Feinstein Enters the Non-Compromise Compromise Fray (Working Thread)

Dianne Feinstein is the latest member of Congress to offer a non-compromise compromise to replace the compromise USA F-ReDux, this time with a bill that would:

  • Impose a 2-year data mandate in some cases (which would affect Apple and Verizon most immediately)
  • Extend the current dragnet order — which is already 89 days old — for an entire year
  • Require certification that the providers could provide phone data before moving over to the replacement system before that year runs out
  • Retain Richard Burr’s Section 215-specific Espionage Act imposing 10 year penalties on anyone who tells us what the intelligence community is really doing with the call records program
  • Retain Richard Burr’s counter-productive amicus provision
  • Revamp USA F-ReDux’s transparency provisions in ways that are less dishonest but just as useless
  • For key authorities, allow any member of Congress (under certain limits) to learn how the government is using them

This will be a working thread.

Update: Just to clarify, I believe Feinstein’s bill is almost certainly supposed to be the “face-saving” version of USA F-ReDux referred to in this article.

Feinstein accomplishes this:

Some leaders of the House Intelligence Committee, along with supporters in the Senate, hope they can assuage the concerns of Senate Republicans by adding a certification process to ensure that telephone companies had developed the technology they needed to store the reams of data that were now gathered by the government. If the technology could not be certified, a longer transition period would kick in.

In Section 108, with the certification process.

Feinstein adds an odd data mandate — not listed in this story but a key complaint from Mitch and others — in Section 101 (page 4).

And Feinstein responds to this request,

Republicans have also expressed a desire to protect the phone companies against harassment from privacy activists over their participation in a new surveillance program.

By adopting the Section 215 dedicated Espionage Act at Section 501.


(3) DiFi’s bill explicitly permits the government to get call detail records in the old way.

(4) DiFi’s bill tweaks USA F-ReDux’s call chaining language for use with “individuals” who are not agents of foreign powers engaged in international terrorism. Those would be US persons.

(5) The data mandate is really fascinating. It only requires a company to retain data after getting a request but is vague about how much data must be retained (which is likely “all”).

(3) may include a request for an order that requires each recipient of the order under this section to retain the call detail records for up to 24 months from the date the call detail record was initially generated—

(A) if the request includes a certification made by the Director of the Federal Bureau of Investigation that the Government has reason to believe that the recipient of the order being applied for is not retaining call detail records for a period of up to 24 months and that the absence of call detail records for that period of time is resulting in, or is reasonably likely to result in, the loss of foreign intelligence information relevant to an authorized investigation; and

(B) if the order provides that call detail records retained solely for purposes of complying with an order under this section may only be produced pursuant to an order under this section.

It’s an odd construct (though it does try to keep the records out of the hands of divorce lawyers, which I guess is good). Obviously, the government will have the records they actually ask for at any given time. So what it suggests is this will be a mandate on some or the entire universe of the providers’ existing records so they can do pattern analysis.

(7) The scheme for call detail records is the same as in USA F-ReDux, but absent the HJC report language saying it can’t involve analysis I assume it does.

(12) DiFi retains the minimization procedures from USA F-ReDux.

(14) The bill adds immunity for records retention.

(17) The “limitation” language is different, and adds “indiscriminate.” Again, this still uses the IC definition of bulk, though, which is meaningless, even modified by “indiscriminate.” SST is the same, including the narrower limit for CDR function.

(19) DiFi eliminates IG reports, I guess because they show how sloppily these things are run and how generally useless they are.

(19) Here’s how DiFi deals w/Burr’s transition canard.

IN GENERAL.—The amendments made by sections 101 through 107 shall take effect on the date that is 180 days after the date of the enactment of this Act unless the President certifies to the appropriate committees of Congress that the transition from the existing procedures for the production of business records under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.), as in effect prior to the effective date for the amendments made by section 101 through 107, to the new procedures, as amended by sections 101 through 107, is not sufficiently operational to allow the timely retrieval of foreign intelligence information from recipients of an order under section 501 of such Act.

(2) EXTENSION FOR CERTIFICATION.—If the President makes a certification described in paragraph (1), the amendment made by sections 101 through 107 shall take effect on the date, that may be up to 1 year after the date of the enactment of this Act, that the President determines that the transition referred to in such paragraph is sufficiently operational to allow the timely retrieval of foreign intelligence information from recipients of an order under section 501 of such Act.

(3) LIMITATION ON TRANSITION PERIOD.—If the President makes a certification under paragraph (1) and does not determine an effective date under paragraph (2), the amendments made by sections 101 through 107 shall take effect on the date that is 1 year after the date of the enactment of this Act.

(b) NO EFFECT ON PRIOR AUTHORITY.—Nothing in this Act, or any amendment made by this Act, shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) as in effect on May 31, 2015, during the period ending on such effective date.

(c) TRANSITION.—

(1) ORDERS IN EFFECT ON MAY 31, 2015.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, any order issued or made under title V of the Foreign Intelligence Surveillance Act of 1978 and in effect on May 31, 2015, shall continue in effect until the date of the expiration of such order.

(2) CONTINUED APPLICABILITY.—Notwithstanding any other provision of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.) or this Act or any amendment made by this Act, the order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26, 2015, in Docket No. BR 15–24, may be extended by order of that court until the effective date established in subsection (a).

(3) USE OF INFORMATION.—

(A) IN GENERAL.—Information acquired from the call detail records pursuant to an order issued under section 501 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861) prior to the effective date in subsection (a) may continue to be used after the effective date of this Act, subject to the limitation in subparagraph (B).

(B) DESTRUCTION OF INFORMATION.—

Any record produced under any order entered by the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a)) on February 26, 2015, in Docket No. BR 15–24, or any predecessor order for such an order shall be destroyed no later than 5 years after the date such record was initially collected. Until that time, such a record may be used in accordance with the purpose prescribed and the procedures established in such order.

(23) DiFi’s bill takes out this language, which was in USA F-ReDux, in the PRTT section, but it does retain privacy procedures.

(C) For purposes of subparagraph (A), the term ‘address’ means a physical address or electronic address, such as an electronic mail address or temporarily assigned network address (including an Internet protocol address).

(24) DiFi includes bulk controls on NSLs, but not the gag fix.

(26) The 215 reporting takes out the reporting on bulk collection to Congress that was in USA F-ReDux. Sharing of this is extended to everyone in Congress whom the HPSCI chair likes.

(33) DiFi gets rid of two-track reporting on all non-215 and consolidates it. The reporting is somewhat different (for example, Congress will no longer know when something has been used in a trial). DiFi pretends to extend this reporting to everyone in Congress, but since it’s subject to Congressional rules that will only happen in the Senate.

(40) DiFi does include significant matter of law reporting to the appropriate committees (which exists).

(45) DiFi continues Burr’s Espionage Act.

(47) The amicus curiae is the John Bates Richard Burr version, which I think might be counterproductive.

(55) DiFi requires agencies that have not established minimization procedures required under the original EO 12333. See this post for more background.

