Nobel Prize: The Surveillance Fight Remains Ahead of Us

This morning, the Nobel Prize awarded the Peace Prize to Pakistani activist Malala Yousafzai.

In a piece published earlier this morning at Salon, I pointed out that so long as countries like Norway participate in the NSA’s dragnet, Edward Snowden will never get a Nobel Prize.

No European country but Russia has offered Snowden asylum, so it’s unlikely the Norwegians will do something just as likely to piss off the U.S. Numerous European countries, after all, play willing partners in America’s global dragnet. Europe — including Norway — are the spies Snowden warned us against.

But I also made a more important point.

Like Obama — who got a Nobel Prize well before he had delivered on his promises — the world community has not yet really acted on Edward Snowden’s invitation to reform.

Snowden has completed a courageous act, leaking a mother lode of documents revealing just how exposed we are to the NSA’s glare. He has continued to speak out, to the extent he is able from Russia.

But the response remains very much in flux. Across the world, it’s quite possible Snowden’s leaks provide more repressive governments the excuse to crack down. Certainly America’s Five Eyes spying partners (in addition to the UK, New Zealand, Australia, and Canada) are doing so: all but Canada have passed or are passing expansive laws legalizing still more surveillance. Citizens — in Five Eyes countries and outside — have not yet seized the opportunity created by Snowden to roll back the dragnet. Even in the U.S., the only reform on offer, Patrick Leahy’s USA Freedom Act, worsens some aspects of spying while achieving the important goal of removing all Americans’ phone records from the government.

Snowden did a courageous thing by leaking the NSA’s secrets, and continues to engage, as possible, in constructive fashion. If the world responded well to those disclosures, it might lead to a more just world, one much safer for dissent and human relationships. But we — the rest of the world — have not yet delivered on that promise, and may not. So a prize for Snowden — no matter how important his actions — may yet reward the mere hope of change, not real progress towards it.

The world’s relative inaction in response to Snowden’s warnings does not at all detract from Snowden’s courage. But it does mean it is far too early to conclude that we’ve used this opportunity Snowden gave us to reverse a dangerous dragnet.

A Good Reason to Encrypt Your iPhone: To Prevent DEA from Creating a Fake Facebook Account

At Salon yesterday, I pushed back against the Apple hysteria again. In it, I look at the numbers that suggest far more Apple handsets are searched under the border exception than using warrants.

Encrypting iPhones might have the biggest impact on law enforcement searches that don’t involve warrants, contrary to law enforcement claims this is about warranted searches. As early as 2010, Customs and Border Patrol was searching around 4,600 devices a year and seizing up to 300 using what is called a “border exception.” That is when CBP takes and searches devices from people it is questioning at the border. Just searching such devices does not even require probable cause (though seizing them requires some rationale). These searches increasingly involve smart phones like the iPhone.

These numbers suggest border searches of iPhones may be as common as warranted searches of the devices. Apple provided account content to U.S. law enforcement 155 times last year. It responded to 3,431 device requests, but the “vast majority” of those device requests involved customers seeking help with a lost or stolen phone, not law enforcement trying to get contents off a cell phone (Consumer Reports estimates that 3.1 million Americans will have their smart phones stolen this year). Given that Apple has by far the largest share of the smart phone market in the U.S., a significant number of border device searches involving a smart phone will be an iPhone. Apple’s default encryption will make it far harder for the government to do such searches without obtaining a warrant, which they often don’t have evidence to get.

Almost 20% of Americans this year will have an iPhone, and that number will be far higher among those who fly internationally. If only 20% of 5,000 border searches involve iPhones, then there are clearly more border iPhone searches than warranted ones.

Meanwhile, we have an appalling new look at what law enforcement does once it gets inside your smart phone. A woman in Albany is suing DEA because — after she permitted DEA to conduct a consensual search of her phone — DEA then took photos obtained during the search, including one of her wearing only underwear, and made a fake Facebook page for her with them. They even sent a friend request to a fugitive and accepted other friend requests. They also posted pictures of her son and niece, on a site intended to lure those involved in the drug trade.

And they consider this a legitimate law enforcement activity!

In a court filing, a U.S. attorney acknowledges that, unbeknownst to Arquiett, Sinnigen created the fake Facebook account, posed as her, posted photos, sent a friend request to a fugitive, accepted other friend requests, and used the account “for a legitimate law enforcement purpose.”

The government’s response lays out an argument justifying Sinnigen’s actions: “Defendants admit that Plaintiff did not give express permission for the use of photographs contained on her phone on an undercover Facebook page, but state the Plaintiff implicitly consented by granting access to the information stored in her cell phone and by consenting to the use of that information to aid in an ongoing criminal investigations [sic].”

To be sure, DEA and FBI would still be able to obtain consensual access to phones, as they did in this case, by threatening people with harsher charges if they don’t cooperate (which appears to be how they got her to cooperate).

But this demonstrates just how twisted is the government’s view of legitimate use of phone data. The next time you hear a top officer wail about pedophiles, you might ask whether they’re actually the one planning to post sexy pictures.

