Ron Wyden’s History of Bogus Excuses for Not Counting 702 US Person Collection

/6 Comments/in , /by

The other day, Ron Wyden gave a long speech on FISA Section 702, purportedly explaining why he was voting against Dan Coats to be Director of National Intelligence. Wyden voted against Coats because his former colleague would not commit to providing a number of the number of Americans swept up under Section 702. Given that it’s always a good idea to read Wyden closely, I wanted to summarize what he said. I’ll look at his complaints in a separate post, but for now I wanted to focus on Wyden’s description of the bogus explanations James Clapper and others gave Wyden in his past efforts to get the number of Americans sucked up in 702. I summarized the known exchanges that occurred on this issue before Clapper’s famous “not wittingly” lie here.

In 2011, both Wyden and John Bates were asking for numbers at the same time — NSA refused both

The first request for a count is temporally significant(update: I think I just missed this one in the past). In April 2011, Wyden and Mark Udall asked for the number.

In April of 2011, our former colleague, Senator Mark Udall, and I then asked the Director of National Intelligence, James Clapper, for an estimate.

According to Clapper’s response, they sent a written letter with the request on July 14, 2011. The timing of this request is critically important because it means Wyden and Udall made the request during the period when NSA and FISA Judge John Bates were discussing the upstream violations (see this post for a timeline). As part of that long discussion Bates had NSA do analysis of how often it collected US person communications that were completely unrelated to a targeted one (MCTs). Once Bates understood the scope of the problem, he asked how many US person communications it collected that were a positive hit on the target that were the only communication collected (SCTs).

But the timing demands even closer scrutiny. On July 8, John Bates went to DOJ to express “serious concerns” — basically, warning them he might not be able to reauthorize upstream surveillance. On July 14 — the same day Wyden and Udall asked Clapper for this information — DOJ asked Bates for another extension to respond to his questions, promising more information. Clapper blew off Wyden and Udall’s request in what must be record time — on July 26. On August 16, DOJ provided their promised additional information to Bates. That ended up being a count of how many Americans were affected in MCTs.

That means Clapper claimed he couldn’t offer a number even as NSA was doing precisely the kind of count that Wyden and Udall wanted, albeit for just one kind of 702 collection. And, as Wyden suggested in his speech, Clapper’s answer was non-responsive, answering how many US persons had their communications reviewed, rather than how many had their communications collected.

In July of that year, the director wrote back and said, and I quote, it was not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed under the authority of the Foreign Intelligence Surveillance Act. He suggested reviewing the classified number of disseminated intelligence reports containing a reference to a U.S. Person, but that is very different than the number of Americans whose communications have been collected in the first place. And that’s what this is all about.

Then, after the government presented the information on how many US persons were collected via MCTs to Bates in August, Bates asked them to go back and count SCTs.

NSA refused.

Both FISC and members of SSCI were asking for this information in the same time period, and NSA refused to provide the count.

Since NSA wouldn’t help him, Bates invented an estimate himself, calculating that some 46,000 entirely domestic communications were collected under upstream collection each year.

NSA’s manual review focused on examining the MCTs acquired through NSA’s upstream collection in order to assess whether any contained wholly domestic communications. Sept. 7, 2011 Hearing Tr. at 13-14. As a result, once NSA determined that a transaction contained a single discrete communication, no further analysis of that transaction was done. See Aug. 16 Submission at 3. After the Court expressed concern that this category of transactions might also contain wholly domestic communications, NSA conducted a further review. See Sept. 9 Submission at 4. NSA ultimately did not provide the Court with an estimate of the number of wholly domestic “about” SCTs that may be acquired through its upstream collection. Instead, NSA has concluded that “the probability of encountering wholly domestic communications in transactions that feature only a single, discrete communication should be smaller — and certainly no greater — than potentially encountering wholly domestic communications within MCTs.” Sept. 13 Submission at 2.

The Court understands this to mean that the percentage of wholly domestic communications within the universe of SCTs acquired through NSA’s upstream collection should not exceed the percentage of MCTs within its statistical sample. Since NSA found 10 MCTs with wholly domestic communications within the 5,081 MCTs reviewed, the relevant percentage is .197% (10/5,081). Aug. 16 Submission at 5.

NSA’s manual review found that approximately 90% of the 50,440 transactions in the same were SCTs. Id. at 3. Ninety percent of the approximately 13, 25 million total Internet transactions acquired by NSA through its upstream collection during the six-month period, works out to be approximately 11,925,000 transactions. Those 11,925,000 transactions would constitute the universe of SCTs acquired during the six-month period, and .197% of that universe would be approximately 23,000 wholly domestic SCTs. Thus, NSA may be acquiring as many as 46,000 wholly domestic “about” SCTs each year, in addition to the 2,000-10,000 MCTs referenced above.

Presumably, Wyden learned that NSA had been doing such a count in October, well after Clapper had given his first non-responsive answer.

The 2012 privacy violation claim

Wyden skips the next request he made, when on May 4, 2012, he and Udall asked the Intelligence Community Inspector General Charles McCullough for a number (I laid out the timing of the request in this post). When they also tried to include language in the FAA reauthorization requiring the IGs to come up with a number, SSCI refused, citing their outstanding request to McCullough. Of course, McCullough did not get back to the Senators with his refusal to do such a count until after the bill had passed out of committee. He responded by saying NSA IG George Ellard didn’t have the capacity for such a review, and besides, it would violate the privacy of Americans to find out how much NSA was violating their privacy.

I defer to his conclusion that obtaining such an estimate was beyond the capacity of his office and dedicating sufficient additional resources would likely impede the NSA’s mission. He further stated that his office and NSA leadership agreed that an IG review of the sort suggested would itself violate the privacy of U.S. persons.

Clapper blows off 12 Senators

In response, Wyden rounded up some privacy minded Senators to sign onto a letter asking for an estimate of the number. In this week’s speech, Wyden noted that he said he’d be willing to take an estimate. He didn’t remind his listeners that he and his friends also asked whether such an estimate had been done.

  • Have any entities made any estimates — even imprecise estimates — about how many US communications have been collected under section 702 authorities?

The answer to that question — at least with regards to upstream collection — was yes. NSA had estimated the MCTs and Bates, using their estimate, had made an even rougher estimate of the SCTs. But as I noted here, members of Congress relying on the purported disclosure to Congress about the upstream violations wouldn’t know that — or that the upstream violations involved entirely US person collection. As Wyden noted in his speech, Congress didn’t get this information before the reauthorized FAA.

We still got no answer. And section 702 was reauthorized without this necessary information.

Clapper’s least untruthful answer

Wyden also doesn’t address Clapper’s famous March 2013 lie. Since the exposure of the phone dragnet, most discussions have assumed Wyden was probing only about that program. But the question, as asked, absolutely applied to incidental collection.

Wyden: Does the NSA collect any type of data, at all, on millions, or hundreds of millions of Americans?

Clapper: No sir.

Wyden: It does not?

Clapper: There are cases where they could inadvertently, perhaps, uh, collect, but not wittingly.

Indeed, several of Clapper’s many excuses claim he was thinking of content when he responded. Even if he were, his first answer would still be yes: the NSA collects on so many millions of Americans incidentally that it refuses to count it. But Clapper’s “not wittingly” response is almost certainly not a goof, since he gave it after Wyden had provided a day’s warning the question would be asked and after two different John Bates’ opinions that made it clear that he would forgive the collection of content so long as NSA didn’t know about it, but once they knew about it, then it would become illegal. The not wittingly response reinforces my firm belief that the reason the government refuses to count this is because then a great deal of their Section 702 collection would be deemed illegal under those two FISC precedents.

