Bob Litt: That Bill I Wrote Looks Great on First Read

Supporters of USA F-ReDux are hailing Bob Litt’s comments approving of the bill.

“On first read, the new version of the USA Freedom Act looks like it accomplishes the president’s goals and will preserve important intelligence capabilities,” Robert Litt, the general counsel at the Office of the Director of National Intelligence, said on Friday.

“The administration has worked very closely with members of Congress, their staff — both parties in both houses — to come up with this bill,” he added.

But as even his comments make clear, to say nothing of the comments made during markup yesterday, he didn’t just give it a “first read” on Tuesday after it was released.

He largely wrote it.

In fact, when the Judiciary Committee tried to add things to the bill yesterday to make it comply with the Constitution, they claimed to be impotent to do so because that would blow up the bill. And so they bowed to IC demands.

No wonder Litt is fond of it.

How to Break the Law Under USA F-ReDux: The Emergency Provision that Would Blow Up the Bill

As remarkable as was the House Judiciary Committee’s impotence to protect the Fourth Amendment in yesterday’s markup of USA F-ReDux, of equal importance was Raul Labrador’s effort to more narrowly tailor the emergency provision in the bill, which permits the Attorney General to authorize emergency production under Section 215 prior to getting FISA Court approval.

EMERGENCY AUTHORITY FOR PRODUCTION OF TANGIBLE THINGS.—

(1) Notwithstanding any other provision of this section, the Attorney General may require the emergency production of tangible things if the Attorney General—

(A) reasonably determines that an emergency situation requires the production of tangible things before an order authorizing such production can with due diligence be obtained;

(B) reasonably determines that the factual basis for the issuance of an order under this section to approve such production of tangible things exists;

Labrador (at 2:07) suggested that his amendment was very minor, just requiring the emergency provision be used only when there was an actual emergency.

I don’t see what it should blow up the bill, I don’t see why it would blow up the bill, all it’s doing is attempting to clarify the meaning of a term in the bill, which is an emergency situation, as one that involves the potential or imminent death or bodily harm to any person.

Yet, as Labrador noted, without the restriction the provision would permit the AG to get records whenever she wanted.

As Zoe Lofgren noted, the lack of specificity in the bill is an invitation for abuse.

Labrador’s proposed change was even more minor given that we know NSA, at least, has redefined “threat of bodily harm” to “threat to property” in the case of corporate persons.

Jim Sensenbrenner, who argued that this emergency provision goes beyond what is required for emergency electronic surveillance or emergency physical surveillance under FISA, countered that tweaking the emergency provision would blow up the bill.

He and I may have a difference of opinion on what blows up this bill. You know, let me say this all was considered during the negotiations that were going on, I think there is an appropriate compromise to keep the dogs at bay, that is continued in the emergency appropriations of this bill and I am afraid that the amendment from the gentleman from Idaho would be who let the dogs out.

This is alarming.

I get that there’s a need for an emergency provision under Section 215 if it will cover things like Internet production, because the authorization process is too long for active investigations (which wouldn’t, mind you, meet the terms of Labrador’s amendment). But the emergency provision of USA F-ReDux will be one of the chief ways the IC will break the law under this bill (even going beyond what I believe to be a general violation of Riley’s prohibition on searching smart phones without a warrant under the CDR provision).

That’s because of the way the bill significantly degrades the status quo on what happens if the FISC judges that this was an inappropriate use of Section 215. Currently, the FISC can make the government destroy the records. Under the bill, the government would be prevented from actually using the records in any official proceeding, but given that the AG polices that, and given that FBI basically has a department whose role is to parallel construct records like this, what this bill becomes is a means by which the FBI can get records they know to be illegal. Then, after the FISC rules the collection illegal (or, after FBI decides to “stop” collection before the 7 day deadline and thereby avoids telling the FISC what they’ve done), they can still keep those records so long as they parallel construct them. I’m not even sure collection ended before application would ever get reported to Congress.

And remember, there’s reason to believe that in the one year that the government has had an emergency provision for Section 215, it violated the prohibition on targeting someone for First Amendment protected activities.

