USA F-ReDux: The Risks Ahead

/4 Comments/in /by

Sometime after 2 today, the House will pass USA F-ReDux by a large margin. Last night the Rules Committee rejected all amendments, including two (a version of the Massie-Lofgren amendment prohibiting back doors and a Kevin Yoder amendment that would improved ECPA protections) that have majority support in the House.

After the bill passes the House today it will go to the Senate where Mitch McConnell will have his way with it.

What happens in the Senate is anyone’s guess.

One reason no one knows what Mitch has planned is because most people haven’t figured out what Mitch really wants. I think there are 3 possibilities:

  • He actually wants USA F-ReDux with some tweaks (about which more below) and the threat of a straight reauthorization is just a tactic to push through those tweaks; this makes the most sense because USA F-ReDux actually gives the IC things they want and need that they don’t currently have
  • There is something the government is doing — a bulk IP program, for example — that Mitch and Burr plan to provide Congressional sanction for even while basically adopting USA F-ReDux as a limit on Section 215 (but not other authorities); the problem with this plan is that secret briefings like the Administration offered the Senate, but not the House, last night don’t seem to meet the terms of ratification described by the Second Circuit
  • The Second Circuit decision threatens another program, such as SPCMA (one basis for Internet chaining involving US persons right now), that the Senate believes it needs to authorize explicitly and that’s what the straight reauthorization is about
  • [Update] I’m reminded by Harley Geiger that Mitch might just be playing to let 215 sunset so he can create a panic that will let him push through a worse bill. That’s possible, but the last time such an atmosphere of panic reigned, after Congress failed to replace Protect American Act in 2008, it worked to reformers’ advantage, to the extent that any cosmetic reform can be claimed to be a win.

I think — though am not certain — that it’s the first bullet, though Burr’s so-called misstatement the other day makes me wonder. If so Mitch’s procedural move is likely to consist of starting with his straight reauthorization but permitting amendments, Patrick Leahy introducing USA F-ReDux as an amendment, Ron Wyden and Rand Paul unsuccessfully pushing some amendments to improve the bill, and Richard Burr adding tweaks to USA F-ReDux that will make it worse. After that, it’s not clear how the House will respond.

Which brings me to what I think Burr would want to add.

As I’ve said before, I think hawks in the Senate would like to have data mandates, rather than the data handshake that Dianne Feinstein keeps talking about. While last year bill supporters — including corporate backers — suggested that would kill the bill, I wonder whether everyone has grown inured to the idea of data retention, given that they’ve been silent about the data handshake since November.

I also suspect the IC would like to extend the CDR authority to non-terrorism functions, even including drug targets (because they probably were already using it as such).

The Senate may try to tweak the Specific Selection Term language to broaden it, but it’s already very very permissive.

I’m also wondering if the Senate will introduce language undermining the limiting language HJC put in its report.

Those are the predictable additions Burr might want. There are surely a slew more (and there will be very little time to review it to figure out the intent behind what they add).

The two big questions there are 1) are any of those things significant enough to get the House to kill it if and when it gets the bill back and 2) will the House get that chance at all?

Did the Government Comply with FISC Requirement of Notice on Appellate Decision

/2 Comments/in /by

I’m prepping a post on how all the various deadlines over the next several weeks will work together. So I’ve been reviewing the instructions James Boasberg laid out in the most recent dragnet order, which he signed on February 26.

First, Boasberg reminded the government — which had turned in its homework late in February — that FISC gets a week to consider any application. That means they need the next application by May 22.

Remember, the House breaks for Memorial Day on May 21 (that is, they’re not scheduled to be in session on May 22) and the Senate breaks on May 22.

The government will almost certainly have to submit a new dragnet order by May 22. That’s because USA F-ReDux allows bulk collection to continue for 6 months as it sets up PRISM-lite for provider compliance. But as I understand it, the new dragnet order has to happen under USA F-ReDux, not PATRIOT.

That may shave one day off the legislative schedule.

More interesting is Boasberg’s order that if any of the three appellate court reviewing the dragnet issues an opinion “prior to the expiration of this Order, the government is directed to inform the Court promptly if the government’s implementation of this Order has changed as a result of such opinion(s).”

Now, in actually, the government might only have to send a short note saying, “the Second Circuit ruled, told us this is unlawful, but also did not issue an injunction because Congress is about to act on it.” But they have to send some kind of notice, per this order.

Did they?

Did the Second Circuit Decision ALSO Blow Up SPCMA?

/5 Comments/in , /by

In a post on last week’s Second Circuit opinion finding NSA’s Section 215 phone dragnet unlawful, Faiza Patel observed that the government may have problems with the court’s ruling that a seizure of metadata can constitute an injury. She points to DOD directive 5240.1-R as a rule that may be impacted.

Second, as Jennifer Daskal explained last Friday, “collection matters.” The Second Circuit rejected the government’s contention that there was no cognizable injury until plaintiffs’ phone records were actually analyzed and reviewed. It ruled that collection is properly analyzed as “seizure,” which if unlawful constitutes a separate injury from the “search” that takes place when records are analyzed either by a human being or a computer.

