The FBI PRTT Documents: Combined Orders

/5 Comments/in /by

As I noted the other day, I’m working through documents submitted in EPIC’s FOIA for PRTT documents (see all of EPIC’s documents on this case here).

In addition to the documents released (the reports to Congress, the extensive reporting on the Internet dragnet), the government submitted descriptions of what appear to be two (possibly three) sets of documents withheld: documents pertaining to orders combining a PRTT and Section 215 order, and documents pertaining to a secret technique, which we’ll call the Paragraph 31 technique. In this post I’ll examine the “combined order” documents.

The Vaughn Index for this FOIA made it clear that a number of the documents Withheld in Full (WIF) pertained to orders combing the Pen Register and Section 215 (Business Record) authorities, as does this list from David Hardy’s second declaration.

Screen Shot 2014-11-30 at 11.46.30 AM

Footnotes 3, 4, and 5 all note that these documents have already been successfully withheld in the EFF’s FOIA for Section 215 documents, and by comparing the page numbers in that Vaughn Index in that case, we can guess with some confidence that these orders are the following documents and dates:

  • Document 16 is EFF 89D, dated  2/17/2006, 17 pages
  • Document 17 is EFF 89K,  dated 2/24/2006, 8 pages

As I’ll show, this correlates with what we can glean from the DOJ IG Reports on Section 215.

I’m less certain about Document 12. Both the EFF and ACLU Vaughn Indices show a 10/31/06 document (it is 82C in the EFF Vaughn) that is the correct length, 4 pages, that is linked with another 10/31/06 document (see 82B and 84, for example). For a variety of reasons, however, I think we can’t rule out Document 89S which appears only in the EFF FOIA (but not the ACLU FOIA), which is dated December 16, 2005 (intriguingly, the day after NYT exposed Stellar Wind), in which case the withheld portion might be the relevant 4 pages of a longer 16 page order.

Read more

The Congressional PRTT Reports

/2 Comments/in , /by

Screen Shot 2014-11-28 at 11.29.07 AM

In addition to liberating the document dump pertaining to the Internet dragnet program. (See my working threads: onetwothreefourfive.), EPIC has been fighting several other parts of the FOIA for the PRTT documentation to Congress. I’m going to have three more posts on these materials. This post will comment on the reports to Congress, all of which (except the December 2006 one, which I’ll ask them to fix) are available here.

Here’s a summary of the changes from report to report.

