[Senate Hearing 110-385]
[From the U.S. Government Publishing Office]




                                                        S. Hrg. 110-385

  NATIONAL SECURITY LETTERS: THE NEED FOR GREATER ACCOUNTABILITY AND 
                               OVERSIGHT

=======================================================================

                                HEARING

                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                               __________

                       WEDNESDAY, APRIL 23, 2008

                               __________

                          Serial No. J-110-86

                               __________

         Printed for the use of the Committee on the Judiciary



                     U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2008
42-457 PDF

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001




                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
EDWARD M. KENNEDY, Massachusetts     ARLEN SPECTER, Pennsylvania
JOSEPH R. BIDEN, Jr., Delaware       ORRIN G. HATCH, Utah
HERB KOHL, Wisconsin                 CHARLES E. GRASSLEY, Iowa
DIANNE FEINSTEIN, California         JON KYL, Arizona
RUSSELL D. FEINGOLD, Wisconsin       JEFF SESSIONS, Alabama
CHARLES E. SCHUMER, New York         LINDSEY O. GRAHAM, South Carolina
RICHARD J. DURBIN, Illinois          JOHN CORNYN, Texas
BENJAMIN L. CARDIN, Maryland         SAM BROWNBACK, Kansas
SHELDON WHITEHOUSE, Rhode Island     TOM COBURN, Oklahoma
            Bruce A. Cohen, Chief Counsel and Staff Director
           Stephanie A. Middleton, Republican Staff Director
              Nicholas A. Rossi, Republican Chief Counsel



                            C O N T E N T S

                              ----------                              

                    STATEMENTS OF COMMITTEE MEMBERS

                                                                   Page

Cardin, Hon. Benjamin L., a U.S. Senator from the State of 
  Maryland.......................................................     6
Feingold, Hon. Russell D., a U.S. Senator from the State of 
  Wisconsin......................................................     5
    prepared statement, letter and attachments...................    79
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont.     1
    prepared statement...........................................    84
Specter, Hon. Arlen, a U.S. Senator from the State of 
  Pennsylvania...................................................     3
Whitehouse, Hon. Sheldon, a U.S. Senator from the State of Rhode 
  Island.........................................................     7

                               WITNESSES

Baker, James A., former Counsel for Intelligence Policy, 
  Department of Justice, Washington, D.C.........................     8
Nojeim, Gregory T., Director, Project on Freedom, Security & 
  Technology, Center for Democracy & Technology, Washington, D.C.    11
Woods, Michael J., former Chief, National Security Law Unit, 
  Office of the General Counsel, Federal Bureau of Investigation, 
  Washington, D.C................................................    13

                         QUESTIONS AND ANSWERS

Responses of Michael J. Woods to questions submitted by Senator 
  Feingold.......................................................    35

                       SUBMISSIONS FOR THE RECORD

American Civil Liberties Union, Caroline Fredrickson, Director, 
  Washington Legislative Office, Washington, D.C., statement and 
  attachments....................................................    48
Baker, James A., former Counsel for Intelligence Policy, 
  Department of Justice, Washington, D.C., statement.............    66
Nojeim, Gregory T., Director, Project on Freedom, Security & 
  Technology, Center for Democracy & Technology, Washington, 
  D.C., statement................................................    86
Organizations supporting the National Security Letters Reform 
  Act, joint letter..............................................   100
Woods, Michael J., former Chief, National Security Law Unit, 
  Office of the General Counsel, Federal Bureau of Investigation, 
  Washington, D.C., statement....................................   102





 
  NATIONAL SECURITY LETTERS: THE NEED FOR GREATER ACCOUNTABILITY AND 
                               OVERSIGHT

                              ----------                              


                       WEDNESDAY, APRIL 23, 2008

                                       U.S. Senate,
                                Committee on the Judiciary,
                                                     Washington, DC
    The Committee met, pursuant to notice, at 10:04 a.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Patrick J. 
Leahy, Chairman of the Committee, presiding.
    Present: Senators Feingold, Cardin, Whitehouse, Specter, 
Kyl, and Sessions.

OPENING STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM 
                      THE STATE OF VERMONT

    Chairman Leahy. Good morning.
    When Congress last reauthorized and expanded the USA 
PATRIOT Act in March, 2006, I voted against it, although I 
voted for the first one. I stated then that I felt the 
administration and the Congress had missed an opportunity to 
get it right. But we were able to include some sunshine 
provisions, which has given us insight that we will use today 
in our examination of national security letters, or NSLs.
    I have long been concerned by the scope of the authority 
for NSLs and the lack of accountability for their use. 
Thankfully, we are able to include requirements for review of 
the NSL program by the Inspector General when we reauthorized 
the PATRIOT Act. There had not been that kind of a review 
before.
    Now, for 2 years, the reports by the Inspector General have 
revealed extremely troubling and widespread misuse of NSLs. The 
authority to issue NSLs allows the Federal Bureau of 
Investigation to request sensitive personal information: phone 
bills, e-mail transactions, bank records, credit reports, 
things that could basically stop a business while they try to 
put this all together, and do this without a judge, without a 
grand jury, without even having a prosecutor evaluate those 
requests.
    In the reports, the Inspector General has found some very, 
very disturbing misuse of this authority. The Inspector 
General's report found widespread violations, including failure 
to comply with even the minimal authorization requirements, and 
more disturbingly, that the FBI requested and received 
information to which it was not entitled under the law. The 
reports found some rampant confusion about the authorities, and 
virtually no checks to ensure compliance or correct mistakes.
    But what I found very significant, is the Inspector General 
found that NSL use has grown to nearly 50,000 a year, and 
nearly 60 percent of those NSLs are used to find information 
about Americans. It is a major change in the years since 9/11. 
I raised these concerns publicly and privately with Director 
Mueller of the FBI. In fairness, the FBI has acknowledged some 
problems. It has issued new guidelines, new guidance, a new 
data system to track issuance of these NSLs.
    It has also created an Office of Integrity and Compliance 
to ensure that there are processes and procedures in place to 
ensure compliance.
    I believe that the Director and his staff are sincere in 
their efforts, but I am not persuaded that the actions taken 
have been enough. So we are following up on an earlier 
oversight hearing to ask what changes are needed to the 
statutory authority. Among the things that concern me are 
whether the law should require higher level review and 
approval, perhaps judicial or Department of Justice review, 
before NSLs can be issued.
    Is a standard for issuance which requires only that it be 
relevant to a terrorism investigation too lenient? I mention 
this, because we have seen all the statistics, the sudden huge 
increase in the number of arrests that were related and said to 
be terrorism. Then when we asked the question about, if they 
are terrorists, why did they get a fine or 30 days in jail or 
60 days in jail? Well, it turned out they were just run-of-the-
mill cases that they reclassified so that the statistics were 
good. I want to know if that is the same thing here. Is the 
scope of documents available under NSLs too broad?
    I'd like to hear how we can ensure that there are adequate 
standards for determining when private records on U.S. persons 
that have been collected using NSLs, how can they be retained? 
Actually, how can they be disseminated and used?
    Simply because one of these NSLs is issued with no 
guidance, no checks and balances, or anything else and their 
name gets picked up, are they going to find some day when their 
kids are trying to get into college, are they blocked? If 
they're trying to get a job or a promotion, are they suddenly 
blocked and they don't know why?
    Now, I commend Senator Feingold. He's been a leader on this 
issue. I believe his bipartisan bill, the National Security 
Letter Reform Act of 2007, is on the right track, particularly 
in its recommendation for the need for a real check on 
independent oversight of NSLs.
    The bill would also narrow the extraordinarily broad scope 
of information that NSLs can acquire. They would make the 
standard for their issuance more rigorous. I look forward to 
hearing our witnesses' view on this important legislation, 
getting ideas from them if there are other important steps we 
can take.
    The problem we see with NSLs is just one part of a much 
broader concern. We all know that the changing nature of 
national security threats, and particularly the threat from 
international terrorism, has required changes in the way the 
government collects and uses intelligence, the kind of 
information it needs. Nobody disagrees with that.
    But we have to remember what a perilous undertaking it is 
when the government engages in domestic spying. Americans don't 
like it, and for very good reason. We have a long history of 
abuses: the Red scare of 1919; McCarthyism; co-intel for 
Watergate; the recent Pentagon Talon data base program; the 
collected information on Quakers and other anti-war protestors.
    Can you imagine the shock that must have been, those 
collecting that, to find that Quakers were protesting a war? 
Quakers always protest a war. The shock would have been if, 
when they did that, spying on these Quakers, if they had them 
saying, we're in favor of war. Now, that, that would have been 
worth collecting.
    So if we're going to adapt our collection and use of 
information for Americans as a changing threat, we have to be 
sure to do the same for the checks and accountability 
mechanisms, we have to protect our liberties as Americans. The 
FBI's misuse of NSLs is one example of the need for clearly 
defined procedures and careful controls when collecting and 
using domestic intelligence, but we have to be just as vigilant 
in other areas: data mining, use of satellites to collect 
domestic information, biometrics, fusion centers. They are all 
tools for national security, but each is fraught with the 
potential for privacy invasions and harm to American liberties. 
We in the Congress have a responsibility to see how these are 
being used.
    [The prepared statement of Senator Leahy appears as a 
submission for the record.]
    So I am looking forward to this. Senator Specter, who I 
mentioned is the senior Republican on the Committee, has a long 
history of asking these questions of both Republicans and 
Democrats, and I am glad you're here.

