Don’t Fall for the Hype: How the FBI’s Use of Section 702 Surveillance Data Really Works
By Asha Rangappa
All the cool kids these days oppose the FBI’s so-called “backdoor search loophole,” which allows it to query information obtained under Section 702 of the Foreign Intelligence Surveillance Act (FISA). Lawmakers have jumped on the bandwagon: As Section 702 approaches its end-of-the-year expiration date, some members of Congress have introduced renewal legislation that would require the FBI to obtain a search warrant supported by probable cause before the FBI can view the contents of these communications.
At first glance, this might seem perfectly reasonable. Unfortunately, though, this proposal – like almost all critiques of the FBI’s use of 702 data – rests on incorrect factual premises of how 702 data is actually obtained, maintained, and accessed by the FBI, and on a lack of understanding of how FBI investigations work in general. This gap in understanding can have devastating consequences for both existing and new FBI cases. Let me tell you why.
The first thing to understand is what kind of 702 information the FBI actually has. Section 702 of FISA allows the NSA to conduct a “programmatic surveillance” program called PRISM. The parameters of PRISM, including how the NSA may target individuals and what can be shared with the CIA and FBI, are presented to and approved by the Foreign Intelligence Surveillance Court (FISC) and renewable annually. PRISM allows the NSA to target non-U.S. persons reasonably believed to be located abroad based on “selectors” – like an email address or a phone number (but not keywords or names) – which will reasonably return foreign intelligence information. In collecting these communications, the NSA will, by necessity, collect “incidental communications,” which include communications with non-target parties. Some of these incidental communications may include parties who are U.S. persons (USPERs), which under FISA are defined as U.S. citizens or permanent legal residents.
Only a subset of the total communications collected under PRISM is passed on to the FBI. Specifically, the NSA passes on to the FBI information collected on selectors associated with “Full Investigations” opened by the FBI. Full Investigations are the most serious class of investigations within the Bureau, and require the most stringent predicate to open: There must be an “articulable factual basis” that a federal crime has occurred or is occurring or a threat to national security exists. (Two other investigative classifications, Preliminary Investigations and Threat Assessments, have lower thresholds to open and shorter time limits to remain open.) In other words, the NSA provides the FBI with communications from selectors that are directly linked to the most serious crimes or threats to national security currently being investigated by the FBI. According to FBI Director Christopher Wray, the FBI receives about 4.3 percent of the NSA’s total collection – and since not every incidental communication will necessarily involve a USPER, the number of communications involving Americans is likely less than that.
The second critical aspect in understanding the FBI’s use of 702 data is how it is maintained and accessed by agents. Most criticisms of the FBI’s “backdoor loophole” include language referencing the FBI’s ability to search its “702 database.” In this paradigm, there is presumably a stand-alone computer in the middle of each FBI office with a big sign that reads “702 DATABASE” and which agents can casually query on their way to and from the water cooler. As I have written previously, this is not how it works.
Any proper attempt to reform the FBI’s access of 702 data must begin by recognizing that the FBI uses one database for all of its investigative functions. Beginning in 2011, the FBI developed a system called the Data Integration and Visualization System, or DIVS. The purpose of DIVS is to aggregate information from a number of different government databases into a single system, allowing for one-stop shopping across all government-collected data. For instance, visa applications and issuances from the Department of State, or information collected by the Department of Homeland Security, can now be accessed through DIVS, rather than having the FBI send time-consuming requests to each department (which, as I learned in practice, could “disappear” or simply end up in a bureaucratic pile somewhere and never be processed). This followed from the 9/11 Commission’s recommendation that the members of the Intelligence Community unify “their knowledge in a network-based information sharing system that transcends traditional government boundaries.” The point is for the government to have the ability to quickly “connect the dots” between information collected by various agencies on a single individual or related cases – something that, had it been possible to do prior to 9/11, might have prevented that tragedy from taking place.
As the DOJ explained to the FISC in 2015, Section 702 data provided to the FBI is included in DIVS and commingled with all other data that the FBI has the ability to query. Importantly, however, Section 702 data is “federated” within DIVS: This means that while a query may return a 702 “hit” – i.e., an indication that FISA-related information related to the queried selector exists – neither the metadata nor the content of that communication is immediately accessible to all agents. Only agents who work national security cases, have gone through FISA training, and have the appropriate clearance levels may continue to access the full 702 data at this stage. Agents working “ordinary” criminal cases, who do not have this training and clearance, would need to have an agent with the appropriate FISA clearance access the 702 data, and only after obtaining approval from both her own supervisor and the national security agent’s supervisor to rerun the query.
