Statement of Glenn A. Fine Inspector General, U.S. Department of Justice,
before the House Committee on the Judiciary Subcommittee on the Constitution, Civil Rights and Civil Liberties
on The Report by the Office of the Inspector General on the Federal Bureau of Investigation's Use of Exigent Letters and Other Informal Requests for Telephone Records
April 14, 2010
Mr. Chairman, Ranking Member Sensenbrenner, and Committee Members:
Thank you for inviting me to testify about the Office of the Inspector General's (OIG) recent report examining the Federal Bureau of Investigation's (FBI) use of exigent letters and other informal requests to obtain telephone records.
The OIG's review was initiated based on findings we made in two previous reports, issued in March 2007 and March 2008, describing the FBI's use of national security letters (NSLs). In those two reports, which focused on misuse of national security letters, we noted the FBI's practice of issuing exigent letters, instead of national security letters or other legal process, to obtain telephone records from three communications service providers.
However, the two prior reports did not investigate the FBI's exigent letter practices in detail. These exigent letters requested telephone records based on alleged "exigent circumstances," and inaccurately stated that grand jury subpoenas already had been sought for the records. The FBI's practice of using exigent letters circumvented the requirements of the Electronic Communications Privacy Act (ECPA) statute governing national security letters, and also violated Attorney General Guidelines and FBI policy.
In the report issued in January 2010 that is the subject of this hearing, we examined in depth the use of exigent letters. The report detailed how the FBI's practice of using exigent letters evolved, how widespread it became, and the management failures that allowed it to occur. In addition, our report identified other informal ways, in addition to exigent letters, by which the FBI obtained telephone records without legal process. For example, we identified requests made by e-mail, face-to-face, on post-it notes, and by telephone, as well as a practice referred to by the FBI and the providers as "sneak peeks."
We also describe in our report other improper practices related to the FBI's obtaining of telephone records, such as obtaining records on hot numbers without any legal process, the improper use of administrative subpoenas in certain cases, inaccurate statements to the Foreign Intelligence Surveillance Court, and improper requests for reporters' telephone records without required approvals.
Our report also assesses the accountability of FBI officials and employees for these actions. In addition, we describe the FBI's corrective actions regarding these practices.
In my testimony today, I will briefly summarize the findings of our report, our recommendations, and the FBI's response.
- The FBI's Use of Exigent Letters and Other Informal Requests for Telephone Records
- Exigent letters
Our report detailed widespread use of exigent letters that did not comply with legal requirements or FBI policies governing acquisition of these records. In particular, many exigent letters did not comply with the ECPA NSL provisions, 18 U.S.C. §§ 2709(a) and 2709(c), and did not satisfy the ECPA provisions authorizing a provider to voluntarily release toll records information to a governmental entity under certain emergency circumstances. 18 U.S.C. § 2702(c)(4) (Supp. 2002) and USA PATRIOT Improvement and Reauthorization Act of 2005, Pub. L. No. 109-177, § 119(a), 120 Stat. 192 (2006).
We determined that the use of exigent letters at the FBI began shortly after the terrorist attacks of September 11, 2001, in connection with the FBI's criminal investigation of the attacks. The FBI arranged to have a fraud detection analyst of a telephone service provider located on-site at the FBI's New York Field Division to assist in providing and analyzing telephone records associated with the September 11 hijackers and their associates. At first, the FBI in New York obtained telephone records from this analyst in response to grand jury subpoenas, but eventually the FBI began issuing exigent letters that promised future grand jury subpoenas as "placeholders" to enable the FBI to secure the records promptly.
In April 2003, several New York Field Division employees who participated in the exigent letter practice were assigned to FBI Headquarters to help set up the Communications Analysis Unit (CAU) as a new unit in the FBI's Counterterrorism Division (CTD). The purpose of the CAU was to obtain and analyze telephone communications and provide support to the appropriate operational units in the FBI.
