“Tor Stinks” … because It Requires Manual (Digital) Tails

“Tor stinks,” the Guardian reports one NSA document asserting, in a new story on NSA’s efforts to break that encryption system.

And while Bruce Schneier explains how the NSA uses similar techniques to those the Chinese government uses to spy on its users — something called Egotistical Giraffe — to break Tor, and the NSA has been able to crack other users’ communications via their poor hygiene outside of Tor (as with this week’s bust of Silk Road), the NSA has thus far been unable to systematically break the system.

At base, though, NSA believes that Tor stinks because,

We will never be able to de-anonymize all Tor users all the time.

With manual analysis we can de-anonymize a very small fraction of Tor users, however no success at de-anonymizing a user in response to a TOPI request/on demand.

Another complaint the NSA has is their methods for cracking Tor right now are “difficult to combine meaningfully with passive Sigint.” That is, they can’t just feed everything into a system and get potential targets to pop out.

To me, this boils down to a complaint that if the NSA wants to track users — the ones they can identify — they have to work as hard as cops used to in physically tracking suspects. That means (as NSA’s recent success busting 2 Tor users makes clear) they can track people. They just have to work at it.

We’ll hear a lot about how breaking Tor is a noble cause and NSA (and GCHQ) have to do it to keep us safe from the “very naughty people” who use Tor. But ultimately, it seems, one question is whether the NSA should get to break the law to make it as easy to track encrypted users as using GPS to track physical location has become.

NSA wants its targets to — effectively — come to it. It doesn’t want to have to identify targets and then crack their communications. But Tor, at least thus far, has made it as hard to do so as it used to be to physically track suspects.

Upstream US Person Collection: EO 12333 and/or FISA?

Keith Alexander had a really bizarre response to a question from Mazie Hirono in Tuesday’s hearing.

SEN. HIRONO: I have one more question, Mr. Chairman. General Alexander, is PRISM the only intelligence program NSA runs under FISA Section 702?

GEN. ALEXANDER: Well, PRISM was (the statement ?), but, yes. Essentially, the only program was that — that, you know, is PRISM under 702, which under — operates under that authority for the court. But we also have programs under 703, 704 and 705.

Perhaps he was confused by her question (which came in the context of questions about the NYT’s report on the construction of dossiers, potentially on Americans). But he seems to have claimed that PRISM — the collection of Internet content from Internet providers under Section 702 — is the only way the NSA uses FISA Amendments Act to collect content.

Not only does the PRISM slide above belie that (and there’s also phone content that is not covered under PRISM).

But the government itself released the October 3, 2011 John Bates FISC opinion (and other related documents) which describes the government’s collection of Internet transactions directly from the phone company switches (see footnote 24 where Bates distinguishes between the two kinds of Section 702 Internet collection). In an attempt to spin this collection as a big mistake last week, Dianne Feinstein even confirmed that this “upstream” collection comes from the backbone operated by the phone companies.

In mid 2011, NSA notified the DOJ, the DNI, and the FISA court, and House and Senate Intelligence Committees, of a series of compliance incidents impacting a subset of NSA collection under Section 702 of FISA, known as upstream collection.

This comprises about 10 percent of all collection that takes place under 702, and occurs when NSA obtains Internet communications, such as e-mails, from certain U.S. companies that operate the Internet background;[sic] i.e., the companies that own and operate the domestic telecommunication lines over which Internet traffic flows.

So there’s PRISM, there’s phone content collection, and there’s the upstream Internet collection from the phone companies’ switches. All operated, per the 2011 Bates memo, under Section 702 (and therefore overseen by the FISA Court and Congress).

Which is why I’ve been pondering this chart and related explanation, from NSA’s internal review of compliance incidents for the first quarter of 2012.

[Chart: NSA internal compliance review, first quarter 2012, violation incidents under EO 12333]

The chart shows all the violation incidents NSA discovered under programs authorized under Executive Order 12333 — the EO that covers entirely foreign collection, over which FISC and Congress exercise much less oversight than FISA. And what NSA calls “Transit Program” violations appear in the EO 12333, not the FISA, chart. In the first quarter of 2012 (the first quarter after the government started to resolve the 702 upstream collection problems laid out in the Bates memo), Transit Program violations went up from 7 in a quarter to 27.

NSA describes Transit Program violations this way.

