2nd Circuit Decision Striking Down Dragnet Should Require Tighter “Specific Selection Term” Language in USA F-ReDux

When I wrote up the hearing in ACLU v. Clapper back in September, I noted that Judge Gerard Lynch got the problem with the definition of “relevant to” FISC had rubber stamped in secret. There’s nothing distinct about phone records. So if the government can hoover up all of those, then it can collect everything.

… You can collect everything there is to know about everybody and have it all in one big government cloud.

[snip]

I just don’t understand an argument as to what’s so special about telephone records that makes them so valuable, so uniquely interactive or whatever, that the same arguments you’re making don’t apply to every record in the hands of a third party business entity of every American’s everything.

Lynch made a very similar, albeit extended, observation in his opinion ruling the dragnet violated the Section 215 statute.

The interpretation urged by the government would require a drastic expansion of the term “relevance,” not only with respect to § 215, but also as that term is construed for purposes of subpoenas, and of a number of national security‐related statutes, to sweep further than those statutes have ever been thought to reach. For example, the same language is used in 18 U.S.C. § 2709(b)(1) and 20 U.S.C. § 1232g(j)(1)(A), which authorize, respectively, the compelled production of telephone toll‐billing and educational records relevant to authorized investigations related to terrorism. There is no evidence that Congress intended for those statutes to authorize the bulk collection of every American’s toll‐billing or educational records and to aggregate them into a database — yet it used nearly identical language in drafting them to that used in § 215. The interpretation that the government asks us to adopt defies any limiting principle. The same rationale that it proffers for the “relevance” of telephone metadata cannot be cabined to such data, and applies equally well to other sets of records. If the government is correct, it could use § 215 to collect and store in bulk any other existing metadata available anywhere in the private sector, including metadata associated with financial records, medical records, and electronic communications (including e‐mail and social media information) relating to all Americans.

Such expansive development of government repositories of formerly private records would be an unprecedented contraction of the privacy expectations of all Americans. Perhaps such a contraction is required by national security needs in the face of the dangers of contemporary domestic and international terrorism. But we would expect such a momentous decision to be preceded by substantial debate, and expressed in unmistakable language.

This is important because the “relevant to” language not only does show up elsewhere (as Lynch notes) but has been used elsewhere to conduct dragnets (as with the DEA’s dragnet).

It’s also the most important part of the opinion for the ongoing debate about USA F-ReDux. That’s because USA F-ReDux does not actually change that “relevant to” definition. And as I have argued (though bill boosters dispute this), because the bill only prohibits the use of communications corporate person names as specific selection terms, but not other kinds of corporations, the bill doesn’t actually prohibit bulk collection of non-communication tangible things.

In an ideal world, the decision would give reformers the opportunity to tighten up that part of the SST and provide a bit more guidance about what a suitably narrow SST constitutes. That’s probably not going to happen, but it should.


2nd Circuit Rules Phone Dragnet Exceeds Section 215

Here’s the opinion. This will be a working thread.

(27) LOL! I love this line, which was surely written for Sam Alito.

Appellants here need not speculate that the government has collected, or may in the future collect, their call records.

(28) And they directly address Amnesty v. Clapper on the next page.

Amnesty International does not hold otherwise.  There, the Supreme Court, reversing our decision, held that respondents had not established standing because they could not show that the government was surveilling them, or that such surveillance was “certainly impending.”  131 S. Ct. at 1148‐1150.  Instead, the Supreme Court stated that respondents’ standing arguments were based on a “speculative chain of possibilities” that required that:  respondents’ foreign contacts be targeted for surveillance; the surveillance be conducted pursuant to the statute challenged, rather than under some other authority; the FISC approve the surveillance; the government actually intercept the communications of the foreign contacts; and among those intercepted communications be those involving respondents.  Id.  Because respondents’ injury relied on that chain of events actually transpiring, the Court held that the alleged injury was not “fairly traceable” to the statute being challenged.  Id. at 1150.  As to costs incurred by respondents to avoid surveillance, the Court characterized those costs as “a product of their fear of surveillance” insufficient to confer standing.  Id. at 1152.

Here, appellants’ alleged injury requires no speculation whatsoever as to how events will unfold under § 215 – appellants’ records (among those of numerous others) have been targeted for seizure by the government; the government has used the challenged statute to effect that seizure; the orders have been approved by the FISC; and the records have been collected.  Amnesty International’s “speculative chain of possibilities” is, in this context, a reality.  That case in no way suggested that such data would need to be reviewed or analyzed in order for respondents to suffer injury.

(38) Really interesting argument about whether secrecy can preclude standing.

These secrecy measures, the government argues, are evidence that Congress did not intend that § 215 orders be reviewable in federal court upon suit by an individual whose metadata are collected.

Upon closer analysis, however, that argument fails.  The government has pointed to no affirmative evidence, whether “clear and convincing” or “fairly discernible,” that suggests that Congress intended to preclude judicial review. Indeed, the government’s argument from secrecy suggests that Congress did not contemplate a situation in which targets of § 215 orders would become aware of those orders on anything resembling the scale that they now have.  That revelation, of course, came to pass only because of an unprecedented leak of classified information.  That Congress may not have anticipated that individuals like appellants, whose communications were targeted by § 215 orders, would become aware of the orders, and thus be in a position to seek judicial review, is not evidence that Congress affirmatively decided to revoke the right to judicial review otherwise provided by the APA in the event the orders were publicly revealed.