STATEMENT OF HON. ARLEN SPECTER, A U.S. SENATOR FROM THE STATE 
                        OF PENNSYLVANIA

    Senator Specter. Thank you, Mr. Chairman. I wouldn't be 
anywhere else, especially since I'm the Ranking Member and I'm 
really not needed here because there's such a large showing of 
Republican members of this Committee to handle this important 
issue.
    This is a prized Committee, very keenly sought after by 
members of the U.S. Senate. If any were here, I would exhort 
them to attend because this is a very important matter, 
especially in the context of what has happened with expansion 
of executive authority.
    Decades from now, I believe historians will look down on 
this period since 9/11 to the present time and beyond as an 
extraordinary expansion of executive power, necessary, at least 
to some extent, as I have stated by my votes and my positions 
in supporting the expansion of the PATRIOT Act.
    But I am concerned when we are having hearings on national 
security letters and we do so in the context of the President 
having issued a signing statement which purports to limit the 
executive's responsibility to comply with Section 119, 
notwithstanding the fact that this was a matter negotiated. 
That's my recollection, confirmed by Nick Rossi, who was on my 
staff at the time and is now Chief Counsel.
    We negotiated the oversight on review of national security 
letters, and then the President signs a statement in which he 
says that he'll interpret Section 119 in a manner consistent 
with the broader Article 2 powers. Well, that's not adequate. 
There's been expressed negotiations. This comes in the context 
where one of the reported incidents involves a matter where the 
FBI sought records under Section 215 under the order for 
business records from the FISA court, twice refused. Then the 
FBI goes to a national security letter based on the same 
information. Well, that sounds wrong to me. If they don't have 
a basis for it when it goes to a court, to come back to 
something they have unilateral control on, it's not exactly 
what Congress intends here. And all of this occurs in a context 
with vast, vast expansion.
    When you have the President violating the Foreign 
Intelligence Surveillance Act, the National Security Act, 
requiring reports to the Intelligence Committees, on his 
purported authority under Article 2, never tested judicially, 
but violations occur on unilateral action. You have the 
concerns about the State Secrets Act, and the Attorney General 
says there will be a calamitous result, violating the 
President's Article 2 powers.
    You have an effort to legislate under the Shield Law and 
letters from the FBI and the Attorney General and the Director 
of National Intelligence and Homeland Security that the world 
is going to collapse, notwithstanding the careful calculation 
of that statute to preserve national security interests.
    The attorney/client privilege, pressed by this 
administration far beyond any other administration. Former 
Attorney General Edwin Meece and former Attorney General 
Richard Thornburg testified in this room that the current 
interpretation is inappropriate. Two principles: the government 
proves its case, and the constitutional right to counsel, which 
necessarily implies confidential privilege. But now there is an 
expansion of executive authority. Thank God for the courts, 
because it has been more than frustrating to be on this 
Committee and to chair it, to be Ranking Member, and not to 
have the semblance of effective oversight. We simply can't 
chase the executive sufficiently to have effective oversight.
    Now there is a move to have retroactive immunity to the 
telephone companies. As yet on the record we don't know what 
that retroactive immunity is for, but we're asked to grant it 
legislatively. I believe that from what I know as to what the 
telephone companies have done, they've been good citizens and 
they ought to be protected. But the government can step into 
their shoes and defend those cases and preserve the open 
courts, and also to give the telephone companies their due.
    So I would say, Mr. Chairman, we ought to do a lot more, 
but I'm not quite sure what to do.
    Chairman Leahy. Well, if the Senator would yield, I was 
somewhat concerned when I became Chairman. I'd send letters 
down to Department of Justice asking questions and not get any 
response, and wondered if it was because I was a Democrat and 
it was a Republican administration. Then I found out that the 
chairman, when he was chairman, found it difficult to get 
answers to those letters also.
    Senator Specter. Well, I'm still co-signing the letters, 
Mr. Chairman.
    Chairman Leahy. I know you are, and I appreciate that very 
much. I think oversight--I agree with the Senator from 
Pennsylvania. Oversight is extremely important because if you 
have no check and balance, at a time when our government can be 
all-powerful, it is a terrible situation. The Senator from 
Pennsylvania, like myself, was a prosecutor. There are a lot of 
things we would have loved to have done unilaterally. But 
fortunately we couldn't. We had to have oversight by the 
courts, we had to have checks and balances. The country's safer 
that way.
    Senator Specter. I want to associate myself with the 
remarks which you made, following the interruption, and 
conclude my statement just by associating myself.
    Chairman Leahy. I apologize. I thought you had. I thought 
you had.
    Senator Specter. Oh, no you don't. It's fine. We do it all 
the time and it's totally acceptable.
    Chairman Leahy. You see? What you all missed was the 
opportunity to see Senator Specter and myself at a hearing in 
Vermont.
    Senator Specter. Where was everybody?
    Chairman Leahy. It was very interesting. They're still 
talking about it up there, approvingly.
    Senator Specter. It was an official Committee hearing. 
Where was everybody?
    Chairman Leahy. And Senator Specter was praised by 
Republicans and Democrats across the political spectrum for his 
participation.
    Senator Feingold, this is your legislation. If you want to 
say something, please feel free.

STATEMENT OF HON. RUSSELL D. FEINGOLD, A U.S. SENATOR FROM THE 
                       STATE OF WISCONSIN

    Senator Feingold. Thank you, Mr. Chairman and Ranking 
Member Specter. Thank you for holding this important hearing, 
and for your commitment to this issue.
    I could not agree more that greater oversight and 
accountability are needed with respect to national security 
letters. The Justice Department's Inspector General documented 
serious misuse and abuse of national security letters from 2003 
to 2006.
    A followup audit conducted by the FBI itself not only 
confirmed the Inspector General's findings, it documented even 
more violations. These widespread problems are directly 
attributable to the PATRIOT Act, which expanded the NSL 
statutes to essentially grant the FBI a blank check to obtain 
sensitive information about innocent Americans.
    Congress gave the FBI very few rules to follow and then 
failed to adequately fix these problems when it reauthorized 
the PATRIOT Act. I appreciate that Director Mueller and others 
in the FBI leadership ranks have taken these problems 
seriously, but leaving this to the FBI alone to fix is not the 
answer. These Inspector General reports prove that ``trust us'' 
simply doesn't cut it.
    It was a significant mistake for Congress to grant the 
government broad powers and just keep its fingers crossed that 
they wouldn't be misused. Congress has the responsibility to 
put appropriate limits on government powers, limits that allow 
agents to actively pursue criminals, terrorists, and spies, but 
that also protect the privacy of innocent Americans.
    Congress must also ensure that the statute complies with 
the Constitution. In that vein, last fall a Federal District 
Court struck down one of the new NSL statutes, as modified by 
the PATRIOT Act Reauthorization legislation enacted in 2006 on 
First Amendment grounds.
    This is why I introduced the National Security Letter 
Reform Act with a bipartisan group of Senators, including 
Senators Sununu, Durbin, Murkowski, Salazar, Hagel, and others. 
This bill places new safeguards on the use of national security 
letters and related PATRIOT Act authorities to protect against 
abuse and ensure the constitutionality of the statute.
    Among other things, it restricts the type of records that 
can be obtained without a court order to those that are the 
least sensitive and private, and it ensures that the FBI can 
only use NSLs to obtain information about individuals that have 
at least some nexus to a suspected terrorist or spy. I am 
pleased that it has received endorsements from all over the 
political spectrum, from the Center for American Progress, to 
the League of Women Voters, to Grover Norquist of Americans For 
Tax Reform.
    I would ask, Mr. Chairman, that an April 22 letter in 
support of the bill, as well as a ``Dear Colleague'' about the 
bill, be included in the record.
    Chairman Leahy. Without objection, so ordered.
    [The prepared statement of Senator Feingold, with 
attachments, appears as a submission for the record.]
    Senator Feingold. Thank you, Mr. Chairman.
    This legislation is a measured, reasonable response to a 
serious problem. Again, thank you very much for holding the 
hearing on the bill and on this topic, and I look forward to 
the witnesses' testimony.
    Chairman Leahy. Thank you.
    Senator Cardin, did you wish to--

 STATEMENT OF HON. BENJAMIN L. CARDIN, A U.S. SENATOR FROM THE 
                       STATE OF MARYLAND

    Senator Cardin. Thank you, Mr. Chairman. Just very briefly, 
let me first comment that I will be moving between this 
Committee and the Foreign Relations Committee that has a 
hearing on Darfur today. I'm saying that for Senator Specter's 
benefit, because I'm sure his colleagues are very busy in other 
committees that are holding hearings today.
    But obviously this is an extremely important hearing, and I 
thank you very much for conducting this hearing.
    I just want to make a quick observation, if I might. I 
think Americans would be very surprised to learn that there are 
tens of thousands of national security letters issued every 
year--every year--the majority of which are directed toward 
Americans, requesting sensitive information such as their 
credit information or their telephone records, and it is done 
without any court supervision. They also, I think, would be 
surprised to learn about the Inspector General's report that 
pointed out that a large number of these letters were issued 
contrary to the law, in violation of the authority that the 
Department had.
    So I think it's very important for us to do the appropriate 
oversight. I'm sure we're going to hear today, Mr. Chairman, 
that as a result of the Inspector General's report, as a result 
of the oversight that this Committee has done, that the 
circumstances are improved, that procedures are now in place, 
that the number of violations of laws have been reduced 
dramatically and that the circumstances and the use of national 
security letters have improved dramatically.
    But what happens when we turn off the spotlight? What 
happens when Congress does not hold regular oversight hearings 
on the use of national security letter? Will we revert back to 
the use of these letters, contrary to law? When one agency can 
make a decision without review of the courts, without 
oversight, there is the potential for abuse.
    So I just want to compliment Senator Feingold for his 
legislation. I think it's important that we look at ways in 
which we can establish the appropriate check-and-balance in our 
system to make sure that the agencies have the tools that they 
need to protect our country and to pursue investigations that 
are important so they can get the material necessary for 
investigations, but at the same time protect the civil 
liberties of the people of our Nation. Clearly that was not 
done over the last five or 6 years. Clearly that was abused and 
did not further justice, and it did hurt the civil liberties of 
the people of our country.
    So I think that we should not only be holding the oversight 
hearing that Senator Specter has talked about the importance 
of, but to look at ways in which we can institutionalize a 
better check-and-balance system on the use of this 
extraordinary power by the Department of Justice.
    Mr. Chairman, I look forward to our witnesses. Again, I 
apologize if I have to leave to attend another hearing on the 
circumstances within the Darfur region of Sudan.
    Chairman Leahy. Thank you very much.
    Senator Whitehouse, did you have anything you wanted to 
add?

 STATEMENT OF HON. SHELDON WHITEHOUSE, A U.S. SENATOR FROM THE 
                     STATE OF RHODE ISLAND

    Senator Whitehouse. Thank you, Mr. Chairman.
    Very briefly, I just wanted to commend Senator Feingold for 
his legislation. He has undertaken what those of us who have 
the honor of working with him have come to expect as a very 
thoughtful and thorough approach to this issue. I think we 
should also take a moment, if it has not been done already, to 
commend Inspector General Glen Fine. We are here, in large 
part, because of the research work that he did.
    Our job is to oversee the executive branch and remark and 
bring attention to situations where folks have failed in their 
duties or failed in their responsibilities, and assure that 
those mistakes are cured. It is also, I think, our 
responsibility to express appreciation and pride when folks in 
the executive branch do their duties particularly well.
    I think the Department of Justice Office of Inspector 
General did its duties particularly well in this respect, and I 
think the record of the hearing should reflect that. I remain a 
little bit dismayed that the FBI, as an institution--I had this 
discussion with Director Mueller when he was here--did not more 
highly value the rather extraordinary powers that they were 
given in this legislation and the responsibilities, the 
concomitant responsibilities that came with that.
    The fact that there wasn't adequate internal oversight, 
that there weren't checks and balances going, frankly, right up 
to the Director's office, because this is an issue that 
directly affects the credibility of one of our proudest law 
enforcement agencies with this Congress, and if they're not 
minding the store when we give them the kind of scope--I think 
mistakenly, but irrespective of that--that they are and it's 
cabined with particular congressional restrictions, the level 
of disinterest in attending to those congressional limitations 
is kind of surprising.
    You would have thought that the highest levels of the FBI, 
somebody would be saying, you know, this is pretty serious 
stuff, they put some pretty serious boundaries around it. We're 
going to look like real dopes if we foul this up. You know, 
somebody in my office is going to be in charge of making sure 
this is done right. The failure of that, I think, is an 
interesting and significant failure in this whole process.
    So I very much look forward to the testimony of all the 
witnesses. I appreciate the Chairman holding this hearing, and 
I thank Senator Feingold for, once again, his thoughtful and 
thorough approach to an important issue.
    Chairman Leahy. Well, thank you very much.
    Gentlemen, you've had a chance to hear our views on this. 
Don't let that influence you in any way, shape, or manner as 
you give your testimony. I mean that, seriously.
    The first witness will be James Baker. He has an extensive 
background in the area of national security. He served at the 
Justice Department for 17 years. He was Counsel for 
Intelligence Policy in the Office of Intelligence Policy & 
Review from 2001 to 2007. Is that correct? A former Federal 
prosecutor, he's worked on a wide variety of national security 
matters. He taught national security law at Harvard Law School 
in 2007. He's a Fellow at the Institute of Politics at 
Harvard's Kennedy School of Government. He currently serves as 
the Assistant General Counsel for National Security at Verizon.
    He received his bachelor's degree from the University of 
Notre Dame and his law degree from the University of Michigan 
Law School.
    Mr. Baker, please go ahead, sir.

 STATEMENT OF JAMES A. BAKER, FORMER COUNSEL FOR INTELLIGENCE 
        POLICY, DEPARTMENT OF JUSTICE, WASHINGTON, D.C.