Two important points follow from this system. First, when an agent conducts a query, she uses the DIVS system, which includes a host of non-702–related information – there is no such thing as doing an independent, 702-only “search,” even just for surface connections between non-content selectors, or “metadata.” Second, and even more importantly, at the point at which the agent conducts the query, she does not know whether or not the search will result in a 702 “hit.” These points are critical because any requirement that imposes an a priori restriction or hurdle on determining whether a subject is even associated with 702 metadata will, by definition, affect every query conducted by the FBI. Failure to understand this point can result in misguided policy proposals: Jake Laperruque, for example, has argued that the FBI should show a court that a “metadata query” is “relevant to an ongoing investigation” before conducting a search that might return even 702 metadata. This fails to recognize that not only is there no such thing as a “metadata query,” but adopting his policy would require the FBI to go to court for every single search its 14,000 agents conduct each day.
Let’s now turn to how investigations work in practice. It’s worth emphasizing here that unlike the CIA or NSA, whose primary mission is to collect and analyze intelligence, the FBI is a law enforcement agency. Although it may collect intelligence, that function is ancillary and supportive to its primary job of investigating and preventing violations of federal law and threats to national security.
Querying DIVS is, quite literally, the first and most basic thing the FBI does in its investigative sequence. Depending on the kind of information the search returns, an agent will then take the next prescribed step as outlined in the FBI’s Domestic and Investigative Operations Guide (DIOG) until a case is either opened for further investigation, or the matter is resolved in the negative and closed. Every query, furthermore, is documented and placed in a case file. (If we learned anything from James Comey, it’s that the FBI puts everything down on paper.) In fact, every query conducted by the FBI is recorded and must be traceable back to an authorized purpose and a case file. Agent queries are routinely audited, and a failure of an agent to provide an authorized purpose for conducting a query can be grounds for sanctions, suspension, or even termination.
Much of the criticism of the FBI’s use of 702 centers around the fact that agents can query subjects in their databases even if there is no evidence of criminal wrongdoing. However, as any law enforcement official will tell you, criminals and spies don’t show up on the doorstep of law enforcement with all of their evidence and motives neatly tied up in a bow. Cases begin with leads, tips, or new information obtained in the course of other cases. Often, the discrete pieces of information the FBI receives may not in and of themselves constitute criminal acts – and the identifying information provided to the FBI may be incomplete. However, anytime the FBI receives a credible piece of information that could indicate a potential violation of the law or a threat to national security, it has a legal duty to determine whether a basis for further investigation exists. It is for this reason that a query of its existing databases is essential before proceeding further.
A very basic example can help illustrate this in practice. Let’s say the FBI receives a call (as it did before 9/11) from an instructor at a flight school. The instructor advises the FBI agent taking the call that one of the students taking a flight class is behaving strangely: In particular, this student has paid the $8,000 tuition in all-cash, has no pilot’s license or commercial flight experience, and is only interested in learning how to take off, but not in how to land. (In case it’s not evident, none of these things are illegal, but taken together could indicate a motive for using an aircraft for other than its intended purpose including as a weapon of mass destruction.) The caller provides the agent with the name of the student, and an email address and cell phone number the student used to register.
To investigate this lead, an agent will first document the lead (in this case, on a form called an FD-71). She will then query DIVS based on the information provided to see what, if any, data the FBI already has on this individual. The purpose of the query is to find out, among other things: Have other complaints ever been filed on this individual? Has this person ever been the subject of another case, or ever been interviewed by the FBI? Has this person been on the radar of another agency for any reason? Did this person enter the US on a visa, and if so, when was it issued and for how long?
As in this example, an agent may not even know, based on the limited information provided, whether or not the subject is a USPER at the time of making the initial query. (The agent may still not know after the results are returned.) Further, as noted above, because DIVS is an integrated system there is no way for an agent to know, at this stage, what kind of hits the query will return – whether it is from Section 702, another agency, or its own case files. Lastly, any information returned from the query must be documented – even if nothing turns up that warrants further action, the agent must write up the result and file it appropriately.
