Oversight Report Says DEA Ran Multiple Bulk Data Collection Programs With Zero Legal Clearance

from the can't-have-your-rules-interfering-with-our-drug-war,-man dept

The NSA isn't the only collector of bulk phone records. The NSA may not even be doing this anymore, but for a long time, it was not only the NSA's bread-and-butter, but the DEA's as well.

The DEA has run multiple bulk records collections for more than 20 years, given the green light by our current Attorney General, William Barr, who also ran the DOJ back in 1992. These not only targeted calls placed to "drug nexus" countries, but purchase records as well. "Nexus" is a slippery word -- one the NSA takes advantage of as well. US law enforcement considers almost anywhere in or out of the country to be a "drug nexus," which gives it the suspicion it needs to pull over drivers on interstate highways or rifle through their belongings at airports looking for drugs cash.

Using this flimsy connective tissue and a bunch of subpoenas, the DEA approached private companies and demanded vast amounts of third party records. Some of these details were exposed when the DEA's "Hemisphere" documents were published. Six years after Ed Snowden let the world know the NSA was collecting phone records in bulk, the Inspector General of the DOJ has finally released a report [PDF] on the DEA's bulk collections.

According to the IG report, the DEA ran three bulk collection programs. Program A collected bulk telephone records on calls from the US to "drug nexus" countries. These were obtained with "non-target-specific" subpoenas directly from the service provider. Like the NSA, the DEA wanted metadata about these calls, like date, time, and duration.

Program B did pretty much the same thing: non-targeted subpoenas were handed to "selected vendors" to gather data on purchases, which were then cross-referenced with the DEA's bulk records database to (finally!) identify targets to investigate. (What purchases? According to Charlie Savage of the New York Times, the DEA is tracking purchases of money counting machines. This is probably information the DEA didn't want the public to have, but a redaction failure caught by Savage exposed the intent of this collection program.)

That instruction, it said, “was intended to protect the program’s sources and methods; criminals would obtain money counters by other means if they knew that the D.E.A. collected this data.”

Program C resembled the modified Section 215 program -- the one that appears to never have gotten off the ground following the USA Freedom Act reforms. Non-targeted subpoenas were handed to telcos, which then searched their own databases to find connections that might be of interest to the DEA, handing it only the results of these restricted searches, rather than dumping everything into the DEA's data stores.

There's a similar thread holding all of these programs together: they weren't strictly legal.

Our review found that the DEA (and the Department with respect to Program A, Collection 1) failed to conduct a comprehensive legal analysis of the DEA's use of its administrative subpoena authority to collect or exploit bulk data before initiating or participating in any of the three programs. We found this failure troubling with respect to Program A, Collection 1 and Program B because these programs involved a uniquely expansive use of Section 876(a) authority to collect data in bulk without making a prior finding that the records were, in the language of that statutory provision enabling DEA's subpoena authority, "relevant or material" to any specific defined investigation.

Several published court decisions have clearly suggested potential challenges to the validity of the DEA's use of its statutory subpoena power in this expansive, non-targeted manner. We also found the absence of a robust legal review troubling because the DEA utilized the bulk data collected by means of Program A, Collection 1 and Program B subpoenas on an unknown number of occasions in support of investigations by non-DEA federal agencies that had no apparent connection to specific drug investigations. This utilization raised significant legal questions because the DEA had amassed the Program A, Collection 1 and Program B bulk data collections under its statutory authority, in 21 U.S.C. § 876(a), to require the production of data that was "relevant or material" to a drug investigation.

We found that Program C raised different kinds of challenging legal issues that the DEA also failed to fully assess. We found that the DEA failed to formalize a complete and adequate legal assessment regarding its use of Program C to obtain reports and other advanced analytical information to ensure such use was lawful and appropriate under its administrative subpoena authority, 21 U.S.C. § 876(a), and the Electronic Communications Privacy Act, 18 U.S.C. § 2703(c)(2).