If, as Sensenbrenner claims, closing some of the gaping loopholes on this provision would blow up the bill, it is an all but explicit admission that the Intelligence Community plans to use the immunity of this bill to be able to conduct illegal collection against people who are only “related” to an ongoing investigation.

John Ratcliffe, US Attorney until July 2008, Says He Did Back Door Searches

As I noted, Republican Congressman John Ratcliffe made an interesting admission during yesterday’s debate over USA F-ReDux in the House Judiciary Committee.

He said he had benefitted from back door searches — the discussion was specifically about FISA Amendments Act — when he was a prosecutor. That’s particularly interesting given the timing of his tenure as Chief of Anti-Terrorism and National Security and then US Attorney for the Eastern District of Texas (which includes the suburbs of both Dallas and Houston).

Ratcliffe was the District’s top counterterrorism guy from 2004 until 2007, and US Attorney from 2007 until July 2008.

FISA Amendments Act passed in July 2008.

If Ratcliffe did back door searches, he did them off collection other than FAA.

Now, as I have suggested, there are signs they rolled out back door searches at least as early as they rearranged Protect America Act (at first, without telling Reggie Walton, who was presiding over a challenge to the law) such that collection would come in through FBI. Even still, those January 2008 changes would be rather late in the timing of Ratcliffe’s role as a prosecutor.

John Bates made it clear such an approval — for FISA authorized production anyway — happened in 2008.

Of course, there’s the other possibility that Ratcliffe did, and knew he was doing, back door searches off of Stellar Wind production.

In any case, Ratcliffe’s admission does raise some interesting timing questions about back door searches.

USA F-ReDux’s “Transparency” Provisions and Phone-PRISM

I’m going to make an unpopular argument.

Most observers of USA F-ReDux point to weakened transparency provisions as one of the biggest drawbacks of the latest version of the bill. They’re not wrong: transparency procedures are worse, remarkably so.

But given that I already thought they were not only inadequate but dangerously misleading,* I’m actually grateful to have had the Intelligence Community do another version of transparency provisions, which shows what they’re most intent on hiding and/or hints at what they will really be doing behind the carefully scripted words they’re getting Congress to rubber-stamp.

For comparison, I’ve put the bulk of the required transparency provisions for USA F-ReDux and Leahy’s USA Freedom below the rule below.

Hiding how 702 numbers will explode

The most remarkable of the changes in the transparency provision is that they basically took out this language requiring a top level count of Section 702 targets and persons whose communications were affected — this language.

(i) the number of targets of such orders;

(ii) the number of individuals whose communications were collected pursuant to such orders; [sub 500 range]

(iii) the number of individuals whose communications were collected pursuant to such orders who are reasonably believed to have been located in the United States at the time of collection; [sub 500 range]

This leaves — in addition to the “number of 702 orders” requirement — just this reporting requirement for back door content and metadata searches which (like the Leahy bill) exempts the gross majority of the back door searches, because they are done by the FBI.

(A) the number of search terms concerning a known United States person used to retrieve the unminimized contents of electronic communications or wire communications obtained through acquisitions authorized under such section, excluding the number of search terms used to prevent the return of information concerning a United States person; and [FBI Exemption]

(B) the number of queries concerning a known United States person of unminimized noncontents information relating to electronic communications or wire communications obtained through acquisitions authorized under such section, excluding the number of queries containing information used to prevent the return of information concerning a United States person; [FBI Exemption]

This is all the more remarkable given that ODNI has given us the topline number (though not the number of people sucked in) in each of its last two transparency reports.

In other words, ODNI was happy to tell us that the number of FISA 702 targets went up by 4% between 2013 and 2014, but not how much those numbers of targets will go up in 2015, when they presumably begin to roll out the new call chaining provision.

I suspect — and these are well educated but nevertheless wildarseguesses — there are several reasons.

