A Radical Proposal of Following the Law

Mieke Eoyang, the Director of Third Way’s National Security Program, has what Ben Wittes bills as a “disruptive” idea: to make US law the exclusive means to conduct all surveillance involving US companies.

But reforming these programs doesn’t address another range of problems—those that relate to allegations of overseas collection from US companies without their cooperation.

Beyond 215 and FAA, media reports have suggested that there have been collection programs that occur outside of the companies’ knowledge. American technology companies have been outraged about media stories of US government intrusions onto their networks overseas, and the spoofing of their web pages or products, all unbeknownst to the companies. These stories suggest that the government is creating and sneaking through a back door to take the data. As one tech employee said to me, “the back door makes a mockery of the front door.”

As a result of these allegations, companies are moving to encrypt their data against their own government; they are limiting their cooperation with NSA; and they are pushing for reform.  Negative international reactions to media reports of certain kinds of intelligence collection abroad have resulted in a backlash against American technology companies, spurring data localization requirements, rejection or cancellation of American contracts, and raising the specter of major losses in the cloud computing industry. These allegations could dim one of the few bright spots in the American economic recovery: tech.

[snip]

How about making the FAA the exclusive means for conducting electronic surveillance when the information being collected is in the custody of an American company? This could clarify that the executive branch could not play authority shell-games and claim that Executive Order 12333 allows it to obtain information on overseas non-US person targets that is in the custody of American companies, unbeknownst to those companies.

As a policy matter, it seems to me that if the information to be acquired is in the custody of an American company, the intelligence community should ask for it, rather than take it without asking. American companies should be entitled to a higher degree of forthrightness from their government than foreign companies, even when they are acting overseas.

Now, I have nothing against this proposal. It seems necessary but wholly inadequate to restoring trust between the government and (some) Internet companies. Indeed, it represents what should have been the practice in any case.

Let me first take a detour and mention a few difficulties with this. First, while I suspect this might be workable for content collection, remember that the government was not just collecting content from Google and Yahoo overseas — they were also using their software to hack people. NSA is going to still want the authority to hack people using weaknesses in such software, such as it exists (and other software companies probably still are amenable to sharing those weaknesses).  That points to the necessity to start talking about a legal regime for hacking as much as anything else — one that parallels what is going on with the FBI domestically.

Also, this idea would not cover the metadata collection from telecoms which are domestically covered by Section 215, which will surely increasingly involve cloud data that more closely parallels the data provided by FAA providers but that would be treated as EO 12333 overseas (because thus far metadata is still treated under the Third Party doctrine here). This extends to the Google and Yahoo metadata taken off switches overseas. So, such a solution would be either limited or (if and when courts domestically embrace a mosaic theory approach to data, including for national security applications) temporary, because some of the most revealing data is being handed over willingly by telecoms overseas.

Read more

How to Fix the FISA Court … Or Not

The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26)

That line, from the FISCR opinion finding the Protect America Act constitutional, gets to the core problem with the FISA Court scheme. Even in 2009, when the line was first made public, it was pretty clear the government had made a false claim to the FISA Court of Review.

Now that we know that FBI had already been given authority to keep PAA-collected content in databases that they could search at what is now called the assessment stage of investigations — warrantless searches of the content of Americans against whom the FBI has no evidence of wrong-doing — the claim remains one of the signature moments where the government got approval for a program by being less than candid to the court (the government has been caught doing so in both Title III courts and at FISC, and continues to do so).

That’s also why I find Greg McNeal’s paper on Reforming the FISC, while very important, ultimately unconvincing.

McNeal’s paper is invaluable for the way he assesses the decision — in May 2006 — to authorize the collection of all phone records under Section 215. Not only does the paper largely agree with the Democratic appointees on PCLOB that the program is not authorized by the Section 215 statute, McNeal conducts his own assessment of the government’s application to use Section 215 for that purpose.

The application does not fare well.

Moreover, the government recognized that not all records would be relevant to an investigation, but justified relevance on what could best be described as usefulness or necessity to enable the government’s metadata analysis, stating:

The Application fully satisfies all requirements of title V of FISA. In particular, the Application seeks the production of tangible things “for” an international terrorism investigation. 50 U.S.C. § 1861(a)(1). In addition, the Application includes a statement of facts demonstrating that there are reasonable grounds to believe that the business records sought are “relevant” to an authorized investigation. Id.  § 1861(b)(2). Although the call detail records of the [redacted] contain large volumes of metadata, the vast majority of which will not be terrorist-related, the scope of the business records request presents no infirmity under title V. All of the business records to be collected here are relevant to FBI investigations into [redacted] because the NSA can effectively conduct metadata analysis only if it has the data in bulk.49

The government went even further, arguing that if the FISC found that the records were not relevant, that the FISC should read relevance out of the statute by tailoring its analysis in a way that would balance the government’s request to collect metadata in bulk against the degree of intrusion into privacy interests. Disregarding the fact that the balancing of these interests was likely already engaged in by Congress when writing section 215, the government wrote:

In addition, even if the metadata from non-terrorist communications were deemed not relevant, nothing in title V of FISA demands that a request for the production of “any tangible things” under that provision collect only information that is strictly relevant to the international terrorism investigation at hand. Were the Court to require some tailoring to fit the information that will actually be terrorist-related, the business records request detailed in the Application would meet any proper test for reasonable tailoring. Any tailoring standard must be informed by a balancing of the government interest at stake against the degree of intrusion into any protected privacy interests. Here, the Government’s interest is the most compelling imaginable: the defense of the Nation in wartime from attacks that may take thousands of lives. On the other side of the balance, the intrusion is minimal. As the Supreme Court has held, there is no constitutionally protected interest in metadata, such as numbers dialed on a telephone.50

Thus, what the government asked the court to disregard the judgment of the Congress as to the limitations and privacy interests at stake in the collection of business records. Specifically, the government asked the FISC to disregard Congress’s imposition of a statutory requirement that business records be relevant, and in disregarding that statutory requirement rely on the fact that there was no constitutionally protected privacy interest in business records. The government’s argument flipped the statute on its head, as the purpose of enhancing protections under section 215 was to supplement the constitutional baseline protections for privacy that were deemed inadequate by Congress.