Clapper’s blow-off becomes Dan Coats’ blow-off

Which is where Wyden brings us up to date, with both house of Congress asking for such a number and — after promises it would be forthcoming — not getting it.

So last year looking at the prospect of the law coming up, there was a renewed effort to find out how many law-abiding Americans are getting swept up in these searches of foreigners. In April 2016 a bipartisan letter from members of the House Judiciary Committee asked the Director of National Intelligence for a public estimate of the number of communications or transactions involving United States persons are collected under section 702 on an annual basis. This letter coming from the House Democrats and Republicans, again asked for a rough estimate. This bipartisan group suggested working with director clapper to determine the methodology to get this estimate.

In December there were hints in the news media that something might be forthcoming, but now we’re here with a new administration considering the nomination of the next head of the intelligence community who has said that reauthorizing section 702 is his top legislative priority and that there is no answer in sight to the question Democrats and Republicans have been asking for over six years. How many innocent law-abiding Americans are getting swept up in these searches under a law that targets foreigners overseas?

There’s one tiny tidbit he doesn’t mention here. Coats never answered that he wouldn’t provide an answer. Rather, he said he didn’t understand the technical difficulties behind providing one (not even after participating in the 2012 vote where this was discussed). In his confirmation hearing, Coats explained one reason why he couldn’t learn what the technical difficulties were before he was confirmed. When he resigned the Senate, his clearance had lapsed, and during his confirmation process, his new clearance was being processed. That meant that for this — and any other classified question that Coats might want to consider anew — he was unable to get information.

The Senate doesn’t seem to care about this serial obstruction, however. Coats was confirmed with an 85-12 vote, with the following Senators voting against confirmation.

Baldwin (D-WI)
Booker (D-NJ)
Duckworth (D-IL)
Gillibrand (D-NY)
Harris (D-CA)
Markey (D-MA)
Merkley (D-OR)
Paul (R-KY)
Sanders (I-VT)
Udall (D-NM)
Warren (D-MA)
Wyden (D-OR)

Given how hard the IC is trying to hide this, the actual exposure of US persons must be fairly significant. We’ll see whether Congress finds another way to force this information out of the IC.

Updated with more granular timing on the 2011 exchange.

The Yahoo Indictment: Erectile Dysfunction Marketing, Plus Stuff NSA Does All the Time

/10 Comments/in , /by

With much fanfare today, DOJ indicted four men for pawning Yahoo from 2014 to 2016. The indictment names two FSB officers, Dmitry Dokuchaev (who was charged by Russia with treason in December) and Igor Sushchin (who worked undercover at a Russian financial company), and two other hackers, Alexsey Belan (who has been indicted in the US twice and was named in December’s DNC hack sanctions) and Karim Baratov (who, because he lives in Canada, was arrested and presumably will be extradited).

Among the charged crimes, they accused Belan of using his access to the Yahoo network to game search results for erectile dysfunction drugs, for which he got commission from the recipient of the redirected traffic.

BELAN leveraged his access to Yahoo’s network to enrich himself: (a) through an online marketing scheme, by manipulating Yahoo search results for erectile dysfunction drugs; (b) by searching Yahoo user email accounts for credit card and gift card account numbers and other information that could be monetized; and (c) by gaining unauthorized access to the accounts of more than 30 million Yahoo users, the contacts of whom were then stolen as part of a spam marketing scheme.

But almost the entirety of the rest of the indictment — forty-seven charges worth — consist of stuff the FBI and NSA do both lawfully in this country and under EO 12333 in other countries (almost certainly including Russia).

Collect metadata and then collect content over time

Consider the details the indictment provides about how these Russians obtained information from Yahoo and other email services, including Google.

First, they collected a whole bunch of metadata.

[T]he conspirators stole non-content information regarding more than 500 million Yahoo user accounts as a result of their malicious intrusion.

The US did this in bulk under the PRTT Internet dragnet program from 2004 to 2011, and now conducts similar metadata collection overseas (as well as — in more targeted fashion — under PRISM). Mind you, the Russians got far more types of metadata than the US did under the PRTT program.

account users’ names; recovery email accounts and phone numbers, which users provide to webmail providers, such as Yahoo, as alternative means of communication with the provider; password challenge questions and answers; and certain cryptographic security information associated with the account, i.e. the account’s “nonce”

But this likely gives you an understanding of the kinds of things the US does collect overseas, as well as via the PRISM program.

The Russians then either accessed the accounts directly or created fake cookies to access accounts (note, the US also gets cookies lawfully from at least some Internet providers; I suspect they also do so under the new USA Freedom collection).

The indictment provides this comment about how many Yahoo user accounts the Russians accessed by minting cookies over the almost three years they were in Yahoo’s networks (January 2014 to December 1, 2016; this may not represent the entirety of the Yahoo content they accessed).

The conspirators utilized cookie minting to access the contents of more than 6,500 Yahoo user accounts.

Compare that to US requests from Yahoo in just 2015. Yahoo turned over content on at least 40,000 accounts under FISA (first half, second half) and content in response to 2,356 US law enforcement requests during a period when government requests averaged 1.8 account per request (so roughly 4,240 accounts).

Once they accessed the accounts, they maintained access to them, as the government does under PRISM.

The conspirators used their access to the AMT to (among other unauthorized actions) maintain persistent unauthorized access to some of the compromised accounts.

The Russians used both the metadata and content stolen from Yahoo to obtain access to other accounts, both in the US and in Russia.

the conspirators used the stolen Yahoo data to compromise related user accounts at Yahoo, Google, and other webmail providers, including the Russian Webmail Provider

Again, this is a key function of metadata requests by the US — to put together a mosaic of all the online accounts of a given target, so they can access all the accounts that may be of interest.

Like PRISM (but reportedly unlike the scan of all Yahoo emails FBI had done in 2015), the Russians were not able to search all of Yahoo’s email for content. Instead they searched metadata to find content of interest.

The AMT did not permit text searches of underlying data. It permitted the conspirators to access information about particular Yahoo user accounts. However, by combining their control of the stolen UDE copy and access to the AMT, the conspirators could, for example, search the UDE contents to identify Yahoo user accounts for which the user had provided a recovery email account hosted by a specific company of interest to the conspirators (e.g., “[email protected]”)­ showing that the user was likely an employee of the company of interest-and then use information from the AMT to gain unauthorized access to the identified accounts using the means described in paragraph 26.

And, as we’ll see below, the Russians “hunted SysAdmins,” as we know NSA does, to get further access to whatever networks they managed.

In other words, aside from the Viagra ads and credit card theft, the Russians were doing stuff that America’s own spies do all the time, using many of the same methods.

Let me be clear: I’m not saying this means America is just as evil as Russia. Indeed, as the list of targets suggests, a lot of this collection serves for internal spying purposes, something the US primarily does under the guise of Insider Threat analysis. Rather, I’m simply observing that except for some of the alleged actions of Belan, this indictment is an indictment for spying, not typical hacking.

The US didn’t indict anyone in China when it hacked Google in 2013. Nor did China indict the US when details of America’s far greater sabotage of Huawei networks emerged under the Snowden leaks. But the US chose to indict not just Belan, but also three people engaged in nation-state spying. Why?

Redefine economic espionage

I find all this particularly interesting given that the government included four charges — counts 2 and 4 through 6 — related to economic espionage for stealing the following:

a. Yahoo’s UDB and the data therein, including user data such as the names of Yahoo users, identified recovery email accounts and password challenge answers, and Yahoo-created and controlled data regarding its users’ accounts;

b. Yahoo’s AMT, its method and manner of functioning and capabilities, and the data it contained and provided; and

c. Yahoo’s cookie minting source code.

