How the Second Circuit, FISC, and the Telecoms Might Respond to McConnell’s USA F-ReDux Gambit

/5 Comments/in /by

Update: Jennifer Granick (who unlike me, is a lawyer) says telecoms will be subject to suit if they continue to comply with dragnet orders. 

Any company that breaches confidentiality except as required by law is liable for damages and attorneys’ fees under 47 U.S.C. 206. And there is a private right of action under 47 U.S.C. 207.

Note that there’s no good faith exception in the statute, no immunity for acting pursuant to court order. Rather, the company is liable unless it was required by law to disclose. So Verizon could face a FISC 215 dragnet order on one side and an order from the Southern District of New York enjoining the dragnet on the other. Is Verizon required by law to disclose in those circumstances? If not, the company could be liable. And did I mention the statute provides for attorneys’ fees?

Everything is different now than it was last week. Reauthorization won’t protect the telecoms from civil liability. It won’t enable the dragnet. As of last Thursday, the dragnet is dead, unless a phone company decides to put its shareholders’ money on the line to maintain its relationships with the intelligence community.

Last night, Mitch McConnell introduced a bill for a 2-month straight reauthorization of the expiring PATRIOT provisions as well as USA F-ReDux under a rule that bypasses Committee structure, meaning he will be able to bring that long-term straight reauthorization, that short term one, or USA F-ReDux to the floor next week.

Given that a short term reauthorization would present a scenario not envisioned in Gerard Lynch’s opinion ruling the Section 215 dragnet unlawful, it has elicited a lot of discussion about how the Second Circuit, FISC, and the telecoms might respond in case of a short term reauthorization. But these discussions are almost entirely divorced from some evidence at hand. So I’m going to lay out what we know about both past telecom and FISA Court behavior.

Because of the details I lay out below, I predict that so long as Congress looks like it is moving towards an alternative, both the telecoms and the FISC will continue the phone dragnet in the short term, and the Second Circuit won’t weigh in either.

The phone dragnet will continue for another six months even under USA F-ReDux

As I pointed out here, even if USA F-ReDux passed tomorrow, the phone dragnet would continue for another 6 months. That’s because the bill gives the government 180 days — two dragnet periods — to set up the new system.

(a) IN GENERAL.—The amendments made by sections 101 through 103 shall take effect on the date that is 180 days after the date of the enactment of this Act.

(b) RULE OF CONSTRUCTION.—Nothing in this Act shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 24 1861 et seq.) as in effect prior to the effective date described in subsection (a) during the period ending on such effective date.

The Second Circuit took note of USA F-ReDux specifically in its order, so it would be hard to argue that it doesn’t agree Congress has the authority to provide time to put an alternative in place. Which probably means (even though I oppose Mitch’s short-term reauth in most scenarios) that the Second Circuit isn’t going to balk — short of the ACLU making a big stink — at a short term reauth for the purported purpose of better crafting a bill that reflects the intent of Congress. (Though the Second Circuit likely won’t look all that kindly on Mitch’s secret hearing the other day, which violates the standards of debate the Second Circuit laid out.)

Heck, the Second Circuit waited 8 months — and one failed reform effort — to lay out its concerns about the phone dragnet’s legality that were, in large part, fully formed opinions at least September’s hearing. The Second Circuit wants Congress to deal with this and they’re probably okay with Congress taking a few more months to do so.

FISC has already asked for briefing on any reauthorization

A number of commentators have also suggested that the Administration could just use the grandfather clause in the existing sunset to continue collection or might blow off the Appeals Court decision entirely.

But the FISC is not sitting dumbly by, oblivious to the debate before Congress and the Courts. As I laid out here, in his February dragnet order, James Boasberg required timely briefing from the government in each of 3 scenarios:

  • A ruling from an Appellate Court
  • Passage of USA F-ReDux introduces new issues of law that must be considered
  • A plan to continue production under the grandfather clause

And to be clear, the FISC has not issued such an order in any of the publicly released dragnet orders leading up to past reauthorizations, not even in advance of the 2009-2010 reauthorizations, which happened at a much more fraught time from the FISC’s perspective (because FISC had had to closely monitor the phone dragnet production for 6 months and actually shut down the Internet dragnet in fall 2009). The FISC clearly regards this PATRIOT sunset different than past ones and plans to at least make a show of considering the legal implications of it deliberately.

FISC does take notice of other courts

Of course, all that raises questions about whether FISC feels bound by the Second Circuit decision — because, of course, it has its very own appellate court (FISCR) which would be where any binding precedent would come from.

There was an interesting conversation on that topic last week between (in part) Office of Director of National Intelligence General Counsel Bob Litt and ACLU’s Patrick Toomey (who was part of the team that won the Second Circuit decision). That conversation largely concluded that FISC would probably not be bound by the Second Circuit, but Litt’s boss, James Clapper (one of the defendants in the suit) would be if the Second Circuit ever issued an injunction.

Sunlight Foundation’s Sean Vitka: Bob, I have like a jurisdictional question that I honestly don’t know the answer to. The Court of Appeals for the Second Circuit. They say that this is unlawful. Obviously there’s the opportunity to appeal to the Supreme Court. But, the FISA Court of Review is also an Appeals Court. Does the FISC have to listen to that opinion if it stands?

Bob Litt: Um, I’m probably not the right person to ask that. I think the answer is no. I don’t think the Second Circuit Court of Appeals has direct authority over the FISA Court. I don’t think it’s any different than a District Court in Idaho wouldn’t have to listen to the Second Circuit’s opinion. It would be something they would take into account. But I don’t think it’s binding upon them.

Vitka: Is there — Does that change at all given that the harms that the Second Circuit acknowledged are felt in that jurisdiction?

Litt: Again, I’m not an expert in appellate jurisdiction. I don’t think that’s relevant to the question of whether the Second Circuit has binding authority over a court that is not within the Second Circuit. I don’t know Patrick if you have a different view on that?

Third Way’s Mieke Eoyang: But the injunction would be, right? If they got to a point where they issued an injunction that would be binding…

Litt: It wouldn’t be binding on the FISA Court. It would be binding on the persons who received the —

Eoyong: On the program itself.

Patrick Toomey: The defendants in the case are the agency officials. And so an injunction issued by the Second Circuit would be directed at those officials.

But there is reason to believe — even beyond FISC’s request for briefing on this topic — that FISC will take notice of the Second Circuit’s decision, if not abide by any injunction it eventually issues.

That’s because, twice before, it has even taken notice of magistrate judge decisions.

