[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

NSA’s Unsatisfying Response to Rosemary Collyer’s “Lack of Candor” Accusations

/2 Comments/in /by

In yesterday’s 702 hearing, Chuck Grassley asked NSA and FBI to explain why Rosemary Collyer (who I believe is the worst presiding FISA judge of the modern tennis era) accused them of a lack of candor.

FBI’s Carl Ghattas dodged one such accusation, but basically admitted what I laid out here with regards to the other — that FBI really wasn’t set up to fulfill Thomas Hogans 2015 order to report on any queries that return criminal information. Ghattas promised FBI would fix that; I’m skeptical the current structure of FBI audits will facilitate that happening but I’m happy to be proven wrong.

I want to look more closely at how Paul Morris, NSA’s Deputy General Counsel for Operations, explained the 10-month delay in informing the FISC about the NSA’s prohibited searches of upstream content.

We had initially identified that we had made some errors of US person queries against our upstream collection. So since 2011, our minimization procedures had prohibited outright any US person queries running against upstream 702 collection, largely because of abouts communications. We had reported the initial query errors — I believe it was in 2015 when we made the initial report, but our Office of Inspector General as well as our compliance group had separate reviews ongoing to try to determine the scope and scale of the problem. So during the course of filing the renewal for the 702 certifications that were pending, the court held a hearing in early October 2016 when it asked about various compliance matters to include the improper queries and we reported on the status of those investigations as we knew them to be at that time. On about two, I think, two or three weeks later, the Office of Inspector General completed its follow-up review of the US person query and discovered that the scope of the problem was larger than we’d originally reported. Soon as we identified that the problem was larger than we thought it was, we notified the Justice Department and the ODNI, in turn the court was notified and the court held a hearing on October 26 to go into further detail about the problem and it ultimately led to a couple of extensions of the certifications and ultimately our decision to terminate abouts collection in order to remedy the compliance problem. So my sense is that the institutional lack of candor that the court was referring to was really frustration that when we had the hearing on October 6 [sic] we did not know the full scope and scale of the problem until later which was reported roughly, again, October 24, which led to a hearing on October 26, which was the day before the court was supposed to rule on extending the certification.

As a reminder, this problem actually extends back to at least 2013. As I’ll eventually show, NSA obtained back door search authority in 2011 after a series of unauthorized back door searches, meaning they were just approving something that was already being done, just as this year’s opinion just approved searches that were going on in uncontrolled fashion.

Furthermore, while NSA surely informed the FISC of some of these problems along the way (otherwise I wouldn’t have known about them when I called them out last August), it did not deal with the ongoing problems in its application, which would have flagged an ongoing compliance problem of the magnitude shown even by the 2016 IG Report.

Morris’ claim that NSA’s IG reached some kind of conclusory decision between the first hearing on October 4 and the notice of the further problems on October 24 is dubious, given that the NSA said that follow-up study was still ongoing in a January 3 filing.

In anticipation of the January 31 deadline, the government updated the Court on these querying issues in the January 3, 2017 Notice. That Notice indicated that the IG’s follow-on study (covering the first quarter of 2016) was still ongoing.

As Collyer noted, at that point the NSA was still identifying all the systems implicated, notably finding queries that elude NSA’s query audit system.

It also appeared that NSA had not yet fully assessed the scope of the problem: the IG and OCO reviews “did not include systems through which queries are conducted of upstream data but that do not interface with NSA’s query audit system.” Id. at 3 n.6. Although NSD and ODNI undertook to work with NSA to identify other tools and systems in which NSA analysts were able to query upstream data, id., and the government proposed training and technical measures, it was clear to the Court that the issue was not yet fully scoped out.

Also at this point, NSA was “disclosing” the root cause of the problem as the same one identified back in 2013 and 2014, when NSA dismissed the possibility of a technical fix to the opt-out problem.

The January 3, 2017 Notice stated that “human error was the primary factor” in these incidents, but also suggested that system design issues contributed. For example, some systems that are used to query multiple datasets simultaneously required analysts to “opt-out” of querying Section 702 upstream Internet data rather than requiring an affirmative “opt-in,” which, in the Court’s view, would have been more conducive to compliance. See January 3, 2017 Notice at 5-6.

Ultimately, this chronology — and Morris’ unsatisfactory explanation for it — ought to raise real questions about what the bar is for the NSA declaring systems to be totally out of control, requiring immediate corrective action. I believe the NSA had reached that point on upstream searches at least by 2015. But it kept doing prohibited back door searches (which Collyer, because she’s the worst presiding FISC judge in recent memory, retroactively blessed) on abouts collection for another two years before the front end of about collection was shut down.

So perhaps the problem isn’t a lack of candor? Perhaps the problem is NSA can continue spying on entirely domestic communications for two years after identifying the problem before any fix is put in place?

