Chairman Biggs, Ranking Member Jackson Lee, and Members of the Subcommittee:
Thank you for inviting me to testify today regarding the Foreign Intelligence Surveillance Act (FISA), and the Department of Justice (DOJ) Office of the Inspector General’s (OIG) prior oversight work on FISA. Many of the findings and recommendations from our prior oversight of the Department’s use of FISA and other investigative authorities will help to inform congressional deliberations on FISA’s Section 702, which expires at the end of this year.
In every year since 2006, the OIG's annual report on "Top Management and Performance Challenges Facing the Department of Justice” has highlighted the difficulty faced by the Department and the Federal Bureau of Investigations (FBI) in maintaining a balance between protecting national security and safeguarding civil liberties. The OIG's prior national security and surveillance oversight work has included OIG reviews of the FBI's use of specific FISA authorities, the FBI's use of other national security-related surveillance authorities, and the FBI's or other Department law enforcement components' use of confidential human sources (CHSs) and administrative subpoenas. We have also conducted reviews that specifically examined the impact of the FBI's use of investigative authorities on U.S. persons engaged in activities that are protected by the First Amendment. For reference and additional information as the Subcommittee and Congress examine Section 702, I have included an appendix with links to twenty, post-September 11, 2001 reports from the OIG on these topics.
The overarching conclusion from this series of reports is that transparency, and effective internal and external independent oversight, are necessary to ensure that the tremendous authority held by the Department’s investigators and prosecutors to surveil Americans is used in accordance with applicable laws, court orders, and the Constitution. Without transparency and oversight -- from the OIG, the U.S. Privacy and Civil Liberties Oversight Board (PCLOB), Congress, the Foreign Intelligence Surveillance Court (FISC), non-government stakeholders, and importantly, effective internal audits and assessments by the FBI and National Security Division (NSD) -- mistakes, errors, and abuses risk being repeated, eroding public trust in the proper use of these authorities to the detriment of national security.
In today’s testimony, I will focus on the need for ongoing, rigorous, and effective oversight of the Justice Department’s national security authorities by discussing the findings and recommendations from our three most recent FISA-related reports: 1. Review of Four FISA Applications and Other Aspects of the FBI’s Crossfire Hurricane Investigation (Crossfire Hurricane Review); 2. Audit of the Federal Bureau of Investigation’s Execution of Its Woods Procedures for Applications Filed with the Foreign Intelligence Surveillance Court Relating to U.S. Persons (Woods File Audit), and 3. Audit of the Roles and Responsibilities of the Federal Bureau of Investigation’s Office of the General Counsel in National Security Matters (FBI OGC Audit). For each of these reports, I will provide a summary of the report and the steps taken by the FBI and Department to implement our recommendations to strengthen compliance with the Constitution and the laws, rules, and regulations that govern the Department’s use of these authorities.
The OIG’s Review of Four FISA Applications and other Aspects of the FBI’s Crossfire Hurricane Investigation
In December 2019, the DOJ OIG released our review of certain actions by the FBI and the Department during an FBI investigation, known as “Crossfire Hurricane,” into whether individuals associated with the Donald J. Trump for President Campaign were coordinating, wittingly or unwittingly, with the Russian government's efforts to interfere in the 2016 U.S. presidential election. Among other issues, our review assessed four applications filed with the FISC in 2016 and 2017 to conduct FISA surveillance targeting Carter Page, who had been a Trump campaign official prior to the FISA surveillance. The applications to surveil Carter Page were sought pursuant to Title I of FISA, which requires the Department to file an application with the FISC to authorize the electronic surveillance of a telephone number, email account, or other “facility.” In its application, the government must show probable cause to believe that the proposed target is a foreign power or an agent of a foreign power.
