FISA Archives - Page 28 of 179

The Intelligence Community Continues to Pretend Ignorance of Its Deliberate 702 Spying

January 14, 2016/2 Comments/in FISA /by emptywheel

As I noted in an update to this post, over the last several months, the Brennan Center has led an effort among privacy organizations to get the Intelligence Community to provide the transparency over its Section 702 surveillance that it dodged under the USA Freedom Act. On October 29, 2015, it send James Clapper a letter asking for:

A public estimate of the number of communications or transactions involving American citizens and residents subject to Section 702 surveillance on a yearly basis.
The number of times each year that the FBI uses a U.S. person identifier to query databases that include Section 702 data, and the number of times the queries return such data.
Policies governing agencies’ notification of individuals that they intend to use information “derived from” Section 702 surveillance in judicial or administrative proceedings.

On December 23, Privacy Officer Alex Joel responded on behalf of Clapper, largely dodging the requests but offering to have a meeting at which he could further dodge the request. Then yesterday, Brennan replied, calling out some of those dodges and posing new questions in advance of any meeting.

While the reply asks some worthwhile new questions, I wanted to look at some underlying background to the response Joel and ODNI gave.

The number of communications or transactions involving American citizens and residents subject to Section 702 surveillance on a yearly basis

In response to Brennan’s request for the number of US persons sucked up in 702, Joel points back to the PCLOB 702 report (which was far more cautious than the earlier 215 report) and its report on the status of recommendations from January 2015 and basically says, “we’re still working on that.” Brennan deemed the response non-responsive and noted that the IC is still working on 4 of PCLOB’s 5 recommendations 18 months after they issued it.

I would add one important caveat to that: PCLOB’s fifth recommendation was that the government provide,

the number of instances in which the NSA disseminates non-public information about U.S. persons, specifically distinguishing disseminations that includes names, titles, or other identifiers potentially associated with individuals.

We’ve just learned — through curiously timed ODNI declassification — that the numbers FBI gives to Congress on 702 dissemination are dodgy, or at least were dodgy in 2012, in part because they had been interpreting what constituted US person information very narrowly. For whatever reason, PCLOB didn’t include FBI in this recommendation, but they should be included, especially given the issues of notice to defendants dealt with below.

More importantly, there’s something to remember, as the IC dawdles in its response to this recommendation. In 2010, John Bates issued a ruling stating that knowingly collecting US person content constituted an illegal wiretap under 50 USC 1809(a). Importantly, he said that if the government didn’t know it was conducting electronic surveillance, that was okay, but it shouldn’t go out of its way to remain ignorant that it was doing so.

When it is not known, and there is no reason to know, that a piece of information was acquired through electronic surveillance that was not authorized by the Court’s prior orders, the information is not subject to the criminal prohibition in Section 1809(a)(2). Of course, government officials may not avoid the strictures of Section 1809(a)(2) by cultivating a state of deliberate ignorance when reasonable inquiry would likely establish that information was indeed obtained through unauthorized electronic surveillance.

The following year, Bates held that when it collected entirely domestic communications via upstream Section 702 collection, that collection was intentional (and therefore electronic surveillance), not incidental, though Clapper’s lawyer Bob Litt likes to obfuscate on this point. The important takeaway, though, is that the IC can illegally collect US person data so long as it avoids getting affirmative knowledge it is doing so, but it can’t be too obvious in its efforts to remain deliberately ignorant.

I’d say 18 months begins to look like willful ignorance.

The number of times each year that the FBI uses a U.S. person identifier to query databases that include Section 702 data, and the number of times the queries return such data

Brennan asked for solid numbers on back door searches, and Joel pointed to PCLOB’s recommendations that pertain to updated minimization procedures, a totally different topic.

And even there Joel was disingenuous in a way that the Brennan letter did not note.

Joel asserts that “with the recent reauthorization of the 702 Certification … this recommendation 2 [has] been implemented.” The recommendation included both additional clarity in FBI’s minimization procedures as well as further limits on what non-national security crimes FBI can use 702 data for.

Back in February 2015, Bob Litt revealed the latter information, what FBI could use 702 data for:

crimes involving death, kidnapping, substantial bodily harm, conduct that is a specified offense against a minor as defined in a particular statute, incapacitation or destruction of critical infrastructure, cyber security, transnational crimes, or human trafficking.

But after Litt made that disclosure, and either after or during the process of negotiating new 702 certificates, the ODNI released updated minimization procedures. But they where the MPs for 2014, not 2015! (See this post for a discussion of new disclosures in those documents.) Joel’s answer makes clear that FBI’s minimization procedures were updated significantly in the 2015 application beyond what they had been in 2014 (because that’s the only way they could have not fulfilled that recommendation last January but have since done so).

In other words, Joel answers Brennan’s question by boasting about fulfilling PCLOB’s recommendations, but not Brennan’s answer. But even there, if ODNI had just released the current FBI MPs, rather than year-old ones, part of Brennan’s questions would be answered — that is, what the current practice is.

I think the recent new disclosures about the limits on FBI’s very limited disclosure reporting (at least until 2012) provide some additional explanation for why FBI doesn’t count its back door searches. We know:

At least until 2012, it appears FBI did not consider reports based off the content of a message (“about”) not including the US person mentioned, certain kinds of identifiers (probably including phone numbers and Internet identifiers), or metadata to be sharing non-public US person information.
At least until the most recent certification, FBI was permitted to use metadata to analyze communications and transfer “all such metadata to other FBI electronic and data storage systems for authorized and foreign intelligence purposes” (page 11) without marking it as disseminated Section 702 data (footnote 2). This likely increases the chance that FBI does not treat metadata derived from Section 702 — and analysis integrating it and other data — to be 702 derived (especially given its apparent belief that such metadata does not equate to person identifying information).
FBI’s databases surely include redundant information for people whose communications are collected — either as target or incidentally — under both Section 702 and traditional FISA (and possibly even under Title III warrants). If, as Charlie Savage reported last year, FBI is now acquiring raw EO 12333 data, it may be in the same databases as well. This is undoubtedly even more true with respect to metadata. Given known practice on the NSA side, FBI likely uses the multiple designations to avoid disclosure rules.

In other words, there is a great deal of room to launder where data comes from, particularly if it has been used for metadata link analysis as an interim step. To try to count the specifically Section 702 queries, even just of content, though all the more so of metadata, would require revealing these overlaps, which FBI surely doesn’t want to do.

Policies governing agencies’ notification of individuals that they intend to use information “derived from” Section 702 surveillance in judicial or administrative proceedings

All that’s also background to Brennan’s request for information about notice to defendants. Joel pretty much repeated DOJ’s unhelpful line, though he did direct Brennan to this OLC memo on notice to those who lose clearance. Not only does that memo reserve the right to deem something otherwise subject to FISA’s notice requirements privileged, it also cites from a 1978 House report excluding those mentioned in, but not a party to, electronic surveillance from notice.

[A]s explained in a FISA House Report, “[t]he term specifically does not include persons, not parties to a communication, who may be mentioned or talked about by others.”

That, of course, coincides with one of the categories of people that it appears FBI was not counting in FISA dissemination reports until at least 2012 (and, of course, metadata does not count as electronic surveillance).

