The Proliferation-as-Terrorism Rule

/1 Comment/in /by

Last week, Chairman of the House Homeland Security Committee tried to get Assistant Secretary of State Anne Patterson to list the Iran Republican Guard as a terrorist organization.

Rep. Michael McCaul (R., Texas) pressed Anne Patterson, assistant secretary of state in the bureau of near eastern affairs, during a hearing last week on Iran’s rogue activities.

Since the nuclear deal, “Iran has taken several provocative actions, including ballistic missile tests, the jailing of Americans on frivolous charges, and support for terrorist activities via the IRGC, the Iranian Revolutionary Guard Corps,” McCaul said.

The corps has been linked to terrorist operations across the Middle East and beyond, including arming terror proxy groups fighting against the United States and Israel.

“I sent a letter to the president of the United States requesting that the IRGC be placed on the Foreign Terrorist Organization list because they are the terror arm of Iran,” McCaul said. “This would not lift the sanctions. It would keep the sanctions in place on the very terrorist activities that Iran wants to take the $100 billion and ship them toward these activities. What is your response to whether or not designating the IRGC as an FTO [foreign terrorist organization], whether that is a good decision?”

Patterson sidestepped the question, but said that the State Department does not think the group can legally be categorized as a terrorist organization.

“I can’t answer that question, Mr. McCaul,” Patterson said. “I’ll have to get back to you. I would not think they would meet the legal criteria, but I don’t really know.”

Now, I’m not actually interested in getting the IRGC listed as a terrorist organization, particularly not for arming militias, because I think that would be a very bad precedent for the world’s biggest arms proliferator. Moreover, I’m sure Patterson sees this effort as another attempt to squelch efforts for peace with Iran.

But I am interested in her squirming given that for some years — we don’t know how many, but there was a new group approved in June 2007 and another approved in July 2009, so probably at least 6 years — the NSA has targeted Iran using the counterterrorism phone dragnet. So the government has convinced a FISC judge that IRGC (or Iran more generally) is a terrorist group. But now the State Department is telling us they’re not.

Up until USA F-ReDux passed this year, when Congress extended the proliferation-related definition of a foreign power under FISA to include those aiding or conspiring with those actually doing the proliferation, the government seems to have always pushed whom could be spied on well beyond the definitions in the law (there appears to have been a non-NSA certificate for it under Protect America Act, for example). That extends to the phone dragnet, and does so in such a way that probably includes a lot of American businesses.

And, Patterson’s dodges notwithstanding, the government hasn’t been above calling Iran a terrorist organization to do it.

 

The Government’s Bad Faith Arguments Demanding a Dragnet Stay

/3 Comments/in /by

As expected, the government requested an immediate stay of Richard Leon’s decision yesterday to enjoin the dragnet from collecting JJ Little’s phone records.

Their argument is noteworthy for its stubbornness — reasserting many of the same arguments Leon just ruled against — and logical inconsistency. The brief claims, for example, that termination of the dragnet would cause the government irreparable harm, even while suggesting that it’s possible they’ve stopped collecting data from Verizon Business Network Services, which they’ve just claimed would cause irreparable harm.

But the brief also argues that the only way to comply with the injunction is to shut down the entire dragnet.

As the Government Defendants have explained, however, the only practicable way for the NSA to comply with the Court’s preliminary injunction is immediately to cease all collection and queries of telephony metadata under the Section 215 program—that is, to shut the program down. That is so because the technical steps required in order to prevent the further collection of and to segregate the metadata associated with particular persons’ calls would take the NSA months to complete. Gov’t Defs.’ Opp. to Pls.’ Renewed Mot. for a Prelim. Inj. (ECF No. 150) (“Gov’t PI Opp.”) at 41-44, citing Potter Decl. (Gov’t PI Opp. Exh. 4) ¶¶ 20-27.

That’s not actually what the Potter declaration the discussion cites to says. Potter says there is a way to make Little’s records inaccessible — though it claims implausibly that it would take two weeks to accomplish.

With respect to a requirement that the NSA cease analytic access to any records about plaintiffs’ calls that may already have been collected under the Program, NSA has developed a process that can be used to prevent analytic access to metadata containing specified identifiers. This capability prevents the use of particular identifiers to conduct queries, and prevents analysts from accessing records containing those identifiers even if responsive to queries using different identifiers. NSA technical personnel estimate that eliminating analytic access to metadata associated with plaintiffs’ calls could be completed within approximately 2 weeks after receipt of the plaintiffs’ telephone numbers and the time-frames during which they were used.

