Did FBI Stall an IG Review of Innocent Americans Sucked Up in the Dragnet?

I mentioned earlier that the FBI withheld information on the Bureau’s use of phone dragnet tippers from DOJ’s Inspector General long enough to make any review unusable for Congress’ consideration before it passed USA F-ReDux.

That’s important because of this passage from the Stellar Wind IG Report.

Another consequence of the Stellar Wind program and the FBI’s approach to assigning leads was that many threat assessments were conducted on individuals located in the United States, including U.S. persons, who were determined not to have any nexus to terrorism or represent a threat to national security.402 These assessments also caused the FBI to collect and retain a significant amount of personal identification about the users of tipped telephone numbers and e-mail addresses. In addition to an individual’s name and home address, such information could include where the person worked, records of foreign travel, and the identity of family members. The results of these threat assessments and the information that was collected generally were reported in communications to FBI Headquarters and uploaded into FBI databases.

The FBI’s collection of U.S. person information in this manner is ongoing under the NSA’s FISA-authorized bulk metadata collection. To the extent leads derived from this program generate results similar to those under Stellar Wind, the FBI will continue to collect and retain a significant amount of information about individuals in the United States, including U.S. persons, that do not have a nexus to terrorism or represent a threat to national security.

We recommend that as part of the [redacted] project, the Justice Department’s National Security Division (NSD), working with the FBI, should collect addresses disseminated to FBI field offices that are assigned as Action leads and that require offices to conduct threat assessments. The information compiled should include whether individuals identified in threat assessments are U.S. or non-U.S. persons and whether the threat assessments led to the opening of preliminary or full national security investigations. With respect to threat assessments that conclude that users of tipped telephone numbers or e-mail addresses are not involved in terrorism and are not threats to national security, the Justice Department should take steps to track the quantity and nature of U.S. person information collected and how the FBI retains and utilizes this information. This will enable the Justice Department and entities with oversight responsibilities, including the OIG and congressional committees, to assess the impact this intelligence program has on the privacy interests of U.S. persons and to consider whether, and for how long, such information should be retained. (PDF 666-7/329-330)

After a preceding section talking about how many of the tippers to FBI — which, after all, may be two hops away from someone of interest — weren’t all that useful, DOJ’s IG (the current IG, Michael Horowitz’s predecessor, Glenn Fine) noted how many Americans with no nexus to terrorism nevertheless have their names, home addresses, workplace, travel records, and family members’ identities collected and stored in an FBI database, potentially for decades. And, we now know, those assessments would include a search for any previously-collected content, which the FBI could read without a warrant.

Fine recommended that FBI begin to track what happens with the Americans sucked up in PATRIOT-authorized dragnets.

But we can be virtually certain FBI chose not to heed that recommendation, because it hasn’t heeded similar recommendations with NSLs, and because FBI refuses to track any of their other FISA-related activities.

And Horowitz has been very disciplined in following up on previous IG recommendations in reports that follow up on like topics, so that is likely one of the things he planned to investigate with his focus on the “receiving, processing, and disseminating [of] leads” from the phone dragnet.

The review will examine the FBI’s procedures for receiving, processing, and disseminating leads the NSA develops from the metadata, as well as any changes that have been made to these procedures over time. The review will also examine how FBI field offices respond to leads and the scope and type of information field offices collect as a result of any investigative activity that is initiated. In addition, the review will examine the role the leads have had in FBI counterterrorism efforts.

Frankly, because NSA had to curtail so much of what they were doing with the phone dragnet in 2009, there should be fewer Americans sucked up in the dragnet now than there were when Fine did his Stellar Wind review in 2008-09. Though if FBI continued to require an assessment of every new identifier, it would still result in a lot of innocent Americans having their lives unpacked and stored for 30 years by the FBI.

But those numbers will likely be higher — potentially significantly higher — under USA F-ReDux, because any given query will draw off of more kinds of information. More importantly, FBI is exempted from counting the queries it does on any database of call detail records obtained under the new CDR function.

(C) the number of search terms that included information concerning a United States person that were used to query any database of call detail records obtained through the use of such orders;

[snip]

(A) FEDERAL BUREAU OF INVESTIGATION.—Paragraphs (2)(A), (2)(B), and (5)(C) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

This strongly suggests the data will come in through the FBI, be treated under FBI’s far more permissive (than NSA’s) minimization procedures, and searched regularly. Which likely means the privacy implications of innocent Americans sucked up into the dragnet will be far worse. And all that’s before any of the analysis NSA will do on these query results.

There was no public consideration of the privacy impact of the innocent Americans sucked in under the CDR function during the USA F-ReDux debate (though I wrote about it repeatedly).

But if DOJ’s IG intended to include past recommendations in its review of what FBI does with the phone dragnet data — which would be utterly consistent with past practice — that’s one of the things this review, the review FBI stalled beyond the point when it could be useful, would have focused on.

 

FBI Successfully Runs Out the Clock on DOJ’s Inspector General Review of Use of Phone Metadata

While everyone was focused on USA F-ReDux last week, DOJ’s Inspector General submitted its semiannual report. In it, Michael Horowitz reiterated his complaint that FBI was stonewalling on document production. He listed 4 requests made after Congress defunded such stonewalling on which FBI was still stonewalling at the end of March.

