Stingrays and Public Safety Operations

In my piece on the loopholes in the new Stingray policy, I noted that public safety applications for Stingray use might fall under what the policy calls the “exceptional circumstances” that aren’t exigent but nevertheless don’t require a warrant.

I’m not sure whether the exigent/emergency use incorporates the public safety applications mentioned in the non-disclosure agreements localities sign with the FBI, or if that’s included in this oblique passage.

There may also be other circumstances in which, although exigent circumstances do not exist, the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. In such cases, which we expect to be very limited, agents must first obtain approval from executive-level personnel at the agency’s headquarters and the relevant U.S. Attorney, and then from a Criminal Division DAAG. The Criminal Division shall keep track of the number of times the use of a cell-site simulator is approved under this subsection, as well as the circumstances underlying each such use.

In short, many, if not most, known uses are included in exceptions to the new policy.

We know there are public safety applications, because they are permitted even to localities by FBI’s Non-Disclosure Agreements.


I suspect these uses are for public events to both track the presence of known targets and to collect who was present in case of any terrorist event or other serious disruption. Indeed, for a lot of reasons — notably the odd testimony of FBI’s telecom forensics witness, the way FBI’s witnesses were bracketed off from investigators, and some oddness about when and how they found the brothers’ phones (and therefore the brothers) — I suspect someone was running Stingrays at the Boston Marathon. A Stingray (or many) deployed at public events to help protect them (assuming, of course, the terrorists that attack such an event aren’t narcs for the DEA, as people have speculated Tamerlan Tsarnaev was).

Newsweek asked DOJ whether that exceptional circumstances paragraph covered the use of Stingrays in public places included in a policy released by the FBI in December and they confirmed it does (here’s my post on the December release, which anticipates all the loopholes in the policy I IDed the other day).

In December 2014, the FBI, which falls under Justice Department’s new policy, explained to members of Congress the situations in which it does not need a warrant to deploy the technology. They include: “(1) cases that pose an imminent danger to public safety, (2) cases that involve a fugitive, or (3) cases in which the technology is used in public places or other locations at which the FBI deems there is no reasonable expectation of privacy.”

Newsweek reached out to the Justice Department to determine whether its new policy allows the FBI to continue using stingrays without warrants in public places. In short, it does, fitting within the policy’s “exceptional circumstances” category.

“If somebody is in a public park, that is a public space,” Patrick Rodenbush, a Justice Department spokesman, says as an example, adding the condition that “circumstances on the ground make obtaining a warrant impracticable,” though he did not elaborate on what “impracticable” entails. But the dragnet nature of stingray collection means cellphone data of a person sitting in a nearby house may be picked up as well. “That’s why we have the deletion policy that we do,” Rodenbush responds. “In some cases it’s everyday that [bystander information] is deleted, it depends what they are using it for.… In some cases it is a maximum of 30 days.”

He adds: “The circumstances under which this exception will be granted will be very limited. Agents operating under this exception are still required to obtain a court order pursuant to the Pen Register Statute, and comply with the policy’s requirements to obtain senior-level department approval.”

Equally important as admitting that DOJ will use this in public places (like big sporting events) is Rodenbush’s confirmation that DOJ will obtain only Pen Registers for these uses.

That means they’ll virtually never get noticed to defendants, because the government will claim the evidence did not get introduced in court (just as no evidence collected from a Stingray was introduced, if they were used, in Dzhokhar’s case; in Dzhokhar’s case there was always another GPS device that showed his location).

The more I review this new policy and the December one the more I’m convinced they change almost nothing except the notice to the judge and the minimization (both still important improvements), except insofar as they recreate ignorance of Stingray use precisely in cases like public safety operations.

 

Did FBI Use Katrina as an Excuse for DIY Location Collection?

[Figure: FISA PRTT bar graph]

Last week, Muckrock’s Shawn Musgrave wrote a piece showing that, in the wake of Katrina and a slew of other 2005 hurricanes, in 2006 FBI’s Wireless Intercept and Tracking Team said they needed more equipment from Harris Corporation, the maker of Stingrays. They justified it because the hurricanes degraded the capabilities of something, which remains redacted. But as Musgrave notes, the storms took out a lot of the telecom infrastructure, which may be what the redacted passages describe.

“In the summer of 2005, the U.S. Gulf Coast bore the brunt of several hurricanes, including Hurricane Katrina which severely degraded the capabilities of the [redacted],” the memo reads in part. Subsequent, heavily redacted sentences suggest that the storm crippled the FBI’s capacity to conduct certain types of cell phone tracking operations via equipment on-hand at the time of landfall.

[snip]

Hurricane Katrina incapacitated wide swaths of telecommunications infrastructure along the Gulf Coast, including thousands of cell phone towers. Power outages also meant many people were unable to recharge their mobile devices. It’s thus unclear which Harris Corporation product the FBI’s cell phone tracking team identified as a critical solution.

In other words, it appears that almost a year after Katrina, the FBI used the 2005 damage to telecom infrastructure as justification for getting an urgent purchase of Harris equipment, possibly Stingrays, approved.

I find the timing curious. After all, Congress approved a slew of funding right after Katrina. And Congress was debating budgetary issues in October 2005. While there’s nothing that ties this request to a budget request, it just seems odd that FBI would have identified a need in September 2005, and then sat on that urgent request until the following July. Though that July request specifically mentioning Katrina seems to be the same request that got filed in March and was in process in April that did not mention Katrina in unredacted sections. That’s not as distant from the hurricanes that purportedly identified the need, but still an odd delay for something urgent.

