[Congressional Record Volume 153, Number 54 (Wednesday, March 28, 2007)]
[Senate]
[Pages S4039-S4042]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                      NSL INSPECTOR GENERAL REPORT

  Mr. FEINGOLD. Mr. President, I wish to speak today about the recent 
report by the inspector general of the Department of Justice on the 
FBI's use of national security letters. According to the inspector 
general's testimony before the Judiciary Committee, there was 
``widespread and serious misuse of the FBI's national security letter 
authorities''--misuse that violated statutes, Attorney General 
guidelines, and internal FBI policies. I was deeply concerned by the 
findings in that report. Unfortunately, I was not surprised.
  The national security letter, or NSL, authorities were dramatically 
expanded by Sections 358 and 505 of the PATRIOT Act. Unfortunately, in 
its haste to pass this flawed legislation, Congress essentially granted 
the FBI a blank check to obtain some very sensitive records about 
Americans, including people not under any suspicion of wrong doing, 
without judicial approval. So it is not surprising that the inspector 
general identified serious problems with the implementation of these 
broad authorities. Congress gave the FBI very few rules to follow. As a 
result, Congress shares some responsibility for the apparently lax 
attitude and in some cases serious misuse of these potentially very 
intrusive authorities by the FBI.
  This inspector general report proves that ``trust us'' doesn't cut it 
when it comes to the Government's power to obtain Americans' sensitive 
business records without a court order and without any suspicion that 
they are tied to terrorism or espionage. It was a grave mistake for 
Congress to grant the Government broad authorities and just keep its 
fingers crossed that they wouldn't be misused. We have the 
responsibility to put appropriate limits on Government authorities--
limits that allow agents to actively pursue criminals and terrorists 
but that also protect the privacy of innocent Americans.
  But let me back up a few steps. What are NSLs, and why are they such 
a concern? I am going to spend a little time on this because it is 
important. I believe there should be a legislative response to this 
report, so I want my colleagues to understand what we are dealing with 
here.
  National security letters are issued by the FBI to businesses to 
obtain certain types of records. So they are similar to the 
controversial section 215 business record orders but with one very 
critical difference. While section 215 involves an application to the 
FISA Court, the Government does not need to get any court approval 
whatsoever to issue NSLs. It doesn't have to go to the Foreign 
Intelligence Surveillance Court or any other court and make even the 
most minimal showing. Under the PATRIOT Act, the FBI can simply

[[Page S4040]]

issue the order signed by the special agent in charge of a field office 
or some other supervisory official--although we now know that many NSLs 
were issued without even the signatures required by the PATRIOT Act.
  Prior to the PATRIOT Act, the FBI had to certify specific and 
articulable facts giving reason to believe that the records sought with 
an NSL pertained to a terrorist or spy.
  But the PATRIOT Act expanded the NSL authorities to allow the 
Government to use them to obtain records of people who are not 
suspected of being or even being connected to terrorists or spies. The 
Government need only certify that the documents are either ``sought 
for'' or ``relevant to'' an authorized intelligence investigation, a 
far-reaching standard that--even if followed closely, which we now know 
it was not--could be used to obtain all kinds of records about innocent 
Americans. Indeed, as the inspector general suggested, it could be used 
to ``access NSL information about parties two or three steps removed 
from their subjects without determining if these contacts reveal 
suspicious connections.'' And just as with section 215, the recipient 
is subject to an automatic, permanent gag rule.
  NSLs can be used to obtain three categories of business records, 
while section 215 orders can be used to obtain ``any tangible things.'' 
But even the categories reachable by an NSL are quite broad, and the 
PATRIOT Act and subsequent legislation expanded them further.
  Specifically, NSLs can be used to obtain the following: First, 
subscriber and transactional information related to Internet and phone 
usage, including information about the phone numbers and e-mail 
addresses that an individual is in communication with. Second, full 
credit reports. Prior to the PATRIOT Act, the FBI could not get a full 
credit report without obtaining a court order--it could only obtain 
what is called ``credit header'' information, which includes name, 
current and former addresses, current and former places of employment, 
and the names of financial institutions at which the individual has 
accounts. But the PATRIOT Act expanded that authority to include full 
credit reports, which generally include many personal details about 
loans, credit scores, and other aspects of individuals' financial 
situations. And the third category is financial records, a category 
that includes bank transactions but also was expanded in 2002 to 
include records from all kinds of everyday businesses like jewelers, 
car dealers, travel agents and even casinos.
  Unfortunately, the PATRIOT Act reauthorization legislation that was 
enacted last year--over my opposition--did nothing to address the 
standard for issuing an NSL. It left in place the breathtakingly broad 
``relevance'' or ``sought for'' standards. Not only that, but it left 
in place the automatic gag rule for NSL recipients, albeit with a new 
exception for notifying a lawyer.
  What did the reauthorization legislation do with regard to NSLs? 
Well, primarily it created the illusion of judicial review, both for 
the letters themselves and for the accompanying gag rule. At a 
Judiciary Committee hearing this week, the FBI Director pointed to this 
after-the-fact judicial review provision as a privacy protection for 
NSLs. But if you look at the details, it was drafted in a way that 
makes that review virtually meaningless. With regard to the NSLs 
themselves, the reauthorization permits recipients to consult their 
lawyer and seek judicial review, but it also allows the Government to 
keep all of its submissions secret and not share them with the 
challenger, regardless of whether there are national security interests 
at stake.

