Michael Mosman’s Deadlines Raise (More) Questions about the FISC Advocate

In the series of letters purporting to speak for “the judiciary,” Director of the Administrative Office of US Courts John Bates and (after Duff replaced him) James Duff expressed concern about how a FISC amicus would affect the timeliness of proceedings before the court. Bates worried that any involvement of an amicus would require even more lead time than the current one week requirement in FISC applications. He also worried that the presumption an amicus (and potentially tech experts) would have access to information might set off disputes with the Executive over whether they could really have it. Duff apparently worried that the perception that an amicus would oppose the government would lead the government to delay in handing over materials to the FISC.

Which is why I’m interested in the briefing order Chief FISC Judge Thomas Hogan, signing for Michael Mosman, issued on Wednesday (see below for a timeline).

Back on September 17, Mosman appointed spook lawyer Preston Burton amicus. As part of that order, he gave the government 4 days to refuse to share information with Burton, but otherwise required Burton receive the application and primary order in this docket.

Pursuant to 50 U.S.C. § 1803(i)(6)(A)(i), the Court has determined that the government’s application (including exhibits and attachments) and the full, unredacted Primary Order in this docket are relevant to the duties of the amicus. By September 22, 2015, or after receiving confirmation from SEPS that the amicus has received the appropriate clearances and access approvals for such materials, whichever is later, the Clerk of the Court shall make these materials available to the amicus.

Yet even after the almost month long delay in deciding to appoint someone and deciding that someone would be Burton, it still took Mosman two weeks after the date when Burton was supposed to have received the relevant information on this issue before setting deadlines. And in setting his deadlines, Mosman has basically left himself only 2 weeks during which time he will have to decide the issue and the government will have to prepare to keep or destroy the data in question (in past data destruction efforts it has taken a fairly long time). That could be particularly problematic if Mosman ends up requiring the government to pull the data from EFF’s clients from the data retained under their protection order.

On November 28, the order authorizing the retention of this data expires.

To be fair, Mosman is definitely making a more concerted effort to comply with the appearance if not the intent of USA F-ReDux’s amicus provision than, say, Dennis Saylor (who blew it off entirely). And there may be aspects of this process — and FISC’s presumed effort to start coming up with a panel of amici by November 29 — that will take more time than future instances down the road.

Still, it’s hard to understand the almost 3 week delay in setting a briefing schedule.

Unless the government slow-walked giving even a spook lawyer not explicitly ordered to represent the interests of privacy approval to receive and then a packet of documents to review.

I suspect this represents a stall by the government, not FISC (though again, the month long delay in deciding to appoint an amicus didn’t help things, and FISC’s thus far 4 month delay in picking amici likely doesn’t help either). But whatever the cause of the delay, it may indicate a reluctance on someone’s part to use the amicus as intended.

Timeline

July 27: ODNI declares that “NSA has determined” that “NSA will allow technical personnel to continue to have access to the historical metadata for an additional three months”

By August 20: Government asks for permission to retain data past November 28 (the government must submit major FISA orders at least a week in advance)

August 27: Mosman approves dragnet order, defers decision on data retention

September 17: Mosman appoints Burton and orders the government to cough up its application and the full order

September 21: Last date by which government can complain about sharing information with Burton

September 22: Date by which Burton must receive application and order

October 7: Mosman sets deadlines

October 29: Deadline for Burton’s first brief

November 6: Deadline for Government response

November 10: Deadline for Burton reply, if any

November 28: Expiration of authorization to retain data

On Same Day Cabinet Decided to Punt on Back Doors, Tim Cook Said NSA Would Stop Asking for Them

The WaPo has an update on the Administration’s debate about whether to push for legislation for back doors. It reports that the Obama Administration decided to punt — and not ask for legislation right now while continuing efforts to cajole companies to back door their own products. WaPo even provided the date that decision was made: October 1.

“The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry,” FBI Director James Comey said at a Senate hearing Thursday of the Homeland Security and Governmental Affairs Committee.

The decision, which essentially maintains the status quo, underscores the bind the administration is in — between resolving competing pressures to help law enforcement and protecting consumer privacy.

[snip]

The decision was made at a Cabinet meeting Oct. 1.

“As the president has said, the United States will work to ensure that malicious actors can be held to account – without weakening our commitment to strong encryption,” National Security Council spokesman Mark Stroh said. “As part of those efforts, we are actively engaged with private companies to ensure they understand the public safety and national security risks that result from malicious actors’ use of their encrypted products and services.”

I’m particularly interested in the date given that’s when Tim Cook gave an interview (see NPR’s excerpts) where he stated fairly clearly the NSA would not ask for back doors, but FBI might.

Apple CEO Tim Cook said he doesn’t think we will hear the U.S. National Security Agency asking for a back door into our iPhones, at least not any more. In an interview on NPR’s All Things Considered on Thursday, Mr. Cook implied that even the FBI is coming around on the need for end-user encryption.

The intelligence community has asked for a back door. They want access into the communications that are going through Apple’s devices. No?

Tim Cook: I don’t think you will hear the [National Security Agency] asking for a back door.

Robert Siegel: The FBI?

Tim Cook: There have been different conversations with the FBI, I think, over time. And I’ve read in the newspapers myself. But my own view is everyone’s coming around to some core tenets. And those core tenets are that encryption is a must in today’s world. And I think everyone is coming around also to recognizing that any back door means a back door for bad guys as well as good guys. And so a back door is a nonstarter. It means we’re all not safe.

