The US Person Back Door Search Number DOJ Could Publish Immediately

/3 Comments/in /by

The Senate Judiciary Committee had a first public hearing on Section 702 today, about which I’ll have several posts.

One piece of good news, however, is that both some of the witnesses (Liza Goitein and David Medine; Ken Wainstein, Matt Olsen, and Rachel Brand were the other witnesses) and some of the Senators supported more transparency, including requiring the FBI to provide a count of how many US person queries of 702-collected data it does, as well as a count of how many US persons get sucked up by Section 702 more generally.

Liza Goitein presented a very reasonable view of the efforts the privacy community is making to work with the government to come up with reasonable counts.

But no one mentioned the very easy count of US person back door searches that FBI could provide today.

As I noted when this was released, as part of last year’s 702 Certification process, Judge Thomas Hogan required FBI to report every time FBI reviews data on a US person query of 702 data that doesn’t pertain to National Security.

[Hogan] imposed a requirement that FBI “submit in writing a report concerning each instance … in which FBI personnel receive and review Section 702-acquired information that the FBI identifies as concerning a United States person in response to a query that is not designed to find and extract foreign intelligence information.” Such reporting, if required indefinitely, is worthwhile — and should have been required by Congress under USA Freedom Act.

But FBI can and presumably will game this information in two ways. First, FBI’s querying system can be set such that, even if someone has access to 702 data, they can run a query that will flag a hit in 702 data but won’t actually show the data underlying that positive return. This provides one way for 702-cleared people to learn that such information is in such a collection and — if they want the data without having to report it — may be able to obtain it another way. It is distinctly possible that once NSA shares EO 12333 data directly with FBI, for example, the same data will be redundantly available from that in such a way that would not need to be reported to FISC. (NSA used this arbitrage method after the 2009 problems with PATRIOT-authorized database collections.)

Plus, such reporting depends on the meaning of foreign intelligence information as defined under the Attorney General Guidelines.

FOREIGN INTELLIGENCE: information relating to the capabilities, intentions, or activities of foreign governments or elements thereof, foreign organizations or foreign persons, or international terrorists.

It would be relatively easy for FBI to decide that any conversation with a foreign person constituted foreign intelligence, and in so doing count even queries on US persons to identify criminal evidence as foreign intelligence information and therefore exempt from the reporting guidance. Certainly, the kinds of queries that might lead the FBI to profile St. Paul’s Somali community could be considered a measure of Somali activities in that community. Similarly, FBI might claim the search for informants who know those in a mosque with close ties overseas could be treated as the pursuit of information on foreign activities in US mosques.

Hogan imposed a worthwhile new reporting requirement. But that’s still a very far cry from conducing a fair assessment of whether FBI’s back door searches are constitutional.

This requirement went into effect on December 4, 2015, and Hogan required updates on such reporting by January 27, 2016, so FBI is already reporting on this.

It would take minimal effort for ODNI to release how many of these notices got sent to FISC — it could do it quarterly so we didn’t learn too much from the process. Maybe there wouldn’t be any notices, though for a variety of reasons I doubt it. Maybe, as I note, the number is too fake to be useful.

But it is a number, one FBI is already required to report. So they should start reporting it.

2015 I Con the Record Transparency™ Working Thread

/2 Comments/in /by

ODNI has released the Transparency Report and DOJ has released the FISA Report for 2015. The former is the first that falls under USA Freedom Act expanded reporting requirements, so I’m going to do a very detailed report on it. Here are the ODNI and DOJ equivalent reports from last year and my post on both from last year.

The big news here is a 200% plus increase, either in the reporting or the actual back door searches of US person data collected under Section 702. And remember, this doesn’t include the FBI at all.

Preamble

(2 fn 3) ODNI admits that AOUSC counts each certificate under 702 as an order, whereas ODNI counts all the certificates as one order, so ODNI makes AOUSC redact its more accurate number.

(2) The report confirms something not everyone understood before: the report counts renewals (so an order that gets renewed 4 times a year will be counted 4 times) but not modifications.

(2) ODNI here admits that selector can be a much bigger number than target — I suspect maybe a hundred times bigger (because even for Google one target will have up to 45 selectors).

Within the IC, the term “target” has multiple meanings. With respect to the statistics provided in this report, the term “target” is defined as the individual person, group, entity comprised of multiple individuals, or foreign power that uses the selector, such as a telephone number or email address. If a target were known to use four different selectors, the IC would count one target, not four.

(2) ODNI is using the timing of the implementation of USAF to not report on how the new phone dragnet works.

Title V of FISA. The IC implemented the USA FREEDOM Act’s Title V provisions on November 30, 2015, resulting in one additional month’s worth of data for calendar year 2015. Because statistical information tied to a particular FISA authority for a particular month remains classified, Title V data specifically associated with December 2015 – i.e., the information required under Section 603 (b)(4)(A) and (B) and 603 (b)(5)(A), (B) and (C) – is included only in the classified annex to this report that has been provided to Congress.

Here’s all the reporting that we don’t get this year as a result (though we appear to get the top-line for 4 and 5 — see page 8 below):

(4) the total number of orders issued pursuant to applications made under section 501(b)(2)(B) and a good faith estimate of– [This is traditional 215 orders]

(A) the number of targets of such orders; and

(B) the number of unique identifiers used to communicate information collected pursuant to such orders;

(5) the total number of orders issued pursuant to applications made under section 501(b)(2)(C) and a good faith estimate of– [This is new style phone dragnet orders]

(A) the number of targets of such orders;

(B) the number of unique identifiers used to communicate information collected pursuant to such orders; and

(C) the number of search terms that included information concerning a United States person that were used to query any database of call detail records obtained through the use of such orders;

(3) ODNI used a definition for US person that is not the one used in USAF (in that it includes incorporated and non-incorporated US persons). At one level, this should provide a more realistic number, as it might include additional targets. At another level, it could very easily hide bulky collection, both by not counting (for example) a targeted mosque or US run chat room, or for non-communications signifiers, hide that a US corporation was used as part of a selector term.

(3) As a reminder, the unique identifiers used for 215 and PRTT collection does not include non-communications identifiers (say, bank accounts) or pings (say, stingray collection). It probably also doesn’t include data flow collections.

Targeted FISA

(4/DOJ 1-2) In 2015, the government got 1,585 targeted FISA orders targeting 1,695. That’s based off 1,499 applications, of which 1,497 were for electronic surveillance only.

