Surveillance Hawk Stewart Baker Confirms Dragnet Didn’t Work as Designed

/4 Comments/in , /by

The French authorities are just a day into investigating the horrid events in Paris on Friday. We’ll know, over time, who did this and how they pulled it off. For that reason, I’m of the mind to avoid any grand claims that surveillance failed to find the perpetrators (thus far, French authorities say they know one of the attackers, who is a French guy they had IDed as an extremist, but did not know of people identified by passports found at the Stade — though predictably those have now been confirmed to be fake [update: now authorities say the Syrian one is genuine, though it’s not yet clear it belonged to the attacker], so authorities may turn out to know their real identity). In any case, Glenn Greenwald takes care of that here. I think it’s possible the terrorists did manage to avoid detection via countersurveillance — though the key ways they might have done so were available and known before Edward Snowden’s leaks (as Glenn points out).

But there is one claim by a surveillance hawk that deserves a response. That’s former DHS and NSA official Stewart Baker’s claim that because of this attack we shouldn’t stop the bulk collection of US persons’ phone metadata.

Screen Shot 2015-11-15 at 7.41.03 AM

The problem with this claim is that the NSA has a far more extensive dragnet covering the Middle East and Europe than it does on Americans. It can and does bulk collect metadata overseas without the restrictions that existed for the Section 215 dragnet. In addition to the metadata of phone calls and Internet communications, it can collect GPS location, financial information, and other metadata scraped from the content of communications.

The dragnet covering these terrorists is the kind of dragnet the NSA would love to have on Americans, if Americans lost all concern for their privacy.

And that’s just what the NSA (and GCHQ) have. The French have their own dragnet. They already had permission to hold onto metadata, but after the Charlie Hebdo attacks, they expanded their ability to wiretap without court approval. So the key ingredients to a successful use of the metadata were there: the ability to collect the metadata and awareness that one of the people was someone of concern.

The terrorists may have used encryption and therefore made it more difficult for authorities to get to the content of their Internet communications (though at this point, any iPhone encryption would only now be stalling investigators).

But their metadata should still have been available. There’s no good way to hide metadata, which is why authorities find metadata dragnets so useful.

French authorities knew of at least one of these guys, and therefore would have been able to track his communication metadata, and both the Five Eyes and France have metadata dragnets restricted only by technology, and therefore might have been able to ID the network that carried out this attack.

Stewart Baker claims that Section 215 was designed to detect a plot like this. But the metadata dragnet covering France and the Middle East is even more comprehensive than Section 215 ever was. And it didn’t detect the attack (it also didn’t detect the Mumbai plot, even though — or likely because — one of our own informants was a key player in it). So rather than be a great argument for why we need to keep a dragnet that has never once prevented an attack in the US, Baker’s quip is actually proof that the dragnets don’t work as promised.

 

Share this entry

It’s Harder for FBI to Get Location Data from Phone Companies Under FISA than Other Ways

/1 Comment/in /by

I was looking for something else on Ron Wyden’s website yesterday and noticed this exchange between Wyden and Jim Comey from January 29, 2014 (see my transcription below). At first it seemed to be another of Wyden’s persistent questions about how the government collects location data — which we generally assume to be via telephone provider or Stingray — but then realized he was asking something somewhat different. After asking about Cell Site Location Information from phone companies, Wyden then asked whether the FBI uses the same (order, presumably a Pen Register) standard when collecting location from a smart phone app.

Oh yeah! The government can collect location information via apps (and thereby from Google or WhatsApp other providers) as well.

Here’s the FBI’s response, which hasn’t been published before.

The response is interesting for several reasons, some of which may explain why the government hasn’t been getting all the information from cell phones that it wanted under the Section 215 phone dragnet.

First, when the FBI is getting prospective CSLI, it gets a full FISA order, based on a showing of probable cause (it can get historical data using just an order). The response to Wyden notes that while some jurisdictions permit obtaining location data with just an order, because others require warrants, “the FBI elects to seek prospective CSLI pursuant to a full content FISA order, thus matching the higher standard imposed in some U.S. districts.”

Some of this FISA discussed in 2006 in response to some magistrates’ rulings that you needed more than an order to get location, though there are obviously more recent precedents that are stricter about needing a warrant.

This means it is actually harder right now to get prospective CSLI under FISA than it is under Title III in some states. (The letter also notes sometimes the FBI “will use criminal legal authorities in national security investigations,” which probably means FBI will do so in those states with a lower standard).