The OIG has sent four letters to Congress to report that the FBI has failed to comply with Section 218 by refusing to provide the OIG, for reasons unrelated to any express limitation in Section 6(a) of the IG Act, with timely access to certain records in ongoing OIG reviews. Those reviews are:

  • Two FBI whistleblower retaliation investigations, letter dated February 3, 2015, which is available here;
  • The FBI documents related to review of the DEA’s use of administrative subpoenas, letter dated February 19, 2015, which is available here;
  • The FBI’s use of information derived from collection of telephony metadata under Section 215 of the Patriot Act, letter dated February 25, 2015, which is available here; and
  • The FBI’s security clearance adjudication process, letter dated March 4, 2015, which is available here.

As of March 31, 2015, the OIG document requests were outstanding in every one of the reviews and investigations that were the subject of the letters above. The OIG is approaching the 1 year anniversary of the Deputy Attorney General’s request in May 2014 to the Office of Legal Counsel for an opinion on these matters, yet that opinion remains outstanding and the OIG has been given no timeline for the issuance of the completed opinion. Although the OIG has been told the opinion is a priority for the Department, the length of time that has now passed suggests otherwise. Instead, the status quo continues, with the FBI repeatedly ignoring the mandate of Section 218 and the Department failing to issue an opinion that would resolve the matter. The result is that the OIG continues to be prevented from getting complete and timely access to records in the Department’s possession. The OIG’s ability to conduct effective and rigorous oversight is being undercut every day that goes by without a resolution of this dispute.

Of particular note, as of March 31, FBI was still stonewalling an October 10, 2014 request (and January 2015 deadline) connected with DOJ IG’s review of how FBI has been using metadata from phone dragnets.

The OIG requested these records in connection with its pending review of the FBI’s use of information derived from the National Security Agency’s collection of telephony metadata obtained from certain telecommunications service providers under Section 215 of the Patriot Act. The timeliness of production is particularly important given that Section 215 of the Patriot Act is set to expire in June of this year.

FBI was also still stonewalling records of how it used DEA’s dragnet, but in the case of phone metadata, Horowitz specifically tied the investigation to the upcoming sunset of Section 215 authority.

DOJ’s IG wanted to review what was happening with the 2-hop dragnet data that got turned over to FBI before Congress reauthorized Section 215. And FBI successfully stalled that effort until after Congress passed a bill that will almost certainly result in far more phone metadata being turned over to FBI, and under far more permissive rules than they had been under.

I’ll explain why that was probably important in a follow-up post. But for the moment, as pundits declare winners and losers on yesterday’s passage of USA F-ReDux (I’ll do my own version of that too, shortly!), it’s worth noting that FBI successfully ran out the clock on its own IG, preventing us from learning about the privacy impact of one little-considered aspect of the dragnet.

ACLU’s Poker Face

Thus far, I have not seen a statement from the ACLU on last night’s developments with respect to the PATRIOT Act — the passage of cloture, McConnell’s failure to even ask for an immediate vote, followed by McConnell filing several amendments that would weaken USA F-ReDux. [Correction: here is one. h/t EG]

Indeed, no one even seems to be interested in what the ACLU thinks about all this, reporting the key players to include Mitch McConnell and Richard Burr, the White House and Intelligence Agencies, and the House, especially House leadership that would be forced to shepherd any changes to USA F-ReDux back through the House, but not the ACLU.

I’m interested.

Especially with Burr’s amendment to extend the transition period to the new phone records program to a full year. After all, ACLU’s lawsuit just got punted back to the District to see what happens now, but it was punted based on the presumption that Congress was going to fix the illegal dragnet “soon.”

A year is not “soon,” at least not in my book.

If ACLU agrees with me, they can ask the judges to provide some relief “sooner” than a year from now, either by ordering an earlier end to the dragnet or — at the very least — requiring the NSA to pull all of ACLU’s records from their dragnet. Indeed, given the number of active court challenges the ACLU has against the government, they’d be able to argue pretty compellingly they need quicker relief than a year.

In the past, NSA has suggested it would be too onerous to pull the records of one plaintiff from the dragnet. Who knows whether they were just bullshitting judges, but if it is too onerous, that would present other issues.

All of which is my way of saying the ACLU may have a few cards of interest in their hand that no one is much considering. I’m not going to ask them what they’re holding, mind you. I like that they may be deliberating in secret to thwart efforts to extend the dragnet.

I’m just noting that they do appear to still be holding some cards…

Mitch McConnell Just Made the Country Less Safe in Bid to Ensure FISC Continues to Be Rubber Stamp

I predicted back in April that Mitch McConnell would use the threat of straight reauthorization of a program that doesn’t do what the Intelligence Community wants to demand changes to USA F-ReDux.

And a data retention mandate — presented in the guise of a requirement that providers give notice if they plan not to retain data at least 18 months — is one of the things McConnell will try to push through today.

(k) PROSPECTIVE CHANGES TO EXISTING PRACTICES RELATED TO CALL DETAIL RECORDS.—

(1) IN GENERAL.—Consistent with subsection (c)(2)(F), an electronic communication service provider that has been issued an order to produce call detail records pursuant to an order under subsection (c) shall notify the Attorney General if that service provider intends to retain its call detail records for a period less than 18 months.

