Wired disclosed a letter from the intelligence community inspector general (IC IG, McCullough) responding to Senate Intelligence Committee questions about the intercepts of American citizens, per the FISA Amendments Act (FAA).
The IC IG response letter was not satisfactory, and claimed it would be difficult to find an answer. This appears to be a delaying tactic, similar to then-FBI Director Hoover's delays before the Church Committee hearings revealing other intercept numbers of American citizens.
However, if true, this raises questions whether the intelligence community can adequately demonstrate they remain in compliance with the Constitution; and the basis for their information technology requests and modernization plans.
This diary raises some issues about the IC IG method of delegating this task to the NSA; and points to possible sources of other intelligence community information at FBIHQ related to Section 702 datafiles and purges which might be more responsive to the Senate Committee request.
Diary concludes with recommendations related to increased oversight, consistent with the Church Committee recommendations. Several tables include detailed questions to assist with analysis of IC IG testimony, letter, and other disclosures.
This diary is a follow-up to an original diary, sources of information to estimate the number of intercepts. [Originally raised questions about IC IG here, September 2011.]
Update: FAA/702-related information, files, correspondence, and plans here can be used to identify specific records, files, and summary tables where incidents are document, files retained, and identify personnel and outside agencies of origin with knowledge of 702-related intercepts .
Recently, two Senators sent the IC IG a letter related to a question about interceptions of American citizens under the FISA Amendments Act (FAA) of 2008, Section 702.
The question relates, in part, to an issue raised during the IC IG confirmation hearings: How many citizens were intercepted under FAA 702?
Question to McCullough, IC IG Nomination Hearing
As Senator Wyden explained, we’ve been told that it isn’t ‘‘reasonably possible’’ to count the number of Americans whose communications have been reviewed under this law."
Analysis
IC IG response-letter is related to confirmation hearing-interest area.
(Apparent) Unresponsive IG Letter Raises Questions About Legal Compliance Program: Duty to Report Unlawful Activity to AG
The intelligence community inspector general (IC IG) written response is disappointing. The Church Committee recommended that intelligence agencies are responsible for reporting alleged violations of the law. However, based on the IC IG response, it is unclear how violations of the law could be detected if there is (supposedly) no provision to detect whether information retained or analyzed is or isn't collected outside FISA authorities
Recommendation 77 . . .As provided in Recommendation 74, the heads of the FBI and of other intelligence agencies are responsible for reporting to the Attorney General alleged violations of law. When such reports are made, the appropriate congressional committees should be notified.
In his response during his confirmation hearing, IC IG-nominee said he would evaluate the question, scope the audit, then consult appropriate IGs to respond to this interest area.
Question to McCullough, IC IG Nomination Hearing: "Which IG do you think would be best positioned to conduct such an audit? Would it be you or the DOJ IG, the NSA IG, another IG, or perhaps a combination of IGs?"
. . .
Later, McCullough said, "So I would certainly, as the IC/IG, if I’m confirmed, I will also be the chair of the IC forum, which includes all of the element IGs. And I’m going to work with those IGs."
Analysis
At the IC IG confirmation hearing:
(a) the Senator asked about possibly consulting the DOJ IG in answering the question;
(b) IC IG was aware of Senator interest in conducting an audit of data captured on American citizens; and
(c) As IC Forum Chair, he had the responsibility to work with, and guide other Intelligence Community Inspector Generals.
However, there was no requirement that the IC IG focus exclusively on the NSA when generating an estimate of the total intercepts per FAA 702. IC IG was aware of questions related to DOJ IG, and the possibility of a combination. IC IG chose, according to the letter, to focus on NSA IG, not DOJ IG.
Questions
- What information from the IC IG Forum sheds light on how NSA IG may have coordinated with non-NSA personnel, at the DOJ IG or FBI HQ related to FAA 702 data retention, archiving, purging?
- How did NSA IG incorporate information, data, or purge records from FBI HQ, available through DOJ IG?
