The Last Time NSA Submitted Secret Authorities, It Was Actively Hiding Illegal Wiretapping

Via Mike Masnick, I see that in addition to submitting a new state secrets declaration and a filing claiming EFF’s clients in Jewel v. NSA don’t have standing, the government also submitted a secret supplemental brief on its statement of authorities, which EFF has challenged.

The secret supplemental brief is interesting given the government’s outrageous state secrets claim in the lawsuit against United Against a Nuclear Iran, in which it refuses to explain why it must protect the intelligence sources and methods of an allegedly independent NGO. It seems the government’s state secrets claims are getting even more outrageous than they already were.

That’s particularly interesting given what appears to be the outlines of a claim that if the court recognizes Jewel’s standing, then all hell will break loose.

Due to the failings of Plaintiffs’ evidence described above, the Court need not consider the impact of the state secrets privilege on the standing issue. However, if the Court were to find Plaintiffs’ declarations admissible and sufficiently probative of Plaintiffs’ standing to raise a genuine issue meriting further inquiry (which it should not), adjudication of the standing issue could not proceed without risking exceptionally grave damage to national security (a threshold issue on which the Court requested briefing). That is so because operational details of Upstream collection that are subject to the DNI’s assertion of the state secrets privilege in this case are necessary to address Plaintiffs’ theory of standing. The Government presented this evidence to the Court in the DNI’s and NSA’s classified declarations of December 20, 2013, and supplements it with the Classified Declaration of Miriam P., NSA, submitted in camera, ex parte, herewith. Disclosure of this evidence would risk informing our Nation’s adversaries of the operational details of the NSA’s Upstream collection, including the identities of electronic-communications-service providers assisting with Upstream collection.

Behind these claims of grave harm is the reality that if US persons started to get standing under the dragnet, then under John Bates’ rules (in which illegal wiretapping is only illegal if the government knows US persons are targeted), the entire program would become illegal. So I suspect the government is ultimately arguing that Jewel can’t have standing because it would make the entire program illegal (which is sort of the point!).

But the biggest reason I’m intrigued by the government’s sneaky filing is because of what happened the last time it submitted such a sneaky filing.

I laid out in this post how a state secrets filing submitted in EFF’s related Shubert lawsuit by Keith Alexander on October 30, 2009 demonstrably lied. Go back and read it–it’s a good one. A lot of what I show involves Alexander downplaying the extent of the phone dragnet problems.

But we now know more about how much more Alexander was downplaying in that declaration.

As I show in this working thread, it is virtually certain that on September 30, 2009, Reggie Walton signed this order, effectively shutting down the Internet dragnet (I’m just now noticing that ODNI did not — as it has with the other FISC dragnet orders — release a copy with the timestamp that goes on all of these orders, which means we can’t determine what time of the day this was signed). Some time in the weeks before October 30, DOJ had submitted this notice, admitting that NSA had been violating the limits on “metadata” collection from the very start, effectively meaning it had been collecting content in the US for 5 years.

Precisely the kind of illegal dragnet Virginia Shubert was suing the government to prevent.

Mind you, there are hints of NSA’s Internet dragnet violations in Alexander’s declaration. In ¶59, Alexander says of the dragnet, “The FISC Telephone Business Records Order was most recently reauthorized on September 3, 2009, with authority continuing until October 30, 2009” (Walton signed the October 30, 2009 phone dragnet order around 2:30 ET, which would be 11:30 in NDCA where this declaration was filed). In ¶58, he says, “The FISC Pen Register Order was most recently reauthorized on [redacted], 2009, and requires continued assistance by the providers through [redacted] 2009” (this is a longer redaction than October 30 would take up, so it may reflect the 5PM shutdown Walton had imposed). So it may be that one of the redacted passages in Alexander’s declaration admitted that FISC had ordered the Internet dragnet shut down.

In addition, footnote 24 is quite long (note it carries onto a second page); particularly given that the tense used to describe the dragnets in the referenced paragraph differs (the Internet dragnet is in the past tense, the phone dragnet is in the present tense), it is possible Alexander admitted to both the compliance violation and that NSA had “voluntarily” stopped querying the dragnet data.

Further, in his later discussions, he refers to this data as “non-content metadata” and “records about communication transactions,” which may reflect a tacit (or prior) acknowledgment that the NSA had been collecting more than what, to the telecoms who were providing it, was legally metadata, or, if you will, was in fact “content as metadata.”

To the extent that the plaintiffs “dragnet” allegations also implicate other NSA activities, such as the bulk collection of non-content communications meta data or the collection of communications records, see, e.g., Amended Compl ¶58, addressing their assertions would require disclosure of NSA sources and methods that would cause exceptionally grave harm to national security.

