I Con the Record Transparency Bingo (1): Only One Positive Hit on a Criminal Search

/in /by

As we speak, a bunch of privacy experts are on Twitter trying to make sense of I Con the Record’s transparency report, which is a testament to the fact that the Transparency Report obfuscates as much as makes transparent (and the degree to which you need to have read a great deal of other public reports to understand these things).

So I’m going to deal with the obvious errors I’m seeing made as I see them, then will do a more comprehensive working thread.

The first confusion I’m seeing pertains to this factoid showing how many US person queries designed to return criminal information returned a positive hit.

First, it is not the case that this number, 1, means the FBI affirmatively searched a dedicated FISA 702 database for criminal data and only found data once. The FISA 702 data, the traditional FISA data, and other data are all mixed in together. What this means is when the FBI searched databases including that FISA 702 data and other stuff looking for information on a criminal case, on just one occasion did they get a positive hit showing evidence of a non-national security crime that landed in the database via Section 702 and no other authority (some amount of this information will come into the database via multiple authorities), then obtain that information (whether via their own 702 clearance or by asking a buddy cleared into 702), and review it.

So right off the bat, there are some things this number doesn’t include: positive hits on criminal queries that a person receives but doesn’t receive and review. One reason they might get a positive hit they don’t review is if a non-cleared person doesn’t go through the effort to get a FISA-cleared person to access it. But as I pointed out when the opinion ordering this count got released, there are other possibilities.

FBI’s querying system can be set such that, even if someone has access to 702 data, they can run a query that will flag a hit in 702 data but won’t actually show the data underlying that positive return. This provides one way for 702-cleared people to learn that such information is in such a collection and — if they want the data without having to report it — may be able to obtain it another way. It is distinctly possible that once NSA shares EO 12333 data directly with FBI, for example, the same data will be redundantly available from that in such a way that would not need to be reported to FISC. (NSA used this arbitrage method after the 2009 problems with PATRIOT-authorized database collections.)

Furthermore, this will only count a positive hit if the Agent is making an exclusively criminal search. Hogan’s opinion and (we now know from some recently liberated documents) the underlying discussion didn’t deal with the full scope of queries done for assessment reasons in the name of national security, such as profiling various ethnic communities or more generally searching on leads identified via national security mapping. Those queries would count as national security queries, but a big point of doing them would be to find derogatory information, including evidence of criminal behavior, to use to recruit informants.

Finally, consider how the Attorney General Guidelines defines Foreign Intelligence information.

Plus, such reporting depends on the meaning of foreign intelligence information as defined under the Attorney General Guidelines.

FOREIGN INTELLIGENCE: information relating to the capabilities, intentions, or activities of foreign governments or elements thereof, foreign organizations or foreign persons, or international terrorists.

It would be relatively easy for FBI to decide that any conversation with a foreign person constituted foreign intelligence, and in so doing count even queries on US persons to identify criminal evidence as foreign intelligence information and therefore exempt from the reporting guidance. Certainly, the kinds of queries that might lead the FBI to profile St. Paul’s Somali community could be considered a measure of Somali activities in that community. Similarly, FBI might claim the search for informants who know those in a mosque with close ties overseas could be treated as the pursuit of information on foreign activities in US mosques.

As I understand it, the reporting to Congress on this has been a bit more circumspect than members might have liked. That means the other details FISC judge Thomas Hogan required about this one positive hit — what query resulted in a positive hit, what kind of investigative action it led to, and why FBI believes it to fall under minimization procedures — aren’t as sexy as this number, 1.

Prior to this positive hit, the FBI had always assured oversight authorities that the possibility that Section 702 data would result in criminal information was “theoretical.”

Even as a factoid of limited meaning, it does mean the possibility is no longer theoretical.

What Queries of Metadata Derived from Upstream Data Might Include

/2 Comments/in , /by

In this post, I explained that at virtually the exact moment the NSA shut down the PRTT dragnet in 2011, FISC permitted it to start querying metadata derived from upstream collection. After that happened, it started distinguishing between data that was “handled” according to minimization procedures and data that was “processed” before being intelligible.

In this post, I want to talk about what we can learn about metadata derived from FAA 702 from the opinion that authorized it and this document which based on the date, I assume pertains at least to upstream 702 derived metadata (from which the two kinds of MCTs most likely to include domestic communications would be excluded).

First, assuming that this querying document does include upstream, then it means that entirely domestic communications might be included in the querying. The opinion allows,

NSA to copy metadata from Internet transactions that are not subject tosegregation pursuant to Section 3(b) without first complying with the other rules for handlingnon-segregated transactions – i.e., without ruling out that the metadata pertained to a discretewholly domestic communication or to a discrete non-target communication to or from a U.S.person or a person inside the United States.

This means that after the data comes in to NSA and the two types of metadata most likely to include domestic MCTs are segregated, it can be made available to metadata analysis. The NSA prevented queries of segregated data via technical means.

NSA’s technical implementation will ensure that USP metadata queries of FAA 702 collection will only run against communications metadata derived from FAA 702 [redacted] and telephony collection.

The document stated that “NSA’s Technical Directorate (TD) continues to work to implement this requirement.” It’s not clear whether that language dates to December 16, 2011, when it was first written, or to August 19, 2013, when it was most recently revised.

Yet even assuming that technical protection occurred, there would still be Americans in the pool. According to John Bates’ estimate from the same year, there might be 46,000 domestic communications in there that ended up in the batch because the domestic communication that made mention of targeted selector transited internationally, which led them to get caught in filters supposedly targeted at international traffic.

The opinion mandates that, if after doing the analysis, the analyst realizes she has a completely domestic communication, she has to destroy it (though that requirement would get softer the next year). But a footnote also reveals that the means of determining if a selector was American was not failsafe.

NSA will rely on an algorithm and/or a business rule to identify queries of communications metadata derived from the FAA 702 [redacted] and telephony collection that start with a United States person identifier. Neither method will identify those queries that start with a United States person identifier with 100 percent accuracy.

Moreover, in an apparent bid to have this querying process interact relatively seamlessly with Special Procedures Communications Metadata Analysis (SPCMA — a way to query EO 12333 metadata incorporating US person identifiers), the standards were lackadaisical. As with SPCMA, an analyst had to come up with a foreign intelligence justification, but that’s just a “memory aid” in case the analyst gets questioned about it “long after the fact” in a fact check. Analysts don’t have to seek approval before they use a particular selector to query and they’re not required to attach any supporting documentation for their justification (this was in 2013, so requirements may be stronger in the wake of the PCLOB report). And SPCMA training is considered adequate to query metadata derived from 702.

In other words (again, assuming this pertains to upstream querying), there are several risks: that US person data will get thrown in the mix, that it won’t get identified by an algorithm as such, and so that that query result will lead to further spying on a US person without getting destroyed.

Still, as made clear, the alternative is SPCMA, which offers even fewer protections than 702 querying.