When I first read this interview, I was struck by Cook’s certainty about the NSA, compared to his uncertainty about FBI. I wondered at the time whether that certainty meant that the rumored FISC request for a back door was ultimately rejected, which would close off the possibility for NSA for the moment (that would affect FBI, too, but only part of FBI’s requests).

Given the coincidence of these two events — Cook’s stated certainty and the cabinet decision not to pursue back doors right now — I’m all the more curious.

Has FISC secretly told the government it can’t force Apple to back door its products?

Apple’s Transparency Numbers Suggest Claims of Going Dark Overblown

Apple recently released its latest transparency report for the period ending June 30, 2015. By comparing the numbers for two categories with previous reports (2H 2013, 1H 2014, 2H 2014) we can get some sense of how badly Apple’s move to encrypt data has really thwarted law enforcement.

Thus far, the numbers show that “going dark” may be a problem, but nowhere near as big of one as, say, NY’s DA Cy Vance claims.

The easier numbers to understand are the national security orders, presented in the mandated bands.

Since the iPhone 6 was introduced in September 2014, the numbers for orders received have gone up — one band in the second half of 2014, and two more bands in the first half of this year. Curiously, the number of accounts affected hasn’t gone up that much, possibly only tens or a hundred more accounts. And Apple still gets nowhere near the magnitude of requests Yahoo does, which number over 42,000.

Equally curiously, in the last period, Apple clearly received more NatSec orders than accounts affected, which is the reverse of what other companies show (before Apple had appeared close to one-to-one). One thing that might explain this is the quarterly renewal of Pen Register orders for metadata of US persons (which might be counted as 4 requests for each account affected).

In other words, clearly NatSec requests have gone up, proportionally significantly, though Apple remains a tiny target for NatSec requests compared to the bigger PRISM participants.

The law enforcement account requests are harder to understand.

Note, Apple distinguishes between device requests, which are often users seeking help with a stolen iPhone, and account requests, which are requests for either metadata or content associated with an account (and could even include purchase records). The latter are the ones that represent law enforcement trying to get data to investigate a user, and that’s what I’ve laid out here [note, I fully expect to have made some data errors here, and apologize in advance — please let me know what you see!!].

Here, too, Apple has seen a significant increase, of 23%, over the requests it got in the second half of last year. Though, note, the iPhone 6 introduction would not be the only thing that would affect this: so would, probably, the June 2014 Riley Supreme Court decision, which required law enforcement to get a warrant to access cell phones and would also lead law enforcement to ask Apple for data more often.

Interestingly, however, there were fewer accounts implicated in the requests in the last half of the year, suggesting that for some reason law enforcement was submitting requests with a slew of accounts listed for each request. Whereas last year, LE submitted an average of over 6.5 accounts per request, this year they have submitted fewer than 3 accounts per request. This may reflect LE was submitting more identifiers from the same account — who knows?

The percentage of requests where content was obtained has gone up too, from 16% in 2013 to 24% in the first period including the iPhone 6 to 30% last quarter. Indeed, over half the period-on-period increase this period may stem from an increase in content requests (that is, the 107 more requests where content was obtained in the first half of the year, which was a period in which Apple got 183 more requests overall). Still, that number, 107 more successful requests for content this year than the second half of last year, seems totally disproportionate to NYC DA Cy Vance’s claim that the NYPD was unable to access the content in 74 iPhones since the iPhone 6 was established (though note, that might represent 1 request for content from 74 iPhones).

Perhaps the most interesting numbers to compare are the number of times Apple objected (because the agency didn’t have the right kind of legal process or a signed document) and the number of times Apple disclosed no data (which would include all those times Apple successfully objected — which appears to include all those in the first number — as well as those times Apple didn’t have the account, as well as times Apple was unable to hand over the data because a user hadn’t used default iCloud storage for messages). [Update, to put this more simply, the way to find the possible number of requests where encryption prevented Apple from sharing information is to subtract the Apple objected number from the no data number.] In the second half of 2013, Apple did not disclose any data 28.5% of the time. In the first half of this year, Apple did not disclose any data in just 18.6% of requests. Again, there are a lot of reasons why Apple would not turn over any data at all. But in general, cops are getting data more of the time when they give Apple requests than they were a few years ago.

More importantly, for just 65 cases in the first half of this year and 80 cases in the second half of last year did Apple not turn over any data for a request for reasons other than some kind of legal objection — and those numbers are both lower than the two half years preceding them. Each of those requests might represent hundreds of phones, but overall it’s a tiny number. So tiny it’s tough to understand where the NYPD’s 74 locked iPhones fit in (unless they did request data and Apple actually had it).

There’s one more place where unavailable encrypted data might show up in these numbers: in the number of specific accounts for which data was disclosed. But as a percentage, what happened this year is not that different from what happened in 2013. In the second half of 2013, Apple provided some data (and this can be content or metadata) for 57.6% of the accounts specified in requests. In the first half of this year, Apple provided some data for 51.6% of the accounts specified in requests — not that huge a difference. And of course, the second half of last year, which may be an outlier, but during much of which the iPhone 6 was out, Apple provided data for 88.5% of the accounts for which LE asked for data.

Overall, it’s very hard to see where the FBI and other law enforcement agencies are going dark — though they are having to ask Apple for content more often (which I consider a good thing).