Share this entry

The FBI’s Standards for Ingesting Raw 702 Data

/2 Comments/in /by

In most Section 702 hearings, there is no FBI witness, which means NSA witnesses can make claims about back door searches that are completely irrelevant to the biggest concern — FBI’s far more frequent back door searches.

Today was different. Carl Ghattas, FBI’s Executive Assistant Director for National Security, testified. And aside from totally dodging a Chuck Grassley question about why, according to Rosemary Collyer, FBI waited 11 months before informing the FISA Court about one violation, he was a very informative witness.

Take, for example, a detail he provided in his written testimony (after 34:50) about what FBI obtains in raw form (this may be public in the DIOG that the Intercept leaked, but I’m not otherwise aware of this detail). The FBI can only get raw data for selectors “relevant to” full investigations, not preliminary investigations or assessments.

It’s important to remember FBI receives a small fraction of the total collection that NSA receives under this program. In fact, the FBI only receives a small percentage of NSA’s downstream collection and none of NSA’s upstream collection. The reason for this is that the FBI can only request and receive Section 702 collection if the selector — that is, an email address or social media handle, for example — is relevant to a pending full investigation. The FBI cannot receive Section 702 collection during either a preliminary inquiry or an assessment. As a result, although the FBI conducts significantly more US person queries than NSA, those queries are running against a small fraction of the total 702 collection that is acquired by the US government. In other words, when the FBI runs a US person identifier through our database, that query is run against only FBI’s 702 collection that’s obtained during FBI full investigations and not the total collection maintained by NSA.

This does limit things, though as the FBI likes to say, it has thousands of investigations going at any time, the most emphasized of which (terrorism and counterintelligence) would likely implicate 702 data. Moreover, it raises questions about the foreign intelligence designations made, especially (prior to this year) regarding the data FBI shared in raw form with NCTC. And of course, we all know that the word “relevant to” has ceased to have real limiting meaning.

Also, the FBI may only obtain this information at the Full Investigation level, but it can query it at the assessment level. And today’s hearing, like all others, failed to discuss that the FBI uses those queries, in part, to find informants, some of whom may be guilty of nothing beyond doing something that FBI can use to coerce their cooperation.

So a full investigation (which may include an enterprise investigation targeted generally at, for example, ISIS or Russian spies) sucks in all relevant tasked selectors (Ghattas did not describe how the FBI nominates selectors), which can then be queried at the assessment level for the US person being queried.

Share this entry

The Willful FBI 702 Violation No One Admitted

/2 Comments/in /by

In today’s 702 hearing, both Senators and (most) witnesses repeated over and over that while there had been compliance problems, there had been no willful violations.

I think that as of Rosemary Collyer’s recent opinion, that can no longer be said to be true. Among the violations she laid out, she described an “improper disclosure of raw information” to a contractor in a way that violated minimization procedures (starting on page 83).

Apparently, the FBI (possibly in a fusion center or JTTF situation) had provided access to raw data to an entity “largely staffed by private contractors” to obtain analytical assistance. The contractors’ access to raw data “went well beyond what was necessary to respond to the FBI’s requests.” Collyer considered their access under the provision of FBI SMPs that permit sharing of information for technical assistance, but she noted, “their access was not limited to raw information for which the FBI sought assistance and access continued even after they had completed work in response to an FBI request.”

FBI also appears to have delivered data to a non-Federal agency (it appears to be some kind of tech contractor) where employees were not under the direct supervision of FBI employees.

With one of these violations (it appears, though is not certain, to be the second one), the decision to give improper access to contractors “was the result of deliberate decisionmaking” supported by an interagency memorandum of understanding. As Collyer notes, “such a memorandum of understanding could not override the restrictions of Section 702 minimization procedures.”

The Intelligence Committees started requiring copies of all interagency IC related MOUs last year; this may be one reason why. Nevertheless, that doesn’t change the history, that FBI at an institutional level made a decision to provide (apparently small amounts of) data to people outside of the minimization procedures.

I don’t think witnesses and Senators can claim they know of no willful violations anymore.

Share this entry

USA Freedom Act Booster Misses Opportunity to Note FISC Blew off USAF

/3 Comments/in /by

The Brennan’s Center Liza Goitein is the privacy community’s go-to witness for Section 702 hearings. She’s a decent choice: she’s unflappable, she has worked in Congress (which nevertheless doesn’t prevent members from routinely butchering her name), and she’s superb at invoking case law to support her points. She has a fine understanding of how the program is implemented.

But she did, in my opinion, affirmative damage in today’s hearing on Section 702.

The most ardent supporter for a special advocate in the FISA Court, Richard Blumenthal, asked the panel if the provision could be improved. All witnesses supported a FISA amicus, with both Goitein and CNAS’ Adam Klein supporting some strengthening of the provision.