All of which is to say this appears to hint at the scope of how FBI has collected and identified people using 702 derived data that nevertheless don’t get 702 notice.

None of that excuses ODNI for refusing to respond to these obvious questions. But it does seem to indicate that the heart of FBI’s silence about its own 702 practices has a lot to do with its ability to arbitrage the multiple authorities it uses to spy.

As Recently as 2012, FBI Didn’t Think Your Phone Number Was Your Identity

January 11, 2016/1 Comment/in FISA /by emptywheel

Last week, Charlie Savage liberated additional disclosures on three IG reports he liberated last year: the 2007 NSL report, the 2009 Stellar Wind report, and a 2012 DOJ IG Section 702 report. With the NSL report, DOJ disclosed numbers that I believe were otherwise public or intuitable. With the Stellar Wind report, DOJ disclosed additional information on how the Department was dodging its obligation to notify defendants of the surveillance behind their cases; I hope to return to this issue.

By far the most important new disclosure, however, pertains to the FBI’s reporting on reports on US persons identified under Section 702 (see pages 17-18, highlighted by Savage here). Introducing the Executive Summary description of whether FBI was fulfilling reporting requirements, the report explained that the IG had adopted a fairly strict understanding of what constituted a US person dissemination.

Although the key passage is redacted (and the report body on this topic is almost entirely redacted), it’s clear that the IG considered reports that identified a US person via something other than his or her name without sharing the content of communications constituted a report “with respect to” 702 acquisitions.

The FBI had been arguing about these definitions internally and with DOJ’s IG since at least 2006, when it failed to comply with the legally mandated requirement for new minimization procedures to go with Section 215. One way to understand an early version of the debate is whether, by retaining call records that don’t include a name but do include phone numbers that clearly belong to a specific person, the FBI was retaining US person identifying information. For obvious reasons — because if their minimization procedures treated a phone number as US person identifying information, then it would mean it couldn’t retain 5 years of phone records — FBI didn’t want to treat a person’s unique identifiers as person identifying information. The minimization procedures adopted in 2013 must mirror this problem given that FBI and NSA kept those records for another two years.

It appears the IG found the FBI’s reporting lacking in several ways: it did not include Section 702 related reports that identify a US person if that person (which I assume to mean that person’s identity) was identified via other means, and argued FBI should also count reports if the US person information in it was publicly available. In addition, the IG considered a metadata reference to also constitute a US person reference.

This suggests the FBI was, until 2012, at least, not including the sharing of an email or even a report that identified the person tied to an email if it found that email, but not that person’s identity, via Section 702 in its reports to Congress. Imagine, for example, if FBI didn’t consider my emptywheel email personally identifying of me, emptywheel, until such time as it publicly tied that email address to me. It would be bullshit, but we know that seems to be the kind of game FBI was and probably still is playing.

I’m particularly interested in this because of a speech Dianne Feinstein made in December 2012 — presumably after FBI had made whatever response they might make to this IG report — that named a number of people as if they had been IDed using Section 702. But when several of them demanded notice of Section 702 surveillance, none of them got it, and Feinstein and the Senate’s lawyer insisted they could not make anything of her insinuation that Section 702 had discovered them.

In other words, the two standards at issue here — the minimization procedures standard and the notice one — may be implicated in DOJ’s opaque notice guidelines. We don’t know whether it is or not, of course, but if it is, it would suggest that DOJ is limiting 702 notices based on what kinds of identifiers 702 produces.

1/13: Tweaked this post for clarity. In addition, note these letters from the Brennan Center which relate to this issue.

What We Know about the Section 215 Phone Dragnet and Location Data

January 8, 2016/in EO 12333, FISA /by emptywheel

Last month’s squabble between Marco Rubio and Ted Cruz about USA Freedom Act led a number of USAF boosters to belatedly understand what I’ve been writing for years: that USAF expanded the universe of people whose records would be collected under the program, and would therefore expose more completely innocent people, along with more potential suspects, to the full analytical tradecraft of the NSA, indefinitely.

In an attempt to explain why that might be so, Julian Sanchez wrote this post, focusing on the limits on location data collection that restricted cell phone collection. Sanchez ignores two other likely factors — the probable inclusion of Internet phone calls and the ability to do certain kinds of connection chaining — that mark key new functionalities in the program which would have posed difficulties prior to USAF. But he also misses a lot of the public facts about location collection and cell phones under the Section 215 dragnet. This post will lay those out.

The short version is this: the FISC appears to have imposed some limits on prospective cell location collection under Section 215 even as the phone dragnet moved over to it, and it was not until August 2011 that NSA started collecting cell phone records — stripped of location — from AT&T under Section 215 collection rules. The NSA was clearly getting “domestic” records from cell phones prior to that point, though it’s possible they weren’t coming from Section 215 data. Indeed, the only known “successes” of the phone dragnet — Basaaly Moalin and Adis Medunjanin — identified cell phones. It’s not clear whether those came from EO 12333, secondary database information that didn’t include location, or something else.

Here’s the more detailed explanation, along with a timeline of key dates:

There is significant circumstantial evidence that by February 17, 2006 — two months before the FISA Court approved the use of Section 215 of the PATRIOT Act to aspire to collect all Americans’ phone records — the FISA Court required briefing on the use of “hybrid” requests to get real-time location data from targets using a FISA Pen Register together with a Section 215 order. The move appears to have been a reaction to a series of magistrates’ rulings against a parallel practice in criminal cases. The briefing order came in advance of the 2006 PATRIOT Act reauthorization going into effect, which newly limited Section 215 requests to things that could be obtained with a grand jury subpoena. Because some courts had required more than a subpoena to obtain location, it appears, FISC reviewed the practice in the FISC — and, given the BR/PR numbers reported in IG Reports, ended, sometime before the end of 2006 though not immediately.

The FISC taking notice of criminal rulings and restricting FISC-authorized collection accordingly would be consistent with information provided in response to a January 2014 Ron Wyden query about what standards the FBI uses for obtaining location data under FISA. To get historic data (at least according to the letter), FBI used a 215 order at that point. But because some district courts (this was written in 2014, before some states and circuits had weighed in on prospective location collection, not to mention the 11th circuit ruling on historical location data under US v. Davis) require a warrant, “the FBI elects to seek prospective CSLI pursuant to a full content FISA order, thus matching the higher standard imposed in some U.S. districts.” In other words, as soon as some criminal courts started requiring a warrant, FISC apparently adopted that standard. If FISC continued to adopt criminal precedents, then at least after the first US v. Davis ruling, it would have and might still require a warrant (that is, an individualized FISA order) even for historical cell location data (though Davis did not apply to Stingrays).

FISC doesn’t always adopt the criminal court standard; at least until 2009 and by all appearances still, for example, FISC permits the collection, then minimization, of Post Cut Through Dialed Digits collected using FISA Pen Registers, whereas in the criminal context FBI does not collect PCTDD. But the FISC does take notice of, and respond to — even imposing a higher national security standard than what exists at some district levels — criminal court decisions. So the developments affecting location collection in magistrate, district, and circuit courts would be one limit on the government’s ability to collect location under FISA.