Update: In talking to EFF’s Nate Cardozo about Apple’s most recent report, we agreed that Apple’s new category for Emergency Requests may be one other place where iPhone data is handed over (it doesn’t exist in the reports for previous half year periods). Apple defines emergency content this way:

Table 3 shows all the emergency and/or exigent requests that we have received globally. Pursuant to 18 U.S.C. §§ 2702(b)(8) and 2702(c)(4) Apple may voluntarily disclose information, including contents of communications and customer records, to a federal, state, or local governmental entity if Apple believes in good faith that an emergency involving imminent danger of death or serious physical injury to any person requires such disclosure without delay. The number of emergency requests that Apple deemed to be exigent and responded to is detailed in Table 3.

Given the scale of Apple’s other requests, though not in the scale of cloud requests comparatively, these are significant numbers, especially for the US (107) and UK (98).

Of significant note, Apple may give out content under emergency requests.

This is more likely to be a post-Riley response than an encryption response, but still notable given the number.

Someone Tell Bill Nelson Apple Isn’t a Telecom and that Metadata Is Available with Encryption

There were a number of interesting exchanges in the Senate Armed Services Committee on cybersecurity hearing today, which I’ll return to in a bit. But for the moment I wanted to point to this bizarre exchange featuring Bill Nelson.

Nelson: Admiral, I’m concerned about all of these private telecoms that are going to encrypt. If you have encryption of everything, how, in your opinion, does that affect Section 702 and 215 collection programs?

Rogers: It certainly makes it more difficult.

Nelson: Does the Administration have a policy position on this?

Rogers: No. I think we’re still — I mean, we’re the first to acknowledge this is an incredibly complicated issue, with a lot of very valid perspectives. And we’re still, I think, collectively trying to work through what’s the right way ahead, here, recognizing that there’s a lot of very valid perspectives but from the perspective as CyberCommand and NSA as I look at this issue, there’s a huge challenge here that we have got to deal with.

Nelson: A huge challenge? And I have a policy position. And that is that the telecoms better cooperate with the United States government or else … it just magnifies the ability for the bad guys to utilize the Internet to achieve their purposes.

Bill Nelson is apparently very upset by the increasing use of encryption, but seems to believe Apple — which is at the center of these discussions — is a telecom. I’m happy to consider Apple a “phone company,” given that iMessage messages would go through the Internet and Apple rather than cell providers, and I think the IC increasingly thinks of Apple as a phone company. But it’s not a telecom, which is a different legal category.

He also believes that Apple’s encryption would hurt NSA’s Section 215 collection program. And NSA Director Mike Rogers appears to agree!

It shouldn’t. While Apple’s use of encryption will make it harder to get iMessage content, the metadata should still be available. So I’m rather curious why it is that Rogers agreed with Nelson?

In any case, Nelson doesn’t seem very interested in why Rogers immediately noted how complicated this question is — this is, after all, a hearing on cybersecurity and we know the Administration admits that more widespread encryption actually helps cybersecurity (especially since sophisticated hackers will be able to use other available encryption methods).

But I am intrigued that Rogers didn’t correct Nelson’s assertion that encryption would hurt the Section 215 program.

Update: This, from Apple’s transparency report, is one more reason Rogers’ agreement that encryption creates problems for the Section 215 program is so curious.

To date, Apple has not received any orders for bulk data.

Preston Burton Was Not Necessarily Appointed to Represent Privacy Interests; Was He Appointed to Undercut EFF?

In my post on Michael Mosman’s appointment of Preston Burton as an amicus to decide whether NSA should be permitted to keep bulk telephony data collected under section 215 past November 28, 2015 I noted he was appointed pursuant to provisions of USA F-ReDux. But I want to correct something: Burton was not — at least not necessarily — appointed to protect civil liberties and privacy.

In his order appointing Burton, here’s how Mosman cited USA F-ReDux.

This appointment is made pursuant to section 103(i)(2)(B) of the Foreign Intelligence Surveillance Act (“FISA”), codified at 50 U.S.C. § 1803(i)(2)(B), as most recently amended by the USA FREEDOM Act, Pub. L. No. 114-23, 129 Stat. 268, 272 (2015).

[snip]

By the terms of 50 U.S.C. § 1803(i)(2)(A), the Court “shall appoint” to serve as amicus curiae an individual who has been designated as eligible for such service under section 1803(i)(1) “to assist … in the consideration of any application for an order or review that, in the opinion of the court, presents a novel or significant interpretation of the law, unless the court issues a finding that such appointment is not appropriate.” Under section 1803(i)(1), the presiding judges of the Foreign Intelligence Surveillance Court and the Foreign Intelligence Surveillance Court of Review have until November 29, 2015, to jointly designate individuals to serve as amici under section 1803(i)(1). To date, no such designations have been made. Under present circumstances, therefore, the appointment of such an individual “is not appropriate” under section 1803(i)(2)(A), because, as of yet, there are no designated individuals who can serve.

Section 1803(i)(2)(B) provides that the Court “may appoint an individual or organization to serve as amicus curiae … in any instance as such court deems appropriate.” Persons appointed under this provision need not have been designated under section 1803(i)(1). Pursuant to section 1803(i)(3)(B), however, they must “be persons who are determined to be eligible for access to classified information, if such access is necessary to participate in the matters in which they may be appointed.”