As the Supreme Court has recognized, in Fourth Amendment cases the analysis of standing is intertwined with the merits question of whether there has been an invasion of a protected privacy interest. Thus, the Second Circuit’s position on collection could have serious implications for other government programs beyond the standing question.

[snip]

Another set of programs for which “collection matters” are those conducted under Executive Order 12,333. Department of Defense directive 5240.1-R, which sets out procedures for intelligence activities that affect U.S. persons, states:

Information shall be considered as “collected” only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties … Data acquired by electronic means is “collected” only when it has been processed into intelligible form. (Emphasis added.)

Although the directive does not explain what constitutes an “intelligible form” of electronic data, another regulation (USSID 18) states that information becomes “intelligible” and is therefore “collected” when a NSA analyst “intentional[ly] task[s] or select[s]” a communication of interest for “inclusion in a report or retention as a file record.” This is a critical distinction because protections for US persons under Executive Order 12,333, Presidential Policy Directive 28, and subsidiary regulations are triggered when information is “collected” per the government’s definition.

All the caveats about not being a lawyer, I think there’s a subset of practices under 5240.1-R that may be particularly acutely affected: SPCMA, the authority that the NSA uses to contact (and, presumably, connection) chain on US person metadata collected overseas.

As I pointed out here, OIPR (during a period when it was headed by current FBI General Counsel James Baker) originally informally advised that NSA had to stop chaining when it hit a US person. But then, a rather suspiciously short period after Baker left in 2007, Steven Bradbury and Ken Wainstein came up with a theory whereby such data did not count as an acquisition — because it had already been collected — and therefore could be chained through.

The fourth definition of electronic surveillance involves “the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication …. ” 50 U.S.C. § 1802(f)(2). “Wire communication” is, in turn, defined as “any communication while it is being carried by a wire, cable, or other like connection furnished or operated by any person engaged as a common carrier …. ” !d. § 1801 (1). The data that the NSA wishes to analyze already resides in its databases. The proposed analysis thus does not involve the acquisition of a communication “while it is being carried” by a connection furnished or operated by a common carrier. (S//SI)

[snip]

The current DOD procedures and their Classified Annex may be read to restrict NSA’s ability to conduct the desired communications metadata analysis, at least with respect to metadata associated with United States persons. In particular, this analysis may fall within the procedures’ definitions of, and thus restrictions on, the “interception” and “selection” of communications.

Accordingly, the Supplemental Procedures that would govern NSA’s analysis of communications metadata expressly state that the DOD Procedures and the Classified Annex do not apply to the analysis of communications metadata. Specifically, the Supplemental Procedures would clarify that “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communications, nor do they qualify as ‘us[ing] a selection term,’ including using a selection term ‘intended to intercept a communication on the basis of. .. [some] aspect of the content of the communication.” Once approved, the Supplemental Procedures will clarify that the communications metadata analysis the NSA wishes to conduct is not restricted by the DOD procedures and their Classified Annex. (S//SI)

As I’ve previously explained, it works out to a kind of virgin birth, all to avoid the actual seizure moment that would implicate EO 12333.

That virgin birth theory led to this paragraph in supplemental procedures that amend 5240.1-R to treat metadata analysis (it doesn’t say it here, but it means, of US persons) as something other than an interception.

S//SI) For purposes of Procedure 5 of DoD Regulation 5240.1-R and the Classified Annex thereto contact chaining and other metadata analysis don’t qualify as the “interception” or “selection” of communications, nor do they qualify as “us[ing] a selection term,” including using a selection term “intended to intercept a communication on the basis of … [some] aspect of the content of the communication.”

I’m not sure, but Gerard Lynch’s opinion may pose real problems for this virgin birth theory. And oh, by the way, a lot of this data leads to data ending up in FBI’s hands which would be overseen by … James Baker, who may have had a problem with this argument in the past, even without the Second Circuit decision.

All of which is one way of saying that, in addition to creating some pressure on Congress to pass USA F-ReDux, this bill may have (though I await actual lawyers to consider this question) created far, far larger problems for SPCMA, which is understood to have been one of the places where the old domestic Internet dragnet went to (which might explain why Richard Burr was talking about Internet dragnets on the floor of the Senate the other day).

If so, the government has a far bigger headache than just the one created for the domestic phone metadata program.

HJC USA F-ReDux Report: Other Thoughts

/1 Comment/in /by

More thoughts on the House Judiciary Committee report on USA F-ReDux.

The Data Handshake

The bill seems to explicitly envision a data handshake, based off contractual agreements.

This section does not require any private entity to retain any record or information other than in the ordinary course of business.However, nothing in current law or this Act prohibits the government and telecommunications providers from agreeing voluntarily to retain records for periods longer than required for their business purposes.

[snip]

This section explicitly permits the government to compensate  third parties for producing tangible things or providing information, facilities, or assistance in accordance with an order issued under Section 501. It is customary for the government to enter into contractual agreements with third parties in order to compensate them for products and services provided to the government.

