Surveillance

Eleven Documents from ODNI on Section 702: Summaries

By Todd Carney, Rachael Hanna, Adira Levine, Natassia Velez
Friday, October 2, 2020, 8:01 AM

On Sept. 4, the Office of the Director of National Intelligence released a tranche of documents related to Section 702 of the Foreign Intelligence Surveillance Act. The documents contain a December 2019 ruling by the Foreign Intelligence Surveillance Court (FISC) approving procedures developed by the FBI, CIA, NSA and National Counterterrorism Center (NCTC) for targeting surveillance under Section 702, minimizing information obtained under Section 702 and querying—that is, searching—that information. All the procedures are dated Sept. 17, 2019.

Below, we summarize each document. Note that redactions necessarily leave gaps in some of the summaries.

Document 1: The FISC’s December 2019 Opinion

On Sept. 17, 2019, the government filed for approval of certifications and related procedures involving “the targeting of non-United States persons reasonably believed to be located outside the United States to acquire foreign intelligence information." The request was reviewed by the Foreign Intelligence Surveillance Court under Section 702 of the Foreign Intelligence Surveillance Act (FISA). The 2019 certification request proposed continuation of information acquisition under the 2018 certification and sought approval of amendments to the certifications. These amendments sought to apply the same minimization and querying procedures to information obtained under the 2019 certification and to information obtained under certifications from prior years.

The FISC issued a classified memorandum order on December 6, 2019 that approved the 2019 certifications and related procedures for targeting, minimization, and querying under Section 702 of the Foreign Intelligence Surveillance Act (FISA). The court determined that the procedures satisfy the FISA statute and the Fourth Amendment. The court also held that prior procedures and certification pursuant to Section 702 also satisfied both the FISA and the Fourth Amendment.

Targeting Procedures

The court found that proposed targeting procedures complied with the FISA and the Fourth Amendment. Under Section 702, targeting procedures must be "reasonably designed" to "ensure that any acquisition authorized under [Section 702(a)] is limited to targeting persons reasonably believed to be located outside the United States" and to "prevent the intentional acquisition of any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States.”

One set of issues the court addressed involved the NSA’s upstream and downstream internet data collection—two different methods of collection. Currently, when the NSA conducts upstream internet collection, it must ensure that at least one end of each acquired communication stems from outside U.S. borders. The government proposed lifting one of the requirements involved in those targeting procedures, the specifics of which are redacted, which the government claimed would help avoid the loss of foreign intelligence information. The government also proposed modifying downstream procedures to only require “post-tasking” checks—which help detect if a Section 702 target is located within the U.S—only when the NSA “is technically capable of performing them.” The court approved the modifications. Regarding the latter modification concerning downstream collection, the court noted that it “expects that … post-tasking checks will be employed whenever feasible.”

The opinion also addressed proposals for information sharing between the NSA and FBI in connection with certain requests. In response to prior court guidance that the government should include more detail about information sharing in its targeting procedures, the government proposed additional steps, such as determining whether a given user of a targeted account is reasonably believed to be outside the U.S. and a non-US. person. The government did not provide a timeline for implementation of this measure, and the court requested that it be implemented“expeditiously.”

The court also approved additional, heavily reacted changes to FBI procedures, including one that permits the bureau under certain circumstances to “forgo actions that would otherwise be required” and another that modifies agency powers when facing immediate threats. Satisfied with the effects of the proposals on balance, the court approved the changes.

Minimization and Querying Procedures

The court found that proposed targeting procedures satisfied the requirements of FISA and the Fourth Amendment. FISA requires that minimization procedures (which limit collection and retention of irrelevant information regarding U.S. persons) be instated "for acquisitions authorized under" Section 702(a) and querying procedures be put in place "for information collected pursuant to an authorization under" Section 702(a). The court found that proposed minimization and querying procedures by the FBI, CIA and NSA satisfied Section 702.

One group of proposed changes involved FBI, CIA and NSA provisions related to user-activity monitoring (UAM): systems that monitor agency’s network use to protect against misuse, and which sometimes capture and store unminimized 702 information. Under the NSA’s UAM provisions, the agency is not required to remove unminimized Section 702 information from its system. The court did not take issue with the NSA provisions and found the proposed changes acceptable.

The court also approved a similar change as applied to FBI archives of messages from classified email and IM systems. While the court also approved a narrowed requirement for the FBI to report any unminimized Section 702 information to the FISC, it chastised the bureau for its “unjustifiabl[e] disregard” of “the current reporting requirement.” It stated that the government did not “tak[e] concrete steps to comply even partially with the court's directive (or timely seeking relief from it)” from October 2018, and that the bureau must still do so as it has not sought retrospective relief.