(TS//SI//REL TO USA, FVEY) International Transit Switch Collection*: International Transit switches, FAIRVIEW (US-990), STORMBREW (US-983), ORANGEBLOSSOM (US-3251), and SILVERZEPHYR (US-3273), are Special Source Operations (SSO) programs authorized to collect cable transit traffic passing through U.S. gateways with both ends of the communication being foreign. When collection occurs with one or both communicants inside the U.S., this constitutes inadvertent collection. From 4QCY11 to 1QCY12, there was an increase of transit program incidents submitted from 7 to 27, due to the change in our methodology for reporting and counting of these types of incidents,

That is, these “Transit Program” violations reflect the collection of US person data in upstream collection, the very same problem described in the Bates opinion.

As I’ve been puzzling through why Transit Program violations would appear under EO 12333 rather than FISA, I wondered whether NSA collects off switches under both authorities — some content that the telecoms provide after doing an initial screening (as described in this WSJ article and backhandedly confirmed by the DNI), and some programs that the NSA collects and sorts off undersea cables itself. Both FAIRVIEW and STORMBREW show up — seemingly as Section 702 collection — on the PRISM slide above, but ORANGEBLOSSOM and SILVERZEPHYR don’t (WSJ also lists OAKSTAR and LITHIUM).

If so, though, you’d expect NSA to be finding violations under both authorities, because we know the government collects US person data under the 702 authorized upstream collection (they call this unintentional but Bates deemed it intentional).

This is all the more confusing given the way former Assistant Attorney General David Kris discusses “vacuum cleaner” collection taking place under EO 12333. His paper is on metadata collection, not content, but the vacuum cleaner (that is, dragnet) collection collects content as well (and the distinction may get distorted in discussions of Internet packets).

I don’t, yet, know the answer to this question, but the question itself raises several others:

  • Given that there’s not a 702-authorized Transit Program violation category, does that mean NSA wasn’t and may still not be tracking it? That doesn’t make sense, because there are greater mandates to track these things under 702.
  • If there wasn’t a 702-authorized Transit Program violation category before the revelations to John Bates, is it possible NSA instead treated upstream collection as authorized by 12333 so as not to have to report these violations?
  • Are these known violations being reported now? Are they getting reported to Congress and the Court? Or has the NSA simply decided they’re not violations since Bates has okayed them, sort of, as intentional collection?
  • If some of the upstream collection yielding US person content operates under 12333, does it have to be treated under any minimization rules?
  • What do the 7 and 27 violation numbers reflect in relation to the figures of 10,000 SCT and 46,000 MCT estimates involving US persons provided to Bates?
  • Did these violations ever get reported to Congress and the FISC?

In short, either all this upstream collection falls under 702, in which case there’s a big question why NSA tracks it as 12333 collection. Or the NSA’s ability to operate upstream collection under both authorities raises real questions about the protections it accords US person data collected under the 12333 collection.

Update: Two more things on this.

First, remember back in 2001, John Yoo pixie dusted EO 12333, basically holding the President could change the content of it without changing the language of it publicly. That was done, according to Sheldon Whitehouse, to permit the government to “wiretap Americans traveling abroad.” But I suspect it was done to permit the government to “wiretap Americans’ communications traveling abroad” — that is, American Internet traffic that transits foreign switches.

That said, I suspect the 2010 OLC memo on using 2511(2)(f) for collection was meant to clean up some of that (and also Yoo’s reliance on claiming the Fourth Amendment didn’t apply in DOD searches of entire apartment buildings if they were searching for terrorists).

Also, remember that the language of the 2008 Yahoo opinion makes it clear that the Protect America Act — Section 702’s predecessor — relied on 12333 for particularity. While we should soon learn more (FISC is releasing much more of this opinion and underlying documents), it seems that PAA was treated as a nested program within 12333.

The Scandal of Lying about “Thwarted” “Plots” Started 4 Years Ago

As predicted, one big takeaway from yesterday’s NSA hearing (the other being the obviously partial disclosure about location tracking) is Keith Alexander’s admission that rather than 54 “plots” “thwarted” in the US thanks to the dragnet, only one or maybe two were. Here are some examples.

But they’re missing this real scandal about the government’s lies about the central importance of Section 215.

That scandal started 4 years ago, when an example the FBI now admits had limited import played a critical role in the reauthorization of Section 215 without limits on the dragnet authority.

First, note that even while Leahy got Alexander to back off his “54 plots” claim, the General still tried to insist Section 215 had been critical in two plots, not just one.

SEN. LEAHY: Let’s go into that discussion, because both of you have raised concerns that the media reports about the government surveillance programs have been incomplete, inaccurate, misleading or some combination of that. But I’m worried that we’re still getting inaccurate and incomplete statements from the administration.