CBO provides a $15 million estimate for the unclassified costs of the bill over 5 years (though that includes $5 million for the amicus). But most of the contracts would be highly classified, so we have no way of knowing how much the providers will get for holding onto our data.

Minimization

The language on the section requiring the government to destroy data that is not foreign intelligence information is … underwhelming (though it might at least get the government to destroy high volume numbers, which they do anyway).

This section requires the government to adopt minimization procedures that require the prompt destruction of call detail records that are not foreign intelligence information.

 The passage discussing the new minimization procedures is more interesting.

This section provides that the court may evaluate the adequacy of minimization procedures under Section 501. Under current law, the court is only empowered to determine whether the government has minimization procedures in place. This section also makes clear that the FISC may require additional, particularized minimization procedures beyond those required under Section 501 with regard to the production, retention, or dissemination of certain business records, including requiring the destruction of such records within a reasonable time period. This language is intended to capture an existing practice by the FISC to require heightened minimization procedures when appropriate.

As the language makes clear (and contra a bunch of boosters last year), this simply “capture[s] an existing practice.” It does codify it, though. (Note, last year there were very few obvious modifications for minimization procedures, though that may mean everything is already set up with existing procedures).

Emergency Provision

There’s nothing in the language on the Attorney General enforced emergency provision language that leads me to believe they won’t just parallel construct any data the FISC tells them they’ve obtained illegally.

If the court denies an emergency application, the government may not use any of the information obtained under the emergency authority exceptin instances of a threat of death or serious bodilyharm.

Specific Selection Term

This section is worth examining at length.

This section requires that each application for the production of tangible things include ‘‘a specific selection term to be used as the basis for the production.’’ In so doing, the Act makes clear that the government may not engage in indiscriminate bulk collection of any tangible thing or any type of record under Section 501 of FISA. Section 501(b)(2)(A) of FISA will continue to require the government to make ‘‘a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation. . . .’’50 Section 103 requires the government to make an additional showing, beyond relevance, of a specific selection term as the basis for the production of the tangible things sought, thus ensuring that the government cannot collect tangible things based on the assertion that the requested collection ‘‘is thus relevant, because the success of [an] investigative tool depends on bulk collection.’’ 51 Congress’ decision to leave in place the ‘‘relevance’’ standard for Section 501 orders should not be construed as Congress’ intent to ratify the FISA Court’s interpretation of that term. These changes restore meaningful limits to the‘‘relevance’’ requirement of Section 501, consistent with the opinion of the U.S. Court of Appeals for the Second Circuit in ACLU v. Clapper.

Although this Act eliminates bulk collection, this section maintains Section 501 as a business records authority. The additional showing of a ‘‘specific selection term’’ that will be required in all Section 501 applications does not provide any new authority, but it is defined in such a way as to allow for standard business records collection to continue while prohibiting the use of this authority for indiscriminate, bulk collection.

First, the definitions section does not adopt an English language definition of “bulk.” It uses the IC’s version, which means “everything.” Thus, the promise that the government won’t engage in “indiscriminate bulk collection” only says “they won’t get all,” not that they won’t engage in bulky production.

The language on SST — along with the explicit permission to use more than one term — leads me to wonder if they’re going to limit this with descriptions of the cross-references they’ll make (so, the purchase records for all pressure cookers, which will be crossed against anyone who called the Tsarnaev brothers).

HJC’s insistence this doesn’t ratify FISC’s crummy “relevant to” definition would be a lot more convincing if it provided some sense of where the limits are. Further, the language “allow[ing] standard business records collection” to continue does not raise my confidence about past/existing bulk programs. (And remember, the bill adds language requiring reporting to Congressional oversight committees on bulky programs.)

But the definitions section adds to that.

For purposes of the call detail record authority, the term ‘‘specific selection term’’ is defined as a term specifically identifying an individual, account, or personal device.

The term ‘‘address’’ means a physical address or electronic address, such as an electronic mail address, temporarily assigned network address, or Internet protocol address. This definition may overlap with the term ‘‘account,’’ which also can be considered a ‘‘specific selection term’’ under the bill. These terms are not mutually exclusive, and an electronic mail address or account also qualifies as an ‘‘account’’ for purposes of the bill.

The term ‘‘personal device’’ refers to a device that can reasonably be expected to be used by an individual or a group of individuals affiliated with one another. For example, ‘‘personal device’’ would include a telephone used by an individual, family, or housemates, a telephone or computer provided by an employer to an employee or employees, a home computer or tablet shared by a family or housemates, and a Wi-Fi access point that is exclusively available to the inhabitants of a home, the employees of a business, or members of an organization. It would also include a local area network server that is used by a business to provide e-mail to its employees. The term ‘‘personal device’’ does not include devices that are made available for use by the general public or by multiple people not affiliated with one other, such as a pay phone available to the public, a computer available to library patrons to access the Internet, or a Wi-Fi access point made available to all customers at an Internet cafe´. Depending on the circumstances, however, such devices could qualify as ‘‘any other specific identifier’’ that is used to limit the scope of the tangible things sought consistent with the purpose for seeking the tangible things. The term ‘‘personal device’’ also does not include devices that are used by companies to direct public communications, such as a router used by an Internet service provider to route e-mails sent by its customers, or a switch used by a telecommunications carrier to route calls made by its customers.