One of those applications was withdrawn after submission stage (which is tantamount to a denial). In addition, DOJ included a footnote reminding that they don’t include pre-final submissions withdrawn to be withdrawn, which suggests the number of what would normally count as rejections might be significant this year.

Those numbers compare with 1,519 orders affecting 1,562 targets, based off 1,416 applications, of which 1,379 were for electronic surveillance only.

So the total number of orders has gone up 4%, the number of persons affected as gone up 8.5%, and the number of applications has gone up almost 6%.

The really alarming change is in modifications. Last year, there were 19 modifications to proposed orders (1.3% of all applications); this year there were 80 modifications (5.3% of all applications).

Section 702

(5) Last year there were 94,368 targets of 702 surveillance, up from 92,707 last year, which is less than a 2% increase. But remember, for each of these targets, NSA may have a hundred or so selectors.

This is the first year I Con the Record has to report back door searches (though FBI is excluded from this reporting). Last year, there were 4,672 back door searches of US person content. In 2013, there were 198 NSA US person identifiers whitelisted, some of which will get searched more than once; there were 1,900 CIA content back door searches, representing 1,400 unique identifiers (see pages 57-58). While these numbers are not exact, that suggests there was a 223% increase in back door searches of Americans by these two “foreign” intelligence agencies. There were 9,500 NSA US person metadata queries in 2013, and CIA didn’t count them. There were 23,800 metadata searches, with one IC element not being able to provide this information. That probably means CIA was not able to, which means there may have been a 250% increase in NSA back door searches of metadata. [Update: here’s the James Clapper certification indicating that one IC agency couldn’t count this number.]

(6) NSA discretionarily reports that NSA released 4,280 reports based on 702 including US person information, of which the information was unmasked upon release in 1,122 cases and got unmasked on request in 654 cases. (Note, given the number of 702 reports they issue, this is actually impressive, but since they don’t tell us how big that number is, they don’t get the PR value of it.)

PRTT

(7) The number of PRTT orders was down last year, from 135 orders affecting 516 targets in 2014 to 90 orders affecting 456 targets in 2015. 134,987 unique identifiers were used to communicate information in those PRTT orders, but that number doesn’t include:

  • FBI orders that don’t include email addresses or phone numbers (that is, this doesn’t include Stingray use or data flow, among other usages)
  • Data turned over in hard copy or portable media (only those turning over such information electronically gets counted)

Section 215

(8/DOJ 2) Because of the transition period, the 215 numbers may be a mess (see page 2 above).

There were 142 215 applications approved last year, as compared to 170 in 2014.

There were 134 specific targets of 215 orders as compared to 160 last year (in both cases it appears all but 6% of the orders are individualized, and the discrepancy may have had to do with the timing of the year, and this may not include December at all).

There were 56 RAS approved selectors last year, as compared to 161 in 2014. These numbers are probably the same (in which case far fewer selectors are being RAS approved), but it’s possible last year’s numbers don’t include those who, by virtue of having a traditional FISA order, automatically get treated as RAS-approved. I will try to clarify this.

There were 183 US person queried identifiers last year, as compared with 227 in 2014 (this partly reflects the automatic approval of those with FISA orders). But the number for last year definitely doesn’t include phone dragnet queries in December (so compare the 183 to 208, which is what 11 months of last year’s number would be).

The DOJ report notes that,

One application made by the Government after the effective data of the business records provisions of the USA FREEDOM Act did not specifically identify an individual, account, or personal device as the specific selection term.

The footnote explains that there’s a discrepancy between the reporting requirement, which is limited to individual, account, or personal devices, and the definition of specific selection term, which also includes “address” and anything else they can get the FISC to approve. Perhaps this is just about targeting an address, or perhaps this is a bulk or bulky collection (in any case, 215 can be very bulky on its own). That’s a problem with the transparency guidelines.

There’s also one more problem. The 2015 702 reauthorization opinion revealed that in summer of last year, a PRTT used a novel interpretation of specific selection term, which FISC might have otherwise gotten an amicus for. They didn’t because by the time they considered doing so, the emergency PRTT was done. But that may mean that novel interpretation of specific selection term will never get amicus review, because it will no longer be novel.

NSLs

(9/DOJ 3) Keep in mind that the NSL numbers aren’t exactly apples to oranges, because this year adds subscriber numbers. But this is what the comparison looks like. (I will update this once I figure out why the Total NSL numbers don’t add up, which presumably has to do with how they request for subscriber information.)

Screen Shot 2016-05-02 at 4.32.28 PM

The key takeaway here is that while a lot more of the requests affect non-US persons, there were more US persons affected by non-subscriber requests than foreigners (though this sort of makes sense, as they’d be issued for US providers which would disproportionately affect US persons).

Rosemary Collyer’s Worst FISA Decision

/4 Comments/in /by

In addition to adding former National Security Division head David Kris as an amicus (I’ll have more to say on this) the FISA Court announced this week that Rosemary Collyer will become presiding judge — to serve for four years — on May 19.

Collyer was the obvious choice, being the next-in-line judge from DC. But I fear she will be a crummy presiding judge, making the FISC worse than it already is.

Collyer has a history of rulings, sometimes legally dubious, backing secrecy and executive power, some of which include,

2011: Protecting redactions in the Torture OPR Report

2014: Ruling the mosaic theory did not yet make the phone dragnet illegal (in this case she chose to release her opinion)

2014: Erroneously freelance researching the Awlaki execution to justify throwing out his family’s wrongful death suit

2015: Serially helping the Administration hide drone details, even after remand from the DC Circuit

I actually think her mosaic theory opinion from 2014 is one of her (and FISC’s) less bad opinions of this ilk.

The FISC opinion I consider her most troubling, though, is not a FISC decision at all, but rather a ruling from last year in an EFF FOIA. Either Collyer let the government hide something that didn’t need hidden, or it has exploited EFF’s confusion to hide the fact that the Internet dragnet and the Upstream content programs are conducted by the same technical means, a fact that would likely greatly help EFF’s effort to show all Americans were unlawfully spied on in its Jewell suit.

Back in August 2013, EFF’s Nate Cardozo FOIAed information on the redacted opinion referred to in this footnote from John Bates’ October 3, 2011 opinion ruling that some of NSA’s upstream collected was illegal.

Screen Shot 2015-10-31 at 6.52.30 PM

Here’s how Cardozo described his FOIA request (these documents are all attached as appendices to this declaration).

