Will Verizon Challenge the Government’s Fishy Dragnet?

Tim Edgar has a fascinating post on how the SCOTUS decision in Yates v US — in which a guy busted for throwing away undersized fish was let off because those fish do not constitute a tangible object under the law — might have repercussions for the phone dragnet.

The Supreme Court let Yates off the hook.  Five justices agreed that a fish is not a tangible object.  At first blush, this seems a bit implausible.  Justice Kagan certainly thought so.  Her eloquent dissent cites Dr. Seuss’s One Fish Two Fish Red Fish Blue Fish – for a time, my favorite book – as authority that fish are, indeed, tangible objects.  I expect it is the first use of any book by Dr. Seuss as legal authority in an opinion of the Supreme Court, and I must say that I found it squarely on point, if not ultimately persuasive.

Justice Ginsburg’s opinion for the plurality explains that fish are not tangible objects because “in law as in life . . . the same words, placed in different contexts, sometimes mean different things.”

[snip]

Surprisingly, Yates has real implications for national security surveillance. The NSA’s bulk collection of telephone records is based on section 215 of the Patriot Act, which amended the business records provision of the Foreign Intelligence Surveillance Act (FISA). That provision is titled “Access to certain business records for foreign intelligence and international terrorism investigations.” It allows the government to obtain an order from the FISA court “requiring the production of any tangible things (including books, records, papers, documents, and other items)” in national security investigations.

Does this literally mean “any tangible things,” or is this just a catch-all ensuring that all types of business records are covered? While the provision is very broad even if limited to business records or data, until Yates it might have meant literally anything at all. For example, it might be tempting for the government to use it to obtain, in national security investigations, the kind of physical items that would otherwise have required a physical search order. As a FISA business records order requires only relevance, and not probable cause, that would be a dangerous loophole. Yates closes it.

Perhaps more to the point, Yates also weakens the government’s bulk collection theory for telephone records.  While Yates is interpreting a different statute, the logic is clear: the words “any tangible things” should not be read literally.  Instead, they must be read in context, taking account of the words immediately surrounding it, the title of the section, the structure of the law, and its purpose.  Read in this way, it is clear that “tangible things” should not be read to encompass things far afield from the sorts of business records that Congress expected would be sought in national security investigations.

[snip]

Bulk collection is qualitatively, not just quantitatively, different from the sorts of requests for records, documents, or other “tangible things” ordinarily made by government both in law enforcement and intelligence investigations. 

Steve Vladeck made a similar observation on Twitter earlier today, so Edgar is not the only one raising this question.

As it happens, today is dragnet renewal day. Which not only means that some FISC judge will reapprove the dragnet, but that providers will get new Secondary Orders. And — as happened in January 2014, when Verizon challenged an order based on Richard Leon’s decision in Klayman v. Obama — that presents the providers with an opportunity to challenge the order based on new legal developments.

And it’s not just Verizon that has a new opportunity to challenge the government’s fishy dragnets.

I’ve long suspected that the government has, in limited fashion, used Section 215 to obtain DNA material (they have databases of DNA from Gitmo detainees, for example, and I can imagine that they’d love to obtain DNA samples where they exist).

More interestingly, we’ve been talking about the government’s use of Section 215 to obtain Internet data, probably in hacking investigations. If, as a number of people suspect, they’re using it to get data flow records, that may be deemed even further away from common definitions of “tangible things.” And the Internet companies are riled up.

So let’s have it, providers! Some challenges to the fishy dragnet!

Update: In the post announcing the reauthorization (yesterday, actually) of the dragnet, I Con the Record noted that this one expires on June 1. I suppose that’s designed to add pressure on the reauthorization fight.  I think that works out to be a 95 day dragnet.

The Government Continues to Play Hide and Seek with Surveillance Authorities

Last year, I described the effort by Reaz Qadir Khan’s lawyers to make the government list all the surveillance it had used to catch him (which, significantly, would either be targeted off a dead man or go back to the period during which the government used Stellar Wind). In October the government wrote a letter dodging most notice. Earlier this year, Judge Michael Mosman (who happens to also be a FISA judge) deferred the notice issues until late in the CIPA process. Earlier this month, Khan pleaded guilty to accessory to material support for terrorism after the fact.

Another defendant accused of material support, Jamshid Muhtorov, replicated that tactic, demanding notice of all the types of surveillance used against him (his co-defendant, Bakhtiyor Jumaev, joined the motion). The government responded to that motion yesterday.

A comparison of the two responses is instructive.

Part of what the government does in both is to rehearse the notice requirements of a particular statute, stating that in this case the evidence hasn’t met those terms. It does so, we can be certain, whether or not the surveillance has been used. That’s because the government addressed FISA Section 703 notice in the Khan case, and we know the government doesn’t use 703 by itself at all.

The responses the government made for both the Section 215 request, in which the government said it has no duty to notice Section 215 and a defendant would not have standing nor would have a suppression remedy, and PRTT, in which the government listed 5 criteria, all of which must be met to require notice, were virtually identical.

Which is why I’m interested that the government’s treatment of EO 12333 notice was different (in both cases, there’s good reason to believe EO 12333 surveillance was involved, though in the case of Khan, that would likely include the illegal dragnet).

With Khan, the government remained completely silent about the questions of EO 12333 collection.