Shortly after creation of the CAU in FBI Headquarters, the exigent letter practice migrated to CAU. Employees from three communications service providers moved into the CAU's office space, and the providers' employees had access to their companies' databases so they could immediately service FBI requests for telephone records.
The first exigent letter from the CAU was issued in March 2003, and the CAU's use of exigent letters expanded rapidly. We found that from March 2003 to November 2006, CAU personnel issued at least 722 exigent letters for telephone records to the three communications service providers at the FBI.
The 722 exigent letters issued by CAU sought records on more than 2,000 different telephone numbers. Most of the exigent letters stated:
Due to exigent circumstances, it is requested that records for the attached list of telephone numbers be provided. Subpoenas requesting this information have been submitted to the U.S. Attorney's Office who will process and serve them formally to [the communications service provider] as expeditiously as possible.
In some cases, the exigent letters issued by the CAU were used in urgent investigations. But our review found that, contrary to the letters, emergency circumstances were not present when many of the letters were issued. Also contrary to the claims made in the letters, in most cases subpoenas had not been sought for the records.
When we asked FBI supervisors and employees why they issued exigent letters when they knew that no subpoena had been requested, they could not satisfactorily explain their actions. The explanations we received included that they thought someone else had reviewed or approved the letters, that they had inherited the practice and were not in a position to change it, that the communications service providers accepted the letters, or that it was not their responsibility to follow up with appropriate legal process.
We also found that when FBI personnel issued these exigent letters or made other types of informal requests for records and information from the on-site providers that are discussed below, they did not document the authority for their requests or explain the investigative reasons why the records were needed. Moreover, the exigent letter requests were not subject to any supervisory or legal review. Specifically, unlike properly-issued NSLs, exigent letters were not: (1) accompanied by approvals documenting the predication for the requests; (2) reviewed and approved by FBI attorneys; (3) approved by FBI supervisors; or (4) signed by one of the limited number of senior FBI personnel authorized to sign national security letters.
Our report also noted that training on the legal and internal FBI requirements for issuing national security letters or requesting telephone records in emergency circumstances was severely lacking in the unit that issued the exigent letters. All but 2 of the 29 FBI employees we interviewed who were assigned to work in the CAU said they had limited or no prior experience working with NSLs, and none of the Supervisory Special Agents we interviewed said that the FBI provided them training on these matters until after the OIG's first NSL report was issued in March 2007.
Our investigation concluded that the close relationship between the FBI's CAU and the three communications service providers facilitated the casual culture surrounding the use of exigent letters and other informal requests for telephone records at the FBI. Employees of one or more of these service providers were physically located on-site in the FBI's CAU from April 2003 to January 2008. These employees, who were capable of querying company databases on request, were regarded by FBI personnel as members of the communications analysis "team."
In fact, we found that the FBI's use of exigent letters became so casual, routine, and unsupervised that employees of all three communications service providers sometimes generated exigent letters for FBI personnel to sign and return to them. Although co-locating the service providers' employees at the FBI was originally an attempt to facilitate efficient and effective cooperation between the FBI and the service providers, the proximity fostered close relationships that blurred the line between the FBI and the service providers. We concluded that this co-location, in combination with poor supervision and ineffective oversight, contributed to the serious abuses we described in our report.
B. Other informal requests for telephone records
The use of exigent letters was just one of several improper practices described in our report. The OIG's investigation also found widespread use of even more informal requests for telephone records in lieu of appropriate legal process or a qualifying emergency. The scope and variety of these informal requests was startling.
For example, rather than using national security letters, other legal process, or even exigent letters, FBI personnel frequently sought and received telephone records based on informal requests they made to the on site telecommunication service provider employees by e-mail, by telephone, face-to-face, and even on post-it notes. CAU personnel made these kinds of informal requests for records associated with at least 3,500 telephone numbers, although we could not determine the full scope of this practice because of the FBI's inadequate record-keeping.