The first known example came in the weeks before the March 2006 reauthorization of the PATRIOT Act would go into effect. During 2005, several magistrate judges had ruled that the government could not add a 2703(d) order to a pen register to obtain prospective cell site data along with other phone data. By all appearances, the government was doing the same with the equivalent FISA orders (this application of a “combined” Business Record and Pen Register order is redacted in the 2008 DOJ IG Report on Section 215, but contextually it’s fairly clear this is close to what happened). Those magistrate decisions became a problem when, in 2005, Congress limited Section 215 order production to that which could be obtained with a grand jury subpoena. Effectively, the magistrates had said you couldn’t get prospective cell site location with just a subpoena, which therefore would limit whether FBI could get cell site location with a Section 215 order.

While it is clear that FISC required briefing on this point, it’s not entirely clear what FISC’s response was. For a variety of reasons, it appears FISC stopped these combined application sometime in 2006 — the reauthorization went into effect in March 2006 — though not immediately (which suggests, in the interim, DOJ just found a new shell to put its location data collection under).

The other time FISC took notice of magistrate opinions pertained to Post Cut Through Dialed Digits (those are the things like pin and extension numbers you dial after your call or Internet connection has been established). From 2006 through 2009, some of the same magistrates ruled the government must set its pen register collection to avoid collecting PCTDD. By that point, FISC appears to have already ruled the government could collect that data, but would have to deal with it through minimization. But the FISC appears to have twice required the government to explain whether and how its minimization of PCTDD did not constitute the collection of content, though it appears that in each case, FISC permitted the government to go on collecting PCTDD under FISA pen registers. (Note, this is another ruling that may be affected by the Second Circuit’s focus on the seizure, not access, of data.)

In other words, even on issues not treating FISC decisions specifically, the FISC has historically taken notice of decisions made in courts that have no jurisdiction over its decisions (and in one case, FISC appears to have limited government production as a result). So it would be a pretty remarkable deviation from that past practice for FISC to completely blow off the Second Circuit decision, even if it may not feel bound by it.

Verizon responds to court orders, but in half-assed fashion

Finally, there’s the question of how the telecoms will react to the Second Circuit decision. And even there, we have some basis for prediction.

In January 2014, after receiving the Secondary Order issued in the wake of Judge Richard Leon’s decision in Klayman v. Obama that the dragnet was unconstitutional, Verizon made a somewhat half-assed challenge to the order.

Leon issued his decision December 16. Verizon did not ask the FISC for guidance (which makes sense because they are only permitted to challenge orders).

Verizon got a new Secondary Order after the January 3 reauthorization. It did not immediately challenge the order.

It only got around to doing so on January 22 (interestingly, a few days after ODNI exposed Verizon’s role in the phone dragnet a second time), and didn’t do several things — like asking for a hearing or challenging the legality of the dragnet under 50 USC 1861 as applied — that might reflect real concern about anything but the public appearance of legality. (Note, that timing is of particular interest, given that the very next day, on January 23, PCLOB would issue its report finding the dragnet did not adhere to Section 215 generally.)

Indeed, this challenge might not have generated a separate opinion if the government weren’t so boneheaded about secrecy.

Verizon’s petition is less a challenge of the program than an inquiry whether the FISC has considered Leon’s opinion.

It may well be the case that this Court, in issuing the January 3,2014 production order, has already considered and rejected the analysis contained in the Memorandum Order. [redacted] has not been provided with the Court’s underlying legal analysis, however, nor [redacted] been allowed access to such analysis previously, and the order [redacted] does not refer to any consideration given to Judge Leon’s Memorandum Opinion. In light of Judge Leon’s Opinion, it is appropriate [redacted] inquire directly of the Court into the legal basis for the January 3, 2014 production order,

As it turns out, Judge Thomas Hogan (who will take over the thankless presiding judge position from Reggie Walton next month) did consider Leon’s opinion in his January 3 order, as he noted in a footnote.

Screen Shot 2014-04-28 at 10.49.42 AM

And that’s about all the government said in its response to the petition (see paragraph 3): that Hogan considered it so the FISC should just affirm it.

Verizon didn’t know that Hogan had considered the opinion, of course, because it never gets Primary Orders (as it makes clear in its petition) and so is not permitted to know the legal logic behind the dragnet unless it asks nicely, which is all this amounted to at first.

Ultimately, Verizon asked to see proof that FISC had considered Leon’s decision. But it did not do any of the things people think might happen here — it did not immediately cease production, it did not itself challenge the legality of the dragnet, and it did not even ask for a hearing.

Verizon just wanted to make sure it was covered; it did not, apparently, show much concern about continued participation in it.

And this is somewhat consistent with the request for more information Sprint made in 2009.

So that’s what Verizon would do if it received another Secondary Order in the next few weeks. Until such time as the Second Circuit issues an injunction, I suspect Verizon would likely continue producing records, even though it might ask to see evidence that FISC had considered the Second Circuit ruling before issuing any new orders.

Share this entry

Some Thoughts on USA F-ReDux

/13 Comments/in /by

There’s a funny line in the House Judiciary Committee’s report on USA F-ReDux. Amid the discussion of the new Call Detail Record function, it explains the government will be doing CDR chaining on “metadata it already lawfully possesses,” even as providers will be chaining on metadata in their possession.

In addition, the government can use the FISC-approved specific selection term to identify CDRs from metadata it already lawfully possesses.

The line should not be surprising. As I reported in 2013, the NSA does what are called “federated” queries, metadata chaining across data collected from a variety of sources. This line, then, simply acknowledges that the government will continue to conduct what amounts to federated queries even under the new system.

But the line ought to raise the question, “where does this lawfully possessed data come from?”

The data almost certainly comes from at least 3 sources: metadata taken from PRISM collection in databases that get copied wholesale (so Internet metadata within a hop of a foreign target), records of international phone calls, and records from Internet data collected overseas.

The latter two, of course, would be collected in bulk.

So within the report on a bill many claim ends bulk collection of American’s phone records is tacit admission that the bulk collection continues (not to mention that the government has broad access to data collected under PRISM).

After yesterday’s 338 – 88 vote in the House in favor of USA F-ReDux, a number of people asked me to explain my view on the bill.

First, the good news. As I noted, while the language on CDR chaining in the actual bill is muddled, the House report includes language that would prohibit most of the egregious provider-based chaining I can imagine. So long as nothing counters that, one of my big concerns dating back to last year has been addressed.

I also opposed USAF last fall because I expected the Second Circuit would weigh in in a way that was far more constructive than that bill, and I didn’t want a crappy bill to moot the Second Circuit. While there are many things that might yet negate the Second Circuit ruling (such as conflicting decisions from the DC or 9th Circuits or a reversal by SCOTUS), the Second Circuit’s decision was even more useful than I imagined.

But that’s part of why I’m particularly unhappy that Specific Selection Term has not been changed to require the government to more narrowly target its searches. Indeed, I think the bill report’s language on this is particularly flaccid.

