Tuesday, June 15, 2010

DOJ's surveillance reporting failure

In both 2004, and 2009, the US Department of Justice provided Congress with a "document dump", covering 5 years of Pen Register and Trap & Trace surveillance reports. Although the law clearly requires the Attorney General to submit annual reports to Congress, DOJ has not done so, nor has it provided any reason for its repeated failure to submit the reports to Congress in a timely manner, as the law requires.

Professor Paul Schwartz, who first highlighted DOJ's pen register reporting deficiencies in a law review article, has argued that the lack of timely reporting creates "blank spaces on the map of telecommunications surveillance law."

In his 2008 article, Schwartz stated:
[T]he reports do not appear to have been made annually, but as one document dump with five years of reports in November 2004. The reports also fail to detail all of the information that the Pen Register Act requires to be shared with Congress.
The cover letter for the 2004 document dump to Congress can be seen embeded below and the yearly reports (later obtained through a FOIA by the Electronic Frontier Foundation) can be viewed here: 1999, 2000, 2001, 2002, 2003,

Unfortunately, it appears that after the 2004 document dump, DOJ went back to its old ways, and stopped providing the reports to Congress. As a result, in April 2009, the Electronic Privacy Information Center wrote a letter to Senator Leahy, to ask him to look into the issue.

There is no indication that the DOJ provided annual pen register reports to Congress for 2004, 2005, 2006, 2007, or 2008.19 This failure would demonstrate ongoing, repeated breaches of the DOJ's statutory obligations to inform the public and the Congress about the use of electronic surveillance authority....

We request that you ask the Attorney General to make public pen register and trap and trace reports from 2004 through the present, and to publicly disclose all future reports as a matter of course. This might be accomplished by requiring the DOJ to submit the annual pen register reports to the Administrative Office of the U.S. Courts, which has a proven track record of reliably collecting and publicly disseminating similar statistics regarding wiretap orders.

Earlier this year, I obtained (via a FOIA request) copies of the reports for the years 2004-2008. I also obtained the cover letter that DOJ sent to members of Congress in October of 2009, attached to the reports. The wording of the October 2009 letter is practically identical to the letter that accompanied the 2004 document dump, suggesting that DOJ failed to comply with the annual reporting requirements in 2005, 2006, 2007 and 2008.

Based on 10 years of repeated failures, it seems clear that the Department of Justice is unable to supply Congress with annual reports for pen register and trap & trace surveillance. As such, I think it is time for Congress to take a serious look at this problem, and consider shifting the responsibility for the reporting to the Administrative Office of the U.S. Courts, which has a proven track record of reliably collecting and publicly disseminating similar statistics regarding wiretap orders.

In a forthcoming law review article, I dig through the currently published surveillance statistics, and find many of them to be woefully lacking. I also propose several ways that Congress could overhaul the reporting requirements. Hopefully, if Congress does look into this issue, they will expand the scope of their inquiry to cover all surveillance reporting, and not just the pen register reports.

While my article is still in very rough shape, I've extracted the section on surveillance statistics, and included it here. I'd love feedback.