Among the informal requests the FBI used to receive information about telephone records were so-called "sneak peeks," whereby the on-site communications service providers' employees would check their records and provide to the FBI a preview of the available information for a targeted phone number, without documentation of any justification for the request from the FBI and often without documentation of the fact of the request. In addition to confirming whether the provider had records on an identified telephone number, the providers' employees would sometimes provide to the FBI information such as whether the telephone number belonged to a particular subscriber, or a synopsis of the call records that included the number of calls to and from a specific telephone number within certain date parameters, the area codes called, and call duration.
In fact, at times the service providers' employees simply invited FBI personnel to view the telephone records on their computer screens. One senior FBI counterterrorism official described the culture of casual requests for telephone records by observing, "It [was] like having the ATM in your living room."
This sneak peek practice did not comply with the ECPA or its emergency voluntary disclosure provision for several reasons. The practice was a routine occurrence in the CAU and not limited to exigent or emergency circumstances. In addition, some of the specific instances where the sneak peek practice was used included media leak and fugitive investigations that did not satisfy the requirements for an ECPA emergency voluntary disclosure. The FBI's lack of controls over the sneak peek practice also made it impossible to reliably determine how many or in what circumstances sneak peek requests were made, and what the providers were told or believed about the reasons for these requests.
As noted above, virtually none of these FBI requests for telephone records - either the exigent letters or the other informal requests - was accompanied by documentation explaining the authority for the requests or the investigative reasons why the records were needed. Many of the requests lacked information as basic as date ranges. This resulted in the FBI obtaining substantially more telephone records covering longer periods of time than it would have obtained had it complied with the NSL process, including records that were not relevant to the underlying investigations. Many of these records were uploaded into FBI databases, where the records were available to employees throughout the government who were authorized to access the database.
C. Other practices relating to requests for telephone records
In addition to exigent letters and informal requests for telephone records, our investigation also identified other troubling practices relating to FBI requests for telephone records.
One such FBI practice is commonly referred to as "community of interest" requests. While we cannot discuss the details of this practice in an unclassified setting, we believe this practice resulted in a significant number of improper requests for telephone records. The FBI's lack of documentation made it difficult to determine under what circumstances and how often community of interest requests were made. However, we determined that FBI personnel issued at least 52 exigent letters containing "community of interest" requests. Additionally, we identified over 250 NSLs and 350 grand jury subpoenas containing such requests. When issuing the NSLs, FBI personnel did not consistently assess the relevance of the numbers before making the requests. Instead, the FBI often just included these requests in boilerplate attachments to NSLs. The classified versions of our report discuss community of interest requests in substantial detail.
Our investigation also revealed other troubling practices relating to requests for telephone information. For instance, without serving any legal process or exigent letters, the FBI sought calling activity information on approximately 152 so-called "hot" telephone numbers from two of the service providers and was provided information on approximately 40 of those numbers. One of the service providers told the FBI whether there were calls made to or from the hot numbers identified by the FBI. We also found evidence that oneof the companies may have provided additional information, such as call originating and termination information, on the hot numbers. These requests required legal process under the ECPA, but none was provided by the FBI.
We also examined whether information obtained in response to exigent letters or other informal requests was used in applications for electronic surveillance filed with the Foreign Intelligence Surveillance Court (FISA Court). In a limited review of 37 FISA Court applications that related to telephone numbers associated with exigent letters and informal requests, there were five misstatements in four declarations filed under oath by FBI personnel. The declarations inaccurately stated that the FBI had acquired subscriber or calling activity information from NSLs when in fact the information was acquired through other means, such as an exigent letter or a verbal request.
The Department of Justice (Department) concluded that the inaccurate statements made in the FBI declarations were non-material, but the Department nevertheless notified the FISA Court of the inaccurate· statements. Even though the inaccurate statements may have been non material to the FISA application, the Department agreed that any inaccurate statements to the FISA Court are serious.
Our investigation also uncovered FBI misuse of administrative subpoenas to obtain telephone records. For example, the FBI served administrative subpoenas for toll billing records as part of a fugitive investigation, which were an improper use of these administrative subpoenas. In addition, we found administrative subpoenas signed by a CAU official who was not authorized to sign them, as well as subpoenas that were issued weeks after the telephone records were already obtained by an informal request or an exigent letter.