Our review of the Department’s applications to authorize FISA surveillance of Carter Page found that FBI personnel fell far short of the requirement in FBI policy that they ensure that all factual statements in a FISA application are "scrupulously accurate." We identified multiple instances in which factual assertions relied upon by the FISC in the FISA applications were inaccurate, incomplete, or unsupported by appropriate documentation, based upon information the FBI had in its possession at the time the applications were filed. We found that the problems we identified were primarily caused by the FBI’s Crossfire Hurricane team failing to share all relevant information with the NSD and, consequently, the information was not considered by the Department decision makers who ultimately decided to support the applications. We identified 17 significant inaccuracies and omissions in the four applications -- 7 in the first FISA application and a total of 17 by the time of the final renewal application in 2017.
In our conclusion to that report, we explained the significance of these errors, noting:
The authority under FISA to conduct electronic surveillance and physical searches targeting individuals significantly assists the government's efforts to combat terrorism, clandestine intelligence activity, and other threats to the national security. At the same time, the use of this authority unavoidably raises civil liberties concerns. FISA orders can be used to surveil U.S. persons, like Carter Page, and in some cases the surveillance will foreseeably collect information about the individual's constitutionally protected activities, such as Page's legitimate activities on behalf of a presidential campaign. Moreover, proceedings before the Foreign Intelligence Surveillance Court (FISC)—which is responsible for ruling on applications for FISA orders—are ex parte, meaning that unlike most court proceedings, the government is present but the government's counterparty is not. In addition, unlike the use of other intrusive investigative techniques (such as wiretaps under Title III and traditional criminal search warrants) that are granted in ex parte hearings but can potentially be subject to later court challenge, FISA orders have not been subject to scrutiny through subsequent adversarial proceedings.
In light of these concerns, Congress through the FISA statute, and the Department and FBI through policies and procedures, have established important safeguards to protect the FISA application process from irregularities and abuse. Among the most important are the requirements in FBI policy that every FISA application must contain a "full and accurate" presentation of the facts, and that agents must ensure that all factual statements in FISA applications are "scrupulously accurate." These are the standards for all FISA applications, regardless of the investigation's sensitivity, and it is incumbent upon the FBI to meet them in every application.
The FBI fell far short of these standards in the applications targeting Carter Page, even though the FBI recognized that these applications would be subject to greater scrutiny than most FISA applications.
In addition, we identified numerous instances of non-compliance with the FBI’s factual accuracy review procedures (the “Woods Procedures”) in connection with the four Carter Page FISA applications. The FBI’s Woods Procedures require agents to document in a Woods File the support for all factual assertions contained in FISA applications for surveillance. The FBI adopted its Woods Procedures in 2001, following earlier concerns raised by the FISC about inaccuracies in FISA applications. However, in connection with the Carter Page applications, we found basic, fundamental, and serious errors during the FBI’s completion of its Woods Procedures and that some agents did not appear to know certain basic requirements of the Woods Procedures. In light of the significant compliance issues we identified, the OIG initiated an audit to more broadly examine the FBI's compliance with its Woods Procedures. I detail below the results of that audit.
In addition to initiating the Woods Procedures audit, the OIG made nine recommendations to the Department and the FBI to assist them in avoiding similar failures in future investigations. The first of these recommendations, which remains open in part, included four subparts, and is intended to strengthen the accuracy of FISA applications submitted by the Department to the FISC. It requires the Department and the FBI to ensure that adequate procedures are in place for NSD to obtain all relevant and accurate information needed to prepare accurate FISA applications and renewal applications, including any exculpatory information in the FBI’s possession.
The Department and FBI concurred with this recommendation, have completed 3 of the 4 subparts, and are continuing with their efforts to fulfill the final requirement. In early 2022, the Department submitted to the OIG a FISA Accuracy and Completeness Memorandum, revised procedures and forms, and provided evidence that employees had completed revised training on these procedures. We believe these steps demonstrate progress the FBI and the Department have made towards addressing the issues we identified in our Crossfire Hurricane review. However, given the importance of the issue and our concerns about the lack of compliance with prior reforms (such as the Woods procedures), we have informed the Department and FBI that evidence from future internal compliance reviews will be necessary to accumulate sufficient data for the Department and the FBI to assess, and the OIG to verify, the effectiveness of the new policies and procedures in ensuring that the NSD receives from the FBI all relevant and accurate information to prepare accurate FISA applications.