One more thought: the NSA report on the aftermath of Bates’ upstream decision (and the implementation of the 2012 certificates) revealed the PRISM providers incurred cost with the transition between certificates. It’s actually quite possible that the upstream metadata queries would come to constitute a critical part of the targeting process, effectively identifying what Goole or Yahoo content might be of interest at the metadata stage, only then to submit that to the provider for the content. If that’s true, it would be somewhat easy to end up targeting a US person for content collection via such upstream searches (though that presumably would be captured in the post-targeting process).

At the Moment NSA Shut Down the PRTT Metadata Dragnet, FISC Permitted It to Query Upstream Metadata

/2 Comments/in /by

In this post, I showed in really weedy inaccessible language how NSA started changing the vocabulary it uses to refer to the access to and manipulation of data in 2011. Before, almost everything used the word “processing” when what it meant was to connote “handling” according to minimization procedures. Now that “processing” is only used for special instances, I believe it serves as a kind of realm of plausible deniability in minimization procedures during which period, because the data is unintelligible, the rules obviously can’t apply.

In this post, I want to look at another change that occurred in the 2011 to 2012 transition: FISC permitted NSA to do back door searches of metadata collected under 702 upstream. It did so at precisely the moment — November to December 2011 — when NSA shut down the PRTT Internet dragnet.

In the set of minimization procedures released in 2013, this paragraph on page 6 is redacted entirely.

That passage became public in 2015, when I Con the Record released the 2014 minimization procedures.

Notwithstanding subsection 3(b)(4)b. above, NSA may use metadata extracted from Internet transactions acquired on or after October 31, 2011, that are not identified and segregated pursuant to subsection 3(b)(4)a. without first assessing whether the metadata was extracted from: a) a discrete communication as to which the sender and all intended recipients are located in the United States; or b) a discrete communication to, from, or about a tasked selector. Any metadata extracted from Internet transactions that are not identified and segregated pursuant to subsection 3(b)(4)a. above will be handled in accordance with the applicable provisions of these procedures. Any metadata extracted from an Internet transaction subsequently determined to contain a discrete communication as to which the sender and all intended recipients are reasonably believed to be located inside the United States shall be destroyed upon recognition.

The September, 20 2012 opinion re-released publicly last week revealed the discussion that remains redacted in the November 30, 2011 opinion and was redacted in the original release of the 2012 one. Starting with that November 30, 2011 opinion, FISC permitted NSA to pull the metadata off of all the upstream collection that wasn’t most likely to include entirely domestic MCT communications and do back door searches (which it had just approved for the first time on October 3, 2011) on it.

Another change to Section 3(b) of the NSA minimization procedures involves metadata. The procedures approved by the Court in the November 30, 2011 Memorandum Opinion contain a provision allowing NSA to copy metadata from Internet transactions that are not subject to segregation pursuant to Section 3(b) without first complying with the other rules for handling non-segregated transactions – i.e., without ruling out that the metadata pertained to a discrete wholly domestic communication or to a discrete non-target communication to or from a U.S. person or a person inside the United States. See Nov. 30, 2011 Mem. Op. at 15-20. Metadata
copied pursuant to this provision must be handled in accordance with the other provisions of the procedures. Id. at 16. Furthermore, in the event that NSA later identifies an Internet transaction as containing a wholly domestic communication, any metadata that has been extracted from that transaction must be destroyed. Id.

The amended procedures retain this provision, but now expressly limit it to Internet transactions acquired on or after October 31, 2011. Amended NSA Minimization Procedures at6 (§ 3(b)(4)(b)(4)). This date change accounts for the fact that, as discussed above, NSA’s upstream acquisitions before that date have been subject to an earlier set of minimization procedures that did not provide for the extraction and use of metadata by NSA. See Nov. 30,2011 Mem. Op. at 20-21. The addition of the date makes clear that although the amended NSA minimization procedures now generally apply to Section 702 information acquired by NSA underall certifications, this metadata provision continues to apply only to information acquired under the 2011 and 2012 certifications. Because this amendment serves only to preserve the status quo with respect to metadata, it presents no issue under Section 1801(h).

Along with the documents released last week, ACLU obtained four different versions of guidance for back door searches:

  • An undated one from the CIA that post-dates the PCLOB 702 report (because it references the report). It’s mostly redacted, and is most interesting for the two redacted purposes that qualify a query as a foreign intelligence query (I suspect they relate to leaks and either proliferation and/or hackers).
  • An undated “USP Queries within FAA 702 PRISM and Telephony Content Collection.” It is undated, but it was cleared for release on May 22, 2012 (perhaps as part of the last reauthorization effort). It breaks these back door searches into three categories/approval processes:
    • Identifiers approved for other kinds of querying, whether under traditional FISA or RAS approval from the now-defunct Section 215 phone dragnet program.
    • Identifiers approved under 704/705b (overseas targeting), US persons held captive, or some other emergency. (Remember that in 2013 Dianne Feinstein pretended the last category was the only one they used back door searches for.)
    • Other identifiers, for which the NSA would set its own duration for permissible querying and describe its own reason for approving the query.
  • An undated “Emergency USP Content Queries within FAA 702 PRISM and Telephony Content Collection.” Given that this is completely undated, it’s not entirely clear whether this is an amendment to the one released in 2012, but the procedures seem to be consistent with what was required under that.
  • A “USP Queries of Communications Metadata Derived from FAA [redacted] and Telephony Collection.” The file name of the document shows it was originally dated December 16, 2011, and was revised August 19, 2013. Footnote 2 in the document explains that “communications metadata” will be “the same as the description of ‘metadata’ provided in the response to question 9 within the Government’s Responses to FISC Questions re: Amended 2011 Section 702 Certification, filed on November 15, 2011, pages 3-8. Given the date, these guidelines seem to lay out the implementation of (at a minimum) the queries on metadata from upstream 702. I would guess the redaction says something like, “PRISM or SCT” or “non-MCT upstream.”

I’ll have more to say about the last document in a follow-up post, as it seems to explain what the NSA accomplished by transferring its PRTT Internet dragnet partly to upstream metadata queries.

Processing versus Handling in Section 702

/in /by

I’m working through some weedy NSA stuff, and wanted to “handle” a discrete point about a change in NSA’s Section 702 minimization procedures dating to 2012.

Earlier this year, the government provided ACLU with the full Section 702 order from 2012, though ACLU re-released it last week with a bunch of other things (and the opinion makes more sense in conjunction with these releases). Previously, the government had just released the 9 pages of the opinion pertaining to John Bates’ satisfaction that the NSA had properly dealt with all the domestic upstream transactions it had acquired prior to October 31, 2011. The newly unredacted material in the version of the opinion released this year include details about changes to the 702 minimization procedures in 2012, as well as language describing five pages from a November 2011 opinion resolving the upstream surveillance.

NSA starts formally distinguishing between “processing” and “handling” data (without defining the latter in minimization procedures)

One change the government made in 2012 was to distinguish in minimization procedures between data it “processed” and data it “handled.”