There’s something else that was happening in 2005 and 2006, though, that may have been as central in creating a need for Stingrays as damage to telecom equipment caused by hurricanes.

On October 14, 2005, a magistrate judge in Texas refused a request to yoke a Pen Register order onto a subscriber record subpoena to obtain location data from a telecom. Then some other magistrates started joining in. This created two problems. First, how would FBI get that location information in criminal cases. But also, in December 2005, Congress moved towards limiting the use of Section 215 orders to things that may be obtained with a subpoena, a move that would become official with the renewal of the PATRIOT Act on March 9, 2006. So even while magistrates were hashing out how the FBI might obtain such information from telecoms in garden variety criminal cases (a debate that is currently before SCOTUS), FISC and the government appear to have been having the same debate behind closed doors. In February 2006, FISC required briefing on what appears to be a parallel use of PRTT combined with a subpoena — a FISA PRTT yoked to a Section 215 order. And while the exact timing isn’t clear, we know those combined orders ended in 2006.

In other words, hurricanes may have damaged telecom infrastructure leading FBI to rely more on Stingrays. But at the same time, the legal landscape for location requests was changing, perhaps even more dramatically on the FISA side than on the criminal side.

And we know — yesterday’s change in policy admitted to FISA uses for Stingrays, though we knew this already — that FBI does use Stingrays to obtain location data under FISA as well as under criminal cases.

Katrina may have created part of the need for FBI to do more Do It Yourself location tracking, bypassing the telecoms. But legal issues created a need too, and I’d be willing to bet that the big urgency to expand FBI’s DIY location tracking abilities in 2006 had quite a bit to do with the need to find another way of location tracking, preferably one with a lot fewer people reviewing the paperwork involved.

If I’m right, then it would suggest some interesting things about the fluctuations in PRTTs (I stole the table above from EPIC). That is, in 2006, there were significant drops in PRTTs, followed by a huge drop in 2008.

On the criminal side, FBI still gets PRTT orders when it uses a Stingray. I assume the same is true on the FISA side (though it would be a lot harder to enforce here, especially because no defendant would ever get notice). But we also know the government has been hiding bulk collection under single orders, so it wouldn’t take too many orders to incorporate a lot of people.

Did FBI stock up on Harris equipment because of the weather, or because of the law?

The Loopholes in DOJ’s New Stingray Policy

DOJ just announced a new policy on use of Stingrays which requires a warrant and minimization of incidentally-collected data. It’s big news and an important improvement off the status quo.

But there are a few loopholes.

Exigent and emergency uses

First, the policy reserves exigent uses. The exigent uses include most of DOJ agencies’ known uses of Stingrays now.

These include the need to protect human life or avert serious injury; the prevention of the imminent destruction of evidence; the hot pursuit of a fleeing felon; or the prevention of escape by a suspect or convicted fugitive from justice.

[snip]

In addition, in the subset of exigent situations where circumstances necessitate emergency pen register authority pursuant to 18 U.S.C. § 3125 (or the state equivalent), the emergency must be among those listed in Section 3125: immediate danger of death or serious bodily injury to any person; conspiratorial activities characteristic of organized crime; an immediate threat to a national security interest; or an ongoing attack on a protected computer (as defined in 18 U.S.C. § 1030) that constitutes a crime punishable by a term of imprisonment greater than one year.

We know the US Marshals constitute the most frequent users of admitted Stingray use — they’d be covered in prevention of escape by a fugitive. DEA seems to use them a lot (though I think more of that remains hidden). That’d include “conspiratorial activities characteristic of organized crime.” And it’s clear hackers are included here, which includes the first known use, to capture Daniel Rigmaiden.

And I’m not sure whether the exigent/emergency use incorporates the public safety applications mentioned in the non-disclosure agreements localities sign with the FBI, or if that’s included in this oblique passage.

There may also be other circumstances in which, although exigent circumstances do not exist, the law does not require a search warrant and circumstances make obtaining a search warrant impracticable. In such cases, which we expect to be very limited, agents must first obtain approval from executive-level personnel at the agency’s headquarters and the relevant U.S. Attorney, and then from a Criminal Division DAAG. The Criminal Division shall keep track of the number of times the use of a cell-site simulator is approved under this subsection, as well as the circumstances underlying each such use.

In short, many, if not most, known uses are included in exceptions to the new policy.

Notice to defendants

The many known uses of Stingrays where warrants would not be necessary — and where DOJ would therefore just be using a PRTT — are of particular importance given the way new disclosure requirements work. There are, to be sure, admirable new requirements to tell judges what the fuck they’re approving and what it means. But nothing explicitly says defendants will not get noticed. DOJ has said no past or current usage of Stingrays will get noticed to defendants. And all these non-warrant uses of Stingrays won’t be noticed either, probably. In other words, this returns things to the condition where defendants won’t know — because they would normally expect to see a warrant that wouldn’t exist in these non-warrant uses.

Sharing with localities

The policy doesn’t apply to localities, which increasingly have their own Stingrays they permit federal agencies to use. Curiously, the language applying this policy to federal cooperation with localities would suggest the federal rules only apply if the Feds are supporting localities, not if the reverse (FBI borrowing Buffalo’s Stingray, for example) is the case.