Why Does Richard Burr Think It Will Take Four Times Longer To Set Up a Metadata Compliance System than a Content One?

On November 8, 2007, Yahoo received its first order to comply with the Protect America Act, the original law authorizing PRISM. Yahoo immediately told DOJ it would challenge the order. On May 12, 2008 — even as Yahoo appealed FISC’s order to comply with those PAA orders — Yahoo started complying with its PAA orders.

It took 185 days for Yahoo to set up a content compliance system under PRISM and challenge the underlying orders. And along the way, FBI’s requests expanded, from just a few items to nine, which appear to span the four business units Yahoo had at the time. Yet even in spite of FBI’s moving target and its ongoing legal challenge, Yahoo was able to start complying in about 6 months.

And yet Richard Burr believes — rather, claims to believe — that providers who already have sophisticated compliance systems (either under upstream and daily call records production, in the case of the telecoms, or PRISM production, in the case of other providers, not to mention that AT&T already provides roughly what it will under the new program under a contract with the FBI) will not be able to implement a system that will allow them to turn over phone records within 180 days.

Now, perhaps Burr really believes it will be tougher for providers to set up a metadata compliance system than to set up content compliance systems that involve a heavy metadata component.

If so, that ought to raise real questions about what he thinks these providers will be doing, because it won’t just be turning over metadata.

Alternately, he’s wielding his ridiculous concerns about compliance for the same hoped effect as his bill did. He claimed that bill would institute a 2-year transition period for this program, but what it did in fact was to immediately grant the Intelligence Community all the authorities it has wanted, vastly expanding the dragnet. Then, a year after giving the IC everything it wanted, it would conduct a 1-year review (before any transition happened) that would show that it would be cheaper for the government to remain in the dragnet business. Only after 2 years would any “transition” happen, and it would in fact happen, if it did, immediately, with no transition period (though it probably never would happen, given that the IC would have already gotten everything it wanted).

That is, Burr’s claim that providers that have been complying with significant government requests for 7 years would need 2 more years to learn how to do it is probably just a bid to prevent the move to providers in the first place, a bid to have one more chance to argue in 6 months or a year or 2 years that it’s okay for the government to hold onto all our phone and Internet metadata.

But if not — if the new system will require more from providers than it did when they started turning over records under PRISM — then that is itself news.

Devin Nunes Will Let Dragnet Lapse So Mitch McConnell Can Save Face?!?!

NYT has a remarkable article describing how a number of hawks are willing to risk letting PATRIOT Act authorities lapse so Mitch McConnell can save face.

Senior lawmakers are scrambling this week in rare recess negotiations to agree on a face-saving change to legislation that would rein in the National Security Agency’s dragnet of phone records, with time running out on some of the government’s domestic surveillance authority.

[snip]

If negotiators accept minor changes to the House bill, it will mark a significant retreat for Senator Mitch McConnell of Kentucky, the majority leader, and Senator Richard M. Burr of North Carolina, the chairman of the Senate Intelligence Committee.

Sadly, the NYT continues the typically credulous mainstream reporting on this topic. For example, Mitch McConnell never really wanted a straight reauthorization.

Mr. McConnell and Mr. Burr wanted a straight extension of the existing surveillance authority, although an appeals court judge ruled this month that such authority was illegal.

False. Burr revealed what they want Friday night. They want to move bulky Internet production back to NSLs. They want to expand the current dragnet to include Internet calls and even straight IP (and, oddly, documents!), and they want to expand it well beyond its counterterrorism focus to include all foreign intelligence. They want to criminalize whistleblowing about this law in particular. They want to eliminate all special privacy protections — over the standard NSA ones — for US persons.

And very importantly, they want to use the claim to need a 2-year transition period to finally obtain the authorities for NSA to conduct the bulk collection they actually want to do, in which place they’ll be well positioned to claim having the government retain the data is most efficient.

I could go on. But after Friday night no journalists with any self-respect should propagate Mitch’s “straight reauthorization” canard, which — it was clear over a month ago — was only ever a negotiating tactic.

NYT also falsely claims Burr wants just Lone Wolf and Roving Wiretap made permanent.

Mr. Burr wants the so-called lone wolf and roving authorities to be made permanent to avoid cliffhangers like the one Congress finds itself in now. The House bill would extend them to December 2019.

The title to that section of Burr’s bill reads,

PERMANENT AUTHORITY FOR ACCESS TO BUSINESS RECORDS, ROVING SURVEILLANCE, AND INDIVIDUAL TERRORISTS AS AGENTS OF FOREIGN POWERS UNDER THE FOREIGN INTELLIGENCE SURVEILLANCE ACT OF 1978 [my emphasis]

And the language of it repeals both parts of both laws that include a sunset.

But the really absurd part of this story — and to be fair, NYT has to report these arguments as if they’re serious, and I should be grateful they have been recorded in all their absurdity — is that Burr and Nunes are now claiming that the largest phone companies in the US don’t know how to 1) store data, or 2) “search stored phone data after a warrant [actually, a Reasonable Articulable Suspicion order, not a warrant] is issued, then communicate the results to the government.”

The two men have said phone companies, which would collect the data instead of the N.S.A. under the USA Freedom Act, are not equipped to handle the task.

[snip]

Leaders of the House Intelligence and Judiciary Committees from both parties, along with supporters in the Senate, said they could assuage the concerns of Senate Republicans by adding a certification process to ensure that telephone companies had developed the technology they needed to store the reams of data that were now gathered by the government. If the technology could not be certified, a longer transition period would kick in.

Mr. Burr said he would like that period to be two years, a proposal not very likely to be accepted by the House.

“The question is whether the technology can be developed in time, over a six-month window,” Mr. Nunes said in an interview. “I think it can be. I was at N.S.A. reviewing this 10 days ago.”

He added: “We believe six months works, but it wouldn’t be bad to have a little longer.”

But even that change has irked lawmakers, who worked for months on the compromise that passed the House. Representative Adam B. Schiff of California, the ranking Democrat on the House Intelligence Committee, said the technology in question — the ability to search stored phone data after a warrant is issued, then communicate the results to the government — was “a pretty minor deal” that could easily meet a certification deadline.

The men overseeing our intelligence community claim to not understand that phone companies store this information — and respond to lawful government requests for it — every day.

In truth, this is likely another ploy to expand the role of providers down the road (as happened under PRISM), after we’ve all become less vigilant — beyond simply providing phone records (as these silly Congressmen claim) to doing far more analysis.

After all, the only way these claims make sense is if the government expects to get real pushback from providers going forward — and that’s not going to happen if all they want is call records delivered to the government, which telecoms have been doing forever.

So that’s the likely play: to set up some mechanism whereby the hawks can claim — in 6 months’ time — that telecoms are unwilling or unable (the same standard they use for drones killing!) to do what the government will ask. At which point we’ll be fighting to get the government out of an expanded dragnet business.

One more thing.