But Goitein misstated how the current provision for an amicus — passed as law as part of USA Freedom Act — has been implemented. After calling the provision “a really important contribution of the USA Freedom Act,” Goitein claimed “for the most part the Court has” appointed an amicus for a novel or significant legal issue. [my transcription]

Goitein: I think that was a really important contribution of the USA Freedom Act. I think it’s very clear from the act that Congress intended for the FISA Court to make use of amici in really any case in which there was a novel or significant legal issue unless there were some extraordinary circumstances. I think for the most part the Court has done that. There have been a couple of occasions in which the court has found participation inappropriate based on the rationale that the Court just didn’t need help. I don’t think that’s really consistent with what was intended. But that’s been rare. That’s something I think this committee should keep an eye on. I do think it makes sense to have participation in the annual certification process be mandatory, and the one other thing I would suggest is that there’s currently no provision for amici to appeal rulings of the FISA Court if the amici’s arguments were rejected. And sometimes that’s important. I think we saw in the FISA Court’s decision on back door searches — there were a number of, to say the least, very novel legal issues that would have benefitted from review.

Except the Court hasn’t always appointed, much less considered, appointing an amicus.

Just two months ago, Rosemary Collyer permitted the back door searches of collection that she explicitly admitted can include entirely domestic communications. The decision goes well beyond what John Bates authorized in 2011 when he permitted back door searches, because Bates specifically excluded the upstream collection he knew to include entirely domestic communications.

Collyer approved that practice on top of all the other issues she ruled on, such as the sharing of raw data with NCTC (which will permit it to do back door searches for designations without the due process FBI provides) and letting NSA keep reports it developed using legally prohibited queries. Moreover, it came in an opinion where Collyer appeared to be unclear on the technical aspects of the question in front of her, resulting in an opinion that leaves little clarity on whether ending “about” collection (which was never defined in technical terms) will actually end the collection of unrelated American targets.

And not only didn’t Collyer appoint an amicus to deal with this difficult technical and legal issue. She didn’t even consider it, as mandated by USA Freedom Act.

A court established under subsection (a) or (b), consistent with the requirement of subsection (c) and any other statutory requirement that the court act expeditiously or within a stated time–

(A) shall appoint an individual who has been designated under paragraph (1) to serve as amicus curiae to assist such court in the consideration of any application for an order or review that, in the opinion of the court, presents a novel or significant interpretation of the law, unless the court issues a finding that such appointment is not appropriate;

I have asked some people on the Hill whether they consider this decision an significant opinion or not, and had mixed responses (meaning at least some of the privacy focused congressional figures I spoke with would have been okay with Collyer finding that she didn’t need an amicus or even are okay that she didn’t consider it).

But this question was an opportunity for the privacy community to point out to the amicus’ chief booster — and three other witnesses who generally support the amicus provision — how the FISC can and did in a hugely significant ruling sidestep necessary input. At the very least, it was an opportunity to point out that permitting the judges to decide what constitutes a significant legal issue permits too much discretion, because it allows the FISC to avoid justifying not appointing an amicus.

Instead of making those points, Goitein instead answered in a way that suggested she believes the first time approval of back door searches on content that includes entirely domestic collection is not a significant legal issue.

Share this entry

The [Publicly] Unanswered John Bates Question about How You Define an Active User of a Targeted Facility

/11 Comments/in , /by

In this post, I showed how sometime in fall 2010, the government tried to get the FISA Court to let it use Section 702 to spy on Americans. Specifically, it defined one of the terms used in its application (presumably its targeting certification) “to include US persons,” which Bates took to understand as a request to undertake the “intentional acquisition of communications of US persons reasonably believed to be located outside the United States.”

In addition to the big dump of 702 related documents released last week, Charlie Savage liberated some of the documents pertaining to upstream surveillance from 2011. One of the documents included a set of questions John Bates asked on November 7, in advance of approving the new minimization procedures. And one of the questions is one I asked — and for the same reason — in my post on Rosemary Collyer’s recent upstream opinion: how you define an “active user.”

The Court’s Memorandum defined “active user” to be “the individual using the electronic communications account/address/identifier to interact with his/her Internet service provider.” See Oct. 3, 2011 Memorandum Opinion at 35 n. 34 (emphasis added). However, the amended minimization procedures state that NSA will identify and segregate through technical means MCTs where “the active user of the transaction (i.e., the electronic communications account/address/identifier used to send or receive the Internet transaction to or from a service provider) is reasonably believed to be located in the United States; or the location of the active user is unknown.” See Section 3(b)(5)(a). Please confirm that NSA’s “technical means” for identification and segregation will focus on the location of the individual using the account.

Taken in the wake of the government’s 2010 effort to target a group that includes Americans, the importance of the answer is obvious. If, for example, the active user of a selector is the targeted group rather than a specific individual, then the Americans that are part of that targeted group would also have their communications collected and those communications wouldn’t get segregated as a result. For example, if the NSA were targeting the encryption keys that ISIS uses, and an American were also using that key to talk to other Americans, that communication would be collected but not segregated. So Bates, a year after backing the government down off its effort to use 702 to spy on Americans only to find that the government had been collecting on Americans for 4 years, seemed to be trying to make sure that the government didn’t achieve the same goal via different means.