The US always justifies its global spying by claiming that it does not engage in industrial espionage, based on the flimsy explanation that it doesn’t share any information with allegedly private companies (including government contractors like Lockheed) they can use to compete unfairly.

But here we are, treating nation-state information collection — the kinds of actions our own hackers do all the time — as economic espionage. The only distinction here is that Belan also used his Yahoo access for personal profit. And yet Sushchin and Dokuchaev are also named in those counts.

Which raises the question of why DOJ decided to indict this as they did, especially since it risks an escalation of spying-related indictments. If I were Russia (maybe even China) I’d draw up indictments of American spies who’ve accessed Vkontakte or Yandex and accuse them of economic espionage.

I’ve got several suggestions:

  • To leverage Baratov to learn more about the other three indictees (and FSB Officer 3, who is also mentioned prominently in the indictment)
  • To expose Russia’s targets
  • To expose FSB’s internal spying

Leverage Baratov to learn more about the other three indictees (and FSB Officer 3)

The US is almost certainly never going to get custody of Sushchin, Dokuchaev, or Belan, who are all in Russia safe from any extradition requests. That’s not true of Baratov, who was arrested and whose beloved Aston Martin and Mercedes Benz will be seized. These charges are larded on in such a way as to incent cooperation from Baratov.

Which means the government probably hopes to use the indictment to learn more about the other three indictees.

Remember: Belan was named in the sanctions on the DNC hack. So it may be that DOJ wants more information about those he works with, possibly up to and including on the DNC hack.

Expose Russia’s targets

Then there are the very long descriptions of the kind of people the accused collected on. The indictment highlights these three examples.

For example, SUSHCHIN, DOKUCHAEV, and BARATOV sought access to the Google, Inc. (“Google”) webmail accounts of:

a. an assistant to the Deputy Chairman of the Russian Federation;

b. an officer of the Russian Ministry of Internal Affairs;

c. a physical training expert working in the Ministry of Sports of a Russian republic;

Then provides this list of people hacked at Yahoo:

  • a diplomat from a country bordering Russia who was posted in a European country
  • the former Minister of Economic Development of a country bordering Russia (“Victim A”) and his wife (“Victim B”)
  • a Russian journalist and investigative reporter who worked for Kommersant Daily
  • a public affairs consultant and researcher who analyzed Russia’s bid for World Trade Organization membership
  • three different officers of U.S. Cloud Computing Company 1
  • an account of a Russian Deputy Consul General
  • a senior officer at a Russian webmail and internet-related services provider

And this list of people targeted by Belan (who may or may not have been related to his own efforts rather than FSB’s):

  • 14 employees of a Swiss bitcoin wallet and banking firm
  • a sales manager at a major U.S. financial company
  • a Nevada gaming official
  • a senior officer of a major U.S. airline
  • a Shanghai-based managing director of a U.S. private equity firm
  • the Chief Technology Officer of a French transportation company
  • multiple Yahoo users affiliated with the Russian Financial Firm

And this list of people Baratov hacked at Gmail and other ISPs:

  • an assistant to the Deputy Chairman of the Russian Federation
  • a managing director, a former sales officer, and a researcher, all of whom worked for a major Russian cyber security firm;
  • an officer of the Russian Ministry of Internal Affairs assigned to that Ministry’s “Department K,” its “Bureau of Special Technical Projects,” which investigates cyber, high technology, and child pornography crimes;
  • a physical training expert working in the Ministry of Sports of a Russian republic;
  • a Russian official who was both Chairman of a Russian Federation Council committee and a senior official at a major Russian transport corporation
  • the CEO of a metals industry holding company in a country bordering Russia
  • a prominent banker and university trustee in a country bordering Russia
  • a managing director of a finance and banking company in a country bordering Russia
  • a senior official in a country bordering Russia

For those who weren’t alerted by Yahoo or Google they’d been hacked, these descriptions provide enough detail (as well as partial email addresses for some targets) to figure it out from the indictment.

Expose FSB’s internal spying

As these descriptions make clear, some of these targets are potentially well-connected people in Russia: a Russian Deputy Consul General, someone from Department K, the office of the Deputy Chairman of the Russian Federation, the Chairman of a Russian Federation Council committee (who also happens to be a businessman). Perhaps those people were targeted for sound political reasons — perhaps counterintelligence or corruption, for example. Or perhaps FSB was just trying to gain leverage in the political games of Russia.

Remember: One of the guys — Dokuchaev — is already being prosecuted in Russia for treason. These details might give Russia more details to go after him.

Sushchin is a special example. As the indictment explains, he was working undercover at some Russian financial firm, but it’s unclear whether his firm knew he was FSB or not.

SUSHCHIN was embedded as a purported employee and Head of Information Security at the Russian Financial Firm, where he monitored the communications of Russian Financial Firm employees, although it is unknown to the grand jury whether the Russian Financial Firm knew of his FSB affiliation.

But it’s clear that Sushchin’s role here was largely to conduct some very focused spying on the firm that he worked for.

In one instance, in or around April 2015, SUSHCHIN ordered DOKUCHAEV to target a number ofindividuals, including a senior board member ofthe Russian Financial Firm, his wife, and his secretary; and a senior officer ofthe Russian Financial Firm (“Corporate Officer l “).

[snip]

[I]n or around April 2015, SUSHCHIN sent DOKUCHAEV a list of email accounts associated with Russian Financial Firm personnel and family members to target, including Google accounts. During these April 2015 communications, SUSHCHIN identified a Russian Financial Firm employee to DOKUCHAEV as the “main target.” Also during these April 2015 communications, SUSHCHIN forwarded to DOKUCHAEV an email sent by that “main target’s” wife to a number of other Russian Financial Firm employees. SUSHCHIN added the cover note “this may be of some use.”

Maybe that operation was known by his employers; maybe it wasn’t. Certainly, his cover has now been blown.

All of which is to say that — splashy as this indictment is — the unstated reasons behind it are probably far more interesting than the actual charges listed in it.

 

One Way to Hide Section 702 Spying on US Persons

/13 Comments/in /by

I noted something in the batch of Semiannual Section 702 Assessments I Con the Record released in January that may explain one reason why the government has such problems giving defendants who’ve been captured in Section 702 surveillance the notice required under the law.

Starting with the 14th Assessment — the one released in February 2016, which covers December 2014 to May 2015 (which also began to integrate feedback from PCLOB), the assessments started to reveal that disseminated reports don’t identify where information on a US Person comes from.

23 (C//NF) NSA does not maintain records that allow it to readily determine, in the case of a report that includes information from several sources, from which source a reference to a U.S. person was derived. Accordingly, the references to U.S. person identities may have resulted from collection pursuant to Section 702 or from other authorized signals intelligence activity conducted by NSA that was reported in conjunction with information acquired under Section 702. Thus, the number provided above is assessed to likely be over-inclusive. NSA has previously provided this explanation in its Annual Review pursuant to Section 702(l)(3) that is provided to Congress.

Presumably, the reports track that intelligence in the report comes from Section 702, or else they wouldn’t be able to track how often serialized reports contain US person information derived from Section 702- or PAA-acquired data, which is where this footnote appears. (In this reporting period, 9.7% of reports including US person information.) But they don’t track which tidbits come from 702 and which come from — say — EO 12333 authorized information or foreign partners.

Given that these reports get circulated outside of NSA (and even outside those people cleared into Section 702), that might mean someone with a dual intelligence/law enforcement role would see the information, pursue further investigation, and yet not know that the investigation “derived” from 702 data, which would then mean the defendant might never get notice.

