The Timing of the Contemplated Upstream Cyber-Grab

/4 Comments/in /by

There’s an aspect missing thus far from the discussion of NSA’s possible bid for a cyber certification under Section 702 for primary use in the collection of attack signatures that could not be attributed to a foreign government.

The timing.

The discussion of creating a new Section 702 certificate came in the aftermath of the 6-month back and forth between DOJ and the FISA Court over NSA having collected US person data as part of its upstream collection (for more detail than appears in the timeline below, see this post). During that process, John Bates ruled parts of the program — what he deemed the intentional collection of US person data within the US — to be unconstitutional. That part of his opinion is worth citing at length, because of the way Bates argues that the inability to detach entirely domestic communications that are part of a transaction does not mean that those domestic communications were “incidentally” collected. Rather, they were “intentionally” collected.

Specifically, the government argues that NSA is not “intentionally” acquiring wholly domestic communications because the government does not intend to acquire transactions containing communications that are wholly domestic and has implemented technical means to prevent the acquisition of such transactions. See June 28 Submission at 12. This argument fails for several reasons.

NSA targets a person under Section 702 certifications by acquiring communications to, from, or about a selector used by that person. Therefore, to the extent NSA’s upstream collection devices acquire an Internet transaction containing a single, discrete communication that is to, from, or about a tasked selector, it can hardly be said that NSA’s acquisition is “unintentional.” In fact, the government has argued, that the Court has accepted, that the government intentionally acquires communications to and from a target, even when NSA reasonably — albeit mistakenly — believes that the target is located outside the United States. See Docket No. [redacted]

[snip]

The fact that NSA’s technical measures cannot prevent NSA from acquiring transactions containing wholly domestic communications under certain circumstances does not render NSA’s acquisition of those transactions “unintentional.”

[snip]

[T]here is nothing in the record to suggest that NSA’s technical means are malfunctioning or otherwise failing to operate as designed. Indeed, the government readily concedes that NSA will acquire a wholly domestic “about” communication if the transaction containing the communication is routed through an international Internet link being monitored by NSA or is routed through a foreign server.

[snip]

By expanding its Section 702 acquisitions to include the acquisition of Internet transactions through its upstream collection, NSA has, as a practical matter, circumvented the spirit of Section 1881a(b)(4) and (d)(1) with regard to that collection. (44-45, 48)

There are a number of ways to imagine that victim-related data and communications obtained with an attack signature might be considered “intentional” rather than “incidental,” especially given the Snowden document acknowledging that so much victim data gets collected it should be segregated from regular collection. Add to that the far greater likelihood that the NSA will unknowingly target domestic hackers — because so much of hacking involves obscuring attribution — and the likelihood upstream collection targeting hackers would “intentionally” collect domestic data is quite high.

Plus, there’s nothing in the 2011 documents released indicating the FISC knew upstream collection included cyber signatures — and related victim data — in spite of the fact that “current Certifications already allow for the tasking of these cyber signatures.” No unredacted section discussed the collection of US person data tied to the pursuit of cyberattackers that appears to have been ongoing by that point.

Similarly, the white paper officially informing Congress about 702 didn’t mention cyber signatures either. There’s nothing public to suggest it did so after the Senate rejected a Cybersecurity bill in August, 2012, either. That bill would have authorized less involvement of NSA in cybersecurity than appears to have already been going on.

With all that in mind, consider the discussions reflected in the documents released last week. The entire discussion to use FBI’s stated needs to apply as backup to apply for a cyber certificate came at the same time as NSA is trying to decide what to do with the data it illegally collected. Before getting that certificate, DOJ approved the collection of cyber signatures under other certificates. It seems likely that this collection would violate the spirit of the ruling from just the prior year.

And NSA’s assistance to FBI may have violated the prior year’s orders in another way. SSO contemplated delivering all this data directly to FBI.

Screen Shot 2015-06-11 at 9.42.56 AM

Yet one of the restrictions imposed on upstream collection — voluntarily offered up by DOJ — was that no raw data from NSA’s upstream collection go to FBI (or CIA). If there was uncertainty where FBI’s targeting ended and NSA’s began, this would create a violation of prior orders.

Meanwhile, the reauthorization process had already started, and as part of that (though curiously timed to coincide with the release of DOJ’s white paper on 702 collection) Ron Wyden and Mark Udall were trying to force NSA to figure out how much US person data they were collecting. Not only did the various Inspectors General refuse to count that data (which would have, under the logic of Bates’ opinions finding that illegally collected data was only illegal if the government knew it was US person data, made the data illegal), but the Senate Intelligence Committee refused to consider reconstituting their Technical Advisory Committee which might be better able to assess whether NSA claims were correct.

