How FBI Could Use Reverse Targeting to Use Section 702 against Keith Gartenlaub

/2 Comments/in , /by

Some weeks ago, in a post named, “Evidence the US Government Used Section 702 against Keith Gartenlaub[‘s Parents-in-Law],” I laid out the evidence that Section 702 was used against Keith Gartelaub. As I showed,

  • A warrant in his case seemed to parallel construct Yahoo and Google content, often a sign the government is trying to introduce a second source for PRISM content
  • In spite of reference to Skype metadata, nothing in the court case ever seemed to reflect the content from those calls, in spite of the fact they’d be readily collectible
  • After approving the sharing of FISA information with the National Center for Missing and Exploited Children for traditional FISA data, the government approved such sharing for 702 data the day before they arrested Gartenlaub

But there was just one problem with that argument — one made clear in the title of the post. Ultimately, the government is only supposed to be allowed to target foreigners like Gartenlaub’s “well connected” Chinese parents-in-law, not Gartenlaub. Yet by all appearances, the investigation started with Gartenlaub, basically by deciding that allegations of Boeing theft must mean there was a Boeing theft at Gartenlaub’s location and then, very quickly, settling on Gartenlaub as the likely culprit.

Around January 28, 2013: Agent Wesley Harris reads article that leads him to start searching for Chinese spies at Boeing

February 7, 8, and 22, 2013: Harris interviews Gartenlaub

June 18, 2013: Agent Harris obtains search warrant for Gartenlaub and his wife, Tess Yi’s, Google and Yahoo accounts

So if Agent Harris did obtain 702 data between February, when he first showed interest in Gartenlaub, and June, when he appeared to be parallel constructing Google and Yahoo content, it would have been for the purpose of obtaining information on Gartenlaub, already a focus of the investigation.

That would pretty clearly be reverse targeting (unless, for some reason, the FBI already had a big stash of his in-laws’ communications in their 702 collection, in which it’d come up in a back door search).

In other words, while there’s a good deal of circumstantial evidence that the government used 702 to spy on his conversations with his in-laws, that shouldn’t be allowed under a common sense definition of what reverse targeting does.

Except, as Senator Wyden’s 702 reform and the SSCI bill report make clear, that kind of reverse targeting actually is permitted by current practice.

In his comments to the SSCI bill report, for example, Wyden explained,

The bill does not include a meaningful prohibition on reverse targeting, which would require a warrant when a significant purpose of targeting a foreigner is actually to collect the communications of the American communicant. The current standard permits the government to conduct unlimited warrantless searches on Americans, disseminate the results of those searches, and use that information against those Americans, so long as it has any justification at all for targeting the foreigner.

His own bill would insert language prohibiting the targeting someone outside the US if a significant purpose is to get the communications of someone inside the US. If it was, the bill would require the government to get a Title I (traditional) order. [Bolded language is new.]

(d) Targeting procedures
(1) Requirement to adopt–The Attorney General, in consultation with the Director of National Intelligence, shall adopt targeting procedures that are reasonably designed to—
(A) ensure — 

(aa) that any acquisition authorized under subsection (a) is limited to targeting persons reasonably believed to be located outside the United States; and
(bb) that an application is filed under title I, if otherwise required, when a significant purpose of an acquisition authorized under subsection (a) is to acquire the communications of a particular, known person reasonably believed to be located in the United States; 

And a SSCI Wyden amendment modified by Angus King would prohibit the targeting of someone overseas if a purpose of the targeting was to collect on someone in the US.

By a vote of four ayes to eleven noes, the Committee rejected an amendment by Senator Wyden, as modified by Senator King, which would have revised the standard on current reverse targeting prohibitions to replace ‘‘the’’ with ‘‘a,’’ such that the statute would state ‘‘If a purpose of such acquisition is to target a particular known person.’’ The votes in person or by proxy were as follows: Chairman Burr—no; Senator Risch—no; Senator Rubio—no; Senator Collins—no; Senator Blunt—no; Senator Lankford—no; Senator Cotton—no; Senator Cornyn—no; Vice Chairman Warner—no; Senator Feinstein—no; Senator Wyden—aye; Senator Heinrich— aye; Senator King—aye; Senator Manchin—no; and Senator Harris—aye.

 

Clearly, the current prohibition on reverse targeting actually would nevertheless permit the government to obtain Gartenlaub’s in-laws communications to find out what they talk about in order to assess whether he might be plotting to steal IP from Boeing with them. And even though we still only have circumstantial evidence this is what happened, if it did, it would show the problem with reverse targeting: because Gartenlaub had Chinese in-laws, it (may have) made it far easier to obtain potentially damning information using 702 than it would be for any of his colleagues who didn’t have such ties with anyone of interest in China.

Effectively (again, if Gartenlaub was indeed reverse targeted), it would mean the government could obtain communications without any suspicion from which they could look for evidence of probable cause that he (or his wife) was an agent of a foreign power.

Ultimately, after both a criminal warrant and a FISA warrant claiming they had probable cause Gartenlaub was spying for China, after reading his emails for months, searching his home, and searching multiple devices, the government never found evidence to support that claim. But they did find old child porn (though no forensic evidence showing he had accessed that porn). It appears likely that they would never have found it if he hadn’t had the bad luck of marrying a well-connected Chinese-American.

Yup: The Government Is Secretly Hiding Its Crypto Battles in the Secret FISA Court

/9 Comments/in /by

When I analyzed the Wyden-Paul Section 702 reform bill, I noted language that suggested Wyden was concerned about the government using the secrecy of FISA Court proceedings to demand technical assistance from providers they otherwise couldn’t get. Wyden’s bill makes it clear he’s concerned that the government would (or is) making technical demands without even telling the FISC it is doing so. His bill would explicitly require review of any technical demands by the court.

(B) LIMITATIONS.—The Attorney General or the Director of National Intelligence may not request assistance from an electronic communication service provider under subparagraph (A) without demonstrating, to the satisfaction of the Court, that the assistance sought—

(i) is necessary;

(ii) is narrowly tailored to the surveillance at issue; and

(iii) would not pose an undue burden on the electronic communication service provider or its customers who are not an intended target of the surveillance.