The number of unique identifiers collected under 702 is astronomical

First, the reporting provisions as a whole move from tracking “individuals whose communications were collected” to “unique identifiers used to communicate information.” They probably did that because they don’t really have a handle on which of the identifiers all represent the same natural person (and some aren’t natural persons), and don’t plan on ever getting a handle on that number. Under last year’s bill, ODNI could certify to Congress that he couldn’t count that number (and then as an interim measure I understand they were going to let them do that, but require a deadline on when they would be able to count it). Now, they’ve eliminated such certification for all but 702 metadata back door searches (that certification will apply exclusively to CIA, since FBI is exempted). In other words, part of this is just an admission that ODNI does not know and does not plan on knowing how many of the identifiers they target actually fit together to individual targets.

But since they’re breaking things out into identifiers now, I suspect they’re unwilling to give that number because for each of the 93,000 targets they’re currently collecting on, they’re probably collecting on at least 10 unique identifiers and probably usually far, far more.

Just as an example (this is an inapt case because Hassanshahi, as a US person, could not be a PRISM target, but it does show the bare minimum of what a PRISM target would get), the two reports Google provided in response to administrative subpoenas for information on Shantia Hassanshahi, the guy caught using the DEA phone dragnet (these were subpoenas almost certainly used to parallel construct data obtained from the DEA phone dragnet and PRISM targeted at the Iranian, “Sheikhi,” they found him through), included:

  • a primary gmail account
  • two secondary gmail accounts
  • a second name tied to one of those gmail accounts
  • a backup email (Yahoo) address
  • a backup phone (unknown provider) account
  • Google phone number
  • Google SMS number
  • a primary login IP
  • 4 other IP logins they were tracking
  • 3 credit card accounts
  • Respectively 40, 5, and 11 Google services tied to the primary and two secondary Google accounts, much of which would be treated as separate, correlated identifiers

So just for this person who might be targeted under the new phone dragnet (though they’d have to play the same game of treating Iran as a terrorist organization that they currently do, but I assume they will), you’d have upwards of 15 unique identifiers obtained just from Google. And that doesn’t include a single cookie, which I’ve seen other subpoenas to Google return.

In other words, one likely reason the IC has decided, now that they’re going to report in terms of unique identifiers, they can’t report the number of identifiers targeted under PRISM is because it would make it clear that those 93,000 targets represent, very conservatively, over a million identifiers — and once you add in cookies, maybe a billion identifiers — targeted. And reporting that would make it clear what kind of identifier soup the IC is swimming in.

Hiding new PRISM providers

There is another reason I think they’ve grown reluctant to show much transparency under 702. Implementing the USA F-ReDux system — in which each provider sets up facilities they can use to chain on non-call detail record session identifying information — means more providers (smaller phone companies, and some new Internet providers, for example) will have what amount to PRISM-lite portals that can also be used for PRISM production. If you build it they will come!

In addition, Verizon and Sprint may be providing more PRISM smart phone materials in addition to upstream collection (AT&T likely already provides a lot of this because that’s how they roll).

So I suspect that, whereas now there’s a gap between the cumulative numbers providers report in their own transparency reports and what we see from ODNI, that number will grow notably, which would lead to questions about where the additional 702 production was coming from. (Until Amazon starts producing transparency reports, though, I’ll just assume they’re providing it all).

Hiding the smart-phone-PRISM

Finally, I think that once USA F-ReDux rolls out, the government (read, FBI, where this data will first be sucked in) will have difficulty distinguishing between the 702 and 215 production from a number of providers — probably AT&T, Verizon, Apple, Google, and Microsoft, but that’s just a guess.

Going back to the case of Hassanshahi, for example (and assuming, as I do, that the government has been parallel constructing the fact that they also targeted the Iranian Sheikhi identifier under PRISM, which would have immediately led them to his GMail account, as they very very easily could), the Tehran phone to Google call between Sheikhi and Hassanshahi would likely come in via at least 3 sources: Sheikhi PRISM collection, Google USA F-ReDux returns on the Sheikhi number, and AT&T backbone USA F-ReDux returns on the Sheikhi number. And all that’s before you’ve taken a single hop into Hassanshahi’s accounts.