Whereas with Muhtorov — who was likely included in the Internet metadata dragnet, but probably not in Stellar Wind — the government argues he would only get notice if Muhtorov could claim evidence used against him in a proceeding was obtained via allegedly illegal electronic surveillance.

Therefore, under circumstances where § 3504 applies, the government would be required to affirm or deny the occurrence of the surveillance only when a defendant makes a colorable claim that evidence is inadmissible because it was “the primary product of” or “obtained by the exploitation of” allegedly unlawful electronic surveillance as to which he is aggrieved.

Then it included a [sealed material redacted] notice.

Which seems tantamount to an admission that EO 12333 data was used to identify Muhtorov, but that in some way his prosecution did not arise from that data as a “primary product.”

Muhtorov was IDed in a chat room alleged to have ties to the Islamic Jihad Union, which I presume though don’t know is hosted overseas. So that may have been EO 12333 surveillance. But it may be that his communications on it were collected via 702 using the Internet dragnet as an index.

Is the government arguing that using a dragnet the FISC declared to be in violation of FISC orders only as a Dewey Decimal system for other surveillance doesn’t really count?

NSA’s Dysfunctional Post-Tasking Checks

I noted this in both my working threads on the NSA, CIA and FBI minimization procedures, but it deserves more attention. Sometime in the last several years, the process by which NSA determines whether something they’ve collected is of a person in the US started going flukey, during certain periods. So now there’s a subset of data that analysts — at NSA, CIA, and FBI — all have to check for foreignness before they use it. That also means there is US person data that has been collected but not properly identified.

All three minimization procedures have a paragraph like this:

In the event that NSA seeks to use any information acquired pursuant to section 702 during a time period when there is uncertainty about the location of the target of the acquisition because the [redacted] post-tasking checks described in NSA’s section 702 targeting procedures, NSA will follow its internal procedures for determining whether such information may be used (including, but not limited to, in FISA applications, section 702 targeting, and disseminations). Except as necessary to assess location under this provision, NSA may not use or disclose any information acquired pursuant to section 702 during such time period unless NSA determines, based on the totality of the circumstances, that the target is reasonably believed to have been located outside the United States at the time the information was acquired. If the NSA determines that the target is reasonably believed to have been located inside the United States at the time the information was acquired, such information will not be used and will be promptly destroyed.

Both the fact that this section appears in the Destruction of Raw Data section in NSA’s SMPs (and not the section dedicated to challenges with upstream collection), and the fact that it appears in both the CIA and FBI SMPs (suggesting this is data they’d be getting in raw format, which they don’t get from upstream collection), suggest that this is general 702 data, not upstream data, where NSA has been known to have had a problem in the past.

The fact that the same paragraph, almost verbatim, shows up in all three places, plus the language about using such data for FISA applications, suggests this language came from or is in the SMPs to keep the FISA Court happy. Indeed, there’s probably a nice FISC opinion that explains how FISC learned that NSA’s targeting process was flawed.

We know this problem was identified sometime between October 2011 and July 2014 because this language doesn’t show up in the 2011 NSA SMPs. There are few things that are identifiable in the Intelligence Oversight Board reports that could be a dysfunction that would merit a FISC order, though there are a number — such as these two redacted paragraphs on Systems Errors in the middle of the FISA section of the Q1 2013 (which covers the last three months of 2012) report — that might be such a problem.

Or perhaps the problem is even more recent, meaning it would have been reported in the 2 years of IOB reports we don’t have.

To be sure, it appears FISC has required that all agencies accessing raw data do the kind of location checks that the failed system would otherwise have done. So US person data won’t be used, it’ll just sit in NSA’s (or CIA or FBI’s) servers until it is discovered.

But this is one of a number of examples we see in the IOB reports (the purge process, which was also not working for a while, is another; that seems to have been or is being fixed with the Master Purge List that appears in these SMPs) where the software checks designed to protect Americans failed. That doesn’t indicate any animus or ill-intent. But it does suggest the complexity of this system continues to result in failures that — regardless of intent — also present a privacy risk.

Does the FBI STILL Have an Identity Crisis?

I’ve finished up my working threads on the NSA, CIA, and FBI Section 702 minimization procedures. And they suggest that FBI has an identity crisis. Or rather, an inability to describe what it means by “identification of a US person” in unclassified form.

Both the NSA and CIA minimization procedures have some form of this definitional paragraph (this one is NSA’s):

Identification of a United States person means (1) the name, unique title, or address of a United States person; or (2) other personal identifiers of a United States person when appearing in the context of activities conducted by that person or activities conducted by others that are related to that person. A reference to a product by brand name, or manufacturer’s name or the use of a name in a descriptive sense, e.g., “Monroe Doctrine,” is not an identification of a United States person.

Even though the FBI minimization procedures have a (briefer than NSA and CIA’s) definitional section and get into when someone counts as a US person from a geographical standpoint, they don’t have the equivalent paragraph on what they consider US person identifying information, which is central to minimization procedures.

Now, I might assume that this is just an oversight, something FBI forgot to incorporate as it was writing its own 702 minimization procedures incorporating what NSA has done.

Except that we know the FBI has suffered from this same kind of identity crisis in the past, in an analogous situation. As Glenn Fine described in the 2008 Inspector General Report on Section 215 (the one the successor for which has been stalled for declassification review for over 6 months), the FBI never got around to (and almost certainly still hasn’t gotten around to, except under modifications from the FISA Court) complying with Section 215’s requirement that it adopt minimization procedures specific to Section 215.