Among the more troubling incidents detailed in our report are three FBI media leak investigations in which the FBI sought, and in two cases received, telephone toll billing records or other calling activity information for telephone numbers assigned to reporters without first obtaining the approvals from the Attorney General that are required by federal regulation and FBI policy. In one of these cases, the FBI loaded the reporters' records that it obtained in response to an exigent letter into a database, where the records stayed for over 3 years until OIG investigators determined that the records had been improperly obtained. Our report concluded that serious lapses in training, supervision, and oversight led to the FBI and the Department issuing these requests for the reporters' records without following legal requirements and their own policies.
Our report concluded that these and other informal requests for telephone records represented a significant breakdown in the FBI's responsibility to comply with the ECPA, the Attorney General Guidelines, and FBI policy.
II. FBI Corrective Actions
Our report also analyzed the various attempts made by the FBI from 2003 through March 2007, when the OIG issued our first NSL report, to address issues arising from the CAU's use of exigent letters and other informal means to obtain telephone records. We concluded that during this time period the FBI's actions were seriously deficient and that the FBI repeatedly failed to ensure that it complied with the law, Attorney General Guidelines, and FBI policy when obtaining telephone records from the on-site communications service providers.
For example, from 2003 through 2006 FBI officials repeatedly failed to take steps to ensure that the FBI's requests for telephone records were consistent with the ECPA, the Attorney General Guidelines, and FBI policy. For three and a half years, as the CAU issued hundreds of exigent letters, FBI officials and employees failed to object even to letters that contained inaccurate statements on their face, and FBI supervisors failed to develop, implement, or maintain a system for tracking their many requests for records or other information from the on-site providers. Moreover, after issuing the exigent letters, the CAU failed to take appropriate and effective steps to ensure that the timely legal process promised in the letters was actually obtained, thus leading to a significant backlog of records requests for which there was no legal process.
The exigent letters practice began at CAU without any input from the FBI's lawyers, and this was undoubtedly ill-advised. But even in late 2004, when FBI attorneys became aware of the practice of using exigent letters, they not only failed to stop it, they ultimately became involved in issuing after-the-fact NSLs and provided legal advice that was inconsistent with the ECPA. For instance, approximately three years after the CAU began using exigent letters, the FBI's Office of the General Counsel (OGC) directed the CAU to revise the exigent letters, but approved their continued use.
In 2006, shortly after the OIG began questioning the FBI about exigent letters, the CAU and the FBI Counterterrorism Division - without consulting OGC - issued three legally deficient "blanket" NSLs to "cover" or "validate" prior telephone record requests. The ECPA, however, does not authorize the FBI to issue retroactive legal process for ECPA-protected records, and these blanket NSLs did not cure prior violations of the ECPA. In addition, all three blanket NSLs contained other serious defects. The blanket NSLs were used to cover many telephone numbers not relevant to national security investigations, they were not accompanied by documents describing their relevance to an authorized investigation, they lacked required statutory certifications regarding non-disclosure, and they did not state that they related to records that had already been provided to the FBI.
In subsequent months, the FBI issued eight additional improper blanket NSLs to attempt to cover its previous requests to the communications service providers for calling records and other information on over 1,500 telephone numbers. These eight NSLs were also served after the-fact and were issued without the approval documents required under FBI policy. Five of them also failed to comply with the ECPA certification requirement for NSLs imposing confidentiality and non-disclosure obligations on the recipients. None of the 11 blanket NSLs stated that the FBI had already acquired the records, in some instances more than 3 years earlier.
In sum, we concluded that the FBI's initial attempts to cover the improperly obtained records were deficient, ill-conceived, and poorly executed.
By contrast, after the OIG issued our first NSL report in March 2007 we concluded that the FBI took appropriate steps to address the difficult problems that the deficient exigent letters practice had created. For example, the FBI ended the use of exigent letters, issued clear guidance on the use of national security letters and on the proper procedures for requesting records in circumstances qualifying as emergencies under the ECPA, and provided training on this guidance. In addition, the FBI moved the three service providers out of FBI offices.