As I wrote in an update here, this language adds to the evidence they plan on chaining on Internet “calls.” It also makes suggests they will chain on devices that use the same private IP, as opposed to an IP tied to an Internet cafe.

Effective date

I love how they make it very clear that any prohibition on bulk collection of any sort can continue for 6 months.

This section provides that the new call detail records authority, the new Section 501 emergency authority, and the prohibition on bulk collection of tangible things under Section 501 take effect 180 days after enactment.

Transparency

The latest version of USA F-ReDux included language on “unique identifiers used to communicate information collected pursuant to such orders,” which was not defined. Here, they say it includes all people collected under the authority, “not just the number of target email addresses or telephone numbers.” That’s actually a good thing. The transparency provisions still exempt out the FBI because “the agency has indicated it lacks the capacity to provide,” which is a piss poor reason to exempt an agency that can throw people into jail for this. And the report doesn’t explain why it eliminated the top level number for Section 702.

Material Support

The report doesn’t even try to explain why it needs to bump the punishment for material support for terrorism — which, remember, can be no more than speech — from 15 to 20 years.

HJC’s USA F-ReDux Report Narrows Language on Call Detail Records

/5 Comments/in /by

As I’ve written extensively, for the last 15 months, the government, FISC, and Congress have been playing around with the definition of Call Detail Records under the USA F-ReDux and its predecessors. As written, I believe the CDR language in USA F-ReDux would permit the government to ask providers for analysis (of the sort provided by AT&T under Hemisphere) using things like location data, without turning over location data.

The House Judiciary Committee report includes language that would go a long way to prohibiting the kind of analysis I worry about, however.

The government may require the production of up to two “hops”—i.e., the call detail records associated with the initial seed telephone number and call detail records (CDRs) associated with the CDRs identified in an initial “hop.” Subparagraph (F)(iii) provides that the government can obtain the first set of CDRs using the specific selection term approved by the FISC. In addition, the government can use the FISC-approved specific selection term to identify CDRs from metadata it already lawfully possesses. Together, the CDRs produced by the phone companies and those identified independently by the government constitute the first “hop.” Under subparagraph (F)(iv), the government can then present session identifying information or calling card numbers (which are components of a CDR, as defined in section 107) identified in the first “hop” CDRs to phone companies to serve as the basis for companies to return the second “hop” of CDRs. As with the first “hop,” a second “hop” cannot be based on, nor return, cell site or GPS location information. It also does not include an individual listed in a telephone contact list, or on a personal device that uses the same wireless router as the seed, or that has similar calling patterns as the seed. Nor does it exist merely because a personal device has been in the proximity of another personal device. These types of information are not maintained by telecommunications carriers in the normal course of business and, regardless, are prohibited under the definition of “call detail records.”

“Call detail records” include “session identifying information (including originating or terminating telephone number, International Mobile Subscriber Identity number, or International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call.” The Act explicitly excludes from that term the contents of any communication; the name, address, or financial information of a subscriber or customer; and cell site location or GPS information, and the Act should not be construed to permit the government to obtain any of this type of information through either of the two “hops.”

Some comments on this.

First, nothing in this passage suggests these “phone companies” are exclusively telephony companies (that is, old style phone companies). Indeed, it even mentions wireless routers, suggesting they’re accounting for IP addresses. That’s to be expected; much less of our call traffic is carried by such providers. But people should be aware this likely includes Google and Microsoft and Apple “calls.”

The passage explicitly permits the government to also chain on “metadata it already lawfully possesses.” Which means it will do the EO 12333 hops, while the providers do the 215 hop. Remember this will produce a largely duplicative production for international calls, with more metadata involved on the EO 12333. But there’s no way to deal with that. (Note, assuming the CDRs will come back in through FBI, this means they’ll probably get access to EO 12333 data out of this.)

The passage lists a lot of things I was worried about (in part, because we know the government has obtained similar information using both Hemisphere and its own EO 12333 analysis) that cannot be used for these hops, including:

  • Cell site or GPS location information
  • An individual listed in a telephone contact list
  • An individual on a personal device that uses the same wireless router as the seed
  • An individual that has similar calling patterns as the seed
  • A personal device has been in the proximity of another personal device

This would seem to rule out most of my concerns (especially if “calling patterns” included the kind of counter-surveillance tactics that last week’s Intercept story made clear NSA tracks). It would seem to permit chaining on “friends and family” members (but the FBI is getting those, from AT&T at least, using NSLs). And it doesn’t address owners of the same account (suggesting the government could use one device to obtain other related devices tied to the same account — but that’s the same person, which therefore seems totally justifiable).

Finally, note this language seems to confirm what I have understood: that the definition of CDR includes 5 components, only one of which must be met to be a CDR, meaning that the government can obtain nothing more than device identifying information. Again, I don’t find that problematic. It’s just something to pay attention to.

