U.S. Department of Justice
Office of Legislative Affairs

December 14, 2009

The Honorable Silvestre Reyes
Chairman
Permanent Select Committee on Intelligence
United States House of Representatives
HVC-304, The Capitol
Washington, DC 20515

Dear Chairman Reyes:

Thank you for your letter of September 30, 2009, requesting that the Department of Justice provide a document to the House Permanent Select Committee on Intelligence (HPSCI) that describes the bulk collection program conducted under Section 215 -- the "business records" provision of the Foreign Intelligence Surveillance Act (FISA). We agree that it is important that all Members of Congress have access to information about this program, as well as a similar bulk collection program conducted under the pen register/trap and trace authority of FISA, when considering reauthorization of the expiring USA PATRIOT Act provisions. The Department has therefore worked with the Intelligence Community to prepare the enclosed document that describes these two bulk collection programs, the authorities under which they operate, the restrictions imposed by the Foreign Intelligence Surveillance Court, the National Security Agency's record of compliance, and the importance of these programs to the national security of the United States.

We believe that making this document available to all Members of Congress is an effective way to inform the legislative debate about reauthorization of Section 215 and any changes to the FISA pen register/trap and trace authority. However, as you know, it is critical that Members understand the importance to national security of maintaining the secrecy of these programs, and that the HPSCI's plan to make the document available to other Members is subject to strict rules.
Therefore, the enclosed document is being provided on the understanding that it will be provided only to Members of Congress (and cleared HPSCI, Judiciary Committee, and leadership staff), in a secure location in the HPSCI's offices, for a limited time period to be agreed upon, and consistent with the rules of the HPSCI regarding review of classified information and non-disclosure agreements. No photocopies may be made of the document, and any notes taken by Members may not be removed from the secure location. We further understand that HPSCI staff will be present at all times when the document is being reviewed, and that Executive Branch officials will be available nearby during certain, pre-established times to answer questions should they arise. We also request your support in ensuring that the Members are well informed regarding the importance of this classified and extremely sensitive information to prevent any unauthorized disclosures resulting from this process.

We intend to provide the same document to the Senate Select Committee on Intelligence (SSCI) under similar conditions, so that it may be made available to the Members of the Senate, as well as cleared leadership, SSCI and Senate Judiciary Committee staff.

Thank you again for your letter, and we look forward to continuing to work with you and your staff as Congress continues its deliberations on reauthorizing the expiring provisions of the USA PATRIOT Act.

Sincerely,

Ronald Weich
Assistant Attorney General

Report on the National Security Agency's Bulk Collection Programs Affected by USA PATRIOT Act Reauthorization

THE INFORMATION CONTAINED IN THIS REPORT DESCRIBES SOME OF THE MOST SENSITIVE FOREIGN INTELLIGENCE COLLECTION PROGRAMS CONDUCTED BY THE UNITED STATES GOVERNMENT. THIS INFORMATION IS HIGHLY CLASSIFIED AND ONLY A LIMITED NUMBER OF EXECUTIVE BRANCH OFFICIALS HAVE ACCESS TO IT.
PUBLICLY DISCLOSING ANY OF THIS INFORMATION WOULD BE EXPECTED TO CAUSE EXCEPTIONALLY GRAVE DAMAGE TO OUR NATION'S INTELLIGENCE CAPABILITIES AND TO NATIONAL SECURITY. THEREFORE IT IS IMPERATIVE THAT ALL WHO HAVE ACCESS TO THIS DOCUMENT ABIDE BY THEIR OBLIGATION NOT TO DISCLOSE THIS INFORMATION TO ANY PERSON UNAUTHORIZED TO RECEIVE IT.

Key Points

- Provisions of the USA PATRIOT Act affected by reauthorization legislation support two sensitive intelligence collection programs;
- These programs are authorized to collect in bulk certain dialing, routing, addressing and signaling information about telephone calls and electronic communications, such as the telephone numbers or e-mail addresses that were communicating and the times and dates but not the content of the calls or email messages themselves;
- Although the programs collect a large amount of information, the vast majority of that information is never reviewed by anyone in the government, because the information is not responsive to the limited queries that are authorized for intelligence purposes;
- The programs are subject to an extensive regime of internal checks, particularly for U.S. persons, and are monitored by the Foreign Intelligence Surveillance Court (“FISA Court”) and Congress;
- The Executive Branch, including DOJ, ODNI, and NSA, takes any compliance problems in the programs very seriously and substantial progress has been made in addressing those problems. [...] and
- NSA's bulk collection programs provide important tools in the fight against terrorism, especially in identifying terrorist plots against the homeland. These tools are also unique in that they can produce intelligence not otherwise available to NSA.