(C) COMPLIANCE.—An electronic communication service provider is not obligated to comply with a directive to provide assistance under this paragraph unless

(i) such assistance is a manner or method that has been explicitly approved by the Court; and

(ii) the Court issues an order, which has been delivered to the provider, explicitly describing the assistance to be furnished by the provider that has been approved by the Court.

I suggested the most likely use of such a “technical assistance” demand would be requiring a company (cough, Apple) to back door its encryption.

The most obvious such application would involve asking Apple to back door its iPhone encryption.

As a reminder, national security requests to Apple doubled in the second half of last year.

The number of national security orders issued to Apple by US law enforcement doubled to about 6,000 in the second half of 2016, compared with the first half of the year, Apple disclosed in its biannual transparency report. Those requests included orders received under the Foreign Intelligence Surveillance Act, as well as national security letters, the latter of which are issued by the FBI and don’t require a judge’s sign-off.

We would expect such a jump if the government were making a slew of new requests of Apple related to breaking encryption on their phones.

In his statement on the bill, Wyden made it clear that that’s precisely what he is concerned about.

It leaves in place current statutory authority to compel companies to provide assistance, potentially opening the door to government mandated de-encryption without FISA Court oversight. [my emphasis]

And note: he is saying that the government will (that is, has already, most likely) done this without asking the FISC to review whether its technical demands are narrowly tailored and necessary.

Update: This post has been updated in response to comments to clarify that Wyden is not concerned about technical demands per se, but about technical demands with no FISC review.

Update: One more point to make clear: for “individual” orders, the court will review every facility, which will involve some review of what kinds of access the government will get (such as when, in 2015, the government ordered Yahoo to scan all its users for some kind of signature).

But under 702, the “assistance” language that the government could use to obligate back doors (or whatever else) is not tied to anything the court reviews. Annual certifications have to affirm that the collection requires domestic provider assistance (but does not require a description of what that assistance entails).

vi) the acquisition involves obtaining foreign intelligence information from or with the assistance of an electronic communication service provider; and

But then once that certificate is signed, the government can work at the level of directives, demanding, compensating, and indemnifying the provider for that assistance all without any court review.

(h) Directives and judicial review of directives

(1) Authority: With respect to an acquisition authorized under subsection (a), the Attorney General and the Director of National Intelligence may direct, in writing, an electronic communication service provider to—

(A) immediately provide the Government with all information, facilities, or assistance necessary to accomplish the acquisition in a manner that will protect the secrecy of the acquisition and produce a minimum of interference with the services that such electronic communication service provider is providing to the target of the acquisition; and

(B) maintain under security procedures approved by the Attorney General and the Director of National Intelligence any records concerning the acquisition or the aid furnished that such electronic communication service provider wishes to maintain.

(2) Compensation

The Government shall compensate, at the prevailing rate, an electronic communication service provider for providing information, facilities, or assistance in accordance with a directive issued pursuant to paragraph (1).

(3) Release from liability
No cause of action shall lie in any court against any electronic communication service provider for providing any information, facilities, or assistance in accordance with a directive issued pursuant to paragraph (1).

That’s why the risk is that much greater for 702: because the court is never going to review the individual directives which is where the specific technical assistance gets laid out (unless a provider is permitted to challenge those directives).

Eleven (or Thirteen) Senators Are Cool with Using Section 702 to Spy on Americans

/7 Comments/in /by

The Senate Intelligence Committee report on its version of Section 702 “reform” is out. It makes it clear that my concerns raised here and here are merited.

In this post, I’ll examine what the report — particularly taken in conjunction with the Wyden-Paul reform — reveals about the use of Section 702 for domestic spying.

The first clue is Senator Wyden’s effort to prohibit collection of domestic communications — the issue about which he and Director of National Intelligence Dan Coats have been fighting about since June.

By a vote of four ayes to eleven noes, the Committee rejected an amendment by Senator Wyden that would have prohibited acquisition under Section 702 of communications known to be entirely domestic under authority to target certain persons outside of the United States. The votes in person or by proxy were as follows: Chairman Burr—no; Senator Risch—no; Senator Rubio—no; Senator Collins—no; Senator Blunt—no; Senator Lankford—no; Senator Cotton—no; Senator Cornyn—no; Vice Chairman Warner—no; Senator Feinstein—aye; Senator Wyden—aye; Senator Heinrich— aye; Senator King—no; Senator Manchin—no; and Senator Harris—aye.

It tells us that the government collects entirely domestic communications, a practice that Wyden tried to prohibit in his own bill, which added this language to Section 702.

(F) may not acquire communications known to be entirely domestic;

This would effectively close the 2014 exception, which permitted the NSA to continue to collect on a facility even after it had identified that Americans also used it. As I have explained is used to collect Tor (and probably VPN) traffic to obtain foreigners’ data. I suspect that detail is what Wyden had in mind when, in his comments in the report, he said the report itself “omit[s] key information about the scope of authorities granted the government” (though there are likely other things this report hides).

I have concerns about this report. By omitting key information about the scope of authorities granted the government, the Committee is itself contributing to the continuing corrosive problem of secret law

As the bill report lays out, Senators Burr, Risch, Rubio, Collins, Blunt, Lankford, Cotton, Cornyn, Warner, King, and Manchin are all cool using a foreign surveillance program to spy on their constituents, especially given that Burr has hidden precisely the impact of that spying in this report.

Any bets on whether they might have voted differently if we all got to know what kind of spying on us this bill authorized.

That, of course, is only eleven senators who are cool with treating their constituents (or at least those using location obscuring techniques) like foreigners.

But I’m throwing Feinstein and Harris in with that group, because they voted against a Wyden amendment that would have limited how the government could use 702 collected data in investigations.

By a vote of two ayes to thirteen noes, the Committee rejected an amendment by Senator Wyden that would have imposed further restrictions on use of Section 702-derived information in investigations and legal proceedings. The votes in person or by proxy were as follows: Chairman Burr—no; Senator Risch—no; Senator Rubio—no; Senator Collins—no; Senator Blunt—no; Senator Lankford—no; Senator Cotton—no; Senator Cornyn—no; Vice Chairman Warner—no; Senator Feinstein—no; Senator Wyden— aye; Senator Heinrich—aye; Senator King—no; Senator Manchin— no; and Senator Harris—no.

