I Con the Record: Drop the Lawsuits and We’ll Release the Data Hostages

/2 Comments/in /by

I Con the Record just announced that the NSA will make the phone dragnet data it has “analytically unavailable” after the new system goes live in November, and unavailable even to techs three months later.

On June 29, 2015, the Foreign Intelligence Surveillance Court approved the Government’s application to resume the Section 215 bulk telephony metadata program pursuant to the USA FREEDOM Act’s 180-day transition provision. As part of our effort to transition to the new authority, we have evaluated whether NSA should maintain access to the historical metadata after the conclusion of that 180-day period.

NSA has determined that analytic access to that historical metadata collected under Section 215 (any data collected before November 29, 2015) will cease on November 29, 2015.  However, solely for data integrity purposes to verify the records produced under the new targeted production authorized by the USA FREEDOM Act, NSA will allow technical personnel to continue to have access to the historical metadata for an additional three months.

Separately, NSA remains under a continuing legal obligation to preserve its bulk 215 telephony metadata collection until civil litigation regarding the program is resolved, or the relevant courts relieve NSA of such obligations. The telephony metadata preserved solely because of preservation obligations in pending civil litigation will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata upon expiration of its litigation preservation obligations.

As I understand it, whatever data has been found to be two or three degrees of separation from a baddie will remain in NSA’s maw, but the data that has never returned off a search will not.

I’m pleasantly surprised by this, as I suspect it reflects a decision to accept the Second Circuit verdict in ACLU v. Clapper and to move to shut down other lawsuits.

As I noted, two weeks ago, the ACLU moved for an injunction against the dragnet, which not only might have led to the Second Circuit ordering the government to purge ACLU’s data right away (and possibly, to stop collecting all data), but also basically teed up the Second Circuit to remind the FISC it is not an appellate court. I worried that would lead the FISC to ask FISCR to review its dragnet decisions under a provision newly provided under the USA F-ReDux.

Shortly after ACLU filed its request for an injunction, the government asked for an extension to … today, which the court granted.

So I assume we’ll shortly see that filing arguing that, since the government has voluntarily set a purge date for all the dragnet data, ACLU should not get its injunction.

That doesn’t necessarily rule out a FISCR fast track request, but I think it makes it less likely.

The other player here, however, is the EFF.

I believe both ACLU and EFF’s phone dragnet client Council on American Islamic Relations, had not only standing as clients of dragnetted companies, but probably got swept up in the two-degree dragnet. But CAIR probably has an even stronger case, because it is public that FISC approved a traditional FISA order against CAIR founder Nihad Awad. Any traditional FISA target has always been approved as a RAS seed to check the dragnet, and NSA almost certainly used that more back when Awad was tapped, which continued until 2008. In other words, CAIR has very good reason to suspect the entire organization has been swept up in the dragnet and subjected to all of NSA’s other analytical toys.

EFF, remember, is the one NGO that has a preservation order, which got extended from its earlier NSA lawsuits (like Jewel) to the current dragnet suit. So when I Con the Record says it can’t destroy all the data yet, it’s talking EFF, and by extension, CAIR. So this announcement — in addition to preparing whatever they’ll file to get the Second Circuit off its back — is likely an effort to moot that lawsuit, which in my opinion poses by far the biggest threat of real fireworks about the dragnet (not least because it would easily be shown to violate a prior SCOTUS decision prohibiting the mapping of organizations).

We’ll see soon enough. For the moment, though, I’m a bit surprised by the cautious approach this seems to represent.

Update: Timeline on data availability fixed.

Update: Here’s the government’s brief submitted today. I’m rather intrigued by how often the brief claims USA F-ReDux was about bulk “telephony” data when it was supposed to be about all bulk collection. But I guess I can return to that point.

Update: They depart from describing USA F-ReDux as a ban bulk collection of telephony when they describe it as a ban on collection of bulk collection under Section 215, also not what the bill says.

Part of the compromise on which Congress settled, which the President supported, was to add an unequivocal ban on bulk collection under Section 215 specifying that “[n]o order issued under” Section 215(b)(2) “may authorize collection of tangible things without the use of a specific selection term that meets the requirements” of that subsection.