The FBI’s answer about smart phone apps was far squirrelier. It did say that when obtaining information from the phone itself, it gets a full-content FISA order, absent any exception to the Fourth Amendment (such as the border exception, which is one of many reasons FBI loves to search phones at the border and therefore hates Apple’s encryption); note this March 6, 2014 response was before the June 24, 2014 Riley v. CA decision that required a warrant to search a cell phone, which says FISA was on a higher standard there, too, until SCOTUS caught up.

But as to getting information from smartphone apps itself, here’s what FBI answered.

Which legal authority we would use is very much dependent upon the type of information we are seeking and how we intend to obtain that information. Questions considered include whether or not the information sought would target an individual in an area in which that person has a reasonable expectation of privacy, what type of data we intend to obtain (GPS or other similarly precise location information), and how we intend to obtain the data (via a request for records from the service provider or from the mobile device itself).

In other words, after having thought about how to answer Wyden for five weeks rather than the one they had promised, they didn’t entirely answer the question, which was what it would take for the FBI to get information from apps, rather than cell phone providers, though I think that may be the same standard as a CSLI from a cell phone company.

But this seems to say that, in the FISA context, it may well be easier — and a lower standard of evidence — for the FBI to get location data from a Stingray.

This explains why Wyden’s location bill — which he was pushing just the other day, after the Supreme Court refused to take Quartavious Davis’ appeal — talks about location collection generally, rather than using (for example) a Stingray.

Wyden: I’d like to ask you about the government’s authority to track individuals using things like cell site location information and smart phone applications. Last fall the NSA Director testified that “we–the NSA–identify a number we can give that to the FBI. When they get their probable cause then they can get the locational information they need.”

I’ve been asking the NSA to publicly clarify these remarks but it hasn’t happened yet. So, is the FBI required to have probable cause in order to acquire Americans’ cell site location information for intelligence purposes?

Comey: I don’t believe so Senator. We — in almost all circumstances — we have to obtain a court order but the showing is “a reasonable basis to believe it’s relevant to the investigation.”

Wyden: So, you don’t have to show probable cause. You have cited another standard. Is that standard different if the government is collecting the location information from a smart phone app rather than a cell phone tower?

Comey: I don’t think I know, I probably ought to ask someone who’s a little smarter what the standard is that governs those. I don’t know the answer sitting here.

Wyden: My time is up. Can I have an answer to that within a week?

Comey: You sure can.

Share this entry

The Proliferation-as-Terrorism Rule

/1 Comment/in /by

Last week, Chairman of the House Homeland Security Committee tried to get Assistant Secretary of State Anne Patterson to list the Iran Republican Guard as a terrorist organization.

Rep. Michael McCaul (R., Texas) pressed Anne Patterson, assistant secretary of state in the bureau of near eastern affairs, during a hearing last week on Iran’s rogue activities.

Since the nuclear deal, “Iran has taken several provocative actions, including ballistic missile tests, the jailing of Americans on frivolous charges, and support for terrorist activities via the IRGC, the Iranian Revolutionary Guard Corps,” McCaul said.

The corps has been linked to terrorist operations across the Middle East and beyond, including arming terror proxy groups fighting against the United States and Israel.

“I sent a letter to the president of the United States requesting that the IRGC be placed on the Foreign Terrorist Organization list because they are the terror arm of Iran,” McCaul said. “This would not lift the sanctions. It would keep the sanctions in place on the very terrorist activities that Iran wants to take the $100 billion and ship them toward these activities. What is your response to whether or not designating the IRGC as an FTO [foreign terrorist organization], whether that is a good decision?”

Patterson sidestepped the question, but said that the State Department does not think the group can legally be categorized as a terrorist organization.

“I can’t answer that question, Mr. McCaul,” Patterson said. “I’ll have to get back to you. I would not think they would meet the legal criteria, but I don’t really know.”

Now, I’m not actually interested in getting the IRGC listed as a terrorist organization, particularly not for arming militias, because I think that would be a very bad precedent for the world’s biggest arms proliferator. Moreover, I’m sure Patterson sees this effort as another attempt to squelch efforts for peace with Iran.

But I am interested in her squirming given that for some years — we don’t know how many, but there was a new group approved in June 2007 and another approved in July 2009, so probably at least 6 years — the NSA has targeted Iran using the counterterrorism phone dragnet. So the government has convinced a FISC judge that IRGC (or Iran more generally) is a terrorist group. But now the State Department is telling us they’re not.