This is the defeat list process I’ve discussed repeatedly, by which high volume numbers (like Verizon’s voice mail number and pizza joints) and other sensitive numbers (likely including Congress’ official numbers as well as informants) are made inaccessible to querying.

Consider me skeptical that it really takes 2 weeks to put something on a defeat list, as not doing so makes queries unusable. If it took 2 weeks, then the dragnet would frequently return crap for 2 weeks as techs tried to stay ahead of the defeat list numbers.

There’s one more thing that yesterday’s brief and the underlying declaration make clear though: The government is collecting records off telecom backbones, not off any billing system (contrary to what some reports still claim).

That’s true because the only way that the government wouldn’t be sure that Little’s records were collected under an order to VBNS is if they weren’t getting actual subscribers information. Moreover, Little’s records still show up on AT&T’s compliance, too (anytime his calls transit their backbone, not to mention any time he calls someone who uses AT&T).

That, of course, means that Larry Klayman and everyone else in the United States has standing if the Fourth Amendment injury comes with collection — because everyone’s records transit the major telecom backbones of the country. But the government has been claiming all this time they can’t be sure that’s the case.

The government will get their stay, and they will moot this decision (if not overturn it) at the end of the month. But not before engaging in some serious bad faith in claims to the court.

Richard Leon Halts the Dragnet for One Plaintiff

/1 Comment/in /by

Judge Richard Leon has just issued an injunction on the NSA’s collection of the phone metadata of J.J. Little and his lawfirm. Little got added as a plaintiff to Larry Klayman’s suit (in which Leon earlier found the program unconstitutional but stayed his own injunction) so as to have a Verizon Business Services customer who could be certain his phone records had been collected.

The order will undoubtedly set off a bit of a scramble, not because pulling Little’s phone records really presents any difficulty for the NSA (they already defeat list so many records it’s clear they have the ability to at least make those records inaccessible to a search, though they don’t want to explain the full application of that process; hopefully this ruling will lead to more candor on this point). Rather, the NSA will want to ensure this program has constitutional sanction because it also collects so many other records of Americans (in his book, for example, Charlie Savage confirmed my earlier analysis that the Internet dragnet moved, in part, overseas rather than being shut down). And the DC Circuit is likely to respond to quickly override Leon.

That said, Leon’s order is most interesting for its analysis of the government’s claim it can carry out this program because of a Special Need. In it, he repeats efficacy arguments he made in his earlier ruling: rather than present any new evidence that the program has been useful, it has instead just said the threat environment requires it. But he also notes that this special need, unlike that of, say, a TSA check, does not have a deterrence effect. That’s interesting because the government’s own secrecy about how many calls are collected would make any deterrence uncertain (indeed, terrorists might be expected to move communications to the Internet, believing falsely that attracts less attention).

As I said, the DC Circuit is likely to overturn this. But it will give the government a few days of headaches until that point.

Defining Stingray Emergencies … or Not

/4 Comments/in , , /by

A couple of weeks ago, ACLU NoCal released more documents on the use of Stingray. While much of the attention focused on the admission that innocent people get sucked up in Stingray usage, I was at least as interested in the definition of an emergency during which a Stingray could be used with retroactive authorization:
Screen Shot 2015-11-08 at 9.27.59 AM

I was interested both in the invocation of organized crime (which would implicate drug dealing), but also the suggestion the government would get a Stingray to pursue a hacker under the CFAA. Equally curiously, the definition here leaves out part of the definition of “protected computer” under CFAA, one used in interstate communication.

(2) the term “protected computer” means a computer—
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

Does the existing definition of an emergency describe how DOJ has most often used Stingrays to pursue CFAA violations (which of course, as far as we know, have never been noticed to defendants).

Now compare the definition Jason Chaffetz used in his Stingray Privacy Act, a worthwhile bill limiting the use of Stingrays, though this emergency section is the one I and others have most concerns about. Chaffetz doesn’t have anything that explicitly invokes the CFAA definition, and collapses the “threat to national security” and, potentially, the CFAA one into “conspiratorial activities threatening the national security interest.”