“Processing” versus “handling” information. In a number of places in the amended NSA minimization procedures, the government has replaced the term “processed” with the word “handled.” See Amended NSA Minimization Procedures at 9 (§ 5(1)) & 12 (§§ 6(c)(l) & 6(c)(2)). Both the previously-approved NSA minimization procedures and the amended procedures define the terms “processed” or “processing” to mean “any step necessary to convert a communication into an intelligible form intended for human inspection.” Id. at 2 (§ 2(h)). The previously-approved procedures did not uniformly use the terms in a manner consistent with that narrow definition. This clarifying change remedies that inconsistency by using the distinct term “handled” or “handling” to refer to the treatment of communications after they have been rendered intelligible for human inspection. This non-substantive change reduces the potential for confusion and mistake and raises no issue under Section 1801(h).

Now, we can’t see exactly what this change looks like, because we only have the 2011 and 2014 minimization procedures, not the 2012 that implemented this change. In 2011 the minimization procedures mentioned “processing” data 18 times (including the definition) and “handling” it just three times (neither of these minimization procedures define “handling”). By the 2014 minimization procedures, “process” is mentioned just four times (including the two definitional references), and “handl[e]” is mentioned 18 times. As I’ll lay out below, the word processing came to be used exclusively for data manipulation for which the NSA would want plausible deniability regarding the status of US person communications. So I wanted to track all the changes and retentions of the two terms.

Three changes are made immediately

The 2012 and 2013 minimization procedures may have made some interim changes. As noted, the opinion cites just three passages of what would become the 2012 minimization procedures where the language changed.

The first, at page 9§5(1) in the 2014 minimization procedures, is part of the language changed in 2012 to allow NSA to keep and play with domestic communications that have significant foreign intelligence value, as opposed to just handing it on to FBI. [my emphases, using bold for things changed to “handle” and italics for things that remain “process” throughout]

such domestic communication is reasonably believed to contain significant foreign intelligence information. Such domestic communication (and, if applicable, the transaction in which it is contained) may be retained, handled, and disseminated in accordance with these procedures;

And on page 13 at §§ 6(c)(l) & 6(c)(2), which permit the sharing of information with CIA and FBI.

(1) (U) NSA may provide to the Central Intelligence Agency (CIA) unminimized communications acquired pursuant to section 702 of the Act. CIA will identify to NSA targets for which NSA may provide unminimized communications to CIA. CIA will handle any such unminimized communications received from NSA in accordance with CIA minimization procedures adopted by the Attorney General, in consultation with the Director of National Intelligence, pursuant to subsection 702(e) of the Act.

(2) (U) NSA may provide to the FBI unminimized communications acquired pursuant to section 702 of the Act. The FBI will identify to NSA targets for which NSA may provide unminimized communications to the FBI. The FBI will handle any such unminimized communications received from NSA in accordance with FBI minimization procedures adopted by the Attorney General, in consultation with the Director of National Intelligence, pursuant to subsection 702(e) of the Act.

Handle got introduced in the discussion of transactions

But, as noted above, either the NSA made the “process” to “handle” change in far more places in 2012 than noted in the opinion or it continued to change things from “process” to “handle” between 2012 and 2014.

To begin with, in 2011 there were already three uses of the word “handle.” Those were all in the discussion on how to deal with upstream transactions, and so would have been new in 2011.

On page 4, §3(b)(5)(a)(1)(b), which discusses how the NSA should treat multiple communication transactions (MCTs) that have been reviewed and moved into more generally accessible repositories.

Any information moved or copied from the segregated repository into repositories more generally accessible to NSA analysts will be processed in accordance with subsection 3(b)(5)(b) below and handled in accordance the other applicable provisions of these procedures.

On page 5, §3(b)(5)(a)(2), which discusses upstream communications that are not segregated as MCTs most likely to include US person transactions.

Internet transactions that are not identified and segregated pursuant to subsection 3(b)(5)a. will be processed in accordance with subsection 3(b)(5)(b) below and handled in accordance with the other applicable provisions of these procedures.

And on page 5, §3(b)(5)(b)(2)(a), which explains that if an analyst wants to use a communication within a transaction that involves the actual selector that identified the communication, the analyst can treat US person information as it would normally (that is, as incidental communication).

If the discrete communication is to, from, or about a tasked selector, any U.S. person information in that communication will be handled in accordance with the applicable provisions of these procedures.

The transition from “process” to “handle” may have happened in interim minimization procedures

So the minimization procedures started to move to “handle” in 2011, at least three more instances did so in 2012, but by the 2014 minimization procedures, “process” is retained just four times (including the two definitional references). The two remaining non-definitional uses of processing are page 4, §3(b)(4)(a)(1), which effectively permits an exception to the segregation rules on upstream MCTs in order to render upstream collection intelligible to analysts.

Notwithstanding subsection 3(b)(4)a. above, NSA may process Internet transactions acquired through NSA upstream collection techniques in order to render such transactions intelligible to analysts.

In 2011, this was the introduction of the following clause, though it defined processing as “(e.g., decryption, translation).”

And page 14 §8(b), which permits NSA to share information with foreign governments for technical and linguistic assistance.

It is anticipated that NSA may obtain information or communications that, because of their technical or linguistic content, may require further analysis by foreign governments to assist NSA in determining their meaning or significance. Notwithstanding other provisions of these minimization procedures, NSA may disseminate computer disks, tape recordings, transcripts, or other information or items containing unminimized information or communications acquired pursuant to section 702 to foreign governments for further processing and analysis, under the following restrictions with respect to any materials so disseminated:

The other mentions of processing that get lost between 2011 and 2014 are §3(b)(1), which takes out a reference to the “processing cycle.”  §3(b)(3) provides explicit permission to process magnetic tapes or other storage media.

Finally, one use of “process” got dropped at §3(b)(4). In 2011, the passage stated that only domestic transactions that are fit the retention exception may be “processed,” a meaning which would now be handled. But the 2011 clause still permitted other transactions to be “retained or disseminated,” according to the procedures.

2011:

As a communication is reviewed, NSA analyst(s) will determine whether it is a domestic or foreign communication to, from, or about a target and is reasonably believed to contain foreign intelligence information or evidence of a crime. Only such communications may be processed. All other communications may be retained or disseminated only in accordance with Sections 5, 6, and 8 of these procedures.

2014:

As a communication is reviewed, NSA analyst(s) will determine whether it is a domestic or foreign communication to, from, or about a target and is reasonably believed to contain foreign intelligence information or evidence of a crime for purposes of assessing how the communication should be handled in accordance with these procedures.