Up until USA F-ReDux passed this year, when Congress extended the proliferation-related definition of a foreign power under FISA to include those aiding or conspiring with those actually doing the proliferation, the government seems to have always pushed whom could be spied on well beyond the definitions in the law (there appears to have been a non-NSA certificate for it under Protect America Act, for example). That extends to the phone dragnet, and does so in such a way that probably includes a lot of American businesses.

And, Patterson’s dodges notwithstanding, the government hasn’t been above calling Iran a terrorist organization to do it.

 

Share this entry

The Government’s Bad Faith Arguments Demanding a Dragnet Stay

/3 Comments/in /by

As expected, the government requested an immediate stay of Richard Leon’s decision yesterday to enjoin the dragnet from collecting JJ Little’s phone records.

Their argument is noteworthy for its stubbornness — reasserting many of the same arguments Leon just ruled against — and logical inconsistency. The brief claims, for example, that termination of the dragnet would cause the government irreparable harm, even while suggesting that it’s possible they’ve stopped collecting data from Verizon Business Network Services, which they’ve just claimed would cause irreparable harm.

But the brief also argues that the only way to comply with the injunction is to shut down the entire dragnet.

As the Government Defendants have explained, however, the only practicable way for the NSA to comply with the Court’s preliminary injunction is immediately to cease all collection and queries of telephony metadata under the Section 215 program—that is, to shut the program down. That is so because the technical steps required in order to prevent the further collection of and to segregate the metadata associated with particular persons’ calls would take the NSA months to complete. Gov’t Defs.’ Opp. to Pls.’ Renewed Mot. for a Prelim. Inj. (ECF No. 150) (“Gov’t PI Opp.”) at 41-44, citing Potter Decl. (Gov’t PI Opp. Exh. 4) ¶¶ 20-27.

That’s not actually what the Potter declaration the discussion cites to says. Potter says there is a way to make Little’s records inaccessible — though it claims implausibly that it would take two weeks to accomplish.

With respect to a requirement that the NSA cease analytic access to any records about plaintiffs’ calls that may already have been collected under the Program, NSA has developed a process that can be used to prevent analytic access to metadata containing specified identifiers. This capability prevents the use of particular identifiers to conduct queries, and prevents analysts from accessing records containing those identifiers even if responsive to queries using different identifiers. NSA technical personnel estimate that eliminating analytic access to metadata associated with plaintiffs’ calls could be completed within approximately 2 weeks after receipt of the plaintiffs’ telephone numbers and the time-frames during which they were used.

This is the defeat list process I’ve discussed repeatedly, by which high volume numbers (like Verizon’s voice mail number and pizza joints) and other sensitive numbers (likely including Congress’ official numbers as well as informants) are made inaccessible to querying.

Consider me skeptical that it really takes 2 weeks to put something on a defeat list, as not doing so makes queries unusable. If it took 2 weeks, then the dragnet would frequently return crap for 2 weeks as techs tried to stay ahead of the defeat list numbers.

There’s one more thing that yesterday’s brief and the underlying declaration make clear though: The government is collecting records off telecom backbones, not off any billing system (contrary to what some reports still claim).

That’s true because the only way that the government wouldn’t be sure that Little’s records were collected under an order to VBNS is if they weren’t getting actual subscribers information. Moreover, Little’s records still show up on AT&T’s compliance, too (anytime his calls transit their backbone, not to mention any time he calls someone who uses AT&T).

That, of course, means that Larry Klayman and everyone else in the United States has standing if the Fourth Amendment injury comes with collection — because everyone’s records transit the major telecom backbones of the country. But the government has been claiming all this time they can’t be sure that’s the case.

The government will get their stay, and they will moot this decision (if not overturn it) at the end of the month. But not before engaging in some serious bad faith in claims to the court.

Share this entry

Richard Leon Halts the Dragnet for One Plaintiff

/1 Comment/in /by

Judge Richard Leon has just issued an injunction on the NSA’s collection of the phone metadata of J.J. Little and his lawfirm. Little got added as a plaintiff to Larry Klayman’s suit (in which Leon earlier found the program unconstitutional but stayed his own injunction) so as to have a Verizon Business Services customer who could be certain his phone records had been collected.

The order will undoubtedly set off a bit of a scramble, not because pulling Little’s phone records really presents any difficulty for the NSA (they already defeat list so many records it’s clear they have the ability to at least make those records inaccessible to a search, though they don’t want to explain the full application of that process; hopefully this ruling will lead to more candor on this point). Rather, the NSA will want to ensure this program has constitutional sanction because it also collects so many other records of Americans (in his book, for example, Charlie Savage confirmed my earlier analysis that the Internet dragnet moved, in part, overseas rather than being shut down). And the DC Circuit is likely to respond to quickly override Leon.