(A) such governmental entity reasonably determines an emergency exists that—

(i) involves—

(I) immediate danger of death or serious physical injury to any person;

(II) conspiratorial activities threatening the national security interest; or

(III) conspiratorial activities characteristic of organized crime;

Presumably, requiring conspiratorial activities threatening the national security interest might raise the bar — but would still permit — the use of Stingrays against low level terrorism wannabes. Likewise, while it would likely permit the use of Stingrays against hackers (who are generally treated as counterinteligence threats among NatSec investigators), it might require some conspiracy between hackers.

All that said, there’s a whole lot of flux in what even someone who is often decent on civil liberties like Chaffetz considers a national security threat.

And, of course, in the FISA context, the notion of what might be regarded as an immediate danger of physical injury continues to grow.

These definitions are both far too broad, and far too vague.

It’s Not Just the FISA Court, It’s the Game of Surveillance Whack-a-Mole

/5 Comments/in , , /by

In response to this post from Chelsea Manning, the other day I did the first in what seems to have become a series of posts arguing that we should eliminate the FISA Court, but that the question is not simple. In that post, I laid out the tools the FISC has used, with varying degrees of success, in reining in Executive branch spying, especially in times of abuse.

In this post, I want to lay out how reining in surveillance isn’t just about whether the secret approval of warrants and orders would be better done by the FISC or a district court. It’s about whack-a-mole.

That’s because, right now, there are four ways the government gives itself legal cover for expansive surveillance:

  • FISC, increasingly including programs
  • EO 12333, including SPCMA
  • Magistrate warrants and orders without proper briefing
  • Administrative orders and/or voluntary cooperation

FISA Court

The government uses the FISA court to get individualized orders for surveillance in this country and, to a less clear extent, surveillance of Americans overseas. That’s the old-fashioned stuff that could be done by a district court. But it’s also one point where egregious source information — be it a foreign partner using dubious spying techniques, or, as John Brennan admitted in his confirmation hearing, torture — gets hidden. No defendant has ever been able to challenge the basis for the FISA warrant used against them, which is clearly not what Congress said it intended in passing FISA. But given that’s the case, it means a lot of prosecutions that might not pass constitutional muster, because of that egregious source information, get a virgin rebirth in the FISC.

In addition, starting 2004, the government started using the FISA Court to coerce corporations to continue domestic collection programs they had previously done voluntarily. As I noted, while I think the FISC’s oversight of these programs has been mixed, the FISC has forced the government to hew closer (though not at) the law.

EO 12333, including SPCMA

The executive branch considers FISA just a subset of EO 12333, the Reagan Executive Order governing the intelligence community — a carve out of collection requiring more stringent rules. At times, the Intelligence Community have operated as if EO 12333 is the only set of rules they need to follow — and they’ve even secretly rewritten it at least once to change the rules. The government will always assert the right to conduct spying under EO 12333 if it has a technical means to bypass that carve out. That’s what the Bush Administration claimed Stellar Wind operated under. And at precisely the time the FISC was imposing limits on the Internet dragnet, the Executive Brach was authorizing analysis of Americans’ Internet metadata collected overseas under SPCMA.

EO 12333 derived data does get used against defendants in the US, though it appears to be laundered through the FISC and/or parallel constructed, so defendants never get the opportunity to challenge this collection.

Magistrate warrants and orders

Even when the government goes to a Title III court — usually a magistrate judge — to get an order or warrant for surveillance, that surveillance often escapes real scrutiny. We’ve seen this happen with Stingrays and other location collection, as well as FBI hacking; in those cases, the government often didn’t fully brief magistrates about what they’re approving, so the judges didn’t consider the constitutional implications of it. There are exceptions, however (James Orenstein, the judge letting Apple challenge the use of an All Writs Act to force it to unlock a phone, is a notable one), and that has provided periodic checks on collection that should require more scrutiny, as well as public notice of those methods. That’s how, a decade after magistrates first started to question the collection of location data using orders, we’re finally getting circuit courts to review the issue. Significantly, these more exotic spying techniques are often repurposed foreign intelligence methods, meaning you’ll have magistrates and other TIII judges weighing in on surveillance techniques being used in parallel programs under FISA. At least in the case of Internet data, that may even result in a higher standard of scrutiny and minimization being applied to the FISA collection than the criminal investigation collection.