 

 

 

The Upstream “About” Problem Probably Pertains to SCTs, not MCTs

/4 Comments/in /by

Much of the reporting on the reason NSA is shutting down Section 702 authorized upstream “about” collection has assumed the problem pertains to multiple communication transactions, which is when emails get sent in batches, which can include targeted emails (meaning they include a selector tied to an approved foreign target) as well as untargeted, completely domestic ones. But we know that upstream collection also collects single communication transactions that constituted entirely domestic communications, which would happen if an email from one American to another included the selector (and remember, the selector can be things beyond email and phone numbers; it might include things like encryption keys or dark web forum addresses). Collection of a completely domestic SCT would happen for different technical reasons than an MCT: it would happen whenever an Internet communication between two Americans transited overseas and got caught in filters purportedly focused exclusively on international traffic. Here’s how John Bates described SCTs in his October 3, 2011 opinion on the upstream problems.

In addition to these MCTs, NSA likely acquires tends of thousands more wholly domestic communications every year, given that NSA’s upstream collection devices will acquire a wholly domestic “about” SCT if it is routed internationally.

And I think the problem at issue probably pertains to the SCTs, not to MCTs.

The NSA statement on the issue says nothing that would suggest this is a problem with MCTs. Indeed, its example of an “about” collection is an SCT — an email that itself contains the designated selector.

An example of an “about” email communication is one that includes the targeted email address in the text or body of the email, even though the email is between two persons who are not themselves targets. The independent Privacy and Civil Liberties Oversight Board described these collection methods in an exhaustive report published in 2014.

More tellingly, Ron Wyden’s statement about the risk of the practice also describes an SCT — an American’s email that got collected because she mentioned the targeted selector.

“This change ends a practice that could result in Americans’ communications being collected without a warrant merely for mentioning a foreign target,”

The government hasn’t liked to talk much about SCTs. It appears to have made no mention of them in the notice to Congress of upstream problems leading up to reauthorization in 2012. And when Bates asked NSA to count SCTs as part of upstream discussions in 2011, it basically refused to do so. Bates came up with his own estimate of 46,000 communications a year (which represented the majority of the domestic communications collected via upstream surveillance). Ron Wyden has been pushing for a real estimate since literally the same period Bates was making his own up.

But basically, the government has been permitted to collect entirely domestic communications of Americans using targeted selectors since 2007, even as Internet usage means more and more completely domestic communications will transit overseas.

And SCTs are the ones most likely to show up in a query of a US person communication.

That’s because, when Bates was trying to sort through these issues in 2011, he viewed SCTs differently than he did MCTs, figuring that an SCT might itself have foreign intelligence value, whereas a completely unrelated email would not.

NSA’s upstream collection also likely results in the acquisition of tens of thousands of wholly SCTs that contain references to targeted selectors. See supra, pages 33-34 & note 33 (discussing the limits [redacted] Although the collection of wholly domestic “about” SCTs is troubling, they do not raise the same minimization-related concerns as discrete, wholly domestic communications that are neither to, from, nor about targeted selectors, or as discrete communications that are neither to, from, nor about targeted selectors, to any target, either of which may be contained within MCTs. The Court has effectively concluded that certain communications containing a reference to a targeted selector are reasonably likely to contain foreign intelligence information, including communications between non-target accounts that contain the name of the targeted facility in the body of the message. See Docket No. 07-449, May 31, 2007 Primary Order at 12 (finding probable cause to believe that certain “about” communications were “themselves being sent and/or received by one of the targeted foreign powers”). Insofar as the discrete, wholly domestic “about” communications at issue here are communications between non-target accounts that contain the name of the targeted facility, the same conclusion applies to them. Accordingly, in the language of FISA’s definition of minimization procedures, the acquisition of wholly domestic communications about targeted selectors will generally be “consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information.” See 50 U.S.C. 1801(h)(1). Nevertheless, the Court understands that in the event NSA identifies a discrete, wholly domestic “about” communication in its databases, the communication will be destroyed upon recognition.

Accordingly, most of the special minimization procedures pertaining to upstream collection — most importantly, that it be segregated in a special database — don’t apply to SCTs.

Importantly, that destroy upon recognition is not absolute: if an analyst sees it and determines a communication has Foreign Intelligence value or is evidence of a crime (or two other things), then it can be retained, with DIRNSA approval. Of course, some kinds of selectors — such as certain dark web addresses and encryption keys — might by themselves be evidence of a crime, meaning a back door search could (hypothetically at least) lead directly to an American being implicated via 702 collection.

There are just two special limits that would protect these completely domestic SCTs: a two year — rather than five year — aging off process. And the rule that appears to have gotten broken: NSA can’t do queries on US persons (that is, back door searches) on upstream collection.

Identifiers of an identifiable U.S. person may not be used as terms to identify and select for analysis any Internet communication acquired through NSA’s upstream collection techniques.

That’s the importance of this post — describing violations involving the use of US person selectors to search upstream communications. It shows how it was possible, in 2013 and 2014, for analysts to “inadvertently” do back door searches on upstream collection. Those violations almost certainly occurred with SCTs, not MCTs, because SCTs would be the ones in general repositories that analysts who weren’t specially trained would access.

We can see in those past violations how a US person search on upstream content might happen. In 2013, analysts would avoid searching on upstream data by formally excluding it as part of their search term (maybe by adding “NOT upstream” to their query). But on “many” occasions, analysts forget to exclude “upstream” in their back door searches on US person identifiers (and none of the unredacted discussion seems to have suggested requiring them to find a better approach to prevent searches on upstream data). Then, in 2014, ODNI and DOJ seemed to think that analysts were doing searches on identifiers they didn’t know were US person identifiers and as a result doing US person searches on upstream data because they hadn’t thought about excluding it (and, in fact, the wording of the minimization procedures permit searches using selectors that are not yet identifiable as US person selectors).

We’ll find out soon enough what the current inadvertent method of searching upstream collected data using US person selectors is. But the point is, under the minimization procedures, MCTs would be segregated from general repositories but SCTs would not be, and so the mistakes are going to be easier to make (and the volume of entirely domestic communications will be greater) with SCTs. To fix the SCT problem you’d either have to move all upstream about content out of general repositories, find a better way to avoid collecting domestic communications that transited internationally, stop doing back door searches, or stop collecting on about. They’re choosing the latter option. (Note, if this were an MCT problem, then you could just delete all about MCTs on intake.)

Here’s the rub though. If the problem with upstream collection arises because so many entirely domestic US person communications now transit internationally, then shutting down upstream collection will not offer much further protection for US persons, because SCTs are — by definition! — communications that the NSA claims were transiting internationally, and so would be readily available under EO 12333 collection. And EO 12333 collection is now easier to share under Obama’s EO 12333 sharing guidelines that were passed even as the debate about what to do about upstream collection was taking place. Those guidelines do prohibit the agencies from using “a query, identifier, or other selection term that is intended to select domestic communications,” but if NSA couldn’t prevent that with the heightened scrutiny that happens under FISA, how are they going to prevent it under EO 12333 analysis?

Now, to be fair, to do a content query of EO 12333 data, you’d need to get Attorney General (Jeff Sessions!) authorization or the head of the agency, the latter of which may be used for two entirely redacted reasons.