(2) TIMING OF NOTICE.—A notification under paragraph (1) shall be made not less than 180 days prior to the date such electronic communications service provider intends to implement a policy to retain such records for a period less than 18 months.

McConnell repeated his justification for a retention mandate last night by pointing to a provider that refused to agree to keep documents for a call record program, as he did last week. Why is Mitch worried about document retention for a call record program?

Remarkably, McConnell’s data mandate is for a shorter period of time than the 2 year data handshake the major telecoms have agreed to, according to Dianne Feinstein.

McConnell also submitted standalone amendments, the first requiring certification from James Clapper that the dragnet works before existing dragnet authorities expire, with the second one extending the expiration of the dragnet to a year.

McConnell submitted an amicus provision that simply codifies the status quo, which already permits a court to name an amicus. Significantly, McConnell’s amicus provision eliminates the reporting to Congress that Richard Burr’s bill at least had. But McConnell’s bill does include FISCR fast-track review, which I believe may actually be counterproductive. So McConnell’s amicus amendment permits the FISC to go on making shit up without any notice that’s what they’re doing.

Finally, there’s one other provision in one of two substitute bills Mitch put forward this month: an elimination of the reporting requirement of any significant FISC decisions (Section 402 is removed entirely).

Now, frankly, even in the existing USA F-ReDux, the reporting requirement permits the Executive too much discretion about what kind of details they’ll release. Even in FOIA suits, where a judge gets to weigh in, the government has been able to withhold even information that is almost certainly in the public record. Their summaries of important decisions would surely look like useless Vaughn Index summaries.

But that’s too much for Mitch McConnell — and the Intelligence Community folks whose demands he is serving. And, of course, elimination of this weak reporting requirement eliminates the only check against ongoing bulk or bulky collection, because the language surrounding Specific Selection Term includes big potential loopholes.

So consider what this means.

Over the last two weeks, Mitch McConnell has pursued policies that have led to a lapse in the phone (and CIA money transfer) dragnets. He didn’t even try to bring USA F-ReDux for an immediate vote last night; he only tried to bring up Lone Wolf and Roving Wiretap.

And his goal, for letting the dragnet expire, is to ensure the FISA Court continues to be dysfunctional.

Mitch McConnell has — according to his claims, not mine — made the country less safe with this lapse in the dragnet. All in a bid to ensure the FISC continues to operate as a rubber stamp.

FBI Doesn’t Want You To Know It Uses NSLs to “Correlate” All the Identities You Use Online

Back in March, I parsed the declaration Nicholas Merrill submitted in his bid to reveal the contents of what he was asked to turn over via an NSL back in 2004. As a reminder, here’s what FBI permitted Merrill to reveal at the beginning of this suit.

[Image: Screen Shot 2015-03-29 at 8.36.05 AM]

And here’s Merrill’s description of what kind of records his ISP, Calyx, might have had on customers.

Calyx Internet Access, like most ISPs, collected a wide array of information about its clients. For a given client, we may have collected their [1] name, [2] address and [3] telephone number; [4] other addresses associated with the account; [5] email addresses associated with the account; [6] IP addresses associated with the account; [7] Uniform Resource Locator (URL) addresses assigned to the account; [8] activity logs for the account; [9] logs tracking visitors to the client’s website; [10] the content of a client’s electronic communications; [11] data files residing on Calyx’s server; [12] the client’s customer list; [13] the client’s bank account and [14] credit card numbers; [15] records relating to merchandise bought and sold; and the [16] date the account was opened or closed. [numbers 1 through 16 added]

FBI has submitted a counter-declaration (posted by Cryptome) that — even in its excessively redacted form — includes a number of interesting details.

FBI’s limited new admission

The FBI now concedes that it had publicly confirmed some aspects of what it asked for from Merrill. It specifically admits that “screen names or other online names associated with the account” and “all email addresses associated with the account” may be disclosed, as well as that the request involved an “account number” from an “Internet service provider” (though in the sections that must describe these requests, those phrases remain redacted).

In addition, this paragraph appears without redaction:

The NSA issued to [Merrill’s ISP] Calyx requested “the names, addresses, lengths of service and electronic communication transaction records, to include existing transaction/activity logs and all e-mail header information (not to include message content and/or subject fields)” for the email account [email protected].

FBI disses Merrill for interacting with his ISP client

Part of — potentially a big part of — the declaration seems to insinuate that Merrill’s lawsuit should be distrusted because he had a personal relationship with the target of the NSL. It describes,

Merrill stated that he previously “engaged in ongoing communications with [redacted] on a variety of issues,” including “topics related to politics and current events.”

Interestingly, the declaration makes clear the NSL — which was almost certainly authorized as a terrorism investigation — was authorized in Pittsburgh. I raise that because Pittsburgh’s FBI office was investigating a number of anti-war targets as terrorists in the 2004-timeframe. So I do wonder whether Merrill thought the investigation improper for that reason.

FBI mentions just one kind of Internet production as having moved to Section 215 orders

As I’ve noted, we know some production obtained until 2009 using NSLs has moved under Section 215. This paragraph seems to acknowledge that, even while saying the FBI may ignore what the Office of Legal Counsel has told it ECPA permits FBI to obtain using an NSL.

