FBI Finds It Frequently Overstepped in Collecting Data

In 10 additional investigations, FBI agents used NSLs to request other information that the relevant laws did not allow them to obtain. Officials said that, for example, agents might have requested header information from e-mails -- such as the subject lines -- even though NSLs are supposed to be used to gather information only about the e-mails' senders and the recipients, not about their content.

The FBI audit also identified three dozen violations of rules requiring that NSLs be approved by senior officials and used only in authorized cases. In 10 instances, agents issued National Security Letters to collect personal data without tying the requests to specific, active investigations -- as the law requires -- either because, in each case, an investigative file had not been opened yet or the authorization for an investigation had expired without being renewed.

FBI officials said the audit found no evidence to date that any agent knowingly or willingly violated the laws or that supervisors encouraged such violations. The Justice Department's report estimated that agents made errors about 4 percent of the time and that third parties made mistakes about 3 percent of the time, they said. The FBI's audit, they noted, found a slightly higher error rate for agents -- about 5 percent -- and a substantially higher rate of third-party errors -- about 10 percent.

The officials said they are making widespread changes to ensure that the problems do not recur. Those changes include implementing a corporate-style, continuous, internal compliance program to review the bureau's policies, procedures and training, to provide regular monitoring of employees' work by supervisors in each office, and to conduct frequent audits to track compliance across the bureau.

The bureau is also trying to establish for NSLs clear lines of responsibility, which were lacking in the past, officials said. Agents who open counterterrorism and counterintelligence investigations have been told that they are solely responsible for ensuring that they do not receive data they are not entitled to have.

The FBI audit did not turn up new instances in which another surveillance tool known as an Exigent Circumstance Letter had been abused, officials said. In a finding that prompted particularly strong concerns on Capitol Hill, the Justice Department had said such letters -- which are similar to NSLs but are meant to be used only in security emergencies -- had been invoked hundreds of times in "non-emergency circumstances" to obtain detailed phone records, mostly without the required links to active investigations.

Many of those letters were improperly dispatched by the bureau's Communications Analysis Unit, a central clearinghouse for the analysis of telephone records such as those gathered with the help of "exigent" letters and National Security Letters. Justice Department and FBI investigators are trying to determine if any FBI headquarters officials should be held accountable or punished for those abuses, and have begun advising agents of their due process rights during interviews.

The FBI audit will be completed in the coming weeks, and Congress will be briefed on the results, officials said. FBI officials said each potential violation will then be extensively reviewed by lawyers to determine if it must be reported to the Intelligence Oversight Board, a presidential panel of senior intelligence officials created to safeguard civil liberties.

The officials said the final tally of violations that are serious enough to be reported to the panel might be much less than the number turned up by the audit, noting that only five of the 22 potential violations identified by the Justice Department's inspector general this spring were ultimately deemed to be reportable.

"We expect that percentage will hold or be similar when we get through the hundreds of potential violations identified here," said a senior FBI official, who spoke on the condition of anonymity because the bureau's findings have not yet been made public.