Section 501(b)(2)(A) of FISA will continue to require the government to make ‘‘a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation….’’50 Section 103 requires the government to make an additional showing, beyond relevance, of a specific selection term as the basis for the production of the tangible things sought, thus ensuring that the government cannot collect tangible things based on the assertion that the requested collection‘‘is thus relevant, because the success of [an] investigative tool depends on bulk collection.’’ 51 Congress’ decision to leave in place the ‘‘relevance’’ standard for Section 501 orders should not be construed as Congress’ intent to ratify the FISA Court’s interpretation of that term. These changes restore meaningful limits to the‘‘relevance’’ requirement of Section 501, consistent with the opinion of the U.S. Court of Appeals for the Second Circuit in ACLU v.Clapper.

Meaningful limits on “relevant to” would be specific guidelines for the court on what is reasonable and what is not. Instead, USA F-ReDux still subjects the narrowness of an SST to a “greatest extent reasonably practicable” standard, which in the past we’ve seen amount to prioritization of the practicability of spying over privacy interests. While people can respectfully disagree on this front, I believe USA F-ReDux still permits both bulk collection of non-communications records and bulky collection of communications records (including FBI’s Internet collection). In the wake of the Second Circuit opinion, I find that especially inexcusable.

I also am not convinced USA F-ReDux is an across-the-board privacy win. I argued last year that USAF swaps a well-guarded unexploded nuclear bomb for many more exploding IEDs striking at privacy. By that, I mean that the new CDR function will probably not result in any less privacy impact, in practice (that is, assuming NSA follows its own minimization rules, which it hasn’t always), than the prior dragnet. That’s true because:

  • We have every reason to believe the CDR function covers all “calls,” whether telephony or Internet, unlike the existing dragnet. Thus, for better and worse, far more people will be exposed to chaining than under the existing dragnet. It will catch more potential terrorists, but also more innocent people. As a result, far more people will be sucked into the NSA’s maw, indefinitely, for exploitation under all its analytical functions. This raises the chances that an innocent person will get targeted as a false positive.
  • The data collected under the new CDR function will be circulated far more broadly than status quo. Existing dragnet orders limit access to the results of queries to those with special training unless one of four named individuals certifies that the query result relates to counterterrorism. But USA F-ReDux (and the current minimization procedures for Section 702 data; USA F-ReDux will likely use the PRISM infrastructure and processing) makes it clear that FBI will get access to raw query results. That almost certainly means the data will be dumped in with FBI’s PRISM and FISA data and subjected to back door searches at even the assessment level, even for investigations that have nothing to do with terrorism. As on the NSA side, this increases the risk that someone will have their lives turned upside down for what amounts to being a false positive. It also increases the number of people who, because of something in their metadata that has nothing to do with a crime, can be coerced into becoming an informant. And, of course, they’ll still never get notice that that’s where this all came from, so they will have a difficult time suing for recourse.

One other significant concern I’ve got about the existing bill — which I also had last year — is that the emergency provision serves as a loophole for Section 215 collection; if the FISC deems emergency collections illegal, the government still gets to keep — and parallel construct — the data. I find this especially concerning given how much Internet data FBI collects using this authority.

I have — as I had last year — mixed feelings about the “improvements” in it. I believe the amicus, like initial efforts to establish PCLOB, will create an initially ineffective function that might, after about 9 years, someday become effective. I believe the government will dodge the most important FISC opinion reporting, as they currently do on FOIAs. And, in spite of a real effort from those who negotiated the transparency provisions, I believe that the resulting reporting will result in so thoroughly an affirmatively misleading picture of surveillance it may well be counterproductive, especially in light of the widespread agreement the back doors searches of Section 702 data must be closed (while there are a few improvements on reporting to Congress in this year’s bill, the public reporting is even further gutted than it was last year).

And now there’s new gunk added in.

One change no one has really examined is a change extending “foreign power” status from those proliferating WMDs to those “conspiring” or “abetting” efforts to do so. I already have reasons to believe the WMD spying under (for example) PRISM is among the more constitutionally problematic. And this extends that in a way no one really understands.

Even more troublesome is the extension of Material Support maximum sentences from 15 to 20 years. Remember, under Holder v. HLP, a person can be convicted of material support for First Amendment protected activities. Thus, USA F-ReDux effectively embraces a 20 year sentence for what could be (though isn’t always) thought crimes. And no one has explained why it is necessary! I suspect this is an effort to use harsh sentences to coerce people to turn informant. If so, then this is an effort to recruit fodder for infiltrators into ISIS. But if all that’s correct, it parallels similar efforts under the Drug War to use excessive sentences to recruit informants, who — it turns out in practice — often lead to false convictions and more corruption. In other words, at a moment when there is bipartisan support for sentencing reform for non-violent crimes (for which many cases of Material Support qualify), USA F-ReDux goes in the opposite direction for terrorism, all at a time when the government claims it should be putting more emphasis on countering extremism, including diversion.

So while I see some advantages to the new regime under USA F-ReDux (ironically, one of the most important is that what surveillance the government does will be less ineffective!), I am not willing to support a bill that has so many bad things in it, even setting aside the unconstitutional surveillance it doesn’t address and refuses to count in transparency provisions. I think there need to be privacy advocates who live to fight another day (and with both ACLU and EFF withdrawing their affirmative support for the bill, we at least have litigators who can sue if and when we find the government violating the law under this new scheme — I can already identify an area of the bill that is certainly illegal).

That said, it passed with big numbers yesterday. If it passes, it passes, and a bunch of authoritarians will strut their purported support for liberty.

At this point, however, the priority needs to be on preventing the bill from getting worse (especially since a lot of bill boosters seem not to have considered at what point they would withdraw their support because the bill had gotten too corrupted). Similarly, while I’m glad bill sponsors Jim Sensenbrenner and Jerry Nadler say they won’t support any short-term extension, that may tie their own hands if what comes back is far worse than status quo.

There’s some good news there, too. The no votes on yesterday’s House vote were almost exclusively from supporters of privacy who believe the bill doesn’t go far enough, from Justin Amash to Jared Polis to Tom Massie to Donna Edwards to Ted Poe to rising star Ted Lieu and — most interestingly — Jan Schakowsky (who voted for the crappier House bill when she was on HPSCI last year). Hopefully, if and when Mitch McConnell throws in more turdballs, those who opposed the bill yesterday can whip efforts to defeat it.

Stay tuned.

Share this entry

USA F-ReDux: The Risks Ahead

/4 Comments/in /by

Sometime after 2 today, the House will pass USA F-ReDux by a large margin. Last night the Rules Committee rejected all amendments, including two (a version of the Massie-Lofgren amendment prohibiting back doors and a Kevin Yoder amendment that would improved ECPA protections) that have majority support in the House.

After the bill passes the House today it will go to the Senate where Mitch McConnell will have his way with it.

What happens in the Senate is anyone’s guess.