That said, Leon’s order is most interesting for its analysis of the government’s claim it can carry out this program because of a Special Need. In it, he repeats efficacy arguments he made in his earlier ruling: rather than present any new evidence that the program has been useful, it has instead just said the threat environment requires it. But he also notes that this special need, unlike that of, say, a TSA check, does not have a deterrence effect. That’s interesting because the government’s own secrecy about how many calls are collected would make any deterrence uncertain (indeed, terrorists might be expected to move communications to the Internet, believing falsely that attracts less attention).

As I said, the DC Circuit is likely to overturn this. But it will give the government a few days of headaches until that point.

Share this entry

Defining Stingray Emergencies … or Not

/4 Comments/in , , /by

A couple of weeks ago, ACLU NoCal released more documents on the use of Stingray. While much of the attention focused on the admission that innocent people get sucked up in Stingray usage, I was at least as interested in the definition of an emergency during which a Stingray could be used with retroactive authorization:
Screen Shot 2015-11-08 at 9.27.59 AM

I was interested both in the invocation of organized crime (which would implicate drug dealing), but also the suggestion the government would get a Stingray to pursue a hacker under the CFAA. Equally curiously, the definition here leaves out part of the definition of “protected computer” under CFAA, one used in interstate communication.

(2) the term “protected computer” means a computer—
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

Does the existing definition of an emergency describe how DOJ has most often used Stingrays to pursue CFAA violations (which of course, as far as we know, have never been noticed to defendants).

Now compare the definition Jason Chaffetz used in his Stingray Privacy Act, a worthwhile bill limiting the use of Stingrays, though this emergency section is the one I and others have most concerns about. Chaffetz doesn’t have anything that explicitly invokes the CFAA definition, and collapses the “threat to national security” and, potentially, the CFAA one into “conspiratorial activities threatening the national security interest.”

(A) such governmental entity reasonably determines an emergency exists that—

(i) involves—

(I) immediate danger of death or serious physical injury to any person;

(II) conspiratorial activities threatening the national security interest; or

(III) conspiratorial activities characteristic of organized crime;

Presumably, requiring conspiratorial activities threatening the national security interest might raise the bar — but would still permit — the use of Stingrays against low level terrorism wannabes. Likewise, while it would likely permit the use of Stingrays against hackers (who are generally treated as counterinteligence threats among NatSec investigators), it might require some conspiracy between hackers.

All that said, there’s a whole lot of flux in what even someone who is often decent on civil liberties like Chaffetz considers a national security threat.

And, of course, in the FISA context, the notion of what might be regarded as an immediate danger of physical injury continues to grow.

These definitions are both far too broad, and far too vague.

Share this entry

It’s Not Just the FISA Court, It’s the Game of Surveillance Whack-a-Mole

/5 Comments/in , , /by

In response to this post from Chelsea Manning, the other day I did the first in what seems to have become a series of posts arguing that we should eliminate the FISA Court, but that the question is not simple. In that post, I laid out the tools the FISC has used, with varying degrees of success, in reining in Executive branch spying, especially in times of abuse.

In this post, I want to lay out how reining in surveillance isn’t just about whether the secret approval of warrants and orders would be better done by the FISC or a district court. It’s about whack-a-mole.

That’s because, right now, there are four ways the government gives itself legal cover for expansive surveillance:

  • FISC, increasingly including programs
  • EO 12333, including SPCMA
  • Magistrate warrants and orders without proper briefing
  • Administrative orders and/or voluntary cooperation

FISA Court

The government uses the FISA court to get individualized orders for surveillance in this country and, to a less clear extent, surveillance of Americans overseas. That’s the old-fashioned stuff that could be done by a district court. But it’s also one point where egregious source information — be it a foreign partner using dubious spying techniques, or, as John Brennan admitted in his confirmation hearing, torture — gets hidden. No defendant has ever been able to challenge the basis for the FISA warrant used against them, which is clearly not what Congress said it intended in passing FISA. But given that’s the case, it means a lot of prosecutions that might not pass constitutional muster, because of that egregious source information, get a virgin rebirth in the FISC.

In addition, starting 2004, the government started using the FISA Court to coerce corporations to continue domestic collection programs they had previously done voluntarily. As I noted, while I think the FISC’s oversight of these programs has been mixed, the FISC has forced the government to hew closer (though not at) the law.

