FBI’s use of Exigent Letters

Valerie E. Caproni, General Counsel, Federal Bureau of Investigation
Statement Before the House Judiciary Committee, Subcommittee on the Constitution, Civil Rights, and Civil Liberties
April 14, 2010

Good morning Mr. Chairman, Ranking Member Smith, and members of the committee. It is my pleasure to appear before you today to discuss the recent report by Department of Justice's Office of the Inspector General (OIG) on the FBI’s use of exigent letters and other informal requests for telephone records.

The 2010 OIG report is a follow-on to the OIG’s 2007 report on the FBI’s use of national security letters (NSLs). The 2010 report discusses in detail a practice utilized between 2003 and 2006 by one FBI Headquarters unit, of issuing so-called “exigent letters” to obtain telephone toll records—I i.e., the date, time, duration, and originating and terminating numbers of calls—but not the content of any calls. That practice, which ended almost three-and-a-half years ago, reflected a failure of internal controls at the FBI. It was, however, a wake-up call for the FBI. Although we cannot unring the bell or undo the fact that exigent letters were issued, the FBI used the lessons we learned from that event to substantially change our control and compliance environment.

The FBI has significantly improved its policies, training, and procedures for requests for information protected by the Electronic Communications Privacy Act (ECPA) Indeed, in 2008, the OIG concluded that the FBI had made significant progress in addressing the serious problems and deficiencies identified in the 2007 report. But the lessons learned from this entire experience went well beyond ECPA and exigent letters. Instead, we saw the exigent letter situation—where a good-faith decision to co-locate telephone company employees with FBI agents and analysts to ensure rapid receipt of telephone records when responding to terrorist threats, led to an extremely negative OIG report because we did not follow that action with adequate internal controls—as emblematic of the need to systematically and carefully assess compliance risks, particularly in the national security arena. That realization has led to the formation of the Office of Integrity and Compliance, whose mission is to ensure that there are processes and procedures in place that facilitate FBI compliance with both the letter and spirit of all applicable laws, regulations, rules, and policies, as well as to assist FBI management at all levels in maintaining a culture where ethics and compliance are emphasized as paramount considerations in all decision making. We think that program is a positive step and should help prevent future situations like the one encountered with exigent letters.

The OIG makes 13 recommendations in its 2010 report, most of which have already been satisfied. The FBI is working on the few recommendations that have not been fully satisfied to date.

Exigent Letters

In 2007, the OIG found that one unit at FBI Headquarters had issued over 700 exigent letters requesting toll billing records for various telephone numbers. All of the letters stated that there were exigent circumstances but did not describe the exigency. In fact, sometimes there was no emergency. Although ECPA’s emergency disclosure provision found at 18 U.S.C. § 2702(c)(4) (discussed in more detail below) does not require the FBI to provide any legal process to obtain records voluntarily from a telephone company in order to respond to a qualifying emergency, many of the letters stated that federal grand jury subpoenas had been requested for the records. In fact, no such request for grand jury subpoenas had been made, and no one intended that such a request would be made. Similarly, other exigent letters promised NSLs, which—though also legally unnecessary if there is a qualifying emergency—the agents and analysts, in fact, intended would be sent. Unfortunately, the FBI did not keep adequate records reflecting the nature of the emergencies, the telephone numbers for which records were sought, and whether the promised future process—whether legally required or not—was ever actually issued.

It should be emphasized, however, that exigent letters were not—and were never intended to be—NSLs. Rather, they appear to have been a sort of “place-holder,” borne out of a misunderstanding of the import of the USA Patriot Act’s amendments to ECPA. For reasons lost in the fog of history—but no doubt partially the result of the intense pace of activity in the months following the 9/11 attacks—the FBI did not adequately educate our workforce that Congress had provided a clear mechanism to obtain records in emergency situations. Although guidance was eventually provided in August 2005, the employees who had been using exigent letters for several years simply did not recognize the applicability of that guidance to their situation.

In its most recent report on the issue, the OIG confirmed what the FBI acknowledged to Congress and the public in 2007: Exigent letters were sometimes used when there was no emergency and the FBI had inadequate internal controls to ensure that the promised legal process was provided. The 2010 report confirmed that these practices resulted in the FBI requesting telephone toll billing records associated with approximately 4,400 telephone numbers between 2003 and 2006.

In response to the OIG’s 2007 report, in March 2007 the FBI formally barred the use of exigent letters to obtain telephone records and established detailed policies for obtaining toll billing records during an emergency situation. Since that time, employees who need to obtain ECPA-protected records on an emergency basis must do so in accordance with 18 U.S.C. § 2702. Section 2702(c)(4), which permits a carrier to provide information regarding its customers to the government “if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency.” In addition to providing guidance on Section 2702 itself, we established approval and documentation requirements for requests made under this provision.