FISA Is Not a Magic Word

/10 Comments/in , /by

The NYT had an article yesterday reporting on investigations into three (not four) of Donald Trump’s associates. The lead explains that authorities are reviewing “intercepted communications” in an investigation.

American law enforcement and intelligence agencies are examining intercepted communications and financial transactions as part of a broad investigation into possible links between Russian officials and associates of President-elect Donald J. Trump, including his former campaign chairman Paul Manafort, current and former senior American officials said.

The article differs from many of the reports on investigations into Trump because it is not so breathless and shows far more understanding of how DOJ works. Sadly, most readers appear not to have gotten this far into the story, which admits it’s not even clear whether the investigation is primarily about ties between Trump and the DNC hack.

It is not clear whether the intercepted communications had anything to do with Mr. Trump’s campaign, or Mr. Trump himself. It is also unclear whether the inquiry has anything to do with an investigation into the hacking of the Democratic National Committee’s computers and other attempts to disrupt the elections in November.

A number of people, including — bizarrely! — former DHS Assistant Secretary for Intergovernmental Affairs Juliette Kayyem have asked why the NYT article doesn’t mention FISA.

Great piece. Honest ? Is there reason why it doesn’t mention word FISA? I don’t know other ways to intercept comms.

Kayyem asks that, even about an article that partially raises another — the most common — way intercepts get done: by targeting foreigners.

The counterintelligence investigation centers at least in part on the business dealings that some of the president-elect’s past and present advisers have had with Russia. Mr. Manafort has done business in Ukraine and Russia. Some of his contacts there were under surveillance by the National Security Agency for suspected links to Russia’s Federal Security Service, one of the officials said.

The Russians alleged to have bought off Manafort, and the Russians alleged to have hacked the DNC are all legal targets without a FISA order (unless they’re targeting in the US, and even then, in some cases you wouldn’t need a FISA order). But these people are described as Russians and Ukrainians in Europe, so no FISA order needed. Moreover, the BBC article that started this line of reporting made clear the investigation arises from an intercept from a Baltic ally. Even if the US did the spying, foreign targets could be collected on under EO 12333 or under Section 702 of FISA without an individual order, and the Manafort sides of those conversations would be read. Indeed, those communications would be read precisely because a US person was having conversations with targets of interest.

So to review, here are the ways that the government might collect data in this case.

  • As the BBC reported, the US gets intercepts from its foreign partners, and appears to have done so here.
  • For foreign targets like those described, much US surveillance takes place under EO 12333. The NSA is collecting on switches and satellites carrying such communications, and to the extent that they’re not encrypted (or encrypted using technology the NSA has broken) those communications are readily available without a court order.
  • Those foreign targets located in Europe are also legal targets under Section 702. For national security cases (including counterintelligence ones) NSA routinely shares the raw feed off such collection with FBI, and FBI is not only allowed to read both sides of those conversations, but to go back and search for US persons in them without any suspicion of wrong-doing.
  • This counterintelligence investigation is primarily about money changing hands. That’s Treasury’s job, and its methods of coercion for collecting information don’t usually involve courts. Banks are obliged to hand over certain kinds of suspicious transfers in any case. Treasury also gets to go to SWIFT and get what it wants. That’s not an “intercept” in the traditional sense, but is likely a key piece of evidence in this case.

The issue, then, is when someone like Manafort becomes the target of the investigation and/or when Russians in the US (but not exclusively at an Embassy) are targeted. In that case, the following might explain intercepts.

  • In some respects, Manafort’s behavior reeks of classic influence peddling, a lobbyist gone wrong. To the extent that’s the case, it might be investigated under regular criminal law with pretty much the same secrecy that FISA will give you (especially given that multiple sources are leaking like sieves about FISA orders now). So FBI could have obtained a criminal warrant targeting Manafort’s communications.
  • To target Manafort anywhere in the world, the FBI/NSA would need a FISA order. Domestically, that’d be a traditional order(s). Given the overseas connection, they’d likely get a 705b order, allowing them to keep spying if Manafort were to leave the country.
  • To target Russians who are in the country but not at the Russian embassy, the government would need a FISA order.

To be sure, there were earlier reports that FBI asked for FISA orders in June and July, finally obtaining one (not three) in October. Even there, the original BBC report suggested the Americans were not the primary targets, but foreign targets, though it misstates who could actually be targeted (and seems to think Russian banks would require a FISA order).

Lawyers from the National Security Division in the Department of Justice then drew up an application. They took it to the secret US court that deals with intelligence, the Fisa court, named after the Foreign Intelligence Surveillance Act. They wanted permission to intercept the electronic records from two Russian banks.

Their first application, in June, was rejected outright by the judge. They returned with a more narrowly drawn order in July and were rejected again. Finally, before a new judge, the order was granted, on 15 October, three weeks before election day.

Neither Mr Trump nor his associates are named in the Fisa order, which would only cover foreign citizens or foreign entities – in this case the Russian banks

A more recent, but breathless, version of the story originally misstated the standard for FISA, but does get closer to suggesting Trump’s associates are the targets.

Note that in one place NYT refers to “investigations” plural.

The F.B.I. is leading the investigations, aided by the National Security Agency, the C.I.A. and the Treasury Department’s financial crimes unit.

It is possible that there are separate investigation(s), one targeting Manafort for clear influence peddling, another targeting Roger Stone for apparent involvement in the hand-off of DNC documents to Wikileaks, and a third for corrupt business dealings on the part of Carter Page. It is also possible that such independent investigations could converge on the election, if what the Trump dossier claims is true. It is further possible that if all of those investigations converged into one election-related investigation, there’d still be no way to prove Trump knew of Russian involvement; right now, only his associates have been “targeted,” to the extent even that has occurred. (Roger Stone, of course, is an old hand at giving the President plausible deniability about the rat-fucking done in his name.)

Finally, there’s one more (delicious) detail most people have missed. Just last week the intelligence community rolled out its new EO 12333 sharing guidelines. I suspect such guidelines were in place between FBI and NSA before then; for a variety of reasons I think they may have been sharing such data since … September. But as I’ll show in a follow-up, one very clear objective for the expanded EO 12333 sharing is to give FBI (and CIA) direct access to raw EO 12333 collected information for counterintelligence purposes. That means all those intercepts on Russian and Ukrainian people talking to Manafort, going back over a year? At least as of January 3, the FBI (and CIA) can have those, including Manafort’s side of the conversation, in raw form.

The Dragnet Donald Trump Will Wield Is Not Just the Section 215 One

/4 Comments/in , , /by

I’ve been eagerly anticipating the moment Rick Perlstein uses his historical work on Nixon to analyze Trump. Today, he doesn’t disappoint, calling Trump more paranoid than Nixon, warning of what Trump will do with the powerful surveillance machine laying ready for his use.

Revenge is a narcotic, and Trump of all people will be in need of a regular, ongoing fix. Ordering his people to abuse the surveillance state to harass and destroy his enemies will offer the quickest and most satisfying kick he can get. The tragedy, as James Madison could have told us, is that the good stuff is now lying around everywhere, just waiting for the next aspiring dictator to cop.

But along the way, Perlstein presents a bizarre picture of what happened to the Section 215 phone dragnet under Barack Obama.

That’s not to say that Obama hasn’t abused his powers: Just ask the journalists at the Associated Press whose phone records were subpoenaed by the Justice Department. But had he wanted to go further in spying on his enemies, there are few checks in place to stop him. In the very first ruling on the National Security Administration’s sweeping collection of “bulk metadata,” federal judge Richard Leon blasted the surveillance as downright Orwellian. “I cannot imagine a more ‘indiscriminate’ and ‘arbitrary’ invasion than this collection and retention of personal data,” he ruled. “Surely, such a program infringes on ‘that degree of privacy’ that the founders enshrined in the Fourth Amendment.”