One reason no one knows what Mitch has planned is because most people haven’t figured out what Mitch really wants. I think there are 3 possibilities:

  • He actually wants USA F-ReDux with some tweaks (about which more below) and the threat of a straight reauthorization is just a tactic to push through those tweaks; this makes the most sense because USA F-ReDux actually gives the IC things they want and need that they don’t currently have
  • There is something the government is doing — a bulk IP program, for example — that Mitch and Burr plan to provide Congressional sanction for even while basically adopting USA F-ReDux as a limit on Section 215 (but not other authorities); the problem with this plan is that secret briefings like the Administration offered the Senate, but not the House, last night don’t seem to meet the terms of ratification described by the Second Circuit
  • The Second Circuit decision threatens another program, such as SPCMA (one basis for Internet chaining involving US persons right now), that the Senate believes it needs to authorize explicitly and that’s what the straight reauthorization is about
  • [Update] I’m reminded by Harley Geiger that Mitch might just be playing to let 215 sunset so he can create a panic that will let him push through a worse bill. That’s possible, but the last time such an atmosphere of panic reigned, after Congress failed to replace Protect American Act in 2008, it worked to reformers’ advantage, to the extent that any cosmetic reform can be claimed to be a win.

I think — though am not certain — that it’s the first bullet, though Burr’s so-called misstatement the other day makes me wonder. If so Mitch’s procedural move is likely to consist of starting with his straight reauthorization but permitting amendments, Patrick Leahy introducing USA F-ReDux as an amendment, Ron Wyden and Rand Paul unsuccessfully pushing some amendments to improve the bill, and Richard Burr adding tweaks to USA F-ReDux that will make it worse. After that, it’s not clear how the House will respond.

Which brings me to what I think Burr would want to add.

As I’ve said before, I think hawks in the Senate would like to have data mandates, rather than the data handshake that Dianne Feinstein keeps talking about. While last year bill supporters — including corporate backers — suggested that would kill the bill, I wonder whether everyone has grown inured to the idea of data retention, given that they’ve been silent about the data handshake since November.

I also suspect the IC would like to extend the CDR authority to non-terrorism functions, even including drug targets (because they probably were already using it as such).

The Senate may try to tweak the Specific Selection Term language to broaden it, but it’s already very very permissive.

I’m also wondering if the Senate will introduce language undermining the limiting language HJC put in its report.

Those are the predictable additions Burr might want. There are surely a slew more (and there will be very little time to review it to figure out the intent behind what they add).

The two big questions there are 1) are any of those things significant enough to get the House to kill it if and when it gets the bill back and 2) will the House get that chance at all?

Share this entry

Did the Government Comply with FISC Requirement of Notice on Appellate Decision

/2 Comments/in /by

I’m prepping a post on how all the various deadlines over the next several weeks will work together. So I’ve been reviewing the instructions James Boasberg laid out in the most recent dragnet order, which he signed on February 26.

First, Boasberg reminded the government — which had turned in its homework late in February — that FISC gets a week to consider any application. That means they need the next application by May 22.

Remember, the House breaks for Memorial Day on May 21 (that is, they’re not scheduled to be in session on May 22) and the Senate breaks on May 22.

The government will almost certainly have to submit a new dragnet order by May 22. That’s because USA F-ReDux allows bulk collection to continue for 6 months as it sets up PRISM-lite for provider compliance. But as I understand it, the new dragnet order has to happen under USA F-ReDux, not PATRIOT.

That may shave one day off the legislative schedule.

More interesting is Boasberg’s order that if any of the three appellate court reviewing the dragnet issues an opinion “prior to the expiration of this Order, the government is directed to inform the Court promptly if the government’s implementation of this Order has changed as a result of such opinion(s).”

Now, in actually, the government might only have to send a short note saying, “the Second Circuit ruled, told us this is unlawful, but also did not issue an injunction because Congress is about to act on it.” But they have to send some kind of notice, per this order.

Did they?

Share this entry

Did the Second Circuit Decision ALSO Blow Up SPCMA?

/5 Comments/in , /by

In a post on last week’s Second Circuit opinion finding NSA’s Section 215 phone dragnet unlawful, Faiza Patel observed that the government may have problems with the court’s ruling that a seizure of metadata can constitute an injury. She points to DOD directive 5240.1-R as a rule that may be impacted.

Second, as Jennifer Daskal explained last Friday, “collection matters.” The Second Circuit rejected the government’s contention that there was no cognizable injury until plaintiffs’ phone records were actually analyzed and reviewed. It ruled that collection is properly analyzed as “seizure,” which if unlawful constitutes a separate injury from the “search” that takes place when records are analyzed either by a human being or a computer.

As the Supreme Court has recognized, in Fourth Amendment cases the analysis of standing is intertwined with the merits question of whether there has been an invasion of a protected privacy interest. Thus, the Second Circuit’s position on collection could have serious implications for other government programs beyond the standing question.

[snip]

Another set of programs for which “collection matters” are those conducted under Executive Order 12,333. Department of Defense directive 5240.1-R, which sets out procedures for intelligence activities that affect U.S. persons, states:

Information shall be considered as “collected” only when it has been received for use by an employee of a DoD intelligence component in the course of his official duties … Data acquired by electronic means is “collected” only when it has been processed into intelligible form. (Emphasis added.)

Although the directive does not explain what constitutes an “intelligible form” of electronic data, another regulation (USSID 18) states that information becomes “intelligible” and is therefore “collected” when a NSA analyst “intentional[ly] task[s] or select[s]” a communication of interest for “inclusion in a report or retention as a file record.” This is a critical distinction because protections for US persons under Executive Order 12,333, Presidential Policy Directive 28, and subsidiary regulations are triggered when information is “collected” per the government’s definition.

All the caveats about not being a lawyer, I think there’s a subset of practices under 5240.1-R that may be particularly acutely affected: SPCMA, the authority that the NSA uses to contact (and, presumably, connection) chain on US person metadata collected overseas.

As I pointed out here, OIPR (during a period when it was headed by current FBI General Counsel James Baker) originally informally advised that NSA had to stop chaining when it hit a US person. But then, a rather suspiciously short period after Baker left in 2007, Steven Bradbury and Ken Wainstein came up with a theory whereby such data did not count as an acquisition — because it had already been collected — and therefore could be chained through.

The fourth definition of electronic surveillance involves “the acquisition by an electronic, mechanical, or other surveillance device of the contents of any wire communication …. ” 50 U.S.C. § 1802(f)(2). “Wire communication” is, in turn, defined as “any communication while it is being carried by a wire, cable, or other like connection furnished or operated by any person engaged as a common carrier …. ” !d. § 1801 (1). The data that the NSA wishes to analyze already resides in its databases. The proposed analysis thus does not involve the acquisition of a communication “while it is being carried” by a connection furnished or operated by a common carrier. (S//SI)

[snip]

The current DOD procedures and their Classified Annex may be read to restrict NSA’s ability to conduct the desired communications metadata analysis, at least with respect to metadata associated with United States persons. In particular, this analysis may fall within the procedures’ definitions of, and thus restrictions on, the “interception” and “selection” of communications.