  The other significant problem with the judicial review provisions is 
the standard for getting the gag rule overturned. In order to prevail, 
the recipient has to prove that any certification by the Government 
that disclosure would harm national security or impair diplomatic 
relations was made in bad faith. This is a standard of review that is 
virtually impossible to meet.
  Now, judicial review is not at issue in the IG's report, and indeed, 
the chances that a business receiving an NSL would seek judicial review 
rather than just comply are relatively slim, but I think it is 
important to point out that even on the one issue that the 
reauthorization legislation did address with regard to NSLs, judicial 
review, the result was entirely inadequate.
  I want to make one additional point about national security letters. 
There is a crucial difference between obtaining records in national 
security investigations and in standard criminal investigations. As the 
General Counsel of the FBI testified before the House Judiciary 
Committee last week, actions in national security investigations ``are 
typically taken in secret and they don't have the transparency of the 
criminal justice system.'' She explained that in the criminal system, 
agents know that ``if they mess up during the course of an 
investigation, they're going to be cross-examined, they're going to 
have a federal district judge yelling at them.'' That means that more 
vigorous controls and compliance mechanisms are needed with respect to 
sensitive authorities like national security letters than their 
analogues in the criminal justice system--something I think the 
inspector general report demonstrates.
  With that background, what did the inspector general find as a result 
of his audit of the use of NSLs from 2003 to 2005? He found that even 
the very limited protections in the existing statute were not being 
followed.
  The inspector general found, based on FBI records, that the FBI's use 
of NSLs expanded exponentially after the PATRIOT Act, moving from 
approximately 8,500 requests in 2000, to 39,000 requests in 2003, 
56,000 requests in 2004, and 47,000 requests in 2005. The total number 
of requests was 143,074 over the 3-year period.
  But the inspector general also found that even those numbers are 
inaccurate because the FBI had no policies in place with respect to the 
retention or tracking of NSLs. In many cases, agents did not even keep 
copies of signed NSLs. As a result, the FBI significantly undercounted 
its NSL requests. In a sample of 77 case files that the IG looked at, 
the NSL requests were undercounted by roughly 22 percent.
  Although it is hard to know how much can be extrapolated from that 
figure, if that figure holds throughout the Bureau, that could mean 
that there were roughly 30,000 more NSL requests issued that the FBI 
didn't keep track of. That is appalling--that the privacy rights of 
Americans would be treated so cavalierly that there are potentially 
tens of thousands of NSL requests out there that the FBI itself doesn't 
even have a record of. And it resulted in inaccurate information being 
reported to Congress about the use of NSLs, raising another grave 
concern.
  What else did the inspector general find? He found that the use of 
NSL requests regarding U.S. persons--that is, citizens and legal 
permanent residents--shifted from 39 percent of all NSL requests in 
2003 to 53 percent of all NSL requests in 2005, at least with respect 
to the NSL requests for which the FBI kept track of the U.S person 
status of the target. And, until 2006, the FBI did not keep track of 
how many NSL requests pertain to individuals who are not the subjects 
of authorized national security investigations. Obviously, if the FBI 
is using NSLs frequently to obtain information about people who are not 
the subjects of open investigations, that would present serious 
concerns about their use.
  The inspector general also found that the FBI significantly 
underreported violations of the NSL statutes and internal guidelines 
from 2003 to 2005, with respect to notifying both the FBI's Office of 
General Counsel, or OGC, and the President's Intelligence Oversight 
Board, or IOB, as required by Executive order. FBI employees did report 
26 violations to OGC, but the IG found examples of 22 more unreported 
violations in 17 investigative case files out of a sample of 77 
investigative files in 4 field offices.
  Some of these were significant violations, others less so. But that 
means that 22 percent of investigative files surveyed by the IG 
contained one or more violations not identified by the FBI or reported 
to the Intelligence Oversight Board, as required. According to the IG, 
``we have no reason to believe that the number of NSL-related possible 
IOB violations we identified in the four field offices was skewed or 
disproportionate to the number of possible IOB violations that exist in 
other