The Department often works closely with its State and Local law enforcement partners and provides technological assistance under a variety of circumstances. This policy applies to all instances in which Department components use cell-site simulators in support of other Federal agencies and/or State and Local law enforcement agencies.

Thus, it may leave a big out for the kind of cooperation we know to exist.

National security uses

Then, of course, the policy only applies in the criminal context, though DOJ claims it will adopt a policy “consistent” with this one on the FISC side.

This policy applies to the use of cell-site simulator technology inside the United States in furtherance of criminal investigations. When acting pursuant to the Foreign Intelligence Surveillance Act, Department of Justice components will make a probable-cause based showing and appropriate disclosures to the court in a manner that is consistent with the guidance set forth in this policy.

BREAKING! FBI has been using Stingrays in national security investigations! (Told ya!)

This language is itself slippery. FISC use of Stingrays probably won’t be consistent on the FISC side (even accounting for the many ways exigent uses could be claimed in national security situations), because we know that FISC already has different rules for PRTT on the FISC side, in that it permits collection of post cut through direct dialed numbers — things like extension numbers — so long as that gets minimized after the fact. The section on minimization here emphasizes the “law enforcement” application as well. So I would assume that not only will national security targets of Stingrays not get noticed on it, but they may use different minimization rules as well (especially given FBI’s 30 year retention for national security investigation data).

Other agencies’ use of Stingrays for content

DOJ suggests that DOJ never collects content using Stingrays by stating that its Stingrays always get set not to collect content.

Moreover, cell-site simulators used by the Department must be configured as pen registers, and may not be used to collect the contents of any communication, in accordance with 18 U.S.C. § 3127(3). This includes any data contained on the phone itself: the simulator does not remotely capture emails, texts, contact lists, images or any other data from the phone. In addition, Department cell-site simulators do not provide subscriber account information (for example, an account holder’s name, address, or telephone number).

But the rest of the policy makes it clear that department agents will work with other agencies on Stingray use. Some of those — such as JSOC — not only would have Stingrays that get content, but can even partner within the US with FBI.  So DOJ hasn’t actually prohibited its agencies from getting content from a Stingray (domestically — it goes without saying they’re permitted to do so overseas), just that it won’t do so using its own Stingrays.

Funny definitional games

Finally, while not necessarily a loophole (or at least not one I completely understand yet), I’m interested in this definition.

In the context of this policy, the terms “collection” and “retention” are used to address only the unique technical process of identifying dialing, routing, addressing, or signaling information, as described by 18 U.S.C. § 3127(3), emitted by cellular devices. “Collection” means the process by which unique identifier signals are obtained; “retention” refers to the period during which the dialing, routing, addressing, or signaling information is utilized to locate or identify a target device, continuing until the point at which such information is deleted.

This definition (which only applies to this policy and therefore perhaps not to national security uses of Stingrays) employs an entirely different definition for collection and retention than other collection that relies on collection then software analysis. Under upstream collection, for example, the government calls this definition of “retention” something closer to “collection.” Don’t get me wrong — this is probably a better definition than that used in other contexts. But I find it funny that FBI employs such different uses of these words in very closely connected contexts.

So, in sum, this is a real victory, especially the bit about actually telling judges what they’re approving when they approve it.

But there are some pretty obvious loopholes here….


Update: ACLU also welcomes this while pointing to some of the limits of the policy.

Update: Here are some of my posts on the FISA uses of PRTT, including (we now know) Stingrays.

Government Recently Released Information Proving Larry Klayman Has Standing


As I noted, the DC Circuit Court reversed Judge Richard Leon’s injunction against the phone dragnet. The judges disagreed on whether Larry Klayman had standing — because he is a Verizon Wireless but not Verizon landline subscriber, which had been the only thing confirmed by the government. All agreed he had not shown he had the high certainty of standing required to uphold an injunction against the program. But the per curiam opinion did agree that the case has not been mooted, because by immediately restarting the bulk program after the passage of USA F-ReDux, the government showed that the harm could recur.

That’s important, because information proving that Klayman does have standing has recently been released in an official (albeit probably inadvertent) release.

Part of the IG Reports on the phone dragnet Charlie Savage obtained by suing shows that — at least in 2010 — the Primary Order for the phone dragnet went to AT&T, Sprint, Verizon’s subsidiaries (the former MCI part of Verizon’s business, which I believe is its backbone), and “Cellco Partnership d/b/a Verizon Wireless.”

I’ll say more about what I think this really means in a later post — and why I think the suit against bulk surveillance needs to be, and can be, tweaked somewhat to ensure standing.

But for the moment, know that for at least one 90 day period in 2010, Verizon Wireless as well as Verizon’s landline was ordered to turn over phone records.

DC Circuit Reverses Judge Leon Order Overturning Phone Dragnet

In a per curiam decision, a DC Circuit panel including Janice Rogers Brown, Stephen Williams, and David Sentelle has reversed Judge Richard Leon’s preliminary injunction against the phone dragnet. They reversed on standing (which I’ll return to) but found the issue remains ripe.

This will be my working thread.

The panel pointed to the immediate resumption of the dragnet after USA F-ReDux to argue that the alleged violation could recur.