    Mr. Baker. Thank you, Mr. Chairman, Ranking Member Specter, 
and members of the Committee. I appreciate the opportunity to 
be here today.
    Let me just say at the outset that I am appearing here 
today in my individual capacity at the request of the Committee 
and anything I say should not be taken as reflecting the views, 
necessarily, of my current or former employers.
    So, Mr. Chairman, you have my written statement, which I 
would ask to be made part of the record.
    Chairman Leahy. Without objection, it will be part of the 
record.
    Mr. Baker. Thank you, sir.
    [The prepared statement of Mr. Baker appears as a 
submission for the record.]
    Mr. Baker. I won't try to recapitulate what I say there, 
but my objective today is to try to be of whatever assistance I 
can to the Committee to try to put national security letters in 
context with what the intelligence community, the FBI, is doing 
every day to conduct national security investigations and to 
obtain foreign intelligence information. So what I am urging 
today is that we think about this in a holistic way and try to 
understand the perspective of the people on the ground who have 
to use these tools as they go about doing what everybody agrees 
we want them to do, which is to protect the country.
    And so what I urge is we not focus just on NSLs, but we 
think in a larger way about the whole question of what I refer 
to as metadata. I'll come back to that. Well, I'll just address 
that right now.
    Metadata, as I describe in my written statement, what I 
mean by that, and what other people have referred to or used 
that term to refer to, is really a distinction between content 
information and non-content information. Content information is 
the words that are spoken on a telephone call, the substance of 
an e-mail, what happens in the privacy of our homes, those 
kinds of things. That's the content that I refer to.
    When I'm talking about metadata I'm talking about non-
content. It's information about those things, maybe the date, 
the time, the duration of the telephone call, the ``to'' and 
``from'' of an e-mail, indications about where you moved at 
different points in time, but it's not your actual substance of 
your communications.
    So what I think, and what I'm trying to say today is that 
Congress, I suggest, should think about the problem or the 
issue of the collection of non-content information and how it 
wants the government to go about doing that, and what rules 
apply, what oversight there should be, and so on.
    Metadata, generally speaking, is not protected by the 
Fourth Amendment. Content is protected by the Fourth Amendment. 
Metadata is protected in some instances by statute, but in many 
instances by nothing. There are no statutes with respect to 
certain types of metadata. So what I think Congress needs to 
think about, is what does it want the government to do? What do 
we as Americans want the government to do with respect to the 
collection of all types of metadata, from the types of metadata 
we're talking about today from national security letters, but 
broadly, all different types of metadata? That's the big issue. 
That's the big privacy issue, I think, that faces us today.
    Let me just say, metadata is a critically important tool 
for conducting national security investigations. It's been 
referred to as the bread and butter of FBI investigations. But 
I don't want to over-sell it, either. It's not a panacea. It 
may be the bread and butter, but it's not necessarily the main 
course or the dessert. I mean, it's not everything. It provides 
you with certain guideposts and ways to think about problems 
and who to focus on, but it's an investigative tool, not an 
investigation.
    My main criticism, I think, of the current statutes that we 
have, and I urge the Congress to think about it as it decides 
what to do next, is that they are just way too complex. There 
are too many tools that are out there for the government to use 
with too many different standards, too many different approval 
levels, too many different oversight mechanisms with respect to 
the collection of metadata.
    For example, as I said in my written statement, there are 
eight different ways, by my count, at least, to get telephone 
toll records. There are eight different ways, with all kinds of 
different standards. That's too complex. That is what leads to, 
I think, some of the confusion that ensues that you see 
reflected in the Inspector General's report, which I also 
commend. I think it's an excellent report.
    So I think as you consider what to do next, you should 
worry about making things too complex. That's what I urge you 
to worry about with respect to that. You should also worry 
about making sure there's adequate oversight. You should make 
sure that there are the right people in the right jobs, working 
hard to get it right. That's critically important. I also urge 
that there be adequate and statutorily mandated minimization 
procedures with respect to all different types of metadata. 
Senator Feingold's bill urges that, or would require that with 
respect to national security letters, but you need to think 
broadly and think about other types of metadata that are 
collected from a variety of different sources.
    As I suggest in my written statement, one thing to think 
about would be a national security subpoena. It would be 
simple, it would be broad in scope. It wouldn't be unlimited in 
scope. It wouldn't be able to collect certain types of data if 
you wanted to restrict that, such as tax records and so on. It 
would not be an administrative subpoena, it would be a subpoena 
that would require the involvement of the Department of 
Justice.
    I see my time has expired, Mr. Chairman, so I will stop 
there. But what I urge is, do not approve a national security 
subpoena unless you also provide for adequate oversight 
mechanisms, provide resources for that, and require 
minimization.
    Thank you, Mr. Chairman.
    Chairman Leahy. Thank you. We will go into what you mean by 
adequate oversight on that.
    The next witness is Gregory Nojeim--did I get that correct?
    Mr. Nojeim. Yes.
    Chairman Leahy. Thank you. He's a Senior Counsel and 
Director of the Project on Freedom, Security & Technology at 
the Center for Democracy & Technology in Washington. He's a 
recognized expert on Fourth Amendment and surveillance issues 
arising in the national security and intelligence areas. Before 
joining CDT in May of 2007, he was the Associate Director and 
Chief Legislative Counsel for the American Civil Liberties 
Union. He received his bachelor's degree from the University of 
Rochester and his law degree from the University of Virginia.
    Go ahead, sir.

 STATEMENT OF GREGORY T. NOJEIM, DIRECTOR, PROJECT ON FREEDOM, 
   SECURITY & TECHNOLOGY, CENTER FOR DEMOCRACY & TECHNOLOGY, 
                        WASHINGTON, D.C.

    Mr. Nojeim. Thank you, Senator Leahy, Senator Specter, 
members of the Committee. Thank you for the opportunity to 
testify today on behalf of CDT.
    The DOJ Inspector General found widespread errors and 
violations in the FBI's use of NSLs to obtain bank, credit, and 
communication records of U.S. citizens without prior judicial 
review. These violations are the natural, predictable outcome 
of the PATRIOT Act and other legal and technology changes. They 
weakened the rules under which FBI agents make these demands 
while dramatically expanding their scope. In response, the FBI 
issued detailed guidance on NSLs that contains many useful 
elements.
    But internal reforms can only fix so much. The only way to 
truly address the problems is to legislate traditional checks 
and balances under which a judge must approve governmental 
access to sensitive information.
    So far, NSL legislation has been a one-way street. With 
almost every change in the law, more records from more 
businesses with more personal information about people 
increasingly distant from the target of the investigation have 
been made available to more people in government, with more 
coercion and less judicial oversight. And, the judicial review 
that has been provided for has been largely toothless.
    Self-policing doesn't work. Going to a judge makes a 
difference in a way that is unachievable by merely internal 
reviews or by reviews conducted by attorneys in a different 
part of the executive branch.
    Senator Specter said, ``Thank God for the courts.'' It's 
time to give the courts something meaningful to do in this 
context.
    We ask that you enact legislation that reflects the 
principle that the more sensitive the information sought, the 
tighter the standard should be for getting it and the more 
exacting and detached the review for the request for 
information should be.
    When revealing information is sought in an intelligence 
investigation, mere relevance without judicial review and 
without a tie between the subject of the records and a foreign 
power is an inappropriate standard. The weak relevance standard 
is often justified by drawing parallels between NSLs and 
criminal subpoenas, which are issued without prior judicial 
review.
    But intelligence investigations are more dangerous to 
liberty than criminal investigations. They require stronger 
compensating protections.
    Intelligence investigations are broader than criminal 
investigations. They are not limited by the criminal code. They 
can investigate legal activity, including First Amendment 
activity.
    Intelligence investigations are conducted in much greater 
secrecy than criminal cases, even perpetual secrecy. When a 
person receives a grand jury subpoena, normally a person can 
complain about it. In an intelligence case, when a business 
gets an NSL, they're gagged. They're prohibited by law from 
complaining about it, and the subject of the NSL never learns 
of it.
    Finally, in a criminal investigation almost everything the 
government does is ultimately exposed to scrutiny. The 
prosecutor knows that at the end of the day, his actions will 
often come out in public. That is a powerful constraint. 
There's no public airing at the end of intelligence 
investigations.
    In this context, the relevance standard offers insufficient 
protection against abuse. There is just no substitute for 
tightening the standard and subjecting requests for sensitive 
information to judicial review.
    After-the-fact minimization, while it's important, doesn't 
prevent the initial intrusion. Minimization under FISA, the 
model that many urge for NSLs, is actually quite permissive.
    Moreover, none of the changes that the FBI has put in place 
can get to the core issue. That is to ensure that NSLs are used 
only in a focused way when there is a factual basis for 
believing that the individual whose data is sought is a 
terrorist or a foreign agent, or that information is otherwise 
sufficiently important to the activities under investigation.
    The NSL Reform Act, in contrast, does get to the core 
issue. It creatively honors the principle that sensitive 
information deserves more protection. First, it would separate 
information that can now be obtained with an NSL into sensitive 
and less-sensitive personal information.
    Not all metadata is created alike. Some of it is 
particularly sensitive. The ``to"/"from'' information about a 
person's e-mailing is more sensitive than information that 
merely identifies a person.
    Yesterday I applied for a loan at a bank. The records that 
I gave to the bank might be regarded as metadata under this 
proposal. I had to give them my tax return and a lot of other 
sensitive information that, frankly, I didn't want to give up, 
and frankly shouldn't be available to law enforcement without a 
really good reason.
    We like the way that the NSL Reform Act separates out these 
two types of sensitive information to less sensitive and more 
sensitive, and says that when the information is more sensitive 
there has to be some judicial authorization, usually -probably 
-through Section 215 of the PATRIOT Act before the information 
can be given to the government. These are necessary reforms. 
They and other measures can ensure that the government has the 
tools it needs to prevent terrorism and that those tools are 
subjected to appropriate checks and balances.
    Thank you very much.
    Chairman Leahy. Thank you very much.
    [The prepared statement of Mr. Nojeim appears as a 
submission for the record.]
    Chairman Leahy. Our next witness, Michael Woods, is an 
attorney with extensive expertise in national security areas. 
He served in a variety of national security-related positions 
at the Justice Department, beginning his service in 1993. He 
served as Chief of the FBI's National Security Law Unit from 
1997 to 2002. In private practice, he has advised Department of 
Defense clients in matters of national security policy. He has 
published Law Review articles on national security law issues, 
including those related to national security letters and the 
PATRIOT Act. He graduated from the University of Oxford and 
Harvard Law School.
    Mr. Woods, glad to have you here.

STATEMENT OF MICHAEL J. WOODS, FORMER CHIEF, NATIONAL SECURITY 
  LAW UNIT, OFFICE OF THE GENERAL COUNSEL, FEDERAL BUREAU OF 
                INVESTIGATION, WASHINGTON, D.C.