That wouldn’t necessarily prevent NSA from collecting cell records using a Section 215 order, at least until the Davis decision. After all, does that count as historic (a daily collection of records each day) or prospective (the approval to collect data going forward in 90 day approvals)? Plus, given the PCTDD and some other later FISA decisions, it’s possible FISC would have permitted the government to collect but minimize location data. But the decisions in criminal courts likely gave FISC pause, especially considering the magnitude of the production.

Then there’s the chaos of the program up to 2009.

At least between January 2008 and March 2009, and to some degree for the entire period preceding the 2009 clean-up of the phone and Internet dragnets, the NSA was applying EO 12333 standards to FISC-authorized metadata collection. In January 2008, NSA co-mingled 215 and EO 12333 data in either a repository or interface, and when the shit started hitting the fan the next year, analysts were instructed to distinguish the two authorities by date (which would have been useless to do). Not long after this data was co-mingled in 2008, FISC first approved IMEI and IMSI as identifiers for use in Section 215 chaining. In other words, any restrictions on cell collection in this period may have been meaningless, because NSA wasn’t heeding FISC’s restrictions on PATRIOT authorized collection, nor could it distinguish between the data it got under EO 12333 and Section 215.

Few people seem to get this point, but at least during 2008, and probably during the entire period leading up to 2009, there was no appreciable analytical border between where the EO 12333 phone dragnet ended and the Section 215 one began.

There’s no unredacted evidence (aside from the IMEI/IMSI permission) the NSA was collecting cell phone records under Section 215 before the 2009 process, though in 2009, both Sprint and Verizon (even AT&T, though to a much less significant level) had to separate out their entirely foreign collection from their domestic, meaning they were turning over data subject to EO 12333 and Section 215 together for years. That’s also roughly the point when NSA moved toward XML coding of data on intake, clearly identifying where and under what authority it obtained the data. Thus, it’s only from that point forward where (at least according to what we know) the data collected under Section 215 would clearly have adhered to any restrictions imposed on location.

In 2010, the NSA first started experimenting with smaller collections of records including location data at a time when Verizon Wireless was named on primary orders. And we have two separate documents describing what NSA considered its first collection of cell data under Section 215 on August 29, 2011. But it did so only after AT&T had stripped the location data from the records.

It appears Verizon never did the same (indeed, Verizon objected to any request to do so in testimony leading up to USAF’s passage). The telecoms used different methods of delivering call records under the program. In fact, in August 2, 2012, NSA’s IG described the orders as requiring telecoms to produce “certain call detail records (CDRs) or telephony metadata,” which may differentiate records that (which may just be AT&T) got processed before turning over. Also in 2009, part of Verizon ended its contract with the FBI to provide special compliance with NSLs. Both things may have affected Verizon’s ability or willingness to custom what it was delivering to NSA, as compared to AT&T.

All of which suggests that at least Verizon could not or chose not to do what AT&T did: strip location data from its call records. Section 215, before USAF, could only require providers to turn over records they kept, it could not require, as USAF may, provision of records under the form required by the government. Additionally, under Section 215, providers did not get compensated after the first two dragnet orders.

All that said, the dragnet has identified cell phones! In fact, the only known “successes” under Section 215 — the discovery of Basaaly Moalin’s T-Mobile cell phone and the discovery of Adis Medunjanin’s unknown, but believed to be Verizon, cell phone — did, and they are cell phones from companies that didn’t turn over records. In addition, there’s another case, cited in a 2009 Robert Mueller declaration preceding the Medunjanin discovery, that found a US-based cell phone.

There are several possible explanations for that. The first is that these phones were identified based off calls from landlines and/or off backbone records (so the phone number would be identified, but not the cell information). But note that, in the Moalin case, there are no known land lines involved in the presumed chain from Ayro to Moalin.

Another possibility — a very real possibility with some of these — is that the underlying records weren’t collected under Section 215 at all, but were instead collected under EO 12333 (though Moalin’s phone was identified before Michael Mukasey signed off on procedures permitting the chaining through US person records). That’s all the more likely given that all the known hits were collected before the point in 2009 when the FISC started requiring providers to separate out foreign (EO 12333) collection from domestic and international (Section 215) collection. In other words, the Section 215 phone dragnet may have been working swimmingly up until 2009 because NSA was breaking the rules, but as soon as it started abiding by the rules — and adhering to FISC’s increasingly strict limits on cell location data — it all of a sudden became virtually useless given the likelihood that potential terrorism targets would use exclusively cell and/or Internet calls just as they came to bypass telephony lines. Though as that happened, the permissions on tracking US persons via records collected under EO 12333, including doing location analysis, grew far more permissive.

In any case, at least in recent years, it’s clear that by giving notice and adjusting policy to match districts, the FISC and FBI made it very difficult to collect prospective location records under FISA, and therefore absent some means of forcing telecoms to strip their records before turning them over, to collect cell data.

The Three Kinds of Dragnet Searches NSA Did When Only Doing Contact Chaining

January 7, 2016/5 Comments/in EO 12333, FISA /by emptywheel

This is going to be a weedy post in which I look at a key detail revealed by 2010 NSA Inspector General reviews of the Section 215 phone dragnet. The document was liberated by Charlie Savage last year.

At issue is the government’s description, in the period after the Snowden leaks, of what kind of searches it did on the Section 215 phone dragnet. The searches the government did on Section 215 dragnet data are critical to understanding a number of things: the reasons the parallel Internet dragnet probably got shut down in 2011, the squeals from people like Marco Rubio about things the government lost in shutting down the dragnet, and the likely scope of collection under USA Freedom Act.

Throughout the discussion of the phone dragnet, the administration claimed it was used for “contact chaining” — that is, exclusively to show who was within 3 (and starting in 2014, 2) degrees of separation, by phone calls [or texts, see update] made, from a suspected terrorist associate.

Here’s how the administration’s white paper on the program described it in 2013.

This telephony metadata is important to the Government because, by analyzing it, the Government can determine whether known or suspected terrorist operatives have been in contact with other persons who may be engaged in terrorist activities, including persons and activities within the United States. The program is carefully limited to this purpose: it is not lawful for anyone to query the bulk telephony metadata for any purpose other than counterterrorism, and Court-imposed rules strictly limit all such queries.

Though some claims to Congress and the press were even more definitive that this was just about contact chaining.

The documents on the 2009 violations released under FOIA made it clear that, historically at least, querying wasn’t limited to contact chaining. Almost every reference in these documents to the scope of the program includes a redaction after “contact chaining” in the description of the allowable queries. Here’s one of many from the government’s first response to Reggie Walton’s questions about the program.

The redaction is probably something like “pattern analysis.”

Because the NSA was basically treating all Section 215 data according to the rules governing EO 12333 in 2009 (indeed, at the beginning of this period, analysts couldn’t distinguish the source of the two authorizations), it subjected the data to a number of processes that did not fit under the authorization in the FISC orders — things like counts of all contacts and automatic chaining on identifiers believed to be the same user as one deemed to have met the Reasonable Articulable Standard. The End to End report finished in summer 2009 described one after another of these processes being shut down (though making it clear it wanted to resume them once it obtained FISC authorization). But even in these discussions, that redaction after “contact chaining” remained.