Update: This is key language — and slightly different from what they argued before FISC. I will return to it.

Plaintiffs assert that, by not changing the language of Section 215 authorizing the collection of business records during the transition period, Congress implicitly incorporated into the USA FREEDOM Act this Court’s opinion holding that Section 215 did not authorize bulk collection. See Pls.’ Mot. 7- 8. Plaintiffs rely on language providing that the legislation does not “alter or eliminate the authority of the Government to obtain an order under” Section 215 “as in effect prior to the effective date” of the statute. USA FREEDOM Act § 109, 129 Stat. at 276. That language does not advance plaintiffs’ argument, however, because the statute says nothing expressly about what preexisting authority the government had under Section 215 to obtain telephony metadata in bulk. It is implausible that Congress employed the  word “authority” to signify that the government lacked authority to conduct the Section 215 bulk telephony-metadata program during the 180-day transition period, contrary to the FISC’s repeated orders and the Executive Branch’s longstanding and continuing interpretation and application of the law, and notwithstanding the active litigation of that question in this Court. That is especially so because language in the USA FREEDOM Act providing for the 180-day transition period has long been a proposed feature of the legislation. It is thus much more plausible that the “authority” Congress was referring to was not the understanding of Section 215 reflected in this Court’s recent interpretation of Section 215, but rather the consistent interpretation of Section 215 by 19 different FISC judges: to permit bulk collection of telephony metadata.

Richard Burr’s Backdoor Data Retention Amendment

/6 Comments/in /by

The Senate Intelligence Authorization is now available here.

In addition to language requiring social media companies to report terrorist activity on their network to the government — which yesterday Jim Comey said they didn’t need — it has a provision that might to lead to data retention mandates under USA F-ReDux. It requires reporting if any provider stops retaining call detail records at least 18 months.

SEC. 602. NOTIFICATION OF CHANGES TO RETENTION OF CALL DETAIL RECORD POLICIES.
(a) Requirement To Retain.—Not later than 15 days after learning that an electronic communication service provider that generates call detail records in the ordinary course of business has changed its policy on the retention of such call detail records to result in a retention period of less than 18 months, the Director of National Intelligence shall provide written notification of such change to the congressional intelligence committees.

(b) Definitions.—In this section:

(1) CALL DETAIL RECORD.—The term “call detail record”—

(A) means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and

(B) does not include—

(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;

(ii) the name, address, or financial information of a subscriber or customer; or

(iii) cell site location or global positioning system information.

(2) ELECTRONIC COMMUNICATION SERVICE.—The term “electronic communication service” has the meaning given that term in section 2510 of title 18, United States Code. [my emphasis]

The important details of this provision, however, are in the definitions.

This retention requirement applies to all electronic communication service providers that generate call detail records. That means it applies not just to telecoms, traditionally defined, but also to internet service providers. And the definition of call detail record relies on “session identifier,” not any phone call made.

That either confirms that USA F-ReDux will apply to Internet companies as well as phone companies, and/or it suggests SSCI wants data retention to apply to far more than just the newfangled phone dragnet.

T-Mobile’s Transparency: “Other,” and Granularity to Come on National Security Reports

/in /by

I think CNet is correct to point out the most amazing thing from T-Mobile’s transparency report released yesterday: somehow, T-Mobile is getting a lot more legal requests than its bigger rivals — though I suspect that’s because pre-paid/contract-less cell phones are a much larger part of its business, and therefore it probably does more business with potential law enforcement targets (for example, both Tsarnaev brothers were using T-Mobile pre-paid phones the day of the attack, and Tamerlan had been since his return from Russia, and the taxi driver busted via the phone dragnet also used T-Mobile).

But I’m interested in three more things about this report. First, as with Amazon, I’m interested that this report comes just after USA F-ReDux rolled out new ways for providers to report national security requests. That offers one possible explanation for why these two companies waited to release their reports.

On a very related note, T-Mobile not only chose to use one of the newfangled reporting options, but it suggested it might be able to do more granular reporting in the future.