[[Page S4041]]

offices.'' Thus, the IG's findings ``suggest that a significant number 
of NSL-related possible IOB violations through the FBI have not been 
identified or reported by FBI personnel.''
  What else did the inspector general find? Perhaps the most disturbing 
revelation in his report, among many disturbing revelations, is that on 
more than 700 occasions, the FBI obtained telephone toll billing 
records or subscriber information from 3 telephone companies without 
first issuing NSLs or grand jury subpoenas. Instead, it relied on what 
it called ``exigent letters'' signed by personnel not authorized by 
statute to sign NSLs. Although the Electronic Communications Privacy 
Act does contain an emergency provision permitting the FBI to obtain 
certain communications records in emergencies where there is an 
immediate threat to a person's physical safety, many of these exigent 
letters were issued, admittedly, in nonemergency circumstances. Indeed, 
they were used as a matter of course by one headquarters unit. This 
violated both the statute and internal FBI policy.
  The inspector general also found that FBI headquarters issued more 
than 300 NSLs without determining whether there was an authorized 
investigation in progress. Issuing an NSL without tying it an 
authorized investigation is a violation of the statute.
  The inspector general also found that internal FBI guidance on how to 
properly use NSLs was woefully lacking, and that even to the degree 
there were FBI policies in place to govern the use of NSLs, those 
policies were not being followed. In 60 percent of the 77 case files 
that the IG examined in detail, there was some infraction of FBI 
guidance. Sixty percent. That is absolutely astounding.
  But that is not all. Once information is obtained through an NSL, the 
Inspector general reported that the FBI retains it indefinitely and 
uploads it into databases like the ``Investigative Data Warehouse,'' 
where it is retrievable by the thousands of authorized personnel, both 
inside and outside the FBI, who have access to these types of FBI 
databases. The FBI has no process for removing that information from 
its databases depending on the results of the investigation. So if a 
person's full credit report is obtained with an NSL as part of a 
preliminary investigation and that preliminary investigation is closed 
because the FBI determines that the person has done nothing wrong, it 
doesn't matter--the FBI can keep it anyway.
  Although the FBI keeps all the data it collects using NSLs, it does 
not tag or mark that information to indicate that it was derived 
through an NSL. So the FBI does not track whether information from NSLs 
ends up in intelligence analysis products or is passed on to 
prosecutors for criminal investigations. You would think that these 
would be key indicators of the usefulness and effectiveness of NSLs, 
but that information is not available, other than anecdotally.
  That is what the inspector general's report told us. The report 
revealed that the FBI took a shockingly cavalier attitude toward the 
privacy of innocent Americans in its implementation of the PATRIOT Act 
NSL authorities.
  Congress meant for the inspector general's report to help it in its 
oversight of the use of national security letters, which are issued and 
enforced entirely in secret, and there is no question it has done that. 
The inspector general deserves a great deal of credit for his thorough 
and careful report. As I have already mentioned, much of the reporting 
to Congress on the use of NSLs since the PATRIOT Act has been 
inaccurate or misleading due to FBI recordkeeping problems, so having 
the results of this independent audit is invaluable.
  But the report also reveals that the Justice Department essentially 
tried to whitewash this issue over the past several years. When 
Congress was considering whether to make changes to the NSL authorities 
as part of the PATRIOT Act reauthorization debate, the Attorney General 
came to Congress and resisted any changes, touting the strength of the 
checks on its power to obtain NSLs and assuring us that the power was 
being used carefully.
  On April 5, 2005, Attorney General Gonzales told the Senate Judiciary 
Committee, ``[T]he PATRIOT Act includes a lot of safeguards that 
critics of the Act choose to ignore.'' On November 23, 2005, the 
Justice Department wrote Senators Specter and Leahy a ten-page letter 
defending the FBI's use of National Security Letters, asserting that 