The government’s argument also ignores the fact that, in certain (albeit limited) instances, the statute does indeed contemplate disclosure.  If a judge finds that “there is no reason to believe that disclosure may endanger the national security of the United States, interfere with a criminal, counterterrorism, or counterintelligence investigation, interfere with diplomatic relations, or endanger the life or physical safety of any person,” he may grant a petition to modify or set aside a nondisclosure order.  50 U.S.C. § 1861(f)(2)(C)(i).  Such a petition could presumably only be brought by a § 215 order recipient, because only the recipient, not the target, would know of the order before such disclosure. But this provision indicates that Congress did not expect that all § 215 orders would remain secret indefinitely and that, by providing for such secrecy, Congress did not intend to preclude targets of § 215 orders, should they happen to learn of them, from bringing suit.

(42) Court argues that because telecoms get immunity their interests are not coincident with their customers’.

As appellants point out, telecommunications companies have little incentive to challenge § 215 orders – first, because they are unlikely to want to antagonize the government, and second, because the statute shields them from any liability arising from their compliance with a § 215 order.  See 50 U.S.C. § 1861(e).  Any interests that they do have are distinct from those of their customers.  The telephone service providers’ primary interest would be the expense or burden of complying with the orders; only the customers have a direct interest in the privacy of information revealed in their telephone records.

(47) Court rebuts govt worry that millions of people would challenge this by pointing out that that’s only because millions of people had been collected on.

That argument, however, depends on the government’s argument on the merits that bulk metadata collection was contemplated by Congress and authorized by § 215.  The risk of massive numbers of lawsuits challenging the same orders, and thus risking inconsistent outcomes and confusion about the legality of the program, occurs only in connection with the existence of orders authorizing the collection of data from millions of people.

(48) Some of this is LOL funny.

While constitutional avoidance is a judicial doctrine, the principle should have considerable appeal to Congress:  it would seem odd that Congress would preclude challenges to executive actions that allegedly violate Congress’s own commands, and thereby channel the complaints of those aggrieved by such actions into constitutional challenges that threaten Congress’s own authority.  There may be arguments in favor of such an unlikely scheme, but it cannot be said that any such reasons are so patent and indisputable that Congress can be assumed, in the face of the strong presumption in favor of APA review, to have adopted them without having said a word about them.

(52) Court’s final kick at the claim that Congress has prohibited review.

In short, the government relies on bits and shards of inapplicable statutes, inconclusive legislative history, and inferences from silence in an effort to find an implied revocation of the APA’s authorization of challenges to government actions.  That is not enough to overcome the strong presumption of the general command of the APA against such implied preclusion.  Congress, of course, has the ability to limit the remedies available under the APA; it has only to say so. But it has said no such thing here.  We should be cautious in inferring legislative action from legislative inaction, or inferring a Congressional command from Congressional silence.  At most, the evidence cited by the government suggests that Congress assumed, in light of the expectation of secrecy, that persons whose information was targeted by a § 215 order would rarely even know of such orders, and therefore that judicial review at the behest of such persons was a non‐issue.  But such an assumption is a far cry from an unexpressed intention to withdraw rights granted in a generally applicable, explicit statute such as the APA.

(59) This is the key passage.

Thus, the government takes the position that the metadata collected – a vast amount of which does not contain directly “relevant” information, as the government concedes – are nevertheless “relevant” because they may allow the NSA, at some unknown time in the future, utilizing its ability to sift through the trove of irrelevant data it has collected up to that point, to identify information that is relevant. We agree with appellants that such an expansive concept of “relevance” is unprecedented and unwarranted.

The statutes to which the government points have never been interpreted to authorize anything approaching the breadth of the sweeping surveillance at issue here.  The government admitted below that the case law in analogous contexts “d[id] not involve data acquisition on the scale of the telephony metadata collection.”  ACLU v. Clapper, No. 13 Civ. 3994 (S.D.N.Y. Aug. 26, 2013), ECF No. 33 (Mem. of Law of Defs. in Supp. of Mot. to Dismiss) at 24.  That concession is well taken.  As noted above, if the orders challenged by appellants do not require the collection of metadata regarding every telephone call made or received in the United States (a point asserted by appellants and at least nominally contested by the government), they appear to come very close to doing so.  The sheer volume of information sought is staggering; while search warrants and subpoenas for business records may encompass large volumes of paper documents or electronic data, the most expansive of such evidentiary demands are dwarfed by the volume of records obtained pursuant to the orders in question here.

Moreover, the distinction is not merely one of quantity – however vast the quantitative difference – but also of quality.  Search warrants and document subpoenas typically seek the records of a particular individual or corporation under investigation, and cover particular time periods when the events under investigation occurred.  The orders at issue here contain no such limits.  The metadata concerning every telephone call made or received in the United States using the services of the recipient service provider are demanded, for an indefinite period extending into the future.  The records demanded are not those of suspects under investigation, or of people or businesses that have contact with such subjects, or of people or businesses that have contact with others who are in contact with the subjects – they extend to every record that exists, and indeed to records that do not yet exist, as they impose a continuing obligation on the recipient of the subpoena to provide such records on an ongoing basis as they are created.  The government can point to no grand jury subpoena that is remotely comparable to the real‐time data collection undertaken under this program.