Providers are authorized by statute to report the national security requests in one of three ways. T-Mobile has chosen to report a combined total of national security requests for this reporting period, and may be able to report more granular information in the future. To the extent we are permitted to report this information in the aggregate, it must be in bands of 250 increments.

I’ll have to think about why this might be (but remember the initial agreement required a 2-year wait before reporting new requests, so that may be part of it). But I find T-Mobile’s optimism they’ll be able to report more in the future curious.

Then, finally, there is T-Mobile’s “other” category, for which they had 11,105 requests in 2013 and only 8,760 last year (every other category, except national security reporting, has been growing at an alarming clip). T-Mobile explains this category this way:

This may include requests to preserve information pursuant to 18 USC § 2704, requests for T-Mobile information (not customer information), requests pursuant to The Fair and Accurate Credit Transactions Act of 2003, and any other request that does not match a category above.

Given that T-Mobile uses AT&T’s backbone, I think it quite likely it gets a lot of preservation orders, because the FBI will frequently know immediately about T-Mobile traffic, but take some time for legal process on the actual account (indeed, I think that may have happened with the Tsarnaevs, given the way DOJ obscured whether it got T-Mobile information or AT&T information first). It’s also possible other providers don’t distinguish here, and only report the ultimate order or warrant that the information gets preserved for.

That said, there’s a lot of these requests (and the decline is rather curious, given how quickly everything else has gone up).

One more thing. Remember that the current dragnet order may have added another provider. If so, T-Mobile is one of the most likely candidates.

Did NSA Add a New Dragnet Provider with Its Latest Order?

/1 Comment/in /by

Cryptome has published the latest phone dragnet order. Contrary to reports, the dragnet order is only for two months (until the end of August), not until the expiration of the bulk dragnet in November, plus retroactive collection to May 31. It also has new language reflecting changes in minimization requirements in USA Freedom Act, and updated language to reflect the Second Circuit’s decision in a paragraph ordering that the government inform FISC if anything changes because of the pending circuit court decisions.

But the most interesting change has to do with the redactions.

The initial redaction (which lists all the providers) is not the same size — the new order, 15-75, has a wider redaction than the last order, 15-24, but the earlier order may be a line longer. But it is very close.

But the paragraph addressing custodians of records is clearly different. Here’s what that first few lines in that paragraph in 15-24 looks like:

Screen Shot 2015-07-03 at 2.57.57 PM

Here’s what it looks like in 15-75.

Screen Shot 2015-07-03 at 3.01.01 PM

The following paragraph, which addresses Verizon, appears to be the same.

There are two things that might explain the change in redaction. First, the providers may remain the same (understood to be AT&T and Sprint), but the official name used to refer to one may have changed — though I’m not aware of any changes at AT&T or Sprint that might explain that.

Or, they may have added another provider.

Mind you, I expect the government to add new providers once they move to the new querying technique in November, as the government will almost certainly be querying more newfangled kinds of “calls” and “texts” (to include VOIP and other Internet-based communications). So I think additional providers are inevitable.

Still, at least from the redactions of this order, it appears NSA may have already added a new provider.

NSA Gets Full Take on FISA-Authorized Web Forums

/3 Comments/in /by

Screen Shot 2015-07-02 at 6.03.50 PMAmong the document dump associated with the Intercept’s two stories on XKeyscore, there’s one that has importance outside of the discussion of how XKeyscore works in the slide deck on how XKS works on web forum data.

It reveals what was fairly predictable, but has never been confirmed: That the NSA obtains “full take” on US-based web forums that it can get FISA orders for.

This has been suggested in a number of terrorist proceedings — that the targets were first identified in a forum, and from there targeted for more surveillance (or, just as often, for an FBI undercover sting).

The XKS deck in question further makes clear that the NSA saves all of the data from such forums, so that data will come up in XKS queries going forward. Further, the NSA can pull the messages that use one of the most popular extremist tools for encryption.

All this almost certainly means that the same web forum data would be available to FBI Agents for back door searches at the Assessment level, so even the mere participation in a web forum may target someone for further investigation (or even, for coercion to become an informant himself).