Sometime in that period, just as Wyden was trying to call attention to the fact that NSA was collecting US person data via its upstream collection, NSA alerted the Intelligence Committees to further “overcollection” under upstream collection.

2012 Upstream Notice

As I suggested here, the length of the redaction and mention of “other authorities” may reflect the involvement of another agency like FBI. One possibility, given the description of FBI collecting on cyber signatures using both PRTT and (presumably) traditional FISA in the discussions of SSO helping the FBI conduct this surveillance (note, I find it interesting though not conclusive that there is no mention of Section 215 to collect cybersecurity data), is that the initial efforts to go after these signatures in some way resulted in overcollection. If FISC interpreted victim-related data to be overcollection — as would be unsurprising under Bates’ 2011 upstream opinion — then it would explain the notice to Congress.

One more point. In this post, I noted that USA F-ReDux authorized FISC to let the government use data it had illegally collected but which FISC had authorized by imposing additional minimization procedures. It’s just a wildarseguess, but I find it plausible that this 2012 overcollection involved cyber signatures (because we know NSA was collecting it and there is reason to believe it violated Bates’ 2011 opinion), and that any victim data now gets treated under minimization procedures and therefore that any illegal data from 2012 may now, as of last week, be used.

All of which is to say that the revelation of NSA and FBI’s use of upstream collection to target hackers involves far more legal issues than commentary on the issue has made out. And these legal issues may well have been more appropriate for the government to reveal before passage of USA F-ReDux.

Update, 11/6: Some dates added from this opinionRead more

DOJ Doesn’t Care What the Text of the Law or the 2nd Circuit Says, Dragnet Edition

/13 Comments/in /by

Since USA F-ReDux passed JustSecurity has published two posts about how the lapse of Section 215 might create problems for the dragnet. Megan Graham argued that technically USA F-ReDux would have amended Section 215 as it existed in 2001, meaning the government couldn’t obtain any records but those that were specifically authorized before the PATRIOT Act passed. And former SSCI staffer Michael Davidson argued that a technical fix would address any uncertainty on this point.

DOJ, however, doesn’t much give a shit about what USA F-ReDux actually amends. In its memorandum of law accompanying a request to restart the dragnet submitted the night USA F-ReDux passed, DOJ asserted that of course Section 215 as it existed on May 31 remains in place.

Its brief lapse notwithstanding, the USA FREEDOM Act also expressly extends the sunset of Section 215 of the USA PATRIOT Act, as amended, until December 15, 2019, id.§ 705(a), and provides that, until the effective date of the amendments made by Sections 101through103, it does not alter or eliminate the Government’s authority to obtain an order under Section 1861 as in effect prior to the effective date of Sections 101through103 of the USA FREEDOM Act. Id.§ 109(b). Because the USA FREEDOM Act extends the sunset for Section 215 and delays the ban on bulk production under Section 1861until180 days from its enactment, the Government respectfully submits that it may seek and this Court may issue an order for the bulk production of tangible things under Section 1861 as amended by Section 215 of the USA PATRIOT Act as it did in docket number BR 15-24 and prior related dockets.

It cites comments Pat Leahy and Chuck Grassley made on May 22 (without, curiously, quoting either Rand Paul or legislative record from after Mitch McConnell caused the dragnet to lapse) showing that the intent of the bill was to extend the current dragnet.

While I think most members of Congress would prefer DOJ’s argument to hold sway, I would expect a more robust argument from DOJ on this point.

Likewise their dismissal of the Second Circuit decision in ACLU v. Clapper (which they say they’re still considering appealing). While it notes the Second Circuit did not immediately issue an injunction, DOJ’s base argument is weaker: it likes FISC’s ruling better and so it thinks FISC’s District Court judges should consider but ultimately ignore what the Second Circuit said.

The Government believes that this Court’s analysis of Section 215 reflects the better interpretation of the statute, see, e.g., In Re Application of the FBI for an Order Requiring the Production of Tangible Things, docket no. BR 13-109, Amended Mem. Op., 2013 WL 5741573 (FISA Ct. Aug. 29, 2013) (Eagan, J.) and In Re Application of the FBI for an Order Requiring the Production of Tangible Things, docket no. BR 13-158, Mem. (FISA Ct. Oct. 11, 2013) (McLaughlin, J.), disagrees with the Second Circuit panel’s opinion, and submits that the request for renewal of the bulk production authority is authorized under the statute as noted above.

[snip]

The Government submits that this Court’s analysis continues to reflect the better reading of Section 1861.

This is where, incidentally, the flaccid report language attached to USA F-ReDux is so problematic. In a filing affirming the importance of legislative language, had the HJC report said something more than “Congress’ decision to leave in place the ‘‘relevance’’ standard for Section 501 orders should not be construed as Congress’ intent to ratify the FISA Court’s interpretation of that term,” DOJ might have to take notice of the language. But as it is, without affirmatively rejecting FISC’s opinion, the government will pretend it doesn’t matter.