But the judge’s outrage did nothing to stop the surveillance: In 2015, an appeals court remanded the case back to district court, and the NSA’s massive surveillance apparatus—soon to be under the command of President Trump—remains fully operational. The potential of the system, as former NSA official William Binney has described it, is nothing short of “turnkey totalitarianism.”

There are several things wrong with this.

First, neither Richard Leon nor any other judge has reviewed the NSA’s “sweeping collection of ‘bulk metadata.'” What Leon reviewed — in Larry Klayman’s lawsuit challenging the collection of phone metadata authorized by Section 215 revealed by Edward Snowden — was just a small fraction of NSA’s dragnet. In 2013, the collection of phone metadata authorized by Section 215 collected domestic and international phone records from domestic producers, but even there, Verizon had found a way to exclude collection of its cell records.

But NSA collected phone records — indeed, many of the very same phone records, as they collected a great deal of international records — overseas as well. In addition, NSA collected a great deal of Internet metadata records, as well as financial and anything else records. Basically, anything the NSA can collect “overseas” (which is interpreted liberally) it does, and because of the way modern communications works, those records include a significant portion of the metadata of Americans’ everyday communications.

It is important for people to understand that the focus on Section 215 was an artificial creation, a limited hangout, an absolutely brilliant strategy (well done, Bob Litt, who has now moved off to retirement) to get activists to focus on one small part of the dragnet that had limitations anyway and NSA had already considered amending. It succeeded in pre-empting a discussion of just what the full dragnet entailed.

Assessments of whether Edward Snowden is a traitor or a saint always miss this, when they say they’d be happy if Snowden had just exposed the Section 215 program. Snowden didn’t want the focus to be on just that little corner of the dragnet. He wanted to expose the full dragnet, but Litt and others succeeded in pretending the Section 215 dragnet was the dragnet, and also pretending that Snowden’s other disclosures weren’t just as intrusive on Americans.

Anyway, another place where Perlstein is wrong is in suggesting there was just one Appeals Court decision. The far more important one is the authorized by Gerard Lynch in the Second Circuit, which ruled that Section 215 was not lawfully authorized. It was a far more modest decision, as it did not reach constitutional questions. But Lynch better understood that the principle involved more than phone records; what really scared him was the mixing of financial records with phone records, which is actually what the dragnet really is.

That ruling, on top of better understanding the import of dragnets, is important because it is one of the things that led to the passage of USA Freedom Act, a law that, contrary to Perlstein’s claim, did change the phone dragnet, both for good and ill.

The USA Freedom Act, by imposing limitations on how broadly dragnet orders (for communications but not for financial and other dragnets) can be targeted, adds a check at the beginning of the process. It means only people 2 degrees away from a terrorism suspect will be collected under this program (even while the NSA continues to collect in bulk under EO 12333). So the government will have in its possession far fewer phone records collected under Section 215 (but it will still suck in massive amounts of phone records via EO 12333, including massive amounts of Americans’ records).

All that said, Section 215 now draws from a larger collection of records. It now includes the Verizon cell records not included under the old Section 215 dragnet, as well as some universe of metadata records deemed to be fair game under a loose definition of “phone company.” At a minimum, it probably includes iMessage, WhatsApp, and Skype metadata, but I would bet the government is trying to get Signal and other messaging metadata (note, Signal metadata cannot be collected retroactively; it’s unclear whether it can be collected with standing daily prospective orders). This means the Section 215 collection will be more effective in finding all the people who are 2 degrees from a target (because it will include any communications that exist solely in Verizon cell or iMessage networks, as well as whatever other metadata they’re collecting). But it also means far more innocent people will be impacted.

To understand why that’s important, it’s important to understand what purpose all this metadata collection serves.

It was never the case that the collection of metadata, however intrusive, was the end goal of the process. Sure, identifying someone’s communications shows when you’ve been to an abortion clinic or when you’re conducting an affair.

But the dragnet (the one that includes limited Section 215 collection and EO 12333 collection limited only by technology, not law) actually serves two other primary purposes.

The first is to enable the creation of dossiers with the click of a few keys. Because the NSA is sitting on so much metadata — not just phone records, but Internet, financial, travel, location, and other data — it can put together a snapshot of your life as soon as they begin to correlate all the identifiers that make up your identity. One advantage of the new kind of collection under USAF, I suspect, is it will draw from the more certain correlations you give to your communications providers, rather than relying more heavily on algorithmic analysis of bulk data. Facebook knows with certainty what email address and phone number tie to your Facebook account, whereas the NSA’s algorithms only guess that with (this is an educated guess) ~95+% accuracy.

This creation of dossiers is the same kind of analysis Facebook does, but instead of selling you plane tickets the goal is government scrutiny of your life.

The Section 215 orders long included explicit permission to subject identifiers found via 2-degree collection to all the analytical tools of the NSA. That means, for any person — complicit or innocent — identified via Section 215, the NSA can start to glue together the pieces of dossier it already has in its possession. While not an exact analogue, you might think of collection under Section 215 as a nomination to be on the equivalent of J Edgar Hoover’s old subversives list. Only, poor J Edgar mostly kept his list on index cards. Now, the list of those the government wants to have a network analysis and dossier on is kept in massive server farms and compiled using supercomputers.

Note, the Section 215 collection is still limited to terrorism suspects — that was an important win in the USA Freedom fight — but the EO 12333 collection, with whatever limits on nominating US persons, is not. Plus, it will be trivial for Trump to expand the definition of terrorist; the groundwork is already being laid to do so with Black Lives Matter.

The other purpose of the dragnet is to identify which content the NSA will invest the time and energy into reading. Most content collected is not read in real time. But Americans’ communications with a terrorism suspect will probably be, because of the concern that those Americans might be plotting a domestic plot. The same is almost certainly true of, say, Chinese-Americans conversing with scientists in China, because of a concern they might be trading US secrets. Likewise it is almost certainly true of Iranian-Americans talking with government officials, because of a concern they might be dealing in nuclear dual use items. The choice to prioritize Americans makes sense from a national security perspective, but it also means certain kinds of people — Muslim immigrants, Chinese-Americans, Iranian-Americans — will be far more likely to have their communications read without a warrant than whitebread America, even if those whitebread Americans have ties to (say) NeoNazi groups.

Of course, none of this undermines Perlstein’s ultimate categorization, as voiced by Bill Binney, who created this system only to see the privacy protections he believed necessary get wiped away: the dragnet — both that authorized by USAF and that governed by EO 12333 — creates the structure for turnkey totalitarianism, especially as more and more data becomes available to NSA under EO 12333 collection rules.

But it is important to understand Obama’s history with this dragnet. Because while Obama did tweak the dragnet, two facts about it remain. First, while there are more protections built in on the domestic collection authorized by Section 215, that came with an expansion of the universe of people that will be affected by it, which must have the effect of “nominating” more people to be on this late day “Subversives” list.

Obama also, in PPD-28, “limited” bulk collection to a series of purposes. That sounds nice, but the purposes are so broad, they would permit bulk collection in any area of the world, and once you’ve collected in bulk, it is trivial to then call up that data under a more broad foreign intelligence purpose. In any case, Trump will almost certainly disavow PPD-28.

Which makes Perlstein’s larger point all the more sobering. J Edgar and Richard Nixon were out of control. But the dragnet Trump will inherit is far more powerful.