Again, this has been fairly clear for some time. But this slide deck confirms what the government has been obscuring from defense attorneys.

 

XKeyscore Suffers from Same Giant Oversight Loophole as Phone Dragnet and SIGDEV: No Tech Audits

/1 Comment/in /by

I’ve long pointed to a giant oversight hole in key NSA programs: in both the domestic phone dragnet and SIGDEV (research and development), tech activities are excluded from auditing requirements.

In a piece reviewing what happens with XKS today, Intercept’s Micah Lee points out that the same loophole appears to exist in XKeyscore, the querying system that filters through the globally collected data. Sysadmins not only don’t have their own audited log-ins (a condition that appears to be what was in existence for the PRTT dragnet until 2009), but they can access the system outside of the normal querying process that gets audited.

When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.” Adams notes, “That means that changes made by an administrator cannot be logged.” If one administrator does something malicious on an XKEYSCORE server using the “oper” user, it’s possible that the digital trail of what was done wouldn’t lead back to the administrator, since multiple operators use the account.

There appears to be another way an ill-intentioned systems administrator may be able to cover their tracks. Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail, on which the system relies to assure that users aren’t doing overly broad searches that would pull up U.S. citizens’ web traffic. Systems administrators, however, are able to run MySQL queries. The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.

Now, Lee is just pointing out a problem that exists technically, based on the documents describing the system.

But as we’ve seen, with the phone dragnet, at least, this is by design. The NSA simply doesn’t track tech functions as closely as it does analysts, which are more closely watched (but some, not all, of whose activities are still subject to randomness of audits), even though some techs have more direct access to raw data (by necessity). Indeed, what Snowden accomplished would have been impossible — or at least, would have been tracked more quickly than months — if this weren’t the case.

Whether or not you support NSA’s dragnet, this is a bureaucratic problem, one that rightly raises questions about the good faith of the system.

NSA said that after Snowden they instituted two person sign-off for some activities. They’d do well to release evidence they have actually done so.

Once Again Sammy Alito’s Speculative Chain of Possibilities Proves True

/3 Comments/in , /by

Back when SCOTUS Justice Sam Alito wrote the opinion booting the ACLU-argued challenge to Section 702, he said the plaintiffs’ worries — that the US government was collecting their international communications under Section 702 — were too speculative to give them standing to challenge the constitutionality of the statute.

In sum, respondents’ speculative chain of possibilities does not establish that injury based on potential future surveillance is certainly impending or is fairly traceable to §1881a.

The named plaintiff in that suit — the NGO wildly speculating that the US government was reading its international communication with human rights victims and others — was Amnesty International.

Today, UK’s Investigatory Powers Tribunal informed Amnesty International that unnamed UK government agencies have been intercepting their communications.

In a shocking revelation, the UK’s Investigatory Powers Tribunal (IPT) today notified Amnesty International that UK government agencies had spied on the organization by intercepting, accessing and storing its communications.

[snip]

“After 18 months of litigation and all the denials and subterfuge that entailed, we now have confirmation that we were in fact subjected to UK government mass surveillance. It’s outrageous that what has been often presented as being the domain of despotic rulers has been occurring on British soil, by the British government,” said Salil Shetty, Amnesty International’s Secretary General.

Admittedly, this doesn’t confirm that Amnesty has been swept up in 702 collection, but given the likelihood that one of the agencies, plural, that has intercepted Amnesty’s communications is GCHQ, and given the broad sharing between it and its Five Eyes partner NSA, it is almost certain NSA has those communications as well (if they didn’t actually collect some of them).

Amnesty is trying to gain clarity from the US on whether it, too, has spied on the NGO.

But, predictably, Amnesty had a better idea of what a threat the government posed for its work than Sammy Alito did.

 

In Reauthorizing the Dragnet, FISC Makes a Mockery of the Amicus Provision

/4 Comments/in /by

Between a ruling by Dennis Saylor issued on June 17, while I was away, and a ruling by Michael Mosman issued and released today, the FISA Court has done the predictable: ruled both that the lapse of the PATRIOT Act on June 1 did not mean the law reverted to its pre-PATRIOT status (meaning that it permitted collection of records beyond hotel and rental car records), and ruled that the dragnet can continue for 6 more months.