    Mr. Woods. Thank you, Mr. Chairman.
    Mr. Chairman and members of the Committee, I am very 
pleased to have the opportunity to appear this morning. I 
think, really, I have two things to offer the Committee in this 
very important work. The first, is my practical experience. As 
a former Chief of the FBI's National Security Law Unit, I was 
basically in charge of the national security letter production 
process during the time I was there. I would add and would 
underline that I left the FBI in 2002, and so I am probably not 
the person who can comment on what has gone on more recently 
than that internally, or about the measures that have taken 
place.
    But I can certainly give some insight into how these 
letters were used investigatively prior to the PATRIOT Act, 
into the rationale for the changes that were sought in the 
PATRIOT Act, and into some of the investigative concerns that I 
think persist to this day.
    The second, of course, as the Chairman has noted, I have 
written on what I call transactional data, which Mr. Baker is 
referring to as metadata. I will use whatever term the 
Committee wants. I do not mean to create confusion. I have 
summarized this research in my written testimony, and I have 
appended a Law Review article that I think might be helpful.
    Chairman Leahy. Incidentally, all the written testimony of 
all the witnesses will be put in the record in total.
    Mr. Woods. Thank you, Mr. Chairman.
    Like the other witnesses this morning, and I'm sure 
everyone on the Committee, I see in this constantly evolving 
digital environment an enormous challenge for our government. 
The cloud of transactional information or metadata that each of 
us now creates in our daily lives, though it may not contain 
the direct content of our private communications, reveals a 
steadily more detailed picture of our activities, our personal 
habits, our social networks, our finances. This information 
largely resides in the custody of third parties, in quantities, 
formats, and conditions of which most of us remain unaware.
    The constant expansion in the capacity of digital storage 
systems and in the power of search engine technology make this 
transactional information at once more permanent and more 
easily accessible than ever before. This situation poses a real 
challenge to counterintelligence and counterterrorism 
investigators. On the one hand, it allows a new window into the 
hidden activities of our most sophisticated adversaries. On the 
other, the compromise of privacy by the acquisition of 
transactional data seems much greater now, that the quantity 
and detail of that information has increased.
    I believe it is critically important that the Committee 
leave the FBI with a flexible and effective tool for obtaining 
transactional information. That tool should incorporate 
safeguards that inspire public confidence, but safeguards that 
are proportionate and carefully tailored in response to the 
actual harms.
    Though I disagree based on my experience with the 
suggestion that the legal standard for national security should 
be returned to its pre-PATRIOT Act level, I think many parts of 
the current legislative proposal represent very promising steps 
in the right direction.
    I am very happy to elaborate on these views in response to 
your questions, and look forward to assisting the Committee in 
this important work.
    Again, thank you for inviting me.
    Chairman Leahy. Thank you very much, Mr. Woods.
    [The prepared statement of Mr. Woods appears as a 
submission for the record.]
    Chairman Leahy. Over the last several years, the FBI issued 
virtually no guidance. They had no real checks or oversight on 
the expanded use of national security letters. We have had 
several Inspector General reviews which came about because 
Congress, in its oversight, insist on these reviews. They 
pointed out errors in every single aspect of the national 
security letters: they're drafted incorrectly; they're issued 
without even the minimal administration requirements; their use 
was not monitored; the information collected is often not even 
recorded or tracked.
    So, in other words, these Inspector General reports showed 
that the FBI failed in every respect to police its use of NSLs. 
It was only after these devastating IG reports came out that 
the FBI took steps to control use, and then started issuing 
guidance, creating a data bank, and so forth.
    But even now the FBI resists any process for outside 
review. Even though they had this abysmal record following on 
them, they don't want any outside approval. One article likens 
this to the stereotypical male driver who has circled the same 
block four times, but still stubbornly refuses to ask anyone 
for directions. My wife would like that one.
    Now, haven't we seen enough from these IG reports? Though 
the FBI can't effectively check it's own use of this very 
powerful authority, do we have to wait for more years, and 
documents, and so on or should Congress require approval of the 
NSLs outside of the FBI? Who should be the reviewing authority? 
Should we have judicial review? You have differing views.
    Mr. Baker, let me begin with you, then go to Mr. Nojeim, 
then Mr. Woods.
    Mr. Baker. Thank you, Mr. Chairman. Yes. I mean, I 
subscribe to the notion that it's appropriate to have review of 
metadata collection tools, whatever legal tool Congress ends up 
approving outside of the FBI. I think it's appropriate. I think 
it works well when you think about it in the criminal context 
or the grand jury process where the FBI agents need to go--must 
go--to a Federal prosecutor to obtain approval to issue the 
grand jury subpoena so there's an outside check on what happens 
before the document goes out that results in the collection of 
the information. So, I think that's very appropriate.
    I think that system has worked well with respect to grand 
juries. The difficult thing for the Committee is to try to 
calibrate what it does with respect to what the effect is. So 
the higher you ratchet up the approval levels, if you indeed 
require the FBI to go to a court in addition to a Justice 
Department attorney, it's just going to make it that much more 
difficult and that much more time-consuming to obtain the 
information. It will be something that discourages the FBI from 
actually trying to pursue those.
    Now, some people say that's a good idea, we don't want them 
to do all these NSLs. But the volume, as you can see, of the 
number of NSLs is so huge and the time pressure is so great, 
that we need to have something that's--
    Chairman Leahy. But even now they're not even going to the 
U.S. Attorney.
    Mr. Baker. No, I agree. But with the NSLs, they just do it 
internally. It goes to the SAC, Special Attorney in Charge.
    Chairman Leahy. But you would not support judicial review 
because of the volume?
    Mr. Baker. For much of the information, I think judicial 
review is too much. I concede and think it would be a good idea 
if Congress wanted to carve out a certain set of records--tax 
return records, firearms records, educational records, the sort 
of things that are listed in the current 215--out and say, if 
you're going to have this category of material you have to go 
to the court. But for the transaction, for much of the 
transactional data, again, I agree with Mr. Woods, we need to 
be very careful. It needs to be carefully calibrated. You need 
to think about what categories you want to carve out and make 
sure they're really important.
    Chairman Leahy. Mr. Nojeim?
    Mr. Nojeim. That is exactly what the Feingold bill does. It 
carves out the more sensitive information and says for that tax 
return that was given to the bank so a person can get a loan, 
for e-mail ``to''/``from'' information, you've got to go to a 
court first. It's not good enough for the FBI to check itself.
    Let me just say a word about the checks and balances that 
we're calling for. One doesn't normally think of a person in 
the executive branch charged with being a prosecutor or 
protecting national security as being the person who provides 
the check and the balance. It's the judge who has to provide 
that check and the balance. That's their role in our system. 
It's just not the proper role of prosecutors to be actually 
charged with that. They can certainly help, but a true check 
has to be judicial.
    Chairman Leahy. And Mr. Woods?
    Mr. Woods. I guess I would agree with the idea that there 
needs to be judicial review available, but I would focus 
directly on the calibration. I would draw the analogy to the 
grand jury. The former prosecutors on the Committee know that, 
as a prosecutor, you might issue hundreds of grand jury 
subpoenas. Now, the possibility of judicial review is there, 
but it's the prior approval of the court, and in most instances 
in the Federal system, prior approval of a grand jury is not 
something that is required. I think we have to shift toward 
that analysis.
    Chairman Leahy. Of course, in the grand jury the prosecutor 
eventually is going to have to answer to the court how he 
collected the evidence.
    Mr. Woods. Exactly.
    Chairman Leahy. They're not going to say, OK, on every one 
of these subpoenas you have to have a witness come in, but at 
some point they're going to say, it appears you overreached, or 
you didn't. Is that not correct?
    Mr. Woods. That is correct. But I think that one of the 
things we'll certainly end up discussing here is the very 
fundamental distinction between the collection of intelligence 
and criminal investigations. I mean, Congress and the executive 
branch have struggled with the oversight of these activities 
for a long time because that public accounting is not present 
in the intelligence world.
    Chairman Leahy. Thank you.
    Senator Specter?
    Senator Specter. Thank you, Mr. Chairman.
    Mr. Baker, in my opening statement I referred to a 
situation where the FBI had been twice turned down by the FISA 
court on a request for a Section 215 order for business records 
and they then used a national security letter. I am advised, 
further, that at the time you were head of the Office of 
Intelligence, Policy & Review in the Department of Justice and 
that you advised the FBI that they ought not to use a national 
security letter in that context. Is all of that true?
    Mr. Baker. It is true, Senator, that I was head of the 
Office of Intelligence & Policy Review at that time. Senator, I 
don't recall, sitting here today, giving that advice with 
respect to NSLs.
    Senator Specter. Do you recall the situation where the FBI 
had twice been turned down by the FISA court for a Section 215 
order?
    Mr. Baker. I remember the case in general, Senator. I would 
just comment, just as a point of clarification--and I can talk 
more about how the FISA process works--but it was--
    Senator Specter. Well, I don't have much time. There was 
such a case. Then the FBI did use a national security letter in 
that situation?
    Mr. Baker. With respect to that investigation, yes.
    Senator Specter. Well, that's pretty blatantly wrong, isn't 
it, Mr. Baker?
    Mr. Baker. Well, technically speaking, under the law they 
were authorized to do it. Now, that doesn't mean necessarily 
that it was a good idea to do it with respect to the facts that 
are here in this case.
    Senator Specter. Well, did the court turn it down because 
there was a First Amendment issue?
    Mr. Baker. My understanding is that the court did not 
officially turn it down. There was a back-and-forth between the 
government on a number of--
    Senator Specter. OK. But the court didn't grant it?
    Mr. Baker. I beg your pardon?
    Senator Specter. The court didn't grant it.
    Mr. Baker. I'm sorry. I didn't--
    Senator Specter. The court didn't authorize the order?
    Mr. Baker. No, it did not, sir.
    Senator Specter. OK. Well, with 5 minutes of talk, that's 
enough on this issue. To me it's pretty plain that the FBI is 
circumventing the court, which had it twice before it. It 
wasn't granted. That's the critical aspect.
    Let me move to you, Mr. Nojeim. You call for ``specific and 
articulatable facts'' for NSLs. Others have contended that the 
relevance standard is sufficient. Isn't a standard of 
relevance, which is not even reviewed by an attorney, highly 
subjective and highly questionable just on the say-so of an FBI 
agent?
    Mr. Nojeim. It is. It is. One of the problems with a 
relevance standard--
    Senator Specter. Would it slow down the process to make it 
impractical if your standard of a specific and articulatable 
facts standard were to be required?
    Mr. Nojeim. No, I don't think so. The FBI guidance actually 
requires agents now to articulate the reasons why they believe 
that the information sought is relevant to the investigation.
    Senator Specter. Mr. Woods, what do you think about a 
``specific and articulable facts'' standard for NSLs?
    Mr. Woods. I think it's inappropriate.
    Senator Specter. You think what?
    Mr. Woods. I think it's inappropriate. I believe it's 
inappropriate because it was the standard prior to the PATRIOT 
Act. It did slow the process prior to the PATRIOT Act and it 
did make these tools far less available.
    Senator Specter. Well, was it a good process? Just being 
part of the PATRIOT Act doesn't speak to its value, speak to 
its appropriateness.
    Mr. Woods. As I've outlined in my written testimony, it was 
a process and a standard that worked very well in the 
traditional counterintelligence cases of the FBI in chasing 
spies, in cases where you make fairly common investigative 
links from known agents out to their associates, et cetera.
    It did not work very well in the kind of inchoate threat 
situations that we were encountering in terrorism where you 
don't have a lot of facts about the individual, therefore you 
don't have specific facts about the person to whom you are 
trying to connect. This is where that standard started to break 
down in the 1990's, and it's why the FBI asked for it to be 
changed.
    Senator Specter. Mr. Woods, what do you think of Judge 
Posner's argument, which was made again in March of 2007 in the 
Wall Street Journal that the FBI, really, institutionally, is 
not the best agency to handle this, going again and looking to 
the idea of a United States Mi-5. What do you think of that?
    Mr. Woods. I've never been in favor of that. I disagree 
with Judge Posner on that, and some other things.
    I actually think it is a good--I mean, the critics like 
Judge Posner say that it's the FBI's investigative criminal 
orientation that slows down the intelligence gathering process. 
I think that if you're going to have anyone do domestic 
intelligence collection, and I think someone needs to, it ought 
to be people who are steeped in the criminal process, in the 
constitutional process rather than the kind of people we have 
collecting foreign intelligence, for example, who lack that 
background.
    Senator Specter. Thank you very much.
    Thank you, Mr. Chairman.
    Chairman Leahy. Thank you, Senator Specter.
    Senator Feingold?
    Senator Feingold. Thank you, Mr. Chairman.
    Mr. Baker and Mr. Woods, according to the Inspector 
General's reports the FBI uploads information it obtains 
through NSLs into numerous data bases that are widely 
accessible to tens of thousands of personnel at the FBI and 
other agencies.
    I'd like to ask you both, should all this information be 
retained indefinitely, and what type of limit should the FBI be 
required to impose on the type of information it retains and 
the length of time it is kept?
    Mr. Baker?
    Mr. Baker. Well, as I have said in my written statement, 
Senator Feingold, I think there should be rules. There need to 
be minimization rules. As your bill would require for national 
security letters, I would urge you to require it for all types 
of metadata. It's something that Congress needs to worry about, 
not just with respect to the fruits of the national security 
letters, but with respect to all the types of data from all the 
different tools that the government uses to collect metadata, 
including grand jury subpoenas, pen register trap and trace 
orders, all kinds of things.
    That said, with respect to destruction, I do say in my 
statement that I think, if you're going to allow the government 
to collect a lot of data on the front end, you need to minimize 
the retention and dissemination, and at some point in time it 
needs to be destroyed.
    Senator Feingold. Well, the FBI would probably argue that 
you can never predict when the information might be useful. 
Based on your government experience, how quickly does the 
utility of this type of information as actionable intelligence 
start to decrease? I realize you can't say an absolute answer, 
but what is your sense as a professional in this area?
    Mr. Baker. If you're trying to get actionable intelligence 
which will allow you to actually do something to stop a threat, 
stop a spy, it starts to dwindle relatively quickly. So what I 
suggest in my testimony is a pretty long time period, which is 
5 years, destruction after 5 years.
    You can come up with examples where 10, 15, 20 years would 
reveal something about someone, but it is--I don't know how you 
want to say it, but it's a slope that drops pretty quickly, 
Senator. So I think definitely after 5 years, and at some point 