McNeal is no hippie. That he largely agrees and goes beyond PCLOB’s conclusion that this decision was not authorized by the statute is significant.

But as I said, I disagree with his remedy — and also with his assessment of the single source of this dysfunction.

McNeal’s remedy is laudable. He suggests all FISC decisions should be presumptively declassified and any significant FISC decision should get automatic appellate review, done by FISCR. That’s not dissimilar to a measure in Pat Leahy’s USA Freedom Act, which I’ve written about here. With my cautions about that scheme noted, I think McNeal’s remedy may have value.

The reason it won’t be enough stems from two things.

First, the government has proven it cannot be trusted with ex parte proceedings in the FISC. That may seem harsh, but the Yahoo challenge — which is the most complete view we’ve ever had of how the court works, even with a weak adversary — really damns the government’s conduct. In addition to the seemingly false claim to FISCR about whether the government held databases of incidentally collected data, over the course of the Yahoo challenge, the government,

  • Entirely restructured the program — bringing the FBI into a central role of the process — without telling Reggie Walton about these major changes to the program the challenge he was presiding over evaluated; this would be the first of 4 known times in Walton’s 7-year tenure where he had to deal with the government withholding materially significant information from the court
  • Provided outdated versions of documents, effectively hiding metadata that would have shown EO 12333, which was a key issue being litigated, was more fluid than presented to the court
  •  Apparently did not notice either FISC or FISCR about an OLC opinion — language from which was declassified right in the middle of the challenge — authorizing the President to pixie dust EO 12333 at any time without noting that publicly
  • Apparently did not provide the underlying documents explaining another significant change they made during the course of the challenge, which would have revealed how easily Americans could be reverse targeted under a program prohibiting it; these procedures were critical to FISCR’s conclusion the program was legal

In short, the materials withheld or misrepresented over the course of the Yahoo challenge may have made the difference in FISCR’s judgment that the program was legal (even ignoring all the things withheld from Yahoo, especially regarding the revised role of FBI in the process). (Note, in his paper, McNeal rightly argues Congress and the public could have had a clear idea of what Section 702 does; I’d limit that by noting that almost no one besides me imagined they were doing back door searches before that was revealed by the Snowden leaks).

One problem with McNeal’s suggestion, then, is that the government simply can’t be trusted to engage in ex parte proceedings before the FISC or FISCR. Every major program we’ve seen authorized by the court has featured significant misrepresentations about what the program really entailed. Every one! Until we eliminate that problem, the value of these courts will be limited.

But then there is the other problem, my own assessment of the source of the problem with FISC. McNeal thinks it is that Congress wants to pawn its authority off onto the FISC.

The underlying disease is that Congress wants things to operate the way that they do; Congress wants the FISC and has incentives to maintain the status quo.

Why does Congress want the FISC? Because it allows them to push accountability off to someone else. If members ofCongress are responsible for conducting oversight of secretoperations, their reputations are on the line if the operations gotoo far toward violating civil liberties, or not far enoughtoward protecting national security. However, with the FISC conducting operations, Congress has the ability to dodge accountability by claiming they have empowered a court to conduct oversight.

I don’t, in general, disagree with this sentiment in the least. The last thing Congress wants to do is make a decision that might later be tied to an intelligence failure, a terrorist attack, a botched operation. Heck, I’d add that the last thing most members of Congress serving on the Intelligence Committees would want to do is piss off the contractors whose donations provide one of the perks of the seat.

But the dysfunction of the FISC stems, in significant part, from something else.

In his paper on the phone dragnet (which partly incorporates the Internet dragnet), David Kris suggests the original decision to bring the dragnets under the FISC (in the paper he was limited by DOJ review about what he could say of the Internet dragnet, so it is not entirely clear whether he means the Colleen Kollar-Kotelly opinion that paved the way for the flawed Malcolm Howard one McNeal critiques, or the Howard one) was erroneous. Read more

If the NSA “Won” the War in Iraq, Why Are We Still Losing It?

To Shane Harris’ misfortune, his book, @War, out today, came out on the same day that General Daniel Bolger’s book, Why We Lost, came out.

That means Harris’ first excerpt, initially titled “How the NSA Sorta Won the Last Iraq War,” came out just days before Bolger’s op-ed today, mourning another Veteran’s Day to contemplate the 80 men he lost. Bolger wants us to stop telling the lie that the surge won the Iraq War.

Here’s a legend that’s going around these days. In 2003, the United States invaded Iraq and toppled a dictator. We botched the follow-through, and a vicious insurgency erupted. Four years later, we surged in fresh troops, adopted improved counterinsurgency tactics and won the war. And then dithering American politicians squandered the gains. It’s a compelling story. But it’s just that — a story.

The surge in Iraq did not “win” anything. It bought time. It allowed us to kill some more bad guys and feel better about ourselves. But in the end, shackled to a corrupt, sectarian government in Baghdad and hobbled by our fellow Americans’ unwillingness to commit to a fight lasting decades, the surge just forestalled today’s stalemate. Like a handful of aspirin gobbled by a fevered patient, the surge cooled the symptoms. But the underlying disease didn’t go away. The remnants of Al Qaeda in Iraq and the Sunni insurgents we battled for more than eight years simply re-emerged this year as the Islamic State, also known as ISIS.

Harris’s story, which explains how network analysis and then hacking of Iraqi insurgents — including Al Qaeda in Iraq — helped us to win the surge, relies on that legend.

TAO hackers zeroed in on the leaders of the al Qaeda group. Centering their operations in Baghdad, they scooped up e-mail messages that the terrorists had left in draft form in their personal accounts, where they could be picked up by fellow fighters without having to be sent over the Internet. This was a common trick terrorists used to avoid detection. TAO had been on to it for years.

For TAO, hacking into the communications network of the senior al Qaeda leaders in Iraq helped break the terrorist group’s hold on the neighborhoods around Baghdad. By one account, it aided U.S. troops in capturing or killing at least ten of those senior leaders from the battlefield.