I’m no more surprised with DOJ’s argument about the Second Circuit decision than I am its insistence that lapsing a bill doesn’t have legal ramifications.

But I would expect both arguments to make some effort to appear a bit less insolent. I guess DOJ is beyond that now.

In Advance of FISA Amendments Act Reauthorization, DOJ Did Not Tell Congress about Cyber Signature Collection

/5 Comments/in , /by

As I noted here, I’m working on a post that puts last week’s report on NSA’s use of upstream Section 702 collection in context.

But first, there’s one more detail that deserves its own post.

By March 23, 2012, NSA had drafted a certificate exclusively for cyber, with the intent of getting the FISC to approve it that year (which probably would have been in October). Yet “the current Certifications already allow[ed] for the tasking of [] cyber signatures such as IP addresses, strings of computer code, and similar non-email or phone number-based selectors.”

And whether or not NSA was already collecting cyber signatures in March 2012, by May, DOJ approved their collection on the Foreign Government certificate.

On May 4, 2012, DOJ sent the Intelligence Committee Chairs a white paper on Section 702 to be shared with the rest of Congress. Here’s the passage that describes how NSA uses upstream collection:

Screen Shot 2015-06-08 at 8.13.37 AM

Given that the only redaction here addresses terrorists and the unredacted remainder describes only the collection of email and phone identifiers, it seems virtually certain that the passage — and therefore the white paper — made no mention of the cyber signature collection the NSA and DOJ were actively preparing to collect, and would collect before the reauthorization of FAA that December.

It’s certainly possible DOJ gave Congress notice that the use of Section 702 had changed significantly by the time Congress voted in December, but there’s no public record of it. In the interim period, the Senate defeated a cybersecurity bill that would even have restricted NSA from obtaining domestically collected cyber data, reflecting real skepticism about spying for cybersecurity purposes in the US.

If, as the record strongly suggests, the government expanded NSA upstream 702 to include cyber signatures without telling Congress before they reauthorized the underlying authority, it would not be the first time: DOJ did not tell even the House Judiciary Committee — much less Congress as a whole — that it was using Section 215 to collect location data until after both the 2010 and 2011 Patriot Act reauthorizations.

Whatever the merit to using 702 upstream collection to hunt hackers — even ignoring the real privacy problems with it — the public record raises real questions about whether the practice was authorized and would have been authorized by Congress. Given that such collection involves an expansion of the intentional collection of domestic data, the apparent absence of Congressional sanction raises real problems about the practice (though, as I’ve suggested, Congress just retroactively authorized the use of whatever illegally-collected 702 data NSA can get FISC to approve the use of).

The NSA’s defenders like to claim Congress always gets notice. But the record shows that, over and over, NSA only asks for for forgiveness after the fact rather than asking for permission before the collection.

NSA Reported a Section 702 Upstream Overcollection Incident in 2012

/6 Comments/in /by

I’m working on a longer post on the timing of the NSA’s bid to get a cyber Section 702 certificate in 2012. But I wanted to point to a detail about upstream 702 collection that may be relevant to the issue.

According to the 4Q FY2012 Intelligence Oversight Board report — the one covering the quarter ending September 30, 2012 — NSA notified Congress of an overcollection (a polite way of saying “illegal data collection”) under both upstream collection and “other authorities.” The overcollection was fairly significant, both because NSA did notify Congress, which it doesn’t do for individual incidences of overcollection, and because NSA had to implement both a short-term and long-term solution to the collection issue.

2012 Upstream Notice

This is almost certainly separate from the upstream violations reported in 2011, which resulted in Judge John Bates declaring the collection of entirely US-person data as part of Multi-Communication Transactions collected using upstream 702 collection to be a violation of the Fourth Amendment. Reference to that notice appeared in the 3Q FY2011 report, the one covering the quarter ending June 30, 2011. Not only does the earlier IOB Report show Congress had already been notified of the 2011 violations, but that (unlike some earlier notices) they were notified in timely fashion.

Which suggests the 2012 notification was probably provided to Congress shortly after its official discovery, too.

Moreover, a description of the 2011 problems with upstream collection appeared in a May 4, 2012 letter to Congress, in anticipation of FISA Amendments Act reauthorization that year, by which point NSA had already informed Bates they were going to purge the overcollected MCT data (that happened in April 2012). Thus, no new notice would have been necessary (and would have been sent exclusively to the Intelligence Committees) in 3Q FY2012, which started on July 1.