Even in spite of this persistent redaction, the public claims this was about contact chaining gave the impression that the pattern analysis not specifically authorized by the dragnet orders also got shut down.

The IG Reports that Savage liberated gives a better sense of precisely what the NSA was doing after it cleared up all its violations in 2009.

The Reports were ordered up by the FISC and covered an entire year of production (there was a counterpart of the Internet dragnet side, which was largely useless since so much of that dragnet got shut down around October 30, 2009 and remained shut down during this review period).

The show several things:

NSA continued to disseminate dragnet results informally, even after Reggie Walton had objected to such untrackable dissemination
Data integrity techs could — and did on one occasion, which was the most significant violation in the period — access data directly and in doing so bypass minimization procedures imposed on analysts (this would be particularly useful in bypassing subject matter restrictions)
Already by 2010, NSA did at least three different kinds of queries on the database data: in addition to contact chaining, “ident lookups,” and another query still considered Top Secret

It’s the last item of interest here.

The first thing to understand about the phone dragnet data is it could be queried two places: the analyst front-end (the name of which is always redacted), and a “Transaction Database” that got replaced with something else in 2011. (336)

Basically, when the NSA did intake on data received from the telecoms, it would create a table of each and every record (which is I guess where the “transaction” name came from), while also making sure the telecoms didn’t send illegal data like credit card information.

Doing queries in the Transaction Database bypassed search restrictions. The March 2010 audit discovered a tech had done a query in the Transaction Database using a selector the RAS approval (meaning NSA had determined there was reasonable articulable suspicion that the selector had some tie to designated terrorist groups and/or Iran) of which had expired. The response to that violation, which NSA didn’t agree was a violation, was to move that tech function into a different department at NSA, away from the analyst function, which would do nothing to limit such restriction free queries, but would put a wall between analysts and techs, making it harder for analysts to ask techs to perform queries they would be unable to do.

Because the direct queries done for data integrity purposes were not subject to auditing under the phone dragnet orders, the monthly reports distinguished between those and analyst queries, the latter of which were audited to be sure they were RAS approved. But as the April 2010 report and subsequent audits showed, analysts also would do an “ident lookup.” (83)

The report provided this classified/Five Eyes description of “ident lookups.”

The Emphatic Access Restriction was a tool implemented in 2009 to ensure that analysts only did queries on RAS-approved selectors. What this detail reveals is that, rather than consulting a running list somewhere to see whether a selector was RAS approved, analysts would instead try to query, and if the query failed, that’s how they would learn the selector was not RAS approved.

We can’t be sure, but that suggests RAS approval went beyond simple one-to-one matching of identifiers. It’s possible an ident lookup needed to query the database to see if the data showed a given selector (say, a SIM card) matched another selector (say, a phone number) which had been RAS approved. It might go even further, given that NSA had automatically done searches on “correlated” numbers (that is, on a second phone number deemed to belong to the same person as the approved primary number that had been RAS approved). At least, that’s something NSA had done until 2009 and said it wanted to resume.

In other words, the fact that an ident lookup query queried the data and not just a list of approved selectors suggests it did more than just cross-check the RAS approval list: at some level it must tested the multiple selectors associated with one user to see if the underlying selectors were, by dint of the user himself being approved, themselves approved.

Indent lookups appear fairly often in these IG reports. Less frequent is an entirely redacted kind of query such as described but redacted in the September 2010 report. (166)

The footnote description of that query is classified Top Secret NOFORN and entirely redacted.

I have no idea what that query would be, but it’s clear it is done on the analyst facing interface, and only on RAS approved selectors.

The timing of this third query is interesting. Such queries appear in the September and October 2010 audits. That was a period when, in the wake of the July 2010 John Bates approval to resume the Internet dragnet, they were aligning the two programs again (or perhaps even more closely than they had been in 2009). It also appears after a new selector tracking tool got introduced in June 2010. That said, I’m unaware of anything in the phone dragnet orders that would have expanded the kinds of queries permitted on the phone dragnet data.

We know they had used the phone dragnet until 2009 to track burner phones (that is, matching calling patterns of selectors unknown to have a connection to determine which was a user’s new phone). We know that in November 2012, FISC approved an automated query process, though NSA never managed to implement it technically before Obama decided to shut down the dragnet. We also know that in 2014 they started admitting they were also doing “connection” chaining (which may be burner phone matching or may be matching of selectors). All are changes that might relate to more extensive non-chain querying.

We also don’t know whether this kind of query persisted from 2010 until last year, when the dragnet got shut down. I think it possible that the reasons they shut down the Internet dragnet in 2011 may have implicated the phone dragnet.

The point, though, is that at least by 2010, NSA was doing non-chain queries of the entire dragnet dataset that it considered to be approved under the phone dragnet orders. That suggests by that point, NSA was using the bulk set as a set already (or, more accurately, again, after the 2009 violations) by September 2010.

Last March James Clapper explained the need to retain records for a period of time, he justified it by saying you needed the historical data to discern patterns.

Q: And just to be clear, with the private providers maintaining that data, do you feel you’ve lost an important tool?

Clapper: Not necessarily. It will depend though, for one, retention period. I think, given the attitude today of the providers, they will probably do all they can to minimize the retention period. Which of course, from our standpoint, lessens the utility of the data, because you do need some — and we can prove this statistically — you do need some historical data in order to, if you’re gonna discern a pattern. And again, 215 to me, is much like my fire insurance policy. You know, my house has never burned down but every year I buy fire insurance just in case.

This would be consistent with the efforts to use the bulk dataset to find burner identities, at a minimum. It would also be consistent with Marco Rubio et al’s squeals about needing the historical data. And it would be consistent with the invocation of the National Academy of Sciences report on bulk data (though not on the phone dragnet), which NSA’s General Counsel raised in a Lawfare post today.

In other words, contrary to public suggestions, it appears NSA was using the phone dragnet to conduct pattern analysis that required the bulk dataset. That’s not surprising, though it is something the NSA suggested they weren’t doing.

They surely are still doing that on the larger EO 12333 dataset, along with a lot more complex kinds of analysis. But it seems some, like Rubio, either think we need to return to such bulk pattern analysis, or has used the San Bernardino attack to call to resume more intrusive spying.

Update: One of the other things the IG Reports make clear is that NSA was (unsurprisingly) collecting records of non-simultaneous telephone transactions. That became an issue when, in 2011, NSA started to age-off 5 year old data, because they would have some communication chains that reflected communications that were more than 5 years old but which were obtained less than 5 years before.

My guess is this reflects texting chains that continued across days or weeks.

Why Tell the Israeli Spying Story Now?

December 31, 2015/19 Comments/in EO 12333, FISA, WMD /by emptywheel

“Intelligence professionals have a saying: There are no friendly intelligence services,” the WSJ describes former House Intelligence Chair Mike Rogers saying, on the record. While there’s no way of telling — particularly not with WSJ’s described “more than two dozen current and former U.S. intelligence and administration officials” sources behind it’s blockbuster story on US spying on Bibi Netanyahu and other Israelis, Rogers is a likely candidate for some of the other statements attributed to “former US officials,” a moniker that can include agency officials, consultants, and members of Congress.