Administrative orders and/or voluntary cooperation

Up until 2006, telecoms willing turned over metadata on Americans’ calls to the government under Stellar Wind. Under Hemisphere, AT&T provides the government call record information — including results of location-based analysis, on all the calls that used its networks, not just AT&T customers — sometimes without an order. For months after Congress was starting to find a way to rein in the NSA phone dragnet with USA Freedom Act, the DEA continued to operate its own dragnet of international calls that operated entirely on administrative orders. Under CISA, the government will obtain and disseminate information on cybersecurity threats that it wouldn’t be able to do under upstream 702 collection; no judge will review that collection. Until 2009, the government was using NSLs to get all the information an ISP had on a user or website, including traffic information. AT&T still provides enhanced information, including the call records of friends and family co-subscribers and (less often than in the past) communities of interest.

These six examples make it clear that, even with Americans, even entirely within the US, the government conducts a lot of spying via administrative orders and/or voluntary cooperation. It’s not clear this surveillance had any but internal agency oversight, and what is known about these programs (the onsite collaboration that was probably one precursor to Hemisphere, the early NSL usage) makes it clear there have been significant abuses. Moreover, a number of these programs represent individual (the times when FBI used an NSL to get something the FISC had repeatedly refused to authorize under a Section 215 order) or programmatic collection (I suspect, CISA) that couldn’t be approved under the auspices of the FISC.

All of which is to say the question of what to do to bring better oversight over expansive surveillance is not limited to the short-comings of the FISC.  It also must contend with the way the government tends to move collection programs when one method proves less than optimal. Where technologically possible, it has moved spying offshore and conducted it under EO 12333. Where it could pay or otherwise bribe and legally shield providers, it moved to voluntary collection. Where it needed to use traditional courts, it often just obfuscated about what it was doing. The primary limits here are not legal, except insofar as legal niceties and the very remote possibility of transparency raise corporate partner concerns.

We need to fix or eliminate the FISC. But we need to do so while staying ahead of the game of whack-a-mole.

Kiddie Porn, Computer and Building Destruction, and Section 702

/1 Comment/in /by

At the end of September, I Con the Record released a bunch of documents relating to 2014’s Section 702 certification process including the August 26, 2014 Thomas Hogan opinion that, among other things, authorized an expansion of FBI’s minimization procedures.

The memo reflects a 2013 change to FBI minimization procedures (it was first approved on September 20, 2012) that permits it to disseminate information that,

is evidence of a crime and that it reasonably believes may assist in the mitigation or prevention of computer intrusions or attacks to private entities or individuals that have been or are at risk of being victimized by such intrusions or attacks, or to private entities or individuals … capable of providing assistance in mitigating or preventing such intrusions or attacks. Wherever reasonably practicable, such disseminations should not include United States person identifying information unless the FBI reasonably believes it is necessary to enable the recipient to assist in the mitigation or prevention of computer intrusion or attacks. (18)

This order expands that dissemination permission to include “dissemination of Section 702 information to someone in the private sector in order to mitigate other forms of serious harm, such as ‘a plot to destroy a building or monument.” The change “enables the FBI to disseminate information to private parties in less extreme cases.” Update: Since this language appears to exist only in the FBI minimization procedures, it should refer only to PRISM data, not upstream data, since FBI doesn’t get the latter in unminimized form, unless that has changed in some way that is not obvious in the minimization procedures.

Finally, Hogan approved a change to the FBI minimization procedures that permitted dissemination of 702-collected information to the National Center for Missing and Exploited Children if it is “evidence of a crime related to child exploitation material, including child pornography,” or for the purpose of obtaining technical assistance (the NCMEC keeps databases of images of child porn to track when new images are released).

While these are all generally included in the serious bodily harm provision of Section 702 — to say nothing of NSA’s broad inclusion of “property” in “bodily harm” — they show three clear expansions of the use of Section 702 for criminal investigations in recent years (and the computer intrusion language impacts my questions about how CISA interacts with Section 702).

Not only are those expansions worth noting in their own right, but they’re also worth considering in light of Bob Litt’s disclosure on February 4, 2015 (that is, chronologically after this change, but before this change got publicly released) of the crimes that FBI may use Section 702 information to prosecute.

And so today I want to say that in fact the list of crimes other than national security crimes for which we can use Section 702 information about U.S. persons is crimes involving death, kidnapping, substantial bodily harm, conduct that is a specified offense against a minor as defined in a particular statute, incapacitation or destruction of critical infrastructure, cyber security, transnational crimes, or human trafficking.

