Last July, NSA and CIA Decided They Didn’t Have to Follow Minimization Procedures, and Judge Hogan Is Cool with That

/9 Comments/in /by

Yesterday, I Con the Record released three FISA Court opinions from last year. This November 6, 2015 opinion, authorizing last year’s Section 702 certifications, has attracted the most attention, both for its list of violations (including the NSA’s 3rd known instance of illegal surveillance) and for the court’s rejection of amicus Amy Jeffress’ argument that FBI’s back door searches are not constitutional. I’ll return to both issues.

I’m surprised, however, that this passage hasn’t generated more attention.

The NSA and CIA Minimization Procedures included as part of the July 15, 2015 Submission each contain new language stating that “[n]othing in these procedures shall prohibit the retention, processing, or dissemination of information reasonably necessary to comply with specific constitutional, judicial, or legislative mandates.” See NSA Minimization Procedures at 1; CIA Minimization Procedures at 4-5. These provisions were not included in the draft procedures that were submitted to the Court in June 2015, but appear to have been added by the government thereafter. They are not discussed in the July 15, 2015 Memorandum.

So basically, NSA and CIA just slipped in language suggesting that they can blow off minimization procedures mandated by Congress, without prior explanation (which is highly unusual in FISA process). The language reminds me of the language NSA used in Intelligence Oversight Board reports to cover up for Stellar Wind. Or the language John Yoo used in his letter to Colleen Kollar-Kotelly saying that FISC couldn’t bind the President.

Thomas Hogan was, to some degree, suitably shocked by this. After laying out how much detail goes into minimization procedures, he said,

A provision that would allow the NSA and CIA to deviate from any of these restrictions based un unspecified “mandates” could undermine the Court’s ability to find the procedures satisfy the above-described statutory requirement.

Ya think?!?!

Hogan then went on to suggest — based on what evidence, he doesn’t say — that the NSA and CIA will only use this language sparingly because the NCTC, which apparently has similar language in their minimization procedures, claimed they’d only use it sparingly.

It appears, however, that the government does not intend to apply these provisions as broadly as their language would arguably permit. In 2012, the government proposed a similar provision as part of minimization procedures to be applied by NCTC in handling certain unminimized terrorism-related information acquired by FBI pursuant to other provisions of FISA. In requesting approval of a provision that would allow NCTC personnel to deviate from other requirements of its minimization procedures when “reasonably necessary to comply with specific constitutional, judicial, or legislative mandates,” the government asserted that “Executive Branch orders or directives will not trigger this provision, nor will general Congressional directives that are not specific to information NCTC receives pursuant to this motion. [citation removed] The Court approved the NCTC minimization procedures with the understanding that this provision would be applied sparingly.The Court described the provision as permitting NCTC personnel to “retain, process or disseminate information when reasonably necessary to fulfill specific legal requirements” and compared it to a more narrowly-drafted provision of separate procedures that permits CIA to retain or disseminate information that is “required by law to be retained or disseminated.”

This language, which if I’m counting correctly, is now in everyone’s minimization procedures but FBI’s, is alarming enough in the NCTC context, which will only get counterterrorism information and that only via FBI.

But CIA and NSA get raw data. Shit-tons of it. Which makes the scale of such language pretty damned alarming.

Having thus assumed the NCTC example is decent precedent for the NSA and CIA adoption, Hogan then does something else amazing. He relies on “informal communications.”

The Court understands based on informal communications between Court staff and attorneys for the government that NSA and CIA intend to apply the similar provisions at issue here in the same narrow manner. In any case, to avoid a deficiency under the above-described definition of “minimization procedures” the Court must construe the phrase “specific constitutional, judicial, or legislative mandates” to include only those mandates containing language that clearly and specifically requires action in contravention of an otherwise-applicable provision of the requirement of the minimization procedures. Such clear and specific language, for instance, might be found in a court order requiring the government to preserve a particular target’s communications beyond the date when they would otherwise be subject to age-off under the minimization procedures. On the other hand, these provisions should not be interpreted as permitting an otherwise prohibited retention or use of information simply because that retention of use could assist the government in complying with a general statutory requirement, such as those stated at 50 U.S.C. § 1881a(b).

This is batshit insane! The court has for years, fought, often unsuccessfully, to keep NSA within the scope of the law as interpreted in minimization procedures. The government slipped in a provision basically saying, if we decide we don’t have to follow minimization procedures mandated by law, we won’t. And Hogan hasn’t required written explanation for why the agencies need this?!?!?!

Hogan does it again in a footnote suggesting the government “may” use this provision to share data with Congress.

The Court understands that the government may have added these new provisions to clarify that information acquired under Section 702 may be shared with Members of Congress or Congressional committees in connection with Congressional oversight of the program. If so, the Court would urge the government to consider replacing these broadly-worded provisions with language that is narrowly tailored to that purpose.

Hey Judge Hogan? The law requiring you approve these minimization procedures and NSA follow them? That law comes from Congress. If Congress needs NSA to start sharing raw data with it (!!!!), then it can change the law. At the very least, don’t you owe your independent branch of government — and the American people — more certainty than that this may explain this alarming provision?

But no. Hogan required nothing in writing. He did require reporting on how NSA and CIA use it. I’m not sure how that’ll be effective when President Trump decides he can pass an Executive Order requiring NSA to keep all the US person data it collects but not tell FISC about it, because the order they report on this to him is part of the minimization procedures they say they can blow off.

And note this is not one of the two areas that Hogan asked amicus Amy Jeffress to weigh in on. Apparently this is either not a “novel or significant interpretation of the law” requiring amicus review or Hogan didn’t include it because it didn’t get included in the June draft, which is when he decided this should have amicus review.

There’s a lot that’s troubling in this opinion. But the most troubling is that the presiding Judge of the FISC court just rubber-stamped NSA and CIA blowing off entirely the minimization procedures that are the core of the FISC’s leverage over the government.

SS7 and NSA’s Redundant Spying

/9 Comments/in , , /by

SS7 countermeasuresOn Sunday, 60 Minutes brought attention to an issue first exposed by researchers some years back: the ease with which people can use the SS7 system that facilitates global mobile phone interoperability to spy on you.

Sharyn Alfonsi: If you just have somebody’s phone number, what could you do?

Karsten Nohl: Track their whereabouts, know where they go for work, which other people they meet when– You can spy on whom they call and what they say over the phone. And you can read their texts.

60 Minutes was smart in that they got Congressman Ted Lieu to agree to be targeted.

Congressman Lieu didn’t have to do anything to get attacked.

