Did the FISA Court Approve the “Relevant To” Dragnet Collection before Congress Passed the PATRIOT Reauthorization?
I want to point to a passage of the 2008 DOJ IG Report on use of Section 215. I think it adds new details about how the government came to use Section 215 to spy on all of us.
On page 20, the report describes what it calls “combination Section 215 Applications and Orders in 2006.” It reveals that for a period, when FBI got pen register/trap and trace orders, it would also use Section 215 to get subscriber information.
A combination application is a term used by OIPR to refer to a Section 215 request that was added to or combined with a FISA application for a pen register/trap and trace. The use of the combination request evolved from OIPR’s determination that FISA pen register/trap and trace orders did not require providers to turn over subscriber information associated with telephone numbers obtained through those orders. As a result, Section 215 requests were added to pen register/trap and trace orders to seek subscriber information.
That’s all for regular FBI use of the program.
But then it includes one of those heavily redacted passages that, we now know, refer to the bulk metadata collection program(s).
OIPR also used combination orders in 2005 and 2006 to obtain [two lines redacted]23
After passage of the Reauthorization Act on March 9, 2006, combination orders became unnecessary for subscriber information and [one line redacted]. Section 128 of the Reauthorization Act amended the FISA statute to authorize subscriber information to be provided in response to a pen register/trap and trace order. Therefore, combination orders for subscriber information were no longer necessary. In addition, OIPR determined that substantive amendments to the statute undermined the legal basis for which OIPR had received authorization [half line redacted] from the FISA Court. Therefore, OIPR decided not to request [several words redacted] pursuant to Section 215 until it re-briefed the issue for the FISA Court. 24
23 [One line footnote redacted]
24 OIPR first briefed the issue to the FISA Court in February 2006, prior to the Reauthorization Act. [two lines redacted]
This may actually pertain solely to the phone metadata collection (as far as we know, they never used 215 for Internet metadata because (James Cole implied yesterday) Internet companies don’t keep records of their customers’ metadata.
And the reference to 2005-2006 may simply refer to the period, after the initial NYT reports, when phone companies asked to be required to turn over their customers’ metadata.
If so, then this is nothing new … except for one detail. It suggests the government used PR/TT for the initial period of this collection, until such time as Congress passed the “relevant to” language in Section 215.
But that would also suggest that DOJ had developed and briefed this new use of Section 215 orders even before Congress approved the bill.
Only, it doesn’t appear to have told those pushing the bill through Congress.
Perhaps that’s why Jim Sensenbrenner — who was one of the bill managers — is so pissed.
It sounds almost as if the Department of Justice, NSA and FBI found that it was easier to work in secret with the FISA court rather than to work with (read that as inform) the Congressional committees like Judiciary and Intelligence that had jurisdiction.
Somehow that doesn’t surprise me.
I’m almost sure congress just meets a few times a week to hear themselves speak and to collect a check other than that they haven’t been in the game since the late Senator Church.
The redacted portions are about the telephone metadata. And if you recall from the classified Draft NSA IG Report that the Guardian published you can see where it discussed they needed a new rationale for the telephone metadata (in addition to obtaining actual orders for the other things).
As I mentioned in a previous comment it is almost certainly the case that what the government did was to retrieve the telephone metadata as Business Records rather than as Pen Register / Trap & Trace. The data that would be in pen register data under a PRTT would be a subset of the data the telephone companies retain for other purposes as there is nothing unique or distinct about PRTT data and it is useful and used for other business purposes. So long as it has some other business purpose or use by the telecommunications company and wasn’t solely collected at the behest of a PRTT then I am sure the government argued it was a business record and thus 215 applies.
As we know from the Verizon Order it doesn’t refer to any of the PRTT authorities under any law and there is the requirement that the Orders identify the authorities supporting the order. So, this is where I reach the conclusion that telephone metadata is being collected via the Business Record order (any tangible thing under 215). That the data would be identical to what could be obtained under PRTT is irrelevant and it allows them to bypass the restrictiveness of the PRTT protections of the various PRTT laws.
As for what Cole implied about internet metadata I don’t believe he was suggesting that internet companies don’t collect it but rather was dodging the question because, if I am not mistaken, the UPSTREAM program (even its name) from the PRISM slides has not been declassified for anyone to talk about it. And again from the Classified Draft NSA IG Report we know that they can target internet metadata directly by sending selectors to internet servers and need no interaction with internet companies to facilitate the use of those selectors which sounds pretty much like what one would expect a program like UPSTREAM to be capable of doing.
It seems what Sensenbrenner and Wyden and Udall are dancing around is that Congress never intended to allow a loophole to bypass PRTT when the act by the FBI/NSA et al is for all intents and purposes PRTT. They end up hinting at this because the Business Records Order under the FISC is still classified – including its very existence let alone the content of the orders and supporting arguments and exhibits.
Congress could close that loophole very easily if it wanted to but none of the proposed legislation put forth since this stuff came out seems to do that. Right now it seems to be the case that what they want is for the Administration to voluntarily not use that loophole or reduce what it obtains via that loophole but leave the loophole in place. Why that is I don’t know but that seems to be where we are.