Here, the Court finds it appropriate to appoint Preston Burton as amicus curiae under section 1803(i)(2)(B). Mr. Burton is well qualified to assist the Court in considering the issue specified herein. The Security and Emergency Planning Staff (SEPS) of the Department of Justice has advised that he is eligible for access to classified information.

Effectively, he points to the new language on amicus curiae as “codifying” the authority FISC already had (and has already used, when permitting Center for National Security Studies to file an amicus on phone dragnet orders and tech companies to submit amici briefs in discussions about transparency, though the latter was dismissed before the court considered those briefs, not to mention FISCR’s permission of ACLU and NACDL to submit briefs in In Re Sealed Case in 2002).

He then notes that he cannot appoint one of the 5 selected amici set up to consider “novel or significant interpretation of law” because FISC hasn’t gotten around to appointing those 5 people yet (they have until early December to do so and seem to be taking their time).

He then points to a second means of appointing an amicus — 1803(i)(2)(B) — which says the court “may” appoint an amicus “in any instance as such court deems appropriate or, upon motion, permit an individual or organization leave to file an amicus curiae brief,” as his basis for appointing Burton.

Mosman doesn’t explain why he “finds it appropriate” to appoint an amicus here, unlike when he deemed FreedomWorks an amicus addressing the issue of whether USA F-ReDux restored the phone dragnet to its prior state and therefore justified another phone dragnet order. This is what he said in that instance.

The Court finds that the government’s application “presents a novel or significant interpretation of the law” within the meaning of section 103(i)(2)(A). Because, understandably, no one has yet been designated as eligible to be appointed as an amicus curiae under section 103(i)(2)(A), appointment under that provision is not appropriate. Instead, the Court has chosen to appoint the Movants as amici curiae under section 103(i)(2)(B) for the limited purpose of presenting their legal arguments as stated in the Motion in Opposition and subsequent submissions to date.

Nor does Mosman explain what, in particular, qualifies Burton to serve as amicus here, which might provide some insight as to why he decided it appropriate to appoint an amicus at all. He just says he’s qualified and is eligible for access to classified information. Even under the appointed amici, FISC can appoint someone for reasons other than privacy, and that’s all the more true for this optional appointment.

So reports — including by me! — that Burton would represent the interests of civil liberties may not be correct. For all we know, he could be representing the interests of the spies or DC Madams.

I find Mosman’s silence on his appointment of Burton interesting for two reasons.

First, the genesis of this entire request and deferral is unclear. Back in July — after it had gotten its first post-USA F-ReDux order, and a month before this current one was approved — ODNI issued a statement out of the blue asserting they could keep the data.

On June 29, 2015, the Foreign Intelligence Surveillance Court approved the Government’s application to resume the Section 215 bulk telephony metadata program pursuant to the USA FREEDOM Act’s 180-day transition provision. As part of our effort to transition to the new authority, we have evaluated whether NSA should maintain access to the historical metadata after the conclusion of that 180-day period.

NSA has determined that analytic access to that historical metadata collected under Section 215 (any data collected before November 29, 2015) will cease on November 29, 2015. However, solely for data integrity purposes to verify the records produced under the new targeted production authorized by the USA FREEDOM Act, NSA will allow technical personnel to continue to have access to the historical metadata for an additional three months.

Separately, NSA remains under a continuing legal obligation to preserve its bulk 215 telephony metadata collection until civil litigation regarding the program is resolved, or the relevant courts relieve NSA of such obligations. The telephony metadata preserved solely because of preservation obligations in pending civil litigation will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata upon expiration of its litigation preservation obligations.

When that second dragnet order came out in August, I noticed NSA had applied for authority to keep the data, but that Mosman had deferred his answer to whether they could.

The Application requests authority for the Government to retain BR metadata after November 28, 2015, in accordance with the Opinion and Order of this Court issued on March 12, 2014 in docket number BR 14-01, and subject to the conditions stated therein, including the requirement to notify this Court of any material developments in civil litigation pertaining to such BR metadata. The Application also requests authority, for a period ending on February 29, 2016 for appropriately trained and authorized technical personnel (described in subparagraph B. above) to access BR metadata to verify the completeness and accuracy of call detail records produced under the targeted production orders authorized by the USA FREEDOM Act. The Court is taking these requests under advisement and will address them in a subsequent order or orders. Accordingly, this Primary Order does not authorize the retention and use of BR metadata beyond November 28, 2015.

So for some reason, ODNI was asserting they were going to keep the data before they had asked whether they could — or perhaps when ODNI made that assertion someone at DOJ or in FISC realized they needed to ask permission first. I have asked ODNI for an explanation on this. Update: ODNI General Counsel Bob Litt didn’t exactly explain the timing, but did say “No one ever had any doubt that we would have to ask the court” for permission to keep this data.

But I also find Mosman’s silence about why he appointed Burton curious given that the FISC judge clearly thinks both retention issues — whether the data should be retained under EFF’s protection order issued in NDCA, and whether the data can be retained for 3 months after expiration of the 6 month extension for technical verification — are at issue.

That’s because there’s a far more qualified potential amicus to address the EFF retention issue: EFF. Indeed, Jon Eisenberg, who argued the al-Haramain suit, is a Special Counsel associated with EFF, and he either still has or is qualified to have a Top Secret clearance, and still gets classified documents in Gitmo detainee suits. Particularly given DOJ’s serial failure to accurately represent the nature of EFF’s suit (post one, post two, post three), and DOJ’s failure to notice Reggie Walton (to say nothing of Yahoo itself) of all issues relevant to Yahoo’s challenge of Protect America Act, it would be far better to have someone who has worked on these issues already and who at least has an association with EFF to weigh in, because the FISC is going to get a far better idea of the issues involved, including the stakes for privacy. So why did Mosman appoint a less qualified amicus to address this issue?