Except, nowhere in the public record, did he explicitly force the government to integrate this focus on individual users into the minimization procedures. In his November 30, 2011 opinion approving the new MCT scheme, he cited of the requirement that MCTs including the communications of possible US persons get segregated, he added “the [user of]” to the language he cited from the minimization procedures.

Under the amended NSA minimization procedures, NSA must segregate and restrict access to certain portions of its upstream collection following acquisition.3 Section 3(b)(5)(a) requires NSA to

take reasonable steps post-acquisition to identify and segregate through technical means Internet transactions that cannot be reasonably identified as containing single, discrete communications where: the active user of the transaction (i.e., the [user of] the electronic communications account/address/identifier used to send or receive the Internet transaction to or from a service provider) is reasonably believed to be located in the United States; or the location of the active user is unknown.

But he didn’t specify that that user had to be an individual. In the same passage, he cited what are probably the responses to his November 7 questions, without citing the language used to respond to him.

Then, in restating the requirement to segregate such communications, Bates cited to his earlier opinion, but not the page he cited in his question invoking “individual” users.

Unlike the measures previously proposed by the government for MCTs, the new procedures require NSA, following acquisition, to identify and segregate the two categories of Internet transactions that are most likely to contain discrete wholly domestic communications and non-target communications to or from United States persons or persons located in the United States: (1) those as to which the “active user” is located inside the United States; and (2) those as to which the location of the active user is unknown. See Amended NSA Minimization Procedures at 4 (§ 3(b)(5)(a)); see also Oct. 3 Opinion at 37-41.

And neither the September 2012 opinion authorizing the next year’s certificates and clearing the government of ongoing violation of 1809(a)(2) doesn’t appear to mention active users.

I raised this issue with respect to Collyer’s opinion because, if the government can treat a group as a target and the group’s communication methods as a facility, then upstream surveillance will still collect entirely domestic communications that will newly be available via back door search (though in reality, NSA never fully implemented the scheme laid out in the 2011 opinion). Yet nowhere is this made clear.

Share this entry

In 2010, the Government Tried to Use Section 702 against US Persons

/4 Comments/in /by

I’m working my way through the FISA related documents released last week. And I wanted to point out something that happened around October 2010: the NSA tried to turn 702 into a domestic surveillance program.

First, some background. Before 2011, it appears the government got 702 certificates approved every six months. Also, because the initial certificates were approved a month apart (in part because the initial PAA certificates were also approved a month apart for some really interesting reasons), the government submitted two sets of documents. That’s what explains the nearly identical pairs of documents released last week (Documents 11 and 5 approve 2009 certs, and Documents 4 and 2 approve 2010 certs).

Sometime in late summer to fall 2010, the government submitted a pretty dramatically altered request (see Document 16). [Update: This targeting certificate from 2010 was submitted on July 16, though that feels like odd timing and none of the targets are described as including US persons.]

As part of that, the government defined one of the targets to include US persons (albeit ones apparently located overseas).

Moreover, the government has defined the term [redacted] to include US persons, which raises the question whether permitting the intentional acquisition of communications of US persons reasonably believed to be located outside the United States is consistent with the requirements of 50 U. S.C. § 1881 a(b)(3).

In addition, the government requested to keep and disseminate any US person or domestic data it found “to the extent reasonably necessary to counter any imminent threat to human life or the national security that is related to the target.”

Another significant change to the minimization procedures relates to the provisions that allow NSA to retain, process, and disseminate any communication acquired while a target of 702 collection was inside the United States or after a target has been determined to be a United States person, “to the extent reasonably necessary to counter any imminent threat to human life or the national security that is related to the target, including obtaining authorization against the target pursuant to another section of the Act.” NSA Minimization Procedures at 7-10.

Whereas later minimization procedures have language about protecting imminent threats (defined broadly to include property), this request included vague “threat to national security” language.

Finally, John Bates implied that the submission implicated some prior court decision(s), including one by the FISCR.

Remarkably, these prior decisions (as well as the name of the target that includes US persons) were redacted with the b(7)E law enforcement technique exemption, not the b(1) or b(3) that covers most of the other redactions in these memos. I can’t recall any other b(7)E redaction in all the FISA orders I’ve read.

Also note, that in 2010, there were only two known FISCR opinions, the one tearing down the wall in 2002, and the one authorizing PRISM in 2008; this may be an as yet unidentified FISCR opinion.

By all appearances, in fall of 2010, the government tried to get approval to use 702 against US persons.

In response to this request, Bates basically said, “submit a legal justification.”

To date, the government has not provided the Court with an adequate legal basis upon which to undertake this review and make the required findings. Therefore, and in accordance with Rule 10(a)(ii) of the Foreign Intelligence Surveillance Court Rules of Procedure, the Court hereby ORDERS the government to file a written memorandum of law that addresses the legal issues identified in this Briefing Order and any others that have not previously been presented to the Court.