Accordingly, EFF hereby requests the following records:

1. The “separate order” or orders, as described in footnote 15 of the October 3 Opinion quoted above, in which the Foreign Intelligence Surveillance Court “address[ed] Section 1809(a) and related issues”; and,

2. The case, order, or opinion whose citation was redacted in footnote 15 of the October 3 Opinion and described as “concluding that Section 1809(a)(2) precluded the Court from approving the government’s proposed use of, among other things, certain data acquired by NSA without statutory authority through its ‘upstream collection.’”

Request 2 was the only thing at issue in Collyer’s ruling. By my read, it would ask for the entire opinion the citation to which was redacted, or at least identification of the case.

EFF, of course, is particularly interested in upstream collection because it’s at the core of their many years long lawsuit in Jewell. To get an opinion that ruled upstream collection constituted unlawful collection sure would help in EFF’s lawsuit.

In her opinion, Collyer made a point of defining “upstream” surveillance by linking to the 2012 John Bates opinion resolving the 2011 upstream issues (as well as to Wikipedia!), rather than to the footnote he used to describe it in his October 3, 2011 opinion.

The opinion in question, referred to here as the Section 1809 Opinion, held that 50 U.S.C. § 1809(a)(2) precluded the FISC from approving the Government’s proposed use of certain data acquired by the National Security Agency (NSA) without statutory authority through “Upstream” collection. 3

3 “Upstream” collection refers to the acquisition of Internet communications as they transit the “internet backbone,” i.e., principal data routes via internet cables and switches of U.S. internet service providers. See [Caption Redacted], 2012 WL 9189263, *1 (FISC Aug. 24, 2012); see also https://en.wikipedia.org/wiki/Upstream_collection (last visited Oct. 19, 2015); https://en.wikipedia.org/wiki/Internet_backbone (last visited Oct. 19, 2015).

As it was, Collyer paraphrased where upstream surveillance comes from as ISPs rather than telecoms, which was redacted in the opinion she cited. But by citing that and not Bates’ 2011 opinion, she excluded an entirely redacted sentence from the footnote Bates used to explain it, which in context may have described a little more about the underlying opinion.

Screen Shot 2016-04-28 at 11.38.32 AM

Having thus laid out the case, Collyer deferred to NSA declarant David Sherman’s judgment — without conducting a review of the document — that releasing the document would reveal details about the implementation of upstream surveillance.

Specifically, the release of the redacted information would disclose sensitive operational details associated with NSA’s “Upstream” collection capability. While certain information regarding NSA’s “Upstream” collection capability has been declassified and publicly disclosed, certain other information regarding the capability remains currently and properly classified. The redacted information would reveal specific details regarding the application and implementation of the “Upstream” collection capability that have not been publicly disclosed. Revealing the specific means and methodology by which certain types of SIGINT collections are accomplished could allow adversaries to develop countermeasures to frustrate NSA’s collection of information crucial to national security. Disclosure of this information could reasonably be expected to cause exceptionally grave damage to the national security.

[snip]

With respect to the FISC opinion withheld in full, it is my judgment that any information in the [Section 1809 Opinion] is classified in the context of this case because it can reasonably be expected to reveal classified national security information concerning particular intelligence methods, given the nature of the document and the information that has already been released. . . . In these circumstances, the disclosure of even seemingly mundane portions of this FISC opinion would reveal particular instances in which the “Upstream” collection program was used and could reasonably be expected to encourage sophisticated adversaries to adopt countermeasures that may deprive the United States of critical intelligence. [my emphasis]

Collyer found NSA had properly withheld the document as classified information the release of which would cause “grave damage to national security.”

Read more

The Shell Game the Government Played During Yahoo’s Protect America Act Challenge

/4 Comments/in /by

In his opinion finding Protect America Act constitutional, Judge Reggie Walton let his frustration with the way the government kept secretly changing the program at issue show.

For another, the government filed a classified appendix with the Court in December 2007, which contained the certifications and procedures underlying the directives, but the government then inexplicably modified and added to those certifications and procedures without appropriately informing the Court or supplementing the record in this matter until ordered to do so. These changes and missteps by the government have greatly delayed the resolution of its motion, and, among other things, required this Court to order additional briefing and consider additional statutory issues, such as whether the P AA authorizes the government to amend certifications after they are issued, and whether the government can rely on directives to Yahoo that were issued prior to the amendments.

The unsealed classified appendix released today (the earlier released documents are here) provides a lot more details on the shell game the government played during the Yahoo litigation, even with Walton. (It also shows how the government repeatedly asked the court to unseal documents so it could share them with Congressional Intelligence Committees or other providers it wanted to cooperate with PAA).

I mean, we expected the government to demand that Yahoo litigate blind, as it did in this February 26, 2008 brief arguing Yahoo shouldn’t be able to see any classified information as it tried to represent the interests of its American customers. (PDF 179)

In the approximately thirty years since the adoption of FISA, no court has held that disclosure of such documents is necessary to determine the legality of electronic surveillance and physical search. Similarly, there is of course a long history of ex parte and in camera proceedings before this Court. For almost three decades, this Court has determined, ex parte and in camera, the lawfulness of electronic surveillance and physical search under FISA. See 50 U.S.C. § 1805(a) (“the judge shall enter an ex parte order as requested or as modified approving the electronic surveillance” upon making certain findings); 50 U.S.C. § 1824(a) (same with respect to physical search).

Under the Protect America Act, then, the government has an unqualified right to have the Court review a classified submission ex parte and in camera which, of course, includes the unqualified right to keep that submission from being disclosed to any party in an adversarial proceeding before this Court.

But we shouldn’t expect a FISC judge presiding over a key constitutional challenge to have to beg to learn what he was really reviewing, as Walton had to do here. (PDF 159-160)

The Court is issuing this ex parte order to the Government requiring it to provide clarification concerning the impact on this case of various government filings that have been made to the FISC under separate docket.

[snip]

lt is HEREBY ORDERED that the government shall file a brief no later than February 20. 2008, addressing the following questions: 1. Whether the classified appendix that was provided to the Court in December 2007 constitutes the complete and up-to-date set of certifications and supporting documents (to include affidavits, procedures concerning the location of targets, and minimization procedures) that are applicable to the directives at issue in this proceeding. If the answer to this question is .. yes,'” the government” s brief may be filed ex parte. If the government chooses to serve Yahoo with a copy of the brief~ it shall serve a copy of this Order upon Yahoo as well.

