January 2011

Executive Summary

In a review of nearly 2,500 pages of documents released by the Federal Bureau of Investigation as a result of litigation under the Freedom of Information Act, EFF uncovered alarming trends in the Bureau’s intelligence investigation practices. The documents consist of reports made by the FBI to the Intelligence Oversight Board of violations committed during intelligence investigations from 2001 to 2008. The documents suggest that FBI intelligence investigations have compromised the civil liberties of American citizens far more frequently, and to a greater extent, than was previously assumed. In particular, EFF’s analysis provides new insight into:

Number of Violations Committed by the FBI

From 2001 to 2008, the FBI reported to the IOB approximately 800 violations of laws, Executive Orders, or other regulations governing intelligence investigations, although this number likely significantly under-represents the number of violations that actually occurred.

From 2001 to 2008, the FBI investigated, at minimum, 7000 potential violations of laws, Executive Orders, or other regulations governing intelligence investigations.

Based on the proportion of violations reported to the IOB and the FBI’s own statements regarding the number of NSL violations that occurred, the actual number of violations that may have occurred from 2001 to 2008 could approach tens of thousands of possible violations of law, Executive Order, or other regulations governing intelligence investigations.

Substantial Delays in the Intelligence Oversight Process

From 2001 to 2008, both FBI and IOB oversight of intelligence activities was delayed and likely ineffectual; on average, 2.5 years elapsed between a violation’s occurrence and its eventual reporting to the IOB.

Type and Frequency of FBI Intelligence Violations

From 2001 to 2008, of the nearly 800 violations reported to the IOB:

over one-third involved FBI violation of rules governing internal oversight of intelligence investigations.

nearly one-third involved FBI abuse, misuse, or careless use of the Bureau’s National Security Letter authority.

almost one-fifth involved an FBI violation of the Constitution, the Foreign Intelligence Surveillance Act, or other laws governing criminal investigations or intelligence gathering activities.

From 2001 to 2008, in nearly half of all NSL violations, third-parties to whom NSLs were issued — phone companies, internet service providers, financial institutions, and credit agencies — contributed in some way to the FBI’s unauthorized receipt of personal information.

From 2001 to 2008, the FBI engaged in a number of flagrant legal violations, including:

submitting false or inaccurate declarations to courts.

using improper evidence to obtain federal grand jury subpoenas.

accessing password protected documents without a warrant.

Introduction

EFF’s analysis of recently disclosed documents provides new insights into the Federal Bureau of Investigation’s unlawful surveillance of Americans during intelligence investigations conducted between 2001 and 2008.

In response to EFF FOIA requests issued in 2008 and 2009, the FBI released reports of violations made to the Intelligence Oversight Board (IOB) — an independent, civilian intelligence-monitoring board that reports to the President on the legality of foreign and domestic intelligence operations. The nearly 2,500 pages of documents EFF received include FBI reports to the IOB from 2001 to 2008. The reports catalog 768 specific violations arising from FBI monitoring of U.S. citizens, resident aliens, and non-residents.

Following a series of government investigations into FBI intelligence abuses, EFF submitted FOIA requests in an effort to obtain the FBI’s IOB reports. In 2007, the Department of Justice, Office of Inspector General released a report (pdf) documenting the FBI’s abuse of its National Security Letter (NSL) authority: the report found, in an audit of only 10% of national security investigations, that the FBI may have committed as many as 3000 NSL violations and had failed to report many of those violations to the IOB. A 2008 OIG report (pdf) confirmed and expanded the earlier report’s findings and critically assessed the steps taken by the FBI to address the abuse of NSLs.

Following the second OIG report in 2008, EFF submitted FOIA requests to eleven federal agencies and agency components requesting all reports of intelligence violations made to the IOB from 2001 to 2008. EFF submitted subsequent requests the following year for violations reported to the IOB from 2008 to 2009. In July 2009, after many agencies failed to respond to the request, EFF filed suit against seven defendants — including the CIA, NSA, Department of Defense, Department of Homeland Security, Department of Justice, Office of the Director of National Intelligence, and Department of State — demanding the agencies comply with the law and produce the requested documents. In December 2009, the Court ordered the agencies to begin processing EFF’s request. In July 2010, two years after EFF’s initial FOIA request, the FBI began its release of documents. Over three separate installments in July, August, and October 2010, the FBI released nearly 2,500 pages of documents related to reports of intelligence violations to the IOB.