``the use of NSLs is subject to significant internal oversight and 
checks,'' and that there are ``robust mechanisms for checking misuse,'' 
and that ``[t]he FBI must and does conduct its investigations within 
the bounds of our Constitution, statutes, strict internal guidelines, 
and Executive Orders.''
  On December 14, 2005, the Washington Post quoted Attorney General 
Gonzales as saying, ``[T]he PATRIOT Act has already undergone extensive 
review and analysis by Congress, by the DOJ Inspector General, and by 
other bodies . . . This extensive review has uncovered not one verified 
example of abuse of any of the Act's provisions.''
  It is now quite evident that the Attorney General must not have been 
looking very hard, and certainly not trying very hard to ensure the 
protection of Americans' privacy rights. There is a lot going on right 
now that suggests we should be skeptical of assurances from the Justice 
Department, but this report highlights just how overtly political, and 
how lacking in fact, were DOJ's representations regarding the 
implementation of the Patriot Act.
  Indeed, as recently as November 2006, the Justice Department 
asserted--in response to an inspector general memo warning against the 
potential for abuse of national security letters--that the FBI is 
``aggressively vigilant in guarding against any abuse,'' a claim we now 
know was simply false.
  It is an understatement to say that the inspector general's report 
uncovered serious flaws in the use of national security letters. But 
these were flaws waiting to happen. It should not have taken this type 
of highly critical report to convince Congress to do something about 
such wide-ranging Government power.
  In fact, a bipartisan group of Senators proposed changes to the NSL 
statutes years ago, in the Security and Freedom Enhancement Act, or 
SAFE, Act. I, along with Senators Craig, Durbin, Sununu, Murkowski, 
Salazar, and many others, pushed for changes to the NSL statutes to try 
to prevent precisely the types of abuses that have now come to light. 
For example, the SAFE Act would have required that agents demonstrate 
that the records pertain to a suspected terrorist or spy before the FBI 
can issue an NSL, rather than the extremely loose standard in the 
PATRIOT Act.
  The SAFE Act also would have given the recipient of an NSL a 
meaningful right to challenge the letter and the nondisclosure 
requirement, and placed a time limit on the nondisclosure requirement, 
which could be extended by the court. As is the case for FISA 
authorities, the SAFE Act would have required notice to the target of 
an NSL if the Government sought to use the records obtained from the 
NSL in a subsequent proceeding and given the target an opportunity to 
challenge the use of those records.
  So the idea that the NSL statutes need to be revised is not new. But 
the inspector general's report has now highlighted the need for 
legislation and suggested some problems with the statutes that had not 
previously been identified.
  The time for changing the lax and unchecked system for issuing 
national security letters is now. The hearings the Judiciary Committee 
has held with the inspector general and the FBI Director have been 
immensely helpful.
  But we must not stop there. Legislation is needed. During the 
reauthorization of the PATRIOT Act, we were unable to fix the NSL 
statutes. The administration and its supporters even refused to put a 
sunset on the NSL powers. So we need to act, and soon. I hope to work 
closely with the bipartisan group of Senators who cosponsored the SAFE 
Act. I plan to press for Senate action on sensible reforms to help 
prevent future abuses of national security letters.
  Let me say, in conclusion, that this report shows beyond doubt that 
Congress made a grave mistake when it let this administration 
intimidate us into silence and inaction rather than protecting the 
rights and freedoms of the American people. The Justice Department's 
credibility concerning the powers contained in the PATRIOT Act is in

[[Page S4042]]

shreds. Congress needs to exercise extensive and searching oversight of 
those powers, and it must take corrective action. The inspector 
general's report has shown both that current safeguards are inadequate 
and that the Government cannot be trusted to exercise those powers 
lawfully. Congress must address these problems and fix the mistakes it 
made in passing and reauthorizing the flawed PATRIOT Act.

                          ____________________