Still, if I’m right and the problem is SCTs, then ending upstream collection under Section 702 simply shifts the privacy problems under a new shell.

NSA Had Found “Many” Improper Queries on Upstream US Person Data at Least by 2013

/2 Comments/in /by

As noted, the government has shut down some upstream about collection. According to Charlie Savage, they did so, because “last year, officials said, the N.S.A. discovered that analysts were querying the bundled messages in a way that did not comply with those rules.”

While it’s not clear it’s the same problem, DOJ and ODNI have been aware that NSA analysts conducted improper queries of upstream data. The October 2014 Semiannual Report covering the period from June 1 through November 30, 2013, for example, describes the oversight teams finding enough instances of analysts querying upstream data with US person identifiers that it qualified “many” of the violations to be inadvertent.

The joint oversight team, however, is concerned about the increase in incidents involving improper queries using United States person identifiers, including incidents involving NSA’s querying of Section 702-acquired data in upstream data using United States Person identifiers. Specifically, although section 3(b)(5) of NSA’s Section 702 minimization procedures permits the scanning of media using United States person identifiers, this same section prohibits using United States person identifiers to query Internet communications acquired through NSA’s upstream collection techniques. NSA [redacted] incidents of non-compliance with this subsection of its minimization procedures, many of which involved analysts inadvertently searching upstream collection. For example, [redacted], the NSA analyst conducted approved querying with United States persons identifiers ([long redaction]), but inadvertently forgot to exclude Section 702-acquired upstream data from his query.

At least at this point, analysts had to affirmatively exclude upstream 702 from queries to avoid the search. A previous semiannual report described tracking such queries as difficult because all the data wasn’t in one place.

The following review period, December 1, 2013 to May 31, 2014, reviewers felt that NSA should require analysts to reveal whether they knew they were using a US person identifier to prevent similar queries.

Additionally, but separately, the joint oversight team believes NSA should assess modifications to systems used to query raw Section 702-acquired data to require analysts to identify when they believe they are using a United States person identifier as a query term. Such an improvement, even if it cannot be adopted universally in all NSA systems, could help prevent instances of otherwise approved United States person query terms being used to query upstream Internet transactions, which is prohibited by the NSA minimization procedures.64

The footnote explaining the need is redacted.

Again, it’s not clear that this is the problem that led to the shut-down of upstream about queries. But it is clear that problems go back years.

NSA to Stop Upstream “About” Searches

/3 Comments/in /by

Charlie Savage reports that the NSA is going to halt “about” searches, in which it collects the communications of Americans that mention a selector.

National security officials have argued that such surveillance is lawful and helpful in identifying people who might have links to terrorism, espionage or otherwise are targeted for intelligence-gathering. The fact that the sender of such a message would know an email address or phone number associated with a surveillance target is grounds for suspicion, these officials argued.

For what it’s worth, I am virtually certain the depiction here — the suggestion that the NSA only searches on an email or phone number — is incorrect. We know, for example, that the NSA searched or searches on cyber signatures. I have a lot of reason to believe it used to search on some signature (perhaps the encryption code) associated with Inspire magazine. I would be shocked if they didn’t search on the dark mail addresses for terrorist and other forums. Edward Snowden has said that NSA can search on any kind of selector that it can claim is tied to a target (and for 702, it wouldn’t have to make sure arguments on a selector by selector basis).

All that said, the First Amendment implications of searching on things like that was not why the NSA is shutting it down. According to Savage’s report, the NSA was querying multiple communication transactions including US person data.

N.S.A. discovered that analysts were querying the bundled messages in a way that did not comply with those rules. The agency brought the matter to the court’s attention, resulting in a delay in reauthorizing the broader warrantless surveillance program until the agency proposed ceasing this collection practice.

There’s abundant reason to believe the NSA knew about this all the time — that they just revealed it for the first time (which brings me back to questions about the departures of John Carlin and Mary McCord during this process). But good riddance to the process.

Update: Here’s the NSA’s statement.

 

How to Spy on Carter Page

/2 Comments/in , , /by

I have no personal knowledge of the circumstances surrounding the alleged wiretapping of Carter Page, aside from what WaPo and NYT have reported. But, in part because the release of the new, annual FISC report has created a lot of confusion, I wanted to talk about the legal authorities that might have been involved, as a way of demonstrating (my understanding, anyway, of) how FISA works.

FISC did not (necessarily) reject more individual orders last year

First, let’s talk about what the FISC report is. It is a new report, mandated by the USA Freedom Act. As the report itself notes, because it is new (a report covering the period after passage of USAF), it can’t be compared with past years. More importantly, because the FISA Court uses a different (and generally more informative) reporting approach, you cannot — as both privacy groups and journalists erroneously have — compare these numbers with the DOJ report that has been submitted for years (or even the I Con the Record report that ODNI has released since the Snowden leaks); that’s effectively an apples to grapefruit comparison. Those reports should be out this week, which (unless the executive changes its reporting method) will tell us how last year compared with previous years.

But comparing last year’s report to the report from the post-USAF part of 2015 doesn’t sustain a claim that last year had record rejections. If we were to annualize last year’s report (covering June to December 2015) showing 5 rejected 1805/1824 orders (those are the individual orders often called “traditional FISA”) across roughly 7 months, it is actually more (.71 rejected orders a month or .58% of all individual content applications) than the 8 rejected 1805/1824 orders last year (.67 rejected orders a month or .53% of all individual content applications). In 2016, the FISC also rejected an 1861 order (better known as Section 215), but we shouldn’t make too much of that either given that that authority changed significantly near the end of 2015, plus we don’t have this counting methodology for previous years (as an example, 2009 almost surely would have at least one partial rejection of an entire bulk order, when Reggie Walton refused production of Sprint records in the summertime).

Which is a long-winded way of saying we should not assume that the number of traditional content order rejections reflects the reports that FBI applied for orders on four Trump associates but got rejected (or maybe only got one approved for Page). As far as we can tell from this report, 2016 had a similar number of what FISC qualifies as rejections as 2015.

The non-approval of Section 702 certificates has no bearing on any Russian-related spying, which means Page would be subject to back door searches

Nor should my observation — that the FISC did not approve any certifications for 1881a (better known as Section 702, which covers both upstream and PRISM) reflect on any Carter Page surveillance. Given past practice when issues delayed approvals of certifications, it is all but certain FISC just extended the existing certifications approved in 2015 until the matters that resulted in an at least 2 month delay were resolved.

Moreover, the fact that the number of certificates (which is probably four) is redacted doesn’t mean anything either: it was redacted last year as well. That number would be interesting because it would permit us to track any expansions in the application of FISA 702 to new uses (perhaps to cover cybersecurity, or transnational crime, for example). But the number of certificates pertains to the number of people targeted only insofar as any additional certificates represent one more purpose to use Section 702 on.