Cessation of a challenged practice moots a case only if “there is no reasonable expectation . . . that the alleged violation will recur.” Larsen v. U.S. Navy, 525 F.3d 1, 4 (D.C. Cir. 2008) (quotations and citations omitted). Here, any lapse in bulk collection was temporary. Immediately after Congress acted on June 2 the FBI moved the FISC to recommence bulk collection, United States’ Mem. of Law, In re Application of the FBI, No. BR 15-75 (FISC, filed Jun. 2, 2015), and the FISC confirmed that it views the new legislation as effectively reinstating Section 215 for 180 days, and as authorizing it to resume issuing bulk collection orders during that period.

Brown reversed because Klayman had shown it likely his records were collected, but had not reached the bar for a preliminary injunction.

However, plaintiffs are Verizon Wireless subscribers and not Verizon Business Network Services subscribers. Thus, the facts marshaled by plaintiffs do not fully establish that their own metadata was ever collected.

[snip]

Contrary to the assertions of my colleagues, these facts bolster plaintiffs’ position: where the Clapper plaintiffs relied on speculation and conjecture to press their claim, here, plaintiffs offer an inference derived from known facts.

However, the burden on plaintiffs seeking a preliminary injunction is high. Plaintiffs must establish a “substantial likelihood of success on the merits.” Sottera, Inc., 627 F.3d at 893. Although one could reasonably infer from the evidence presented the government collected plaintiffs’ own metadata, one could also conclude the opposite. Having barely fulfilled the requirements for standing at this threshold stage, Plaintiffs fall short of meeting the higher burden of proof required for a preliminary injunction. [citation omitted]

Williams reversed because he doesn’t think Klayman has standing. He points to Amnesty v Clapper to suggest he has only speculative standing.

Plaintiffs’ contention that the government is collecting data from Verizon Wireless (a contention that the government neither confirms nor denies, Gov’t’s Br. at 38-39), depends entirely on an inference from the existence of the bulk collection program itself. Such a program would be ineffective, they say, unless the government were collecting metadata from every large carrier such as Verizon Wireless; ergo it must be collecting such data. Appellee’s Br. 27-28. This inference was also the district judge’s sole basis for finding standing. Klayman v. Obama, 957 F. Supp. 2d 1, 27 & n.36 (2013).

Yet the government has consistently maintained that its collection “never encompassed all, or even virtually all, call records and does not do so today.”

[snip]

Here, the plaintiffs’ case for standing is similar to that rejected in Clapper. They offer nothing parallel to the Clapper plaintiffs’ evidence that the government had previously targeted them or someone they were communicating with (No. 3 above). And their assertion that NSA’s collection must be comprehensive in order for the program to be most effective is no stronger than the Clapper plaintiffs’ assertions regarding the government’s motive and capacity to target their communications (Nos. 2 & 4 above).

[snip]

Accordingly, I find that plaintiffs have failed to demonstrate a “substantial likelihood” that the government is collecting from Verizon Wireless or that they are otherwise suffering any cognizable injury. They thus cannot meet their burden to show a “likelihood of success on the merits” and are not entitled to a preliminary injunction.

Sentelle would boot the case entirely because Klayman doesn’t have standing.

Like Judge Williams, I believe that the failure to establish the likelihood of success depends at least in the first instance on plaintiffs’ inability to establish the jurisdiction of the court. I also agree with Judge Williams that plaintiffs have not established the jurisdiction of the court. That being the case, I would not remand the case for further proceedings, but would direct its dismissal.

[snip]

Plaintiffs have not demonstrated that they suffer injury from the government’s collection of records. They have certainly not shown an “injury in fact” that is “actual or imminent, not conjectural or hypothetical.” Friends of the Earth, Inc., 528 U.S. at 180. I agree with the conclusion of my colleagues that plaintiffs have not shown themselves entitled to the preliminary injunction granted by the district court. However, we should not make that our judicial pronouncement, since we do not have jurisdiction to make any determination in the cause. I therefore would vacate the preliminary injunction as having been granted without jurisdiction by the district court, and I would remand the case, not for further proceedings, but for dismissal.

Is the US Thwarting China’s Anti-Corruption (and Political Crime) Campaign to Retaliate for the OPM Hack?

Two weeks after floating a story to the NYT that Obama asked for some creative ways to retaliate against China for the OPM hack, the NYT reported (in both English and a prominently linked Chinese translation) that “in recent weeks” the US told agents trying to chase down Chinese nationals accused of corruption to get out.

The Obama administration has delivered a warning to Beijing about the presence of Chinese government agents operating secretly in the United States to pressure prominent expatriates — some wanted in China on charges of corruption — to return home immediately, according to American officials.

The American officials said that Chinese law enforcement agents covertly in this country are part of Beijing’s global campaign to hunt down and repatriate Chinese fugitives and, in some cases, recover allegedly ill-gotten gains.

The Chinese government has officially named the effort Operation Fox Hunt.

The American warning, which was delivered to Chinese officials in recent weeks and demanded a halt to the activities, reflects escalating anger in Washington about intimidation tactics used by the agents. And it comes at a time of growing tension between Washington and Beijing on a number of issues: from the computer theft of millions of government personnel files that American officials suspect was directed by China, to China’s crackdown on civil liberties, to the devaluation of its currency.

Operation Fox Hunt is not new — or secret. It has been covered before by the US press, including updates on how many people official Chinese sources claim they have gotten to return for prosecution. The NYT follow-up admits — though the original didn’t provide the same level of detail — that DHS agreed in April to prosecute Chinese economic fugitives (which would extend the US habit of asserting jurisdiction where none exists) if provided real evidence of corruption.