Accordingly, the Supplemental Procedures that would govern NSA’s analysis of communications metadata expressly state that the DOD Procedures and the Classified Annex do not apply to the analysis of communications metadata. Specifically, the Supplemental Procedures would clarify that “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communications, nor do they qualify as ‘us[ing] a selection term,’ including using a selection term ‘intended to intercept a communication on the basis of. .. [some] aspect of the content of the communication.” Once approved, the Supplemental Procedures will clarify that the communications metadata analysis the NSA wishes to conduct is not restricted by the DOD procedures and their Classified Annex. (S//SI)

As I’ve previously explained, it works out to a kind of virgin birth, all to avoid the actual seizure moment that would implicate EO 12333.

That virgin birth theory led to this paragraph in supplemental procedures that amend 5240.1-R to treat metadata analysis (it doesn’t say it here, but it means, of US persons) as something other than an interception.

S//SI) For purposes of Procedure 5 of DoD Regulation 5240.1-R and the Classified Annex thereto contact chaining and other metadata analysis don’t qualify as the “interception” or “selection” of communications, nor do they qualify as “us[ing] a selection term,” including using a selection term “intended to intercept a communication on the basis of … [some] aspect of the content of the communication.”

I’m not sure, but Gerard Lynch’s opinion may pose real problems for this virgin birth theory. And oh, by the way, a lot of this data leads to data ending up in FBI’s hands which would be overseen by … James Baker, who may have had a problem with this argument in the past, even without the Second Circuit decision.

All of which is one way of saying that, in addition to creating some pressure on Congress to pass USA F-ReDux, this bill may have (though I await actual lawyers to consider this question) created far, far larger problems for SPCMA, which is understood to have been one of the places where the old domestic Internet dragnet went to (which might explain why Richard Burr was talking about Internet dragnets on the floor of the Senate the other day).

If so, the government has a far bigger headache than just the one created for the domestic phone metadata program.

Share this entry

HJC USA F-ReDux Report: Other Thoughts

/1 Comment/in /by

More thoughts on the House Judiciary Committee report on USA F-ReDux.

The Data Handshake

The bill seems to explicitly envision a data handshake, based off contractual agreements.

This section does not require any private entity to retain any record or information other than in the ordinary course of business.However, nothing in current law or this Act prohibits the government and telecommunications providers from agreeing voluntarily to retain records for periods longer than required for their business purposes.

[snip]

This section explicitly permits the government to compensate  third parties for producing tangible things or providing information, facilities, or assistance in accordance with an order issued under Section 501. It is customary for the government to enter into contractual agreements with third parties in order to compensate them for products and services provided to the government.

CBO provides a $15 million estimate for the unclassified costs of the bill over 5 years (though that includes $5 million for the amicus). But most of the contracts would be highly classified, so we have no way of knowing how much the providers will get for holding onto our data.

Minimization

The language on the section requiring the government to destroy data that is not foreign intelligence information is … underwhelming (though it might at least get the government to destroy high volume numbers, which they do anyway).

This section requires the government to adopt minimization procedures that require the prompt destruction of call detail records that are not foreign intelligence information.

 The passage discussing the new minimization procedures is more interesting.

This section provides that the court may evaluate the adequacy of minimization procedures under Section 501. Under current law, the court is only empowered to determine whether the government has minimization procedures in place. This section also makes clear that the FISC may require additional, particularized minimization procedures beyond those required under Section 501 with regard to the production, retention, or dissemination of certain business records, including requiring the destruction of such records within a reasonable time period. This language is intended to capture an existing practice by the FISC to require heightened minimization procedures when appropriate.

As the language makes clear (and contra a bunch of boosters last year), this simply “capture[s] an existing practice.” It does codify it, though. (Note, last year there were very few obvious modifications for minimization procedures, though that may mean everything is already set up with existing procedures).

Emergency Provision

There’s nothing in the language on the Attorney General enforced emergency provision language that leads me to believe they won’t just parallel construct any data the FISC tells them they’ve obtained illegally.

If the court denies an emergency application, the government may not use any of the information obtained under the emergency authority exceptin instances of a threat of death or serious bodilyharm.

Specific Selection Term

This section is worth examining at length.

This section requires that each application for the production of tangible things include ‘‘a specific selection term to be used as the basis for the production.’’ In so doing, the Act makes clear that the government may not engage in indiscriminate bulk collection of any tangible thing or any type of record under Section 501 of FISA. Section 501(b)(2)(A) of FISA will continue to require the government to make ‘‘a statement of facts showing that there are reasonable grounds to believe that the tangible things sought are relevant to an authorized investigation. . . .’’50 Section 103 requires the government to make an additional showing, beyond relevance, of a specific selection term as the basis for the production of the tangible things sought, thus ensuring that the government cannot collect tangible things based on the assertion that the requested collection ‘‘is thus relevant, because the success of [an] investigative tool depends on bulk collection.’’ 51 Congress’ decision to leave in place the ‘‘relevance’’ standard for Section 501 orders should not be construed as Congress’ intent to ratify the FISA Court’s interpretation of that term. These changes restore meaningful limits to the‘‘relevance’’ requirement of Section 501, consistent with the opinion of the U.S. Court of Appeals for the Second Circuit in ACLU v. Clapper.

Although this Act eliminates bulk collection, this section maintains Section 501 as a business records authority. The additional showing of a ‘‘specific selection term’’ that will be required in all Section 501 applications does not provide any new authority, but it is defined in such a way as to allow for standard business records collection to continue while prohibiting the use of this authority for indiscriminate, bulk collection.

First, the definitions section does not adopt an English language definition of “bulk.” It uses the IC’s version, which means “everything.” Thus, the promise that the government won’t engage in “indiscriminate bulk collection” only says “they won’t get all,” not that they won’t engage in bulky production.

The language on SST — along with the explicit permission to use more than one term — leads me to wonder if they’re going to limit this with descriptions of the cross-references they’ll make (so, the purchase records for all pressure cookers, which will be crossed against anyone who called the Tsarnaev brothers).

HJC’s insistence this doesn’t ratify FISC’s crummy “relevant to” definition would be a lot more convincing if it provided some sense of where the limits are. Further, the language “allow[ing] standard business records collection” to continue does not raise my confidence about past/existing bulk programs. (And remember, the bill adds language requiring reporting to Congressional oversight committees on bulky programs.)

But the definitions section adds to that.

For purposes of the call detail record authority, the term ‘‘specific selection term’’ is defined as a term specifically identifying an individual, account, or personal device.