All Karsten Nohl’s team in Berlin needed to get into the congressman’s phone was the number. Remember SS7 –that little-known global phone network we told you about earlier?

Karsten Nohl: I’ve been tracking the congressman.

[snip]Sharyn Alfonsi: Are you able to track his movements even if he moves the location services and turns that off?

Karsten Nohl: Yes. The mobile network independent from the little GPS chip in your phone, knows where you are. So any choices that a congressman could’ve made, choosing a phone, choosing a pin number, installing or not installing certain apps, have no influence over what we are showing because this is targeting the mobile network. That of course, is not controlled by any one customer.

[snip]

Sharyn Alfonsi: What is your reaction to knowing that they were listening to all of your calls?

Rep. Ted Lieu: I have two. First, it’s really creepy. And second, it makes me angry.

Sharyn Alfonsi: Makes you angry, why?

Rep. Ted Lieu: They could hear any call of pretty much anyone who has a smartphone. It could be stock trades you want someone to execute. It could be calls with a bank.

Karsten Nohl’s team automatically logged the number of every phone that called Congressman Lieu — which means there’s a lot more damage that could be done than just intercepting that one phone call.

So now Lieu is furious — and pushing House Oversight Committee to conduct an investigation into SS7’s vulnerabilities.

Of course, it’s probably best to think of SS7’s vulnerabilities not as a “flaw,” as 60 Minutes describes it, but a feature. The countries that collectively aren’t demanding change are also using this vulnerability to spy on their subjects and adversaries.

But the fact that Lieu — who really is one of the smartest Members of Congress on surveillance issues — is only now copping onto the vulnerabilities with SS7 suggests how stunted our debate over dragnet surveillance was and is. For two years, we debated how to shut down the Section 215 dragnet, which collected a set of phone records that was significantly redundant with what we collected “overseas” — though in fact the telecoms’ production of such records was mixed together until 2009, suggesting for years Section 215 probably served primarily as legal cover, not the actual authorization for the collection method used. We had very credulous journalists talking about what a big gap in cell phone records NSA faced, in part because FISC frowned on letting NSA collect location data domestically. Yet all the while (as some smarter commenters here have said), NSA was surely exploiting SS7 to collect all the cell phone records it needed, including the location data. Members of Congress like Lieu — on neither the House Intelligence (which presumably has been briefed) or the House Judiciary Committees — would probably not get briefed on the degree to which our intelligence community thrives on using SS7’s vulnerabilities.

What I find perhaps most interesting about this new flurry of attention on SS7 is that the researchers behind it were hired by some “international telecoms” to find ways to improve security sometime in advance of December 2014 (when they first presented their work). The original CCC presentation on this vulnerability (see after 40:00) included a general discussion of what cell phone providers could do to increase the security of their users (see above). 60 Minutes noted that some US providers were doing more than others.

The NSA presumably could and did use entirely SS7 collection for cell phones — especially US based ones — until such time as domestic providers started making them less accessible (and once they were unaccessible overseas, then subject to legal process, though even some of the countermeasures would still leave a US user exposed to other US providers). That needs to be understood (should have been, before the passage of USA Freedom) to really understand the degree to which Congress has any influence over the NSA.

Apple’s Spiking National Security Requests Could Reflect USA Freedom Compliance

/2 Comments/in /by

A number of outlets are pointing to an alarming spike in Apple’s national security requests, as reflected in its privacy numbers (though I think they are exaggerating the number). Here’s what the numbers look like since it began reporting national security requests. [I’ll put this in a table later, but I’m trying to get this done in the last window I’ll have for a while.]

Orders received, accounts affected

1H 2013: 0-249, 0-249

2H 2013: 0-249, 0-249

1H 2014: 0-249, 0-249

2H 2014: 250-499, 0-249

1H 2015: 750-999, 250-499

2H 2015: 1250-1499, 1000-1249

As you can see, Apple’s numbers were already rising from a baseline of 0-249 for both categories in the second half of 2014 (not incidentally when encryption became default), though really started to grow the first half of last year. Where the request-to-number-of-accounts affected ratio has differed, it shows more requests received than accounts affected, suggesting either that Apple is getting serial requests (first iMessage metadata, then content), or that the authorities are renewing requests — say, after a 90-day 215 order expires (though Apple reiterates in this report that they have never received a bulk order, so they are presumably, but not definitely, not the additional bulk provider that appears to have shown up in the June 29 order last year. The number of requests may have doubled or even nearly tripled in the reporting reflecting the first half of last year, and may have almost doubled again, but it appears that Apple continues to get multiple orders affecting the same account.

In other words, this appears to be a spike in the number of accounts affected, accompanied by a more gradual spike in the orders received, but it follows on what could be a straight doubling of both categories from the prior period.

It appears Apple is reporting under paragraph 3 reporting, described as follows.

(3) A semiannual report that aggregates the number of orders, directives, or national security letters with which the
person was required to comply in the into separate categories of–

(A) the total number of all national security process received, including all national security letters, and orders or directives under this Act, combined, reported in bands of 250 starting with 0-249;
and

(B) the total number of customer selectors targeted under all national security process received, including all national security letters, and orders or directives under this Act, combined, reported in bands of 250 starting with 0-249.

[snip]

(2) A report described in paragraph (3) of subsection (a) shall include only information relating to the previous 180 days.

That should work out to the same reporting method they were using, provided there was no 2-year delay in reporting of a new kind of production, which doesn’t appear to have happened.

One possible explanation of what’s partly behind the increase is that the more recent number reflects USA Freedom Act collection. USAF became law on June 2, with the new 2-hop production going into effect on November 29. Marco Rubio made it clear last year that USAF extended the 2-hop collection to “a large number of companies.” The Intelligence Authorization made it clear a fair number of companies would be covered by it as well. In its discussion of what kind of responses it gave to San Bernardino requests Apple said they got legal process.

Especially given that Apple is a “phone company,” it seems highly likely the government included iMessage data in its roll out of the expanded program (which, multiple witnesses have made clear, was functioning properly in time for the December 2 San Bernardino attack). So it’s quite possible what look to be 500 first-time requests are USAF’s new reporting, though that would seem to be a very high number of requests for the first month of the program.

Probably, the bulk of the increase is from something else, perhaps PRISM production, because iMessage is an increasing part of online communication. Apple’s numbers are still far below Google’s (though Yahoo’s had a big drop off in this reporting period). But it would make sense as more people use iMessage, it will increase Apple’s PRISM requests.