(66)  And more.

The government’s emphasis on the potential breadth of the term “relevant,” moreover, ignores other portions of the text of § 215.  “Relevance” does not exist in the abstract; something is “relevant” or not in relation to a particular subject.  Thus, an item relevant to a grand jury investigation may not be relevant at trial.  In keeping with this usage, § 215 does not permit an investigative demand for any information relevant to fighting the war on terror, or anything relevant to whatever the government might want to know.  It permits demands for documents “relevant to an authorized investigation.”  The government has not attempted to identify to what particular “authorized investigation” the bulk metadata of virtually all Americans’ phone calls are relevant.  Throughout its briefing, the government refers to the records collected under the telephone metadata program as relevant to “counterterrorism investigations,” without identifying any specific investigations to which such bulk collection is relevant.  See, e.g., Appellees’ Br. 32, 33, 34.  The FISC orders, too, refer only to “authorized investigations (other than threat assessments) being conducted by the FBI . . . to protect against international terrorism,” see, e.g., 2006 Primary Order at 2; Joint App’x 127, 317, merely echoing the language of the statute.  The PCLOB report explains that the government’s practice is to list in § 215 applications multiple terrorist organizations, and to declare that the records being sought are relevant to the investigations of all of those groups.  PCLOB Report 59.  As the report puts it, that practice is “little different, in practical terms, from simply declaring that they are relevant to counterterrorism in general. . . . At its core, the approach boils down to the proposition that essentially all telephone records are relevant to essentially all international terrorism investigations.”  Id. at 59‐60.
Put another way, the government effectively argues that there is only one enormous “anti‐terrorism” investigation, and that any records that might ever be of use in developing any aspect of that investigation are relevant to the overall counterterrorism effort.

(70) I’ll come back to this but this language on assessments could actually pose a problem for USAF.

The government’s approach also reads out of the statute another important textual limitation on its power under § 215.  Section 215 permits an order to produce records to issue when the government shows that the records are “relevant to an authorized investigation (other than a threat assessment).”  50 U.S.C. § 1861(b)(2)(A) (emphasis added).  The legislative history tells us little or nothing about the meaning of “threat assessment.”  The Attorney General’s Guidelines for Domestic FBI Operations, however, tell us somewhat more.  The Guidelines divide the category of “investigations and intelligence gathering” into three subclasses: assessments, predicated investigations (both preliminary and full), and enterprise investigations.  See Attorney General’s Guidelines for Domestic FBI Operations 16‐18 (2008), https://www.ignet.gov/sites/default/files/files/invprg1211appg1.pdf. Assessments are distinguished from investigations in that they may be initiated without any factual predication.

[snip]

In limiting the use of § 215 to “investigations” rather than “threat assessments,” then, Congress clearly meant to prevent § 215 orders from being issued where the FBI, without any particular, defined information that would permit the initiation of even a preliminary investigation, sought to conduct an inquiry in order to identify a potential threat in advance.  The telephone metadata program, however, and the orders sought in furtherance of it, are even more remote from a concrete investigation than the threat assessments that – however important they undoubtedly are in maintaining an alertness to possible threats to national security – Congress found not to warrant the use of § 215 orders.  After all, when conducting a threat assessment, FBI agents must have both a reason to conduct the inquiry and an articulable connection between the particular inquiry being made and the information being sought.  The telephone metadata program, by contrast, seeks to compile data in advance of the need to conduct any inquiry (or even to examine the data), and is based on no evidence of any current connection between the data being sought and any existing inquiry.

(74) As I pointed out here, this is what really concerned Lynch during the argument.

The interpretation urged by the government would require a drastic expansion of the term “relevance,” not only with respect to § 215, but also as that term is construed for purposes of subpoenas, and of a number of national security‐related statutes, to sweep further than those statutes have ever been thought to reach.  For example, the same language is used in 18 U.S.C. § 2709(b)(1) and 20 U.S.C. § 1232g(j)(1)(A), which authorize, respectively, the compelled production of telephone toll‐billing and educational records relevant to authorized investigations related to terrorism.  There is no evidence that Congress intended for those statutes to authorize the bulk collection of every American’s toll‐billing or educational records and to aggregate them into a database — yet it used nearly identical language in drafting them to that used in § 215.  The interpretation that the government asks us to adopt defies any limiting principle.  The same rationale that it proffers for the “relevance” of telephone metadata cannot be cabined to such data, and applies equally well to other sets of records.  If the government is correct, it could use § 215 to collect and store in bulk any other existing metadata available anywhere in the private sector, including metadata associated with financial records, medical records, and electronic communications (including e‐mail and social media information) relating to all Americans.

Such expansive development of government repositories of formerly private records would be an unprecedented contraction of the privacy expectations of all Americans.  Perhaps such a contraction is required by national security needs in the face of the dangers of contemporary domestic and international terrorism.  But we would expect such a momentous decision to be preceded by substantial debate, and expressed in unmistakable language.  There is no evidence of such a debate in the legislative history of § 215, and the language of the statute, on its face, is not naturally read as permitting investigative agencies, on the approval of the FISC, to do any more than obtain the sorts of information routinely acquired in the course of criminal investigations of “money laundering [and] drug dealing.”