FBI HQ maintains records:
"If the product contains USPER information, then upload a copy of the product into the appropriate FISA Section 702 dissemination subfile maintained at FBIHQ." [Italics in original]
Mentioned five (5) times, pages 45, 61, 62, 63, and 64 of 65
Analysis
A subfile maintained at FBIHQ related to FISA 702 information; this information relates to products containing information on US Persons:
1. There is a provision for dealing with intelligence products containing information related to a US Person;
2. That information is uploaded as a copy of the product;
3. There is a subfile of this information maintained at FBIHQ;
4. DOJ IG had access to FBIHQ information; and
5. IG statute and Church Committee recommendations include provisions for IGs to access data
However, IC IG focused in his written response not on the DOJ IG-accessible information -- the 702 training for FBI agents -- but the NSA IG response.
NSA IG provided a response on June 6th, 2012. IC IG wrote,
"I defer to his conclusion that obtaining such an estimate was beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA's mission."
. . .
NSA IG ". . .further stated that his office and NSA leadership agreed than an IG review of the sort suggested would itself violate the privacy of U.S. persons."
Source: IC IG letter
Analysis
IC IG did not publicly discuss non-NSA sources of information. There was a meeting between the NSA IG and NSA leadership, outside what DOJ IG may have had access to at FBIHQ.
Personnel assigned to the FBI purge data of US persons:
CXS Case Coordinators
There are personnel who adjust data to ensure it is properly presented. There should be records related to these CXS purges
30 of 65: The CXS Case Coordinator's duties include making necessary minimization decisions in accordance with the SMP and Policy Implementation Guidelines. an applying the minimization markings to the Section 702 data within . . .
41 of 65: CXS Case Coordinators will serve as the primary point of contact for marking, disseminating, or purging Section 702-acquired data.
Questions
- What records does FBI HQ retain related to the number of purges by CXS Case coordinators?
- What is the relationship/ratio between (a) the number of NSA products provided to FBI; and (b) the number of purges?
- How is this numerical relationship automatically archived, retained, and used for IT storage, upgrade, maintenance, and other planning purposes within DOJ?These areas are subject to audit:
SPIG
Additionally, the FBI's SMP Policy Implementation Guidelines, dated October 31, 2003, and which the FBI's Deputy Director approved, will be updated to include corresponding modifications to the SMP as they pertain to Section 702 data.
29 of 65: "Compliance with the above is subject to review by DOJ and ODNI."
Analysis
This is a known, auditable item, not something that is news to the intelligence community. It is a known source of information, available for making estimates.
DOJ and non-DOJ personnel have access to, and can audit this FAA 702 data, contained at FBIHQ.
Questions
- How was it determined that NSA IG was the appropriate IG to lead the review?
- What coordination did NSA IG make with DOJ and ODNI when providing a response to the Committee?
- What coordination did NSA IG make with DOJ IG on 702 purge data held at FBI HQ?
- What provision did NSA IG or IC IG make when reviewing DOJ personnel inputs on FAA 702 data contained in the purge files?
- Are there historical metrics, rules of thumb, or other relevant ratios between the numbers in the FBI 702 files and the NSA intercepts of American citizens per FAA 702; how might these relationship provide a rough order of magnitude response to the Committee?
- What information from the IC IG Forum gives insight into other methods considered to estimate the intercepts of American citizens in re 702?
- What percentage of the total data provided to FBI from the NSA includes information on US persons?
- How many files are contained in the FBI HQ records?
- What is the relationship between the number of files at FBI HQ and the total NSA intercepts of US citizens?
The
purge procedures further provide other time-related information including emails, forming another line of evidence:
Step VII: Purge of ACS/ Disseminations
If a document in ACS contains information from a purged account, CXS will coordinate with the Originating Office (00) to have their personnel permanently charge out the document from ACS or will contact RDU via an e-mail to [ redacted ] and work with RDU to have the document permanently charged out. CXS will confirm deletion of the document in ACS after deletion has reportedly occurred.
Source: Page 5 of 6.