Another set of changes sought to exclude searches of FBI, CIA and NSA UAM systems from definition of “query,” “so long as the only unminimized section 702-acquired information that the searches run against are in records captured through user activity monitoring." The FBI proposed a similar procedure for its archival email and messaging systems. The court agreed that the changes were consistent with statute and the Fourth Amendment.

Additionally, the court approved the government’s proposal to increase the retention period for information gathered through NSA’s upstream collection process from two to five years. It also addressed National Counterterrorism Center (NCTC) procedures regarding automated translation assistance from the CIA. In June 2019, the government disclosed that CIA assistance to NCTC violated some restrictions of the 2018 NCTC Minimization Procedure, as the assistance produced a log of encrypted source text maintained for up to five years. The court approved this practice as a “narrow exception” under the 2019 NCTC Minimization Procedures.

Retention of U.S. Person Information by the CIA

The court approved the CIA’s proposed minimization procedures concerning retention of information. Under its current minimization procedures, the CIA is generally authorized to retain unminimized information that may contain U.S. person information for five years. The CIA is further authorized to retain U.S person information beyond that period if the information meets certain retention criteria, subject to a requirement to delete U.S. person identities, unless the identity is necessary to understand the information. The CIA minimization procedures discussed were revised to omit language so as to clarify that the retention requirements apply to U.S. person communications and information about a U.S. person in any communication.

Court Notification Requirements

High-level agency officials are authorized to make specific determinations to approve overriding minimization requirements. The NSA, FBI, CIA and NCTC all submitted revised procedures that now require the government to report such approvals to FISC. The court noted that such increased reporting should better enable it to ensure that the agencies implement those provisions reasonably.

Loss or Abandonment of Lawful Permanent Resident Status

Lawful permanent residents of the United States are U.S. persons under Section 702. Current NSA, FBI, NCTC and CIA minimization procedures allow a determination that a person has lost or abandoned their lawful permanent resident status, and therefore is no longer a U.S. person, to be made either: 1) in consultation with the agency's Office of General Counsel (OGC) and based on either a court order revoking the person's U.S. person status or an official abandonment of status executed by the person and filed with the U.S. Customs Citizenship and Immigration Services; or 2) in consultation with the agency's OGC and the National Security Division of the Department of Justice. The agencies' respective querying procedures and the NSA’s targeting procedures have been revised to include the same requirements. FISC found these changes to be an improvement because they require sufficient scrutiny for these determinations.

The court concludes that, as written, the proposed minimization procedures for the four agencies, in conjunction with the querying procedures for those agencies, satisfy statutory requirements and additionally that their querying procedures satisfy the requirements of Section 702(f)(1).

Fourth Amendment Requirements

The court further assessed whether the proposed targeting, minimization, and querying procedures comply with the Fourth Amendment. It found that the proposed targeting procedures were reasonably designed to limit acquisitions to targeted persons reasonably believed to be non-U.S. persons located outside the United States, noting that the Fourth Amendment does not protect the privacy interests of such persons.

In reaching this conclusion, the court used a totality of the circumstances approach, balancing the degree of governmental intrusion on individual privacy against the degree to which the intrusion will further important governmental interests. The court concluded that, together, the proposed targeting, minimization and querying procedures will sufficiently guard against error and abuse to comply with the Fourth Amendment.

Implementation and Compliance Issues

In addition to review Section 702 procedures as they are written, the court also reviewed their implementation in practice for compliance.

FBI Querying Issues

FISC found that FBI querying practices raised significant questions regarding three categories of behavior: 1) recordkeeping and documentation requirements for the use of U.S. person query terms; 2) conducting queries based on a substantive standard; and 3) querying that is retrieves or is designed to retrieve evidence of a crime that is not also foreign intelligence information.

Previously, the court had found two deficiencies with the FBI’s querying procedures. First, the procedures did not require the agency to maintain records of which U.S. person terms were used to query unminimized Section 702 information. And second, the minimization and querying procedures were inconsistent with the requirements of Section 702 and the Fourth Amendment because of the lack of adequate documentation of the justifications for using U.S. person query terms.

In light of these findings, the FBI amended its querying procedures to require the agency, first, to keep records that identify U.S. person query terms used to query unminimized Section 702 information; and second, to document why a query involving a U.S. person query term satisfies the querying standard before accessing the contents of communications retrieved by the query, except for queries that are subject to Section 702(f)(2). The court's approval of the FBI' s querying and minimization procedures relied on FBI descriptions of what information it considers to be “contents,” and the court emphasized its expectation that the FBI implement its procedures in accordance with those descriptions.

