Bob Litt: No Contingency Plans for Section 215

A month into the new Congress, neither USA Freedom Act nor a replacement has been reintroduced. Which has led to a discussion of what will happen if Section 215 sunsets in June.

I hope to do my own piece on all of what happens if Section 215 sunsets in June. But in the meantime, I want to point to three things Bob Litt said in his speech on the topic yesterday. In his prepared speech, Litt defended the program and then re-endorsed USA Freedom with the caveats of his letter to Patrick Leahy on it. First, note a few details here.

Finally, the President directed specific steps to address concerns about the bulk collection of telephone metadata pursuant to FISA Court order under Section 215 of the USA PATRIOT Act. You’ll recall that this was the program set up to fix a gap identified in the wake of 9/11, to provide a tool that can identify potential domestic confederates of foreign terrorists. I won’t explain in detail this program and the extensive controls it operates under, because by now most of you are familiar with it, but there is a wealth of information about it available at IContheRecord.

Litt doubles down on the claim that the phone dragnet closes a “gap” that never existed. And he suggests this is solely about “identifying potential domestic confederates” of foreigners. Not only does that obscure that it also serves to identify networks here in the US (as it did after the Marathon bombing, and with Najibullah Zazi), but two court filings admit that it is also about identifying potential informants on networks of interest, not finding confederates. It also helps NSA to identify which conversations to prioritize for translation or other analysis (meaning it necessarily ties directly to content).

Which is why I find it interesting what Litt says immediately after that disingenuous description of how the phone dragnet is used.

Some have claimed that this program is illegal or unconstitutional, though the vast majority of judges who have considered it to date have determined that it is lawful. People have also claimed that the program is useless because they say it’s never stopped a terrorist plot. While we have provided examples where the program has proved valuable, I don’t happen to think that the number of plots foiled is the only metric to assess it; it’s more like an insurance policy, which provides valuable protection even though you may never have to file a claim. And because the program involves only metadata about communications and is subject to strict limitations and controls, the privacy concerns that it raises, while not non-existent, are far less substantial than if we were collecting the full content of those communications.

Twenty months after Snowden first revealed the phone dragnet, the IC is not admitting what or how this is used (and is maintaining the charade that there aren’t legal problems with having proclaimed everything relevant to terrorism in secret).

Even so, the President recognized the public concerns about this program and ordered that several steps be taken immediately to limit it. In particular, except in emergency situations NSA must now obtain the FISA court’s advance agreement that there is a reasonable articulable suspicion that a number being used to query the database is associated with specific foreign terrorist organizations. And the results that an analyst actually gets back from a query are now limited to numbers in direct contact with the query number and numbers in contact with those numbers – what we call “two hops” instead of three, as it used to be.

Fact check: The current language of the dragnet orders permits chaining on “connections,” not “contacts.”

Longer term, the President directed us to find a way to preserve the essential capabilities of this program without having the government hold the metadata in bulk. In furtherance of this direction, we worked extensively with Congress, on a bipartisan basis, and with privacy and civil liberties groups, on the USA FREEDOM Act. This was not a perfect bill. It went further than some proponents of national security would wish, and it did not go as far as some advocacy groups would wish. But it was the product of a series of compromises, and if enacted it would have accomplished the President’s goal: it would have prohibited bulk collection under Section 215 and several other authorities, while authorizing a new mechanism that – based on telecommunications providers’ current practice in retaining telephone metadata – would have preserved the essential capabilities of the existing program. Having invested a great deal of time in those negotiations, I was personally disappointed that the Senate failed by two votes to advance this bill, and with Section 215 sunsetting on June 1 of this year, I hope that the Congress acts expeditiously to pass the USA FREEDOM Act or another bill that accomplishes the President’s goal.

As a reminder, when Bob Litt says, “bulk collection,” he is not using common English usage. He is instead referring to the collection of stuff with no discriminators. So the aspiration to collect “all” phone records is bulk under his definition, but the aspiration to collect all US-to-foreign money transfers is not because the latter uses a discriminator (US-to-foreign).

Also note that Litt claims this is based on “telecommunications providers’ current practices,” which is when (during the speech) I started tweeting requests for a divorce lawyer to subpoena some 20-month-old Verizon records. Last summer, Verizon said in sworn testimony they only kept records 12 to 18 months, though during the debate Dianne Feinstein revealed they and another carrier had agreed “voluntarily” to keep their phone records 2 years. So has Verizon already extended how long it keeps these records? Or is Bob Litt fibbing here? (My bet is they haven’t, because my bet is that “voluntary” retention would have been worked into the new compensation mechanisms of the USA Freedom Act.)

After that endorsement for USAF or another bill to pass before the Section 215 sunset, Litt got two more questions on the topic (in addition to one on the FISC advocate, to which he responded that he’d like the weak-tea advocate of his interpretation of the bill).

In the first question, Cameron Kerry asked what happens if Section 215 sunsets. Litt responded (my transcription):

Good question. The President said he wants to have a mechanism that preserves the essential capabilities of the bulk collection program that we have now without the bulk collection. There’s a proposal up there that would accomplish that. I’m hopeful that we will get that passed. If it sunsets, if it goes away, obviously the program will end. We’ll also lose other authorities that are under the same section, which have nothing to do with bulk collection whatsoever. So at this point we’re still far enough away that I think that we’re not doing extensive contingency planning other than trying to map out the legislative way to get something passed that will accomplish the President’s goals.

One thing to emphasize here — which no one I saw noted — is Litt focuses on the “essential capabilities” of the existing program. That’s not just phone records for contact chaining, as I pointed out above. It includes connection chaining, which I strongly suspect is part of the problem with current compliance.

That is, it would not be enough to just get phone records, because that likely doesn’t give all the parameters for “connections” that are currently in place.

Furthermore, as Litt points out but others have not, if Section 215 sunsets, the IC loses the current authorization they’re using for the phone dragnet, but also the authorizations for what are probably several other bulky programs (the aforementioned money transfer one, one targeted at hotel rooms which might be imperiled anyway because of a pending SCOTUS case, and one or ones targeted at the purchase records of explosive precursors like fertilizer, acetone, hydrogen peroxide, and possibly pressure cookers). In addition, the FBI would lose the ability to get certain Internet records that providers have been able to refuse NSLs for; these currently make up the majority of Section 215 orders (given that I Con the Record said the IC had had 161 phone dragnet targets last year and there were around 180 Section 215 orders, there may well have been more of these Internet requests last year than phone dragnet targets).

Even if there are alternatives for the phone dragnet (I see problems with meeting the government’s goals, rather than just getting phone records, using either PRTT or NSLs), alternatives would be more difficult for the others, including the Internet one (for reasons I don’t understand). That is, a sunset of Section 215 comes with additional costs for the government that not passing USAF (which would close existing gaps) doesn’t.

Not long after this exchange, another questioner asked, “Does this mean government won’t take advantage of ways to extend the phone dragnet,” apparently referring to this Charlie Savage report suggesting the government could just continue because the underlying investigations are ongoing.

Litt responded by saying there’d be problems to continue to do the dragnet “under this authority.”

I don’t think we’ve thought a lot about contingency plans. I think that if, there’s obviously, I don’t think I’m revealing any deep secrets here. There’s obviously a somewhat more substantial political hurdle in saying, Yes Congress, we know you didn’t reauthorize this but we’re going to go ahead and do it anyway under this authority. We’ll just — I’m hopeful we’ll never have to confront those issues.

While that definitely suggests Litt would advise against continuing the dragnet under Section 215, he was very specific about using Section 215 here, as opposed to some other authority.

Which brings me back to my take. I do believe the government could get some subset of phone records using PRTT or NSLs. But there is a reason why the Administration has resisted calls — specifically saying there are non-technical (suggesting legal) problems with doing so. At the very least, they’re holding out to get the immunity and compensation and provider assistance Congress would be trading for a few small reforms.

But I think they need that package — immunity, compensation, and provider assistance — to do what they want to be done. And they’re not going to get it under PRTT or NSL.

Remember, the President’s Review Group Consulted with ATF

In a follow-up to its release on the DEA’s use of a license plate reader database the other day, ACLU reveals an email that shows ATF in Phoenix considered using the database to track people leaving gun shows in April 2009.

The April 2009 email states that “DEA Phoenix Division Office is working closely with ATF on attacking the guns going to [redacted] and the gun shows, to include programs/operation with LPRs at the gun shows.” The government redacted the rest of the email, but when we received this document we concluded that these agencies used license plate readers to collect information about law-abiding citizens attending gun shows. An automatic license plate reader cannot distinguish between people transporting illegal guns and those transporting legal guns, or no guns at all; it only documents the presence of any car driving to the event. Mere attendance at a gun show, it appeared, would have been enough to have one’s presence noted in a DEA database.

Responding to inquiries about the document, the DEA said that the monitoring of gun shows was merely a proposal and was never implemented.

Given the timing, location, and target — 2009, Arizona, and legal permanent residents, or Green Card holders — this consideration intersects interestingly with Fast and Furious.

But don’t worry, DEA says, this was just a consideration, tracking the movements of legal gun show attendees didn’t really happen.

All that said, I couldn’t help but remember that among the more obvious intelligence agencies the President’s Review Group into the NSA consulted in 2013 was ATF, which suggests that ATF is using at least some of the nifty toys NSA is using. As I noted at the time, that may be quite explicable, in that Section 215 has been used to track explosives precursors (and probably has been used to track acetone and hydrogen peroxide, which are TATP precursors, fertilizer, and maybe even pressure cookers).

But the fact that ATF is considering tapping into other agencies’ dragnets does raise further questions for me about why the PRG would need to consult with ATF.

Working Thread on DOJ IG Report on 702

Charlie Savage liberated a 2012 Inspector General Report on Section 702 which he wrote about here. Here’s my working thread on the report.

Cover: This was released sometime (undated) in September 2012. Around that time, Pat Leahy was complaining they hadn’t received everything from Inspectors General they were due. That said, there was a counterpart NSA report that initially said there had been violations, but after its release changed its mind.

(ix) IG had to rely on “a former senior Justice Department official” for details on the 2007 fight.

(x) No mention of the extension in February for PAA, or the approval process.

(xii) Note the b7E (law enforcement method) in redaction on this page.

(xiii) During the period of IG’s review, only NSA could initiate targets.

(xiv) Note the PRISM reference, which is the second way FBI reviews selectors (presumably for certain kinds of investigations, likely CT ones).

(xvi, footnote 9) NSA got snippy at the suggestion that FBI didn’t have authority to override NSA, it appears.

(xvi) Note the discussion of some “factor” the NSA uses to determine foreignness. I find it particularly interesting that the FBI IG found this legit because FISC had already approved it outside the FAA context.

(xvii footnote 10) NSA’s targeting procedures remained the same throughout the review period. But we know NSA changed them in 2011.

(xxii) This section describes that FBI would start nominating selectors in 2012.

(xxii) Report says it was being finalized in April 2012, which suggests another long delay in agency review.

(xxii) Late 2007, ODNI Civ Libs raised concerns about people who had traveled to the US. This is interesting given the discussion of the Yahoo case.

(xxv) FBI got a draft of this in February 2012. Also, FBI wasn’t doing its yearly reviews of what USP data it had gotten.

(xxv) FBI submitted its 2010 and 2011 annual reviews on May 22, 2012. They were received too late for DOJ IG to consider them here.

(xxvii) Claims the first time FBI dual routed data was October 14, 2009.


The Latest Phone Dragnet Addition: Imminent Death Overrides

As I noted in this post, I Con the Record has released the latest phone dragnet order, this one signed by Oregon judge Michael Mosman.

As with the last order (which added language ensuring the government do a First Amendment review even when obtaining emergency orders), this one made a subtle, but potentially very significant addition. In a long-running footnote noting that technical controls prevented analysts from chaining on a selector that was not RAS approved,

[Screenshot: the footnote as it appeared in the prior order]

This order added language noting that NSA could override those controls in case of imminent threat to human life.

[Screenshot: the footnote in the new order, with the added “imminent threat to human life” language]

I’m glad they specify “human life” here — because elsewhere NSA has defined “life” to include “property.” And if this is truly about overriding technical controls in case of threat to life, I’m fine with the change. And while the footnote isn’t terrifically clear, I assume this might be used (and since it shows up in the order, might have been used) in a case where NSA was sure a selector was Reasonably Associated with a terrorist affiliate, but had not gone through the formal approval process yet, and therefore had to override the software.

All that said, one thing I saw a remarkable amount of in the IOB reports was software controls (particularly purging functions, but also access controls) that weren’t working as intended.

Let’s hope this is just a way to turn off the safeguards in cases where it is really necessary, and not another (as the IOB repeatedly calls software failures) “glitch.”

Michael Mosman’s Interesting 10 Days

On November 24, 2014, Oregon District Court Judge Michael Mosman issued a somewhat curious order explaining his decision, issued 3 days earlier, not to grant Raez Qadir Khan notice of all the surveillance authorities used to investigate him.

While Mosman loves efficiency, he explained, the time was not yet ripe for the issues raised in Khan’s effort to learn how he had been linked to an associate who had conducted a suicide bombing in Pakistan in 2009. But — Mosman promised —

The day will come when the standing, collection, and other issues foreshadowed in this motion will be litigated in this case. Due to the constraints of CIPA, properly applied in this case, that day will come in the next round of motions, without the narrowing of issues that detailed disclosure would allow.

Ten days after signing that order, Mosman signed another one: the latest authorization for the dragnet. In doing so, not only did he authorize the collection of the call records of Khan and Khan’s lawyer Amy Baggio (as well as those of ACLU lawyers Jameel Jaffer and Pat Toomey; they joined this case in mid-December) — remember that Khan’s conversations with several lawyers were spied on by FBI over the course of their investigation of him.

But by signing the order, Mosman also signed something that has long been in the dragnet orders but — as far as I can tell — utterly ignored: that it envisions the use of the dragnet for exculpatory information.

Early in this case, Khan challenged Mosman’s ability to serve both as trial judge and as FISC judge, a challenge Mosman dismissed.

It will be interesting to see how he handles both roles going forward.

If IPs Are So Solid, Why Won’t FBI Tell Us How Many Americans Get Sucked Up in Section 702?

By his own admission, James Clapper had dinner with the North Korean General who (again, according to Clapper) ordered the hack on Sony just weeks before the hack happened. That puts him at most two degrees away from the actual hackers, according to the evidence presented by Clapper and Jim Comey. According to the Intelligence Community’s at times naive analytical game of Three Degrees of Osama bin Laden — one which has repeatedly targeted negotiators, as Clapper was in November, rather than culprits — Clapper should be sanctioned along with all the others President Obama has targeted.

That is, of course, absurd. We know James Clapper. And while his word may have not much more credibility at this point than Kim Jong-Un’s, that doesn’t mean his effort to negotiate a hostage release (and whatever else he and North Korea believed was being discussed at the time) makes him a culprit in the hack.

But I think the thought experiment provides useful background to consideration of Comey’s further explanation — littered with infantilizing language about bad guys and the “very dark jobs” of FBI’s behavioral analysts who “profile bad actors” — of why he and the rest of the Intelligence Community are so certain North Korea, the country, did the Sony hack.

Comey says the data deletion used in the hack was used by “the North Koreans” in the past (his conflation of “North Koreans” and “North Korea” continues throughout).

You know the technical analysis of the data deletion malware from the attack shows clear links to other malware that we know the North Koreans previously developed. The tools in the Sony attack bore striking similarities to another cyber attack the North Koreans conducted against South Korean banks and media outlets. We’ve done a—I have, as you know from watching Silence of the Lambs—about people who sit at Quantico, very dark jobs. Their jobs are to try to understand the minds of bad actors. That’s our behavioral analysis unit. We put them to work studying the statement, the writings, the diction of the people involved claiming to be the so-called guardians of peace in this attack and compared it to other attacks we know the North Koreans have done. And they say, “Easy. For us it’s the same actors.”

(See Errata for some nuance about that claim.)

Comey then explained how the IC (but not outside skeptics) red teamed the IC’s own conclusions.

We brought in a red team from all across the intelligence community and said let’s hack at this. What else could be explaining this? What other explanations might there be? What might be missing? What competing hypotheses might there be? Evaluate possible alternatives—what might be missing? And we ended up in the same place.

Then, before Comey admitted that FBI still doesn’t know how “the North Koreans” hacked their way into Sony, Comey offered this detail to rebut the outside skeptics’ concerns.

Now I know because I’ve read in the newspaper—seen in the news—that some serious folks have suggested that we have it wrong. I would suggest—not suggesting, I’m saying—that they don’t have the facts that I have—don’t see what I see—but there are a couple things I have urged the intelligence community to declassify that I will tell you right now.

The Guardians of Peace would send e-mails threatening Sony employees and would post online various statements explaining their work. And in nearly every case they used proxy servers to disguise where they were coming from. And sending those e-mails and then sending and pasting and posting those statements.

And several times they got sloppy. Several times either because they forgot or because they had a technical problem they connected directly and we could see them. And we could see that the IP addresses being used to post and to send the e-mails were coming from IPs that were exclusively used by the North Koreans. It was a mistake by them that we haven’t told you about before that was a very clear indication of who was doing this. They shut it off very quickly once they realized the mistake. But not before we knew where it was coming from.

That is, Comey’s new tell — which has, with apparent other leaking about a Facebook account from Mandiant, gotten headlines — is that the FBI identified the hackers using “IPs that were exclusively used by the North Koreans.” [my emphasis]

Let me interject here and remind you that NSA and the FBI refuse to count how many US persons get sucked up in Section 702 upstream and PRISM collection because IPs aren’t a reliable indicator of the location of a person. The USA Freedom Act, by law, excluded any consideration of IP (frankly, any consideration of Internet location at all) from its obligation to report on the location of people sucked up in the dragnet. According to the FBI, tracking location based off anything but a (US based) phone number is too onerous for the Bureau.

IP is unreliable when it comes to transparency on the FBI, but rock solid when it comes to claims of attribution.

Now, I admit that’s a very different thing than spending months and years tracking one IP and attributing it to one particular actor.

But as Jeffrey Carr notes, even there the FBI’s claims have problems. He points out that the claims Comey made yesterday are remarkably similar to those used to attribute the Dark Seoul attack in 2013.

This sounded remarkably similar to the mistake made by the alleged North Korean hackers in the Dark Seoul attack of March 2013:

“SEOUL – A technical blunder by a hacker appears to have reinforced what South Korea has long suspected: North Korea has been behind several hacking attacks on South Korea in recent years…. The hacker exposed the IP address (175.45.178.xx) for up to several minutes due to technical problems in a communication network, giving South Korea a rare clue into tracing the origin of the hacking attack that took place on March 20, according to South Korean officials.”

The evidence that the FBI believes it has against the DPRK in the Sony attack stems from the data that it received on the Dark Seoul attack last year from the private sector.

He then notes North Korea’s Internet isn’t as locked down as it was just a few years ago — and one possible point of entry is geographically close to the St. Regis Hotel increasingly pinpointed in such attacks.

However the easiest way to compromise a node on North Korea’s Internet is to go through its ISP – Star Joint Venture. Star JV is a joint venture between North Korea Post and Telecommunications Corporation and another joint venture – Loxley Pacific (Loxpac). Loxpac is a joint venture with Charring Thai Wire Beta, Loxley, Teltech (Finland), and Jarungthai (Taiwan).

I explored the Loxley connection as soon as this story broke, knowing that the FBI and the NSA was most likely relying on the myth of a “closed” North Korean Internet to base their attribution findings upon. Loxley is owned by one of Thailand’s most well-connected families and just 4 kilometers away is the five star St. Regis hotel where one of the hackers first dumped Sony’s files over the hotel’s WiFi. It would be a simple matter to gain access to Loxley’s or Loxpac’s network via an insider or through a spear phishing attack and then browse through NK’s intranet with trusted Loxpac credentials.

Once there, how hard would it be to compromise a server? According to HP’s North Korea Security Briefing (August 2014) it would be like stealing candy from a baby.

Now, none of that proves the FBI is wrong (just as none of it, without more proof, is enough to unquestioningly believe the FBI). I frankly am a lot more interested in what went on in Clapper’s meeting right now than I am in IP claims without more proof.

But if the FBI is going to claim that IP is a rock solid indicator of someone’s ID, then can it also tell us how many Americans it sucks up into the dragnet?

The NSA’s Funny Numbers, Again

Back when the WaPo published a quarterly NSA compliance audit from 2012, I caught the largest math organization in the world failing basic arithmetic. I’ve been comparing that report with the Intelligence Oversight Board report covering the same period, and I’m finding the numbers might, once again, not add up (though it’s hard to tell given the redactions).

According to NSA’s internal numbers, the organization had 865 violations in the first quarter of calendar year 2012 (670 EO 12333 violations and 195 FISA violations). Yet NSA described just 163 violations in depth (75 EO 12333 violations and 88 FISA violations, though further violations are likely hidden behind redactions in bulk descriptions).

Here’s how the numbers compare, broken down by category (I used the categories used in the IOB Report heading, unless the violation was clearly a roamer or a US Person).

[Screenshot: table comparing the internal audit counts with the IOB Report counts, by category]

Whereas some numbers are very close — such as for the illegal targeting of a US Person — there were other things, such as sharing a US person’s data or some fairly troubling unauthorized access violations not explicitly mentioned in the internal audit. Nor are unauthorized targeting and access mentioned as such.

And then there are all the “roamer” incidents, which apparently don’t all get reported to IOB (though you can definitely see an increase in them over the years), and which often look a lot less accidental when explained in the IOB report.

Then there are the rather measured descriptions the NSA gives IOB (which we’ve seen in other areas, as with the Internet dragnet, and which might be worst with the upstream violations).

Here’s what the NSA reported internally:

As of 16 February 2012, NSA determined that approximately 3,032 files containing call detail records potentially collected pursuant to prior BR Orders were retained on a server and been collected more than five years ago in violation of the 5-year retention period established for BR collection. Specifically, these files were retained on a server used by technical personnel working with the Business Records metadata to maintain documentation of provider feed data formats and performed background analysis to document why certain contact chaining rules were created. In addition to the BR work, this server also contains information related to the STELLARWIND program and files which do not appear to be related to either of these programs. NSA bases its determination that these files may be in violation of BR 11-191 because of the type of information contained in the files (i.e., call detail records), the access to the server by technical personnel who worked with the BR metadata, and the listed “creation date” for the files. It is possible that these files contain STELLARWIND data, despite the creation date. The STELLARWIND data could have been copied to this server, and that process could have changed the creation date to a timeframe that appears to indicate that they may contain BR metadata.

Here’s what NSA told the IOB about this violation:

[redacted] NSA determined that a technical service contained BR call detail records older than the approved five years. Approximately [redacted] records comprising approximately [fairly big redaction] records were retained for more than five years. The records were found on an access-controlled server that is used exclusively by technical personnel and is not accessible to intelligence analysts. [2 lines redacted]

Here’s what PCLOB had to say about this violation:

In one incident, NSA technical personnel discovered a technical server with nearly 3,000 files containing call detail records that were more than five years old, but that had not been destroyed in accordance with the applicable retention rules. These files were among those used in connection with a migration of call detail records to a new system. Because a single file may contain more than one call detail record, and because the files were promptly destroyed by agency technical personnel, the NSA could not provide an estimate regarding the volume of calling records that were retained beyond the five-year limit. The technical server in question was not available to intelligence analysts.

While it appears NSA managed to give IOB (completely redacted) numbers for the files involved, it appears PCLOB never got a clear count of how many were involved. It’s not clear that NSA ever admitted this data may have gotten mixed in with Stellar Wind data. No one seems to care that this was a double violation, because techs are supposed to destroy data when they’re done with it.

Though, if you ask me, you should wait to figure out why so many records were lying around a tech server before you destroy them all. But I’m kind of touchy that way.

One thing I realize is consistent between the internal audit and the IOB report. The NSA, probably the owner of the most powerful computers in the world, consistently uses the term “glitch” to describe software that doesn’t do what it is designed to do, namely keep people out of data they’re not supposed to have access to.

The glitches are letting us down.


What the Reporting on the Re-Released DOJ IG Report on Section 215 Missed about FBI’s Misuse of Terrorism Tools

I’ve been meaning to return to coverage of the re-release of the DOJ IG Reports on Section 215 liberated by Charlie Savage just before Christmas. I’ve been seeing a lot of focus on posts like this which “report” that FBI used NSLs to get data the FISA Court would not approve under Section 215 for First Amendment reasons. Such a focus drives me batshit for 3 reasons:

  • It is not news that the FBI used an NSL to get data the FISC deemed improper under the First Amendment
  • There are actual, current problems with NSL practice to be more concerned about
  • In addition, the FBI has been sitting on a current Section 215 IG Report

It is not news that the FBI used an NSL to get data the FISC deemed improper under the First Amendment

As I noted (and as most outlets seem to have missed), these two reports are re-releases of old DOJ IG reports, part of a series of re-released reports in response to a Charlie Savage lawsuit. And while this release is not quite so bad as the previous release — in which FBI actually reclassified previously public words! — there’s still very little that’s new. In addition to the phone dragnet appendix we’ve all been waiting for (which I wrote about here), the most significant newly released material pertains to how FBI shares Section 215 information with foreign governments (including the declassification of descriptions of that use, as on pages 27 and 29). The most interesting new material may be a reference on page 20 that reveals OIPR only temporarily stopped using combination orders in 2006 after the passage of the PATRIOT Reauthorization. This suggests they may have resumed using them to get location data, as I laid out here (and as clearly admitted by James Cole here).

But that’s, for the most part, it. There are only words here or there that are newly released.

Not only was the NSL-replacing-a-215-request not new, but there were congressional hearings on it when the report initially got released.

Indeed if you compare this passage from the original 2008 release:

[Screenshot: the passage as it appeared in the original 2008 release]

With the same passage from the re-release:

[Screenshot: the same passage in the re-release]


You can see that the revelation about the use of an NSL where the court had already rejected a Section 215 order has not changed (there are a few new words revealed elsewhere).

Read more

FISA “Physical Searches” of Raw Traffic Feeds, Hiding in Plain Sight?

I’m still trudging through NSA’s reports to the Intelligence Oversight Board, which were document dumped just before Christmas. In this post, I want to examine why NSA is redacting one FISA authority, starting with this section of the Q1 2011 report.

[Screenshot: the FISA section of the Q1 2011 IOB report, with one authority redacted]

By that point, the reports had acquired a bit more structure (this may have been Matt Olsen’s doing; he took over as NSA GC in 2010). Here’s what that Q1 2011 report looks like:

  • Violations
  1. EO 12333 violations
  2. FISA violations
  3. Unauthorized data retention
  4. Consensual collection
  5. Unauthorized retention of COMSEC
  6. Computer Network Exploitation (aka hacking, a section which is always entirely redacted and keeps growing in size)
  7. Counterintelligence
  8. Intelligence-related
  • OIG Inspections
  • Substantive changes to Intelligence Oversight
  • Changes to directives and policies
  • Procedures

The key change, though, is that the FISA section breaks down by authority, as seen in the Q1 2012 report, which is the most complete example of this:

  1. NSA/CSS Title I FISA
  2. [redacted]
  3. BR FISA (phone dragnet)
  4. PRTT (Internet dragnet)
  5. FAA
    1. 702
    2. 704
    3. 705(b)

After that Q1 2011 report, every single report has that redacted category in the same spot, and every single report redacts it (though I suppose it is possible that whatever is redacted there changes).

I wondered, briefly, if that meant NSA was using a secret authority, some new program that egregiously interpreted a law in a way no one could imagine, just like NSA redefined Section 215 and PRTT. But I don’t think that’s right.

Rather, I think NSA is making a rather pathetic effort to hide that it uses FISA’s physical search provision to obtain emails and other data “stored” in the cloud.

Remember that electronic surveillance (subchapter I of FISA, 50 USC 1801 et seq.) and physical search (subchapter II, 50 USC 1821 et seq.) are different authorities under FISA, each with its own notice requirement for defendants (1806(c) and 1825(d), respectively), though they are usually noticed in the same filing (as here to Reaz Qadir Khan). While it’s possible the redacted authority instead designates a different agency (remember that FBI is the front end on a lot of Internet collection), the analysts referred to in these sections are described as NSA analysts. So I suspect it distinguishes between the two types of individualized FISA orders. And it’d be hard to believe there were no IOB violations under the physical search provision, so it must be there somewhere.

Further, I suspect NSA is hiding what appears in some of these reports as a redacted unclassified detail because the descriptions make it clear NSA is querying out of raw traffic databases.

Read more

The IOB Reports on the Internet Dragnet Violations: “Nothing to Report”

I’ve been working through the NSA’s reports to the Intelligence Oversight Board. Given that we know so much about the phone and Internet dragnets, I have been particularly interested in how they got reported to the IOB.

By and large, though, they didn’t. Even though we know there were significant earlier violations (some of the phone dragnet violations appear in this timeline; there was an Internet violation under the first order and at least one more of unknown date), I believe neither gets any mention until the Q1 2009 report. These reports follow the government’s fiscal year calendar, which runs from October to September, so this report covers the last quarter of 2008. The Q1 2009 report explains a few (though not the most serious) 2008-related phone dragnet problems and then reveals the discovery of the alert list, which technically happened in Q2 2009.

Now, it may be that the IOB received other notice of the earlier violations. Or it may be that the NSA still treated them under the “reported to the President” loophole created for Stellar Wind. (That loophole was still in the reports in 2013, so they could still be using it today!)

In any case, with the notice of the phone dragnet orders in Q1 2009, NSA also listed the Internet dragnet, but said it had nothing to report.

Before its discussion of the known systemic phone dragnet problems, the Q2 2009 report includes this violation which doesn’t appear in this form (it may well be described in different fashion) in the other phone dragnet discussions.

On 7 January 2009, while searching collection [redacted] NSA analysts found BR FISA data included in the query results. Of the [redacted] selectors used in queries, only [redacted] had been approved under the reasonable articulable suspicion (RAS) standard. Although the numbers were associated with a foreign target, the selectors had not been approved for call chaining in the BR FISA data. The analyst did not know that approval must be sought for BR FISA[redacted–note, not space] call chaining. No data was retained, and no reports were issued.

I find it interesting because that’s precisely where the problem with the phone dragnet stemmed from: BR FISA data had gotten thrown into the EO 12333 data without any technical controls or markings. Indeed, it’s possible this is how the phone dragnet problems were first discovered.
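The “glitch” complaint above and this 7 January 2009 violation come down to the same missing control: records collected under different authorities sitting in one pool with no marking that a query can check, so an analyst chaining on a selector that was never RAS-approved pulls BR FISA data without anyone noticing. As an added illustration (my own code, not NSA’s and not anything in the IOB reports; the phone numbers, the record pool and the RAS approval list are all constructed), here is what such a marking and the query-time check look like, with the commingled behavior beside the gated one:

```python
from dataclasses import dataclass
from enum import Enum


class Authority(Enum):
    """Legal authority under which a record was collected: the 'marking'."""
    EO12333 = "EO 12333"
    BR_FISA = "BR FISA"      # Section 215 call records; RAS-approved selectors only
    UNMARKED = "unmarked"    # provenance lost, e.g. during a migration


@dataclass(frozen=True)
class CallRecord:
    caller: str
    callee: str
    authority: Authority

    def involves(self, selector: str) -> bool:
        return selector in (self.caller, self.callee)


# Constructed sample pool (555 numbers); not taken from any real collection.
RECORDS = [
    CallRecord("+1-202-555-0100", "+44-20-555-0101", Authority.EO12333),
    CallRecord("+1-202-555-0100", "+1-202-555-0155", Authority.BR_FISA),
    CallRecord("+44-20-555-0199", "+1-202-555-0160", Authority.BR_FISA),
    CallRecord("+44-20-555-0199", "+1-202-555-0161", Authority.UNMARKED),
    CallRecord("+44-20-555-0199", "+33-1-555-0170", Authority.EO12333),
]

# Hypothetical RAS approval list: only one selector is approved for BR FISA chaining.
RAS_APPROVED = {"+1-202-555-0100"}


def chain_commingled(records, selectors):
    """The failure mode: one pool, no provenance check, any selector hits everything."""
    return [r for r in records for sel in selectors if r.involves(sel)]


def chain_with_markings(records, selectors, ras_approved, audit):
    """Contact chaining gated on each record's marking.

    BR FISA records are returned only for RAS-approved selectors. Unmarked
    records are treated as the most restricted class (fail closed). Every
    suppressed hit is appended to `audit` so the attempt is visible.
    """
    results = []
    for sel in selectors:
        approved = sel in ras_approved
        for r in records:
            if not r.involves(sel):
                continue
            if r.authority is Authority.BR_FISA and not approved:
                audit.append(("blocked", sel, r.authority.value))
                continue
            if r.authority is Authority.UNMARKED:
                audit.append(("blocked", sel, r.authority.value))
                continue
            results.append(r)
    return results


def demo():
    """Run both query paths over the same pool with one unapproved selector."""
    selectors = ["+1-202-555-0100", "+44-20-555-0199"]  # second is not RAS-approved
    audit = []
    leaky = chain_commingled(RECORDS, selectors)
    gated = chain_with_markings(RECORDS, selectors, RAS_APPROVED, audit)
    return leaky, gated, audit


if __name__ == "__main__":
    leaky, gated, audit = demo()
    print(f"commingled: {len(leaky)} records returned, "
          f"{sum(r.authority is Authority.BR_FISA for r in leaky)} of them BR FISA")
    print(f"gated: {len(gated)} records returned, {len(audit)} hits blocked")
    for event in audit:
        print("  ", event)
```

The point of the unmarked branch is the one the IOB entries keep glossing over: once provenance is lost (as in the migration-server incident), the only safe default is to treat the data as if it were under the strictest authority in the pool, and to record the blocked query rather than silently return or silently drop it.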

It then has a three-paragraph description of the phone dragnet problems. Read more