[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

HJC’s Manager’s Amendment Blows Open 702 Metadata Queries

I realized something as I was doing a last minute review comparing the Manager’s Amendment of 702 reauthorization that will be marked up in the House Judiciary Committee with a recent version. Here’s the language the two bills propose for querying of metadata:

Recent Version:

RELEVANCE AND SUPERVISORY APPROVAL TO ACCESS NON-CONTENTS INFORMATION.—Except as provided by subparagraph (D), the information of communications acquired under subsection (a) relating to the dialing, routing, addressing, signaling, or other similar non-contents information may be accessed or disseminated only upon a determination by the Attorney General that

(i) such communications are relevant to an authorized investigation or assessment, provided that such investigation or assessment is not conducted solely on the basis of activities protected by the first amendment to the Constitution of the United States; and

(ii) any use of such communications pursuant to section 706 will be carried out in accordance with such section.

Manager’s Amendment

(C) RELEVANCE AND SUPERVISORY APPROVAL TO ACCESS NON-CONTENTS INFORMATION.—Except as provided by subparagraph (D), the information of communications acquired under subsection (a) relating to the dialing, routing, addressing, signaling, or other similar non-contents information may be accessed or disseminated only—

(i) with supervisory approval;

(ii) [] if such information is not sought solely on the basis of activities protected by the first amendment to the Constitution of the United States;

(iii) if an order based on probable cause would not be required by law to obtain such information if requested as part of an investigation of a Federal crime; and

(iv) if any use of such communications pursuant to section 706 will be carried out in accordance with such section.

Inventing metadata-plus

I haven’t commented on this at length, but one thing the HJC bill does that the other drafts don’t is to invent a new, undefined category of “metadata plus.” They do so to get around the issue I laid out here: NSA has always treated as metadata stuff that from a packet architecture perspective is actually content. They did so by breaking the law from 2001 to 2004 and again from 2004 to 2009 and almost certainly still from 2010 to 2011. After 2011, they simply shut down the Internet metadata program and swapped it to access of metadata acquired under the name of content from upstream collection.

If HJC were a real legislative body, they’d take this opportunity, having clearly identified the need, to redefine metadata in a way that makes sense in the Internet era.

But they chose not to do that. Instead, they’ve just slapped a “or other similar non-contents information” onto the traditional definition of metadata, without defining it!!, so as to cover the continued access to such non-content information without debating the limits of the new definition.

Swapping AG approval for supervisor approval

That redefinition of metadata happens in both bills. But something new happens in the manager’s amendment. It swaps delegable Attorney General approval for “supervisory” approval. That’s still more than currently happens at FBI but possibly less than what currently happens at NSA. But it will ensure that such queries are common and easy.

Eliminating the tie to any investigation

Then the manager’s amendment eliminates the requirement that such queries are “relevant to” (whatever that means anymore) an authorized investigation. This will open up the data for assessments, meaning the FBI can use the data for far more than just investigating crimes. Again, that matches the status quo for FBI currently (which is effectively mostly what the HJC bill does, all while screaming LIBERTY cynically). But it does mean the FBI can continue to research whether you’ve been talking to foreigners without having any evidence of wrong-doing first.

Permitting the use of location and other enhanced metadata

Here’s the big tell, the addition of this language to the metadata querying language. The government can only do back door metadata searches on US persons  “if an order based on probable cause would not be required by law to obtain such information if requested as part of an investigation of a Federal crime.”

My discussion of metadata-plus, above, is mostly important today for NSA, because it involves NSA’s use of “metadata” obtained from upstream queries. That stuff doesn’t get passed on to FBI and CIA (which like FBI refuses to count its metadata queries) yet, but I guarantee you it soon will.

But remember, FBI (and CIA) are getting raw PRISM information.

And PRISM data includes a lot of “non-content” information that is not DRAS that would be of interest to the FBI, starting with location data (among other things, FBI likes to obtain the location data from your phone that you share with apps like Facebook). This probably also allows FBI to skirt jurisdictions were obtaining content without a warrant would be illegal, given that it came from national collection. In any case, however, most jurisdictions will still give some content with a PRTT, so without probable cause.

Like all the other tweaks, this probably also reflects the status quo — meaning that the FBI is accessing as metadata stuff that is far more intrusive. But by laying out the prohibition in this way, it makes it clear that FBI (and CIA) will be (continuing to) access fairly intrusive metadata-plus collected by cloud providers that wouldn’t have been identified without the use of warrantless surveillance.

Watering the meaningless warrant requirement down still further

I have argued that the warrant requirement in the HJC bill is currently meaningless, because it permits queries for foreign intelligence information and permits the FBI to define foreign intelligence with the next certification (another area where HJC has abdicated its legislative role to the Intelligence Community).

By codifying that FBI can do metadata queries without an open investigation, the government is ensuring that it can continue to access this information at the assessment level, even if they’re not doing so under the guise of national security.

But two other changes in the manager’s amendment water down the meaningless warrant requirement even more.

First, the manager’s amendment eliminates this prohibition on using metadata to prove probable cause.

noncontents information accessed or disseminated pursuant to subparagraph (C) is not the sole basis for such probable cause;

That means the government can access metadata without an open investigation, and then use that metadata as the sole basis to access the content.

But under the manager’s amendment, the FBI can bypass the court altogether if the Attorney General (currently racist Jeff Sessions) reasonably determines the US person is communicating with someone engaged in, or materially supporting, terrorism.

Subject to section 706(a)(2), 25 based on a review described in item (II), the Attorney General reasonably determines that the person identified by the queried term is, or is communicating with—

(aa) a person reasonably believed to be engaged in international terrorism (as defined in section 101(c)) or activities in preparation therefore; or

(bb) a person reasonably believed to be acting for, or in furtherance of, the goals or objectives of an international terrorist or international terrorist organization.

And that review relies on the same metadata-plus.

A review described in this item is a review of information of communications acquired under subsection (a) relating to the dialing, routing, addressing, signaling, or other similar non-contents information,

Again, all of this basically amounts to retaining the status quo (though at a time when Russia may pose a greater threat to the US than the shriveling ISIS, and when gun violence by regular old American whackos is proving far more lethal than that of ISIS, it’s not clear that prioritizing terrorism anymore makes sense).

But it is a testament both to how much the HJC bill is really just window dressing, Potemkin reform cynically called “Liberty,” and hints at how they’re really using metadata-plus.

image_print
6 replies
  1. SpaceLifeForm says:

    It’s about time to start the ‘Humpty Dumpty for President’ campaign.

    “if an order based on probable cause would not be required by law to obtain such information if requested as part of an investigation of a Federal crime.”

    So is an order really a request or the other way around? Which comes first? The probable cause or the investigation?

    If If, Then Then. The Theorem Theorem.

    “When I use a word,” Humpty Dumpty said, in rather a scornful tone, “it means just what I choose it to mean—neither more nor less.”

    “The question is,” said Humpty Dumpty, “which is to be master—that’s all.”

  2. PeasantParty says:

    Space, I agree. I love Jason and trust him. However, something is not right about that article. Also, maybe that ex-marine cyber sleuth needs more sunshine. Why would somebody that good, skill wise, work for that specific company? And, why would the DNC go to them first?

Comments are closed.