expected to yield “foreign intelligence information relevant to the subject matter of an authorized Section 702 certification.” The NSA must also conduct posttargeting analysis to detect cases when a person who was believed to be abroad is, in fact, within the U.S.

The court identifies a single noteworthy change to both the NSA’s and the FBI’s targeting procedures: Under prior certifications, reports of the NSA’s and the FBI’s noncompliance with targeting procedures were required to be sent to the Office of the Director of National Intelligence Civil Liberties Protection Officer (ODNI CLPO). The 2020 certifications require these reports to be sent to the ODNI Office of Civil Liberties, Privacy and Transparency. The government states that the change was merely to “make clear where reporting will be directed.” The court approves the change, writing that “there is no reason to believe that reports previously directed to the ODNI CLPO were ever confined to his exclusive purview to the exclusion of members of his office …. [T]here is no actual broadening of the universe of people who would have access” to these reports. Also finding this change has “no substantive impact” on the court’s prior conclusions about the adequacy of the NSA’s and the FBI’s respective targeting procedures, the court approves them.

Minimization and Querying Procedures

The court is also required to assess whether the agencies’ proposed minimization and querying procedures comply with statutory requirements and the Fourth Amendment.

While there are “significant differences” among the agencies’ procedures due to their “differing missions, legal and policy constraints, and technical architecture,” the court writes, they broadly perform similar functions. Each agency’s procedures:

• [S]et criteria for the indefinite retention of information of or concerning United States persons and generally applicable timetables for destroying information that does not meet those criteria[.]
• [P]rovide special rules for protecting attorney-client communications[.]
• [S]et standards and procedures for disseminating information[.]
• [P]rescribe procedures for obtaining technical or linguistic assistance from other agencies and/or from foreign governments[.]

The procedures also contain guidance for situations in which the government’s initial “foreignness determination” was reasonable, but the target is later discovered to be a U.S. person or located inside the United States.

Additionally, each agency’s querying procedures contain record-keeping requirements for the use of U.S.-person query terms. “Investigative and analytics personnel at the CIA, the NSA, and NCTC are allowed to query unminimized Section 702 information if the queries are reasonably likely to return foreign-intelligence information,” as the court describes the procedures. Those at the FBI may do the same if their queries are “reasonably likely to return foreign-intelligence information or evidence of a crime.”

In this section the court addresses the minimization and querying procedures of four agencies: the CIA, the NSA, the FBI, and the NCTC. The government’s submission does not propose any changes to the NSA or CIA minimization procedures, nor does it propose changes to the FBI or CIA querying procedures. While the government does propose some minor changes to the FBI minimization procedures, the court determines that they do not detract from the finding that the procedures are “statutorily and constitutionally sufficient.”

Next, the court takes up in sequence the NCTC querying and minimization procedures and the NSA querying procedures.

NCTC Querying and Minimization Procedures

The opinion addresses four changes in the NCTC minimization procedures. The first two involve title and terminology changes, which do not appear to implicate the court’s previous determination of the procedures’ adequacy.

First, the government proposes to change all references to “NCTC employees” in the procedures to “NCTC personnel.” The government explains that the change in terminology more clearly reflects the scope of application, as the term “personnel” includes “employees as well as certain individuals detailed to NCTC and contractors working under NCTC management and supervision.” The court characterizes this as a “change of emphasis” and states that the “effective scope of the operative definition remains unchanged.”

Second, in two sections governing the retention of 702-acquired information, the government proposes to change references to “deputy director for intelligence” and “deputy director of terrorist identities” to “assistant director for intelligence” and “assistant director for identity intelligence,” respectively. The government writes that these changes “reflect internal renaming of the positions at NCTC” and that the “referenced position[s] and duties of the individuals in these positions remain the same.”