2. If the answer to question number one is “no,” the Government shall state what additional documents it believes are currently in effect and applicable to the directives to Yahoo that are at issue in this proceeding. The government shall file copies of any such documents with the Court concurrent with filing its brief. The government shall serve copies of this Order, its brief, and any additional documents upon Yahoo, unless the government moves this Court for leave to file its submission ex parte, either in whole or in part. If the government files such a motion with the Court, it shall serve a copy of its motion upon Yahoo. The government shall also serve a copy of this Order upon Yahoo, unless the government establishes good cause for not doing so within the submission it seeks to file ex parte.

This is what elicited the government’s indignant brief about actually telling Yahoo what it was arguing about.

As a result of the government’s successful argument Yahoo had to argue blind, it did not learn — among other things — that CIA would get all the data Yahoo was turning over to the government, or that the government had basically totally restructured the program after the original expiration date of the program, additional issues on which Yahoo might have challenged the program.

Perhaps more interesting is that it wasn’t until Walton ruled on March 5 that he would not force the government to share any of these materials with Yahoo that the government finally provided the last relevant document to Judge Walton, the Special Procedures Governing Communications Metadata Analysis. (PDF 219)

On January 3, 2008, the Attorney General signed the “Department of Defense Supplemental Procedures Governing Communications Metadata Analysis,” which purported to supplement the DoD Procedures (“Supplement to DoD Procedures”), a copy of which is attached hereto as Exhibit A. The Supplement to DoD Procedures concerns the analysis of communications metadata that has already been lawfully acquired by DoD components, including the National Security Agency (NSA). Specifically, the Supplement to DoD Procedures clarifies that NSA may analyze communications metadata associated with U.S. persons and persons believed to be in the United States. The Supplement to DoD Procedures does not relate to the findings the Attorney General must make to authorize acquisition against a U.S. person overseas

This is particularly suspect given that one of the changes implemented after the original certification was to share data with CIA, something directly addressed in the memo justifying SPCMA to the Attorney General’s office (and a detail the government is still trying to officially hide).

Now, to be fair, in the original release, it was not clear that the government offered this much explanation for SPCMA, making it clear that the procedural change involved making American metadata visible. But the government very clearly suggested — falsely — that SPCMA had no Fourth Amendment implications because they didn’t make Americans overseas more likely to be targeted (which the government already knew was the key thrust of Yahoo’s challenge).

The opposite is true: by making US person metadata visible, it ensured the government would be more likely to focus on communications of those with whom Americans were communicating. These procedures — which were approved more than two months, one document dump, and one court order agreeing to keep everything secret from Yahoo earlier — were and remain the key to the Fourth Amendment exposure for Americans, as was argued just last year. And they weren’t given to even the judge in this case until he asked nicely a few times.

This was the basis for the dragnet that still exposes tens of thousands of Americans to warrantless surveillance. And it got briefed as an afterthought, well after the government could be sure it’d get no adversarial challenge.

The Easy Section 702 Surveillance Number James Clapper Can Share

/2 Comments/in /by

Last week, a bunch of House Judiciary Committee members set James Clapper a letter stating that before the Committee deals with Section 702 reauthorization next year, they’d like:

  • The number of telephone communications in which one caller is located in the United States
  • The number of Internet communications acquired through upstream collection that originate or terminate in the United States
  • The number of communications of or concerning U.S. persons that the NSA positively identifies as such in the routine course of its work

They asked for those numbers by May 6.

In response, Clapper is humming and hawing about “several options” for disclosing how many Americans get spied on under Section 702.

Clapper said that “any methodology we come up with will not be completely satisfactory to all parties.”

“If we could have made such an estimate and if such an estimate were easy to do — explainable without compromise — we would’ve done it a long time ago,” he said.

We just learned there is, however, one number that should be easy-peasy to make public (and one I’m frankly alarmed the HJC members didn’t mention, as they should have known about it for some time): the number of back door searches FBI conducts on Section 702 data for reasons other than national security.

As I noted the other day, in response to FISC amicus (and former Eric Holder counsel) Amy Jeffress’ argument that FBI’s back door searches of Section 702 are unconstitutional, Thomas Hogan required FBI “submit in writing a report concerning each instance … in which FBI personnel receive and review Section 702-acquired information that the FBI identifies as concerning a United States person in response to a query that is not designed to find and extract foreign intelligence information.” As I noted, that’s an easily gamed number — I’m sure FBI treats a lot of criminal matters as national security ones, and FBI has the ability to see if there is 702 data without looking at it, permitting it to see if the same data is available under another authority.

Nevertheless, DOJ must have an exact number of reports they’ve submitted in response to this reporting requirement, which has been in place for over four months.

That’s not to say HJC shouldn’t insist on getting estimates for all the other numbers they’re seeking. But they should also demand that this number — the number of times FBI is using a foreign intelligence exception for criminal prosecutions that should be subject to a probable cause standard — be made public.

NSA Failed to Fully Inform FISC Even After It Started Fact-Checking Itself

/4 Comments/in /by

On Friday, I described how, for four years after the FISA Court ruled that NSA couldn’t keep otherwise unlawfully collected information from a single traditional FISA order, the NSA continued to do just that with data from 702 orders.

Hogan was [] surprised to learn NSA was doing the same thing — and had been! — with Section 702 data that had otherwise been purged, which the NSA confessed to Hogan in July of last year. That is, having stopped the practice with a single traditional FISA order, they kept doing it with programmatic 702 data.

In light of the May 2011 [redacted], the Court was very surprised to learn from the July 13, 2015 Notice that the NSA had not been deleting from [redacted] Section 702 records placed on the NSA’s Master Purge List (“MPL”).

[snip]

As the Court explained to the government at the October 8 Hearing, it expects the government to comply with its heightened duty of candor in ex parte proceedings at all times. Candor is fundamental to this Court’s effective operation in considering ex parte submissions from the government, particularly in matters involving large and complex operations such as the implementation of Section 702.

That’s pathetic, given the history of material misstatements to FISC.

All the more so given that it happened after NSA implemented an effort to make sure it started telling FISC the truth (the date is redacted, but it probably happened sometime between October 2011 and March 2013).