Clouded Transparency in USA Freedom Act

I noticed earlier yet another hole in USA Freedom Act’s “Transparency” provisions that I’m very intrigued about. It’s part of the definition of “individual whose communications were collected,” off of which all the individualized non-target reporting is based. That definition reads,

(3) INDIVIDUAL WHOSE COMMUNICATIONS WERE COLLECTED.—The term ‘individual whose communications were collected’ means any individual—

(A) who was a party to an electronic communication or a wire communication the contents or noncontents of which was collected; or

(B)

(i) who was a subscriber or customer of an electronic communication service or remote computing service; and

(ii) whose records, as described in subparagraph (A), (B), (D), (E), or (F) of section 2703(c)(2) of title 18, United States Code, were collected.

(A), as I’ve explained, clearly exempts all the non-communication tangible things collected under Section 215 — things like bank records and purchase records — from any individualized reporting. That has the effect of hiding at least two known dragnet programs, that collecting international money transfers and that collecting explosives precursors that usually have innocent uses — things like hydrogen peroxide, acetone, and pressure cookers.

I believe it also exempts location data — as communication from a tracking device — from any reporting, though I would welcome being proven wrong on that point. If I’m right, though, it will have the effect of hiding likely Stingray and other location tracking programs under PRTT, potentially including the more systematic PRTT program FBI had at least as recently as 2012.

(B), though, is even more fascinating. First, note that (A) does not reflect all electronic communication records collected — only those that involve a “party to a communication” (and no, I don’t understand the boundary there). The underlying definition of communication is very broad, including a bunch of non-communication things, but this “party to” language might limit it. (B), by contrast, is built off a person being a “subscriber or customer” of an electronic communication service or remote computing service, which would include both Internet sites, including search engines, and cloud storage. So I believe this would, if measured in good faith, provide numbers relating to the collection on URL searches and cloud storage uses.

But here’s where it gets interesting. Note what is excluded from the definition being used here, which as far as I know is just pulled outta someone’s arse for this bill (in strikethrough).

(2) A provider of electronic communication service or remote computing service shall disclose to a governmental entity the—
(A) name;
(B) address;
(C) local and long distance telephone connection records, or records of session times and durations; [struck through]
(D) length of service (including start date) and types of service utilized;
(E) telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and
(F) means and source of payment for such service (including any credit card or bank account number),
of a subscriber to or customer of such service when the governmental entity uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena or any means available under paragraph (1).

This language from 2703(c)(2) describes what the government can obtain from stored communication providers without a court order; but note that 2703(c)(1) permits the government to obtain other information (though not content of communications) with a court order based on a relevance standard.

As I read it [insert standard caveats about not being a lawyer, invitations for lawyers to correct me here], if all the government obtains from a cloud or web provider is what are deemed call records or session times (or those other things permissible with a court order under 2703(1)), then it doesn’t count as a communication provided. If they ask for other stuff — identifying information — then it’s a communication. But if they only ask for the communications stuff, then it’s not a communication. And, if I’m reading this correctly (though I’m less sure of this), obtaining someone’s non-communication content stored in the cloud does not amount to collecting communications on them under the larger definition.

Given how crazy this formula is, I’m going to assume this pulled-outta-arse definition is designed to hide some fairly substantive dragnet.

I confess, I have no idea what this is designed to hide. But here are three non-exclusive possibilities.

The Exotic Section 215 Requests

First, consider that the stored communication definition used here is not a definition used for FISA. The closest definition to that is in 18 USC 2709, which is the NSL equivalent for what they’re using here, which is a Title III administrative subpoena. The NSL permits the government to obtain fewer things:

name
address
local and long distance toll billing records
length of service

In fact, that NSL definition is behind the bulk of Section 215 orders. After DOJ published an OLC memo limiting what FBI could get under that NSL definition, more than one Internet company started refusing NSLs for a certain kind of request in 2009, which led FBI to obtain that information under Section 215. Such orders are now the majority of Section 215 orders.

I had been assuming these searches were for the URL searches of individuals, based on James Cole’s confirmation they can use Section 215 to get URL searches. And they may well be. But that shouldn’t generate a large number of people affected (except insofar as someone searched on US businesses, which count as US persons). There’d be no reason to hide that (especially since it will show up as foreign, not domestic, collection under FBI’s exemption). Besides, a person’s URL search might count as a party to a communication.

Perhaps, though, these exotic requests are either collected in bulk (perhaps searches for a certain thing) or they are for some other kind of use.

PRISM Non-Communication

We usually talk about PRISM — Section 702 collection from US-based Internet providers — in terms of communications collected: emails and instant messages.

But we know that, even in the first year of Protect America Act, the government had broadened its requests to include 9 things. Even 6 years ago, those requests seem to include cloud storage, information searches, and Yahoo’s internal records on customers.

The definition of “communications collected from” would seem to exempt not only non-communication data stored in the cloud from its counts, but even communication data.