(78) This language on ratification may be as important as the language on “relevant to.”

Third, as the above precedents suggest, the public nature of an interpretation plays an important role in applying the doctrine of legislative ratification.  The Supreme Court has stated that “[w]here an agency’s statutory construction has been fully brought to the attention of the public and the Congress, and the latter has not sought to alter that interpretation although it has amended the statute in other respects, then presumably the legislative intent has been correctly discerned.”  North Haven Bd. of Educ. v. Bell, 456 U.S. 512, 535 (1982) (internal quotation marks omitted); see also United States v. Chestman, 947 F.2d 551, 560 (2d Cir. 1991).  Congressional inaction is already a tenuous basis upon which to infer much at all, even where a court’s or agency’s interpretation is fully accessible to the public and to all members of Congress, who can discuss and debate the matter among themselves and with their constituents.  But here, far from the ordinarily publicly accessible judicial or administrative opinions that the presumption contemplates, no FISC opinions authorizing the program were made public prior to 2013 — well after the two occasions of reauthorization upon which the government relies, and despite the fact that the FISC first authorized the program in 2006.

Sack concurrence  (11)

It may be worth considering that the participation of an adversary to the government at some point in the FISC’s proceedings could similarly provide a significant benefit to that court.  The FISC otherwise may be subject to the understandable suspicion that, hearing only from the government, it is likely to be strongly inclined to rule for the government.  And at least in some cases it may be that its decision‐making would be improved by the presence of counsel opposing the government’s assertions before the court.  Members of each branch of government have encouraged some such development.


Ten Goodies USA F-ReDux Gives the Intelligence Community

Update, November 20, 2015: I’ve updated (and corrected, in the case of the parallel construction loophole) this post here.

Amid renewed tactical leveraging from Mitch McConnell, USA F-ReDux boosters continue to remain silent (or worse, in denial) about the many advantages USA F-ReDux offers the Intelligence Community over the status quo.

But there are many reasons — aside from the general uselessness of the phone dragnet in its existing form — why USA F-ReDux is an improvement for the Intelligence Community. That doesn’t mean it doesn’t also have benefits for reformers (though we can respectfully disagree about how real those benefits are). It just means it also has at least as many benefits for the IC. Some of these are:

1. Inclusion of Internet calls, along with phone calls, in chaining system

Up until 2009, and then again from 2010 to 2011, NSA had two interlocking systems of domestic metadata tracking: the phone dragnet under Section 215 and the Internet dragnet under PRTT. Since the government shut down the latter, however, it has likely lost access to some purely domestic links that can’t be collected (and chained under SPCMA) overseas.

Update, May 7: According to Richard Burr, the government has been collecting IP “addresses,” so I guess they already include Internet access in their dragnet.

USA F-ReDux is technology neutral; unlike phone dragnet orders, it does not limit collection to telephony calls. This probably means the government will fill the gap in calls that has been growing of late (which anonymous sources have dubiously claimed to make up 70% of all calls). While it’s unlikely the NSA is really missing 70% of all domestic calls of interest, closing a significant gap of any kind will be a huge benefit for the IC.

2. Addition of emergency provision for all Section 215 applications

Currently, there is a FISC-authorized emergency provision for the phone dragnet, but not the rest of Section 215 production. That’s a problem, because the most common use of Section 215 is for more targeted (though it is unclear how targeted it really is) Internet production, and the application process for Section 215 can be slow. USA F-ReDux makes emergency application procedures available for all kinds of Section 215 applications.

3. Creation of giant parallel construction loophole under emergency provision

Not only does USA F-ReDux extend emergency provision authority to all Section 215 applications, but it changes the status quo FISC created in a way that invites abuse. That’s because, even if the FISC finds an agency collected records improperly under the emergency provision, the government doesn’t have to destroy those records. Indeed, the only restriction on those records is that they cannot be entered into any official proceeding. The Attorney General polices this, not the FISC. Moreover, the bill says nothing about derivative records. This is tantamount to saying that the government can do whatever it wants using the emergency provisions, so long as it promises to parallel construct improperly collected records if they want to use them against an American. The risk that the government will do this is not illusory; in the year since FISC created this emergency provision, they’ve already had reason to explicitly remind the government that even under emergency collection, the government still can’t collect on Americans solely for First Amendment protected activities.

4. Provision for a super-hop that might be used to access unavailable smart phone data

As happened last year, no one seems to understand the chaining procedure that is the heart of this bill. What’s clear is that, as written, it does not do what every news article (save mine) says it does; it does not simply provide an extra “hop” of call data. The language appears to permit the government to ask providers to use session-identifying information that cannot be collected (which might include things like location or super-cookies) to provide additional data that does fit the definition of Call Detail Record. As an example, the government might be able to ask providers to use location data to find co-located phones, which is a service AT&T already offers under Hemisphere; the government would only get the device identifiers for the phones, not the location itself, but would benefit from that location data. Another possible application would be to ask providers to use supercookie data to track online behavior. While there are likely good reasons for permitting the government to ask providers to conduct analysis on non-CDR session-identifying information — such as it provides a way for providers to help the government find burner phones or accounts — without more oversight or limiting language it might be very badly abused.