[snip]

Accordingly, adjudication of plaintiffs’ allegations concerning the collection of non-content meta data and records about communication transactions would risk or require disclosure of critical NSA sources and methods for [redacted] contacts of terrorist communications as well as the existence of current NSA activities under FISC Orders. Despite media speculation about those activities, official confirmation and disclosure of the NSA’s bulk collection and targeted analysis of telephony meta data would confirm to all of our foreign adversaries [redacted] the existence of these critical intelligence capabilities and thereby severely undermine NSA’s ability to gather information concerning terrorist connections and cause exceptionally grave harm to national security.

So it seems that Alexander provided some glimpse to Vaughn Walker of the troubles with the Internet dragnet program. So when after several long paragraphs describing the phone dragnet problems (making no mention even of the related Internet dragnet ones), Alexander promised to work with the FISC on the phone dragnet “and other compliance issues,” he likely invoked an earlier reference to the far more egregious Internet dragnet ones.

NSA is committed to working with the FISC on this and other compliance issues to ensure that this vital intelligence tool works appropriately and effectively. For purposes of this litigation, and the privilege assertions now made by the DNI and by the NSA, the intelligence sources and methods described herein remain highly classified and the disclosure that [redacted] would compromise vital NSA sources and methods and result in exceptionally grave harm to national security.

I find it tremendously telling how closely Alexander ties the violations themselves to the state secrets invocation.

The thing is, at this point in the litigation, the only honest thing to submit would have been a declaration stating, “Judge Walker? It turns out we’ve just alerted the FISC that we’ve been doing precisely what the plaintiffs in this case have accused us of — we’ve been doing it, in fact, for 5 years.” An honest declaration would have amounted to concession of the suit.

But it didn’t.

And that state secrets declaration, like the one the government submitted at the end of September, was accompanied by a secret statement of authorities, a document that (unless I’m mistaken) is among the very few that the government hasn’t released to EFF.

Which is why I find it so interesting that the government is now, specifically with reference to upstream collection, following the same approach.

Do these secret statements of authority basically say, “We admit it, judge, we’ve been violating the law in precisely the way the plaintiffs claim we have. But you have to bury that fact behind state secrets privilege, because our dragnets are more important than the Fourth Amendment”? Or do they claim they’re doing this illegal dragnettery under EO 12333 so the court can’t stop them?

If so, I can see why the government would want to keep them secret.

Update: I originally got the name of Shubert wrong. Virginia Shubert is the plaintiff.

Going Postal. And Digital. And Financial: The Dragnet Elephant

The NYT has a report on an IG Report from May that reveals the Postal Service has been doing a lot more “mail covers” (that is, tracking the metadata from letters) than it had previously revealed.

In a rare public accounting of its mass surveillance program, the United States Postal Service reported that it approved nearly 50,000 requests last year from law enforcement agencies and its own internal inspection unit to secretly monitor the mail of Americans for use in criminal and national security investigations.

The number of requests, contained in a little-noticed 2014 audit of the surveillance program by the Postal Service’s inspector general, shows that the surveillance program is more extensive than previously disclosed and that oversight protecting Americans from potential abuses is lax.

Among the most interesting revelations is that USPS previously lowballed the number of covers it does in response to a NYT FOIA by simply not counting most of the searches.

In information provided to The Times earlier this year under the Freedom of Information Act, the Postal Service said that from 2001 through 2012, local, state and federal law enforcement agencies made more than 100,000 requests to monitor the mail of Americans. That would amount to an average of some 8,000 requests a year — far fewer than the nearly 50,000 requests in 2013 that the Postal Service reported in the audit.

The difference is that the Postal Service apparently did not provide to The Times the number of surveillance requests made for national security investigations or those requested by its own investigation and law enforcement arm, the Postal Inspection Service. Typically, the inspection service works hand in hand with outside law enforcement agencies that have come to the Postal Service asking for investigations into fraud, pornography, terrorism or other potential criminal activity.

The report led Ben Wittes to engage in a thought experiment, predicting the response to this revelation will be muted compared to that of the phone dragnet.

All of this raises the question: Will this program generate the sort of outrage, legal challenge, and feverish energy for legislative reform that the NSA program has? Or will it fall flat?