EO 12333, including SPCMA

The executive branch considers FISA just a subset of EO 12333, the Reagan Executive Order governing the intelligence community — a carve out of collection requiring more stringent rules. At times, the Intelligence Community have operated as if EO 12333 is the only set of rules they need to follow — and they’ve even secretly rewritten it at least once to change the rules. The government will always assert the right to conduct spying under EO 12333 if it has a technical means to bypass that carve out. That’s what the Bush Administration claimed Stellar Wind operated under. And at precisely the time the FISC was imposing limits on the Internet dragnet, the Executive Brach was authorizing analysis of Americans’ Internet metadata collected overseas under SPCMA.

EO 12333 derived data does get used against defendants in the US, though it appears to be laundered through the FISC and/or parallel constructed, so defendants never get the opportunity to challenge this collection.

Magistrate warrants and orders

Even when the government goes to a Title III court — usually a magistrate judge — to get an order or warrant for surveillance, that surveillance often escapes real scrutiny. We’ve seen this happen with Stingrays and other location collection, as well as FBI hacking; in those cases, the government often didn’t fully brief magistrates about what they’re approving, so the judges didn’t consider the constitutional implications of it. There are exceptions, however (James Orenstein, the judge letting Apple challenge the use of an All Writs Act to force it to unlock a phone, is a notable one), and that has provided periodic checks on collection that should require more scrutiny, as well as public notice of those methods. That’s how, a decade after magistrates first started to question the collection of location data using orders, we’re finally getting circuit courts to review the issue. Significantly, these more exotic spying techniques are often repurposed foreign intelligence methods, meaning you’ll have magistrates and other TIII judges weighing in on surveillance techniques being used in parallel programs under FISA. At least in the case of Internet data, that may even result in a higher standard of scrutiny and minimization being applied to the FISA collection than the criminal investigation collection.

Administrative orders and/or voluntary cooperation

Up until 2006, telecoms willing turned over metadata on Americans’ calls to the government under Stellar Wind. Under Hemisphere, AT&T provides the government call record information — including results of location-based analysis, on all the calls that used its networks, not just AT&T customers — sometimes without an order. For months after Congress was starting to find a way to rein in the NSA phone dragnet with USA Freedom Act, the DEA continued to operate its own dragnet of international calls that operated entirely on administrative orders. Under CISA, the government will obtain and disseminate information on cybersecurity threats that it wouldn’t be able to do under upstream 702 collection; no judge will review that collection. Until 2009, the government was using NSLs to get all the information an ISP had on a user or website, including traffic information. AT&T still provides enhanced information, including the call records of friends and family co-subscribers and (less often than in the past) communities of interest.

These six examples make it clear that, even with Americans, even entirely within the US, the government conducts a lot of spying via administrative orders and/or voluntary cooperation. It’s not clear this surveillance had any but internal agency oversight, and what is known about these programs (the onsite collaboration that was probably one precursor to Hemisphere, the early NSL usage) makes it clear there have been significant abuses. Moreover, a number of these programs represent individual (the times when FBI used an NSL to get something the FISC had repeatedly refused to authorize under a Section 215 order) or programmatic collection (I suspect, CISA) that couldn’t be approved under the auspices of the FISC.

All of which is to say the question of what to do to bring better oversight over expansive surveillance is not limited to the short-comings of the FISC.  It also must contend with the way the government tends to move collection programs when one method proves less than optimal. Where technologically possible, it has moved spying offshore and conducted it under EO 12333. Where it could pay or otherwise bribe and legally shield providers, it moved to voluntary collection. Where it needed to use traditional courts, it often just obfuscated about what it was doing. The primary limits here are not legal, except insofar as legal niceties and the very remote possibility of transparency raise corporate partner concerns.

We need to fix or eliminate the FISC. But we need to do so while staying ahead of the game of whack-a-mole.

Share this entry

Kiddie Porn, Computer and Building Destruction, and Section 702

/1 Comment/in /by

At the end of September, I Con the Record released a bunch of documents relating to 2014’s Section 702 certification process including the August 26, 2014 Thomas Hogan opinion that, among other things, authorized an expansion of FBI’s minimization procedures.