For example, we have heard over and over again the assertion that 54 terrorist plots were thwarted by the use of Section 215 and/or Section 702 authorities. That’s plainly wrong, but we still get it in letters to members of Congress; we get it in statements. These weren’t all plots, and they weren’t all thwarted. The American people are getting left with an inaccurate impression of the effectiveness of NSA programs.

Would you agree that the 54 cases that keep getting cited by the administration were not all plots, and out of the 54, only 13 had some nexus to the U.S. Would you agree with that, yes or no?

DIR. ALEXANDER: Yes.

SEN. LEAHY: OK. In our last hearing, Deputy Director Inglis’ testimony stated that there’s only really one example of a case where, but for the use of Section 215, bulk phone records collection, terrorist activity was stopped. Is Mr. Inglis right?

DIR. ALEXANDER: He’s right. I believe he said two, Chairman; I may have that wrong, but I think he said two, and I would like to point out that it could only have applied in 13 cases because of the 54 terrorist plots or events, only 13 occurred in the U.S. Business Record FISA was only used in (12 of them ?).

SEN. LEAHY: I understand that, but what I worry about is that some of these statements that all is — all is well, and we have these overstatements of what’s going on — we’re talking about massive, massive, massive collection. We’re told we have to do that to protect us, and then statistics are rolled out that are not accurate. It doesn’t help with the credibility here in the Congress; doesn’t help with the credibility with us, Chairman, and it doesn’t help with the credibility with the — with the country. [my emphasis]

Here’s the transcript at I Con the Record from the previous hearing, where Inglis in fact testified that Section 215 was only critical in the Basaaly Moalin case (which was not a plot against the US but rather funding to defeat a US backed invasion of Somalia).

MR. INGLIS: There is an example amongst those 13 that comes close to a but-for example and that’s the case of Basaaly Moalin.


That is, in fact, Inglis said it had been critical in just one “plot.”

After he did, FBI Deputy Director Sean Joyce piped in to note the phone dragnet also “played a role” by identifying a new phone number of a suspect we already knew about in the Najibullah Zazi case.

MR. JOYCE: I just want to relate to the homeland plots. So in Najibullah Zazi and the plot to bomb the New York subway system, Business Record 215 played a role; it identified specifically a number we did not previously know of a —

SEN. LEAHY: It was a — it was a critical role?

MR. JOYCE: What I’m saying — what it plays a

SEN. LEAHY: (And was there ?) some undercover work that was — took place in there?

MR. JOYCE: Yes, there was some undercover work.

SEN. LEAHY: Yeah —

MR. JOYCE: What I’m saying is each tool plays a different role, Mr. Chairman. I’m not saying that it is the most important tool —

SEN. LEAHY: Wasn’t the FBI — wasn’t the FBI already aware of the individual in contact with Zazi?

MR. JOYCE: Yes, we were, but we were not aware of that specific telephone number, which NSA provided us. [my emphasis]

So, when pressed, Joyce admitted that Section 215 wasn’t critical to finding Adis Medunjanin, one of Zazi’s conspirators. (And if you read Matt Apuzzo and Adam Goldman’s Enemies Within, you see just how minor a role it played.)

That’s important, because the Administration’s use of Section 215 in the Zazi case was crucially important to the defeat of two efforts to rein in the dragnet in 2009.


EFF: The Fourth Amendment Is Not Top Secret

EFF is requesting that the judge in its FOIA for the October 3, 2011 John Bates FISA Court opinion, Amy Berman Jackson, review the redactions currently in the document to ensure they are properly classified. (h/t Mike Scarcella) It argues the court should undertake such a review because disclosure of the things DOJ had previously claimed were Top Secret has now proven “the agency’s previous blanket withholding assertions were overbroad and wholly without merit.”

To support that case, they point to this passage originally withheld from production.

Upon even a cursory review of the Opinion, it is apparent, DOJ’s blanket exemption claims were far broader than the law allows. For example, this passage, according to the agency, was appropriately “classified at the TOP SECRET level” and withheld from the Opinion:

The Fourth Amendment provides:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Opinion at 67 (reciting Fourth Amendment); see also Bradley Decl., ¶ 5 (Opinion “withheld in full pursuant to FOIA Exemptions b(1) and b(3)”).

Now, I’m actually not sure about this argument. In recent years, after all, the Fourth Amendment has been almost entirely disappeared without a trace. I wouldn’t be surprised if the government had disappeared it as a conscious policy decision. So perhaps they really do maintain that the Fourth Amendment must now be hidden pursuant to the Executive Order governing classified information.