In other words, the government is back in the business of conducting a domestic dragnet of phone records. Huzzah!

As I said, the FISC’s ultimate rulings — that it will treat USA F-ReDux as if it passed before the lapse (a fair but contestable opinion) and that it will permit the dragnet to resume for 6 months — are unsurprising. It’s how they get there, and how they deal with the passage of USA F-ReDux and the rebuke from the 2nd Circuit finding the dragnet unlawful, that I find interesting.

Reading both together, in my opinion, shows how increasingly illegitimate the FISC is making itself. It did so in two ways, which I’ll address in two posts. In this one, I’ll treat the FISC’s differing approaches to the amicus provision.

USA F-ReDux was a deeply flawed bill (and some of my predictions about its weaknesses are already being fulfilled). But it was also intended as a somewhat flaccid critique of the FISC, particularly with its weak requirement for an amicus and its stated intent, if not an effective implementation, to rein in bulk collection.

Congress at least claimed to be telling the FISC it had overstepped both its general role by authorizing programmatic collection orders and its specific interpretation of Section 215. One of its solutions was a demand that FISC stop winging it.

The Court’s response to that was rather surly.

A timeline may help to show why.

June 1: Section 215 lapses

June 2: USA F-ReDux passes and government applies to restart the dragnet

June 5: Ken Cuccinelli and FreedomWorks challenge the dragnet but not resumption of post-PATRIOT Section 215 (Section 109)

June 5: Michael Mosman orders government response by June 12, a supplemental brief from FreedomWorks on Section 109 by June 12, immediate release of government’s June 2 memorandum of law

June 12: Government submits its response and FreedomWorks submits its Section 109 briefing, followed by short response to government submission

June 17: In response to two non-bulk applications, Dennis Saylor rules he doesn’t need amicus briefing to decide Section 109 question then rules in favor of restoration of post-PATRIOT Section 215

June 29: Michael Mosman decides to waive the 7-day application rule, decides to treat FreedomWorks as the amicus in this case while denying all other request for relief, and issues order restarting dragnet for until November 29 (the longest dragnet order ever)

After having been told by Congress FISC needs to start consulting with an amicus on novel issues, two judges dealt with that instruction differently.

In part, what happened here (as has happened in the past, notably when Colleen Kollar-Kotelly was reviewing the first Protect America Act certifications while Reggie Walton was presiding over Yahoo’s challenge to their orders) is that one FISC judge, Saylor, was ruling whether two new orders (BR 15-77 and 15-78) could be approved giving the lapse in Section 215 (which became a ruling on how to interpret Section 109) while another FISC judge, Mosman, was reviewing what to do with the FreedomWorks challenge. That meant both judges were reviewing what to do with Section 109 at the same time. On June 5, Mosman ordered up the briefing that would make FreedomWorks an amicus without telling them they were serving as such until today. FreedomWorks did offer up this possibility when they said they were “amenable to [designation as an amicus curiae] by this Court, as an alternative to proceeding under this Motion in Opposition,” but they also repeatedly requested an oral hearing, most recently a full 17 days ago.

The Court now turns to the Movants’ alternative request to participate as amici curiae. Congress, through the enactment of the USA FREEDOM Act, has expressed a clear preference for greater amicus curiae involvement in certain types of FISC proceedings.

[Mosman reviews of the amicus language of the law]

The Court finds that the government’s application “presents a novel or significant interpretation of the law” within the meaning of section 103(i)(2)(A). Because, understandably, no one has yet been designated as eligible to be appointed as an amicus curiae under section 103(i)(2)(A), appointment under that provision is not appropriate. Instead, the Court has chosen to appoint the Movants as amici curiae under section 103(i)(2)(B) for the limited purpose of presenting their legal arguments as stated in the Motion in Opposition and subsequent submissions to date.7

7 [footnote talking about courts’ broad discretion on how they use amicus]

That is, on June 29, Mosman found this circumstance requires an amicus under the law, and relied on briefing ordered way back on June 5 and delivered on June 12, while denying any hearing in the interim.