Which is awfully funny, given that two of the people squealing most loudly in response to the story are Rogers’ immediate predecessor, Crazy Pete Hoekstra, who called it a “Maybe unprecedented abuse of power,” and successor, Devin Nunes, who has already started an investigation into the allegations in the story.

It is the height of hypocrisy for these men, who have been privy to and by their silence have assented to this and, in Crazy Pete’s case, far worse patently illegal spying, to wail about a story that shows the Administration abiding by NSA minimization procedures they’ve both celebrated as more than adequate to protect US person privacy. If NSA’s minimization procedures are inadequate to protect US persons, the first thing Nunes should do is repeal FISA Amendments Act, which can expose far more people than the tailored, presumably EO 12333 tap placed on Bibi, not to mention OmniCISA, which can be targeted at Americans and will have even fewer protections for US persons.

The immediate attempt by a bunch of surveillance maximalists to turn compliant spying into a big scandal raises the question of why this story is coming out now, not incidentally just after Iran turned over its uranium stockpile over to Russia and in the process achieved another big step of the Iran deal.

I’m not in any way meaning to slight the WSJ reporting. Indeed, the story seems to show a breadth of sources that reflect a broad range of interests, and as such is not — as would otherwise be possible — Mike Rogers attempting to leak something to the WSJ so his fellow Republicans can make a stink about things.

This story includes “current and former U.S. officials” providing a list of leaders they claim were detasked from spying in 2014 — François Hollande, Angela Merkel, and other NATO leaders — and those they claim were not — along with Bibi Netanyahu, Turkey’s leader Recep Tayyip Erdogan. Of course, like James Clapper’s claim that Edward Snowden’s leaks forced the NSA to shut down its full take spying on Afghanistan, this “confirmation” may instead have been an effort to cover for collection that has since been restarted, especially given the story’s even more revealing explanation that, “Instead of removing the [surveillance] implants, Mr. Obama decided to shut off the NSA’s monitoring of phone numbers and email addresses of certain allied leaders—a move that could be reversed by the president or his successor.” Obama did not eliminate the infrastructure that allows him to request surveillance (in actually, monitoring of surveillance going on in any case) to be turned on like a switch, and this WSJ article just conveyed that detail to Hollande and Merkel.

So the story could serve as disinformation to cover up restarted surveillance, and it could serve as a cue for the bogus, unbelievably hypocritical political scandal that Crazy Pete and Nunes appear to want to make it.

But I’m just as interested in the dick-waving in the story.

Some of the most interesting details in the story — once you get beyond the wailing of people like Crazy Pete and Devin Nunes probably swept up in intercepts described in the story — pertain to what NSA did and did not learn about Bibi’s efforts, largely executed through Israeli Ambassador to the US Ron Dermer, to thwart the Iran deal. A key detail here is that while (it is implied) NSA destroyed most or all of the intercepts involving members of Congress directly with Bibi, they passed on (with US person identities masked) the reports back through foreign ministry channels of discussions with or on behalf of Bibi.

The NSA has leeway to collect and disseminate intercepted communications involving U.S. lawmakers if, for example, foreign ambassadors send messages to their foreign ministries that recount their private meetings or phone calls with members of Congress, current and former officials said.

“Either way, we got the same information,” a former official said, citing detailed reports prepared by the Israelis after exchanges with lawmakers.

In other words, NSA might not pass on the intercepts of calls members of Congress had with Bibi directly, but they would pass on the reports that Dermer or Bibi’s aides would summarize of such discussions. And according to “a former official” (curiously not described as high ranking) by passing on the reports of such conversations, “we got the same information.”

Usually, but not always, according to the story.

It describes that “Obama administration officials” (which may but probably doesn’t include intelligence officials) didn’t learn about John Boehner’s invitation to Bibi to address Congress ahead of time, even though Boehner extended that invite through Dermer.

On Jan. 8, John Boehner, then the Republican House Speaker, and incoming Republican Senate Majority Leader Mitch McConnell agreed on a plan. They would invite Mr. Netanyahu to deliver a speech to a joint session of Congress. A day later, Mr. Boehner called Ron Dermer, the Israeli ambassador, to get Mr. Netanyahu’s agreement.

Despite NSA surveillance, Obama administration officials said they were caught off guard when Mr. Boehner announced the invitation on Jan. 21.

According to the description of the article, this call should have been fair game to be shared with the White House as a report through the foreign ministry, but either wasn’t reported through normal channels on the Israeli side or NSA didn’t pass it along.

But, according to the story, the White House did get many of the details about Dermer’s attempt to scotch the Iran deal.

The NSA reports allowed administration officials to peer inside Israeli efforts to turn Congress against the deal. Mr. Dermer was described as coaching unnamed U.S. organizations—which officials could tell from the context were Jewish-American groups—on lines of argument to use with lawmakers, and Israeli officials were reported pressing lawmakers to oppose the deal.

[snip]

A U.S. intelligence official familiar with the intercepts said Israel’s pitch to undecided lawmakers often included such questions as: “How can we get your vote? What’s it going to take?”

Let me interject and note that, if the people squealing about these intercepts weren’t such raging hypocrites, I might be very concerned about this.

Consider the Jane Harman case. In 2009 it got reported that NSA and FBI collected conversations Jane Harman had (probably on an individual FISA wiretap) with AIPAC suspects in which Harman allegedly agreed to help squelch the criminal investigation into the organization in exchange for help getting the Chairmanship of the House Intelligence Committee. The position, not incidentally, that all the people (save Mike Rogers, who seems to have had no problem with them) squealing about these intercepts have held or currently hold. At least according to 2009 reports on this, lawyers in then Attorney General Alberto Gonzales’ DOJ considered criminal charges against Harman, but chose not to pursue them, because Gonzales — who had criminally, personally authorized the Stellar Wind program in March 2004 — needed Harman’s support in advance of NYT breaking the Stellar Wind story at the end of 2005. That suggests (if these stories are to be believed) Gonzales used Harman’s purported criminal exposure to get protection against his own.

Now, Crazy Pete was out of power well before these particular intercepts were described (though may have his own reason to be concerned about what such intercepts revealed), but in the same period, Devin Nunes got himself appointed HPSCI Chair, just like AIPAC was allegedly brokering with Harman. He got himself appointed HPSCI Chair by the guy, Boehner, who invited Bibi to address Congress.

And what were AIPAC and other groups — who allegedly were offering congressional leadership posts back in 2005 — offering lawmakers last year to oppose the Iran deal? “What’s it going to take?” the intercepts apparently recorded.

What were they offering?

This is the reason permitting lawmakers’ communications to be incidentally collected is such a risk — because it collects the sausage-making behind legislative stances — but also defensible — because it might disclose untoward quid pro quo by foreign governments of members of Congress. It is a real concern that the Executive is collecting details of Congress’ doings. More protections, both for Members of Congress and for regular schlubs, are needed. But wiretapping the incidentally collected communications with foreign leaders is not only solidly within the parameters of Congressionally-approved NSA spying, but may sometimes be important to protect the US.

