More Visibility on Stingrays

On New Year’s Eve, Chuck Grassley released details of ongoing discussions he and Patrick Leahy have had with the FBI about its use of Stingray (or IMSI catcher) technology, which the FBI and other agencies use to identify cell phone location. Also early last month, the Minneapolis Star-Tribune liberated copies of the documents Minnesota’s Bureau of Criminal Apprehension had to sign to get a Stingray (which is less redacted than an NDA released by the Tacoma Police Department to Muckrock in September). Together the documents provide new insight into how the FBI manages the use of Stingrays around the country.

In his release on Stingrays, Grassley revealed that FBI had recently changed its policy on Stingray use — though the “changed” policy probably affects very little Stingray use.

[W]e understand that the FBI’s new policy requires FBI agents to obtain a search warrant whenever a cell-site simulator is used as part of a FBI investigation or operation, unless one of several exceptions apply, including (among others): (1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.

We have concerns about the scope of the exceptions.  Specifically, we are concerned about whether the FBI and other law enforcement agencies have adequately considered the privacy interests of other individuals who are not the targets of the interception, but whose information is nevertheless being collected when these devices are being used.  We understand that the FBI believes that it can address these interests by maintaining that information for a short period of time and purging the information after it has been collected.  But there is a question as to whether this sufficiently safeguards privacy interests.

I say this probably doesn’t affect much Stingray use because we already know the US Marshal Service makes up a lot of the known Federal use of Stingrays (at least that use that obtains Pen Registers to use the Stingrays). They would presumably be hunting fugitives, which is one of the overly broad exceptions in FBI’s “new” policy. We discovered last year just how elastic the federal government’s interpretation of “imminent danger” can be. And the most common — and troubling — known uses of Stingrays are in public spaces (like legal protests) to track participants.

Indeed, in the one known example where a Stingray was used to discover the identity of a suspect, Daniel Rigmaiden, the government got a warrant for its use, albeit one obtained without fully explaining how it works.

So it’s not clear that this “new” policy will change all that much. Moreover, Grassley is focused on federal use of the technology, and not the way federal use intersects with and controls local use.

Now couple that with this non-disclosure agreement (pages 10-15, h/t SanLeandroPrivacy) sent in June 2012. The NDA explains that,

Disclosing the existence of and the capabilities provided by such equipment/technology to the public would reveal sensitive technological capabilities possessed by the law enforcement community and may allow individuals who are the subject of investigation wherein this equipment/technology is used to employ countermeasures to avoid detection by law enforcement. This would not only potentially endanger the lives and physical safety of law enforcement officers and other individuals, but also adversely impact criminal and national security investigations.

If that’s such a big worry, then maybe it shouldn’t be so widely available in the first place? Also, I see how seamlessly the FBI moves from law enforcement to national security functions…

The NDA then goes on to tell the BCA the following (among other things):

  • BCA should only use it for “public safety operations or criminal investigations.”
  • BCA accepts liability for violations of Federal law, irrespective of the FBI approval, if any, of [redacted].
  • The BCA will [redacted] to ensure deconfliction of respective missions.

Then there’s a very long paragraph laying out something else the BCA “shall not” do.

So over the course of the NDA, we got from “law enforcement” purposes, to national security investigations, to “public safety operations.” The NDA clearly envisions FBI approval of some use of this technology, suggesting an ongoing relationship with this local agency. That is further established by FBI’s concern about “deconfliction of respective missions,” meaning FBI expects BCA to communicate about how it will use its Stingray with other agencies who might be using their Stingrays (or BCA’s Stingray?) in ways that might set off a turf war. Plus whatever that “shall not” paragraph says.

The point is, the FBI is not just demanding that BCA not tell anyone that it has a Stingray and how Stingrays are used (see this Chris Soghoian and Stephanie Pell paper for why that’s a futile fight anymore anyway). It is also demanding certain things about cooperation between agencies. And while that makes sense from a bureaucratic standpoint, it also may suggest there’s more reason to keep FBI involved in these local operations than just secrecy. After all, as more and more local police departments get Stingrays and sign these agreements with FBI, the FBI is assured there’s a network of Stingrays across the country that will be deployed if necessary. Given the inclusion of national security investigations in this NDA (which, after all, is all that FBI thought it needed to get NSA to collect all our phone records), it at least introduces the possibility of a more systematic FBI program for which the FBI relies on local Stingrays.

That’s just a latent concern of mine — we don’t yet have the proof of it (we’ll have to liberate far more NDAs to get it). But it does seem logical, given the role FBI is playing in this process, all in the guise of futile secrecy.

The NSA’s Funny Numbers, Again

Back when the WaPo published a quarterly NSA compliance audit from 2012, I caught the largest math organization in the world failing basic arithmetic. I’ve been comparing that report with the Intelligence Oversight Board report covering the same period, and I’m finding the numbers might, once again, not add up (though it’s hard to tell given the redactions).