Update: This post has been updated to better reflect my understanding of how this reporting and the new production work.

The Obama Administration Almost Doubled Down on Yoo’s Illegality

/4 Comments/in , /by

Over at JustSecurity the other day, ACLU’s Patrick Toomey argued that the Administration’s current interpretation of FISA — especially its embrace of upstream surveillance — means the Obama Administration has gone beyond John Yoo’s thinking on surveillance as exhibited in his May 17, 2002 letter to FISC judge Colleen Kollar-Kotelly.

Perhaps most remarkably, however, the Obama Justice Department has pressed legal theories even more expansive and extreme than Yoo himself was willing to embrace. Yoo rounded out his Stellar Wind memo with an effort to reassure Judge Kollar-Kotelly that the government’s legal interpretation had limits, saying: “Just to be clear in conclusion. We are not claiming that the government has an unrestricted right to examine the contents of all international letters and other forms of communication.” But that is essentially the power the NSA claims today when it conducts Upstream surveillance of Americans’ Internet communications. The NSA has installed surveillance equipment at numerous chokepoints on the Internet backbone, and it is using that equipment to search the contents of communications entering or leaving the country in bulk. As the ACLU recently explained in Wikimedia v. NSA, this surveillance is the digital analogue of having a government agent open every letter that comes through a mail processing center to read its contents before determining which letters to keep. In other words, today the Obama administration is defending surveillance that was a bridge too far for even John Yoo.

I’m not sure I’m convinced. After all, the Administration claims it is not examining the contents of all international letters, but rather only looking at those where selected identifiers show up in data packets. Yeah, I know it’s a bullshit argument, but they pretend that’s not searching the contents, really. Moreover we have substantial reason to believe they were doing (some) of this anyway.

But there is a curious relationship between a claim Yoo made in his letter and the Obama Administration’s views on FISA.

In the letter, Yoo writes,

FISA purports to be the exclusive means for conducting electronic surveillance for foreign intelligence, … FISA establishes criminal and civil sanctions for anyone who engages in electronic surveillance, under color of law, except as authorized by statute, warrant, or court order. 50 U.S.C. § 1809-10. It might be thought, therefore, that a warrantless surveillance program, even if undertaken to protect the national security, would violate FISA’s criminal and civil liability provisions.

Such a reading of FISA would be an unconstitutional infringement on the President’s Article II authorities. FISA can regulate foreign intelligence surveillance only to the extent permitted by the Constitution’s enumeration of congressional authority and the separation of powers.

[snip]

[A]s we explained to Congress during the passage of the Patriot Act, the ultimate test of whether the government may engage in foreign surveillance is whether the government’s conduct is consistent with the Fourth Amendment, not whether it meets FISA.

This is especially the case where, as here, the executive branch possess [sic] the inherent constitutional power to conduct warrantless searches for national security purposes.

Effectively, Yoo is saying that even if they blow off FISA, they will be immune from the penalties under 50 USC §1809-10 so long as what they were doing fulfilled the Fourth Amendment, including an expansive reading of special needs that Yoo lays out in his memo. (Note, this was explained in the DOJ Stellar Wind IG Report — starting at PDF 47 — but this letter makes it more clear.)

As a reminder, on two occasions, John Bates disagreed with that interpretation, first in 2010 when he ruled NSA couldn’t continue to access the five years of data it overcollected under the PRTT Internet dragnet, and then again in 2011 when he said the government couldn’t disseminate the illegally collected upstream data (and Vaughn Walker disagreed in a series of rulings in the Al Haramain case in 2010, though the 9th Circuit partially overturned that in 2012). We know, thanks to Snowden, that the government considered appealing the order. And in his summary of the resolution of this issue, Bates made it clear that the government’s first response was to say that limits on illegally collected data don’t apply.

However, issues remained with respect to the past upstream collection residing in NSA’s databases. Because NSA’s upstream collection almost certainly included at least some acquisitions constituting “electronic surveillance” within the meaning of 50 U.S.C. § 1801 (f), any overcollection resulting from the government’s misrepresentation of the scope of that collection implicates 50 U.S.C. § 1809(a)(2). Section 1809(a)(2) makes it a crime to “disclose[] or use[] information obtained under color of law by electronic surveillance, knowing or having reason to know that the information was obtained through electronic surveillance not authorized” by statute. The Court therefore directed the government to make a written submission addressing the applicability of Section 1809(a), which the government did on November 22, 2011. See [redacted — probably a reference to Bates’ July 2010 opinion], Oct. 13, 2011 Briefing Order, and Government’s Response to the Court’s Briefing Order of Oct. 13, 2011 (arguing that Section 1809(a)(2) does not apply).

Ultimately, though, the government not only (said it) destroyed the illegal upstream data, but claims to have destroyed all its PRTT data in a big rush (so big a rush it didn’t have time to let NSA’s IG certify the intake collection of data).

And it replaced that PRTT program by searching data under SPCMA it claimed to have collected legally … somewhere.

I don’t pretend to understand precisely went on in those few weeks in 2011, though it’s clear that Obama’s Administration at least considered standing by the spirit of Yoo’s claim, even though the opinion itself had been withdrawn.

But I do know that at least through 2009, the government treated all its PRTT and Section 215 data as EO 12333 data, and in fact the providers appear not to have distinguished it either (more on this in upcoming days, hopefully). That is, it was collecting data with FISC sanction that it treated as data it collected outside of FISC sanction (that is, under EO 12333), and it was ignoring the rules FISC imposed.

Which leads me to wonder whether the government still doesn’t believe it remains immune from penalties laid out in FISA.

John Yoo’s Two Justifications for Stellar Wind

/7 Comments/in , /by

Because I’m a hopeless geek, I want to compare the what we can discern of the November 2, 2001 memo John Yoo wrote to authorized Stellar Wind with the letter he showed FISA Presiding Judge Colleen Kollar-Kotelly on May 17, 2002. The former is almost entirely redacted. But as I’ll show, the two appear to be substantially the same except for small variations within paragraphs (which possibly may reflect no more than citations). The biggest difference is that Yoo’s memo appears to have two pages of content not present in the letter to Kollar-Kotelly.

What follows is a comparison of every unredacted passage in the Yoo memo, every one of which appear in exactly the same form in the letter he wrote to Kollar-Kotelly.

The first unredacted line in Yoo’s memo — distinguishing between “electronic surveillance” covered by FISA and “warrantless searches” the President can authorize — appears in this paragraph in the letter.