Luckily, in deeming FreedomWorks an appropriate amicus in June, Mosman has demonstrated a willingness to appoint amici for the other reason permitted under 103(i)(2)(B), because an organization asks for leave to file one. So maybe EFF should ask! I’ve asked EFF if they will respond to this appointment, but have not received an answer.

The big question, in that situation, would be whether EFF would be given the same information he has already promised to Burton, which includes the application to the court. Again, given DOJ’s serial misinformation of the court on the EFF request, it would sure be interesting to see what representations it made in that application.

Q: Whose Secrets Are More Sensitive than the DC Madam’s? A: NSA’s.

On September 17, FISC Judge Michael Mosman appointed the first known amicus under the terms laid out in USA F-ReDux; notice of which got posted yesterday (Mosman could have done so before USA F-ReDux, of course, but he did cite the statute in making the appointment). The question this amicus will help him determine is whether FISC should permit the government to retain bulk collected data past November 28, when the six month extension of the program ends. The government wants to retain the data it is collecting today for three months to make sure the new dragnet program collects the same data as the last one. But the data in question also includes data being held under an old protection order renewed last year as part of EFF’s suits against government dragnets; I suspect that data would show the extent to which one of the plaintiffs in EFF’s First Unitarian Church suit was dragnetted, and as such is critical to showing injury in that suit.

Mosman had deferred the decision on whether or not to let the government keep that data when he signed the August 28 dragnet order.

So who is the lawyer who will represent the interests of civil liberties and privacy in this question? [Update: In this post, I note Mosman may not have appointed Burton to represent privacy at all.]

White collar defense attorney Preston Burton. In addition to Russian moles Aldrich Ames and Robert Hanssen, Burton represented Monica Lewinsky and the DC Madam, Deborah Jeane Palfrey.

Burton is, undoubtedly, an excellent lawyer. And his experience representing the biggest spies of the last several decades surely qualifies him to work with the phone dragnet data, including data that probably shows NSA mapped out an entire civil liberties’ organization’s structure using the phone dragnet 5 years ago. Though given this description, it’s not clear Burton would learn of that information from the government’s application, which is what he’ll get.

Pursuant to 50 U.S.C. § 1803(i)(6)(A)(i), the Court has determined that the government’s application (including exhibits and attachments) and the full, unredacted Primary Order in this docket are relevant to the duties of the amicus. By September 22, 2015, or after receiving confirmation from SEPS that the amicus has received the appropriate clearances and access approvals for such materials, whichever is later, the Clerk of the Court shall make these materials available to the amicus.

Moreover, remember the government can claim privilege over this data and not share it with Burton. Mosman even invited the government to tell the Court sharing information with Burton was not consistent with national security (though he set a deadline for doing so for September 21, so I assume they did not complain).

But it’s entirely unclear to me why Burton would be picked to represent the privacy interests of Americans, including those whose First Amendment rights had been violated under this program, in deciding whether to keep or destroy this data. Mosman made no mention of those interests when he explained his choice.

Mr. Burton is well qualified to assist the Court in considering the issue specified herein. The Security and Emergency Planning Staff (SEPS) of the Department of Justice has advised that he is eligible for access to classified information.

Which is why I take this to be one more in the series of Burton’s famous clients, in which discretion about DC’s secrets is the most important factor.

Delusional DOJ Claims Documents Declassified, Released Under FOIA Not Declassified, Not Authentic

Back in March, NYT’s Charlie Savage sued to get the NSA to respond to a FOIA request asking for “copies of — and declassification review of, as necessary” a bunch of things, including IG reports on “bulk phone records collection activities under Section 215 of the PATRIOT Act.”

In late August, they delivered an installment of their response to that suit to him including a series of IG Reports on the 215 program. Among other things, the FOIA response included an August 2, 2010 letter to FISC Judge John Bates referring to a compliance violation in Docket BR 10-10 (the order is dated February 26, 2010). In referring to the caption of that docket (and the caption redactions in other dockets are consistent in size), it named Verizon Wireless.

As I pointed out at the time, this provides Larry Klayman and other Verizon Wireless subscribers challenging the phone dragnet a basis to establish standing to sue. While in the Klayman suit, Judge Richard Leon invited Klayman just to add a plaintiff who subscribed to Verizon Business Services, in Northern CA, EFF requested the 9th Circuit take judicial notice of the document.

So now DOJ has gone a bit batshit. (Josh Gerstein first reported on this here.) It mocks that EFF head Cindy Cohn “apparently believes” it fair to conclude Verizon Wireless took part in the phone dragnet because of a reference to “a company name that includes the term ‘Verizon Wireless’ in the caption of a purported FISC filing” that happens to govern the entire phone dragnet. It suggests the accuracy of the document DOJ gave to Savage can be reasonably questioned, apparently disputing its own FOIA response to Savage. And it bitches that EFF “does not contend that this document was declassified,” even though it was given to Savage pursuant to his request for “declassification review [] as necessary.”