As laid out in a 2013 reissue of a 2012 NSA IG report (this report starts at PDF 55; Charlie Savage liberated this via FOIA), NSA implemented a fact-checking process on its own FISC submissions. (See PDF 101)

Screen Shot 2016-04-25 at 9.15.54 AM

NSA is hiding when they first started fact-checking themselves, but it happened by March 2013. Which means the 2013 and 2014 702 recertification submissions were fact-checked. “The [Verification of Accuracy] procedures require all factual statements within the declarations to be verified.” Yet neither told FISC that NSA continued to retain communications from selectors on the Master Purge List in a management database two and three years after the time (at that point) FISC had told NSA, in an order titled, “Opinion and Order Requiring Destruction of Information Obtained by Unauthorized Electronic Surveillance,” it could not do so, not even with data unlawfully obtained on a single targeted FISA order. It took another year before NSA confessed to FISC it was keeping 702 data that should have been purged.

Perhaps the continued discovery of three to four violations every time NSA submits its recertification process reflects the slow implementation of fact-checking. Or perhaps there are just too many databases in which willing NSA employees can stash information before it gets purged off all the other databases.

But if the VoA was supposed to “increase confidence” in what NSA says to courts and Congress, it’s not clear how continuing to miss things like ongoing retention of unlawfully collected information does that.

Related posts on the November 6, 2015 reauthorization opinion

The NSA Has Never Not Been Violating FISA Since It Moved Stellar Wind to FISA in 2004

The Government Admits 9 Defendants Spied On Under Section 702 Have Not Gotten FISA Notice

Former Top Holder Aide Says Back Door Searches Violate Fourth Amendment; FISC Judge Thomas Hogan Doesn’t Care

FBI’s Back Door Searches: Explicit Permission … and Before That
Last July, NSA and CIA Decided They Didn’t Have to Follow Minimization Procedures, and Judge Hogan Is Cool with That

Please consider a donation to support this work.

The NSA Has Never Not Been Violating FISA Since It Moved Stellar Wind to FISA in 2004

/5 Comments/in /by

Back in 2013, I noted that FISA Judge John Bates had written two opinions finding NSA had violated 50 U.S.C. §1809(a)(2), which prohibits the “disclos[ure] or use[ of] information obtained under color of law by electronic surveillance, knowing or having reason to know that the information was obtained through electronic surveillance not authorized by” FISA. Each time he did it, Bates sort of waggled around the specter of law-breaking as a way of forcing NSA to destroy data they otherwise wanted to retain and use. I suspect that is why NSA moved so quickly to shut down its PRTT program in 2011 in the wake of his upstream opinion.

In his November 6, 2015 opinion reauthorizing Section 702, presiding judge Thomas Hogan described two more definite violations of 50 U.S.C. §1809(a)(2), and one potential one, bringing the list of times the FISC caught NSA illegally surveilling Americans to four, and potentially five, times.

  1. Fall 2009 confession/July 2010 opinion: Collection of categories of data under the bulk PRTT program not permitted by the FISC (Bates’ opinion describes a category violation reported to FISC in the very first PRTT docket, along with NSA’s assurances it would never happen again)
  2. June 2010 confession/December 10 2010, May 13, 2011 opinions: Retention of overcollected data from a traditional FISA warrant in mission management systems ultimately not deemed necessary for collection avoidance
  3. May 2011 confession/October 3, 2011 opinion: Collection of entirely domestic communications on upstream surveillance MCTs
  4. July 13, 2015 confession/November 6, 2015 opinion: Retention of 702 communications that had been otherwise purged in mission management systems, even though FISC had ruled against such retention in 2011
  5. [Potential] July 13, 2015 confession/November 6, 2015 opinion: Retention of data that should have been purged or aged off in compliance databases

Hogan describes these incidents starting on 56.

Between June and August of 2010, the government filed some notices of violation in conjunction with a single electronic surveillance order (on page 58, he describes that as dealing “exclusively with Title I collection in a particular case.”) It’s unclear whether the scope of the surveillance extended beyond what had been authorized, or whether the government had conducted surveillance based on illegally collected data (Hogan refers to it both as overcollection but also as poison fruit). As part of its efforts to resolve the problem, the government argued it could keep some of this poisonous fruit in some kind of oversight database to prevent further collection. But it also argued that its minimization procedures “only applied to interceptions authorized by the Court and did not apply to the fruits of unlawful surveillance,” effectively arguing that if it broke the law the FISC could then not tell it what to do because it had broken the law. The government also argued 50 U.S.C. §1809(a)(2) “only prohibits use or disclosure of unlawfully obtained information for investigative or analytic purposes,” meaning it could keep illegal data for management purposes.

FISC didn’t buy this argument generally, but in a December 10, 2010 opinion did permit NSA to retain “the results of unauthorized surveillance [that] are needed to remedy past unauthorized surveillance or prevent similar unauthorized surveillance in the future.” In that opinion, FISC cited John Bates’ July 2010 PRTT opinion discussing the application of 50 U.S.C. §1809(a)(2).

After further review, on May 13, 2011, the court ruled that the specific data in question did not fall within that exception.

[C]ourts should not attempt “to restrict the unqualified language of a [criminal] statute to the particular evil that Congress was trying to remedy — even assuming that it is possible to identify that evil from something other than the text of the statute itself.” Brogan v United States, 522 U.S. 398, 403 (1998) … The exception recognized in the December 10, 2010 Opinion stands on narrower but firmer ground: that in limited circumstances, prohibiting use of disclosure of the results of unauthorized electronic surveillance would be “so ‘absurd or glaringly unjust’ … as to [call into] question whether Congress actual intended what the plain language of Section 1809(a)(2) “so clearly imports.”

That decision only related to one traditional FISA order — but it did lay out the principle that NSA couldn’t keep illegally collected data for vague management reasons.

Which is why Hogan was so surprised to learn NSA was doing the same thing — and had been! — with Section 702 data that had otherwise been purged, which the NSA confessed to Hogan in July of last year. That is, having stopped the practice with a single traditional FISA order, they kept doing it with programmatic 702 data.

In light of the May 2011 [redacted], the Court was very surprised to learn from the July 13, 2015 Notice that the NSA had not been deleting from [redacted] Section 702 records placed on the NSA’s Master Purge List (“MPL”).

[snip]

As the Court explained to the government at the October 8 Hearing, it expects the government to comply with its heightened duty of candor in ex parte proceedings at all times. Candor is fundamental to this Court’s effective operation in considering ex parte submissions from the government, particularly in matters involving large and complex operations such as the implementation of Section 702.

After the hearing, the government submitted several filings effectively saying it was purging the data, then admitting that the technical process it had implemented to effect the purge was only purging some of the selectors that had been illegally collected.

In any case, after 4 years of retaining 702 data that had to be purged, they were finally moving towards deleting it last year.