The term ‘‘address’’ means a physical address or electronic address, such as an electronic mail address, temporarily assigned network address, or Internet protocol address. This definition may overlap with the term ‘‘account,’’ which also can be considered a ‘‘specific selection term’’ under the bill. These terms are not mutually exclusive, and an electronic mail address or account also qualifies as an ‘‘account’’ for purposes of the bill.

The term ‘‘personal device’’ refers to a device that can reasonably be expected to be used by an individual or a group of individuals affiliated with one another. For example, ‘‘personal device’’ would include a telephone used by an individual, family, or housemates, a telephone or computer provided by an employer to an employee or employees, a home computer or tablet shared by a family or housemates, and a Wi-Fi access point that is exclusively available to the inhabitants of a home, the employees of a business, or members of an organization. It would also include a local area network server that is used by a business to provide e-mail to its employees. The term ‘‘personal device’’ does not include devices that are made available for use by the general public or by multiple people not affiliated with one other, such as a pay phone available to the public, a computer available to library patrons to access the Internet, or a Wi-Fi access point made available to all customers at an Internet cafe´. Depending on the circumstances, however, such devices could qualify as ‘‘any other specific identifier’’ that is used to limit the scope of the tangible things sought consistent with the purpose for seeking the tangible things. The term ‘‘personal device’’ also does not include devices that are used by companies to direct public communications, such as a router used by an Internet service provider to route e-mails sent by its customers, or a switch used by a telecommunications carrier to route calls made by its customers.

As I wrote in an update here, this language adds to the evidence they plan on chaining on Internet “calls.” It also makes suggests they will chain on devices that use the same private IP, as opposed to an IP tied to an Internet cafe.

Effective date

I love how they make it very clear that any prohibition on bulk collection of any sort can continue for 6 months.

This section provides that the new call detail records authority, the new Section 501 emergency authority, and the prohibition on bulk collection of tangible things under Section 501 take effect 180 days after enactment.

Transparency

The latest version of USA F-ReDux included language on “unique identifiers used to communicate information collected pursuant to such orders,” which was not defined. Here, they say it includes all people collected under the authority, “not just the number of target email addresses or telephone numbers.” That’s actually a good thing. The transparency provisions still exempt out the FBI because “the agency has indicated it lacks the capacity to provide,” which is a piss poor reason to exempt an agency that can throw people into jail for this. And the report doesn’t explain why it eliminated the top level number for Section 702.

Material Support

The report doesn’t even try to explain why it needs to bump the punishment for material support for terrorism — which, remember, can be no more than speech — from 15 to 20 years.

Share this entry

HJC’s USA F-ReDux Report Narrows Language on Call Detail Records

/5 Comments/in /by

As I’ve written extensively, for the last 15 months, the government, FISC, and Congress have been playing around with the definition of Call Detail Records under the USA F-ReDux and its predecessors. As written, I believe the CDR language in USA F-ReDux would permit the government to ask providers for analysis (of the sort provided by AT&T under Hemisphere) using things like location data, without turning over location data.

The House Judiciary Committee report includes language that would go a long way to prohibiting the kind of analysis I worry about, however.

The government may require the production of up to two “hops”—i.e., the call detail records associated with the initial seed telephone number and call detail records (CDRs) associated with the CDRs identified in an initial “hop.” Subparagraph (F)(iii) provides that the government can obtain the first set of CDRs using the specific selection term approved by the FISC. In addition, the government can use the FISC-approved specific selection term to identify CDRs from metadata it already lawfully possesses. Together, the CDRs produced by the phone companies and those identified independently by the government constitute the first “hop.” Under subparagraph (F)(iv), the government can then present session identifying information or calling card numbers (which are components of a CDR, as defined in section 107) identified in the first “hop” CDRs to phone companies to serve as the basis for companies to return the second “hop” of CDRs. As with the first “hop,” a second “hop” cannot be based on, nor return, cell site or GPS location information. It also does not include an individual listed in a telephone contact list, or on a personal device that uses the same wireless router as the seed, or that has similar calling patterns as the seed. Nor does it exist merely because a personal device has been in the proximity of another personal device. These types of information are not maintained by telecommunications carriers in the normal course of business and, regardless, are prohibited under the definition of “call detail records.”

“Call detail records” include “session identifying information (including originating or terminating telephone number, International Mobile Subscriber Identity number, or International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call.” The Act explicitly excludes from that term the contents of any communication; the name, address, or financial information of a subscriber or customer; and cell site location or GPS information, and the Act should not be construed to permit the government to obtain any of this type of information through either of the two “hops.”

Some comments on this.

First, nothing in this passage suggests these “phone companies” are exclusively telephony companies (that is, old style phone companies). Indeed, it even mentions wireless routers, suggesting they’re accounting for IP addresses. That’s to be expected; much less of our call traffic is carried by such providers. But people should be aware this likely includes Google and Microsoft and Apple “calls.”

The passage explicitly permits the government to also chain on “metadata it already lawfully possesses.” Which means it will do the EO 12333 hops, while the providers do the 215 hop. Remember this will produce a largely duplicative production for international calls, with more metadata involved on the EO 12333. But there’s no way to deal with that. (Note, assuming the CDRs will come back in through FBI, this means they’ll probably get access to EO 12333 data out of this.)

The passage lists a lot of things I was worried about (in part, because we know the government has obtained similar information using both Hemisphere and its own EO 12333 analysis) that cannot be used for these hops, including:

  • Cell site or GPS location information
  • An individual listed in a telephone contact list
  • An individual on a personal device that uses the same wireless router as the seed
  • An individual that has similar calling patterns as the seed
  • A personal device has been in the proximity of another personal device

This would seem to rule out most of my concerns (especially if “calling patterns” included the kind of counter-surveillance tactics that last week’s Intercept story made clear NSA tracks). It would seem to permit chaining on “friends and family” members (but the FBI is getting those, from AT&T at least, using NSLs). And it doesn’t address owners of the same account (suggesting the government could use one device to obtain other related devices tied to the same account — but that’s the same person, which therefore seems totally justifiable).

Finally, note this language seems to confirm what I have understood: that the definition of CDR includes 5 components, only one of which must be met to be a CDR, meaning that the government can obtain nothing more than device identifying information. Again, I don’t find that problematic. It’s just something to pay attention to.

All of which to say that, if HPSCI and the House overall don’t come out with any language that changes this (Mike Rogers introduced some funky language last year, which is when I first started get worried about this), then I would be fairly comfortable that any non-call chaining under this CDR function would be perfectly reasonable. Indeed, these definitions exclude ones — like matching similar calling patters — that I wouldn’t be surprised if they retained. Moreover, last week’s Second Circuit ruling would seem to require any other interpretations of this language to be public to count as binding.

So for now, at least, one of my significant concerns about USA F-ReDux is alleviated.

Update: Adding, this language seems to envision the possibility of using 215 to get location data later, which is something James Cole explicitly admitted was possible last year.