The documents released to EFF constitute the most complete picture of post-9/11 FBI intelligence abuses available to the public. Among other findings, EFF’s analysis of the documents shows that, from 2001 to 2008, significant delays occurred in the reporting of FBI violations to the IOB. The analysis also provides new insights into the type and frequency of violations committed by the Bureau. Most violations fell into one of three broad categories: first, FBI failure to comply with oversight guidelines; second, abuse of the FBI’s authority to issue National Security Letters; and, third, the FBI’s failure to carry out investigations within the bounds of the Constitution or other federal statutes governing intelligence-gathering. Finally, EFF’s analysis concludes that the FBI may have committed as many as 40,000 violations in the 10 years since the attacks of 9/11.

The Intelligence Oversight Board

The Intelligence Oversight Board "was created in 1976 by President Ford in response to recommendations made by the Rockefeller Commission calling for a Presidential-level body with specific oversight responsibilities for the legality and propriety of US intelligence activities." The Commission’s recommendations came in the wake of a series of congressional reports that revealed illegal and abusive intelligence activities targeting American and foreign citizens. These reports found that intelligence agencies had intercepted and read Americans’ mail, performed surveillance on civil rights leaders and other dissidents, and had orchestrated assassination attempts on foreign leaders.

In light of the Commission’s recommendation, President Ford established the IOB to provide an independent review of intelligence activities to better safeguard citizens’ civil liberties against these types of abusive practices. The IOB consists of five civilian members, all with top-level security clearances, selected by the President to serve on the IOB from the larger intelligence-monitoring body, the President’s Intelligence Advisory Board (PIAB). The IOB’s mission is to "oversee the Intelligence Community’s compliance with the Constitution and all applicable laws, Executive Orders, and Presidential Directives." The IOB must then report to the President those violations the Board believes "may be unlawful or contrary to an Executive Order or presidential directive." Since its creation, the vast majority of the IOB’s reports and investigations have remained secret.

Slight modifications to the IOB’s authority and structure have occurred since its creation in 1976, but the IOB’s oversight capacity remained largely unchanged for nearly 30 years. In the years following the attacks of 9/11, however, the Board’s role within the intelligence community was diminished in several ways. First, from 2001 to 2003, President Bush failed to appoint advisers to serve on the IOB. Even when advisers were appointed, however, the IOB continued to provide little real oversight: the IOB did not forward a single instance of intelligence misconduct to the Attorney General until 2006, despite having received notice of several hundred violations. Further, in 2008, President Bush significantly weakened the IOB’s oversight capacity by removing its ability to refer violations to the Attorney General for criminal investigation. President Bush also removed the IOB’s authority to oversee intelligence agency general counsel and eliminated the requirement for quarterly agency reporting to the IOB.

EFF’s analysis of FBI reports to the IOB confirms the perceived inefficacy of the IOB’s oversight from 2001 to 2008. Significant delays between violations occurring and their eventual reporting rendered the IOB’s oversight capacity entirely impotent. On average, nearly two-and-a-half years passed between the occurrence of an FBI intelligence violation and its eventual reporting to the IOB. When a violation was reported within the FBI internally, on average, six months still passed before the Bureau reported the violation to the IOB, despite the Bureau’s requirement to report IOB violations on a quarterly basis. In light of these significant gaps between the occurrence of a violation and its eventual reporting to the IOB, it seems unlikely that the IOB diligently fulfilled its intelligence oversight responsibilities for most of the past decade.

After taking office, President Obama rolled back some of the Bush Administration’s changes to the IOB’s authority, but the function and effectiveness of the Board still remains in question. In an October 2009 executive order, President Obama largely reversed the changes made to the IOB’s oversight authority, and nine appointments have been made to the larger President’s Intelligence Advisory Board. Nevertheless, the White House has not disclosed the composition or membership, if any, of the IOB, which continues to call into question the legitimacy of current intelligence oversight efforts.