even before that it drops off quickly.
    Senator Feingold. Thank you, Mr. Baker.
    Your response to this issue, Mr. Woods?
    Mr. Woods. I think, definitely, there needs to be a 
mechanism for governing the retention of this information. The 
national security letter statutes were developed kind of 
quickly. They've been ignored and in a corner for most of their 
life. It's really a mistake that these statutes didn't have 
something like this from the beginning. And I would agree with 
Mr. Baker. I think for a model we would look at other things, 
the retention rules that we put in the Attorney General 
guidelines, the retention rules that are in the DoD guidelines. 
There should be that kind of review to eliminate retention as 
quickly as possible.
    Senator Feingold. Based on those responses, I'd like to ask 
each of the witnesses if you could give a ``yes'' or ``no'' 
answer. Is it safe to assume that all the witnesses support the 
provision of the NSL Reform Act mandating that the FBI issue 
minimization and retention procedures for NSLs?
    Mr. Baker?
    Mr. Baker. Yes, I do. But I would also suggest that you 
should worry about acquisition, minimization at the stage of 
acquisition. Don't get more than you really need for the 
purpose that you're searching for it.
    Senator Feingold. Mr. Nojeim?
    Mr. Nojeim. Yes, I agree.
    Senator Feingold. OK.
    Mr. Woods?
    Mr. Woods. Yes, I agree, too.
    Senator Feingold. And I want to thank the Ranking Member 
for raising the issue of the relevance standard, which I 
consider, of course, to be woefully inadequate to protect the 
privacy of Americans who have done nothing wrong. I believe 
that the specific and articulable facts standard is an 
appropriate standard, but we will certainly work on this 
legislation to make sure that the government can get what it 
needs, but not go too far.
    I do think that the relevance standard is not adequate, and 
as Senator Specter said, the mere fact that it was put in as a 
change in the PATRIOT Act is not to me, a recommendation. It is 
actually a sign that it might not have been looked at closely 
enough, because that's my view of the whole legislation.
    Mr. Nojeim, the most recent Inspector General report 
indicated that the percentage of NSL requests generated in the 
course of investigations of U.S. persons has increased steadily 
in the past several years, from 39 percent in 2003 to 57 
percent in 2006. Is this cause for concern?
    Mr. Nojeim. Yes, it is. I think that you can trace that 
increase to the PATRIOT Act itself, which eliminated the 
requirement that the records pertain to an agent or a foreign 
power. Most Americans don't fit that description.
    Senator Feingold. And also, Mr. Nojeim, the FBI conducted 
its own internal review of 10 percent of all NSLs issued from 
2003 to 2006. According to the most recent Inspector General 
report, the FBI's review found more than 550 instances in which 
the FBI received records it had not requested in response to an 
NSL, yet out of those hundreds of incidents only four times did 
the FBI realize that this violation had occurred. That's less 
than 1 percent. The IG report also stated that at least some of 
this unlawfully obtained information was uploaded into an FBI 
data base that is shared more widely with the intelligence 
community. What does that tell us about the extent to which 
these data bases may contain unlawfully obtained information?
    Mr. Nojeim. It suggests that there could be a big, big 
problem. We won't know what information in the data base was 
lawfully obtained and what information wasn't. It's not tagged, 
so you just won't know.
    Senator Feingold. Thanks to all the witnesses.
    Thank you, Mr. Chairman.
    Senator Whitehouse. Thank you.
    I believe Senator Sessions is next in order.
    Senator Sessions. Well, I think the FBI deserves criticism 
for not managing this program well, not following strictly the 
guidelines and accounting correctly in the beginning. Wouldn't 
you agree, Mr. Woods?
    Mr. Woods. Yes, I would.
    Senator Sessions. And Mr. Mueller came here and promised to 
do better, and the OIG report indicates that they have done 
better and fixed the problem in recent months. Is that correct?
    Mr. Woods. That's the testimony.
    Senator Sessions. I think we heard--we know what happened. 
We saw the Director in here. This oversight Committee, which 
has the responsibility to make sure this program is going 
right, we grilled Mr. Mueller, we made him promise to do 
better, and he's done better.
    Now, let me ask you this, Mr. Woods. Isn't it true that a 
DEA agent investigating an American citizen can issue a 
subpoena for some person's telephone toll records if he thinks 
it's relevant to a drug-dealing operation?
    Mr. Woods. That is absolutely true.
    Senator Sessions. And IRS can get your bank records if they 
think you may be cheating on your income tax.
    Mr. Woods. That's correct. There are actually over 300 
Federal agencies that have administrative subpoena authority 
that is based on the relevance standard.
    Senator Sessions. And Mr. Nojeim, forgive me if I object, 
but I do not believe, and strongly reject the idea that we 
ought to give greater protection to terrorists and spies than 
we give to drug dealers and tax cheats. I just do not believe 
that's accurate, and fundamentally that is what I understood 
you to be saying.
    Mr. Nojeim. What I have said, Senator, is that intelligence 
investigations are different. If you're conducting a criminal 
investigation of a terrorist who may have committed a crime or 
a spy who may have committed espionage, which is a crime, the 
same rules apply. What we're talking about is a different kind 
of investigation, one untethered from a criminal charge or from 
criminal suspicion.
    Senator Sessions. Well, OK. Now, Senator Specter asked the 
question about specific and articulable facts, shouldn't that 
be the standard. Well, Mr. Woods, isn't it true that DEA 
doesn't have to quote articulable facts to get your telephone 
toll records?
    Mr. Woods. That's correct.
    Senator Sessions. Or the bank records.
    Mr. Woods. No. These--
    Senator Sessions. Or your motel records.
    Mr. Woods. All of these transactional records are basically 
available in the other context, criminal, administrative 
subpoenas, on relevance to the investigation, Senator.
    Senator Sessions. So we absolutely ought not to be adding 
greater difficulties for investigators investigating a life-
and-death situation, perhaps, than we do for drug dealers. And 
let's make this clear, Mr. Baker. You're a lawyer, and all of 
this. But the reason is, these are not the individual's 
records. These are records in the possession of a third party. 
They have a diminished right of privacy in those records 
because they're not their records. You can't subpoena an 
individual's home computer. You can't subpoena their personal 
records and obtain those records without a warrant, if they 
object. But you can subpoena records at the Office of Motor 
Vehicles, at the telephone records or bank records, right?
    Mr. Woods. That's correct. The Fourth Amendment protects 
things with respect to which you have an expectation of 
privacy, and the type of things we're talking about today, the 
transactional data, is not protected by the Fourth Amendment.
    Senator Sessions. And every day in America, Mr. Woods, 
every county attorney in America investigating any kind of 
misdemeanor or offense that wants records can issue a subpoena 
based on the standard of relevance to that investigation in 
every State in America that I know of. Would you agree?
    Mr. Woods. Yes, I would.
    Senator Sessions. And since time immemorial, that's been 
the standard that prosecutors have used.
    Mr. Woods. Yes.
    Senator Sessions. And how we're in this deal where we want 
to put more standards, more burdens on people who are trying to 
protect the American people from an attack is beyond my 
comprehension, and I'd object to it.
    Let me ask this, Mr. Woods. Let's say you're investigating 
a person that you think may be connected to--you have some 
indication they may be connected to Al Qaeda and you issue a 
subpoena on the relevance to the investigation and get those 
telephone toll records. You see a lot of other calls to someone 
else and you want to now subpoena that person's records to see 
if they may have--see what connections those phone numbers 
show.
    Now, in this context there may not be anything. It may be a 
perfectly innocent series of phone records you receive. But 
isn't it possible, and isn't it what we pay our investigators 
to do, if lo and behold there's a call to some known Al Qaeda 
number in Iraq or Afghanistan? Isn't that what we're about?
    Mr. Woods. Well, yes. I mean, that's the goal of these 
investigations, along with the goal of eliminating the people 
who are not, which is another function of these types of legal 
authorities.
    Senator Sessions. Well, I don't know if somebody got my 
phone--my time is up. We also need to be sure that the 
information we're obtaining is not the power to listen in on 
these phone calls, but it's just simply the telephone toll 
records that show where that person may have called in the 
past. Is that correct?
    Mr. Woods. That is correct. These national security letters 
do not get content of phone conversations or e-mail content.
    Senator Sessions. And I would point out that we tightened 
these standards when we reauthorized the PATRIOT Act. I didn't 
think they needed to be tightened, but we tightened them, all 
to make sure that spies and terrorists have their full rights--
in fact, more rights than we give the drug dealers in America.
    Senator Whitehouse. Senator Kyl? While I am chairing, I am 
going to be the last person here, I'm very happy to have you go 
ahead, if you would like to. I'd be happy to defer to you at 
this point.
    Senator Kyl. I am going to be here for a while, so please 
go ahead.
    Senator Whitehouse. Thank you.
    This is, I think, a very, very interesting question that we 
have and it's a very interesting hearing. I see it in a 
slightly different context than Senator Sessions does, although 
we share the experience of both having been prosecutors and 
U.S. Attorneys.
    It strikes me that there is a privacy interest that is 
raised that is separate from the privacy interest or value of a 
particular piece of data once you start to multiply and 
aggregate it into an enormous pool of data. It's something we 
don't have much guidance on from the Constitution, because at 
the time the Constitution was written the way an investigation 
worked was, the marshall or the sheriff came to your house, 
seized whatever evidence was necessary, brought it before the 
prosecutor or the magistrate, whoever, and when it was done, 
whether it was a bloody axe, a contract document, or whatever, 
it was either contraband, in which case it was destroyed, or it 
was of no value, in which case it was discarded, or it was 
returned and that was the end of that.
    Then along comes the Xerox machine. Now documents start to 
live on in the files of government agencies. Fortunately--or 
unfortunately--they are paper files. They're very hard to go 
back and search.
    So while they're still there for somebody who remembers, 
you know, in the so and so investigation I think we did this, 
let's go back and see what we found when we searched Joe 
Smith's house, we still have that in that file in this paper 
record, it's not a very live record.
    Now, electronically we can not only preserve it, but we can 
aggregate it and we can maintain it indefinitely, and we can 
build, in theory, a massive consolidated data base of all of 
this information that people could plow through at will.
    I do think, despite the fact that none of those individual 
pieces of data might rise over Fourth Amendment levels, it does 
raise a new question that we as a society need to address. So I 
would ask you to comment a little bit on those thoughts, and in 
particular the sort of nexus or matrix between the intensity of 
the privacy value of a particular piece of data that is sought 
versus the intensity of the investigation itself.
    I am not sure whether I would be more concerned as a 
citizen about my privacy if the government said, look, I want 1 
year's tax records for this one purpose or if they said, every 
phone call you have ever made, we are going to track who you 
made it to, when you made it, when it ended, and we're going to 
share it with all people who are interested.
    The privacy balance, I just think isn't that easy, yet it's 
hard to measure that intensity of government investigation 
component. It's so much easier when the document itself is the 
trigger. How would you recommend--do you have thoughts on how 
you'd recommend we cope with that concern? And I'll followup 
further.
    Mr. Baker. Senator, at the end of my written statement I 
have a statement in there about, as time goes by--you're 
exactly right--and our data collection capabilities increase, 
every human endeavor that can be reduced to a digital form will 
be collected by someone for some purpose, either commercially 
or for intelligence purposes or law enforcement. That's the 
direction we're heading in. These do become extremely powerful 
tools. They're powerful tools to protect the country. They're 
powerful tools that, when you have an urgent situation, you can 
go into a data base, you can search through, you can look for 
connections.
    Senator Whitehouse. And they're valuable tools. They're 
important tools, I think we all agree.
    Mr. Baker. Right. Extremely valuable.
    Senator Whitehouse. But they still need some--
    Mr. Baker. They need oversight. They need oversight and 
they need minimization. They need oversight by people. We can 
have all of our technology, we can have all of our systems, we 
can have all of our laws, quite frankly, but at a certain point 
in time the people matter.
    For example, it mattered that Glen Fine was Inspector 
General at the Department of Justice at the time that you 
ordered a review of these things. I've worked with Glen closely 
and he's a very tenacious, intelligent, hard-working person. It 
mattered who he was. So you really have to make sure you have 
the right people in those jobs, doing the right thing.
    At a certain point--I know time is almost up--you are 
right, I think, to focus on the Fourth Amendment issues. At a 
certain point in time, when the government's knowledge about 
our activities becomes so pervasive, that may, in fact, raise 
Fourth Amendment concerns. I think it's something that we're 
going to be struggling with.
    Senator Whitehouse. Let me interrupt you now, because my 
time has expired and I do have plenty of time with you once 
Senator Kyl has a chance to ask his questions, and yield to the 
distinguished Senator.
    Senator Kyl. Thank you very much. I think we all agree 
that, over time, the challenge presented by the acquisition of 
this transactional information is going to require us to 
develop new regimes or protocols of dealing with it.
    What I'd like to do, especially with regard to how long you 
keep it, I do suspect that the last thing government agencies 
are going to want are roomfuls of data that they can't do 
anything with because they're simply too massive.
    But what I'd like to do here is focus just a little bit on 
how this process actually works, the typical situation, because 
it gets to the standard that we're debating here and the reason 
why we went to a relevance standard.
    This is transactional information about which the 
individuals had no expectation of privacy. Mr. Woods, you had 
experience in actually doing this and actually supervising it. 
Give us an example of how it worked. I'm specifically 
interested in why it's different in the context of preventing a 
crime from being committed, a terrorist act, as opposed to 
investigating a crime that has been committed.
    Mr. Woods. OK. I think that probably the best example is 
the sort of classic terrorist threat scenario that we run into 
a lot these days, where there is information, perhaps from 
foreign intelligence, which indicates maybe a particular target 
or a particular city or a particular--there's been a foreign 
communication that is suspect. We don't know who made the 
communication, but it has enough characteristics that we're 
concerned about it and it says something about Washington, DC.
    This is thrown to the FBI in a proactive mode. What can the 
FBI do? Well, the FBI could say--say it's sort of an e-mail, or 
the FBI might want to look at other e-mails that had connected 
to the same source, maybe it's from an internet cafe or 
something like that, and just do a quick scan to see, is this 
point of communication been in contact with anybody else that 
we know about, anything that might give us a lead? That 
transactional information about those communications is 
certainly relevant to the threat. It would be, I think, 
impossible in those situations to make out a specific and 
articulable facts case.
    We don't know who the person on the other end of the 
communication is. We don't know for sure that they're an agent 
of a foreign power. It becomes very gray and circumstantial. We 
could spend a lot of time trying to work with that standard. 
That's kind of--I mean, that is why we asked, in the Bureau, 