While we don’t have the language of this amendment, I assume it does what this language in Wyden’s bill does, which is to limit the use of Section 702 data for purposes laid out in the known certificates (foreign government including nation-state hacking, counterproliferation, and counterterrorism — though this language makes me wonder if there’s a Critical Infrastructure certificate or whether it only depends on the permission to do so in the FBI minimization procedures, and the force protection language reminds me of the concerns raised by a recent HRW FOIA permitting the use of 12333 language to do so).

(B) in a proceeding or investigation in which the information is directly related to and necessary to address a specific threat of—

(i) terrorism (as defined in clauses (i) through (iii) of section 2332(g)(5)(B) of title 18, United States Code);

(ii) espionage (as used in chapter 37 of title 18, United States Code);

(iii) proliferation or use of a weapon of mass destruction (as defined in section 2332a(c) of title 18, United States Code);

(iv) a cybersecurity threat from a foreign country;

(v) incapacitation or destruction of critical infrastructure (as defined in section 1016(e) of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001 (42 U.S.C. 5195c(e))); or

(vi) a threat to the armed forces of the United States or an ally of the United States or to other personnel of the United States Government or a government of an ally of the United States.

Compare this list with the one included in the bill, which codifies the use of 702 data for issues that,

“Affects, involves, or is related to” the national security of the United States (which will include proceedings used to flip informants on top of whatever terrorism, proliferation, or espionage and hacking crimes that would more directly fall under national security) or involves,

  • Death
  • Kidnapping
  • Serious bodily injury
  • Specified offense against a minor
  • Incapacitation or destruction of critical infrastructure (critical infrastructure can include even campgrounds!)
  • Cybersecurity, including violations of CFAA
  • Transnational crime, including transnational narcotics trafficking
  • Human trafficking (which, especially dissociated from transnational crime, is often used as a ploy to prosecute prostitution; the government also includes assisting undocumented migration to be human trafficking)

[snip]

Importantly, the bill does not permit judicial review on whether the determination that something “affects, involves, or is related to” national security. Meaning Attorney General Jeff Sessions could decide tomorrow that it can collect the Tor traffic of BLM or BDS activists, and no judge can rule that’s an inappropriate use of a foreign intelligence program.

The bill report’s description of this section makes it clear that — in spite of its use of the word “restriction,” — this is really about providing affirmative “permission.”

Section 6 provides restrictions on the Federal Bureau of Investigation’s (FBI’s) use of Section 702-derived information, so that the FBI can use the information as evidence only in court proceedings [my emphasis]

That is, Wyden would restrict the use of 702 data to purposes the FISC has affirmatively approved, rather than the list of 702 purposes expanded to include the most problematic uses of Tor: all hacking, dark markets, and child porn.

So while Feinstein and Harris voted against the use of 702 to collect known domestic communications, they’re still okay using domestic Tor commuincations they say they don’t want to let NSA collect to prosecute Americans (which is actually not surprising given their past actions on sex workers).

Again, they’re counting on the fact that the bill report is written such that their constituents won’t know that this is going on. Unless they read me.

Look, I get the need to collect on Tor traffic to go after its worst uses. But if you’re going to do that, stop pretending this is a foreign surveillance bill, and instead either call it a secret court bill (one that effectively evades warrant requirements for all Tor wiretapping in this country), or admit you’re doing that collection and put review of it back into criminal courts where it belongs.

Today in the Ben Wittes (And Friends) Utter Lack of Self-Awareness File: Family and Friends Edition

/10 Comments/in , , /by

This morning, Ben Wittes called Ashley Feinberg’s discovery of the Twitter account that Jim Comey had himself disclosed the existence of publicly, “a creepy stalking effort.”

Shortly thereafter he went on to backtrack a bit, calling Feinberg’s work “very impressive,” but then pitching his privacy concern as pertaining to Comey’s adult-aged son.

Later in the day he defended against claims he was “being mean” to her by pointing to the time she used his name to get Comey to click on a test phish.

Then Matt Tait weighed in, reaffirming that tracking Comey down through his adult-aged son was very stalkery.

Ultimately, though, they (and Susan Hennessey) end up asking what the news value of Feinberg identifying Comey’s Twitter account was.

Let’s review, shall we? We’re talking about whether it is acceptable for a journalist to use public means (facilitated by a loophole in Instagram), hopping through a public figure’s 22-year old son, to find the public figure’s Twitter account, which he revealed in a televised appearance.

And not just any public figure. This is Jim Comey, the man who, in 2004, declined to reauthorize a bulk Internet metadata dragnet (Comey showed no such compunction about reauthorizing a phone metadata dragnet), only to run to the FISA Court and tell Colleen Collar-Kotelly that she had no discretion but to approve it.

And thus was born the legal codification of the definition of “relevant to” that holds that the metadata of all Americans can be considered “relevant to” FBI’s standing terrorism investigations, the definition that, two years later, would be used to justify collection aspiring to obtain the metadata of all phone calls placed in this country. Not just those who talk to terrorists, but those who talk to the people who talk to them and the people who talk to those who talk to those who talk to them. Including their children.

The Internet dragnet (and the upstream collection that replaced it) collects things like what people get tagged or favorited in Instagram and Twitter accounts — precisely the kind of metadata that led Feinberg to identify Comey’s account.

But that’s not all that’s “relevant to” whether there is any news value to using publicly available metadata to identify a Twitter account that Comey himself revealed.

In 2014, when Jim Comey headed the FBI, DOJ’s Inspector General argued for at least the second time (with the first including practices that occurred while Comey was DAG) that FBI should not be obtaining all records associated with the Friends and Family account of a target.

[T]he significance of the FBI’s request for “associated” records is that the FBI has sought and in some cases received not only the toll billing records and subscriber information of the specific telephone number identified in the NSL, but also the toll billing numbers that belong to the same account — such as numbers in a group or family plan account — without a separate determination and certification by the FBI that the additional records are relevant to an authorized international terrorism investigation. Yet before the FBI may specifically request in an NSL the records of a subject’s family member or partner, Section 2709 would require an authorized official to certify that such records are relevant to a national security investigation. (158)

That is, DOJ’s IG had to tell the FBI for the second time, when Comey was running it, that they shouldn’t be collecting the phone records of a target’s mom or (dependent aged) child or girlfriend because they were associated with accounts relevant to an investigation.