Audit of the Federal Bureau of Investigation’s Execution of Its Woods Procedures for Applications Filed with the Foreign Intelligence Surveillance Court Relating to U.S. Persons
Because of the extensive failures we identified in the Crossfire Hurricane Review and the unacceptable level of errors and omissions in the Carter Page applications, we determined that additional OIG oversight work was required to assess the FBI's compliance with Department and FBI FISA-related policies that seek to protect the civil liberties of U.S. persons. Accordingly, we initiated the Woods File Audit to further examine the FBI's compliance with the Woods Procedures in Title I FISA applications that target U.S. persons. We completed our Woods File Audit in September 2021.
In March 2020, prior to the completion of our audit, and based on the information we had gathered during our initial assessment of a sample of FISA applications, we issued a Management Advisory Memorandum (MAM) to FBI Director Wray to report that we had identified Woods Procedures non-compliance in all 29 FISA applications we reviewed. These applications had all been approved by the FISC between fiscal years 2015 and 2019. The Department thereafter notified the FISC of 209 errors in those applications, 4 of which DOJ deemed material. Our further audit work identified over 200 additional instances of Woods Procedures noncompliance—where Woods Files did not contain adequate supporting documentation for statements in the 29 applications—although the FBI and NSD subsequently confirmed the existence of available support elsewhere. We also identified at least 183 FISA applications for which the required Woods File was missing or incomplete.
In addition to the Woods File compliance and accuracy errors, we identified significant weaknesses in the FBI’s supervisory review of Woods Files, which we determined contributed to the compliance and accuracy errors in the Woods Files and applications. Specifically, we observed that the Woods Files generally did not contain evidence of the thoroughness or completeness of this supervisory review, which is an important quality control check in the process. Rather, the files we reviewed indicated only that a supervisor had signed a verification form, indicating that they had reviewed the documentation in the Woods File.
We also raised concerns, both in our March 2020 MAM and the final September 2021 Woods Procedures Audit Report, about the lack of follow through by the Department and FBI in response to issues identified from the FBI and NSD’s internal oversight findings and reviews. The FBI and NSD conduct periodic reviews designed to ensure that FISA applications contain accurate information. However, as we noted in our March 2020 MAM, FBI personnel told us that the FBI and NSD accuracy review reports had not been used in a comprehensive, strategic fashion by FBI Headquarters to assess the performance of individuals involved in and accountable for FISA applications, to identify trends in results of the reviews, or to contribute to an evaluation of the efficacy of quality assurance mechanisms intended to ensure that FISA applications were “scrupulously accurate.” That is, the accuracy reviews were not being used by the FBI as a tool to help assess the FBI’s compliance with its Woods Procedures.
Based on these and related findings in our MAM and full audit report, the OIG made an additional twelve recommendations to strengthen the Woods Procedures and reduce the risk of erroneous information being included in FISA applications, which can lead to faulty probable cause determinations and the infringement of U.S. persons’ civil liberties.
During our audit, the FBI began to implement over 40 corrective actions to address the OIG’s recommendations. These corrective actions included: (1) updating the FBI’s forms and checklists used during the preparation of FISA applications and Woods Files to ensure that all relevant information to the FISA request has been provided and verified by responsible parties; (2) formalizing the role of FBI attorneys in the legal review process for FISA applications; (3) developing and implementing new training for FBI personnel; (4) pursuing technological improvements to aid in consistency and accountability; and (5) identifying new audit, review, and compliance mechanisms to ensure that the changes to the FISA application process are effective.
In addition, in August 2020, then Attorney General Barr announced supplemental reforms to enhance compliance, oversight, and accountability of FBI foreign intelligence activities, as well as to augment the internal compliance functions of the FBI. Specifically, then Attorney General Barr directed the FBI to create an Office of Internal Auditing to conduct routine audits of the FBI’s compliance with FISA and FISC orders and to assess measures taken by the FBI to ensure accuracy and completeness of FISA applications.