The Republicans also claim that the telecoms have been harassed by privacy advocates.

Republicans have also expressed a desire to protect the phone companies against harassment from privacy activists over their participation in a new surveillance program.

This is likely a bid to do something to shroud the dragnets (it won’t be just telecom going forward) in secrecy from here on out. Probably not the act-specific Espionage Act, like Burr wants, but probably some other means to ensure that no one ever gets standing to challenge what will still be an unconstitutional program going forward.

I guess they hope we won’t notice because we’re laughing at their other batty excuses so hard?

I’m Shocked, Shocked, to Find that Lying Is Going on in the Senate

As I noted here, given the content of the radical bill Richard Burr introduced on Friday, it appears likely that his claim Section 215 supported an IP dragnet was no misstatement, as he claimed when I called him on it. But that — and the misstatements Mitch McConnell made on Friday about the bill — are not the only lies the authoritarians have been telling.

Just after USA F-ReDux failed in the Senate Friday night and Barbara Boxer tried to call it back up for a vote, Mitch McConnell falsely claimed that Dianne Feinstein was involved in Burr’s radical bill. Senator Feinstein actually had to interrupt and point out that not only doesn’t she think Burr’s bill is the way to go, but that pushing for it might put all the expiring provisions at risk. (h/t Steven Aftergood for pulling Congressional Research Service records)

McCONNELL. Mr. President, the Senate has demonstrated that the House-passed bill lacks the support of 60 Senators. I would urge a “yes” vote on the 2-month extension. Senator Burr, the chairman of the Intelligence Committee, and Senator Feinstein, the ranking member, as we all know, have been working on a proposal that they think would improve the version that the Senate has not accepted that the House sent over. It would allow the committee to work on this bill, refine it, and bring it before us for consideration. So the 2-month extension, it strikes me, would be in the best interest of getting an outcome that is acceptable to both the Senate and the House and hopefully the President.

[snip]

Mrs. FEINSTEIN. Mr. President, if I may a point of personal privilege. Mr. President, I would like to correct the majority leader, regretfully. I did not support the Burr bill. I do not believe that is the way to go. I have taken a good look at this. For those who want reform and want to prevent the government from holding the data, the FREEDOM Act is the only way to do it. The House has passed it. The President wants it. All of the intelligence personnel have agreed to it, and I think not to pass that bill is really to throw the whole program–that whole section 215 as well as the whole business records, the “lone wolf,” the roving wiretaps–into serious legal jeopardy.

That is, of course, precisely what has happened. In his bid to ram through Burr’s expanded dragnet, Mitch has now made it increasingly likely that all the expiring provisions will lapse on June 1.

Mitch McConnell Suggests He Wants a Bulk Document Collection System

On May 7, the very same day the Second Circuit ruled that Congress has to say specifically what a surveillance bill means for the bill to mean that thing, Richard Burr engaged in a staged colloquy on the Senate floor where he claimed that the Section 215 bulk collection program collects IP addresses. After Andrew Blake alerted me to that and I wrote it up, Burr stuffed the claim into the memory hole and claimed, dubiously, to have made a misstatement in a planned colloquy.

Then, after Mitch McConnell created a crisis by missing the first Section 215 reauthorization deadlines, Burr submitted a bill that would immediately permit the bulk collection of IP addresses, plus a whole lot more, falsely telling reporters this was a “compromise” bill that would ensure a smooth transition between the current (phone) dragnet and its replacement system.

Which strongly suggests Burr’s initial “misstatement” was simply an attempt to create a legislative record approving a vast expansion of the current dragnet that, when he got caught, led Burr to submit a bill that actually would implement that in fact.

This has convinced me we’re going to need to watch these authoritarians like hawks, to prevent them from creating the appearance of authorizing vast surveillance systems without general knowledge that’s what’s happening.

So I reviewed the speech Mitch made on Friday (this appears after 4:30 to 15:00; unlike Burr’s speech, the congressional record does reflect what Mitch actually said; h/t Steve Aftergood for Congressional Record transcript). And amid misleading claims about the “compromise” bill Burr was working on, Mitch suggested something remarkable: among the data he’s demanding be retained are documents, not just call data.

I’ve placed the key part of Mitch’s comments below the rule, with my interspersed comments. As I show, one thing Mitch does is accuse providers of an unwillingness to provide data when in fact what he means is far more extensive cooperation. But I’m particularly interested in what he says about data retention:

The problem, of course, is that the providers have made it abundantly clear that they will not commit to retaining the data for any period of time as contemplated by the House-passed bill unless they are legally required to do so. There is no such requirement in the bill. For example, one provider said the following: “[We are] not prepared to commit to voluntarily retain documents for any particular period of time pursuant to the proposed USA FREEDOM Act if not otherwise required by law.”

Now, one credulous journalist told me the other day that telecoms were refusing to speak to the Administration at all, which he presumably parroted from sources like Mitch. That’s funny, because not only did the telecom key to making the program work — Verizon — provide testimony to Congress (which is worth reviewing, because Verizon Associate General Counsel — and former FBI lawyer — Michael Woods pointed to precisely what the dragnet would encompass under Burr’s bill, including VOIP, peer-to-peer, and IP collection), but Senator Feinstein has repeatedly made clear the telecoms have agreed with the President to keep data for two years.

Furthermore, McConnell’s quotation of this line from a (surely highly classified) letter cannot be relied on. Verizon at first refused to retain data before it made its data handshake with the President. So when did this provider send this letter, and does their stance remain the same? Mitch doesn’t say, and given how many other misleading comments he made in his speech, it’s unwise to trust him on this point.

Most curiously, though, look at what they’re refusing to keep. Not phone data! But documents.

Both USA F-ReDux and Burr’s bill only protect messaging contents, not other kinds of content (and Burr’s excludes anything that might be Dialing, Routing, Addressing, and Signaling data from his definition of content, which is the definition John Bates adopted in 2010 to be able to permit NSA to resume collecting Internet metadata in bulk). Both include remote computing services (cloud services) among the providers envisioned to be included not just under the bill, but under the “Call Detail Record” provision.

Perhaps there’s some other connotation for this use of the word “documents.” Remember, I think the major target of data retention mandates is Apple, because Jim Comey wants iMessage data that would only be available from their cloud.

But documents? What the hell kind of “Call Detail Records” is Mitch planning on here?

One more thing is remarkable about this. Mitch is suggesting it will take longer for providers to comply with this system than it took them to comply with Protect America Act. Yahoo, for example, challenged its orders and immediately refused to comply on November 8, 2007. Yet, even in spite of challenging that order and appealing, Yahoo started complying with it on May 5, 2008, that same 180-day time frame envisioned here. And virtually all of the major providers already have some kind of compliance mechanism in place, either through PRISM (Apple, Google, and Microsoft) or upstream 702 compliance (AT&T and Verizon).