for the relevance standard. There are situations where, you 
know, when the FBI is being mandated to be proactive and to 
depart from the investigative model, it's encountering these 
situations that don't fall into line with the standard that was 
designed for an investigative model. It is more dangerous. It 
is more risky in terms of civil liberties, but it is, in my 
view, what needs to be done now.
    I would focus, therefore, more on the oversight, retention, 
and minimization end of this than on the legal standard itself.
    Senator Kyl. Now, that is the precise thing that I think we 
need to focus on. Why would you do that? Why would you want to 
retain the relevancy standard rather than going back to the 
articulable facts standard that we discussed earlier? Why would 
minimization procedures or other oversight be a better answer 
to the privacy concerns?
    Mr. Woods. Well, I think the standard itself, the scenario 
that I laid out, I think is going to become more and more 
common. We're going to need to assess threats quickly. We're 
going to need to respond to them quickly. But by their very 
nature, many of them are going to fall into the sort of fuzzy 
environment that the relevance standard is far better for. I 
mean, there's a reason why it's the standard for criminal 
investigations. This is how you quickly figure out what's going 
on.
    I do think, though, where the system is breaking down is, 
once that's done, once that information is collected, how long 
do we keep it? What impulse is there for the government to sort 
through that? If I might, just one sort of side issue on this. 
The government--the FBI and other agencies--are facing two 
pressures. I mean, one is, get out there in front of the 
threats.
    The other pressure is, share information. These data bases 
didn't exist when I was first in the FBI. They exist now 
because of our examination of the failure of information 
sharing prior to 9/11. So I think with those two things 
together, you need to reinvigorate the rules on minimization 
and retention. They were never added to national security 
letter statutes in the first place. All these things came into 
existence without those, very unlike, say, FISA or criminal 
statutes in that regard. But that is why I would focus the 
attention there.
    Senator Whitehouse. Senator, can I just followup on that? 
Since it's down to just the two of us, we can be off the clock.
    Senator Kyl. Sure. That's fine. Go on, please. Senator 
Feingold might object to that now, but it's fine with me.
    Senator Whitehouse. Continue as long as you please, though.
    Senator Kyl. No. Let's just go ahead and have others 
respond to that if they like, and then a final comment. That 
will be fine.
    Mr. Nojeim. Mr. Woods has made a good case for the 
relevance standard, but the problem that we see with it is that 
it really doesn't have a good articulable end.
    Say, for example, the threat information that is received 
is that there's a terrorist in Washington, DC. What information 
is relevant to investigating that threat? Is information about 
everyone who is staying at a hotel in Washington relevant? Is 
information about everyone who rented a car in Washington 
relevant? It just seems like there's no end.
    Once you decide that information about who that person has 
communicated with is relevant, is information about who they 
communicated with also relevant, and so on, and so forth? So I 
guess the problem with the relevance standard is that it seems 
to untethered in that when we're talking about an intelligence 
investigation that is, again, not tied to the investigation of 
a particular crime, it seems like there's just no end to the 
information that could be obtained.
    Senator Kyl. I appreciate that point. But it seems to me 
that it, in some respects, ignores realities of life. That is, 
you've got some people who we have a lot of confidence in, 
we've given a great deal of authority to, to protect us from 
terrorism. We have put them into that position and they're in 
real-time situations trying to sort through a lot of material 
to be able to track something to get to the point where they 
can maybe stop a terrorist act from occurring.
    They don't have time in that context, it seems to me, to 
sit around saying, oh, look at this juicy bit of information, 
let's set that aside and maybe we can deal with that later and 
really embarrass this political figure, or why don't we stop 
what we're doing here and gather up all this information for 
some other purpose?
    I mean, they're on the tail of something, they're trying to 
get through it quickly. It seems to me that the problem is 
really quite the other way, and that is to be able to barrel 
through a whole of information as quickly as possible and not 
go back to what they just went through because it's of no 
immediate use to them, and they've simply got too much work to 
do to figure out what the terrorist attack might be to sit 
around and focus on all that.
    So I think that the realities, the practical realities 
don't suggest that the problem is a likely big problem. I 
think, though, that ultimately there's got to be some decision 
made about, OK, now that's over did all of that stuff get 
captured someplace or did we simply go through it and it's 
simply out there in the ether again? To the extent we did make 
a record of some of it, what should be done with it?
    I mean, I can see why privacy concerns there would require 
some mitigation or some procedures and protocols and so on. But 
during the process of trying to prevent the crime or the 
terrorist act itself, it seems to me that the broader standard 
giving them more flexibility and leeway to protect us is the 
appropriate way to approach it. That's my own point of view 
which I believe is pretty consistent with Mr. Woods'.
    Senator Whitehouse. The Senator from Wisconsin?
    Senator Feingold. Thank you, Mr. Chairman.
    Let me briefly respond to what Senator Sessions, and to 
some extent Senator Kyl, said about the standard for getting an 
NSL. Senator Sessions mentioned grand jury subpoenas, which of 
course are to investigate crimes.
    I believe that Congress should change the current relevance 
standard for NSLs. Intelligence investigations are not, as has 
been pointed out, subject to the same built-in checks that are 
present in criminal investigations. They are much broader, 
meaning that virtually anything could be relevant to an 
intelligence investigation. They are conducted entirely in 
secret. Investigative techniques are rarely tested through the 
adversary judicial process. I think that is why more oversight 
is needed, and that is why a more targeted standard is needed 
for the NSL authority.
    So in that connection I would like to ask Mr. Nojeim, we 
have heard a proposal today for a new national security 
subpoena authority. Would you please address your thoughts on 
that proposal?
    Mr. Nojeim. I think that if the response to the Inspector 
General's reports is that there be a broader collection 
device--and that's what these subpoenas would be--that it's 
exactly the wrong response.
    It's not clear to me who could receive one of these 
subpoenas. It does seem to me that they could be received by 
anyone as opposed to just the limited entities that are now 
possible recipients of national security letters.
    There was no discussion about the gag that would come with 
one of these subpoenas. I put those two together because I 
think about who might be a recipient. What we're talking about 
is expanding the class of people who might receive a demand 
from the FBI for information, but, the demand says that they 
can't disclose anything about that demand.
    It could be served on any person. I just don't know how my 
mom would respond to that request. I don't know how other 
people would respond to that request. I don't think that we 
should go in that direction as a result of the abuses that have 
been uncovered in the IG reports.
    Senator Feingold. I couldn't agree with you more. I can't 
imagine how granting the FBI administrative subpoena authority 
is a response to evidence of abuse of their current authority. 
We just barely dodged this bullet in the last round. For this 
to be a response to what we learned about the NSLs strikes me 
as kind of bizarre.
    Mr. Nojeim, two Supreme Court decisions in the 1970s 
determined that Americans do not have Fourth Amendment rights 
to information they reveal to their phone companies or banks, 
such as the phone numbers they dial or the checks they write.
    Given the unprecedented technological advances of the past 
30 years, do you think these decisions would come out the same 
way again today?
    Mr. Nojeim. I think they're on shaky ground today. Take 
Smith v. Maryland, for example. That's the decision where the 
court decided that numbers dialed on a telephone didn't have 
Fourth Amendment protection. They reached that decision in part 
because those numbers dialed are not so revealing. The court 
said, for example, you can't even tell whether the telephone 
call was actually completed. You can't tell who was 
communicated with when those numbers were dialed.
    Fast forward to today and think about the kinds of 
information that qualify as metadata, but that are much more 
revealing. E-mail ``to''/``from'' information. It's usually the 
case that you know who you're communicating with and the 
government will know when it gets that information. It knows 
the communication actually happened. So right there, it's much 
more revealing.
    URL information--where a person went on the Internet. The 
closest parallel to that is probably library sign-out records, 
and most States protect those and require extra procedures. 
Yet, in the internet context, URL information, at least before 
the first backslash, is available with a national security 
letter.
    Senator Feingold. I commend all the witnesses for their 
testimony today. Mr. Nojeim, I particularly commend you for 
your ability today to distinguish not simply between metadata 
and content, but to point out that within the context of 
metadata there really need to be distinctions. It's not simply 
one kind of information or another, there are vast differences. 
You've done an excellent job of pointing out the dangers of not 
having those kind of distinctions within the metadata category.
    Thank you, Mr. Chairman.
    Senator Whitehouse. Thank you.
    I will sort of pick up where I left off, because I find 
this subject so intriguing. I think it's our next really big 
civil liberties issue to address. Does anyone dispute that it 
is essentially inevitable that, given the way we can 
electronically gather and store data, government data bases 
containing personal information are going to continue to 
proliferate and that, given the ease with which access to 
different electronic data bases can be increasingly achieved, 
there will be more and more access points for government 
agencies to those data bases? Are we not, to some degree, 
headed for a situation in which there is essentially a large, 
multi-accessed, multi-inputted, but essentially single 
government data base containing a vast amount of personal data 
related to American citizens?
    Mr. Baker. Senator, there may be a number of reasons you 
wouldn't want to create one data base, but you could have data 
bases that are linked in certain ways.
    Senator Whitehouse. Linkage makes it effectively the same, 
I think.
    Mr. Baker. It would allow you, with certain tools, to go 
through the different data bases. If your query fit the 
criteria for going into a data base, you could come up with 
some kind of a model to do that. So, I think that's right.
    If I could just quickly respond to something that Senator 
Feingold said before he left, since it was my sort of bizarre 
idea to come up with this national security subpoena. Just, I 
want to be clear, and when Senator Kyl was talking about the 
different standards that apply, you can have relevance, you can 
have specific and articulable facts, you can have probable 
cause, but relevance, specific and articulable facts as to 
what? As to what? You have a twofold task in front of you. You 
have to pick the right standard, the right predication, how 
much facts you want to support it, but then as to what? You 
need to think about that.
    My concern is, and the reason I came up with this bizarre 
idea--other people have too--is that if you raise the standard 
with respect to national security letters so high, FBI agents 
in the field will find some other way to get what they need 
because they are charged with, and have tremendous pressure on 
them, to prevent the next attack, as we all know.
    So if national security letters are too difficult, well, 
let's see if we can find something else. 215? Oh, you've got to 
go to a judge. That's a pain in the neck; forget that. Oh. 
Grand jury subpoena? I'll just go to this AUSA that I work with 
all the time, we'll get that, and there's no court oversight in 
the real-time sense and you just get it from the AUSA. There's 
no minimization requirements. Boom, we've got it.
    We've got the information that I believe I, the agent, need 
to protect the country and I'm not going to mess with these 
other statutes. So the volume will drop with respect to 
national security letters, it will be a less effective tool, 
but your insight into what is going on--your, the Congress' 
insight--the government's insight will just change. It will be 
harder to conduct oversight of those kinds of activities, and I 
urge that you worry about that.
    Senator Whitehouse. I understand that. But I think, in 
addition to the question you have raised of the ``how do you 
get it'' problem, we also have to address the ``what do you 
with it'' problem, which I think, as those of us familiar with 
this area--we would generally categorize that as the 
minimization problem. So you've got the ``how do you get it'' 
problem, then once you've got it, what do you do with it, how 
long can you keep it, do you destroy it, who can you connect to 
it, all that sort of stuff.
    Then you have, as you mentioned, the predication problem, 
which is, who is allowed to query it. Who's allowed to hit the 
data base and under what circumstances? Is strikes me that if 
we're going to solve this problem we have to address really all 
of those three issues, that those are the three big prongs of 
this question from the government's point of view: what are you 
allowed to get, what are you allowed to do with it once you get 
it, and who are you allowed to let have a look at it, and on 
what terms?
    Mr. Nojeim. And to add just a couple more things. Not just 
what can you get, but what do you have to show to get it, and 
also what do you do with it after a few years? I mean, do you 
just throw it away or do you save it to see whether it might be 
useful in some other investigation 10 decades from now? I think 
that your--
    Senator Whitehouse. And minimization, I think, has become a 
hugely moving target. In my days as a U.S. Attorney, 
minimization basically meant that the agent flipped off the 
switch on the microphone and stopped listening when it became 
apparent that the conversation was with the subject about pork 
chops for the weekend, that he'd called the butcher. Once you 
learned that this was an every Thursday call for Friday dinner, 
you didn't listen to it at all because you didn't any longer 
have a reasonable basis to listen to it. It was just kind of 
that simple.
    Now, particularly in the FISA minimization context, it's 
gotten much more complex, much more deep in time, and into 
questions of distribution. So the simple ground rules very 
recently have had to adapt to a much more complex landscape, 
and I'm not sure that they're well understood.
    Yes, Mr. Woods?
    Mr. Woods. Senator, there is a reason for that. That is--
and we keep coming back to this matter of intelligence 
investigations--this is fundamentally different than the 
criminal context in that the adversaries we are facing are 
different. We are facing intelligence services with the full 
resources and backing of foreign governments. We are facing 
transnational terrorist groups.
    So FISA minimization, for example, is structured after the 
fact, I think largely because of the language difficulties. You 
may be intercepting something on FISA that's in a dialect of, 
choose the language, and therefore the Congress allowed that to 
be done after the fact. I think we face the same thing here. To 
go to your earlier comments, it is important to remember that 
these intelligence investigations are not solely restrained by 
these statutes. We have 30 years of oversight, of regulation, 
of Attorney General guidelines, of executive orders.
    The reason I put so much emphasis on retention/minimization 
issues is, over the years that has been the least-glamorous 
part of this work. I would say that minimization rules are 
stuck in the Xerox era, at best. What we need--I mean, 
minimization in the FBI, in my experience, was done with 
respect to FISA quite carefully, and one of the reasons is that 
every so often the Justice Department comes by and audits it. 
There's nothing like that. We've had national security letters 
since 1986. This is the first serious audit of how they are 
being used. I think, going forward, the Committee really ought 
to look at creating some of that, and at the same time maybe 