FISA Safe Harbor

The line appears on page 7 of Yoo’s memo, but page 5 of his letter (which also includes some foofy introductory language for Kollar-Kotelly). That says there’s already 2 pages of information in Yoo’s memo that doesn’t appear in the letter. Yoo’s description of the surveillance program in the letter to Kollar-Kotelly is actually fairly short (and written entirely in the conditional voice), so there may be more of that in the actual memo. Also, anything that didn’t involve electronic surveillance — such as the collection of financial data — would not necessarily be relevant to FISC. But as I argue below, it’s also possible Yoo made claims about executive power in those two paragraphs that he rewrote as a two-page addition to for Kollar-Kotelly’s benefit.

The next unredacted passage in the memo consists of the first sentences of these two paragraphs.

Screen Shot 2016-04-05 at 5.34.32 PM

They appear on page 9 of Yoo’s memo and page 7 of the letter, and it appears that the space in between the two is consistent — suggesting that the interim content remains the same.

The next unredacted passage appears on page 12 of Yoo’s memo, page 10 of the letter.

FISA Restrict

While the general pagination still seems to be roughly tracking (again, suggesting the interim content is at least similar), the spacing of this paragraph is clearly different (note how the sentence begins in a different place in the column), suggesting Yoo may have made an even stronger defense of inherent authority in his memo, or perhaps that OLC has precedents for such a claim that Yoo thought inappropriate to share with the FISC. It’s possible this and later paragraph spacing differences arise from classification marks at the beginning of each paragraph, except the passages from the beginning of paragraphs seem to match up more closely than those from the middle of them.

Screen Shot 2016-04-05 at 7.30.51 PM

The next unredacted passage, on page 17 of Yoo’s memo and 15 of the letter, extend the claim that Congress can’t limit the President’s use of pen registers used to defend the nation. That’s followed closely by Yoo’s shift to arguing that intelligence gathering “in direct support” of military operations does not trigger the Fourth Amendment.

Intel Military Ops

Read more

DOJ Claims the Cybersecurity Related OLC Memo Is Also A Stellar Wind Memo

/1 Comment/in , , /by

I’ve written a bunch of times about an OLC memo Ron Wyden keeps pointing to, suggesting it should be declassified so we all can know what outrageous claims DOJ made about common commercial service agreements. Here’s my most complete summary from Caroline Krass’ confirmation process:

Ron Wyden raised a problematic OLC opinion he has mentioned in unclassified settings at least twice in the last year (he also wrote a letter to Eric Holder about it in summer 2012): once in a letter to John Brennan, where he described it as “an opinion that interprets common commercial service agreements [that] has direct relevance to ongoing congressional debates regarding cybersecurity legislation.” And then again in Questions for the Record in September.

Having been ignored by Eric Holder for at least a year and a half (probably closer to 3 years) on this front and apparently concerned about the memo as we continue to discuss legislation that pertains to cybersecurity, he used Krass’ confirmation hearing to get more details on why DOJ won’t withdraw the memo and what it would take to be withdrawn.

Wyden: The other matter I want to ask you about dealt with this matter of the OLC opinion, and we talked about this in the office as well. This is a particularly opinion in the Office of Legal Counsel I’ve been concerned about — I think the reasoning is inconsistent with the public’s understanding of the law and as I indicated I believe it needs to be withdrawn. As we talked about, you were familiar with it. And my first question — as I indicated I would ask — as a senior government attorney, would you rely on the legal reasoning contained in this opinion?

Krass: Senator, at your request I did review that opinion from 2003, and based on the age of the opinion and the fact that it addressed at the time what it described as an issue of first impression, as well as the evolving technology that that opinion was discussing, as well as the evolution of case law, I would not rely on that opinion if I were–

Wyden: I appreciate that, and again your candor is helpful, because we talked about this. So that’s encouraging. But I want to make sure nobody else ever relies on that particular opinion and I’m concerned that a different attorney could take a different view and argue that the opinion is still legally valid because it’s not been withdrawn. Now, we have tried to get Attorney General Holder to withdraw it, and I’m trying to figure out — he has not answered our letters — who at the Justice Department has the authority to withdraw the opinion. Do you currently have the authority to withdraw the opinion?

Krass: No I do not currently have that authority.

Wyden: Okay. Who does, at the Justice Department?

Krass: Well, for an OLC opinion to be withdrawn, on OLC’s own initiative or on the initiative of the Attorney General would be extremely unusual. That happens only in extraordinary circumstances. Normally what happens is if there is an opinion which has been given to a particular agency for example, if that agency would like OLC to reconsider the opinion or if another component of the executive branch who has been affected by the advice would like OLC to reconsider the opinion they will  come to OLC and say, look, this is why we think you were wrong and why we believe the opinion should be corrected. And they will be doing that when they have a practical need for the opinion because of particular operational activities that they would like to conduct. I have been thinking about your question because I understand your serious concerns about this opinion, and one approach that seems possible to me is that you could ask for an assurance from the relevant elements of the Intelligence Community that they would not rely on the opinion. I can give you my assurance that if I were confirmed I would not rely on the opinion at the CIA.

Wyden: I appreciate that and you were very straightforward in saying that. What concerns me is unless the opinion is withdrawn, at some point somebody else might be tempted to reach the opposite conclusion. So, again, I appreciate the way you’ve handled a sensitive matter and I’m going to continue to prosecute the case for getting this opinion withdrawn.

The big piece of news here — from Krass, not Wyden — is that the opinion dates to 2003, which dates it to the transition period bridging Jay Bybee/John Yoo and Jack Goldsmith’s tenure at OLC, and also the period when the Bush Administration was running its illegal wiretap program under a series of dodgy OLC opinions. She also notes that it was a memo on first impression — something there was purportedly no law or prior opinion on — on new technology.

Back in November, ACLU sued to get that memo. The government recently moved for summary judgment based on the claim that a judge in DC rejected another ACLU effort to FOIA the document, which is a referral to ACLU’s 2006 FOIA lawsuit for documents underlying what was then called the “Terrorist Surveillance Program” and which we now know as Stellar Wind. Here’s the key passage of that argument.