I have this feeling that the answer is the latter: The Postal Service’s looking at the outside of letters at the request of law enforcement just won’t have the same legs as does the big bad NSA looking at the routing information for telephone calls. The reason, I suspect, is not that there are profound legal differences between the two programs. Yes, one can certainly argue that the difference between a program that aspires to be totalizing and one that is notionally targeted, even if very large, is fundamental enough to justify regarding the former with great skepticism and tolerating the latter with a shrug. On the other hand, one could just as easily argue that a program that involves the active perusal of tens of thousands of people’s metadata without strict controls is far more threatening than one that involves tight procedures under judicial oversight and involves initial queries of only a few hundred people’s data.

The reason, I suspect, that this program will not excite the same sorts of passions as does the NSA’s program is that it involves old technology—paper—and it’s been going on for a long time.

I agree with Wittes that this won’t generate the same kind of outrage.

The fact that few noticed when Josh Gerstein reported on this very same report (and revealed that the USPS was trying to prevent the report’s release) back in June (I noticed, but did not write on it) supports Wittes’ point.

All that said, Wittes’ piece serves as an interesting example. Partly because he overstates the oversight of the phone dragnet program. Somehow Wittes doesn’t think the watchlisting of 3,000 presumed American persons with no First Amendment review until 2009 is an example of abuse. Nor the preservation of 3,000 files worth of phone dragnet data on a research server, mixed in with Stellar Wind data, followed by its destruction before NSA had to explain what it was doing there (which is a more recent abuse than Joe Arpaio’s use of the mail dragnet to target a critic, reported in the NYT).

But also because Wittes misconstrues what a true comparison would entail.

To compare phone dragnet, generally, with the mail dragnet described by the NYT (now including both its national security and Postal Inspection searches), you’d have to compare Title III and local law enforcement phone metadata searches (which number in the hundreds of thousands and include the use of Stingrays to track phone location), Hemisphere (which must number in the 10s of thousands and not only undergo no court review, but are explicitly parallel constructed), the use of NSLs to obtain phone metadata (which number in the 10s of thousands, and which are not overseen by a court, have been subject to abuse, also miscount the most important requests, and access new kinds of data that probably aren’t really covered under the law), the Section 215 dragnet, the FBI bulk PRTT program, as well as the far far bigger EO 12333 phone dragnet.

That is, Wittes wants to compare the totality of the mail dragnet with a teeny segment of even the NSA phone dragnet, all while ignoring the state, local, and other federal agency (including at least FBI, USMS, and DEA) phone dragnets entirely, and declare the former roughly equivalent to the latter (better in some ways, worse in others). If you were to compare the totality of the mail dragnet (admittedly, you’d have to add Fedex and other courier dragnets) with the totality of the phone dragnet, the latter would vastly exceed the former in every way: in abuse, in lack of oversight, and in scale.

And to measure the “passions” mobilized against the phone dragnet, you’d have to measure it all. Attention to the various parts has been fleeting: today there’s more focus on Stingrays, for example, with comparatively less attention to the Section 215 phone dragnet, along with a focus on Hemisphere. There’s so much phone dragnet to go around, it’s like a never-ending game of whack-a-mole.

Or perhaps more appropriately, of that old fable of the 6 blind men and the elephant, where each of a series of blind men describes an elephant. These men each feel one part of the elephant and see a pillar, a rope, a tree branch, a hand fan, a wall, and a solid pipe. Together, they fail to conceive of the elephant in its entirety.

Wittes’ partial view of the phone dragnet describes just one part of one part of the dragnet elephant. At the NSA, the FBI, and local JTTFs (at a minimum) you’re not conceiving the dragnet unless you understand the implications of matching your phone records and email records to your financial purchases and Internet search cookies — and your snail mail, which is ultimately just a part of the larger dragnet. Each of those dragnets has several interlocking forms, too. More Title III orders, more NSLs, more Section 215 orders, and more EO 12333 collection. All dumped into a black box that — even for the Section 215 phone dragnet — undergoes no apparent oversight.

But Wittes is by no means alone in his partial view of the dragnet elephant. We all suffer from it. Since the very start of the Snowden leaks, I have been trying hard to track how NSA data gets shared with other agencies (see, for example, NCTC, FBI and CIA, “Team Sport,” ATF). I suspect I’ve got as good an understanding of how this data worms its way through the government as anyone outside of some corners of government, but it still looks like an elephant trunk to me.

That, to me, is the real lesson from the focus on yet another dragnet available to yet more intelligence and law enforcement agencies. None of us yet have a good sense of the scope of the dragnet. It is, quite literally, inconceivable. And we have even less of an idea of what happens after the dragnet feeds all that data into a series of black boxes, most subject to very little oversight.

With each new elephant body part identified, we’d do well to remember, it’s just one more body part.

Deconfliction in Dragnet Databases

Hemisphere Deconfliction

I want to return to something that appears in both of the Hemisphere slide decks we’ve seen: Deconfliction.