The court had approved the FBI’s proposed timetable for its full implementation of the new querying and minimization procedures, including personnel training and modifications to its systems, and concluded that the FBI was complying with its implementation schedule.

Violations of the Querying Standard

Despite the FBI’s procedural improvements, the court noted the continuing indication of “widespread violations of the querying standard.” Most egregiously, the court highlighted the National Security Division’s assessment that in August 2019, FBI queries for unminimized Section 702 information used the identifiers of approximately 16,000 people, only seven of whom satisfied the querying standard. There was no indication that the rest were involved in criminal activity or foreign intelligence-related conduct. However, because the FBI is still in the process of implementing the new documentation requirements discussed above, the court did not believe that these abusive queries indicated that the FBI’s revised querying and minimization procedures fall short of the statutory and Fourth Amendment requirements.

Evidence of Crime Queries

Section 702(f)(2)(A) requires the FBI, but not other agencies, to obtain a FISC order based on a finding of probable cause before it can access the contents of unminimized Section 702 information in certain circumstances: namely, when the query involves a U.S. person and is made connection to a criminal investigation that does not have national security or foreign intelligence implications. The government has never applied for such an order, but FBI personnel have violated Section 702(f)(2) by accessing such contents without an order. Violations were discovered during oversight reviews of four FBI field offices, and the court noted that similar violations had likely occurred throughout the FBI. However, the court acknowledged the government's efforts to improve compliance with Section 702(f)(2). As a result, the court approved the FBI's revised querying procedures but with close, ongoing monitoring of the FBI’s compliance with Section 702(f)(2).

Relatedly, the government sought relief from a reporting requirement that the FBI submit a written report to FISC about each instance in which FBI personnel access Section 702 information concerning a U.S. person from a query not intended to find foreign-intelligence information. This reporting requirement was imposed in a prior FISC opinion, which relied on the government's representation that “queries designed to elicit evidence of crimes unrelated to foreign intelligence rarely, if ever, produce responsive results from the Section 702-acquired data.” Despite this opinion and the government’s own representation, the court found that the government has not provided timely reporting in such instances—in fact, reports were often not provided until they were uncovered during oversight reviews.

The court decided to retain this separate reporting requirement. However, the court modified the requirement to focus on the use of U.S. person query terms, rather than on whether U.S. person information is accessed through a query, and reporting is required only when contents information is accessed.

NSA Querying Issues

Every NSA query “must be reasonably likely to retrieve foreign intelligence information,” but the National Security Division has found that multiple NSA queries have not met this querying standard. Accordingly, the court stated that it will continue to monitor closely how all four agencies use U.S. person identifiers to query Section 702-acquired information.

Failure to Purge Recalled Reports

The government has reported incidents of non-compliance resulting from NCTC's failure to purge its copies of NSA reports; the NSA had recalled the reports for FISA-compliance reasons but did not inform NCTC of the reason for recall. A subsequent assessment by the Office of the Director of National Intelligence (ODNI) submitted to the FISC revealed that the CIA, NSA and NCTC may be retaining copies of reports which had been recalled for FISA compliance reasons. Accordingly, the court ordered the government to submit a written report by Febr. 28, 2020, explaining: 1) the necessary actions the FBI, NSA, CIA and NCTC has taken or will take to identify when reports are recalled for a FISA-compliance reason; 2) other steps the government has taken or will take to improve processes for identifying and removing reports that are recalled for FISA-compliance reasons; and (3) an anticipated timetable for completing any remaining steps.

NSA Purge Backlog

The NSA has previously had a backlog of purge-discovery orders, which had resulted in significant delays in placing Section 702-acquired information on the NSA's Master Purge List. By October 2018, the NSA had eliminated this backlog, and on Feb. 26, 2019, the court ordered the NSA to continue to ensure that information subject to purge is not included in FISA applications; to report to the court if there is a significant delay in its purge process; and to submit quarterly reports that assess the timeliness of its purges. Here, the court concluded that the NSA’s quarterly reports indicate its purge process has been operating in a timely manner.

Other Incidents of Non-Compliance

Regarding other identified incidents of non-compliance since the Oct. 18, 2018 FISC opinion, the court concluded that the revised procedures, as expected to be implemented, comply with agencies’ applicable statutory and Fourth Amendment requirements. However, the court will continue to monitor implementation, especially regarding U.S. person queries.

Conclusion

Having made the foregoing findings, the court made the following orders:

From the government's Sept. 17, 2019 submission, the court approved:

  • The 2019 certifications and the certifications in the prior 702 dockets, as amended;
  • The use of the targeting procedures for acquisitions conducted pursuant to the 2019 certifications;
  • The use of the minimization procedures and querying procedures, with respect to information acquired under the 2019 certifications; and
  • The use of the minimization procedures, in conjunction with the respective requirements of agencies’ querying procedures, with respect to information acquired under the certifications in the prior 702 dockets.