This new authority—designed to allow the government to search telephone metadata for possible connections to international terrorism— does not preclude the government’s use of standard business records orders under Section 501 to compel the production of business records, including call detail records.

Again, that’s not surprising. But this report explicitly limits prospective call record chaining to the CDR function, so they could not get location under this authority prospectively (they’d probably use PRTT for that in any case).

Update: Now that I read the definitions section, I do have a few more reservations about how they can chain — and am all but certain this is intended to include Internet “calls.” Here’s that section.

For purposes of the call detail record authority, the term ‘‘specific selection term’’ is defined as a term specifically identifying an individual, account, or personal device.

The term ‘‘address’’ means a physical address or electronic address, such as an electronic mail address, temporarily assigned network address, or Internet protocol address. This definition may overlap with the term ‘‘account,’’ which also can be considered a ‘‘specific selection term’’ under the bill. These terms are not mutually exclusive, and an electronic mail address or account also qualifies as an ‘‘account’’ for purposes of the bill.

The term ‘‘personal device’’ refers to a device that can reasonably be expected to be used by an individual or a group of individuals affiliated with one another. For example, ‘‘personal device’’ would include a telephone used by an individual, family, or housemates, a telephone or computer provided by an employer to an employee or employees, a home computer or tablet shared by a family or housemates, and a Wi-Fi access point that is exclusively available to the inhabitants of a home, the employees of a business, or members of an organization. It would also include a local area network server that is used by a business to provide e-mail to its employees. The term ‘‘personal device’’ does not include devices that are made available for use by the general public or by multiple people not affiliated with one other, such as a pay phone available to the public, a computer available to library patrons to access the Internet, or a Wi-Fi access point made available to all customers at an Internet cafe. Depending on the circumstances, however, such devices could qualify as ‘‘any other specific identifier’’ that is used to limit the scope of the tangible things sought consistent with the purpose for seeking the tangible things. The term ‘‘personal device’’ also does not include devices that are used by companies to direct public communications, such as a router used by an Internet service provider to route e-mails sent by its customers, or a switch used by a telecommunications carrier to route calls made by its customers.

First, this section goes out of its way to say CDR SST includes “account” which includes “email address or account.” This strongly suggests they intend to go to Google and get everything associated with, for example, the “account” emptywheel. Again, I’m not at all surprised about that. But it is worth noting.

The “personal device” description distinguishes the “individual on a personal device that uses the same wireless router as the seed,” which is prohibited for chaining under the bill, from an individual “on the same personal device” which may include a home (or even business’, which is something FBI has obtained using NSLs) WiFi access point. That is, it does seem like your roommates could be chained, but not those using the same Internet cafe as you.

But again, these are legitimate chains, in my opinion.

Share this entry

Will Ben Wittes Pre-Prove Ben Wittes is NAKED?

/2 Comments/in /by

Ben Wittes wrote a post about last week’s Second Circuit ruling deeming the NSA 215 phone dragnet unlawful, arguing that the ruling is actually good for the Agency.

It may seem odd to suggest that a unanimous panel defeat on a basic legal theory underlying an NSA program is good for the agency, but consider: A few days ago, the 215 program was on a glide-path to expiration. The House seemed to be coming together around a version of the USA Freedom Act, which would substitute a different metadata acquisition mechanism for the 215 authority and create other reforms as well. But the Senate had lacked the votes to move that bill even last year, and Senator McConnell was pushing instead what he called a “clean” reauthorization—which would reauthorize 215 without modification and do none of the other reforms both the administration and civil libertarians have supported. It was not at all clear that the House bill could pass the Senate, and it was entirely clear that McConnell’s bill could not pass the House. Betting on a compromise within three weeks was, given the normal state of congressional competence these days, optimistic, to put it mildly. So the program seemed likely to expire, less as a result of any decision to let it sunset than as the result of a collective action problem.

The Second Circuit opinion meaningfully changes that. It is a sharp reminder to those who favor McConnell’s approach that is not viable—or, at least, that it involves serious litigation risk. Yes, it is possible—likely, even—that the D.C. Circuit will disagree with the Second Circuit, and that the meaning of 215 will thus be ultimately subject to the whimsical mind of Anthony Kennedy. So yes, it’s also still possible that a vote for a “clean” reauthorization will yield maximal flexibility for the agency. But that’s not a bet I would want to lay if I were a congressional proponent of strong signals intelligence and counterterrorism programs. Rather, I would say that it is far better to have a legally sustainable version of this capacity than to have no capacity at all, and supporting clean reauthorization will either cause there to be no bill—in which case the authority lapses—or, if the bill were to pass, it risks that the Supreme Court’s ultimately agrees with the Second Circuit, not with the FISA Court interpretation of the law. The far better approach for the agency is the compromise that the administration has long supported. And for the first time in a long time, I can see a path to that outcome.

While I don’t necessarily agree with all details, I think he’s right. USA F-ReDux is actually the best outcome for the government. It always has been. But no pro-spying people were making that case, and so even people like Bill Nelson opposed it. Last week’s decision prevents the spying hawks from voting against their best interests.

But — particularly given Ben’s long campaign to hold people accountable for what they should know — I have to laugh at this bit.

The litigation risk of relying on 215 is the principal reason I have been arguing for almost two years now that Congress needs to clarify the law, both to authorize access to metadata contact chaining under appropriate circumstances and to build in protections that exist under the current program only through court order.

I laugh because, even if it is Congress’ intent to “clarify the law … authoriz[ing] access to metadata contact chaining,” USA F-ReDux does not do that. On the contrary, for the last 15 months, the actual chaining function being authorized in the bill has been a moving target. The notion that this involved exclusively contact chaining was jettisoned, with court approval, in February 2014. And no one I’ve spoken with knows what the current chaining language (or the previous use of “connection chaining”) means.

So Congress is not clarifying things, it is obscuring it, though almost all in Congress (and, apparently, Ben, who unlike most in Congress has been writing about this bill throughout) have missed that this is no longer authorizing just contact chaining. According to Ben, Ben has no excuse for not knowing better, but apparently Ben doesn’t, yet.

I remain hopeful there will be some clarifying (and limiting) language added to the actual chaining procedure before it gets passed. If it doesn’t, it’s unlikely we’ll ever hear about it unless someone else decides to risk life in prison to alert Americans to what NSA and FBI are really doing. But if we do learn that what started as defensible “connection chaining” on burner phones morphed under this obscurantist language into something more problematic, I do hope Ben realizes that he, along with almost all of Congress, should have known, from the language of the bill, that it did more than approve contact chaining.

Share this entry

USA F-ReDux: Dianne Feinstein Raises the Data Handshake Again

/6 Comments/in /by

As I noted last November, in her defense of USA Freedom Act last year, Dianne Feinstein suggested the telecoms (principally, Verizon) had agreed to retain their data for longer than their business purposes required without any mandate — what I dubbed the “data handshake.”