But in April, the Department of Homeland Security worked out a new arrangement with China’s Ministry of Public Security, which oversees Operation Fox Hunt, to assist Beijing’s efforts to prosecute economic fugitives according to United States law. American officials, however, say China has so far failed to provide the necessary evidence.

Both NYT articles mention what the WSJ reports in more depth, including details of how these operatives are working: among the economic fugitives in the US China is aggressively pursuing is Ling Wangcheng, the brother of a former top Hu Jintao aide.

Mr. Ling’s brother was a top aide to China’s previous president, Hu Jintao, but was placed under investigation by the Communist Party in December and formally accused in July of bribe-taking, adultery and illegally obtaining state secrets.

For much of 2014, Mr. Ling was living under an alias in a mansion in a gated community in Loomis, Calif., near Sacramento, with Mr. Yuan’s ex-wife, neighbors said. The couple hasn’t been seen there since around October.

Mr. Ling is now the focus of political intrigue that could overshadow a visit to the U.S. in September by China’s leader, Xi Jinping.

Diplomats and analysts said Mr. Ling might have had access through this brother to sensitive information about Chinese leaders. If he sought political asylum, Mr. Ling would be the most significant Chinese defector in decades.

It isn’t clear why Mr. Ling, 55 years old, moved to the U.S. in 2013 or 2014. He lost touch with many friends in China around last fall, a family acquaintance said, but later reassured friends he was safe in the U.S.

The implication from this — and other recent reporting on Ling — is that he did get asylum in October, and has been cooperating with US authorities.

All that is probably only tangentially related to the US leak of its earlier decision — taken precisely as the US tries to find a way to retaliate for the OPM hack — to start cracking down on this Chinese effort.

There are two things I haven’t seen mentioned in coverage of this. First, remember that the US has engaged in a similar effort, using an offer of amnesty for rich tax cheats who had stashed their money in Swiss banks (though there have been what I believe to be similar efforts on the part of the US to expose tax cheats that have mostly focused on non-US citizens).

And don’t forget the lengths to which the US went to get someone who had top secrets to come back to the US, including when it had Austria ground Evo Morales’ plane so it could search for Edward Snowden.

In any case, I suspect the US used Operation Fox Hunt as an opportunity to let China know it knew of these admitted agents. Sort of a way for the US to tell China we know where its operatives in the US are, just as it knows where our operatives are in China, thanks to the OPM hack.

For its part, China’s Xinhua paper has scolded the US for harboring crooks (and provided slightly different details of the agreement pertaining to Fox Hunt).

Corruption is not only a serious problem in China, but also in the rest of the world. And in a world which is more and more connected, countries should take coordinated efforts in fighting corruption.

Although there is no extradition agreement between the United States and China, the two countries actually have already agreed on anti-corruption cooperation.

In April 2015, U.S. Homeland Security Secretary Jeh Johnson met Chinese Public Security Minister Guo Shengkun in Beijing, and they agreed to strengthen cooperation in law enforcement.

They agreed not to provide shelter for the other side’s fugitives and would try to repatriate them in accordance with law. Specifically, Johnson also promised to actively support China’s “Sky Net” and “Fox Hunt” operations, which aim to bring back corrupt officials.

So the U.S. government’s decision to force China’s law enforcement stuff to leave the country obviously reveals that Washington lacks sincerity and has failed to translate its words into action.

Some analysts even say that the United States is reluctant to repatriate those corrupt officials for the sake of their money of course.

Therefore, the United States, as a country that often stresses the rule of law, should clarify the issue and by no means become a safe haven for Chinese criminal suspects.

The US may have decided this would be an easy way to push back on China, but that won’t prevent China from scoring points from it.

What’s a Little (or a Lot) Cooperation Among Spies?

A key point in the ProPublica/NYT piece on AT&T’s close cooperation with the NSA (and, though not stated explicitly, other agencies) on spying is that AT&T was the telecom that helped NSA spy on the UN.

It provided technical assistance in carrying out a secret court order permitting the wiretapping of all Internet communications at the United Nations headquarters, a customer of AT&T.

If you read the underlying document, it actually shows that NSA had a traditional FISA order requiring the cooperation (remember, “agents of foreign powers,” as diplomats are, are among the legal wiretap targets under FISA, no matter what we might think about NSA spying on UN in our own country) — meaning whatever telecom serviced the UN legally had to turn over the data. And a big part of AT&T’s cooperation, in addition to technically improving data quality, involved filtering the data to help NSA avoid overload.

BLARNEY began intermittent enablement of DNI traffic for TOPI assessment and feedback. This feedback is being used by the BLARNEY target development team to support an ongoing filtering and throttling of data volumes. While BLARNEY is authorized full-take access under the NSA FISA, collected data volumes would flood PINWALE allocations within hours without a robust filtering mechanism.

In other words, AT&T helped NSA, ironically, by helping it limit what data it took in. Arguably, that’s an analytical role (who builds the algorithms in the filter?), but it’s one that limits how much actually gets turned over to the government.

That doesn’t mean the cooperation was any less valued, nor does it mean it didn’t go beyond what AT&T was legally obliged to do under the FISA order. But it’s not evidence AT&T would wiretap a non-legal (private corporation) target as a favor for NSA. That evidence may exist, somewhere, but it’s not in this story, except insofar as it mentions Stellar Wind, where AT&T was doing such things.