Document 4 and Document 2 reveal that the government submitted that memorandum. But after the court saw it and discussed it, the government basically said, “um, nevermind”

The government timely filed its Memorandum of Law on [redacted] 2010.

The Court then discussed the issues presented with representatives of the government on [redacted] 2010, at which time the Court identified certain concerns regarding the government’s submissions. On [redacted], 2010, the Attorney General and the DNI executed two amendments regarding the [redacted] Submission, which were filed with the Court as part of the [redacted] Submission. These amendments have the effect of reverting to the use of targeting and minimization procedures previously approved by the Court in the context of prior certifications.

Just to make sure the government got the message, Bates emphasized that his 2010 approvals were limited to non-US persons outside of the US.

Like the acquisitions approved by the Court in all of the Prior 702 Dockets, acquisitions under are limited to “the targeting of non-United States persons reasonably believed to be located outside the United States.”

This all had to have happened after July 2010 (because the approvals cite Bates July 2010 opinion restarting the PRTT dragnet). But the approvals almost certainly happened in November, because the government submitted its reauthorization applications on April 20 and 22 the following year and they were still doing reauthorizations every six months with applications submitted a month in advance.

So in 2010, the government asked to use 702 to spy on Americans, Bates called them on it, and they backed down.

Sort of. On May 2, the government confessed for the first time that it had been collecting US person data all along.

Share this entry

Wyden to Coats: Admit You Know NSA Is Collecting Domestic Communications under 702

/22 Comments/in /by

Last week, I noted that Ron Wyden had asked Director of National Intelligence Dan Coats a question akin to the one he once asked James Clapper.

Can the government use FISA Act Section 702 to collect communications it knows are entirely domestic?

Coats responded much as Clapper did four years ago.

Not to my knowledge. It would be against the law.

But, as I pointed out, Coats signed a certification based off an application that clearly admitted that the government would still collect entirely domestic communications using upstream collection. Rosemary Collyer, citing the application that Coats had certified, stated,

It will still be possible for NSA to acquire [a bundled communication] that contains a domestic communication.

When I asked the Office of Director of National Intelligence about this, they said,

Section 702(b)(4) plainly states we “may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of acquisition to be located in the United States.” The DNI interpreted Senator Wyden’s question to ask about this provision and answered accordingly.

Yesterday, Ron Wyden wrote Dan Coats about this exchange. Noting everything I’ve just laid out, Wyden said,

That was not my question. Please provide a public response to my question, as asked at the June 7, 2017 hearing.

Wyden doesn’t do the work of parsing his question for Coats. But he appears to be making a distinction. The language ODNI’s spox pointed to discusses “intentionally acquir[ing a] communication as to which the sender and all intended recipients are known at the time of acquisition to be located in the United States.” Wyden’s question, however, did not use the term “intentionally” and did not include the language about “knowing at the time of collection” that the communication is domestic.

The distinction he is making appears to be the one I pointed out in this post. In a 2010 opinion, John Bates distinguished data that NSA had no reason to know was domestic communication (in this case, categories of packet information prohibited by the FISC in 2004, effectively content as metadata, but the precedent holds for all FISA collection), which he treated as legal, from that the NSA had reason to know was domestic.

When it is not known, and there is no reason to know, that a piece of information was acquired through electronic surveillance that was not authorized by the Court’s prior orders, the information is not subject to the criminal prohibition in Section 1809(a)(2). Of course, government officials may not avoid the strictures of Section 1809(a)(2) by cultivating a state of deliberate ignorance when reasonable inquiry would likely establish that information was indeed obtained through unauthorized electronic surveillance.

If NSA knew the data it was collecting was domestic, it was illegal. If NSA didn’t know the data it was collecting was domestic, it was not illegal.

But don’t you dare deliberately cultivate ignorance about whether the data you’re collecting is domestic, John Bates warned sternly!

Here, of course, the government has told the court in its application, “Hey, we’re going to be collecting domestic communications,” but then, in testimony to Congress, said, “nah, we’re not collecting domestic communications.”

Having said in its application that it is still possible to collect domestic communications, it sure seems the government has ceded any claim to be ignorant that it is collecting domestic communications.

Which would make this collection of domestic communications illegal.

Share this entry

Privacy Community Lets Dan Coats Off Easy in Letter Accusing Him of Reneging on His Promise

/2 Comments/in /by

This post may make me some enemies in DC.

But the privacy community appears to be missing some critical points in this letter accusing Dan Coats of reneging on his promise to provide an estimate of how many Americans have been sucked up in Section 702 surveillance. The letter rehearses what it claims is the history of NSA counting or not counting how many Americans get collected under Section 702, going back to 2011.