5. Elimination of pushback from providers

USA F-ReDux gives providers two things they don’t get under existing Section 215: immunity and compensation. This will make it far less likely that providers will push back against even unreasonable requests. Given the big parallel construction loophole in the emergency provisions and the super-hop in the chaining provision, this is particularly worrisome.

6. Expansion of data sharing

Currently, chaining data obtained under the phone dragnet is fairly closely held. Only specially trained analysts at NSA may access the data returned from phone dragnet queries, and analysts must get a named manager to certify that the data is for a counterterrorism purpose to share outside that group of trained analysts. Under this bill, all the returned data will be shared — in full, apparently — with the NSA, CIA, and FBI. And while the bill would require the government to report how often NSA and CIA do back door searches of the data, the FBI would be exempted from that reporting requirement.

Thus, this data, which would ostensibly be collected for a counterterrorism purpose, will apparently be available to FBI every time it does an assessment or opens up certain kinds of intelligence, even for non-counterterrorism purposes. Furthermore, because FBI’s data sharing rules are much more permissive than NSA’s, this data will be able to be shared more widely outside the federal government, including to localities. Thus, not only will it draw from far more data, but it will also share the data it obtains far more broadly.

7. Mooting of court challenges

Passage of USA F-ReDux would also likely moot at least the challenges to the phone dragnet (there are cases before the 2nd, 9th, and DC Circuits right now, as well as a slightly different challenge from EFF in Northern California). That’s important because these challenges — particularly as argued in the 2nd Circuit — might get to the underlying “relevant to” decision issued by the FISC back in 2004, as well as the abuse of the 3rd party doctrine that both bulk and bulky collection rely on. That’s important because USA F-ReDux not only does nothing about that “relevant to” decision, it relies on the language anew in the new chaining provision.

The bill would probably also moot a challenge to National Security Letter gag orders EFF has.

Update, May 7. Oops! I guess Congress didn’t move quickly enough to moot the 2nd Circuit.

8. Addition of 72-hour spying provisions

In addition to the additional things the IC gets related to its Section 215 spying, there are three unrelated things the House added. First, the bill authorizes the “emergency roamer” authority the IC has been asking for since 2013. It permits the government to continue spying on a legitimate non-US target if he enters the US for a 72-hour period, with Attorney General authorization. While in practice, the IC often misses these roamers until after this window, this will save the IC a lot of paperwork and bring down their violation numbers.

9. Expansion of proliferation-related spying

USA F-ReDux also expands the definition of “foreign power” under FISA to include not just those proliferating in weapons of mass destruction, but also those who “knowingly aid or abet” or “conspire” with those doing so. This will make it easier for the government to spy on more Iran-related targets (and similar such targets) in the US.

10. Lengthening of Material Support punishments

In perhaps the most gratuitous change, USA F-ReDux lengthens the potential sentence for someone convicted of material support for terrorism — which, remember, may be no more than speech! — from 15 years to 20. I’m aware of no real need to do this (except, perhaps, to more easily coerce people to inform for the government). But it is clearly something someone in the IC wanted.

Let me be clear: some of these provisions (like permission to chain on Internet calls) will likely make the chaining function more useful and therefore more likely to prevent attacks, even if it will also expose more innocent people to expanded spying. Some of these provisions (like the roamer provision) are fairly reasonably written. Some (like the changes from status quo in the emergency provision) are hard to understand as anything but clear intent to break the law, particularly given IC intransigence about fixing obvious problems with the provision as written. I’m not claiming that all of these provisions are bad for civil liberties (though a number are very bad).

But to pretend these don’t exist — to pretend the IC isn’t getting a whole lot that it has been asking for, sometimes for as long as 6 years — is either bad faith or evidence of ignorance about what the existing dragnet does and what this bill would do. It’s also bad negotiating strategy.


McConnell Prepares to Retreat to Short-Term Reauthorization

The National Journal yesterday quoted John Cornyn admitting that Republican Senate Leadership may have a short term Section 215 reauthorization in the works.

Senate Majority Leader Mitch McConnell on Tuesday said his chamber would not address government spying reform or highway infrastructure funding despite fast-approaching deadlines for both looming at the end of the month until it cleared the deck on Iran and trade.

But McConnell’s top deputy, Majority Whip John Cornyn, said a shorter reauthorization to the Patriot Act authorities could be in the works.

“That’s one of the possibilities, because we’re going to run into some real time constraints,” Cornyn told reporters, when asked specifically about a short extension.

McConnell last month introduced a fast-track bill that would extend until 2020 the three provisions of the Patriot Act due to expire on June 1, including the controversial Section 215, which the National Security Agency uses to justify its bulk collection of U.S. phone records.

It is unclear how long a shorter extension might be, though it would likely be far shorter than the 5 and ½ years so far favored by McConnell. Multiple sources said an extension ranging from 4 to 6 months was one option being considered.

In response to this tacit admission from McConnell that he can’t (in actuality, doesn’t want to) slam through straight reauthorization, USA F-ReDux boosters are incautiously claiming McConnell is still pushing for straight reauthorization, even while linking to articles stating clearly that’s not going to happen.