The third proposed change, however, is substantive and gives the court pause. The change would authorize individuals at or above the rank of “group chief” within the NCTC Directorate of Identity Intelligence to approve disseminations of Section 702-acquired information concerning U.S. persons. This, the court writes, would “expand the universe of individuals” who may approve such disseminations; approval previously had to come from the NCTC director or a designee at or above the rank of group chief within a separate NCTC Directorate of Intelligence. The government says that this change reflects an “internal NCTC realignment moving an analytic group responsible for identifying and locating members of terrorist networks from the Directorate of Intelligence to the Directorate of Identity Intelligence.”

The court expresses some reservations. The act of moving an analytic group, it argues, “does not mean that the practical effect of the proposed change would be limited to that group.” Presumably, it writes, “there are other groups within the Directorate of Identity Intelligence, and, on its face, this change would allow the NCTC director to delegate dissemination determinations to chiefs of those other groups …[,] none of whom currently can be delegated such authority.”

The court makes clear that it does not “second-guess internal organizational decisions made by the Executive.” It also notes that it has not been provided with enough information about the composition of the Directorate of Identity Intelligence to know whether extending the delegated authority to other group chiefs in the directorate is “equally appropriate.” Thus the court approves the change but requires the government to report on the exercise of the delegation authority to any official within the Directorate of Identity Intelligence other than the one specifically discussed in the government’s submission.

Fourth, the court discusses a change made to a section of the NCTC minimization procedures at the court’s suggestion. As previously written, the section allowed the NCTC to indefinitely retain “evidence-of-a-crime information” concerning a U.S. person. Following the revision, the agency can retain “evidence of a crime” only for the purpose of disseminating it to law enforcement authorities. With this change, the court concludes that the NCTC minimization procedures satisfy the statute.

The opinion also quickly deals with the NCTC querying procedures, which propose the same change of replacing “NCTC employees” with “NCTC personnel.” For reasons previously discussed, the court approves the change and, with it, the NCTC querying procedures.

NSA Querying Procedures

The court also approves the NSA querying procedures after recommending a single change in response to a move that the court characterized as an appropriate deviation from its procedures.

The NSA queries of unminimized Section 702 information must be reasonably likely to return foreign intelligence information; however, the procedures contain exceptions to that standard. The need to perform “lawful oversight functions of the NSA’s personnel or systems” is one category of exception. The NSA may also deviate from the procedures “to perform other oversight functions” if the agency consults with the Justice Department’s National Security Division (NSD) and the ODNI.

In a Jan. 22, 2020, notice, the government informed the court of one such deviation from the querying procedures. The government wrote that the NSA had developed a method for identifying known or suspected child exploitation material, to identify and remove such material from the NSA systems. The NSA tested the methodology against a sample of FISA-acquired information in the NSA systems.

The government concedes the queries involved in this case do not meet the generally applicable querying standard, nor do they fall within one of the enumerated lawful oversight functions. However, the NSD and the ODNI argue that “the identification and removal of child-exploitation material … from the NSA systems is a lawful oversight function” and that “the deviation from querying procedure was necessary.” The NSA anticipates using such queries in the future “to prevent [NSA] personnel from unneeded exposure to highly disturbing, illegal material,” the court writes.

The court finds that these queries qualify as a lawful oversight function for the NSA systems but encourages the government to add this activity to the list of other enumerated exceptions to the querying standards.

Clarification Regarding Segregation of Attorney-Client Privileged Communications by the NSA, the CIA and the NCTC

The court also follows up on reporting it had previously requested in connection with the 2019 certifications regarding the agencies’ procedures for handling attorney-client communications.

The NSA, CIA, and NCTC minimization procedures require them to “segregate” attorney-client privileged information acquired under Section 702 from other information. In connection with the 2019 certifications, the court had inquired about how the three agencies implemented this requirement. The government responded that the CIA and the NCTC limit access to the information to a small number of individuals needed to process the information for compliance purposes. The NSA, by contrast, implements the requirement differently. In the 2019 certifications, the government said that attorney-client communications in the NSA systems that are marked for quarantine “remain discoverable by the NSA personnel, but may not be used in taskings made pursuant to section 702, FISA applications, or any reporting product.”

