The Foreign Metadata Problem

In this post, I argued that a likely explanation for the NSA’s limits on collecting domestic cell phone data stem from a decision Verizon made in 2009 to stop participating in an FBI call records program. I’m not sure if I’m right about the cause (I know I’m not right about the timing), but I based part of my argument on how the FISA Court resolved a problem with telecoms turning over foreign data in 2009. And that resolution definitely indicates there’s something different about the way Verizon produces dragnet data from how AT&T does (Sprint is probably a third case, but not as important for these purposes).

Let me be clear: Verizon was not the only telecom to have the problem. It affected at least one other telecom; I believe it may have affected all of them. But the FISC resolved it differently with Verizon, which I believe shows that Verizon complies with the Section 215 orders in different fashion than AT&T and Sprint.

The problem was first identified when, in May 2009, Verizon informed the NSA it had been including foreign-to-foreign records in the data it provided to the NSA. Here’s how David Kris explained it in his report accompanying the phone dragnet End-to-End Report.

NSA advised that for the first time, in May 2009, [redacted–Verizon] stated it produced foreign-to-foreign records pursuant to the Orders. [redacted–Verizon] stopped its production of this set of foreign-to-foreign records on May 29, 2009, after service of the Secondary Order in BR 09-06, which carves out foreign-to-foreign records from the description of records to be produced. (19)

In an accompanying declaration Keith Alexander provided more detail.

In May 2009, during a discussion between NSA and [redacted–Verizon] regarding the production of metadata, a [redacted–Verizon] representative stated that [redacted] produced the records [redacted] pursuant to the BR FISA Orders. This was the first indication that NSA had ever received from [redacted–Verizon] of its contrary understanding. At the May 28, 2009, hearing in docket number BR 09-06, the government informed the Court of [redacted redacted]. To address the issue, based on the government’s proposal, the Court issued a Secondary Order to [redacted] in docket number BR 09-06 that expressly excluded foreign-to-foreign call detail records from the scope of records to be produced. On May 29, 2009, upon service of the Secondary Order in docket number BR 09-06, [redacted–Verizon] ceased providing foreign-to-foreign records [redacted]. (42/PDF67)

Almost every dragnet order since that May 29, 2009 one has broken its production order out into two subparagraphs to reflect this change.

[Screenshot: the two-subparagraph production order]

We can be virtually certain that Verizon is this provider, because the Verizon secondary order leaked by Edward Snowden includes the language excluding foreign-to-foreign data. That long redaction likely hides Verizon’s full name under this program, “Verizon Business Network Services, Inc. on behalf of MCI Communication Services Inc., d/b/a Verizon Business Services (individually and collectively ‘Verizon’),” which is the name initially used in the secondary order.

Additionally, ODNI originally released the January 20, 2011 primary order with the paragraph that clarifies this with Verizon’s name unredacted. The paragraph remains in the dragnet orders, even after Verizon and Vodafone split earlier this year (though if the split affected this issue, they may have hidden the fact by retaining the paragraph, given that they’re now anticipating declassification of the orders).

Less than a month after this incident, on June 25, the NSA finished its End-to-End report, which reported just the Verizon issue. Sometime between then and July 9, the FISC appears to have realized one of the other providers had a similar problem. The July 9, 2009 dragnet order, in the only exception I know to the two-part production order, looked like this:

[Screenshot: the July 9, 2009 production order]

The production order is to plural custodians of records, meaning at least two providers must be named. But it applies the Verizon rules to all of the named providers.

The order also requires an explanation for inclusion of the foreign-to-foreign records (see the bullet at 16-17). It is redacted in the released order but the DOJ submission (see page 6) shows that Judge Walton ordered,

a full explanation of the extent to which NSA has acquired call detail records of foreign-to-foreign communications from [redacted–too long to just be Verizon] pursuant to orders of the FISC, and whether the NSA’s storage, handling, and dissemination of information in those records, or derived therefrom, complied with the Court’s orders;

The September 3, 2009 order reverts to the two-paragraph structure. But it also orders retroactive production from one of the providers (AT&T or Sprint, probably the latter based on redaction length) named in the first paragraph (I first wrote about this here).

In addition, the Custodian of Records of [redacted] shall produce to NSA upon service of the appropriate Secondary Order an electronic copy of the same tangible things created by [redacted] for the period from 5:11 p.m. on July 9, 2009 to the date of this Order, to the extent those records still exist.

And adds a requirement that NSA report on any significant changes in reapplications, including on any changes to how the government obtains the data from carriers.

Any application to renew or reinstate the authority granted herein shall include a report describing: (1) the queries made since the end of the reporting period of the last report filed with the Court; (ii) the manner in which NSA applied the procedures set forth in paragraph (3)C above; and (iii) any proposed changes in the way in which the call detail records would be received from the carriers and any significant changes to the systems NSA uses to receive, store, process, and disseminate BR metadata. [my emphasis]

The DOJ report provides further evidence that at least one other provider provided foreign-to-foreign records. When Kris introduces this problem (see page 18), he references a three part discussion in Alexander’s declaration.

[Screenshot: Kris’s reference to the three-part discussion in the Alexander declaration]

You can see the heading for the third provider on page 46/PDF 71 of the Alexander declaration.

So the report appears to have commented on all three providers. The problem clearly affected two of them.

But FISC only retains the clarification for Verizon.

As I said, I appear to be wrong about the timing of this. I had suggested it was tied to Verizon deciding not to re-up its contract under the FBI phone program in 2009. That almost certainly had to have happened (as Charlie Savage noted to me via Twitter, the Exigent Letter IG Report was focused on AT&T, MCI, and Verizon, and one of the latter two, which means basically one part of Verizon, backed out).

But the End-to-End Report makes it clear Verizon first started turning over this data in January 2007.

This foreign-to-foreign metadata started coming into NSA in January 2007. (15)

There was not even a dragnet order signed in January 2007, so it can’t be tied primarily to the phone dragnet. It also preceded the end of the on-site phone provider program (which ended in December 2007) and even the release of the first NSL IG Report in March 2007, which led the providers to get squirrelly (see page 191 for these dates).

The details regarding the potential problems with Verizon’s provision of foreign-to-foreign records suggest this may have something to do with upstream production (Verizon had been providing upstream records to the NSA for years, but it only came under the oversight of the FISC in January 2007).

Furthermore, because the records are records of foreign-to-foreign communications, almost all of them do not concern the communications of U.S. persons. To the extent any of the records concern the communications of U.S. persons, such communications would be afforded the same protections as any other U.S. person communication [redacted] authorities. Id. at 43. (19)

[snip]

almost all of them concern the communications of non-U.S. persons located outside the United States. If NSA were to find that any of the records concerned U.S. persons, their dissemination would be governed by the terms of USSID 18 which are the procedures established pursuant to EO 12333, as amended. (68)

The discussion of records that might “concern the communications” sounds like an “about” search (though I’m not sure of what).

All that said, AT&T should have had the same upstream “about” obligations starting in January 2007 that Verizon did. I suspect (based on my guess that Sprint is the production that got shut down) the July 9, 2009 order is the only instruction they ever got to stop providing foreign-to-foreign records. Yet FISC felt the need — still feels the need — to keep that explicit order to Verizon in every single primary order.

Mind you, all this shows that Verizon was able to shut down the foreign production immediately, on the same day. So it’s clear they can shut down certain kinds of production.

All this seems to suggest that — in addition to at least some part of Verizon withdrawing from the FBI’s records program, and to Verizon not retaining records for the same length of time AT&T does — Verizon also produces phone dragnet data differently than AT&T does.

Emergency Dragnet Chaining, Now with First Amendment Protections!

Thursday, I Con the Record quietly released the most recent phone dragnet order, BR-125, dated September 11, 2014 (curiously, I Con the Record went back to correct its original release to indicate the order had been reauthorized on 9/11, not 9/12; I think FISC has been setting deadlines such that they are a Friday, but this one was approved on a Thursday).

Congratulations, Raymond Dearie! The government will point to your approval of this order as yet more proof of the soundness of the program.

There is one intriguing new addition to the order (the change shows up in two places). Both footnote 6 and footnote 7 add a requirement to the emergency provision for a First Amendment review. Footnote 7, which is more extensive, reads:

Before an emergency query is performed under this authority, NSA’s Office of General Counsel (OGC), in consultation with the Director or Acting Director shall confirm that any selection term reasonably believed to be used by a United States (U.S.) person is not regarded as associated with [redacted–description of terrorist groups acceptably included in this program] solely on the basis of activities that are protected by the First Amendment of the Constitution.

Such a requirement was not in the emergency procedures as originally proposed by the government nor in the orders issued since. (Update: Though of course, First Amendment review is required by the law; ultimately, the order for NSA to do a First Amendment review is tantamount to a reminder that it has to follow the law even when doing emergency queries.)

While we can’t know whether this got added because NSA used the emergency provisions to chain on someone for their speech, most changes to dragnet orders have historically been a response to some kind of problem.

And whether or not this language arose out of some issue or just intelligent caution, it provides yet another reason why the emergency provision of USA Freedom Act should not be passed as written.

As I have laid out, one of the ways in which Leahy’s emergency provision is notably worse than this emergency provision is that it puts the Attorney General in charge of compliance. It does not — as the current emergency provisions do — give broad authority to the FISC to remedy any collection conducted under the emergency provision that should not have been. As adopted, the current provisions even permit the FISC to order “destroying the results of the emergency query and recalling any reports or other disseminations based on those results.”

Under USA Freedom, if the FISC caught the government using an emergency authorization to identify the communications network of someone who engaged in protected speech, it would not have the explicit authority to demand the Attorney General destroy the records collected as a result. It has that authority right now.

And the latest dragnet order at least raises questions about whether it has already had to exercise that authority.

Why DOJ Withheld the Correlations Opinion: The DC Circuit’s Mosaic

On January 9, 2014, the government appealed Judge Richard Leon’s decision finding the phone dragnet in Klayman v. Obama to the DC Circuit.

The DC Circuit, of course, is the court that issued U.S. v. Maynard in 2010, the first big court decision backing a mosaic theory of the Fourth Amendment. And while the panel that ultimately heard the Klayman appeal included two judges who voted to have the entire circuit review Maynard, the circuit precedent in Maynard includes the following statement.

As with the “mosaic theory” often invoked by the Government in cases involving national security information, “What may seem trivial to the uninformed, may appear of great moment to one who has a broad view of the scene.” CIA v. Sims, 471 U.S. 159, 178 (1985) (internal quotation marks deleted); see J. Roderick MacArthur Found. v. F.B.I., 102 F.3d 600, 604 (D.C. Cir. 1996). Prolonged surveillance reveals types of information not revealed by short-term surveillance, such as what a person does repeatedly, what he does not do, and what he does ensemble. These types of information can each reveal more about a person than does any individual trip viewed in isolation. Repeated visits to a church, a gym, a bar, or a bookie tell a story not told by any single visit, as does one’s not visiting any of these places over the course of a month. The sequence of a person’s movements can reveal still more; a single trip to a gynecologist’s office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story.* A person who knows all of another’s travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups — and not just one such fact about a person, but all such facts.

With that precedent, the DC Circuit is a particularly dangerous court for the Administration to review a dragnet that aspires to collect all Americans’ call records and hold them for 5 years.

On March 31, 2014, the government submitted a motion for summary judgment in EFF’s FOIA for Section 215 documents, and an equivalent motion in the ACLU’s. One of the only things the government specifically withheld — on the grounds that it described a dragnet analysis technique it was still using — was an August 20, 2008 FISC opinion authorizing the technique in question, which it did not name.

Two days before FISC issued that August 20, 2008 opinion, the NSA was explaining to the court how it made correlations between identifiers to contact chain on all those identifiers. Two days is about what we’ve seen for final applications before the FISC rules on issues, to the extent we’ve seen dates, suggesting the opinion is likely about correlations.

Here’s how the government described correlations, in various documents submitted to the court in 2009.

They define what a correlated address is (and note, this passage, as well as other passages, does not limit correlations to telephone metadata — indeed, the use of “address” suggests correlations include Internet identifiers).

The analysis of SIGINT relies on many techniques to more fully understand the data. One technique commonly used is correlated selectors. A communications address, or selector, is considered correlated with other communications addresses when each additional address is shown to identify the same communicant as the original address.

They describe how the NSA establishes correlations via many means, but primarily through one particular database.

NSA obtained [redacted] correlations from a variety of sources to include Intelligence Community reporting, but the tool that the analysts authorized to query the BR FISA metadata primarily used to make correlations is called [redacted].

[redacted] — a database that holds correlations [redacted] between identifiers of interest, to include results from [redacted] was the primary means by which [redacted] correlated identifiers were used to query the BR FISA metadata.

They make clear that NSA treated all correlated identifiers as RAS approved so long as one identifier from that user was RAS approved.

In other words, if there was a successful RAS determination made on any one of the selectors in the correlation, all were considered RAS-approved for purposes of the query because they were all associated with the same [redacted] account

And they reveal that until February 6, 2009, this tool provided “automated correlation results to BR FISA-authorized analysts.” While the practice was shut down in February 2009, the filings make clear NSA intended to get the automated correlation functions working again.
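To make the propagation rule in these filings concrete, here is an added illustration (not the NSA’s tool or code; every selector and call record in it is constructed) that models correlation sets with a union-find structure, applies the “any one RAS determination covers the whole set” rule, and chains contacts from the resulting seeds so the widening of query scope can be counted rather than guessed at.

```python
"""Added illustration of the correlated-selector rule (not NSA code).

Constructed model: selectors are grouped into correlation sets ("same
communicant"); a RAS determination on any one member is treated as covering
every member, and hop-limited contact chaining then runs from all of them.
"""
from collections import deque


class CorrelationStore:
    """Union-find over selectors; one root per 'same communicant' set."""

    def __init__(self):
        self._parent = {}

    def find(self, selector):
        self._parent.setdefault(selector, selector)
        root = selector
        while self._parent[root] != root:
            root = self._parent[root]
        while self._parent[selector] != root:  # path compression
            nxt = self._parent[selector]
            self._parent[selector] = root
            selector = nxt
        return root

    def correlate(self, a, b):
        """Record that a and b identify the same communicant."""
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self._parent[rb] = ra

    def members(self, selector):
        root = self.find(selector)
        return {s for s in list(self._parent) if self.find(s) == root}


def ras_approved_seeds(store, ras_determinations, propagate=True):
    """Seeds for chaining. With propagate=True (the rule in the 2009 filings)
    a RAS determination on one selector covers every correlated selector."""
    seeds = set()
    for selector in ras_determinations:
        seeds |= store.members(selector) if propagate else {selector}
    return seeds


def contact_chain(records, seeds, hops):
    """Breadth-first chaining over undirected call records, at most `hops`
    away from any seed. Returns {identifier: hop distance}."""
    adjacency = {}
    for a, b in records:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    reached = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        cur = queue.popleft()
        if reached[cur] >= hops:
            continue
        for nbr in adjacency.get(cur, ()):
            if nbr not in reached:
                reached[nbr] = reached[cur] + 1
                queue.append(nbr)
    return reached


# Constructed sample data (hypothetical selectors, not real records).
CORRELATIONS = [("phone-A1", "phone-A2"), ("phone-A2", "email-A"),
                ("phone-B1", "phone-B2")]
RECORDS = [("phone-A1", "phone-X"), ("phone-A2", "phone-Y"),
           ("email-A", "email-Z"), ("phone-X", "phone-W"),
           ("phone-Y", "phone-B1"), ("phone-B2", "phone-V")]
RAS_DETERMINATIONS = ["phone-A1"]  # the only selector actually RAS-reviewed


def build_store(correlations=CORRELATIONS):
    store = CorrelationStore()
    for a, b in correlations:
        store.correlate(a, b)
    return store


def scope_comparison(hops=2):
    """Identifiers reached without and with RAS propagation, as two sets."""
    store = build_store()
    narrow = contact_chain(
        RECORDS, ras_approved_seeds(store, RAS_DETERMINATIONS, False), hops)
    broad = contact_chain(
        RECORDS, ras_approved_seeds(store, RAS_DETERMINATIONS, True), hops)
    return set(narrow), set(broad)


if __name__ == "__main__":
    narrow, broad = scope_comparison()
    print(f"one RAS-approved selector: {len(narrow)} reached {sorted(narrow)}")
    print(f"with correlation propagation: {len(broad)} reached {sorted(broad)}")
    # phone-B1 is reached even though no RAS determination touched the B set.
```

The B set in the sample shows the point of the passage: a second communicant’s identifier lands inside the chain without any RAS determination of its own, purely because correlation expanded the seed set.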

While it’s unclear whether this screen capture describes the specific database named behind the redactions in the passages above, it appears to describe an at-least related process of identifying all the equivalent identities for a given target (in this case to conduct a hack, but it can be used for many applications).

[Screen capture: Correlations]

If I’m right that the August 20, 2008 memo describes this correlations process, it means one of the things the government decided to withhold from EFF and ACLU (who joined Klayman as amici) after deciding to challenge Leon’s decision in a court with a precedent of recognizing a mosaic theory of the Fourth Amendment was a document that shows the government creates a mosaic of all these dragnets.

It’s not just a phone dragnet (and it’s not just US collected phone records). It’s a domestic and internationally-collected phone and Internet and other metadata dragnet, and after that point, if it sucks you into that dragnet, it’s a financial record and other communications dragnet as well (for foreigners, I imagine, you get sucked in first, without an interim stage).

Even though both Janice Rogers Brown and David Sentelle voted to reconsider the mosaic theory in 2010, Sentelle’s questions seemed to reflect a real concern about it. Unsurprisingly, given that he authored a fairly important opinion in U.S. v. Quartavious Davis holding that the government needed a warrant to get stored cell site location data while he was out on loan to the 11th Circuit earlier this year, his questions focused on location.

Sentelle: What information if any is gathered about the physical location of wireless callers, if anything? Cell tower type information.

Thomas Byron: So Judge Sentelle, what is not included. Cell tower information is not included in this metadata and that’s made clear in the FISC orders. The courts have specified that it’s not included.

Note how Byron specified that “cell tower information is not included in this metadata”? Note how he also explains that the FISC has specified that CSLI is not included, without explaining that that’s only been true for 15 months (meaning that there may still be incidentally collected CSLI in the databases). Alternately, if the NSA gets cell location from the FBI’s PRTT program (my well-educated guess is that the FBI’s unexplained dragnet — the data from which it shares with the NSA — is a Stingray program), then that data would get analyzed along with the call records tied to the same phones, though it’s not clear that this location data would be available through the known but dated metadata access, which is known only to include Internet, EO 12333, and BR FISA phone metadata.

Stephen Williams seemed even more concerned with the Maynard precedent, raising it specifically, and using it to express concern about the government stashing 5 years of phone records.

Williams: Does it make a significant difference that these data are collected for a five year period.

Byron’s response was particularly weak on this point, trying to claim that the government’s 90-day reauthorizations made the 5 years of data that would seem to be clearly unacceptable under Maynard (which found a problem with one week of GPS data) acceptable.

Byron: It’s not clear in the record of this case how much time the telephone companies keep the data but the point is that there’s a 90 day period during which the FISC orders are operative and require the telephone companies to turn over the information from their records to the government for purposes of this program. Now the government may retain it for five years but that’s not the same as asking whether the telephone company must keep it for five years.

Williams: How can we discard the five year period that the government keeps it?

Williams also, later, asked about what kind of identities are involved, which would also go to the heart of the way the government correlates identities (and should warrant questions about whether the government is obtaining Verizon’s supercookie).

Byron expressed incredible (as in, not credible) ignorance about how long the phone companies keep this data; only AT&T keeps its data that long. Meaning the government is hoarding records well beyond what users should have an expectation the third party in question would hoard the data, which ought to eliminate the third party justification by itself.

Janice Rogers Brown mostly seemed to want things to be easy, one bright line that cops could use to determine what they could and could not obtain. Still, she was the only one to raise the other kinds of data the government might obtain.

JRB: Does it matter to whom the record has been conveyed. For instance, medical records? That would be a third party’s record but could you draw the same line.

Byron: Judge Brown, I’m glad you mentioned this because it’s really important to recognize in the context of medical records just as in the context, by the way, of telephone records, wiretap provisions, etcetera, Congress has acted to protect privacy in all of these areas. For example, following the Miller case, Congress passed a statute governing the secrecy of bank records. Following the Smith case, Congress passed a statute governing wiretaps. HIPAA, in your example, Judge Brown, would govern the restrictions, would impose restrictions on the proper use of medical information. So too here, FISA imposes requirements that are then enforced by the Foreign Intelligence Surveillance Court. And those protections are essential to understanding the program and the very limited intrusion on any privacy interest.

While Byron had a number of very misleading answers, this probably aggravated me the most. After all, the protections that Congress created after the Miller case and the Smith case were secretly overridden by the FISC in 2008 and 2010, when it said limitations under FISA extended for NSLs could also be extended for 215 orders. And we have every reason to believe the government could, if not has, obtained medical records if not actual DNA using a Section 215 order; I believe both would fall under a national security exception to HIPAA. Thus, whatever minimization procedures FISC might impose, it has, at the same time, blown off precisely the guidelines imposed by Congress.

The point is, all three judges seemed to be thinking — to a greater or lesser extent — of this in light of the Maynard precedent, Williams particularly so. And yet because the government hid the most important useful evidence about how they use correlations (though admittedly the plaintiffs could have submitted the correlations data, especially in this circuit), the legal implications of this dragnet being tied to other phone and Internet dragnets and from there more generalized dragnets never got discussed.

Don’t get me wrong. Larry Klayman likely doomed this appeal in any case. On top of being overly dramatic (which I think the judges would have tolerated), he misstated at least two things. For example, he claimed violations reported at the NSA generally happened in this program alone. He didn’t need to do that. He could have noted that 3,000 people were dragnetted in 2009 without the legally required First Amendment review. He could have noted 3,000 files of phone dragnet data were not destroyed in timely fashion, apparently because techs were using the real data on a research server. The evidence to show this program has been — in the past at least — violative even of the FISC’s minimization requirements is available.

Klayman also claimed the government was collecting location data. He got caught, like a badly prepared school child, scrambling for the reference to location in Ed Felten’s declaration, which talked about trunk location rather than CSLI.

In substantive form, I don’t think those were worse than Byron’s bad evasions … just more painful.

All that said, all these judges — Williams in particular — seemed to want to think of this in terms of how it fit in a mosaic. On that basis, the phone dragnet should be even more unsustainable than it already is. And some of that evidence is in the public record, and should have been submitted into the record here.

Still, what may be the most important part of the record was probably withheld, by DOJ, after DOJ decided it was going to appeal in a circuit where that information would have been centrally important.

The Klayman Hearing: Everyone Can Stand If DOJ Has the Backbone

Update: See this post, which explains that I’m wrong about the timing of Verizon’s different approach to production than AT&T. And that difference precedes Verizon’s withdrawal from the FBI call record program in 2009 — it goes back to 2007.

I’m finally getting around to listening to the Klayman v. Obama hearing from the other day, which you can listen to here. I’ll have more to say on it later. But my impression is that — because of the incomplete reporting of a bunch of NSA beat reporters — Klayman may be improperly thrown out on standing because he is only a Verizon cell customer, not a Verizon landline customer.

Back on June 14, 2013, the WSJ reported that Verizon Wireless and T-Mobile don’t turn over records under the phone dragnet, but that the government obtains those records anyway as they travel across the domestic backbone, largely owned by AT&T and Verizon Business Services.

The National Security Agency’s controversial data program, which seeks to stockpile records on all calls made in the U.S., doesn’t collect information directly from T-Mobile USA and Verizon Wireless, in part because of their foreign ownership ties, people familiar with the matter said.

The blind spot for U.S. intelligence is relatively small, according to a U.S. official. Officials believe they can still capture information, or metadata, on 99% of U.S. phone traffic because nearly all calls eventually travel over networks owned by U.S. companies that work with the NSA.

[snip]

Much of the U.S.’s telecom backbone is owned by two companies: AT&T and Verizon Business Network Services Inc., a U.S. subsidiary of Verizon Communications that it views as a separate network from its mobile business. It was the Verizon subsidiary that was named in the FISA warrant leaked by NSA contractor Edward Snowden to the Guardian newspaper and revealed last week.

When a T-Mobile or Verizon Wireless call is made, it often must travel over one of these networks, requiring the carrier to pay the cable owner. The information related to that transaction—such as the phone numbers involved and length of call—is recorded and can then be passed to the NSA through its existing relationships.

Then, on February 7, 2014, the WSJ (and 3 other outlets) reported something entirely different — that the phone dragnet only collects around 20% of phone records (others reported the number to be a higher amount).

The National Security Agency’s collection of phone data, at the center of the controversy over U.S. surveillance operations, gathers information from about 20% or less of all U.S. calls—much less than previously thought, according to people familiar with the NSA program.

The program had been described as collecting records on almost every phone call placed in the U.S. But, in fact, it doesn’t collect records for most cellphones, the fastest-growing sector in telephony and an area where the agency has struggled to keep pace, the people said.

Over the course of 8 months, the WSJ’s own claim went from the government collecting 99% of phone data (defined as telephony) to the government collecting 20% (probably defining “call data” broadly to include VOIP), without offering an explanation of what changed. And it was not just its own earlier reporting with which WSJ conflicted; aspects of it also conflicted with a lot of publicly released primary documents about what the program has done in the past. Nevertheless, there was remarkably little interest in explaining the discrepancy.

I’m getting a lot closer to being able to explain the discrepancy in WSJ’s reporting. And if I’m right, then Larry Klayman should have standing (though I’m less certain about Anna Smith, who is appealing a suit in the 9th Circuit).

I’m fairly certain (let me caveat: I think this is the underlying dynamic; the question is the timing) the discrepancy arises from the fact that, for the first time ever, on July 19, 2013 (a month after the WSJ’s first report) the FISA Court explicitly prohibited the collection of Cell Site Location Information.

Furthermore, this Order does not authorize the production of cell site location information (CSLI).

We’ve learned several details since February that puts this in context.

First, the NSL IG Report revealed that one of the three providers who had been part of FBI’s onsite call records access from 2003 to 2006 did not renew the contract for that program in 2009.

Company A, Company B, and Company C are the three telephone carriers described in our Exigent Letters Report that provided telephone records to the TCAU in response to exigent letters and other informal requests between 2003 and 2006. As described in our Exigent Letters Report, the FBI entered into contracts with these carriers in 2003 and 2004, which required that the communication service providers place their employees in the TCAU’s office space and give these employees access to their companies’ databases so they could immediately service FBI requests for telephone records. Exigent Letters Report, 20. As described in the next chapter, TCAU no longer shares office space with the telephone providers. Companies A and C continue to serve FBI requests for telephone records and provide the records electronically to the TCAU. Company B did not renew its contract with the FBI in 2009 and is no longer providing telephone records directly to the TCAU. Company B continues to provide telephone records in response to NSL requests issued directly by the field without TCAU’s assistance.

The original WSJ, in retrospect, makes it fairly clear that Company B is Verizon (though I believe it provides the wrong explanation otherwise for Verizon’s inability to provide records, that it was partly foreign owned–though admittedly it only claims to be providing part of the explanation).

Unlike Sprint and AT&T, [Verizon Wireless and T-Mobile] also don’t perform classified work for the government. Such contracts require secure facilities that make cooperating with NSA programs simpler, people familiar with the matter said.

Verizon Associate General Counsel Michael Woods’ response to questions at a hearing earlier this year made it even more clear. He said that Verizon does not keep call detail records — as distinct from billing records — long at all (and they only keep billing records on the landline side for 18 months).

The contract with TCAU, as the NSL IG Report (and the earlier Exigent Letters report) makes clear, would require providers to keep records for longer in order to support some bells and whistles. That is likely a big part of what “make cooperating with NSA programs simpler” refers to. Therefore, Verizon must be the provider that stopped retaining records for the government’s purposes in 2009 (it also just so happens to be the provider that doesn’t need the government cash as part of its business model). I suspect that TCAU remains closely related to Hemisphere, which may be why, when I asked FBI about its participation in that unclassified project, FBI refused to comment at all.

If all that’s right, then AT&T and Sprint retain their call detail records because they have signed a contract with the government to do so. Verizon does not.

That means that, at least since 2009, Verizon has been relying on actual call detail records to fulfill its obligations under Section 215, not on a database built to make it easier to pull out precisely what the government wants (indeed, I suspect the end of the contract created the problems where Verizon was providing entirely foreign calls along with its domestic calls, addressed starting with the May 29, 2009 order). The business records Verizon had on hand were CDRs which, in the case of cell phones, necessarily included CSLI.

Verizon is still providing records of landline calls that traverse its backbone (the Verizon-specific language remains in the dragnet orders, and Verizon challenged the first order issued after Leon’s decision in this case).

But when FISC made it a violation to provide CSLI (rather than treating it as mere overproduction, which the court otherwise would have approved and has approved, in both this and other programs), and made that ruling public, it gave Verizon the opportunity to say it had no way to provide the cell data legally.

That’s sort of what the later WSJ report says, though it doesn’t explain why this problem would be limited in time, or why NSA would have trouble here when it collects CDRs with CSLI internationally without difficulty.

Moreover, the NSA has been stymied by how to remove location data—which it isn’t allowed to collect without getting additional court approval—from U.S. cellphone records collected in bulk, a U.S. official said.

I’m not sure whether it’s the case that Verizon couldn’t very easily pull that CSLI off or not. But I do suspect — particularly for a program that offers no compensation — that Verizon no longer had a legal obligation to. (This probably answers, by the way, how AT&T and Sprint are getting paid here: they’re being paid to keep their CDRs under the old TCAU contracts with the FBI.)

The government repeats over and over that they’re only getting business records the companies already have. Verizon has made it clear it doesn’t have cell call detail records without the location attached. And therefore, I suspect, the government lost its ability to make Verizon comply. That is also why, I suspect, the President claims he needs new legislation to make this happen: because he needs language forcing the providers to provide the CDRs in the form the government wants it in.

If I’m right, though — that the government had 99% coverage of telephony until Claire Eagan specifically excluded cell location — then Klayman should have standing. That’s because Richard Leon’s injunction not only prohibited the government from collecting any new records from Klayman, he also required the government to “destroy any such metadata in its possession that was collected through the bulk collection program.”

Assuming Verizon just stopped providing cell data in 2013 pursuant to Eagan’s order, then there would still be over 3 years of call records in the government’s possession available for search. Which would mean he would still be exposed to the government’s improper querying of his records.

It is certainly possible that Verizon stopped providing cell data once it ended its TCAU contract in 2009. If that’s the case, the government’s hasty destruction of call records in March would probably have eliminated the last of the data it had on Klayman (though not on ACLU, since ACLU is a landline customer as well as a wireless customer).

But if Verizon just stopped handing over cell records in 2013 after Claire Eagan made it impossible for the government to force Verizon to comply with such orders, then Klayman — and everyone else whose records transited Verizon’s backbone — should still have standing.

Update: I provided this further explanation to someone via email.

I should have said this more clearly in the post. But the only way everyone is correct: including WSJ in June, Claire Eagan’s invocation of “substantially all” in July, the PRG’s claims they weren’t getting as much as thought in December, and WSJ’s claims they weren’t much at all in February, is if Verizon shut down cell collection sometime during that period. The July order and the aftermath would explain that.

I suspect the number is now closer to 50-60% of US based telephony records within the US (remember, on almost all international traffic, there should be near duplication, because they’re collecting that at scale offshore), but there’s also VOIP and other forms of “calls” and texts that they’re not getting, which is how you get down to the intentionally alarmist 20%. One reason I think Comey’s going after Apple is because iMessage is being carved out, and Verizon is already pissed, so he needs to find a way to ensure that Apple doesn’t get a competitive advantage over Verizon by going through WiFi that may not be available to Verizon because it is itself the backbone. But if you lose both Verizon’s cell traffic AND any cell traffic they carry, you lose a ton of traffic.

That gets you to the import of the FBI contract. It is a current business purpose of AT&T and Sprint to create a database that they can charge the FBI to use to do additional searching, including location data and burner phones and the like. AT&T’s version of this is probably Hemisphere right now (thus, in FBI-speak, TCAU would be Hemisphere), meaning they also get DEA and other agencies to pay for it. In that business purpose, the FBI is a customer of AT&T’s and Sprint’s business decision to create their own version of the NSA’s database, including all their calls as well as things like location data the FBI can get on an individualized basis.

Verizon used to choose to pursue this business (this is the significance, I think, of the government partially relying on a claim to voluntary production, per Kris). In 2009, they changed their business approach and stopped doing that. So they no longer have a business need to create and keep a database of all their phone records.

What they do still have are SS7 routing records of all traffic on their backbone, which they need to route calls through their networks (which is what AT&T uses to build its database). That’s the business record they use to respond to their daily obligations.

But there seem to be two likely reasons why the FISC can’t force Verizon to alter those SS7 records, stripping the CSLI before delivering it to the government. First, there is no means to compensate the providers under Section 215. That clearly indicates Congress had no plan to ask providers to provide all their records on a daily basis. But without compensation, you can’t ask the providers to do a lot of tweaking.

The other problem is that if you’re asking the providers to create a record, then you’re getting away from the Third Party doctrine, aren’t you? In any case, the government and judges have repeated over and over that they can only get existing business records the providers already have. Asking Verizon to do a bunch of tweaking to those records turns them into a database that Verizon has created not for its own business purpose, but to fulfill the government’s spying demands.

I think this is the underlying point of Woods’ testimony where he made it clear Verizon had no intent of playing intelligence agent for the government. Verizon seems to have made it very clear they will challenge any order to go back into the spying-for-the-government business (all the more so after losing some German business because of too-close ties to the USG). And since Verizon is presumably now doing this for relatively free (since 2009, as opposed to AT&T and Sprint, who are still getting paid via their FBI contract), the government has far less ability to make demands.

This is also where I think the cost of getting complete coverage comes from. You have to pay providers sufficiently that they are really doing the database-keeping voluntarily, which presumably gets it well beyond reasonable cost compensation.

Update: One final point (and it’s a point William Ockham made a billion years ago). The foreign data problem Verizon had starting in 2009 would be completely consistent with a shift from database production to SS7 production, because SS7 records are going to have everything that transits the circuit.

Even the Government Can’t Figure Out How It Uses Its FISA Dragnet

Things are getting interesting in the case of Raez Qadir Khan in Oregon, who was charged in 2011 with conspiring to materially support a suicide bombing that took place in Pakistan in 2009.

As I laid out in September, his lawyers asked to know what types of surveillance it used to collect all the data that went into a search warrant on Khan’s house.

At a hearing on September 11, the government said that it had provided all the notice Khan needed with its traditional, FAA, and physical search FISA notices.

JUDGE MOSMAN: Am I reading your brief correctly that in some way the defense has been told which authorities they ought to think about challenging here, maybe informally?

MR. GORDER: Well, both formally and informally, Your Honor. The formal way was the notices that we filed with the Court, which indicates that the government intends to use evidence derived from FISA Title I and FISA Title II and FISA Title VII.

In response, at the hearing, Khan attorney Amy Baggio said she’d hold the government to those 3 FISA authorities.

MS. BAGGIO: Now, I understand the point that you made earlier, Your Honor, is they’ve narrowed that somewhat if we’re going to hold them to Title 1, 3 and 7,

Just over a month later, the government wrote the judge, Michael Mosman, a letter, changing its mind. It basically said:

  • It didn’t have to give Khan notice that they used FISA’s PRTT authority against him (most likely in the illegal Internet dragnet), because he didn’t meet all 5 of the criteria required before the government would have to give notice.
  • It didn’t have to give notice under FAA 703 because the government doesn’t intend to enter that electronic surveillance into evidence.
  • It didn’t have to give notice it used Section 215 (note, they almost surely used both the phone dragnet and the Western Union dragnet against him), because Khan lacks standing to contest the admission of this evidence. (Predictably, the government made no mention of the language in phone dragnet orders specifically permitting it to be used for discovery purposes.)

The government said nothing about Protect America Act, Section 704 of FISA (at least according to a Snowden document, the government doesn’t use 703, they use 704, which if that remains true Judge Mosman should know as a FISC judge), or EO 12333. The latter of which, in particular, Baggio has raised repeatedly.

In short, after a month of thinking about it, the government realized that its statements at the hearing were not correct, and that these other authorities were used, and maybe it ought to sort of confess to that after all.

Which Baggio pointed out in a letter filed yesterday.

In the October 15, 2014, letter, the government no longer claims that FISA Titles I, II, and VII (§702) are the only authorities relied on in this case. Instead the government advances, for the first time, arguments about why it is not legally required to provide Mr. Khan with notice that it used FISA subchapters III (PR/TT), IV (§ 215 business records), or FAA § 703. Effectively, the October 15, 2014, letter tacitly admits use of these provisions, but goes on to argue that there are other reasons it need not provide notice.

She also pointed out that, in submitting its letter over a month after the hearing, the government had violated the court’s briefing schedule without obtaining permission to do so.

On October 15, 2014, 65 days after the government’s briefing was due and 34 days after the motion was taken under advisement by the Court, the government submitted a letter raising new arguments and taking new positions in support of its request that the Court deny Mr. Khan’s Motion to Compel Notice. Exhibit B.

[snip]

When the Court sets deadlines in a Rule 12(c) scheduling order, a party who fails to raise a “defense, objection, or request” related to a pretrial motion to suppress waives that argument. Fed. R. Crim. P. 12(e). A court may grant a party leave to submit a late argument if the party establishes “good cause.” Id. Here, the government did not seek leave before offering additional arguments over two months after its briefing was due. Moreover, the letter makes no attempt to establish good cause.

She goes on to hammer the government for its tortured definitions of “collect,” citing — among other things — James Clapper’s lie to Oregon’s Senator.

That is, the DoD definition permits the NSA to obtain communications and store them in a government database without a “collection” occurring. These regulations establish that the government takes the position that the communications were “collected” only after an algorithm searches them for key words and analyzes the metadata.

Similarly, Director of National Intelligence (DNI) Clapper, in Senate testimony in which he denied “collecting” data on millions or hundreds of millions of Americans in response to a direct question from Senator Wyden, explained: “[T]here are honest differences on the semantics when someone says ‘collection’ to me, that has a specific meaning, which may have a different meaning to him [Senator Wyden].”

While she doesn’t say it, we know that the government uses both phone and Internet dragnet data — the Section 215 and PRTT collection the government refuses to notice — as the index to pull up this already collected data. Given that the investigation into Khan likely started only after his alleged co-conspirator’s suicide bombing, much of the evidence was almost certainly stored communication, pulled up using metadata as an index.

Baggio ends by calling on Mosman — a Title III judge but also a FISC judge — to guard his prerogative as the former.

The government’s letter attempts to justify a blanket policy of non-disclosure by coopting this Court’s constitutional role to resolve legal questions about whether (1) particular government conduct constitutes a search or seizure, (2) whether the search or seizure violated Mr. Khan’s constitutional rights and (3) if so, whether evidence obtained or derived from the search or seizure should be suppressed. The government’s argument amounts to an assertion that it need not provide Mr. Khan with notice because, even if it did, Mr. Khan would lose a motion to suppress. Such arguments offend the fundamental principles of the criminal justice system, and the Court should reject them. Without the type of notice requested in Mr. Khan’s Motion to Compel Notice,

I originally thought that having Mosman preside over this case would be a bit of a disaster, given FISC judges’ apparent willingness to make ridiculous arguments to defend the viability of their secret court. But I think Baggio is giving Mosman an important lesson in how the authorities he approves in secret actually play out in practice.

We’ll see whether he’s more interested in defending the prerogative of his Title III role or the claimed legitimacy of his secret judge role.

Connecting the Dots: Putting Both Sides of Conversations in One Database

In addition to its comments about Section 215 which I discussed earlier, the FBI’s statement for my article on surveillance at VICE included one other passage of interest. As part of its explanation for why it couldn’t keep track of its back door searches into incidentally collected Section 702 data, the FBI offered up this explanation, unsolicited.

(702 collection is co-located with other FISA collection to allow the FBI to “connect the dots” between the different types of collection.).

Now, we’ve known since the PCLOB Section 702 report this co-mingling was part of their explanation for not being able to count their back door searches.

The FBI is required under its minimization procedures to maintain records of all terms used to query content. These records identify the agent or analyst who conducted the query, but do not identify whether the query terms are U.S. person identifiers. Although the FBI’s minimization procedures do not require the FBI to keep records of metadata-only queries, such queries are conducted in the same databases that contain the content collection; therefore, such metadata queries are also recorded. The NSD and ODNI conduct oversight reviews of both the content and metadata queries, as described below.

Because they are not identified as such in FBI systems, the FBI does not track the number of queries using U.S. person identifiers. The number of such queries, however, is substantial for two reasons.

First, the FBI stores electronic data obtained from traditional FISA electronic surveillance and physical searches, which often target U.S. persons, in the same repositories as the FBI stores Section 702–acquired data, which cannot be acquired through the intentional targeting of U.S. persons. As such, FBI agents and analysts who query data using the identifiers of their U.S. person traditional FISA targets will also simultaneously query Section 702–acquired data.

Two details on this.

First, note that FBI’s refusal to identify whether emails are used by people in the US extends to this querying process. If you don’t know that they’re Americans, you don’t have to count how many Americans’ email you’re reading without a warrant. Of course, if you’re querying the database, you should have information about who this person is, but FBI refuses to record it!

Just as interestingly, consider what “connecting the dots” means in this context.

It’s not, just, about identifying all the possible evidence that might indicate a potential terrorist.

Rather, it’s also about having both sides of conversations in the same place. This suggests the FBI wants to see not only what conversations particular identifiers have had, but also how those conversations fit into a network of conversations.


The FBI’s Black Hole of Devised Ignorance Surrounding Americans Subject to Section 215

Over at VICE, I’ve got a long piece summarizing all the ways (well, probably just some of them) FBI refuses to count its intelligence surveillance, meaning there’s a black hole about what FBI does with some of its most intrusive surveillance.

Among other things in the piece, it includes this explanation of why FBI doesn’t want to count how many Americans get sucked up in Section 215 collection under USA Freedom Act (though the FBI improbably depicted that as an independent decision of Congress).

The bill also exempts the FBI from counting how many US persons get swept up in its use of another authority, Section 215 of the Patriot Act, the statute currently used to collect some significant subset of all Americans’ phone records. In addition to those phone records, FBI also uses Section 215 for other “tangible things,” which it can collect in significant bulk. The FBI says it won’t start counting the Section 215 records obtained because the records it collects (which include email metadata, hotel records, and sales transactions, in addition to phone records) “typically do not indicate the location of the sender or recipient at the time of communication or collection.” So learning the location would “require the FBI to scrutinize certain communications or take additional investigative steps to determine the location of the communicants.” Basically, FBI says tracking what it is doing would, by itself, be a privacy invasion.

The FBI’s comments on why it should not track how many Americans get sucked up in Section 215 collection is worth further focus, however.

The types of business records collected under a Section 215 order rarely contain information sufficient to determine the location of the person(s) referenced in the records. The FBI collects a variety of information from FISA business records orders, from hotel records to sales transactions to e-mail metadata – many of which provide little or no information regarding the location of those referenced in the records. The majority of communications collected by business records are related to e-mail metadata. This information is only provided in a to-from format and does not include subscriber information for the communicants. In addition, the records typically do not indicate the location of the sender or recipient at the time of communication or collection. Imposing a reporting requirement to track the number of persons located in the U.S. whose information had been collected under Section 215 would thus require the FBI to scrutinize certain communications or take additional investigative steps to determine the location of the communicants. In many instances, the FBI would otherwise have elected not to scrutinize these communicants or take additional investigative steps. The imposition of a reporting requirement, therefore, could actually result in a greater intrusion of privacy on certain communicants. It simply does not make sense for a reporting requirement designed to monitor privacy impact on U.S. persons to result in further scrutiny or investigative activity that may not otherwise be pursued.

First, because FBI confirms how it is using Section 215 (though much of this has been made public, much of it covered here first).

  • Email metadata
  • Hotel records
  • Sales transactions (which would include explosives precursors like acetone, hydrogen peroxide, fertilizer, and pressure cookers)

(Note the silence about money transfers; but maybe FBI just disavows that program, which is a CIA focus.)

Given many things the government has said in legal filings, I would understand “email metadata” very broadly to include “Internet communications metadata.”

The rest of the statement expands on arguments (that are implicit in USAF’s refusal to count a US-based IP address as US location) about why the Intelligence Community can’t count how many Americans are subject to Section 215 surveillance: Because it professes to be unable to track whether email participants are in the US.

So they argue that their devised helplessness in determining where email takes place makes it counterproductive for them to give any sense of how many Americans’ email they’re surveilling.

Of course, there’s another side to this devised ignorance.

John Bates has twice told the Intelligence Community that illegal wiretapping of email in the US is only illegal if the government knows that the emails in question are domestic. So by refusing to find some solution to their devised ignorance, the FBI also ensures that it can never be held to account if it happens to start collecting things — like content as metadata — that it should not legally be able to obtain without a warrant.

It’s a brilliant scheme, this black hole of FBI surveillance. Not only does the FBI not have to disclose how many Americans it is surveilling, but, unlike every American the FBI might target, it can claim that ignorance is a defense.

New and Improved FBI! Now with 12 New Pages of Investigative Methods!

Among the documents ACLU obtained as part of its EO 12333 FOIA are 3 pages out of the bajillion-paged Domestic Investigations and Operations Guide.

The actual content of the pages isn’t all that interesting. The content has been available for years.

But this is interesting.

[Screenshot: pagination of the third DIOG page released to ACLU]

The pagination of the third page, discussing wiretapping of a targeted American overseas, shows two things.

First — as the description of the document provided to ACLU also describes — this is a new version of the DIOG. The publicly available DIOG is dated October 15, 2011. This DIOG is dated October 16, 2013, two years later.

Also, the pagination reveals that there are at least 12 new pages in Section 18, which describes investigative methods.

What do you want to bet FBI has already added hacking to its investigative methods?

Update: Via Mike German, I learn that FBI did a 2012 edition as well, for which just a fragment plus the Table of Contents got released. The methods section grew about 4 pages between 2011 and 2012. So that leaves 8 pages that are new in this 2013 edition.

Also note, the latest revision came the day before Charlie Savage reported that DOJ would start giving defendants notice of Section 702 usage.

An Unclassified Statement about Where NSA’s Internet Dragnet Went

In a declaration submitted in EPIC’s FOIA for the PRTT dragnet data, NSA’s David Sherman tried to explain why NSA can’t reveal additional details of the domestic Internet dragnet shut down in 2011.

In an effort to explain why NSA can’t reveal the categories of content-as-metadata the NSA had been (illegally) collecting in the US, as well as why it can’t reveal all the types of electronic communications metadata it collects (ALL), he says the following.

While the bulk PR/TT electronic communications metadata program is no longer operational, NSA is authorized to acquire and collect certain categories of electronic communications metadata under other authorities (such as Executive Order 12333, as amended, and Section 702 of the FISA Amendments Act of 2008). The continuing importance of the specific categories of Internet metadata that were collected under the bulk PR/TT program underscores the need to protect the still-classified operational details of this activity.

[snip]

As noted above, while the  bulk PR/TT program is no longer operational, NSA’s core mission continues to include the acquisition and collection of electronic communications under other authorities.

That is, in a declaration reminding that NSA shut down its domestic bulk dragnet program, it admits it still conducts Internet metadata collection, and suggests it does so under EO 12333 and FAA.

Which is precisely where I’ve been suggesting it moved the program.

There are other aspects of this declaration that are interesting — especially when read in conjunction with the declaration of DOJ National Security Division’s Mark Bradley.

But for the moment, I’ll just leave it at this language, affirming NSA’s known continued collection of Internet metadata, even after shutting down the domestic Internet dragnet.

Do Verizon and AT&T’s Super Cookies Count as Session Identifiers?

Over the past weeks, we’ve been learning more and more about a supercookie that Verizon and AT&T have been injecting into the mobile web browsing of users on their networks. In the case of Verizon, you can’t opt out of sending the supercookie any time you browse using Verizon’s network, and websites you visit will be able to use Verizon’s supercookie to track you as well.

Whatever the merits of Verizon’s new business model, the technical design has two substantial shortcomings. First, the X-UIDH header functions as a temporary supercookie. Any website can easily track a user, regardless of cookie blocking and other privacy protections. No relationship with Verizon is required.

Second, while Verizon offers privacy settings, they don’t prevent sending the X-UIDH header. All they do, seemingly, is prevent Verizon from selling information about a user.

Unless you opt out, this cookie will also be used to track your geography and demography.
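To make concrete what “any website can easily track a user, regardless of cookie blocking” means in practice, here is an added example (my own illustration, not code from the original post or from Verizon). It models what a third-party ad network sees: the carrier adds an X-UIDH header to every plaintext HTTP request, so the network can build one profile per header value across unrelated sites, even when the browser blocks cookies or the user clears them. The request bytes and the header value are constructed for the example (the value is a made-up opaque string, not a real Verizon identifier), and the hostnames are fictional. The check function at the end is the one a practitioner would run against a captured request to see whether a carrier is tagging their traffic. One caveat the example makes explicit: the carrier can only inject the header into traffic it can see, so an HTTPS request carries no such header.

```python
"""Added example: cross-site tracking via a carrier-injected X-UIDH header.

Not from the original post or from any carrier's code. All requests below
are constructed for the example; 'news.example' and 'store.example' are
fictional hosts and the X-UIDH value is made up.
"""

from collections import defaultdict

# Header names a carrier is known to inject. Only X-UIDH is on the page;
# extend this tuple (an assumption) if you want to check for others.
TRACKING_HEADERS = ("x-uidh",)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into its request line and a
    lowercased header map. Header names are case-insensitive per RFC 7230,
    so we normalize them before lookup."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def carrier_ids(headers: dict) -> dict:
    """Return any carrier tracking headers present in a parsed header map."""
    return {h: headers[h] for h in TRACKING_HEADERS if h in headers}


def has_carrier_tracking(raw: bytes) -> bool:
    """Practitioner check: does this captured plaintext request carry a
    carrier-injected identifier? (An HTTPS request would never show one,
    because the carrier cannot modify TLS-protected bytes.)"""
    return bool(carrier_ids(parse_request(raw)["headers"]))


class CrossSiteTracker:
    """What an ad network sees: one profile per X-UIDH value, keyed on the
    carrier header rather than on anything the browser controls."""

    def __init__(self):
        self.profiles = defaultdict(list)

    def observe(self, raw: bytes):
        req = parse_request(raw)
        ids = carrier_ids(req["headers"])
        if "x-uidh" not in ids:
            return None  # Wi-Fi or HTTPS traffic: nothing to key on
        h = req["headers"]
        self.profiles[ids["x-uidh"]].append((h.get("host"), req["target"], h.get("cookie")))
        return ids["x-uidh"]


# Constructed sample traffic (not real captures). Same handset, same carrier
# identifier, three different situations.
UIDH = "OTgxMzk2NDk3MDQ3MTYyOTU2OTY="  # made-up opaque value
REQ_SITE_A = (b"GET /article HTTP/1.1\r\nHost: news.example\r\n"
              b"Cookie: sid=abc123\r\nX-UIDH: " + UIDH.encode() + b"\r\n\r\n")
# Different site, cookies blocked by the browser: no Cookie header at all.
REQ_SITE_B = (b"GET /shop/cart HTTP/1.1\r\nHost: store.example\r\n"
              b"X-UIDH: " + UIDH.encode() + b"\r\n\r\n")
# Back on the first site after clearing cookies: new session id, same UIDH.
REQ_SITE_A_LATER = (b"GET /article HTTP/1.1\r\nHost: news.example\r\n"
                    b"Cookie: sid=zzz999\r\nX-UIDH: " + UIDH.encode() + b"\r\n\r\n")
# Same site over Wi-Fi: the carrier never saw this request, so no header.
REQ_NO_CARRIER = b"GET / HTTP/1.1\r\nHost: news.example\r\n\r\n"

SAMPLE_REQUESTS = [REQ_SITE_A, REQ_SITE_B, REQ_SITE_A_LATER, REQ_NO_CARRIER]


def demo() -> dict:
    """Feed the sample traffic to the tracker and return its profiles."""
    tracker = CrossSiteTracker()
    for raw in SAMPLE_REQUESTS:
        tracker.observe(raw)
    return dict(tracker.profiles)


if __name__ == "__main__":
    for uidh, visits in demo().items():
        print(uidh)
        for host, target, cookie in visits:
            print(f"  {host}{target}  cookie={cookie}")
```

Running it shows a single profile containing visits to both hosts, including the request with no cookie and the one made after clearing cookies, while the Wi-Fi request is not linked to anything. The design point is that the identifier is attached below the browser, so every browser-side privacy control is irrelevant to it; the only things that defeat it are TLS (the carrier cannot rewrite what it cannot read) or the carrier not sending it.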

Kashmir Hill has been doing great work on it, including today’s responses from the two phone companies about what they’ve been doing.

How long have they been tagging their users this way?

Verizon: Two years. Given how long Verizon has been doing it, Kasowic said she was “surprised” by the attention this week.
AT&T: “A little while.” AT&T is just “testing it” at this point.

Why are they tagging customers this way?

Verizon: To deliver ads, to authenticate users and allow them to avoid filling out forms, and for fraud prevention.
AT&T: To deliver ads.

Is there any privacy protection built in?

Verizon: The code is “dynamic” and will change on a “regular basis” — at least once per week.
AT&T: The code is dynamic and will change daily.

[snip]

Can they opt out of anything?

Verizon: Customers can’t opt out of the header code being sent “because it’s used for multiple purposes,” says Kasowic. But they can opt out of it being used to show them relevant ads. “When it’s used for the advertising program, there’s a place where information is tied to the UIDH (Unique Identifier Header) — such as ‘Females in Alexandria, VA. between the ages of 25 and 50,” said Kasowic. “It’s just segments that other people wouldn’t understand. There’s no personal identification. If you opt out, there’s no information stored there.” But the tracking code remains.
AT&T: Siegel says customers will be able to opt out of ad delivery and tracking.

Among all the other worries I have about this, I have my lingering worry: that the government will use the supercookie if and when USA Freedom Act passes. As a reminder, here’s how USAF defines “call detail record,” which is a key part of their ongoing daily production.

(2) CALL DETAIL RECORD.—The term ‘call detail record’—

(A) means session identifying information (including an originating or terminating telephone number, an International Mobile Subscriber Identity number, or an International Mobile Station Equipment Identity number), a telephone calling card number, or the time or duration of a call; and

(B) does not include—

(i) the contents (as defined in section 2510(8) of title 18, United States Code) of any communication;

(ii) the name, address, or financial information of a subscriber or customer; or

(iii) cell site location information.

This definition uses language tied to phone calls, but with the limited exception of the CDR definition used for NSLs, there is a well-established tradition of using phone CDR language to get Internet records. And a cookie is the quintessential “session identifier.” While Verizon’s supercookies might provide access to things that might qualify as content — “any information concerning the substance, purport, or meaning of that communication” — it would not seem to necessitate this. Plus, the supercookie would provide generalized location without cell site location.

In other words, the Verizon supercookie would provide FBI and NSA a way to get rich information on a target and his online actions — including co-presence on sites that might include chat rooms (which would serve as your hops) — that they could then match up on the back end by tracking the cookie across the web. Depending on what Verizon uses it to authenticate users for, it may give a lot more. (Note, too, that Sprint appears to be working on the equivalent of a burner phone application for mobile devices based off cookies; this supercookie would seem to make that even easier.)

The Yahoo example — where the government moved from requesting emails and instant messages to requesting 9 things, potentially across all of Yahoo’s business units in 5 months — is instructive. Even if they aren’t already planning on using this (which I doubt, given that it has been out there for 2 years), they will use it. And nothing in the bill seems to prohibit it.

I’m not convinced this is the only answer to my question about what connection chaining does. But I think it is one answer.

Update: Propublica reports that Twitter has adopted Verizon’s UIDH for its own advertising purposes.

The data can be used by any site – even those with no relationship to the telecoms — to build a dossier about a person’s behavior on mobile devices – including which apps they use, what sites they visit and for how long.

MoPub, acquired by Twitter in 2013, bills itself as the “world’s largest mobile ad exchange.” It uses Verizon’s tag to track and target cellphone users for ads, according to instructions for software developers posted on its website.