Analysis
This shows there is a line of evidence between FBI/CSX and (in the case of 702-related information) to the agency of origin (AOO).
There is a relationship between the number of emails CSX sends to an outside/originating agency, and the incoming data from that agency, AOO. This data can be averaged to help form an estimate of total intercepts re 702.
Each agency providing information through this method will, on average, have a discrete relationship between (a) purge requests; (b) incoming issues or problems related to 702-connected intercepts; and (c) the original number of intercepts of American citizens.
The available data accessible to DOJ IG are the emails, records, or other outgoing CSX communications related to this incoming information.
It remains unclear whether the IC IG did not consult with -- or get information from -- DOJ IG related to 702 intercept data which is stored in files within DOJ at the FBI.
Questions
- What are the average number of CSX information files, records, or emails sent to outside agencies?
- What is the relationship between the incoming files related to 702 and the original interceptions?
Outside agencies are important in re FBI, because here is a copy of a
Memorandum of Agreement, presumably related to information sharing re 702 between the FBI and the Outside Agencies (AOO). Thus, this agreement should have been one that identified which agencies were -- or should have been -- subject to IC IG review, not just NSA IG.
Another line of evidence available to IC IG were the summary tables related to which outside agencies were or were not timely providing responses to these memorandums of agreement. Here is a copy of that coordination document sent between the FBI and those outside agencies.
CSX is also related to the specific changes in targeting procedures, as, by example, are shown here:
"If NSLB opines that the searches are reasonable calculated, CXS is inquiring as to the possibility of amending language in the FBI's targeting procedures to allow for deviations of [redacted] ACS and [redacted] searches when an identifier submitted to the FBI is no [redacted]."
Analysis
Presumably, identifiers are changed when they are no longer effective; or they have returned results that are not producing information of value. These changes, and records of those changes, would help IC IG identify the scope of FAA/702-related intercepts.
The CXS communication discloses specifics related to email key words, which presumably would have to be stored, compared to a general file, and indexed:
"CXS requests that the targeting procedures allow for deviations of the required three databases when the identifier submitted to the FBI is not an e-mail account."
Source
Analysis
CXS is able to differentiate between databases and the source (email). This shows us that there is a method to distinguish between record types before a purge occurs.
FBI, as a user of information, can independently adjust targeting and searching procedures then send relevant electronic messages and notes to purge records, discoverable by IC IG in a summary format when requested.
This information would be useful to IC IG when making an estimate of the total 702-related intercepts.
Source: Purge guidance.
Analysis
This shows that there are periodic reviews, subsequent legal analysis, and then adjustments. This means that there are incoming data-volumes, which are checked, and then can be subsequently adjusted to align that aincoming data with more profitable information.
There must be summary tables within the FBI -- as a subset of the whole -- showing how the FBI requests are related to total interceptions; and this data must be available from other agencies receiving information per the Memorandum of Agreement.There are known limitations of 702, as disclosed on Slide 7, upper left: US persons are part of the collection.
This file shows us that there are records created -- and filed -- with the Foreign Intelligence Surveillance Court:
Section 702
Who May Be Targeted
- Non-US Person
- OCONUS
- US Service Provider
Type of Collection: Elsur and stored
Type of Process: Annual Certification filed with FISC
Analysis
Note that the ELSUR (electronic surveillance) is stored, and there is an electronic record of that storage. It is irrelevant whether the information is purged or not.
IC IG could ask for the summary tables from the FBI related to total US records electronically stored, and how this number relates/does not relate to the data provided to FISC.
This document shows us that there is a desk-officer assigned to "all" 702 requests, presumably a similar assignment in other, non-DOJ intelligence collection agencies, under IC IG review:
ITOS II is requested to select at last one FISA 702 P.O.C. in each substantive unit to serve as the interface with CTD/CXS/EOPS for all FISA 702 matters.
Source
Analysis
This shows us that there are "multiple" desks, each assigned to a different "substantive" unit. Shows there are multiple-coordinating agencies with access to the same records, summaries, and decisions.