[Image: Merrill NSL to 215 paragraph]

Curiously, this pertains only to the second bullet of the request (above), of 17 categories of information, suggesting just one kind of production moved to Section 215 orders.

FBI doesn’t want you to know how much of your activities it can correlate by going to your ISP

The FBI has a separate paragraph addressing why it cannot reveal the other 15 categories of information it requested from Merrill 11 years ago. The paragraphs are worth reading, because they’re each somewhat different. Some say not just counterterrorism and counterintelligence investigations might be affected with the release of the information, some claim greater use than others, some warn that potential criminals might avoid turning over certain kinds of information (perhaps an alternate email or phone number?) if they knew it could be obtained via an NSL.

All seem to pretend that a lot of this isn’t already available from exhibits submitted in other cases.

As I noted in this post, for example, here’s what the government obtains from Google subpoenaing a Google voice account and then the underlying Google account as a whole.

[T]he two reports Google provided in response to administrative subpoenas for information on Shantia Hassanshahi, the guy caught using the DEA phone dragnet (these were subpoenas almost certainly used to parallel construct data obtained from the DEA phone dragnet and PRISM targeted at the Iranian, “Sheikhi,” they found him through), included:

  • a primary gmail account
  • two secondary gmail accounts
  • a second name tied to one of those gmail accounts
  • a backup email (Yahoo) address
  • a backup phone (unknown provider) account
  • Google phone number
  • Google SMS number
  • a primary login IP
  • 4 other IP logins they were tracking
  • 3 credit card accounts
  • Respectively 40, 5, and 11 Google services tied to the primary and two secondary Google accounts, much of which would be treated as separate, correlated identifiers

There’s surely a significant overlap between this list and the things FBI says Merrill can’t reveal because if he did, it would tip off intelligence and criminal targets that the FBI can obtain them (though as Merrill made clear in his description of what Calyx had to turn over, they had more details about the websites run under an account).

Ultimately, though, the FBI seems to want to prevent anyone from realizing how much information your Internet providers have — and can be forced to turn over — that correlate all your multiple identities online.

FBI’s false transparency going forward

There’s one more really funny part of this declaration. It notes that the Office of the Director of National Intelligence released a report in February claiming that “the FBI will now presumptively terminate National Security Letter nondisclosure orders at the earlier of three years after the opening of a fully predicated investigation or the investigation’s close.”

But it says it won’t have to comply with that policy for this NSL because “the investigation at issue here was closed prior to the implementation of the policy.”

One would think that they would reveal all these categories of information going forward if they were really going to comply with ODNI’s order.

Unless the FBI has already started to change the way they write NSLs (or perhaps plan on leaving more to verbal communications with Agents or some other means of communicating the list without including these descriptions) so as to get all the information without stating that they’re demanding all that information.

Richard Burr Wants to Label People Who Make Threats and Carry Guns “Terrorists”

The bill Senate Intelligence Chair Richard Burr released last Friday is bad enough for the way it expanded the existing illegal dragnet. I argued here Burr’s bill would give the Intelligence Community everything they lost in 2009 and 2011.

But there’s something just as troubling in Burr’s stack of additional goodies for the IC. As USA F-ReDux does, Burr’s bill extends maximum sentences for material support for terrorism. Both bills increase the maximum sentence under 18 USC 2339B, which prohibits material support for a terrorist group formally designated as such by the government. Burr would also increase the maximum sentence under 18 USC 2339A, which prohibits material support for people who may not be formally designated as terrorists, but who violate one of a bunch of other laws that are deemed terrorist acts. (Burr also tweaks the penalty for getting military training from terrorists in ways that might actually lower the punishment.)

The shocking move came in Burr’s proposal to add 18 USC 924(c) — which prohibits the “use, carrying, or possession of fire arms” during the commission of a crime of violence — among those crimes listed in 18 USC 2332b that make someone a terrorist.

Let me be clear: I’m in favor of doing whatever we can to keep guns out of the hands of terrorists and dangerous people, so much so my libertarian and gun activist friends surely consider me squishy on the Constitution.

But there are a number of reasons why making the possession of a gun while committing a crime of violence “a terrorist act” is a dangerous idea.

It starts from the fact that the term “crime of violence” is horribly vague (so much so that SCOTUS is reviewing a similar designation right now). It “has as an element the use, attempted use, or threatened use of physical force against the person or property of another.” That is, the “violence” may all stem from that perceived threat of physical force, which in turn may stem from someone’s possession of a gun (or, as often happens in our still very racially charged society, the possession of a gun by a particular kind of someone).

Then, to meet the terms of 18 USC 2332b that makes something a terrorist act, it may only involve a threat to “conspir[e] to destroy or damage any structure, conveyance, or other real or personal property within the United States.” As with the crime of violence, it may be the perceived threat of a crime, rather than a committed crime. And as one way to qualify under this provision, the act would be “calculate[d] to influence or affect the conduct of government by intimidation or coercion, or to retaliate against government conduct.”