The court was concerned that the NSA personnel with access to the Section 702-acquired information also had access to all attorney-client privileged communication. This arrangement, the court writes, was insufficiently protective of the privilege inherent in those communications. In response, the government reports that the NSA is implementing a procedure limiting access to this information to a “designated number of individuals who require access for a specific foreign intelligence purpose.” The NSA’s procedures place numerous restrictions on the dissemination of such privileged communications. Many of the details in this section, however, are redacted.

The court finds that the new procedure is a “significant improvement” in the implementation of the segregation requirement. But it also notes that the NSA continues to interpret the requirement differently from the CIA and the NCTC.

In all, the court finds that the “further restriction of privileged communications … enhances the privacy protection afforded those communications under the NSA’s procedures[,]” and the court concludes that the procedures are reasonably designed to protect the substantial privacy interests in attorney-client communications, consistent with the need to exploit those communications for legitimate foreign intelligence purposes.

The court, however, admonishes the government to guard against the following possibility: The NSA may disseminate to the FBI a report based on privileged communication that, had the FBI obtained it through its own collection efforts, would need to be sequestered with the court under the FBI minimization procedures.

With that warning, the court concludes that the NSA, CIA and NCTC minimization and querying procedures satisfy the definitions and requirements of the statute.

Fourth Amendment Requirements

The court moves on to consider whether the proposed targeting, minimization and querying procedures, together, are consistent with the requirements of the Fourth Amendment. The court notes that these protections do not apply to the primary targets of Section 702 collection: non-U.S. persons located outside the United States. To the extent that U.S.-persons information is acquired under Section 702 (for example, in the case of incidental collection), the court writes, the government can reduce the intrusiveness of the acquisition by restricting use or disclosure of the information. The court has previously found that the various agencies’ targeting and minimization procedures “adequately protect the Fourth Amendment interests that are implicated” by acquiring the communications of U.S. persons.

To determine whether the procedures are consistent with the Fourth Amendment, the court relies on a balancing test first articulated in Wyoming v. Houghton, weighing “the degree to which [government action] intrudes upon individual privacy” against “the degree to which it is needed for the promotion of legitimate governmental interests.” The court has previously written that acquiring “foreign intelligence with an eye toward safeguarding the nation’s security serves … a particularly intense interest.” Moreover, it has said, the balancing test tilts in favor of upholding the government’s actions “if the protections that are in place for individual privacy interests are sufficient in light of the governmental interest at stake.”

In this case, the court finds that the proposed targeting, minimization and querying procedures will adequately guard against error and abuse, taking into account the individual and governmental interests at stake. It, therefore, finds the procedures consistent with the Fourth Amendment requirements.

Implementation and Compliance Issues

The court begins this several-part section of the opinion with a largely redacted analysis of the agencies’ implementation of their targeting procedures. It then moves on to consider a variety of querying issues that have emerged at the FBI.

FBI Querying Issues

With the 2019 certifications, the court approved amended FBI querying procedures that required greater record-keeping, documentation and reporting around FBI personnel’s querying of unminimized Section 702 information. The FBI needed time to implement the new requirements, so the court ordered the FBI to report periodically on its progress. On March 5, 2020, the FBI informed the court that it had concluded its implementation of the amended querying procedures.

The court, however, writes that it continues to be concerned about the FBI’s querying practices with respect to “1) application of the substantive standard for conducting queries, 2) queries that are designed to retrieve evidence of a crime that is not foreign intelligence information, and 3) recordkeeping and documentation requirements.” A number of reported compliance incidents suggest the FBI’s failure to apply its querying standard when searching 702-acquired information is more pervasive than the court previously believed, the opinion states. The court describes four instances in which analysts conducted queries of raw Section 702 information. Two cases, according to the court, resulted from accidents when the analysts “mistakenly failed to opt out of querying against raw FISA acquired information.”