In other words, what you’re actually getting with USA F-ReDux is a way to get to the metadata of US persons identified via incidental collection under PRISM (again, this should just be for targets of a somewhat loosey goosey definition of terrorism targets). It’s basically a way to get a metadata “hop” off of all the Americans already “incidentally” collected under PRISM (note, permission to do this for targets identified under a probable cause warrant is already written into every phone dragnet order; this just extends that, with FISC review, to PRISM targets). And for the big providers that have anything that might be considered “call” service, the portals from which that will derive will likely be very very closely related.

The Loss of PRTT Minimization Review in USA F-ReDux

As I noted earlier, the House Judiciary Committee just released a new version of USA Freedom Act, which I’ve dubbed USA F-ReDux. I’ll have a lot more to say about it, but I want to make two minor points about things that got taken out of Leahy’s bill from last year.

Section 215 Minimization

First, last year’s bill had minimization procedures tied to bulky Section 215 collection effectively requiring the government to destroy the data that had not been determined to be two hops from a target within a period of time.

(C) for orders in which the specific selection term does not specifically identify an individual, account, or personal device, procedures that prohibit the dissemination, and require the destruction within a reasonable time period (which time period shall be specified in the order), of any tangible thing or information therein that has not been determined to relate to a person who is—

(i) a subject of an authorized investigation;

(ii) a foreign power or a suspected agent of a foreign power;

(iii) reasonably likely to have information about the activities of—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation;

(iv) in contact with or known to—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation,

Those minimization procedures resemble what we’ve seen from the minimization procedures FISC imposed on the phone dragnet, which probably means they also resemble what FISC was imposing in other cases. In the previous year (2013), FISC had imposed minimization procedures on almost 80% of all orders.

In other words, the clause basically required the government to do what the FISC was probably already forcing it to do in the majority of orders (which, in any case, permitted the government to keep, indefinitely, the records associated with people two hops out of someone whom the government had a traffic stop suspicion had ties to terror or spying).

Last year, however, the FISC modified fewer than 3% of orders, and at least one of those was probably a phone dragnet one. Perhaps the change means the government finally started complying with the requirement laid out in 2006 that it adopt minimization procedures (the impending Section 215 IG Report likely created an incentive to do that, as following the law on minimization was one of the recommendations Glenn Fine had made in 2008, so Michael Horowitz surely followed up on that recommendation; plus, the generally law-abiding James Baker assumed FBI’s General Counsel role in this period). Perhaps it means the government stopped making bulky collections (though that is unlikely). But for some reason, the number of orders on which the FISC imposed minimization procedures and a report back fell off a cliff.

And now the requirement that the government adopt minimization procedures for bulky collection is gone from the bill.

I might be alarmed by that, but this year’s bill does add a Rule of Construction clarifying that the FISA Court can impose additional minimization procedures on top of what the bill requires the government to adopt for Section 215. So it may be that if the FBI returns to its recidivist ways on minimization procedures, we’ll see the number of modified orders spike again.

PRTT “Privacy Procedures”

I’m more concerned about what happened on the Pen Register side.

Last year, the PRTT section added new “privacy” (not “minimization”) procedures.

IN GENERAL.—The Attorney General shall ensure that appropriate policies and procedures are in place to safeguard nonpublicly available information concerning United States persons that is collected through the use of a pen register or trap and trace device installed under this section. Such policies and procedures shall, to the maximum extent practicable and consistent with the need to protect national security, include privacy protections that apply to the collection, retention, and use of information concerning United States persons.

Compare how squishy those privacy procedures are to the required Section 215 minimization procedures FBI blew off for years.

(A) specific procedures that are reasonably designed in light of the purpose and technique of an order for the production of tangible things, to minimize the retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(B) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in section 1801 (e)(1) of this title, shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance; and

Rather than requiring the procedures minimize the retention and dissemination, the bill required only that privacy protections be applied. And there was no requirement limiting dissemination of non-foreign intelligence data.

But at least there were privacy procedures, right? Baby steps?

Last year’s bill had, and this year’s bill retains, a Rule of Construction (like that added to Section 215) that notes nothing limits FISC’s power to impose additional minimization procedures.