I take two things away from this. First, while McConnell still is trying to get tactical leverage, especially by pushing through an Iran bill ahead of any Section 215 fix, he has already backed off his claim to be pursuing straight reauthorization. Don’t get me wrong, McConnell still is the most powerful player here, so it would be stupid to underestimate what he will do with leverage if his tactics are successful.

But neither should boosters be making what increasingly look like bad faith claims that McConnell really is pursuing straight reauthorization. There are many things the IC gets out of this bill — even aside from things like the 72-hour emergency spying provision and extended material support sentences — that make it a far better outcome for them than straight reauthorization (which is not the same thing as saying that the IC won’t do what they can to squeeze more concessions out of boosters). This bill will give the IC phone and Internet call metadata, an emergency provision that not only is probably necessary for traditional Section 215 production, but which provides a way to break the law so long as they parallel construct it, and may give them a kind of super hop to benefit from materials that they can’t get now. Plus, it will lead to far more liberal sharing of data. These are all improvements over the status quo for the IC, some on functions the IC has been trying to replace since 2009. USA F-ReDux boosters need to understand that to understand the tactics of the other side.

In any case, McConnell apparently now believes his best negotiating position is a short term reauthorization, as happened in 2007 with the Protect America Act. While I don’t think reformers are anywhere near as strongly positioned as we were then (in part because Barack Obama was still pretending to oppose unfettered spying), it is worth remembering that the delay did lead to some concessions.


The Double-Edged Sword of Counter-Proliferation Spying

When Congress passed FISA Amendments Act in 2008, they added language approving of spying for counterproliferation purposes. One of three known certificates under Section 702 is for counterproliferation. President Obama’s Directive purporting to limit the government’s EO 12333 spying explicitly says bulk data can be used to police sanctions, and explicitly says the US does not consider sanctions spying to constitute spying for competitive advantage. USA F-ReDux even expands the authorization to use traditional FISA orders to spy on those who “knowingly aid or abet” or “knowingly conspire with any person to engage in” WMD proliferation.

The US is very clear that it will focus the tools of its spying on those involved in proliferation and weapons sanctions violations and in fact plans to intensify that focus.

Which is why it is so easy for NSA to spy on a target at Airbus in charge of Export Controls Licenses (even if it did violate NSA’s Memorandum of Understanding with BND, though it’s not entirely clear this targeting happened in Germany).

In other documents from the Snowden archive, the aerospace concern EADS, which is now called the Airbus Group, is even connected to a specific name together with a Saudi Arabian telephone number.

The EADS employee works in a sensitive department in the company: He is responsible for securing arms exports licenses for the company’s defense division. Many such deals are top secret and are reviewed only by the Federal Security Council, a cabinet committee that is not under parliamentary supervision. The man is marked as a hit and as a potentially interesting new surveillance target.

That’s precisely where you’d look to find out if someone was illicitly creating export control licenses to bypass sanctions. Of course, it’s also where you’d look to find out if the Europeans were cutting into US arms sales business to Saudi Arabia.

Airbus is suing for illegal spying because it was targeted by the NSA via Germany, which should get fun.

But at the exact moment France is squawking about that, they’re nuzzling up with the Saudis, trying to obstruct or slow the deal with Iran.

Saudi Arabia invited French President Francois Hollande, whose country is deemed to have the toughest stance among the six world powers negotiating with Iran, to Riyadh to discuss regional issues with Gulf Arab leaders who fear a rapprochement with Tehran could further inflame the region.

“France and Saudi Arabia confirmed the necessity to reach a robust, lasting, verifiable, undisputed and binding deal with Iran,” Hollande and the new Saudi King Salman said in a statement after meeting on Monday.

This strong stance in the face of a deal comes as France has worked to supplant some of US arms sales in the Gulf.

There’s a supreme irony here. The only way that an Iran deal will be verifiable is via unfettered spying (including in the US, where Iranian proliferation targets appear to get treated as terrorist targets do). But the rationale for that unfettered spying would also permit NSA to spy on arms dealers competing with American dealers.

The US says it never uses such spying for competitive advantage. An Airbus suit may really test that claim.


Unlike the Existing Phone Dragnet, USA F-ReDux Does Not Include “Telephony” in Its Definition of Call Detail Record

As part of a larger effort to get some people who understand the intersection of telephony and Internet technologies well to review the chaining process that would be introduced under USA F-ReDux, I want to compare the definitions of Call Detail Record used under the current dragnet orders and that which would be adopted under USA F-ReDux (both of which I’ve put below).

Obviously, the definitions are very closely related. Both prohibit the collection of the name, address, or financial information of a subscriber or customer (which makes this definition far narrower than an administrative subpoena for phone records). Both prohibit the collection of “contents” (though using a definition tied to a communication sent, which may not include stored content). Both prohibit the collection of non-trunk identifier location data, though the USA F-ReDux definition explicitly adds GPS data to the definition.

And both include certain things in their definitions of “session identifying information,” including originating and terminating telephone number, IMSI and IMEI numbers, calling card numbers, and time and duration of a call. The existing definition, though, uses the conjunction “and” in its orders that ultimately go to providers, but notes the definition “includes but is not limited to” this session-identifying information. USA F-ReDux uses a non-exclusive “or” for its description of what session-identifying information is, suggesting only one of those things must be included in a CDR. At least as I read it, then, the existing phone dragnet definition of “session identifying information” is expansive, ordering providers to turn over at least this much, though possibly more (cough, AT&T), just so long as that “more” doesn’t include anything from the 3 kinds of prohibited information. The USA F-ReDux definition, by contrast, provides a list of things, one of which must be included, to be considered a CDR that can be returned to the government at the end of the process. As I read it, a CDR might consist of nothing more than an IMEI or an IMSI number.