The FBI also expended significant efforts to determine whether improperly obtained records should be retained or purged from FBI databases, and ultimately purged records relating to nearly 20 percent of the telephone numbers listed in exigent letters or the 11 blanket NSLs. We believe the FBI's review process and other corrective measures since issuance of our first NSL report in March 2007 have been reasonable, given the difficult and inexcusable circumstances that its deficient practices had created.
In sum, after the issuance of our report in 2007 the FBI has taken significant steps to correct past deficiencies in the use of exigent letters and other informal requests for telephone records, and the FBI should be credited for these actions.
III. OIG Findings on Individual Accountability and OIG. Recommendations
In our report, we also assessed the accountability of FBI employees, their supervisors, and the FBI's senior leadership for the use of exigent letters and the other improper practices we described in this report.
We concluded that numerous, repeated, and significant management failures led to the FBI's use of exigent letters and other improper requests for telephone transactional records over an extended period of time. These failures began shortly after the CAU was established in 2002, and they continued until March 2007 when the OIG issued its first NSL report describing the use of exigent letters.
We concluded that every level of the FBI - from the most senior FBI officials, to the FBI's Office of the General Counsel, to managers in the Counterterrorism Division, to supervisors in the CAU, to the CAU agents and analysts who repeatedly signed the letters - were responsible in some part for these failures.
In particular, FBI officials at all levels failed to develop a plan and implement procedures to ensure that telephone records were properly obtained from the on-site communications service providers. FBI managers failed to ensure that CAU personnel were properly trained to request telephone subscriber and toll billing records information from the on-site providers in national security investigations only in response to legal process or under limited emergency situations defined in the ECPA. They also did not ensure that CAU personnel were trained to comply with the Attorney General's Guidelines and internal FBI policies governing the acquisition of these records.
In reviewing the FBI's responsibility for exigent letters and other improper requests for telephone records and the performance of FBI personnel involved in the practices covered in this review, we recognized that the FBI was confronting major organizational and operational challenges during the period covered by our review. Following the September 11 attacks, the FBI had overhauled its counterterrorism operations, expanded its intelligence capabilities, and had begun to upgrade its information technology systems. Throughout the period covered by this review, the FBI was responsible for resolving hundreds of threats each year, some of which, such as bomb threats or threats to significant national events, needed to be evaluated quickly. Many of these threats, whether linked to domestic or international terrorism, resulted in a large number of high priority requests to the CAU for analysis of telephone communications associated with the threats, which was the CAU's core mission.
Indeed, some of the exigent letters and other improper practices we describe in this report were used to obtain telephone records that the FBI used to evaluate some of the most serious terrorist threats posed to the United States in the last few years. In our view, while these circumstances do not excuse the management and performance failures we describe in this report, they provide an important context to the events that led to the serious abuses we found in this review.
Our report also examined in detail the role of individual FBI employees in these failures. Our report recommended that the FBI should assess this report and the information we developed in this review to determine whether administrative or other personnel action is appropriate for the individuals involved in the use of exigent letters and other improper requests for telephone records. We understand that the FBI is now engaged in that process.
As discussed above, after we issued our first NSL report in March 2007 the FBI ended the use of exigent letters and took other corrective actions to address their use. However, our report concluded that the FBI and the Department should take additional action to ensure that FBI personnel comply with the statutes, guidelines, regulations, and policies governing the FBI's authority to request and obtain telephone records. We therefore made additional recommendations to the FBI and the Department regarding the use of exigent letters and other informal requests for telephone records.