The FBI accepted DOJ IG’s recommendation to ensure that records “associated to” those “relevant to” investigations not be collected, but had only implemented it thus far on the non-automated side of NSL submissions by the time of the report.

Now that we’ve reviewed Jim Comey’s great tolerance for using three hop metadata records as an investigative technique (if not the more targeted collection of records “associated to” those “relevant to” investigations) as well as the mind-numbing definition of what constitutes “relevant to,” let’s return to the context of his discussions about social media. While the Twitter revelation served as evidence for a story that he’s non-partisan, the Instagram one he likes to tell serves to support his claim to care about privacy. Here’s the quote Feinberg included in her piece, but Comey has made this speechlet numerous times over the years.

I care deeply about privacy, treasure it. I have an Instagram account with nine followers. Nobody is getting in. They’re all immediate relatives and one daughter’s serious boyfriend. I let them in because they’re serious enough. I don’t want anybody looking at my photos. I treasure my privacy and security on the internet.

Nobody is getting into his Instagram account (with its loophole permitting people like Feinberg or FBI agents to get to his metadata), Comey said. With respect to content, that seems to be true.

Presumably, he also believed nobody was getting into his Twitter account that at that point just one person — the weak link, Ben Wittes — had followed.

He was wrong.

Jim Comey’s understanding of his own well guarded privacy was overblown, in part because of the inherent insecurity of the platforms he uses and in part because of the OpSec practices of his friend and his son’s friend. I don’t think Comey much cares — in his business, the likelihood that a dumb associate might thwart otherwise admirable operational security (especially on the part of a 22-year old) of a target is a blessing, not a curse.

But it is an awesome illustration of the power and danger of this metadata soup that, under Comey, the government got far more access to.

Now, in threads where I’ve made this argument, people have rightly pointed out that the power of the FBI (which gets far more metadata) and a reporter is somewhat different, as might be the necessity for avoiding any chains involving children. Though the frequency with which Trump and his associates’ own (admittedly older) spawn get included in stories of his corruption demonstrates how important such connections are, even for journalists.

But the contention that FBI’s contact chaining and a journalist’s contact chaining are that different is belied by Comey’s own reaction, his first tweet ever.

Not only did he say he wasn’t mad and compliment her work, but he posted the link to FBI jobs.

I’d say Jim Comey sees a similarity in what Feinberg did.

I’m all in favor of protecting the accounts of children from such contact chaining — and am really not a big fan of contact chaining, generally. But those who, like Comey and Wittes and Hennessey and Tait, have championed a system that endorses at least two hop chaining irrespective of who gets hopped, not to mention those who’ve tolerated the collection on family members in even more targeted surveillance, I’m not all that interested in complaints about the privacy of a 22-year old son.

Or rather, I point to it as yet another example of surveillance boosters not understanding what the policies they embrace actually look like in practice.

Which is precisely why this “doxing” was so newsworthy.

Update: For the benefit of Al, I’m including this link to Comey introducing his children (Brian was 19 at the time, his youngest was 13) at his FBI Director confirmation hearing in 2013; a screencap is above. It sounds like he did the same at his DAG hearing 10 years earlier.

So if you’ve got a concern about their safety you might want to talk to the Senate about the practice of featuring families during confirmation hearings.

Update: Here we are Monday and Gates and Manafort still haven’t found anything liquid to put up as bail. Not only that, but in a filing raising a potential conflict with one of Gates’ money laundering expert lawyers, prosecutors reveal Gates is trying to have his partner from a movie-related firm’s brother serve as surety while also doing so for the partner.

Marc Brown, the brother of defendant Steven Brown, was proposed by Gates as a potential surety despite the facts that they seemingly do not have a significant relationship, they have not had regular contact over the past ten years, and Marc Brown currently serves as a surety for his brother Steven in his ongoing criminal prosecution in New York. In an interview with the Special Counsel’s Office on November 16, Marc Brown listed as a reason for seeking to support Gates that they belonged to the same fraternity (although they did not attend the same college) and that, as such, he felt duty bound to help Gates. Of note, Marc Brown’s financial assets were significantly lower, almost by half, than previously represented by Gates.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

HJC’s Manager’s Amendment Blows Open 702 Metadata Queries

/6 Comments/in /by

I realized something as I was doing a last minute review comparing the Manager’s Amendment of 702 reauthorization that will be marked up in the House Judiciary Committee with a recent version. Here’s the language the two bills propose for querying of metadata:

Recent Version:

RELEVANCE AND SUPERVISORY APPROVAL TO ACCESS NON-CONTENTS INFORMATION.—Except as provided by subparagraph (D), the information of communications acquired under subsection (a) relating to the dialing, routing, addressing, signaling, or other similar non-contents information may be accessed or disseminated only upon a determination by the Attorney General that

(i) such communications are relevant to an authorized investigation or assessment, provided that such investigation or assessment is not conducted solely on the basis of activities protected by the first amendment to the Constitution of the United States; and

(ii) any use of such communications pursuant to section 706 will be carried out in accordance with such section.

Manager’s Amendment

(C) RELEVANCE AND SUPERVISORY APPROVAL TO ACCESS NON-CONTENTS INFORMATION.—Except as provided by subparagraph (D), the information of communications acquired under subsection (a) relating to the dialing, routing, addressing, signaling, or other similar non-contents information may be accessed or disseminated only—

(i) with supervisory approval;

(ii) [] if such information is not sought solely on the basis of activities protected by the first amendment to the Constitution of the United States;

(iii) if an order based on probable cause would not be required by law to obtain such information if requested as part of an investigation of a Federal crime; and

(iv) if any use of such communications pursuant to section 706 will be carried out in accordance with such section.

Inventing metadata-plus

I haven’t commented on this at length, but one thing the HJC bill does that the other drafts don’t is to invent a new, undefined category of “metadata plus.” They do so to get around the issue I laid out here: NSA has always treated as metadata stuff that from a packet architecture perspective is actually content. They did so by breaking the law from 2001 to 2004 and again from 2004 to 2009 and almost certainly still from 2010 to 2011. After 2011, they simply shut down the Internet metadata program and swapped it to access of metadata acquired under the name of content from upstream collection.

If HJC were a real legislative body, they’d take this opportunity, having clearly identified the need, to redefine metadata in a way that makes sense in the Internet era.