According to NSA’s internal numbers, the organization had 865 violations in the first quarter of calendar year 2012 (670 EO 12333 violations and 195 FISA violations). Yet NSA described just 163 violations in depth (75 EO 12333 violations and 88 FISA violations, though further violations are likely hidden behind redactions in bulk descriptions).

Here’s how the numbers compare, broken down by category (I used the categories used in the IOB Report heading, unless the violation was clearly a roamer or a US Person).

[Screenshot]

Whereas some numbers are very close — such as for the illegal targeting of a US Person — there were other things, such as sharing a US person’s data or some fairly troubling unauthorized access violations not explicitly mentioned in the internal audit. Nor are unauthorized targeting and access mentioned as such.

And then there are all the “roamer” incidences, which apparently don’t all get reported to IOB (though you can definitely see an increase in them over the years), and which often look a lot less accidental when explained in the IOB report.

Then there are the rather measured descriptions the NSA gives IOB (which we’ve seen in other areas, as with the Internet dragnet, and which might be worst with the upstream violations).

Here’s what the NSA reported internally:

As of 16 February 2012, NSA determined that approximately 3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a server and been collected more than five years ago in violation of the 5-year retention period established for BR collection. Specifically, these files were retained on a server used by technical personnel working with the Business Records metadata to maintain documentation of provider feed data formats and performed background analysis to document why certain contact chaining rules were created. In addition to the BR work, this server also contains information related to the STELLARWIND program and files which do not appear to be related to either of these programs. NSA bases its determination that these files may be in violation of BR 11-191 because of the type of information contained in the files (i.e., call detail records), the access to the server by technical personnel who worked with the BR metadata, and the listed “creation date” for the files. It is possible that these files contain STELLARWIND data, despite the creation date. The STELLARWIND data could have been copied to this server, and that process could have changed the creation date to a timeframe that appears to indicate that they may contain BR metadata.

Here’s what NSA told the IOB about this violation:

[redacted] NSA determined that a technical service contained BR call detail records older than the approved five years. Approximately [redacted] records comprising approximately [fairly big redaction] records were retained for more than five years. The records were found on an access-controlled server that is used exclusively  by technical personnel and is not accessible to intelligence analysts. [2 lines redacted]

Here’s what PCLOB had to say about this violation:

In one incident, NSA technical personnel discovered a technical server with nearly 3,000 files containing call detail records that were more than five years old, but that had not been destroyed in accordance with the applicable retention rules. These files were among those used in connection with a migration of call detail records to a new system. Because a single file may contain more than one call detail record, and because the files were promptly destroyed by agency technical personnel, the NSA could not provide an estimate regarding the volume of calling records that were retained beyond the five-year limit. The technical server in question was not available to intelligence analysts.

While it appears NSA managed to give IOB (completely redacted) numbers for the files involved, it appears PCLOB never got a clear count of how many were involved. It’s not clear that NSA ever admitted this data may have gotten mixed in with Stellar Wind data. No one seems to care that this was a double violation, because techs are supposed to destroy data when they’re done with it.

Though, if you ask me, you should wait to figure out why so many records were lying around a tech server before you destroy them all. But I’m kind of touchy that way.

One thing I realize is consistent between the internal audit and the IOB report. The NSA, probably the owner of the most powerful computing power in the world, consistently uses the term “glitch” to describe software that doesn’t do what it is designed to do to keep people out of data they’re not supposed to have access to.

The glitches are letting us down.

Hacking in the IOB Reports

If I’m not mistaken, this — in the Q3 2008 NSA Report to the Intelligence Oversight Board — is the first mention of Computer Network Exploitation in the reports.

[Screenshot]

As with almost every single reference to CNE — that is, hacking, or the use of malware to be able to spy on a target — this one is entirely redacted. (The sole exception is a targeted email that was detasked because the target entered the US, in the Q1 2009 report).

The number/complexity of incidents or details expand for some years, as with this in Q2 2009.

[Screenshot]

The entries invariably cite 18 USC 798 as a FOIA exemption. They vary on whether they’re FVEY (that is, permissibly shared with members of the Five Eyes) or NF (that is, not to be shared with any foreign government), though in later years the entries have much more frequently been NF — take that, Brits! And the entries appear under “Other,” not EO 12333 (which is curious, given that hacking should be governed by EO 12333).

After that first, single-incident mention, CNE appears in each report until Q4 2011, after which it doesn’t appear again (though there is an entirely redacted section that appears in all but the most recent report in the EO 12333 section).

I make these observations not because they tell us anything about what kind of hacking the NSA is doing (you can look to Snowden’s documents for that). But to lay out several questions.