The second violation pertains to two tools (both names of which are redacted) that help determine whether a selector can be or has been properly tasked (on page 76, Hogan suggests “most Section 702 information [in these databases] that is otherwise subject to purge pertains to roamer communications.”

The first appears to be a pre-tasking tool to see whether it properly tasked. This tool has not aged off PRISM data within the required 5 years, nor upstream data within the required 2 years, though it has aged off pre-October 31, 2011 upstream data. NSA has not done so “because of the utility of these records for compliance and collection avoidance purposes.”  It also helps to respond to OSD and ODNI oversight questions.

The second is a post-tasking tool to identify whether a Section 702 target may be in the US. It doesn’t age off PRISM data within the required 5 years, though it does treat upstream data properly. In addition, it doesn’t purge items that have been added to the Master Purge List. Rather than purging, it just masks certain fields from most users.

In general, Hogan seemed to believe most of this data did fall within the narrow exception laid out in the December 2010 opinion permitting the retention of unauthorized data for the purposes of collection avoidance, though he asked for further briefing that would have taken place in January.

He did point to the inclusion in these two tools of other selectors that had been put on the purge list, however, which would raise additional questions:

Examples would be incidentally acquired communications of or concerning United States persons that are clearly not relevant to the authorized purpose of the acquisition or that do not contain evidence of a crime which may be disseminated under the minimization procedures … attorney-client communications that do not contain foreign intelligence information or evidence of a crime … and any instances in which the NSA discovers that a United Staes person or person not reasonably believed to be outside the United States at the time of targeting has been intentionally targeted under Section 702.

That is, Hogan raised the possibility that these tools included precisely the kind of information that should be deliberately avoided.

Ah well. He still reauthorized Section 702.

Consider what this means: between the five years between when, in fall 2004, NSA told Colleen Kollar-Kotelly it was violating her category restrictions on the bulk Internet dragnet until the time, in 2009, it admitted it continued to do so with every single record collected, between the non-disclosure of what NSA was really doing with upstream surveillance between 2008 and 2011, and between the time FISC told NSA it couldn’t keep illegally collected data for management reasons in May 2011 to the time in July 2015 it confessed it had continued to do that with 702 data, NSA has always been in violation of 50 U.S.C. §1809(a)(2) since it moved Stellar Wind to FISA.

And that’s just the stuff they have admitted to.

The Government Admits 9 Defendants Spied On Under Section 702 Have Not Gotten FISA Notice

/1 Comment/in /by

As I noted, in his opinion approving the Section 702 certifications from last year, Judge Thomas Hogan had a long section describing the 4 different kinds of violations the spooks had committed in the prior year.

One of those pertained to FBI agents not establishing an attorney-client review team for people who had been indicted, as mandated by the FBI’s minimization procedures.

In his section on attorney-client review team violations, Hogan describes violations in all four of the Quarterly Reports submitted since the previous 702 certification process: December 19, 2014, March 20, 2015, June 19, 2015, and September 18, 2015. He also cites three more Preliminary Compliance Reports that appear not to be covered in that September 18, 2015 report: one on September 9, 2015, one on October 5, 2015, and one on October 8, 2015. His further discussion describes the government claiming at a hearing on October 8 to discuss the issue that, thanks to a new system FBI had deployed to address the problem, “additional instances of non-compliance with the review team requirement were discovered by the time of the October 8 Hearing.”

But as Hogan notes in his November 2015 opinion, FBI discovered a lot of these issues because FBI had had a similar problem the previous year and he required them to review for it closely in his 2014 order. A July 30, 2014 letter submitted as part of the recertification process describes two instances in depth: one noticed in February 2014 and reported in the March Quarterly report, and one noticed in April and reported in the June 2014, each involving multiple accounts. A footnote to that discussion admits “there have been additional, subsequent instances of this type of compliance incident.”

Set aside, for the moment, the persistence with which FBI failed to set up review teams to make sure prosecutorial teams were not reading the attorney-client conversations of indicted defendants (who are the only ones who get such protection!!!). Set aside the excuses they gave, such as that they thought this requirement — part of the legally mandatory minimization procedures — didn’t apply for sealed indictments or with targets located outside the United States.

Conservatively, this significantly redacted discussion identifies 9 examples (2 reported in Compliance Reports in 2014, at least 1 reported each in each of four quarterly Compliance report between applications, plus 3 individual compliance reports submitted after the September Compliance report) when people who have been indicted had their communications collected under Section 702, whether they were the target of the 702 directives or not.

And yet, as Patrick Toomey wrote in December, not a single defendant has gotten a Section 702 notice during the period in question.

Up until 2013, no criminal defendant received notice of Section 702 surveillance, even though notice is required by statute. Then, after reports surfaced in the New York Times that the Justice Department had misled the Supreme Court and was evading its notice obligations, the government issued five such notices in criminal cases between October 2013 and April 2014. After that, the notices stopped — and for the last 20 months, crickets.

We know both Mohamed Osman Mohamud — who received a 702 notice personally — and Bakhtiyor Jumaev — who would have secondary 702 standing via Jamshid Muhtorov, with whom he got busted — had their attorney-client communications spied on. But that wasn’t (damn well better not have been!!) 702 spying, because both parties to all those conversations were in the US.

These are 9 different defendants who’ve not yet been told they were being spied on under 702.

Why not?

The answer is probably the one Toomey laid out: that even though members of a prosecutorial team were listening in on attorney-client conversations collected under 702, DOJ made sure nothing from those conversations (or anything else collected via 702) got used in another court filing, and thereby avoided the notice requirement.

Based on what can be gleaned from the public record, it seems likely that defendants are not getting notice because DOJ is interpreting a key term of art in Fourth Amendment law too narrowly — the phrase “derived from.” Under FISA itself, the government is obliged to give notice to a defendant when its evidence is “derived from” Section 702 surveillance of the defendant’s communications. There is good reason to think that DOJ has interpreted this phrase so narrowly that it can almost always get around its own rule, at least in new cases.

It is clear from public reporting and DOJ’s filings in the ACLU’s lawsuit that it has spent years developing a secret body of law interpreting the phrase “derived from.” Indeed, from 2008 to 2013, National Security Division lawyers apparently adopted a definition of “derived” that eliminated notice of Section 702 surveillance altogether. Then, after this policy became public, DOJ came up with something else, which produced a handful of notices in existing cases.