The court also explored an unspecified number of incidents in which FBI systems inappropriately returned Section 702 information in response to queries designed to retrieve evidence of a crime—not foreign intelligence information. Normally, FBI personnel are allowed to query and view Section 702 information for evidence of a crime only if they apply to the court for a certification under Section 702(f)(2). However, oversight reviews at seven FBI field offices uncovered “a number of … violations” in which FBI systems have displayed Section 702 information that would require such a certification. The court describes two illustrative cases:

For example, the government discovered 40 queries that had been conducted in support of predicated criminal investigations related to health-care fraud, transnational organized crime, domestic terrorism involving racially motivated violent extremists, as well as investigations relating to public corruption and bribery. None of these queries was related to national security and they returned numerous Section 702-acquired products in response …. Another analyst ran a “batch query” in connection with predicated criminal investigations relating to domestic terrorism that returned 33 Section 702-acquired products, but the FBI was unable to confirm whether any products were opened.

The FBI stated that none of the Section 702-acquired information was used “in a criminal or civil proceeding or otherwise used for any investigative or evidentiary purpose.” Nevertheless, the court writes, these and other reported incidents indicate “apparent widespread violations of the querying standard.”

Finally, the court explores three issues regarding the FBI’s compliance with record-keeping and documentation requirements for U.S.-person query terms. First, the court examines issues with the documentation procedures involved in FBI personnel conducting U.S.-person queries for evidence of a crime rather than for foreign intelligence purposes. The court describes the querying process in great detail, with an emphasis on the various yes-no questions FBI personnel face when querying FISA-acquired information, which serve to document the rationale and legal basis for their query. In some cases, the system offers default choices to those questions that, if accepted, allow users to view Section 702 information inappropriately. For example,

when a user is prompted to indicate whether a U.S.-person query is conducted to find only evidence of a crime, the system’s default answer is “No.” Unless the user changes the answer to “Yes,” the system will permit a user to access the 702-acquired contents—even if a non-foreign intelligence evidence-of-a-crime justification is entered.

The court writes that this differs from its previous understanding that “a user must provide both a justification for the query, and an affirmative indication as to whether the query is an evidence-of-a-crime query” (emphasis in original). It also expresses reservations about the “default choice architecture in the … system because of how it may influence behavior or lead to misunderstandings by FBI personnel querying Section 702-acquired information.”

As the court does not have enough information to assess whether the government’s training efforts and changes to its systems are increasing compliance despite the default choice architecture, it approves the FBI’s querying procedures. That said, it requires the FBI to report on “evidence of a crime (only) queries” to evaluate whether querying procedures are being implemented in a manner consistent with the statute and the Fourth Amendment.

Second, the court requires reporting on a variety of querying and oversight statistics related to bulk querying. This comes in response to the government’s failing to record whether U.S.-person query terms were used in the “bulk search” feature, which allows users to conduct “batch” queries using multiple search terms. The government also reported allowing users to view the content of 702 information without entering a justification in the system. According to the court, the bulk search feature has operated this way since late November 2019. “The fact that this system failure went undetected or unreported for nearly a year highlights the ramifications of the technical shortcomings in implementation of the procedures,” the court writes.

Third, the court discusses and predicts positive results from modifications made to an FBI SharePoint site used for recording whether queries satisfy the querying standard before users can view the contents that are returned. The FBI disabled an auto-preview feature it discovered that allowed users to see the results of a U.S.-person query without a record being made of that query. The modified system will present query results to users only after the full query term has been entered, and it will log every query. This change, the court writes, provides reason to expect improvement in the government’s compliance with the querying procedures.