The court affirmed that the following provisions of the Oct. 18, 2018 FISC opinion remain in effect:

  • Raw information obtained by NSA's upstream internet collection under Section 702 shall not be provided to the FBI, the CIA or NCTC unless pursuant to revised minimization procedures adopted by the attorney general and director of national intelligence and submitted to the FISC for review pursuant to Section 702;
  • By Dec. 31 of each year, the government shall submit a written report to FISC describing all administrative, civil or criminal litigation matters requiring preservation by the FBI, NSA, CIA or NCTC of Section 702-acquired information otherwise subject to purge; describing the Section 702- acquired information preserved for each such litigation matter; and describing the status of each such litigation matter.
  • The government shall promptly submit a written report describing each instance in which an agency invokes the exemption for responding to congressional mandates in its minimization or querying procedures, the circumstances of the deviation from the procedures and its justification.
  • The government shall promptly submit in writing a report concerning each instance in which FBI personnel accessed unminimized Section 702-acquired contents information returned by a query that used a U.S. person query term and not designed to elicit foreign intelligence information. The report should include a detailed description of the information at issue and the manner in which it has been or will be used for analytical, investigative or evidentiary purposes. It shall also identify the query terms used and provide the FBI's basis for concluding that the query was consistent with applicable procedures. The government need not file such a report for a query for which it files an application with the FISC pursuant to Section 702(f)(2).
  • The government shall continue to submit reports to the court on a quarterly basis that, in part, explain how the government ensures it only acquires communications to or from a Section 702 target, describe the methods used to monitor compliance and report on the results of such monitoring.

Document 2: FBI’s 2019 § 702 Targeting Procedures

This is an FBI memorandum that outlines the agency’s targeting procedures used to collect foreign intelligence information against the electronic communications of accounts, addresses and identifiers that the NSA has designated as being used by non-U.S. persons reasonably believed to be located outside the United States. The NSA must explain to the FBI why it concluded that the user of a designated account is a person reasonably believed to be located outside the United States and how it determined the user is a non-United States person. The FBI will then evaluate this information. If the FBI determines that the user of an NSA-designated account is actually located within the United States or is a U.S. person, the FBI will inform the NSA and will not target the account. In an emergency situation, the FBI can immediately take action on a designated account provided by the NSA without reviewing the NSA’s explanation. However, the FBI must review the sufficiency of the provided information at the earliest possible opportunity, no later than one business day after taking action, and must promptly report the departure from procedures to the National Security Division of the Justice Department and ODNI. The National Security Division is required to notify the FISC promptly of such activity.

Additionally, the FBI may provide information to the NSA that establishes an individual is a non-United States person reasonably believed to be located outside the United States. Pursuant to Section 702, the NSA may then target that individual for surveillance in compliance with the NSA's targeting procedures. One partially redacted line from the procedures reads, “in no event will the FBI [redacted] communications that contain a reference to, but are not to or from, a person targeted in accordance with these procedures.”

In retaining certain communications, the FBI must process that information in compliance with its minimization and querying procedures pursuant to subsections 702(e) and 702(f)(l) of FISA, respectively. Furthermore, the FBI retains information it receives from NSA concerning the non-U.S. person status of the user of a designated account and the factual basis for NSA's determination that the user is reasonably believed to be located outside the United States on file with the National Archives and Records Administration (NARA) and, as appropriate, with the FBI's Records Management Division and/or Security Division.

With regard to oversight and compliance, the memorandum explains that the FBI Inspection Division will conduct oversight of the FBI's exercise of these procedures, including periodic reviews at least once every two years to evaluate the implementation of the procedures and personnel training. The Justice Department and ODNI will also conduct oversight of the FBI's exercise of the authority under Section 702, including periodic reviews to evaluate procedure implementation, every 60 days. Lastly, the FBI will report to the Justice Department and ODNI any incidents of noncompliance with these procedures within five business days of learning of the incident.

Document 3: NSA’s 2019 § 702 Targeting Procedures

This is an NSA memorandum that explains how the NSA determines that a person targeted under Section 702 is a non-U.S. person reasonably believed to be located outside the United States—and, in so doing, protects against intentional acquisition of purely domestic communications.