Mitch McConnell and Richard Burr’s Authoritarian Power Grab Fails

Last night, Mitch McConnell dealt himself a humiliating defeat. As I correctly predicted a month before events played out, McConnell tried to create a panic that would permit him and Richard Burr to demand changes — including iMessage retention, among other things — to USA F-ReDux. That is, in fact, what Mitch attempted to do, as is evident from the authoritarian power grab Burr released around 8:30 last night (that is, technically after the Administration had already missed the FISA Court deadline to renew the dragnet).

Contrary to a lot of absolutely horrible reporting on Burr’s bill, it does not actually resemble USA F-ReDux.

As I laid out here, it would start by gutting ECPA, such that the FBI could resume using NSLs to do the bulky Internet collection that moved to Section 215 production in 2009.

It also vastly expanded the application of the call record function (which it very explicitly applied to electronic communications providers, meaning it would include all Internet production, though that is probably what USA F-ReDux does implicitly), such that it could be used against Americans for any counterterrorism or counterintelligence (which includes leaks and cybersecurity) function, and for foreigners (which would chain onto Americans) for any foreign intelligence purpose. The chaining function includes the same vague language from USA F-ReDux which, in the absence of the limiting language in the House Judiciary Committee bill report, probably lets the government chain on session identifying information (like location and cookies, but possibly even things like address books) to do pattern analysis on providers’ data. Plus, the bill might even permit the government to do this chaining in provider data, because it doesn’t define a key “permit access” term.

Burr’s bill applies EO 12333 minimization procedures (and notice), not the stronger Section 215 ones Congress mandated in 2006; while USA F-ReDux data will already be shared far more widely than it is now, this would ensure that no defendant ever gets to challenge this collection. It imposes a 3-year data retention mandate (which would be a significant new burden on both Verizon and Apple). It appears to flip the amicus provision on its head, such that if Verizon or Apple challenged retention or any other part of the program, the FISC could provide a lawyer for the tech companies and tell that lawyer to fight for retention. And in the pièce de résistance, the bill creates its very own Espionage Act imposing 10 year prison terms for anyone who reveals precisely what’s happening in this expanded querying function at providers.

It is, in short, the forced-deputization of the nation’s communications providers to conduct EO 12333 spying on Americans within America.

Had Mitch had his way, after both USA F-ReDux and his 2-month straight reauthorization failed to get cloture, he would have asked for a week extension, during which the House would have been forced to come back to work and accept — under threat of “going dark” — some of the things demanded in Burr’s bill.

It didn’t work out.

Sure, both USA F-ReDux (57-42) and the short-term reauthorization (45-54) failed cloture votes.

But as it was, USA F-ReDux had far more support than the short-term reauthorization. Both McConnell and Rand Paul voted against both, for very different reasons. The difference in the vote results, however, was that Joe Donnelly (D), Jeff Flake (R), Ron Johnson (R), James Lankford (R), Bill Nelson (D), Tim Scott (R), and Dan Sullivan (R) voted yes to both. McConnell’s preferred option didn’t even get a majority of the vote, because he lost a chunk of his members.

Then McConnell played the hand he believed would give himself and Burr leverage. The plan — as I stated — was to get a very short term reauthorization passed and in that period force through changes with the House (never mind that permitting that to happen might have cost Boehner his Speakership, that’s what McConnell and Burr had in mind).

First, McConnell asked for unanimous consent to pass an extension to June 8. (h/t joanneleon for making the clip) But Paul, reminding that this country’s founders opposed General Warrants and demanding 2 majority vote amendments, objected. McConnell then asked for a June 5 extension, to which Ron Wyden objected. McConnell asked for an extension to June 3. Martin Heinrich objected. McConnell asked for an extension to June 2. Paul objected.

McConnell’s bid failed. And he ultimately scheduled the Senate to return on Sunday afternoon, May 31.

By far the most likely outcome at this point is that enough Senators — likely candidates are Mark Kirk, Angus King, John McCain, Joni Ernst, or Susan Collins — flip their vote on USA F-ReDux, which will then be rushed to President Obama just hours before Section 215 (and with it, Lone Wolf and Roving Wiretaps) expires on June 1. But even that (because of when McConnell scheduled it) probably requires Paul to agree to an immediate vote.

But if not, it won’t be the immediate end of the world.

On this issue, too, the reporting has been horrible, even to the point of almost universal misrepresentation of what Jim Comey said about the importance of expiring provisions — I’ve laid out what he really said and what it means here. Comey cares first and foremost about the other Section 215 uses, almost surely the bulky Internet collection that moved there in 2009. But because those orders are tied to existing investigations (of presumably more focused subject than the standing counterterrorism investigation to justify the phone dragnet), they will be grand-fathered at least until whatever expiration date they have hits, if not longer. So FBI will be anxious to restore that authority (or move it back to NSLs as Burr’s bill would do), especially since unlike the phone dragnet, there aren’t other ways to get the data. But there’s some time left to do that.

Comey also said the Roving Wiretap is critical. I’m guessing that’s because they use it to target things like Tor relays. But if that’s the primary secretly redefined function, they likely have learned enough about the Tor relays they’re parked on to get individual warrants. And here, too, the FBI likely won’t have to detask until expiration dates on these FISA orders come due.

As for the phone dragnet and the Lone Wolf? Those are less urgent, according to Comey.

Now, that might help the Republicans who want to jam through some of Burr’s demands, since most moderate reformers assume the phone dragnet is the most important function that expires. Except that McConnell and others have spent so long pretending that this is about a phone dragnet that in truth doesn’t really work, that skittish Republicans are likely to want to appear to do all they can to keep the phone dragnet afloat.

As I said, the most likely outcome is that a number of people flip their vote and help pass USA F-ReDux.

But as with last night’s “debate,” no one really knows for sure.

Working Thread Burr’s 11 Bullet Points

Update May 31: I’m doing a second read of the bill and will put new things I find here in correct page order. I’ve corrected any previous errors I made with strike through. 

Richard Burr finally released the bill he pulled out of his ass. This will be a working thread.

(4) The bill defines Dialing, Routing, Addressing, and Signaling information as not-content, which would make it permissible to collect things like URLs.

(6) Look, they expanded their bulk carve-out to cloud providers.

(ii) an electronic communication service provider, when not used as part of a specific term as described in subparagraph (A), unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.

(7) SPECIFIC SELECTION TERM.—The term ‘specific selection term’—

(A) means a term or set of terms that identifies or describes a person, account, address, or personal device, or another specific term, that is used by the Government to limit the scope of tangible things sought to the greatest extent reasonably practicable, consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information; and

(B) does not include a term that solely identifies—

(i) a broad domestic geographic region, including the United States, a State, county, city, zip code, or area code, when not used as part of a specific term as described in subparagraph (A); or

(ii) an electronic communication service provider, when not used as part of a specific term as described in subparagraph (A), unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.

I’ve long noted that this language — which would prevent you from using a phone or email provider’s corporate name as your sole discriminator — did not include non-communications providers (like Western Union or Chase). But they’ve now excluded remote computing services (cloud providers) from that. Meaning they can do bulk on non-comm corporations AND cloud storage corporations.