But they chose not to do that. Instead, they’ve just slapped a “or other similar non-contents information” onto the traditional definition of metadata, without defining it!!, so as to cover the continued access to such non-content information without debating the limits of the new definition.

Swapping AG approval for supervisor approval

That redefinition of metadata happens in both bills. But something new happens in the manager’s amendment. It swaps delegable Attorney General approval for “supervisory” approval. That’s still more than currently happens at FBI but possibly less than what currently happens at NSA. But it will ensure that such queries are common and easy.

Eliminating the tie to any investigation

Then the manager’s amendment eliminates the requirement that such queries are “relevant to” (whatever that means anymore) an authorized investigation. This will open up the data for assessments, meaning the FBI can use the data for far more than just investigating crimes. Again, that matches the status quo for FBI currently (which is effectively mostly what the HJC bill does, all while screaming LIBERTY cynically). But it does mean the FBI can continue to research whether you’ve been talking to foreigners without having any evidence of wrong-doing first.

Permitting the use of location and other enhanced metadata

Here’s the big tell, the addition of this language to the metadata querying language. The government can only do back door metadata searches on US persons  “if an order based on probable cause would not be required by law to obtain such information if requested as part of an investigation of a Federal crime.”

My discussion of metadata-plus, above, is mostly important today for NSA, because it involves NSA’s use of “metadata” obtained from upstream queries. That stuff doesn’t get passed on to FBI and CIA (which like FBI refuses to count its metadata queries) yet, but I guarantee you it soon will.

But remember, FBI (and CIA) are getting raw PRISM information.

And PRISM data includes a lot of “non-content” information that is not DRAS that would be of interest to the FBI, starting with location data (among other things, FBI likes to obtain the location data from your phone that you share with apps like Facebook). This probably also allows FBI to skirt jurisdictions were obtaining content without a warrant would be illegal, given that it came from national collection. In any case, however, most jurisdictions will still give some content with a PRTT, so without probable cause.

Like all the other tweaks, this probably also reflects the status quo — meaning that the FBI is accessing as metadata stuff that is far more intrusive. But by laying out the prohibition in this way, it makes it clear that FBI (and CIA) will be (continuing to) access fairly intrusive metadata-plus collected by cloud providers that wouldn’t have been identified without the use of warrantless surveillance.

Watering the meaningless warrant requirement down still further

I have argued that the warrant requirement in the HJC bill is currently meaningless, because it permits queries for foreign intelligence information and permits the FBI to define foreign intelligence with the next certification (another area where HJC has abdicated its legislative role to the Intelligence Community).

By codifying that FBI can do metadata queries without an open investigation, the government is ensuring that it can continue to access this information at the assessment level, even if they’re not doing so under the guise of national security.

But two other changes in the manager’s amendment water down the meaningless warrant requirement even more.

First, the manager’s amendment eliminates this prohibition on using metadata to prove probable cause.

noncontents information accessed or disseminated pursuant to subparagraph (C) is not the sole basis for such probable cause;

That means the government can access metadata without an open investigation, and then use that metadata as the sole basis to access the content.

But under the manager’s amendment, the FBI can bypass the court altogether if the Attorney General (currently racist Jeff Sessions) reasonably determines the US person is communicating with someone engaged in, or materially supporting, terrorism.

Subject to section 706(a)(2), 25 based on a review described in item (II), the Attorney General reasonably determines that the person identified by the queried term is, or is communicating with—

(aa) a person reasonably believed to be engaged in international terrorism (as defined in section 101(c)) or activities in preparation therefore; or

(bb) a person reasonably believed to be acting for, or in furtherance of, the goals or objectives of an international terrorist or international terrorist organization.

And that review relies on the same metadata-plus.

A review described in this item is a review of information of communications acquired under subsection (a) relating to the dialing, routing, addressing, signaling, or other similar non-contents information,

Again, all of this basically amounts to retaining the status quo (though at a time when Russia may pose a greater threat to the US than the shriveling ISIS, and when gun violence by regular old American whackos is proving far more lethal than that of ISIS, it’s not clear that prioritizing terrorism anymore makes sense).

But it is a testament both to how much the HJC bill is really just window dressing, Potemkin reform cynically called “Liberty,” and hints at how they’re really using metadata-plus.

Ron Wyden Is Worried the Government Will Use FISA Process to Force Companies to Make Technical Changes

/4 Comments/in , /by

Ron Wyden and Rand Paul just introduced their bill to fix Section 702. It’s a good bill that not only improves Section 702 (by prohibiting back door searches, prohibiting the 2014 exception, and limiting use of 702 data), but also improves FISC and PCLOB.

The most alarming part of the bill, though, is Section 14. It prohibits the Attorney General and Director of National Intelligence from asking for technical assistance under Section 702 that is not narrowly targeted or explicitly laid out and approved by the court.

(B) LIMITATIONS.—The Attorney General or the Director of National Intelligence may not request assistance from an electronic communication service provider under subparagraph (A) without demonstrating, to the satisfaction of the Court, that the assistance sought—

(i) is necessary;

(ii) is narrowly tailored to the surveillance at issue; and

(iii) would not pose an undue burden on the electronic communication service provider or its customers who are not an intended target of the surveillance.

(C) COMPLIANCE.—An electronic communication service provider is not obligated to comply with a directive to provide assistance under this paragraph unless

(i) such assistance is a manner or method that has been explicitly approved by the Court; and

(ii) the Court issues an order, which has been delivered to the provider, explicitly describing the assistance to be furnished by the provider that has been approved by the Court.

This suggests that Wyden is concerned the government might use — or has used — FISA to make sweeping onerous technical demands of companies without explicitly explaining what those demands are to the Court.

The most obvious such application would involve asking Apple to back door its iPhone encryption.

As a reminder, national security requests to Apple doubled in the second half of last year.

The number of national security orders issued to Apple by US law enforcement doubled to about 6,000 in the second half of 2016, compared with the first half of the year, Apple disclosed in its biannual transparency report. Those requests included orders received under the Foreign Intelligence Surveillance Act, as well as national security letters, the latter of which are issued by the FBI and don’t require a judge’s sign-off.

We would expect such a jump if the government were making a slew of new requests of Apple related to breaking encryption on their phones.

The Senate Intelligence Committee 702 Bill Is a Domestic Spying Bill

/16 Comments/in , /by

Richard Burr has released his draft Section 702 bill.