Litt’s list seems broader than, though clearly related to, the items approved in the unredacted parts of the FBI minimization procedures, though the language from the minimization procedures seems to explain what “incapacitation” of critical infrastructure is. As always, remember that “transnational crime” is a politicized subsection of mob crimes that never includes the crimes implicating our nations mob-banksters.

And keep in mind. This language would have been operative in the weeks leading up to the Sony hack. And yet the ability to share such intelligence with Sony did not prevent the hack.

In any case, I’m going to do a series of posts on the Snooper’s Charter released yesterday in the UK, and I wanted to clarify precisely what the available uses of Section 702 to investigate crimes are.

The FISA Court’s Uncelebrated Good Points

/in , /by

I’m working on a post responding to this post from Chelsea Manning calling to abolish the FISA Court. Spoiler alert: I largely agree with her, but I think the question is not that simple.

As background to that post, I wanted to shift the focus from a common perception of the FISC — that it is a rubber stamp that approves all requests — to a better measure of the FISC — the multiple ways it has tried to rein in the Executive. I think the FISC has, at times, been better at doing so than often given credit for. But as I’ll show in my larger post, those efforts have had limited success.

Minimization procedures

The primary tool the FISC uses is in policing the Executive is minimization procedures approved by the court. Royce Lamberth unsuccessfully tried to use minimization procedures to limit the use of FISA-collected data in prosecutions (and also, tools for investigation, such as informants). Reggie Walton was far more successful at using and expanding very detailed limits on the phone — and later, the Internet — dragnet to force the government to stop treating domestically collected dragnet data under its own EO 12333 rules and start treating it under the more stringent FISC-imposed rules. He even shut down the Internet dragnet in fall (probably October 30) 2009 because it did not abide by limits imposed 5 years earlier by Colleen Kollar-Kotelly.

There was also a long-running discussion (that involved several briefs in 2006 and 2009, and a change in FISC procedure in 2010) about what to do with Post Cut Through Dialed Digits (those things you type in after a call or Internet session has been connected) collected under pen registers. It appears that FISC permitted (and probably still permits) the collection of that data under FISA (that was not permitted under Title III pen registers), but required the data get minimized afterwards, and for a period over collected data got sequestered.

Perhaps the most important use of minimization procedures, however, came when Internet companies stopped complying with NSLs requiring data in 2009, forcing the government to use Section 215 orders to obtain the data. By all appearances, the FISC imposed and reviewed compliance of minimization procedures until FBI, more than 7 years after being required to, finally adopted minimization procedures for Section 215. This surely resulted in a lot less innocent person data being collected and retained than under NSL collection. Note that this probably imposed a higher standard of review on this bulky collection of data than what existed at magistrate courts, though some magistrates started trying to impose what are probably similar requirements in 2014.

Such oversight provides one place where USA Freedom Act is a clear regression from what is (today, anyway) in place. Under current rules, when the government submits an application retroactively for an emergency search of the dragnet, the court can require the government to destroy any data that should not have been collected. Under USAF, the Attorney General will police such things under a scheme that does not envision destroying improperly collected data at all, and even invites the parallel construction of it.

First Amendment review

The FISC has also had some amount — perhaps significant — success in making the Executive use a more restrictive First Amendment review than it otherwise would have. Kollar-Kotelly independently imposed a First Amendment review on the Internet dragnet in 2004. First Amendment reviews were implicated in the phone dragnet changes Walton pushed in 2009. And it appears that in the government’s first uses of the emergency provision for the phone dragnet, it may have bypassed First Amendment review — at least, that’s the most logical explanation for why FISC explicitly added a First Amendment review to the emergency provision last year. While I can’t prove this with available data, I strongly suspect more stringent First Amendment reviews explain the drop in dragnet searches every time the FISC increased its scrutiny of selectors.

In most FISA surveillance, there is supposed to be a prohibition on targeting someone for their First Amendment protected activities. Yet given the number of times FISC has had to police that, it seems that the Executive uses a much weaker standard of First Amendment review than the FISC. Which should be a particularly big concern for National Security Letters, as they ordinarily get no court review (one of the NSL challenges that has been dismissed seemed to raise First Amendment concerns).