The memo reflects a 2013 change to FBI minimization procedures (it was first approved on September 20, 2012) that permits it to disseminate information that,

is evidence of a crime and that it reasonably believes may assist in the mitigation or prevention of computer intrusions or attacks to private entities or individuals that have been or are at risk of being victimized by such intrusions or attacks, or to private entities or individuals … capable of providing assistance in mitigating or preventing such intrusions or attacks. Wherever reasonably practicable, such disseminations should not include United States person identifying information unless the FBI reasonably believes it is necessary to enable the recipient to assist in the mitigation or prevention of computer intrusion or attacks. (18)

This order expands that dissemination permission to include “dissemination of Section 702 information to someone in the private sector in order to mitigate other forms of serious harm, such as ‘a plot to destroy a building or monument.” The change “enables the FBI to disseminate information to private parties in less extreme cases.” Update: Since this language appears to exist only in the FBI minimization procedures, it should refer only to PRISM data, not upstream data, since FBI doesn’t get the latter in unminimized form, unless that has changed in some way that is not obvious in the minimization procedures.

Finally, Hogan approved a change to the FBI minimization procedures that permitted dissemination of 702-collected information to the National Center for Missing and Exploited Children if it is “evidence of a crime related to child exploitation material, including child pornography,” or for the purpose of obtaining technical assistance (the NCMEC keeps databases of images of child porn to track when new images are released).

While these are all generally included in the serious bodily harm provision of Section 702 — to say nothing of NSA’s broad inclusion of “property” in “bodily harm” — they show three clear expansions of the use of Section 702 for criminal investigations in recent years (and the computer intrusion language impacts my questions about how CISA interacts with Section 702).

Not only are those expansions worth noting in their own right, but they’re also worth considering in light of Bob Litt’s disclosure on February 4, 2015 (that is, chronologically after this change, but before this change got publicly released) of the crimes that FBI may use Section 702 information to prosecute.

And so today I want to say that in fact the list of crimes other than national security crimes for which we can use Section 702 information about U.S. persons is crimes involving death, kidnapping, substantial bodily harm, conduct that is a specified offense against a minor as defined in a particular statute, incapacitation or destruction of critical infrastructure, cyber security, transnational crimes, or human trafficking.

Litt’s list seems broader than, though clearly related to, the items approved in the unredacted parts of the FBI minimization procedures, though the language from the minimization procedures seems to explain what “incapacitation” of critical infrastructure is. As always, remember that “transnational crime” is a politicized subsection of mob crimes that never includes the crimes implicating our nations mob-banksters.

And keep in mind. This language would have been operative in the weeks leading up to the Sony hack. And yet the ability to share such intelligence with Sony did not prevent the hack.

In any case, I’m going to do a series of posts on the Snooper’s Charter released yesterday in the UK, and I wanted to clarify precisely what the available uses of Section 702 to investigate crimes are.

Share this entry

The FISA Court’s Uncelebrated Good Points

/in , /by

I’m working on a post responding to this post from Chelsea Manning calling to abolish the FISA Court. Spoiler alert: I largely agree with her, but I think the question is not that simple.

As background to that post, I wanted to shift the focus from a common perception of the FISC — that it is a rubber stamp that approves all requests — to a better measure of the FISC — the multiple ways it has tried to rein in the Executive. I think the FISC has, at times, been better at doing so than often given credit for. But as I’ll show in my larger post, those efforts have had limited success.

Minimization procedures

The primary tool the FISC uses is in policing the Executive is minimization procedures approved by the court. Royce Lamberth unsuccessfully tried to use minimization procedures to limit the use of FISA-collected data in prosecutions (and also, tools for investigation, such as informants). Reggie Walton was far more successful at using and expanding very detailed limits on the phone — and later, the Internet — dragnet to force the government to stop treating domestically collected dragnet data under its own EO 12333 rules and start treating it under the more stringent FISC-imposed rules. He even shut down the Internet dragnet in fall (probably October 30) 2009 because it did not abide by limits imposed 5 years earlier by Colleen Kollar-Kotelly.

There was also a long-running discussion (that involved several briefs in 2006 and 2009, and a change in FISC procedure in 2010) about what to do with Post Cut Through Dialed Digits (those things you type in after a call or Internet session has been connected) collected under pen registers. It appears that FISC permitted (and probably still permits) the collection of that data under FISA (that was not permitted under Title III pen registers), but required the data get minimized afterwards, and for a period over collected data got sequestered.

Perhaps the most important use of minimization procedures, however, came when Internet companies stopped complying with NSLs requiring data in 2009, forcing the government to use Section 215 orders to obtain the data. By all appearances, the FISC imposed and reviewed compliance of minimization procedures until FBI, more than 7 years after being required to, finally adopted minimization procedures for Section 215. This surely resulted in a lot less innocent person data being collected and retained than under NSL collection. Note that this probably imposed a higher standard of review on this bulky collection of data than what existed at magistrate courts, though some magistrates started trying to impose what are probably similar requirements in 2014.