All of which to say that, if HPSCI and the House overall don’t come out with any language that changes this (Mike Rogers introduced some funky language last year, which is when I first started get worried about this), then I would be fairly comfortable that any non-call chaining under this CDR function would be perfectly reasonable. Indeed, these definitions exclude ones — like matching similar calling patters — that I wouldn’t be surprised if they retained. Moreover, last week’s Second Circuit ruling would seem to require any other interpretations of this language to be public to count as binding.

So for now, at least, one of my significant concerns about USA F-ReDux is alleviated.

Update: Adding, this language seems to envision the possibility of using 215 to get location data later, which is something James Cole explicitly admitted was possible last year.

This new authority—designed to allow the government to search telephone metadata for possible connections to international terrorism— does not preclude the government’s use of standard business records orders under Section 501 to compel the production of business records, including call detail records.

Again, that’s not surprising. But this report explicitly limits prospective call record chaining to the CDR function, so they could not get location under this authority prospectively (they’d probably use PRTT for that in any case).

Update: Now that I read the definitions section, I do have a few more reservations about how they can chain — and am all but certain this is intended to include Internet “calls.” Here’s that section.

For purposes of the call detail record authority, the term ‘‘specific selection term’’ is defined as a term specifically identifying an individual, account, or personal device.

The term ‘‘address’’ means a physical address or electronic address, such as an electronic mail address, temporarily assigned network address, or Internet protocol address. This definition may overlap with the term ‘‘account,’’ which also can be considered a ‘‘specific selection term’’ under the bill. These terms are not mutually exclusive, and an electronic mail address or account also qualifies as an ‘‘account’’ for purposes of the bill.

The term ‘‘personal device’’ refers to a device that can reasonably be expected to be used by an individual or a group of individuals affiliated with one another. For example, ‘‘personal device’’ would include a telephone used by an individual, family, or housemates, a telephone or computer provided by an employer to an employee or employees, a home computer or tablet shared by a family or housemates, and a Wi-Fi access point that is exclusively available to the inhabitants of a home, the employees of a business, or members of an organization. It would also include a local area network server that is used by a business to provide e-mail to its employees. The term ‘‘personal device’’ does not include devices that are made available for use by the general public or by multiple people not affiliated with one other, such as a pay phone available to the public, a computer available to library patrons to access the Internet, or a Wi-Fi access point made available to all customers at an Internet cafe. Depending on the circumstances, however, such devices could qualify as ‘‘any other specific identifier’’ that is used to limit the scope of the tangible things sought consistent with the purpose for seeking the tangible things. The term ‘‘personal device’’ also does not include devices that are used by companies to direct public communications, such as a router used by an Internet service provider to route e-mails sent by its customers, or a switch used by a telecommunications carrier to route calls made by its customers.

First, this section goes out of its way to say CDR SST includes “account” which includes “email address or account.” This strongly suggests they intend to go to Google and get everything associated with, for example, the “account” emptywheel. Again, I’m not at all surprised about that. But it is worth noting.

The “personal device” description distinguishes the “individual on a personal device that uses the same wireless router as the seed,” which is prohibited for chaining under the bill, from an individual “on the same personal device” which may include a home (or even business’, which is something FBI has obtained using NSLs) WiFi access point. That is, it does seem like your roommates could be chained, but not those using the same Internet cafe as you.

But again, these are legitimate chains, in my opinion.

Will Ben Wittes Pre-Prove Ben Wittes is NAKED?

/2 Comments/in /by

Ben Wittes wrote a post about last week’s Second Circuit ruling deeming the NSA 215 phone dragnet unlawful, arguing that the ruling is actually good for the Agency.

It may seem odd to suggest that a unanimous panel defeat on a basic legal theory underlying an NSA program is good for the agency, but consider: A few days ago, the 215 program was on a glide-path to expiration. The House seemed to be coming together around a version of the USA Freedom Act, which would substitute a different metadata acquisition mechanism for the 215 authority and create other reforms as well. But the Senate had lacked the votes to move that bill even last year, and Senator McConnell was pushing instead what he called a “clean” reauthorization—which would reauthorize 215 without modification and do none of the other reforms both the administration and civil libertarians have supported. It was not at all clear that the House bill could pass the Senate, and it was entirely clear that McConnell’s bill could not pass the House. Betting on a compromise within three weeks was, given the normal state of congressional competence these days, optimistic, to put it mildly. So the program seemed likely to expire, less as a result of any decision to let it sunset than as the result of a collective action problem.

The Second Circuit opinion meaningfully changes that. It is a sharp reminder to those who favor McConnell’s approach that is not viable—or, at least, that it involves serious litigation risk. Yes, it is possible—likely, even—that the D.C. Circuit will disagree with the Second Circuit, and that the meaning of 215 will thus be ultimately subject to the whimsical mind of Anthony Kennedy. So yes, it’s also still possible that a vote for a “clean” reauthorization will yield maximal flexibility for the agency. But that’s not a bet I would want to lay if I were a congressional proponent of strong signals intelligence and counterterrorism programs. Rather, I would say that it is far better to have a legally sustainable version of this capacity than to have no capacity at all, and supporting clean reauthorization will either cause there to be no bill—in which case the authority lapses—or, if the bill were to pass, it risks that the Supreme Court’s ultimately agrees with the Second Circuit, not with the FISA Court interpretation of the law. The far better approach for the agency is the compromise that the administration has long supported. And for the first time in a long time, I can see a path to that outcome.