To be fair, AT&T’s UN cooperation is actually emphasized in this story because it was a key data point in the worthwhile ProPublica piece explaining how they proved Fairview was AT&T.

In April 2012, an internal NSA newsletter boasted about a successful operation in which NSA spied on the United Nations headquarters in New York City with the help of its Fairview and Blarney programs. Blarney is a program that undertakes surveillance that is authorized by the Foreign Intelligence Surveillance Court.

FAIRVIEW and BLARNEY engineers collaborated to enable the delivery of 700Mbps of paired packet switched traffic (DNI) traffic from access to an OC192 ring serving the United Nations mission in New York … FAIRVIEW engineers and the partner worked to provide the correct mapping, and BLARNEY worked with the partner to correct data quality issues so the data could be handed off to BLARNEY engineers to enable processing of the DNI traffic.

We found historical records showing that AT&T was paid $1 million a year to operate the U.N.’s fiber optic provider in 2011 and 2012. A spokesman for the U.N. secretary general confirmed that the organization “has a current contract with AT&T” to operate the fiber optic network at the U.N. headquarters in New York.

That is, the UN story is important largely because there are public records proving that AT&T was the provider in question, not because it’s the most egregious example of AT&T’s solicitous relationship with the nation’s spies.

Also in that story proving how they determined Fairview was AT&T and Stormbrew included Verizon was the slide above, bragging that the Comprehensive National Cybersecurity Initiative 100% subsidized Verizon’s Breckenridge site at a new cable landing carrying traffic from China.

It’s not entirely clear what that means — it might just refer to the SCIF, power supply, and servers needed to run the TURMOIL (that is, passive filtering) deployments the NSA wanted to track international traffic with China. But as ProPublica lays out, the NSA was involved the entire time Verizon was planning this cable landing. Another document on CNCI shows that in FY2010 — while significantly less than AT&T’s Fairview — NSA was dumping over $100M into Stormbrew and five times as much money into “cyber” as into FISA (in spite of the fact that they admit they’re really doing all this cybering to catch attacks on the US, meaning it has to ostensibly be conducted under FISA, even if FISC had not yet and may never have approved a cyber certificate for upstream 702). And those numbers date to the year after the Breckenridge project was put on line, and at a time when Verizon was backing off an earlier closer relationship with the Feds.

How much did Verizon really get for that cable landing, what did they provide in exchange, and given that this was purpose-built to focus on Chinese hacking 6 years ago, why is China still eating our lunch via hacking? And if taxpayers are already subsidizing Verizon 100% for capital investments, why are we still paying our cell phone bills?

Particularly given the clear focus on cyber at this cable landing, I recall the emphasis on Department of Commerce when discussing the government’s partnership with industry in PPD-20, covering authorizations for various cyber activities, including offensive cyberwar (note the warning I gave for how Americans would start to care about this Snowden disclosure once our rivals, like China, retaliate). That is, the government has Commerce use carrots and sticks to get cooperation from corporations, especially on cybersecurity.

None of this changes the fact that AT&T has long been all too happy to spy on its customers for the government. It just points to how little we know about these relationships, and how much quid pro quo there really is. We know from PRISM discussions that the providers could negotiate how they accomplished an order (as AT&T likely could with the order to wiretap the UN), and that’s one measure of “cooperation.” But there’s a whole lot else to this kind of cooperation.

Update: Credo released a statement in response to the story.

“As a telecom that can be compelled to participate in unconstitutional surveillance, we know how important it is to fight for our customers’ privacy and only hand over information related to private communications when required by law,” said CREDO Mobile Vice President Becky Bond. “It’s beyond disturbing though sadly not surprising what’s being reported about a secret government relationship with AT&T that NSA documents describe as ‘highly collaborative’ and a ‘partnership, not a contractual relationship,’

“CREDO Mobile supports full repeal of the illegal surveillance state as the only way to protect Americans from illegal government spying,” Bond continued, “and we challenge AT&T to demonstrate concern for its customers’ constitutional rights by joining us in public support of repealing both the Patriot Act and FISA Amendments Act.”

AT&T Pulled Cell Location for Its “Mobility Cell Data”

ProPublica and NYT have an important story that confirms what we’ve long known: that AT&T, operating under the Fairview program, is all too happy to do business with the NSA. As part of the story, they note that in 2011, AT&T started providing cell data to NSA under the BR FISA program.

In 2011, AT&T began handing over 1.1 billion domestic cellphone calling records a day to the NSA after “a push to get this flow operational prior to the tenth anniversary of 9/11,” according to an internal agency newsletter. This revelation is striking because after Snowden disclosed the program of collecting the records of Americans’ phone calls, intelligence officials told reporters that, for technical reasons, it consisted mostly of landline phone records.

They base the claim on this document, which reads,

On 29 August, FAIRVIEW started delivering Mobility Business Records traffic into MAINWAY under the existing Business Record (BR) FISA authorization. The intent of the Business Records FISA program is to detect previously unknown terrorist threats in the United States through the cell chaining of metadata. This new metadata flow is associated with a cell phone provider and will generate an estimated 1.1 billion cellular records a day in addition to the 700M records delivered currently under the BR FISA. After extensive dialogue with the consumers of the BR data, repeated testing, a push to get this flow operational prior to the tenth anniversary of 9/11, and extensive coordination with external entities via our OGC (to include: FBI, DOJ, ODNI, and FISC) NSA received approval to initiate this dataflow on August 29, 2011. Analysts have already reported seeing BR Cellular records in the Counter Terrorism call-chaining database queries.