One holdup was disagreement over what constituted US person identifying information.

Unresolved issues included the time period for retention of information, definitional issues of “U.S. person identifying information,” and whether to include procedures for addressing material received in response to, but beyond the scope of, the FISA Court order; uploading information into FBI databases; and handling large or sensitive data collections.

(Note, there’s very good reason to believe FBI is still having all these problems, not least because several of them showed up in Michael Horowitz’ NSL IG Report last year.)

One problem Fine pointed out is that the AG Guidelines adopted in lieu of real minimization procedures don’t provide any guidance on when US identifying information is necessary to share.

When we asked how an agent would determine, for example, whether the disclosure of U.S. person identifying information is necessary to understand foreign intelligence or assess its importance, the FBI General Counsel stated that the determination must be made on a case-by-case basis.

While NSA’s 702 SMPs do lay out cases when FBI can and cannot share US person identifying information (those are, in some ways, less permissive than CIA’s sharing guidelines, if you ignore the entire criminal application and FBI’s passive voice when it comes to handling “sensitive” collections), if the guidelines for what counts as PII are not clear — or if they’re expansive enough to exempt (for example) Internet handles such as “emptywheel” that would clearly count as PII under NSA and CIA’s SMPs — then it would mean far more information on Americans can be shared in unminimized form.

And remember, FBI’s sharing rules are already far more lenient than NSA’s, especially with regards to sharing with state, local, and other law enforcement partners.

Call me crazy. But given the FBI’s past problems defining precisely this thing, I suspect they’re still refusing to do so.

Working Thread: 702 Minimization Procedures (NSA and CIA)

NSA

These SMPs have not changed significantly since they were changed in the wake of the 2011 upstream ruling. The exceptions are:

(1) “of information, including non-publicly available information” was added to the first paragraph. This may suggest NSA is also using publicly available information (which you would think they would anyway, if only to integrate public Twitter and other social media) in their analysis.

(1) The third paragraph (which has a counterpart in FBI SMPs) is new. I wonder whether there have been IG access problems in the past, notably when both FBI and NSA did big 702 IG Reports in 2012?

(2) (f) I’ve added this to the FBI SMPs. But NSA and CIA SMPs, unlike FBI ones, include this language defining what identification means. FBI has been dodging this on other issues as well in recent years (including the illusory 215 SMPs), so I suspect its lack of such language suggests FBI’s interpreting it very narrowly.

(2) (j) Some of these paragraphs now marked unclassified, such as this one, were marked S/SI in 2011. Thank you Snowden.

(3) (k)(3) This changes an automatic loss of USP rights if someone loses their resident alien status from the 2011 SMPs.

(3) (b)(1) In 2011, this paragraph specified “in processing cycle” in the earliest practicable point, suggesting it may have gotten moved later.

(4) This takes out a paragraph (formerly paragraph 3) on retaining storage tapes.

(4) (1)(a) The “including metadata” language is newly unredacted, as another reference to obtaining metadata from upstream collection also is.

(5) Through these SMPs, including at (b)(1), add language about how to deal with upstream transactions, permitting the use of them if they’re targeted and aren’t all USPs.

(6) Paragraph 4 is the other newly unredacted discussion of metadata use.

(7-8) The destruction paragraphs 3 and 4 are both entirely new. The 2011 stuff seems to reflect a decision at the end of 2011 to destroy its upstream USP transactions. The litigation paragraph reflects some other language elsewhere.

(8) Paragraph e has counterparts in the FBI and CIA SMPs, suggesting there was a significant problem with location tracking. Unless I’m mistaken, that doesn’t show up in IOB reports (as, for example, the purge tool does).

(9) There are more strictures in place for deciding to keep domestic communications.

(10) The last (unnumbered) paragraph on the page adds the ability to share target location.

(11) Note the reference to the Master Purge List, which was a big issue in recent years (because it wasn’t functioning the way it was supposed to).


CIA

(1-2) CIA has better repository language than FBI.

(2) Note NCS Director gets to decide to retain things longer than 5 years (though I would assume this would change if Brennan gets his Cyber expansion).

(2) CIA gets to keep unminimized USP data if they “may be a target of intelligence activities of a foreign power.”

(2) As with NSA (though their language is different), the CIA gets to keep USP data if “a United States person has engaged or may be engaging in the unauthorized disclosure of properly classified national security information.” Surely the FBI gets to keep this too, they just describe it differently.

(2) I do believe this USP retention is unique to CIA:

The information concerns corporations or other commercial organizations the deletion of which would hamper the correlation of foreign intelligence information on the same subject;

(3) Amid a slew of USP retention clauses (including one for people who pose a threat of sabotage to any US IC facility, which is problematic), there’s entirely redacted h. My guess is this is about people who facilitate terrorism but who aren’t terrorists (or perhaps who read stuff that is bad).

(3) As with FBI, the metadata paragraph (4a) is fairly broad, and permits copying of all such metadata.

(4) As with FBI, there’s this oblique paragraph (4b) that doesn’t require tracking of queries that don’t get to the underlying FISA data.

(4) CIA, unlike FBI and NSA, explicitly limits the technical database to technical personnel.

(5) CIA has a paragraph like FBI and NSA permitting them to keep data for a year to assess whether they’ve been compromised.