So this 2012 notice almost certainly represents yet another incidence where NSA (and possibly another agency, given the redaction length and reference to other authorities) illegally collected content it wasn’t entitled to collect inside the US.

This overcollection is significant for two reasons.

First, as will become more clear when I do this timeline, DOJ and NSA would have been dealing with this overcollection at precisely the same time the two agencies were preparing to apply for a Section 702 certification authorizing the collection of cyber signatures. Indeed, it’s possible that is why this overcollection was officially identified, as I’ll lay out, though there are plenty of other possibilities as well.

Just as importantly, USA F-ReDux probably just authorized the government to use the data collected under this second incident of apparently systemic overcollection under upstream 702.

On its face, Section 301 of USA F-ReDux appears to prohibit the use (but not the parallel construction of) data collected unlawfully under Section 702 unless it presents a threat of death or serious bodily harm (which NSA has secretly redefined to include threat to property).

[I]f the Court orders a correction of a deficiency in a certification or procedures under subparagraph (B), no information obtained or evidence derived pursuant to the part of the certification or procedures that has been identified by the Court as deficient concerning any United States person shall be received in evidence or otherwise disclosed in any trial [… or any other Federal proceeding …] except with the approval of the Attorney General if the information indicates a threat of death or serious bodily harm to any person.

But in substance, the Section actually authorizes the government to use such data once it has satisfied the FISC.

If the Government corrects any deficiency identified by the order of the Court under subparagraph (B), the Court may permit the use or disclosure of information obtained before the date of the correction under such minimization procedures as the Court may approve for purposes of this clause.

The Section likely addresses something that happened as John Bates tried to deal with both the PRTT Internet dragnet violations in 2010 and the upstream collection violations in 2011. In both cases, he found the government had intentionally collected US person content in the US. And so, Bates determined, under 50 U.S.C. § 1809(a), it would be a crime for the government to disseminate the data.

In 2010, Bates rejected a slew of government arguments (see pages 100 to 113) that he could just retroactively make this illegal collection legal.

Finally, insofar as the government suggests that the Court has an inherent authority to permit the use and disclosure of all unauthorized collection without regard to Section 1809, see Memorandum of Law at 73-74 & n.37, the Court again must disagree.

[snip]

The Court simply lacks the power, inherent or otherwise, to authorize the government to engage in conduct that Congress has unambiguously prohibited

Bates’ interpretation of 50 U.S.C. § 1809(a) is what led the government to purge the illegally collected upstream data in April 2012 (that may have also been why NSA purged its illegally collected Internet dragnet data in December 2011).

Section 301 of USA F-ReDux was clearly intended to give FISC the authority Bates said he didn’t have in 2010: to permit a FISC judge to permit the government to disseminate data found to be illegally collected, but retroactively sanctioned via the use of minimization procedures.

At first, I didn’t think the Section would affect any known data, because NSA purged both the illegal PRTT data and the illegal upstream data, so that couldn’t be used anymore.

But the IOB report shows there was more illegal upstream data collected, within a year. And the reference to a “long-term solution” to it may suggest that NSA held onto the data and was just finding a way to retroactively authorize it.

From the IOB description, we can’t know what data NSA had illegally collected or why. But there’s a decent chance USA F-ReDux just retroactively made the use of it legal.

FreedomWorks Challenges the Transitional Dragnet

/5 Comments/in /by

On Friday, FreedomWorks and Ken Cuccinelli challenged the phone dragnet.

The challenge is a basic legal challenge, not a technical one arising from the lapse of the dragnet. It is smarter than others I’ve read because it recognizes the dragnet is about backbone usage, not specific provider. It also has more language on contracting than other challenges I’ve read closely (though I haven’t read Rand Paul’s, and I expect that language was in his challenge).

But as I said, there’s nothing I saw in the challenge that questions how USA F-ReDux can simply extend Section 215 when that provision had already lapsed.

At the very least, because of this challenge, we’ll get to see what the government argued about that lapse. That’s because Michael Mosman (who signed the December dragnet order, but was also remarkably willing to review a challenge to FISA- and EO 12333-authorized methods in Reaz Qadir Khan’s case) not only ordered the government to brief whether ongoing dragnettery was legal under Title V of FISA as modified by USA F-ReDux by next Friday, but he ordered the government to turn over an unclassified version of the memorandum of law it submitted on June 2 to restart the dragnet.

Screen Shot 2015-06-06 at 9.08.12 PM

 

In addition to whatever else this says, it makes it clear that (unsurprisingly) the Administration filed to restart the dragnet on Tuesday night, just after the President signed USA F-ReDux.

Why Is the Aramco Hack Considered a Significant NSA Milestone?

/8 Comments/in , , /by

Screen Shot 2015-06-06 at 10.04.57 AMI’ve been puzzling over the list of “key SSO cyber milestone dates” released with the upstream 702 story the other day.