While I don’t necessarily agree with all details, I think he’s right. USA F-ReDux is actually the best outcome for the government. It always has been. But no pro-spying people were making that case, and so even people like Bill Nelson opposed it. Last week’s decision prevents the spying hawks from voting against their best interests.

But — particularly given Ben’s long campaign to hold people accountable for what they should know — I have to laugh at this bit.

The litigation risk of relying on 215 is the principal reason I have been arguing for almost two years now that Congress needs to clarify the law, both to authorize access to metadata contact chaining under appropriate circumstances and to build in protections that exist under the current program only through court order.

I laugh because, even if it is Congress’ intent to “clarify the law … authoriz[ing] access to metadata contact chaining,” USA F-ReDux does not do that. On the contrary, for the last 15 months, the actual chaining function being authorized in the bill has been a moving target. The notion that this involved exclusively contact chaining was jettisoned, with court approval, in February 2014. And no one I’ve spoken with knows what the current chaining language (or the previous use of “connection chaining”) means.

So Congress is not clarifying things, it is obscuring it, though almost all in Congress (and, apparently, Ben, who unlike most in Congress has been writing about this bill throughout) have missed that this is no longer authorizing just contact chaining. According to Ben, Ben has no excuse for not knowing better, but apparently Ben doesn’t, yet.

I remain hopeful there will be some clarifying (and limiting) language added to the actual chaining procedure before it gets passed. If it doesn’t, it’s unlikely we’ll ever hear about it unless someone else decides to risk life in prison to alert Americans to what NSA and FBI are really doing. But if we do learn that what started as defensible “connection chaining” on burner phones morphed under this obscurantist language into something more problematic, I do hope Ben realizes that he, along with almost all of Congress, should have known, from the language of the bill, that it did more than approve contact chaining.

USA F-ReDux: Dianne Feinstein Raises the Data Handshake Again

/6 Comments/in /by

As I noted last November, in her defense of USA Freedom Act last year, Dianne Feinstein suggested the telecoms (principally, Verizon) had agreed to retain their data for longer than their business purposes required without any mandate — what I dubbed the “data handshake.”

On Tuesday, Nov. 18, Feinstein explained how she had resolved the problem presented by telecoms like Verizon that don’t hold these records as long as the NSA currently does. She and Chambliss had written the country’s four biggest telecom companies a letter — she didn’t say when — asking whether the companies would retain phone records longer than they currently do. Two said yes; two said no. “Since that time, the situation has changed,” Feinstein said. “Not in writing, but by personal testament from two of the companies that they will hold the data for at least two years for business reasons.” President Barack Obama even vouched for the telecom companies’ willingness to hold the data. “The fact is that the telecoms have agreed to hold the data. The president himself has assured me of this,” Feinstein said.

Taken in context, Feinstein’s comments reveal how proponents of the USA Freedom Act solved the intelligence community’s problem with the reform bill — that the period of time that records would be held would shrink dramatically. Rather than a legal mandate requiring that telecoms hold onto the data — which some members of the Senate Intelligence Committee demanded in June — the reform bill would use a “data handshake.”

The terms of the data handshake are the most interesting part. This promise is not in writing. According to Feinstein, it is a “personal testament.” (And of course it wasn’t in the bill, where privacy advocates might have objected to it.) The telecom companies could say they were retaining the data for business purposes, though, until now, they’ve had no business purpose to keep the records.

While some, like Bob Litt, have suggested one challenge for having telecoms retain phone records concerned whether telecoms would retain enough of their call records to do pattern analysis, the issue of data retention has largely been unspoken in this round of debate over USA F-ReDux.

But Dianne Feinstein just raised it again this morning on Meet the Press, again endorsing a “data handshake” behind USA F-ReDux and seemingly referring to the assurances the President got from telecoms they would keep the data.

CHUCK TODD:

Senator, while I have you, the Patriot Act, obviously the big, bulk data collection was struck down, in Court. Not quite saying it was unconstitutional, basically saying that the law doesn’t cover what the administration has said it covers, which is this idea of bulk data collection. And says, “If Congress wants to be able to do this, then they need to explicitly pass a law that forces telephone companies to do this or not.” Where are you on this? Are you willing to pass a specific law that allows for bulk data collection, whether held by the phone companies or the government?

SENATOR DIANNE FEINSTEIN:

I think here’s the thing. The president, the House and a number of members of the Senate believe that we need to change that program. And the way to change it is simply to go to the FISA Court for a query, permission to go to a telecom and get that data. The question is whether the telecoms will hold the data. And the answer to that question is somewhat mixed. I know the president believes that the telecoms will hold the data. I think we should try that.

CHUCK TODD:

An act of Congress could force them to do that, correct?

SENATOR DIANNE FEINSTEIN:

An act of Congress could force them to do that.