Altogether, Burr’s proposed change could — if the Federal Government pushed far enough — get people labeled as terrorists for posing a threat or risk to the government while carrying a gun. The required element — beyond being or making a threat — is that gun, which, of course, is protected under the Constitution. The rest is just the risk to property in a way to influence politics. But ordinary dissidents and protestors intend to influence politics and have, at times, been called a threat to property, and looters who definitely (and indefensibly) destroy property have, throughout history, often been described as a “risk to the government” (and especially, a risk to law enforcement). Certainly dissidents should not be deemed terrorists because they carry guns and sit in the wrong park. And while looting is wrong, it’s not terrorism.

This might seem far-fetched, but one of the rare instances where non-Muslims have been charged as terrorists under a related provision — which deems even FBI-supplied bombs “Weapons of Mass Destruction” and therefore terrorist weapons — involved three guys tied to Occupy Cleveland who were caught in an FBI-crafted sting.

As with that case, the effect of labeling someone’s threat of violence a terrorist crime would involve expanding the potential sentences significantly, not to mention labeling someone a terrorist as they contemplated a jury trial. Since 9/11, jurors have been very credulous of evidence involving alleged terrorists, meaning it would become a lot easier for the government to win convictions even with dodgy evidence or (as in the Cleveland case) a plot invented by the FBI.

It probably, also, involves lots of extra investigative tools.

There are so many other ways to designate people who are really conspiring under the direction of actual terrorists as terrorists that this seems like dangerous overkill. It would invite Feds to label looters who happen to be armed or dissidents who mouth off and train with guns as terrorists — and thereby all their associates as material supporters of terrorism.

Richard Burr’s bill is horrible, as it is, for how it would expand the dragnet. But that he is, at the same time, envisioning dangerously expanding the definition of “terrorist” in a way that could be badly abused is another reason to distrust Burr’s effort to capitalize on fear-mongering around the PATRIOT reauthorization to expand the security state.

Administration Feeds Journalists Hints of More Secret Law … Journalists Instead Parrot “Russian Roulette” Line

Back in January, Charlie Savage revealed that in 2007 the FISC approved a secret interpretation of the Roving Wiretap provision, one of the provisions due to sunset Sunday night. To support a domestic content collection order targeting al Qaeda targets overseas, Judge Roger Vinson rubber-stamped DOJ’s argument that — because Congress had let it wiretap individual targets without naming each of the phones they were using, that also meant it could target al Qaeda as a target — without naming each of the phones and email addresses it was targeting until after tasking them [this sentence updated for accuracy].

Judge Vinson ruled that this procedure was a legitimate interpretation of FISA because of a provision Congress had added to the surveillance law in the Patriot Act. The provision created so-called roving wiretap authority, which allows the F.B.I. to get orders to swiftly follow targets who switch phones, telling the court about the new numbers later.

Public discussion of the purpose and meaning of roving wiretap authority has focused on targeting individual terrorists or spies who seek to evade detection. But Judge Vinson accepted a Justice Department proposition that the target could be Al Qaeda in general, so if the N.S.A. learned of a new Qaeda suspect, it could immediately collect his communications and get after-the-fact approval.

The government stopped using this particular application as it transitioned to Protect America Act (though it even grandfathered some of the existing targets tasked under the prior argument). But the premise — that DOJ can target entire communication nodes based on the argument that a specific target is using unknown accounts passing through that node — surely remains on the books.

This secret interpretation of the law may not be as outrageous as FISC’s redefinition of the word “relevant” to mean “all,” but it is nevertheless a fairly breathtaking argument, with potentially dangerous ongoing implications.

Yet, in spite of the fact that a top journalist (not some dirty hippie like me!) revealed this secret interpretation, the journalists who transcribed Administration claims that sunsetting PATRIOT would amount to playing “national security Russian roulette” have also transcribed Administration claims that they’re only using Roving Wiretaps individually.

A second tool is the “roving wiretap,” which enables the FBI to use one warrant to wiretap a spy or terrorist suspect who is constantly switching cellphones. Those two in particular are of “tremendous value,” the first official said.

We don’t know they’re using Roving Wiretaps to tap entire circuits anymore. But we know they can. That detail should be included in any description before a journalist parrots the Administration claim this is an “uncontroversial” authority. If it’s not controversial, it should be.

Ditto the Lone Wolf provision.

Reporters are reporting something that — 11 years after passage of the Lone Wolf provision — ought to raise serious questions (note: Lone Wolf was actually not part of the PATRIOT Act; it was passed in 2004 as part of the Intelligence Reform and Terrorism Prevention Act).

A third tool allows the FBI to surveil a “lone wolf” suspect who cannot be tied to a foreign terrorist group such as al-Qaeda. It has never been used, but officials said it is a valuable authority they do not want to lose.

That provision has been on the books for 11 years, and the FBI still says they have never used it but that, even though they have never used it, it is a valuable authority. It was not used in cases — such as that of Khalid Ali-M Aldawsari — that solidly fit the definition of a Lone Wolf. Even if the FBI found someone who they thought was an international terrorist but didn’t know to what group he belonged, they could get an emergency wiretap to help them find evidence.

So what “value” does the Lone Wolf provision have, if it’s not to authorize the wiretapping of Lone Wolves?

I think there’s increasing reason to ask whether this, like the Roving Wiretap, serves to justify some other secret law, allowing the government to spy on people against whom it has no evidence of ties to al Qaeda or any other terrorist group, but against whom it nevertheless wants to use its terrorist authorities.