If — as claimed in Shane Harris’ @War — hacking is increasingly how we collect SIGINT, how is it regulated? Did NSA, does NSA still, consider it to be something other than EO 12333 collection? What counts as a violation when you’re hacking to collect intelligence? To what degree is IOB overseeing the methods used, as opposed to just the actions that’d be violations regardless of the collection type (as detasking someone in the US would be)? And if CNE (hacking) has entirely disappeared from these reports, does that mean NSA has just cleaned up its act, or that it simply doesn’t report on this anymore?

I get why these passages are entirely redacted. In part, NSA is sustaining the same myth it sustains when it doesn’t admit StuxNet. It’s pretending it is not engaging in the same hacking it sanctions North Korea for.

Only it is. Which raises real questions about what kind of oversight it gets.

NSA Obfuscated to Congress about Back Door Searches in 2009

The NSA got a lot of criticism for releasing its IOB reports on December 23, just as everyone was preparing for vacation. But there were three reports that — at least when I accessed the interface — weren’t originally posted: Q3 and Q4 2009 and Q3 2010 — all conveniently important dates for the Internet dragnet (I’ll have more on what they didn’t disclose soon).

Apparently those reports were added on New Year’s Eve Eve Eve, an even bigger wasteland for document dumps than Christmas Eve.

[Screenshot]

In addition to details about what NSA did and didn’t reveal about the Internet and (to a lesser degree) phone dragnet, the Q3 report also claimed to rebut this June 16, 2009 Risen and Lichtblau article.

[Screenshot]

The article pretty clearly reveals the outlines of what we’ve since learned to be big privacy problems behind NSA’s programs — definitely back door searches, and probably upstream collection.

Since April, when it was disclosed that the intercepts of some private communications of Americans went beyond legal limits in late 2008 and early 2009, several Congressional committees have been investigating. Those inquiries have led to concerns in Congress about the agency’s ability to collect and read domestic e-mail messages of Americans on a widespread basis, officials said. Supporting that conclusion is the account of a former N.S.A. analyst who, in a series of interviews, described being trained in 2005 for a program in which the agency routinely examined large volumes of Americans’ e-mail messages without court warrants. Two intelligence officials confirmed that the program was still in operation.

[snip]

A new law enacted by Congress last year gave the N.S.A. greater legal leeway to collect the private communications of Americans so long as it was done only as the incidental byproduct of investigating individuals “reasonably believed” to be overseas.

But after closed-door hearings by three Congressional panels, some lawmakers are asking what the tolerable limits are for such incidental collection and whether the privacy of Americans is being adequately protected.

“For the Hill, the issue is a sense of scale, about how much domestic e-mail collection is acceptable,” a former intelligence official said, speaking on condition of anonymity because N.S.A. operations are classified. “It’s a question of how many mistakes they can allow.”

[snip]

The N.S.A. is believed to have gone beyond legal boundaries designed to protect Americans in about 8 to 10 separate court orders issued by the Foreign Intelligence Surveillance Court, according to three intelligence officials who spoke anonymously because disclosing such information is illegal. Because each court order could single out hundreds or even thousands of phone numbers or e-mail addresses, the number of individual communications that were improperly collected could number in the millions, officials said.

[snip]

But even before that, the agency appears to have tolerated significant collection and examination of domestic e-mail messages without warrants, according to the former analyst, who spoke only on condition of anonymity.

He said he and other analysts were trained to use a secret database, code-named Pinwale, in 2005 that archived foreign and domestic e-mail messages. He said Pinwale allowed N.S.A. analysts to read large volumes of e-mail messages to and from Americans as long as they fell within certain limits — no more than 30 percent of any database search, he recalled being told — and Americans were not explicitly singled out in the searches.

Over and over, this report clearly describes the accessing of US person data, without warrants, that has been incidentally collected. Rush Holt — then leading an oversight investigation into the NSA — even goes on the record in the article.

The report helpfully includes the rebuttal NSA sent to Congress (starting at PDF 18). The rebuttal goes like this:

  • The NYT story made “it seem as if NSA is broadly irresponsible in executing its mission” under EO 12333 or FISA. “The opposite is true.”
  • NSA recently identified compliance issues but these “accusations are far afield of the compliance matters” related to the metadata dragnets and other recent violations. [The NYT had never said they were related, and there’s no evidence Risen and Lichtblau knew of them, except insofar as they also finally confirmed that the hospital confrontation pertained to the Internet dragnet in this article.]
  • It is difficult to know what the NYT’s anonymous sources mean. [The rebuttal makes no mention of Holt’s on the record comments, or the obvious references to back door searches.]
  • Maybe the reference to the examination of US person content is a reference to David Faulk but those allegations are false as the NSA IG will soon report.
  • A largely redacted bullet seems to admit they suck in related emails, as alleged in the article.
  • “The article also identifies a 30% threshold for inclusion of U.S. person information within NSA databases. There is no truth to this statement.”  [Of course, that’s not what the article says, as the red text above makes clear — it talks about how much US person content a search may pull up, not how much is in the databases.]
  • The access of Bill Clinton’s email was in 1992 and it is used as an example in oversight training [which is what the article described — though the rebuttal makes it far more clear that this is an “about” search on what other people are saying about Clinton].