The court responds to most of these issues with the same fundamental rejoinder: The incidents largely occurred prior to the FBI implementing the requirements of the 2019 certifications, which included changes to FBI systems and training about new documentation and record-keeping procedures. Per the court, the coronavirus pandemic also “severely limited the government’s ability to monitor the FBI’s compliance once the system changes were implemented and users received training on those changes.” Together, these two factors deny the court the information necessary to assess whether the government’s training efforts and changes to its systems are increasing compliance. Absent evidence to the contrary and given the unique oversight circumstances created by the coronavirus, the court repeatedly writes, the compliance incidents do not undermine its original determination that the FBI’s querying and minimization procedures meet statutory and Fourth Amendment requirements. The court also requires the FBI to report on “evidence of a crime (only) queries” to evaluate whether querying procedures are being implemented in a manner consistent with the statute and the Fourth Amendment.

FBI Retention/Searches on Archival Systems and Retention/Searches of User-Activity Monitoring Systems

The FBI maintains a system that archives email messages sent to or from an FBI email system since 2011, some of which may contain raw FISA-acquired information. The bureau also stores copies of its classified instant-messaging system in a separate archival system. The opinion details that the FBI is moving to a new archival system that will replace and receive data from legacy systems to assist the FBI’s Information Management Division in fulfilling obligations under the Freedom of Information Act and the Privacy Act. The government treats the relevant data as potentially containing raw FISA-acquired information subject to the FBI’s Section 702 minimization procedures, and maintains that the FBI must report to the court if certain unminimized information is retained in such databases. The FBI has, in the court’s view, disregarded this requirement by taking too long to issue guidance on it to FBI personnel.

The court holds that the creation of the archival system does not present any new cause for concern. The opinion does, however, admonish the government to report any instance of retention of unminimized 702 information subject to the reporting requirement.

Similar retention and reporting requirements, the court writes, apply to Section 702-acquired information in “user-activity monitoring systems.” The court keeps in place reporting requirements around these systems and related activities being undertaken by the FBI, the CIA and the NSA.

Failure to Purge Recalled Reports

The court also takes up the issue of agencies failing to purge their systems of reports that have been recalled for FISA-compliance purposes.

In March 2019, the government reported that NCTC systems did not purge the NSA reports that were subsequently recalled by the NSA. As a result, NCTC analysts retained access to reports that potentially contained FISA information and had been recalled due to compliance incidents. Subsequent investigation revealed that the NSA and CIA also had systems that did not purge reports when they were recalled. In its Dec. 6, 2019, opinion, the court directed the government to report by Feb. 28, 2020, on steps to ensure agencies purge their systems of reports recalled for FISA compliance reasons.

In its filing, the government states that the ODNI has created a new category under which intelligence products can be recalled: FISA-compliance recall. The category will be used to notify recipients that a product has been recalled specifically for FISA-compliance reasons. The revised guidance, which appears in the “DNI Intelligence Community policy memorandum” also requires each revision or recall notice to specify a point of contact who can provide additional details on why the notice was issued. The revised memorandum has been issued, but the government was unable to provide to the court an estimated timeline for implementing the revised policy.

The court concludes that it is satisfied with the policy and requires the government to provide regular reports on the status of implementation.

Other Incidents of Noncompliance

Finally, the court turns to several miscellaneous instances of noncompliance. These include the NSA failing to appropriately task facilities for acquisition because of insufficient or incomplete foreignness checks, incorrect processing of requests for certain administrative updates, or overly attenuated connections between the targeted user and an authorized foreign power or foreign territory.

The court also describes an instance in which the FBI failed to establish a timely review team to protect attorney-client communications after a Section 702 target had been charged with a federal crime.

After considering these and other matters, the court finds that the proposed procedures, as reasonably expected to be implemented, comply with applicable statutory and Fourth Amendment requirements. The court writes that it will continue to monitor the government’s implementation of the procedures, especially regarding U.S.-person queries.

Conclusion

The court concludes by restating its approval of the 2020 certifications and procedures. It also orders the government to produce the various aforementioned reports.