For example, we recommended that the FBI conduct periodic training of FBI personnel engaged in national security investigations about the ECPA and other relevant legal authorities; review existing and proposed contracts between the FBI and private entities that provide for the FBI's acquisition of telephone, e-mail, financial, or consumer credit records to ensure that the FBI's methods and procedures for requesting, obtaining, storing, and retaining these records is in conformity with applicable law, Attorney General Guidelines, and FBI policy; issue written FBI guidance and conduct training to ensure that if FBI employees are placed in the same work space as communications service providers, all methods and procedures used to obtain records from the providers conform to applicable law, Attorney General Guidelines, and FBI policy; and issue written guidance proscribing certain practices used to obtain calling activity information and clarifying the circumstances under which it is appropriate to issue requests for community of interest information.
The OIG report also recommended that the FBI take steps to address the potential consequences of its improper practices with respect to the past use of exigent letters and other informal requests for telephone records. These actions include reviewing the circumstances in which FBI personnel asked for and obtained certain calling activity information on "hot numbers" so the Department can determine whether discovery or other legal obligations in any criminal investigations or prosecutions have been triggered. We also recommended that the Department determine whether it has issued any grand jury subpoenas in media leak investigations, other than those identified by the OIG, that included a request for community of interest information, and if so whether the Department obtained toll billing records of news reporters in compliance with Department regulations, including notification requirements.
The OIG recently received the FBI's responses to these additional recommendations. The FBI provided a description of the steps it has taken, or will be taking, to address the recommendations. We believe that the FBI is taking the recommendations seriously, and we will continue to monitor its corrective actions.
Finally, our last recommendation relates to the FBI's potential use of a certain legal authority to obtain certain telephone records without relying on the NSL provisions of the ECPA. Due to the classified nature of this issue, we cannot identify or discuss the specific legal authority in this forum.
This issue first arose after the FBI had reviewed a draft of the OIG's report. In its response to the draft report, the FBI asserted for the first time that as a matter of law the FBI could have obtained certain telephone records in national security investigations without legal process or an ECPA emergency voluntary disclosure request. However, the FBI did not rely on this legal authority when it requested and obtained the records discussed in this report. In fact, from the first exigent letter issued by the New York Field Division through the conclusion of our investigation, the FBI had never raised or relied on this legal authority when requesting the records described in our report.
The FBI requested an opinion from the Department's Office of Legal Counsel (OLC) on this issue. OLC agreed with the FBI that under certain circumstances the ECPA does not prohibit electronic communications service providers from disclosing certain call detail records to the FBI on a voluntary basis without legal process or a qualifying emergency under Section 2702.
The OIG report noted that the FBI's possible use of this authority had important legal and policy implications, and stated that the FBI, the Department, and Congress should consider how the FBI would use this legal authority when seeking telephone records. We further recommended that the Department inform Congress of the FBI's potential use of this legal authority and of the OLC opinion interpreting the scope of this authority.
The FBI has stated that it does not currently intend to exercise the full scope of this authority and that it will fully brief the Congressional oversight committees before implementing any changes to its policy concerning the use of its national security letter authorities in light of the OLC opinion. The FBI also has stated that any such policy would include administrative recordkeeping requirements, which we believe are essential for effective supervision and oversight.
We believe that the Department and Congress should carefully consider this issue and this authority, which if used would broaden the FBI's ability to request and lawfully obtain certain telephone records without legal process or a qualifying emergency. Unlike the past expansions of the FBI's NSL authority, which included carefully considered oversight and accountability provisions, this alternative legal authority does not contain similar statutory provisions to ensure that proper controls are in place and that oversight is conducted. We therefore recommend that the Department and Congress carefully review the OLC opinion and consider its possible ramifications for the NSL statute, other ECPA authorities, and other federal statutes governing the FBI's access to certain records and other information.
National security letters and other law enforcement authorities in the ECPA are important investigative tools for the FBI to carry out its vital counterterrorism mission, but it is critical that these authorities be used in compliance with applicable statutes and Department, Attorney General Guidelines, and FBI policies. We believe that the FBI needs to ensure that it uses these authorities in full accord with these requirements. The OIG will continue to monitor the FBI exercise of these important authorities.
That concludes my prepared statement, and I would be pleased to answer any questions.