But by far the most interesting difference between these two definitions is that the existing phone dragnet orders require this be telephony session-identifying information (and also seem to require some communications routing information). Not only doesn’t USA F-ReDux require the session-identifying information to relate to telephony sessions, the word “telephony” doesn’t appear in USA F-ReDux at all.

Thus, while the bill requires that reports back to the government include something that is considered a telephony identifier — a phone number or one of two numbers identifying a device — it doesn’t actually say that the sessions in question must be telephony sessions.

Update 5/6: Actually, I think this paragraph is incorrect. A CDR, as defined, involves one of 5 things: telephone number, IMSI number, IMEI number, calling card number, or time and duration of a call. Given the “or,” only one of those things must be included. So if time and duration of a call is included (perhaps described as tied to Internet identifiers rather than device identifiers), that should fulfill the definition.

That’s important, because people increasingly make their calls using Internet technology, whether via things that feel like phone calls (VOIP), via video conversations, or via messaging (most notably iMessage) that — if sent across wifi — would not hit a telecom network as telephony. Nothing I see in this bill excludes those “calls” from this definition of CDR.


USA F-ReDux Definition of Call Detail Record

(3) CALL DETAIL RECORD.—The term ‘call detail record’—

(A) means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and

(B) does not include—

(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;

(ii) the name, address, or financial information of a subscriber or customer; or

(iii) cell site location or global positioning system information.


Existing Section 215 Definition of Call Detail Records

From the February 26, 2015 order, footnote 1.

For the purposes of this Order, “telephony metadata” includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identifier (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer. Furthermore, this Order does not authorize the production of cell site location information (CSLI).


emptywheel Coverage of USA F-ReDux, or, PRISM for Smart Phones

This post will include all my coverage on USA F-ReDux.

Ten Goodies USA F-ReDux Gives the Intelligence Community 

USA F-ReDux’s boosters often suggest the bill would be a big sacrifice for the Intelligence Community. That’s nonsense. This post lists just 10 of the goodies the IC will get under the bill, including chaining on Internet calls, a 2nd super-hop, emergency provisions ripe for abuse, and expansions of data sharing.

2nd Circuit Decision Striking Down Dragnet Should Require Tighter “Specific Selection Term” Language in USA F-ReDux 

The 2nd Circuit just ruled that the phone dragnet was not authorized by Section 215. The language in the opinion on DOJ’s misinterpretation of “relevant to” ought to lead Congress to tighten the definition of “Specific Selection Term” in the bill to better comply with the opinion.

USA F-ReDux: Chaining on “Session Identifying Information” that Is Not Call Detail Records 

As I correctly predicted a year ago, by outsourcing “connection chaining” to the providers, the Intelligence Community plans to be able to chain on session identifying information (things like location and cookies) that is probably illegal.

USA F-ReDux: Dianne Feinstein Raises the Data Handshake Again (Latest post)

Some months ago, Bob Litt emphasized USA Freedom would only work if the telecoms retained enough data for pattern analysis (which may or may not back my worry the government plans to outsource such pattern analysis to the telecoms). Nevertheless, no one seems to want to discuss whether and if so how USA F-ReDux will ensure providers do keep data. Except Dianne Feinstein, who today once again suggested there is a kind of “data handshake” whereby the telecoms will retain our data without being forced.

Unlike the Existing Phone Dragnet, USA F-ReDux Does Not Include “Telephony” in Its Definition of Call Detail Record 

The definition of Call Detail Record that will be adopted under USA F-ReDux is closely related to the definition currently used in the phone dragnet — though the USA F-ReDux does not require CDRs to be comprehensive records of calls as the existing phone dragnet does. The big difference, however, is that USA F-ReDux never specifies that calls include only telephony calls.

Congress’s Orwellian spying “reforms”: Why the government wants to outsource its surveillance to your Internet provider 

At Salon, I explain more about why the IC wants to create PRISM for Smart Phones with USA F-ReDux.

Google Applauds USA F-ReDux Because It “Modernizes” Surveillance 

Neither Google nor any of the other providers are admitting they’ll be getting expansive immunity to help spy on their users if USA F-ReDux passes. But Google does reveal they consider this move “modernization,” not reform. Is that because they’ll once again get a monopoly on spying on their users?


Congress Finally Gets Around to (Secretly) Tracking Section 215 Dragnets

There’s one transparency related aspect of USA F-ReDux that appears to be a necessary improvement over Leahy’s version.

Congress is mandating the Intelligence Community report (to the Judiciary and Intelligence Committees, but not to the public) on how many dragnets it is conducting under Section 215.