As with the exotic Internet requests, I’m not sure how these requests would drive up the numbers of people affected. But if they do, by structuring the request in this way, they’d artificially lower the number of people affected by PRISM.

Phone connection chaining 

We know the other two kinds of collection — the exotic Internet 215 requests and cloud collection under PRISM — occur. We don’t know what “connection chaining” means in the context of the phone dragnet.

As I have noted, the new Section 215 Call Detail Record function meant to replace the phone dragnet doesn’t actually chain on calls and texts made. It chains on “connections.” Nobody knows what the fuck that means, though in spite of promises ODNI would explain it in their letter supporting the bill, they did not do so. And ODNI has denied my FOIA requests for related language.

It’s SEKRIT. Which means it must be interesting.

That said, I have speculated that it might include finding burner phones (which is fairly uncontroversial, and FBI does it under Hemisphere anyway), using location to map connections (again, that’s something available under Hemisphere), or things like address books and calendars and even personal pictures.

And of course, most of those things would be accessible with smart phones because cloud content is available. Precisely the kind of cloud content dodged by this definition.

Now, I’m still not sure this works. After all, as a Verizon subscriber, if I get connection chained because I’m in someone else’s Verizon address book, it would seem they would have to count me. Or maybe not, because the actual request (all done at the telecom, of course!) wouldn’t be triggered to me, it’d be triggered to my friend.

But it seems at least possible that this definition would hide a great number of potential connections made via cloud information, whether obtained under PRISM or under Section 215’s CDR connection chaining.

The Continuing Myth about USA Freedom Transparency

Summary: This is a response to an Elizabeth Goitein claim that USA Freedom would provide detailed reporting on FISA programs. That’s false. As I show below, the only three kinds of collection for which reasonably real numbers will be reported are Individual FISA orders, NSLs (though FBI refuses to count those accurately), and the new CDR provision (though it will be presented as foreign collection even though it will be domestic). On everything else, the reporting will be excepted away beyond usefulness. Further, both PRTT and traditional 215 will likely get reported only as “fewer than 500,” a significant regression from current reporting.

In a piece at Just Security, Brennan Center’s Elizabeth Goitein bemoans what she claims as a distraction from passing the USA Freedom Act in the form of ISIS.

Then came ISIS. Following the group’s capture of territory in Iraq, its beheading of two American journalists, and its calls for followers to launch attacks in the US, some American lawmakers claimed it would be irresponsible to ratchet back surveillance authorities in the face of a new terrorist threat. 

I’m skeptical that USAF was going to pass anyway, and equally skeptical the Republicans are really responding to ISIS and not improving GOP Senate chances.

But I’m more interested in Goitein’s portrayal of the bill.

To her credit, she limits her most aggressive claims that the bill would end bulk collection to the phone dragnet. Though she claims continuation of the financial dragnets would be a misreading of the bill.

The bill also would prohibit bulk collection of other types of transactional data, although the wording of these bans is susceptible to distorted readings, as some have observed.

That’s something on which we can fairly disagree. In my opinion, this language does nothing to limit the financial dragnet.

(i) means a term that specifically identifies a person, account, address, or personal device, or another specific identifier, that is used by the Government to narrowly limit the scope of tangible things sought to the greatest extent reasonably practicable, consistent with the purpose for seeking the tangible things; 

As I’ve noted, permitting “person” as a selector permits the use of “Western Union.” And the language “to the greatest extent reasonably practicable, consistent with the purpose for seeking the tangible things” closely resembles claims we’ve seen in released applications and orders. I would be fairly shocked if the applications for the Western Union dragnet didn’t say — as NSA said of the phone dragnet — that FBI required all foreign money transfers to be able to track such transfers. If so, then FISC has already bought off on the government’s claim that the existing financial dragnets are as narrowly limited as “reasonably practicable, consistent with the purpose for seeking the tangible things.” If so — and given public FISC releases, this is actually not a distorted reading in the least — then this bill will not affect the existing dragnets in the least. 

Still, I commend Goitein for exercising far more caution than other USAF supporters have in the past about the extent of the bill.

But Goitein’s claims about the transparency required under the bill are simply wrong.

The USA Freedom Act also would require more detailed statistical reporting by the government on the number of people affected by specific surveillance authorities –including, for most FISA programs, a separate tally of U.S. persons affected. These numbers give meaning to abstract legal interpretations. It’s clear that the FISC endorsed a broad interpretation of the term “relevance,” but only the numbers can tell us exactly how broad.

This bill will be less than useless in helping us understand how broadly the government is collecting; it will be counter-productive.

Here’s what, to the best of my understanding, we’ll actually get:

Individual orders (Titles I, III, 703, 704): We’ll get a “good faith” estimate of how many individuals are targeted. The government won’t reveal the split of this targeting. That will likely hide that much of its “targeting” consists of obtaining already collected data. The government won’t reveal that it does not use 703. At all.