FBI Intelligence Violations Reported to the IOB

As noted above, in EFF’s review of nearly 2,500 pages of documents released by the FBI, EFF uncovered alarming trends in the Bureau’s intelligence investigation practices from 2001 to 2008. The documents suggest the FBI’s intelligence investigations have compromised the civil liberties of American citizens far more frequently, and to a greater extent, than was previously assumed. Broadly, these documents show that the FBI most frequently committed three types of intelligence violations — violations of internal oversight guidelines for conducting investigations; violations stemming from the abuse of National Security Letters; and violations of the Fourth Amendment, Foreign Intelligence Surveillance Act (FISA), and other laws governing intelligence investigations. Also, based on statements made by government officials and the proportion of violations occurring in the released reports, EFF estimates the FBI may have committed as many as 40,000 intelligence investigation violations over the past ten years.

Violations of Internal Oversight Guidelines

The first category of violation occurring with the most frequency involved the FBI’s failure to comply with internal oversight guidelines for conducting investigations. This type of violation ultimately resulted in investigations occurring without any meaningful oversight from either FBI Headquarters or the IOB. Of the reports filed with the IOB, violations of oversight guidelines accounted for over a third of all FBI violations.

The Attorney General Guidelines for FBI National Security Investigations and Foreign Intelligence Collection (NSIG) (pdf) set forth various reporting rules, investigative requirements, and classification regulations for FBI agents to follow when conducting intelligence investigations. Originally issued in 1976 in the wake of the Church Committee’s revelations of frequent and serious FBI violations of citizens’ rights, the Guidelines task the Attorney General with ensuring that all government intelligence operations occur with sufficient oversight and within the bounds of the Constitution and other federal laws. For example, the NSIG requires that, upon initiating a new intelligence investigation, an agent report the investigation to FBI Headquarters within a specified period. Other guidelines set requirements for annual reporting of investigations, for information sharing practices between agencies, and — depending on the stage of the investigation and the level of internal authorization — for the investigative techniques FBI agents may use. Broadly, the Guidelines are intended to protect American citizens’ constitutional rights from intrusive and overreaching intelligence investigations.

In 2006, Department of Justice Inspector General Glenn Fine reported to Congress on FBI compliance with the Attorney General’s Guidelines for Domestic Investigations, a distinct set of guidelines from the NSIG governing FBI domestic investigations. The OIG investigation revealed "significant non-compliance with the Guidelines." EFF’s analysis demonstrates that the FBI's non-compliance extends to the NSIG, as well: the FBI frequently violated its own internal oversight protocols for national security and intelligence investigations. These violations ranged from a failure to submit notification of the investigation of a US person to FBI Headquarters for three years, to a failure to report a violation within 14 days of its discovery, to continuing to investigate a US person when the authority to do so had expired.

In all cases involving violations of the NSIG, though, the FBI only reported to the IOB when it determined the agency’s ability to supervise the investigation had been "substantially impaired."

In a 2005 Washington Post article, a senior FBI official dismissed the severity of this type of violation, noting that the "vast majority of the potential [violations] reported have to do with administrative timelines and time frames for renewing orders." But these guidelines are much more than mere "administrative timelines": the NSIG exists in order to prevent intelligence agencies from invoking "national security" to monitor citizens engaging in constitutionally protected activities — exactly the type of monitoring the FBI was engaging in at the time (pdf).

Taken together, the FBI’s disregard for its own internal oversight requirements and the Bureau’s failure to timely report violations to the IOB undermined the safeguards established to prevent civil liberties violations from occurring — the precise object of both the NSIG and the IOB.

Abuse of National Security Letters

In the reports disclosed to EFF, the second type of violation occurring with the most frequency involved FBI abuse of National Security Letters. These violations accounted for almost one-third of all reported violations. National Security Letters, or NSLs, are secret administrative subpoenas used by the FBI to obtain records from third-parties without any judicial review. While NSLs have existed since the late-1970s, the USA PATRIOT Act greatly expanded the intelligence community’s authority to issue NSLs. During the course of a terrorism or counterintelligence investigation, NSLs can be used to obtain just three types of records: (1) subscriber and "toll billing information" from telephone companies and "electronic communications services;" (2) financial records from banks and other financial institutions; and (3) consumer identifying information and the identity of financial institutions from credit bureaus.

The FBI's systemic abuse of NSLs has been well-documented — both by Justice Department investigations and through litigation and scrutiny of FBI practices by EFF. As noted above, in reports from 2007 and 2008, the Inspector General found that, between 2003 and 2006, the FBI may have committed as many as 6,400 violations of the FBI’s NSL authority. According to the 2008 Report (pdf), from 2003 to 2006, the FBI issued nearly 200,000 NSL requests; almost 60% of the 49,425 requests issued in 2006 were for investigations of U.S. citizens or legal aliens.