I take that back: Burr’s bill uses the Section 702 definition of ECSP, which includes Remote Computing Services. This means Burr’s bill adds this more explicitly to those who might receive a CDR request:

any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored;

In addition, Burr’s bill does not require CDR SSTs be a specific individual or account. That means it could target a “person” (organizations like AQ can be considered a person), or an address (which could be an organization or Internet cafe’s IP address).

(29) The bill treats data from Section 215 as if it were EO 12333. As a threshold level, this is weaker minimization than under the existing program (then so was USA F-ReDux). But right now nothing under EO 12333 ever gets disclosed to defendants. So this creates a black hole, meaning this stuff will never be forcibly reviewed for constitutionality.

USE OF INFORMATION.—Information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title concerning any United States person may be used and disclosed by Federal officers and employees in accordance with the guidelines approved by the Attorney General under Executive Order 12333 (or a successor order). No otherwise privileged information acquired from tangible things received by the Federal Bureau of Investigation in accordance with the provisions of this title shall lose its privileged character. No information acquired from tangible things received by the Federal Bureau of Investigation in response to an order under this title may be used or disclosed by Federal officers or employees except for lawful purposes.

Here’s what the query language looks like (the “System” is defined before–we’ll just call it PRISM-Plus here).

(C) AUTHORIZED QUERIES.—Any order referred to in paragraph (1) or a directive under section 505 may permit access to the System—

(i) to perform a query using a specific selection term for which a recorded determination has been made that the specific selection term is relevant to an authorized investigation (other than a threat assessment) conducted in accordance with subsection (a)(2) to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism, clandestine intelligence activities, or activities in preparation therefor;

(ii) to return information as authorized under paragraph (2); or

(iii) as may be necessary for technical assurance, data management or compliance purposes, or for the purpose of narrowing the results of queries, in which case no information produced pursuant to the order may be accessed, used, or disclosed for any other purpose, unless the information is responsive to a query authorized under paragraph (2).

(2) SCOPE OF PERMISSIBLE QUERY RETURN INFORMATION.—For any query performed pursuant to paragraph (1)(C)(i), the query only may return information concerning—

(A) a first set of call detail records using the specific selection term that satisfies the standard required under paragraph (1)(C)(i); or

(B) a second set of call detail records using session-identifying information or a telephone calling card number identified by the specific selection term used to produce call detail records under subparagraph (A).

First, note that language “permit access to the system.”  By whom?

This lets the government chain against foreigners for any FI purpose or against Americans for CT  or CI purposes (the latter of which includes cyber). This is a huge expansion off status quo.

The tech paragraph is nutty: it gives access to raw data but data obtained there can’t be used unless it’d be subject to a query. Which it wasn’t.

The querying language is the same from USA F-ReDux, which I argued required providers to do non-call chaining. I think that’s been the intent all along.

(33) Unlike USA F-ReDux, this bill doesn’t even pretend it’s only about phone companies. And this will double retention time periods for Verizon, and probably worse than that for Apple.

An electronic communication service provider shall notify the Attorney General if that service provider intends to retain its call detail records for a period less than 36 months.

When the provider refuses to keep data the FBI Director (Jim Comey, who has been whinging abt iMessage for months in the guise of whinging about encryption) can get FISC to require the provider to keep data for 3 years for only FI purpose.

‘(3) ORDERS.—Upon an application made pursuant to paragraph (2), if the judge finds that the failure to retain such call detail records for a period of at least 36 months is resulting in, or is reasonably likely to result in, the loss of foreign intelligence information relevant to an investigation conducted under this title, the judge may enter an ex parte order requiring the retention of such records for a period of at least 36 months.

(36) The interim procedure expands the application, I think.

(44) There are 3 restatements of the function:

  • Tangible things
  • CDR function
  • Transition function

Only the latter has minimization procedures, but in a bizarre cut and paste fail, it requires FBI to come up with new procedures that already exist (but didn’t change the date to 2015).

(f) MINIMIZATION PROCEDURES.—Not later than 180 days after the date of the enactment of the USA PATRIOT Improvement and Reauthorization Act of 2005, the Attorney General shall adopt specific minimization procedures governing the retention and dissemination by the Federal Bureau of Investigation of any tangible things, or information therein, received by the Federal Bureau of Investigation in response to an order under this section. Such minimization procedures shall include a procedure for using a reasonable articulable suspicion standard to make emergency queries of the tangible things acquired in response to an order under this section.

(45) This incents the government to go hogwild with bulk collection.

‘(h) CLARIFICATION.—Notwithstanding any other provision of law, the Government is authorized to obtain orders in accordance with this section for the purpose of obtaining tangible things produced in bulk, in the same manner as previously authorized by the court established by section 103(a) in orders issued by that court under this title prior to June 1, 2015. The Government is further authorized to continue to retain and use tangible things produced under such orders issued by that court prior to June 1, 2015, subject to any procedures prescribed by that court

(54) This has the same emergency provision as USA F-ReDux, which is an invitation for abuse and parallel construction. It’s telling that they still want this given how everything else has been permitted.

(54) They introduce the phrase “good faith” into the immunity section, but only for those being forced to retain their records.

‘(a) IN GENERAL.—No cause of action shall lie in any court against a person who—

(1) produces tangible things or provides information, facilities, or technical assistance pursuant to an order issued or an emergency directive required under this title;

(2) in good faith, retains call detail records under an order pursuant to this title; or

(3) otherwise provides technical assistance to the Government under this section or to implement this title.

(55) Burr’s bill compensates providers for all 215 compliance whereas USA F-ReDux only does for CDR function.

(57) By my read the government won’t even test its querying at providers

(57) On June 1, 2016, they assess the cost of moving to providers. But they won’t have started that yet.

(60) Wow. Burr also eliminates all sunset for business records provision (see Section 102 here)

(a) ACCESS TO BUSINESS RECORDS AND ROVING SURVEILLANCE.—Subsection (b) of section 102 of the USA PATRIOT Improvement and Reauthorization Act of 2005 (Public Law 109–177; 50 U.S.C. 1805 note, 50 U.S.C. 1861 note, and 50 U.S.C. 1862 note) is repealed.

(66) Huh. Burr goes well beyond what USAF does in making terrorism a bigger crime, extending the prison sentences in two additional provisions.

But this is fairly shocking.

(a) ACTS OF TERRORISM TRANSCENDING NATIONAL BOUNDARIES.—Section 2332b(g)(5)(B)(i) of title 18, United States Code, is amended by inserting ‘‘924(c)(relating to use, carrying, or possession of firearms),’’ after ‘‘844(i) (relating to arson and bombing of property used in interstate commerce),’’.

This would permit DOJ to charge as terrorists people busted for another felony (which isn’t that much) who brandish their guns in such a way as to intimidate the government. It would make it very easy to call any dissident with a gun a terrorist, or call any looters who happen to be armed terrorists.