702: We’ll get the number “1” for total orders, and something like 90,000 for targets. We’ll get a grossly misrepresentative number for number of people located in the US collected under PRISM, because the government will not be required to count IPs in the US as someone in the US. We’ll also get a certificate saying it cannot estimate whether more than 56,000 US persons are collected in upstream every year (because if the government did so it would then be illegal). We’ll get numbers like NSA 100 and CIA 1000 for back door searches, but we will get nothing on FBI back door searches, which can be done with no suspicion of wrong-doing. This leaves out 56,000 or more Americans affected via upstream, probably 100s of 1000s under an IP dodge, and probably 10s of 1000s affected in back door searches, and that’s assuming the DNI doesn’t use a Certificate to refuse to report all people affected by PRISM. Update: See this post for something else that may be hidden — non-communication cloud data.

Title IV (PRTT): We’ll start with a number like 140; as currently counted this would show as something like 300 targets, 70 of whom are named US persons who got their phone or email records collected. But this may not count US persons who have their email records collected, because the government won’t have to treat a US IP as a US person. It also won’t count the people sucked up in Stingray use, as that is not counted as a communication collected. That’ll ensure the number is fewer than 500, meaning that’s the only number we’ll get, which is far worse than the reporting we currently get. Moreover, if as I suspect any bulkier PRTT program collects location, it will show only something like 4 al Qaeda related targets (because location data is not a communication). And the government can issue a claim that it can’t count those in the US (because if it did so it’d be illegal). One way or another, this will leave out hundreds of thousands, and perhaps millions, of affected Americans.

Traditional 215: Under current counting we’d get a number like 210 orders, targeting 800 targets. Here’s how it’ll break out in this reporting:

Exotic Internet requests (currently the majority of 215 orders): These are in the US, but they won’t be counted as such because they’re FBI orders and FBI is exempted from counting that. I suspect they’re also exempted even more generally from total persons affected counts as subscriber session time (see below regarding the definition of communications collected), though that’s a guess. Update: see this post for more on this language.

Less exotic Internet orders: These won’t have to be reported as US persons either, because the government doesn’t have to treat US IPs as US location.

Known non-financial dragnets: Under current counting this would probably count as roughly 24 orders (assuming 6 programs with 90 day renewals), with 4 targets — the al Qaeda groups included — each. Under USAF reporting, none of the individuals affected by the known bulk non-communications dragnets — which we know to include financial records and purchase records and which may include travel records — will get reported because the bill doesn’t require non-communications 215 orders to be individualized.

Having exempted almost every known kind of 215 order from individualized reporting, it’ll bring the total number affected well under 500, meaning that’s all we’ll get for persons affected, a far worse report than we currently get. This will definitely leave out millions of affected Americans, and will present the false impression that most 215 orders affect foreigners. 

New-Fangled 215: For CIA and NSA — which are unlikely to use this provision — the government will have to report the targets, plus the people within 2 degrees sucked in with those targets. For FBI, which is likely to collect this data now that it doesn’t require ingesting all the phone records in the US and because FBI has far more liberal sharing rules, it’ll probably report 300 targets, and a total of 3 million people affected. But those won’t be identified as Americans because the FBI is exempted from that. Moreover, since this will bring the number under 500, that’s all we’ll get for targets (though not persons affected). This will probably hide hundreds of thousands of Americans affected.

Update, 10/5: See this post for one other thing USAF may hide: cloud-related metadata that might be used for connection chaining.

NSLs: This bill provides slightly more breakout on US/non-US NSL reporting, though that has largely been available via IG report (plus, FBI refuses to count it accurately), except for subscriber data.

To sum up, what USAF effectively does is require reporting on the number of people affected by surveillance programs, and for most requires a break-out of the number of US persons affected. But then it uses the following exemptions to hide by far the bulk of the US persons affected — and in most cases, the number of persons affected — by surveillance:

  • 603(b)(2): Only a phone number registered in the US provides a reasonable basis that a person is located in the US. Thus all bulky Internet collection in the US can and will be hidden as foreign collection.
  • 603(e)(2): For several target and affected numbers, DNI will report numbers under 500 as fewer than 500. This will result in significantly less granular reporting than we currently have for some authorities, especially PRTT and 215.
  • 603(e)(3): If records are held by FBI or queries are conducted for them, 702 back door searches, communications-related traditional 215 orders, and newfangled 215 results don’t have to report on US persons affected. FBI will effectively be even more of a black hole where reporting goes to die than it already is.
  • 603(e)(4): DNI can certify that it can’t report on the 702 and PRTT Americans caught in the dragnet. Unless they use the IP dodge, they’ll almost certainly do this because if they admit this is US person collection, it’ll become illegal.
  • 603(g)(3): The definition of “individual whose communications were collected,” on which non back door 702, PRTT, and both traditional and newfangled 215 individualized reporting is based, would (according to my reading–lawyers should definitely check this) exclude:
    • Any location data (tracking devices are excluded)
    • Any financial, purchase, or other non-communication record (they are non-communication)
    • Any subscriber to an electronic computer service who is not a party to a communication who has had only her call records or session times collected [(B)(ii) excludes subparagraph (C) of 2703(c)(2)]

That is, after requiring reporting for most FISA reports, it then exempts virtually all of it from reporting.