This debate began in 2011 when Senator Wyden first asked Director Clapper to provide an estimate.2 In 2012, the Inspector General of the Intelligence Community claimed that such an estimate would not be possible because the process of establishing the estimate would violate the privacy of U.S. persons, and require too many resources.3

Yet in the same letter, it claims that NSA managed to do a count of Americans implicated in upstream surveillance in 2011.

First, the NSA previously undertook an effort to provide the Foreign Intelligence Surveillance Court (FISC) with a similar estimate, and “there is no evidence that this undertaking impeded any NSA operations.”5 There, in order to address the FISC’s concerns about the number of wholly domestic communications that were being collected under Section 702, the NSA “conducted a manual review of a random sample consisting of 50,440 Internet transactions taken from the more than 13.25 million Internet transactions acquired through the NSA’s upstream collection during a six month period.”6

It is absolutely true that NSA “undertook an effort” to provide the number of Americans implicated in upstream surveillance. But it was not “a similar estimate.” On the contrary, NSA only obtained an estimate of entirely domestic communications collected as part of multiple communication transactions, MCTs. It did not — not even after Bates asked — come up with an estimate of how many entirely domestic communications NSA collected via upstream collection as single communication transactions, much less an estimate of all the Americans collected.

Here’s how John Bates described it in the opinion cited in footnote 6.

NSA’s manual review focused on examining the MCTs acquired through NSA’s upstream collection in order to assess whether any contained wholly domestic communications. Sept. 7, 2011 Hearing Tr. at 13-14. As a result, once NSA determined that a transaction contained a single, discrete communication, no further analysis of that transaction was done. See August 16 Submission at 3. After the Court expressed concern that this category of transactions might also contain wholly domestic communications, NSA conducted a further review. See Sept. 9 Submission at 4. NSA ultimately did not provide the Court with an estimate of the number of wholly domestic “about” SCTs that may be acquired through its upstream collection. Instead, NSA has concluded that “the probability of encountering wholly domestic communications in transactions that feature only a single, discrete communication should be smaller — and certainly no greater — than potentially encountering wholly domestic communications within MCTs.” Sept. 13 Submission at 2.

The Court understands this to mean that the percentage of wholly domestic communications within the universe of SCTs acquired through NSA’s upstream collection should not exceed the percentage of MCTs within its statistical sample. Since NSA found 10 MCTs with wholly domestic communications within the 5,081 MCTs reviewed, the relevant percentage is .197% (10/5,081). Aug. 16 Submission at 5.

NSA’s manual review found that approximately 90% of the 50,440 transactions in the same were SCTs. Id. at 3. Ninety percent of the approximately 13.25 million total Internet transactions acquired by NSA through its upstream collection during the six-month period, works out to be approximately 11,925,000 transactions. Those 11,925,000 transactions would constitute the universe of SCTs acquired during the six-month period, and .197% of that universe would be approximately 23,000 wholly domestic SCTs. Thus, NSA may be acquiring as many as 46,000 wholly domestic “about” SCTs each year, in addition to the 2,000-10,000 MCTs referenced above.

Now, ODNI might raise this detail and say that the 2011 review was not as intensive as the one the privacy community wants to conduct. They’d be right, not least because the upstream review should be easier to conduct than the PRISM review, even though there should be less upstream collection under the new rules (under 702, anyway — much of it would have just gone to EO 12333 collection).

But the other critical point is that, having done the sampling, NSA wasn’t even willing to give Bates the information he requested t0 explain the scope of illegal collection under Section 702.

NSA’s refusal to count all the entirely domestic communications collected in their own right is particularly important given another point that would be worth mentioning here.

It’s not so much that this debate started when Ron Wyden made his request. Rather, Ron Wyden, with Mark Udall, made a written request for such a count on the very same day, July 14, 2011, that DOJ obtained an extension to conduct the count for John Bates.

In April 2011, Wyden and Mark Udall asked for the number.

In April of 2011, our former colleague, Senator Mark Udall, and I then asked the Director of National Intelligence, James Clapper, for an estimate.

According to Clapper’s response, they sent a written letter with the request on July 14, 2011. The timing of this request is critically important because it means Wyden and Udall made the request during the period when NSA and FISA Judge John Bates were discussing the upstream violations (see this post for a timeline). As part of that long discussion Bates had NSA do analysis of how often it collected US person communications that were completely unrelated to a targeted one (MCTs). Once Bates understood the scope of the problem, he asked how many US person communications it collected that were a positive hit on the target that were the only communication collected (SCTs).

But the timing demands even closer scrutiny. On July 8, John Bates went to DOJ to express “serious concerns” — basically, warning them he might not be able to reauthorize upstream surveillance. On July 14 — the same day Wyden and Udall asked Clapper for this information — DOJ asked Bates for another extension to respond to his questions, promising more information. Clapper blew off Wyden and Udall’s request in what must be record time — on July 26. On August 16, DOJ provided their promised additional information to Bates. That ended up being a count of how many Americans were affected in MCTs.