How ABC Investigative Reports Turn into NSA Briefings to the SSCI

I’m still working through the NSA reports to the Intelligence Oversight Board posted right before Christmas. Here’s a detail (in the Q4 2008 report) I find interesting:

[Screenshot]

The Shadow Factory was published on October 14, 2008.

8 days before that, the NSA notified the Senate Intelligence Committee (just the SSCI at first?!?!) about an impending (it aired on October 9) Brian Ross interview with whistleblowers from James Bamford’s book on ABC.

The interview included a clip from Michael Hayden’s 2006 CIA Director confirmation hearing before SSCI in which he claimed Americans’ private conversations would never be intercepted.

In testimony before Congress, then-NSA director Gen. Michael Hayden, now director of the CIA, said private conversations of Americans are not intercepted.

“It’s not for the heck of it. We are narrowly focused and drilled on protecting the nation against al Qaeda and those organizations who are affiliated with it,” Gen. Hayden testified.

He was asked by Senator Orrin Hatch (R-UT), “Are you just doing this because you just want to pry into people’s lives?”

“No, sir,” General Hayden replied.

It also included flaccid responses from both then CIA Director Hayden and his spokesperson Mark Mansfield (who was actively involved in pre-emptive leaks to the press on torture) and Keith Alexander (who was Deputy Chief of Staff for Army Intelligence at the time of the violations).

In addition, the ABC report included a quote from then SSCI Chair Jello Jay Rockefeller (who, of course, would have found out about it from the agency days before the report).

The chairman of the Senate Intelligence Committee, Jay Rockefeller (D-WV), called the allegations “extremely disturbing” and said the committee has begun its own examination.

“We have requested all relevant information from the Bush Administration,” Rockefeller said Thursday. “The Committee will take whatever action is necessary.”

It also made clear that Orrin Hatch had been the one to pitch the softball to Hayden in 2006, about which — it is abundantly clear — he lied.

Finally, it includes an anonymous quote from a “US intelligence official” making it clear that all US government employees might be spied on, contrary to Hayden’s public claims during the confirmation process.

Asked for comment about the ABC News report and accounts of intimate and private phone calls of military officers being passed around, a US intelligence official said “all employees of the US government” should expect that their telephone conversations could be monitored as part of an effort to safeguard security and “information assurance.”

There appear to be several things going on with this.

First, this is ABC News, one of the outlets notorious for laundering intelligence claims; indeed, it is possible this is a limited hangout, an attempt to preempt one of the most alarming revelations in Bamford’s book. While the report doesn’t say it explicitly, it implies the claims of whistleblowers Kinne and Faulk prove Hayden to have lied in his CIA Director confirmation hearing, in response to the softball thrown by Hatch. In any case, the briefing about this disclosure appears to have gone exclusively to SSCI (with follow-up briefings to both intelligence oversight committees afterwards), the committee that got the apparently false testimony (and not for the last time, from Michael Hayden!). But by briefing the Committee, it also gave Jello Jay an opportunity — and probably, explicit permission — to sound all stern about a practice the Committee likely knew about.

In the IOB Report, this is portrayed as a model of oversight. But from what we know about the parties involved, it is just as likely to have been an effort at press management.

Update: The 3Q 2009 report describes the outcome of the report. It found “no targeting of US persons.”

Stellar Wind and the Intelligence Oversight Board Reports

As I noted, the NSA released its quarterly reports to the Intelligence Oversight Board as a FOIA-coal-for-Christmas present. In them, we see how the NSA executed a bit of legal chicanery with respect to Stellar Wind which had previously been revealed in the 2009 Draft IG Report on Stellar Wind.

The report claims that NSA’s Inspector General did not get read into the program until August 2002. The IG Report claims to be mystified as to why NSA operated an illegal program for 9 months before reading in the IG; it offers the suggestion that President Bush didn’t want to read in the IG until NSA had a named IG, rather than an Acting one — but that doesn’t explain why they waited 4 months after Joel Brenner came in in April 2002.

(TS//SI//NF) We could not determine exact reasons for why the NSA IG was not cleared for the PSP until August 2002. According to the NSA General Counsel, the President would not allow the IG to be briefed sooner. General Hayden did not specifically recall why the IG was not brought in earlier, but thought that it had not been appropriate to do so when it was uncertain how long the Program would last and before operations had stabilized. The NSA IG pointed out that he did not take the IG position until April 2002, so NSA leadership or the White House may have been resistant to clearing either a new or an acting IG.

