In Reauthorizing the Dragnet, FISC Makes a Mockery of the Amicus Provision

Between a ruling by Dennis Saylor issued on June 17, while I was away, and a ruling by Michael Mosman issued and released today, the FISA Court has done the predictable: ruled both that the lapse of the PATRIOT Act on June 1 did not mean the law reverted to its pre-PATRIOT status (meaning that it permitted collection of records beyond hotel and rental car records), and ruled that the dragnet can continue for 6 more months.

In other words, the government is back in the business of conducting a domestic dragnet of phone records. Huzzah!

As I said, the FISC’s ultimate rulings — that it will treat USA F-ReDux as if it passed before the lapse (a fair but contestable opinion) and that it will permit the dragnet to resume for 6 months — are unsurprising. It’s how they get there, and how they deal with the passage of USA F-ReDux and the rebuke from the 2nd Circuit finding the dragnet unlawful, that I find interesting.

Reading both together, in my opinion, shows how increasingly illegitimate the FISC is making itself. It did so in two ways, which I’ll address in two posts. In this one, I’ll treat the FISC’s differing approaches to the amicus provision.

USA F-ReDux was a deeply flawed bill (and some of my predictions about its weaknesses are already being fulfilled). But it was also intended as a somewhat flaccid critique of the FISC, particularly with its weak requirement for an amicus and its stated intent, if not an effective implementation, to rein in bulk collection.

Congress at least claimed to be telling the FISC it had overstepped both its general role by authorizing programmatic collection orders and its specific interpretation of Section 215. One of its solutions was a demand that FISC stop winging it.

The Court’s response to that was rather surly.

A timeline may help to show why.

June 1: Section 215 lapses

June 2: USA F-ReDux passes and government applies to restart the dragnet

June 5: Ken Cuccinelli and FreedomWorks challenge the dragnet but not resumption of post-PATRIOT Section 215 (Section 109)

June 5: Michael Mosman orders government response by June 12, a supplemental brief from FreedomWorks on Section 109 by June 12, immediate release of government’s June 2 memorandum of law

June 12: Government submits its response and FreedomWorks submits its Section 109 briefing, followed by short response to government submission

June 17: In response to two non-bulk applications, Dennis Saylor rules he doesn’t need amicus briefing to decide Section 109 question then rules in favor of restoration of post-PATRIOT Section 215

June 29: Michael Mosman decides to waive the 7-day application rule, decides to treat FreedomWorks as the amicus in this case while denying all other requests for relief, and issues an order restarting the dragnet until November 29 (the longest dragnet order ever)

After having been told by Congress FISC needs to start consulting with an amicus on novel issues, two judges dealt with that instruction differently.

In part, what happened here (as has happened in the past, notably when Colleen Kollar-Kotelly was reviewing the first Protect America Act certifications while Reggie Walton was presiding over Yahoo’s challenge to their orders) is that one FISC judge, Saylor, was ruling on whether two new orders (BR 15-77 and 15-78) could be approved given the lapse in Section 215 (which became a ruling on how to interpret Section 109) while another FISC judge, Mosman, was reviewing what to do with the FreedomWorks challenge. That meant both judges were reviewing what to do with Section 109 at the same time. On June 5, Mosman ordered up the briefing that would make FreedomWorks an amicus without telling them they were serving as such until today. FreedomWorks did offer up this possibility when they said they were “amenable to [designation as an amicus curiae] by this Court, as an alternative to proceeding under this Motion in Opposition,” but they also repeatedly requested an oral hearing, most recently a full 17 days ago.

The Court now turns to the Movants’ alternative request to participate as amici curiae. Congress, through the enactment of the USA FREEDOM Act, has expressed a clear preference for greater amicus curiae involvement in certain types of FISC proceedings.

[Mosman reviews the amicus language of the law]

The Court finds that the government’s application “presents a novel or significant interpretation of the law” within the meaning of section 103(i)(2)(A). Because, understandably, no one has yet been designated as eligible to be appointed as an amicus curiae under section 103(i)(2)(A), appointment under that provision is not appropriate. Instead, the Court has chosen to appoint the Movants as amici curiae under section 103(i)(2)(B) for the limited purpose of presenting their legal arguments as stated in the Motion in Opposition and subsequent submissions to date.7

7 [footnote talking about courts’ broad discretion on how they use amicus]

That is, on June 29, Mosman found this circumstance requires an amicus under the law, and relied on briefing ordered way back on June 5 and delivered on June 12, while denying any hearing in the interim.

Meanwhile, in a June 17 ruling addressing what I consider the more controversial of the two questions Mosman treated — whether the lapse reverted Section 215 to its pre-PATRIOT status — Saylor used this logic to decide he didn’t need to use an amicus.

[3 paragraphs laying out how 103(i)(2)(A) requires an amicus unless the court finds it is not appropriate, while section 103(i)(2)(B) permits the appointment of an amicus]

The question presented here is a legal question: in essence, whether the “business records” provision of FISA has reverted to the form it took before the adoption of the USA PATRIOT Act in October 2001. That question is solely a matter of statutory interpretation; it presents no issues of fact, or application of facts to law, and requires no particular knowledge or expertise in technological or scientific issues to resolve. The issue is thus whether an amicus curiae should be appointed to assist the court in resolving that specific legal issue.

The legal question here is undoubtedly “significant” within the meaning of Section 1803(i)(2)(A). If Section 501 no longer provides that the government can apply for or obtain orders requiring the production of a broad range of business records and other tangible things under the statute, that will have a substantial effect on the intelligence-gathering capabilities of the government. It is likely “novel,” as well, as the issue has not been addressed by any court (indeed, the USA FREEDOM Act is only two weeks old). The appointment of an amicus curiae would therefore appear to be presumptively required, unless the court specifically finds that such an appointment is “not appropriate.”

Because the statute is new, the court is faced for the first time with the question of when it is “not appropriate” to appoint an amicus curiae. There is no obvious precedent on which to draw. Moreover, the court as a whole has not had an opportunity to consider or adopt any rules addressing the designation of amicus curiae.

The statute provides some limited guidance, in that it clearly contemplates that there will be circumstances where an amicus curiae is unnecessary (that is, “not appropriate”) even though an application presents a “novel or significant interpretation of the law.” At a minimum, it seems likely that those circumstances would include situations where the court concludes that it does not need the assistance or advice of amicus curiae because the legal question is relatively simple, or is capable of only a single reasonable or rational outcome. In other words, Congress must have intended the court need not appoint amicus curiae to point out obvious legal issues or obvious legal conclusions, even if the issue presented was “novel or significant.” Accordingly, the court believes that if the appropriate outcome is sufficiently clear, such that no reasonable jurist would reach a different decision, the appointment of an amicus curiae is not required under the statute.

This is such an instance. Although the statutory framework is somewhat tangled, the choice before the court is actually clear and stark: as described below, it can apply well established principles of statutory construction and interpret the USA FREEDOM Act in a manner that gives meaning to all its provisions, or it can ignore those principles and conclude that Congress passed an irrational statute with multiple superfluous parts.

That is, 5 days after FreedomWorks submitted briefing on the particular issue in question — Section 109 — Saylor decided he did not need an amicus even though this was obviously a novel issue. While FreedomWorks addressed the question of the lapse in only one of its responses, it did argue that, “Congress was fully aware of the problems associated with passing the expiration date and they chose to do nothing to fix those problems.”

And Saylor did not do what Mosman did: recognize that even though there wasn’t an amicus position set up, the court could easily find one, even if it asked the amicus to brief under 103(i)(2)(B). Indeed, by June 17, former SSCI Counsel Michael Davidson — literally the expert on FISA sunset provisions — had written a JustSecurity post describing the lapse as a “huge problem.” So by the time Saylor had suggested that “no reasonable jurist” could disagree with him, the author of the sunset provision in question had already disagreed with him. Why not invite Davidson to submit a brief?

It seems Mosman either disagrees with Saylor’s conclusion about the seriousness of Congress’ “preference for greater amicus curiae involvement” (having read Saylor’s opinion, he does say appointment under 103(i)(2)(A) “is not appropriate,” but without adopting Saylor’s logic for that language in the least), or has been swayed by the criticism of people like Liza Goitein and Steve Vladeck responding to Saylor’s earlier opinion.

All that said, having found a way to incorporate an amicus — even one not knowingly acting as such during briefing — Mosman then goes on to completely ignore what the government and JudicialWatch said about the lapse — instead just declaring that “the government has the better end of the dispute” — and to justify that judgment, simply quoting from Saylor.

On June 1, 2015, the language of section 501 reverted to how it read on October 25, 2001. See page 2 supra. The government contends that the USA FREEDOM Act, enacted on June 2, 2015, restored the version of section 501 that had been in effect immediately before the June 1 reversion, subject to amendments made by that Act. Response at 4. Movants contend that the USA FREEDOM Act had no such effect. Supplemental Brief at 1-2. The Court concludes that the government has the better of this dispute.

Another judge of this Court recently held that the USA FREEDOM Act effectively restored the version of section 501 that had been in effect immediately before the June 1 sunset. See In re Application of the FBI for Orders Requiring the Production of Tangible Things, Docket Nos. BR 15-77, 15-78, Mem. Op. (June 17, 2015). In reaching that conclusion, the Court noted that, after June 1, Congress had the power to reinstate the lapsed language and could exercise that power “by enacting any form of words” making clear “its intention to do so.” Id. at 9 (internal quotation marks omitted). The Court found that Congress indicated such an intention through section 705(a) of the USA FREEDOM Act, which amended the pertinent sunset clause8 by striking the date “June 1, 2015,” and replacing it with “December 15, 2019.” Id. at 7-9. Applying fundamental canons of statutory interpretation, the Court determined that understanding section 705(a) to have reinstated the recently-lapsed language of section 501 of FISA was necessary to give effect to the language of the amended sunset clause, as well as to amendments to section 501 of FISA made by sections 101 through 107 of the USA FREEDOM Act, and to fit the affected provisions into a coherent and harmonious whole. Id. at 10-12. The Court adopts the same reasoning and reaches the same result in this case.

JudicialWatch’s argument was the mirror image of Saylor’s — that “Congress was fully aware of the problems associated with passing the expiration date and they chose to do nothing to fix those problems” — and yet Mosman doesn’t deal with it in the least. His colleague had ruled, and so the government must have the better side of the argument.

That’s basically the logic Mosman uses on the underlying question, which I hope to return to. Even in making a symbolic nod to the amicus, Mosman is still engaging in the legally suspect navel gazing that has become the signature of the FISC.

Mind you, I’m not surprised by all this. That was very clearly what was going to happen to the amicus, and one reason why I said it’d be likely a 9-year process until we had an advocate that would make the FISC a legitimate court.

But this little exhibition of navel gazing has only reinforced my belief that we should not wait that long. There is no reason to have a FISC anymore, not now that virtually every District court has the ability to conduct the kind of classified reviews that FISC judges do. And as we’re about to see (Jameel Jaffer promised he’s going to ask the 2nd Circuit for an injunction today), the competing jurisdictions that in this case let District Court judges dismiss Appellate judges as less preferable than the government are going to create legal confusion for the foreseeable future (though one the government and FISC are likely going to negate by using the new fast track review process I warned about).

The FISC is beyond saving. We should stop trying.


Amazon’s Transparency Report: “Certain Purchase History”

Last week, precisely 10 days after USA F-ReDux — with its different formulas allowing for provider transparency — passed, Amazon released its first transparency report. In general, the report shows that Amazon either doesn’t retain the requested data or successfully pushes back against a lot of requests. For example, Amazon provided no or only partial information in response to a third of the 813 subpoenas it received last year.

Also of note, in a post accompanying the report, Stephen Schmidt claimed that “Amazon never participated in the NSA’s PRISM program,” which may not be all that surprising given that it has only received 25 non-national security search warrants.

As I’ve already suggested, I find the most interesting detail to be the timing: given that Amazon has gotten crap as the only major company not to release a transparency report before, I suspect either that Amazon had a new application 2 years ago when everyone started reporting, meaning it had to wait until the new collection had aged under the reporting guidelines, or that something about the more granular reporting made the difference for Amazon. Amazon reported in the 0-250 range (including both NSLs and other FISA orders), so it may just have been waiting to be able to report that lower number.

That said, Amazon received 13 non-national security court orders (aside from the one take down order they treat separately, which I believe has to do with an ISIL site), only 4 of which they responded fully to. I think this category would be where Amazon would count pen registers. And I’d expect Amazon to get pen registers in connection with their hosting services. If any of the 0 to 250 National Security orders are pen registers, it could be fairly intrusive.

Finally, Amazon clarified (sort of) something of particular interest. Amazon makes clear that content stored in a customer’s site is content (self-evident, I know, but there are loopholes for stored content, which is a big part of why Amazon would be of interest, and was when Aaron Swartz was using them as a hosting service).

Non-content. “Non-content” information means subscriber information such as name, address, email address, billing information, date of account creation, and certain purchase history and service usage information.

Content. “Content” information means the content of data files stored in a customer’s account.

But Amazon does not treat “certain purchase history” information as content.

As the country’s biggest online store, that’s where Amazon might be of the most interest. Indeed, the legal filings pertaining to Usaamah Abdullah Rahim (the claimed ISIL follower whom Boston cops shot and killed on June 2) show they were tracking Rahim’s Amazon purchase of a knife very closely.

If you wanted to do a dragnet of purchase records, you’d include Amazon in there one way or another. And such a dragnet order might represent just one (or four) of the fewer than 250 orders Amazon got in a year.

It’s not surprising they’re treating (“certain”) purchase records as metadata. But it is worth noting.


DOJ IG: FBI’s Secret Applications of PRTT Are Even More Secret than Its Secret Applications of Section 215

DOJ’s Inspector General just released its unclassified summary of its classified report on FBI’s use of Pen Register/Trap and Trace authority.

It is rather thin, just 5 pages long. It explains what is in the secret report.

We described the different types of pen registers that were used and the variety of information that was collected, as well as some of the technological and legal issues the Department and FBI faced with particular uses of pen register authority. We also describe the investigative circumstances under which the authority is generally used and trends in its use. The FBI and the Intelligence Community determined that much of this information is classified or “for official use only,” and therefore we cannot include it in this Executive Summary.

Our classified report also describes the FBI’s practices for storing and handling pen register information, most of which have remained substantially unchanged since our 2007 – 2009 review period, and it provides an overview of the compliance process and a summary of the compliance incidents involving the use of pen register authority that occurred from 2007 through 2009. Our classified report also includes several findings, only one of which we can describe in this unclassified Executive Summary.

The claim is rather interesting, given that documents EPIC obtained under FOIA make it clear FBI has used PRTT orders to get location data (not at all surprising given that it does so under criminal PRTTs as well), and that it has 7 exotic applications of Post Cut Through Dialed Digits. Those EPIC documents also reveal that John Bates redefined the meaning of Dialing, Routing, Addressing, and Signaling to include some content.

How is it EPIC could obtain those documents but DOJ’s IG can’t tell us what he found about these practices?

The one conclusion DOJ’s IG can share, sort of, is that FBI has problems weeding out data it shouldn’t have.

[W]e highlighted the challenges the Department faced, and still faces, in ensuring that the government collects or uses only that information that it is lawfully permitted to obtain.

[snip]

We found that the Department’s National Security Division and FBI do not conduct systematic compliance reviews of pen registers, and instead rely on personnel assigned to cases involving pen registers to report any compliance violations.

The report repeatedly notes that “the government is not authorized under FISA to obtain the contents of wire or electronic communications with a pen register order.” Which, of course, we know it has, both under the NSA program, as well as under PCTDD (indeed, discussions with the FISC over both the content collection under the NSA collection and the PCTDD uses took place in 2009, within the scope of the report).

So I assume part of the problem — part of the reason why FBI treats its PRTT programs with greater secrecy than its Section 215 programs — is that it violates the law but doesn’t have the means in place to catch its own violations.

I mean, if FBI wants to declassify the proof that that isn’t true, by all means they should do so. But the available evidence suggests the FBI and government more generally is probably still violating the terms of PRTT under FISA.


The Timing of the Contemplated Upstream Cyber-Grab

There’s an aspect missing thus far from the discussion of NSA’s possible bid for a cyber certification under Section 702 for primary use in the collection of attack signatures that could not be attributed to a foreign government.

The timing.

The discussion of creating a new Section 702 certificate came in the aftermath of the 6-month back and forth between DOJ and the FISA Court over NSA having collected US person data as part of its upstream collection (for more detail than appears in the timeline below, see this post). During that process, John Bates ruled parts of the program — what he deemed the intentional collection of US person data within the US — to be unconstitutional. That part of his opinion is worth citing at length, because of the way Bates argues that the inability to detach entirely domestic communications that are part of a transaction does not mean that those domestic communications were “incidentally” collected. Rather, they were “intentionally” collected.

Specifically, the government argues that NSA is not “intentionally” acquiring wholly domestic communications because the government does not intend to acquire transactions containing communications that are wholly domestic and has implemented technical means to prevent the acquisition of such transactions. See June 28 Submission at 12. This argument fails for several reasons.

NSA targets a person under Section 702 certifications by acquiring communications to, from, or about a selector used by that person. Therefore, to the extent NSA’s upstream collection devices acquire an Internet transaction containing a single, discrete communication that is to, from, or about a tasked selector, it can hardly be said that NSA’s acquisition is “unintentional.” In fact, the government has argued, and the Court has accepted, that the government intentionally acquires communications to and from a target, even when NSA reasonably — albeit mistakenly — believes that the target is located outside the United States. See Docket No. [redacted]

[snip]

The fact that NSA’s technical measures cannot prevent NSA from acquiring transactions containing wholly domestic communications under certain circumstances does not render NSA’s acquisition of those transactions “unintentional.”

[snip]

[T]here is nothing in the record to suggest that NSA’s technical means are malfunctioning or otherwise failing to operate as designed. Indeed, the government readily concedes that NSA will acquire a wholly domestic “about” communication if the transaction containing the communication is routed through an international Internet link being monitored by NSA or is routed through a foreign server.

[snip]

By expanding its Section 702 acquisitions to include the acquisition of Internet transactions through its upstream collection, NSA has, as a practical matter, circumvented the spirit of Section 1881a(b)(4) and (d)(1) with regard to that collection. (44-45, 48)

There are a number of ways to imagine that victim-related data and communications obtained with an attack signature might be considered “intentional” rather than “incidental,” especially given the Snowden document acknowledging that so much victim data gets collected it should be segregated from regular collection. Add to that the far greater likelihood that the NSA will unknowingly target domestic hackers — because so much of hacking involves obscuring attribution — and the likelihood upstream collection targeting hackers would “intentionally” collect domestic data is quite high.

Plus, there’s nothing in the 2011 documents released indicating the FISC knew upstream collection included cyber signatures — and related victim data — in spite of the fact that “current Certifications already allow for the tasking of these cyber signatures.” No unredacted section discussed the collection of US person data tied to the pursuit of cyberattackers that appears to have been ongoing by that point.

Similarly, the white paper officially informing Congress about 702 didn’t mention cyber signatures either. There’s nothing public to suggest it did so after the Senate rejected a Cybersecurity bill in August, 2012, either. That bill would have authorized less involvement of NSA in cybersecurity than appears to have already been going on.

With all that in mind, consider the discussions reflected in the documents released last week. The entire discussion of using FBI’s stated needs as the backup justification for applying for a cyber certificate came at the same time as NSA was trying to decide what to do with the data it had illegally collected. Before getting that certificate, DOJ approved the collection of cyber signatures under other certificates. It seems likely that this collection would violate the spirit of the ruling from just the prior year.

And NSA’s assistance to FBI may have violated the prior year’s orders in another way. SSO contemplated delivering all this data directly to FBI.

[Screenshot: SSO document, 2015-06-11 at 9.42.56 AM]

Yet one of the restrictions imposed on upstream collection — voluntarily offered up by DOJ — was that no raw data from NSA’s upstream collection go to FBI (or CIA). If there was uncertainty where FBI’s targeting ended and NSA’s began, this would create a violation of prior orders.

Meanwhile, the reauthorization process had already started, and as part of that (though curiously timed to coincide with the release of DOJ’s white paper on 702 collection) Ron Wyden and Mark Udall were trying to force NSA to figure out how much US person data they were collecting. Not only did the various Inspectors General refuse to count that data (which would have, under the logic of Bates’ opinions finding that illegally collected data was only illegal if the government knew it was US person data, made the data illegal), but the Senate Intelligence Committee refused to consider reconstituting their Technical Advisory Committee which might be better able to assess whether NSA claims were correct.

Sometime in that period, just as Wyden was trying to call attention to the fact that NSA was collecting US person data via its upstream collection, NSA alerted the Intelligence Committees to further “overcollection” under upstream collection.

[Image: 2012 Upstream Notice]

As I suggested here, the length of the redaction and mention of “other authorities” may reflect the involvement of another agency like FBI. One possibility, given the description of FBI collecting on cyber signatures using both PRTT and (presumably) traditional FISA in the discussions of SSO helping the FBI conduct this surveillance (note, I find it interesting though not conclusive that there is no mention of Section 215 to collect cybersecurity data), is that the initial efforts to go after these signatures in some way resulted in overcollection. If FISC interpreted victim-related data to be overcollection — as would be unsurprising under Bates’ 2011 upstream opinion — then it would explain the notice to Congress.

One more point. In this post, I noted that USA F-ReDux authorized FISC to let the government use data it had illegally collected but which FISC had authorized by imposing additional minimization procedures. It’s just a wild-arse guess, but I find it plausible that this 2012 overcollection involved cyber signatures (because we know NSA was collecting it and there is reason to believe it violated Bates’ 2011 opinion), and that any victim data now gets treated under minimization procedures and therefore that any illegal data from 2012 may now, as of last week, be used.

All of which is to say that the revelation of NSA and FBI’s use of upstream collection to target hackers involves far more legal issues than commentary on the issue has made out. And these legal issues may well have been more appropriate for the government to reveal before passage of USA F-ReDux.

Update, 11/6: Some dates added from this opinion.


DOJ Doesn’t Care What the Text of the Law or the 2nd Circuit Says, Dragnet Edition

Since USA F-ReDux passed, JustSecurity has published two posts about how the lapse of Section 215 might create problems for the dragnet. Megan Graham argued that technically USA F-ReDux would have amended Section 215 as it existed in 2001, meaning the government couldn’t obtain any records but those that were specifically authorized before the PATRIOT Act passed. And former SSCI staffer Michael Davidson argued that a technical fix would address any uncertainty on this point.

DOJ, however, doesn’t much give a shit about what USA F-ReDux actually amends. In its memorandum of law accompanying a request to restart the dragnet submitted the night USA F-ReDux passed, DOJ asserted that of course Section 215 as it existed on May 31 remains in place.

Its brief lapse notwithstanding, the USA FREEDOM Act also expressly extends the sunset of Section 215 of the USA PATRIOT Act, as amended, until December 15, 2019, id. § 705(a), and provides that, until the effective date of the amendments made by Sections 101 through 103, it does not alter or eliminate the Government’s authority to obtain an order under Section 1861 as in effect prior to the effective date of Sections 101 through 103 of the USA FREEDOM Act. Id. § 109(b). Because the USA FREEDOM Act extends the sunset for Section 215 and delays the ban on bulk production under Section 1861 until 180 days from its enactment, the Government respectfully submits that it may seek and this Court may issue an order for the bulk production of tangible things under Section 1861 as amended by Section 215 of the USA PATRIOT Act as it did in docket number BR 15-24 and prior related dockets.

It cites comments Pat Leahy and Chuck Grassley made on May 22 (without, curiously, quoting either Rand Paul or legislative record from after Mitch McConnell caused the dragnet to lapse) showing that the intent of the bill was to extend the current dragnet.

While I think most members of Congress would prefer DOJ’s argument to hold sway, I would expect a more robust argument from DOJ on this point.

Likewise their dismissal of the Second Circuit decision in ACLU v. Clapper (which they say they’re still considering appealing). While it notes the Second Circuit did not immediately issue an injunction, DOJ’s base argument is weaker: it likes FISC’s ruling better and so it thinks FISC’s District Court judges should consider but ultimately ignore what the Second Circuit said.

The Government believes that this Court’s analysis of Section 215 reflects the better interpretation of the statute, see, e.g., In Re Application of the FBI for an Order Requiring the Production of Tangible Things, docket no. BR 13-109, Amended Mem. Op., 2013 WL 5741573 (FISA Ct. Aug. 29, 2013) (Eagan, J.) and In Re Application of the FBI for an Order Requiring the Production of Tangible Things, docket no. BR 13-158, Mem. (FISA Ct. Oct. 11, 2013) (McLaughlin, J.), disagrees with the Second Circuit panel’s opinion, and submits that the request for renewal of the bulk production authority is authorized under the statute as noted above.

[snip]

The Government submits that this Court’s analysis continues to reflect the better reading of Section 1861.

This is where, incidentally, the flaccid report language attached to USA F-ReDux is so problematic. In a filing affirming the importance of legislative language, had the HJC report said something more than “Congress’ decision to leave in place the ‘relevance’ standard for Section 501 orders should not be construed as Congress’ intent to ratify the FISA Court’s interpretation of that term,” DOJ might have to take notice of the language. But as it is, without affirmatively rejecting FISC’s opinion, the government will pretend it doesn’t matter.

I’m no more surprised with DOJ’s argument about the Second Circuit decision than I am its insistence that lapsing a bill doesn’t have legal ramifications.

But I would expect both arguments to make some effort to appear a bit less insolent. I guess DOJ is beyond that now.


In Advance of FISA Amendments Act Reauthorization, DOJ Did Not Tell Congress about Cyber Signature Collection

As I noted here, I’m working on a post that puts last week’s report on NSA’s use of upstream Section 702 collection in context.

But first, there’s one more detail that deserves its own post.

By March 23, 2012, NSA had drafted a certificate exclusively for cyber, with the intent of getting the FISC to approve it that year (which probably would have been in October). Yet “the current Certifications already allow[ed] for the tasking of [] cyber signatures such as IP addresses, strings of computer code, and similar non-email or phone number-based selectors.”

And whether or not NSA was already collecting cyber signatures in March 2012, by May, DOJ approved their collection on the Foreign Government certificate.

On May 4, 2012, DOJ sent the Intelligence Committee Chairs a white paper on Section 702 to be shared with the rest of Congress. Here’s the passage that describes how NSA uses upstream collection:

[Screenshot: the passage of the May 4, 2012 white paper describing upstream collection, with one redaction]

Given that the only redaction here addresses terrorists and the unredacted remainder describes only the collection of email and phone identifiers, it seems virtually certain that the passage — and therefore the white paper — made no mention of the cyber signature collection the NSA and DOJ were actively preparing to collect, and would collect before the reauthorization of FAA that December.

It’s certainly possible DOJ gave Congress notice that the use of Section 702 had changed significantly by the time Congress voted in December, but there’s no public record of it. In the interim period, the Senate defeated a cybersecurity bill that would even have restricted NSA from obtaining domestically collected cyber data, reflecting real skepticism about spying for cybersecurity purposes in the US.

If, as the record strongly suggests, the government expanded NSA upstream 702 to include cyber signatures without telling Congress before they reauthorized the underlying authority, it would not be the first time: DOJ did not tell even the House Judiciary Committee — much less Congress as a whole — that it was using Section 215 to collect location data until after both the 2010 and 2011 Patriot Act reauthorizations.

Whatever the merit to using 702 upstream collection to hunt hackers — even ignoring the real privacy problems with it — the public record raises real questions about whether the practice was authorized and would have been authorized by Congress. Given that such collection involves an expansion of the intentional collection of domestic data, the apparent absence of Congressional sanction raises real problems about the practice (though, as I’ve suggested, Congress just retroactively authorized the use of whatever illegally-collected 702 data NSA can get FISC to approve the use of).

The NSA’s defenders like to claim Congress always gets notice. But the record shows that, over and over, NSA asks for forgiveness after the fact rather than asking for permission before the collection.


NSA Reported a Section 702 Upstream Overcollection Incident in 2012

I’m working on a longer post on the timing of the NSA’s bid to get a cyber Section 702 certificate in 2012. But I wanted to point to a detail about upstream 702 collection that may be relevant to the issue.

According to the 4Q FY2012 Intelligence Oversight Board report — the one covering the quarter ending September 30, 2012 — NSA notified Congress of an overcollection (a polite way of saying “illegal data collection”) under both upstream collection and “other authorities.” The overcollection was fairly significant, both because NSA did notify Congress, which it doesn’t do for individual incidences of overcollection, and because NSA had to implement both a short-term and long-term solution to the collection issue.

[Image: the 2012 upstream overcollection notice from the 4Q FY2012 IOB report]

This is almost certainly separate from the upstream violations reported in 2011, which resulted in Judge John Bates declaring the collection of entirely US-person data as part of Multi-Communication Transactions collected using upstream 702 collection to be a violation of the Fourth Amendment. Reference to that notice appeared in the 3Q FY2011 report, the one covering the quarter ending June 30, 2011. Not only does the earlier IOB report show Congress had already been notified of the 2011 violations, but also that (unlike with some earlier notices) they were notified in a timely fashion.

Which suggests the 2012 notification was probably provided to Congress shortly after its official discovery, too.

Moreover, a description of the 2011 problems with upstream collection appeared in a May 4, 2012 letter to Congress, in anticipation of FISA Amendments Act reauthorization that year, by which point NSA had already informed Bates they were going to purge the overcollected MCT data (that happened in April 2012). Thus, no new notice would have been necessary (and would have been sent exclusively to the Intelligence Committees) in 3Q FY2012, which started on July 1.

So this 2012 notice almost certainly represents yet another incidence where NSA (and possibly another agency, given the redaction length and reference to other authorities) illegally collected content it wasn’t entitled to collect inside the US.

This overcollection is significant for two reasons.

First, as will become more clear when I do this timeline, DOJ and NSA would have been dealing with this overcollection at precisely the same time the two agencies were preparing to apply for a Section 702 certification authorizing the collection of cyber signatures. Indeed, it’s possible that is why this overcollection was officially identified, as I’ll lay out, though there are plenty of other possibilities as well.

Just as importantly, USA F-ReDux probably just authorized the government to use the data collected under this second incident of apparently systemic overcollection under upstream 702.

On its face, Section 301 of USA F-ReDux appears to prohibit the use (but not the parallel construction of) data collected unlawfully under Section 702 unless it presents a threat of death or serious bodily harm (which NSA has secretly redefined to include threat to property).

[I]f the Court orders a correction of a deficiency in a certification or procedures under subparagraph (B), no information obtained or evidence derived pursuant to the part of the certification or procedures that has been identified by the Court as deficient concerning any United States person shall be received in evidence or otherwise disclosed in any trial [… or any other Federal proceeding …] except with the approval of the Attorney General if the information indicates a threat of death or serious bodily harm to any person.

But in substance, the Section actually authorizes the government to use such data once it has satisfied the FISC.

If the Government corrects any deficiency identified by the order of the Court under subparagraph (B), the Court may permit the use or disclosure of information obtained before the date of the correction under such minimization procedures as the Court may approve for purposes of this clause.

The Section likely addresses something that happened as John Bates tried to deal with both the PRTT Internet dragnet violations in 2010 and the upstream collection violations in 2011. In both cases, he found the government had intentionally collected US person content in the US. And so, Bates determined, under 50 U.S.C. § 1809(a), it would be a crime for the government to disseminate the data.

In 2010, Bates rejected a slew of government arguments (see pages 100 to 113) that he could just retroactively make this illegal collection legal.

Finally, insofar as the government suggests that the Court has an inherent authority to permit the use and disclosure of all unauthorized collection without regard to Section 1809, see Memorandum of Law at 73-74 & n.37, the Court again must disagree.

[snip]

The Court simply lacks the power, inherent or otherwise, to authorize the government to engage in conduct that Congress has unambiguously prohibited.

Bates’ interpretation of 50 U.S.C. § 1809(a) is what led the government to purge the illegally collected upstream data in April 2012 (that may have also been why NSA purged its illegally collected Internet dragnet data in December 2011).

Section 301 of USA F-ReDux was clearly intended to give FISC the authority Bates said he didn’t have in 2010: to let a FISC judge permit the government to disseminate data found to be illegally collected, but retroactively sanctioned via the use of minimization procedures.

At first, I didn’t think the Section would affect any known data, because NSA purged both the illegal PRTT data and the illegal upstream data, so that couldn’t be used anymore.

But the IOB report shows there was more illegal upstream data collected, within a year. And the reference to a “long-term solution” to it may suggest that NSA held onto the data and was just finding a way to retroactively authorize it.

From the IOB description, we can’t know what data NSA had illegally collected or why. But there’s a decent chance USA F-ReDux just retroactively made the use of it legal.


FreedomWorks Challenges the Transitional Dragnet

On Friday, FreedomWorks and Ken Cuccinelli challenged the phone dragnet.

The challenge is a basic legal challenge, not a technical one arising from the lapse of the dragnet. It is smarter than others I’ve read because it recognizes the dragnet is about backbone usage, not a specific provider. It also has more language on contracting than other challenges I’ve read closely (though I haven’t read Rand Paul’s, and I expect that language was in his challenge).

But as I said, there’s nothing I saw in the challenge that questions how USA F-ReDux can simply extend Section 215 when that provision had already lapsed.

At the very least, because of this challenge, we’ll get to see what the government argued about that lapse. That’s because Michael Mosman (who signed the December dragnet order, but was also remarkably willing to review a challenge to FISA- and EO 12333-authorized methods in Reaz Qadir Khan’s case) not only ordered the government to brief whether ongoing dragnettery was legal under Title V of FISA as modified by USA F-ReDux by next Friday, but he ordered the government to turn over an unclassified version of the memorandum of law it submitted on June 2 to restart the dragnet.

[Screenshot: Judge Mosman’s order directing the government to brief the legality of the ongoing dragnet and to release an unclassified version of its June 2 memorandum of law]

In addition to whatever else this says, it makes it clear that (unsurprisingly) the Administration filed to restart the dragnet on Tuesday night, just after the President signed USA F-ReDux.


Why Is the Aramco Hack Considered a Significant NSA Milestone?

[Screenshot: the list of “key SSO cyber milestone dates”]

I’ve been puzzling over the list of “key SSO cyber milestone dates” released with the upstream 702 story the other day.

For the most part, it lists technical and legal milestones leading to expanded collection targeting cyber targets (which makes sense, given that’s what Special Source Operations does — collect data off switches). There’s the one redacted bullet (which, if it referred to an attack thwarted, might refer to this thwarted attack on a US defense contractor in December 2012).

But what is the August 2012 DDOS attack on Saudi Aramco doing on the list? And, for that matter, why is it referred to as a DDOS attack?

The attack was publicly described as a two-step hack targeted against both Aramco and Qatar’s gas industry which copy-catted an attack associated with the Flame attack on Iran. It is now generally described as Iranian retaliation for Stuxnet, though at the time potential attribution ranged from hacktivists to a single hacker to Aramco insiders. The Sony hack used tools related to the Shamoon attack.

Not long after the Aramco hack, the NSA expanded its Third Party SIGINT relationship to include the Saudi Interior Ministry (then led by close US ally Mohammed bin Nayef). The next month the Saudis (again, with MbN in the lead) prematurely renewed their Technical Cooperation Agreement with the US, adding a new cybersecurity component.

So regardless of how serious an attack it was (on that, too, accounts varied) it did have a significant effect on our role in cybersecurity in the Middle East, potentially with implications for SSO.

But unless SSO thwarted the attack — or at least alerted the Saudis in time to pull their computers offline — why would that be a significant milestone for SSO?



In October 2013, Patrick Leahy and Jim Sensenbrenner Rolled Out a Bill That Would Have Ended Upstream Cyber Collection

Back in October 2013, Jim Sensenbrenner and Patrick Leahy released the original, far better, version of the USA Freedom Act. As I noted in November 2013, it included a provision that would limit upstream collection to international terrorism and international proliferation of WMD uses.

It basically adds a paragraph to subsection (d) of Section 702 that limits upstream collection to two uses: international terrorism or WMD proliferation.

(C) limit the acquisition of the contents of any communication to those communications—

(i) to which any party is a target of the acquisition; or

(ii) that contain an account identifier of a target of an acquisition, only if such communications are acquired to protect against international terrorism or the international proliferation of weapons of mass destruction.;

And adds a definition for “account identifier” limiting it to identifiers of people.

(1) ACCOUNT IDENTIFIER.—The term ‘account identifier’ means a telephone or instrument number, other subscriber number, email address, or username used to uniquely identify an account.

At the time, I noted that this would give the NSA 6 months to shut down the use of upstream collection to collect cyber signatures.

Jonathan Mayer’s comments on the NYT/PP story today reveal why that would be important to do (this is a point I’ve been making for years): if you’re collecting signatures of cyber attacks, you’re collecting victim data as well, a problem that would only get worse under the cyber information sharing bills before Congress.

This understanding of the NSA’s domestic cybersecurity authority leads to, in my view, a more persuasive set of privacy objections. Information sharing legislation would create a concerning surveillance dividend for the agency.

[Figure: nsa_cyber_2, diagram from Mayer’s post]

Because this flow of information is indirect, it prevents businesses from acting as privacy gatekeepers. Even if firms carefully screen personal information out of their threat reports, the NSA can nevertheless intercept that information on the Internet backbone.

Furthermore, this flow of information greatly magnifies the scale of privacy impact associated with information sharing. Here’s an entirely realistic scenario: imagine that a business detects a handful of bots on its network. The business reports a signature to DHS, who hands it off to the NSA. The NSA, in turn, scans backbone traffic using that signature; it collects exfiltrated data from tens of thousands of bots. The agency can then use and share that data. What began as a tiny report is magnified to Internet scale.

But, instead of giving NSA 6 months to close this loophole, we instead passed USA F-ReDux, which does nothing to rein in domestic spying done in the name of cybersecurity.
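The magnification Mayer describes, and the difference the 2013 bill’s “account identifier” limit would have made, can be shown with a toy traffic sample. The following is an added illustration, not code from this post, from Mayer’s article, or from any agency; every address, account name, flow and “signature” in it is constructed (documentation IP ranges only), and the selector functions are a simplification of how a selector is applied, not a description of any real system.

```python
"""Why selecting on a cyber signature sweeps in victim data.

Added illustration, not code from the post, from Mayer's article, or from any
agency. Every IP address, account name, flow and the "signature" below are
constructed for this example (documentation address ranges only).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One captured communication, reduced to what a selector looks at."""
    src: str        # constructed source address
    dst: str        # constructed destination address
    account: str    # constructed account identifier visible in the flow, or ""
    payload: bytes  # constructed content


# Constructed "cyber signature": a command-and-control address plus a byte
# pattern the (imaginary) malware puts in every beacon. Neither is real.
C2_IP = "203.0.113.7"
BEACON_MARKER = b"BOTv1|"

# Constructed account identifier of the one legitimate target.
TARGET_ACCOUNT = "target@example.net"


def build_sample_traffic(n_victims: int = 50) -> list[Flow]:
    """Constructed backbone sample: one message from the target, one from a
    bystander, and n_victims infected hosts exfiltrating their own data."""
    flows = [
        Flow("198.51.100.10", "198.51.100.20", TARGET_ACCOUNT, b"message from the target"),
        Flow("198.51.100.11", "198.51.100.20", "bystander@example.org", b"unrelated mail"),
    ]
    for i in range(1, n_victims + 1):
        # Each victim's beacon carries that victim's own files, not the target's.
        flows.append(Flow(f"192.0.2.{i}", C2_IP, "",
                          BEACON_MARKER + f"files-of-victim-{i}".encode()))
    return flows


def select_by_account(flows: list[Flow], account: str) -> list[Flow]:
    """Account-identifier selection, the rule the 2013 bill text would impose:
    keep only communications that contain the target's own identifier."""
    return [f for f in flows if f.account == account]


def select_by_signature(flows: list[Flow], c2_ip: str, marker: bytes) -> list[Flow]:
    """Cyber-signature selection: match on an IP address plus a string of code,
    the kind of non-account selector the post describes."""
    return [f for f in flows if f.dst == c2_ip and marker in f.payload]


def non_target_parties(selected: list[Flow], c2_ip: str) -> list[str]:
    """Addresses swept in that are not the signature's C2 address: under
    signature selection these are the victims, none of whom is a target."""
    return sorted({f.src for f in selected if f.src != c2_ip})


def compare_selectors(n_victims: int = 50) -> dict:
    """Size of each selection, so the magnification is visible in numbers."""
    flows = build_sample_traffic(n_victims)
    by_account = select_by_account(flows, TARGET_ACCOUNT)
    by_signature = select_by_signature(flows, C2_IP, BEACON_MARKER)
    return {
        "account_selector_flows": len(by_account),
        "signature_selector_flows": len(by_signature),
        "victims_swept_in": len(non_target_parties(by_signature, C2_IP)),
    }


if __name__ == "__main__":
    # One signature, reported once, pulls in every victim's exfiltrated data.
    print(compare_selectors())
```

The account selector returns exactly the target’s communication; the signature selector returns one record per infected host, and every one of those records is a victim’s data. Scaling `n_victims` up is the only thing separating the toy from the “tens of thousands of bots” in Mayer’s scenario.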

Leahy released a remarkable statement in response to today’s story that doesn’t reveal whether he knew of this practice (someone knew to forbid it in their original bill!), but insists he’ll fight for more limits on surveillance and more transparency.

Today’s report that the NSA has expanded its warrantless surveillance of Internet traffic underscores the critical importance of placing reasonable and commonsense limits on government surveillance in order to protect the privacy of Americans. Congress took an important step in this direction this week by passing the USA FREEDOM Act, but I have always believed and said that more reforms are needed. Congress should have an open, transparent and honest debate about how to protect both our national security and our privacy. As Congress continues to work on surveillance and cybersecurity legislation, I will continue to fight for more reforms, more transparency, and more accountability – particularly on issues related to the privacy of Americans’ personal communications.

Remember: on Tuesday, Richard Burr vehemently denied we had secret law. And while this application of FISA wasn’t entirely secret — I figured it out pretty quickly, but a great great many people doubted me, as per usual — even Leahy is faced with a situation where he can’t admit he knew about a practice he already tried to shut down once.