So this debate started when Wyden, simultaneously with the FISC, asked for numbers on how many Americans were affected. But the NSA proceeded to do a count that was only partially responsive to Bates’ concerns and barely responsive to Wyden’s.

NSA did a count in 2011. But even though they had requests for a number from both other co-equal branches of government, they refused to do a responsive count, even as they were already committing the resources to doing the count.

The claim about resources made in 2011 rings hollow, because the resources were expended but the scope was narrowly drawn.

Which brings me to the last critical point here: the most likely motive for drawing the scope so narrowly even as both other co-equal branches of government were requesting the number.

In July 2010, John Bates wrote another opinion. On its face, it addressed the NSA’s collection of prohibited categories under the PR/TT Internet dragnet. But in reality, that collection was just upstream collection with some filtering to try to get down to the part of the packets that constituted metadata under rules set in 2004. Effectively, then, it was also an opinion about the deliberate collection of domestic content via upstream collection. And in that opinion, he weighed the government’s request to let it keep data it had collected that might contain entirely domestic content. Ultimately, Bates said that if the government knew it had obtained domestic content, it had to delete the data, but if it didn’t know, it could keep it.

When it is not known, and there is no reason to know, that a piece of information was acquired through electronic surveillance that was not authorized by the Court’s prior orders, the information is not subject to the criminal prohibition in Section 1809(a)(2). Of course, government officials may not avoid the strictures of Section 1809(a)(2) by cultivating a state of deliberate ignorance when reasonable inquiry would likely establish that information was indeed obtained through unauthorized electronic surveillance.

[snip]

In light of the government’s assertions of need, and in heavy reliance on the assurances of the responsible officials, the Court is prepared — albeit reluctantly — to grant the government’s request with respect to information that is not subject to Section 18099a)(2)’s prohibition. Hence, the government may access, use, and disseminate such information subject to the restrictions and procedures described above that will apply to future collection.

From that point forward, it was a precedent in the FISC that the government could obtain entirely domestic communications, provided that they didn’t know they were collecting it. But they couldn’t cultivate deliberate ignorance of what they were doing. (They still violated the precedent, but quickly destroyed all the data before they got caught in 2011.)

If the NSA knows they’re intentionally collecting entirely domestic communications, it is illegal. If the NSA doesn’t know they’re intentionally collecting entirely domestic collections, it’s not illegal.

You can see how, even with Bates’ stern warning not to deliberately cultivate ignorance, this provided a huge incentive to deliberately cultivate ignorance.

Of course, Dan Coats performed just that deliberate ignorance the other day, when Wyden made it clear Coats had signed the reauthorization certification for 702 even though the accompanying memo made it clear that the NSA would still be collection entirely domestic communications. Coats claimed they wouldn’t collect Americans’ communications even in spite of the fact that the memo accompanying his certification said it would do just that.

This is a concept the privacy community really needs to learn, quickly. Because Ron Wyden is laying all the ground work to make it clear that this is about deliberate ignorance, of just the sort that Bates said was improper, not actually a concern about resources.

Share this entry

Dan Coats Just Confirmed He Signed the Section 702 Certificate without Even Reading the Accompanying Memo

/8 Comments/in /by

Today, the Senate Intelligence Committee had a hearing on Section 702 of FISA. It basically went something like this:

It’s okay that we have a massive dragnet because the men running it are very honorable and diligent.

The men running the dragnet refuse to answer a series of straight questions, and when they do, they’re either wrong or deeply dishonest.

I’ll lay that out in more detail later.

But the most important example is an exchange between Ron Wyden and Dan Coats that will reverberate like Clapper’s now famous answer to Wyden that they don’t “wittingly” collect on millions of Americans. It went like this:

Wyden: Can the government use FISA 702 to collect communications it knows are entirely domestic?

Coats: Not to my knowledge. It would be against the law.

Coats’ knowledge should necessarily extend at least as far as Rosemary Collyer’s opinion reauthorizing the dragnet that Coats oversees, which was, after all, the topic of the hearing. And that opinion makes it quite clear that even under the new more limited regime, the NSA can collect entirely domestic communications.

Indeed, the passage makes clear that that example was presented in the memo tied to the certification about Section 702 that Coats signed (but did not release publicly). Effectively, Dan Coats signed a certificate on March 30 stating that this collection was alright.

I’m not sure what this example refers to. Collyer claims it has to do with MCTs, though like Dan Coats, she didn’t seem to understand the program she approved. There are multiple ways I know of where entirely domestic communications may be collected under 702, which I’ll write about in the near future.

In any case, if Dan Coats was being truthful in response to Wyden’s question, then he, at the same time, admitted that he certified a program without even reading the accompanying memorandum, and certainly without understanding the privacy problems with the program as constituted.

He either lied to Wyden. Or admitted that the current 702 certification was signed by someone who didn’t understand what he was attesting to.