As of August 29, 2016, Not All High Risk Users at NSA Had Two-Factor Authentication

/9 Comments/in , /by

For the last several weeks, all of DC has been wailing that Russia hacked the election, in part because John Podesta didn’t have two-factor authentication on his Gmail account.

So it should scare all of you shitless that, as of August 29, 2016, not all high risk users at NSA had 2FA.

That revelation comes 35 pages  into the 38 page HPSCI report on Edward Snowden. It describes how an IG Report finished on August 29 found that NSA still had not closed the Privileged Access-Related holes in the NSA’s network.

That’s not the only gaping hole: apparently even server racks in data centers were not secure.

And note that date: August 29? Congress would have heard about these glaring problems just two weeks after the first Shadow Brokers leak, and days after Hal Martin got arrested with terabytes of NSA data in his backyard shed.

I think I can understand why James Clapper and Ash Carter want to fire Mike Rogers.

Working Thread: HPSCI’s Full Unbelievably Shitty Snowden Report

/11 Comments/in , , /by

In September, I did a post asking why the House Intelligence Committee report on Edward Snowden was so unbelievably shitty. My post was just based off a summary released by the Committee. HPSCI has now released the full report.

This will be a working thread.

Summary: The summary, with all its obvious errors, remains unchanged. So see my earlier post for the problems with that.

PDF 6: The report starts with a claim that Snowden’s leaks were the “most massive and damaging in history.” But the claim was made in 2014. Since then we’ve had two more damaging leaks, the OPM leak and the Shadow Brokers leak.

PDF 6: In my earlier post, I wrote about how the deference given to the ongoing criminal investigation into Snowden seemed very similar to — but was far less defensible than — the approach Stephen Preston used when he was General Counsel at CIA. He was General Counsel at DOD when this report started, suggesting he adopted the same approach. Worse, we now know from emails released this year that the exec had actually moved on by May 2014, meaning the claim was not sustainable when made in August 2014.

PDF 7: On the education paragraph, see this post.

PDF 7: Rather than asking the military why Snowden was discharged, the committee asked NSA’s security official. As Bart Gellman notes, his official Army record backs Snowden, not the security official.  Then they say (in the footnote) that they “found node evidence that Snowden was involved in a training accident.”

PDF 9: This page cites from a CIA IG report on Snowden’s complaints about the treatment of TISOs overseas. It actually shows him trying to complain through channels.

PDF 10: Note that HPSCI claimed a paragraph based on information classified confidential was classified secret.

PDF 11: I’m curious why they redacted footnote 43.

PDF 11: Report notes a new derogatory report was submitted after Snowden left Geneva but also after his next employer hired him. It doesn’t seem too serious. Report notes that the alert function for Scattered Castles got updated after that.

PDF 12: The reports that he went to Thailand and China are second-hand, based off what an NSA lawyer said his former co-workers said. Both support an awareness that Snowden was making his privacy concerns known, including this quote (which is likely out of context and may refer to an individual program):

… Snowden expressing his view that the U.S. government had overreached on surveillance and that it was illegitimate for the government to obtain data on individuals’ personal computers.

PDF 13: Why would HPSCI (or NSA, for that matter) depend on the comments of co-workers to learn what Snowden did during a leave of absence? Also note, this is classified Secret, which means it must have some security function.

PDF 13: Note they had an interview with a lawyer and a security official on the same day.

PDF 13: His co-workers claimed Snowden frequently showed up late. That would mean he’d be home for the entirely of the East Coast day.

PDF 13: Snowden expressed concern that SOPA/PIPA would lead to online censorship, but his co-worker was dismissive bc he hadn’t read the bill.

PDF 14: The claim that Snowden went to a hackers conference in China is sourced to a co-worker who didn’t like Snowden much.

PDF 14: Note in the patch discussion, they hide the kind of person that the interviewee for this information is.

PDF 14: Snowden did something after being called out for bringing in a manager.

PDF 15: The report claims that Snowden started downloading docs in July 2012. Snowden has said that was part of transferring docs. But it also coincides with the period when he was trouble shooting a 702 template, so they may think this is how he got the FISA data.

PDF 15: Snowden had access to wget on NSA’s networks for the same reason Chelsea Manning did, IIRC: because the networks were unreliable. Snowden said he did this to move files from MD to HI. There’s a redacted paragraph that it sourced to a “HPSCI recollection summary paper,” which seems odd and unreliable.

PDF 15: The methods Snowden used paper is classified REL to USA, FVEY, presumably because Snowden was grabbing GCHQ documents.

PDF 16: Here’s the funny quote about Snowden violating privacy. Note the first redacted sentence here is not sourced to an NSA document, but instead to a NSA Legislative Affairs document.

PDF 18: The end of this betrays NSA’s efforts to make light of glaring security holes: the CD-ROM/USB port on Snowden’s computer, and the ability for him to download data w/o a buddy (they currently require a buddy).

PDF 19: THe complaints about Snowden’s “resumé inflation” are a valid point. But what does it say that no one at NSA checks these things.

PDF 20: After Snowden moved to Booz, he went back to his old computer to be able to download the files he had new access to. I had been wondering about that.

PDF 20: All the details about Snowden’s flight are taken from public reports, not FBI or CIA reports or even NSA’s timeline, which must cover it. Did NSA’s timeilne, which is dated . That is bizarre.

PDF 21: Note the classification mark for 132, which seems to conclude that Snowden’s motivation was to inform the public.

PDF 21: The report says Snowden left some encrypted hard drives behind, sourced to a 2/4/14 briefing not cited elsewhere. Working from memory I think this is the Flynn one.

PDF 21: The description of what others had said about Snowden’s interest in privacy conflicts with what NSA said internally. 

PDF 22: I will return to the description of the 702 training.

PDF 22: Note they source the training issue to someone unnamed. This appears to be the same person who described the patch issue (PDF 14), with an interview on October 28. That means it couldn’t have been the training person, and surely didn’t have first-hand knowledge.

PDF 23: The report cites the emails (without describing who they were addressed to) and the I Con the Record report on the email. Which means I’ve reviewed this issue more closely than HPSCI.

PDF 23: The section on whether Snowden was a whistleblower doesn’t cite his CIA IG contact.

PDF 25: Some of the foreign influence section obviously says there was none (see the Keith Alexander comment). Plus, this doesn’t cite other public comments saying there is no evidence of any foreign tie.

PDF 26: FN 166 is the bad briefing. Note that 1/5 of the documents Snowden took were blank.

PDF 29: This section describes the damage assessment. I find it very significant the NCSC has stopped reviewing T3 and T2 documents, which must suggest, in part, that they trust the security of the documents and/or have confirmed via some means that there aren’t more out there.

PDF 34: Yet another complaint about not fixing the removable media problem.

PDF 34: A description of the Secure the Net initiative, with four measures outstanding, and taking over a year to get to buddy system with SysAdmins.

PDF 35-36: There’s a list of things HPSCI ordered the IC to do after Snowden.

How HPSCI’s Staffers Used Miscitations to Turn Edward Snowden into a Lying Flunkie

/7 Comments/in /by

I want to take a close look at this paragraph (from PDF 7) of the House Intelligence report on Snowden, to show how they’re (mis)using information.

In its first claim, HPSCI says Snowden was “by his own account,” a “poor student.” It cites this Greenwald and Poitras intro to Snowden, which says something different: “By his own admission, he was not a stellar student.”

The next claim says he dropped out of high school in his sophmore year and then took community college classes, which relies on this report, which in turn cites the public schools as well as the Guardian story.

