Beginning over a decade ago, the country’s surveillance court intervened to limit the FBI’s ability to act on some sensitive information that it collected while monitoring phone calls.
The wrangling between the FBI and the secret court is contained in previously undisclosed documents obtained by the Electronic Privacy Information Center, or EPIC. The documents, part of an ongoing Freedom of Information Act lawsuit, were shared with The Intercept.
The documents reveal that the Foreign Intelligence Surveillance Court (FISA) told the FBI several times between 2005 and 2007 that using some incidental information it collected while monitoring communications in an investigation — specifically, numbers people punch into their phones after they’ve placed a call — would require an explicit authorization from the court, even in an emergency.
“The newly obtained summaries are significant because they show the power that the [Foreign Intelligence Surveillance Court] has to limit expansive FBI surveillance practices,” Alan Butler, an attorney for EPIC, wrote in an email to The Intercept.
Additionally, The Intercept independently obtained sections of the FBI’s 2011 Domestic Investigations and Operations Guide describing how the FBI currently deals with information it obtains after getting a court order for what’s called a “pen register,” or “trap and trace” on a target — a capability built into the phone lines that records incoming and outgoing phone numbers for a particular phone. The 2011 guide is currently public but heavily redacted.
The Operations Guide, in addition to shedding light on how the FBI uses pen registers, reveals that the surveillance court’s pushback more than a decade ago has become internal FBI policy.
During an investigation, the FBI is often interested in who a target is talking to — what calls they make and receive, and where those calls physically originate.
By simply telling a judge the information is “relevant,” the FBI can demand that a phone company, or email or other online provider, immediately hand over any and all “telephone numbers, email addresses, and other dialing, routing, addressing, or signaling information.” That information can sometimes include locational data. The FBI doesn’t need to notify the target or demonstrate probable cause that he or she committed a crime to get it.
But the FBI’s monitoring can end up getting more information than just phone numbers, though pen-register and trap-and-trace orders are not intended to get any “content” that would provide insight into the substance or subject of a communication.
For example, the numbers people punch into the phone after making a call can reveal financial or personal information — like a credit card number, a social security number, a PIN, a prescription number, or any other type of response via automated telephone prompts. The “term of art” for this information is “post-cut-through dialed digits.”
The FBI in the 2011 Domestic Investigations and Operations Guide has described the digits dialed after someone makes a call as “content.”
Following the release of documents by NSA whistleblower Edward Snowden, many have described the secretive court as a “rubber stamp” because it rarely rejects a surveillance request. But there’s nuance in what the judges have challenged or modified in response to requests over the years.
Between July and December in 2005, the surveillance court approved pen registers and trap-and-trace devices to target “at least 138” people.
However, one judge started asking the FBI more probing questions about what exactly it did with post-cut-through dialed digits it “incidentally” obtained with those orders — launching what Butler describes as an “open secret” fight between the Foreign Intelligence Surveillance Court and FBI over the information. The judge’s request for a “memorandum of law” appears in the July 2006 Department of Justice report to Congress on its use of FISA pen registers, obtained by EPIC. Some of that pushback was documented by Wired in 2008.
In May 2006, the government told the court that it had the authority to collect that sensitive information, and would “in some cases … specifically seek authority for secondary orders requiring a service provider to provide all dialing, routing, addressing or signaling information transmitted by a target telephone, which, in light of technological constraints, may include content and non-content digits alike,” the report continues. (According to the Domestic Investigations and Operations Guide, the FBI agent requesting the pen register has to specifically ask for any additional dialing information following the first nine or 10 digits — it isn’t automatic.)
The government also insisted it wouldn’t actually use that information in an investigation — unless there’s an emergency, that is, to prevent death, serious physical injury, or “harm to national security,” though it’s never made explicit what exactly that means.
Between January and June in 2006, the surveillance court modified some of the FBI’s applications to stop it from using that information without additional permission, no matter the urgency.
The court “had made modifications to the government’s proposed pen register orders,” reads the biannual report to Congress obtained by EPIC. “Although the [FISA Court] has authorized the government to record and decode all post-cut-through digits dialed by the targeted telephone, it has struck the language specifically authorizing the government to make affirmative investigative use of possible content” unless permission is specifically granted by the court.
The surveillance court wasn’t the only judicial body rejecting the FBI’s requests to hold on to the additional dialing information. In July 2006, a magistrate judge in Texas denied an application for a pen register because filtering technology would not eliminate the additional content information. That led then-chief judge of the surveillance court, Colleen Kollar-Kotelly, to ask the government to respond to the Texas court, and explain how it might impact decisions in foreign intelligence investigations.
The government said the court should basically ignore the decision — and take note of new revisions to the USA Patriot Act, which said the government could obtain “noncontent” dialing information. (Because there isn’t technology that can reliably separate out content from noncontent when it comes to this type of dialing information, the law basically allows for all of it, the government argued.)
In 2006, the court had not yet written a formal decision on whether or not the government could keep getting this information — let alone use it in an investigation.
But “most” of the judges continued to strike the “emergency” language from the FBI’s requests, despite the government continuing to insist that “the proposed exception is reasonable under the Fourth Amendment” because its use is so rare.
By August 2006, the court asked the FBI to produce an entire report on how the dialing information obtained through pen registers is stored and kept in its databases. By 2007, the court reported that it modified 18 different government requests out of 98 within six months.
The secret court continued to delete language that would allow the government to use the post-cut-through dialed digits in an emergency — and added a time limit on when it could come back to ask to use that content.
By 2011, the court’s resistance appeared to enter into formal policy, according to the Domestic Investigations and Operations Guide section obtained by The Intercept. The FBI, the guide states, can never in these cases use information like credit card numbers or social security numbers obtained after dialing a phone number, “even in cases of emergency.”
However, that exception still applies in criminal cases, according to the 2011 Operations Guide. “In an emergency,” information obtained from the numbers people dial “may be used as necessary in criminal investigations to prevent immediate danger of death, serious physical injury, or harm to national security,” reads the section on post-cut through dialing digits. And if the target is calling a bank, for example — the FBI cannot get the account number from the call, but it can use the call as a lead and subpoena the bank for that information instead.
Butler points out that despite the FBI and the secret court’s fight over the information, it is basically impossible to tell whether that information triggered investigative leads that agents wouldn’t have had without the pen register.
The FBI declined to comment on the previously redacted portions of the 2011 Domestic Investigations and Operations Guide obtained by The Intercept as well as the FOIA documents obtained by EPIC.
“The Domestic Investigations and Operations Guide establishes the FBI’s internal rules and procedures, and describes the FBI’s authority to use specific investigative tools as determined through the Constitution, U.S. statutes, executive orders, and the AG Guidelines for Domestic FBI Operations,” Chris Allen, an FBI spokesperson, wrote in an email. “These rules are audited and enforced through a rigorous compliance mechanism designed to ensure that FBI assessments and investigations are subject to responsible review and approval.”