(5) CIA’s Attorney Client paragraph is similar to what FBI’s used to be.

(6) It’s odd that CIA has a long passage on federal translators or technical assistance, whereas NSA has its international one. I’d expect CIA to rely on other governments too (though it does have a foreign govt dissemination section too, of similar length).

(6) Unsurprisingly, CIA has multiple ways to share with foreign governments, all but translation redacted.

(9) Bizarrely, an entire big paragraph is redacted to end the SMPs. It probably deals with USP (or domestically collected) data, by context, but that’s a WAG.

How Internet Dragnettery Got Way More Permissive Under PRISM

I’m finally working through the minimization procedures released earlier this month as part of the blitz claiming that the Intelligence Community has made big changes in the year since President Obama’s surveillance speech. Here’s my first working thread, on FBI’s Section 702 minimization procedures (SMPs).

The SMPs provide one sense of why the NSA shut down the Internet dragnet in 2011. As a court filing last year made clear, one of the places the Internet metadata analysis moved to was Section 702. And FBI’s SMPs show that collecting and analyzing metadata via PRISM would be far more permissive in a number of ways than doing it under the rules laid out under the PRTT orders.

The first reason is obvious: whereas the PRTT dragnet could only be used for terrorism purposes, FBI can pull metadata from foreign selectors identified for any number of reasons: there are counterterrorism and counterproliferation certificates, as well as a foreign government one that appears to get used very broadly, including to cover hackers, which the government seems to treat as a counterintelligence function.

Moreover, FBI can disseminate metadata results far more broadly. It can disseminate USP data for all foreign intelligence information, which would include counterterrorism, counterproliferation, and (assuming they’re treating hacking as a clandestine intelligence activity) hackers. And it can disseminate such metadata analysis to state, local, tribal, and other agencies. There’s only protection for USP identities if FBI pulled it for foreign power purposes (that is, who’s chatting with Angela Merkel).

Those receiving the data would be told there are SMPs, but they wouldn’t require any training to receive such query results.

And that’s all before you consider that FBI can “transfer some or all such metadata to other FBI electronic and data storage systems,” which seems to broaden access to it still further.

Users authorized to access FBI electronic and data storage systems that contain “metadata” may query such systems to find, extract, and analyze “metadata” pertaining to communications. The FBI may also use such metadata to analyze communications and may upload or transfer some or all such metadata to other FBI electronic and data storage systems for authorized foreign intelligence or law enforcement purposes.

In this same passage, the definition of metadata is curious.

For purposes of these procedures, “metadata” is dialing, routing, addressing, or signaling information associated with a communication, but does not include information concerning the substance, purport, or meaning of the communication.

I assume this uses the very broad definition John Bates rubber stamped in 2010, which included some kinds of content. Furthermore, the SMPs elsewhere tell us they’re pulling photographs (and, presumably, videos and the like). All those will also have metadata which, so long as it is not the meaning of a communication, presumably could be tracked as well (and I’m very curious whether FBI treats location data as metadata as well).

Using PRISM data, it would be far, far easier to “correlate” multiple identities, so as to show (for example) all the people chained off of one person’s multiple Google identities, because the providers know these (note, too, this seems to have been something the government started asking Yahoo for months after Protect America Act started).

Then there’s retention. While some of the key numbers are redacted, the base retention level for FBI 702 data is 5 years, and for data deemed to have a foreign intelligence purpose it is longer — perhaps as long as the 20 and 30 year retention for FBI records (plus 5 years on the front end). So whereas the NSA had to throw out the underlying data after 4.5 and, for a period, 5 years, they can keep underlying data far longer at the FBI.

Finally, there’s tracking. It appears the FBI doesn’t have to track the metadata queries it makes at all.

The FBI shall identify FISA-acquired information in its storage systems, other than those used solely for link analysis of metadata, that has been reviewed and meets those standards.2

2 Although the FBI need not mark metadata as meeting the retention standards or as having been disseminated, the FBI must still assess whether the metadata meets the requirements for dissemination pursuant to Section V prior to actually disseminating the information.

Indeed, this may be the real problem for FBI’s counting of back door searches — that they don’t require the tracking of metadata queries at all.

And I think it’s possible (though I’m less sure about this) the curious language I noted in USA Freedom Act exempting communications metadata from cloud providers may also hide what isn’t already protected under back door searches, basically not counting this metadata collection as such.

So whereas under the PRTT program the NSA tracked every single metadata query, using PRISM data there’d be almost no tracking at all.

There are, I think, just two limits in using PRISM to do Internet dragnettery (but remember, some of this almost certainly moved overseas under SPCMA as well, which wouldn’t have these particular limits). First, depending on how a provider retains their data (and how long a user retains her own communications), the FBI might not have access to 5 years of communications data when it first started tracking someone (though it seems NSA primarily needed 2 years, and given how long people keep email, there’d often be far more than 5 years available).

And finally — and this is a significant one — there’s the requirement that the government only target people overseas. So unless FBI is permitted to pull two or three degrees of communication off of targets (and they might be!), it would be harder, though not impossible, to show internal communication patterns.

Still, I can see how they’d find the PRTT dragnet to have performance limits. Because, for the purpose of tracking those with ties to known overseas threats, pulling metadata from PRISM would be far more permissive if you did it at FBI.