For the most part, it lists technical and legal milestones leading to expanded collection targeting cyber targets (which makes sense, given that’s what Special Source Operations does — collect data off switches). There’s the one redacted bullet (which, if it referred to an attack thwarted, might refer to this thwarted attack on a US defense contractor in December 2012).

But what is the August 2012 DDOS attack on Saudi Aramco doing on the list? And, for that matter, why is it referred to as a DDOS attack?

The attack was publicly described as a two-step hack targeted against both Aramco and Qatar’s gas industry which copy-catted an attack associated with the Flame attack on Iran. It is generally now described as Iranian retaliation for StuxNet. Though at the time, potential attribution ranged from hacktivists, a single hacker, or Aramco insiders. The Sony hack used tools related to the Shamoon attack.

Not long after the Aramco hack, the NSA expanded their Third Party SIGINT relationship to include the Saudi Interior Ministry (then led by close US ally Mohammed bin Nayef). The next month the Saudis (again, with MbN in the leader) prematurely renewed their Technical Cooperation Agreement with the US, adding a new cybersecurity component.

So regardless of how serious an attack it was (on that, too, accounts varied) it did have a significant effect on our role in cybersecurity in the Middle East, potentially with implications for SSO.

But unless SSO thwarted the attack — or at least alerted the Saudis in time to pull their computers offline — why would that be a significant milestone for SSO?

 

In October 2013, Patrick Leahy and Jim Sensenbrenner Rolled Out a Bill That Would Have Ended Upstream Cyber Collection

/8 Comments/in , /by

Back in October 2013, Jim Sensenbrenner and Patrick Leahy released the original, far better, version of the USA Freedom Act. As I noted in November 2013, it included a provision that would limit upstream collection to international terrorism and international proliferation of WMD uses.

It basically adds a paragraph to section d of Section 702 that limits upstream collection to two uses: international terrorism or WMD proliferation.

(C) limit the acquisition of the contents of any communication to those communications—

(i) to which any party is a target of  the acquisition; or

(ii) that contain an account identifier of a target of an acquisition, only if such communications are acquired to protect against international terrorism or the international proliferation of weapons of mass destruction.;

And adds a definition for “account identifier” limiting it to identifiers of people.

(1) ACCOUNT IDENTIFIER.—The term ‘account identifier’ means a telephone or instrument number, other subscriber number, email address, or  username used to uniquely identify an account.

At the time, I noted that this would give the NSA 6 months to shut down the use of upstream collection to collect cyber signatures.

Jonathan Mayer’s comments on the NYT/PP story today reveals why that would be important to do (this is a point I’ve been making for years): because if you’re collecting signatures of cyber attacks, you’re collecting victim data, as well, a problem that would only get worse under the cyberinformation sharing bills before Congress.

This understanding of the NSA’s domestic cybersecurity authority leads to, in my view, a more persuasive set of privacy objections. Information sharing legislation would create a concerning surveillance dividend for the agency.

nsa_cyber_2

Because this flow of information is indirect, it prevents businesses from acting as privacy gatekeepers. Even if firms carefully screen personal information out of their threat reports, the NSA can nevertheless intercept that information on the Internet backbone.

Furthermore, this flow of information greatly magnifies the scale of privacy impact associated with information sharing. Here’s an entirely realistic scenario: imagine that a business detects a handful of bots on its network. The business reports a signature to DHS, who hands it off to the NSA. The NSA, in turn, scans backbone traffic using that signature; it collects exfiltrated data from tens of thousands of bots. The agency can then use and share that data.12 What began as a tiny report is magnified to Internet scale.

But, instead of giving NSA 6 months to close this loophole, we instead passed USA F-ReDux, which does nothing to rein domestic spying in the name of cybersecurity.

Leahy released a remarkable statement in response to today’s story that doesn’t reveal whether he knew of this practice (someone knew to forbid it in their original bill!), but insisting he’ll fight for more limits on surveillance and transparency.

Today’s report that the NSA has expanded its warrantless surveillance of Internet traffic underscores the critical importance of placing reasonable and commonsense limits on government surveillance in order to protect the privacy of Americans.  Congress took an important step in this direction this week by passing the USA FREEDOM Act, but I have always believed and said that more reforms are needed.  Congress should have an open, transparent and honest debate about how to protect both our national security and our privacy.  As Congress continues to work on surveillance and cybersecurity legislation, I will continue to fight for more reforms, more transparency, and more accountability – particularly on issues related to the privacy of Americans’ personal communications.

Remember: on Tuesday, Richard Burr vehemently denied we had secret law. And while this application of FISA wasn’t entirely secret — I figured it out pretty quickly, but a great great many people doubted me, as per usual — even Leahy is faced with a situation where he can’t admit he knew about a practice he already tried to shut down once.