The judgment in EPIC precludes the ACLU’s claim here. First, EPIC was an adjudication on the merits that involved the district court’s reviewing in camera the same document that is at issue in this litigation, and granting summary judgment to the government after finding that the government had properly asserted Exemptions One, Three, and Five – the same exemptions asserted here – to withhold the document. See Colborn Decl. ¶ 13; EPIC, 2014 WL 1279280, at *1. Second, the ACLU was a plaintiff in EPIC. Id. Finally, the claims asserted in this action were, or could have been, asserted in EPIC. The FOIA claim at issue in EPIC arose from a series of requests that effectively sought all OLC memoranda concerning surveillance by Executive Branch agencies directed at communications to or from U.S. citizens.2at See id.  Even if the ACLU did not know that this specific memorandum was included among the documents reviewed in camera by the EPIC court, the ACLU had a full and fair opportunity to make any and all arguments in seeking disclosure of that document. Indeed, in EPIC, the government’s assertion of exemptions received the highest level of scrutiny available to a plaintiff in FOIA litigation—the district court issued its decision after reviewing the document in camera and determining that the government’s assertions of Exemptions One, Three, and Five were proper. Colborn Decl. ¶ 13. The ACLU’s claim in this lawsuit is therefore barred by claim preclusion.

2 One of the FOIA requests at issue in EPIC sought “[a]ll memoranda, legal opinions, directives or instructions from [DOJ departments] issued between September 11, 2001, and December 21, 2005, regarding the government’s legal authority for surveillance activity, wiretapping, eavesdropping, and other signals intelligence operations directed communications to or from U.S. citizens.” Elec. Privacy Information Ctr. v. Dep’t of Justice, 511 F. Supp. 2d 56, 63 (D.D.C. 2007).

Wyden just sent a letter to Loretta Lynch disputing some claim made in DOJ’s memorandum of law.

I encourage you to direct DOJ officials to comply with the pending FOIA request.

Additionally, I am greatly concerned that the DOJ’s March 7, 2016 memorandum of law contains a key assertion which is inaccurate. This assertion appears to be central to the DOJ’s legal arguments, and I would urge you to take action to ensure that this error is corrected.

I am enclosing a classified attachment which discusses this inaccurate assertion in more detail.

Here are some thoughts about what the key inaccurate assertion might be:

ACLU never had a chance to argue for this document as a cybersecurity document

Even the section I’ve included here pulls a bit of a fast one. It points to EPIC’s FOIA request (these requests got consolidated), which asked for OLC memos in generalized fashion, as proof that the plaintiffs in the earlier suit had had a chance to argue for this document.

But ACLU did not. They asked for “legal reviews of [TSP] and its legal rationale.” In other words, back in 2006 and back in 2014, ACLU was focused on Stellar Wind, not on cybersecurity spying (which Wyden has strongly suggested this memo implicates). So they should be able to make a bid for this OLC memo as something affecting domestic spying for a cybersecurity purpose.

DOJ claimed only Wyden had commented publicly about the document, not Caroline Krass

DOJ makes a preemptive effort to discount the possibility that Ron Wyden’s repeated efforts to draw attention to this document might constitute new facts for the ACLU to point to to claim they should get the document.

Nor is there any evidence the memorandum has been expressly adopted as agency policy or publicly disclosed. Colborn Decl. ¶¶ 23-24. Although the ACLU’s complaint points to statements about the document by Senator Wyden, he is not an Executive Branch official, and his statements cannot effect any adoption or waiver

[snip]

The ACLU may argue that statements made by Senator Ron Wyden regarding the document, including in letters to the Attorney General, constitute new facts or changed circumstances. See Compl. ¶ 2 (“In letters sent to then–Attorney General Eric Holder, Senator Wyden suggested that the executive branch has relied on the Opinion in the past and cautioned that the OLC’s secret interpretation could be relied on in the future as a basis for policy.”). But such statements do not constitute new facts or changed circumstances material to the ACLU’s FOIA claim because they do not evince any change of the Executive Branch’s position vis-à-vis the document or otherwise affect its status under FOIA. See Drake, 291 F.3d at 66; Am. Civil Liberties Union, 321 F. Supp. 2d at 34. As the Senator is not an Executive Branch official, his statements about the document do not reflect the policy or position of any Executive Branch agency. See Brennan Center v. DOJ, 697 F.3d 184, 195, 206 (2d Cir. 2012); Nat’l Council of La Raza v. DOJ, 411 F.3d 350, 356-59 (2d Cir. 2005); infra at 11-12. Senator Wyden’s statements are simply not relevant to whether the document has been properly withheld under Exemptions One, Three, and Five, and do not undermine the applicability of any of those exemptions. Additionally, the Senator has made similar statements regarding the document at issue in letters sent during at least the last four years. Compl. ¶ 2. Thus, the Senator’s statements regarding the document are not new facts since they were available to Plaintiffs well before the district court ruled in EPIC.

That’s all well and good. But the entire discussion ignores that then Acting OLC head and current CIA General Counsel Caroline Krass commented more extensively on the memo than anyone ever has on December 17, 2013 (see my transcript above). This is a still-active memo, but the then acting OLC head said this about the memo in particular.

I have been thinking about your question because I understand your serious concerns about this opinion, and one approach that seems possible to me is that you could ask for an assurance from the relevant elements of the Intelligence Community that they would not rely on the opinion. I can give you my assurance that if I were confirmed I would not rely on the opinion at the CIA.

That seems to be new information from the Executive branch (albeit before the March 31, 2014, final judgment in that other suit).

I’d say this detail is the most likely possibility for DOJ’s inaccuracy, except that Krass’ comments are in the public domain, and have been been written about by other outlets. It wouldn’t seem that Wyden would need to identify this detail in secret.

(I think it’s possible some of the newly declassified language in Stellar Wind materials may be relevant to, but I will have to return to that.)

The document may be a different document

DOJ’s memo and the Paul Colborn declaration describe this as a March 30, 2003 memo written by John Yoo.

The withheld document is a 19-page OLC legal advice memorandum to the General Counsel of an executive branch agency, drafted at the request of the General Counsel, dated March 30, 2003 and signed by OLC Deputy Assistant Attorney General John Yoo. The memorandum was written in response to confidential communications from an executive branch client soliciting legal advice from OLC attorneys. As with all such OLC legal advice memoranda, the document contains confidential client communications made for the purpose of seeking legal advice and predecisional legal advice from OLC attorneys transmitted to an executive branch client as part of government deliberative processes. In light of the fact that the document’s general subject matter is publicly known, the identity of the recipient agency is itself confidential client information protected by the attorney-client privilege.

But their claim that ACLU has already been denied this document under FOIA is based on the claim that this document is the same document as one identified in a Steven Bradbury declaration submitted in the Stellar Wind suit. Here’s how he described the document.

DAG 42 is a 19-page memorandum, dated May 30, 2003, from a Deputy Assistant Attorney General in OLC to the General Counsel of another Executive Branch agency. This document is withheld under FOIA Exemptions One, Three, and Five.