 

Working Thread: 702 Minimization Procedures (FBI)

FBI

(2) Does the exclusion of data acquired with consent incorporate the Third Party doctrine assumption that you’ve given your metadata over willingly? Because the FBI is using 702 acquired data for metadata analysis.

(2) The definitions of who is and who is not a USP are very very permissive. That’s because being outside the US or “not known” is presumptively a non-USP — but we know they claim not to track location that closely. So it’s presumably very easy for them to not know and keep tracking a USP. Moreover, the IOB and 702 IG report show that the FBI doesn’t necessarily double check NSA data on location, so they may not learn even if NSA has subsequently learned someone is a USP.

(3) How many contractors are included in this definition of FBI personnel? And do they include “contractors” who troll chat rooms for potential targets?

(3) This states the procedures should not limit lawful oversight of among other things, the appropriate IGs. So why is DOJ IG having such a hard time tracking things like this?

(3-4) FBI can keep 702 data for up to a year to conduct security assessments of its own systems. Why would 702 data be targeted like that?

(4) This section appears to be the directly acquired data–so why is ODNI still redacting the description of it?

(4) What does FBI mean by “end user” among those who have to delete data that has been improperly collected? Does it include data handed onto localities?

(5) Note the specific permission for multiple users accessing information simultaneously “or sequentially” and sharing back and forth. What’s that about? Also, I’m struck by the absence of any requirement on login credentials, as NSA procedures often include. Is it possible FBI only audits this via log? And how is the log generated?

(5) Note the SMPs specifically include photos among FISA data.

(6) As with the NSA, the FBI is permitted to keep data that has been determined to be USP data if it is information “retained for cryptanalytic, traffic analytic, or signal exploitation process.” While this determination is supposed to happen on a communication-by-communication basis (which should work out to be more restrictive than NSA), it also broadly permits FBI to keep anything encrypted, even if it’s USP data collected domestically.

(7) If people “assisting in a lawful and authorized governmental function” are not doing it as part of their job duties, it seems to suggest sharing outside of professionals. Again, that could include broadly defined “consultants.”

(7) The audit language appears to require only audits of people who’ve accessed raw data, not what they’ve done while accessing it.

(7-8) This language appears to permit the FBI to retroactively reclassify something FI data. This permissiveness would seem to breed permanent retention.

(8) Those getting 702 data aren’t apparently required to go through training; they’re just informed the SMPs exist. This is one of a number of ways that FBI’s SMPs are more lenient than NSA’s, precisely on information sharing.

(8) What does this mean, legally? “Such personnel shall exercise reasonable judgment in making such determinations” [about whether something is foreign intelligence, important, or evidence of a crime]?

(9) The footnote on metadata is key: the FBI case managers don’t have to identify whether metadata has been disseminated, nor that it has met retention standards. This means the standards on PRISM-acquired metadata are vastly more lenient than they were under the PRTT program.

(10) SMPs use the passive voice when instructing people “particular care should be taken” when reviewing sensitive information. A classic rule in procedures writing is if you don’t intend the procedures to work, write them in the passive voice.

Information that reasonably appears to be foreign intelligence information, necessary to understand foreign intelligence information, or necessary to assess the importance of foreign intelligence information may be retained, processed, and disseminated in accordance with these procedures even if it is sensitive information.

(11) I’m wondering if the redaction talks about how those not authorized to access this data can get others to do so for them (as was indicated in PCLOB).

(11) This is interesting. After saying that queries need to be tracked (see above for my concern about whether these queries are audited), it says this:

For purposes of this section, the term query does not include a user’s search or query of an FBI electronic and data storage system that contains raw FISA-acquired information, where the user does not receive the raw FISA-acquired information in response to the search or query or otherwise have access to the raw FISA-acquired information that is searched.

This seems to suggest, first of all, that if someone queries data they shouldn’t, no record will be kept. But also recall my suspicions about how defeat lists work, including that informants would be defeated from a lot of kinds of searches. That means (if my guess is correct) that FBI would never be held accountable for researching on one of their informants but getting no return. Consider how this would work if, for example, Tam Tsarnaev was informing for FBI, as some evidence suggests he was.

(11) More on the permissions involving metadata:

Users authorized to access FBI electronic and data storage systems that contain “metadata” may query such systems to find, extract, and analyze “metadata” pertaining to communications. The FBI may also use such metadata to analyze communications and may upload or transfer some or all such metadata to other FBI electronic and data storage systems for authorized foreign intelligence or law enforcement purposes. For purposes of these procedures, “metadata” is dialing, routing, addressing, or signaling information associated with a communication, but does not include information concerning the substance, purport, or meaning of the communication.

Bet you $100 there’s a juicy FISC opinion on this. Note, especially, that FBI clearly has access to stuff that is metadata but that has nothing to do with a communication. These SMPs already told us they’re also getting photos. They also don’t comment, one way or another, about location.

(12) As with NSA under 12333 but not their old 702 SMPs, FBI has to consult with GC on whether something is privileged. Doesn’t that suggest you already haven’t protected it enough? But note how weak the “shall consult as appropriate” language is.

(12) Most of the Attorney Client language is redacted, but it seems they primarily focus on stuff targeted at that person, and not necessarily other data.

(13) It’s very clear, however, that the FBI permits itself to listen to protected communications, even those who have been charged locally.

(16) It appears NSA has a fairly persistent post-tasking problem determining location (is this just upstream collection?). I wonder if this passage was a response to the 2012 IG Report.

