May 11, 2015 / by emptywheel

 

HJC USA F-ReDux Report: Other Thoughts

More thoughts on the House Judiciary Committee report on USA F-ReDux.

The Data Handshake

The bill seems to explicitly envision a data handshake, based off contractual agreements.

This section does not require any private entity to retain any record or information other than in the ordinary course of business. However, nothing in current law or this Act prohibits the government and telecommunications providers from agreeing voluntarily to retain records for periods longer than required for their business purposes.

[snip]

This section explicitly permits the government to compensate third parties for producing tangible things or providing information, facilities, or assistance in accordance with an order issued under Section 501. It is customary for the government to enter into contractual agreements with third parties in order to compensate them for products and services provided to the government.

CBO provides a $15 million estimate for the unclassified costs of the bill over 5 years (though that includes $5 million for the amicus). But most of the contracts would be highly classified, so we have no way of knowing how much the providers will get for holding onto our data.

Minimization

The language on the section requiring the government to destroy data that is not foreign intelligence information is … underwhelming (though it might at least get the government to destroy high volume numbers, which they do anyway).

This section requires the government to adopt minimization procedures that require the prompt destruction of call detail records that are not foreign intelligence information.

The passage discussing the new minimization procedures is more interesting.

This section provides that the court may evaluate the adequacy of minimization procedures under Section 501. Under current law, the court is only empowered to determine whether the government has minimization procedures in place. This section also makes clear that the FISC may require additional, particularized minimization procedures beyond those required under Section 501 with regard to the production, retention, or dissemination of certain business records, including requiring the destruction of such records within a reasonable time period. This language is intended to capture an existing practice by the FISC to require heightened minimization procedures when appropriate.

As the language makes clear (and contra a bunch of boosters last year), this simply “capture[s] an existing practice.” It does codify it, though. (Note, last year there were very few obvious modifications for minimization procedures, though that may mean everything is already set up with existing procedures).

Emergency Provision

There’s nothing in the language on the Attorney General enforced emergency provision language that leads me to believe they won’t just parallel construct any data the FISC tells them they’ve obtained illegally.

If the court denies an emergency application, the government may not use any of the information obtained under the emergency authority except in instances of a threat of death or serious bodily harm.

Specific Selection Term

This section is worth examining at length.

This section requires that each application for the production of tangible things include ‘‘a specific selection term to be used as the basis for the production.’’ In so doing, the Act makes clear that the government may not engage in indiscriminate bulk collection of any tangible thing or any type of record under Section 501 of FISA. Section 501(b)(2)(A) of FISA will continue to require the government to make ‘‘a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation. . . .’’50 Section 103 requires the government to make an additional showing, beyond relevance, of a specific selection term as the basis for the production of the tangible things sought, thus ensuring that the government cannot collect tangible things based on the assertion that the requested collection ‘‘is thus relevant, because the success of [an] investigative tool depends on bulk collection.’’ 51 Congress’ decision to leave in place the ‘‘relevance’’ standard for Section 501 orders should not be construed as Congress’ intent to ratify the FISA Court’s interpretation of that term. These changes restore meaningful limits to the ‘‘relevance’’ requirement of Section 501, consistent with the opinion of the U.S. Court of Appeals for the Second Circuit in ACLU v. Clapper.

Although this Act eliminates bulk collection, this section maintains Section 501 as a business records authority. The additional showing of a ‘‘specific selection term’’ that will be required in all Section 501 applications does not provide any new authority, but it is defined in such a way as to allow for standard business records collection to continue while prohibiting the use of this authority for indiscriminate, bulk collection.

First, the definitions section does not adopt an English language definition of “bulk.” It uses the IC’s version, which means “everything.” Thus, the promise that the government won’t engage in “indiscriminate bulk collection” only says “they won’t get all,” not that they won’t engage in bulky production.

The language on SST — along with the explicit permission to use more than one term — leads me to wonder if they’re going to limit this with descriptions of the cross-references they’ll make (so, the purchase records for all pressure cookers, which will be crossed against anyone who called the Tsarnaev brothers).

HJC’s insistence this doesn’t ratify FISC’s crummy “relevant to” definition would be a lot more convincing if it provided some sense of where the limits are. Further, the language “allow[ing] standard business records collection” to continue does not raise my confidence about past/existing bulk programs. (And remember, the bill adds language requiring reporting to Congressional oversight committees on bulky programs.)

But the definitions section adds to that.

For purposes of the call detail record authority, the term ‘‘specific selection term’’ is defined as a term specifically identifying an individual, account, or personal device.

The term ‘‘address’’ means a physical address or electronic address, such as an electronic mail address, temporarily assigned network address, or Internet protocol address. This definition may overlap with the term ‘‘account,’’ which also can be considered a ‘‘specific selection term’’ under the bill. These terms are not mutually exclusive, and an electronic mail address or account also qualifies as an ‘‘account’’ for purposes of the bill.

The term ‘‘personal device’’ refers to a device that can reasonably be expected to be used by an individual or a group of individuals affiliated with one another. For example, ‘‘personal device’’ would include a telephone used by an individual, family, or housemates, a telephone or computer provided by an employer to an employee or employees, a home computer or tablet shared by a family or housemates, and a Wi-Fi access point that is exclusively available to the inhabitants of a home, the employees of a business, or members of an organization. It would also include a local area network server that is used by a business to provide e-mail to its employees. The term ‘‘personal device’’ does not include devices that are made available for use by the general public or by multiple people not affiliated with one other, such as a pay phone available to the public, a computer available to library patrons to access the Internet, or a Wi-Fi access point made available to all customers at an Internet café. Depending on the circumstances, however, such devices could qualify as ‘‘any other specific identifier’’ that is used to limit the scope of the tangible things sought consistent with the purpose for seeking the tangible things. The term ‘‘personal device’’ also does not include devices that are used by companies to direct public communications, such as a router used by an Internet service provider to route e-mails sent by its customers, or a switch used by a telecommunications carrier to route calls made by its customers.

As I wrote in an update here, this language adds to the evidence they plan on chaining on Internet “calls.” It also suggests they will chain on devices that use the same private IP, as opposed to an IP tied to an Internet cafe.

Effective date

I love how they make it very clear that any prohibition on bulk collection of any sort can continue for 6 months.

This section provides that the new call detail records authority, the new Section 501 emergency authority, and the prohibition on bulk collection of tangible things under Section 501 take effect 180 days after enactment.

Transparency

The latest version of USA F-ReDux included language on “unique identifiers used to communicate information collected pursuant to such orders,” which was not defined. Here, they say it includes all people collected under the authority, “not just the number of target email addresses or telephone numbers.” That’s actually a good thing. The transparency provisions still exempt out the FBI because “the agency has indicated it lacks the capacity to provide,” which is a piss poor reason to exempt an agency that can throw people into jail for this. And the report doesn’t explain why it eliminated the top level number for Section 702.

Material Support

The report doesn’t even try to explain why it needs to bump the punishment for material support for terrorism — which, remember, can be no more than speech — from 15 to 20 years.

Originally Posted @ https://www.emptywheel.net/2015/05/11/hjc-usa-f-redux-report-other-thoughts/