Earlier scrutiny of FBI practices by EFF also revealed abuses of the Bureau’s NSL authority. Documents obtained in a response to a 2007 EFF FOIA request showed that the FBI issued an NSL to North Carolina State University to obtain educational records, in clear violation of the FBI’s statutory authority. EFF also filed a lawsuit challenging the legality of an NSL issued by the FBI to the Internet Archive. The government formally withdrew the NSL request in 2008.

Analysis of the FBI’s IOB reports released to EFF shows that the Bureau committed violations involving NSLs for telephone and electronic communications records twice as often as it did for financial and credit records. While the FBI has publicly disclosed the total number of NSLs issued annually, the Bureau has refused to release the frequency with which the three individual types of NSLs were issued. However, if the rate at which the FBI’s NSL violations occurred is an indicator of the frequency with which the three types of requests were issued, then, on average, the FBI likely issued approximately 25,000 NSL requests for telephone and electronic communications records, 12,500 requests for financial records, and 12,500 requests for credit information annually from 2003 to 2006.

Perhaps most startling, however, was the frequency with which companies receiving NSLs — phone companies, internet providers, banks, or credit bureaus — contributed to the FBI’s NSL abuse. In over half of all NSL violations reviewed by EFF, the private entity receiving the NSL either provided more information than requested or turned over information without receiving a valid legal justification from the FBI. Companies were all too willing to comply with the FBI’s requests, and — in many cases — the Bureau readily incorporated the over-produced information into its investigatory databases.

For example, in a violation reported in 2006, the FBI requested email header information for two email addresses used by a U.S. person.

In response, the email service provider returned two CDs containing the full content of all emails in the accounts. The FBI eventually (and properly) sequestered the CDs, notified the email provider of the overproduction, and re-issued an NSL for the originally requested header information; but, in response to the second NSL, the email provider again provided the FBI with the full content of all emails in the accounts.

Compounding the service providers’ problematic over-disclosure, the scope of the FBI’s authority to issue NSLs for electronic transactional records rests on unsettled and unclear legal grounds. The FBI’s NSL authority under the Electronic Communications Privacy Act (ECPA) allows the government to issue NSLs to traditional telephone service providers for non-content subscriber information and toll billing records — essentially, the name, address, length of service, and local and long distance call records. ECPA also provides the authority to issue NSLs for "electronic communications transactional records." However, the exact scope of this remains unclear: according to the DOJ, "electronic communications transactional records" include "those categories of information parallel to . . . toll billing records for ordinary telephone service." What, exactly, "those categories of information" constitute — possibly including, for example, email "header" information, IP addresses, URLs, or other information — remains unclear.

Third-parties not only willingly cooperated with FBI NSLs when the legal justification was unclear, however: they responded to NSLs without any legal justification at all. In one instance, when requesting financial records from a bank under the Right to Financial Privacy Act, the FBI used language and statutory citations from ECPA — a statute entirely unrelated to financial records — for its legal authority; nevertheless, the financial institution complied with the FBI’s legally deficient request.

In another series of violations, the FBI improperly requested and received full credit reports on subjects of counterintelligence investigations.

The Fair Credit Reporting Act, the statute providing FBI authority to request credit information using an NSL, however, only provides that authority in terrorism investigations. In other violations, the FBI failed to certify, as required by statute, that the NSL was relevant to a terrorism investigation and not being used to investigate constitutionally protected activities.

Again, despite the deficiency of the request, the third-party complied with the FBI’s NSL.

The FBI’s abuse of its NSL power has garnered much of the attention in the debate over the FBI’s abusive intelligence practices. What has not received as much attention, however, is the unwillingness of companies and organizations to guard their clients’ and users’ sensitive, personal information in the face of these NSL requests — whether the request was legally justifiable or not. Undeniably, if the FBI had complied with the law, the vast majority of NSL violations would never have occurred. Nevertheless, many of the businesses and organizations with which Americans trust their most private information are not applying any scrutiny to unjustifiable requests from the FBI and are not responding to valid requests in a responsible manner.