That’s the kind of the thing the White House may have seen outlines of in the reports it got on Darmer’s attempts — though the report indicates that Democratic lawmakers and Israelis who supported the Iranian deal (probably including former Mossad head Efraim Halevy, who was criticizing Bibi and Darmer’s efforts in real time) were sharing details of Darmer’s efforts directly with the White House.

In the final months of the campaign, NSA intercepts yielded few surprises. Officials said the information reaffirmed what they heard directly from lawmakers and Israeli officials opposed to Mr. Netanyahu’s campaign—that the prime minister was focused on building opposition among Democratic lawmakers.

Which brings me to the dick-waving part. Here’s the last line of the WSJ story.

The NSA intercepts, however, revealed one surprise. Mr. Netanyahu and some of his allies voiced confidence they could win enough votes.

Some of this story is likely to be disinformation for our allies, much of this story seems to be warning (both friendly and unfriendly) to those likely implicated by the intercepts. But this just seems like dick-waving, the spook-and-politician equivalent of spiking the football and doing a lewd dance in the end zone. The Israelis surely knew all the monitoring was going on (even if members of Congress may have been stupid about them), especially given the way John Kerry, as laid out in the story, raised concerns about Israeli spying during negotiations. But this line, the final reveal in the story, mocks the Israelis and their American interlocutors for assuming they had enough to offer — “What’s it going to take to get your vote?”– to kill the Iran deal.

This may, in part, be an effort to get those implicated in the intercepts to exercise some more caution. But it also seems to be a victory dance, just as Russia ships away Iran’s uranium stockpiles.

Richard Burr Just Told ISIS USAF Phone Program Gets Internet Phone Data

December 16, 2015/15 Comments/in FISA /by emptywheel

Richard Burr has apparently stated publicly that he’s looking into not Marco Rubio’s serial leaking of classified information, but Ted Cruz’s alleged disclosure of classified information at least night’s debate. That’s particularly curious given that Rubio has gotten privileged access to this information on the Senate Intelligence Committee, whereas Cruz has not.

I assume Burr is thinking of this passage, in which Cruz explained how the USA Freedom Act phone program adds to the tools the intelligence community gets.

It strengthened the tools of national security and law enforcement to go after terrorists. It gave us greater tools and we are seeing those tools work right now in San Bernardino.

And in particular, what it did is the prior program only covered a relatively narrow slice of phone calls. When you had a terrorist, you could only search a relatively narrow slice of numbers, primarily land lines.

The USA Freedom Act expands that so now we have cell phones, now we have Internet phones, now we have the phones that terrorists are likely to use and the focus of law enforcement is on targeting the bad guys.

[snip]

And the reason is simple. What he knows is that the old program covered 20 percent to 30 percent of phone numbers to search for terrorists. The new program covers nearly 100 percent. That gives us greater ability to stop acts of terrorism, and he knows that that’s the case.

Shortly thereafter, Rubio said,

RUBIO: Let me be very careful when answering this, because I don’t think national television in front of 15 million people is the place to discuss classified information.

Of course, that means Burr — who has the most privileged access to this information — just confirmed for ISIS and anyone else who wants to know (like, say, American citizens) that the IC is targeting “Internet phones” as well as the the more limited set of call records the Section 215 phone dragnet used to incorporate, and in doing so getting closer to 100% of “calls” (which includes texting and messaging) in the US.

I’m not sure why Burr would give OpSec tips to our adversaries, all to score political points against Cruz. Obviously, his tolerance for Rubio’s serial leaks, which effectively confirmed the very same information, shows this isn’t about protecting sources and methods.

Maybe it’s time to boot Burr, in addition to Rubio, from SSCI before he continues to leak classified information?

What a Social Media Check for Visas Would Require

December 15, 2015/3 Comments/in EO 12333, FISA /by emptywheel

There’s a bunch of fevered commentary arising out of the report that Tashfeen Malik, one of the perpetrators of the San Bernardino attack, espoused extremism on Facebook before she entered the country. Otherwise sane members of Congress are submitting legislation calling for the government to review social media before granting a visa.

Here’s why that’s dumb.

First, let’s look at whether the State Department really could have found Malik’s posting before granting her a K1 visa. As CNN reported, Malik hadn’t actually been plotting jihad in the open, as much of the reporting on this suggests.

Tashfeen Malik advocated jihad in messages on social media, but her comments were made under a pseudonym and with strict privacy settings that did not allow people outside a small group of friends to see them, U.S. law enforcement officials told CNN on Monday.

[snip]

The New York Times reported on Sunday that U.S. immigration officials conducted three background checks on Malik when she emigrated from Pakistan but allegedly did not uncover social media postings in which she said she supported violent jihad and wanted to be a part of it.

According to the law enforcement officials, because Malik used a pseudonym and privacy controls, her postings would not have been found even if U.S. authorities had reviewed social media as part of her visa application process.

A U.S. official told CNN shortly after the San Bernardino attack that the United States only recently began reviewing the social media activity of visa applicants from certain countries. The date that these types of reviews began is not clear, but it was after Malik was considered, the source said.

So to get to the posts in question, someone would have had to match her pseudonym to a known identifier of hers, access her private communication, and then translate it from Urdu.

The NSA (though not State) actually has the ability to do that. They’d probably find her pseudonym either the way the FBI reportedly did, by giving Facebook her known email which they’d find was tied to that account, or they’d stick known identifiers (including name, email, credit card with which she paid her visa fee) into a tool the NSA has for correlating identities.

This process would be helped, of course, if DHS’ online visa application system was working, because that would not only increase the chances you’d get a working email for the applicant, but it would also give you at least one IP address you could also correlate on. But the effort to do that has become the worst kind of boondoggle, with a billion dollars spent and just one online form working. So this whole process would be started with less certainty attached to any online identifier.

The NSA also has the ability to read private posts — on Facebook at least. Given that at the time Malik applied for her visa she was neither a US person (I’m still not certain whether she would have been treated as a US person just with a fiance visa, on application for a Green Card, or on receipt of one), nor in the country, NSA could have used PRISM (with the added benefit that it would provide a bunch more identities to check).

Of course, you’d also want to check non-US social media, like Telegram (which ISIS has reportedly been using) and Vkontakte (which the Tsarnaev brothers used). That’s going to be harder to do.

Finally, you’d have to translate any posts Malik wrote from Urdu to English. While an initial translation could be done by machine, to understand any subtleties of the posting, you’d need to get a human translator to do the work, and even for key languages like Urdu and Arabic, the government has far too few translators.

So you could do such a check, at least for US-based social media, but you’d have to involve the NSA.

Now consider the resource demands of doing this. There are upwards of 450,000 immigrant visas issued each year. There are another 750,000 student and temporary work visas, both categories of which are closer to a typical terrorist profile than a fiance visa (that doesn’t include exchange visitors and a range of other kinds of work visas).

Last year, the government targeted 92,000 people under Section 702, which you’d have to use to get just private (not encrypted) communications. So you’d have to do an order of magnitude more PRISM searches every year to thoroughly check the social media of just the most obvious visa applicants. You’d either have to vastly expand NSA’s workstaff — and require key social media providers, like Facebook, to do the same just to stay ahead of compliance requests — or you’d have to pull them off of investigating targets about which they have some reason to be interested already.

