FBI delayed privacy protection rules for Section 215 data, says IG
An IG report asserts that it should not "have taken 7 years … to develop minimization procedures" to protect the privacy of data.
The FBI dragged its heels in developing processes to minimize the dissemination of non-public information on Americans held in law enforcement databases and collected under the auspices of Section 215 of the Patriot Act, according to a recent report by the Justice Department Office of Inspector General.
The report is a historical look at the FBI's requests for data under Section 215 authority from 2007-2009, and it examines the processes put in place by the FBI to safeguard the privacy of individuals whose information was swept up in the collection of business records ordered by the FBI for its own investigation and for use by intelligence agencies.
Technological advances and growth in the use of the Internet have "expanded the quantity and quality of electronic information available to the FBI," per the 77-page report. "Materials produced in response to Section 215 orders now range from hard copy reproductions of business ledgers and receipts to gigabytes of metadata and other electronic information," the report notes.
The public had little understanding of how these authorities were used until the leaks of classified intelligence documents by Edward Snowden in 2013, which led to the declassification of some of the 215 programs, including the bulk collection and storage of telephone metadata from domestic carriers by the National Security Agency. Though the NSA maintains and queries that data, it is the FBI that ordered its collection and delivery. The OIG report cautioned that there is no fixed definition of metadata in use.
"Metadata generally is considered to exclude the content of communications. However, [Justice Department and FBI national security attorneys] told us that the terms used to define metadata themselves lack standardized definitions and that applying them to rapidly changing technology can be difficult," the report says. The OIG said it would continue to keep an eye on the FBI's use of metadata, as the Bureau uses 215 authority to sweep up ever larger collections.
The OIG found that by August 2013, the FBI had put in place minimization procedures that were ordered in the 2006 reauthorization of the Patriot Act. The heavily redacted unclassified version of the report does not specify what those procedures are, except to note that agents are required to review material before uploading to FBI databases to make sure that the documents and other material returned were "responsive to Section 215 orders" and "included procedures for handling overproduced material."
The report was critical of the amount of time the FBI took to develop the procedures. "Given the significance of minimization procedures in the Reauthorization Act, we do not believe it should have taken 7 years for the Department to develop minimization procedures or 5 years to address the OIG recommendation that the Department comply with the statutory requirement to develop specific minimization procedures designed for business records," the report found.
In June 2009, the Foreign Intelligence Surveillance Court, which authorizes the collection of information under Section 215, began to require the FBI to report on the implementation of interim minimization procedures put in place after the 2006 reauthorization. The IG report found that "the FBI retained nearly all of the material" produced in response to 215 orders. Additionally, the FBI disseminated material via the FBI's case management systems to its own personnel, and made it available to U.S. intelligence agencies and foreign governments. The minimization rules permit the FBI to keep material that is determined to be "foreign intelligence information" or "necessary to understand foreign intelligence information." Per the OIG report, these terms were not strictly defined in the interim guidance.
The FBI's authority under Section 215 is due to expire on June 1. The House passed a bill that would curtail some of the government's authority to maintain databases derived from bulk collection of business records. If the Senate does not pass that measure, it seems unlikely that a compromise could be voted on and signed into law before the authorities expire.
NEXT STORY: Health Insurer CareFirst Popped By Hackers