Such oversight provides one place where USA Freedom Act is a clear regression from what is (today, anyway) in place. Under current rules, when the government submits an application retroactively for an emergency search of the dragnet, the court can require the government to destroy any data that should not have been collected. Under USAF, the Attorney General will police such things under a scheme that does not envision destroying improperly collected data at all, and even invites the parallel construction of it.

First Amendment review

The FISC has also had some amount — perhaps significant — success in making the Executive use a more restrictive First Amendment review than it otherwise would have. Kollar-Kotelly independently imposed a First Amendment review on the Internet dragnet in 2004. First Amendment reviews were implicated in the phone dragnet changes Walton pushed in 2009. And it appears that in the government’s first uses of the emergency provision for the phone dragnet, it may have bypassed First Amendment review — at least, that’s the most logical explanation for why FISC explicitly added a First Amendment review to the emergency provision last year. While I can’t prove this with available data, I strongly suspect more stringent First Amendment reviews explain the drop in dragnet searches every time the FISC increased its scrutiny of selectors.

In most FISA surveillance, there is supposed to be a prohibition on targeting someone for their First Amendment protected activities. Yet given the number of times FISC has had to police that, it seems that the Executive uses a much weaker standard of First Amendment review than the FISC. Which should be a particularly big concern for National Security Letters, as they ordinarily get no court review (one of the NSL challenges that has been dismissed seemed to raise First Amendment concerns).

Notice of magistrate decisions

On at least two occasions, the FISC has taken notice of and required briefing after magistrate judges found a practice also used under FISA to require a higher standard of evidence. One was the 2009 PCTDD discussion mentioned above. The other was the use of combined orders to get phone records and location data. And while the latter probably resulted in other ways the Executive could use FISA to obtain location data, it suggests the FISC has paid close attention to issues being debated in magistrate courts (though that may have more to do with the integrity of then National Security Assistant Attorney General David Kris than the FISC itself; I don’t have high confidence it is still happening). To the extent this occurs, it is more likely that FISA practices will all adjust to new standards of technology than traditional courts, given that other magistrates will continue to approve questionable orders and warrants long after a few individually object, and given that an individual objection isn’t always made public.

Dissemination limits

Finally, the FISC has limited Executive action by limiting the use and dissemination of certain kinds of information. During Stellar Wind, Lamberth and Kollar-Kotelly attempted to limit or at least know which data came from Stellar Wind, thereby limiting its use for further FISA warrants (though it’s not clear how successful that was). The known details of dragnet minimization procedures included limits on dissemination (which were routinely violated until the FISC expanded them).

More recently John Bates twice pointed to FISA Section 1809(a)(2) to limit the government’s use of data collected outside of legal guidelines. He did so first in 2010 when he limited the government’s use of illegally collected Internet metadata. He used it again in 2011 when he used it to limit the government’s access to illegally collected upstream content. However, I think it likely that after both instances, the NSA took its toys and went elsewhere for part of the relevant collection, in the first case to SPCMA analysis on EO 12333 collected Internet metadata, and in the second to CISA (though just for cyber applications). So long as the FISC unquestioningly accepts EO 12333 evidence to support individual warrants and programmatic certificates, the government can always move collection away from FISC review.

Moreover, with USAF, Congress partly eliminated this tool as a retroactive control on upstream collection; it authorized the use of data collected improperly if the FISC subsequently approved retention of it under new minimization procedures.

These tools have been of varying degrees of usefulness. But FISC has tried to wield them, often in places where all but a few Title III courts were not making similar efforts. Indeed, there are a few collection practices where the FISC probably imposed a higher standard than TIII courts, and probably many more where FISC review reined in collection that didn’t have such review.

Share this entry

The Second Circuit Attempts to Reassert Its Non-Definition of Relevant

/5 Comments/in /by

Orin Kerr and Steve Vladeck got in a bit of a squabble last week over the Second Circuit’s decision not to reach the constitutionality of the phone dragnet. Vladeck called it wrong-headed, because even if the constitutional injury of the dragnet is temporary (that is, only until November 29), it’s the kind of injury that can recur. Kerr reads both this — and the Second Circuit’s original opinion — to be nothing more than a pragmatic nudge to Congress. “If you liked that opinion, it’s a little hard to object to the Second Circuit’s pragmatic, politically savvy, we-got-Congress-to-act-on-this-so-we’re-done moves in the second opinion.”