That actually makes some sense. Internet data is broken to individual packets and each one delivered more or less separately. Each character of this message may very well arrive to the emptywheel site via a different path. Thus unlike phone conversations which have one endpoint routing metadata for the actual bits of the e-mail may be quite large and bluffdale couldn’t hold it all let alone the average ISP. Moreover the unwrap and repack policy of internet routing means that whatever information the packet arrives with may not actually reflect the path initially taken so its value is limited.
One interesting question is whether things like the e-mail post route (different from the packet route) are treated as data or metadata.
Today at the Brookings Institution James S. Litt spoke. As Spencer Ackerman reported in the Guardian:
But Litt also noted: “All of the metadata we get under this program is information that the telecommunications companies obtain and keep for their own business purposes.”
So they are avoiding the PRTT provisions under the Wiretap statutes to bypass any of those protections as using Business Records orders under section 215. Though I suspect that Congress did not intend 215 to be a dragnet provision in using the phrase “Any tangible thing” but rather so they didn’t have to define each and every specific business record out there as each company may store their records differently. At the same time I suspect that the argument made by the government (that we haven’t seen yet) is that “Any” can mean “All” as in “Any tangible thing” being a List (a single thing) that contains all customer records.
Quite likely we are in the semantic parsing realm analogous to the meaning of “is”.
@Mindrayge: Oh, we KNOW they used 215. They’ve been very explicit about it. And that is, in fact, declassified. What is not yet declassified is that this metadata serves as a kind of index for the already collected content.
I know that. What I am pretty much convinced of is that they are avoiding using PRTT. And further I think they are doing so to avoid any chance of getting anywhere near the Supreme Court and having to stand on Smith v. Maryland from 1979 which decided there was no expectation of privacy in the numbers you dial or the numbers that dial you.
But the Telecommunications Act of 1996 section 702 created an explicit expectation of privacy in the numbers you dialed or that dialed you (among other data) with very limited exceptions. This is not limited to whether telecoms can sell customer data to marketers or other third parties. The only exceptions are explicit and with regards to law enforcement only apply in emergencies in the use of 911 service. This not only covered land lines but also cell phones and voice over IP services such as your cable company providing your phone service, Skype, Vonage, etc. as well as services like OnStar. And it includes not only the number calling and number called, date/time, and duration but also location information, the telecom services used, and the type of telephone device you used in any call.
That is, if a case with the exact same circumstances as Smith v. Maryland were to come to the Supreme Court today it would not hold up. I believe that is the basis on which the telecoms were demanding to be ordered to deliver data and the reason for the Telecom immunity as otherwise each of the telecoms would have faced fines of over $1.3 million per day that they had been providing data. But that would be the best case as they could also have faced $12,500 per incident per day with no fine limit (billions or trillions in fines per day) depending on exactly what they did.
A law from 1996 can’t be usurped by a decision from 1979 especially when it specifically addresses the two tests of that 1979 decision.
So there is nothing classified about the fact that they are using 215. But the Business Record Order – there will have been a generic argument and exhibits for it to apply to data that otherwise would fall under PRTT – is still classified and we have not seen it. If there were not a generic form of these, the government would have to re-argue the same for each and every telecom. So the Verizon Order we have seen is a specific implementation of an order based on a settled prior argument that we haven’t seen.
If the FISC accepted Smith v. Maryland as a basis the government can end up with the problem that the orders are invalid and would require new orders under PRTT to obtain telephony metadata and those are much more restrictive and are more in line with the way the government explains how they do this surveillance publicly – but that we know isn’t true – and it would make collection for contact chaining, for telephone contacts at a minimum, impossible.
It is entirely possible that they made the argument that they are pulling the data as a business record only and didn’t bring Smith v. Maryland into it but I doubt it. The government (at all levels) has been trying to redefine the 4th amendment as only the tests in Katz and by implication Smith v. Maryland for 4 decades now and as of late have been overturned several times in the past few years – including twice in the past 12 months (though neither had to do with metadata they both had to do with government attempts to redefine the 4th amendment protections).
In the response to the ACLU suit that the government made on Thursday they cited records already collected by the business but went on to also cite Smith v. Maryland. But also they asked to delay the full response to September 16th because they claim that multiple agencies are working to declassify portions of the surveillance and the assessment of what might be declassified is on-going but expected to be completed by end of August. And thus, what they would say in their response would be different than what they could say with the earlier response date.
Anything that stops just the telephony metadata dragnet opens the door to making the Lone Wolf provisions of the PATRIOT ACT nearly impossible to be operated on by the government domestically. And it would have impacts on any criminal case (non terrorism or foreign intelligence related) that derived from telephony metadata collection. After all somehow the FBI miraculously ends up with confidential informants that get themselves into stings like the Liberty 7, the New Jersey pizza delivery plot, the two guys in Washington and Fort Lewis, and so on and so on that had no foreign connection whatsoever. It can’t all be happenstance and I suspect none of it was. Heck, the very first bust using the PATRIOT Act was on a brothel in New Orleans that had nothing to do with terrorism at all.
@Mindrayge:
You’re very learned, thanks. Definitely a seat for you in the escape pod.