Of course, if you did that — if you passed a law requiring all immigrants and long term visa applicants to be checked — then you’d make it far easier for people to evade detection, because you’d be alerting the few people who’d want to evade detection that you would check their accounts. They could then move to social media, like Telegram, that the US would have a harder time checking, and encrypt their messages.

Moreover, you’d be making this great effort at a time when much more obvious problems (such as that online form!) haven’t been fixed. Most importantly, since 9/11, it has been a top priority to track the exits of short term visitors (including those people with visa waivers), and the government still hasn’t managed that yet. If you want to make America more safe, you’d be far better served finally fixing that problem than reading a million people’s secret social media posts.

NSA Propagandist John Schindler Suggests Boston Marathon Terrorist Attack Not “Major Jihadist Attack”

December 14, 2015/25 Comments/in EO 12333, FISA /by emptywheel

NSA propagandist John Schindler has used the San Bernardino attack as an opportunity to blame Edward Snowden for the spy world’s diminished effectiveness, again.

Perhaps the most interesting detail in his column is his claim that 80% of thwarted attacks come from an NSA SIGINT hit.

Something like eighty percent of disrupted terrorism cases in the United States begin with a SIGINT “hit” by NSA.

That’s mighty curious, given that defendants in these cases aren’t getting notice of such SIGINT hits, as required by law, as ACLU’s Patrick Toomey reminded just last week. Indeed, the claim is wholly inconsistent with the claims FBI made when it tried to claim the dragnet was effective after the Snowden leaks, and inconsistent with PCLOB’s findings that the FBI generally finds such intelligence on its own. Whatever. I’m sure the discrepancy is one Schindler will be able to explain to defense attorneys when they subpoena him to explain the claim.

Then there’s Schindler’s entirely illogical claim that the shut-down of the phone dragnet just days before the attack might have helped to prevent it.

The recent Congressionally-mandated halt on NSA holding phone call information, so-called metadata, has harmed counterterrorism, though to what extent remains unclear. FBI Director James Comey has stated, “We don’t know yet” whether the curtailing of NSA’s metadata program, which went into effect just days before the San Bernardino attack, would have made a difference. Anti-intelligence activists have predictably said it’s irrelevant, while some on the Right have made opposite claims. The latter have overstated their case but are closer to the truth.

As Mike Lee patiently got Jim Comey to admit last week, if the Section 215 phone dragnet (as opposed to the EO 12333 phone dragnet, which remains in place) was going to prevent this attack, it would have.

Schindler then made an error that obscures one of the many ways the new phone dragnet will be better suited to counterterrorism. Echoing a right wing complaint that the government doesn’t currently review social media accounts as part of the visa process, he claimed “Tashfeen Malik’s social media writings [supporting jihad] could have been easily found.” Yet at least according to ABC, it would not have been so easy. “Officials said that because Malik used a pseudonym in her online messages, it is not clear that her support for terror groups would have become known even if the U.S. conducted a full review of her online traffic.” [See update.] Indeed, authorities found the Facebook post where Malik claimed allegiance to ISIS by correlating her known email with her then unknown alias on Facebook. NSA’s new phone program, because it asks providers for “connections” as well as “contacts,” is far more likely to identify multiple identities that get linked by providers than the old program (though it is less likely to correlate burner identities via bulk analysis).

Really, though, whether or not the dragnet could have prevented San Bernardino which, as far as is evident, was carried out with no international coordination, is sort of a meaningless measure of NSA’s spying. To suggest you’re going to get useful SIGINT about a couple who, after all lived together and therefore didn’t need to use electronic communications devices to plot, is silliness. A number of recent terrorist attacks have been planned by family members, including one cell of the Paris attack and the Charlie Hebdo attack, and you’re far less likely to get SIGINT from people who live together.

Which brings me to the most amazing part of Schindler’s piece. He argues that Americans have developed a sense of security in recent years (he of course ignores right wing terrorism and other gun violence) because “the NSA-FBI combination had a near-perfect track record of cutting short major jihadist attacks on Americans at home since late 2001.” Here’s how he makes that claim.

Making matters worse, most Americans felt reasonably safe from the threat of domestic jihadism in recent years, despite repeated warnings about the rise of the Islamic State and terrible attacks like the recent mass-casualty atrocity in Paris. Although the November 2009 Fort Hood massacre, perpetrated by Army Major Nidal Hasan, killed thirteen, it happened within the confines of a military base and did not involve the general public.

Two months before that, authorities rolled up a major jihadist cell in the New York City area that was plotting complex attacks that would have rivalled the 2005 London 7/7 atrocity in scope and lethality. That plot was backed by Al-Qa’ida Central in Pakistan and might have changed the debate on terrorism in the United States, but it was happily halted before execution – “left of boom” as counterterrorism professionals put it.

Jumping from the 2009 attacks (and skipping the 2009 Undiebomb and 2010 Faisal Shahzad attempts) to the Paris attack allows him to suggest any failure to find recent plots derives from Snowden’s leaks, which first started in June 2013.

However, the effectiveness of the NSA-FBI counterterrorism team has begun to erode in the last couple years, thanks in no small part to the work of such journalists-cum-activists. Since June 2013, when the former NSA IT contactor [sic] Edward Snowden defected to Moscow, leaking the biggest trove of classified material in all intelligence history, American SIGINT has been subjected to unprecedented criticism and scrutiny.

There is, of course, one enormous thing missing from Schindler’s narrative of NSA perfection: the Boston Marathon attack, committed months before the first Snowden disclosures became public. Indeed, even though the NSA was bizarrely not included in a post-Marathon Inspector General review of how the brothers got missed, it turns out NSA did have intelligence on them (Tamerlan Tsarnaev was in international contact with known extremists and also downloaded AQAP’s Inspire magazine repeatedly). Only, that intelligence got missed, even with the multiple warnings from FSB about Tamerlan.

Perhaps Schindler thinks that Snowden retroactively caused the NSA to overlook the intelligence on Tamerlan Tsarnaev? Perhaps Schindler doesn’t consider an attack that killed 3 and injured 260 people a “major jihadist attack”?

It’s very confusing, because I thought the Boston attack was a major terrorist attack, but I guess right wing propagandists trying to score points out of tragedy can ignore such things if it will spoil their tale of perfection.

Update: LAT reports that Malik’s Facebook posts were also private, on top of being written under a pseudonym. Oh, and also in Urdu, a language the NSA has too few translators in. The NSA (but definitely not the State Department) does have the ability to 1) correlate IDs to identify pseudonyms, 2) require providers to turn over private messages — they could use PRISM and 3) translate Urdu to English. But this would be very resources intensive and as soon as State made it a visa requirement, anyone trying to could probably thwart the correlation process.

Marco Rubio Explains the Dragnet

December 14, 2015/1 Comment/in EO 12333, FISA /by emptywheel

A penny dropped for me, earlier this week, when Marco Rubio revealed that authorities are asking “a large number of companies” for “phone records.” Then, yesterday, he made it clear that these companies don’t fall under FCC’s definition of “phone” companies, because they’re not subject to that regulator’s 18 month retention requirement.