This may be an error (if so, Bradbury is probably correct, as March 30, 2003 was a Sunday), but a document dated March 30, 2003 cannot be the same document as one dated May 30, 2003. If it’s not a simple error in dates, it may suggest that the document the DC court reviewed was a later revision, perhaps one making less outrageous claims. Moreover, as I’ll show in my post on newly learned Stellar Wind information, the change in date (as well as the confirmation that Yoo wrote the memo) make the circumstances surrounding this memo far more interesting.

Update: In Ron Wyden’s amicus in this case, he made it clear the correct date is May 30, 2003.

The document may not have been properly classified

As noted, this is a March 2003 OLC memo written by John Yoo. That’s important not just because Yoo was freelancing on certain memos at the time. But more importantly, because a memo he completed just 16 days earlier violated all guidelines on classification. Here’s what former ISOO head Bill Leonard had to say about John Yoo’s March 14, 2003 torture memo.

The March 14, 2003, memorandum on interrogation of enemy combatants was written by DoJ’s Office of Legal Counsel (OLC) to the General Counsel of the DoD. By virtue of the memorandum’s classification markings, the American people were initially denied access to it. Only after the document was declassified were my fellow citizens and I able to review it for the first time. Upon doing so, I was profoundly disappointed because this memorandum represents one of the worst abuses of the classification process that I had seen during my career, including the past five years when I had the authority to access more classified information than almost any other person in the Executive branch. The memorandum is purely a legal analysis – it is not operational in nature. Its author was quoted as describing it as “near boilerplate.”! To learn that such a document was classified had the same effect on me as waking up one morning and learning that after all these years, there is a “secret” Article to the Constitution that the American people do not even know about.

[snip]

In this instance, the OLC memo did not contain the identity of the official who designated this information as classified in the first instance, even though this is a fundamental requirement of the President’s classification system. In addition, the memo contained neither declassification instructions nor a concise reason for classification, likewise basic requirements. Equally disturbing, the official who designated this memo as classified did not fulfill the clear requirement to indicate which portions are classified and which portions are unclassified, leading the reader to question whether this official truly believes a discussion of patently unclassified issues such as the President’s Commander-in-Chief authorities or a discussion of the applicability to enemy combatants of the Fifth or Eighth Amendment would cause identifiable harm to our national security. Furthermore, it is exceedingly irregular that this memorandum was declassified by DoD even though it was written, and presumably classified, by DoJ.

Given that Yoo broke all the rules of classification on March 14, it seems appropriate to question whether he broke all rules of classification on March 30, 16 days later, especially given some squirrelly language in the current declarations about the memo.

Here’s what Colborn has to say about the classification of this memo (which I find to be curious language), after having made a far more extensive withholding argument on a deliberative process basis.

OLC does not have original classification authority, but when it receives or makes use of classified information provided to it by its clients, OLC is required to mark and treat that information as derivatively classified to the same extent as its clients have identified such information as classified. Accordingly, all classified information in OLC’s possession or incorporated into its products has been classified by another agency or component with original classifying authority.

The document at issue in this case is marked as classified because it contains information OLC received from another agency that was marked as classified. OLC has also been informed by the relevant agency that information contained in the document is protected from disclosure under FOIA by statute.

As far as the memo of law, it relegates the discussion of the classified nature of this memo to a classified declaration by someone whose identity remains secret.

As explained in the classified declaration submitted for the Court’s ex parte, in camera review,1 this information is also classified and protected from disclosure by statute.

Remember, this memo is about some secret interpretation of common commercial service agreements.  Wyden believes it should be “declassified and released to the public, so that anyone who is a party to one of these agreements can consider whether their agreement should be revised or modified.”

If this is something that affects average citizens relationships with service providers, it seems remarkable that it can, at the same time, be that secret (and remain in force). While Wyden certainly seems to treat the memo as classified, I’d really love to see whether it was, indeed, properly classified, or whether Yoo was just making stuff up again during a period when he is known to have secretly made stuff up.

In any case, given DOJ’s continued efforts to either withdraw or disclose this memo, I’d safe it’s safe to assume they’re still using it.

On the Coming Showdown over Promiscuous Sharing of EO 12333 Data

/2 Comments/in , /by

A number of outlets are reporting that Ted Lieu and Blake Farenthold have written a letter to NSA Director Mike Rogers urging him not to implement the new data sharing effort reported by Charlie Savage back in February. While I’m happy they wrote the letter, they use a dubious strategy in it: they suggest their authority to intervene comes from Congress having “granted” NSA authority to conduct warrantless collection of data.

Congress granted the NSA extraordinary authority to conduct warrantless collection of communications and other data.2

2 See Foreign Intelligence Surveillance Act and the Patriot Act.

As an initial matter, they’ve sent this letter to a guy who’s not in the chain of approval for the change. Defense Secretary Ash Carter and Attorney General Loretta Lynch will have to sign off on the procedures developed by Director of National Intelligence James Clapper; they might consult with Rogers (if he isn’t the one driving the change), but he’s out of the loop in terms of implementing the decision.

Furthermore, the Congressionally granted authority to conduct warrantless surveillance under FISA has nothing to do with the authority under which NSA collects this data, EO 12333. In his story, Savage makes clear that the change relies on the [what he called “little-noticed,” which is how he often describes stuff reported here years earlier] changes Bush implemented in the wake of passage of FISA Amendments Act. As I noted in 2014,

Perhaps the most striking of those is that, even while the White House claimed “there were very, very few changes to Part 2 of the order” — the part that provides protections for US persons and imposes prohibitions on activities like assassinations — the EO actually replaced what had been a prohibition on the dissemination of SIGINT pertaining to US persons with permission to disseminate it with Attorney General approval.

The last paragraph of 2.3 — which describes what data on US persons may be collected — reads in the original,

In addition, agencies within the Intelligence Community may disseminate information, other than information derived from signals intelligence, to each appropriate agency within the Intelligence Community for purposes of allowing the recipient agency to determine whether the information is relevant to its responsibilities and can be retained by it.

The 2008 version requires AG and DNI approval for such dissemination, but it affirmatively permits it.

In addition, elements of the Intelligence Community may disseminate information to each appropriate element within the Intelligence Community for purposes of allowing the recipient element to determine whether the information is relevant to its responsibilities and can be retained by it, except that information derived from signals intelligence may only be disseminated or made available to Intelligence Community elements in accordance with procedures established by the Director in coordination with the Secretary of Defense and approved by the Attorney General.

