The Life Cycle of an FBI Terrorism Investigation

Nora Ellingsen
Monday, June 20, 2016, 1:00 PM

Published by The Lawfare Institute

Following a terrorist attack, questions unavoidably arise as to whether the FBI did enough to prevent it. It is not only the press speculating; the FBI is asking itself the same questions—the Inspection Division is currently interviewing dozens of agents and analysts and combing through emails and case files in search of an answer. But as the ISIL threat continues to evolve, it is worthwhile to understand what options the FBI has when encountering someone who likely supports a terrorist group but has not yet committed a violent act, and to recognize who simply falls beyond what law enforcement can charge.

The FBI Domestic Investigations and Operations Guide, commonly known as the DIOG, spells out what an FBI agent is allowed to do and when he or she is allowed to do it. In 2011, the FBI posted a slightly redacted version to its FOIA website, providing the public with some insight into the lifespan of an FBI investigation.

The basics are relatively intuitive: There are different levels of FBI investigations, and at each level, different investigative techniques or methods are authorized to be used. As the allegations become more serious and valid, the FBI is permitted to open a higher level of investigation. The higher the level of investigation, the more tools become available to disrupt the threat.

There are three categories of FBI investigations: Assessments, Preliminary Investigations, and Full Investigations, although only the latter two are technically considered full-fledged cases. However, even before opening an assessment on an individual, the FBI can conduct minimal investigative activity. For example, if my neighbor calls our local FBI switchboard and reports that I’m a terrorist, the FBI can Google me and look through government records or publicly available resources for more information, all before opening an assessment. They can also call back my neighbor and conduct an interview to clarify any questions or issues. But at that point, in order to continue further, they are required to open an assessment.

While the DIOG outlines several types of assessments, those that target and investigate individuals suspected of terrorist activity are designed to be relatively short, and require special authorization to extend beyond 30 days. Of the 25 investigative methods, or tools, listed in the DIOG, agents and analysts are allowed to use nine under an assessment. These include searching for and reviewing any publicly available information, requesting information from other agencies or foreign partners, tasking a source to report on the subject, interviewing individuals beyond the initial complainant, conducting physical surveillance where there is no reasonable expectation of privacy, and issuing subpoenas for telephone and email subscriber information, i.e., what name is registered on your Verizon account.

On their face, these tasks seem manageable within 30 days. However, the deeper one dives into the DIOG, the more complex, and more time-consuming, the tools become. Some techniques require extensive coordination and approval within the FBI. For example, passing and requesting information to and from a foreign government requires coordination with five units within the FBI. The challenge of a 30-day assessment is clearer when considering the daunting number of leads—the FBI estimates that in fiscal year 2006 they opened over 2,800 counterterrorism assessments alone. That number has only grown in the subsequent decade.

The majority of assessments are closed at the end of 30 days, but some—six percent in 2012—are instead converted to Preliminary Investigations (PI). A PI is a “true” FBI case, one that may be opened on the basis of information or an allegation that a threat to national security or activity constituting a federal crime has, may, or will occur. To illustrate this definition, the DIOG gives two examples of information that would be sufficient to open a PI: first, a source, who has had no previous interactions with the FBI, alleges that an individual is a member of a terrorist group; second, a scenario in which, while conducting an assessment, an analyst discovers a blog threat to a specific person.

Like Assessments, Preliminary Investigations are limited in duration. They should be closed within six months, although the head of each office can grant an additional six-month extension. In the course of these six months, the team can use all the previously listed techniques as well as several new ones: They can now ask their sources to wear a wire or record telephone conversations with a subject, depending, of course, on the laws of the state. They can install fixed-location cameras, referred to as “pole cameras” because of their typical placement on telephone poles, in a place where no reasonable expectation of privacy exists. In the event their subject still uses snail mail, they can ask the Post Office to photocopy the outside of each letter the subject receives, but are not allowed to open the mail. A subject’s trash is also fair game, and the case agent is allowed to go through any trash the subject puts out on the curb.

At this stage, the agents and analysts can gain more access to the individual’s communications. Agents can issue National Security Letters and receive financial records, credit reports, and transactional records. Unlike the assessment stage, the FBI is now able to see more than just account names, such as all phone numbers an individual has dialed. Communications content, of course, is still unavailable. Pen registers and trap/trace devices can also provide the FBI that information in real time. Under a preliminary investigation, agents can conduct polygraphs, not only of the subject, but also of any source, victim or witness to verify the truthfulness of statements. Finally, under a PI, undercover operations, when weighed with the risk to privacy, are authorized.

At the end of six months, a Preliminary Investigation is either closed or, if information discovered during the course of an investigation warrants, is converted to a Full Investigation. The DIOG gives several examples of what would allow a full investigation. For example, corroborated information from an intelligence agency stating that an individual is a member of a terrorist group would warrant a full investigation, as would an analyst discovering an online threat to some specific individual and additional information connecting the blogger to a known terrorist group.

Once at the Full Investigation stage, the FBI can conduct searches with a warrant or a court order. They also now have the option of undertaking electronic surveillance, in the case of national security cases through FISA. Unlike an Assessment or PI, Full Investigations do not have a time limit, although these investigations must be reviewed on a regular basis. In contrast to lesser investigations, in order to close an FI, the case agent requires several levels of approval.

Nora Ellingsen is a third-year student at Harvard Law School. Prior to graduate school, she spent five years working for the FBI's Counterterrorism Division. She graduated cum laude from Northwestern University with a B.A. in Psychology and Political Science.