We’re on the fifth or so reauthorization debate where FBI has said “we don’t use this thing but we find it very valuable anyway.” At some point, we need to start assuming that when they say they haven’t “used” it, they only mean in the literal sense, and they’re using it to support some secret, unintended purpose.

Rather than parroting Administration claims of “Russian roulette,” shouldn’t journalists be asking why, after 11 years, their claims of necessity make no sense?

DOJ IG Issues Yet Another Classified Report that Should Be Public Before Congress Votes on PATRIOT Act

DOJ’s Inspector General just announced it completed its draft report on the use of Pen Register/Trap and Trace between 2007 and 2009 15 months ago, but the Intelligence Community only finished its classification review last month. It has now issued a classified version of that report to the Judiciary and Intelligence Committees.

Department of Justice Inspector General Michael E. Horowitz today issued a classified report entitled, The Federal Bureau of Investigation’s Use of Pen Register and Trap and Trace Devices under the Foreign Intelligence Surveillance Act in 2007 through 2009. The Department of Justice (DOJ) Office of the Inspector General (OIG) completed a draft of this report in February 2014. At that time, we provided the draft report to DOJ, the Federal Bureau of Investigation (FBI), and the Intelligence Community to conduct factual accuracy and classification reviews. In May 2014, we circulated an updated draft report that reflected minor revisions made in response to the factual accuracy comments we received. We did not receive the final results of the classification reviews until April 30, 2015.

We are providing today’s classified report to the relevant Congressional oversight and intelligence committees, as well as to DOJ leadership offices. We recently submitted a short unclassified Executive Summary of the report to DOJ, the FBI, and the Intelligence Community for review. We will publicly release the Executive Summary as soon as that review is completed.

This is another report that should have been released long before the current debate on the PATRIOT Act. While PRTT is not among the authorities that sunset on Sunday, the issues surrounding the shut-down of the bulk Internet program in (around) October 2009 are central to the debate about the dragnet going forward, because “call” records are increasingly Internet records.

Moreover, the USA F-ReDux calls for “privacy guidelines” that I believe are still inadequate to protect US persons’ privacy in the ways the IC is likely using PRTT today. Plus, PRTT is likely used for applications — such as tower dumps and Stingrays — that affect the privacy of many people not otherwise targeted. Congress should have details about that before they legislate.

In addition, Richard Burr’s bill actually adopts a definition of “content” — excluding Dialing, Routing, Addressing, and Signaling data from the definition of content — that responds directly to the issues behind the Internet dragnet shutdown in 2009.

Last week, much of DC discovered for the first time — because of the delayed release of DOJ IG’s report on Section 215 — what I had been reporting for months: that the bulk of Section 215 orders actually collect bulky Internet data. That report also disclosed that, at least as used up until 2009 (that is, as FBI just started using 215 for that Internet collection), Section 215 wasn’t all that useful.

It is highly likely that the 15-month-old PRTT report DOJ’s IG just released would have information that is equally important to this debate.

But the public is not going to have access to it.

Behold, BR 15-24, the Longest-Serving Phone Dragnet Order Ever

By my calculation today marks the 91st day of the life of phone dragnet order BR 15-24, making it the longest running dragnet order ever. Though the order offered no explanation, FISC judge James Boasberg approved a 95-day expiration for this order back on February 26 so the dragnet order expiration would coincide with PATRIOT Act’s sunset.

It probably seemed wise at the time, but it definitely exacerbates the impact of Mitch McConnell’s miscalculation last week, as it means there is no grace period after the current order expires.

The 90-day renewals appear to arise out of both the Stellar Wind practice and the FISA Pen Register practice. Under the former, the Bush Administration reviewed the dragnet every 45 days to make sure it was still necessary and give it the appearance of oversight. (The renewal dates appear on this timeline.) When FISC approved the use of the Pen Register statute to collect the Internet dragnet, it adhered to that statute’s renewal process, which requires 90-day renewals. I assume the phone dragnet adopted the same, even though Section 215 has no renewal requirement, because the phone dragnet collected even more data than the Internet dragnet did.

So already, we’re a day longer than the spirit of the law should permit, four days before Sunday’s scheduled resolution (or lack thereof) of the current impasse.

Given Charlie Savage’s account, it appears the Administration did not — as ordered by Boasberg — brief the FISC on the impact of the 2nd Circuit decision if it would change the program. Rather, they’re just hiding out, hoping they don’t need to raise this or any other issue with regards to the dragnet with the FISC.

The Foreign Intelligence Surveillance Court had given the government a deadline of last Friday to file a new application to extend the bulk phone records program for 90 days. Given the disarray in the Senate and the looming deadline, the Justice Department did not file, the official said, speaking on condition of anonymity to discuss intelligence-related matters.

[snip]

The administration is holding to its decision not to invoke the grandfather clause to keep collecting bulk phone records past next Monday, the official said. But the government has not ruled out invoking such a clause for using the business records provision — as well as the other two powers that are expiring — to gather specific records for more routine investigations.

“We will not use the grandfather clause in the Patriot Act to continue the bulk metadata collection program; it would not be tenable for us to do so,” the senior official said.

“Thus, because of the pending sunset of the current authority, we have not filed an application with the FISA court to continue collection,” the official said, referring to the Foreign Intelligence Surveillance Act court, also known as FISC.