Given that the DNI and AG certified the minimization procedures used with FAA, their approval for any dissemination under that program would be built in here; they have already approved it! The same is true of the SPCMA — the EO 12333 US person metadata analysis that had been approved by both Attorney General Mukasey and Defense Secretary Robert Gates earlier that year. Also included in FISA-specific dissemination, the FBI had either just been granted, or would be in the following months, permission — in minimization procedures approved by both the DNI and AG — to conduct back door searches on incidentally collected US person data.

In other words, at precisely the time when at least 3 different programs expanded the DNI and AG approved SIGINT collection and analysis of US person data, EO 12333 newly permitted the dissemination of that information.

What Bush did just as he finished moving most of Stellar Wind over to FISA authorities, was to make it permissible to share EO 12333 data with other intelligence agencies under the same kind of DNI/AG/DOD approval process already in place for surveillance. They’ve already been using this change (though as I note, in some ways the new version of EO 12333 made FAA sharing even more permissive than EO 12333 sharing). And Savage’s article describes that they’ve intended to roll out this further expansion since Obama’s first term.

Obama administration has been quietly developing a framework for how to carry it out since taking office in 2009.

[snip]

Intelligence officials began working in 2009 on how the technical system and rules would work, Mr. Litt said, eventually consulting the Defense and Justice Departments. This month, the administration briefed the Privacy and Civil Liberties Oversight Board, an independent five-member watchdog panel, seeking input. Before they go into effect, they must be approved by James R. Clapper, the intelligence director; Loretta E. Lynch, the attorney general; and Ashton B. Carter, the defense secretary.

“We would like it to be completed sooner rather than later,” Mr. Litt said. “Our expectation is months rather than weeks or years.”

All of which is to say that if Lieu and Farenthold want to stop this, they’re going to have to buckle down and prepare for a fight over separation of powers, because Congress has had limited success (the most notable successes being imposition of FAA 703-705 and Section 309 of last year’s intelligence authorization) in imposing limits on EO 12333 collection. Indeed, Section 309 is the weak protection Dianne Feinstein and Mark Udall were able to get for activities they thought should be covered under FAA.

Two more points. First, I suspect such expanded sharing is already going on between NSA and DEA. I’ve heard RUMINT that DEA has actually been getting far more data since shutting down their own dragnets in 2013. The sharing of “international” narcotics trade data has been baked into EO 12333 from the very start. So it would be unsurprising to have DEA replicate its dragnet using SPCMA. There’s no sign, yet, that DEA has been included under FAA certifications (and there’s not, as far as we know, an FAA narcotics certificate). But EO 12333 sharing with DEA would be easier to implement on the sly than FAA sharing. And once you’ve shared with DEA, you might as well share with everyone else.

Finally, this imminent change is why I was so insistent that SPCMA should have been in the Brennan Center’s report on privacy implications of EO 12333 collection. What the government was doing, explicitly, in 2007 when they rolled that out was making the US person participants in internationally collected data visible. We’ve seen inklings of how NSA coaches analysts to target foreigners to get at that US person content. The implications of basing targeting off of SPCMA enabled analysis under PRISM (which we know they do because DOJ turned over the SPCMA document, but not the backup, to FISC during the Yahoo challenge), currently, are that US person data can get selected because US persons are involved and then handed over to FBI with no limits on its access. Doing so under EO 12333 will only expand the amount of data available — and because of the structure of the Internet, a great deal of it is available.

Probably, the best way to combat this change is to vastly expand the language of FAA 703-705 to over US person data collected incidentally overseas during next year’s FAA reauthorization. But it will take language like that, because simply pointing to FISA will not change the Executive’s ability to change EO 12333 — even secretly! — at will.

In Bizarre Move, Dianne Feinstein Attacks Tech Companies for Profiting Off Spying on Their Customers

/9 Comments/in , /by

Dianne Feinstein attacked PRISM providers’ use of encryption in yesterday’s Senate Judiciary Committee hearing with Loretta Lynch in really bizarre fashion.

Feinstein: Google, Microsoft, Dropbox, and other email and cloud servers use forms of encryption to protect customer data. Their encryption techniques are strong and that makes them relatively well protected against outside attack. But the reality is that many companies only protect data like your email in ways that they can still use it themselves, and profit from it. I believe that the amount of personal information in the hands of private corporations and what some of those corporations are doing with that data is concerning. Isn’t it true that private companies can encrypt data so that it is protected from outsiders but at the same time those same companies can use our personal content data to target advertisements?

Attorney General Lynch: Thank you Senator for raising this important issue. It certainly is the case that many companies — those that you mentioned and others — have strong encryption, which we think is a very positive thing, and yet retain the ability to use the data that is transmitted along their systems, both for security purposes  as well as for marketing purposes. And so it is certainly the case, as we have seen in our talks with various companies, that strong encryption can be accompanied with the ability to still access the data and use the data in relevant ways. And we think that this is something that’s part of the overall debate on this important issue as we all consider — as you have also noted — how much personal information we willingly turn over to private companies and how we want that information handled. And certainly as we continue to discuss this issues I thank you for raising them and making them part of the debate.

Feinstein: Well, thank you very much because with my own devices, and I’m not the most “hep” person when it comes to all of this [raising phone] I’ve been amazed to learn what I can’t control. And my understanding is that it’s private information like web browsing history, email content, geolocation information, even when encrypted on smart phones. So I think it is an area of concern as companies want to defy a probable cause warrant, that they can use this data for their own profit making motives, and that’s of concern.

First, let me remind you: this woman represents Silicon Valley! And yet it’s not clear precisely what she means here.

Don’t get me wrong: I’d love to have a service with the facility of Google but without all the snooping on content and location. It concerns me that Google keeps much of that information even if you opt out of most data sharing.

But why is the Ranking Member of the Collect It All Committee raising these concerns — aside from maybe just now learning how much companies have on her? Indeed, it seems there are at least three reasons why a Collect It All fan should prefer this option:

  • The proprietary information these companies collect — at least the cookies and location data — is available both with a subpoena and under PRISM. Indeed, it should provide some of the most interesting information about intelligence and law enforcement targets.
  • DiFi has just championed a bill that makes the packet sniffing DiFi claims to be concerned about — which allows Google to target us for advertising — more useful for government cybersecurity purposes, too, as Google can not only sniff for their own security purposes, but also share what they find with the government.
  • The Administration is in the middle of a campaign — successful with at least Facebook and probably with some services on Google as well — to ask tech companies to use their marketing algorithm function to disfavor ISIS propaganda and favor counter-propaganda.