1991-1998: Snowden attends schools in the Anne Arundel County Public School System in Maryland from the elementary level to high school, where he dropped out his sophomore year. He’ll later say he earned his GED. (Source: Anne Arundel County Public Schools, The Guardian)

1999-2005: Snowden takes a variety of classes from Anne Arundel Community College in Arnold, Maryland. He does not take any cyber security or computer science classes, however, and he never earns a certificate or degree. (Source: Anne Arundel Community College)

Note, the committee has said it didn’t do an investigation because of the ongoing criminal investigation into Snowden. But there is no reason they couldn’t have called Anne Arundel County Public Schools rather than relying on an ABC piece; it wouldn’t have required a long distance call!

The third claim is that Snowden hoped the (community college) classes would permit him to earn a GED, “but nothing the Committee found indicates he did so.” That’s not sourced. Again, it doesn’t say whether or not they called Maryland.

This is what Bart Gellman said in September about Snowden’s claim to have gotten a GED.

I do not know how the committee could get this one wrong in good faith. According to the official Maryland State Department of Education test report, which I have reviewed, Snowden sat for the high school equivalency test on May 4, 2004. He needed a score of 2250 to pass. He scored 3550. His Diploma No. 269403 was dated June 2, 2004, the same month he would have graduated had he returned to Arundel High School after losing his sophomore year to mononucleosis. In the interim, he took courses at Anne Arundel Community College.

The fourth claim is that Snowden told TAO he did have a GED, claiming to have received it on 6/21/2001 from “Maryland High School.”

Finally, the report says that Snowden stated that he did not have a degree of any type, citing this NYT profile rather than citing the forum itself or even the Ars Technica article that first reported it. It is absolutely true that Snowden said he didn’t have a high school diploma, but in context, Snowden was responding to someone focused primarily on a college degree.

Visigothan: No college degree.

Over 10 years work experience in my field

No communicable or other diseases

Not a religious wackjob

I think I’m good on everything except the college degree.

TheTrueHOOHA: First off, the degree thing is crap, at least domestically. If you really have ten years of solid, provable IT experience (and given that you say you’re 25, I think it’d probably be best to underestimate), you CAN get a very well paying IT job. You just need to be either actively looking now or get the fuck out of California. I have no degree, nor even a high school diploma, but I’m making much more than what they’re paying you even though I’m only claiming six years of experience. It’s tough to “break in,” but once you land a “real” position, you’re made.

Now, unless the forum has changed over the years (in which case the date could be wrong), the NYT miscited Snowden, claiming he said “I don’t have a degree of ANY type. I don’t even have a high school diploma,” when in fact the forum itself says he said, “I have no degree, nor even a high school diploma.” Moreover, in context, Snowden is distinguishing between a “degree” and a “diploma,” which may suggest he’s thinking of the actual class work versus the (GED) degree.

That claim is modified by this footnote, citing an unnamed “associate” — is this Pulitzer Prize winning Bart Gellman they’re talking about? — describing that Snowden did get a GED in 2004. [Update: Indeed it is! HPSCI hid how credible the source for this was and what he based if off of!!]

But having acknowledged that there are official records they could consult but have not, they instead just present the admittedly conflicting claims made in secondary sources (assuming they got the dates correct, but there are dates that are absolutely incorrect elsewhere in this report). There’s no actual attempt to contact local schools to get to the bottom of it all.

And yet, they then use these conflicting claims (based on inaccurate citations) to claim, in the summary, that Snowden is a “serial exaggerator.”

To make that claim with respect to his high school education, you would actually have had to do the work to ascertain the truth. The report made no effort to do so.

Matt Olsen Admits He Didn’t Bargain on a President Trump

/11 Comments/in , , /by

Something predictable, but infuriating, happened at least week’s Cato conference on surveillance.

A bunch of spook lawyers did a panel, at which they considered the state of surveillance under Trump. Former White House Director of Privacy and Civil Liberties Tim Edgar asked whether adhering to basic norms, which he suggested would otherwise be an adequate on surveillance, works in a Trump Administration.

In response, former NSA General Counsel Matt Olsen provided an innocuous description of the things he had done to expand the dragnet.

I fought hard … in the last 10 [years] when I worked in national security, for increasing information sharing, breaking down barriers for sharing information, foreign-domestic, within domestic agencies, and for the modernization of FISA, so we could have a better approach to surveillance.

Then, Olsen admitted that he (who for three years after he left NSA headed up the National Counterterrorism Center managing a ton of analysts paid to imagine the unimaginable) did not imagine someone like Trump might come along.

As I fought for these changes, I did not bargain on a President Trump. That was beyond my ability to imagine as a leader of the country in thinking about how these policies would actually be implemented by the Chief Executive.

It was beyond his ability [breathe, Marcy, breathe] to imagine someone who might abuse power to come along!!!

What makes Olsen’s comment even more infuriating that I called out Olsen’s problematic efforts to “modernize” FISA and sustain the phone dragnet even in spite of abuse in September, in arguing that Hillary could not, in fact, be supporting a balanced approach on intelligence if she planned on hiring him, as seemed likely.

Olsen was the DOJ lawyer who oversaw the Yahoo challenge to PRISM in 2007 and 2008. He did two things of note. First, he withheld information from the FISC until forced to turn it over, not even offering up details about how the government had completely restructured PRISM during the course of Yahoo’s challenge, and underplaying details of how US person metadata is used to select foreign targets. He’s also the guy who threatened Yahoo with $250,000 a day fines for appealing the FISC decision.

Olsen was a key player in filings on the NSA violations in early 2009, presiding over what I believe to be grossly misleading claims about the intent and knowledge NSA had about the phone and Internet dragnets. Basically, working closely with Keith Alexander, he hid the fact that NSA had basically willfully treated FISA-collected data under the more lenient protection regime of EO 12333.

These comments were used, in this post by former NSA Compliance chief John DeLong and former NSA lawyer Susan Hennessey (the latter of whom was on this panel) to unbelievably dishonestly suggest that surveillance skeptics, embodied by me and EFF’s Nate Cardozo (who has been litigating some of these issues for years), took our understanding of NSA excesses from one footnote in a FISA Court opinion, rather than from years of reading underlying documents.

Readers are likely aware of the incident, which has become a persistent reference point for NSA’s most ardent critics. One such critic recently pointed to a FISC memorandum referencing the episode as evidence that “NSA lawyers routinely lie, even to the secret rubber stamp FISA court”; another cited it in claiming DOJ’s attorneys made “misleading claims about the intent and knowledge NSA had about the phone and Internet dragnets” and that “NSA had basically willfully treated FISA-collected data under the more lenient protection regime of EO 12333.”

These allegations are false. And by insisting that government officials routinely mislead and lie, these critics are missing one of the most important stories in the history of modern intelligence oversight.

Never mind that I actually hadn’t cited the footnote. Never mind that then FISA Judge Reggie Walton was the first to espouse my “false” view, even before seven more months of evidence came out providing further support for it.

The underlying point is that these two NSA people were so angry that I called out Matt Olsen for documented actions he had taken that they used it as a foil to make some pretty problematic claims about the oversight over NSA spying. But before they did so, they assured us of the integrity of the people involved (that is, Olsen and others).

It’s tempting to respond to these accusations by defending the integrity of the individuals involved. After all, we know from firsthand experience that our former colleagues—both within the NSA and across the Department of Justice, the Office of the Director of National Intelligence, and the Department of Defense—serve the public with a high degree of integrity. But we think it is important to move beyond the focus on who is good and who is bad, and instead explore the history behind that footnote and the many lessons learned and incorporated into practice. After all, we are ultimately a “government of laws,” not of people.