The NSA determines whether an individual is a non-U.S. person reasonably believed to be outside the United States through an assessment of the totality of the circumstances and the information available. This includes the information the NSA has received regarding the potential target that has led the agency to become interested in conducting surveillance, as well as information on and verification of the individual’s location. Surveillance pursuant to these procedures will not intentionally acquire communications that contain reference to, but were not sent or received by, a person targeted under these procedures—informally known as “about” communications.

When the NSA gains information about a possible target and proposes surveillance of that target, it will examine the lead information for indicators of the target’s physical location.The NSA will also review its existing databases for information on the target’s location. These databases have information from the NSA and other agencies, including signals intelligence, human intelligence, law enforcement information and other sources. The information used to assess the physical location of a target will often also assist in determining whether the target is a U.S. person.

In the absence of specific information determining whether a target is a U.S. person, a person reasonably believed to be located outside the United States or whose location is unknown will be presumed to be a non-U.S. person. A person known to have been at any time a lawful permanent resident will be presumed to be a United States person, unless a determination is made that this individual is no longer a U.S. person.

The NSA must also must make a particularized and fact-based assessment, based on the totality of the circumstances, that the target is expected to possess, receive and/or is likely to communicate foreign intelligence information concerning a foreign power or foreign territory authorized for targeting under a certification or authorization executed by the DNI and the Attorney General.

Analysts who request tasking—that is, turning the agency’s attention to a certain target—must document citations of the information that led them to reasonably believe that a targeted person is located outside the United States, as well as identify the authorized foreign power or foreign territory about which they expect to obtain foreign intelligence information and the basis for their assessment that the tasking will elicit foreign intelligence information concerning that foreign power or territory. Before tasking is approved, the database entry for that tasking will be reviewed in order to verify that the database entry contains the necessary “citations” identifying the source of the information, such as a report number or communications intercept identifier, which NSA maintains. Citations are subject to oversight.

In emergency situations where the NSA determines that it must act in contravention of these targeting procedures, the NSA must report that activity promptly to ODNI and to the National Security Division, which will promptly notify FISC.

After a person has been targeted based on the reasonable belief they are outside the United States, the NSA conducts post-targeting analysis to ensure the person is outside the United States and is not a U.S. person. The NSA uses special procedures in its post-targeting analysis for targeted telephone numbers and electronic communications. If the target is determined to be within the United States or a U.S. person, the NSA will terminate the acquisition from the target without delay. Likewise, information will be purged if it is obtained not in compliance with procedures by intentionally targeting a U.S. person or a person not reasonably believed to be outside the U.S.

With regard to oversight and compliance, the memorandum explains that the NSA conducts ongoing oversight activities with respect to its activities under Section 702, including processes for ensuring that raw traffic is labeled and stored only in authorized repositories and is accessible only to those with proper training. The NSA also makes any necessary reports, including for incidents of noncompliance, to the agency’s inspector general and Office of General Counsel. Periodic compliance spot checks of targeting decisions, intelligence disseminations, and queries in data repositories are also conducted. Furthermore, the Justice Department and ODNI will conduct oversight of the NSA's exercise of the authority under Section 702, including periodic reviews to evaluate procedure implementation, every 60 days. Lastly, the NSA will report to the Justice Department and ODNI any incidents of noncompliance with these procedures within five business days of learning of the incident.

Document 4: NCTC’s 2019 § 702 Querying Procedures

This is an NCTC memorandum that overviews the agency’s procedures for querying unminimized information pursuant to Section 702.

A person known to be located in the United States will be treated as a U.S. person unless the person is identified as an alien who is not a lawful permanent resident, or the circumstances otherwise give rise to the reasonable belief that such person is not a U.S. person. A person known to be located outside the United States, or whose location is unknown, will be treated as a non-United States person unless the person is identified as or is reasonably believed to be a U.S. person. A person known to have been at any time a lawful permanent resident is treated as a U.S. person, unless a contrary determination is made.

NCTC queries for unminimized information acquired pursuant to Section 702 must be reasonably likely to retrieve foreign intelligence information unless otherwise specifically excepted in these procedures. Specifically, NCTC must create and maintain electronic records of each U.S. person query term used, which must, at a minimum, include: the query term(s) used, the date of the query, the identifier of the user who conducted the query, and a statement of facts showing that the use of that query term is reasonably likely to retrieve foreign intelligence information. These records are subject to oversight by the National Security Division and ODNI and must be maintained for a period of five years.

In emergency situations where the NCTC determines that it must act in contravention of these targeting procedures, the NCTC must report that activity promptly to ODNI and to the National Security Division, which will promptly notify the FISC.

Document 5: CIA’s 2019 § 702 Minimization Procedures

This is a CIA memorandum that explains the agency’s minimization procedures in compliance with Section 702.