One of the things Brenner instituted — the report claims it started almost a year after he came in and more than 6 months after he got read into the program — was to make the IOB reports technically correct by stating that there might be incidents not noticed to IOB but instead noticed to the President.

(C) Second, in March 2003, the IG advised General Hayden that he should report violations of the Authorization to the President. In February of 2003, the OIG learned of PSP incidents or violations that had not been reported to overseers as required, because none had the clearance to see the report.

(TS//SI//OC/NF) Before March 2003, NSA quarterly reports on intelligence activities sent to the President’s Intelligence Oversight Board (through the Assistant to the Secretary of Defense for Intelligence Oversight) stated that the Director was not aware of any unlawful surveillance activities by NSA other than that described in the report. Beginning in March 2003, at the IG’s direction, NSA quarterly reports stated that except as disclosed to the President, the Director was not aware of any unlawful surveillance activities by NSA. Also beginning in March 2003, PSP violations, including those not previously reported to the Intelligence Oversight Board, were reported in “Presidential Notifications.”

But that’s actually not correct. The change appears in the December 4, 2002 report.

[Screenshot]

If the remaining chronology is correct — that Brenner had not yet convinced Hayden to tell the President about violations and that there were some February 2003 violations that did not get reported — then the December 2002 report was inaccurate, because the President would not have been noticed.

What I find interesting about it is how signatures were handled before that. In the June 2002 report — at a time when Brenner was not read into the program — he signed the report himself.  In the August 27, 2002 report (which was presumably submitted just after Brenner got read into Stellar Wind), Brian McAndrew, who had been Acting IG before Brenner took over, signed for him.

[Screenshot]

And, in perhaps related metadata, there’s this, from the December 2001 report (that is, the first one after the initiation of Stellar Wind).

[Screenshot]

I think, though am not certain, this note comes from Michael Hayden (with an “H” in the circle), to whom the memo is addressed. He appears to have asked Robert Deitz to discuss the implications of this notice further before he signed it. And someone amended the notice, to include violations known to affiliated (agency?) directors but not to Hayden.

That is, it seems possible that even Michael Hayden hesitated to say this report included all violations of law without Robert Deitz (who has written some robust defenses of NSA since the Snowden leaks) holding his hand somewhat.

Update: Note that the coversheet with Hayden’s note was initially dated December 7, 2001. But the date on the letter he signed was January 4, 2002. That suggests they could have actually changed the content of the letter in response to Hayden’s concerns, though such a delay appears normal given the other reports. 

Of course, this entire structure is premised on the caveat that the President can instruct agency heads not to include violations he doesn’t want them to. And the gaming of some signatures to avoid making false declarations is child’s play compared to what Obama did at the beginning of his Administration, which was basically to let the entire board lapse by not appointing anyone.

Still, the games they were playing with their declarations suggest these men — who’ve made broad comments about how well NSA follows the law — know they were fibbing.

Section 309: A Band-Aid for a Gaping Wound in Democracy

Metadata: Someone surveilling our conversation “connection chained” Bob Litt and me chatting about spying on Americans in the Hayek Auditorium at CATO on 12/12/14.

On Friday, officials from James Clapper’s office confirmed in a number of different ways that the government obtains “vast troves” of Americans’ communication overseas. And rather than enforce Dianne Feinstein and Mark Udall’s suggestion that the intelligence community treat it under FISA — as the spirit of FISA Amendments Act, which extended protection to Americans abroad, would support — Congress instead passed Section 309, a measure to impose limited protections on vast unregulated spying on Americans.

This all happened at CATO’s conference on surveillance, an awesome conference set up by Julian Sanchez.

My panel (moderated very superbly by Charlie Savage) revisited at length the debate between former State Department whistleblower John Napier Tye and Director of National Intelligence Civil Liberties Officer Alex Joel (into which I stuck my nose). As he did in his Politico post responding to Tye’s alarms about the risk of EO 12333 collection against Americans to democracy, Joel pointed to the topical limits on bulk collection Obama imposed in his Presidential Policy Directive 28, which read,

The United States must consequently collect signals intelligence in bulk in certain circumstances in order to identify these threats. Routine communications and communications of national security interest increasingly transit the same networks, however, and the collection of signals intelligence in bulk may consequently result in the collection of information about persons whose activities are not of foreign intelligence or counterintelligence value. The United States will therefore impose new limits on its use of signals intelligence collected in bulk. These limits are intended to protect the privacy and civil liberties of all persons, whatever their nationality and regardless of where they might reside.