Violations of the Constitution, FISA, and Other Legal Authorities

The third category of FBI intelligence violations reported to the IOB, accounting for almost 20% of all reports, consists of violations of the Constitution, the Foreign Intelligence Surveillance Act (FISA), and other federal laws governing criminal investigations and intelligence-gathering activities. The first two types of intelligence violations committed by the FBI — violations of the NSIG and NSL abuse — were readily susceptible to categorization: these violations occurred with great frequency, and the violations were often repetitive and largely similar. On the other hand, violations falling into the third category were, in general, unique, and often flagrant, violations of a variety of legal authorities.

Violations falling into this third category were consistently the most brazen and egregious violations. For example, in two separate incidents, the FBI reported to the IOB that its agents had made false statements in written declarations to courts.

Another reported violation involved the FBI’s use of improper evidence to obtain grand jury subpoenas.

Other violations involved the FBI’s use of a target’s username and password to access and download account information, and a warrantless search of password-protected files.

Of the reports reviewed by EFF, however, this type of violation was also generally the most redacted. One four-page report (on average, most reports are only one or two paragraphs) is almost entirely redacted, with the exception of one paragraph that notes the "scope of [the FBI agent’s] alleged offenses" warranted reporting to the IOB; the three pages detailing the offenses, however, are almost entirely redacted.

Moreover, solely from the documents provided to EFF, it is evident that the FBI is withholding information on an inconsistent and arbitrary basis. For example, one IOB report, which details the issuance of NSLs without proper authority in the wake of the attacks on September 11th, was inadvertently included twice in the FBI’s document release: one is nearly entirely redacted; the other, almost entirely free from redactions.

Numerous documents throughout the FBI’s release provide similar evidence of the agency’s inconsistent and arbitrary practice of redacting and withholding documents.

While the reports documenting the FBI’s abuse of the Constitution, FISA, and other intelligence laws are troubling, EFF’s analysis is necessarily incomplete: it is impossible to know the severity of the FBI’s legal violations until the Bureau stops concealing its most serious violations behind a wall of arbitrary secrecy.

Total Number of Violations from 2001 to 2008

Both the frequency and type of violations revealed in the FBI’s release to EFF are staggering. At a minimum, these documents already demonstrate the need for greater accountability and improved oversight mechanisms for American intelligence agencies. Yet, at the same time, the FBI continues to withhold critical information on the circumstances, rate of occurrence, and severity of these violations. And, if past experience is any guide, it is likely that the FBI is either withholding or failing to report many violations altogether.

In the absence of robust auditing and full disclosure from the Bureau, the only method for approximating the scope of the FBI’s abusive intelligence practices is to extrapolate from information contained within these releases and public statements made by government officials. The IOB reports, themselves, provide some insight into the sheer number of FBI intelligence violations. In previous litigation, EFF fought the FBI to release the IOB matter numbers that accompany every IOB report. While not every IOB "matter" is ultimately reported to the IOB, the numbers provide some indication of the number of violations investigated by the FBI. Based on IOB matter numbers on the reports released to EFF, it is clear that, at minimum, the FBI investigated approximately 7,000 instances of alleged misconduct from 2001 to 2008.

The actual number of violations that occurred from 2001 to 2008, however, is likely much higher. The Inspector General has acknowledged that as many as 6,400 potential NSL violations may have occurred between 2003-2006; if the proportion of violations released to EFF is representative of all FBI intelligence violations from 2001 to 2008, then the number of total violations during that span may have approached tens of thousands of possible violations of laws, Executive Orders, or regulations.

Conclusion

From 2001 to 2008, the FBI frequently and flagrantly violated laws intended to check abusive intelligence investigations of American citizens. While many hoped the era of abusive FBI practices would end with the Bush Administration, there is little evidence that President Obama has taken significant measures to change past intelligence abuses. Two years into his term, the President has not publicly disclosed any appointments to the IOB, and his campaign promise of unprecedented transparency within the executive branch has gone largely unfulfilled — especially within the intelligence community.

Congress, however, has an opportunity to remedy these abuses: portions of the USA PATRIOT Act expire in late February, and a bill has already been introduced in the House of Representatives to reauthorize it. Instead of simply rubber-stamping the intelligence community’s continuing abuse of Americans’ civil liberties, Congress should seize this opportunity to investigate the practices of the FBI and other intelligence agencies, and to demand greater accountability, disclosure, and reporting from these agencies. Until then, the FBI’s pattern of misconduct will undoubtedly continue.