Psyche!

This is not serious transparency reporting. Rather, it’s a hoax, at best reporting knowingly false information, but usually producing nothing but propaganda that gives a grossly misleading description of what collection occurs.

Updated 10/4 with summary and some clarifications.

Protect America Act Was Designed to Collect on Americans, But DOJ Hid that from the FISC

The government released a document in the Yahoo dump that makes it clear it intended to reverse target Americans under Protect America Act (and by extension, FISA Amendments Act). That’s the Department of Defense Supplemental Procedures Governing Communications Metadata Analysis.

The document — as released earlier this month and (far more importantly) as submitted belatedly to the FISC in March 2008 — is fairly nondescript. It describes what DOD can do once it has collected metadata (irrespective of where it gets it) and how it defines metadata. It also clarifies that, “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communications, nor do they qualify as ‘us[ing] a selection term’.”

The procedures do not once mention US persons.

There are two things that should have raised suspicions at FISC about this document. First, DOJ did not submit the procedures to FISC in a February 20, 2008 collection of documents they submitted after being ordered to by Judge Walton after he caught them hiding other materials; they did not submit them until March 14, 2008.

The signature lines should have raised even bigger suspicions.

[Image: Gates and Mukasey signature lines]

First, there’s the delay between the two dates. Robert Gates, signing as Secretary of Defense, signed the document on October 17, 2007. That’s after at least one of the PAA Certifications underlying the Directives submitted to Yahoo (the government is hiding the date of the second Certification for what I suspect are very interesting reasons), but 6 days after Judge Colleen Kollar-Kotelly submitted questions as part of her assessment of whether the Certifications were adequate. Michael Mukasey, signing as Attorney General, didn’t sign the procedures until January 3, 2008, two weeks before Kollar-Kotelly issued her ruling on the certifications, but long after it started trying to force Yahoo to comply and even after the government submitted its first ex parte submission to Walton. That was also just weeks before the government redid the Certifications (newly involving FBI in the process) underlying PAA on January 29. I’ll come back to the dates, but the important issue is they didn’t even finalize these procedures until they were deep into two legal reviews of PAA and in the process of re-doing their Certifications.

Moreover, Mukasey dawdled two months before he signed them; he started at AG on November 9, 2007.

Then there’s the fact that the title for his signature line was clearly altered, after the fact.

Someone else was supposed to sign these procedures. (Peter Keisler was Acting Attorney General before Mukasey was confirmed, including on October 17, when Gates signed these procedures.) These procedures were supposed to be approved back in October 2007 (still two months after the first PAA Certifications) but they weren’t, for some reason.

The backup to those procedures — which Edward Snowden leaked in full — may explain the delay.

Those procedures were changed in 2008 to reverse earlier decisions prohibiting contact chaining on US person metadata. 

NSA had tried to get DOJ to approve that change in 2006. But James Baker (who was one of the people who almost quit over the hospital confrontation in 2004 and who is now FBI General Counsel) refused to let them.

After Baker (and Alberto Gonzales) departed DOJ, and after Congress passed the Protect America Act, the spooks tried again. On November 20, 2007, Ken Wainstein and Steven Bradbury tried to get the Acting Deputy Attorney General Craig Morford (not Mukasey, who was already AG!) to approve the procedures. The entire point of the change, Wainstein’s memo makes clear, was to permit the contact chaining of US persons.

The Supplemental Procedures, attached at Tab A, would clarify that the National Security Agency (NSA) may analyze communications metadata associated with United States persons and persons believed to be in the United States.

What the government did, after passage of the PAA, was make it permissible for NSA to figure out whom Americans were emailing.

And this metadata was — we now know — central to FISCR’s understanding of the program (though perhaps not FISC’s; in an interview today I asked Reggie Walton about this document and he simply didn’t remember it).

As the new declassification of the FISCR opinion makes clear, the linking procedures (that is, contact chaining) NSA did were central to FISCR’s finding that Protect America Act, as implemented in directives to Yahoo, had sufficient particularity to be reasonable.

The linking procedures — procedures that show that the [redacted] designated for surveillance are linked to persons reasonably believed to be overseas and otherwise appropriate targets — involve the application of “foreign intelligence factors.” These factors are delineated in an ex parte appendix filed by the government. They also are described, albeit with greater generality, in the government’s brief. As attested by affidavits of the Director of the National Security Agency (NSA), the government identifies [redacted] surveillance for national security purposes on information indicating that, for instance, [big redaction] Although the FAA itself does not mandate a showing of particularity, see 50 U.S.C. § 1805(b). This pre-surveillance procedure strikes us as analogous to and in conformity with the particularity showing contemplated by Sealed Case.

In fact, these procedures were submitted to FISC and FISCR precisely to support their discussion of particularity! We know they were using these precise procedures with PAA because they were submitted to FISC and FISCR in defense of a claim that they weren’t targeting US persons.

Except, by all appearances, the government neglected to tell FISC and FISCR that the entire reason these procedures were changed, subsequent to the passage of the PAA, was so NSA could go identify the communications involving Americans.