Notice of magistrate decisions

On at least two occasions, the FISC has taken notice of and required briefing after magistrate judges found a practice also used under FISA to require a higher standard of evidence. One was the 2009 PCTDD discussion mentioned above. The other was the use of combined orders to get phone records and location data. And while the latter probably resulted in other ways the Executive could use FISA to obtain location data, it suggests the FISC has paid close attention to issues being debated in magistrate courts (though that may have more to do with the integrity of then National Security Assistant Attorney General David Kris than the FISC itself; I don’t have high confidence it is still happening). To the extent this occurs, it is more likely that FISA practices will all adjust to new standards of technology than traditional courts, given that other magistrates will continue to approve questionable orders and warrants long after a few individually object, and given that an individual objection isn’t always made public.

Dissemination limits

Finally, the FISC has limited Executive action by limiting the use and dissemination of certain kinds of information. During Stellar Wind, Lamberth and Kollar-Kotelly attempted to limit or at least know which data came from Stellar Wind, thereby limiting its use for further FISA warrants (though it’s not clear how successful that was). The known details of dragnet minimization procedures included limits on dissemination (which were routinely violated until the FISC expanded them).

More recently John Bates twice pointed to FISA Section 1809(a)(2) to limit the government’s use of data collected outside of legal guidelines. He did so first in 2010 when he limited the government’s use of illegally collected Internet metadata. He used it again in 2011 when he used it to limit the government’s access to illegally collected upstream content. However, I think it likely that after both instances, the NSA took its toys and went elsewhere for part of the relevant collection, in the first case to SPCMA analysis on EO 12333 collected Internet metadata, and in the second to CISA (though just for cyber applications). So long as the FISC unquestioningly accepts EO 12333 evidence to support individual warrants and programmatic certificates, the government can always move collection away from FISC review.

Moreover, with USAF, Congress partly eliminated this tool as a retroactive control on upstream collection; it authorized the use of data collected improperly if the FISC subsequently approved retention of it under new minimization procedures.

These tools have been of varying degrees of usefulness. But FISC has tried to wield them, often in places where all but a few Title III courts were not making similar efforts. Indeed, there are a few collection practices where the FISC probably imposed a higher standard than TIII courts, and probably many more where FISC review reined in collection that didn’t have such review.

The Second Circuit Attempts to Reassert Its Non-Definition of Relevant

/5 Comments/in /by

Orin Kerr and Steve Vladeck got in a bit of a squabble last week over the Second Circuit’s decision not to reach the constitutionality of the phone dragnet. Vladeck called it wrong-headed, because even if the constitutional injury of the dragnet is temporary (that is, only until November 29), it’s the kind of injury that can recur. Kerr reads both this — and the Second Circuit’s original opinion — to be nothing more than a pragmatic nudge to Congress. “If you liked that opinion, it’s a little hard to object to the Second Circuit’s pragmatic, politically savvy, we-got-Congress-to-act-on-this-so-we’re-done moves in the second opinion.”

But I think both are misreading what the Second Circuit tried to do with this.

Take Kerr’s suggestion that the initial ruling from the Second Circuit got Congress to act.  He doesn’t say what he means by that (or which civil libertarians he had in mind when asserting that). The earlier decision certainly added pressure to get the bill through Congress.

But look at how Gerard Lynch, in his opinion, describes the relationship: Congress not just passed a bill to prohibit bulk telephone collection, but it “endorsed our understanding of the key term ‘relevance.'”

Congress passed the Freedom Act in part to prohibit bulk telephone metadata collection, and in doing so endorsed our understanding of the key term “relevance.”  See H.R. Rep. No. 114‐109, at 19.

Lynch goes on to cite the House report on the bill to support this claim.

Section 103 of the Freedom Act, titled “Prohibition on Bulk Collection of Tangible Things,” states that “[n]o order issued under this subsection may authorize the collection of tangible things without the use of a specific selection term” that meets certain requirements.  Id.  The purpose of § 103 is to “make[] clear that the government may not engage in indiscriminate bulk collection of any tangible thing or any type of record.”  H.R. Rep. No. 114‐109, pt. 1, at 18 (2015).  Section 103 is also intended to “restore meaningful limits to the ‘relevance’ requirement of Section 501, consistent with the opinion of the U.S. Court of Appeals for the Second Circuit in ACLU v. Clapper.”  Id. at 19.

He cites language point to an entire section that the House says will restore limits to the relevance requirement of a section of a law “consistent” with his own earlier opinion.