Section 702 Used for Cybersecurity: You Read It Here First

/3 Comments/in /by

I have been reporting for years that the government uses Section 702 for cybersecurity purposes, including its upstream application.

ProPublica and NYT have now confirmed and finally liberated related Snowden documents on the practice. They show that DOJ tried to formalize the process in 2012 (though I have reasons to doubt that the NSA documents released tell all of the story, as I hope to show in upcoming posts).

Without public notice or debate, the Obama administration has expanded the National Security Agency’s warrantless surveillance of Americans’ international Internet traffic to search for evidence of malicious computer hacking, according to classified NSA documents.

In mid-2012, Justice Department lawyers wrote two secret memos permitting the spy agency to begin hunting on Internet cables, without a warrant and on American soil, for data linked to computer intrusions originating abroad — including traffic that flows to suspicious Internet addresses or contains malware, the documents show.

The Justice Department allowed the agency to monitor only addresses and “cybersignatures” — patterns associated with computer intrusions — that it could tie to foreign governments. But the documents also note that the NSA sought to target hackers even when it could not establish any links to foreign powers.

The disclosures, based on documents provided by Edward J. Snowden, the former NSA contractor, and shared with the New York Times and ProPublica, come at a time of unprecedented cyberattacks on American financial institutions, businesses and government agencies, but also of greater scrutiny of secret legal justifications for broader government surveillance.

Jonathan Mayer, whom ProPublica and NYT cite in the article, has his own worthwhile take on what the documents say.

Stay tuned!

On Carrots, Sticks, and Rand Paul

/8 Comments/in /by

Now that USA F-ReDux has become USA FreeDone, I wanted to look at Steve Vladeck’s two bizarre posts attacking Rand Paul’s opposition to USA F-ReDux as a way of doing a post-mortem on the process.

I say bizarre because Vladeck complains that Paul “seize[d] the national spotlight in order to focus everyone’s attention on a hyper-specific question” — that of the Section 215 dragnet — when Vladeck has, at this late date, joined those of us who have long been pushing a focus on broader issues, specifically EO 12333 and Section 702. To support his claim that Paul is singularly focused on Section 215, Vladeck links to a second-hand report of a sentence in Paul’s campaign announcement, rather than to the announcement itself which (while more muddled than in other statements where Paul has named EO 12333 directly) invokes surveillance authorized by Executive Order, not the PATRIOT Act.

The president created this vast dragnet by executive order. And as president on day one, I will immediately end this unconstitutional surveillance.

Contrary to Vladeck’s miscitation, in this and other comments, Paul seized the national spotlight, in significant part, to talk about the broader issues, specifically EO 12333 and Section 702, that those pushing USA F-ReDux had set aside for future fights. Indeed, big parts of Paul’s filibuster speech — including his 10 and Ron Wyden’s 2 references to EO 12333 and his 18 and Wyden’s 3 references to 702 — sounds a lot like Vladeck’s series of posts worrying that this will be the only shot at reform and therefore regretting that we didn’t talk about the bigger issues as part of it.

Another deficiency of the USA FREEDOM Act is that it does not address bulk collection under Executive Order 12333. The bill also fails to address bulk collection under section 702 of the FISA Amendments Act.

One could say: What are you complaining about? You are getting some improvement. You still have problems, but you are getting some improvement.

I guess my point is that we are having this debate, and we don’t have it very often. We are having the debate every 3 years, and some people have tried to make this permanent, where we would never have any debate. Even though we are only having it every3 years, it is still uncertain whether I will be granted any amendments to this bill.

So, yes, I would like to address everything while we can. I think we ought to address section 702. I think we ought to–for goodness’ sake, why won’t we have some hearings on Executive Order 12333? I think they may be having them in secret, but I go back to what Senator Wyden said earlier. I think the principles of the law could be discussed in public. We don’t have to reveal how we do stuff. Do we think anybody in the world thinks we are not looking at their stuff? Why don’t we
explore the legality and the law of how we are doing it as opposed to leaving it unsaid and unknown in secret?

In other words, unlike the drone filibuster Vladeck points to as proof of “libertarian hijacking” — where Paul definitely defined his terms narrowly (but in a later iteration did succeed in getting more response from Jim Comey than Ron Wyden making demands) — Paul was arguing for precisely what Vladeck said we should be arguing about. He just has cooties, I guess is the substance of Vladeck’s argument, so Vladeck doesn’t want him as an ally.