Technically, the government previously argued that revealing the existence and text of the Fourth Amendment would cause exceptionally grave harm to the United States — that’s what the Top Secret classification it withheld this material under means. [Update: Or, as Nigel puts it, that the opinion referenced the Fourth. Except that’s even more absurd because the FOIA was a response to Ron Wyden’s declassification of a statement that said the FISC had found in this opinion that the program violated the Fourth.]

We’ll see whether Judge Jackson agrees that was a reasonable claim.

James Clapper Proves Inadequate Oversight by Refusing to Answer EO 12333 Questions

The headlines from today’s Senate Judiciary Committee hearing on NSA will no doubt be that Pat Leahy forced Keith Alexander to admit they’ve been lying about whether the 54 “plots” they “thwarted” were really “plots” or “thwarted” in the first place. Perhaps just two were.

More astute reporters might note that, in response to questions about the NYT’s report on the dossiers created in the course of foreign intelligence collection analysis, Keith Alexander offered several equivocations, first claiming NYT got things wrong, then realizing that was too broad a claim. More interesting, he ultimately admitted that the NSA conducts some of this under Executive Order 12333 — the collection David Kris outlined in his paper.

There was even some follow-up on the NSA’s use of EO 12333, with James Clapper and Alexander claiming Congress had some oversight of that collection (in spite of Dianne Feinstein’s admission that they don’t get news of EO 12333 violations even when they involve Americans).

But the most telling exchange occurred between Amy Klobuchar, Keith Alexander, and James Clapper. (after 1:25) Klobuchar asked why they hadn’t told the Committee of the violations reported in an internal NSA review when they last appeared before the committee. After Alexander tried to filibuster (actually addressing the report in question and noting only ODNI and DOJ get those numbers, not FISC or Congress), Clapper interrupted and pretended she had asked about the LOVEINT incidents just reported to Charles Grassley. Clapper claimed those hadn’t been reported because they were 12333 violations.

Clapper: I think the answer to the question, Senator, was that the subject of the hearing was 215 and 702, and these 12 violations over 10 occurred under the foreign collection under the auspices of Executive Order 12333. [Sits back]

Klobuchar: I thought we were broadly asking questions and it would have been nice to have heard about it there but it’s behind us now.

But Clapper is absolutely incorrect. The review Klobuchar asked about reported 195 FISA violations. Of those, 20% were due diligence violations — of an analyst not following Standard Operating Procedures she has been trained on. 31% are what amount to insufficient intelligence (these are called “resource violations”), resulting in searches on targets who shouldn’t be targeted. A number of the incidents included not detasking someone quickly enough.

In other words, while these may (or may not) be minor, they are real violations of FISA authorities, the stuff that Congress and the Courts are supposed to oversee. And Clapper just blew off the question by saying they don’t have to disclose any violations pertaining to EO 12333 (even though a chunk of these violations weren’t EO 12333 violations).

Which of course demonstrates a further point. The Intelligence Community is basically refusing to discuss any EO 12333 violations and/or programs, even while it also picks up US person information at least incidentally.

And yet they claimed there was adequate oversight over those programs.

David Kris Outlines the Internet Dragnet Elephant

Way back on page 64 (of 67) of former Assistant Attorney General for National Security David Kris’ paper “On the Bulk Collection of Tangible Things,” he invokes the elephant metaphor the President used to promise more NSA disclosures on multiple programs.

What I’m going to be pushing the IC to do is rather than have a trunk come out here and leg come out there and a tail come out there, let’s just put the whole elephant out there so people know exactly what they’re looking at.

In keeping with the President’s direction, the Intelligence Community has released many new details about the bulk telephony metadata collection program, as described above. In addition, as also noted above, the FISC itself has released significant new information. The key remaining question is whether there will be additional, authorized releases concerning intelligence activity that has not been subject to prior, unauthorized releases. [my emphasis]

Kris uses the President’s elephant to ask whether they really will disclose their intelligence programs. He mentions just the phone dragnet (even though the Administration, in response to two FOIAs, also released information about their Section 702 upstream collection programs), even as he suggests the Administration might do well to admit to other programs before they are exposed by an Edward Snowden leak.

Which is interesting, because Kris’ paper — in spite of his title and in spite of that reference to the phone dragnet — is really about what the government has declassified (the phone dragnet) as well as what the government has left partly hidden (the Internet dragnet and broader phone dragnet).