In other words, DiFi should love this state of affairs!

The only explanation (aside from some recent discovery of how much of her own data these companies have) I can think of is that DiFi has learned how little data iMessage and Signal collect on people, and was supposed to complain that she is furious that companies that, by collecting so little, limit how cooperative they can be in cases of legal requests, also offer security for their customers. But she appeared to be reading from a written statement, so that doesn’t make sense either.

The only other possibility I can imagine is that the government is trying to expand its access to this proprietary information under PRISM, and providers are balking. Which would be rather interesting.

The Government Spoliationing for a Fight with EFF

/2 Comments/in , /by

On November 6, 2007, Judge Vaughn Walker issued a preservation order in EFF’s challenge to what we now know to be Stellar Wind, the Shubert case (which would be applied to the Jewel case after that). Nevertheless, in spite of that order, in 2009 the NSA started destroying evidence that it had collected data outside of the categories Judge Colleen Kollar-Kotelly authorized way back in 2004.

Also in 2009, NSA shifted records showing 3,000 people — which highly likely included CAIR’s staff and clients — had been dragnetted without the First Amendment review mandated by Section 215 (CAIR wasn’t a plaintiff on EFF’s earlier suits but they are on EFF’s phone dragnet suit, First Unitarian United). When they did, the government even appeared to consider the existing protection order in the EFF case; I have FOIAed their deliberations on that issue, but thus far have been stonewalled.

Finally, in 2011, NSA destroyed — on very little notice and without letting their own IG confirm the destruction of data that came in through NSA’s intake process — all of its Internet dragnet data.

In other words, on three known occasions, the NSA destroyed data covered by the protection order in Northern California, one of them even after admitting a protection order might cover the data in question. In two of those cases, we know the data either exceeded FISA’s orders or violated the law.

In fact, it wasn’t until 2014, when the government started asking Judge Reggie Walton for permission to destroy the phone dragnet data and EFF complained mightily, that NSA started complying with the earlier protection order. Later that same year, it finally asked FISC to keep the Protect America Act and FISA Amendments Act data also included under that order in its minimization procedures.

These posts provide more background on this issue: postpost, post, post.

In other words, on three different occasions (even ignoring the content collection), NSA destroyed data covered by the protection order. spoiling the evidence related to EFF’s lawsuits.

Which is why I find this claim — in the January 8 filing I’ve been waiting to read, but which was just posted on March 4 (that is, 5 days after the NSA would have otherwise had to destroy everything on February 29 under USA Freedom Act).

The Government remains concerned that in these cases, absent relief from district courts or explicit agreement from the plaintiffs, the destruction of the BR Metadata, even pursuant to FISC Order, could lead the plaintiffs to accuse the Government of spoliation. In Jewel, the plaintiffs have already moved for spoliation sanctions, including an adverse inference against the Government on the standing issue, based on the destruction of aged-off BR Metadata undertaken in accordance with FISC Orders. See Jewel Pls.’ Brief Re: the Government’s Non-compliance with the Court’s Evidence Preservation Orders, ECF No. 233.

Gosh, after destroying data on at least three different occasions (again, ignoring at least two years of content they destroyed), the government is worried that if it destroyed more it might get in trouble? Please!

Elsewhere, the strategy in this filing seems to be to expand the possible universe they’d have to set aside under the three cases (plus Klayman) for which there is a protection order as to make it virtually impossible to set it aside so as to destroy the rest. In addition, having let the time when they could have set aside such data easily pass because they were still permitted to access the data (say, back in 2014, when they got caught violating their protection order), they now claim that the closure of the dragnet makes such a search virtually impossible now.

It’s a nifty gimmick. They can’t find a way to destroy the data because they already destroyed even legally suspect data. And we learn about it only now, after the data would otherwise be destroyed, but now can’t be because they didn’t find some better resolution 2 years ago.

More Evidence Secret “Tweaks” To Section 702 Coming

/1 Comment/in /by

Way at the end of yesterday’s Senate Intelligence Committee Global Threats hearing, Tom Cotton asked his second leading question permitting an intelligence agency head to ask for surveillance, this time asking Admiral Mike Rogers whether he still wanted Section 702 (the first invited Jim Comey to ask for access to Electronic Communications Transactions Records with National Security Letters, as Chuck Grassley had asked before; Comey was just as disingenuous in his response as the last time he asked).

Curiously, Cotton offered Rogers the opportunity to ask for Section 702 to be passed unchanged. Cotton noted that in 2012, James Clapper had asked for a straight reauthorization of Section 702.

Do you believe that Congress should pass a straight reauthorization of Section 702?

But Rogers (as he often does) didn’t answer that question. Instead, he simply asserted that he needed it.

I do believe we need to continue 702.

At this point, SSCI Chair Richard Burr piped up and noted the committee would soon start the preparation process for passing Section 702, “from the standpoint of the education that we need to do in educating and having Admiral Rogers bring us up to speed on the usefulness and any tweaks that may have to be made.”

This seems to parallel what happened in the House Judiciary Committee, where it is clear some discussion about the certification process occurred (see this post and this post).

Note this discussion comes in the wake of a description of some of the changes made in last year’s certification in this year’s PCLOB status report. That report notes that last year’s certification process approved the following changes:

  • NSA added a requirement to explain a foreign intelligence justification in targeting decisions, without fully implementing a recommendation to adopt criteria “for determining the expected foreign intelligence value of a particular target.” NSA is also integrating reviewing written justifications in its auditing process.
  • FBI minimization procedures were revised to reflect how often non-national security investigators could search 702-collected data, and added new limits on how 702 data could be used.
  • NSA and CIA write justifications for conducting back door searches on US person data collected under Section 702, except for CIA’s still largely oversight free searches on 702-collected metadata.
  • NSA and CIA twice (in January and May) provided FISC with a random sampling of its tasking and US person searches, which the court deemed satisfactory in its certification approval.
  • The government submitted a “Summary of Notable Section 702 Requirements” covering the rules governing the program, though this summary was not comprehensive nor integrated into the FISC’s reauthorization.

As the status report implicitly notes, the government has released minimization procedures for all four agencies using Section 702 (in addition to NSA, CIA, and FBI, NCTC has minimization procedures), but it did so by releasing the now-outdated 2014 minimization procedures as the 2015 ones were being authorized. At some point, I expect we’ll see DEA minimization procedures, given that the shutdown of its own dragnet would lead it to rely more on NSA ones, but that’s just a wildarseguess.