[snip]

For the first time in the now four-year-old Iraq War, the United States could point to a strategy that was actually working. The overall success of the surge, which finally allowed U.S. forces to leave Iraq, has been attributed to three major factors by historians and the commanders and soldiers who served there. First, the additional troops on the ground helped to secure the most violent neighborhoods, kill or capture insurgents, and protect Iraq’s civilians. The cities became less violent, and the people felt safer and more inclined to help the U.S. occupation. Second, insurgent groups who were outraged by al Qaeda’s brutal, heavyhanded tactics and the imposition of religious law turned against the terrorists, or were paid by U.S. forces to switch their allegiances and fight with the Americans. This so-called Sunni Awakening included 80,000 fighters, whose leaders publicly denounced al Qaeda and credited the U.S. military with trying to improve the lives of Iraqi citizens.

But the third and arguably the most pivotal element of the surge was the series of intelligence operations undertaken by the NSA and soldiers such as Stasio. Former intelligence analysts, military officers, and senior Bush administration officials say that the cyber operations opened the door to a new way of obtaining intelligence, and then integrating it into combat operations on the ground. The information about enemy movements and plans that U.S. spies swiped from computers and phones gave troops a road map to find the fighters, sometimes leading right to their doorsteps. This was the most sophisticated global tracking system ever devised, and it worked with lethal efficiency.

Gen. David Petraeus, the commander of all coalition forces in Iraq, credited this new cyber warfare “with being a prime reason for the significant progress made by U.S. troops” in the surge, which lasted into the summer of 2008, “directly enabling the removal of almost 4,000 insurgents from the battlefield.” The tide of the war in Iraq finally turned in the United States’ favor.

I didn’t get a review copy of Harris’ book, so I’ll have to let you know whether he grapples with the fact that this victory lap instead led us to where we are now, escalating the war in Iraq again, with ISIL even more powerful for having combined Saddam’s officers with terrorist methods. I’ll also have to let you know why Harris claims this started in 2007, when we know NSA was even wiretapping Iraqi targets in the US as early as 2004, a program that got shut down in the hospital confrontation.

Harris would have done well to consider Bolger’s call for an assessment of this failure.

That said, those who served deserve an accounting from the generals. What happened? How? And, especially, why? It has to be a public assessment, nonpartisan and not left to the military. (We tend to grade ourselves on the curve.) Something along the lines of the 9/11 Commission is in order. We owe that to our veterans and our fellow citizens.

Such an accounting couldn’t be more timely. Today we are hearing some, including those in uniform, argue for a robust ground offensive against the Islamic State in Iraq. Air attacks aren’t enough, we’re told. Our Kurdish and Iraqi Army allies are weak and incompetent. Only another surge can win the fight against this dire threat. Really? If insanity is defined as doing the same thing over and over and expecting different results, I think we’re there.

That is, if this network analysis and hacking is so superb, then why didn’t it work? Did we not understand the networks that our spectacular tech exposed? Or did we do the wrong thing with it, try to kill it rather than try to win it over? Not to mention, did we account for the necessarily temporary value of all these techniques, given that targets will figure out that their cell phones, the RFID tags, their laptops, or whatever new targeting means we devise are serving as a beacon.

And there’s one more lesson in Harris’ excerpt, one I doubt he admits.

Earlier in the except, he explains in giddy language how the NSA’s hackers broke an insurgent method of leaving draft unsent emails.

Centering their operations in Baghdad, they scooped up e-mail messages that the terrorists had left in draft form in their personal accounts, where they could be picked up by fellow fighters without having to be sent over the Internet. This was a common trick terrorists used to avoid detection. TAO had been on to it for years.

Even while he provides David Petraeus opportunity to do a victory lap for the surge that in fact did not win the war, he doesn’t mention that Petraeus adopted this insurgent technique to communicate with his mistress, Paula Broadwell. Harris also doesn’t mention that the FBI, like the NSA before it, easily broke the technique.

More important still, Harris doesn’t mention that FBI found reason to do so. These techniques — described with such glee — were turned back on even the man declaring victory over them. They didn’t win the war in either Iraq or Afghanistan, but they sure made it easy for President Obama to take out Petraeus when he became inconvenient.

I have no sympathy for Petraeus, don’t get me wrong. But he is an object lesson in how these techniques have not brought victory to the US. And it’s time to start admitting that fact, and asking why not.

Update: In a post I could have written (though probably not as well), Stephen Walt engages in a counterfactual asking if we didn’t have the dragnet we might be doing better at fighting terrorism. Go read the whole thing, but here’s part of it:

Second, if we didn’t have all these expensive high-tech capabilities, we might spend a lot more time thinking about how to discredit and delegitimize the terrorists’ message, instead of repeatedly doing things that help them make their case and recruit new followers. Every time the United States goes and pummels another Muslim country — or sends a drone to conduct a “signature strike” — it reinforces the jihadis’ claim that the West has an insatiable desire to dominate the Arab and Islamic world and no respect for Muslim life. It doesn’t matter if U.S. leaders have the best of intentions, if they genuinely want to help these societies, or if they are responding to a legitimate threat; the crude message that drones, cruise missiles, and targeted killings send is rather different.

If we didn’t have all these cool high-tech hammers, in short, we’d have to stop treating places like Afghanistan, Pakistan, Iraq, and Syria as if they were nails that just needed another pounding, and we might work harder at marginalizing our enemies within their own societies. To do that, we would have to be building more effective partnerships with authoritative sources of legitimacy within these societies, including religious leaders. Our failure to do more to discredit these movements is perhaps the single biggest shortcoming of the entire war on terror, and until that failure is recognized and corrected, the war will never end.

Even the Government Can’t Figure Out How It Uses Its FISA Dragnet

Things are getting interesting in the case of Raez Qadir Khan in Oregon, who was charged in 2011 with conspiring to materially support a suicide bombing that took place in Pakistan in 2009.

As I laid out in September, his lawyers asked to know what types of surveillance it used to collect all the data that went into a search warrant on Khan’s house.

At a hearing on September 11, the government said that it had provided all the notice Khan needed with its traditional, FAA, and physical search FISA notices.

JUDGE MOSMAN: Am I reading your brief correctly that in some way the defense has been told which authorities they ought to think about challenging here, maybe informally?

MR. GORDER: Well, both formally and informally, Your Honor. The formal way was the notices that we filed with the Court, which indicates that the government intends to use evidence derived from FISA Title I and FISA Title IIand FISA Title VII.