In response to the March 2020 MAM and Woods File Audit recommendations, the Department and FBI have taken a number of additional actions. One of the most significant of these actions is the FBI’s creation of the Compliance Trends Analysis Group (CTAG). The CTAG is responsible for reviewing compliance reports regarding the FBI’s use of national security legal authorities, including FISA applications submitted to the FISC, and analyzing internal and external compliance reports to identify trends, including cross-cutting issues.
Based on the establishment of the CTAG, which will help improve the efficacy of the internal FBI and NSD review processes, and related reforms established to improve accountability and accuracy in the Woods Procedures, the OIG has closed all but one of the 12 recommendations from our March 2020 MAM and Woods File Audit. The remaining open recommendation requires the FBI to develop and implement a policy that describes the expectations for supervisory review of Woods Files. Although the FBI has updated its supervisory review policy, it has not updated it in a way that effectively demonstrates that a supervisor’s review of a Woods File and supporting documentation consist of more than simply signing the FISA Verification Form. The FBI is continuing to work on a method to demonstrate further evidence of the steps that a supervisor has taken to review and ensure accuracy, beyond signing a form.
Audit of the Roles and Responsibilities of the Federal Bureau of Investigation’s Office of the General Counsel in National Security Matters
Following the issuance of our Crossfire Hurricane Review, then Attorney General Barr requested that the OIG conduct an audit to review the roles and responsibilities of the FBI’s Office of the General Counsel (OGC) in overseeing compliance with applicable laws, policies, and procedures relating to the FBI’s national security activities. We completed this audit in September 2022.
FBI’s OGC and the Department’s NSD both have roles in ensuring that the authorities exercised by the FBI and DOJ respect the rule of law and maintain public trust and confidence in the FBI’s use of intrusive investigative authorities, including those authorized by FISA. Our audit identified several instances of ineffective coordination between FBI OGC and NSD and uncertainty in the delineation of their roles that negatively impact important workflows between them. For example, we found instances of FBI OGC attorneys advising FBI investigators on topics traditionally reserved for prosecutors, disagreements between FBI OGC and NSD attorneys related to FISA processes, and varying interpretations by FBI OGC and NSD of key legal principles.
We also found that, for several years, NSD and FBI OGC had differing interpretations of the query standard under the FBI’s Section 702 Querying Procedures. As the Subcommittee is aware, Section 702 of the FISA Amendments Act of 2008, 50 U.S.C. § 1881a, governs targeted surveillance of foreign persons reasonably believed to be located outside the United States with the compelled assistance of electronic communications service providers. An acquisition authorized under Section 702 may not intentionally target a United States person or any person known at the time of the acquisition to be located in the United States. To ensure the requirements of Section 702 are appropriately met, the Attorney General, in consultation with the Director of National Intelligence (DNI) adopted: (1) targeting procedures designed to ensure the FBI targets foreign persons outside the United States, (2) minimization procedures designed to ensure the FBI safeguards United States person information incidentally acquired, and (3) querying procedures containing a query standard that sets the requirements for the FBI to query, or search, its unminimized, or raw, Section 702-acquired information.
In 2015, DOJ told the FISC that the FBI’s standard for querying was “reasonably likely to return foreign intelligence information or evidence of a crime.” However, the language in the FBI’s querying rules at that time was “to the extent reasonably feasible, authorized users…must design such queries to find and extract foreign intelligence information or evidence of a crime.” Consequently, we were told by FBI OGC that FBI and NSD operated under different query standards. One senior FBI OGC official stated that this led to numerous compliance incidents and resulted in the FBI almost losing its Section 702 authorities.
We also were told that FBI OGC had significant concerns that this NSD interpretation of the FBI’s query standard, which FBI OGC says has a heightened threshold, creates limitations and operational risks that may prevent the FBI from identifying threats through methods that were available prior to implementation of the new interpretation of the query standard in 2015. In contrast, NSD told us that the query standard has been the same since 2008 (when Section 702 was created by Congress). A senior NSD official told us that the FBI had a fundamental misunderstanding of the standard and that compliance incidents were not identified sooner because NSD can only review a limited sample of the FBI’s queries and NSD improved upon its ability to identify non-compliant queries over time.