Update: I did a version of this (including comment on Mike Rogers’ testimony) for Motherboard. It includes this explanation for Coats’ comment.

Section 702(b)(4) plainly states we ‘may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of acquisition to be located in the United States.’ The DNI interpreted Senator Wyden’s question to ask about this provision and answered accordingly.

Share this entry

It Is False that Downstream 702 Collection Consists Only of To and From Communications

/9 Comments/in /by

I was swamped this week when Hoover Institute had this conference on Section 702 of FISA. But I heard so much about this panel, with Jim Baker, Susan Hennessey, Alex Abdo, and Julian Sanchez, I had to watch.

The panel generally and Hennessey especially gave far too much credence to the claim that NSA self-reported the upstream search violations revealed in the April 26 Rosemary Collyer opinion. You cannot claim NSA self-reported a problem they sat on for nine months before initially explaining, and pointedly didn’t mention in the initial reauthorization application, and that’s just one example of egregiously belated reporting described in the opinion. I’ll have far more to say about that — and NSA oversight generally — in the upcoming days.

I’m also frankly shocked that no one on the panel mentioned the approval to share EO 12333 data that was authorized between the time NSA belatedly declared these problems and the time it said it would discontinue an abusive problem. Here’s what the timing looked like:

  • January 2016: Several formal discoveries of the problems in upstream searches
  • September 26, 2016: Initial application (that didn’t disclose the problems) first submitted
  • October 24, 2016: The government first discloses the upstream search problems
  • January 3, 2017: Loretta Lynch signs procedures authorizing the sharing of raw EO 12333 data
  • March 30, 2017: The government submits their fix to upstream problems
  • April 26, 2017: Rosemary Collyer opinion authorizing the reframed upstream collection

The timing is critical because in between the time the government very belatedly revealed the problems with upstream and the time it decided to halt a narrowly defined “about” collection, it got approval to share raw EO 12333 data between agencies. The searches that NSA won’t be able to do under Section 702 are all, by definition, possible (though probably not as easy) to do under EO 12333. So the government can still obtain the very things they’ve told the FISC they won’t collect [under 702], and they can share them more easily with the FBI and CIA (which can do back door searches on them). In other words, even as the FISC was saying that the backdoor searches of upstream collection violated the Fourth Amendment, the government was self-authorizing a way to do the very same searches via means that don’t have any FISC oversight (and for which the existing oversight regime is flimsy).

But one thing that was most striking for me came when Hennessey stated “there are two forms of collection, upstream and downstream. Within downstream there’s only to and from collection.”

This is the kind of claim that seems to be correct. Indeed, much of Rosemary Collyer’s shitty opinion is premised on such an assumption. In all unclassified FISC discussions, back door searches of PRISM content are considered acceptable because (the assumption is) the searches would return only the side of the US person conversing with a foreign intelligence target. The idea is that the US person would be interesting and potentially valid foreign intelligence because they had knowingly communicated with a target.

But it is actually incorrect.

That’s because PRISM (which has been renamed “downstream” for some reason, which distracts from what kind of providers these actually are) is significantly about the collection of stored data. And the data it collects is not just electronic surveillance (that is, data in motion). As the WaPo described years ago, the NSA will collect other things that are in someone’s users account.

No government oversight body, including the Justice Department, the Foreign Intelligence Surveillance Court, intelligence committees in Congress or the president’s Privacy and Civil Liberties Oversight Board, has delved into a comparably large sample of what the NSA actually collects — not only from its targets but also from people who may cross a target’s path.

Among the latter are medical records sent from one family member to another, résumés from job hunters and academic transcripts of schoolchildren. In one photo, a young girl in religious dress beams at a camera outside a mosque.

Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers. In some photos, men show off their physiques. In others, women model lingerie, leaning suggestively into a webcam or striking risque poses in shorts and bikini tops.

I raise this not to gotcha Hennessey for making a mistake at all; as I said, on its face the statement seems to be, but is not, correct. Rather, I wanted to point to an assumption virtually everyone has been making about PRISM collection and its suitability for back door searches that may not be valid. If you think about the hack-and-leak dumps in recent years, for example, often the most damaging, as well as the most ridiculous infringements on privacy, involve email attachments, such as the list of most Democratic members of Congress’ email many passwords for which were easily obtainable online, or phone conversations about routine housekeeping or illness. And that’s just attachments; most of the PRISM providers are actually cloud storage providers, in addition to being electronic communication providers, and from the very first requests to Yahoo there was mission creep of all the types of things the government might demand.

And while NSA and FBI aren’t supposed to keep stuff that doesn’t count as foreign intelligence or criminal information, it’s clear (from the WaPo report) that NSA, at least, does.

So as we talk about how inappropriate the upstream back door searches were and are because they can search on stuff that’s not foreign intelligence information, we should remember that the very same thing is likely true of back door searches of  the fruits of searches on a person’s cloud storage account.

 

Share this entry