In particular, when the United States collects nonpublicly available signals intelligence in bulk, it shall use that data only for the purposes of detecting and countering: (1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests; (2) threats to the United States and its interests from terrorism; (3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction; (4) cybersecurity threats; (5) threats to U.S. or allied Armed Forces or other U.S or allied personnel; and (6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.

I noted — as I did in my Salon piece on the topic — that bulk collection for even just one topic means the collection of everything, as counterterrorism serves as the excuse to get all phone records in the US in the phone dragnet. Joel did not dispute that, explaining that PPD-28 only limits the use of data that has been bulk collected to these six purposes. PPD-28 does nothing to limit bulk collection itself. Though the fact that these limitations have forced a change in how the NSA operates is testament that they were using data collected in bulk for even more reasons before January.

The NSA is, then, aspiring to collect it all, around the world.

Which was a point confirmed in an exchange between Joel and Tye. Joel claimed we weren’t collecting nearly all of the Internet traffic out there, saying it was just a small fraction. Tye said that was disingenuous, because 80% of Internet traffic is actually things like Netflix. Tye stated that the NSA does collect a significant percentage of the remainder (he implied most, but I’d want to see the video before I characterize how strongly he said that).

Again, collect it all.

Our panel didn’t get around to talking about Section 309 of the Intelligence Authorization, which I examined here. The Section imposes a 5 year retention limit on US person data except for a number of familiar purposes — foreign intelligence, evidence of a crime, encryption, all foreign participants, tech assurance or compliance, or an Agency head says he needs to retain it longer (which requires notice to Congress). Justin Amash had argued, in an unsuccessful attempt to defeat the provision, that the measure provides affirmative basis for sharing US person content collected under EO 12333.

In a later panel at the CATO conference, DNI General Counsel Bob Litt said that the measure doesn’t change anything about what the IC is already doing.

The Emergency EO 12333 Fix: Section 309

In a last minute amendment to the Intelligence Authorization, the House and Senate passed a new section basically imposing minimization procedures for EO 12333 or other intelligence collection not obtained by court order. (See Section 309)

(3) Procedures.–

(A) Application.–The procedures required by paragraph (1) shall apply to any intelligence collection activity not otherwise authorized by court order (including an order or certification issued by a court established under subsection (a) or (b) of section 103 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803)), subpoena, or similar legal process that is reasonably anticipated to result in the acquisition of a covered communication to or from a United States person and shall permit the acquisition, retention, and dissemination of covered communications subject to the limitation in subparagraph (B).

(B) Limitation on retention.–A covered communication shall not be retained in excess of 5 years, unless–

(i) the communication has been affirmatively determined, in whole or in part, to constitute foreign intelligence or counterintelligence or is necessary to understand or assess foreign intelligence or counterintelligence;

(ii) the communication is reasonably believed to constitute evidence of a crime and is retained by a law enforcement agency;

(iii) the communication is enciphered or reasonably believed to have a secret meaning;

(iv) all parties to the communication are reasonably believed to be non-United States persons;

(v) retention is necessary to protect against an imminent threat to human life, in which case both the nature of the threat and the information to be retained shall be reported to the congressional intelligence committees not later than 30 days after the date such retention is extended under this clause;

(vi) retention is necessary for technical assurance or compliance purposes, including a court order or discovery obligation, in which case access to information retained for technical assurance or compliance purposes shall be reported to the congressional intelligence committees on an annual basis; or

(vii) retention for a period in excess of 5 years is approved by the head of the element of the intelligence community responsible for such retention, based on a determination that retention is necessary to protect the national security of the United States, in which case the head of such element shall provide to the congressional intelligence committees a written certification describing–

(I) the reasons extended retention is necessary to protect the national security of the United States;

(II) the duration for which the head of the element is authorizing retention;

(III) the particular information to be retained; and

(IV) the measures the element of the intelligence community is taking to protect the privacy interests of United States persons or persons located inside the United States.

The language seems to be related to — but more comprehensive than — language included in the RuppRoge bill earlier this year. That, in turn, seemed to arise out of concerns raised by PCLOB that some unnamed agencies had not revised their minimization procedures in the entire life of EO 12333.

Whereas that earlier passage had required what I’ll call Reagan deadenders (since they haven’t updated their procedures since him) to come up with procedures, this section effectively imposes minimization procedures similar, though not identical, to what the NSA uses: 5 year retention except for a number of reporting requirements to Congress.

I suspect these are an improvement over whatever the deadenders have been using. But as Justin Amash wrote in an unsuccessful letter trying to get colleagues to oppose the intelligence authorization because of the late addition, the section provides affirmative basis for agencies to share US person communications whereas none had existed.