Though it provides important new context, that NSA started receiving mobile data on August 29, 2011 is not new news (though that it was getting it from AT&T is). The government released the notice it gave to the House Judiciary Committee that it was receiving that data in October 2013 under FOIA (indeed, this document is one I have pointed to to refute claims that the program didn’t collect cell data).

All that said, the notice, taken together with the context of the internal announcement, does explain more about why the NSA wasn’t getting as much cell data as they wanted.

In the case of Fairview and the collection started on August 29, 2011, the provider “remove[d] the cell [redacted] location information [redacted] before providing the CDRs to NSA.”

Before initiating the acquisition of mobility data, NSA undertook extensive testing to ensure strict compliance with the terms of the FISC Orders. The Court’s Orders are designed to protect the civil liberties and privacy interests of Americans. Following completion of testing, on 29 August 2011, NSA began to receive approximately [redacted] CDRs per day and enter these records into our BR FISA bulk metadata architecture.

[redacted] NSA requested that the [redacted] remove the cell [redacted] location information [redacted] before providing the CDRs to NSA. Consequently, NSA is not currently receiving this field as part of the data being acquired. [redacted]

As the NYT reported earlier this week, NSA had given Verizon Wireless a separate phone dragnet order in 2010. But the redaction in the notice to Congress on obtaining mobility data from a year later seems to address the problem with obtaining location information.

We know from the Congressional notice AT&T was willing to strip it. For a lot of reasons, it’s likely Verizon was unwilling to strip it.

This is one of the possible explanations I’ve posited for why NSA wasn’t getting cell data from Verizon, because any provider is only obliged to give business records they already have on hand, and it would be fairly easy to claim stripping the cell location data made it a new business record.

Which is another important piece of evidence for the case made against AT&T in the story. They were willing to play with records they were handing over to the government in ways not required by the law.

Though who knows if that remain(ed) the case? To get to the 30% figure quoted in all the pieces claiming NSA wasn’t getting cell data, you’d probably have to have AT&T excluded as well. So maybe after the Snowden releases, they, too, refused to do things they weren’t required to do by law (though because it had the Hemisphere database which could easily select records, that may have been harder to do).

Update: Adding that FISC took judicial notice of some magistrates’ rulings that you needed more than a subpoena for location data in 2006, after Congress said you could only get what you could get with a subpoena in the 2006 PATRIOT Reauthorization. So it’s possible any squeamishness about location collection dates to that point, though we know FISC did still permit the government to get location data with 215 orders.

BREAKING: What emptywheel Reported Two Years Ago

The NYT today:

The National Security Agency has used its bulk domestic phone records program to search for operatives from the government of Iran and “associated terrorist organizations” — not just Al Qaeda and its allies — according to a document obtained by The New York Times.

[snip]

The inclusion of Iran and allied terrorist groups — presumably the Shiite group Hezbollah — and the confirmation of the names of other participating companies add new details to public understanding of the once-secret program. The Bush administration created the program to try to find hidden terrorist cells on domestic soil after the attacks of Sept. 11, 2001, and government officials have justified it by using Al Qaeda as an example.

emptywheel, 15 months ago:

I want to post Dianne Feinstein’s statement about what Section 215 does because, well, it seems Iran is now a terrorist. (This is around 1:55)

The Section 215 Business Records provision was created in 2001 in the PATRIOT for tangible things: hotel records, credit card statements, etcetera. Things that are not phone or email communications. The FBI uses that authority as part of its terrorism investigations. The NSA only uses Section 215 for phone call records — not for Google searches or other things. Under Section 215, NSA collects phone records pursuant to a court record. It can only look at that data after a showing that there is a reasonable, articulable that a specific individual is involved in terrorism, actually related to al Qaeda or Iran. At that point, the database can be searched. But that search only provides metadata, of those phone numbers. Of things that are in the phone bill. That person, um [flips paper] So the vast majority of records in the database are never accessed, and are deleted after a period of five years. To look at, or use content, a court warrant must be obtained.

Is that a fair description, or can you correct it in any way?

Keith Alexander: That is correct, Senator. [underline/italics added]

Some time after this post Josh Gerstein reported on Keith Alexander confirming the Iran targeting.

The NYT today:

One document also reveals a new nugget that fills in a timeline about surveillance: a key date for a companion N.S.A. program that collected records about Americans’ emails and other Internet communications in bulk. The N.S.A. ended that program in 2011 and declassified its existence after the Snowden disclosures.

In 2009, the N.S.A. realized that there were problems with the Internet records program as well and turned it off. It then later obtained Judge Bates’s permission to turn it back on and expand it.

When the government declassified his ruling permitting the program to resume, the date was redacted. The report says it happened in July 2010.

emptywheel in November 2013:

I’ve seen a lot of outright errors in the reporting on the John Bates opinion authorizing the government to restart the Internet metadata program released on Monday.

Bates’ opinion was likely written in July 2010.

[snip]

It had to have been written after June 21, 2010 and probably dates to between June 21 and July 23, 2010, because page 92 footnote 78 cites Holder v. HLP (which was released on June 21), but uses a “WL” citation; by July 23 the “S. Ct.” citation was available. (h/t to Document Exploitation for this last observation).