Kris discusses the PATRIOT-authorized Internet dragnet along with the phone dragnet

Kris, after all, provides the following facts about the PATRIOT-authorized Internet dragnet, citing the named sources:

  • Internet and telephony metadata was collected starting in 2001, until the 2004 hospital disagreement led to the former being moved to Pen Register/Trap & Trace authority, which was the first bulk order (“purported” NSA IG Report)
  • One company — which the “purported” IG report makes clear was an Internet one and is probably Yahoo — did not participate in the illegal wiretap program (“purported” NSA IG Report)
  • The Internet metadata collection ended in 2011 (an ODNI spokesperson in a Charlie Savage story)

Kris also points to four different Administration acknowledgements of the Internet metadata program. He refers to the 2009 and 2011 notice letters to Congress (though he focuses on the phone dragnet language in them), and the James Clapper response to Wyden and 25 other Senators. Perhaps most interestingly, Kris notes that government witness(es) have confirmed the program and the use of PR/TT to authorize it…

At a July 17, 2013 hearing of the House Judiciary Committee, government witnesses confirmed the pen-trap bulk collection.

But unlike just about every other comment in a hearing cited in his paper, Kris doesn’t quote the exchange, which went like this.

SUZAN DELBENE: The public also now knows that the telephone metadata collection is under Section 215, the Business Records provision of FISA, and that allows for the collection of tangible things. But we’ve also seen reports of a now-defunct program collecting email metadata. With regard to the email metadata program that is no longer being operated, can you confirm that the authority used to collect that data was also Section 215?

GEN. COLE: It was not. It was the Pen Register Trap and Trace Authority under FISA, which is slightly different, but it amounts to the same kind of thing. It does not involve any content. It is, again, only to and from. It doesn’t involve, I believe, information about identity. It’s just email addresses. So it’s very similar, but not under the same provision.

REP. DELBENE: And could you have used Section 215 to collect that information?

GEN. COLE: It’s hard to tell. I’d have to take a look at that.

The transcript from this hearing is up at the I Con the Record site, so it’s unclear why Kris didn’t quote it.

David Kris Joins Ben Wittes in His NAKED! Choir

I know, I know. I’ve promised my substantive post on David Kris’ paper on the phone and Internet dragnets.

I know, I know. My repeated harping on the failure to inform the 2011 House freshmen about the dragnet is getting tedious.

But Kris dedicated 16 pages of his 67 page paper to arguing that the statutory requirements for briefing Congress about the dragnets (which Kris says require only Intelligence and Judiciary Committee briefing) have been met. He ultimately makes a half-hearted attempt to make the same argument Claire Eagan did about Congress adopting judicial interpretation. And he lays out the fatally weak case Ben Wittes has made in the past to justify his wails of NAKED!

In doing so, Kris claims that, “all Members were offered briefings on the FISC’s interpretation.”

The briefings and other historical evidence raise the question whether Congress’s repeated reauthorization of the tangible things provision effectively incorporates the FISC’s interpretation of the law, at least as to the authorized scope of collection, such that even if it had been erroneous when first issued, it is now—by definition—correct. There is a basic principle of statutory construction that “Congress is presumed to be aware of an administrative or judicial interpretation of a statute and to adopt that interpretation when it reenacts a statute without change,”208 as it did repeatedly with the tangible things provision.

[snip]

Of course, it would be ridiculous to presume that Congress adopted a classified interpretation of a law of which it could not have been aware. As described above, however, the historical record shows that many Members were aware, and that all Members were offered briefings on the FISC’s interpretation, even if they did not attend the briefings.

And yet, in all those 16 pages, he offers not one whit of evidence that the 93 members of Congress elected in 2010 (save the 7 on the Intelligence and Judiciary Committees) could have learned about the program save two briefings offered in May 2011.

Unless you count this argument, which suffers from a basic logic problem.

In an unclassified report published in March 2011, the Senate Intelligence Committee emphasized that it had offered a briefing to all Members of Congress concerning the bulk telephony metadata collection:

Prior to the extension of the expiring FISA provisions in February 2010, the Committee acted to bring to the attention of the entire membership of the Senate important information related to the nature and significance of the FISA collection authority subject to sunset. Chairman Feinstein and Vice Chairman Bond notified their colleagues that the Attorney General and the DNI had provided a classified paper on intelligence collection made possible under the Act and that the Committee was providing a secure setting where the classified paper could be reviewed by any Senator prior to the vote on passage of what became Public Law 111–141 to extend FISA sunsets. [my bold]

The entire membership of the Senate, after all, is not the same thing as “all Members of Congress.”