  • April 2001 (covering July 2000 to December 2000): US persons described in sketches provided at request of SSCI, some applications filed in 1999, numbers not broken out by USP,  CIA not included, PRTT explicitly only FBI
  • December 2001 (covering first half 2001): signed by Jay Bybee as Acting, US persons described in sketches provided at request of SSCI,  PRTT explicitly only FBI
  • April 2002 (covering second half 2001): signed by Larry Thompson as Acting, 7 applications filed after PATRIOT, includes descriptions of the investigations as well as of USPs,  CIA not included, PRTT explicitly only FBI
  • December 2002 (covering first half 2002): signed by Ted Olson as Acting,  CIA not included, PRTT explicitly only FBI
  • September 2003 (covering second half of 2002): stop providing sketch of each American targeted; signed by John Ashcroft,  CIA not included, PRTT explicitly only FBI
  • December 2003 (covering first half of 2003): signed by John Ashcroft. mostly-redacted delayed PRTT approval for one target, CIA not included, PRTT explicitly only FBI
  • September 2004 (covering second half 2003): transmittal letters not included, not mentioned, CIA not included, PRTT explicitly only FBI
  • December 2004 (covering first half 2004): transmittal letters signed by AAG, first modifications, CIA not included, PRTT explicitly FBI and NSA
  • June 2005 (covering second half 2004): transmittal letters not included, not mentioned, modifications, the following report says that this report described combined orders, but that part is redacted (there is one footnote with a 7E exemption), CIA not included, PRTT not explicitly FBI and NSA
  • December 2005 (covering first half 2005): transmittal by AAG, definition of aggregate to include corporation etc, “at least” aggregate number, combined orders, modifications, CIA not included, PRTT not explicitly FBI and NSA
  • July 2006 (covering second half 2005) transmittal by AAG, definition of aggregate, delay from flood, “at least” aggregate number, more explicit description of combined with anticipation of end per PATRIOT, language on “scope of FISC jurisdiction,” modifications, CIA not included, PRTT not explicitly FBI and NSA
  • December 2006 (covering first half 2006): transmittal by Acting AAG, definition of aggregate, “at least” aggregate number, more explicit break out of combined, modifications, CIA not included, PRTT not explicitly FBI and NSA
  • June 2007 (covering second half 2006): transmittal letters not included, language on modifications and explanation for rise in number, reorganization of OIPR, footnote on some people listed (probably under trad FISA) may be targets of PRTT, no USP numbers broken out, include all 3 agencies with NSA and FBI PRTT numbers combined, modifications
  • December 2007 (covering first half 2007): transmittal letters not included, “at least” number, modifications, include all 3 agencies, with FBI and NSA combined for PRTT
  • June 2008 (covering second half 2007): transmittal letters not included, “at least” number, modifications, include all three agencies, with FBI and NSA combined for PRTT
  • December 2008 (covering first half 2008): transmittal letters not included, “at least” number, last modifications, include all 3 agencies, with FBI and NSA combined for PRTT
  • June 2009 (covering second half 2008): transmittal letters not included, no more “at least” number, no modifications, include all 3 agencies, with FBI and NSA combined for PRTT
  • December 2009 (covering first half 2009): transmittal letters not included, supplemental order, include all 3 agencies, with FBI and NSA combined for PRTT
  • June 2010 (covering second half 2009): transmittal letters not included, adjust targeted number for previous period (perhaps without explanation), include all 3 agencies with FBI and NSA combined for PRTT
  • December 2010 (covering first half 2010): transmittal letters not included, note one not considered util following period, break out FBI application, no NSA application to FISC
  • June 2011 (covering second half 2010): transmittal letters not included, introduction of “named US persons” category, one NSA denied in part (probably July Bates opinion), one approved, mention of compliances meetings with telecoms
  • December 2011 (covering first half 2011): transmittal letters not included, redaction of number and “named” in US persons targeted in narrative section, 4 approved outside reporting period, 3 NSA PRTT approved
  •  June 2012 (covering second half 2011): transmittal letters not included, redaction of number and “named” in US persons targeted in narrative section, and numerical breakout, 4 earlier FBI applications approved, 1 NSA PRTT approved (somewhere something in 2011 must have been withdrawn, given the approved numbers)
  • December 2012 (covering first half 2012): transmittal letters not included, number and “named” unredacted (including for previous period), no NSA application submitted
  • June 2013 (covering second half 2012 and submitted after first Snowden leaks): transmittal letters not included, number and “named” unredacted, no NSA application submitted

Here’s an explanation of what I make of these details:

How you count US persons

Throughout this reporting requirement, DOJ has been obligated to include the number of US persons targeted. How it has done so has varied by period. Here’s how it breaks out by reporting period (I’m doing it this way so we can match it up to known techniques).

July 2000 through December 2001: US person subjects of investigation described by sketch but not broken out by number

January 2002 through June 2002: US person targets identified by number and sketch

July 2002 through December 2004: US person targets identified by number “who were targeted”; sketches replaced by general language about First Amendment review

January 2005 through June 2006: Orders include a definition of aggregate that includes corporations and other non-individual legal persons, these orders provided an “at least” aggregate number (with a footnote explaining why that is redacted). This method covers most of the reports during the “combined” period. Update: The DOJ IG Report on Section 215 use in 2006 may explain some of this: for 215 orders in this period, FBI did not count the requested records of non-subjects, which would likely apply to combined orders.

July 2006 through December 2006: This report includes no discernible US person breakout.

January 2007 through June 2008: These reports used an “at least” number to count US persons.

July 2008 through June 2010:This period included exact numbers for USP targets, and also no longer includes modifications (which often are minimization procedures).

July 2010 through December 2012: This period uses “named US persons” as a reporting category, and to the extent it’s relevant, breaks out the NSA orders.

Note, some of the differential reporting (such as the “aggregate” language for the period before Congress got briefed on the bulk PRTT) to be get around informing Congress of certain collections. Some–such as the apparently still-current “named USP” suggests there’s a lot of incidental collection the government doesn’t count (which would be likely in the use of stingrays, though the prior use of target could be done there too).

The Agencies

Note the variation in agencies named, with PRTT being listed as FBI only, then being listed as NSA and FBI, then all government, then both again, and finally, broken out by agency. This likely stems most significantly from efforts to hide that they were using PRTT for the dragnet, then incorporation of NSA into the FBI dragnet numbers.