Sec. 309 authorizes “the acquisition, retention, and dissemination” of nonpublic communications, including those to and from U.S. persons. The section contemplates that those private communications of Americans, obtained without a court order, may be transferred to domestic law enforcement for criminal investigations.

To be clear, Sec. 309 provides the first statutory authority for the acquisition, retention, and dissemination of U.S. persons’ private communications obtained without legal process such as a court order or a subpoena. The administration currently may conduct such surveillance under a claim of executive authority, such as E.O. 12333. However, Congress never has approved of using executive authority in that way to capture and use Americans’ private telephone records, electronic communications, or cloud data.

[snip]

In exchange for the data retention requirements that the executive already follows, Sec. 309 provides a novel statutory basis for the executive branch’s capture and use of Americans’ private communications. The Senate inserted the provision into the intelligence reauthorization bill late last night.

Which raises the question of what the emergency was to have both houses of Congress push this through at the last minute? Back in March, after all, RuppRoge was happy to let the agencies do this on normal legislative time.

I can think of several possibilities:

  • The government is imminently going to have to explain some significant EO 12333 collection — perhaps in something like the Hassanshahi case or one of the terrorism cases explicitly challenging the use of EO 12333 data and it wants to create the appearance it is not a lawless dragnet (though the former was always described as metadata, not content)
  • The government is facing new scrutiny on tools like Hemisphere, which the DOJ IG is now reviewing; if 27-year old data is owned by HIDTA rather than AT&T, I can see why it would cause problems (though again, except insofar as it includes things like location, that’s metadata, not content)
  • This is Dianne Feinstein’s last ditch fix for the “trove” of US person content that Mark Udall described that John Carlin refused to treat under FISA
  • This is part of the effort to get FBI to use EO 12333 data (which may be related to the first bullet); these procedures are actually vastly better than FBI’s see-no-evil-keep-all-data for up to 30 years approach, though the language of them doesn’t seem tailored to the FBI

Or maybe this is meant to provide the patina of legality to some other dragnet we don’t yet know about.

Still, I find it an interesting little emergency the intelligence committees seem to want to address.

Dead Mediators Belie the Claim US Didn’t Know about Pierre Korkie

A number of people have been pointing to the buried lead in a NYT story about the US killing South African aid worker Pierre Korkie the day before the charity he worked for finalized his freedom. Back in November, a group of tribal leaders who were brokering the deal got killed in a drone strike.

After months of silence, Gift of the Givers had a breakthrough in August, when tribal leaders sent a delegation, acting on behalf of the charity, into the remote badlands. The assembled Qaeda fighters took a vote on reducing the ransom, and half the jihadists voted “yes” while half voted “no,” Mr. Sooliman said. In October, the abductors said that they would accept $700,000. The family, which had already said it could not afford $3 million, still did not have enough money.

In November, the tribal leaders went back to meet with Qaeda members. The car was hit by a drone strike, killing the mediators, according to Mr. Sooliman. “We thought it was over,” he said.

Not only is it fairly shocking that the US first killed these mediators, then killed the guy they were trying to free, but this detail undermines the US claim they had no idea who was with Luke Somers when they tried to rescue him.

US special forces who tried to rescue photojournalist Luke Somers from al-Qaeda in Yemen were not aware of the identity of the other hostage held with him, a US official has told the BBC.

Both South African teacher Pierre Korkie and Mr Somers were shot by the militants during the raid, US officials say, and died as a result.

A charity working with Mr Korkie said he was to have been freed on Sunday.

Its project director said the US rescue attempt had “destroyed everything”.

To believe this claim you’d have to believe the NSA’s 2-degree spying techniques, which just weeks ago had gotten some tribal leaders killed, had completely collapsed such that the US had no affirmative intelligence on the kidnappers (which of course they did because they knew where to try to rescue Somers). You’d also have to believe that a South African charity had managed to set up ongoing communications with the kidnappers, but the NSA wasn’t monitoring those communications (or, just as likely, using them as a means to track the kidnappers). The only way that’d be true is if we had forsworn SIGINT in favor of dodgy intelligence from our partners in the neighborhood; while I think many of our catastrophes in Yemen and Syria can be blamed on our dodgy partners lying to us, it is inconceivable we would not at the same time be checking their claims with SIGINT.

It may be convenient for the US to pretend it doesn’t engage in SIGINT in Yemen. But it is no longer believable.

The Government’s Unexplained Iran Dragnet

Just the other day, I observed that the government likely has a problem with the authorities it has used to police its sanction regime against Iran. First, the government appears to have had a counterproliferation certification under Protect America Act that may have had legal issues; with FISA Amendments Act, Congress authorized such a certification as foreign intelligence. Then, at some point over the course of the phone dragnet, FISC approved the use of the dragnet with Iran under an alleged terrorism purpose. But the primary claimed Iranian terrorism in this country was propagated by DEA; clearly the NSA was using the dragnet for an inherently counterproliferation purpose.