And this program, and the legal authorization for it? It’s all built into the FISA Amendments Act.

Hiding Yahoos: ORCON and the FISC Special Advocate

Some weeks ago, I noted the language in James Clapper’s letter purportedly “supporting” Patrick Leahy’s USA Freedom Act making it clear he intended to retain the information asymmetry that currently exists in the FISA Court — specifically, ex parte communication with the court.

We note that, consistent with the President’s request, the bill establishes a process for the appointment of an amicus curiae to assist the FISA Court and FISA Court of Review in matters that present a novel or significant interpretation of the law. We believe that the appointment of an amicus in selected cases, as appropriate, need not interfere with important aspects of the FISA process, including the process of ex parte consultation between the Court and the government. We are also aware of the concerns that the Administrative Offices of the U.S. Courts expressed in a recent letter, and we look forward to working with you and your colleagues to address these concerns.

The Yahoo documents released a few weeks back illustrate how this might work in practice.

We’ve known since January 2009 that Yahoo (which we then only knew was an Internet company) didn’t receive the materials — perhaps most importantly, the minimization procedures — it needed to adequately challenge the program.

The cover sheet to the ex parte appendix provided to the FISCR illustrates the range of things withheld from Yahoo’s attorney, Marc Zwillinger, who apparently had a Top Secret clearance. In addition to the minimization procedures for NSA and FBI, the government withheld the “linking” procedures used to identify targets (the titles of these documents are redacted in the released version, but this post explains why at least some must pertain to these procedures; note, I think the government also withheld these from Judge Reggie Walton at the FISC level!), and a January 15, 2008 Colleen Kollar-Kotelly FISC opinion assessing the adequacy of the original certifications.

Comparing two versions of Walton’s April 25, 2008 opinions — a version redacted for Yahoo’s use in 2008, and the version redacted for public release now — provides context on the key issues obscured or suppressed entirely from Yahoo’s view. (Note two things about these redactions: first, with the exception of language on the information the government demanded from Yahoo, we’re receiving more information than Yahoo’s cleared attorney received when he was fighting this case. And the older document actually includes two sets of redactions: the more faded redactions used for Yahoo, and a more opaque set done for this release, the latter of which hide details about the Directives given to Yahoo.)

Effectively, the government hid what they changed when they rewrote Certifications underlying their demands to Yahoo just 2 weeks before the law expired. A significant part of those changes involves getting FBI involved in the process (I increasingly suspect those January 29, 2008 Certifications are when the government first obtained official permission for FBI back door searches).

Notice of the new Certificates was given to Yahoo on February 16, 2008, the day PAA expired, and signed by then Solicitor General Paul Clement, though signed as Acting Attorney General (see page 81). One day earlier, Judge Walton had given the government an ex parte order requiring them to address whether the ex parte materials they had submitted to him in December “constitutes the complete and up-to-date set of certifications … applicable to the directives that are at issue in this proceeding.” Walton also required the government to provide notice to Yahoo they were going to submit a new classified appendix.

Apparently, Walton had gotten wind of the fact — but had not been told formally — that the government had submitted entirely new Certifications affecting their treatment of the data they would obtain from Yahoo. So he ordered them to update the record so his review actually considered the surveillance as it would be implemented.

I’ve listed most of the differences between the two memoranda below. While much of it pertains to prior classified decisions and the operation of FISC generally, the biggest sections redacted from Yahoo but released in part to us now describe the new certifications, including FBI’s new role in the process. Of particular concern, the government withheld Walton’s comment admonishing the government for changing the certifications, “without appropriately informing the Court or supplementing the record in this matter until ordered to do so” (page 4), though footnote 4 and page 35 make it clear that Walton revealed some details of the government’s belated disclosures in a February 29 order for more briefing.

More troubling still, they hid Walton’s still significantly-redacted assessment that the changes in the Certifications would not change the nature of the government’s demand from Yahoo (page 38).

Neither type of amendment altered the nature of the assistance to be rendered by Yahoo,40

40 Yahoo has submitted a sworn statement that, prior to serving the directives on Yahoo, representatives of the government “indicated that, at the outset, it only would expect…

I wrote about these changing requests here. And while on paper the changing requests couldn’t have been a result of the changed Certification — Yahoo’s Manager of Legal Compliance described them in a January 23 submission, and the new Certifications were issued the following week — I find the timing, and the government’s failure to notice Walton on them, suspect enough that it’s the kind of thing that should have been briefed. Plus, as I’ll show in a follow-up post, I’m fairly certain the government hid from both FISC and FISCR the degree to which this was about targeting Americans.

Once Walton learned that the government’s requests to Yahoo had changed between the date of Kollar-Kotelly’s initial approval and the expiration of the law, it seems it should have merited more direct briefing, but that would have required admitting that the changes put domestic law enforcement in the center of the program, which presents (or should present) significantly different Fourth Amendment concerns, notably increasing the importance of prior interpretations of the “significant purpose” language instituted under the PATRIOT Act.