His comments clear up a few things that have been uncertain since February 2014, when some credulous reporters started reporting that the Section 215 phone dragnet — though they didn’t know enough to call it that — got only 20 to 30% of “all US calls.”

The claim came not long after Judge Richard Leon had declared the 215 phone dragnet to be unconstitutional. It also came just as the President’s Review Group (scoped to include all of the government’s surveillance) and PCLOB (scoped to include only the 215 phone dragnet) were recommending the government come up with a better approach to the phone dragnet.

The report clearly did several things. First, it provided a way for the government to try to undermine the standing claim of other plaintiffs challenging the phone dragnet, by leaving the possibility their records were among the claimed 70% that was not collected. It gave a public excuse the Intelligence Community could use to explain why PRG and PCLOB showed the dragnet to be mostly useless. And it laid the ground work to use “reform” to fix the problems that had, at least since 2009, made the phone dragnet largely useless.

It did not, however, admit the truth about what the 215 phone dragnet really was: just a small part of the far vaster dragnet. The dragnet as a whole aspires to capture a complete record of communications and other metadata indicating relationships (with a focus on locales of concern) that would, in turn, offer the ability to visualize the networks of the world, and not just for terrorism. At first, when the Bush Administration moved the Internet (in 2004) and phone (in 2006) dragnets under FISC authority, NSA ignored FISC’s more stringent rules and instead treated all the data with much more lax EO 12333 rules(see this post for some historical background). When FISC forced the NSA to start following the rules in 2009, however, it meant NSA could no longer do as much with the data collected in the US. So from that point forward, it became even more of a gap-filler than it had been, offering a thinner network map of the US, one the NSA could not subject to as many kinds of analysis. As part of the reforms imposed in 2009, NSA had to start tracking where it got any piece of data and what authority’s rules it had to follow; in response, NSA trained analysts to try to use EO 12333 collected data for their queries, so as to apply the more permissive rules.

That, by itself, makes it clear that EO 12333 and Section 215 (and PRTT) data was significantly redundant. For every international phone call (or at least those to countries of terrorism interest, as the PATRIOT authorities were supposed to be restricted to terrorism and Iran), there might be two or more copies of any given phone call, one collected from a provider domestically, and one collected via a range of means overseas (in fact, the phone dragnet orders make it clear the same providers were also providing international collection not subject to 215). If you don’t believe me on this point, Mike Lee spelled it out last week. Not only might NSA get additional data with the international call — such as location data — but it could subject that data to more interesting analysis, such as co-location. Thus, once the distinction between EO 12333 and PATRIOT data became formalized in 2009 (years after it should have been) the PATRIOT data served primarily to get a thinner network map of the data they could only collect domestically.

Because the government didn’t want to admit they had a dragnet, they never tried to legislate fixes for it such that it would be more comprehensive in terms of reach or more permissive in terms of analysis.

So that’s a big part of why four beat journalists got that leak in February 2014, at virtually the same time President Obama decided to replace the 215 phone dragnet with something else.

The problem was, the government never admitted the extent of what they wanted to do with the dragnet. It wasn’t just telephony-carried voice calls they wanted to map, it was all communications a person might make from their phone, which increasingly means a smart phone. It wasn’t just call-chaining they wanted to do, it was connection chaining, linking identities, potentially using far more intrusive technological analysis.

Some of that was clear with the initial IC effort at “reform.” Significantly, it didn’t ask for Call Detail Records, understood to include either phone or Internet or both, but instead “records created as a result of communications of an individual or facility.” That language would have permitted the government to get backbone providers to collect all addressing records, regardless if it counted as content. The bill also permitted the use of such tools for all purposes, not just counterterrorism. In effect, this bill would have completed the dragnet, permitting the IC to conduct EO 12333 collection and analysis on records collected in the US, for any “intelligence” purpose.

But there was enough support for real reform, demonstrated most vividly in the votes on Amash-Conyers in July 2013, that whatever got passed had to look like real reform, so that effort was killed.

So we got the USA F-ReDux model, swapping more targeted collection (of communications, but not other kinds of records, which can still be collected in bulk) for the ability to require providers to hand over the data in usable form. This meant the government could get what it wanted, but it might have to work really hard to do so, as the communications provider market is so fragmented.

The GOP recognized, at least in the weeks before the passage of the bill, that this would be the case. I believe that Richard Burr’s claimed “mistake” in claiming there was an Internet dragnet was instead an effort to create legislative intent supporting an Internet dragnet. After that failed, Burr introduced a last minute bill using John Bates’ Dialing, Routing, Addressing, and Signaling language, meaning it would enable the government to bulk collect packet communications off switches again, along with EO 12333 minimization rules. That failed (in part because of Mitch McConnell’s parliamentary screw ups).

But now the IC is left with a law that does what it said it wanted (plus some, as it definitely gets non-telephony “phone” “calls”), rather than one that does what it wanted, which was to re-establish the full dragnet it had in the US at various times in the past.

I would expect they won’t stop trying for the latter, though.

Indeed, I suspect that’s the real reason Marco Rubio has been permitted to keep complaining about the dragnet’s shortcomings.

Marco Rubio Leaks Classified Information for Political Gain Again

December 14, 2015/3 Comments/in FISA, Leak Investigations /by emptywheel

Last week, Marco Rubio leaked the classified detail that the new metadata program authorized by USA Freedom Act obtains records from “a large number” of companies. Yesterday, he leaked more classified details about the program, revealing that some of the companies in question aren’t subject to FCC regulations on phone companies (which require companies hold records for 18 months).

CHUCK TODD:

Your campaign has been pretty critical of one of your rivals, Senator Ted Cruz, for his vote on the U.S.A. Freedom Act. And Senator Mike Lee of Utah, somebody that you have a tax plan with, you guys are certainly allies on a lot of things, he has said that your rhetoric has been not based in fact and that it is not true, what you’ve been saying, that somehow federal officials can’t use the U.S.A. Freedom Act, use the courts to track the phone numbers that are necessary.

MARCO RUBIO:

Well on this issue, not only is he wrong, but others that argue that are wrong. We had a program that allowed us to collect the phone records, basically the phone bill. Not the content of your conversations or your emails or anything like that. Just your phone bill of every American. And it was stored.

Only 16 people in the U.S. government could look at that. And they could only look at it if they got a court order from a privacy court, from a FISA court to go in and look at those phone records. And they retained them for a significant period of time. Under this new law, we are trusting the phone companies to hold those records.

And all of these phone companies have different periods of time that they hold it. Some will hold it for 18 months. Some will hold it for six months. This is a valuable tool. If in fact you have identified someone as a potential terrorist or if in fact someone carries out a terrorist activity, the ability to look at who they’ve been calling and who they’ve been talking to is part of a larger puzzle that you can put together to see what network they’ve been working with, who they’ve been communicating with.

We have now lost that capacity in many cases.

For a guy who’s trying to out-hawk his presidential rivals, Marco Rubio sure leaks classified information frequently. And make no mistake. He’s leaking this classified information for political gain, after having been read into that classified information while serving on the Senate Intelligence Committee.

I don’t know why Rubio thinks revealing the details of this program that the Administration deliberately misled the public about qualifies him to be President.

I just want to know when he’s going to be kicked off the Intel Committee.