 

 

We are a government of laws, not people, they said in October, before laying out oversight that (they don’t tell you, but I will once I finally get back to responding to this post) has already proven to be inadequate. I mean, I agree with their intent — that we need(ed) to build a bureaucracy that could withstand the craziest of Executives. But contrary to what they claim in their piece and the presumably best intent of DeLong, they didn’t do that.

They now seem to realize that.

In the wake of the Trump victory, a number of these people are now admitting that maybe their reassurances about the bureaucracy they contributed to — which were in reality based on faith in the good intentions and honesty and competence of their colleagues — were overstated. Maybe these tools are too dangerous for an unhinged man to wield.

And, it turns out, one of the people largely responsible for expanding the dragnet that its former defenders now worry might be dangerous for Donald Trump to control never even imagined that someone like Trump might come along.

9th Circuit Rules that Mohamed Osman Mohamud Might Have Killed Like a Bunch of White Mass Killers Had the FBI Not Intervened

/4 Comments/in /by

The last paragraph of a 9th Circuit Judge John Owens opinion rejecting Mohamed Osman Mohamud’s appeal reads,

Many young people think and say alarming things that they later disavow, and we will never know if Mohamud—a young man with promise—would have carried out a mass attack absent the FBI’s involvement. But some “promising” young people—Charles Whitman, Timothy McVeigh, and James Holmes, to name a few from a tragically long list—take the next step, leading to horrific consequences. While technology makes it easier to capture the thoughts of these individuals, it also makes it easier for them to commit terrible crimes. Here, the evidence supported the jury’s verdict, and the government’s surveillance, investigation, and prosecution of Mohamud were consistent with constitutional and statutory requirements.

Mohamud had appealed on several grounds. Generally, he argued that he had been entrapped, that Section 702 was unconstitutional, and that that evidence should be thrown out because he was not informed in timely fashion.

The court was (as they had been in the hearing) most sympathetic to Mohamud’s entrapment case, but found that even though he was first approached before he turned 18 (Mohamud was 19 when he pressed a button believing it would set off a bomb at Portland’s Pioneer Square), the entrapment was less than what happened with James Cromitie, a case the 2nd Circuit upheld.

Nevertheless, the court found that a jury might reasonably find that Mohamud was predisposed to commit a bombing, even before government incitement.

In sum, viewing the evidence in the light most favorable to the government, we cannot say that “no reasonable jury could have concluded that [Mohamud was] predisposed to commit the charged offense[].” Davis, 36 F.3d at 1430. We therefore conclude that the district court properly rejected his defense of entrapment as a matter of law.

The court was less sympathetic to Mohamud’s FISA challenge.

But their argument on this front is pretty weird. The court dodges any ruling on a foreign intelligence exception that the government claimed.

Because the incidental collection excepts this search from the Fourth Amendment’s warrant requirement, we need not address any “foreign intelligence exception.”

Instead, it invokes the Third Party doctrine, suggesting that because Mohamud wrote to someone — anyone! —  to suggest he had a diminished expectation of privacy in his side of emails.

It is true that prior case law contemplates a diminished expectation of privacy due to the risk that the recipient will reveal the communication, not that the government will be monitoring the communication unbeknownst to the third party. See, e.g., United States v. Miller, 425 U.S. 435, 443 (1976); United States v. White, 401 U.S. 745, 752 (1971); Hoffa v. United States, 385 U.S. 293, 302 (1966). While these cases do not address the question of government interception, the communications at issue here had been sent to a third party, which reduces Mohamud’s privacy interest at least somewhat, if perhaps not as much as if the foreign national had turned them over to the government voluntarily. See also Hasbajrami, 2016 WL 1029500 at *11 & n.18 (observing same distinction).

The court then admits that the sheer volume of incidental collection under Section 702 might be a problem, but suggests that minimization procedures thereby acquire more importance (while bracketing the problem of post-collection querying — also known as back door searches — the FBI conducts all the time).

Mohamud and Amici also contend that the “sheer amount of ‘incidental’ collection” separates § 702 from prior cases where courts have found such collection permissible. We agree with the district court’s observation that the most troubling aspect of this “incidental” collection is not whether such collection was anticipated, but rather its volume, which is vast, not de minimis. See PCLOB Report at 114 (“The term ‘incidental’ is appropriate because such collection is not accidental or inadvertent, but rather is an anticipated collateral result of monitoring an overseas target. But the term should not be understood to suggest that such collection is infrequent or that it is an inconsequential part of the Section 702 program.”). This quantity distinguishes § 702 collection from Title III and traditional FISA interceptions. However, the mere fact that more communications are being collected incidentally does not make it unconstitutional to apply the same approach to § 702 collection, though it does increase the importance of minimization procedures once the communications are collected.24

24 To the extent that Amici argue that the incidental overhear doctrine permits the unconstitutional and widespread retention and querying of the incidentally collected information, that issue is not before us.

Which brings us to this passage assessing the value of those minimization procedures with increased import.

While Executive Branch certification contributes some degree of further protection, it does not weigh heavily. Typically in the Fourth Amendment context, review from a neutral magistrate is considered the appropriate check on the Executive, which otherwise may be motivated by its interest in carrying out its duties. See, e.g., Leon, 468 U.S. at 913–14 (explaining that in obtaining a search warrant, a neutral magistrate is “a more reliable safeguard against improper searches than the hurried judgment of a law enforcement officer ‘engaged in the often competitive enterprise of ferreting out crime’” (citation omitted)). Under these circumstances, where the only judicial review comes in the form of the FISC reviewing the adequacy of procedures, this type of internal oversight does not provide a robust safeguard. The government notes that in In re Sealed Case, 310 F.3d 717, 739 (FISA Ct. Rev. 2002), the FISA Review Court observed that Congress recognized that certification by the AG in the traditional FISA context would “‘assure [ ] written accountability within the Executive Branch’ and provide ‘an internal check on Executive Branch arbitrariness.’” (citation omitted). However, as described above, § 702 differs in important ways from traditional FISA, and a mechanism that might provide additional protections above and beyond those already employed in a traditional FISA context provides far less assurance and accountability in the § 702 context, which lacks those baseline protections. See also Clapper, 133 S. Ct. at 1144–45.

Accordingly, although we do not place great weight on the oversight procedures, under the totality of the circumstnces, we conclude that the applied targeting and minimization procedures adequately protected Mohamud’s diminished privacy interest, in light of the government’s compelling interest in national security,

In other words, in the section assessing incidental collection, the court points to the import of minimization procedures. But when it comes to minimization procedures, it does “not place great weight” on them, because of the government’s compelling interest in national security. It is ultimately an argument about necessity based on national security.

Ultimately, then, the court argues that it was okay for the government to read Mohamud’s emails without a warrant, in spite of its admission of weaknesses in the government’s argument about a diminished expectation of privacy and minimization procedures. It does so by invoking three older (though still young) white mass killers, all of whom worked domestically.

While the court definitely relies on targeting rules limiting 702 to someone overseas, with its seeming admission that both its Third Party and its minimization procedure arguments are inadequate (as well as its decision that none of this has to do with a foreign intelligence exception), it gets frightfully close to making an argument that doesn’t distinguish foreign communications from domestic.

Perhaps Owens invokes those three white men to emphasize, unconvincingly, that that doesn’t mean Mohamud was targeted in a way a white non-Muslim wouldn’t be, but given the legal argument that’s left, the opinion is all the more troubling.

Update: Orin Kerr — who knows a lot more about law than I do — doesn’t like this opinion either. Among other common impressions, he’s not happy that Owens borrowed from a not really well written District opinion.