So: it had to have been written between June 21, 2010 and October 3, 2011, but was almost certainly written sometime in the July 2010 timeframe.

The latter oversight is understandable, as this story — which has been cited in court filings — misread Claire Eagan’s discussions of earlier bulk opinions, which quoted several sentences of Bates’ earlier one (though it was not among the stories that really botched the timing of the Bates opinion).

In September, the Obama administration declassified and released a lengthy opinion by Judge Claire Eagan of the surveillance court, written a month earlier and explaining why the panel had given legal blessing to the call log program. A largely overlooked passage of her ruling suggested that the court has also issued orders for at least two other types of bulk data collection.

Specifically, Judge Eagan noted that the court had previously examined the issue of what records are relevant to an investigation for the purpose of “bulk collections,” plural. There followed more than six lines that were censored in the publicly released version of her opinion.

There have been multiple pieces of evidence to confirm my earlier July 2010 deduction since.

The big news in the NYT story (though not necessarily the NYT documents, which I’ll return to) is that in 2010, Verizon Wireless also received phone dragnet orders. I’ll return to what that tells us too.

But the news that Iran was targeted under the phone dragnet was confirmed publicly — and reported here — in a prepared statement from the Senate Intelligence Chair and confirmed by the Director of the National Security Agency a week after the first Snowden leak story.

Christie Lied about 9/11 to Try to Shut Down Paul’s Opposition to Dragnet Spying [Updated]

One of the most contentious exchanges in last night’s debate came when Megyn Kelly raised Chris Christie’s past attacks on Rand Paul for opposing the bulk dragnet.

KELLY: Alright, gentlemen, we’re gonna switch topics now and talk a bit about terror and national security.

Governor Christie. You’ve said that Senator Paul’s opposition to the NSA’s collection of phone records has made the United States weaker and more vulnerable, even going so far as to say that he should be called before Congress to answer for it if we should be hit by another terrorist attack.

Do you really believe you can assign blame to Senator Paul just for opposing the bulk collection of people’s phone records in the event of a terrorist attack?

CHRISTIE: Yes, I do. And I’ll tell you why: because I’m the only person on this stage who’s actually filed applications under the Patriot Act, who has gone before the federal — the Foreign Intelligence Service court, who has prosecuted and investigated and jailed terrorists in this country after September 11th.

I was appointed U.S. attorney by President Bush on September 10th, 2001, and the world changed enormously the next day, and that happened in my state.

This is not theoretical to me. I went to the funerals. We lost friends of ours in the Trade Center that day. My own wife was two blocks from the Trade Center that day, at her office, having gone through it that morning.

Never mind that most US Attorneys don’t, themselves, go before the FISC to present cases (usually it is people from the National Security Division, though it was OIPR when Christie was US Attorney), never mind that the name of the court is the “Foreign Intelligence Surveillance Court.”

The real doozie here is Chris Christie’s claim that he “was appointed U.S. attorney by President Bush on September 10th, 2001.”

On December 7, 2001 — three months after the attacks — President Bush released this notice of nomination.

The President intends to nominate Christopher J. Christie to be United States Attorney for the District of New Jersey. Christie has been a partner with Dughi, Hewitt and Palatucci of Cranford, New Jersey since 1987. He is a graduate of the University of Delaware and Seton Hall University School of Law.

Christie was confirmed quickly and started as US Attorney in January 2002.

Now, maybe Bush spoke with his big New Jersey fundraiser Chris Christie and assured him the payoff — in the form of a key appointment — would be coming. Maybe that conversation even happened on September 10.

But it is not the case that he was nominated on September 10.

I attribute this fib — like the mistakes about the name of FISC — to bluster and debate confusion. What I find more offensive is that Andrea Mitchell, when hailing Christie’s national security credentials later in the night, literally claimed he was nominated on September 10 and started on September 12.

And there’s a far bigger subtext here.

Christie implies he was involved in the dragnet in question. He was US Attorney from January 2002 to December 2008 — so he in fact would have been in office during the two years when the phone dragnet worked through the Servic — um, Surveillance court, and four years of the Internet dragnet. But if, as he implies, he was involved in the dragnet for the entire span of his tenure — and remember, there were huge cases run out of Trenton right out of 9/11 — then he was also using the fruits of illegal wiretapping to do his job. Not just Servic — um, Surveillance court authorized dragnets and wiretaps, but also illegal wiretaps.

Which may explain why he’s so invested in rebutting any questions about the legitimacy of the program.

Update: Here’s what his official biography says about his tenure as US Attorney. (h/t JH)

Christie was named U.S. Attorney for the District of New Jersey in 2002. As the chief federal law enforcement officer in New Jersey, earning praise from leaders in both parties and drawing national attention for his efforts in battling political corruption, corporate crime, human trafficking, gangs, terrorism and environmental polluters.

Update: In an absolutely hysterical attempt to rebut the clear fact that he was not nominated when he said he was, Christie’s people said he was informed he would be on September 10 at 4:30 (as I suggested was likely). But the rest of the explanation makes it clear they hadn’t even done a background check yet!

The intervening crisis caused by the terrorist attacks on New York and Washington then delayed action on the nomination. In the interview for the book, Christie said he didn’t hear again from the White House for two weeks and that things were slowed because there were no available FBI agents to do background checks, as they had been assigned to investigating the 9/11 attacks.