CHUCK TODD:

And can that pass this Congress?

SENATOR DIANNE FEINSTEIN:

Well, that’s the problem. The House does not have it in their bill. Senator Leahy does not have that in his bill.

If I had to bet on the most likely outcome for the USA F-ReDux bill, it would be USA F-ReDux, with some more shit added in because USA F-ReDux boosters are reluctant to talk about how much more it gives the Intelligence Community than what they have now, and with data retention mandates. As I have said, I think that’s one of the ultimate purposes of Mitch McConnell’s PATRIOT gambit.

One thing is clear, however, which is that Intelligence insiders like Feinstein are talking about data mandates among themselves, even if they’re not discussing them publicly.

In 2003, OLC Doubled Down on Unlimited (de)Classification Authority for the President

/2 Comments/in , , /by

One of the tactics those in DOJ attempted to use in 2004 to put some controls on Stellar Wind, it appears from the DOJ IG Report, was to point to legal requirements to inform Congress (for example, to inform Congress that the Attorney General had decided not to enforce particular laws), which might have led to enough people in Congress learning of the program to impose some limits on it. For example, Robert Mueller apparently tried to get the Executive to brief the Judiciary Committees, in addition to the Gang of Four, about the program.

On March 16, 2004 Gonzales wrote a letter to Jim Comey in response to DOJ’s efforts to force the Administration to follow the law. Previous reporting revealed that Gonzales told Comey he misunderstood the White House’s interest in DOJ’s opinion.

Your memorandum appears to have been based on a misunderstanding of the President’s expectations regarding the conduct of the Department of Justice. While the President was, and remains, interested in any thoughts the Department of Justice may have on alternative ways to achieve effectively the goals of the activities authorized by the Presidential Authorization of March 11, 2004, the President has addressed definitively for the Executive Branch in the Presidential Authorization the interpretation of the law.

This appears to have led directly to Comey drafting his resignation letter.

But what previous reporting didn’t make clear was that Gonzales also claimed the Administration had unfettered authority to decide whether or not to share classified information (and that, implicitly, it could blow off statutory Congressional reporting requirements).

Gonzales letter also addressed Comey’s comments about congressional notification. Citing Department of the Navy v. Egan, 484 U.S. 518 (1988) and a 2003 OLC opinion, Gonzales’s letter stated that the President has the constitutional authority to define and control access to the nation’s secrets, “including authority to determine the extent to which disclosure may be made outside the Executive Branch.” (TS//STLW//SI/OC/NF) [PDF 504]

I’m as interested in this as much for the timing of the memo — 2003 — as the indication that the Executive asserted the authority to invoke unlimited authority over classification as a way to flout reporting mandates (both with regards to Stellar Wind, but the implication is, generally as well).

The most likely time frame for this decision would be around March 25, 2003, when President Bush was also rewriting the Executive Order on classification (this EO is most famous because it gave the Vice President new authorities over classifying information). If that’s right, it would confirm that Bush’s intent with the EO (and the underlying OLC memo) was to expand the ability to invoke classification for whatever reasons.

And if that OLC opinion was written around the time of the March 2003 EO, it would mean it was on the books (and, surely, known by David Addington) when he counseled Scooter Libby in July 2003 he could leak whatever it was Dick Cheney told him to leak to Judy Miller, up to and including Valerie Plame’s identity.

But I’m also interested that this footnote was classified under STLW, the Stellar Wind marking. That may not be definitive, especially given the innocuous reference to the OLC memo. But it’s possible that means the 2003 opinion — the decision to share or not share classified information according to the whim of the President — was tied to Stellar Wind. That would be interesting given that George Tenet and John Yoo were declaring Iraq and their claimed conspirators in the US were terrorists permissible for surveillance around the same time.

Finally, I assume this OLC memo, whatever it says, is still on the books. And given how it was interpreted in the past — that OLC could simply ignore reporting mandates — and that the government continued to flout reporting mandates until at least 2010, even those tied specifically to surveillance, I assume that the Executive still believes it can use a claimed unlimited authority over classification to trump legally mandated reporting requirements.

That’s worth keeping in mind as we debate a bill, USA F-ReDux, celebrated, in part, for its reporting requirements.

How the NSA Connection Chains without Calls

/6 Comments/in , /by

Screen Shot 2015-05-08 at 3.19.27 PMFor a very long time, I’ve been trying to figure out what the government means when it says it “connection chains” data call detail records under its Section 215 dragnet (and, possibly, once it passes, under USA F-ReDux).

The phone dragnet first started moving towards “connection chaining” in 2013, when Dianne Feinstein included the concept in her Fake FISA Fix.

Scope of permissible query return information:

For any query performed pursuant to paragraph (1)(D)(i), the query only may return information concerning communications—

(A) to or from the selector used to perform the query;
(B) to or from a selector in communication with the selector used to perform the query; or
(C) to or from any selector reasonably linked to the selector used to perform the query, in accordance with the court approved minimization procedures required under subsection (g). [my emphasis]

The February phone dragnet order that approved Obama’s modified approach also approved (though it may have approved earlier) chaining on “connections” in addition to “contacts” made.