In response, at the hearing, Khan attorney Amy Baggio said she’d hold the government to those 3 FISA authorities.

MS. BAGGIO: Now, I understand the point that you made earlier, Your Honor, is they’ve narrowed that somewhat if we’re going to hold them to Title 1, 3 and 7,

Just over a month later, the government wrote the judge, Michael Mosman, a letter, changing its mind. It basically said:

  • It didn’t have to give Khan notice that they used FISA’s PRTT authority against him (most likely in the illegal Internet dragnet), because he didn’t meet all 5 of the criteria required before the government would have to give notice.
  • It didn’t have to give notice under FAA 703 because the government doesn’t intend to enter that electronic surveillance into evidence.
  • It didn’t have to give notice it used Section 215 (note, they almost surely used both the phone dragnet and the Western Union dragnet against him), because Khan lacks standing to contest the admission of this evidence. (Predictably, the government made no mention of the language in phone dragnet orders specifically permitting it to be used for discovery purposes.)

The government said nothing about Protect America Act, Section 704 of FISA (at least according to a Snowden document, the government doesn’t use 703, they use 704, which if that remains true Judge Mosman should know as a FISC judge), or EO 12333. The latter of which, in particular, Baggio has raised repeatedly.

In short, after a month of thinking about it, the government realized that its statements at the hearing were not correct, and that these other authorities were used, and maybe it ought to sort of confess to that after all.

Which Baggio pointed out in a letter filed yesterday.

In the October 15, 2014, letter, the government no longer claims that FISA Titles I, II, and VII (§702) are the only authorities relied on in this case. Instead the government advances, for the first time, arguments about why it is not legally required to provide Mr. Khan with notice that it used FISA subchapters III (PR/TT), IV (§ 215 business records), or FAA § 703. Effectively, the October 15, 2014, letter tacitly admits use of these provisions, but goes on to argue that there are other reasons it need not provide notice.

She also pointed out that, in submitting its letter over a month after the hearing, the government had violated the court’s briefing schedule without obtaining permission to do so.

On October 15, 2014, 65 days after the government’s briefing was due and 34 days after the motion was taken under advisement by the Court, the government submitted a letter raising new arguments and taking new positions in support of its request that the Court deny Mr. Khan’s Motion to Compel Notice. Exhibit B.

[snip]

When the Court sets deadlines in a Rule 12(c) scheduling order, a party who fails to raise a “defense, objection, or request” related to a pretrial motion to suppress waives that argument. Fed. R. Crim. P. 12(e).1 A court may grant a party leave to submit a late argument if the party establishes “good cause.” Id. Here, the government did not seek leave before offering additional arguments over two months after its briefing was due. Moreover, the letter makes no attempt to establish good cause.

She goes on to hammer the government for its tortured definitions of “collect,” citing — among other things — James Clapper’s lie to Oregon’s Senator.

That is, the DoD definition permits the NSA to obtain communications and store them in a government database without a “collection” occurring. These regulations establish that government takes the position that the communications were “collected” only after an algorithm searches them for key words and analyzes the metadata.

Similarly, Director of National Intelligence (DNI) Clapper explained in Senate testimony in response to a direct question from Senator Wyden in which DNI Clapper denied “collecting” data on millions or hundreds of millions of Americans by stating: “[T]here are honest differences on the semantics when someone says ‘collection’ to me, that has a specific meaning, which may have a different meaning to him [Senator Wyden].”

While she doesn’t say it, we know that the government uses both phone and Internet dragnet data — the Section 215 and PRTT collection the government refuses to notice — as the index to pull up this already collected data. Given that the investigation into Khan likely started only after his alleged co-conspirator’s suicide bombing, much of the evidence was almost certainly stored communication, pulled up using metadata as an index.

Baggio ends by calling on Mosman — a Title III judge but also a FISC judge — to guard his prerogative as the former.

The government’s letter attempts to justify a blanket policy of non-disclosure by coopting this Court’s constitutional role to resolve legal questions about whether (1) particular government conduct constitutes a search or seizure, (2) whether the search or seizure violated Mr. Khan’s constitutional rights and (3) if so, whether evidence obtained or derived from the search or seizure should be suppressed. The government’s argument amounts to an assertion that it need not provide Mr. Khan with notice because, even if it did, Mr. Khan would lose a motion to suppress. Such arguments offend the fundamental principles of the criminal justice system, and the Court should reject them. Without the type of notice requested in Mr. Khan’s Motion to Compel Notice,

I originally thought that having Mosman preside over this case would be a bit of a disaster, given FISC judges’ apparent willingness to make ridiculous arguments to defend the viability of their secret court. But I think Baggio is giving Mosman an important lesson in how the authorities he approves in secret actually play out in practice.

We’ll see whether he’s more interested in defending the prerogative of his Title III role or the claimed legitimacy of his secret judge role.

New and Improved FBI! Now with 12 New Pages of Investigative Methods!

Among the documents ACLU obtained as part of its EO 12333 FOIA are 3 pages out of the bajillion-paged Domestic Investigations and Operations Guide.

The actual content of the pages isn’t all that interesting. The content has been available for years.

But this is interesting.

Screen Shot 2014-11-03 at 2.29.38 PM

The pagination of the third page, discussing wiretapping of a targeted American overseas, shows two things.

First — as the description of the document provided to ACLU also describes — this is a new version of the DIOG. The publicly available DIOG is dated October 15, 2011. This DIOG is dated October 16, 2013, two years later.

Also, the pagination reveals that there are at least 12 new pages in Section 18, which describes investigative methods.

What do you want to bet FBI has already added hacking to its investigative methods?

Update: Via Mike German, I learn that FBI did a 2012 edition as well, for which just a fragment plus the Table of Contents got released. The methods section grew about 4 pages between 2011 and 2012. So that leaves 8 pages that are new in this 2013 edition.

Also note, the latest revision came the day before Charlie Savage reported that DOJ would start giving defendants notice of Section 702 usage.

An Unclassified Statement about Where NSA’s Internet Dragnet Went

In a declaration submitted in EPIC’s FOIA for the PRTT dragnet data, NSA’s David Sherman tried to explain why NSA can’t reveal additional details of the domestic Internet dragnet shut down in 2011.