IC IG knows or should know that the lines of evidence helping to identify 702-related intercepts is large, and should already be summarized for agency-head review, updates, and coordination.
It defies reason that the "single" point of contact (POC) would not have a "single summary sheet showing total incoming intercepts, total files to be purged, and permissible retention per 702.
IC IG should review what this "single" POC is or isn't reviewing; and why IC IG hasn't provided a summary of these "single" desks to the Senate.
Also,
the summary reports by the IGs indicating "incidents". This is a redacted document, but the document shows us that 702 "incidents" are regularly reported, documented, and known:
See page 3 of 22 for key word "incidents"
Note that the memos-letters tend to be a standard template, presumably there is standard, periodic reporting, documentation, and knowledge of 702-related "incidents".
Someone is keeping track of "incidents" but its unclear whether IC IG or others at NSA were prepared to discuss the information released by DOJ.Had IC IG consulted the Church Committee report findings, he would have found that the FBI similarly provided a non-response, on the grounds that the information was not available. Subsequent testimony before Congress showed that the information was available.
The letter says that NSA IG would take the "lead" in the review:
IC IG: IC IG Letter: "On May 2012, I informed you that the NSA Inspector General, George Ellard, would be taking the lead on the requested feasibility assessment, as his office could provide an expedited response to this important inquiry."
One of the Church Committee recommendations include IGs providing data directly to the Congressional Committee without consulting the agency head:
"[The Inspector General or General Counsel of an intelligence agency can . . .] provide information directly to the Attorney General or appropriate congressional oversight committees without informing the head of the agency"
Source Church Committee Report
Questions:
- Is it an "extraordinary circumstance" that FBI HQ files, per FAA 702, have files related to data on US Persons, and may be responsive to a Congressional question related to interceptions of US citizens communications?
- Has any employee of the DOJ requested that information -- related to FAA 702 files at FBI HQ -- be provided to the Committee?
However, in the IC IG letter,
McCullough, IC IG: "He further stated that his office and the NSA leadership agreed. . ."
Source
Analysis:
Despite the Church Committee report conclusion that no coordination with agency head is required in extraordinary circumstances, shows NSA leadership and NSA IG did consult on the Congressional question.
Questions:
- Why did NSA IG consult on this issue with NSA leadership?
- Has IC IG taken a different view than the Church Committee on whether NSA IG or other IGs should coordinate with agency heads before providing responses to the Committee?
- Is it NSA IG's view that breaches of FISA and/or interception of data outside FAA 702 authorities is not an extraordinary circumstance; if not, what would be an "extraordinary circumstance" prompting a direct communication to the Committee without consulting with NSA leadership?
US Code also provides for direct reporting by agency personnel to the DoD IG:
An employee of the Defense Intelligence Agency, the National Geospatial-Intelligence Agency, the National Reconnaissance Office, or the National Security Agency, or of a contractor of any of those Agencies, who intends to report to Congress a complaint or information with respect to an urgent concern may report the complaint or information to the Inspector General of the Department of Defense (or designee).
5 USC 8H (a) (1) (A)
Analysis:
There are provisions for NSA employees to provide information to the DoD IG.
Question:
- Is DOD IG in receipt of any complaint by NSA personnel related to FAA 702 purge data contained in FBI HQ?
It's unclear how this information, provided from outside the FBI, would have addressed what the Senators were asking. It is not clear that NSA was the only source of this information related to intercepts of American citizens.
Without support or communication on issues he's not familiar, its unclear how effective IC IG will be in self-generating audits outside his expertise at Treasury.
At issue is the effectiveness of IC IG to properly lead the IC Forum, generate support from the other IGs, and solicit relevant guidance from the IGs to scope an audit, investigation, or information response.
(1) The Inspector General of the Defense Intelligence Agency, the National Geospatial-Intelligence Agency, the National Reconnaissance Office, and the National Security Agency shall each submit to the congressional intelligence committees each year a report that sets forth the following:
. . .