In addition to helping law enforcement find burner phones and contact chains, using connections that include location, Hemisphere helps deconflict between multiple investigative teams.

When multiple teams are working the same targets — in war or criminal investigations — you need to be aware of what other teams are doing. In war, this helps to ensure you don’t shoot a friendly. In investigations, it helps to protect turf and combine efforts.

In investigations — especially drug or terrorism ones that rely on informants — it also helps to distinguish legally sanctioned crime — that of informants — from that which no law enforcement agency is directing. And, as the Declaration deck explains, Hemisphere checks new queries against previous ones, and emails requestors if someone has already chained on that contact.

  • Target numbers, as well as every number they call and that call them will be cross checked against other Hemisphere results
  • Notification will be by email if applicable
  • The email provides contact information for all requestors

In other words, in addition to the way it serves as a quick investigative tool, Hemisphere also helps drug investigators to avoid stepping on each others’ toes (or at least communicate better).

Then there’s this:

  • Sensitive case information is masked

This seems to suggest Hemisphere doesn’t, presumably, provide any hints about how the original investigator is conducting their investigation, whether suspected traffickers are being run or not. That’s the kind of thing that would be “masked.” (Note, this suggests that whoever is running this database would have access to that masked information.)

I raise all this because it poses questions for other databases involving informants. As I have noted, FBI uses the phone dragnet (and therefore presumably the Internet dragnet in whatever form and geographic locale it still exists) to identify potential informants. And one thing FBI does with its back door searches during assessments is review actual content collected under traditional FISA and FAA in its quest for informants.

These dragnet databases play a key role in the selection and recruitment of informants to use in terrorism investigations.

But then what happens?

The example of David Headley — who played a crucial role in one of the most lethal terrorist attacks since 9/11, the Mumbai attack, the early period of which occurred while he served as an informant for the DEA — is instructive. The FBI likes to boast that Section 702 helped stop Headley’s plot against Danish cartoonists. But Headley’s case should, instead, raise real questions about how it is a terrorist can plan a complicated terrorist attack while his known terrorist colleagues, presumably, are being surveilled without detection by the people supposedly handling him.

We know that the metadata dragnets, at least, put some identifiers on a “defeat list.” There’s reason to suspect (in part from the syntax of redacted references to the defeat list) they do so not just for high volume numbers, but for sensitive numbers (perhaps Congress, for example). But I also think they may put informants on a defeat list too. That’s, in part, because if you didn’t do so their handlers would become two degrees from terrorist suspects, which might have all sorts of unintended consequences. That’s just an educated guess, mind you, but if I’m right it would have some interesting implications.

That doesn’t appear to have prevented DEA from tracking Manssor Arbabsiar, the Scary Iran Plotter (I assume he at least used to be an informant, because there’s little else that would explain why the cousin of a top Quds Force Member busted for drug possession would nevertheless get citizenship, and deconfliction discussions show up in what was probably his immigration file).

But it would raise really big questions in other cases.

One way or another they need to give informants special treatment in databases — as they apparently do in Hemisphere. How they do so, however, may have real consequences for the efficacy of the entire dragnet.

Two Men with Weapons But No Passports in Another Country

The more I think about this story, the more ridiculous it appears.

WSJ’s sources are concerned, apparently, that US counterterrorism officials did not have prior knowledge of two men who each killed a Canadian soldier this week.

Neither of the two Canadian men who attacked soldiers and Parliament this week were on a terror watch list in the U.S.—one because of privacy laws in Canada—raising concerns among American officials about possible intelligence gaps close to home.

On Monday, Martin Rouleau used his car to strike and kill one Canadian soldier and injure another outside Montreal, before being killed by police. On Wednesday, Michael Zehaf-Bibeau used a rifle to kill a soldier in Ottawa, then stormed Parliament where he died from shots fired by security personnel, including the sergeant-at-arms.

Neither were marked in U.S. databases of security threats, according to a person familiar with the investigation.

The concern is particularly crazy given that neither man had a passport, in the first case because it had been taken away; in the second because he had not yet obtained one.

In Mr. Rouleau’s case, that was especially alarming because Canadian authorities say they had taken away his passport and put him on a watch list because he had attempted to travel to Syria to join fighting there.

[snip]

Canadian investigators say Mr. Zehaf-Bibeau didn’t have a passport, but had come to Ottawa in the hopes of getting one so he could travel to Syria. Canadian officials have said that while they were aware of Mr. Zehaf-Bibeau, he wasn’t on their watch list.