Contrary to what you’re reading about it not “reforming” 702, the SSCI bill makes dramatic changes to 702. Effectively, it makes 702 a domestic spying program.

The SSCI expands the kinds of criminal prosecutions with which it can use Section 702 data

It does so in Section 5, in what is cynically called “End Use Restriction,” but which is in reality a vast expansion of the uses to which Section 702 data may be used (affirmatively codifying, effectively, a move the IC made in 2015). It permits the use of 702 data in any criminal proceeding that “Affects, involves, or is related to” the national security of the United States (which will include proceedings used to flip informants on top of whatever terrorism, proliferation, or espionage and hacking crimes that would more directly fall under national security) or involves,

  • Death
  • Kidnapping
  • Serious bodily injury
  • Specified offense against a minor
  • Incapacitation or destruction of critical infrastructure (critical infrastructure can include even campgrounds!)
  • Cybersecurity, including violations of CFAA
  • Transnational crime, including transnational narcotics trafficking
  • Human trafficking (which, especially dissociated from transnational crime, is often used as a ploy to prosecute prostitution; the government also includes assisting undocumented migration to be human trafficking)

This effectively gives affirmative approval to the list of crimes for which the IC can use 702 information laid out by Bob Litt in 2015 (in the wake of the 2014 approval).

Importantly, the bill does not permit judicial review on whether the determination that something “affects, involves, or is related to” national security. Meaning Attorney General Jeff Sessions could decide tomorrow that it can collect the Tor traffic of BLM or BDS activists, and no judge can rule that’s an inappropriate use of a foreign intelligence program.

“So what?” you might ask, this is a foreign surveillance program. So what if they find evidence of child porn in the course of spying on designated foreign targets, and in the process turn it over to the FBI?

The reason this is a domestic spying program is because of two obscure parts of 702 precedent.

The 2014 exception permits NSA to collect Tor traffic — including the traffic of 430,000 Americans

First, there’s the 2014 exception.

In 2014, the FISC approved an exception to the rule that the NSA must detask from a facility when it discovers that a US person was using it. I laid out the case that the facilities in question were VPNs (collected in the same way PRISM would be) and Tor (probably collected via upstream collection). I suggested then that it was informed speculation, but it was more than that: the 2014 exception is about Tor (though I haven’t been able to confirm the technical details of it).

NSA is collecting Tor traffic, including the traffic of the 430,000 Americans each day who use Tor.

One way to understand how NSA gets away with this is to consider how the use of upstream surveillance with cybersecurity works. As was reported in 2015, NSA can use upstream for cybersecurity purposes, but only if that use is tied to known indicators of compromise of a foreign government hacking group.

On December 29 of last year, the Intelligence Community released a Joint Analysis Report on the hack of the DNC that was considered — for cybersecurity purposes — an utter shitshow. Most confusing at the time was why the IC labeled 367 Tor exit nodes as Russian state hacker indicators of compromise.

But once you realize the NSA can collect on indicators of compromise that it has associated with a nation-state hacking group, and once you realize NSA can collect on Tor traffic under that 2014 exception, then it all begins to make sense. By declaring those nodes indicators of compromise of Russian state hackers, NSA got the ability to collect off of them.

NSA’s minimization procedures permit it to retain domestic communications that are evidence of a crime

The FISC approved the 2014 exception based on the understanding that NSA would purge any domestic communications collected via the exception in post-tasking process. But NSA’s minimization procedures permit the retention of domestic communications if the communication was properly targeted (under targeting procedures that include the 2014 exception) and the communication 1) includes significant foreign intelligence information, 2) the communication includes technical database information (which includes the use of encryption), 3) contains information pertaining to an imminent threat of serious harm to life or property OR,

Such domestic communication does not contain foreign intelligence information but is reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed. Such domestic communication may be disseminated  (including United States person identities) to appropriate law enforcement authorities, in accordance with 50 U.S.C. § 1806(b) and 1825(c), Executive Order No 12333, and, where applicable, the crimes reporting procedures set out in the August 1995 “Memorandum of Understanding: Reporting of Information Concerning Federal Crimes,” or any successor document.

So they get the data via the 2014 exception permitting NSA to collect from Tor (and VPNs). And they keep it and hand it off to FBI via the exception on NSA’s destruction requirements.

In other words, what Richard Burr’s bill does is affirmatively approve the use of Section 702 to collect Tor traffic and use it to prosecute a range of crimes, some of them potentially quite minor.

 

After the Ad Hominem Approach to Surveillance Reauthorization Fails, Spooks Now Revert to Secrecy

/5 Comments/in /by

As I have noted, thus far the surveillance boosters’ favored approach to Section 702 reauthorization has been to engage in ad hominem attacks against people engaging in good faith in the legislative process (even while they, themselves, make what would most charitably be called significant errors). Even when people make a concerted effort to avoid such sloppy attacks — as FBI Director Christopher Wray did at a recent appearance — they still accuse others of believing in myths while ignoring their own myth-making.

But now Richard Burr and the spooks he caters to are adopting another approach: legislating in secret.

The SSCI is reportedly moving to mark up their own version of Section 702 reauthorization this week — a bill crafted by Senators Burr, Warner, Feinstein, and Cornyn. The make-up of the team is key: because Cornyn and Feinstein are also on Senate Judiciary, they can sink any alternate bill that moves through that committee (something Feinstein has been doing since at least 2009).

As Wyden says in a letter objecting to the secret mark-up,

Section 702 has been the subject of extensive public testimony, while relevant FISA Court orders, minimization procedures and other documents have been declassified and released to the public. In this context, the public is right to expect that Congress debate the reauthorization of this authority in the open. Indeed, a transparent legislative process is a fundamental hallmark of our democracy.

A bunch of NGOs have also called on Burr to make this mark-up public.

There are several likely reasons why Burr and the spooks want to craft their legislation in secret.

Perhaps most importantly, by holding a closed session, you delay by about a month and a half what happened in the session, what the cleared Senators debated, and the tactical means the Chair (in this case Burr) used to shut down reform suggestions. That’s what happened in 2012, when Feinstein delayed the release of the bill report for about that long, hiding details about Ron Wyden’s attempt to get a count of US persons affected by 702 (see these three posts — one, two, three — for details, though Wyden did manage to call Feinstein out for lying about FISC always finding the collection to be constitutional).