(17) Paragraph 3 affirmatively ensures that USP identities “are accessible when a search or query is conducted or made of FISA-acquired information.” I’m curious how this works, above, when some of this might not show up in queries. I’m just as interested by the “when a search or query is conducted or made.” Why use this construction? Does this suggest something about searches that are substantively different than queries?

(17) Who all is included in “others working at [prosecutors] discretion”?

(19) Prosecutors can access raw FISA data with Assistant Director approval.

(20) FBI has a retention exemption of metadata:

The FBI is authorized to retain data in electronic and data storage systems other than those solely used for link analysis of metadata…

(20) FBI can retain data it has never reviewed longer than 5 years if they say it contains “significant foreign intelligence information.”

(20) Even after deciding information is not FI, it will be retained for an additional period after the certification used to collect it expires. Apparently, if that data responds to a search, the searcher must get approval from the Assistant Director or that person’s designee to gain full access to this info. What officially counts as the expiration date, I’m not sure. Note that if this is held in an ad hoc database, it gets destroyed 5 years after the expiration of the cert.

(24) Does paragraph 2 say this doesn’t get audited as closely as more established databases?

(24) Of course there’s the indefinite decryption provision (though it is triggered when the data is “subject to cryptanalysis”).

(25) Interesting redaction of FBI’s analytical techniques. Does that hide that FBI is permitted more pattern analysis than NSA, which is supposed to be limited for some of this to link analysis?

(28) FBI makes a dissemination distinction between foreign intelligence info (related to a threat), which can include USP data, and foreign power intelligence (not), which can only include USP data if necessary.

(28) This section does not list the crimes that Bob Litt listed (except for child porn).

(29) Go back and compare foreign govt redactions with 2006 SMPs.

(30) Why doesn’t FBI have to report foreign disseminations to foreign govts?

(32) I think the NCTC language is designed to hand entire investigative files over (by case type — so presumably using a terrorism designation). This would seem to include significant tangential data. Also, is this limited to foreign terrorism?

(33) I believe the language in the computer intrusion dissemination is more lenient than language on info sharing.

(33) The serious harm designation matches NSA’s, in that it permits serious harm to property.

(21) Note how the original copy gets saved for 5 years but then can still be granted on a case-by-case basis. How?

(21) Paragraph 3 doesn’t say it, but the “any other form” must be the 20/30 year retention practices.

(22) Retention for time outside of retention limits for litigation reasons must be documented. Where? Is it kept with the investigative file? Would defense attorneys ever learn of it?

(23) The ad hoc section repeats the “unconsenting” language, again raising questions of whether they’re making a Third Party doctrine argument.

(##) A general comment. Other SMPs state very clearly what they mean by “US person identity” (these focus only on USP). We know from Section 215 discussions that FBI fights for very liberal definitions of what counts as an identifier (presumably not counting a unique email or phone number). So presume that applies here as well.

Judge White Makes Crucial Error While Capitulating to State Secrets, Again

Judge Jeffrey White, who has been presiding over the EFF’s challenges to warrantless wiretapping since Vaughn Walker retired, just threw out part of Carolyn Jewel’s challenge to the dragnet on standing and state secrets grounds (h/t Mike Scarcella).

Based on the public record, the Court finds that the Plaintiffs have failed to establish a sufficient factual basis to find they have standing to sue under the Fourth Amendment regarding the possible interception of their Internet communications. Further, having reviewed the Government Defendants’ classified submissions, the Court finds that the Claim must be dismissed because even if Plaintiffs could establish standing, a potential Fourth Amendment Claim would have to be dismissed on the basis that any possible defenses would require impermissible disclosure of state secret information.

White also does what no self-respecting judge should ever do: cite Sammy Alito on Amnesty’s “speculative” claims about Section 702 collection in Amnesty v. Clapper, which have since been proven to be based off false government claims.

In Clapper, the Court found that allegations that plaintiffs’ communications were intercepted were too speculative, attenuated, and indirect to establish injury in fact that was fairly traceable to the governmental surveillance activities. Id. at 1147-50. The Clapper Court held that plaintiffs lacked standing to challenge NSA surveillance under FISA because their “highly speculative fear” that they would be targeted by surveillance relied on a “speculative chain of possibilities” insufficient to establish a “certainly impending” injury.

Also along the way, White claims the plaintiffs had made errors in their depiction of the upstream dragnet.

But I’m fairly certain he has done the same when he claims that only specific communications accounts can be targeted under both PRISM and upstream Section 702 collection.

Once designated by the NSA as a target, the NSA tries to identify a specific means by which the target communicates, such as an e-mail address or telephone number. That identifier is referred to as a “selector.” Selectors are only specific communications accounts, addresses, or identifiers. (See id; see also Privacy and Civil Liberties Oversight Board Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (“PCLOB Report”) at 32-33, 36.)

Indeed, his citation to PCLOB doesn’t support his point at all. Here are what I guess he means to be the relevant sections.

The Section 702 certifications permit non-U.S. persons to be targeted only through the “tasking” of what are called “selectors.” A selector must be a specific communications facility that is assessed to be used by the target, such as the target’s email address or telephone number. Thus, in the terminology of Section 702, people (non-U.S. persons reasonably believed to be located outside the United States) are targeted; selectors (e.g., email addresses, telephone numbers) are tasked.