In any case, Snowden documents, among other things, show that a “foreign government” certificate has long been among the existing certificates. So we should assume that the NSA has collected the conversations of known or suspected Russian spies located overseas conducted on PRISM providers; we should also assume that as a counterintelligence issue implicating domestic issues, these intercepts are routinely shared in raw form with FBI. Therefore, unless last year’s delay involved FBI’s back door searches, we should assume that when the FBI started focusing on Carter Page again last spring or summer, they would have routinely searched on his known email addresses and phone numbers in a federated search and found any PRISM communications collected. In the same back door search, they would have also found any conversations Page had with Russians targeted domestically, such as Sergey Kislyak.

The import of the breakdown between 1805 and 1824

Perhaps the most important granular detail in this report — one that has significant import for Carter Page — is the way the report breaks down authorizations for 1805 and 1824.

1805 covers electronic surveillance — so the intercept of data in motion. It might be used to collect phone calls and other telephony communication, as well as (perhaps?) email communication collected via upstream collection (that is, non-PRISM Internet communication that is not encrypted); it may well also cover prospective PRISM and other stored communication collection. 1824 covers “physical search,” which when it was instituted probably covered primarily the search of physical premises, like a house or storage unit. But it now also covers the search of stored communication, such as someone’s Gmail or Dropbox accounts. In addition, a physical search FISA order covers the search of hard drives on electronic devices.

As we can see for the first time with these reports, most individual orders cover both 1805 and 1824 (92% last year, 88% in 2015), but some will do just one or another. (I wonder if FBI sometimes gets one kind of order to acquire evidence to get the other kind?)

As filings in the Keith Gartenlaub case make clear, “physical search” conducted under a FISA order can be far more expansive than the already overly expansive searches of devices under a Article III warrant. Using a FISA 1824 order, FBI Agents snuck into Gartenlaub’s house and imaged the hard drives from a number of his devices, ostensibly looking for proof he was spying on Boeing for China. They found no evidence to support that. They did, however, find some 9-year old child pornography files, which the government then “refound” under a criminal search warrant and used to prosecute him. Among the things Gartenlaub is challenging on appeal is the breadth of that original FISA search.

Consider how this would work with Carter Page. The NYT story on the Page order makes it clear that FBI waited until Page had left the Trump campaign before it requested an order covering him.

The Foreign Intelligence Surveillance Court issued the warrant, the official said, after investigators determined that Mr. Page was no longer part of the Trump campaign, which began distancing itself from him in early August.

I suspect this is a very self-serving description on the part of FBI sources, particularly given reports that FISC refused orders on others. But regardless of whether FISC or the FBI was the entity showing discretion, let’s just assume that someone was distinguishing any communications Page may have had while he was formally tied to the campaign from those he had after — or before.

This is a critical distinction for stored communications because (as the Gartenlaub case makes clear) a search of a hard drive can provide evidence of completely unrelated crime that occurred nine years in the past; in Gartenlaub’s case, they reportedly used it to try to get him to spy on China and they likely would do the equivalent for Page if they found anything. For Page, a search of his devices or stored emails in September 2016 would include emails from during his service on Trump’s campaign, as well as emails between the time Page was interviewed by FBI on suspicion of being recruited by Victor Podobnyy and the time he started on the campaign, as well as communications going back well before that. So if FISC (or, more generously, the FBI) were trying to exclude materials from during the campaign, that might involve restrictions built into the request or the final order

The report covering 2016 for the first time distinguishes between orders FISC modifies (FISC interprets this term more broadly than DOJ has in its reports) and orders FISC partly denies. FISC will modify an order to, among other things,

(1) impos[e] a new reporting requirement or modifying one proposed by the government;

(2)  chang[e] the description or specification of a targeted person, of a facility to be subjected to electronic surveillance or of property to be searched;

(3)  modify[] the minimization procedures proposed by the government; or

(4)  shorten[] the duration of some or all of the authorities requested

Using Page as an example, if the FISC were permitting FBI to obtain communications from before the time Page joined the campaign but not during it, it might modify an order to require additional minimization procedures to ensure that none of those campaign communications were viewed by the FBI.

The FISC report explains that the court will partly deny orders and “by approving some targets, some facilities, places, premises, property or specific selection terms, and/or some forms of collection, but not others.” Again, using Page as an example, if the court wanted to really protect the election related communications, it might permit a search of Page’s homes and offices under 1824, but not his hard drives, making any historic searches impossible.

There’s still no public explanation of how Section 704/Section 705b work, which would impact Page

Finally, the surveillance of Carter Page implicates an issue that has been widely discussed during and since passage of the FISA Amendments Act in 2008, but not in a way that fully supports a democratic debate: how NSA spies on Americans overseas.

Obviously, the FBI would want to spy on Page both while he was in the US, but especially when he was traveling abroad, most notably on his frequent trips to Russia.

The FISA Amendments Act for the first time required the NSA to obtain FISC approval before doing that. As I explain in this post, for years, public debate has claimed that was done under Section 703 (1881b in this report). But abundant evidence shows it is all done under 704 (1881c in this report). The biggest difference between the two, according to an internal NSA document, is the government doesn’t explain its methods in the latter case. With someone who would be spied on both in the US and overseas, that spying would be done under 705b (conducted under 1881d section b), which permits the AG to approve of spying overseas (effectively, 704 authority) for those already approved under a traditional order.

This matters in the context of spying on Carter Page for two reasons. First, as noted government doesn’t share details about how it spies overseas with the court. And some of the techniques we know NSA to use — such as XKeyscore searches drawing on bulk overseas collection — would seem to present additional privacy concerns on top of the domestic authorities. If the FBI (or more likely, the FISC) is going to try to bracket off any communications that occur during the period Page was associated with the campaign, that would have to be done for overseas surveillance as well, most critically, for Page’s July trip to Russia.

This report shows that 704, like the domestic authorities, also gets modified sometimes, so it may be that FISC did just that — permitted NSA to collect information covering that July meeting, but imposed some minimization procedures to protect the campaign.

But it’s unclear whether the court would have an opportunity to do so for 705b, which derives from Attorney General authorization, not court authorization. I assume that’s why 1881d was not included in this reporting requirement, but it seems adding 705b reporting to Title VII reauthorization this year would be a fairly minor change, but one that might reveal how often the government uses more powerful overseas spying techniques on Americans. It’s unclear to me, for example, whether any modifications or partial approvals the FISC made on a joint 1805/1824 order covering Page would translate into a 705b order, particularly if the modifications in question included additional reporting to the FISC.

Carter Page might one day be the first American to get review of his FISA dossier

All of which is why, no matter what you think of Carter Page’s alleged role in influencing the Trump campaign to favor Russia, I hope he one day gets to review his FISA dossier.

No criminal defendant has ever gotten a review of the FISA materials behind the spying, in spite of clear Congressional intent, when the law was passed in 1978, to allow that in certain cases. Because of the publicity surrounding this case, and the almost unprecedented leaking about FISA orders, Page stands a better chance than anyone else of getting such review (particularly if, as competing stories from CNN and Business Insider claim, the dossier formed a key, potentially uncorroborated part of the case against him). Whatever else happens with this case, I think Page should get that review.