Background

Since the tragedy of 9/11, the Intelligence Community has developed an array of capabilities to detect, identify and disrupt terrorist plots against the United States and its interests.
Detecting threats by exploiting terrorist communications has been, and continues to be, one of the critical tools in that effort. Above all else, it is imperative that we have a capability to rapidly identify any terrorist threats emanating from within the United States.

Prior to the attacks of 9/11, the National Security Agency (NSA) intercepted and transcribed seven calls from hijacker Khalid al-Mihdhar to a facility associated with an al Qa'ida safehouse in Yemen. However, NSA's access point overseas did not provide the technical data indicating the location from where al-Mihdhar was calling. Lacking the originating phone number, NSA analysts concluded that al-Mihdhar was overseas. In fact, al-Mihdhar was calling from San Diego, California. According to the 9/11 Commission Report (pages 269-272): “Investigations or interrogation of them [Khalid al-Mihdhar, etc], and investigation of their travel and financial activities could have yielded evidence of connections to other participants in the 9/11 plot. The simple fact of their detention could have derailed the plan. In any case, the opportunity did not arise.”

Today, under Foreign Intelligence Surveillance Court authorization pursuant to the “business records” authority of the Foreign Intelligence Surveillance Act (FISA) (commonly referred to as “Section 215”), the government has developed a program to close the gap that allowed al-Mihdhar to plot undetected within the United States while communicating with a known terrorism target overseas. This and similar programs operated pursuant to FISA provide valuable intelligence information.

USA PATRIOT Act reauthorization legislation currently pending in both the House and the Senate would alter, among other things, language in two parts of FISA: Section 215 and the FISA “pen register/trap and trace” (or “pen-trap”) authority.
Absent legislation, Section 215 will expire on December 31, 2009, along with the so-called “lone wolf” provision and roving wiretaps (which this document does not address). The FISA pen-trap authority does not expire, but the pending legislation in the Senate and House includes amendments of this provision.

The Section 215 and pen-trap authorities are used by the U.S. Government in selected cases to acquire significant foreign intelligence information that cannot otherwise be acquired either at all or on a timely basis. Any U.S. person information that is acquired is subject to strict, court-imposed restrictions on the retention, use, and dissemination of such information and is also subject to strict and frequent audit and reporting requirements.

The largest and most significant uses of these authorities are to support two critical and highly sensitive intelligence collection programs under which NSA collects and analyzes large amounts of transactional data obtained from telecommunications providers [...] Although these programs have been briefed to the Intelligence and Judiciary Committees, it is important that other Members of Congress have access to information about these two programs when considering reauthorization of the expiring PATRIOT Act provisions. The Executive Branch views it as essential that an appropriate statutory basis remains in place for NSA to conduct these two programs.

Under the program based on Section 215, NSA is authorized to collect from telecommunications service providers certain business records that contain information about communications between two telephone numbers, such as the date, time, and duration of a call. There is no collection of the content of any telephone call under this program, and under longstanding Supreme Court precedent the information collected is not protected by the Fourth Amendment. In this program, court orders (generally lasting 90 days) are served on [...] telecommunication companies [...]
The orders generally require production of the business records (as described above) relating to substantially all of the telephone calls handled by the companies, including both calls made between the United States and a foreign country and calls made entirely within the United States.

Under the program based on the pen-trap provisions in FISA, the government is authorized to collect similar kinds of information about electronic communications — such as “to” and “from” lines in e-mail and the time an e-mail is sent — excluding the content of the e-mail and the “subject” line. Again, this information is collected pursuant to court orders (generally lasting 90 days) and, under relevant court decisions, is not protected by the Fourth Amendment. [...]