But let’s take this example a step further. Let’s say the initial query does return information. In particular, while the name turned up too many hits to correctly identify the individual (very common for names without a date of birth or social security number) and the cell phone returned no hits at all, the email address returns a 702 hit. What this tells the agent is that the email address used by the flight student is also linked to a Full Investigation the FBI has opened. The agent, however, cannot view the contents of the 702 data or the particular case or cases that individual may be linked to unless she is trained and has the clearance to look at FISA-related information, or two supervisors make a determination that the content of the 702 data will reasonably provide foreign intelligence or evidence of a crime related to their case.
Despite the checks, approvals, documentation, and firewalls that exist in the FBI’s process, it is here where 702 critics (and pending legislation) argue that the FBI should go to a court and obtain a warrant before viewing the 702 communications. However, ask any lawyer whether an affidavit for a search warrant that says “Target, who may or may not be a U.S. person, is behaving suspiciously in flight school and may be linked to another, unknown investigation in the FBI” will constitute probable cause for a search warrant. The resounding answer you’ll get is: No. There is simply not enough evidence at this stage to demonstrate probable cause that the individual has committed or is committing a crime, and a warrant should rightly not issue.
In fact, phrases like “just get a warrant” fail to grasp that a warrant would never issue at such an early stage of any investigation. Search warrants are an investigative tool that is used after months, and sometimes years, of investigative activity – this is why in the FBI they are only authorized for Full Investigations. FBI agents spend hundreds of hours interviewing witnesses and contacts, conducting surveillance, digging through trash, using undercover informants, and obtaining third-party records, among other techniques, to obtain evidence of a crime (or in the case of individual FISAs, acting as a foreign agent). Agents and prosecutors then spend weeks drafting affidavits that detail the evidence gathered to present to a court. Ironically, a search warrant requirement for Section 702 suggests that agents should “build a case” and use even more aggressive and intrusive tactics against an individual simply to view a discrete set of communications it already has and that might ultimately be benign – or even exculpatory. And if agents ever managed to get a warrant, the value of the 702 data – which is that it provides real-time intelligence and case connections – would be obviated by the time they looked at it anyway.
Essentially, a warrant requirement would effectively block the FBI from knowing the nature of the connection between a new lead and another serious crime or national security threat currently under investigation under its own roof. At the same time, the lead may not be pursued much further without knowing the contents of the 702 communications. By sealing off the contents of the 702 data, the FBI may not be legally able to do much more than some very limited additional checks on the complaint within a short period of time (this would be a “Threat Assessment,” also outlined in the DIOG). Unless these checks uncovered something significant enough to form a “predicate” to open an investigation, the matter would be closed. Reviewing the nature and content of the 702 communication, on the other hand, might open up several further investigative avenues: The new lead might provide a missing piece of information for the existing Full Investigation, for example, or identify connections across individuals not previously known, or suggest that the new subject could be a valuable intelligence source.
The truth is that few 702 “hits” are likely to come from over-the-transom tips like the one described above. They are more likely to come in the course of investigating new leads in already-open cases on criminal enterprises, terrorist networks, or foreign intelligence activity – the kinds of cases where contacts with foreign targets are most likely to occur. Even as I write this, I have no doubt that the agents working on the investigation into Russia’s interference in the 2016 election are relying at least in part on 702 data provided to the FBI to establish links between individuals in the United States and ongoing Russian counterintelligence investigations. Nevertheless, regardless of where in an ongoing investigation a new lead surfaces, an agent will always begin with a DIVS query – it is the initial building block of FBI investigations.
A search warrant requirement for the FBI to view the contents of 702 data returned in the course of a standard investigative query would stymie cases like Mueller’s and other investigations currently open in the FBI. Most importantly, it would leave the FBI in a position where one hand is unaware of what the other is doing, even within its own agency. This was precisely the kind of situation – known then as the “wall” – that led to the intelligence failures of 9/11 and that the Intelligence Community, under presidents of both parties, has sought to break down since. Adding unnecessary hurdles, based on a mischaracterization of the FBI’s handling of this data and a rudimentary understanding of its investigative process, would resurrect a new, and very dangerous, “wall” in the FBI.