The CIA will hold the unminimized information in a controlled manner, accessible only to people who have gone through the required training. Any information about people located in the United States that does not meet the requirements for retention can only be held for five years unless the deputy director of the CIA for operations, or one of the deputy director’s superiors, believes the information “contain[s] significant foreign intelligence information, or evidence of a crime that has been, is being, or is about to be committed.” If any of this information is revealed in an unauthorized manner, it will be destroyed.

The memorandum also details how the CIA can keep information indefinitely on a person located in the U.S. The person’s name should be removed from all documents. If the name cannot be removed, then the information can still be retained if it concerns details about foreign intelligence, is encoded or “contains secret meaning,” if it is needed to keep individuals or entities in safety, if it concerns a U.S. person who may be an agent of a foreign power or is engaged in terrorism, or other exceptions related to national security. If the identities of the people concerned cannot be removed, the material can still be shared outside the CIA if the dissemination of the information is necessary for national security.

The CIA can receive unminimized information about privileged communications with an attorney under Section 702. If the material does not contain foreign intelligence information or evidence of a crime, it must be destroyed. If the information does involve foreign intelligence information, it must be shown to the CIA's Office of General Counsel; if it involves a criminal charge, it will be segregated from other information held by the CIA. Any authorized sharing of information must include a note that it contains attorney-client privilege information and can only be shared upon approval from the assistant attorney general for national security.

Unminimized information can be shared with other federal agencies for the sole purpose of helping translate or analyze the information. Any dissemination must be temporary, and either destroyed or returned upon the end of its use. There is a similar procedure to sharing such information with foreign governments: material can only be shared upon approval of the attorney general or procedures approved by the CIA and the attorney general. Information can be shared with foreign governments for the purpose of analysis or translation, but any dissemination should be temporary.

Any information that concerns criminal activity but that is not about foreign intelligence can be retained and passed to the FBI and other law enforcement agencies.

The document also details how to deal with information that either concerns a United States person thought to be abroad, but was not when the information was collected, or a person whose information was indeterminate. If a person thought to be outside the U.S. is determined to have been in the US, then the information will be destroyed unless the director of the CIA writes that the information is determined to be of value to foreign intelligence. If the CIA cannot determine if the person was located outside the U.S., it will follow internal procedures to disseminate the information.

If the CIA recovers information that involves a matter of life and death, and the CIA does not have the necessary time to go through the proper procedures, the CIA can act without following the procedures, but the CIA must report the action to the ODNI and the National Security Division, both of which will notify the FISC. The CIA will regularly communicate the information concerning these procedures with the Justice Department and National Security Division, who will both advise the CIA on the information and will use the information if it relates to litigation matters.

Document 6: NCTC’s 2019 § 702 Minimization Procedures

This is an NCTC memorandum that explains the minimization procedures that the NCTC follows to be in compliance with Section 702. Procedures need to be followed unless it is a matter of life and death, In which the NCTC will report the action to the ODNI and the National Security Division, both of which will notify the FISC.

If material is not relevant to foreign intelligence but still provides evidence of a domestic crime, the NCTC will share this information with the FBI and other law enforcement.

Unminimized information can be retained but only in a way that is secure, only available to employees who have been properly trained on the manner and follows all proper procedures from Section 702. All material that is not reviewed by the NCTC within five years shall be destroyed unless NCTC’s deputy director for intelligence or the deputy director of terrorist identities orders the information to be retained. Material about a U.S. person that is reviewed by the NCTC, but is not labeled as relevant to foreign intelligence or containing evidence of a crime, can be retained and accessible for up to 10 years, but will only be accessible upon permission from the deputy director for intelligence or the deputy director of terrorist identities. The information will be destroyed after 15 years unless the director of NCTC and National Security Division directs otherwise, and the FISC approves the retention. Material about a U.S. person that is related to foreign intelligence or contains evidence of a crime may be retained without a time limit.

Any information acquired about someone believed to be outside of the U.S. but was actually in the U.S. must be destroyed unless the director of the NCTC intervenes in writing to keep the data due to its relevance to foreign intelligence. The National Security Division may determine that information in this category that is not related to foreign intelligence may be temporarily retained for litigation matters. If the agency does retain it, the access will be limited to only people dealing with the litigation issue.

Access to the data will be limited to authorized personnel and be kept in a database that only authorized employees can review. Particularly sensitive information—such as a person’s religious, educational, sexual or medical background, along with any information about related minors—will be kept out of reports and analyses unless the information is crucial to foreign intelligence. Any attorney-client sensitive information obtained should be destroyed unless it is related to foreign intelligence, in which case it should be referred to the NCTC legal counsel. If such information pertains to criminal charges in the U.S., it will be segregated. Any dissemination of the information within the NCTC should include notice that the information is subject to attorney-client privilege; that it should not be used unless approved by the attorney general; and that it cannot be disseminated without approval from the assistant attorney general for national security.