(2) RULE OF CONSTRUCTION.—Nothing in this subsection limits the authority of the court established under section 103(a) or of the Attorney General to impose additional privacy or minimization procedures with regard to the installation or use of a pen register or trap and trace device.

Which is all well and good, but FISC’s authority to do so with PRTT has no statutory basis, unlike Section 215. And during both the 2004 initial application for the Internet dragnet and John Bates’ 2010 reauthorization of it, the government made some fairly aggressive claims about FISC’s impotence to do anything but rubber stamp applications. So this Rule of Construction may not have the same weight as that in Section 215.

Which is why I worry that this section was removed from the bill.

(3) COMPLIANCE ASSESSMENT.—At or before the end of the period of time for which the installation and use of a pen register or trap and trace device is approved under an order or an extension under this section, the judge may assess compliance with the privacy procedures required by this subsection by reviewing the circumstances under which information concerning United States persons was collected, retained, or disseminated.

As the documents on the phone dragnet violations showed, unless FISC has and exercises the authority to ensure compliance with minimization procedures, the government will cheat (or, more charitably, not find systematic years-long violations staring them in the face). FISC seemed to recognize this when it imposed compliance reports on its minimization of Section 215 orders in recent years. But it won’t have statutory authority to review assessment with these already-squishy “privacy procedures.”

Google Applauds USA F-ReDux Because It “Modernizes” Surveillance

Thus far, none of the Internet providers who have issued statements in support of the latest incarnation of USA Freedom Act (which I’m calling USA F-ReDux) have mentioned that they will be getting expansive immunity and compensation for helping the government spy on you.

Google didn’t mention it either.

Along with two other features, Google argues USA F-ReDux would,

[E]nd the bulk collection of communications metadata under various legal authorities. This not only includes telephony metadata collected under Section 215, but also Internet metadata that has been or could be collected under other legal authorities.

I find that an interesting way to describe the bill, particularly given that Google calls this “modernizing” surveillance, not limiting it.

Congress Has Only A Few Weeks Left to Modernize Surveillance Laws

Both the government and some providers used that same language — “modernize” — during the FISA Amendments Act, too. Sure, that was partly because it accommodated the law to growing Internet reliance. USA F-ReDux will do that too, to the extent it allows the government to obtain metadata for things like Google Meet-Ups and other VOIP calls and Internet messaging, which the government needs if it really wants dragnet coverage. FAA also involved deputizing Internet providers so that their data could no longer be collected in bulk by phone companies.

Modernizing surveillance, they called that.

And as I’ve just begun to lay out, this bill will set up a system similar in many respects to PRISM, where the government would go to the provider to get what they wanted on a target. Under PRISM, what the government wanted quickly expanded. Within 6 months of the roll-out of PRISM, the government was already asking for 9 different types of data from providers like Yahoo, apparently spanning Yahoo’s four business functions (meaning email, information services, data storage, and Yahoo internal functions).

Here, as with FAA, the government will go to providers to get what they want. And given that the bill permits the government to ask providers to chain on non-Call Detail Record session identifiers (things like cookies and location data), the government will benefit from, though not directly access, some of the same data that the government started obtaining under PRISM. And while I would hope the FISA Court would exert some oversight, I would also bet the government will make increasingly expansive claims about what constitutes a “session identifier” that can be used to chain (we know that, overseas, they chain on address books and photographs, for example).

And in one way, USA F-ReDux is worse than PRISM. Unlike FAA, USA F-ReDux will feature an added role for a Booz-type contractor compiling all this data, possibly in some cloud somewhere that would be about as safe as all the documents Edward Snowden took, to make it easier to chain across providers.

This is what Google celebrates as “modernization.”

But let’s go back to Google’s representation of this as ending bulk collection of, “Internet metadata that has been or could be collected under other legal authorities.”

We’ve long discussed the Section 215 dragnet as covering just calls made by phone companies (though Verizon’s Counsel, in a hearing last year, noted that the government would have to get VOIP if it wanted full coverage).

But that’s not true. As I reported the other day, at least one of the phone metadata dragnets was collecting VOIP metadata. Google’s VOIP metadata. In fact, the only known use of the DEA dragnet involved a US user subscribing to Google calls.