The NSA numbers first get broken out for the December 2010 report, with a statement there were no NSA applications in the first half of 2010. That accords with the understanding that the Internet dragnet got shut down around October 30, 2009, then Bates approved it again in July 2010 (which would be the partial declination marked).

Who signs the transmittals

I was interested that John Ashcroft didn’t a bunch of reports during a period when DOJ provided narratives of the Americans targeted. Also, for the first few periods of Stellar Wind, the signee was not read into Stellar Wind. I’ve increasingly noticed AGs having someone else sign something as a workaround, and that may have been true here, too (remember that the government was obtaining Internet metadata even before Stellar Wind).

But then, to the extent we still got transmittal letters (they stopped entirely in June 2007), they were signed by the Congressional Liaison.

In Response to NYT Lawsuit, FBI Reclassifies 26 Words

/2 Comments/in , /by

Last week, a number of people hailed the further declassification of DOJ Inspector General’s Report on FBI’s use of Exigent Letters.

That enthusiasm is misplaced, however. What too few people noticed is the thankless work Charlie Savage did to identify what was newly declassified. He had FOIAed the IG Report, which is what set off the declassification review.

In fact, FBI redacted three things that had previously been visible. On page 55/PDF 68, it redacted the title, “Diagram 2.1: Calling Circle or “Community of Interest.” On page 105/PDF 118 they redacted language indicating they use a certain kind of “language” to order what are probably also communities of interest. Finally, on page 207/PDF 220, FBI newly redacted the title, “Chart 4.3 Records for 10 Telephone Numbers Uploaded to FBI Databases With the Longest Periods of Overcollection.”

So the NYT sued the FBI to declassify language that should be declassified, given everything we’ve learned about related programs subsequent to the Snowden leaks, and FBI responded by trying to pretend we don’t know they were getting (and still get, per DOJ IG’s most recently report) call chains from telecoms.

To be fair, FBI did declassify some new stuff. That includes:

  • Roughly 44 uses of some form of the word “search”
  • Roughly 33 uses of some form of “target”
  • Roughly 24 references to years, either 2004 or 2005
  • The names of 3 of a number of journalists whose records had been improperly collected and details of the collection

About the  most interesting declassification was a citation to a Carrie Johnson story, published well over a year before the IG Report came out, describing the collection on those 3 journalists. The IG Report invoked this language in the story…

Mueller called the top editors at The Washington Post and the New York Times to express regret that agents had not followed proper procedures when they sought telephone records under a process that allowed them to bypass grand jury review in emergency cases.

… as evidence to support a footnote, which (except for the reference to Johnson’s article) had been unclassified, explaining,

In addition to the letter, Director Mueller called the editors of the two newspapers to express regret that the FBI agents had not followed proper procedures when they sought the reporters’ telephone records.

That is, they had classified reference to a published news article as S/NF! (Though I suppose it is possible that the fact they were hiding is that Glenn Fine had to read the WaPo to figure out what happened here, because Mueller wasn’t speaking directly to him.)

Congratulations to Carrie Johnson who I guess now classifies as a state secret!

I asked the Savage (and through him, NYT’s lawyer, David McCraw) how the NYT felt about FBI classifying, rather than declassifying language in response to his suit, and he suggested NYT expects DOJ to pay them for their time. “We have incurred no outside counsel fees and anticipate that the government will be required to pay us for the time spent by in-house counsel.”

Still, I think Savage (and FOIA requesters generally) should get finder’s fees every time the government newly classifies stuff years later … impose some kind of fine for stupid overclassification.

Update: Corrected timing on Johnson story which came out in August 2008, so 17 months before the IG Report.

A Radical Proposal of Following the Law

/6 Comments/in , , /by

Mieke Eoyang, the Director of Third Way’s National Security Program, has what Ben Wittes bills as a “disruptive” idea: to make US law the exclusive means to conduct all surveillance involving US companies.

But reforming these programs doesn’t address another range of problems—those that relate to allegations of overseas collection from US companies without their cooperation.

Beyond 215 and FAA, media reports have suggested that there have been collection programs that occur outside of the companies’ knowledge. American technology companies have been outraged about media stories of US government intrusions onto their networks overseas, and the spoofing of their web pages or products, all unbeknownst to the companies. These stories suggest that the government is creating and sneaking through a back door to take the data. As one tech employee said to me, “the back door makes a mockery of the front door.”