As promised by Director Mueller and me in our testimony following the OIG’s first report and by me in repeated briefings of congressional staff, beginning in 2007, the FBI commenced an effort to ensure that we retained only exigent letter-related telephone records for which we had a lawful basis. To that end, we dedicated significant resources to researching all of the numbers that appeared on known exigent letters and on the so-called “blanket NSLs” (discussed in more detail below). The reconciliation project team conducted a complete review, even though the disclosure of approximately half of the records at issue was not forbidden by ECPA and/or was connected to a clear emergency situation. The reconciliation project team used a conservative approach: they initially retained records for which already-existing legal process (usually an NSL or grand jury subpoena) was located. If no legal process was found, then new “corrective” NSLs were issued where ECPA allowed us to do so (i.e., the national security investigation to which the telephone records were relevant was still pending). In fact, we located or issued legal process for the overwhelming majority of the 4,400 telephone numbers. If we found no previously existing legal process and we could not legally issue new process (e.g., the case to which the records were relevant had since been closed), we would only then consider whether emergency circumstances existed at the time we requested the records. As to that group of telephone numbers, if we could not conclude that there had, in fact, been an emergency that would have qualified under section 2702, we purged the telephone records from our files and databases. These actions were fully briefed to the FBI’s congressional oversight committees last year, and we appreciate the finding of the OIG that our “approach to determine which records to retain and which to purge was reasonable” (Report at 276).

We are currently developing an automated system—similar in concept to the NSL system that

we have briefed and demonstrated to your staffs—to generate and document emergency disclosure requests pursuant to Section 2702. Our experience with the NSL system is that it has greatly reduced non-substantive errors in NSLs, and we believe that an automated Section 2702 system would do the same.

I would now like to address a few specific matters raised by the OIG’s 2010 report.

Blanket NSLs

The OIG’s 2010 report discusses in detail 11 so-called “blanket NSLs.” These blanket NSLs were not discussed with an FBI attorney prior to their preparation nor reviewed by an FBI attorney prior to their issuance. We continue to believe—as we briefed this committee in 2007—that the blanket NSLs were a good-faith but ill-conceived attempt by the Counterterrorism Division to address the backlog of numbers for which the FBI believed it had unfulfilled obligations to provide legal process as they had promised through exigent letters. The common problem with all of the blanket NSLs was that there was no electronic communication (EC) prepared describing how the information sought by the NSL was relevant to a national security investigation. Under FBI policy, such ECs are required for all NSLs. Because there was no EC, there was no documentation that connected the telephone numbers listed on the blanket NSLs to specific, pending national security investigations. As discussed above, following the 2007 report, the FBI examined each telephone number included on a blanket NSLs to determine whether there was a legal basis to retain any records obtained for the number. If we could not confirm a legal basis for retention, we purged any records we had for the number.

As noted, none of the blanket NSLs was reviewed by an FBI attorney. In March 2007, the FBI changed its policy to require attorney approval before an NSL may be issued. That policy requirement is enforced through the NSL system that automatically routes all NSLs though an attorney prior to issuance.

Other Informal Requests

In addition to exigent letters and blanket NSLs, the 2010 report discusses other informal means by which the FBI Headquarters unit obtained information regarding telephone numbers. “Quick peeks” and “sneak peeks” are the terms used in the report to describe an FBI employee asking a telephone company employee to determine whether records for a telephone number existed, not what those records actually contained.

In a similar type of request, FBI employees would ask whether there was “calling activity” associated with a particular number (i.e., whether the particular telephone number was being used). Such information was conveyed to the FBI for 39 telephone numbers.1

As the OIG noted, the mere existence of records or the fact that there is calling activity associated with a particular telephone number is protected by ECPA. Accordingly, we made clear in March 2007 that no telephone records may be acquired in advance of legal process, unless there is an emergency situation under Section 2702 and the emergency request procedures are followed. In addition, our Domestic Investigation Operational Guidelines (DIOG), which compiled all FBI operational policy into one document, provides an exclusive list of acceptable methods for obtaining telephone toll records.

Reporter Records

The OIG’s 2010 report describes three situations in which the FBI might have come into contact with protected telephone toll information of reporters. In fact, in only one case were any reporter’s toll records actually provided to the FBI, and that occurred over five years ago. In that one instance, neither the substantive case agent nor any member of the investigative or prosecutorial team was aware that records had been obtained, and the FBI made no use of them. Furthermore, the only FBI employees who ever accessed the records were the analyst who initially uploaded them to our telephone records databases and an analyst involved in the exigent letter reconciliation project described above. When we learned in 2008 that we had such records, we purged them from our telephone records databases.