In other words, the Shantia Hassanshahi case is important not just because it led to us learning about the DEA dragnet, but because it revealed that (in addition to Google’s Internet metadata being collected under PRTT illegally for years), Google’s VOIP data also got sucked up in at least one phone dragnet.

Google doesn’t like other people being able to spy on its customers.

But now that USA F-ReDux will return it to the position of having the monopoly on spying on its customers, it calls this “modernization.”

The Government’s Two Freebie Phone Dragnet Orders

The mood among dragnet reformers has been outright panic about how we need to do something now omigosh we only have 6 weeks.

That’s true, to a point.

But as people scream about the urgency of this, they should consider that the government plans to be operating with the old-style dragnet for up to another 6 months.

For what are surely good logistical reasons (the government has to tell the phone companies how they’ll have to chain on their smart phone users’ data, and Booz will have to set up a giant insecure cloud to conduct the cross-provider chaining), the newfangled chain-on-your-smart-phone dragnet won’t start for 6 months after this bill passes.

(a) IN GENERAL.—The amendments made by sections 101 through 103 shall take effect on the date that is 180 days after the date of the enactment of this Act.

(b) RULE OF CONSTRUCTION.—Nothing in this Act shall be construed to alter or eliminate the authority of the Government to obtain an order under title V of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1861 et seq.) as in effect prior to the effective date described in subsection (a) during the period ending on such effective date.

That means the government plans on relying on the old-fashioned suck-it-all-up dragnet for another 6 months.

It also provides a narrow window for the government to rush through new definitions (for example, of session-identifying information that is not a CDR) that won’t be subject to USA F-ReDux’s notice requirements.

Hopefully, the FISC would look askance at that ploy. In the last dragnet order, James Boasberg asked most of the right questions about what the government plans to do to convince me he, at least, doesn’t intend to be snookered in this lame duck period.

But those running around screaming “PANIC!” should recognize that even under the passage of USA F-ReDux, the dragnet will continue another 6 months.

USA F-ReDux: Chaining on “Session Identifying Information” that Is Not Call Detail Records

The House Judiciary Committee just released the latest incarnation of USA Freedom Act, which for now I’m calling USA F-ReDux.

One thing they’ve changed from the Patrick Leahy version is to reword what, under Leahy’s bill, provided for two hops of “connection chaining,” without defining what “connection chaining” meant.

Now, they provide a first hop that produces call detail records…

(iii) provide that the Government may require the prompt production of a first set of call detail records using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii);

Later on in the bill, they define call detail record, which is what it was under the Leahy bill.

(3) CALL DETAIL RECORD.—The term ‘call detail record’—

(A) means session-identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and

(B) does not include—

(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;

(ii) the name, address, or financial information of a subscriber or customer; or

(iii) cell site location or global positioning system information.

In other words, that first hop cannot include one definition of content or, most importantly, cell site location.

But the second one can.

The second hop is based off session-identifying information that is not limited by that CDR definition.

(iv) provide that the Government may require the prompt production of a second set of call detail records using session-identifying information or a telephone calling card number identified by the specific selection term used to produce call detail records under clause (iii)

They might as well have said, you can get call detail records, which we’ll define as a limited kind of session-identifying information, and then you can get call detail records (which have to be no more than a SIM card ID) using session-identifying information that doesn’t qualify under our CDR definition.

And that second session-identifying information could easily include cell location, cookies and permacookies, or a slew of other things that count as session-identifying information when you’re talking smart phones.

In other words, this seems to confirm the concerns I have had from day one that by going to the providers, they intend to do chaining off of information that doesn’t qualify under the narrow definition of session-identifying information.

Update: Here’s one more piece of evidence this is about getting smart phone data. USA F-ReDux introduces a new definition of “specific selection term” just for the CDR function. And it specifically permits the chaining on “accounts.”

(B) CALL DETAIL RECORD APPLICATIONS.—For purposes of an application submitted under subsection (b)(2)(C), the term ‘specific selection term’ means a term that specifically identifies an individual, account, or personal device.