(C) An assessment of the current ability of such Inspector General to hire and retain qualified personnel for the office of such Inspector General.
5 USC § 8H (g) (1) (C)
Analysis
Statute provides for IG IC to provide a skills assessment to Congress.
Questions
Congressional staffers have an interest in monitoring IG communications for indications of issues with personnel working for the IC IG or other intelligence community IGs.
- Are the Congressional committee staff members reviewing the IC IG/NSA IG responses re FAA 702 in evaluating the IG's ability to retain personnel qualified in FBI HQ data retention policies, procedures, data archving, and information technology related to FAA 702?
- How will the IG responses to Congressional questions re FAA 702 factor into a review of IC IG assessments related to personnel skills related to FBI HQ data retention, purging, and CSX?
The ratio between NSA intercepts and FBI HQ data retention is a useful metric when planning DOJ IT Acquisition Programs, not limited to cost estimates, program planning and testing.
- What method did the Independent Cost Estimate (ICE) use to access data on FBI HQ data purge, retention, transfer, and archiving when planning FBI HQ Information Technology budget requests and DOJ program acquisitions?
- Is it the IC IG position that this skills-reporting requirement to Congress does not apply to IC IG because IC IG is not specifically mentioned in the statute?
Gap Analysis: Can Auditors Do What Auditing Others in IC?
Gap analysis is a process of (a) examining information objectives relative to, in part, a decision maker's policy, options, or environmental risk; (b) identifying available information to answer questions; then (c) identifying the gaps in available information. It is unclear whether IC IG has or has not identified an information source within FBI/DOJ; and how NSA IG did or did not raise this possibility at the IC Forum.
There should be a method for IC IG to identify gaps in his staff's expertise, and ensure there is a method to identify the most appropriate source of information. Appropriate recommendations should be forwarded by the IC IGs to the IC IG for appropriation modernization of the IC IG Forum information-sharing.
McCullough, Confirmation hearing: "The FY 2010 Intelligence Authorization Act provides the IC/IG with the statutory authority to conduct IC-wide audits, investigations, and inspections. If confirmed, my primary goal will be to identify and address systemic deficiencies that cut across agency missions in order to positively impact IC-wide economies and efficiencies."
At issue, when the IC IG cannot (apparently) identify a solution to a gap of information or expertise, whether and how the IC IG, Forum, or IC IGs as a whole or individually, will identify similar intelligence issues within their department's "gap analysis" re intelligence solutions. This gap analysis is not limited to information, but may include legal compliance issues.
Gap Analysis is an issue for the IC IG to address at the Forum; then explore how these potential weaknesses within the Forum may have bearing on information sharing between departments.
Information-sharing issues were identified after 9-11 as a risk area (supposedly) contributing to 9-11. IC IG should demonstrate that this "gap analysis" and "lessons learned" is properly and coherently incorporated into audits of the department IGs, IC IG reviews, and the operations and discussions at the IC IG Forum.
Conclusions
The intelligence community inspector general McCullough responded to a recurring interest area from Senators, raised during the IC IG original confirmation hearings. IC IG was aware of Congressional interest in coordinating with other intelligence community IGs, including DOJ IG.
Senators have shown an interest in the number of intercepts of US citizens. We've outlined a methodology [internal link, Kos diary] to explore where this information might be located in files and reports provided to Congress.
However, this disappointing response from the intelligence community tends to mirror similar responses from the FBI to the Church Committee. Indeed, the Church Committee report and recommendations appear to have been lost on IC IG. Rather than demonstrating an ability to independently lead an independent audit of FAA 702 interceptions of US citizens, IC IG appears to have (inexplicably) deferred to NSA IG.
As a possible source of an estimate on intercepts of American citizens, there is no obvious intelligence community public consideration of FBIHQ information related to FBI 702 training or purge files within the NSA IG or IC IG responses to the Congress. Without a clear explanation whether the IC Forum did or did not consider FBIHQ information related to FAA 702 purge or retention subfiles, it's unclear whether IC IG or his staff do or do not have sufficient skills, expertise, or professional relationships within the intelligence community to properly oversee and conduct audits outside Treasury.