All that said, it’s not clear that USA F-ReDux, as written, does do that. That’s true, first of all, because while the House report specifically states, “Congress’ decision to leave in place the ‘relevance’ standard for Section 501 orders should not be construed as Congress’ intent to ratify the FISA Court’s interpretation of that term” (Lynch cites this language in his opinion), it also doesn’t state that Congress intended to override that definition. What the bill did instead was leave the word “relevant” (still potentially meaning “all” as FISC defined it) in place, but place additional limits for its application under FISA.

Moreover, I’m not convinced the limits as written in USA F-ReDux accomplish all that the Second Circuit’s earlier opinion envisioned, which is perhaps best described in the ways the dragnets didn’t resemble warrants or subpoenas.

Moreover, the distinction is not merely one of quantity – however vast the quantitative difference – but also of quality.  Search warrants and document subpoenas typically seek the records of a particular individual or corporation under investigation, and cover particular time periods when the events under investigation occurred.  The orders at issue here contain no such limits.  The metadata concerning every telephone call made or received in the United States using the services of the recipient service provider are demanded, for an indefinite period extending into the future.  The records demanded are not those of suspects under investigation, or of people or businesses that have contact with such subjects, or of people or businesses that have contact with others who are in contact with the subjects – they extend to every record that exists, and indeed to records that do not yet exist, as they impose a continuing obligation on the recipient of the subpoena to provide such records on an ongoing basis as they are created.

Even setting aside my concern that USA F-ReDux only explicitly prohibits the use of communications company names like Verizon and AT&T as a specific selection term — thus leaving open the possibility FISC will continue to let the government use financial company names as specific selection terms — USA F-ReDux certainly envisions the government imposing “a continuing obligation on the recipient of the subpoena to provide such records on an ongoing basis.” It also permits the collection of records that “are not those of suspects under investigation.”

In other words, Lynch used this second opinion to do more than say the Second Circuit was “done with it.” He used it to interpret USA F-ReDux — and the word “relevant” generally, outside of FISA, and to do so in ways that go beyond the clear language of the bill.

Vladeck is wrong when he suggested the Second Circuit would assess “whether and to what extent the Fourth Amendment applies to information we voluntarily provide to third parties” — that is, the Third Party Doctrine generally. The Second Circuit made it quite clear throughout that they were interested in the application of “relevant,” not whether the Third Party Doctrine still applied generally, which is probably why Lynch isn’t that worried about the injury recurring.

And I think Lynch used this opinion — one the government can’t really appeal — to suggest the application of USA F-ReDux is broader than it necessarily is, and to suggest the narrowing of “relevant to” is more general than it would be under USA F-ReDux (which applies just to certain sections of FISA, but not to the definition of “relevant” generally).

It’s not clear how useful the opinion will be in restricting other over-broad uses of the word “relevant” (especially given DEA claims it has eliminated its dragnet). But I do suspect, having interpreted the law as having narrowed the meaning of the law, Lynch felt like he had limited the egregious constitutional injury.

The Awkward Timing of the 2nd Circuit Denial of ACLU’s Request for a Phone Dragnet Injunction

/4 Comments/in /by

The 2nd circuit just denied the ACLU’s request for an injunction in the phone dragnet, finding that Congress intended to let the dragnet continue for 6 months after passage of USA F-ReDux.

That’s not all that surprising, but it also means the 2nd circuit is dodging constitutional issues for now (in part by claiming Congress had adopted their reasoning on the meaning of “relevant to,” which it did not; I will return to this).

But the court remanded the case on one main issue: what happens on November 29, when the 6 month transition period ends.

Appellants and the government disagree, however, regarding the mootness of the final relief requested after November 29: an injunction that would require the government to end the telephone metadata program and purge records collected unlawfully.  Appellants argue that the government intends to retain the records “indefinitely,” and are under no outside obligation to purge them, and thus that their claims for relief will not become moot on November 29.  The government argues that the claims will be moot on November 29, because the telephone metadata program will cease at that time, and an order enjoining the telephone metadata program will have no effect.

Further, the government notes that the Office of the Director of National Intelligence has announced that the government will not use § 215 data for law enforcement or investigatory purposes after November 29.  See Statement by the ODNI on Retention of Data Collected Under Section 215 of the USA PATRIOT Act (July 27, 2015).  Additionally, the government states that it will destroy all records as soon as possible after the government’s litigation‐preservation obligations end, id., and thus Appellants’ requests that their information no longer be queried and that their records be purged will also be moot.