(67) This language moves the Internet production back to NSLs

 REQUIRED CERTIFICATION.—The Director of the Federal Bureau of Investigation, or the designee of the Director in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director, may request the name, address, length of service, local and long distance toll billing records, and electronic communications transactional records of a person or entity if the Director (or the designee) certifies in writing to the wire or electronic communication service provider to which the request is made that such information is relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the first amendment to the Constitution of the United States.

(68) When a bill creates its own special Espionage Act, you know they intend to break the law.

(a) PROHIBITION ON UNAUTHORIZED DISCLOSURE.—An officer, employee, contractor, or consultant of the United States, or an officer, employee, contractor, or consultant of a recipient of an order issued pursuant to title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) who—

(1) knowingly comes into possession of classified information or documents or materials containing classified information of the United States that—

(A) was submitted in connection with an application to the court established under section 103(a) of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803(a));

(B) was submitted in connection with an order approved by such court; or

(C) was acquired pursuant to an order or directive of such court; and

(2)(A) knowingly and willfully communicates, transmits, or otherwise makes available to an unauthorized person, such classified information or documents or materials; or

(B) knowingly removes such classified information or documents or materials without authority and with the intent to retain such classified information or documents or materials at an unauthorized location, shall be punished according to subsection (b).

(b) TERM OF IMPRISONMENT.—A person who violates this section shall be fined under title 18, United States Code, or—

(1) for a violation of paragraph (2)(A) of subsection (a), imprisoned for not more than 10 years; or

(2) for a violation of paragraph (2)(B) of such subsection, imprisoned for not more than 1 year, or both.

(70) The bill changes the amicus in interesting ways.

(B) COVERED MATTER.—The term ‘covered matter’ means a matter before a court established under subsection (a) or (b)—

(i) that, in the opinion of such a court, presents a legal or technical issue regarding which the court’s deliberations would benefit from participation by an amicus curiae; and

(ii) that pertains to—

(I) an application for an order under this title, title III, IV, or V of this Act, or section 703 or 704 of this Act;

(II) a review of a certification or procedures under section 702 of this Act; or

(III) a notice of non-compliance with any such order, certification, or procedures.

[snip]

(5) DUTIES.—An amicus curiae appointed under paragraph (1) to assist with the consideration of a covered matter shall carry out the duties assigned by the appointing court.

[snip]

(6) NOTIFICATION.—A court established under subsection (a) or (b) shall notify the Attorney General of each exercise of the authority to appoint an amicus curiae under paragraph (1).

First of all, this does not include all significant matters. One that would benefit might be broader, but might be more narrow.

It doesn’t include traditional FISA, nor does it include anything but certification process for 702, the latter of which suggests they have been having problems with the latter. Correction: This language is an amendment to traditional FISA so it DOES include that in its reference to “under this title.” I also think the separate language for 702 arises from the different certification process. But it seems like this language is designed to exclude something…

But non-compliance can trigger this (perhaps meaning providers can no longer have their own lawyers?)

I’m particularly intrigued that non-compliance is in here. Does that mean providers can no longer have their own lawyers? Note, too, that FISC can ask their one lawyer to represent their own views–basically no more than the staffers they already have.

Also note, the court need only appoint one lawyer here.

Which probably means this is worse than status quo.

One thing about the amicus which is very important is this is John Bates’ wish list. He was appointed by John Roberts.

Also, USAF required notice when FISC didn’t use the amicus. This only requires notice when they do.

(73) Note, I’ve always believed the fast-track to FISCR is a bad thing, because it provides a way to get appellate rubber stamp on an issue to bypass (say) the 2nd Circuit fixing something. This retains that, which leads me to believe I was right.

(74) This waters down the provider reporting permissions significantly. Fine, that’s something they can sue about!

(78) I’m not sure but I think this introduces more of a delay on new kinds of production (like under PRISM Plus??).

 

The Section 215 Rap Sheet

Marco Rubio, who is running for President as an authoritarian, claims that “There is not a single documented case of abuse of this program.”

He’s not alone. One defender of the dragnet after another makes such claims. FBI witnesses who were asked specifically about abuses in 2011 claimed FBI did not know of any abuses (even though FBI Director Robert Mueller had had to justify FBI’s use of the program to get it turned back on after abuses discovered in 2009).

Comment — Russ Feingold said that Section 215 authorities have been abused. How does the FBI respond to that accusation?

A — To the FBI’s knowledge, those authorities have not been abused.

Though Section 215 boosters tend to get sort of squishy on their vocabulary, changing language about whether this was illegal, unconstitutional, or abusive.

Here’s what we actually know about the abuses, illegality, and unconstitutionality of Section 215, both the phone dragnet program and Section 215 more generally.

Judges

First, here’s what judges have said about the program:

1) The phone dragnet has been reapproved around 41 times by at least 17 different FISC judges

The government points to this detail as justification for the program. It’s worth noting, however, that FISC didn’t get around to writing an opinion assessing the program legally until 10 judges and 34 orders in.  Since Snowden exposed the program, the FISC appears to have made a concerted effort to have new judges sign off on each new opinion.

2) Three Article III courts have upheld the program:

Judges William Pauley and Lynn Winmill upheld the constitutionality of the program (but did not assess the legality of it); though Pauley was reversed on statutory, not constitutional grounds. Judge Jeffrey Miller upheld the use of Section 215 evidence against Basaaly Moalin on constitutional grounds.

3) One Article III court — Judge Richard Leon in Klayman v. Obama — found the program unconstitutional.

4) The Second Circuit (along with PCLOB, including retired Circuit Court judge Patricia Wald, though they’re not a court), found the program not authorized by statute.

The latter decision, of course, is thus far the binding one. And the 2nd Circuit has suggested that if it has to consider the program on constitutional grounds, it might well find it unconstitutional as well.

Statutory abuses

1) As DOJ’s IG confirmed yesterday, for most of the life of the phone dragnet (September 2006 through November 2013), the FBI flouted a mandate imposed by Congress in 2006 to adopt Section 215-specific minimization procedures that would give Americans additional protections under the provision (note–this affects all Section 215 programs, not just the phone dragnet). While, after a few years, FISC started imposing its own minimization procedures and reporting requirements (and rejected proposed minimization procedures in 2010), it nevertheless kept approving Section 215 orders.

In other words, in addition to being illegal (per the 2nd Circuit), the program also violated this part of the law for 7 years.

2) Along with all the violations of minimization procedures imposed by FISC discovered in 2009, the NSA admitted that it had been tracking roughly 3,000 presumed US persons against data collected under Section 215 without first certifying that they weren’t targeted on the basis of First Amendment protected activities, as required by the statute.