As a result of these allegations, companies are moving to encrypt their data against their own government; they are limiting their cooperation with NSA; and they are pushing for reform.  Negative international reactions to media reports of certain kinds of intelligence collection abroad have resulted in a backlash against American technology companies, spurring data localization requirements, rejection or cancellation of American contracts, and raising the specter of major losses in the cloud computing industry. These allegations could dim one of the few bright spots in the American economic recovery: tech.

[snip]

How about making the FAA the exclusive means for conducting electronic surveillance when the information being collected is in the custody of an American company? This could clarify that the executive branch could not play authority shell-games and claim that Executive Order 12333 allows it to obtain information on overseas non-US person targets that is in the custody of American companies, unbeknownst to those companies.

As a policy matter, it seems to me that if the information to be acquired is in the custody of an American company, the intelligence community should ask for it, rather than take it without asking. American companies should be entitled to a higher degree of forthrightness from their government than foreign companies, even when they are acting overseas.

Now, I have nothing against this proposal. It seems necessary but wholly inadequate to restoring trust between the government and (some) Internet companies. Indeed, it represents what should have been the practice in any case.

Let me first take a detour and mention a few difficulties with this. First, while I suspect this might be workable for content collection, remember that the government was not just collecting content from Google and Yahoo overseas — they were also using their software to hack people. NSA is going to still want the authority to hack people using weaknesses in such software, such as it exists (and other software companies probably still are amenable to sharing those weaknesses).  That points to the necessity to start talking about a legal regime for hacking as much as anything else — one that parallels what is going on with the FBI domestically.

Also, this idea would not cover the metadata collection from telecoms which are domestically covered by Section 215, which will surely increasingly involve cloud data that more closely parallels the data provided by FAA providers but that would be treated as EO 12333 overseas (because thus far metadata is still treated under the Third Party doctrine here). This extends to the Google and Yahoo metadata taken off switches overseas. So, such a solution would be either limited or (if and when courts domestically embrace a mosaic theory approach to data, including for national security applications) temporary, because some of the most revealing data is being handed over willingly by telecoms overseas.

Read more

On the USA Freedom Act’s Data Handshake

/3 Comments/in /by

As I noted yesterday, part of the effort to pass the USA Freedom Act involved what I call a “data handshake:” A deal whereby all four major telecoms would keep call detail records 2 years, without a mandate to do so.

At Foreign Policy, I have more details on this — with a focus on how this works with the Business Records law that authorizes the phone dragnet.

The terms of the data handshake are the most interesting part. This promise is not in writing. According to Feinstein it is a “personal testament.” (And of course it wasn’t in the bill, where privacy advocates might have objected to it.) The telecom companies could say they were retaining the data for business purposes, though, until now, they’ve had no business purpose to keep the records.

The government has repeatedly told courts that under Section 215, the NSA can only ask telecoms for business records they already hold. Yet Feinstein seems to have revealed, perhaps unintentionally, that under the new law the telecom companies would be willing to hold records at least an extra six months just so the government could presumably spy on their customers, if necessary. And in order to keep the records available under the law, the companies would claim they were keeping the records for business reasons. By doing this orally, no records could be obtained under discovery in a customer lawsuit or leaked by an NSA whistleblower like Edward Snowden. The telecoms could claim that they are not agents of the nation’s spies, even after they seem to have agreed to a handshake deal making them into just that.

Compare agreeing to this data handshake with what Verizon said in June.

At a Senate hearing in June, Verizon’s Associate General Counsel Michael Woods explained that Verizon keeps call detail records for just 12 to 18 months. “We don’t have data five years back,” Woods explained in response to a question from Collins. “All collection would be from our ordinary business records.”

In June, Woods made clear that Verizon objected to holding call detail records longer. His written testimony insisted that “national security is a fundamental government function that should not be outsourced to private companies.” He described that if a telecom company were asked to “retain data for the use of intelligence agencies,” it would be serving as “an agent” of the government.

Now, as I conclude in my piece, the telecoms that agreed to the data handshakes were probably calculating, correctly, that their customers would be better off if they held the records for 6 months longer than they needed to given their business needs than having the government hold them at all. I get the logic behind this deal.