The FBI clarified the query standard in its 2018 Section 702 Querying Procedures. The FBI’s amended Section 702 Querying Procedures defined the query standard as: “Each query of FBI systems containing unminimized contents or noncontents (including metadata) acquired pursuant to section 702 of the Act must be reasonably likely to retrieve foreign intelligence information, as defined by FISA, or evidence of a crime, unless otherwise specifically excepted in these procedures.” To help ensure implementation of the amended query procedures occurred, the FBI, in consultation with NSD, developed mandatory training on the query standard and required that all personnel with access to raw FISA-acquired information complete the training by December 2019.
However, despite these efforts, we learned that there were still disputes between NSD and FBI OGC on query-related compliance incidents. A senior FBI OGC official stated that FBI OGC has recently redoubled its efforts to ensure compliance with the query standard after concerns were raised about FBI query incidents in a November 2020 FISC opinion, a semiannual assessment conducted jointly by NSD and the Office of the Director of National Intelligence (ODNI) released in November 2020, and an Attorney General (AG) Memorandum issued on April 22, 2021. This senior FBI OGC official said the FBI is currently focused on addressing its query-related compliance incidents through a variety of methods, including database changes, an audit, and training.
On November 1, 2021, the Department issued new guidance titled “FBI FISA Query Guidance,” which is designed to assist FBI personnel in understanding the querying standard and in conducting queries of raw FISA collection that comply with applicable requirements. Further, the guidance provides illustrative examples of both compliant and noncompliant queries. In response to the new guidance, the FBI developed and deployed an updated training course on the query standard, which FBI personnel with access to raw FISA-acquired information were required to complete by January 2022. We verified that all FBI personnel with access to raw FISA-acquired information either completed the required training or had their access to this information revoked by the end of January 2022.
To address the type of disconnect between FBI OGC and NSD that we observed during the audit, we made a total of 5 recommendations – 3 to the FBI and 2 to the Office of the Deputy Attorney General (ODAG). The FBI and ODAG concurred with each of the recommendations, and their resolution is still largely in progress (one of the five recommendations, related to the use of FISA-derived information in criminal trials, has been recently closed).
As these recent reports demonstrate, transparency and effective internal and external oversight are essential to ensuring that these important authorities are used in accordance with applicable laws, court orders, and the Constitution. In the context of oversight of Section 702 authorities, I want to highlight three important issues for consideration: 1) the need for effective supervisory review that occurs in real time and can prevent compliance errors from occurring; 2) the need for effective, routine, and regular internal oversight to identify and correct any errors or program weaknesses close in time to their occurrence; and 3) the role of the OIG and other independent oversight entities in conducting periodic, big picture external reviews.
Ensuring there is an appropriate level of review and approval at the Department and FBI prior to FBI personnel querying unminimized Section 702 information
In connection with both our Crossfire Hurricane Review and Woods File Audit, we identified inadequate supervisory review as a significant concern and emphasized the importance of ensuring meaningful and effective supervisory review before a FISA application is submitted to the FISC. In our experience, effective and strong supervisory review can help detect and prevent compliance errors before they occur. With regard to Section 702 queries, in June 2021, the FBI instituted a policy requiring FBI attorney approval prior to FBI personnel conducting a “batch job” that would result in 100 or more queries of unminimized Section 702 information. According to the Department, the FBI attorney pre-approval requirement is designed to ensure that there is additional review in situations where one incorrect decision could potentially have a greater privacy impact due to the large number of query terms. While we have not tested the FBI’s new approval procedures, in general this type of higher level or legal sufficiency review prior to any query, if implemented effectively, promotes accountability, can provide opportunities to better explain query standards before an error is made, and may be appropriate in light of the non-supervisory positions, such as “technical information specialist,” identified by the FISC as being responsible for some of the reported query errors.