Because of deference to the NSA IG, McCullough as IC IG, despite him leading the Intelligence Community Forum, has not publicly demonstrated that he conducted an independent gap analysis of intelligence community IG expertise, resources, or personnel.
McCullough has also not publicly demonstrated an ability to independently conduct an audit of IC data. He didn't show publicly that he could coordinate with agency heads and agency inspector generals when reviewing data related to substantial issues of extraordinary nature: Whether the US government can or cannot demonstrate it fully complies with the FISA Amendments Act 2008 provision 702 authorities.
This public demonstration would increase public confidence that the intelligence community IGs and staff can independently audit intelligence community gap analysis related to intelligence community
(a) programs,
(b) procedures,
(c) legal compliance plans,
(d) systems acquisition modernization programs and strategies, and
(e) management performance plans.
Then-FBI Director Hoover was (surprise, surprise) able to provide detailed wiretap information after initially indicating it was not possible to collect the information. Indeed, the Church Committee investigation shows public hearings shed light on information the intelligence community otherwise would have the public believe is "not" available.
IC IG should, as was done during previous eras of reform in the intelligence community, appear before the Senate Permanent Committee on Intelligence to discuss publicly, in a non-classified forum, the above issues, questions, and points related to his leadership, coordination, and written responses to the Senators.
Summation, Opinion, Judgement, Personal View: Not Necessarily Widely Held
We do not believe the intelligence community's written statement that there is no easy way to estimate the number of American citizens targeted under FAA 702 authorities. If this assertion were true, then the intelligence community has larger problem: An inability to demonstrate they have an adequate information technology archiving, auditing, or retention policy to ensure compliance with FISA, FAA, or the US Constitution.
Regardless, additional Congressional oversight is warranted.
If these estimates are "not" possible, as we are asked to believe, this raises doubts about the estimates the intelligence community provides to Congress re their information storage requirements and legal compliance programs.
Possible Implications: Personal Opinions
Either the IC IG or intelligence community IGs have (apparently) individually or collectively:
A. (Knowingly?) provided an incomplete, unresponsive answer to Congress (despite a statutory duty to provide information); or
B. Implicitly argued they cannot comply with their well promulgated legal requirements under the Constitution and Federal Statutes; or
C. Have not well demonstrated they can organize a review of available skills, expertise, information, and files in information technology, technology acquisition, or data archiving within the intelligence community, despite a statutory requirement to assess IG expertise and skills for Congress.
Recommendations
1. Evaluate Intelligence Community Skills, Communication, Information Sharing (Possible Repeat 9-11 Issue)
Senate Committee staff should review the IC IG responses to evaluate whether additional attention needs to be paid to inspector general skills and expertise assessments, especially in identifying creative information sources within the intelligence community, not just at FBIHQ.
2. Study Church Committee Report
IC IG and other intelligence community should carefully re-read the Church Committee recommendations and provide public assurances, in an open, non-classified setting that they are serious about applying the lessons of Senate Committee reports, and conducting independent oversight of the intelligence community.
3. Audit IC IG Forum
Senate Committee staff should review notes, memos, and other records from the IC IG Forum to gauge whether there is sufficient support, information, cross-talk, discussion, and expertise-sharing to properly identify the suitable sources of information in response to Committee requests. The results of this review should be compared with the (supposed) lesson learned after 9-11: That problems with information sharing contributed to gaps in analysis, risk mitigation, and appropriate defensive measures for national security purposes.
Summary Links of Interest:
IC IG (McCullough) Nomination Hearing:
http://www.fas.org/...
DOJ/FBI FAA/702-related files with ACLU:
http://www.aclu.org/...
Church Committee Report:
http://en.wikipedia.org/...
IC IG (McCullough) Letter, via Wired:
http://www.wired.com/...
FISA 702 Training, FBI:
http://www.aclu.org/...