Sure, either of these men could have snuck across the border in the wilds of Minnesota and then attempted what they attempted in Canada. Which, had they succeeded in our more vigilant society, would make them less lethal than the latest school shooting.

Doesn’t the US have more dangerous things to worry about than every single disgruntled man in another country who happens to have a gun — or a car? I mean, if these guys started actually plotting — making them a much bigger threat — then their very act of plotting would be likely to bring greater scrutiny.

The disproportionate nature of this concern is all the more apparent when you consider Mexico, where authorities — authorities that often have ties to our DEA — can disappear 43 students without immediate alarm. Shouldn’t we be more concerned that lethal DEA allies will walk across the southern border and start disappearing students here? US authorities seem perfectly complacent about the often officially sanctioned violence in that adjoining country.

ISIL is a threat. Angry men armed with guns are a threat, whether they’re Muslim or not.

But a drive for omniscience divorced from any real awareness of how the failure of governance — not just the vacuums we’ve contributed to in the Middle East, but increasingly here — fosters threats yoked to fear blown entirely out of proportion will not eliminate the threat, and it will suck the life out of our country in so many other ways.

Perhaps we’d be far better served offering an ideology that can compete with ISIL’s rather than simply dragnetting everyone?

Wyden Doesn’t Know What NSA Does with Its Dragnet Overseas

Kim Zetter has an interview with Ron Wyden that goes over a number of things I have already reported. She describes him hedging when asked when he first learned of the phone dragnet; as I have shown the government did not brief the Internet dragnet to the Intelligence Committees, not even during the PATRIOT reauthorization in 2005. Wyden describes the months — “literally months” — during which he tried to get the Intelligence Community to correct what Keith Alexander had said to DefCon before he asked James Clapper the question he is now so famous for; I laid that out here and here. Wyden describes how — “incredible as it sounds” — the Bush Administration shut down NSA’s back door search authorities, which I noted here. Zetter and Wyden also discuss how to manage zero day exploits.

But the most important detail in the interview, in my opinion, comes where Wyden makes clear he doesn’t know enough about what the government does under EO 12333.

But no one, not even lawmakers on Capitol Hill, have a full grasp of how EO 12333 is being used.

Wyden says, “I’m not sure we’re at the bottom or close to it” when it comes to understanding how it’s being used. Wyden is suspicious that the White House and intelligence community have agreed to halt the phone records collection program, in the wake of intense criticism, only because the spy agency has other tricks to get the same data, possibly through EO 12333.

“The intelligence community is endorsing eliminating bulk-collection of phone records, and it makes me wonder what are the authorities under 12333 [through which they might do the same thing]?” he asks. “You can get a bill passed and everybody says, ‘Hey we banned bulk collection.’… [Then] we see the government go off in another direction. I will tell you that I don’t know today the full ramifications of 12333 on bulk collection. But I’m going to be spending a lot of time digging into it.”

I had pointed to Wyden’s concern about this issue when he raised it at the turn of the year and noted that the Administration made public its belief it can engage in the phone and Internet dragnet without any Congressional authorization just as the USA Freedom Act debate resumed.

But Wyden’s confirmation that he doesn’t know what the government does overseas raises questions about, first, whether he knows what the government did with the Internet dragnet when he and Udall convinced the government to end the domestic collection of it in 2011. But it also underscores just how empty are the promises that there is adequate oversight of the NSA’s work.

If someone on the Intelligence Committees (a critic, admittedly, but he is one of the legal overseers of the Agency) doesn’t know, and doesn’t think he’d necessarily know, if the government replaced a congressionally limited program with the same program overseas, that means there’s no way the Intel Committees could ensure that the government had stopped practices Congress told it to stop.

Of course, given that Wyden got legislation passed in 2004 defunding any data mining of Americans only to have the Bush-authorized dragnet continue, that must be a familiar position for the Senator.

No, Obama Doesn’t Need Legislation to Fix the Dragnet–Unless the “Fix” Isn’t One

In an editorial calling on Congress to pass the USA Freedom Act, the USA Today makes this claim.

Obama’s proposal last January — to leave the data with phone companies, instead of with the government — can’t happen without a new law. And, as in so many other areas, the deeply divided Congress has failed to produce one.

I don’t know whether that is or is not the case.

I do know 3 Senate Intelligence Committee members say it is not the case.

Ron Wyden, Mark Udall, and Martin Heinrich wrote Obama a letter making just this point in June. They argued that Obama could accomplish most, if not all, of what he claimed he wanted without legislation, largely with a combination of Section 215 Orders to get hops and Pen Registers to get prospective collection.