In an effort to explain why NSA can’t reveal the categories of content-as-metadata the NSA had been (illegally) collecting in the US, as well as why it can’t reveal all the types of electronic communications metadata it collects (ALL), he says the following.

While the bulk PR/TT electronic communications metadata program is no longer operational, NSA is authorized to acquire and collect certain categories of electronic communications metadata under other authorities (such as Executive Order 12333, as amended, and Section 702 of the FISA Amendments Act of 2008). The continuing importance of the specific categories of Internet metadata that were collected under the bulk PR/TT program underscores the need to protect the still-classified operational details of this activity.

[snip]

As noted above, while the  bulk PR/TT program is no longer operational, NSA’s core mission continues to include the acquisition and collection of electronic communications under other authorities.

That is, in a declaration reminding that NSA shut down its domestic bulk dragnet program, it admits it still conducts Internet metadata collection, and suggests it does so under EO 12333 and FAA.

Which is precisely where I’ve been suggesting it moved the program.

There are other aspects of this declaration that are interesting — especially when read in conjunction with DOJ National Security Division Mark Bradley’s declaration.

But for the moment, I’ll just leave it at this language, affirming NSA’s known continued collection of Internet metadata, even after shutting down the domestic Internet dragnet.

ICREACH and EO 12333

Because I need a hobby, I’m knee deep in tracking how EO 12333 got changed in 2008. Part of the impetus came from Congress, some members of which were furious that OLC had given the President authority to pixie dust EO 12333 in secret.

But the bigger impetus came from the Intelligence Community.

That’s why this document — an NSA OGC memo on the sharing of raw SIGINT through database access released as part of ACLU’s FOIA for EO 12333 documents — is so interesting.

It captures a July 12, 2007 discussion about whether or not NSA could share its data with other agencies by making it available in databases.

You have asked us to conduct a legal review in order to set out the limits — and the rationale associated with the limits — on allowing personnel from other agencies access to NSA databases under the existing rules governing such access, and the advisability of changes to the Executive Order that would allow other agencies access to SIGINT databases.

While the memo adopts a cautious approach, recommending “case-by-case” access to SIGINT, it does embrace making SIGINT available by bringing Intelligence Committee partners into the production cycle (CIA and FBI both have people stationed at NSA), and finding ways to expand access to both phone and Internet metadata.

There are substantial and well-grounded legal limits on NSA’s ability to provide its partners and customers with access to raw SIGINT databases, both those that contain content and those that contain only metadata. Within those limits, NSA has lawfully expanded that access in two ways: with respect to content, we have expanded access by bringing IC partners within the SIGINT production chain in carefully defined circumstances. With respect to metadata, we have aggressively pushed telephony metadata to IC partners, and have plans in place to increase dramatically both the types and the completeness of the metadata we share.

Remember the timing of this: Read more

The Last Time NSA Submitted Secret Authorities, It Was Actively Hiding Illegal Wiretapping

Via Mike Masnick, I see that in addition to submitting a new state secrets declaration and a filing claiming EFF’s clients in Jewel v. NSA don’t have standing, the government also submitted a secret supplemental brief on its statement of authorities, which EFF has challenged.

The secret supplemental brief is interesting given the government’s outrageous state secrets claim in the lawsuit against United Against a Nuclear Iran, in which it refuses to explain why it must protect the intelligence sources and methods of an allegedly independent NGO. It seems the government’s state secrets claims are getting even more outrageous than they already were.

That’s particularly interesting given what appears to be the outlines of a claim that if the court recognizes Jewel’s standing, then all hell will break loose.

Due to the failings of Plaintiffs’ evidence described above, the Court need not consider the impact of the state secrets privilege on the standing issue. However, if the Court were to find Plaintiffs’ declarations admissible and sufficiently probative of Plaintiffs’ standing to raise a genuine issue meriting further inquiry (which it should not), adjudication f the standing issue could not proceed without risking exceptionally grave damage to national security (a threshold issue on which the Court requested briefing). That is so because operational details of Upstream collection that are subject to the DNI’s assertion of the state secrets privilege in this case are necessary to address Plaintiffs’ theory of standing. The Government presented this evidence to the Court in the DNI’s and NSA’s classified declarations of December 20, 2013, and supplements it with the Classified Declaration of Miriam P., NSA, submitted in camera, ex parte, herewith. Disclosure of this evidence would risk informing our Nation’s adversaries of the operational details of the NSA’s Upstream collection, including the identities of electronic-communications-service providers assisting with Upstream collection.

Behind these claims of grave harm are the reality that if US persons started to get standing under the dragnet, then under John Bates’ rules (in which illegal wiretapping is only illegal if the government knows US persons are targeted), the entire program would become illegal. So I suspect the government is ultimately arguing that Jewel can’t have standing because it would make the entire program illegal (which is sort of the point!).

But the biggest reason I’m intrigued by the government’s sneaky filing is because of what happened the last time it submitted such a sneaky filing.

I laid out in this post how a state secrets filing submitted in EFF’s related Shubert lawsuit by Keith Alexander on October 30, 2009 demonstrably lied. Go back and read it–it’s a good one. A lot of what I show involves Alexander downplaying the extent of the phone dragnet problems.

But we now know more about how much more Alexander was downplaying in that declaration.

As I show in this working thread, it is virtually certain that on September 30, 2009, Reggie Walton signed this order, effectively shutting down the Internet dragnet (I’m just now noticing that ODNI did not — as it has with the other FISC dragnet orders — release a copy with the timestamp that goes on all of these orders, which means we can’t determine what time of the day this was signed). Some time in the weeks before October 30, DOJ had submitted this notice, admitting that NSA had been violating the limits on “metadata” collection from the very start, effectively meaning it had been collecting content in the US for 5 years.

Precisely the kind of illegal dragnet Virginia Shubert was suing the government to prevent.