Although we did not use the records, Department of Justice (DOJ) regulations require attorney general approval before the issuance of grand jury subpoenas seeking toll billing records of members of the media. While no grand jury subpoena was issued in this instance, such legal process would have been the appropriate way, if at all, to obtain the records at issue given the nature of the investigation. Accordingly, when we learned that we had reporters’ toll records without advance attorney general approval, we notified the reporters that their toll records had been obtained, and the Director personally called the editors of the newspapers to apologize.

Although this appears to have been an isolated incident, we issued guidance in 2008 making clear the requirements for obtaining toll records of members of the media. The DIOG similarly discusses the steps required to seek such records.

FISA

The OIG’s 2010 report examined a non-random sample of 37 applications that had been submitted to the Foreign Intelligence Surveillance (FISA) Court. In that sample, which was selected by the OIG because the applications referenced telephone numbers that appeared on an exigent letter or on a blanket NSL, there were five misstatements related to telephone records that had some connection to exigent letters. There is no evidence that anyone intended to provide inaccurate information to the court. Moreover, as the OIG and DOJ National Security Division (NSD) found, the substantive information provided in the application was entirely accurate; the misstatements pertained only to how the FBI obtained the information. NSD determined, and the OIG agreed, that the misstatements were non-material (meaning they did not affect the probable cause determination made by the FISA Court), but nonetheless NSD notified the FISA Court of the misstatements. Since the time those FISA applications were prepared, the FBI has made significant changes to its FISA accuracy procedures to catch errors like these. Those procedures, which were substantially revised beginning in February 2006 independently of either the 2007 or 2010 OIG reports, have proven effective in reducing the rate and significance of errors in FISA applications.

OLC Opinion

The OIG’s 2010 report discusses a January 8, 2010 opinion issued by the Department of Justice’s Office of Legal Counsel (OLC), which concluded that ECPA does not forbid electronic communications service providers, in certain circumstances, from disclosing certain call detail records to the FBI on a voluntary basis without legal process or a qualifying emergency under Section 2702. Many members of Congress have asked questions about this OLC opinion, which is classified. It is my understanding that this opinion has been shared with our oversight committees, including this committee, at the appropriate security level. Because of the classified nature of the OLC opinion, I cannot address it in this forum, but am available to discuss it in a secure setting. I can, however, state that the OLC opinion did not in any way factor into the FBI’s flawed practice of using exigent letters between 2003 and 2006 nor did it affect in any way the records-retention decisions made by the FBI as part of the reconciliation project discussed above.

Accountability

The 2010 report notes that the OIG provided its findings to the Department of Justice’s Public Integrity Section. The Public Integrity Section declined prosecution of any individuals relating to the exigent letters matter. Now that the OIG’s report is complete, the FBI’s Office of Professional Responsibility will have an opportunity to review the OIG’s findings and determine whether any discipline of any employee is appropriate.

Conclusion

Finally, the FBI appreciates the 2010 report’s recognition that FBI employees involved in this matter were attempting to advance legitimate FBI investigations, and that FBI personnel “typically requested the telephone records to pursue [their] critical counterterrorism mission” (Report at 214). This does not excuse our failure to have in place appropriate internal controls, but it places the practices of that one FBI Headquarters unit in context: “Some of the exigent letters and other improper practices [described] in this report were used to obtain telephone records that the FBI used to evaluate some of the most serious terrorist threats posed to the United States in the last few years” (Report at 281). These employees were and many remain on the front lines of our fight against terrorists.

At the same time, as Director Mueller has repeatedly acknowledged, we can only achieve our mission of keeping the country safe if we are trusted by all segments of the American public. As the events of the last several months demonstrate, the risk of a catastrophic attack from homegrown and foreign-based terrorists continues. Our single best defense against such an attack is the eyes and ears of all Americans—but particularly of those segments of the population in which the risk of radicalization is at its highest. We need those communities to call us when they hear or see something that seems amiss. We know that we reduce the probability of that call immeasurably if we lose the confidence of those we are responsible for protecting.

Since the OIG’s 2007 report, the FBI has endeavored to be more proactive in the areas described above and others: to assure all Americans that we respect individual rights, including privacy rights, and that we use the tools that have been provided to us consistent with the rules set out by Congress.

I appreciate the opportunity to appear before the committee and look forward to answering your questions.