Indeed, I’d bet a lot of money that one reason Burr wants to have a secret mark-up is to the very same thing Feinstein did four years ago: hide the government’s lies about their alleged inability to do a count of how many Americans get sucked up as part of 702, and how.

But the other reason Burr and the spooks likely want to have a mark-up in secret is precisely because of the transparency won since 2013, they don’t have winning arguments anymore. While courts, because of the secrecy reviewing cases without any adversarial process and often not getting a full picture of how 702 works, have found 702 itself constitutional (though the Ninth Circuit largely dodged the question of back door searches), as more and more people understand how it works (and as white men watching the Mike Flynn case come to understand how fragile life can get for those picked up incidentally), the program seems problematic.

And even those who believe 702 in its current form serves an irreplaceable role in our surveillance system can see the need for no-nonsense reforms, such as requiring an amicus help review yearly reauthorization.

In other words, by hiding this mark-up, Burr is conceding that he can’t win this legislative battle democratically. He, and the spooks, have to cheat. And they’re willing to do so, to codify parts of this program that likely wouldn’t pass court review if done in a real adversarial process.

We are at a critical tipping point with surveillance in this country, as the government chips away at the technologies that allow individuals to retain some kind of privacy. And to ensure we slide over that tipping point and down the dangerous slope on the other side, a bunch of spooks and their servants are cowering from democracy.

Dot Connecting about Failure to Connect the Dots: Trump Tower Edition

/16 Comments/in , /by

I’d like to throw two dots out there. Well, maybe four.

First, this curious language in the House Judiciary Committee 702 bill, mandating that any FBI back door search of 702 data ensure it includes all data in its holdings.

(F) SIMULTANEOUS QUERY OF FBI DATABASES.—Except as otherwise provided by law or applicable minimization procedures, the Director of the Federal Bureau of Investigation shall ensure that all available investigative or intelligence databases of the Federal Bureau of Investigation are simultaneously queried when the Bureau properly uses an information system of the Bureau to determine whether information exists in such a database.

Here’s what it had been.

(E) SIMULTANEOUS ACCESS OF FBI DATABASES.—The Director of the Federal Bureau of Investigation shall ensure that all available investigative or intelligence databases of the Federal Bureau of Investigation are simultaneously accessed when the Bureau properly uses an information system of the Bureau to determine whether information exists in such a database. Regardless of any positive result that may be returned pursuant to such access, the requirements of this subsection shall apply.

In his commentary on the new language, Charlie Savage suggested the first change pertained to rules in the EO 12333 sharing language prohibiting the search for criminal purposes. I’m as interested by the second change: the language that originally said even if you got a positive hit from one source, you still had to make sure you pulled up the same positive hit via all databases. Requiring that FBI pull up all incidences of a piece of intelligence anytime they do a search would have several functions: ensure they found data that would be easier to parallel construct, because it was collected under Title III or didn’t have notice provisions, make sure an Agent understand the context from which the intelligence was collected, and ensure any associated analysis got seen along with the intelligence.

In my opinion this suggests there is at least once incidence when the FBI did a search and missed something.

My original thought was that the use of ad hoc databases removed certain information from the general search pool such that an important dot was missed. Ad hoc databases were formalized in 2013 to permit FBI to store raw 702 data in separate repositories; one reason among other redacted reasons to do so was to more easily manipulate the data, but the repositories might be as small as a single laptop.

The formalization of a requirement that all queries include all databases in the HJC would seem to require that ad hoc databases (at least those with unique data streams) be included in those searches. And that, it seems, would be formalized because some queries missed data.

But it also might be that an FBI Agent did a search and missed critical context that would have been obvious if he had gotten that hit in a different database.

Someone missed a dot.

Someone missed a dot sufficiently important to codify rules to avoid missing dots into law.

That dot could be on any subject pertaining to 702: terrorism, counterproliferation, hacking, or counterintelligence. That said, we certainly don’t have any counterterrorism dots — in the form of a foreign sponsored attack — that appear to be missed.

Now let’s look at another dot. Among the many Russia-related items the SSCI-passed intelligence authorization mandates for next year is an intelligence posture review — separate from the SSCI investigation going on right now — to examine (in part) whether the IC was collecting the right intelligence to identify and respond to the Russian tampering.

(b) Elements.—The review required by subsection (a) shall include, with respect to the posture and efforts described in paragraph (1) of such subsection, the following:

(1) An assessment of whether the resources of the intelligence community were properly aligned to detect and respond to the efforts described in subsection (a)(1).

(2) An assessment of the information sharing that occurred within elements of the intelligence community.

(3) An assessment of the information sharing that occurred between elements of the intelligence community.

Admittedly, this is what the IC does in the wake of every intelligence failure: figure out why they failed. But I’m interested in the focus on whether information was shared within and between intelligence agencies sufficiently.

That’s because the public reports of the Task Force investigating the operation in real time describe it as very compartmented — the kind of compartment that might require the use of an ad hoc database.

Brennan convened a secret task force at CIA headquarters composed of several dozen analysts and officers from the CIA, the NSA and the FBI.

The unit functioned as a sealed compartment, its work hidden from the rest of the intelligence community. Those brought in signed new non-disclosure agreements to be granted access to intelligence from all three participating agencies.

They worked exclusively for two groups of “customers,” officials said. The first was Obama and fewer than 14 senior officials in government. The second was a team of operations specialists at the CIA, NSA and FBI who took direction from the task force on where to aim their subsequent efforts to collect more intelligence on Russia.

Dot three.

None of this is definitive in any way.

But I raise it all because there is a dot that — dot four is stunning in retrospect — was missed: the June 9, 2016 meeting at Trump Tower. Rayne even noted it at the time it was reported. While I’m less sure than she is that Rinat Akhmetshin — a naturalized American — would be targeted under FISA, it seems likely that Natalia Veselnitskaya would be, or those in the background of those meetings.

A former Trump lawyer working for Aras Agalarov, Scott Balber, went to Moscow to obtain this partial email thread. It’s not a PRISM provider, but Veselnitskaya is a likely target whose emails could be obtained via upstream surveillance. And she was still in Russia — discussing the meeting with another likely target, Agalarov — days before the June 9 meeting.