Mind you, there are hints of NSA’s Internet dragnet violations in Alexander’s declaration. In ¶59, Alexander says of the dragnet, “The FISC Telephone Business Records Order was most recently reauthorized on September 3, 2009, with authority continuing until October 30, 2009” (Walton signed the October 30, 2009 phone dragnet order around 2:30 ET, which would be 11:30 in NDCA where this declaration was filed). In ¶58, he says, “The FISC Pen Register Order was most recently reauthorized on [redacted], 2009, and requires continued assistance by the providers through [redacted] 2009” (this is a longer redaction than October 30 would take up, so it may reflect the 5PM shutdown Walton had imposed). So it may be that one of the redacted passages in Alexander’s declaration admitted that FISC had ordered the Internet dragnet shut down.

In addition, footnote 24 is quite long (note it carries onto a second page); particularly given that the tense used to describe the dragnets in the referenced paragraph differ (the Internet dragnet is in the past tense, the phone dragnet is in the present tense), it is possible Alexander admitted to both the compliance violation and that NSA had “voluntarily” stopped querying the dragnet data.

Further, in his later discussions, he refers to this data as “non-content metadata” and “records about communication transactions,” which may reflect a tacit (or prior) acknowledgment that the NSA had been collecting more than what, to the telecoms who were providing it, was legally metadata, or, if you will, was in fact “content as metadata.”

To the extent that the plaintiffs “dragnet” allegations also implicate other NSA activities, such as the bulk collection of non-content communications meta data or the collection of communications records, see, e.g., Amended Compl ¶58, addressing their assertions would require disclosure of NSA sources and methods that would cause exceptionally grave harm to national security.

[snip]

Accordingly, adjudication of plaintiffs’ allegations concerning the collection of non-content meta data and records about communication transactions would risk or require disclosure of critical NSA sources and methods for [redacted] contacts of terrorist communications as well as the existence of current NSA activities under FISC Orders. Despite media speculation about those activities, official confirmation and disclosure of the NSA’s bulk collection and targeted analysis of telephony meta data would confirm to all of our foreign adversaries [redacted] the existence of these critical intelligence capabilities and thereby severely undermine NSA’s ability to gather information concerning terrorist connections and cause exceptionally grave harm to national security.

So it seems that Alexander provided some glimpse to Vaughn Walker of the troubles with the Internet dragnet program. So when after several long paragraphs describing the phone dragnet problems (making no mention even of the related Internet dragnet ones), Alexander promised to work with the FISC on the phone dragnet “and other compliance issues,” he likely invoked an earlier reference to the far more egregious Internet dragnet ones.

NSA is committed to working with the FISC on this and other compliance issues to ensure that this vital intelligence tool works appropriately and effectively. For purposes of this litigation, and the privilege assertions now made by the DNI and by the NSA, the intelligence sources and methods described herein remain highly classified and the disclosure that [redacted] would compromise vital NSA sources and methods and result in exceptionally grave harm to national security.

I find it tremendously telling how closely Alexander ties the violations themselves to the state secrets invocation.

The thing is, at this point in the litigation, the only honest thing to submit would have been a declaration stating, “Judge Walker? It turns out we’ve just alerted the FISC that we’ve been doing precisely what the plaintiffs in this case have accused of us — we’ve been doing it, in fact, for 5 years.” An honest declaration would have amounted to concession of the suit.

But it didn’t.

And that state secrets declaration, like the one the government submitted at the end of September, was accompanied by a secret statement of authorities, a document that (unless I’m mistaken) is among the very few that the government hasn’t released to EFF.

Which is why I find it so interesting that the government is now, specifically with reference to upstream collection, following the same approach.

Do these secret statements of authority basically say, “We admit it, judge, we’ve been violating the law in precisely the way the plaintiffs claim we have. But you have to bury that fact behind state secrets privilege, because our dragnets are more important than the Fourth Amendment”? Or do they claim they’re doing this illegal dragnettery under EO 12333 so the court can’t stop them?

If so, I can see why the government would want to keep them secret.

Update: I originally got the name of Shubert wrong. Virginia Shubert is the plaintiff.

Going Postal. And Digital. And Financial: The Dragnet Elephant

Blind MenThe NYT has a report on an IG Report from May that reveals the Postal Service has been doing a lot more “mail covers” (that is, tracking the metadata from letters) than it had previously revealed.

In a rare public accounting of its mass surveillance program, the United States Postal Service reported that it approved nearly 50,000 requests last year from law enforcement agencies and its own internal inspection unit to secretly monitor the mail of Americans for use in criminal and national security investigations.

The number of requests, contained in a little-noticed 2014 audit of the surveillance program by the Postal Service’s inspector general, shows that the surveillance program is more extensive than previously disclosed and that oversight protecting Americans from potential abuses is lax.

Among the most interesting revelations is that USPS previously lowballed the number of covers it does in response to a NYT FOIA by simply not counting most of the searches.

In information provided to The Times earlier this year under the Freedom of Information Act, the Postal Service said that from 2001 through 2012, local, state and federal law enforcement agencies made more than 100,000 requests to monitor the mail of Americans. That would amount to an average of some 8,000 requests a year — far fewer than the nearly 50,000 requests in 2013 that the Postal Service reported in the audit.

The difference is that the Postal Service apparently did not provide to The Times the number of surveillance requests made for national security investigations or those requested by its own investigation and law enforcement arm, the Postal Inspection Service. Typically, the inspection service works hand in hand with outside law enforcement agencies that have come to the Postal Service asking for investigations into fraud, pornography, terrorism or other potential criminal activity.

The report led Ben Wittes to engage in a thought experience, predicting the response to this revelation will be muted compared to that of the phone dragnet.

All of this raises the question: Will this program generate the sort of outrage, legal challenge, and feverish energy for legislative reform that the NSA program has? Or will it fall flat?

I have this feeling that the answer is the latter: The Postal Service’s looking at the outside of letters at the request of law enforcement just won’t have the same legs as does the big bad NSA looking at the routing information for telephone calls. The reason, I suspect, is not that there are profound legal differences between the two programs. Yes, one can certainly argue that the difference between a program that aspires to be totalizing and one that is notionally targeted, even if very large, is fundamental enough to justify regarding the former with great skepticism and tolerating the latter with a shrug. On the other hand, one could just as easily argue that a program that involves the active perusal of tens of thousands of people’s metadata without strict controls is far more threatening than one that involves tight procedures under judicial oversight and involves initial queries of only a few hundred people’s data.

The reason, I suspect, that this program will not excite the same sorts of passions as does the NSA’s program is that it involves old technology—paper—and it’s been going on for a long time.