Annual FISC Report Suggests the Court Did Not Approve ANY Section 702 Certificate in 2016

/2 Comments/in /by

The Administrative Office of the Courts just released the FISC annual report, the first full year report issued after USA Freedom Act.

I’ll work on more analysis in a moment, but wanted to point to something that is fairly remarkable, if I’m reading the report correctly.

Here’s the top line report for the year. Note, in particular, the 1881a line.

As last year’s report did, this year’s redacts the number of certificates the government applied for. But then the footnote reads, in part,

The government submitted this number of certification(s) during calendar year 2016 but the Court did not take action on any such certification(s) within the calendar year.

That, plus the “0”s in the table, seems to state clearly that the FISC did not approve last year’s Section 702 application.

What that likely means, given the precedent set in 2011, is that the government submitted applications (usually they do this with a month of lead time), but the court would not approve the applications as submitted. In 2011, the government got a series of extensions, so 702 never lapsed. The prior approval before last year was November 6, 2015, so it would only have had to have been extended 2 months to get into this year. So that seems to suggest there was at least a three month (application time plus extension) delay in approving the certifications for this year.

Note, too, that the report shows the only amicus appointed last year was Marc Zwillinger for a known PRTT application, so this hold up wasn’t even related to an amicus complaint.

In any case, this may reflect significant issues with 702.

Update: Here’s the 2011 702 opinion, which documents the last known time this happened (though there must have been a roughly month-long delay once since then). After submitting an application in April for May reauthorization, the government got two 60-day extensions, and one more month-long extensions, with final approval on October 3, 2011. It appears there was no big problem with getting the extensions (though at one point, Bates had a meeting with DOJ to tell them he was serious about the reapproval process), so presumably any extension in November would have been granted without much fuss.

One other thing that is worth noting. On September 27, 2016, then Assistant Attorney General John Carlin announced he would be leaving in a month. Mary McCord (who announced her own departure today) took over on October 15. So the transition between the two of them would have happened in the weeks before the certificates would have normally been reauthorized. Whatever Carlin’s reasons for leaving (which has never been made public, as far as I know) the transition between the two of them may have exacerbated any delay.

I Con the Record’s “Generally” Useful Section 702 Q&A

/1 Comment/in /by

As the next step in the effort to reauthorize FISA Section 702, I Con the Record has a released a “generally” useful Q&A document on the law. For those who haven’t been following along, it includes links to many (though not all) of the public resources on Section 702. It provides a generally fair overview, with some new almost admissions, which should at least provide Congress with a road map for unanswered questions they should demand answers on.

Downplaying FBI back door searches

My biggest gripe with the report parallels a gripe I’ve had about public testimony on Section 702 since the first confirmations that the NSA, CIA, and FBI can conduct queries on raw data — back door searches. In public hearings, the intelligence community always sends NSA witnesses who can describe, as former NSA lawyer April Doss did in March, a back door search process that is fairly constrained.

I’m most familiar with NSA’s processes: NSA analysts must obtain prior approval to run U.S. person identifier queries in FAA 702 content; there must be a basis to believe the query is reasonably likely to return foreign intelligence information; all queries are logged and reviewed after the fact by NSA; and DoJ and ODNI review every U.S. person query run at NSA and CIA, along with the documented justifications for those queries.

Of course, even though this description is completely true (as far as we know), it is completely useless when it comes to helping Congress understand the problems inherent to back door searches.

Here’s what the Q&A document says about back door searches.

The government’s minimization procedures restrict the ability of analysts to query the databases that hold “raw” Section 702 information (i.e., where information identifying a U.S. person has not yet been minimized for permanent retention) using an identifier, such as a name or telephone number, that is associated with a U.S. person. Generally, queries of raw content are only permitted if they are reasonably designed to identify foreign intelligence information, although the FBI also may conduct such queries to identify evidence of a crime. As part of Section 702’s extensive oversight, DOJ and ODNI review the agencies’ U.S. person queries of content to ensure the query satisfies the legal standard. Any compliance incidents are reported to Congress and the FISC.

12 Queries of Section 702 data using U.S. person identifiers are sometimes mischaracterized in the public discourse as “backdoor searches.”

While it’s true that NSA and CIA minimization procedures impose limits on when an analyst can query raw data for content (but not for metadata at CIA), that’s simply not true at FBI, where the primary rule is that if someone is not cleared for FISA themselves, they ask a buddy to access the information. As a result — and because FBI queries FISA data for any national security assessment and “with some frequency” in the course of criminal investigations. In other words, partly because FBI is a domestic agency and partly because it has broader querying authorities, it conduct a “substantial” number of queries as opposed to the thousands done by CIA. Here’s how PCLOB describes it:

In 2013, the NSA approved 198 U.S. person identifiers to be used as content query terms.

[snip]

In 2013, the CIA conducted approximately 1,900 content queries using U.S. person identifiers. Approximately forty percent of these content queries were at the request of other U.S. intelligence agencies. Some identifiers were queried more than once; the CIA has advised that approximately 1,400 unique identifiers were queried during this period.

[snip]

The CIA does not track how many metadata-only queries using U.S. person identities have been conducted.

[snip]

[T]he FBI’s minimization procedures differ from the NSA and CIA’s procedures insofar as they permit the FBI to conduct reasonably designed queries “to find and extract” both “foreign intelligence information” and “evidence of a crime.”

[snip]

Because they are not identified as such in FBI systems, the FBI does not track the number of queries using U.S. person identifiers. The number of such queries, however, is substantial for two reasons. First, the FBI stores electronic data obtained from traditional FISA electronic surveillance and physical searches, which often target U.S. persons, in the same repositories as the FBI stores Section 702–acquired data, which cannot be acquired through the intentional targeting of U.S. persons. As such, FBI agents and analysts who query data using the identifiers of their U.S. person traditional FISA targets will also simultaneously query Section 702–acquired data. Second, whenever the FBI opens a new national security investigation or assessment, FBI personnel will query previously acquired information from a variety of sources, including Section 702, for information relevant to the investigation or assessment. With some frequency, FBI personnel will also query this data, including Section 702– acquired information, in the course of criminal investigations and assessments that are unrelated to national security efforts.

So it’s simply dishonest to say that, “Generally, queries of raw content are only permitted if they are reasonably designed to identify foreign intelligence information,” because the most common queries involve national security and common criminal purposes as well. “Generally,” the queries don’t require such things, unless you’re focusing primarily at CIA and NSA, where the threat to US person privacy at the least.

Then, one thing this Q&A doesn’t say is that Judge Thomas Hogan required the FBI to tell FISC of any positive hits on searches for entirely criminal purposes. Congress should know that, because it’s an easy data point that the IC should be able to share with Congress.

And while the document generally describes giving notice to defendants,

Section 706 governs the use of Title VII-derived information in litigation; as with Traditional FISA, it requires the government to give notice to aggrieved persons when the government intends to use evidence obtained or derived from Title VII collection in legal proceedings.