On Tuesday, Nov. 18, Feinstein explained how she had resolved the problem presented by telecoms like Verizon that don’t hold these records as long as the NSA currently does. She and Chambliss had written the country’s four biggest telecom companies a letter — she didn’t say when — asking whether the companies would retain phone records longer than they currently do. Two said yes; two said no. “Since that time, the situation has changed,” Feinstein said. “Not in writing, but by personal testament from two of the companies that they will hold the data for at least two years for business reasons.” President Barack Obama even vouched for the telecom companies’ willingness to hold the data. “The fact is that the telecoms have agreed to hold the data. The president himself has assured me of this,” Feinstein said.

Taken in context, Feinstein’s comments reveal how proponents of the USA Freedom Act solved the intelligence community’s problem with the reform bill — that the period of time that records would be held would shrink dramatically. Rather than a legal mandate requiring that telecoms hold onto the data — which some members of the Senate Intelligence Committee demanded in June — the reform bill would use a “data handshake.”

The terms of the data handshake are the most interesting part. This promise is not in writing. According to Feinstein, it is a “personal testament.” (And of course it wasn’t in the bill, where privacy advocates might have objected to it.) The telecom companies could say they were retaining the data for business purposes, though, until now, they’ve had no business purpose to keep the records.

While some, like Bob Litt, have suggested one challenge for having telecoms retain phone records concerned whether telecoms would retain enough of their call records to do pattern analysis, the issue of data retention has largely been unspoken in this round of debate over USA F-ReDux.

But Dianne Feinstein just raised it again this morning on Meet the Press, again endorsing a “data handshake” behind USA F-ReDux and seemingly referring to the assurances the President got from telecoms they would keep the data.

CHUCK TODD:

Senator, while I have you, the Patriot Act, obviously the big, bulk data collection was struck down, in Court. Not quite saying it was unconstitutional, basically saying that the law doesn’t cover what the administration has said it covers, which is this idea of bulk data collection. And says, “If Congress wants to be able to do this, then they need to explicitly pass a law that forces telephone companies to do this or not.” Where are you on this? Are you willing to pass a specific law that allows for bulk data collection, whether held by the phone companies or the government?

SENATOR DIANNE FEINSTEIN:

I think here’s the thing. The president, the House and a number of members of the Senate believe that we need to change that program. And the way to change it is simply to go to the FISA Court for a query, permission to go to a telecom and get that data. The question is whether the telecoms will hold the data. And the answer to that question is somewhat mixed. I know the president believes that the telecoms will hold the data. I think we should try that.

CHUCK TODD:

An act of Congress could force them to do that, correct?

SENATOR DIANNE FEINSTEIN:

An act of Congress could force them to do that.

CHUCK TODD:

And can that pass this Congress?

SENATOR DIANNE FEINSTEIN:

Well, that’s the problem. The House does not have it in their bill. Senator Leahy does not have that in his bill.

If I had to bet on the most likely outcome for the USA F-ReDux bill, it would be USA F-ReDux, with some more shit added in because USA F-ReDux boosters are reluctant to talk about how much more it gives the Intelligence Community than what they have now, and with data retention mandates. As I have said, I think that’s one of the ultimate purposes of Mitch McConnell’s PATRIOT gambit.

One thing is clear, however, which is that Intelligence insiders like Feinstein are talking about data mandates among themselves, even if they’re not discussing them publicly.

Share this entry

In 2003, OLC Doubled Down on Unlimited (de)Classification Authority for the President

/2 Comments/in , , /by

One of the tactics those in DOJ attempted to use in 2004 to put some controls on Stellar Wind, it appears from the DOJ IG Report, was to point to legal requirements to inform Congress (for example, to inform Congress that the Attorney General had decided not to enforce particular laws), which might have led to enough people in Congress learning of the program to impose some limits on it. For example, Robert Mueller apparently tried to get the Executive to brief the Judiciary Committees, in addition to the Gang of Four, about the program.

On March 16, 2004 Gonzales wrote a letter to Jim Comey in response to DOJ’s efforts to force the Administration to follow the law. Previous reporting revealed that Gonzales told Comey he misunderstood the White House’s interest in DOJ’s opinion.

Your memorandum appears to have been based on a misunderstanding of the President’s expectations regarding the conduct of the Department of Justice. While the President was, and remains, interested in any thoughts the Department of Justice may have on alternative ways to achieve effectively the goals of the activities authorized by the Presidential Authorization of March 11, 2004, the President has addressed definitively for the Executive Branch in the Presidential Authorization the interpretation of the law.

This appears to have led directly to Comey drafting his resignation letter.

But what previous reporting didn’t make clear was that Gonzales also claimed the Administration had unfettered authority to decide whether or not to share classified information (and that, implicitly, it could blow off statutory Congressional reporting requirements).

Gonzales letter also addressed Comey’s comments about congressional notification. Citing Department of the Navy v. Egan, 484 U.S. 518 (1988) and a 2003 OLC opinion, Gonzales’s letter stated that the President has the constitutional authority to define and control access to the nation’s secrets, “including authority to determine the extent to which disclosure may be made outside the Executive Branch.” (TS//STLW//SI/OC/NF) [PDF 504]

I’m as interested in this as much for the timing of the memo — 2003 — as the indication that the Executive asserted the authority to invoke unlimited authority over classification as a way to flout reporting mandates (both with regards to Stellar Wind, but the implication is, generally as well).

The most likely time frame for this decision would be around March 25, 2003, when President Bush was also rewriting the Executive Order on classification (this EO is most famous because it gave the Vice President new authorities over classifying information). If that’s right, it would confirm that Bush’s intent with the EO (and the underlying OLC memo) was to expand the ability to invoke classification for whatever reasons.

And if that OLC opinion was written around the time of the March 2003 EO, it would mean it was on the books (and, surely, known by David Addington) when he counseled Scooter Libby in July 2003 he could leak whatever it was Dick Cheney told him to leak to Judy Miller, up to and including Valerie Plame’s identity.

But I’m also interested that this footnote was classified under STLW, the Stellar Wind marking. That may not be definitive, especially given the innocuous reference to the OLC memo. But it’s possible that means the 2003 opinion — the decision to share or not share classified information according to the whim of the President — was tied to Stellar Wind. That would be interesting given that George Tenet and John Yoo were declaring Iraq and their claimed conspirators in the US were terrorists permissible for surveillance around the same time.

Finally, I assume this OLC memo, whatever it says, is still on the books. And given how it was interpreted in the past — that OLC could simply ignore reporting mandates — and that the government continued to flout reporting mandates until at least 2010, even those tied specifically to surveillance, I assume that the Executive still believes it can use a claimed unlimited authority over classification to trump legally mandated reporting requirements.

That’s worth keeping in mind as we debate a bill, USA F-ReDux, celebrated, in part, for its reporting requirements.

Share this entry