I agree with Wittes that this won’t generate the same kind of outrage.

The fact that few noticed when Josh Gerstein reported on this very same report (and revealed that the USPS was trying to prevent the report’s release) back in June (I noticed, but did not write on it) supports Wittes’ point.

All that said, Wittes’ piece serves as an interesting example. Partly because he overstates the oversight of the phone dragnet program. Somehow Wittes doesn’t think the watchlisting of 3,000 presumed American persons with no First Amendment review until 2009 is not an example of abuse. Nor the preservation of 3,000 files worth of phone dragnet data on a research server, mixed in with Stellar Wind data, followed by its destruction before NSA had to explain what it was doing there (which is a more recent abuse than Joe Arpaio’s use of the mail dragnet to target a critic, reported in the NYT).

But also because Wittes misconstrues what a true comparison would entail.

To compare phone dragnet, generally, with the mail dragnet described by the NYT (now including both its national security and Postal Inspection searches), you’d have to compare Title III and local law enforcement phone metadata searches (which number in the hundreds of thousands and include the use of Stingrays to track phone location), Hemisphere (which must number in the 10s of thousands and not only undergo no court review, but are explicitly parallel constructed), the use of NSLs to obtain phone metadata (which number in the 10s of thousands, and which are not overseen by a court, have been subject to abuse, also miscount the most important requests, and access new kinds of data that probably aren’t really covered under the law), the Section 215 dragnet, the FBI bulk PRTT program, as well as the far far bigger EO 12333 phone dragnet.

That is, Wittes wants to compare the totality of the mail dragnet with a teeny segment of even the NSA phone dragnet, all while ignoring the state, local, and other federal agency (including at least FBI, USMS, and DEA) phone dragnets entirely, and declare the former roughly equivalent to the latter (better in some ways, worse in others). If you were to compare the totality of the mail dragnet (admittedly, you’d have to add Fedex and other courier dragnets) with the totality of the phone dragnet, the latter would vastly exceed the former in every way: in abuse, in lack of oversight, and in scale.

And to measure the “passions” mobilized against the phone dragnet, you’d have to measure it all. Attention to the various parts has been fleeting: today there’s more focus on Stingrays, for example, with comparatively less attention to the Section 215 phone dragnet, along with a focus on Hemisphere. There’s so much phone dragnet to go around, it’s like a never-ending game of whack-a-mole.

Or perhaps more appropriately, of that old fable of the 6 blind men and the elephant, where each of a series of blind men describe an elephant. These men each feel one part of the elephant and see a pillar, a rope, a tree branch, a hand fan, a wall, and a solid pipe.  Together, they fail to conceive of the elephant in its entirety.

Wittes’ partial view of the phone dragnet describes just one part of one part of the dragnet elephant. At both the NSA, the FBI, and local JTTFs (at a minimum) you’re not conceiving the dragnet unless you understand the implications of matching your phone records and email records to your financial purchases and Internet search cookies — and, your snail mail, which is ultimately just a part of the larger dragnet. Each of those dragnets has several interlocking forms, too. More Title III orders, more NSLs, more Section 215 orders, and more EO 12333 collection. All dumped into a black box that — even for the Section 215 phone dragnet — undergoes no apparent oversight.

But Wittes is by no means alone in his partial view of the dragnet elephant. We all suffer from it. Since the very start of the Snowden leaks, I have been trying hard to track how NSA data gets shared with other agencies (see, for example, NCTC, FBI and CIA, “Team Sport,” ATF). I suspect I’ve got as good an understanding of how this data worms its way through the government as anyone outside of some corners of government, but it still looks like an elephant trunk to me.

That, to me, is the real lesson from the focus on yet another dragnet available to yet more intelligence and law enforcement agencies. None of us yet have a good sense of the scope of the dragnet. It is, quite literally, inconceivable. And we have even less of an idea of what happens after the dragnet feeds all that data into a series of black boxes, most subject to very little oversight.

With each new elephant body part identified, we’d do well to remember, it’s just one more body part.

The Public Interest and the International Surveillance State

I’ve been contemplating how to respond to this hilarious piece from Yishai Schwartz — another of the many “rebuttals” to CitizenFour that betrays rank ignorance of many of the things Edward Snowden leaked. To some degree, Conor Friedersdorf already hit on many key points, notably his takedown of Schwartz’ claims that because people overwhelmingly support the drone program, Snowden shouldn’t be able to invoke it when defending his leaks.

Schwartz goes on to attack Snowden in a particularly unpersuasive way:

Snowden couches his policy disagreements in grandiose terms of democratic theory. But Snowden clearly doesn’t actually give a damn for democratic norms. Transparency and the need for public debate are his battle-cry. But early in the film, he explains that his decision to begin leaking was motivated by his opposition to drone strikes. Snowden is welcome to his opinion on drone strikes, but the program has been the subject of extensive and fierce public debate. This is a debate that, thus far, Snowden’s and his allies have lost. The president’s current drone strikes enjoy overwhelmingpublic support. So citing his opposition to a widely debated policy as his motivation for increasing transparency is, well, odd. But it’s also illustrative. Snowden’s leaks aren’t primarily aimed at returning transparency or triggering a public debate; they are about creating his preferred policy outcomes, outcomes that usually involve a weaker state.

This is a fantastical description of the debate over drones. The White House has repeatedly invoked the state-secrets privilege in lawsuits attempting to stop drone strikes as a violation of the Constitution. The American public was not permitted to see the legal rationale for a drone strike that targeted and killed a U.S. citizen until earlier this year, long after Snowden decided to become a whistleblower. To this day, the government suppresses information on the number of innocents killed in drone strikes.

“In refusing to release to Congress the rules and justifications governing aprogram that has conducted nearly 400 unmanned drone strikes and killed at least three Americans in the past four years, President Obama is ignoring the system of checks and balances that has governed our country from its earliest days,” John Podesta declared in a March 13, 2013, Washington Post op-ed. “And in keeping this information from the American people, he is undermining the nation’s ability to be a leader on the world stage and is acting in opposition to the democratic principles we hold most important.”