Savage reports in Power Wars that then-Deputy Attorney General James Cole decided that Section 702 information had to have been “material” or “critical” to trigger notice to a defendant. But the book doesn’t provide any details about the legal underpinnings for this rule or, crucially, how Cole’s directive was actually implemented within DOJ. The complete absence of Section 702 notices since April 2014 suggests DOJ may well have found new ways of short-circuiting the notice requirement.

One obvious way DOJ might have done so is by deeming evidence to be “derived from” Section 702 surveillance only when it has expressly relied on Section 702 information in a later court filing — for instance, in a subsequent FISA application or search warrant application. (Perhaps DOJ’s interpretation is slightly more generous than this, but probably not by much.) DOJ could then avoid giving notice to defendants simply by avoiding all references to Section 702 information in those court filings, citing information gleaned from other investigative sources instead — even if the information from those alternative sources would never have been obtained without Section 702.

So these 9 mystery defendants don’t tell us anything new. They just give us a number — 9 — of defendants the government now has officially admitted have been spied on under 702 who have not been told that.

As I noted, Judge Hogan did not include this persistent attorney-client problem among the things he invited Amy Jeffress to review as amicus. Whether or not she would have objected to the persistent violation of FBI’s minimization procedures, a review of them would also have given her evidence from which she might have questioned FBI’s compliance with another part of 702, that defendants get notice.

But DOJ seems pretty determined to flout that requirement going forward.

Former Top Holder Aide Says Back Door Searches Violate Fourth Amendment; FISC Judge Thomas Hogan Doesn’t Care

/8 Comments/in , /by

My apologies to Amy Jeffress.

When I first realized that FISA Court Presiding Judge Thomas Hogan picked her to serve as amicus for the review of the yearly 702 certifications last year, I complained that she, not Marc Zwillinger, got selected (the pick was made in August, but Jeffress would later be picked as one of the standing amicus curiae, along with Zwillinger). After all, Zwillinger has already argued that PRISM (then authorized by Protect America Act) was unconstitutional when he represented Yahoo in its challenge of the program. He’s got experience making this precise argument. Plus, Jeffress not only is a long-time national security prosecutor and former top Eric Holder aide, but she has been involved in some actions designed to protect the Executive. I still think Zwillinger might have done a better job. But Jeffress nevertheless made what appears to be a vigorous, though unsuccessful, argument that FBI’s back door searches of US person data are unconstitutional.

A former top DOJ lawyer believes FBI’s back door queries are unconstitutional

But it says a lot that Jeffress — someone who narrowly missed being picked as Assistant Attorney General for National Security and who presumably got at least some visibility on back door searches when working with Holder — argued that FBI’s warrantless back door searches of communications collected under Section 702 is unconstitutional. (I presume it would be unethical for Jeffress to use information learned while counseling Holder in this proceeding, which might have put her in an interesting position of knowing more than she could say.)

Sadly, Hogan didn’t care. Worse, his argument for not caring doesn’t make sense. As I’ll note, not only did Hogan pick a less than optimal person to make this argument, but he may have narrowly scoped her input, which may have prevented her from raising evidence in Hogan’s own opinion that his legal conclusion was problematic.

To be clear, Jeffress was no flaming hippie. She found no problem with the NSA and CIA practice of back door searches, concluding, “that the NSA and CIA minimization procedures are sufficient to ensure that the use of U.S. person identifiers for th[e] purpose of [querying Section 702-acquired information] complies with the statutory requirements of Section 702 and with the Fourth Amendment.” But she did find the FBI practice problematic.

Jeffress’ amicus brief included at least 10 pages of discussion of her concerns with the practice, though ODNI did not release her brief and Hogan cited very limited bits of it. She argued, “the FISA process cannot be used as a device to investigate wholly unrelated ordinary crimes” and said because the queries could do so they “go far beyond the purpose for which the Section 702-acquired information is collected in permitting queries that are unrelated to national security.”

To dismiss Jeffress’ arguments, Hogan does several things. He,

  • Notes the statute requires foreign intelligence just be “a significant purpose” of the collection, and points back to the 2002 In Re Sealed Case FISCR decision interpreting the “significant purpose” language added in the PATRIOT Act to permit the use of traditional FISA information for prosecutions
  • Cites the FISA minimization procedure language that “allow[s] for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed”
  • Dismisses a former top DOJ official’s concerns about the use of FISA data for non-national security crimes as “hypothetical”
  • Doesn’t address — at all — language in the FBI minimization procedures that permits querying of data for assessments and other unspecified uses
  • Invests a lot of faith in FBI’s access and training requirements that later parts of his opinion undermine

There are several problems with his argument.

In Re Sealed Case ties “significant purpose” to the target of an interception

First, Hogan extends the scope of what the FISA Court of Review interpreted the term “significant purpose,” which got added to traditional FISA in the PATRIOT Act and then adopted in FISA Amendments Act.

Hogan cites the FISCR decision in In Re Sealed Case to suggest it authorized the use of information against non-targets of surveillance. He does so by putting the court’s ultimate decision after caveats it uses to modify that. “The Court of Review concluded that it would be an “anomalous reading” of the “significant purpose” language of 50 U.S.C. § 1804(a)(6)(B) to allow the use of electronic surveillance in such a case. See id. at 736. The Court nevertheless stressed, however, that “[s]o long as the government entertains a realistic option of dealing with the agent other than through criminal prosecution that it satisfies the significant purpose test.”

But that’s not what FISCR found. Here’s how that reads in the original, with Hogan’s citations emphasized.

On the one hand, Congress did not amend the definition of foreign intelligence information which, we have explained, includes evidence of foreign intelligence crimes. On the other hand, Congress accepted the dichotomy between foreign intelligence and law enforcement by adopting the significant purpose test. Nevertheless, it is our task to do our best to read the statute to honor congressional intent. The better reading, it seems to us, excludes from the purpose of gaining foreign intelligence information a sole objective of criminal prosecution. We therefore reject the government’s argument to the contrary. Yet this may not make much practical difference. Because, as the government points out, when it commences an electronic surveillance of a foreign agent, typically it will not have decided whether to prosecute the agent (whatever may be the subjective intent of the investigators or lawyers who initiate an investigation). So long as the government entertains a realistic option of dealing with the agent other than through criminal prosecution, it satisfies the significant purpose test.