look at updating stuff from the Xerox era to something a little 
closer now.
    Senator Whitehouse. I also felt that the minimization 
process in Federal investigations that I oversaw, and at State 
investigations--I was a State Attorney General as well--was 
helped by the prospect that the Rhode Island State Police, 
local FBI agents, Secret Service agents, or ATF agents had that 
they were operating pursuant to an order allowing them to do 
this, which incorporated in its terms the legal requirement 
that they follow the minimization procedures, and that there 
was the prospect that a judge might at some point take an 
interest and say, you know, I signed this order and gave you 
the authority to collect this stuff, I told you you had to do 
it under these terms, I want to have a look. And just the 
prospect, I think, of judicial oversight was very helpful.
    It's one of the reasons we've had this fight on the Foreign 
Intelligence Surveillance Act, because they put out 
minimization rules but they wouldn't let it be set up so that 
the FISA court ever had the authority to see if they were being 
complied with, which completely undercut that motivation. I 
thought that was mistake, and thankfully I think we've 
corrected that in the FISA statute.
    Mr. Nojeim. I think that one of the reasons that we need 
the NSL Reform Act is that it requires that minimization 
procedures be adopted. There was a provision in the 
reauthorization legislation that required the Attorney General 
and the DNI to study whether minimization would be feasible. An 
NSL working group involving both agencies was put together. 
They recommended basically the FISA minimization procedures, 
but the Attorney General rejected that. I think it's time for 
you to say, we're going to have to step in and require that 
these minimization procedures be adopted.
    Senator Whitehouse. A lot of very sensible stuff seems to 
have been rejected for reasons that make absolutely no sense to 
me.
    Senator Kyl?
    Senator Kyl. Well, let me just play off that point. There's 
a hierarchy of values here. One, is the protection of the 
American people from known dangerous enemies who have struck us 
with great destruction. We have instructed others in our 
government to see that that never happens again. Every one of 
us ought to be strongly committed to that.
    Now, we also have the potential prospect of violations of 
privacy that might have an adverse consequence on someone, but 
I don't think there's a lot of evidence that that's happened 
yet.
    I recall the words of the FBI agent who, about two and a 
half weeks before 9/11, complained to another that, because of 
the wall that separated two groups within the FBI, the 
Terrorist and Criminal Investigation, that someday somebody was 
going to get killed and then questions would be asked, and of 
course that's what happened.
    So on the one hand, we have something that is critical for 
the protection of the American people, and we've seen 
breakdowns in that because we set up artificial legal barriers 
to the exchange of information and collection of information. 
On the other hand, we're all concerned about privacy because we 
can see in the future, if not today, a ballooning of 
information and access to information, and we're rightly 
concerned about how that's all used.
    But I suggest we keep this in perspective, and that 
enabling the people to do the job to protect this starts with, 
I would argue, a lower standard like the relevancy kind of 
standard. Then in order to prevent that other potential from 
occurring, you can build on it. All of you have addressed that 
in one way or another, and I think we're all in agreement that 
both of those require work.
    But just another specific example that we fixed, Zacharias 
Mousawi. He didn't fit into the two ways that you could get 
information. We couldn't prove that he was an agent of a 
foreign power or that he belonged to a terrorist organization. 
They don't carry cards anymore. He was acting on his own in 
concert, ultimately, with another group. So we had to create a 
third category after the fact, unfortunately.
    What it demonstrates is, I think we need to be a little bit 
more liberal on the front end for the purposes of the 
protection of the American people, and then make sure that, 
whether it's minimization procedures or other kinds of 
protocols that ensure the privacy of the American people, to 
put those into place. But looking at the relative challenges 
and relative threats and relative harms that have occurred so 
far, it seems that some may be balancing these equities, I 
think, in the wrong way.
    I would hope that as we draw on your expertise--all three 
of you have been very valuable to this exercise today. As we 
continue to draw on your expertise, would you also take into 
account what I am trying to say here? Because as policymakers, 
we've got to take all of these things into consideration. It 
seems to me that--well, I've made my point. If any of you would 
like to comment, I still have a little bit of green left.
    Mr. Baker?
    Mr. Baker. Yes, Senator. With respect to the law, I mean, 
Michael and I both lived through the era of the wall and we can 
probably go on for quite a bit of time about that.
    But let me just say, that's why I focused on creating--
urging you to create--a system that's simple and effective. One 
of the lessons from the wall was, the rules were complex, the 
rules were misunderstood, and people were afraid of the adverse 
consequences to their career of making a mistake, so they 
didn't do what they should have done in certain instances with 
respect to sharing information.
    I think that's one of the things you don't want to have 
happen here. I think with respect to the current regime that we 
have, as reflected in the IG's report, you do have confusion 
about what these statutes allow: you do have confusion with 
respect to what the scope is, you have confusion about what the 
standard is.
    So, I think that has contributed to the situation that we 
find ourselves in today. The only other comment I would make 
is, the IG's report with respect to national security letters 
are bad facts. I mean, that is a very bad situation. All I 
would suggest to the Congress, as we all learned in law school, 
bad cases make bad law. My urging is, don't let that happen.
    Senator Kyl. But fix the bad cases.
    Mr. Baker. Fix the bad cases, but make sure you don't 
inadvertently create some other problem.
    Mr. Nojeim. I think if we can learn one thing from the IG 
reports, it's that people who mean well and are in the business 
of collecting this information didn't do a good job about 
following the rules. I think there's just no question about 
that when you look at the Inspector General reports.
    I think there's also no question that some of the reforms 
that the FBI put in place are going to address some of those 
problems, but the bigger problems can't be addressed by 
changing the people who do the work or by changing what work 
they do. There just has to be a judicial check at some point in 
this process when the information is particularly sensitive. 
Again, the principle that we're asking you to abide by is that 
the more sensitive information ought to be under that judicial 
check, and that less sensitive identifying information could 
still be sought without it.
    Senator Kyl. A final word, Mr. Woods?
    Mr. Woods. All right.
    Senator Kyl. Again, thank you to all three of you. I 
appreciate it.
    Mr. Woods. I actually agree with what both of the other 
witnesses have been saying, in principle. I think the committee 
should be guided by a rule of proportion. I mean, I read the IG 
reports and I see errors and ineptitude in the nuts and bolts 
of this, the kind of right documentation here, what should be 
uploaded, what shouldn't be uploaded. I do not see, as one 
sometimes hears in the discussions, a malevolent presence in 
the government that is bent on subverting people's civil 
liberties or obtaining information that it should not obtain.
    I think the remedy ought to reflect the reality of what's 
in those reports, which to me means concentrating a lot of 
effort on that nuts-and-bolts level and not ratcheting up the 
legal standard that affects every case, or attempting to sort 
of, you know, throw up our hands and say, this is scary and 
we're going to try to back off, because that affects the 90 
percent of the cases that didn't even have these nuts-and-bolts 
problems in the IG report. That's what I've been trying to 
argue, and I'm happy to assist the Committee, as I'm sure my 
colleagues are.
    Senator Whitehouse. Well, I agree with you that there are 
two very different issues here. One is the very simple, old-
fashioned bureaucratic foul-up that took place at the FBI with 
respect to the implementation process for these NSLs, and that 
is an important problem. It's a problem that we have drilled 
into, that the Inspector General has drilled into that I think 
a variety of initiatives will help to minimize. But every time 
we touch on this issue I think it raises these larger questions 
of, really, what the rules are. I don't think we've adapted 
well enough yet to this modern electronic world in which there 
are vast pools of information available.
    I do think that the privacy of American citizens is a core 
value in our society and it's a core value for a reason because 
it affects the balance of power, if you will, between 
government and citizenry. In a democracy, that is absolutely 
vital. So I give it, perhaps, a higher value than some of my 
colleagues do.
    But wherever you assign its value, I think I agree with the 
Senator from Arizona's point, that the American people could 
feel more comfortable about what information is made available 
to law enforcement if they had a higher level of comfort with 
what would happen to it once law enforcement had its hands on 
it in terms of its duration, maintenance, and all of that, and 
with what uses it would be put to and who would have access to 
it.
    So I see the question as how you define what the government 
can get access to, how you define what the government can do 
with it once it's been allowed to get access to it, and how you 
define who's allowed to query that pool of information which, 
in a nutshell, are access, minimization, and predication, as 
related phenomena that I think this Committee and this Congress 
are going to have to deal with. I think I will ask you for 
final comments, because we're nearly done with our time. Your 
thoughts on how you see those are three related, cross-
referencing, interwoven concepts.
    Mr. Baker?
    Mr. Baker. Well, I think you're exactly right, Senator. If 
you look at old FISA that we've been talking about, the 
original FISA, that required minimization of acquisition in 
terms of, what does the government get and why; minimization of 
retention: once you've gotten it, what do you keep? Do you 
throw certain things away? Who has access to it? What do they 
do with it? Where do they store it? How can they look at it? 
And then minimization of dissemination: Who can they give it 
to, what purpose can they use it for, and so on.
    If you look at the definition of minimization under FISA, I 
think it's a pretty good one because it says that the Attorney 
General will approve minimization procedures that will be 
reviewed by the court and approved by the court, but that--on 
the one hand, do all that, limit the acquisition, retention, 
and dissemination of non-relevant, non-pertinent U.S. person 
information, consistent with the need of the United States to 
obtain, produce, and disseminate foreign intelligence 
information.
    So you've got to have the right balance, exactly what 
you're saying. You've got to have the right access to the right 
data, at the right time, for the right purposes, and to be able 
to use it effectively for what we all want to accomplish. So I 
think that is what you are focused on. I think that's exactly 
right.
    I would just add in, as we discussed earlier, you need to 
think about how long we're going to keep this stuff. As these 
data bases grow at a certain point in time, what should we be 
throwing away? Stuff that has not been found to be relevant or 
pertinent to an investigation in the sense that it's produced a 
lead that's really, really good during a 5-year period, should 
we throw it away at that point in time, or what are we going to 
do with it?
    Senator Whitehouse. Mr. Nojeim?
    Mr. Nojeim. It seems to me your ability to control some of 
the things that you want to control is limited, but is 
available for some of the things you want to deal with. So, for 
example, on ``what is the quality of the employees that are 
doing this work, accessing this information? '' I don't think 
you're going to have a lot of control over that.
    You'll be able to approve the people at the top, but the 
people below them you're not going to be able to control that 
much. ``Who in government can get the information once it's 
uploaded into one of the databases? '' I don't think you're 
going to want to put a lot of limits on that because of the 
imperative toward information sharing. So you might, but 
probably won't put limits on that. I think that we're really 
looking at the front end and the back end.
    Senator Whitehouse. Well, the logical limit on that, just 
to interject, would be not who gets access to it so much as 
when they get access, the predication question.
    Mr. Nojeim. For what purpose. For what purpose they get 
access.
    Senator Whitehouse. At what point does somebody in the 
government say, I'm interested in Mr. Nojeim's file, let me 
pull that up? It shouldn't be just on every government 
computer. There should be a question that has to be answered 
first: I need this because X. Particularly in the public 
corruption world, you've got to predicate before you can go 
after a public official. I think there's a similar test. It's 
not just who has access, it's what is required. What's the 
question that they have, and is it a legitimate question?
    Mr. Nojeim. I think that's exactly right. I think it's very 
hard to legislate because there are just so many contexts in 
which you're going to have to think down the road. I think that 
it's worth talking about.
    I also think, though, where you can be most effective is at 
the front end and the back end. It's articulating a standard 
that is what permits the data to get into the data base in the 
first place, and articulating the minimization procedures that 
must be followed for getting it cleared out at the end of the 
day.
    Senator Whitehouse. Yes. I appreciate it. Thank you.
    Mr. Woods, it looks like you have the final word.
    Mr. Woods. I think that we shouldn't simply take a step 
because it's easy. It's easy to look at the front end and say 
we need to change the standard. I really do believe that the 
core of this is in the sort of middle and back end of this, 
controlling what is done with information. But I would just end 
on your point about--
    Senator Whitehouse. In terms of the interrelationship, do 
you agree that if we're going to really get this right we're 
going to have to focus on not only acquisition, but also 
minimization and retention and also predication and the 
querying function, and that those three need to be seen as a 
coordinated group?
    Mr. Woods. They are all linked. I think--and you're seeing 
this--as soon as you enter into this question you get pulled 
into the much broader issue of information sharing, of access 
to digital information. I think a very important issue, and 
that is public confidence. Things like the IG report shake 
public confidence and make the public concerned about these 
issues. I don't think the public understands how their 
information is handled, either by the government or by 
commercial entities. It is a very large question and I think I 
would just urge the Committee to stick with it. It's not going 
to be easily resolved, but it desperately needs doing.
    Senator Whitehouse. Good.
    Well, I want to thank all the witnesses. I think this has 
been a helpful and interesting day. I would urge you also to 
stick with it and keep doing your work, and keep hammering on 
Members of Congress to get to this. We are, I think, in a very 
interesting time, driven by the technological leaps that we've 
taken. I will close by repeating the observation I made at the 
beginning when the Founding Fathers were designing the Fourth 
Amendment. It never crossed their mind that the sheriff would 
keep any evidence. It would be thrown out. It would be used at 
trial and it would be returned, or be destroyed if it was 
contraband. That was it.
    Now we have this facility for maintaining huge amounts of 
information and it raises a question that, because the Founding 
Fathers did not face, we can't go and grab an answer off the 
shelf. This generation has to figure it out based on the 
principles that have made this country great. I think it's a 
fascinating topic, and I appreciate your attention to it
    The record will remain open for 7 days for any additional 
submissions anybody chooses to make.
    The hearing is hereby adjourned.
    [Whereupon, at 11:54 a.m. the Committee was adjourned.]
    [Questions and answers and submissions for the record 
follow.]
[GRAPHIC] [TIFF OMITTED] T2457.001