[W]e believe that, in the meantime, the government already has sufficient authorities today to implement most, if not all, of the Section 215 reforms laid out in your proposal without delay in a way that does not harm our national security. More comprehensive congressional action is vital, but the executive branch need not wait for Congress to end the dragnet collection of millions of Americans’ phone records for a number of reasons.

First, we believe that the Foreign Intelligence Surveillance Court’s (FISC) expansive interpretation of the USA PATRIOT Act to allow the collection of millions of Americans’ phone records makes it likely that the FISC would also agree to a more narrowly-drawn interpretation of the law, without requiring further congressional action. Certainly, it seems likely that the FISC would permit the executive branch to use its current authorities to obtain phone records up to two “hops” from a suspicious phone number or to compel technical assistance by and compensation for recipients of court orders. Unless the FISC has already rejected such a request from the government, it does not seem necessary for the executive branch to wait for Congress before taking action.

Second, we believe that the FISC would likely approve the defined and limited prospective searches for records envisioned under your proposal pursuant to current USA PATRIOT Act Section 214 pen register authorities, given how broadly it has previously interpreted these authorities. Again, we believe it is vital for Congress to enact reforms, but we also believe that the government has sufficient authorities today under the USA PATRIOT Act to conduct these targeted prospective searches in the interim.

Finally, although we have seen no evidence that the government has needed the bulk phone records collection program to attain any time-sensitive objectives, we agree that new legislation should provide clear emergency authorities to allow the government to obtain court approval of individual queries after the fact under specific circumstances. The law currently allows prospective emergency acquisitions of call records under Section 403 of the Foreign Intelligence Surveillance Act (FISA), and the acquisition of past records without judicial review under national security letter authorities. While utilizing a patchwork of authorities is not ideal, it could be done on an interim basis, while Congress works to pass legislation.

Just weeks before they sent this, Deputy Attorney General James Cole had seemed to say they could get (if they were not already getting) hybrid orders, in that case mixing phone and location. So it seems like DOJ is confident they could use such hybrid orders, using Section 215 for the hops and Pen Registers for the prospective collection (though, given that they’re already using Section 215 for prospective collection, I’m not sure why they’d need to use hybrids to get anything but emergency orders).

And it makes sense. After all, the public claims about what the Call Detail Record provision would do, at least, describe it as a kind of Pen Register on steroids, 2-degrees of Pen Register. As the Senators suggest, FBI already gets two-degree information of historical records with mere NSLs, so it’d be surprising if they couldn’t get 2 degrees prospectively with a court order.

So at least according to three members of the Senate Intelligence Committee, USA Today is simply wrong.

Mind you, I’m not entirely convinced they’re right.

That’s because I suspect the new CDR provision is more than a Pen Register on steroids, and is instead something far more intrusive, one that gets far beyond mere call records. I suspect the government will ask the telecoms to chain on location, address books, and more — as they do overseas — which would require far more than a prospective Pen Register and likely would require super immunity, as the bill provides.

I suspect the Senators are wrong, but if they are, it’s because Obama (or his Intelligence Community) wants something that is far more invasive than they’ve made out.

Still, for USAF supporters, there seems no question. If all Obama wants to replace the phone dragnet is prospective 2-degree call (not connection) chaining on RAS targets, he almost certainly has that authority.

But if he needs more authority, then chances are very good he’s asking for something far more than he has let on.

Update: Note, USAT makes at least one other clear error in this piece, as where it suggests “the program” — the phone dragnet — imposes costs on cloud companies like Microsoft and Google.

Another Attorney-Client Conversation Spied On

Last month, I laid out the several attorney client conversations to which Raez Qadir Khan was party that the government wiretapped. Among the 7 privileged conversations wiretapped by the government was a January 2010 conversation he had with his immigration attorney after being told by the FBI he could not travel to see his family.

One of the defendants in a key CO terrorism case just revealed in a filing that he, too, was wiretapped when conversing with his immigration attorney’s office.

Bakhtiyor Jumaev, who through co-defendant Jamshid Muhtorov was the first to get notice his prosecution stemmed from FISA Amendments Act collection, revealed in a filing that a conversation he had with his retained immigration counsel’s paralegal was recorded even after the FBI had first questioned him.

FBI agents interrogated Mr. Jumaev at his Philadelphia apartment on February 14, 2012; at that time, Mr. Jumaev had been charged with an immigration violation, had posted bond that included electronic monitoring, was represented by an immigration attorney, Francois Mazur, Esq., and for approximately two years, unbeknownst to him, had also been under investigation for activities related to this case.15 The next day, February 15, 2012, Mr. Jumaev called Mr. Mazur and spoke with the attorney’s paralegal, seeking legal advice relating to Mr. Jumaev’s having been questioned the day prior by the FBI. A copy of the recording of the call, labeled as S2675971321_20120215194017_416.WAV, has been provided in discovery.16

15 The criminal Complaint filed against Mr. Jumaev notes that the FBI had been investigating him in this matter since shortly after his arrest in February 2010 for immigration charges. See Doc. 1 at ¶ 13.