The official added, “We will consider, in light of our national security needs and the status of our authorities, whether to make an appropriate filing with the FISC about accessing previously collected metadata.”

[snip]

The administration is hoping to avoid any need to go to the court for permission to query already-acquired bulk phone data, which would raise additional legal complications.

But one plan being floated — Dianne Feinstein’s non-compromise compromise — would simply permit the FISC to extend the current order until a year after whenever her bill might be passed into law (which couldn’t be Sunday night), as if nothing had ever happened.

CONTINUED APPLICABILITY.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, the order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26, 2015, in Docket No. BR 15–24, may be extended by order of that court until the effective date established in subsection (a) [that is, one year after the passage of this bill]

In other words, Feinstein proposes to take a dragnet collecting the phone records of all Americans, and extend it for an entire year, when even a Pen Register targeting an individual would need to be formally renewed.

A Brief History of the PATRIOT Reauthorization Debate

I wanted to provide some background of how we got to this week’s PATRIOT Reauthorization debate to explain what I believe the surveillance boosters are really aiming for. Rather than a response to Edward Snowden, I think it is more useful to consider “reform” as an Intelligence Community effort to recreate functionalities they had and then lost in 2009.

2009 violations require NSA to start treating PATRIOT data like PATRIOT data and shut down automated functions

That history starts in 2009, when NSA was still operating under the system they had established under Stellar Wind while pretending to abide by FISC rules.

At the beginning of 2009, the NSA had probably close to full coverage of phone records in the US, and coverage on the most important Internet circuits as well. Contrary to the explicit orders of the FISC, NSA was treating all this data as EO 12333 data, not PATRIOT data.

On the Internet side, it was acquiring data that it considered Dialing, Routing, Addressing, and Signaling information but which also constituted content (and which violated the category limits Colleen Kollar-Kotelly had first imposed).

On the phone side, NSA was not only treating PATRIOT data according to NSA’s more general minimization procedures as opposed to those dictated by the FISC; in violation of those minimization procedures, NSA was also submitting phone dragnet data to all the automated procedures it submitted EO 12333 data to, which included automated searches and automatic chaining on other identifiers believed to belong to the same user (the latter of which NSA calls “correlations”). Either these procedures consisted of — or the data was also treated to — pattern analysis, chaining users on patterns rather than calls made. Of key importance, one point of having all the data in the country was to be able to run this pattern analysis. Until 2008 (and really until 2009) they were sharing the results of this data in real time.

Having both types of data allowed the NSA to chain across both telephony and Internet data (obtained under a range of authorities) in the same query, which would give them a pretty comprehensive picture of all the communications a target was engaging in, regardless of medium.

I believe this bucolic state is where the surveillance hawks want us to return to. Indeed, to a large extent that’s what Richard Burr’s bill does (with a lot of obstructive measures to make sure this process never gets exposed again).

But when DOJ disclosed the phone violations to FISC in early 2009, they shut down all those automatic processes. And Judge Reggie Walton took over 6 months before he’d even let NSA have full ability to query the data.

Then, probably in October 2009, DOJ finally confessed to FISC that every single record NSA had collected under the Internet dragnet for five years violated Kollar-Kotelly’s category rules. Walton probably shut down the dragnet on October 30, 2009, and it remained shut down until around July 2010.

At this point, not only didn’t NSA have domestic coverage that included Internet and phone, but the phone dragnet was a lot less useful than all the other phone data NSA collected because NSA couldn’t use its nifty automatic tools on it.

Attempts to restore the pre-2009 state

We know that NSA convinced John Bates to not only turn the Internet dragnet back on around July 2010 (though it took a while before they actually turned it on), but to expand collection to some or all circuits in the US. He permitted that by interpreting anything that might be Dialing, Routing, Addressing, and Signaling (DRAS) to be metadata, regardless of whether it also was content, and by pointing back to the phone dragnet to justify the extension of the Internet dragnet. Bates’ fix was short-lived, however, because by 2011, NSA shut down that dragnet. I wildarseguess that may be partly because DOJ knew it was still collecting content, and Bates had told NSA that if it knew it was collecting content with upstream collection, it would be illegal (NSA destroyed the Internet dragnet data at the same time it decided to start destroying its illegal upstream data). I also think there may have been a problem with Bates’ redefinition of DRAS, because Richard Burr explicitly adopted Bates’ definition in his bill, which would have given Bates’ 2010 opinion congressional sanction. As far as we know, NSA has been coping without the domestic Internet dragnet by collecting on US person Internet data overseas, as well as off PRISM targets.

Remember, any residual problems the Internet dragnet had may have affected NSA’s ability to collect any IP-based calls or at least messaging.

Meanwhile, NSA was trying to replace the automated functions it had up until 2009, and on November 8, 2012, the NSA finally authorized a way to do that. But over the next year plus, NSA never managed to turn it on.