Ultimately, though, Kris concedes (citing just the white paper, and not citing me, the Guardian, any other reporting, or Justin Amash’s public statements to the effect) that just maybe this information wasn’t passed on in 2011 — but don’t worry, the Executive did its job!

Although the House Intelligence Committee did notify Members of the House of the classified documents and briefings in 2010 (when it was led by Chairman Sylvestre Reyes), it may not have done so in 2011 (when it was led by Chairman Mike Rogers). See White Paper at 18 n.13.

[snip]

Regardless of any intracongressional issues in 2011, as a matter of inter-branch relations, it is clear that the Executive Branch provided the materials with the intent that they be made available to all Members of Congress, as they had been in 2009.

Now, Kris is a much better lawyer than the flunkies who wrote the Administration’s far weaker White Paper on Section 215, and his argument here betrays not only that, but, I suspect, a hint that he realizes the flaw in his argument.

Notice in his claim that “all Members were offered briefings on the FISC’s interpretation,” he doesn’t argue all members got the Executive Branch notices on the program. He doesn’t argue that all members got briefed on the content on the notices. Rather, he claims only that they were offered briefings on the FISC’s interpretation.


David Kris Points to the Clause Loopholed Under David Barron on Metadata Collection

I’m working on a longer post on David Kris’ paper on the phone [and Internet] dragnets.

But for the moment, I want to note that he strongly implies the US is relying on 18 U.S.C. § 2511(2)(f) to collect international metadata. He does it when he first introduces the phone dragnet secondary order (page 2).

The order excluded production of metadata concerning “communications wholly originating and terminating in foreign countries.”5 215 Bulk Secondary Order at 2; see Business Records FISA NSA Review at 15 (June 25, 2009) [hereinafter NSA End-to-End Review], available at http://www.dni.gov/files/documents/section/pub_NSA%20Business%20Records%20FISA%20Review%2020130909.pdf; August 2013 FISC Order at 10 n.10; cf. 18 U.S.C. §2511(2)(f) (“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”). [my emphasis]

And he does it just after suggesting that the FISA Court may have approved the phone dragnet in 2006 — however shabby the legal case — just to have it under FISC supervision (note, he also nods to the Internet metadata dragnet, but as I’ll note he goes through some contortions to avoid addressing it all that directly).

More broadly, it is important to consider the context in which the FISA Court initially approved the bulk collection. Unverified media reports (discussed above) state that bulk telephony metadata collection was occurring before May 2006; even if that is not the case, perhaps such collection could have occurred at that time based on voluntary cooperation from the telecommunications providers. If so, the practical question before the FISC in 2006 was not whether the collection should occur, but whether it should occur under judicial standards and supervision, or unilaterally under the authority of the Executive Branch.147

147 With respect to metadata concerning foreign-to-foreign communications, which the FISC’s order expressly does not address, see 18 U.S.C. § 2511(2)(f)

This is important because it is precisely the clause (the one Kris cites above) that the Office of Legal Counsel reinterpreted in 2010 to cover past illegal access to phone metadata, including US based phone metadata.

The existence of that memo was first disclosed by Glenn Fine in his Exigent Letter IG Report. (See also this post.) He described how, in the context of its effort to clean up the legal-process-free access to phone data from the telecoms, DOJ had ordered up this opinion (though they claimed they were not relying on it). In 2011, DOJ provided enough information in response to a FOIA to make it clear the memo pertained to this passage.

Now, in context, Kris is just implying that the government is using this clause to get the telecoms to voluntarily turn over foreign to foreign communications.

Except we know precisely how the NSA defines “foreign communications.”

Foreign communication means a communication that has at least one communicant outside of the United States. All other communications, including communications in which the sender and all intended recipients are reasonably believed to be located in the United States at the time of acquisition, are domestic communications.

That is, so long as just one end of a communication is foreign, the NSA considers it a foreign communication (and therefore the telecoms can voluntarily disclose it under their interpretation of this clause of ECPA).

And remember: this opinion reinterpreting ECPA was written under the direction of — if not written by — David Barron, the guy Obama wants to have a lifetime appointment on the First Circuit.

I need to think through whether this means what I think it means. But it sure seems like Kris is saying that the government did use this loophole to collect metadata involving foreigners (and Americans). And given that DOJ claimed it could use this memo to clean up its entirely domestic communications problems (per the Fine IG Report), it sure seems like Kris is saying that if we close the Section 215 collection, the government will just resume using ECPA.