16 Based upon information and belief, to date, the government has not provided all of Mr. Jumaev’s intercepted communications. It is therefore currently unknown whether other communications between Mr. Jumaev and his immigration attorney were intercepted.

As the footnotes make clear, at this point the FBI had already been investigating him for years, but didn’t have the caution to avoid recording his conversations with his immigration attorney (something which, in the Khan case, the government admitted should have been treated as a privileged conversation).

Call me crazy, but this is beginning to look like a pattern — the FBI wiretapping the earliest privileged conversations after their targets get alerted to the FBI investigation into them.

Richard Burr Prepares to Capitalize on Refusing to Exercise Intelligence Oversight

In James Risen’s new book, he provides new details on what happened to the NSA whistleblowers — Bill Binney, Kurt Wiebe, Ed Loomis, Thomas Drake — who tried to stop President Bush’s illegal wiretap program, adding to what Jane Mayer wrote in 2011. He pays particular attention to the effort Diane Roark made, as a staffer overseeing NSA on the House Intelligence Committee, to alert people that the Agency was conducting illegal spying on Americans.

As part of that, Risen describes an effort Roark made to inform another Congressman of the program, one who had not been briefed: Richard Burr.

Despite the warning from (HPSCI’s Republican Staff Director Tim) Sample not to talk with anyone else on the committee about the program, she privately warned Chris Barton, the committee’s new general counsel, that “there was an NSA program of questionable legality and that it was going to blow up in their faces.” In early 2002, Roark also quietly arranged a meeting between Binney, Loomis, and Wiebe and Richard Burr, a North Carolina Republican on the House Intelligence Committee. Binney told Burr everything they had learned about the NSA wiretapping program, but Burr hardly said a word in response. Burr never followed up on the matter with Roark, and there is no evidence he ever took any action to investigate the NSA program.

I’m not actually surprised that Burr learned the Intelligence Community was engaging in illegal behavior and did nothing. From what we’ve seen in his response to torture, he has served entirely to help CIA cover up the program and protect the torturers. Indeed, in his treatment of John Brennan’s confirmation, he made efforts to ensure Brennan would have to protect the torturers too.

So it’s no surprise that Burr heard details of an illegal program and ignored them.

Still, it’s worth highlighting this detail because, if Democrats do lose the Senate as they are likely to do in November, Richard Burr will most likely become Senate Intelligence Committee Chair. While Dianne Feinstein may be a badly flawed Chair overseeing the IC, Burr will be a nightmare, unloosing them to do whatever they’re ordered.

That’s the kind of career advancement that comes to a guy who remains silent about wrongdoing.

Jim Comey Lied When He Claimed FBI Needs a Judge to Read Your Email

I believe that Americans should be deeply skeptical of government power. You cannot trust people in power. The founders knew that. That’s why they divided power among three branches, to set interest against interest. — FBI Director Jim Comey

As part of a piece on James Risen’s stories, 60 Minutes did an interview with Jim Comey. It rehearsed his role in running up hospital steps in 2004 to prevent Andy Card from getting an ill John Ashcroft to rubber stamp illegal surveillance — without mentioning that Comey and the other hospital heroes promptly got the same program authorized by bullying the FISA Court. Trevor Timm called out this aspect of 60 Minutes’ report here.

CBS also permitted Comey to engage in Apple encryption fear-mongering without challenge. CNN, to its credit, called Comey on his misrepresentations here.

But perhaps Comey’s biggest stretcher came when Scott Pelley asked him whether FBI engages in surveillance without a court order.

Scott Pelley: There is no surveillance without court order?

James Comey: By the FBI? No. We don’t do electronic surveillance without a court order.

Scott Pelley: You know that some people are going to roll their eyes when they hear that?

James Comey: Yeah, but we cannot read your emails or listen to your calls without going to a federal judge, making a showing of probable cause that you are a terrorist, an agent of a foreign power, or a serious criminal of some sort, and get permission for a limited period of time to intercept those communications. It is an extremely burdensome process. And I like it that way.