In short, in an effort to argue the document doesn’t say what it says (which may, I admit, not mean what it says, but such is the wackiness of the secret FISA Court and the secret phone dragnet), DOJ is saying that DOJ didn’t provide Charlie Savage authentic, declassified documents like he sued to get. DOJ uses words like “purported” to describe DOJ’s own FOIA response.

I mean, I’ll grant you, those of us outside DOJ often doubt the accuracy of their FOIA responses to us. But usually DOJ at least pretends they’re giving us authentic documents.

DOJ Threatens to Invoke State Secrets Over Something Released in FOIA

In a hearing today, Judge Richard Leon said that Larry Klayman could pursue his dragnet challenge by adding a plaintiff who did business with Verizon Business Services. But as part of Klayman’s effort, he noted — weakly — that evidence got released showing Verizon Wireless was included in the dragnet. Klayman cited just the Charlie Savage article, not the document released under FOIA showing VZ Wireless on a FISC caption (though I presume his underlying 49 page exhibit includes the actual report — just not necessarily with the passage in question highlighted).

It was disclosed on August 12, 2015 by Charlie Savage of The New York Times that Verizon Wireless, as this Court had already ruled in its Order of December 16, 2013, at all material times was conducting and continuing to conduct unconstitutional and illegal dragnet “almost Orwellian” surveillance on Plaintiffs and millions of other American citizens. See Exhibit 1, which is a Government document evidencing this, incorporated herein by reference, and see Exhibit 2, the New York Times article.

Moreover, Klayman surely overstated what the inclusion of VZ Wireless in a phone dragnet Primary Order caption from 2010 showed. Which probably explains why DOJ said “The government has not admitted in any way, shape, or form that Verizon Wireless participated” in the Section 215 phone dragnet, according to Devlin Barrett.

The point is, they should have to explain why it is that, according to a document they’ve released, VZ Wireless was targeted under the program. Perhaps we’ll get that in Northern California, where EFF very competently pointed to what evidence there was.

Which is why the government’s threat to invoke state secrets was so interesting.

The Court should avoid discovery or other proceedings that would unnecessarily implicate classified national-security information, and the potential need to assert and resolve a claim of the state secrets privilege: Plaintiffs’ proposed amendments, in particular their new allegations regarding the asserted participation of Verizon Wireless in the Section 215 program, implicate matters of a classified nature. The Government has acknowledged that the program involves collection of data from multiple telecommunications service providers, and that VBNS (allegedly the Little Plaintiffs’ provider) was the recipient of a now-expired April 25, 2013, FISC Secondary Order. But otherwise the identities of the carriers participating in the program, now, or at any other time, remain classified for reasons of national security. See Klayman, 2015 WL 5058403, at *6 (Williams, S.J.).

At this time the Government Defendants do not believe that it would be necessary to assert the state secrets privilege to respond to a motion by Plaintiffs for expedited injunctive relief that is based on the allegations of the Little Plaintiffs, or even the proposed new allegations (and exhibit) regarding Verizon Wireless. Nor should it be necessary to permit discovery into matters that would risk or require the disclosure of classified national-security information and thus precipitate the need to assert the state secrets privilege. Nevertheless, if Plaintiffs were permitted to seek discovery on the question of whether Verizon Wireless is now or ever has been a participating provider in the Section 215 program, the discovery sought could call for the disclosure of classified national-security information, in which case the Government would have to consider whether to assert the state secrets privilege over that information.

As the Supreme Court has advised, the state secrets privilege “is not to be lightly invoked.” United States v. Reynolds, 345 U.S. 1, 7 (1953). “To invoke the . . . privilege, a formal claim of privilege must be lodged by the head of the department which has control over the matter after actual personal consideration by that officer.” Id. at 7-8. To defend an assertion of the privilege in court also requires the personal approval of the Attorney General. Policies and Procedures Governing Invocation of the State Secrets Privilege at 1-3, http://www.justice.gov/opa/documents/state-secret-privileges.pdf. The Government should not be forced to make so important a decision as whether or not to assert the state secrets privilege in circumstances where the challenged program is winding down and will end in a matter of weeks. Moreover, discovery into national-security information should be unnecessary to the extent the standing of the newly added Little Plaintiffs, and the appropriateness of injunctive relief, may be litigated without resort to such information.

If, however, discovery into national-security information is permitted, the Government must be allowed sufficient time to give the decision whether to assert the state secrets privilege the serious consideration it requires. And if a decision to assert the privilege is made, the Government must also be given adequate time to prepare the senior-level declarations and other materials needed to support the claim of privilege, to ensure that the national security interests at stake are appropriately protected. See, e.g., Mohamed v. Jeppesen Dataplan, Inc., 614 F.3d 1070, 1077, 1090 (9th Cir. 2009).

I think it’s quite possible that VZW was not turning over phone records under the Section 215 program in 2010 (which is quite another matter than suggesting NSA was not obtaining a great deal, if not most, of VZW phone records generally). I believe it quite likely NSA obtained some VZW records under Section 215 during the 2010 period.

But I also believe explaining the distinctions between those issues would be very illuminating.

Meanwhile, the threat of stalling, with all the attendant rigamarole, served to scare Leon — he wants this to move quickly as badly as Klayman does. After all, Leon will have much less ability to issue a ruling that will stand after November 28, when the current dragnet dies.

We shall see what happens in CA when DOJ attempts to make a similar argument.

Transcribing James Clapper

Hamid Karzai refused to meet with Obama during a surprise visit just after MYSTIC disclosures, so Obama called from Air Force One instead.