But it is indefensible. The law, as written, cannot oblige Verizon to hold these records. The reason it can’t is because the law was never intended to set up an intrusive dragnet. Had it done so –and hopefully if the government tries to do so now — then it would have been publicly debated. And the program’s inefficacy would have been a much bigger issue.

The strong-arming of telecoms, presumably including Verizon, into this data handshake ought to refocus efforts to find a better solution to get the government the coverage it actually needs, but without inventing dragnets that have not shown to be useful.

 

Dianne Feinstein Describes the Data Handshake

/4 Comments/in /by

I’m going to transcribe some comments Dianne Feinstein made Tuesday night about how proponents of USA Freedom Act got around a data mandate requiring telecoms to keep data longer than they otherwise would. The short version? Rather than a data mandate, USA Freedom Act would have relied on a data handshake.

I’m prepared to make the compromise, which is that the metadata will be kept by the telecoms.  Senator Chambliss and I wrote a letter to the four big telecoms, and we asked them if they would hold the data. The answer came back from two, yes. And the answer came back from two, no. Since that time, the situation has changed — not in writing — but by personal testament from two of the companies, that they will hold the data for at least two years for business reasons. Now here’s the problem. The mandate that was inherent in the 215 Act is gone. But the fact is that the telecoms have agreed to hold the data. The President himself has assured me of this.

I’ll write more on this, which is legally unbelievably fascinating. But for now, I just wanted to post it.

Yes, the Government Does Spy Under Grandfathered Approvals

/in /by

Charlie Savage is catching no end of shit today because he reported on a provision in the PATRIOT Act (one I just noticed Tuesday, actually, when finding the sunset language for something else) that specifies ongoing investigations may continue even after a sunset.

The law says that Section 215, along with another section of the Patriot Act, expires on “June 1, 2015, except that former provisions continue in effect with respect to any particular foreign intelligence investigation that began before June 1, 2015, or with respect to any particular offense or potential offense that began or occurred before June 1, 2015.”

Michael Davidson, who until his retirement in 2011 was the Senate Intelligence Committee’s top staff lawyer, said this meant that as long as there was an older counterterrorism investigation still open, the court could keep issuing Section 215 orders to phone companies indefinitely for that investigation.

“It was always understood that no investigation should be different the day after the sunset than it was the day before,” Mr. Davidson said, adding: “There are important reasons for Congress to legislate on what, if any, program is now warranted. But considering the actual language of the sunset provision, no one should believe the present program will disappear solely because of the sunset.”

Mr. Davidson said the widespread assumption by lawmakers and executive branch officials, as well as in news articles in The New York Times and elsewhere, that the program must lapse next summer without new legislation was incorrect.

The exception is obscure because it was recorded as a note accompanying Section 215; while still law, it does not receive its own listing in the United States Code. It was created by the original Patriot Act and was explicitly restated in a 2006 reauthorization bill, and then quietly carried forward in 2010 and in 2011.

Now, I’m happy to give Savage shit when I think he deserves it. But I’m confident those attacking him now are wrong.

Before I get into why, let me first say that to some degree it is moot. The Administration believes that, legally, it needs no Congressional authorization to carry out the phone dragnet. None. What limits its ability to engage in the phone dragnet is not the law (at least not until some courts start striking the Administration’s interpretation down). It’s the willingness of the telecoms to cooperate. Right now, the government appears to have a significant problem forcing Verizon to fully cooperate. Without Verizon, you don’t have an effective dragnet, which is significantly what USA Freedom and other “reform” efforts are about, to coerce or entice Verizon’s full cooperation without at the same time creating a legal basis to kill the entire program.

That said, not only is Davidson likely absolutely correct, but there’s precedent at the FISA Court for broadly approving grandfathering claims that make dubious sense.

As Davidson noted elsewhere in Savage’s story, the FBI has ongoing enterprise investigations that don’t lapse — and almost certainly have not lapsed since 9/11. Indeed, that’s the investigation(s) the government appears, from declassified documents, to have argued the dragnet is “relevant” to. So while some claim this perverts the definition of “particular,” that’s not the word that’s really at issue here, it’s the “relevant to” interpretation that USAF leaves intact, effectively ratifying (this time with uncontested full knowledge of Congress) the 2004 redefinition of it that everyone agrees was batshit insane. If you want to prevent this from happening, you need to affirmatively correct that FISA opinion, not to mention not ratify the definition again, which USAF would do (as would a straight reauthorization of PATRIOT next year).