Information can be shared with other agencies—not only at the federal level, but also with state, local, territorial or tribal agencies—if the identity of the U.S. person in question is removed, unless the identity of the person is needed for national security reasons. Material that is evidence of a crime but is not foreign intelligence information can be retained or disseminated only for law enforcement purposes. Material can also be shared with foreign governments if doing so is necessary for foreign intelligence reasons.

Raw information can be shared with the CIA, FBI and NSA if those agencies use the established Section 702 procedures for minimization and querying. Additionally, other federal agencies can view the information for purposes of analysis and translation. If the NCTC accesses information from the FBI that is not related to foreign intelligence matters, the NCTC should delete and destroy the information. The NCTC will consult with the National Security Division and ODNI to maintain the information and ensure NCTC employees handle the information properly.

Document 7: NSA’s 2019 § 702 Minimization Procedures

This is an NSA memorandum that explains the minimization procedures that the agency follows to be in compliance with Section 702.The memorandum states that the procedures should not interfere with the legal oversight duties of the NSA. Procedures must be followed unless it is a matter of life and death—in which case the NSA will report the action to the ODNI and National Security Division, both of which will notify the FISC.

NSA employees will use “reasonable judgment” in weighing whether information must be minimized. Information regarding a U.S. person will be destroyed “at the earliest practicable point” at which it can be identified as either not containing foreign intelligence information or not containing evidence of a crime, and the agency may only retain that information for five years after the authority to conduct the collection expires. In order to determine how to handle information in accordance with the minimization procedures, analysts will judge whether a communication is foreign or purely domestic, and whether it is reasonably believed to contain foreign intelligence information or evidence of a crime; they will also confirm that the information is not “about” material that references but is not to or from a target.

The procedures contain specific instructions for how to handle data obtained through different means. Information obtained “through tasking Internet selectors by or with the assistance of the FBI from internet service providers or through tasking telephony selectors,” which does not meet retention standards and that contains information of U.S. persons, will be destroyed as soon as it is recognized as such. Material obtained in this way can be retained for a maximum of five years after the collection authority expires, unless the NSA determines that it meets standards to be retained for longer. Meanwhile, “internet transactions” obtained on or before March 17, 2017 will be destroyed; such transactions obtained on or after March 18, 2017 will be destroyed only if it is determined that they do not meet retention standards, and they can be retained for five years after the expiration of the collection authority unless determined otherwise.

The Department of Justice may advise the NSA that information that would otherwise be destroyed is in fact subject to a preservation obligation in pending or anticipated litigation. On a yearly basis, the NSA and the National Security Division will review all litigation matters requiring preservation and the material that has been preserved.

If the NSA is collecting information on someone whom it reasonably believed to be outside of the U.S. but then discovers that this person was actually in the U.S., or if the agency is collecting information on someone it believes to be a non-U.S. person but whom it discovers is a U.S. person, acquisition of information will cease. Information obtained under these circumstances will be considered domestic communication under the procedures.

Any attorney-client sensitive information obtained should be destroyed if it is not related to foreign intelligence; if it is related then it should be referred to the NSA Office of General Counsel. Information concerning a criminal charge in the United States will be segregated. Any dissemination of the information within the NSA should include notice that the information is subject to attorney-client privilege, that it should not be used unless approved by the attorney general and it cannot be spread unless it is approved by the assistant attorney general for national security.

All domestic communication will be destroyed once it is identified, unless the director of the NSA determines in writing that the sender or recipient was properly targeted under Section 702 and that the communication is reasonably believed to be relevant to foreign intelligence or contains evidence of a crime; is necessary to understand cybersecurity vulnerabilities in government systems; or contains information relevant to “an imminent threat of serious harm to life or property.” If a domestic communication shows that a target has entered the U.S., the NSA may alert the FBI; it may also share information derived from domestic communications with the FBI, NCTC and CIA to help those agencies avoid collecting domestic communications.

Foreign communications may be retained for five years after the collection authority expires, unless the director of the NSA’s Operations writes that the information needs to be retained for longer to address foerign intelligence or counterintelligence issues. The NSA must report the decision to retain the information to the ODNI and National Security Division, both of which will notify the FISC. The NSA can retain technical information—such as encryption algorithms—to use in the future.