Yesterday, during the Q&A to his speech at INSA (which is where defense and intelligence contractors huddle with government paymasters), James Clapper conceded that Edward Snowden brought needed transparency but had also damaged operations. Rather than obliquely pointing to the exposure that Skype was no longer safe from surveillance, as he and his ilk normally do, Clapper pointed to what he claimed was a concrete example: what journalists have reported as revelations about full take cell phone content (SOMALGET or MYSTIC) leading to loss of access in Afghanistan.

After Clapper made the claim, a lot of reporters did what reporters do: they transcribed his comments uncritically. Lots of journalists did this, but here’s WaPo’s version from Ellen Nakashima:

One of the disclosures based on documents leaked by Edward Snowden, the former National Security Agency contractor, prompted the shutdown of a key intelligence program in Afghanistan, the nation’s top spy said Wednesday.

“It was the single most important source of force protection and warning for our people in Afghanistan,” Director of National Intelligence James R. Clapper Jr. said at an intelligence conference.

He was addressing a question about the impact of revelations by Snowden, whose leaks led to a global debate about the proper scope of U.S. surveillance at home and abroad.

Nakashima and other reporters assumed Clapper meant the MYSTIC/SOMALGET program, which Nakashima noted the WaPo first described (on March 18, 2014), followed by The Intercept two months later (on May 19, 2014), followed by WikiLeaks revealing Afghanistan as the target country several days later (on May 23, 2014). [Update: Note Cryptome correctly determined Afghanistan was the country on May 19, the day the Intercept published.]

Having laid all that out, however, Nakashima doesn’t quote the part of Clapper’s answer that would either discredit his description or reveal it’s something else. Here’s Ars Technica’s transcription of that part of it.

And programs that had a real impact on the security of American forces overseas, including one program in Afghanistan, “which he exposed and Glenn Greenwald wrote about, and the day after he wrote about it, the program was shut down by the government of Afghanistan,” Clapper noted.

If it’s the MYSTIC/SOMALGET program Clapper was really talking about, then his claim is self-refuting. Because either folks in Afghanistan recognized the program themselves back when WaPo wrote about it in March 2014, or they probably didn’t until WikiLeaks confirmed they were the target. It wouldn’t have been Greenwald’s story, in which he withheld the information the government requested in any case.

For the moment, I’m going to assume that was the program, but let’s remember it might not be.

If so, consider what Clapper has done. As I mentioned, normally when people want to beat up Snowden, they point to his disclosure NSA had compromised Skype. But they never confirm that — they just mention it obliquely. Here, Clapper has confirmed the thing (actually just one of the things) that NSA had asked Greenwald to withhold. Given how vague WikiLeaks was about how they knew (after all, they’re not known to have the Snowden documents themselves), if this is MYSTIC/SOMALGET it seems that Clapper has definitively confirmed something that was at least of unknown provenance before.

Although, for reasons of source protection we cannot disclose how, WikiLeaks has confirmed that the identity of victim state is Afghanistan.

In other words, Clapper has confirmed something that hadn’t been confirmed before, precisely because the journalists involved had deferred to the government’s request not to publish it.

Or did he?

Clapper claimed “the program was shut down by the government of Afghanistan.”

Admittedly, the MYSTIC/SOMALGET disclosures came at an awkward time for US-Afghan relations. Hamid Karzai had been pushing back against night raids, prisoner transfers, and CIA militias. In part because the US wouldn’t cede Afghan sovereignty on such issues, Karzai was refusing to sign the Bilateral Security Agreement (raising the same kind of SOFA negotiation problems that forced us to withdraw troops from Iraq). Throughout this two month period, the election and run-off were going on.

So the disclosure that the US had compromised Afghanistan’s entire cell phone system — and implicitly, had copies of every cell call that Karzai and his potential replacements might make — would surely anger the Afghans, especially Karzai. Notably, two days after the WikiLeaks disclosure, Karzai refused to meet when President Obama made a surprise visit to the country on May 25, so (as shown by the White House image above) Obama called him from Air Force One instead.

But if that’s the case — if Afghanistan forced the US to shut down the full-take collection of cell phone content even as Obama was making surprise last minute visits (which may even have been an attempt to convince Karzai to reverse that decision) — then the fault lies not just, or even primarily, with Snowden. It lies with a long history of US refusal to cede to Afghanistan’s demands for some kind of functional sovereignty. This telecom disclosure may have been one more in a series of aggravations, but it was by no means the only one. Moreover, given that President Ghani’s relationship with the US is, thus far at least, far better than Karzai’s was at the time, it’s quite possible he has permitted the US to resume full-take collection.

James Clapper would be a lot more likely to confirm that Afghanistan had shut down NSA’s full-take collection if it had been resumed again under Karzai’s successor. Not least, because it would provide adversaries with false confidence the NSA didn’t have full take coverage.

Now consider this description of the Bahamian fallout from the equivalent disclosure. It shows that two parties were involved — the country’s telecom as well as the government. Indeed, all stories on this make it clear telecom providers are centrally involved in the collection program.

Moreover, the Intercept version of the story makes it quite clear they withheld not just the target country, but also the provider at the center of it.