And as I said, there is precedent for this kind of grandfathering at FISA, all now in the public record thanks to the declassification of the Yahoo challenge documents (and all probably known to Davidson, given that he was a lead negotiator on FISA Amendments Act which included significant discussion about sunset procedures, which they lifted from PAA.

For starters, on January 15, 2008, in an opinion approving the certifications for Protect America Act submitted in August and September 2007, Colleen Kollar-Kotelly approved the grand-fathering of the earlier 2007 large content dockets based on the government’s argument that they had generally considered the same factors they promised to follow under the PAA certifications and would subject the data obtained to the post-collection procedures in the certifications. (See page 15ff)

Effectively then, this permitted them to continue collection under the older, weaker protections, under near year-long PAA certifications.

In the weeks immediately following Kollar-Kotelly’s approval of the underlying certifications (though there’s evidence they had planned the move as far back as October, before they served Directives on Yahoo), the government significantly reorganized their FAA program, bringing FBI into a central role in the process and almost certainly setting up the back door searches that have become so controversial. They submitted new certifications on January 31, 2008, on what was supposed to be the original expiration date of the PAA. As Kollar-Kotelly described in an June 18, 2008 opinion (starting at 30), that came to her in the form of new procedures received on February 12, 2008, 4 days before the final expiration date of PAA.

On February 12, 2008, the government filed in each of the 07 Dockets additional sets of procedures used by the Federal Bureau of Investigation(FBI) when that agency acquires foreign intelligence information under PAA authorities. These procedures were adopted pursuant to amendments made by the Attorney General and the Director of National Intelligence (DNI) on January 31, 2008 to the certifications in the 07 Dockets.

Then, several weeks later — and therefore several weeks after PAA expired on February 16, 2008 — the government submitted still new procedures.

On March 3, 2008, the government submitted NSA and FBI procedures in a new matter [redacted]

[snip]

Because the FBI and NSA procedures submitted in Docket No. [redacted] are quite similar to the procedures submitted in the 07 Dockets, the Court has consolidated these matters for purposes of its review under 50 U.S.C. § 1805c.

For the reasons explained below, the Court concludes that it retains jurisdiction to review the above-described procedures under §1805c. On the merits, the Court finds that the FBI procedures submitted in each of the 07 Dockets, and the NSA and FBI procedures submitted in Docket No. [redacted] satisfy the applicable review for clear error under 50 U.S.C. § 1805c(b).

She regarded these new procedures, submitted well after the law had expired, a modification of existing certifications.

In all [redacted] of the above-captioned dockets, the DNI and the Attorney General authorized acquisitions of foreign intelligence information by making or amending certifications prior to February 16, 2009, pursuant to provisions of the PAA codified at 50 U.S.C. § 1805b.

She did this in part by relying on Reggie Walton’s interim April 25, 2008 opinion in the Yahoo case that the revisions affecting Yahoo were still kosher, without, apparently, considering the very different status of procedures changed after the law had expired.

The government even considered itself to be spying with Yahoo under a September 2007 certification (that is, the latter of at least two certifications affecting Yahoo) past the July 10, 2008 passage of FISA Amendments Act, which imposed additional protections for US persons.

These are, admittedly, a slightly different case. In two cases, they amount to retaining older, less protective laws even after their replacement gets passed by Congress. In the third, it amounts to modifying procedures under a law that has already expired but remains active because of the later expiration date of the underlying certificate.

Still, this is all stuff the FISC has already approved.

The FISC also maintains — incorrectly in my opinion, but I’m not a FISC judge so they don’t much give a damn — that the 2010 and 2011 PATRIOT reauthorizations ratified everything the court had already approved, even the dragnets not explicitly laid out in the law. This sunset language was public, and there’s nothing exotic about what they say. To argue the FISC wouldn’t consider these valid clauses grand-fathering the dragnet, you’d have to argue they don’t believe the 2010 and 2011 reauthorizations ratified even the secret things already in place. That’s highly unlikely to happen, as it would bring the validity of their 40ish reauthorizations under question, which they’re not going to do.

Again, I think it’s moot. The “reform” process before us is about getting Verizon to engage in a dragnet that is not actually authorized by the law as written. They’re not doing what the government would like them to do now, so there’s no reason to believe this grandfathered language would lead them to suddenly do so.