In other words, not only did the ex parte nature of this proceeding hide the details Yahoo would have needed to make a robust Fourth Amendment argument, as well as evidence that the government was not being entirely forthcoming to FISC (which would have bolstered Yahoo’s separation of powers claim), it also hid what may be specifically pertinent details behind the government’s last minute changed certifications.

In theory, this shouldn’t happen with the USA Freedom Advocate, because the bill specifically requires the Advocate have access to certifications necessary for her to complete her duties.

(A) IN GENERAL.—If a court established under subsection (a) or (b) designates a special advocate to participate as an amicus curiae in a proceeding, the special advocate—

[snip]

(ii) shall have access to all relevant legal precedent, and any application, certification, petition, motion, or such other materials as are relevant to the duties of the special advocate;

By comparison, the government was challenging Yahoo’s legal standing to take this challenge in the first place.

But I find the apparent basis for withholding information from Yahoo to be relevant. This memorandum, at least, was originally classified Top Secret/ORCON (Originator Controlled); the redacted memorandum given to Yahoo was classified Secret. That means that the changes arose, at least in part, from the ability of the originator (which may be DOJ’s National Security Division, given that Mark Bradley conducted the declassification review) to determine who gets the document. As I noted, there are two bases in USAF that would permit the government to withhold information, classification and privilege. Withholding information under an ORCON claim likely stems from both (though I am checking this).

So while the government should not be able to treat the advocate the same way they treated Yahoo (which, after all, FISC treated as a Congressionally sanctioned challenger to the orders, just as it would the advocate), they seem to have the prerogative to. (Update: I should add that Walton permitted the government to do all the ex parte briefing here under FISA’s ex parte briefing language; given that USAF doesn’t change that for any of the authorities in question, we should assume this precedent will apply to the advocate.)

To be clear, the USAF advocate is not one of the things that I believe sets back a slow reform process (as, for example, I believe the “transparency” provisions and some weakened minimization procedures do). I think it most likely that the advocate will evolve the way PCLOB has, which was first authorized in 2004, thwarted by Executive obstruction (on precisely these kinds of issues), reauthorized as a more effective body in 2007, then slow-walked again — partly by President Obama, though partly by Congress — for another 6 years. That is, if the advocate is at least as self-respecting as Lanny Davis (!), she will quit if the Executive ignores the intent of Congress that she have access to the materials she needs to do her job, exposing the inefficacy of the existing system. All that, of course, assumes she will cop onto what has been withheld. Clearly, Yahoo got a sense of it during this process, though FISC and FISCR seem to have realized only some of the other stuff withheld from them.

That is, judging by the PCLOB example, if all goes well and if USAF were to pass this year, we might have a fully functional advocate by 2023!

The Yahoo materials released show that the government withheld pertinent information from Yahoo, FISC, and FISCR until forced to provide it, and they never provided any of them with all the information they should have.

That it retains the ability to do so under USAF doesn’t bode well for the advocate. But that’s really just a subset to a larger issue that, even when authorized by Congress to provide oversight of this executive spying, the government has consistently, for years, been less than fully cooperative with FISC’s authority to do so.

As I’ve said, the surest way to reform surveillance is to eliminate the FISA Court.

Yahoo’s FISA Content Requests Went up 30% in Second Half of Last Year

Yahoo just released their transparency report for the first half of this year, which means they can report on the National Security requests from the last half of last year.

And that data shows a pretty alarming spike in FISA Content Requests.

The first half of the year showed their FISA content requests affected <40,000 accounts.

The second half of the year showed their FISA content requests affected <51,000 accounts.

That’s a 30% increase in accounts affected in just 6 months.

It’s possible, of course, what we’re seeing is a new kind of service being accessed by the government, which might by itself justify such a spike. Or it may be that the government is doing that much more spying.

Law Enforcement’s Apple Security Hysteria: About Border Searches?

As I noted the other day, Apple just rolled out — and Google plans to match with its next Android release — passcode protected encryption for its cell phone handsets.

Last night WSJ had a story quoting some fairly hysterical law enforcement types complaining mightily not just that Apple is offering its customers security, but that it is a marketing feature.

Last week’s announcements surprised senior federal law-enforcement officials, some of whom described it as the most alarming consequence to date of the frayed relationship between the federal government and the tech industry since the Snowden revelations prompted companies to address customers’ concerns that the firms were letting—or helping—the government snoop on their private information.

Senior U.S. law-enforcement officials are still weighing how forcefully to respond, according to several people involved in the discussions, and debating how directly they want to challenge Apple and Google.

One Justice Department official said that if the new systems work as advertised, they will make it harder, if not impossible, to solve some cases. Another said the companies have promised customers “the equivalent of a house that can’t be searched, or a car trunk that could never be opened.”

Andrew Weissmann, a former Federal Bureau of Investigation general counsel, called Apple’s announcement outrageous, because even a judge’s decision that there is probable cause to suspect a crime has been committed won’t get Apple to help retrieve potential evidence. Apple is “announcing to criminals, ‘use this,’ ” he said. “You could have people who are defrauded, threatened, or even at the extreme, terrorists using it.”