(b) REPORTING ON CERTAIN TYPES OF PRODUCTION.—Section 502(c)(1) (50 U.S.C. 1862(c)(1)) is amended—

[snip]

(3) by adding at the end the following new subparagraphs:

(C) the total number of applications made for orders approving requests for the production of tangible things under section 501 in which the specific selection term does not specifically identify an individual, account, or personal device;

(D) the total number of orders described in subparagraph (C) either granted, modified, or denied; and

(E) with respect to orders described in subparagraph (D) that have been granted or modified, whether the court established under section 103 has directed additional, particularized minimization procedures beyond those adopted pursuant to section 501(g).

This basically requires the IC to tell the oversight committees how many of the applications made to the FISC court are bulky (they use “application” to discuss bulk programs to reflect the fact that one primary order may result in 3 secondary orders, as it does with the phone dragnets, or perhaps — who knows — many orders?). It also requires the IC to tell Congress if the FISC modifies any of these orders, a good indication the court finds them overly broad.

I guess this is tacit admission from Congress the dragnets are not ending under this bill? And that the oversight committees are finally getting around to informing themselves, on a yearly basis, about how many dragnets there are, even if they won’t know what the dragnets collect?

Shouldn’t they have this information before they write a bill? (In truth, they likely got this information from the IG Report on Section 215, which the IC is still pretending to be declassifying to stall the public being able to read it, which may be why it’s only showing up now).

The really pathetic thing is there is an identifiable metric that Congress will almost certainly realize they need, even if it is 9 years too late (as it is in this case), that they don’t have included in this bill. They need to be tracking how often the government is using the emergency provision, and how often the government doesn’t submit or the FISC doesn’t approve (or modifies it) after collection. Because that’s the part of this bill the IC will abuse going forward.


FBI’s Pen Registers without Any Call Records

There’s one more aspect of the transparency procedures in USA F-ReDux I find notable (in addition to the IC’s sudden unwillingness to share the scope of Section 702 and the fact that FBI will get all the returns from CDR searches, as opposed to a tiny subset as happens now).

As under the Leahy version of USA Freedom Act, the bill only requires the government to count communications collected pursuant to the Pen Register statute.

(3) the total number of orders issued pursuant to title IV and a good faith estimate of—

(A) the number of targets of such orders; and

(B) the number of unique identifiers used to communicate information collected pursuant to such orders;

Location tracking does not count as a communication (and there may be other loopholes in the new, undefined language). So to the extent they’re using PRTTs primarily to conduct location tracking, that won’t show up.

Remarkably (and in good news, maybe, but who knows?), the FBI exemption they give to everything interesting only applies to non telephone and email identifiers.

(B) ELECTRONIC MAIL ADDRESS AND TELEPHONE NUMBERS.—Paragraph (3)(B) of subsection (b) shall not apply to orders resulting in the acquisition of information by the Federal Bureau of Investigation that does not include electronic mail addresses or telephone numbers.

(Bob Litt, didn’t your Yale professors ever tell you not to use a double negative if you wanted to avoid confusing people?)

Again, perhaps this means the FBI is exclusively using PRTT for location data (but even there, to claim they weren’t collecting it, they’d have to claim a device identifier was different than a phone number, which it is, but jeebus are they that cynical?). But we know they’ve got their PCTDD production, which ought to be based off a traditional pen register which ought to collect emails and telephone numbers.

To be honest, I’m confused. I can’t imagine how any of the FBI exemptions do anything but hide some of the most interesting collection, which may be the case if they’re only using PRTT for location. But still, it doesn’t seem to make sense…

One more point of interest. The bill adds to reporting to the oversight committees a requirement that the government list all of the agencies that have been using PRTT.

(4) each department or agency on behalf of which the Attorney General or a designated attorney for the Government has made an application for an order authorizing or approving the installation and use of a pen register or trap and trace device under this title; and


Back Door Searching the Data Coming into FBI’s Front Door

As I noted, the big takeaway of the changes to USA F-ReDux’s transparency provisions is that, after having given us a topline number for Section 702 collection, the IC has decided it can no longer do so. I provided some reasons why that might be here.

But there are several other interesting aspects of the transparency procedures worthy of note.

As with the Leahy bill, the transparency procedures simply don’t count the non-communications production under traditional Section 215. Though the means by which it counts exclusively communication has changed to “unique identifiers used to communicate information collected pursuant to such orders,” which the bill doesn’t define.

For the CDR function, it includes that (which should show some kind of return, though given that they’re not chaining exclusively on calls made any more, may exclude some of the production because it represents a “connection” chain rather than a “contact” chain). But then it adds a paragraph to track back door searches.

(C) the number of search terms that included information concerning a United States person that were used to query any database of call detail records obtained through the use of such orders;

This reveals the unsurprising detail that once they’ve collected all these records – under which, in the current scheme, they can be subject to all of NSA’s analytical toys – they do back door searches on them. It’s not clear what would be counted here or not (is a device identifier “concerning” a US person?). But this also would seem to exclude analysis done immediately upon intake, which we’ve seen that they do.

And, in case you haven’t already guessed, the FBI is exempted from counting the searches they do of the database, which likely means for them the data will be stuck into the database that gets searched with every assessment. That likely is new. I would bet a good deal that this data will come into the government via the FBI, rather than the NSA (because the FBI can legally share more widely, and because there’s no great technical burden to process the data as there currently is with the phone dragnet). In other words, whereas now the NSA must certify every dissemination to the FBI that is derivative of the phone dragnet, under this scheme, the FBI will be able to get everything in raw form.