To this day the drone debate is a case study in executive-branch officials subverting democracy by withholding information from Congress, sidestepping the judiciary, and denying the public information vital to a policy debate; the matter was even worse when Snowden first decided to become a whistleblower. To cite it as an example of democracy in action betrays deep confusion about American democracy.

I had been thinking precisely the same thing — but also that the drone program also betrays how naive Schwartz’ dismissal of a public interest defense is.

Purportedly, Snowden will not return to face American justice because he would not receive a “fair trial.” But in the movie, Snowden lawyer Ben Wizner admits that his use of the term is somewhat “unusual.” He accepts that Snowden won’t be denied due process, access to counsel or an impartial jury. Rather his complaint centers on the fact that the law doesn’t include a justification defense for leaks made “in the public interest.” Neither, of course, do many other such prohibitions (murder, theft, littering…).

Generally, Schwartz is right that you can’t murder someone and then claim you did it in the public interest.

You can’t, that is, unless you’re the CIA killing an American citizen with no due process. In that case, you can claim a public authority defense, even though you need to torque the law all out of recognition to do it. Ultimately, though, all you’re doing then is arguing that if the President orders you to do it, you can murder another American.

Then there’s Schwartz’ claim (also mocked by Friedersdorf), that he, a white male, doesn’t worry that the government will invade his house. I would add to Friedersdorf that the claim is especially neat coming as it did the day after EFF confirmed what everyone had predicted: the government has been conducting over 10,000 sneak-and-peak searches (ACLU’s Chris Soghoian insists we call these black bag jobs) a year, using a law justified by terrorism, to look for drugs.

Still, what I find funniest about Schwartz’ piece is the way he conflates categories without any apparent awareness.

Snowden’s experience holed up in his hotelhis fear, his precautions, and the U.S. government’s attempt to apprehend himbecomes an illustration of the very tyranny that Snowden set out to unmask.

That latter connection offends me, and it should offend others as well. The implication is that Snowden has been targeted and persecuted by the government because he is a dissenter. This is false. Snowden is a dissenter, but he is also a law-breaker. And the latter is the reason he has been targeted. There are a host of journalists, pundits, and commentators who share Snowden’s views, and they are all dissenters. But as far as I know, journalist Conor Friedersdorf and anchor Piers Morgan do not fear arrest.

For starters, Snowden was exhibiting that “paranoia” (the same paranoia he claims to have taught diplomats, of course) before the NSA knew to worry. He was not yet a law-breaker — at least not as far as the government knew. Moreover (even setting aside that Piers Morgan, newly re-implicated in illegal spying, should fear arrest), journalists are among a fairly broad class of people who should be paranoid even if they don’t fear arrest, because if they’re not sufficiently paranoid they can’t do their job.

But even if Snowden’s behavior were motivated from his role as “law-breaker,” Schwartz’ point should still be wrong, but is not. Snowden has been charged with Espionage, but even with all the propaganda out there, credible law enforcement sources have never claimed they had evidence Snowden was an Agent of a Foreign power. As such, he should be safe from the paranoia that an all-seeing state can find him in Hong Kong, because to find even a law-breaker in Hong Kong, the state should be using mutual legal assistance treaties and the like (though the downing of Evo Morales’ plane should disabuse you of the notion that the state would have in this case). They should be using law enforcement, not the dragnet.

Yet we know — thanks, in part, to Edward Snowden, that the government routinely uses the dragnet as it conducts assessments of people against whom it doesn’t even have evidence of wrong-doing. While the government might, in the first days of Snowden’s leaks, have been able to convince FISC Snowden was probably acting with Chinese or Russian help, that doesn’t change the fact — admitted now by the FBI — that they use the dragnet with mere racial profiling and the like.

Then finally there is Schwartz’ skepticism about the danger of this dragnet, operating globally.

Poitras has little do add to the debate over American surveillance programs. Through the mouths of privacy activist Jacob Appelbam, former NSA whistleblower William Binney and others, she argues that the reach of America’s (and our allies’) surveillance is unprecedented, which is true. But she also insists that our surveillance programs are unnecessary, that increases in government capabilities inherently infringe on our liberty, and warns ominously that dictatorships begin their oppression with the collection of data. 

Henry Farrell, in an awesome piece skewering the more liberal version of this American exceptionalism (read for the skewering, but definitely make sure to read through to the argument at the end), warns about the dangers of this globalizing dragnet.

Since September 11, 2001, surveillance has been quietly remaking domestic politics and international relations. The forces of globalization, which rapidly accelerated during the 1990s, made travel, trade and communication far easier and cheaper between the advanced industrial democracies and a key group of less developed countries. The 9/11 attacks exposed the dangers of interdependence. Domestic-security agencies sought—and usually got—vastly expanded resources, allowing them to implement new forms of large-scale data gathering, analysis and sharing. The risks and opportunities of interdependence also led them to work together across borders in unprecedented ways. Not only was it far easier and cheaper than ever before to gather information on how ordinary members of the population were behaving and communicating with each other, but it was also far easier and cheaper to share this information across countries. It is hard to overstate the importance of these data-sharing arrangements. 

[snip]

Most liberals assume a clear division between national politics, where we have strong rights and duties toward each other, and international politics, where these rights and duties are attenuated. National-security liberals, in contrast, start from the belief that we owe it to the world to remake it in more liberal ways and that America is uniquely willing to further this project and capable of doing so by projecting state power.

Snowden and Greenwald suggest that this project is not only doomed but also corrupt. The burgeoning of the surveillance state in the United States and its allies is leading not to the international spread of liberalism, but rather to its hollowing out in the core Western democracies. Accountability is escaping into a realm of secret decisions and shadowy forms of cross-national cooperation and connivance.

Almost all Snowden critics refuse to engage this larger problem, the degree to which America’s dragnet is turning its position as global hegemon from a force (debatably) for good into something far more ominous, an infrastructure of discipline. While it may now primarily target dissidents in other countries (though it already does target those who oppose American power), the infrastructure can easily be adapted (and may have, when it was still Stellar Wind) to target US dissidents. And it already does incorporate people — lawyers, human rights workers, journalists — whose roles need protection for democracy to function. In any case, given that it has already incorporated the dragnet into its efforts to racially profile and recruit informants, there’s adequate reason to be alarmed, even if you are a jingoistic American.