Equally bizarre is Vladeck’s claim that, “it was the very same Senator Paul who all-but-singlehandedly torpedoed the Leahy bill back in November, helping to force the entirely unnecessary political and legal brinkmanship of the past week.” That’s bizarre because, as a matter of fact, Paul did not “singlehandedly” torpedo the bill; Bill Nelson played an equal role (and that’s even assuming the bill had enough votes to pass, which given that I know of 1 pro-cloture vote who was a no vote on passage and a significant number who weren’t committed to vote for it without improving amendment, was never a foregone conclusion). It’s easy to blame Paul because it absolves whoever it was that whipped a bill but didn’t even count all the Democratic votes on it, but Paul was in no way singlehandedly responsible.

But the view all the more bizarre, coming from Vladeck, because if Paul singlehandedly torpedoed the bill (he didn’t) he also singlehandedly made the 2nd Circuit ruling for ACLU possible (he didn’t, but that is Vladeck’s logic). And unlike most USA F-ReDux champions, Vladeck has been very attentive– if, at times, arguably mistaken in his understanding of it — to the interaction of USA F-ReDux legislation and the courts. While USA F-ReDux is — important additional Congressional reporting requirements on PRTT and bulky 215 collection notwithstanding — definitely a worse bill than its predecessor, that’s not the measure. So long as the 2nd Circuit decision ruling against “relevant to” and finding a Fourth Amendment interest at the moment of collection rather than review stands (the government still has a few weeks to challenge it), the measure is USA F-ReDux plusthe 2nd Circuit decision as compared to USAF without the additional leverage of an appellate court ruling. There are very important things the 2nd Circuit decision may add to USA F-ReDux. Every commenter is entitled to weigh that measure themselves, but if you’re going to hold Paul responsible for torpedoing the legislation last fall you also have to credit him with buying time so the 2nd Circuit could weigh in.

Which brings me to leverage.

I was not a fan of any version of USAF because all left every key provision save the CDR function (and even some of that was left dangerously open to interpretation until HJC wrote its final bill report) subject to the whim of the Executive and/or the FISC, and the bill itself jettisoned necessary leverage over the Executive (Vladeck has written about the gutting of the FISC advocate, and a parallel gutting has happened on transparency provisions from the start). That is, rather than exercise some kind of authority over the Executive, Congress basically wrote down what the Executive wanted and passed it in a way that the Executive still had a lot of leeway to decide what it wanted to do.

I get why that happened and I don’t mean to diminish the work of those who pushed for more: the votes and leadership buy-in simply isn’t there yet to actually start limiting what Article II will do in secret.

But that means none of the other things Vladeck wants will be possible until we get more leverage. And while the outcome of the bill may be the same and/or worse, what is different about the passage of USA F-ReDux is that leadership in both house of Congress barely kept it together.

And Rand Paul, whether he has cooties or not, was key to that process.

That’s true, in large part, because Mitch McConnell was aiming to set up an urgent crisis as a way to scare people into making the bill worse. He succeeded in doing so by delaying consideration of the bill until the last minute, but when Paul — and Ron Wyden and Martin Heinrich — prevented him from getting a short-term extension to do so without lapsing the dragnet, that changed the calculus of the crisis. It meant those who had bought into the idea you need a dragnet to keep the country safe could be pressured to vote against McConnell’s efforts to weaken USA F-ReDux. (Note, there are some who have claimed that Paul objected to immediately considering USA F-ReDux Sunday night, giving McConnell his opportunity to amend the bill, but the congressional record doesn’t support that; McConnell didn’t call for immediate consideration of the bill itself until he had already filled the tree with amendments.)

And while I don’t want to minimize the utterly crucial efforts of Mike Lee to actually whip the vote, that effort was made easier by the very real threat that if the bill had to go back to the House it would die, resulting in a more permanent lapse to Section 215 and the other expired authorities. Leahy and others used that threat repeatedly, in fact, to argue that surveillance hawks needed to support an amended bill. And the threat was heightened because John Boehner had real worries that if he tried something funny, his own leadership would be at risk.

Last year, the privacy community was mostly fighting with carrots against an Executive branch that was dictating what it was willing to give up. Now, it’s fighting with carrots and sticks. We haven’t gotten the Executive branch to give up anything it didn’t already want to give up yet. But having dealt McConnell a big defeat and having the threat to do so with Boehner might make that possible going forward.

Having someone like Rand Paul, who is not afraid to be accused of having cooties, to make that possible is a critical part of that process. That doesn’t negate the efforts of anyone else (again, I’m really encouraged by Mike Lee’s role in all this). But it does mean people holding carrots but demanding things that will only be obtained with some sticks, too, ought not to dismiss the efforts to make the threat of a stick real.

 

Did FBI Stall an IG Review of Innocent Americans Sucked Up in the Dragnet?