The NSA documents don’t specify who is providing access in the Bahamas. But they do describe SOMALGET as an “umbrella term” for systems provided by a private firm, which is described elsewhere in the documents as a “MYSTIC access provider.” (The documents don’t name the firm, but rather refer to a cover name that The Intercept has agreed not to publish in response to a specific, credible concern that doing so could lead to violence.) Communications experts consulted by The Intercept say the descriptions in the documents suggest a company able to install lawful intercept equipment on phone networks.

And they withheld it for the same reason, because revealing it would lead to violence. That provider name has not been made public (though for a variety of reasons I think that’s the key secret here). Shutting down the system would have to involve, at a minimum, the Afghan government, this provider, plus Afghanistan’s multiple cell providers.

There are more reasons to believe Clapper’s story is bullshit. From the 2005 STELLAR WIND disclosures, which revealed the US was collecting all US-Afghanistan calls, to reports as early as 2008 that the Taliban were targeting cell providers because they recognized the security risk the networks posed, there is zero chance our adversaries in Afghanistan were unaware that the US had close to full dominance over the communications lines. There were also earlier Snowden disclosures — including Tempora, XKeyscore, and what sounded like transcripts obtained using a Stingray from an Afghan raid — that would have confirmed that view. The US is collecting close to everything from most countries where it remains at war, via a variety of overlapping means. There’s little about this disclosure in particular that added to the risk — but then, our adversaries had long been learning of our tactics and adjusting accordingly.

There is, then, the possibility it was one of these other disclosures Clapper was whining about — such as the potential Stingray one.

But if Clapper was talking about SOMALGET, and if it is true that the full-take collection got shut down, it means he and the government are blaming Snowden for long-term mismanagement of the Afghan relationship. It also may well mean that Ghani has let the US resume collection and Clapper’s public “confirmation” was designed — in addition to launching some unwarranted shots at Edward Snowden — to create the false impression the collection remains inactive.

James Clapper is a confirmed liar. Even setting aside his lies to Congress, it is his job to lie to adversaries. While that doesn’t mean journalists shouldn’t report what he says, there’s a great deal of context that should accompany such transcriptions.

Stingrays and Public Safety Operations

In my piece on the loopholes in the new Stingray policy, I noted that public safety applications for Stingray use might fall under what the policy calls the “exceptional circumstances” that aren’t exigent but nevertheless don’t require a warrant.

I’m not sure whether the exigent/emergency use incorporates the public safety applications mentioned in the non-disclosure agreements localities sign with the FBI, or if that’s included in this oblique passage.

There may also be other circumstances in which, although exigent circumstances do not exist, the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. In such cases, which we expect to be very limited, agents must first obtain approval from executive-level personnel at the agency’s headquarters and the relevant U.S. Attorney, and then from a Criminal Division DAAG. The Criminal Division shall keep track of the number of times the use of a cell-site simulator is approved under this subsection, as well as the circumstances underlying each such use.

In short, many, if not most, known uses are included in exceptions to the new policy.

We know there are public safety applications, because they are permitted even to localities by FBI’s Non-Disclosure Agreements.

I suspect these uses are for public events to both track the presence of known targets and to collect who was present in case of any terrorist event or other serious disruption. Indeed, for a lot of reasons — notably the odd testimony of FBI’s telecom forensics witness, the way FBI’s witnesses were bracketed off from investigators, and some oddness about when and how they found the brothers’ phones (and therefore the brothers) — I suspect someone was running Stingrays at the Boston Marathon. A Stingray (or many) may be deployed at public events to help protect them (assuming, of course, the terrorists that attack such an event aren’t narcs for the DEA, as people have speculated Tamerlan Tsarnaev was).

Newsweek asked DOJ whether that exceptional circumstances paragraph covered the use of Stingrays in public places included in a policy released by the FBI in December and they confirmed it does (here’s my post on the December release, which anticipates all the loopholes in the policy I IDed the other day).

In December 2014, the FBI, which falls under Justice Department’s new policy, explained to members of Congress the situations in which it does not need a warrant to deploy the technology. They include: “(1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.”

Newsweek reached out to the Justice Department to determine whether its new policy allows the FBI to continue using stingrays without warrants in public places. In short, it does, fitting within the policy’s “exceptional circumstances” category.

“If somebody is in a public park, that is a public space,” Patrick Rodenbush, a Justice Department spokesman, says as an example, adding the condition that “circumstances on the ground make obtaining a warrant impracticable,” though he did not elaborate on what “impracticable” entails. But the dragnet nature of stingray collection means cellphone data of a person sitting in a nearby house may be picked up as well. “That’s why we have the deletion policy that we do,” Rodenbush responds. “In some cases it’s every day that [bystander information] is deleted, it depends what they are using it for.… In some cases it is a maximum of 30 days.”

He adds: “The circumstances under which this exception will be granted will be very limited. Agents operating under this exception are still required to obtain a court order pursuant to the Pen Register Statute, and comply with the policy’s requirements to obtain senior-level department approval.”

Equally important as admitting that DOJ will use this in public places (like big sporting events) is Rodenbush’s confirmation that DOJ will obtain only Pen Registers for these uses.

That means they’ll virtually never get noticed to defendants, because the government will claim the evidence did not get introduced in court (just as no evidence collected from a Stingray was introduced, if they were used, in Dzhokhar’s case; in Dzhokhar’s case there was always another GPS device that showed his location).

The more I review this new policy and the December one the more I’m convinced they change almost nothing except the notice to the judge and the minimization (both still important improvements), except insofar as they recreate ignorance of Stingray use precisely in cases like public safety operations.