These legal problems were compounded by the DEA's careless approach to the few legal boundaries it chose to respect. The DEA used untargeted subpoenas that failed to show the records had relevance to active drug investigations. What little there was in place to vet subpoenas prior to issuance consisted of a pull-down menu that only listed kinds of sources (confidential informant, other ongoing investigation, etc.). Nothing specified exactly why the records requested were being sought. The DEA's sole backstop for auditing its subpoenas was nothing more than confirming the pulldown menu of vague sources had actually been used when filling in the boilerplate. The DEA allowed agents to shrug their way into hundreds or thousands of records at a time using nothing more than this:

In practice, the DEA typically did not require more "particularization" than a single conclusory sentence, and did not explicitly require the documentation or certification that the request was relevant to a drug investigation...

Then there's the DEA's massive data retention problem. However indiscriminate the collection process was, the retention/deletion "process" was even worse.

We also found that the DEA failed to establish any policies on storage or retention of the Program B bulk data at any time before or during the operation of that program. Although Program B is no longer active, the DEA has failed to develop a final disposition plan regarding tens of thousands of records of purchases that reside on DEA servers.

The IG has a few problems with the DEA's parallel construction, but it doesn't really have a problem with parallel construction itself. It doesn't consider hiding the origin of evidence "inappropriate," but it does draw the line at hiding this from everyone involved in a prosecution.

[P]arallel construction should not be used to prevent prosecutors from fully assessing their discovery and disclosure obligations in criminal cases.

However, most the DOJ IG's sympathies fall on the side of the prosecution, which should surprise no one.

While the DEA has denied misusing parallel construction in this manner, we found some troubling statements in the DEA's training materials and other documents, including that Program A investigative products cannot be shared with prosecutors. Such statements appear to be in tension with Department policy on a federal prosecutor's "duty to search" for discoverable information from all members of the "prosecution team," which typically includes federal law enforcement officers who participated in the investigation of the defendant.

This doesn't leave much consideration for defendants, who are forced to fight blind when challenging evidence used against them.

There are recommendations, but they're not of much use since two of three programs are pretty much dead. The bulk collection of purchase data (Program B) was killed in 2014, following the Snowden leaks. Program C operates pretty much like the modified Section 215 collection -- with telcos searching and storing records, rather than dumping them into the DEA's databases. Program A was also modified shortly after the Snowden leaks began, with a heavier emphasis on ensuring subpoenas were linked to ongoing drug investigations.

It will probably be several years before we see a follow-up report on the DEA's bulk collections. As the IG notes, the DEA did everything it could to stonewall this investigation.

For a substantial period after we initiated this review, the DEA took many actions that hindered the OIG's access to information available to it that the OIG was plainly authorized to obtain under the Inspector General Act.

These actions included failing to produce or delaying the production of relevant and responsive materials without any compelling or sufficient basis.

[...]

Further, the OIG discovered many highly relevant documents, which had not been produced, only after learning about them in witness interviews. This latter issue was particularly significant with respect to the dearth of documents containing legal reviews of programs in our review, which the DEA failed to produce to the OIG until a witness identified their existence to us. The DEA's actions significantly delayed our review and were wholly inconsistent with the requirements of the Inspector General Act.

This tracks with the Inspector General's problems with multiple DOJ agencies over the past several years. The FBI and DEA blow off investigations, refuse to produce documents, and do as little as possible to ensure their oversight can actually do any overseeing.

As the report notes, the programs were never on solid legal ground. It points out the programs were brought to life under AG Barr, who never bothered to ask for a legal opinion from the DOJ's Office of Legal Counsel before setting them in motion. The FBI had concerns about these programs when the DEA offered it access, but those questions went unanswered. The last time the legal questions were thoroughly discussed was in 1999, seven years after the programs went into effect.

Between 1999 and the 2013 Snowden leaks, only a single memo discussing the potential legal pitfalls of these bulk collections was issued. The single conclusion drawn was that the public should never be allowed to find out about these collections. And for the most part we didn't -- not until years after the fact. Good job... I guess.

Two decades and no definitive legal clearance. The only blip in the data stream was the unscheduled leaking of NSA documents. Without Snowden, these programs would likely still be running unaltered -- hoovering up millions of phone records with zero reasonable suspicion.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: bulk data collection, dea, privacy