Update: I just realized this post, which adopts an argument I made almost two weeks ago (that there is no original opinion for the phone dragnet), was written by Marty Lederman (who was at OLC during roughly the same period that Barron was).

Which is why I find it weird that Lederman makes an extended argument noting that an earlier clause in ECPA tweaked during the original PATRIOT Act bill prohibits this sharing of phone metadata.

You wouldn’t know it from Judge Eagan’s opinion–or from David Kris’s paper, for that matter–but Congress has actually considered the specific question about whether and under what circumstance service providers may disclose to the government the telephony metadata of their customers, and has enacted a statute dealing specifically with that question–a statute that expressly prohibits such disclosure.  Moreover, the prohibition in question was enacted as part of the very same law that includes Section 215, namely, the PATRIOT Act of 2001.

A provision of the Electronic Communications Protection Act (ECPA), 18 U.S.C. 2702(a)(3), states that “a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.”

Statutory language doesn’t often get much clearer than that:  A provider of remote computing service or electronic communication service to the public — a category that includes phone service providers — cannot knowingly convey consumer records or information to any governmental entity.

Remarkably, Congress added this prohibition to ECPA in section 212(a)(1)(B)(iii) of the 2001 PATRIOT Act itself–the same law in which section 215 expanded the “business records” provision upon which the government relies here.  The two provisions are only three pages apart in the Statutes at Large.  In other words, the government is relying here upon a broad, general “business records” provision included in the PATRIOT Act; but in that very same legislation, Congress included another provision specifically involving the business records of telephone customers, and in that more specific provision it precluded the very sort of records transfer at issue here.

The thing is, I find it almost impossible to believe that Lederman wouldn’t know about (or even didn’t review) that January 8, 2010 opinion. And he certainly must know what the implications of invoking foreign communications in the context of 18 U.S.C. § 2511(2)(f) are.

I’m confused.

Update: I missed one other mention of 2511(2)(f), which comes in Kris’ incomplete description of all the violations in the phone dragnet program (it is incomplete, in part, because he cites from the June report of the problems rather than the August filing presenting them, which includes several more, probably more troubling, violations; but he also misses details of a few of the other violations, which is particularly interesting because he, of all people, must know this stuff).

(8) acquisition of metadata for foreign-to-foreign telephone calls from a provider that believed such metadata to be within the scope of the FISC’s orders, when it was not, NSA End-to-End Review at 15; cf. August 2013 FISC Order at 10 n.10 (“The Court understands that NSA receives certain call detail records pursuant to other authority, in addition to the call detail records produced in response to this Court’s Orders.”); see generally 18 U.S.C. § 2511(2)(f) (“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”);

His inclusion of it here is interesting because this violation is likely the collection that Reggie Walton shut down temporarily on July 9, 2009. Does that mean they just kept collecting from this provider (I wonder, by the way, whether it’s something exotic like Skype), and deemed it covered by 18 U.S.C. § 2511(2)(f)? If so, Kris would have been among those who made the decision to do so.

“Everyday Americans” Are Increasingly Foreign Intelligence Now

[youtube]U-yLQPO_8E0[/youtube]

Yesterday, the Guardian revealed that the NSA is storing online metadata (including browsing information) for up to a year.

The National Security Agency is storing the online metadata of millions of internet users for up to a year, regardless of whether or not they are persons of interest to the agency, top secret documents reveal.

[snip]

The guide goes on to explain Marina’s unique capability: “Of the more distinguishing features, Marina has the ability to look back on the last 365 days’ worth of [Digital Network Information] metadata seen by the Sigint collection system, regardless whether or not it was tasked for collection.” [Emphasis original.]

So in addition to our phone metadata, the government is keeping our browsing metadata in case it needs it.

Remember, over a fifth of the query violations recorded by the NSA in the first quarter of 2012 accessed this database.

As interesting as this disclosure is, I’m just as interested in the way NSA responded to the Guardian’s request for a rationale for this practice and some sense of how much of it includes US person data.

The Guardian approached the NSA with four specific questions about the use of metadata, including a request for the rationale behind storing 365 days’ worth of untargeted data, and an estimate of the quantity of US citizens’ metadata stored in its repositories.

But the NSA did not address any of these questions in its response, providing instead a statement focusing on its foreign intelligence activities.

“NSA is a foreign intelligence agency,” the statement said. “NSA’s foreign intelligence activities are conducted pursuant to procedures approved by the US attorney general and the secretary of defense, and, where applicable, the foreign intelligence surveillance (Fisa) court, to protect the privacy interests of Americans.