/6 Comments/in /by

I mentioned earlier that the FBI withheld information on the Bureau’s use of phone dragnet tippers from DOJ’s Inspector General long enough to make any review unusable for Congress’ consideration before it passed USA F-ReDux.

That’s important because of this passage from the Stellar Wind IG Report.

Another consequence of the Stellar Wind program and the FBI’s approach to assigning leads was that many threat assessments were conducted on individuals located in the United States, including U.S. persons, who were determined not to have any nexus to terrorism or represent a threat to national security.402 These assessments also caused the FBI to collect and retain a significant amount of personal identification about the users of tipped telephone numbers and e-mail addresses. In addition to an individual’s name and home address, such information could include where the person worked, records of foreign travel, and the identity of family members. The results of these threat assessments and the information that was collected generally were reported in communications to FBI Headquarters and uploaded into FBI databases.

The FBI’s collection of U.S. person information in this manner is ongoing under the NSA’s FISA-authorized bulk metadata collection. To the extent leads derived from this program generate results similar to those under Stellar Wind, the FBI will continue to collect and retain a significant amount of information about individuals in the United States, including U.S. persons, that do not have a nexus to terrorism or represent a threat to national security.

We recommend that as part of the [redacted] project, the Justice Department’s National Security Division (NSD), working with the FBI, should collect addresses disseminated to FBI field offices that are assigned as Action leads and that require offices to conduct threat assessments. The information compiled should include whether individuals identified in threat assessments are U.S. or non-U.S. persons and whether the threat assessments led to the opening of preliminary or full national security investigations. With respect to threat assessments that conclude that users of tipped telephone numbers or e-mail addresses are not involved in terrorism and are not threats to national security, the Justice Department should take steps to track the quantity and nature of U.S. person information collected and how the FBI retains and utilizes this information. This will enable the Justice Department and entities with oversight responsibilities, including the OIG and congressional committees, to assess the impact this intelligence program has on the privacy interests of U.S. persons and to consider whether, and for how long, such information should be retained. (PDF 666-7/329-330)

After a preceding section talking about how many of the tippers to FBI — which, after all, may be two hops away from someone of interest — weren’t all that useful, DOJ’s IG (the current IG, Michael Horowitz’s predecessor, Glenn Fine) noted how many Americans with no nexus to terrorism nevertheless have their names, home addresses, workplace, travel records, and family members’ identities collected and stored in an FBI database, potentially for decades. And, we now know, those assessments would include a search for any previously-collected content, which the FBI could read without a warrant.

Fine recommended that FBI begin to track what happens with the Americans sucked up in PATRIOT-authorized dragnets.

But we can be virtually certain FBI chose not to heed that recommendation, because it hasn’t heeded similar recommendations with NSLs, and because FBI refuses to track any of their other FISA-related activities.

And Horowitz has been very disciplined in following up on previous IG recommendations in reports that follow up on like topics, so that is likely one of the things he planned to investigate with his focus on the “receiving, processing, and disseminating [of] leads” from the phone dragnet.

The review will examine the FBI’s procedures for receiving, processing, and disseminating leads the NSA develops from the metadata, as well as any changes that have been made to these procedures over time. The review will also examine how FBI field offices respond to leads and the scope and type of information field offices collect as a result of any investigative activity that is initiated. In addition, the review will examine the role the leads have had in FBI counterterrorism efforts

Frankly, because NSA had to curtail so much of what they were doing with the phone dragnet in 2009, there should be fewer Americans sucked up in the dragnet now then there was when Fine did his Stellar Wind review in 2008-09. Though if FBI continued to require an assessment of every new identifier, it would still result in a lot of innocent Americans having their lives unpacked and stored for 30 years by the FBI.

But those numbers will likely be higher — potentially significantly higher — under USA F-ReDux, because any given query will draw off of more kinds of information. More importantly, FBI is exempted from counting the queries it does on any database of call detail records obtained under the new CDR function.

(C) the number of search terms that included information concerning a United States person that were used to query any database of call detail records obtained through the use of such orders;

[snip]

(A) FEDERAL BUREAU OF INVESTIGATION.—Paragraphs (2)(A), (2)(B), and (5)(C) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

This strongly suggests the data will come in through the FBI, be treated under FBI’s far more permissive (than NSA’s) minimization procedures, and searched regularly. Which likely means the privacy implications of innocent Americans sucked up into the dragnet will be far worse. And all that’s before any of the analysis NSA will do on these query results.

There was no public consideration of the privacy impact of the innocent Americans sucked in under the CDR function during the USA F-ReDux debate (though I wrote about it repeatedly).

But if DOJ’s IG intended to include past recommendations in its review of what FBI does with the phone dragnet data — which would be utterly consistent with past practice — that’s one of the things this review, the review FBI stalled beyond the point when it could be useful, would have focused on.