The Bottom End of the Fourth Amendment

Here’s what self-confessed NEWB FISCR Judge Buzz Arnold said on what he claimed was his fourth day on the job (in reality it was several weeks in) during the hearing on the Yahoo challenge in 2008.

Warrant Clause at Bottom End of 4th Amendment


You know–that long tradition of “bottom end of the Fourth Amendment” jurisprudence?

“There Is No Database”

I Con the Record has released the transcript for the Yahoo hearing before the FISA Court of Review.

I’ll come back to the substance of it, but I did want to point to the lie that underscores this entire case.

There Is No Database


On page 41, Acting Solicitor General Gregory Garre claims there is no database of incidentally collected information.

That’s of course false — the incidentally collected information is kept right along with the targeted information.

The FISCR relied on this claim in its ruling that the Protect America Act was constitutional.

Funny how that works…

Former Surveillance Lawyer Peter Keisler Pushes for Surveillance Limits

I’ve been lying low so supporters of USA Freedom can try to get a vote for cloture allowing debate for their bill in the Senate (and also trying to duck getting back into the arguments I made about Jonathan Gruber in 2009 and 2010). I’ve had my say on the former issue here and here.

But even as USA Freedom faces an uncertain future in the Senate, something interesting happened in the 11th Circuit.

I wrote in June about the 11th Circuit decision in US v. Quartavious Davis. In a decision written by David Sentelle (on loan from the DC Circuit) the Circuit overturned a conviction based almost entirely on stored cell site location information (CSLI).

The government filed for rehearing en banc, which was granted.

AT&T just submitted an amicus brief generally supporting a higher standard for CSLI.

This is no hippie brief. Generally, it calls for more clarity for the providers, and ultimately concludes by asking for a single standard.

However the scope of the Fourth Amendment’s protection is resolved, a clear and categorical rule will benefit all parties involved in the application of Section 2703(d), including the technology companies subject to orders to produce information. Whatever standard the Court ultimately determines the government must satisfy, the third party records cases may provide an unsatisfactory basis for resolving this case. Smith and Miller rested on the implications of a customer’s knowing, affirmative provision of information to a third party and involved less extensive intrusions on personal privacy. Their rationales apply poorly to how individuals interact with one another and with information using modern digital devices. In particular, nothing in those decisions contemplated, much less required, a legal regime that forces individuals to choose between maintaining their privacy and participating in the emerging social, political, and economic world facilitated by the use of today’s mobile devices or other location based services.

But to support that stance, it argues that because of increasing accuracy, CSLI is probably more intrusive than the car-based GPS tracker found to require a warrant in US v. Jones.

CSLI at times may provide more sensitive and extensive personal information than the car tracking information at issue in Jones. Users typically keep their mobile devices with them during the entire day, potentially providing a much more extensive and continuous record of an individual’s movements and living patterns than that provided by tracking a vehicle; CSLI, therefore, is not limited to the largely public road system or to when the device user is in a vehicle.

More interesting still, it argues that the 3rd Party doctrine doesn’t work anymore.

The privacy and related social interests implicated by the use of modern mobile devices and by CSLI are fundamentally different and more significant than those evaluated in Miller and Smith. Miller, 425 U.S. at 443 (“We must examine the nature of the particular documents sought to be protected in order to determine whether there is a legitimate ‘expectation of privacy’ concerning their contents”); Smith, 442 U.S. at 741-42 (emphasizing the “limited capabilities” of pen registers). Use of mobile devices, as well as other devices or location based services, has become integral to most individuals’ participation in the new digital economy: those devices are a nearly ever-present feature of their most basic social, political, economic, and personal relationships. In recent years, this has become especially true of the data communications – from email and texting to video to social media connections – that occur on a nearly continuous basis whenever mobile devices are turned on.

[snip]

Nor does Miller or Smith address how individuals interact with one another and with different data and media using mobile devices in this digital age. Location enabled services of all types provide a range of information to their users. At the same time, mobile applications, vehicle navigation systems, mobile devices, or wireless services for mobile devices often collect and use data in the background.

As part of that, AT&T discusses how CSLI reveals interactions, not just locations.

But perhaps my favorite part of the brief is this:

[screenshot of the relevant passage from the brief]

The brief was written by Peter Keisler, a longtime telecom attorney but also — during his brief stint as Acting Attorney General in 2007 — the guy who signed at least the Directives (and possibly 2 Certificates) under the Protect America Act. See page 34 for where Keisler signed Directives to Yahoo on his last day as Acting AG, November 8, 2007.

White House Supports USA Freedom Act, with Bates-Clapper Caveats about Amicus

The White House has come out with an enthusiastic statement supporting USA Freedom Act.

The Administration strongly supports Senate passage of S. 2685, the USA FREEDOM Act. In January, the President called on Congress to enact important changes to the Foreign Intelligence Surveillance Act (FISA) that would keep our Nation safe, while enhancing privacy and better safeguarding our civil liberties. This past spring, a broad bipartisan majority of the House passed a bill that answered the President’s call. S. 2685 carefully builds on the good work done in the House and has won the support of privacy and civil liberties advocates and the private sector, including significant members of the technology community. As the Attorney General and the Director of National Intelligence stated in a letter dated September 2, 2014, the bill is a reasonable compromise that enhances privacy and civil liberties and increases transparency.

The bill strengthens the FISA’s privacy and civil liberties protections, while preserving essential authorities that our intelligence and law enforcement professionals need.

It says the bill ends bulk collection, which might be a useful record if the President used a definition besides “without any discriminator,” but that is what he is on the record as meaning by “bulk.”

The bill would prohibit bulk collection through the use of Section 215, FISA pen registers, and National Security Letters while maintaining critical authorities to conduct more targeted collection. The Attorney General and the Director of National Intelligence have indicated that the bill will retain the essential operational capabilities of the existing bulk telephone metadata program while eliminating bulk collection, based on communications providers’ existing practices.

Perhaps the most troubling part of Obama’s statement, however, is its endorsement of John Bates’ language about the amicus as echoed by James Clapper and Eric Holder, which among other things said that the amicus could not be required to represent the interests of civil liberties and privacy.

The bill also authorizes an independent voice in significant cases before the Foreign Intelligence Surveillance Court (FISC) — the Administration is aware of the concerns with regard to this issue, as outlined in the letter from the Attorney General and the Director of National Intelligence, and the Administration anticipates that Congress will address those concerns. Finally, the bill will enhance transparency by expanding the amount of information providers can disclose and increasing public reporting requirements.

In sum, this legislation will help strengthen Americans’ confidence in the Government’s use of these important national security authorities. Without passage of this bill, critical authorities that are appropriately reformed in this legislation could expire next summer. The Administration urges Congress to take action on this legislation now, since delay may subject these important national security authorities to brinksmanship and uncertainty. The Administration urges the Senate to pass the USA FREEDOM Act and for the House to act expeditiously so that the President can sign legislation into law this year. [my emphasis]

As I said here, the designed impotence of the amicus is not a reason to oppose the bill; it’s just a reason to expect to have to wait 9 years before it becomes functional, as happened with PCLOB. Still, it is very very troubling that given all the evidence that the Executive has been abusing the process of the FISC for a decade, the Executive is moving to ensure they’ll still be able to do so.

Even as Congress Prepares to Legislate, Intelligence Community Stalling on Section 215 IG Report

I’ve been covering the DOJ Inspector General’s billion-day-old review of Section 215.

  • June 2010: Then DOJ IG Glenn Fine lays out investigation
  • June 2013: Transition to Michael Horowitz stalls PATRIOT investigation
  • August 2013: The investigation has been ongoing
  • September 2013: Pat Leahy calls for an IC IG investigation into 215 and 702; IC IG Charles McCullough declines
  • December 2013: Horowitz states current investigation limited by AG/DNI declassification of earlier reports
  • April 2014: The Section 215 review has a baby!

If my calculation is correct, that report has been pending for 1,616 days.

Today, in a report on the most significant challenges faced by the government, the IG explains what happened to the review: it is caught up in declassification review.

Ongoing OIG work, such as our reviews of the Department’s requests for and use of business records under Section 215 of the USA PATRIOT Reauthorization Act and the Department’s use of pen register and trap-and-trace devices under the Foreign Intelligence Surveillance Act (FISA), also address privacy concerns implicated by the use of national security authorities to collect data.  Although the OIG completed both of these reviews months ago, and we have provided classified briefings to Congress regarding them, we have been unable to release the classified reports to Congress or non-classified reports to the public because the classification review being conducted by the intelligence community, which includes the FBI, is still ongoing.

This is craziness! Congress is actively legislating on this topic … tomorrow! There’s also the matter of the secret FBI PRTT program, that I strongly suspect is a location dragnet, which this report likely covers.

But the IC is suppressing a report that has been in the works for over 4 years with a slow declassification review?

Update: From Glenn Fine’s original letter scoping out the review, here’s some of what it includes.

It will examine the number of Section 215 applications filed from 2007 through 2009, how the FBI is using the tool today, and describe any reported improper or illegal uses of the authority. Our review also will examine the progress the FBI has made in addressing recommendations contained in our prior reports that the FBI draft and implement minimization procedures specifically for information collected under Section 215 authority.

We also intend to conduct a programmatic review of the FBI’s use of its pen register and trap and trace authority under the FISA. That part of the review will examine issues such as how the FBI uses the authority to collect information, what the FBI does with the information it collects, and whether there have been any improper or illegal uses of the authority either reported by the FBI or identified by the OIG.

In addition to identifying any improper uses of these authorities (the report should provide some sense of how rigorous the First Amendment review is), it will certainly lay out how FBI has refused to implement minimization procedures that are required by law and were recommended in DOJ IG’s last Section 215 report (we know this to be the case because the FISC is imposing minimization procedures itself, and requiring compliance reviews).

All that would be rather important to know before extending Section 215 for another 3 years.

How to Fix the FISA Court … Or Not

The government assures us that it does not maintain a database of incidentally collected information from non-targeted United States persons, and there is no evidence to the contrary. On these facts, incidentally collected communications of non-targeted United States persons do not violate the Fourth Amendment.(26)

That line, from the FISCR opinion finding the Protect America Act constitutional, gets to the core problem with the FISA Court scheme. Even in 2009, when the line was first made public, it was pretty clear the government had made a false claim to the FISA Court of Review.

Now that we know that FBI had already been given authority to keep PAA-collected content in databases that they could search at what is now called the assessment stage of investigations — warrantless searches of the content of Americans against whom the FBI has no evidence of wrong-doing — the claim remains one of the signature moments where the government got approval for a program by being less than candid to the court (the government has been caught doing so in both Title III courts and at FISC, and continues to do so).

That’s also why I find Greg McNeal’s paper on Reforming the FISC, while very important, ultimately unconvincing.

McNeal’s paper is invaluable for the way he assesses the decision — in May 2006 — to authorize the collection of all phone records under Section 215. Not only does the paper largely agree with the Democratic appointees on PCLOB that the program is not authorized by the Section 215 statute, McNeal conducts his own assessment of the government’s application to use Section 215 for that purpose.

The application does not fare well.

Moreover, the government recognized that not all records would be relevant to an investigation, but justified relevance on what could best be described as usefulness or necessity to enable the government’s metadata analysis, stating:

The Application fully satisfies all requirements of title V of FISA. In particular, the Application seeks the production of tangible things “for” an international terrorism investigation. 50 U.S.C. § 1861(a)(1). In addition, the Application includes a statement of facts demonstrating that there are reasonable grounds to believe that the business records sought are “relevant” to an authorized investigation. Id. § 1861(b)(2). Although the call detail records of the [redacted] contain large volumes of metadata, the vast majority of which will not be terrorist-related, the scope of the business records request presents no infirmity under title V. All of the business records to be collected here are relevant to FBI investigations into [redacted] because the NSA can effectively conduct metadata analysis only if it has the data in bulk.[49]

The government went even further, arguing that if the FISC found that the records were not relevant, that the FISC should read relevance out of the statute by tailoring its analysis in a way that would balance the government’s request to collect metadata in bulk against the degree of intrusion into privacy interests. Disregarding the fact that the balancing of these interests was likely already engaged in by Congress when writing section 215, the government wrote:

In addition, even if the metadata from non-terrorist communications were deemed not relevant, nothing in title V of FISA demands that a request for the production of “any tangible things” under that provision collect only information that is strictly relevant to the international terrorism investigation at hand. Were the Court to require some tailoring to fit the information that will actually be terrorist-related, the business records request detailed in the Application would meet any proper test for reasonable tailoring. Any tailoring standard must be informed by a balancing of the government interest at stake against the degree of intrusion into any protected privacy interests. Here, the Government’s interest is the most compelling imaginable: the defense of the Nation in wartime from attacks that may take thousands of lives. On the other side of the balance, the intrusion is minimal. As the Supreme Court has held, there is no constitutionally protected interest in metadata, such as numbers dialed on a telephone.[50]

Thus, the government asked the court to disregard the judgment of the Congress as to the limitations and privacy interests at stake in the collection of business records. Specifically, the government asked the FISC to disregard Congress’s imposition of a statutory requirement that business records be relevant, and in disregarding that statutory requirement rely on the fact that there was no constitutionally protected privacy interest in business records. The government’s argument flipped the statute on its head, as the purpose of enhancing protections under section 215 was to supplement the constitutional baseline protections for privacy that were deemed inadequate by Congress.

McNeal is no hippie. That he largely agrees and goes beyond PCLOB’s conclusion that this decision was not authorized by the statute is significant.

But as I said, I disagree with his remedy — and also with his assessment of the single source of this dysfunction.

McNeal’s remedy is laudable. He suggests all FISC decisions should be presumptively declassified and any significant FISC decision should get automatic appellate review, done by FISCR. That’s not dissimilar to a measure in Pat Leahy’s USA Freedom Act, which I’ve written about here. With my cautions about that scheme noted, I think McNeal’s remedy may have value.

The reason it won’t be enough stems from two things.

First, the government has proven it cannot be trusted with ex parte proceedings in the FISC. That may seem harsh, but the Yahoo challenge — which is the most complete view we’ve ever had of how the court works, even with a weak adversary — really damns the government’s conduct. In addition to the seemingly false claim to FISCR about whether the government held databases of incidentally collected data, over the course of the Yahoo challenge, the government,

  • Entirely restructured the program — bringing the FBI into a central role in the process — without telling Reggie Walton, who was presiding over the challenge, about these major changes to the very program the challenge evaluated; this would be the first of 4 known times in Walton’s 7-year tenure where he had to deal with the government withholding materially significant information from the court
  • Provided outdated versions of documents, effectively hiding metadata that would have shown EO 12333, which was a key issue being litigated, was more fluid than presented to the court
  • Apparently did not notify either FISC or FISCR about an OLC opinion — language from which was declassified right in the middle of the challenge — authorizing the President to pixie dust EO 12333 at any time without noting that publicly
  • Apparently did not provide the underlying documents explaining another significant change they made during the course of the challenge, which would have revealed how easily Americans could be reverse targeted under a program prohibiting it; these procedures were critical to FISCR’s conclusion that the program was legal

In short, the materials withheld or misrepresented over the course of the Yahoo challenge may have made the difference in FISCR’s judgment that the program was legal (even ignoring all the things withheld from Yahoo, especially regarding the revised role of FBI in the process). (Note, in his paper, McNeal rightly argues Congress and the public could have had a clear idea of what Section 702 does; I’d limit that by noting that almost no one besides me imagined they were doing back door searches before that was revealed by the Snowden leaks).

One problem with McNeal’s suggestion, then, is that the government simply can’t be trusted to engage in ex parte proceedings before the FISC or FISCR. Every major program we’ve seen authorized by the court has featured significant misrepresentations about what the program really entailed. Every one! Until we eliminate that problem, the value of these courts will be limited.

But then there is the other problem, my own assessment of the source of the problem with FISC. McNeal thinks it is that Congress wants to pawn its authority off onto the FISC.

The underlying disease is that Congress wants things to operate the way that they do; Congress wants the FISC and has incentives to maintain the status quo.

Why does Congress want the FISC? Because it allows them to push accountability off to someone else. If members of Congress are responsible for conducting oversight of secret operations, their reputations are on the line if the operations go too far toward violating civil liberties, or not far enough toward protecting national security. However, with the FISC conducting operations, Congress has the ability to dodge accountability by claiming they have empowered a court to conduct oversight.

I don’t, in general, disagree with this sentiment in the least. The last thing Congress wants to do is make a decision that might later be tied to an intelligence failure, a terrorist attack, a botched operation. Heck, I’d add that the last thing most members of Congress serving on the Intelligence Committees would want to do is piss off the contractors whose donations provide one of the perks of the seat.

But the dysfunction of the FISC stems, in significant part, from something else.

In his paper on the phone dragnet (which partly incorporates the Internet dragnet), David Kris suggests the original decision to bring the dragnets under the FISC (in the paper he was limited by DOJ review about what he could say of the Internet dragnet, so it is not entirely clear whether he means the Colleen Kollar-Kotelly opinion that paved the way for the flawed Malcolm Howard one McNeal critiques, or the Howard one) was erroneous.

Fixes for USA Freedom Act

I’m now being accused by USA Freedom Act champions of not providing constructive suggestions on how to improve USAF (even though I have, both via channels they were involved in and channels they are not party to) [oops, try this tweet, which is still active].

Now that it appears people who previously claimed I was making all this up concede some of my critiques as valid, here goes: my suggestions for how to fix the problems I identified in this post.

Problem: No one will say how the key phone record provision of the bill will work

Fix: Permit the use of correlations — but provide notice to defendants because this is probably unconstitutional warrantless surveillance

There is one application of connection chaining that I find legitimate, and two that are probably unconstitutional. The legitimate application is the burner phone one: to ask providers to use their algorithms (including new profiles of online use) to find the new phones or online accounts that people adopt after dropping previous ones, which is what AT&T offers under Hemisphere. To permit that, you might alter the connection chaining language to say providers can chain on calls and texts made, as well as ask providers to access their own records to find replacement phones. Note, however, that accuracy on this mapping is only about 94% per Hemisphere documents, so it seems there needs to be some kind of check before using those records.

The two other applications — the ones I’m pretty sure are or should be unconstitutional without a warrant — are 1) the use of cloud data, like address books, calendars, and photos, to establish connections, and 2) the use of phone records like Verizon’s supercookie to establish one-to-one correlations between identities across different platforms. I think these are both squarely unconstitutional under the DC Circuit’s Maynard decision, because both are key functions in linking all these metadata profiles together, and language in Riley would support that too. But who knows? I’m not an appellate judge.
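To make the mechanics concrete, here is an added toy model of the chaining described above (example code written for this post’s discussion, not anything from the bill, from AT&T, or from Hemisphere). It runs plain two-hop contact chaining over a handful of constructed call detail records, then adds a “burner” step in which a provider-supplied correlation (a dropped number mapped to the number the provider’s algorithm thinks replaced it) is folded into the chain at the same hop as the original number. The records, numbers and confidence scores are all made up; the `min_confidence` threshold is a hypothetical stand-in for the kind of check the 94% accuracy figure suggests is needed before a correlation is trusted.

```python
"""Two-hop contact chaining with a provider 'burner correlation' step.

Added illustration for the chaining discussion; all data below is
constructed for the example and is not real call detail or provider output.
"""
from collections import deque

# Constructed call detail records: (caller, callee, day).
CDRS = [
    ("555-0001", "555-0002", 1),
    ("555-0002", "555-0003", 1),
    ("555-0003", "555-0004", 2),
    ("555-0001", "555-0005", 2),
    ("555-0005", "555-0006", 3),
    ("555-0007", "555-0008", 3),   # a pair with no link to the seed
    ("555-0009", "555-0003", 4),   # 555-0009 is the seed's supposed replacement phone
]

# Hypothetical provider correlation output: dropped number -> (replacement, confidence).
CORRELATIONS = {
    "555-0001": ("555-0009", 0.96),
    "555-0006": ("555-0007", 0.71),  # a weak match that may well be wrong
}


def contacts(records):
    """Undirected adjacency map: who was in direct contact with whom."""
    adj = {}
    for caller, callee, _day in records:
        adj.setdefault(caller, set()).add(callee)
        adj.setdefault(callee, set()).add(caller)
    return adj


def chain(seed, records, hops, correlations=None, min_confidence=1.0):
    """Return {number: hop} for every number within `hops` of `seed`.

    When `correlations` is supplied, a number the provider says replaced a
    chained number is pulled in at the same hop as the number it replaced,
    but only if the provider's confidence is at least `min_confidence`.
    """
    adj = contacts(records)
    seen = {}
    queue = deque()

    def discover(number, hop):
        # Record a newly reached number and, if the provider claims it was
        # replaced by another phone, that replacement at the same hop.
        if number in seen:
            return
        seen[number] = hop
        queue.append(number)
        if correlations and number in correlations:
            replacement, confidence = correlations[number]
            if confidence >= min_confidence:
                discover(replacement, hop)

    discover(seed, 0)
    while queue:
        current = queue.popleft()
        if seen[current] >= hops:
            continue
        for neighbour in adj.get(current, ()):
            discover(neighbour, seen[current] + 1)
    return seen


def swept_up(seed, records, hops, correlations=None, min_confidence=1.0):
    """Number of distinct phones a single order on `seed` would reach."""
    return len(chain(seed, records, hops, correlations, min_confidence))


if __name__ == "__main__":
    print("plain 2-hop:", chain("555-0001", CDRS, 2))
    print("with high-confidence correlation:",
          chain("555-0001", CDRS, 2, CORRELATIONS, min_confidence=0.9))
    print("with any correlation accepted:",
          chain("555-0001", CDRS, 2, CORRELATIONS, min_confidence=0.5))
```

Run as a script, the three lines show the point in miniature: plain chaining reaches five phones; accepting the high-confidence replacement for the seed pulls in 555-0009 and moves 555-0003 from the second hop to the first, so its contacts now fall inside the order; lowering the threshold to accept the weak 0.71 match drags in 555-0007, a phone with no real connection to the seed. That last case is exactly why an unverified correlation should not be allowed to feed the chain.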

To prevent the government from doing this without really independent judicial review — and more generally to ensure Section 215 is not abused going forward — the best fix is to require notice to defendants if any evidence from Section 215 or anything derived from it, including the use of metadata as an index to identify content, is used in a proceeding against them. Given that Section 215’s secret application is now unclassified, they should even get a fairly robust description of how it was used. After all, if this is just third party doctrine stuff, it can’t be all that secret!

Problem: USAF negotiates from a weak position and likely moots potentially significant court gains

Fix (sort of): Provide notice to defendants under Section 215

I’m frankly of the opinion that ACLU’s Alex Abdo kicked DOJ’s ass so thoroughly in the 2nd Circuit, that unless that decision is mooted, it will provide a better halt to dragnets than any legislation could. But I get that that’s a risk, especially with Larry Klayman botching an even better setup in the DC Circuit.

But I do think the one way to make sure we don’t lose the opportunity for a judicial fix to this is to provide notice to defendants of any use or derivative use of Section 215. The government has insisted (most recently in the Reaz Qadir Khan case, but also did so in the Dzhokhar Tsarnaev and derivative cases, where we know they used the phone dragnet) that it doesn’t have to give such notice. If they get it — with the ability to demonstrate that their prosecution arises out of a warrantless mosaic analysis of their lives which provides the basis for the order providing access to their content — then at least there may be a limited judicial remedy in the future, even if it’s not Abdo fighting for his own organization. FISCR said PAA was legal because of precisely these linking procedures, but if they’re not (or if they require a warrant) then PRISM is not legal either. Defendants must have the ability to argue that in court.

Problem: USAF’s effects in limiting bulk collection are overstated

Fix: Put temporal limits on traditional 215 collection, add flexibility into the emergency provision, but adopt existing emergency provision

USAF prohibits using a communications provider corporate person as a selector, but permits the use of a non-communications corporate person as a selector, meaning it could still get all of Visa’s or Western Union’s records. I understand the government claims it needs to retain the use for corporate person selectors to get things like all the guests at Caesars Palace to see if there are suspected terrorists there. The way to permit this, without at the same time permitting a programmatic dragnet (of, say, all Las Vegas hotels all the time), might be to temporally limit the order — say, limit the use of any non-communications provider order to get a month of records.

But this creates a problem, which is that it currently takes (per the NSL IG Report) 30-40 days to get a Section 215 order. The way to make it possible to get records when you need them, rather than keeping a dragnet, is to permit the use of the emergency provision more broadly. You might permit it for counterintelligence purposes as well as the current counterterrorism use (that is, make it available in any case where Section 215 would be available), though you should still limit use of any data collected to the purpose for which it was collected. You might even extend the deadline to submit an application beyond 7 days.

That exacerbates the existing problem with the emergency provision, however, which is that the government gets to keep records even if the court finds they misused the statute. To fix this, I’d advise tying the change to the adoption of the existing language from the emergency provision currently in place on the phone dragnet order, specifically permitting FISC to require records be discarded if the government shouldn’t have obtained them. I’d also add a reporting requirement on how many emergency provisions were used (that one would be included in the public reporting) and, in classified form to the intelligence and judiciary committees, fairly precisely what it had been used for. I’d additionally require FBI to track this data, so it can easily report what has become of it.

Given that the government may have already abused the emergency provisions, this requires close monitoring. So no loosening of the emergency provision should be put into place without the simultaneous controls.

Problem: USAF would eliminate any pushback from providers

Fix: Put “good faith” language back in the law and provide appeal of demand for proprietary requests

I’d do two things to fix the current overly expansive immunity provisions. First, I’d put in the language that exists in other immunity provisions requiring good faith compliance with orders, such that providers can’t be immunized for stuff they recognize is illegal.

I’d also add language giving them an appeal if the government were obtaining proprietary information. While under current law the government should be able to obtain call records, it shouldn’t be able to require providers also share their algorithms about business records, which is (I suspect) where this is going (indeed, the Yahoo documents suggest that’s where it has already gone under PRISM). So make it clear there’s a limit to what is included under third party doctrine, and provide providers with a way to protect their data derived from customer records.

Problem: USAF may have the effect of weakening existing minimization procedures

Fix: Include language permitting FISC approval and review of compliance with traditional 215 minimization procedures and PRTT, adopt emergency provision language currently in place

This should be simple. Just include language letting the court review minimization procedures and review compliance, which is currently what happens and should happen as we get deeper and deeper into mosaic collection (indeed, this might be pitched as a solution to what should be a very urgent constitutional problem for the status quo practice).

Additionally, the bill should integrate the emergency provision currently applicable to the phone dragnet for all Section 215 use, along with reporting on how often and how it is used.

Both of these, importantly, simply codify the current status quo. If the government won’t accept the current status quo, after years of evidence on why it needs this minimal level of oversight from FISC, then that by itself should raise questions about the intelligence community’s intent going forward.

Problem: USAF’s transparency provisions are bullshit

Fix: Require reporting from all providers, give FBI 2 years and a budget to eliminate exemptions, give NSA 2 years to be able to answer all questions

One minimal fix to the transparency provisions is to require reporting not just from communications providers, but from all providers who have received orders, so that the financial and location dragnets that currently exist and are currently exempted from reporting would have to be reported on as well.

As to the other transparency provisions, the biggest problem is that the bill permits both the NSA and FBI to say “omigosh we simply can’t count all this.” I think they’re doing so for different reasons. In my opinion, the NSA is doing so because it is conducting illegal domestic wiretapping, especially to pursue cybersecurity targets. It is doing so because it hasn’t gotten Congress to buy off on using domestic wiretapping to pursue cybertargets. I would impose a 2 year limit on how long ODNI can avoid reporting this number, which should provide plenty of time for Congress to legislate a legal way to pursue cybertargets (along with limits to what kind of cybertargets merit such domestic wiretapping, if any).

I think the FBI is refusing to count its collection because it wants to passively collect huge databases of US persons so it can just look up whether people who come under its radar are suspicious. I believe this is unconstitutional — it’s certainly something the government lied to the FISCR about in order to beat back Yahoo’s challenge, and arguably the government made a similar lie in Amnesty v. Clapper. If I had my way, I’d require FBI to count how many US persons it was collecting on and back door searching yesterday. But if accommodation must be made, FBI, too, should get just 2 years (and significant funding) to be able to 1) tag all its data (as NSA does, so most of it would come tagged), 2) count it and its back door searches, and 3) determine whether incoming data is of interest within a short period of time, rather than sitting on it for 30 years. Ideally, FBI would also get 2 years to do the same things with its NSL data.

Again, I think the better option is just to make NSA and FBI count their data, which will show both are violating the Constitution. Apparently, Congress doesn’t want to make them do that. So make them do that over the next 2 years, giving them time to replace unconstitutional programs.

Problem: Other laudable provisions — like the Advocate — will easily be undercut

Fix: Add exemption in the ex parte language on FISA review for the advocate

In this post, I noted that the provision requiring the advocate have all the material she needs to do her job conflicts with the provision permitting the government to withhold information on classification or privilege grounds. If there is any way to limit this, it should be taken — perhaps by requiring the advocate be given clearance into any compartments for the surveillance under question (though not necessarily the underlying sources and methods used in an affidavit), as well as mandating that originator controlled (ORCON) documents be required to be shared. This might work like a CIPA provision, in that the government must be willing to share something if it wants FISC approval (and with it, the authority to obligate providers).

But since that post, we’ve seen how, in the Yahoo challenge, the government convinced Reggie Walton to apply the ex parte provisions applying to defendants to Yahoo. That precedent would now, in my opinion, apply language on review to any adversary. To fix that, the bill should include conforming language in all the places (such as at 50 USC 1861(c)) that call for ex parte review to make it clear that ex parte review does not apply to an advocate’s review of an order.

I fully expect the IC to find this unacceptable (Clapper has already made it clear he’ll only accept an advocate that is too weak to be effective). But bill reformers should point to the clear language in the President’s speech calling for “a panel of advocates from outside government to provide an independent voice in significant cases before the Foreign Intelligence Surveillance Court.” If the IC refuses to have an advocate that can do the job laid out by statute, they should have to answer to the President, who has called for real advocates (not amici).

To recap — all this pertains only to the bill on its face, not to the important things the bill is missing, such as a prohibition on back door searches. But these are things that would make USA Freedom Act far better.

I suspect the intelligence community would object to many, if not all of them. But if they do, then it would certainly clarify what their intent really is.

Americans: On the Internet, People Do Too Know You’re a Dog

Back in 1993, cartoonist Peter Steiner famously captured a largely held belief about the Internet: “On the Internet, no one knows you’re a dog.”

According to a fascinating new study from Pew, that’s no longer true.

Just 24% of adults “agree” (20%) or “strongly agree” (3%) with the statement: “It is easy for me to be anonymous when I am online.” By contrast, 74% “disagree” (52%) or “strongly disagree” (22%) that it is easy for them to be anonymous.

The poll suggests this is partly because of coverage of government spying, and partly because of corporate spying.

I find two other things about this most interesting. First, the demographics on the specific answers are very fascinating. Just as one example, more affluent people are more likely to check how they come up on Internet searches.

Self-searching activity varies greatly across different groups, particularly by age, income, and household education. Adults under the age of 50 are far more likely to be “self-searchers” than those ages 50 and older, and adults with higher levels of household income and education stand out as especially likely to check up on their own digital footprints.

But I can imagine that’s because they live more of their life online (and they’re more apt to use things like LinkedIn to apply for jobs). There are also demographic differences in what people find sensitive (see differences in sensitivity about email content at 50, for example). Again, that may reflect the degree to which these tools are available, and therefore are likely to include sensitive communications.

The other thing, however, is that people appear far less worried about metadata than they should be. I get why people are almost universally worried about social security privacy — and this likely reflects the fact that the most immediate threat to everyone is identity theft, not government spying or abuse from Google. But in both government and commercial hands, metadata have become more revealing than content. Respondents don’t seem to worry about it though.

Why I Don’t Support USA Freedom Act

Earlier today, Harry Reid filed for cloture for the USA Freedom Act. So Patrick Leahy’s reform for the phone dragnet will get a vote in the lame duck.

As you may remember, I don’t support USAF. Here’s a summary of why.

No one will say how the key phone record provision of the bill will work

USAF rolls out a new Call Detail Record provision providing for prospective daily collection of selected phone records. While it would replace the phone dragnet — which is a really really important improvement — there are many questions about the provision that James Clapper’s office refused to answer (and refused to respond to a FOIA I filed to find out). Most importantly, no one can explain what “connection chaining” — which clearly permits chaining on things other than phone calls and texts made — includes. I worry that language will be used to connect on things available through phone cloud storage, like address books, calendars, and photos (which we know the NSA uses overseas). I also strongly believe (though some people I’ve talked to disagree) that Verizon’s supercookie qualifies as a CDR under the bill (it can be collected under other authorities in any case) and therefore will make it easier to access communications records for “correlated” identities accessed via the same phone. Whether this is the intent or not, we know from the Yahoo precedent that there will be significant mission creep within months of passing this bill.

USAF negotiates from a weak position and likely moots potentially significant court gains

Right now, the main PATRIOT authorities at question here — Section 215 and PRTT — are scheduled to sunset in June. They’ll be renewed one way or another. But in April to May, reformers will have more leverage than they do now.

Bill supporters claim civil liberties groups have never gotten concessions from a sunset. That’s plainly wrong, because reformers did on FISA Amendments Act, where (among other things) protection for Americans overseas was won with the wait. Admittedly, given the new Senate, we’d be worse positioned (with the exception of Thad Cochran being potentially better than Barb Mikulski at Appropriations). That said, we would likely be better prepared not to squander our far stronger position in the House, as civil liberties groups did on USAF, so legislatively it might be a wash, though with reformers having more leverage.

More importantly, passing this now may moot court decisions in 3 circuit courts (the 2nd and DC, where phone dragnet challenges have already been heard, and the 9th, where the hearing hasn’t been held yet). While Larry Klayman clearly botched his hearing in DC with a surprisingly receptive panel and a precedent that would make this program glaringly illegal, the 2nd seems otherwise poised to rule the FISC’s redefinition of “relevant to” to mean “everything” illegal, across all programs. In other words, this legislation will probably pre-empt making real change in the courts in the near term. And no one will get standing again on these issues in the near future.

USAF’s effects in limiting bulk collection are overstated

As I said, I believe USAF eliminates the existing phone dragnet by requiring the use of selectors for collection. That’s good!

However, because the bill permits non-communications companies to be used as selectors, it almost certainly won’t end known financial dragnets involving Western Union transfers and purchase records (and as I describe below, those dragnets are also excluded from transparency provisions). I also think the bill will do nothing to limit FBI’s PRTT program (if it still exists — it existed and was sharing data with the NSA at least until 2012); I suspect — this is a wildarseguess — that is a bulky, not bulk, use of Stingrays to get location, which also would be exempted from reporting. There’s absolutely no reason to believe that the bill would affect other PRTT or NSL programs, because the ones included are all currently bulky, not bulk, programs. So it will eliminate the ability for the government to get every phone record in the US, but it will leave other non-phone dragnets intact and largely hidden by deceptive “transparency” provisions.

USAF would eliminate any pushback from providers

USAF provides providers — and 2nd level contractors — expansive immunity. So long as they are ordered to do something, whether they believe it is legal or not, they cannot be held liable. In addition, the bill compensates providers, which the existing Section 215 cannot do (the government even had to stop compensating telecoms after the first 2 dragnet orders). Finally, the bill requires assistance of providers, whereas the existing law can only collect existing business records (I believe the absence of all three things explains the big gaps in the government’s cell phone coverage). These three provisions are designed, I strongly suspect, to overcome Verizon’s disinterest in being an affirmative spy wing of the government, which is probably the real point of this bill. Possibly, they’re designed to get Verizon — the most important mobile provider — to do the kind of affirmative analysis for the government that AT&T currently does.

USAF may have the effect of weakening existing minimization procedures

In at least 3 areas, I worry that USAF will actually weaken existing minimization procedures. Under both the PRTT and Section 215 authority, the FISC currently imposes minimization procedures. For the former, the bill would put the authority to devise “privacy procedures” in the hands of the Attorney General (though says it doesn’t change the law; thing is, FISC minimization procedures aren’t in the law). The bill mandates minimization procedures for bulky collection, but it’s not clear whether those procedures are even as good as what the FISC currently imposes (they’re probably very similar). Most troubling of all, the bill doesn’t provide the FISC authority to require the government to destroy records collected under the emergency provision if found to have been improperly collected, a significant deterioration from the status quo, and one that it appears the FISC may have already needed to use.

USAF’s transparency provisions are bullshit

I don’t mean to be an asshole on this point, but I actually think many of USAF’s “transparency” provisions are counter-productive, because they are very obviously designed to hide the programs that we know exist, but that won’t be affected by USAF’s selection term provisions, because only communications dragnets get counted, sort of; financial dragnets won’t get counted and location dragnets won’t get counted. That will make it very very difficult to organize to eliminate any of the residual bulk programs (because the bill champions will have assured people they don’t exist and they won’t show up in transparency provisions). In addition, they tacitly permit the NSA and FBI to pretend they’re not conducting fairly bulky domestic wiretapping by providing them ways to avoid counting that illegal wiretapping. In addition, the FBI will be permitted to hide how much spying they’re doing on Americans (though for some, not all, provisions, their collection will be reported misleadingly as foreign collection). And the introduction of ranges will hide still more of their spying. See this post for my estimate of how the bill hides millions of Americans affected.

Other laudable provisions — like the Advocate — will easily be undercut

My other big warning about the bill is not meant to disqualify it, but is meant to suggest supporters are vastly overestimating its impact. James Clapper has made it very clear that he intends to ensure the Advocate (or amicus, as Clapper calls it) remains powerless. And the Yahoo documents make it clear that precedent at the FISCR says the ex parte procedures in FISA will be used to prevent the Advocate from reviewing materials she needs to do her job. As I said here, though, that’s not reason to oppose the bill; if PCLOB is any indication, the bill will start us down a 9-year process at the end of which we might have a functioning advocate. But it’s reason to be honest about how leaving ex parte provisions intact in FISA will make this Advocate very weak.

All this is before the things the bill doesn’t even claim to address: back door searches, EO 12333, spying on foreigners.

The bill will get phone records out of the hands of the government. But from that point on, I’m not sure how much of an improvement it is.

If the NSA “Won” the War in Iraq, Why Are We Still Losing It?

To Shane Harris’ misfortune, his book, @War, out today, came out on the same day that General Daniel Bolger’s book, Why We Lost, came out.

That means Harris’ first excerpt, initially titled “How the NSA Sorta Won the Last Iraq War,” came out just days before Bolger’s op-ed today, mourning another Veteran’s Day to contemplate the 80 men he lost. Bolger wants us to stop telling the lie that the surge won the Iraq War.

Here’s a legend that’s going around these days. In 2003, the United States invaded Iraq and toppled a dictator. We botched the follow-through, and a vicious insurgency erupted. Four years later, we surged in fresh troops, adopted improved counterinsurgency tactics and won the war. And then dithering American politicians squandered the gains. It’s a compelling story. But it’s just that — a story.

The surge in Iraq did not “win” anything. It bought time. It allowed us to kill some more bad guys and feel better about ourselves. But in the end, shackled to a corrupt, sectarian government in Baghdad and hobbled by our fellow Americans’ unwillingness to commit to a fight lasting decades, the surge just forestalled today’s stalemate. Like a handful of aspirin gobbled by a fevered patient, the surge cooled the symptoms. But the underlying disease didn’t go away. The remnants of Al Qaeda in Iraq and the Sunni insurgents we battled for more than eight years simply re-emerged this year as the Islamic State, also known as ISIS.

Harris’s story, which explains how network analysis and then hacking of Iraqi insurgents — including Al Qaeda in Iraq — helped us to win the surge, relies on that legend.

TAO hackers zeroed in on the leaders of the al Qaeda group. Centering their operations in Baghdad, they scooped up e-mail messages that the terrorists had left in draft form in their personal accounts, where they could be picked up by fellow fighters without having to be sent over the Internet. This was a common trick terrorists used to avoid detection. TAO had been on to it for years.

For TAO, hacking into the communications network of the senior al Qaeda leaders in Iraq helped break the terrorist group’s hold on the neighborhoods around Baghdad. By one account, it aided U.S. troops in capturing or killing at least ten of those senior leaders from the battlefield.

[snip]

For the first time in the now four-year-old Iraq War, the United States could point to a strategy that was actually working. The overall success of the surge, which finally allowed U.S. forces to leave Iraq, has been attributed to three major factors by historians and the commanders and soldiers who served there. First, the additional troops on the ground helped to secure the most violent neighborhoods, kill or capture insurgents, and protect Iraq’s civilians. The cities became less violent, and the people felt safer and more inclined to help the U.S. occupation. Second, insurgent groups who were outraged by al Qaeda’s brutal, heavy-handed tactics and the imposition of religious law turned against the terrorists, or were paid by U.S. forces to switch their allegiances and fight with the Americans. This so-called Sunni Awakening included 80,000 fighters, whose leaders publicly denounced al Qaeda and credited the U.S. military with trying to improve the lives of Iraqi citizens.

But the third and arguably the most pivotal element of the surge was the series of intelligence operations undertaken by the NSA and soldiers such as Stasio. Former intelligence analysts, military officers, and senior Bush administration officials say that the cyber operations opened the door to a new way of obtaining intelligence, and then integrating it into combat operations on the ground. The information about enemy movements and plans that U.S. spies swiped from computers and phones gave troops a road map to find the fighters, sometimes leading right to their doorsteps. This was the most sophisticated global tracking system ever devised, and it worked with lethal efficiency.

Gen. David Petraeus, the commander of all coalition forces in Iraq, credited this new cyber warfare “with being a prime reason for the significant progress made by U.S. troops” in the surge, which lasted into the summer of 2008, “directly enabling the removal of almost 4,000 insurgents from the battlefield.” The tide of the war in Iraq finally turned in the United States’ favor.

I didn’t get a review copy of Harris’ book, so I’ll have to let you know whether he grapples with the fact that this victory lap instead led us to where we are now, escalating the war in Iraq again, with ISIL even more powerful for having combined Saddam’s officers with terrorist methods. I’ll also have to let you know why Harris claims this started in 2007, when we know NSA was even wiretapping Iraqi targets in the US as early as 2004, a program that got shut down in the hospital confrontation.

Harris would have done well to consider Bolger’s call for an assessment of this failure.

That said, those who served deserve an accounting from the generals. What happened? How? And, especially, why? It has to be a public assessment, nonpartisan and not left to the military. (We tend to grade ourselves on the curve.) Something along the lines of the 9/11 Commission is in order. We owe that to our veterans and our fellow citizens.

Such an accounting couldn’t be more timely. Today we are hearing some, including those in uniform, argue for a robust ground offensive against the Islamic State in Iraq. Air attacks aren’t enough, we’re told. Our Kurdish and Iraqi Army allies are weak and incompetent. Only another surge can win the fight against this dire threat. Really? If insanity is defined as doing the same thing over and over and expecting different results, I think we’re there.

That is, if this network analysis and hacking is so superb, then why didn’t it work? Did we not understand the networks that our spectacular tech exposed? Or did we do the wrong thing with it, try to kill it rather than try to win it over? Not to mention, did we account for the necessarily temporary value of all these techniques, given that targets will figure out that their cell phones, the RFID tags, their laptops, or whatever new targeting means we devise are serving as a beacon.

And there’s one more lesson in Harris’ excerpt, one I doubt he admits.

Earlier in the excerpt, he explains in giddy language how the NSA’s hackers broke an insurgent method of leaving draft unsent emails.

Centering their operations in Baghdad, they scooped up e-mail messages that the terrorists had left in draft form in their personal accounts, where they could be picked up by fellow fighters without having to be sent over the Internet. This was a common trick terrorists used to avoid detection. TAO had been on to it for years.

Even while he provides David Petraeus opportunity to do a victory lap for the surge that in fact did not win the war, he doesn’t mention that Petraeus adopted this insurgent technique to communicate with his mistress, Paula Broadwell. Harris also doesn’t mention that the FBI, like the NSA before it, easily broke the technique.

More important still, Harris doesn’t mention that FBI found reason to do so. These techniques — described with such glee — were turned back on even the man declaring victory over them. They didn’t win the war in either Iraq or Afghanistan, but they sure made it easy for President Obama to take out Petraeus when he became inconvenient.

I have no sympathy for Petraeus, don’t get me wrong. But he is an object lesson in how these techniques have not brought victory to the US. And it’s time to start admitting that fact, and asking why not.

Update: In a post I could have written (though probably not as well), Stephen Walt engages in a counterfactual, asking whether, if we didn’t have the dragnet, we might be doing better at fighting terrorism. Go read the whole thing, but here’s part of it:

Second, if we didn’t have all these expensive high-tech capabilities, we might spend a lot more time thinking about how to discredit and delegitimize the terrorists’ message, instead of repeatedly doing things that help them make their case and recruit new followers. Every time the United States goes and pummels another Muslim country — or sends a drone to conduct a “signature strike” — it reinforces the jihadis’ claim that the West has an insatiable desire to dominate the Arab and Islamic world and no respect for Muslim life. It doesn’t matter if U.S. leaders have the best of intentions, if they genuinely want to help these societies, or if they are responding to a legitimate threat; the crude message that drones, cruise missiles, and targeted killings send is rather different.

If we didn’t have all these cool high-tech hammers, in short, we’d have to stop treating places like Afghanistan, Pakistan, Iraq, and Syria as if they were nails that just needed another pounding, and we might work harder at marginalizing our enemies within their own societies. To do that, we would have to be building more effective partnerships with authoritative sources of legitimacy within these societies, including religious leaders. Our failure to do more to discredit these movements is perhaps the single biggest shortcoming of the entire war on terror, and until that failure is recognized and corrected, the war will never end.