“These interests must be addressed in the collection, retention, and dissemination of any information. Moreover, all queries of lawfully collected data must be conducted for a foreign intelligence purpose.”

It continued: “We know there is a false perception out there that NSA listens to the phone calls and reads the email of everyday Americans, aiming to unlawfully monitor or profile US citizens. It’s just not the case.

“NSA’s activities are directed against foreign intelligence targets in response to requirements from US leaders in order to protect the nation and its interests from threats such as terrorism and the proliferation of weapons of mass destruction.” [my emphasis]

This non-answer does three things.

  • As with Ron Wyden’s repeated requests for the number of Americans targeted through the back door loophole, the NSA refuses to quantify the scope of this collection
  • It names all the spying on US person data “foreign intelligence” as a means to legitimize it
  • It denies accessing the content of “everyday Americans” rather than denying it accesses the content of Americans, period

I’m beginning to realize why NSA keeps responding with that last bullet — we are not reading your content. More and more, it appears not to be a denial that they access US person content (once you get into Internet “metadata” you’re quickly getting into content in any case), but rather a denial that they access the US person content of “everyday Americans.” Which suggests they do access the content of certain Americans who, because their activities might fall under categories the NSA claims “US leaders” have deemed foreign intelligence, are no longer considered “everyday Americans.”

And once you get beyond the fearmongering excuse of terror terror terror, you realize this is not just Muslims and Arabs (not that that would make it right in any case).

We live in an increasingly globalized world in which “everyday Americans” have a wide range of entirely legitimate reasons to engage with people outside of this country. At the core of this dragnet, it appears, is the argument that such legitimate activities somehow exclude you from the designation of “everyday Americans.”

But it’s not going to disclose whether it considers you an “everyday American” exempt from all this domestic-as-foreign spying or not.

Update: Musical accompaniment suggested by billmon.

Could an Independent NSA Inspector General Have Prevented 3 Years of Violations?

Last week, two former Senate Intelligence Committee members proposed a fix for the NSA no one has yet floated: making NSA’s Inspector General independent. Doing so, they argue, would give the IG more leeway to direct her investigations of the NSA and provide Congress needed insight into NSA’s real activities.

But one important option has yet to be proposed: creating an independent inspector general’s office at the NSA, comparable to the office that was created within the CIA in 1989.

[snip]

Not only was the inspector general’s office viewed differently after the law was passed, but the office itself was different. It decided which of the CIA’s activities would be investigated, inspected or audited without waiting for direction or approval from agency management. Employees of the IG’s office no longer had to worry about the potential effect on their careers if their findings and conclusions were critical of the agency. They may not have always gotten everything right, but they were freer to call things as they saw them and did so, at times to the chagrin of CIA management.

Having an independent inspector general at the CIA produced other advantages for the oversight process: It gave the congressional intelligence committees a more reliable partner — an office that lawmakers could call upon to conduct investigations beyond their own capabilities — and they learned of problems they otherwise might not have come across.

The same dynamic is not possible at the NSA today because the agency’s inspector general is appointed by and works for the NSA director. For all practical purposes, he is a member of the director’s staff and does not report directly to the intelligence committees.

I’m particularly interested in this recommendation given a few data points from the 2006 transition period from the illegal phone dragnet to the Section 215 dragnet.

As the documents submitted in 2009 make clear, the dragnet remained largely if not entirely unchanged from what it was before 2006. The initial “bug” that “arose” in 2009 was really just a “feature” — an alert system on suspect phone identifiers — of the illegal program that never got shut down or properly disclosed to the FISA Court. Many of the subsequent “bugs” (such as access to the queried data for FBI and CIA) also seem to be “features” no one turned off to keep the program legal.

And the Inspector General (from 2002 to 2006, NSA defender Joel Brenner served in that role) knew about the features of the illegal program because he was belatedly read into the illegal program in 2002 and actually provided 3 suggestions to improve oversight of it (see pages 45-46). Among other things, Brenner instituted and attended monthly due diligence meetings.

As Keith Alexander’s February 2009 declaration to Reggie Walton reveals, as the program was transferring to FISC authorization in 2006, someone in the IG office suggested NSA tell the FISA Court how the alert system worked, but NSA chose not to follow that suggestion.

Agency records indicate that, in April 2006, when the Business Records Order was being proposed, NSA’s Office of Inspector General (“OIG”) suggested to SID personnel that the alert process be spelled out in any prospective Order for clarity but this suggestion was not adopted.

More interesting still is the role of a 2006 study submitted to the FISA Court (starting at 85).