A judge in DC just ruled for the government in a case against an Iranian American, Shantia Hassanshahi, that implicates many of these problems, and broader problems with the dragnet, though he did so by largely sidestepping the underlying issue.

Basically, the case that Hassanshahi violated sanctions stems from the following evidentiary steps:

  1. An unsolicited tip from an (apparently) paid informant
  2. A query request submitted to some unnamed database on a suspect number, which returned a single call with a number associated with Hassanshahi
  3. Based on that and 1 other call to Iran, the government stopped Hassanshahi as he returned from a trip to Iran and seized his devices in CA
  4. A forensic search of his laptop resulted in incriminating documents showing the sale of non-military energy-related goods to Iran

Hassanshahi argued that the query of the database — which he argued was either the phone dragnet database or something nearly identical and therefore just as unconstitutional — was illegal, citing Richard Leon’s Larry Klayman ruling. And he argued that everything else not only followed as fruit of the poison tree from there, but that the device search violated the 9th Circuit’s precedent requiring probable cause to conduct a forensic border search (his devices were seized in CA, not in DC). Judge Rudolph Contreras rejected Hassanshahi’s bid to have the evidence suppressed by dodging the question of the legality of the database query, treating it as unconstitutional (I think this overstates what the government was saying here).

In response, the Government sidesteps Hassanshahi’s argument by taking the position that although the NSA telephony database was not used, the Court nevertheless should assume arguendo that the law enforcement database HSI did use was unconstitutional. See Gov’t’s Mem. Opp’n Mot. Suppress 12. Consistent with this position, the Government refuses to provide details about its law enforcement database on the basis that such information is irrelevant once the Court accepts the facial illegality of the database. See id. at 11-12. Regrettably, the Court therefore starts its analysis from the posture that HSI’s initial search of the mysterious law enforcement database, which uncovered one call between Sheikhi’s business telephone number and the 818 number linked to Hassanshahi, was unconstitutional.

But based on the time that elapsed between the query he treated as unconstitutional and the border search, and based on Hassanshahi’s voluntary arrival in LAX (where a 9th Circuit ruling would require reasonable suspicion) and some really crazy details even the government didn’t argue that strongly constituted reasonable suspicion, he ruled the forensic search in LA legal.

This is where things get bizarre. Having already ruled that this was not flagrant enough to make the subsequent search improper, Contreras then throws up his hands, notes that if the government did use the NSA phone dragnet (which is supposed to be limited to counterterrorism purposes and therefore should be inapplicable in this case) or if the dragnet it used doesn’t have the controls that the NSA dragnet does it might be a problem, and says he will require the government to submit an ex parte filing explaining the database.

But, at the same time, the Court does not know with certainty whether the HSI database actually involves the same public interests, characteristics, and limitations as the NSA program such that both databases should be regarded similarly under the Fourth Amendment. In particular, the NSA program was specifically limited to being used for counterterrorism purposes, see Klayman, 957 F. Supp. 2d at 15-16, and it remains unclear if the database that HSI searched imposed a similar counterterrorism requirement. If the HSI database did have such a limitation, that might suggest some level of flagrancy by HSI because it was clear that neither Sheikhi nor Hassanshahi was involved in terrorism activities. With so many caveats, the Government’s litigation posture leaves the Court in a difficult, and frustrating, situation. Yet, even assuming that the HSI database was misused to develop the lead into Hassanshahi, HSI’s conduct appears no more flagrant than law enforcement conduct in other “unlawful lead” cases, which still held that the attenuation exception applied nonetheless.6

6 The Government’s silence regarding the nature of the law enforcement database has made the Court’s analysis more complex than it should be. Although the Court still concludes that the attenuation exception applies in large part based on the “unlawful lead” line of cases, the Court will order that the Government provide the Court with an ex parte declaration summarizing the contours of the mysterious law enforcement database used by HSI, including any limitations on how and when the database may be used.

Of course he only requires this after ruling that the evidence can come in!

Now, I can think of four possibilities to explain the search:

  • The government searched the dragnet under its “Iranian” allowance (which only Josh Gerstein and I have ever reported), exposing what I noted above — that they’re using a CT tool for a fundamentally CP function
  • The government searched Hemisphere
  • The government searched SPMCA, the authority permitting it to contact-chain on US person data collected under EO 12333 or it originally searched on the Section 215 phone dragnet then re-ran the search under EO 12333 so it could share the link
  • There’s yet another dragnet

Something’s definitely fishy about the government’s claims, because the Homeland Security investigator in the case, Joshua Akronowitz, changed his story twice in meaningful ways.

For example, the affidavit the government used to justify his arrest said he personally searched “HSI accessible law enforcement databases.”