The first “hop” from a seed returns results including all identifiers (and their associated metadata) with a contact and/or connection with the seed. The second “hop” returns results that include all identifiers (and their associated metadata) with a contact and/or connection with an identifier revealed by the first “hop.”

And all versions of USA Freedom Act, once the Intelligence Community got their whack at them, chained on “connections” as well as calls.

(iii) provide that the Government may require the prompt production of call detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and

(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;

The latest version of USA F-ReDux takes a different approach, with two hops, neither of which requires that Call Detail Records — defined as a set of 5 things that may but are not required to be included, just one of which involves calls made — reflect calls made. And the second hop invokes “session identifying information” that is divorced from the definition of CDRs that excludes (for example) location data.

(iii) provide that the Government may require the prompt production of a first set of call detail records using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii);

(iv) provide that the Government may require the prompt production of a second set of call detail records using session-identifying information or a telephone calling card number identified by the specific selection term used to produce call detail records under clause (iii)

Absent more limiting language, I read this as permitting the government to require (immunized and compensated) providers to find CDRs using session identifier information that the government itself is not permitted to receive to find a set of “CDRs” of interest (again, without requiring that the CDRs have to reflect calls made, because that’s not a required aspect of the definition).

I’ve been having a hard time explaining what that might involve.

But today’s Intercept story shows what chaining NSA does that does not involve calls made.

Screen Shot 2015-05-08 at 3.37.45 PMAs the slide, above (from this deck), makes clear, with data collected from Pakistan, they start with selectors of people who have not left Af-Pak, and then match phone use not involving calls made. It does this by training the computer on what is normal and what is unique to identifiers previously IDed as couriers. It proves its data works, of course, by showing that Ahmed Muwafak Zaidan is the top match, even though Zaidan isn’t a terrorist at all! But it shows that the government will use location data to “chain” on people connected primarily by location habits.

The other deck describes the Automated Bulk Cloud Analytics, SKYNET. The slide to the left describes tracking things, all but one of which involves “session identifying information” that doesn’t involve any actual calls made (though this scheme also has access to phrases made, which any domestic program could not).

  • Travel patterns, including repeated visits to particular locations (obtained using location data)
  • Patterns of call usage (incoming only, “excessive” SIM or handset swapping or power-downs probably indicating counter-surveillance)
  • Co-travelers (obtained using location data — and we know AT&T does this under Hemisphere)
  • Similar travel patterns (again, obtained using location data)
  • Common contacts

Screen Shot 2015-05-08 at 3.43.55 PM

Only common contacts involve calls made (though that could even come from address books, which we know NSA collects).

And the outcome of this process is a set of identifiers — some tasked, the others not yet tasked — all of which (as either IMSIs or Handsets) would qualify as CDRs under USA F-ReDux.

None of this proves this is what the government wants to do with the hop process under USA F-ReDux.

But it does show that the NSA has a whole approach to analysis that has nothing to do with contact chaining, chaining on calls made, but instead chains on connections. The key input to that process is location data, which the government can’t obtain as a CDR under USA F-ReDux, but which telecoms need to provide service and therefore would have available to conduct analysis (and again, AT&T does some of this analysis now under Hemisphere).

These slides don’t prove that’s what the government intends under USA F-ReDux. But it does show it’s the kind of thing the NSA does, regularly, with its metadata analysis.

Richard Burr’s IP Dragnet Disappears into the Memory Hole

/6 Comments/in , /by

As I noted yesterday, Richard Burr gave a planned colloquy on the Senate floor yesterday in which he said bulk collection included IP addresses.

Now what’s bulk data? Bulk data is storing telephone numbers and IP addresses — we have no idea who they belong to — that are domestic. And the whole basis behind this program is that as a cell phone is picked up in Syria, and you look at the phone numbers that phone talked to, if there’s some in the United States we’d like to know that — at least law enforcement would like to know it — so that we can understand if there’s a threat against us here in the homeland or somewhere else in the world. So Section 215 allows the NSA to collect in bulk telephone numbers and IP addresses with no identifier on it. We couldn’t tell you who that American might be. [my emphasis]

Here’s a CSPAN clip of that discussion.

Curiously, here’s how that passage looks in the Congressional Record. (h/t Steven Aftergood)

What is bulk data? Bulk data is storing telephone numbers–we have no idea to whom they belong–that are foreign and domestic. The whole basis behind this program is that as a cell phone is picked up in Syria and we look at the phone numbers that phone talked to, if it is someone in the United States, we would like to know that–at least law enforcement would like to know it–so we can understand if there is a threat against us here in the homeland or somewhere else in the world.

Section 215 allows the NSA to collect, in bulk, telephone numbers with no identifier on them. We couldn’t tell you who that American might be. [my emphasis]

Note, the Congressional record also added “foreign” on to the description of telephone numbers collected. We know NSA collects IP addresses overseas, so it may be that’s what Burr was thinking about (or it may be in this doctored Congressional record, he added foreign because that would be unsurprising).

I called Burr’s office yesterday to ask about this, but have thus far gotten no response.