It doesn’t hint at how apparently inadequate this notice has been. Those are all details that Congress needs to know.

Hiding a cybersecurity certificate in the cheap seats?

I’m also interested in how the Q&A describes the purpose of 702. Here’s the 5 bullet points describing 702 successes (I’ve changed ODNI’s bullets to numbers for ease of reference):

  1. NSA has used collection authorized under FISA Section 702 to acquire extensive insight into the highest level decision-making of a Middle Eastern government. This reporting from Section 702 collection provided U.S. policymakers with the clearest picture of a regional conflict and, in many cases, directly informed U.S. engagement with the country. Section 702 collection provides NSA with sensitive internal policy discussions of foreign intelligence value.
  2. NSA has used collection authorized under FISA Section 702 to develop a body of knowledge regarding the proliferation of military communications equipment and sanctions evasion activity by a sanctions-restricted country. Additionally, Section 702 collection provided foreign intelligence information that was key to interdicting shipments of prohibited goods by the target country.
  3. Based on FISA Section 702 collection, CIA alerted a foreign partner to the presence within its borders of an al-Qaeda sympathizer. Our foreign partner investigated the individual and subsequently recruited him as a source. Since his recruitment, the individual has continued to work with the foreign partner against al-Qaeda and ISIS affiliates within the country.
  4. CIA has used FISA Section 702 collection to uncover details, including a photograph, that enabled an African partner to arrest two ISIS-affiliated militants who had traveled from Turkey and were connected to planning a specific and immediate threat against U.S. personnel and interests. Data recovered from the arrest enabled CIA to learn additional information about ISIS and uncovered actionable intelligence on an ISIS facilitation network and ISIS attack planning.
  5. NSA FISA Section 702 collection against an email address used by an al-Qaeda courier in Pakistan resulted in the acquisition of a communication sent to that address by an unknown individual located in the United States. The message indicated that the United States-based individual was urgently seeking advice regarding how to make explosives. The NSA passed this information to the FBI. Using a National Security Letter (NSL), the FBI was able to quickly identify the individual as Najibullah Zazi. Further investigation revealed that Zazi and a group of confederates had imminent plans to detonate explosives on subway lines in Manhattan. Zazi and his co-conspirators were arrested and pled guilty or were convicted of their roles in the planned attack. As the Privacy and Civil Liberties Oversight Board (PCLOB) found in its report, “[w]ithout the initial tip-off about Zazi and his plans, which came about by monitoring an overseas foreigner under Section 702, the subway bombing plot might have succeeded.”

The list has two advantages over the lists the IC was releasing in 2013. First, it’s more modest about its claims, not, this time, listing every quasi-thwarted terrorist funding opportunity as a big success. In addition, it describes all three confirmed certificates (from the Snowden documents): counterterrorism (bullets 3 through 5), counterproliferation (2), and foreign government (1, though if this is Iran, it might also be counterproliferation). It also admits that one point of all this spying is to find informants (bullet 3), even if not as explicitly as some court filings and IG reports do. That purpose — and the associated sensitivities (including whether and how it is used by FBI) is one thing all members of Congress should be briefed on.

That said, the description of the foreign government certificate doesn’t come close to describing the kinds of people who might be swept up in it, and as such provides what I believe to be a misleading understanding of who might be targeted under 702.

Note, too, the silence about the use of certificates for counterintelligence purposes, which the government surely does. Again, that would present different threats to Americans’ privacy.

Then there’s the last sentence of the document, in the upstream collection section.

Furthermore, this collection has allowed the IC to acquire unique intelligence that informs cybersecurity efforts.

Oh, huh, what’s that doing there in the last line of the document rather than in the successes section?

From the very first public discussions of 702 after Edward Snowden, ODNI included cybersecurity among the successes, even before it had a certificate. In fact, the document released June 8, 2013, just three days after the first Snowden release, echoed some of the same language:

Communications collected under Section 702 have provided significant and unique intelligence regarding potential cyber threats to the United States including specific potential computer network attacks. This insight has led to successful efforts to mitigate these threats.

This is a problem! Whether or not upstream 702 could be used for cyber purposes has been an undercurrent since the first USA Freedom Act. There are conflicting reports on whether NSA did obtain a cyber certificate in 2012, as they hoped to, or whether that was denied or so limited that it didn’t serve the function the NSA needed. I’ve even been told that CISA is supposed to serve the same purpose.That said, FBI’s minimization procedures (but not, by my read, NSA’s) include some language directed at cybersecurity.

Congress deserves to have a better sense of whether and how the government is using upstream 702 for cybersecurity, because there are unique issues associated with it. It’s clearly a great application of upstream searches, but not one without some risks. So the government should be more clear about this, at least in classified briefings available to all members.

Admitting NSA uses Section 704 not Section 703

Finally, this language is as close as the IC has come to admitting that it uses Section 704, not Section 703, to target Americans overseas.

In contrast to Section 702, which focuses on foreign targets, Section 704 provides additional protection for collection activities directed against U.S. persons located outside of the United States. Section 2.5 of Executive Order 12333 requires the AG to approve the use of “any technique for which a warrant would be required if undertaken for law enforcement purposes” against U.S. persons abroad for intelligence purposes. The AG’s approval must be based on a determination that probable cause exists to believe the U.S. person is a foreign power or an agent of a foreign power. Section 704 builds upon these pre-FAA requirements and provides that, in addition to the AG’s approval, the government must obtain an order from the FISC in situations where the U.S. person target has “a reasonable expectation of privacy and a warrant would be required if the acquisition were conducted inside the United States for law enforcement purposes.” The FISC order must be based upon a finding that there is probable cause to believe that the target is a foreign power, an agent of a foreign power, or an officer or employee of a foreign power and that the target is reasonably believed to be located outside the United States. By requiring the approval of the FISC in addition to the approval of the AG, Section 704 provides an additional layer of civil liberties and privacy protection for U.S. persons located abroad.

In addition to Sections 702 and 704, the FAA added several other provisions to FISA. Section 701 provides definitions for Title VII. Section 703 allows the FISC to authorize an application targeting a U.S. person located outside the U.S. when the collection is conducted inside the United States. Like Section 704, Section 703 requires a finding by the FISC that there is probable cause to believe that the target is a foreign power, an agent of a foreign power, or an officer or employee of a foreign power and is reasonably believed to be located outside the United States.

I’ve written about the distinction here.

Now, in theory, the authority used may not make a difference. Moreover, it’s possible that the NSA simply uses 705b for Americans overseas, meaning they can rely on domestic providers for stored Internet data, while using their more powerful spying for overseas content (in which case Congress should know that too).

But I also think the methods used may have an impact on US persons’ privacy, both the target and others. I’ll try to lay this out in a post in the coming days.

All of which is to say, this document is useful. But there are a few areas — particularly with FBI back door searches, which is the most important area — where the document gets noticeably silent.