Between 24 May 2006 and 2 February 2009, NSA Homeland Mission Coordinators (HMCs) or their predecessors concluded that approximately 3,000 domestic telephone identifiers reported to Intelligence Community agencies satisfied the RAS standard and could be used as seed identifiers. However, at the time these domestic telephone identifiers were designated as RAS-approved, NSA’s OGC had not reviewed and approved their use as “seeds” as required by the Court’s Orders. NSA remedied this compliance incident by re-designating all such telephone identifiers as non RAS-approved for use as seed identifiers in early February 2009. NSA verified that although some of the 3,000 domestic identifiers generated alerts as a result of the Telephony Activity Detection Process discussed above, none of those alerts resulted in reports to Intelligence Community agencies.

NSA did not fix this problem by reviewing the basis for their targeting; instead, it simply moved these US person identifiers back onto the EO 12333 only list.

While we don’t have the background explanation, in the last year, FISC reiterated that the government must give First Amendment review before targeting people under Emergency Provisions. If so, that would reflect the second time where close FISC review led the government to admit it wasn’t doing proper First Amendment reviews, which may reflect a more systematic problem. That would not be surprising, since the government has already been chipping away at that First Amendment review via specific orders.

Minimization procedure abuses

1) The best known abuses of minimization procedures imposed by the FISC were disclosed to the FISC in 2009. The main item disclosed involved the fact that NSA had been abusing the term “archive” to create a pre-archive search against identifiers not approved for search. While NSA claimed this problem arose because no one person knew what the requirements were, in point of fact, NSA’s Inspector General warned that this alert function should be disclosed to FISC, and it was a function from the Stellar Wind program that NSA simply did not turn off when FISC set new requirements when it rubber-stamped the program.

But there were a slew of other violations of FISC-imposed minimization procedures disclosed at that time, almost all arising because NSA treated 215 data just like it treats EO 12333, in spite of FISC’s clear requirements that such data be treated with additional protections. That includes making query results available to CIA and FBI, the use of automatic search functions, and including querying on any “correlated” identifiers. These violations, in sum, are very instructive for the USA F-ReDux debate because NSA has never managed to turn these automated processes back on since, and one thing they presumably hope to gain out of moving data to the providers is to better automate the process.

2) A potentially far more egregious abuse of minimization procedures was discovered (and disclosed) in 2012, when NSA discovered that its techs were using over 3,000 files of raw phone dragnet data on their technical server past the destruction date.

As of 16 February 2012, NSA determined that approximately 3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a server and been collected more than five years ago in violation of the 5-year retention period established for BR collection. Specifically, these files were retained on a server used by technical personnel working with the Business Records metadata to maintain documentation of provider feed data formats and performed background analysis to document why certain contact chaining rules were created. In addition to the BR work, this server also contains information related to the STELLARWIND program and files which do not appear to be related to either of these programs. NSA bases its determination that these files may be in violation of BR 11-191 because of the type of information contained in the files (i.e., call detail records), the access to the server by technical personnel who worked with the BR metadata, and the listed “creation date” for the files. It is possible that these files contain STELLARWIND data, despite the creation date. The STELLARWIND data could have been copied to this server, and that process could have changed the creation date to a timeframe that appears to indicate that they may contain BR metadata.

But rather than investigate this violation — rather than clarify how much data this entailed, whether it had been mingled with Stellar Wind data, whether any other violations had occurred — NSA destroyed the data.

In one incident, NSA technical personnel discovered a technical server with nearly 3,000 files containing call detail records that were more than five years old, but that had not been destroyed in accordance with the applicable retention rules. These files were among those used in connection with a migration of call detail records to a new system. Because a single file may contain more than one call detail record, and because the files were promptly destroyed by agency technical personnel, the NSA could not provide an estimate regarding the volume of calling records that were retained beyond the five-year limit. The technical server in question was not available to intelligence analysts.

From everything we’ve seen the tech and research functions are not audited, not even when they’re playing with raw data (which is, I guess, why SysAdmin Edward Snowden could walk away with so many records). So not only does this violation show that tech access to raw data falls outside of the compliance mechanisms laid out in minimization procedures (in part, with explicit permission), but that NSA doesn’t try very hard to track down very significant violations that happen.

Overall sloppiness

Finally, while sloppiness on applications is not a legal violation, it does raise concerns about production under the statute. The IG Report reviewed just six case files which used Section 215 orders. Although the section is heavily redacted, there are reasons to be significantly concerned about four of those.

  • An application made using expedited approval that made a material misstatement about where FBI obtained a tip about the content of a phone call. The FBI agent involved “is no longer with the FBI.” The target was prosecuted for unlawful disclosure of nuke information, but the Section 215 evidence was not introduced into trial and therefore he did not have an opportunity to challenge any illegal investigative methods.
  • A 2009 application involving significant minimization concerns and for which FBI rolled out an “investigative value” exception for access limits on Section 215 databases. This also may involve FBI’s secret definition of US person, which I suspect pertains to treating IP addresses as non-US persons until they know it is a US person (this is akin to what they do under 702 MPs). DOJ’s minimization report to FISC included inaccuracies not fixed until June 13, 2013.
  • A 2009 application for a preliminary investigation that obtained medical and education records from the target’s employer. FBI ultimately determined the target “had no nexus to terrorism,” though it appears FBI kept all information on the target (meaning he will have records at FBI for 30 years). The FBI’s minimization report included an error not fixed until June 13, 2013, after the IG pointed it out.
  • A cyber-investigation for which the case agent could not locate the original production, which he claims was never placed in the case file.

And that’s just what can be discerned from the unredacted bits.

Remember, too: the inaccuracies (as opposed to the material misstatement) were on minimization procedures. Which suggests FBI was either deceitful — or inattentive — to how it was complying with FISC-mandated minimization procedures designed to protect innocent Americans’ privacy.

And remember — all this is just Section 215. The legal violations under PRTT were far more egregious, and there are other known violations and misstatements to FISC on other programs.

This is a troubling program, one that several judges have found either unconstitutional or illegal.

 

Comey’s Emphasis on Expiring PATRIOT Provisions: Other 215 Uses and Roving Wiretaps


A number of outlets have reported that, in an appearance Wednesday at Georgetown, Jim Comey suggested the other PATRIOT Act provisions expiring on June 1, not Section 215, are the critical ones. Here’s one example:

In a speech Wednesday, FBI Director James B. Comey said losing the ability to use roving wiretaps or track lone wolves in terrorism investigations would be a “big problem.” The bureau since the 1980s has been able to follow criminal suspects as they changed phones, he said, and the Patriot Act extended that capability to terrorism cases.

“That’s going to go away” unless the law is reauthorized, Comey said.

That’s not actually what Comey said. (Starting at 20:45) Rather, he said that losing other uses of Section 215 — in situations where FBI can’t use a grand jury subpoena or an NSL — would be “a big problem.” He did say that losing Roving Wiretap Authority would be “a big problem.” About Lone Wolf, he said only that it, “matters.”

Significant impact, in ways that we’re not talking about much, and I’m trying to make sure we’re talking about. A lot of the focus on 215 is on the NSA’s telephony metadata — should that be with the NSA, should that be with individual telepho–telephony providers and accessed by the NSA, and that’s an important discussion. That’s a useful tool the FBI [shrugs] so it’s a conversation I care about, but there are critical tools to the FBI that are going to sunset on June 1 that people don’t talk about.