Meanwhile, in a June 17 ruling addressing what I consider the more controversial of the two questions Mosman treated — whether the lapse reverted Section 215 to its pre-PATRIOT status — Saylor used this logic to decide he didn’t need to use an amicus.

[3 paragraphs laying out how 103(i)(2)(A) requires an amicus unless the court finds it is not appropriate, while section 103(i)(2)(B) permits the appointment of an amicus]

The question presented here is a legal question: in essence, whether the “business records” provision of FISA has reverted to the form it took before the adoption of the USA PATRIOT Act in October 2001. That question is solely a matter of statutory interpretation; it presents no issues of fact, or application of facts to law, and requires no particular knowledge or expertise in technological or scientific issues to resolve. The issue is thus whether an amicus curiae should be appointed to assist the court in resolving that specific legal issue.

The legal question here is undoubtedly “significant” within the meaning of Section 1803(i)(2)(A). If Section 501 no longer provides that the government can apply for or obtain orders requiring the production of a broad range of business records and other tangible things under the statute, that will have a substantial effect on the intelligence-gathering capabilities of the government. It is likely “novel,” as well, as the issue has not been addressed by any court (indeed, the USA FREEDOM Act, is only two weeks old). The appointment of an amicus curiae would therefore appear to be presumptively required, unless the court specifically finds that such an appointment is “not appropriate.”

Because the the statute is new, the court is faced for the first time with the question of when it is “not appropriate” to appoint an amicus curiae. There is no obvious precedent on which to draw. Moreover, the court as a whole has not had an opportunity to consider or adopt any rules addressing the designation of amicus curiae.

The statute provides some limited guidance, in that it clearly contemplates that there will be circumstances where an amicus curiae is unnecessary (that is, “not appropriate”) even though an application presents a “novel or significant interpretation of the law.” At a minimum, it seems likely that those circumstances would include situations where the court concludes that it does not need the assistance or advice of amicus curiae because the legal question is relatively simple, or is capable of only a single reasonable or rational outcome. In other words, Congress must have intended the court need not appoint amicus curiae to point out obvious legal issues or obvious legal conclusions, even if the issue presented was “novel or significant.” Accordingly, the court believes that if the appropriate outcome is sufficiently clear, such that no reasonable jurist would reach a different decision, the appointment of an amicus curiae is not required under the statute.

This is such an instance. Although the statutory framework is somewhat tangled, the choice before the court is actually clear and stark: as described below, it can apply well established principles of statutory construction and interpret the USA FREEDOM Act in a manner that gives meaning to all its provisions, or it can ignore those principles and conclude that Congress passed an irrational statute with multiple superfluous parts.

That is, 5 days after FreedomWorks submitted briefing on the particular issue in question — Section 109 — Saylor decided he did not need an amicus even though this was obviously a novel issue. While FreedomWorks only addressed one of its responses to the question of the lapse, it did argue that, “Congress was fully aware ofthe problems associated with passing the expiration date and they chose to do nothing to fix those problems.”

And Saylor did not do what Mosman did, recognize that even though there wasn’t an amicus position set up, the court could easily find one, even if it asked the amicus to brief under 103(i)(2)(B). Indeed, by June 17, former SSCI Counsel Michael Davidson — literally the expert on FISA sunset provisions — had written a JustSecurity post describing the lapse as a “huge problem.” So by the time Saylor had suggested that “no reasonable jurist” could disagree with him, the author of the sunset provision in question had already disagreed with him. Why not invite Davidson to submit a brief?

It seems Mosman either disagrees with Saylor’s conclusion about the seriousness of Congress’ “preference for greater amicus curiae involvement” (though, having read Saylor’s opinion, he does say appointment under 103(i)(2)(A) “is not appropriate,” though without adopting his logic for that language in the least), or has been swayed by the criticism of people like Liza Goitein and Steve Vladeck responding to Saylor’s earlier opinion.