Both of these programs operate on a very large scale. [...]

Checks and Balances

To conduct these bulk collection programs, the government has obtained orders from several different FISA Court judges based on legal standards set forth in Section 215 and the FISA pen-trap provision. Before obtaining any information from a telecommunication service provider, the government must establish, and the FISA Court must conclude, that the information is relevant to an authorized investigation. In addition, the government must comply with detailed “minimization procedures” required by the FISA Court that govern the retention and dissemination of the information obtained. Before an NSA analyst may query bulk records, they must have reasonable articulable suspicion (referred to as “RAS”) that the number or email address they submit is associated with [...] The RAS requirement is designed to protect against the indiscriminate querying of the collected data so that only information pertaining to one of the foreign powers listed in the relevant Court order [...] is provided to NSA personnel for further intelligence analysis.
There are also limits on how long the collected data can be retained (5 years in the Section 215 program, and 4 1/2 years in the pen-trap program).

Congressional Oversight

These programs have been briefed to the Intelligence and Judiciary Committees, to include hearings, briefings, and, with respect to the Intelligence Committees, visits to NSA. In addition, the Intelligence Committees have been fully briefed on the compliance issues discussed below.

Compliance Issues

There have been a number of technical compliance problems and human implementation errors in these two bulk collection programs, discovered as a result of Department of Justice reviews and internal NSA oversight. However, neither the Department, NSA nor the FISA Court has found any intentional or bad-faith violations. The problems generally involved the implementation of highly sophisticated technology in a complex and ever-changing communications environment which, in some instances, resulted in the automated tools operating in a manner that was not completely consistent with the specific terms of the Court's orders. In accordance with the Court's rules, upon discovery, these inconsistencies were reported as compliance incidents to the FISA Court, which ordered appropriate remedial action. The incidents, and the Court's responses, were also reported to the Intelligence Committees in great detail.

The Committees, the Court and the Executive Branch have responded actively to the incidents. The Court has imposed additional safeguards. In response to compliance problems, the Director of NSA also ordered “end-to-end” reviews of the Section 215 and pen-trap collection programs, and created a new position, the Director of Compliance, to help ensure the integrity of future collection. In early September of 2009, the Director of NSA made a presentation to the FISA Court about the steps taken to address the compliance issues.
All parties will continue to report to the FISA Court and Congress on compliance issues as they arise, and to address them effectively.

Intelligence Value of the Collection

As noted, these two collection programs significantly strengthen the Intelligence Community's early warning system for the detection of terrorists and discovery of plots against the homeland. They allow the Intelligence Community to detect phone numbers and e-mail addresses within the United States contacting targeted phone numbers and e-mail addresses associated with suspected foreign terrorists abroad and vice-versa; and connections between entities within the United States tied to a suspected foreign terrorist abroad. NSA needs access to telephony and e-mail transactional information in bulk so that it can quickly identify the network of contacts that a targeted number or address is connected to, whenever there is RAS that the number or address is associated with [...] Importantly, there are no intelligence collection tools that, independently or in combination, provide an equivalent capability.

To maximize the operational utility of the data, the data cannot be collected prospectively once a lead is developed because important connections could be lost in data that was sent prior to the identification of the RAS phone number or e-mail address.

NSA identifies the network of contacts by applying sophisticated analysis to the massive volume of metadata. (Communications metadata is the dialing, routing, addressing or signaling information associated with an electronic communication, but not content). The more metadata NSA has access to, the more likely it is that NSA can identify or discover the network of contacts linked to targeted numbers or addresses.
Information discovered through NSA's analysis of the metadata is then provided to the appropriate federal national security agencies, including the FBI, which are responsible for further investigation or analysis of any potential terrorist threat to the United States.

In conclusion, the Section 215 and pen-trap bulk collection programs provide a vital capability to the Intelligence Community. The attacks of 9/11 taught us that applying lead information from foreign intelligence in a comprehensive and systematic fashion is required to protect the homeland, and the programs discussed in this paper cover a critical seam in our defense against terrorism. Recognizing that the programs have implications for the privacy interests of U.S. person data, extensive policies, safeguards, and reviews have been enacted by the FISA Court, DOJ, ODNI and NSA.