But I think both are misreading what the Second Circuit tried to do with this.

Take Kerr’s suggestion that the initial ruling from the Second Circuit got Congress to act.  He doesn’t say what he means by that (or which civil libertarians he had in mind when asserting that). The earlier decision certainly added pressure to get the bill through Congress.

But look at how Gerard Lynch, in his opinion, describes the relationship: Congress not just passed a bill to prohibit bulk telephone collection, but it “endorsed our understanding of the key term ‘relevance.'”

Congress passed the Freedom Act in part to prohibit bulk telephone metadata collection, and in doing so endorsed our understanding of the key term “relevance.”  See H.R. Rep. No. 114‐109, at 19.

Lynch goes on to cite the House report on the bill to support this claim.

Section 103 of the Freedom Act, titled “Prohibition on Bulk Collection of Tangible Things,” states that “[n]o order issued under this subsection may authorize the collection of tangible things without the use of a specific selection term” that meets certain requirements.  Id.  The purpose of § 103 is to “make[] clear that the government may not engage in indiscriminate bulk collection of any tangible thing or any type of record.”  H.R. Rep. No. 114‐109, pt. 1, at 18 (2015).  Section 103 is also intended to “restore meaningful limits to the ‘relevance’ requirement of Section 501, consistent with the opinion of the U.S. Court of Appeals for the Second Circuit in ACLU v. Clapper.”  Id. at 19.

He cites language point to an entire section that the House says will restore limits to the relevance requirement of a section of a law “consistent” with his own earlier opinion.

All that said, it’s not clear that USA F-ReDux, as written, does do that. That’s true, first of all, because while the House report specifically states, “Congress’ decision to leave in place the ‘relevance’ standard for Section 501 orders should not be construed as Congress’ intent to ratify the FISA Court’s interpretation of that term” (Lynch cites this language in his opinion), it also doesn’t state that Congress intended to override that definition. What the bill did instead was leave the word “relevant” (still potentially meaning “all” as FISC defined it) in place, but place additional limits for its application under FISA.

Moreover, I’m not convinced the limits as written in USA F-ReDux accomplish all that the Second Circuit’s earlier opinion envisioned, which is perhaps best described in the ways the dragnets didn’t resemble warrants or subpoenas.

Moreover, the distinction is not merely one of quantity – however vast the quantitative difference – but also of quality.  Search warrants and document subpoenas typically seek the records of a particular individual or corporation under investigation, and cover particular time periods when the events under investigation occurred.  The orders at issue here contain no such limits.  The metadata concerning every telephone call made or received in the United States using the services of the recipient service provider are demanded, for an indefinite period extending into the future.  The records demanded are not those of suspects under investigation, or of people or businesses that have contact with such subjects, or of people or businesses that have contact with others who are in contact with the subjects – they extend to every record that exists, and indeed to records that do not yet exist, as they impose a continuing obligation on the recipient of the subpoena to provide such records on an ongoing basis as they are created.

Even setting aside my concern that USA F-ReDux only explicitly prohibits the use of communications company names like Verizon and AT&T as a specific selection term — thus leaving open the possibility FISC will continue to let the government use financial company names as specific selection terms — USA F-ReDux certainly envisions the government imposing “a continuing obligation on the recipient of the subpoena to provide such records on an ongoing basis.” It also permits the collection of records that “are not those of suspects under investigation.”

In other words, Lynch used this second opinion to do more than say the Second Circuit was “done with it.” He used it to interpret USA F-ReDux — and the word “relevant” generally, outside of FISA, and to do so in ways that go beyond the clear language of the bill.

Vladeck is wrong when he suggested the Second Circuit would assess “whether and to what extent the Fourth Amendment applies to information we voluntarily provide to third parties” — that is, the Third Party Doctrine generally. The Second Circuit made it quite clear throughout that they were interested in the application of “relevant,” not whether the Third Party Doctrine still applied generally, which is probably why Lynch isn’t that worried about the injury recurring.

And I think Lynch used this opinion — one the government can’t really appeal — to suggest the application of USA F-ReDux is broader than it necessarily is, and to suggest the narrowing of “relevant to” is more general than it would be under USA F-ReDux (which applies just to certain sections of FISA, but not to the definition of “relevant” generally).

It’s not clear how useful the opinion will be in restricting other over-broad uses of the word “relevant” (especially given DEA claims it has eliminated its dragnet). But I do suspect, having interpreted the law as having narrowed the meaning of the law, Lynch felt like he had limited the egregious constitutional injury.

Share this entry