In terms of dissemination, a person’s identity from the information can be revealed if understanding that identity is necessary for assessing foreign intelligence; if the information indicates that the U.S. person is an agent of a foreign power or the target of intelligence activities by a foreign power; engaging in terrorism; if acquisition of the person’s information was authorized by a court order; or if the information contains evidence of a crime, among other exceptions. The NSA can share information with foreign governments if it is necessary for foreign intelligence, but any dissemination must be limited to analysis and translation, and not be retained. The NSA will perform careful internal policies to ensure that information remains secured when used by employees.

Document 8: CIA’s 2019 § 702 Querying Procedures

This is a CIA memorandum that explains the querying procedures that the CIA follows when handling unminimized information in compliance with Section 702. If the CIA recovers information that involves a matter of life and death that does not allow the necessary time to go through the proper procedures, the CIA can act without following the procedures, but it must report the action to the ODNI and National Security Division, which will notify the FISC.

A person known to be located in the United States will be treated as a U.S. person unless the person is identified as an alien who is not a lawful permanent resident, or the circumstances otherwise give rise to the reasonable belief that such person is not a U.S. person. A person known to be located outside the United States, or whose location is unknown, will be treated as a non-United States person unless the person is identified as or is reasonably believed to be a U.S. person. A person known to have been at any time a lawful permanent resident is treated as a U.S. person, unless a contrary determination is made.

The CIA must keep electronic records of each query. If the CIA cannot access an electronic record, then it must create a written record. The CIA can deviate from the procedures for testing, training, IT matters and lawful oversight requirements.

Document 9: FBI’s 2019 § 702 Querying Procedures

This is an FBI memorandum that explains the query procedures that the FBI follows when handling unminimized information in compliance with Section 702. If the FBI recovers information that involves a matter of life and death that does not allow the necessary time to go through the proper procedures, the CIA can act without following the procedures, but the bureau must report the action to the ODNI and the National Security Division, which will notify the FISC.

The FBI applies similar presumptions regarding the status of individuals as U.S. persons as the CIA, listed above. The FBI must keep electronic records of each query. If the FBI cannot access an electronic record, then it must create a written record.The National Security Division and ODNI will provide oversight in regards to these queries. The FBI can deviate from the procedures for testing, training, IT matters and lawful oversight requirements.

Document 10: FBI’s 2019 § 702 Minimization Procedures

The FBI Minimization Procedures document details the range of necessary procedures for data collected under § 702 of FISA. The procedures involve everything from acquisition to interpretation, with significant detail made to various levels of retention. More specifically, the FBI procedures govern actions regarding nonpublic information on unconsenting United States persons. The minimization procedures are used in conjunction with querying procedures and give some allowance to act inconsistently with the procedures with prior approval. Furthermore, the procedures do not restrict review related to potential information “spills.”

Retention procedures change along two dimensions. The procedures shift depending on whether information is “raw”—that is, minimally processed—FISA-acquired information or other FISA-acquired information. Likewise, the procedures take note of whether information has been determined to reasonably appear to be foreign intelligence information, to be necessary to understand or assess foreign intelligence information, or to be evidence of a crime. In most instances, retention requires limited access, proper training and destruction of data that does not fit the necessary requirements. Information may be retained for either five or 10 years depending on whether it has been reviewed or if it meets the standard of relevant information. However, each of the time restrictions can be extended with approval from an FBI executive at the rank of assistant director or higher.

In addition to the general requirements for retention, the FBI also retains FISA-acquired information that reasonably appears to be discoverable or exculpatory or impeachment material for a criminal proceeding. Sensitive information—such as information related to religious, educational, political and sexual activities—is only analyzed or reported when it is first determined to have the reasonable appearance of being foreign intelligence information, necessary to understand or assess foreign intelligence information or to be evidence of a crime. Additional procedures are activated to protect attorney-client privilege when a target is charged with a crime. In certain circumstances, the FBI may temporarily retain FISA-acquired information connected to litigation that would otherwise have to be destroyed. Information that is encrypted or that must be translated may also be retained for the purpose of deciphering.

The FBI may disclose and disseminate FISA-acquired information to the broader intelligence community and to federal prosecutors. In addition, information may be disseminated to federal, state, local and tribal law enforcement agencies that are connected with national security and require access to foreign intelligence information. More specifically, information on United States persons may be passed on if doing so appears reasonably necessary to address actual or potential attacks, sabotage or clandestine activities by foreign powers. The FBI may also share FISA-acquired information on United States persons for law enforcement where the information reasonably appears to be evidence of a crime. Any FISA-acquired information from an electronic communication service provider may be conveyed with the NSA and CIA without minimization.

The procedures call for good faith compliance, instituting periodic minimization review and reporting for noncompliance or departure from the procedures to the National Security Division of the Department of Justice.