The phone records gap

Meanwhile, the phone dragnet was collecting less and less of the data out there. My current theory is that the gap arose because of two things involving Verizon. First, in 2009, part or all of Verizon dropped its contract with the FBI to provide enhanced call records first set up in 2002. This meant it no longer had all its data collected in a way that was useful to FBI that it could use to provide CDRs (though Verizon had already changed the way it complied with phone records in 2007, which had, by itself, created some technical issues). In addition, I suspect that as Verizon moved to 4G technology it didn’t keep the same kind of records for 4G calls that transited its backbone (which is where the records come from, not from customer bills). The problems with the Internet dragnet may have exacerbated this (and in any case, the phone dragnet orders only ask for telephony metadata, not IP metadata).

Once you lose cell calls transiting Verizon’s backbone, you’ve got a big hole in the system.

At the same time, more and more people (and, disproportionately, terrorist targets) were relying more and more on IP-based communications — Skype, especially, but also texting and other VOIP calls. And while AT&T gets some of what crosses its backbone (and had and still has a contract for that enhanced call record service with the FBI, which means it will be accessible), a lot of that would not be available as telephony. Again, any limits on Internet collection may also impact IP-based calls and messaging.

Edward Snowden provides a convenient excuse

Which brings you to where the dragnets were in 2013, when Edward Snowden alerted us to their presence. The domestic PATRIOT-authorized Internet dragnet had been shut down (and with it, potentially, Internet-based calls and messaging). The phone dragnet still operated, but there were significant gaps in what the telecoms would or could turn over (though I suspect NSA still has full coverage of data that transits AT&T’s backbone). And that data couldn’t be subjected to all the nifty kinds of analysis NSA liked to subject call data to. Plus, complying with the FISC-imposed minimization procedures meant NSA could only share query results in limited situations and even then with some bureaucratic limits. Finally, it could only be used for counterterrorism programs, and such data analysis had become a critical part of all of NSA’s analysis, even including US collection.

And this is where, I suspect, all those stories about NSA already considering, in 2009 and in 2013, shutting down the dragnet come from. As both Ken Dilanian stories on this make clear, DOJ believed they could not achieve the same search results without a new law passed by Congress. Bob Litt has said the same publicly. Which makes it clear these are not plain old phone records.

So while Edward Snowden was a huge pain in the ass for the IC, he also provided the impetus to make a decision on the phone dragnet. Obama made a big show of listening to his Presidential Review Group and PCLOB, both of which said to get rid of it (the latter of which said it was not authorized by Section 215). But — as I noted at the time — moving to providers would fix some of their problems.

In their ideal world, here’s what we know the IC would like:

  • Full coverage on both telephony and IP-based calls and messaging and — ideally — other kinds of Internet communications
  • Ability to share promiscuously
  • Ability to use all NSA’s analytical tools on raw data (the data mandates are about requiring some kind of analytical work from providers)
  • Permission to use the “call” function for all intelligence purposes
  • Ability to federate queries with data collected under other authorities

And the IC wants this while retaining Section 215’s use of bulky collections that can be cross-referenced with other data, especially the other Internet collection it conducts using Section 215, which makes up a majority of Section 215 orders.

Those 5 categories are how I’ve been analyzing the various solutions (which is one of about 10 reasons I’m so certain that Mitch McConnell would never want straight reauthorization, because there’s nothing that straight reauthorization would have ratified that would have fixed the existing problems with the dragnet), while keeping in mind that as currently constructed, the Internet 215 collection is far more important to the IC than the phone dragnet.

How the bills stack up

USA F-ReDux, as currently incarnated, would vastly expand data sharing, because data would come in through FBI (as PRISM data does) and FBI metadata rules are very permissive. And it would give collection on telephony and IP-based calls (probably not from all entities, but probably from Apple, Google, and Microsoft). It would not permit use for all intelligence purposes. And it is unclear how many of NSA’s analytical tools they’d be able to use (I believe they’d have access to the “correlations” function directly, because providers would have access internally to customers’ other accounts, but with the House report, other kinds of analysis should be prohibited, though who knows what AT&T and Microsoft would do with immunity). The House report clearly envisions federated queries, but they would be awkward to integrate with the outsourced collection.

Burr’s bill, on the other hand, would expand provider-based querying to all intelligence uses. But even before querying might — maybe — probably wouldn’t — move to providers in 2 years, Burr’s bill would have immediately permitted NSA to obtain all the things they’d need to return to the 2009 bucolic era where US collected data had the same treatment as EO 12333 collected data. And Burr’s bill would probably permit federated queries with all other NSA data. This is why, I think, he adopted EO 12333 minimization procedures, which are far more restrictive than what will happen when data comes in via FBI: since the data will continue to come in in bulk, it needs to have an NSA minimization procedure. Burr’s bill would also sneak the Section 215 Internet collection back into NSL production, making that data more promiscuously available as well.

In other words, this is why so many hawks in the House are happy to have USA F-ReDux: because it is vastly better than the status quo. But it’s also why so many hawks in the Senate are unsatisfied with it: because it doesn’t let the IC do the other things — some of the analytical work and easy federated queries — that they’d like, across all intelligence functions. (Ironically, that means even while they’re squawking about ISIS, the capabilities they’d really like under Burr’s bill involve entirely other kinds of targets.)

A lot of the debate about a phone dragnet fix has focused on other aspects of the bill — on transparency and reporting and so on. And while I think those things do matter (the IC clearly wants to minimize those extras, and had gutted many of them even in last year’s bill), what really matters are those 5 functionalities.