The 2009 Last Ditch Attempt to Undercut the FISA Court

/in /by

As I laid out in this timeline, sometime in fall 2009, the NSA submitted an end-to-end report describing the Internet dragnet. Then, weeks later, David Kris wrote Reggie Walton, admitting that the had been collecting data outside the categories approved by Colleen Kollar-Kotelly in 2004 — that is, admitting that the rosy picture NSA had painted in its end-to-end report was entirely false. Sometime shortly thereafter, DOJ decided not to submit its Internet dragnet reauthorization application, effectively shutting down the Internet dragnet on or around October 30, 2009 until John “Bates-Stamp” Bates reauthorized it sometime around July 2010.

Which is why I find the discussion of the PATRIOT reauthorization during precisely that time period so interesting.

On October 1 the Senate Judiciary Committee had its first open hearing on PATRIOT reauthorization.  At that point, an effort to require Section 215 have particular ties to terrorism got shut down in an action we now know served to preserve the phone dragnet. The discussion around it created the interest for a classified briefing. On October 7, they got that briefing. Also on October 7, the Obama Administration gave Jeff Sessions a bunch of changes they wanted off of what the bill had been on October 1.

On October 8, the Senate Judiciary Committee had another open hearing on PATRIOT reauthorization. The committee adopted Sessions changes over DiFi’s already watered down version of what Pat Leahy had originally pushed on October 1 (this is what elicited Russ Feingold’s concerns about SJC acting as the Prosecutors Committee). The changes limited Section 215 protections for libraries, fixed the gag order problem with NSLs with a non-fix that is similar to one included in USA Freedom Act. Most significantly, they watered down what would have been new minimization procedures for the PRTT authority (which were ultimately stripped in any case), making clear minimization procedures should only be adopted in exceptional circumstances. As I guessed correctly at the time, this was probably done to protect the PRTT dragnet that was collecting vast amounts of Internet metadata (as well as, contrary to Jeff Sessons’ claims in the hearing, content).

They absolutely gutted the minimization procedures tied to pen registers! Pen registers are almost certainly the means by which the government is conducting the data mining of American people (using the meta-data from their calls and emails to decide whether to tap them fully). And Jeff Sesssions–I mean Barack Obama–simply gutted any requirement that the government get rid of all this meta-data when they’re done with it. They gutted any prohibitions against sharing this information widely. In fact, they’ve specified that judges should only require minimization procedures in extraordinary circumstances. Otherwise, there is very little limiting what they can do with your data and mine once they’ve collected it.

By asserting it had the authority to impose minimization procedures on the Internet dragnet, the FISC tried, utterly unsuccessfully, to prevent the NSA from illegally wiretapping Americans. When the FISC again asserted its authority to impose minimization procedures, NSA just took its toys and went overseas, where it didn’t have that meanie rubber stamp FISC to contend with.

I raise this not only because it suggests DOJ was making legislative efforts to undercut the FISC just as they discovered a huge problem with their Internet dragnet. But also because, in my opinion, the USA Freedom Act makes a similar effort to withdraw any claim the court might make to be able to impose and review compliance with minimization procedures. I don’t think it’s an Internet dragnet this time — as I’ll write later, I think it’s either location (which is fairly banal) or more interesting flow analyses. But I think Congress — with the support of civil liberties NGOs, this time — is still trying to undercut the way that FISC has best been able to impose some controls on the government’s spying.

The 2009 Challenge to the Dragnet

/in /by

Ken Dilanian has a story about someone who looks a lot like Chris Inglis raising questions about the phone dragnet in 2009.

A now-retired NSA senior executive, who was a longtime code-breaker who rose to top management, had just learned in 2009 about the top secret program that was created shortly after the Sept. 11, 2001, attacks. He says he argued to then-NSA Director Keith Alexander that storing the calling records of nearly every American fundamentally changed the character of the agency, which is supposed to eavesdrop on foreigners, not Americans.

Alexander politely disagreed, the former official told The Associated Press.

The former official, who spoke only on condition of anonymity because he didn’t have permission to discuss a classified matter, said he knows of no evidence the program was used for anything other than hunting for terrorism plots in the U.S. But he said he and others made the case that the collection of American records in bulk crossed a line that had been sacrosanct.

He said he also warned of a scandal if it should be disclosed that the NSA was storing records of private calls by Americans – to psychiatrists, lovers and suicide hotlines, among other contacts.