[snip]

We do not address whether Appellants’ claims will become moot on November 29, and leave this, and all other remaining questions, to the district court in the first instance.

While I don’t expect much to come of this question either, it is rather awkward that the court has chosen to remand that decision today, of all days.

As it is, the 2nd circuit misses one development in this case, which is that after declaring on July 27 that they were going to keep the data but not use it for law enforcement purposes, the FISC then refused the government’s request to just rubber stamp that decision. So the question of what will happen with the data is still being review at the FISC.

Not only that, but today is also the deadline Michael Mosman set for FISC-appointed amicus Preston Burton to submit his first brief on this question.

So Burton will submit something — there’s no reason to think we’ll get to see all of his brief — without the benefit of knowing that ACLU may still contest whatever he argues for regarding the use of the data past November 29. And of course, one reason the government may need to keep that data past November 29 is because EFF has a protection order that requires they keep it for their lawsuit(s).

That still doesn’t mean anything all that interesting will come of this, but we do have two courts addressing the same question at the same time, without full notice of the other.

The IRS Has Stingrays … But We Knew Stingrays Have Been Used to Chase Tax Fraud

/in /by

The Guardian reports that the IRS is among the federal agencies that has a Stingray.

The Internal Revenue Service is the latest in a growing list of US federal agencies known to have possessed the sophisticated cellphone dragnet equipment known as Stingray, according to documents obtained by the Guardian.

Invoices obtained following a request under the Freedom of Information Act show purchases made in 2009 and 2012 by the federal tax agency with Harris Corporation, one of a number of companies that manufacture the devices. Privacy advocates said the revelation “shows the wide proliferation of this very invasive surveillance technology”.

The 2009 IRS/Harris Corp invoice is mostly redacted under section B(4) of the Freedom of Information Act, which is intended to protect trade secrets and privileged information. However, an invoice from 2012, which is also partially redacted, reports that the agency spent $65,652 on upgrading a Stingray II to a HailStorm, a more powerful version of the same device, as well as $6,000 on training from Harris Corporation.

I think it is troubling the IRS has Stingrays.

But it should not be surprising.

After all, the single solitary person we know who was convicted using a Stingray, Daniel Rigmaiden, was busted for tax fraud in 2008. Here’s the WSJ’s description of how the government used a Stingray to spy on Rigmaiden without a warrant.

Federal investigators say they pursued Mr. Rigmaiden “through a virtual labyrinth of twists and turns.” Eventually, they say they linked Mr. Rigmaiden to use of a mobile-broadband card, a device that lets a computer connect to the Internet through a cellphone network.

Investigators obtained court orders to track the broadband card. Both orders remain sealed, but portions of them have been quoted by the defense and the prosecution.

These two documents are central to the clash in the Arizona courtroom. One authorizes a “pen register” and clearly isn’t a search warrant. The other document is more complex. The prosecution says it is a type of search warrant and that a finding of probable cause was made.

But the defense argues that it can’t be a proper search warrant, because among other things it allowed investigators to delete all the tracking data collected, rather than reporting back to the judge.

[snip]

In the Rigmaiden example, investigators used the stingray to narrow down the location of the broadband card. Then they went to the apartment complex’s office and learned that one resident had used a false ID and a fake tax return on the renter’s application, according to court documents.

Based on that evidence, they obtained a search warrant for the apartment. They found the broadband card connected to a computer.

Indeed, much of what we know about Stingrays comes from Rigmaiden’s years-long effort to demand details of how they used the Stingray to find him, and since he got released for time served, he has continued his efforts to uncover how they’ve been used.

What’s interesting about the Guardian report, then, is that the IRS itself owned a Stingray, which they were updating in 2009 and 2012, even as the government was being exposed for improperly using Stingrays without a warrant to prosecute tax fraud. Reports on Rigmaiden had suggested an FBI Stingray was used to catch him — and that may well be the case — but we now learn that they owned one before 2009 (so early enough to capture him with, presumably).

In Rigmaiden’s case, IRS was clearly partnering with FBI, so could have (and may have) used their Stingray. That would seem to be the case for all proper uses of the technology. So, among all the other things we should demand on Stingray use, one of them should be to limit their use to the FBI, which will increase the likelihood they’ll get properly noticed in any prosecution.