Comey was admittedly careful to caveat his answer, stating that FBI does not engage in “electronic surveillance” without a court order. That probably excludes FBI’s use of National Security Letters. Though as DOJ’s Inspector General has made clear, FBI uses NSLs for a number of things — including communities of interest, obtaining one or possibly two degree collection of phone records, as well as a bunch of other things that remain redacted — that the NSL law didn’t envision. Indeed, FBI’s NSL requests have gotten so exotic that some Internet companies started to refuse — successfully — in 2009 to comply with the requests, forcing FBI to use Section 215 orders instead.

But the second part of that exchange, Comey’s claim that “we cannot read your emails without going to a federal judge,” is egregiously false.

As both ODNI and PCLOB have made clear, FBI can and does query incidentally collected data obtained under Section 702 (PRISM) — that is, it accesses email content — without a warrant. Alarmingly, it does so at the assessment level, before FBI even has any real evidence of wrong-doing.

Second, whenever the FBI opens a new national security investigation or assessment, FBI personnel will query previously acquired information from a variety of sources, including Section 702, for information relevant to the investigation or assessment. With some frequency, FBI personnel will also query this data, including Section 702–acquired information, in the course of criminal investigations and assessments that are unrelated to national security efforts.

That’s not conducting electronic surveillance — because FBI gets the email after the electronic surveillance has already occurred. But that does entail warrantless access of US person content, and does so without any review by a judge. Indeed, with Section 702 collection, a judge never even reviews the foreign targets, much less the US incidental collection accessed by the FBI.

Now I get that Jim Comey is a terrifically charismatic guy, with great PR instincts. But still, 60 Minutes is supposed to be a journalism show. Why, when Comey was telling 60 Minutes straight out they should not trust the government, did they let him make so many bogus claims?

The No Fly List and DOJ’s Notice Concessions

Congratulations to the ACLU, which last week got 6 of its 13 No Fly List plaintiffs moved off the No Fly List.

Seven American citizens who were banned by the government from air travel received word yesterday evening that they are cleared to fly. For them, the notice ends a years-long struggle to find out why they were blacklisted and clear their names. As of last night, the seven can finally make plans to visit family, travel for work, and take vacations abroad.

The seven – six men and one woman – had been on the government No Fly List, which prevented them from flying to, from, and over U.S. airspace. Even after they were surrounded by TSA agents at the airport and questioned by the FBI, the government refused to officially confirm that they were included on the list. They were also never provided reasons for being banned from air travel, or given a meaningful opportunity to contest the ban. In short, our clients have been locked in a fight to regain their freedoms with virtually no information.

The notice that the seven are “not currently on the No Fly List” came after a federal court last week set deadlines for the government in the ACLU’s challenge to the No Fly List. The court ruled that the government must notify our clients of their status on or off the No Fly List, give reasons to those still on the list, and provide an opportunity for them to challenge those reasons. The first of those deadlines was yesterday, and the government must complete reconsideration of the remaining cases by January 16.

The remaining 6 (2 of whom, curiously, worked in the Middle East with tech companies) will now be given some kind of due process.

Which got me thinking about this Charlie Savage story from several weeks ago. It describes how, following DOJ’s recognition that it needs to give notice to some, but definitely not all of the people identified using Section 702, the government is now debating whether it needs to give those sanctioned by the Treasury notice under FISA. At the very end of the story, Savage notes that legal experts say DOJ may have to give notice to some on the No Fly List as well.

Legal specialists said the government could also be invoking arguments against providing a FISA notice even at the court stage, which is adversarial. It may say, for example, that Congress could not have intended the law to apply in situations where the recipients of the notice could not do anything with that information. For example, most foreigners abroad could not argue that the warrantless surveillance violated their rights — because the Constitution does not cover them — and so they could not ask to have the evidence suppressed.

Still, the experts said surveillance-derived information could affect Americans who did have constitutional rights, like the approximately 800 people placed on the “no fly” list, which prevents people from boarding aircraft, as well as applicants for licenses like those that allow people to work behind airport security checkpoints.

“Very significant decisions about people’s lives are made on this kind of evidence,” said Jameel Jaffer, an American Civil Liberties Union lawyer. “When all this takes place in secret, you don’t have an opportunity to challenge the constitutionality of the government’s surveillance methods.”

In June, a Federal District Court judge struck down the process for challenging being put on the “no fly” list, saying it was too opaque and violated Americans’ due-process rights. She ordered the government to give people more information about why they are on the list.

Which has me wondering: what may distinguish the 7 ACLU plaintiffs who were removed from the No Fly List from the 6 who remain on it is how they were identified. That is, the government can avoid giving notice simply by moving people off the list.

There is some reason to believe the government does use Section 702 data — and nothing more — to put people on the No Fly List. If that’s right, then the legal requirement that those affected get more notice may make the government more cautious about whom it places on the list.