While interesting, it’s the kind of story — and it is accompanied by enough obvious errors and general lack of awareness about the program — that it raises questions about the further backstory (as for the errors, the most obvious include badly misstating how many people access the data, misstating where Basaaly Moalin is from, and accepting the source’s claim it has only been used to hunt terrorist plots rather than informants).

How do you write an intelligent story about anything having to do with the dragnet in 2009 and not mention the other issues going on with the dragnet, the 9 month process during which the ultimate structure leftover from Stellar Wind was cleaned up?

Indeed, the buried lede of this story is that someone this senior in the NSA would just be discovering the program, 8 years after it started and 3 years after it got put under FISC review. That’s consistent with what we saw from dragnet data, mind you — one reason the program was so screwed up in 2009 was that NSA’s regular coders hadn’t been overseeing its integration, even while the program appears to have gotten integrated into ICREACH in 2008.

But especially given the evidence that tech people committed the worst known violation and had access to commit far more serious ones, this part of the story should be the news.

It also raises questions about two other things going on that year. It is true that DOJ delayed quite some time from when Dianne Feinstein and Kit Bond first asked for language to resume the reauthorization program. Then, once they did start the process, DiFi was up boasting about how this (and presumably the PRTT program) were the most important investigations going on. Whether the government was honest about what they told SSCI about the program, it’s fairly clear that’s where the legislative push to retain it came from.

Then there’s the question I already raised: the change in FBI’s interpretation of Basaaly Moalin’s donations to Al-Shabaab, which earlier in 2009 they viewed as an effort to fight back against (US-backed) Ethiopian invaders. That is, did Moalin get prosecuted solely so they could have a dragnet win to justify all the other things they’re doing with the data?

Only Remaining Senator Personally Targeted by Terrorist Attack Still Believes in Constitution

/16 Comments/in , /by

The Senate just voted down cloture on the USA Freedom Act, 58-42. Even while we disagreed on the bill, I extend sincere condolences to civil liberties allies who worked hard to pass this in good faith. I know you all have worked hard in good faith to pass something viable.

Several things about the vote were predictable (in fact, I predicted them in June). Just as one example, I noted to allies that if Jeff Flake — who had a great record on civil liberties while he was still in the House — did not support the effort, it would fail. Four Senators — cosponsors Mike Lee, Ted Cruz, and Dean Heller, plus Lisa Murkowski voted for cloture; Rand Paul did not. Bill Nelson voted against cloture as well (there are reports he is claiming it was a mistake, but given how closely this bill was whipped that would be … telling).

Equally predictable was the fear-mongering. GOP Senator after GOP Senator got up and insisted if the phone dragnet ended, ISIL would attack the country. None noted, of course, that the phone dragnet had never succeeded in preventing a terrorist attack. Pat Leahy made that point but it’s one opponents of the dragnet need to make in more concerted fashion.

Then there was a piece of news that neither side — supporter or opponent — seemed to want to mention. Dianne Feinstein revealed that at first 2 of 4 providers (presumably the fourth is T-Mobile though it could even be Microsoft, given that Skype is a more important phone carrier for international traffic) had refused to keep phone records, but that they had voluntarily agreed to do so for a full two years (this is at least a 6 month extension for Verizon, though may be significantly longer for cell calls).

The most dramatic part of the debate came after everyone left, when a frustrated Pat Leahy made the case for defending the Constitution. He recalled the anthrax letter addressed to him, on September 18, 2001, that killed a postal worker who processed it (another letter killed a Tom Daschle aide see Meryl Nass’ correction). “13 years ago this week, a letter was sent to me, addressed to me. It was so deadly, with the antrax in it that one person who touched the envelope–addressed to me, that I was supposed to open–They died!” Leahy reminded that the FBI had still not caught all the culprits for the attack. (That he believes that was first reported here in 2008; I believe FBI has, in fact, caught none of the culprits.) That attack targeting him personally, Leahy noted, did not convince him he had to abrogate the Constitution. “This nation should not let our liberties to be set aside by passing fears.” Leahy said. “If we do not protect our Constitution we do not deserve to be in this body.”

Senators like Marco Rubio got up and screamed about terrorists. But unless I’m mistaken, Pat Leahy is the only one remaining in the Senate who was personally targeted by a terrorist.

Maybe we ought to highlight that point?

Updated w/additions from Leahy’s comments.