[snip]

Because such terms would not identify specific communications facilities, selectors may not be key words (such as “bomb” or “attack”), or the names of targeted individuals (“Osama Bin Laden”). Under the NSA targeting procedures, if a U.S. person or a person located in the United States is determined to be a user of a selector, that selector may not be tasked to Section 702 acquisition or must be promptly detasked if the selector has already been tasked.

[snip]

The process of tasking selectors to acquire Internet transactions is similar to tasking selectors to PRISM and upstream telephony acquisition, but the actual acquisition is substantially different. Like PRISM and upstream telephony acquisition, the NSA may only target non-U.S. persons by tasking specific selectors to upstream Internet transaction collection. And, like other forms of Section 702 collection, selectors tasked for upstream Internet transaction collection must be specific selectors (such as an email address), and may not be key words or the names of targeted individuals.

First of all, unless they’ve changed the meaning of “such as” and “for example,” PCLOB’s use of email and telephone numbers is not exhaustive (though it does mirror the party line witnesses before PCLOB used, and accurately reflects PCLOB’s irresponsible silence on the use of 702 — upstream and downstream — for cybersecurity, even after ODNI has written publicly on the topic). Indeed, the NSA uses other selectors, including cyberattack signatures, in addition to things more traditionally considered a selector.

And given the government’s past, documented, expansion of the term “facility” beyond all meaning, there’s no reason to believe the government’s use of “use” distinguishes appropriately between participants in communications.

Ah well, all that discussion probably counts as a state secret. A concept which is getting more and more farcical every year.

Update: Clarified to note this is only partial summary judgment.

DOJ IG Michael Horowitz Points Out How Premature 215 Reauthorization Would Be. Again.

Back in November, I pointed out how batshit crazy it was to rush to pass USA Freedom Act — legislation purporting to provide new transparency requirements and requiring new IG Reports — when a report that was pending for 1,616 days was being held up in declassification review.

Today, in a report on the most significant challenges faced by the government, the IG explains what happened to the review: it is caught up in declassification review.

Ongoing OIG work, such as our reviews of the Department’s requests for and use of business records under Section 215 of the USA PATRIOT Reauthorization Act and the Department’s use of pen register and trap-and-trace devices under the Foreign Intelligence Surveillance Act (FISA), also address privacy concerns implicated by the use of national security authorities to collect data. Although the OIG completed both of these reviews months ago, and we have provided classified briefings to Congress regarding them, we have been unable to release the classified reports to Congress or non-classified reports to the public because the classification review being conducted by the intelligence community, which includes the FBI, is still ongoing.

This is craziness! Congress is actively legislating on this topic … tomorrow! There’s also the matter of the secret FBI PRTT program, that I strongly suspect is a location dragnet, which this report likely covers.

But the IC is suppressing a report that has been in the works for over 4 years with a slow declassification review?

My common sense observation that we should not pass new legislation on Section 215 without benefitting from an independent review of what really happened back in 2009 (and to a lesser degree, what was going on now, and what has been going on with PRTT) was met with a remarkable din of crickets.

Today, DOJ Inspector General Michael Horowitz made the same point again.

Department of Justice Inspector General Michael E. Horowitz today issued a classified report entitled, The Federal Bureau of Investigation’s Use of Section 215 Orders: Assessment of Progress in Implementing Recommendations and Examination of Use in 2007 through 2009. The Department of Justice (DOJ) Office of the Inspector General (OIG) provided a final draft of the report to the Intelligence Community in June 2014 for a classification review, but the OIG has not been informed of when that review will be completed. We have therefore provided today’s classified report, with certain information redacted, to the relevant Congressional oversight and intelligence committees, as well as to DOJ leadership offices. We will issue a public, unclassified version of the report, with any necessary redactions, at the conclusion of a separate and final classification review currently being conducted by the FBI.

If anyone is counting (well, I am) that review has now been pending for 1,701 days.

Um, hello??? How can the IC be considered a good faith partner in passing dragnet reform, including requirements for IG review, if by stalling for over 6 months on declassification it can make such IG review useless?

Why Did ODNI Fight So Hard to Hide the Census Opinion?

Congratulations to EFF, which yesterday liberated another document on Section 215: a 2010 OLC opinion finding that the Department of Commerce (then counseled by Cameron Kerry who, curiously enough, hosted the Bob Litt speech the other day) did not have to turn over data to the FBI under Section 215 (which was the only one of many statutes it reviewed that OLC considered possibly binding).

After reviewing a bunch of legislative language on both Congress’ intent to provide affirmative confidentiality to census data and on its silence on census data during the PATRIOT Act reauthorization debates, Deputy Assistant Attorney General Jeannie Rhee concluded,

We therefore conclude that section 215 should not be construed to repeal otherwise applicable Census Act protections for covered census information, such that they would require their disclosure by the Department of Commerce. Because no other Patriot Act provision that you have identified, nor any such provision that we have separately reviewed, would appear to have that effect, we agree that the Patriot Act, as amended, does not alter the confidentiality protections in sections 8, 9, and 214 of the Census Act in a manner that could require the Secretary of Commerce to disclose such information.

Many outlets are hailing this as OLC noting some limits to the otherwise unlimited demands the government thinks it can make under Section 215.

But I’m left puzzled.

Why did the Administration fight so hard to keep this secret? This suit has been going on for years, and ODNI tried to keep this secret long after reams of more interesting — and more classified — information got released on the phone dragnet and related authorities.