The first is, Section 215 is the vehicle through which the NSA, telephony database, was assembled, but we use Section 215 in individual cases, in very important circumstances fewer than 200 times a year we go to the FISA Court in a particular case and get particular records that are important to a Counterintelligence investigation or a Counterterrorism investigation. If we lose that authority, which I don’t think is controversial with folks, that is a big problem. Because we will find ourselves in circumstances where we can’t use a grand jury subpoena or we can’t use a National Security Letter, unable to obtain information, with the court’s approval that I think everybody wants us to be able to obtain, in individual cases, so that’s a problem.

The second that’s a big problem is the Roving Wiretap Authority is gonna expire on June 1. This is an authority we’ve had in criminal cases since the early, mid-eighties, where if a drug dealer or a criminal is dropping phones repeatedly, the judge can give us authority to intercept that individual’s communications, no matter what device they’re on, so we don’t have to go back and start the process each time they dump a phone. What the PATRIOT Act did in 2001 was extend that authority to international terrorism investigations and counterintelligence investigations. That is not a controversial thing. That’s gonna go away June 1 unless it’s reauthorized.

And there’s one other provision that matters. And that’s the so-called Lone Wolf — that’s not a term I like but it’s called a Lone Wolf provision by most people. And that is if we can’t, if we can establish probable cause that someone in this country is up to terrible no good, they have probable cause to believe they are an international terrorist of some sort, but we can’t prove what particular organization they’re hooked up with, this provision would allow us — the judge — to authorize the interception, even if we can’t say, “well they’re Al Qaeda, no they’re ISIL, no they’re AQAP.” That’s an important, I think uncontroversial authority, these 3 are going to go away June 1. And I don’t want them to get lost in the conversation about metadata.

The emphasis, then, is on the first two — other uses of Section 215 and Roving Wiretaps — and not Lone Wolf as much.

To be fair, Comey is likely obfuscating about all three of these.

We know that the Internet collection that had formerly (until 2009) been done under NSLs is bulky; the FISC spent a lot of time policing minimization procedures on that collection until FBI finally started complying with the law in 2013. And when Comey says these are “individual cases,” he likely means they are things like US-based Jihadist fora encompassing the communications of many individuals, or frequent or critical cyber targets with which many individual people might communicate as well. Indeed, these collection points are probably — like the phone dragnet — tied to enterprise investigations, which would explain why grand jury subpoenas would not be available.

As for the Roving Wiretap, remember that in 2007 the FISC reinterpreted that statute in secret to mean NSA could collect from entire circuits because al Qaeda targets used many different email and phone addresses served by that circuit. While NSA is likely not relying on that particular opinion anymore (the Protect America Act and FISA Amendments Act replaced that collection), the opinion has likely been repurposed in similar ways to permit NSA to target far more broadly than actual suspect individuals. For example, for a frequent cybersecurity target, I could imagine NSA making an argument that hackers are frequently using (in reality, attacking) those servers, and therefore the FBI can collect on it. Similarly, I could imagine them using Roving Wiretaps to authorize US-based efforts to undermine the Tor network.

The same is almost certainly true of the Lone Wolf provision (in fact it has to be, because for years FBI insisted on extending it even though they admitted they had never used it directly). Remember, Lone Wolves are supposed to be US-based non-US persons engaged in international terrorism. But for a bunch of reasons, I suspect the provision is used to claim someone with zero tie to a terrorist organization overseas is a Lone Wolf (making him a foreign power) and then use that to claim some young Muslim man in the US “planning” plots with the foreign-based Lone Wolf can be targeted under FISA. (There must be some such explanation because there are a lot of young sting targets apparently targeted using traditional FISA orders who have no discernible status as an agent of a Foreign Power.)

For what it’s worth, I suspect the extension of WMD trafficking designations under USA F-ReDux to include those who conspire with or abet actual proliferators is intended to work the same way: to expand the Foreign Power definition to encompass many fairly.

All that said, Comey’s emphasis was, in large part, on those other uses of Section 215, and certainly didn’t seem to be on the Lone Wolf provision. And he may well be correct that FBI can’t replace this function easily, if my guess that FBI uses Section 215 to conduct bulky collection for enterprise investigations is correct. Moreover, note that the assessments of agents in the IG Report released yesterday — that they could not “identify any major case developments from the records obtained in response to Section 215 orders” — predate the big spike in use of Section 215 to collect those Internet communications. So the question would need to be asked again about this collection to see if it has been critical.

All that said, if these other uses are so important, then the Intelligence Community shouldn’t have played a game of chicken to retain a phone dragnet function which FBI largely duplicates with individualized collection already, which has never been critical to stopping a terrorist plot, and which may well hold up these purportedly critical other uses.

Finally! That Person Who Claims Section 215 Involves Interception of Communications!

For two years, a key pushback strategy against those complaining about the phone dragnet program collecting records of every single American has been to falsely claim that opponents of the dragnet were claiming the dragnet collected content.

Of course, this was a straw man, as Mike Lee laid out brilliantly during his second speech supporting Rand Paul’s filibuster the other night.

So while it is true people point out that under section 215 of the PATRIOT Act, under this particular program, the NSA is not listening to telephone conversations. They are not listening to them.

Interestingly enough, this is very often a straw man argument that is thrown out by those who want to make sure that section 215 of the PATRIOT Act is reauthorized without any reforms. They claim that those who are opposed to this type of action are out there falsely claiming that the NSA is listening to phone calls over this program.

Well, that accusation of falsehood is, itself, false. That accusation of falsehood is, itself, a straw man effort. It is a red herring. It is a lie. It is a lie intended to malign and mischaracterize those of us who have genuine, legitimate concerns with this very program, because the fact is we don’t make that argument. The argument we are making is that the NSA doesn’t even need to do that. The NSA can tell all kinds of things about people just by looking at that data.

Because it is automated and because it is within a system that operates with a series of computers, they can tell very quickly it is a lot less human resource-intensive than it would be if they were having to listen to countless hours of phone conversations. It is a lot more efficient.

Nevertheless I finally have — after two years of this debate — found someone actually suggesting that Section 215 involves the interception of communications.

[Image: Lynch Intercept]

Now, to be fair, Attorney General Loretta Lynch likely misstated here. Or perhaps because she knows that the dragnet serves to identify content of interest, she may treat the two as connected (because they are to a degree program defenders like to obscure). Or maybe she is simply admitting what dragnet opponents keep arguing — that collecting metadata amounts to interception of very revealing data. [Update: As Josh Gerstein points out, she could be talking about Roving Wiretaps, which would mean CBS should not introduce this paragraph as being about the phone dragnet.]

Whatever the reason for AG Lynch to make this claim, I think it worth noting that the most prominent person suggesting that Section 215 gives “the ability to intercept communications” is the nation’s top law enforcement officer, not some dirty hippie trying to impugn the phone dragnet.