Ensuring there is effective internal oversight by FBI OGC and NSD through regular audits and/or other accountability measures
As with any program, but particularly with a sensitive national security program, the Department and the FBI are invariably the first line of defense in ensuring its own personnel are complying with laws, rules, and policies governing the use of such authorities. Internal auditors and oversight personnel at the FBI and NSD have direct access to information, as well as the capacity and mandate, to conduct routine audits and compliance reviews that can and should identify and correct compliance errors close in time to their occurrence. As we noted in our March 2020 MAM, we were concerned to find that the compliance problems and trends identified by the FBI and the Department through their own internal oversight efforts were not timely addressed. That is why we are continuing to monitor the implementation of the corrective actions taken in response to our Crossfire Hurricane Review, including seeking evidence of the efficacy of the post-reform internal reviews conducted by the FBI and NSD. As I noted throughout this testimony, the FBI and Department have taken a number of steps to improve internal oversight, including the establishment of the CTAG and the FBI’s Office of Internal Accounting. We also have noted language in the December 2021 Compliance Assessment by the Attorney General and Director of National Intelligence, which states:
The resolution of particular compliance incidents can provide lessons learned for all agencies. Robust communication among the agencies is required for each to effectively implement its authorities, gather foreign intelligence information, and comply with all legal requirements. For those reasons, NSD and ODNI generally lead calls and meetings on relevant compliance topics, including calls or meetings with representatives from all agencies implementing Section 702 authorities, so as to address interagency issues affecting compliance with the statute and applicable procedures.
As the OIG continues to assess the FBI and NSD’s efforts to promote compliance with our outstanding recommendations and Section 702, we will test this and related reforms instituted by the Department and FBI, to better understand how these identified issues and concerns are communicated to the individual FBI user of FISA information. We will also continue to emphasize the importance of internal oversight, as we work with the FBI and Department to close the remaining open recommendations from our FISA-related reviews.
Ensuring independent oversight entities, such as the OIG and the PCLOB, have timely access to information, as well as sufficient resources, to conduct effective oversight and to report on the Department and FBI’s compliance with laws, rules, and regulations
Independent oversight, conducted by entities like the OIG and PCLOB, plays an essential role in identifying any compliance issues or concerns, and allows recommendations to be made to address them that, in turn, guide the ongoing, routine oversight conducted by the FBI and NSD. In order to perform this oversight in a meaningful way, we need timely and complete access to all information. In 2016, Congress greatly assisted the OIG in that regard by passing the IG Empowerment Act. Currently, for my office, resources and personnel are the biggest challenges we face in conducting more than periodic oversight of the FBI and Department’s use of national security authorities, including FISA’s Title I and Section 702. The OIG has approximately 506 FTEs and an annual budget of $139 million (plus $10 million for Crime Victims Fund oversight) to oversee a DOJ workforce of about 125,000 employees and a discretionary budget of about $37.3 billion, which includes the FBI, the Federal Bureau of Prisons, and the Department’s three other law enforcement components (the DEA, ATF, USMS), as well as billions of dollars spent through DOJ contracts and grants. Moreover, the national security reviews referenced in this testimony were resource intensive; for example, the Crossfire Hurricane Review and the Woods File Audit required the efforts of more than a dozen OIG personnel for an extended period of time. Nonetheless, we will continue to conduct, consistent with our available resources, periodic oversight of FISA implementation (including, if requested, a review of any reforms passed by this Congress related to Section 702), and we greatly appreciate the strong support that we have received from Congress that has allowed us to perform this critical oversight work.
Thank you for your continued support for our mission, which allows the OIG to conduct objective, fact-based, and thorough oversight of the Department and provide transparency for the public and Congress. I look forward to continuing to work closely with the Subcommittee to help ensure that DOJ operates with integrity, efficiency, and accountability. That concludes my prepared remarks, and I would be pleased to answer any questions that the Subcommittee may have.