I can think of several possible reasons (and these are all speculative):

FISC decisions

Perhaps the government thinks this might endanger FISC’s decision that Section 215 does repeal two other privacy statutes. In 2008, Judge Reggie Walton found that Section 215 overrode the privacy protections for call data under ECPA [SCA]. And in 2010, John Bates found that it overrode the privacy protections in RFPA. Effectively, both decisions found that the government could do with Section 215 (and court review) what the FBI could otherwise do with NSLs. But of course, by doing them under Section 215, the government managed to do them in greater bulk, and probably with some exotic requests added in. At least the ECPA opinion was probably elicited by DOJ IG pointing out that the NSL rule did prevent other access to such data. In both opinions, the FISC reviewed the absence of legislative language and used it to conclude something dissimilar to what OLC concluded here: that in the absence of language, it provided permission. Does ODNI think the publication of this OLC opinion will make it easier to challenge the use of Section 215 for phone and financial records?

Update: This passage, from ACLU’s challenge to the phone dragnet, more eloquently suggests this is precisely why ODNI wanted to bury this opinion. It cites the importance of statutory construction, and then ties it to earlier statements on the Census Act.

On its face, Section 215 provides the government with general authority to compel the disclosure of tangible things. However, the Stored Communications Act (“SCA”) specifically addresses the circumstances in which the government can compel the disclosure of phone records in particular. The SCA provision states that a “provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service . . . to any governmental entity.” 18 U.S.C. § 2702(a)(3). While the SCA provision lists exceptions to its otherwise categorical prohibition, see id. §§ 2702(c), 2703, Section 215 is not among them. This omission is particularly notable because Congress enacted sections 2702(c) and 2703 in the same bill as Section 215.

The district court held that Section 215 constitutes an implicit exception to Section 2702 because Section 215 orders “are functionally equivalent to grand jury subpoenas.” SPA027. But well-settled rules of statutory construction require that the list of exceptions in section 2702 and 2703 be treated as exhaustive. See United States v. Smith, 499 U.S. 160, 167 (1991) (“Where Congress explicitly enumerates certain exceptions . . . additional exceptions are not to be implied, in the absence of evidence of a contrary legislative intent.” (quotation marks omitted)). Congress has enacted a comprehensive scheme to regulate the government’s collection of electronic communications and records relating to those communications. That comprehensive scheme, which addresses the precise circumstances in which the government can collect the records at issue in this case, must be given precedence over provisions that are more general. See In re Stoltz, 315 F.3d 80, 93 (2d Cir. 2002) (holding that it is a “basic principle of statutory construction that a specific statute . . . controls over a general provision” (quoting HCSC–Laundry v. United States, 450 U.S. 1, 6 (1981))); see also PCLOB Report 92–93.

Indeed, the Justice Department has itself acknowledged that it would contravene the structure of the SCA to “infer additional exceptions” to the “background rule of privacy” set out in section 2702(a). See Office of Legal Counsel, Memorandum Opinion for the General Counsel [of the] FBI: Requests for Information Under the Electronic Communications Privacy Act 3 (Nov. 5, 2008), http://1.usa.gov/1e5GbvC (concluding that the FBI could not use national security letters to compel the production of records beyond those specifically exempted from the general privacy rule). Moreover, it has acknowledged that principle with respect to Section 215 itself, concluding that the statute does not override the privacy protections of the Census Act, 13 U.S.C. §§ 8, 9, 214. Letter from Ronald Weich, Assistant Attorney General, to Hon. Nydia Velázquez, Chair, Congressional Hispanic Caucus, U.S. House of Representatives (Mar. 3, 2010), http://wapo.st/aEsETd. [my emphasis]

The Second Circuit already sounded like it wanted to boot the dragnet on statutory grounds (if they did, doing so should have the same effect for financial records as well). And the release of this opinion may well help them do that.

Presumptive Section 215 Collection

In 2010, this OLC memo reveals, DOJ’s National Security Division — then headed by David Kris — believed that the government ought to be able to use Section 215 to obtain raw census data (the rest of DOJ, curiously, did not agree). Kris lost that battle.

But data very similar to census data is readily available, from private marketing brokers. If NSD saw the need to obtain this kind of data, it’s not clear what would prevent the government from just obtaining very similar data from marketing firms. Should we assume it has done so?

Census data in racial profiling

I also wonder whether this came up in the context of ways both the NYPD (with CIA assist) and FBI have used census data to conduct their racial profiling efforts. Both have relied on published (aggregated) census data to find which neighborhoods to spy on. Was there some kind of effort to fine tune this racial profiling by using the underlying data?

NCTC’s access to internal databases

Finally, I wonder whether ODNI’s reticence about this OLC opinion pertains to its own National Counterterrorism Center guidelines on information sharing, which permit NCTC to demand entire databases from other government agencies if it says the database includes information on terrorists (effectively making us all terrorists). Discussions about doing so started in 2011 and resulted in broad new data sharing guidelines in 2012, so that change actually took place after this opinion. Also note the opinion’s interesting timing: January 4, 2010, so probably too soon after the UndieBomb attempt on Christmas day in 2009 to be considered part of the expanded information sharing that happened after that attack, though not so long after the Nidal Hasan attack.

Whatever the timing, I’m curious how this opinion has influenced discussions about and limits to that data-sharing initiative — and how it should have influenced such data sharing?