Now, it’s possible that they just mean to chain on Friends and Family accounts, as AT&T will gladly do with just an NSL.

Except you get into accounts when you’re dealing with calls and messaging tied to a computer account and not any device. So they could chain on my “emptywheel” account to get Skype calls.

That’s fine, to an extent. They need such accounts to have anything close to full coverage, given how much messaging traffic takes place online. But that also says you’re already broaching any distinction between “calls” and Internet.

The “Accidental” Phone Dragnet Violations IDed in 2009 Were Actually Retained Stellar Wind Features

I have long scoffed at the claim that the phone dragnet violations discovered in 2009 were accidental. It has always been clear they were, instead, features of Stellar Wind that NSA simply never turned off, even though they violated the FISC orders on it.

The Stellar Wind IG Report liberated by Charlie Savage confirms that.

It describes that numbers were put on an alert list and automatically chained.

An automated process was created to alert and automatically chain new and potential reportable telephone numbers using what was called an “alert list.” Telephone numbers on the alert list were automatically run against incoming metadata to look for contacts. (PDF 31)

This was precisely the substance of the violations admitted in 2009.

So NSA lied to FISC about that, and the IC lied to us about it when this came out in 2013.

Update: Note the reference to the violations on PDF 36 — though they don’t admit that it’s the same damn alert list and that NSA’s IG considered telling FISC from the start.

On Mitch’s PATRIOT Gambit

Mitch McConnell, as you’ve probably heard, has just introduced a bill to reauthorize the expiring provisions of the PATRIOT Act until 2020.

The move has elicited a bunch of outraged comments — as if anyone should ever expect anything but dickishness from Mitch McConnell. But few interesting analytical comments.

For example, Mitch is doing this under Rule 14, meaning it bypasses normal committee process. But that’s not as unusual, in ultimate effect, as people are making out. After all, last year the House Judiciary Committee was forced to adopt a much more conservative opening bill under threat of having its jurisdiction stripped entirely — something that Bob Goodlatte surely liked because it helped him rein in the reformers on his committee. Particularly given Chuck Grassley’s dawdling, I suspect something similar is at issue, an effort to give him leverage to rein in last year’s USA Freedom Act in order to undercut Mitch’s ploy.

Moreover, I think it would be utterly naive to believe Mitch and Richard Burr when they claim they would prefer straight reauthorization.

That’s because we know the IC can’t do everything they want to do under Section 215 right now. While reports that they only get 30% of calls are misleading (not least because NSA gets plenty of international calls into the US under EO 12333), for legal or technical or some other reason, the NSA isn’t currently getting all the records it needs to have full coverage. But it could get all or almost all if it worked with providers.

In addition — and this may be related — the NSA has never been able to turn its automated processes back on for US-collected telephone data since they had to turn them off in 2009. They gave up trying last year, when Obama decided to move data to the providers. I suspect that the combination of mandated assistance, record delivery in optimal form, and immunity will permit NSA to dump this data into its existing automated system.

So while Mitch and Burr may pretend they’d love straight reauthorization, it is far, far more likely they’re using this gambit to demand changes to USAF that permit the IC to claim more authorities while pretending to reluctantly adopt reform.

And chief on that list is likely to be data retention, something reformers have been conspicuously silent about since Dianne Feinstein revealed USAF would have had a data retention handshake, but not a mandate. Data retention is why most SSCI members opposed USAF last year, it’s why Bill Nelson (working off his dated understanding of the program from when he served on SSCI) voted against it, and Bob Litt has renewed his emphasis on data retention.

Moreover, given the debates about encryption of the last year, especially Jim Comey’s concerns that Apple would have an unfair advantage over Verizon if it can shield iMessage data, I suspect that by data retention they also mean “forced retention of non-telephony messaging metadata.” I’m not sure whether they would be able to pull this off, but I wouldn’t be surprised if the IC plans to use “NSA reform” as an opportunity to force Apple to keep iMessage metadata.

So that’s what I expect this is about: I expect Mitch deliberately caused outright panic among those fighting a straight reauthorization that even he doesn’t really want, in order to demand more things from this “reform” bill.