The important point is–and here we agree with the government–the Patriot Act amendment, by using the word “significant,” eliminated any justification for the FISA court to balance the relative weight the government places on criminal prosecution as compared to other counterintelligence responses. If the certification of the application’s purpose articulates a broader objective than criminal prosecution–such as stopping an ongoing conspiracy–and includes other potential non-prosecutorial responses, the government meets the statutory test. Of course, if the court concluded that the government’s sole objective was merely to gain evidence of past criminal conduct–even foreign intelligence crimes–to punish the agent rather than halt ongoing espionage or terrorist activity, the application should be denied.

The government claims that even prosecutions of non-foreign intelligence crimes are consistent with a purpose of gaining foreign intelligence information so long as the government’s objective is to stop espionage or terrorism by putting an agent of a foreign power in prison. That interpretation transgresses the original FISA. It will be recalled that Congress intended section 1804(a)(7)(B) to prevent the government from targeting a foreign agent when its “true purpose” was to gain non-foreign intelligence information–such as evidence of ordinary crimes or scandals. See supra at p.14. (If the government inadvertently came upon evidence of ordinary crimes, FISA provided for the transmission of that evidence to the proper authority. 50 U.S.C. § 1801(h)(3).) It can be argued, however, that by providing that an application is to be granted if the government has only a “significant purpose” of gaining foreign intelligence information, the Patriot Act allows the government to have a primary objective of prosecuting an agent for a non-foreign intelligence crime. Yet we think that would be an anomalous reading of the amendment. For we see not the slightest indication that Congress meant to give that power to the Executive Branch. Accordingly, the manifestation of such a purpose, it seems to us, would continue to disqualify an application. That is not to deny that ordinary crimes might be inextricably intertwined with foreign intelligence crimes. For example, if a group of international terrorists were to engage in bank robberies in order to finance the manufacture of a bomb, evidence of the bank robbery should be treated just as evidence of the terrorist act itself. But the FISA process cannot be used as a device to investigate wholly unrelated ordinary crimes.

Hogan ignores three key parts of this passage. First, FISCR’s decision only envisions the use of evidence against the target of the surveillance, not against his interlocutors, to in some way neutralize him. Any US person information collected and retained under 702 is, by definition, not the targeted person (whereas he or she might be in a traditional FISA order). Furthermore, FBI’s queries of information collected under 702 will find and use information that has nothing to do with putting foreign agents in prison — that is, to “investigate wholly unrelated ordinary crimes,” which FISCR prohibited. Finally, by searching data that may be years old for evidence of a crime, FBI is, in effect, “gaining evidence of past criminal conduct” — itself prohibited by FISCR — of someone who isn’t even the target of the surveillance.

Hogan only treats querying for criminal purposes

Having, in my opinion, expanded on what FISCR authorized back in 2002, Hogan then ignores several parts of what FBI querying permits.

Here’s (some of) the language FBI added to its minimization procedures, at the suggestion of PCLOB, to finally, after 8 years, fully disclose what it was doing to the FISC.

It is a routine and encouraged practice for FBI to query databases containing lawfully acquired information, including FISA-acquired information, in furtherance of the FBI’s authorized intelligence and law enforcement activities, such as assessments, investigations and intelligence collection. Section III.D governs the conduct of such queries. Examples of such queries include, but are not limited to, queries reasonably designed to identify foreign intelligence information or evidence of a crime related to an ongoing authorized investigation or reasonably designed queries conducted by FBI personnel in making an initial decision to open an assessment concerning a threat to national security, the prevention or protection against a Federal crime, or the collection of foreign intelligence, as authorized by the Attorney General Guidelines. These examples are illustrative and neither expand nor restrict the scope of the queries authorized in the language above.

This language makes clear FBI may do back door searches for:

  • To identify foreign intelligence information
  • To identify evidence of a crime related to an ongoing investigation
  • To decide whether to open an assessment concerning a threat to national security, the prevention or protection against a Federal crime, or the collection of foreign intelligence
  • Other things, because FBI’s use of such queries “are not limited to” these uses

Given Hogan’s stingy citations from Jeffress’ brief, it’s unclear how much of these things she addressed (or whether she was permitted to introduce knowledge gained from having worked closely with Eric Holder when these back door searches were being formalized).

Read more

FBI’s Back Door Searches: Explicit Permission … and Before That

/1 Comment/in /by

I have written numerous times about the timing of authorization for FBI to do back door searches. There’s a passage of the November 6, 2015 FISC opinion finding those searches to be constitutional that some have taken to clearly date the authority. But I believe the (unredacted sections of the) passage are being misread.

As Judge Thomas Hogan describes, “Queries by FBI personnel of Section 702-acquired data…

Screen Shot 2016-04-20 at 8.53.44 PM

As the unredacted parts of the section make clear, queries for both foreign intelligence information or evidence of a crime “have been explicitly permitted by the FBI Minimization Procedures since 2009.” [my emphasis] The footnote goes onto describe how Minimization Procedures approved by Attorney General Mukasey on October 22, 2008 and submitted on some redacted date were approved by an opinion issued on April 7, 2009.

Already, that’s a curious set of details. If the minimization procedures were approved in October 2008, normally they’d be submitted close to right away, though it’s not clear that that happened. But why bother, given that FISC had just approved FAA certifications on September 4 (this timing resembles what had happened earlier that year, when the government significantly changed the program within days of getting certificates approved)?  In any case, James Clapper’s censors want to hide what those dates were. One likely reason they might have done so would be to hide the dates from defendants, including a few of the ones challenging 702. Another would be to obscure how the approval process went after passage of FISA Amendments Act, specifically given that the FISA Court of Review finalized its Yahoo opinion in August of that year, in which it relied on DOJ’s promise that “there is no database” of incidentally collected US person information.

There Is No Database

But two other things suggest that’s not the end of the story. First, the use of “explicitly” suggests there may have been a period before FISC approved the minimization procedures when such a practice was approved but perhaps not explicitly. Perhaps that simply refers to that lag period, between the time Mukasey approved those minimization procedures and the time FISC approved them.

But then there’s that redacted paragraph (the next footnote, 25, starts after it). Hogan adds something to his discussion beyond his description of the explicit approval of those minimization procedures.

As I have pointed out, Mukasey (writing with then Director of National Intelligence Mike McConnell, who would also have to approve any PRISM minimization procedures) made it clear in response to a Russ Feingold amendment of FISA Amendments Act in February of 2008 that they intended to spy in Americans under PRISM.

So it sure seems likely the Administration at the very least had FBI back door searches planned, if not already in the works, well before FISC approved the minimization procedures in 2009. That’s probably what Hogan explained in that paragraph, but James Clapper apparently believes it would be legally inconvenient to mention that.