All that said, having found a way to incorporate an amicus — even one not knowingly acting as such during briefing — Mosman than goes on to completely ignore what the government and JudicialWatch said about the lapse — instead just declaring that “the government has the better end of the dispute” — and to justify that judgment, simply quoting from Saylor.

On June 1, 2015, the language of section 501 reverted to how it read on October 25, 2001. See page 2 supra. The government contends that the USA FREEDOM Act, enacted on June 2, 2015, restored the version of section 501 that had been in effect immediately before the June 1 reversion, subject to amendments made by that Act. Response at 4. Movants contend that the USA FREEDOM Act had no such effect. Supplemental Brief at 1-2. The Court concludes that the government has the better of this dispute.

Another judge of this Court recently held that the USA FREEDOM Act effectively restored the version of section 501 that had been in effect immediately before the June 1 sunset. See In reApplication of the FBI for Orders Requiring the Production ofTangible Things, Docket Nos. BR 15-77, 15-78, Mem. Op. (June 17, 2015). In reaching that conclusion, the Court noted that, after June 1, Congress had the power to reinstate the lapsed language and could exercise that power “by enacting any form of words” making clear “its intention to do so.” Id. at 9 (internal quotation marks omitted). The Court found that Congress indicated such an intention through section 705(a) of the USA FREEDOM Act, which amended the pertinent sunset clause8 by striking the date “June 1, 2015,” and replacing it with “December 15, 2019.” Id. at 7-9. Applying fundamental canons of statutory interpretation, the Court determined that understanding section 705(a) to have reinstated the recently-lapsed language of section 501 of FISA was necessary to give effect to the language of the amended sunset clause, as well as to amendments to section 501 of FISA made by sections 101 through 107 of the USA FREEDOM Act, and to fit the affected provisions into a coherent and harmonious whole. Id. at 10-12. The Court adopts the same reasoning and reaches the same result in this case.

JudicialWatch’s argument was the mirror image of Saylor’s — that “Congress was fully aware of the problems associated with passing the expiration date and they chose to do nothing to fix those problems” — and yet Mosman doesn’t deal with it in the least. His colleague had ruled, and so the government must have the better side of the argument.

That’s basically the logic Mosman uses on the underlying question, which I hope to return to. Even in making a symbolic nod to the amicus, Mosman is still engaging in the legally suspect navel gazing that has become the signature of the FISC.

Mind you, I’m not surprised by all this. That was very clearly what was going to happen to the amicus, and one reason why I said it’d be likely a 9-year process until we had an advocate that would make the FISC a legitimate court.

But this little exhibition of navel gazing has only reinforced my belief that we should not wait that long. There is no reason to have a FISC anymore, not now that virtually every District court has the ability to conduct the kind of classified reviews that FISC judges do. And as we’re about to see (Jameel Jaffer promised he’s going to ask the 2nd Circuit for an injunction today), the competing jurisdictions that in this case let District Court judges dismiss Appellate judges as less preferable than the government are going to create legal confusion for the foreseeable future (though one the government and FISC are likely going to negate by using the new fast track review process I warned about).

The FISC is beyond saving. We should stop trying.

Amazon’s Transparency Report: “Certain Purchase History”

/in /by

Last week, precisely 10 days after USA F-Redux — with its different formulas allowing for provider transparency –passed, Amazon released its first transparency report. In general, the report shows that Amazon either doesn’t retain — or successfully pushes back — against a lot of requests. For example, Amazon provided no or only partial information to a third of the 813 subpoenas it received last year.

Also of note, in a post accompanying the report, Stephen Schmidt claimed that “Amazon never participated in the NSA’s PRISM program,” which may not be all that surprising given that it has only received 25 non-national security search warrants.

As I’ve already suggested, I find the most interested detail to be the timing: given that Amazon has gotten crap as the only major company not to release a transparency report before, I suspect either that Amazon had a new application 2 years ago when everyone started reporting, meaning it had to wait until the new collection had aged under the reporting guidelines, or something about the more granular reporting made the difference for Amazon. Amazon reported in the 0-250 range (including both NSLs and other FISA orders), so it may just have been waiting to be able to report that lower number.