Veselnitskaya has said she was interested in the Magnitsky Act issue on behalf of a private client. She was working closely in the United States with Akhmetshin, a Russian American lobbyist who has been accused of having ties to Russian intelligence. He has denied ties to the Russian government.

Veselnitskaya told Balber that she met with a series of well-connected Russians in early June 2016 to discuss her upcoming trip to the United States. One person with whom she met was Agalarov, for whom she had previously done legal work.

Veselnitskaya told Balber she did not seek a meeting with the Trump campaign but was “surprised and pleased” when Agalarov explained his business connection to the presidential candidate and offered to make a connection. Veselnitskaya told Agalarov that she had in October 2015 provided information intended to undermine the U.S. law to Yuri Chaika, the Russian prosecutor general, Balber said. Balber said he believes it is possible Veselnitskaya’s statement resulted in a misunderstanding about the prosecutor’s role.

Side note: this entire press blitz based on former Trump lawyer Balber’s months old meeting with Veselnitskaya reeks of an attempt to compare notes in advance of someone’s testimony. CNN reported today that several of the Russians involved in the meeting had been interviewed by SSCI, and Richard Burr all but confirmed Veselnitskaya had been included among those at a press conference earlier this month.

Mind you, it’s not clear either of these likely targets would be in FBI’s databases in real time, in part because they’re less likely 702 targets. But they’d likely be in NSA databases. Which means as things heated up, particularly around meeting attendee Paul Manafort — who, as an individualized FISA target, could automatically be backdoor searched at NSA, against far more extensive NSA collection — this might have come up (though it’s not clear Manafort got mentioned until and except for the Rob Goldstone-Don Jr email thread).

All of which is to say when this meeting came out in July, Robert Mueller reportedly had just learned of it. That’s true, in spite of the fact that one reported FISA target (Manafort) and at least one likely NSA target (Veselnitskaya) attended the meeting.

As we learn more and more about that meeting, it seems more remarkable that it got missed for over a year after it happened (and only disclosed in response to subpoenas, not back door searches).

If we’re going to codify back door searches, even of Americans, can we first learn how it was this meeting never came up in a back door search?

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Technical Fixes in HJC Bill Suggest SCOTUS May Have Reviewed a (2015 ?) FISA Application

/3 Comments/in /by

HJC has released a new version of the bill they’re cynically calling USA Liberty. The most significant change in the bill is that it makes the warrant requirement for criminal backdoor queries that will never be used an actual probable cause warrant, with the judge having discretion to reject the warrant.

But that’ll never be used. If a warrant requirement falls in the woods but no one ever uses it does it make a sound?

I’m more interested in a series of changes that were introduced as technical amendments that make seemingly notable changes to the way the FISC and FISCR work.

The changes are:

In 50 USC 1803 and 50 USC 1822 eliminating the requirement that the FISA Court of Review immediately explain its reason for denying an application before sending it to the Supreme Court.

The Chief Justice shall publicly designate three judges, one of whom shall be publicly designated as the presiding judge, from the United States district courts or courts of appeals who together shall comprise a court of review which shall have jurisdiction to review the denial of any application made under this chapter. If such court determines that the application was properly denied, the court shall immediately provide for the record a written statement of each reason for its decision and, on petition of the United States for a writ of certiorari, the record shall be transmitted under seal to the Supreme Court, which shall have jurisdiction to review such decision.

Letting the FISA Court of Review, in addition to the FISC, ensure compliance with orders.

Nothing in this chapter shall be construed to reduce or contravene the inherent authority of the court established under subsection (a) [a court established under this section] to determine or enforce compliance with an order or a rule of such court or with a procedure approved by such court.

In 50 USC 1805 (traditional FISA), 50 USC 1842(d) and 50 USC 1843(e) (pen registers), and 50 USC 1861(c) (215 orders) stating that a denial of a FISC order under 50 USC 1804 may be reviewed under 50 USC 1803 (that is, by FISCR).

Now, I suppose these (especially the language permitting FISCR reviews) count as technical fixes, ensuring that the review process, which we know has been used on at least three occasions, actually works.

But the only reason anyone would notice these technical fixes — especially how something moves from FISCR to SCOTUS — is if some request had been denied (or modified, given the language permitting the FISCR to ensure compliance with an order) at both the FISA court and the FISA Court of Review, or if FISCR tried (and got challenged) to enforce minimization procedures imposed at that level.

There’s one other reason to think there must have been a significant denial: The report, in the 2015 FISC report, that an amicus curiae had been appointed four times.

During the reporting period, on four occasions individuals were appointed to serve as amicus curiae under 50 U.S.C. § 1803(i). The names of the three individuals appointed to serve as amicus curiae are as follows:  Preston Burton, Kenneth T. Cuccinelli II  (with Freedom Works), and Amy Jeffress. All four appointments in 2015 were made pursuant to § 1803(i)(2)(B). Five findings were made that an amicus curiae appointment was not appropriate under 50 U.S.C. § 1803(i)(2)(A) (however, in three of those five instances, the court appointed an amicus curiae under 50 U.S.C. § 1803(i)(2)(B) in the same matter).

We know of three of those in 2015: Ken Cuccinelli serving as amicus for FreedomWorks’ challenge to the restarted dragnet in June 2015, Preston Burton serving as amicus for the determination of what to do with existing Section 215 data, and Amy Jeffress for the review of the Section 702 certifications in 2015. (We also know of the consultation with Mark Zwillinger in 2016 and Rosemary Collyer’s refusal to abide by USA Freedom Act’s intent on amici on this year’s reauthorization.) I’m not aware of another, fourth consultation that has been made public, but according to this there was one more. I say Jeffress was almost certainly the amicus used in that case because she was one of the people chosen to be a formal amicus in November 2015, meaning she would have been called on twice. If it was Jeffress, then it likely happened in the last months of the year.

Obviously, we have no idea what this hidden consultation is. The scan of all of Yahoo’s email accounts was in 2015, but it has always been reported as “spring” and weeks before Alex Stamos left Yahoo, so that seems sure to have happened before June 8 and therefore without a post-USA Freedom Act amicus. Moreover, it seems very likely that this fourth amicus consultation involved a denial, because the government is supposed to release any significant decision. So I’m guessing that Jeffress proved persuasive in one case we don’t get to know about.

Update: In this bill I briefly called the bill USS Liberty but thought better of doing so.