[GRAPHIC] [TIFF OMITTED] T2457.002

[GRAPHIC] [TIFF OMITTED] T2457.003

[GRAPHIC] [TIFF OMITTED] T2457.004

[GRAPHIC] [TIFF OMITTED] T2457.005

[GRAPHIC] [TIFF OMITTED] T2457.006

[GRAPHIC] [TIFF OMITTED] T2457.007

[GRAPHIC] [TIFF OMITTED] T2457.008

[GRAPHIC] [TIFF OMITTED] T2457.009

[GRAPHIC] [TIFF OMITTED] T2457.010

[GRAPHIC] [TIFF OMITTED] T2457.011

[GRAPHIC] [TIFF OMITTED] T2457.012

[GRAPHIC] [TIFF OMITTED] T2457.013

[GRAPHIC] [TIFF OMITTED] T2457.014

[GRAPHIC] [TIFF OMITTED] T2457.015

[GRAPHIC] [TIFF OMITTED] T2457.016

[GRAPHIC] [TIFF OMITTED] T2457.017

[GRAPHIC] [TIFF OMITTED] T2457.018

[GRAPHIC] [TIFF OMITTED] T2457.019

[GRAPHIC] [TIFF OMITTED] T2457.020

[GRAPHIC] [TIFF OMITTED] T2457.021

[GRAPHIC] [TIFF OMITTED] T2457.022

[GRAPHIC] [TIFF OMITTED] T2457.023

[GRAPHIC] [TIFF OMITTED] T2457.024

[GRAPHIC] [TIFF OMITTED] T2457.025

[GRAPHIC] [TIFF OMITTED] T2457.026

[GRAPHIC] [TIFF OMITTED] T2457.027

[GRAPHIC] [TIFF OMITTED] T2457.028

[GRAPHIC] [TIFF OMITTED] T2457.029

[GRAPHIC] [TIFF OMITTED] T2457.030

[GRAPHIC] [TIFF OMITTED] T2457.031

[GRAPHIC] [TIFF OMITTED] T2457.032

[GRAPHIC] [TIFF OMITTED] T2457.033

[GRAPHIC] [TIFF OMITTED] T2457.034

[GRAPHIC] [TIFF OMITTED] T2457.035

[GRAPHIC] [TIFF OMITTED] T2457.036

[GRAPHIC] [TIFF OMITTED] T2457.037

[GRAPHIC] [TIFF OMITTED] T2457.038

[GRAPHIC] [TIFF OMITTED] T2457.039

[GRAPHIC] [TIFF OMITTED] T2457.040

[GRAPHIC] [TIFF OMITTED] T2457.041

[GRAPHIC] [TIFF OMITTED] T2457.042

[GRAPHIC] [TIFF OMITTED] T2457.043

[GRAPHIC] [TIFF OMITTED] T2457.044

[GRAPHIC] [TIFF OMITTED] T2457.045

[GRAPHIC] [TIFF OMITTED] T2457.046

[GRAPHIC] [TIFF OMITTED] T2457.047

[GRAPHIC] [TIFF OMITTED] T2457.048

[GRAPHIC] [TIFF OMITTED] T2457.049

[GRAPHIC] [TIFF OMITTED] T2457.050

[GRAPHIC] [TIFF OMITTED] T2457.051

[GRAPHIC] [TIFF OMITTED] T2457.052

[GRAPHIC] [TIFF OMITTED] T2457.053

[GRAPHIC] [TIFF OMITTED] T2457.054

[GRAPHIC] [TIFF OMITTED] T2457.055

[GRAPHIC] [TIFF OMITTED] T2457.056

[GRAPHIC] [TIFF OMITTED] T2457.057

[GRAPHIC] [TIFF OMITTED] T2457.058

[GRAPHIC] [TIFF OMITTED] T2457.059

[GRAPHIC] [TIFF OMITTED] T2457.060

[GRAPHIC] [TIFF OMITTED] T2457.061

[GRAPHIC] [TIFF OMITTED] T2457.062

[GRAPHIC] [TIFF OMITTED] T2457.063

[GRAPHIC] [TIFF OMITTED] T2457.064

[GRAPHIC] [TIFF OMITTED] T2457.065

[GRAPHIC] [TIFF OMITTED] T2457.066

[GRAPHIC] [TIFF OMITTED] T2457.067

[GRAPHIC] [TIFF OMITTED] T2457.068

[GRAPHIC] [TIFF OMITTED] T2457.069

[GRAPHIC] [TIFF OMITTED] T2457.070

[GRAPHIC] [TIFF OMITTED] T2457.071

[GRAPHIC] [TIFF OMITTED] T2457.072

[GRAPHIC] [TIFF OMITTED] T2457.073

[GRAPHIC] [TIFF OMITTED] T2457.074

                                 