That said, Amazon received 13 non-national security court orders (aside from the one take down order they treat separately, which I believe has to do with an ISIL site), only 4 of which they responded fully to. I think this category would be where Amazon would count pen registers. And I’d expect Amazon to get pen registers in connection with their hosting services. If any of the 0 to 250 National Security orders are pen registers, it could be fairly intrusive.

Finally, Amazon clarified (sort of) something of particular interest. While Amazon makes clear that content stored in a customer’s site is content (self-evident, I know, but there are loopholes for stored content, which is a big part of why Amazon would be of interest (and was when Aaron Swartz was using them as a hosting service).

Non-content. “Non-content” information means subscriber information such as name, address, email address, billing information, date of account creation, and certain purchase history and service usage information. Content.

“Content” information means the content of data files stored in a customer’s account.

But Amazon doesn’t include “certain purchase history information” to be content.

As the country’s biggest online store, that’s where Amazon might be of the most interest. Indeed, in the legal filings pertaining to Usaamah Abdullah Rahim (the claimed ISIL follower whom Boston cops shot and killed on June 2) show they were tracking Rahim’s Amazon purchase of a knife very closely.

If you wanted to do a dragnet of purchase records, you’d include Amazon in there one way or another. And such a dragnet order might represent just one (or four) of the fewer than 250  orders Amazon got in a year.

It’s not surprising they’re treating (“certain”) purchase records as metadata. But it is worth noting.

DOJ IG: FBI’s Secret Applications of PRTT Are Even More Secret than Its Secret Applications of Section 215

/3 Comments/in /by

DOJ’s Inspector General just released its unclassified summary of its classified report on FBI’s use of Pen Register/Trap and Trace authority.

It is rather thin, just 5 pages long. It explains what it is in the secret report.

We described the different types of pen registers that were used and the variety of information that was collected, as well as some of the technological and legal issues the Department and FBI faced with particular uses of pen register authority. We also describe the investigative circumstances under which the authority is generally used and trends in its use. The FBI and the Intelligence Community determined that much of this information is classified or “for official use only,” and therefore we cannot include it in this Executive Summary.

Our classified report also describes the FBI’s practices for storing and handling pen register information, most of which have remained substantially unchanged since our 2007 – 2009 review period, and it provides an overview of the compliance process and a summary of the compliance incidents involving the use of pen register authority that occurred from 2007 through 2009. Our classified report also includes several findings, only one of which we can describe in this unclassified Executive Summary.

The claim is rather interesting, given that documents EPIC obtained under FOIA make it clear FBI has used PRTT orders to get location data (not at all surprising given that it does so under criminal PRTTs as well), and that it has 7 exotic applications of Post Cut Through Dialed Digits. Those EPIC documents also reveal that John Bates redefined the meaning of Dialing, Routing, Addressing, and Signaling to include some content.

How is it EPIC could obtain those documents but DOJ’s IG can’t tell us what he found about these practices?

The one conclusion DOJ’s IG can share, sort of, is that FBI has problems weeding out data it shouldn’t have.

[W]e highlighted the challenges the Department faced, and still faces, in ensuring that the government collects or uses only that information that it is lawfully permitted to obtain.

[snip]

We found that the Department’s National Security Division and FBI do not conduct systematic compliance reviews of pen registers, and instead rely on personnel assigned to cases involving pen registers to report any compliance violations.

The report repeatedly notes that “the government is not authorized under FISA to obtain the contents of wire or electronic communications with a pen register order.” Which, of course, we know it has, both under the NSA program, as well as under PCTDD (indeed, discussions with the FISC over both the content collection under the NSA collection and the PCTDD uses took place in 2009, within the scope of the report).

So I assume part of the problem — part of the reason why FBI treats its PRTT programs with greater secrecy than its Section 215 programs — is because it violates the law but doesn’t have the means in place to catch its own violations.

I mean, if FBI wants to declassify the proof that that isn’t true, by all means they should do so. But the available evidence suggests the FBI and government more generally is probably still violating the terms of PRTT under FISA.