I think the outrage about the stated case — that law enforcement will no longer be able to have Apple unlock a phone with a warrant — is overblown. As Micah Lee points out, the same data will likely be available on Apple’s Cloud.

But despite these nods to privacy-conscious consumers, Apple still strongly encourages all its users to sign up for and use iCloud, the internet syncing and storage service where Apple has the capability to unlock key data like backups, documents, contacts, and calendar information in response to a government demand. iCloud is also used to sync photos, as a slew of celebrities learned in recent weeks when hackers reaped nude photos from the Apple service. (Celebrity iCloud accounts were compromised when hackers answered security questions correctly or tricked victims into giving up their credentials via “phishing” links, Cook has said.)

And the stuff that won’t be on Apple’s Cloud will largely be available from a user’s phone provider — AT&T and Verizon will have call records and texts, for example. So one effect of this will be to put warrant decisions into a review process more likely to be scrutinized (though not in the case of AT&T, which has consistently proven all too happy to share data with the Feds).

Which is why I think the hysteria is either overblown or is about something else.

It may be that this prevents NSA from getting into handsets via some means we don’t understand. Matthew Green lays out how this change will bring real security improvement to your phone from all manner of hackers.

But the most immediate impact of this, I suspect, will be seen at borders — or rather, the government’s expansive 100 mile “border zone,” which incorporates roughly two-thirds of the country’s population. At “borders” law enforcement works under a warrant exception that permits them to search devices — including cell phones — without a warrant, or even any articulable suspicion.

And while it is the case that really aggressive security wonks can and do encrypt their phones now, it is not the default. Which means most people who cross an international border — or get stopped by some authority in that border zone — have their phone contents readily available to those authorities to search. Authorities routinely use their expanded border authority to obtain precisely the kinds of things at issue here, without any suspicion. The terrorist watchlist guidelines (see page 68), for example, note that border encounters may provide evidence from “electronic media/devices observed or copied,” including cell phones.

In 2011, DHS whipped out similarly hysterical language about what horribles actually requiring suspicion before searching a device might bring about.

[A]dding a heightened [suspicion-based] threshold requirement could be operationally harmful without concomitant civil rights/civil liberties benefit. First, commonplace decisions to search electronic devices might be opened to litigation challenging the reasons for the search. In addition to interfering with a carefully constructed border security system, the litigation could directly undermine national security by requiring the government to produce sensitive investigative and national security information to justify some of the most critical searches. Even a policy change entirely unenforceable by courts might be problematic; we have been presented with some noteworthy CBP and ICE success stories based on hard-to-articulate intuitions or hunches based on officer experience and judgment. Under a reasonable suspicion requirement, officers might hesitate to search an individual’s device without the presence of articulable factors capable of being formally defended, despite having an intuition or hunch based on experience that justified a search.

That is, DHS thinks it should be able to continue to search your phone at the border, because if it had to provide a rationale — say, to get a warrant — it might have to disclose the dodgy watchlisting policies that it uses to pick whose devices to search without any cause.

In other words, I’m arguing that the most immediate impact of this will be to lessen the availability of data increasingly obtained without a warrant, and given that the alternate means — administrative orders and warrants — require actual legal process, may mean these things will not be available at all.

If I’m right, though, that’s not a technical impediment. It’s a legal one, one which probably should be in place.

Update: Argh! This is even worse fear-mongering. A former FBI guy says he used intercepted communications to find kidnappers.

Once we identified potential conspirators, we quickly requested and secured the legal authority to intercept phone calls and text messages on multiple devices.

Then claims losing an entirely unrelated ability to search — for data stored on, and only on, handsets — would have prevented them from finding that kidnap victim.

Last week, Apple and Android announced that their new operating systems will be encrypted by default. That means the companies won’t be able to unlock phones and iPads to reveal the photos, e-mails and recordings stored within.

It also means law enforcement officials won’t be able to look at the range of data stored on the device, even with a court-approved warrant. Had this technology been used by the conspirators in our case, our victim would be dead.

Instead of proving this guy would be dead, the story instead proves that this is not the most pressing information.

Reaz Qadir Khan: Hoisting the FBI on Its Own Metadata Problems

Surveillance

As I said earlier, the lawyers defending Pakistani-American Reaz Qadir Khan — who is accused of material support of terrorist training leading up to an associate’s May 2009 attack on the ISI in Pakistan — are doing some very interesting things with the discovery they’ve gotten.

Request for Surveillance Authorities

The first thing they did, in a July 14, 2014 filing, was to list all the kinds of surveillance they’ve been shown in discovery with a list of possible authorities that might be used to conduct that surveillance. The motion is an effort to require the government to describe what it got how.

The table above is my summary of what the motion reveals and shows only if a particular kind of surveillance happened during a given year; it only gives more specific dates for one-time events.

The brown (orange going dark!) reflects that emails were turned over in discovery from this period, but that the 2013 search warrant apparently says “authorization to collect emails existed from August 2009 to May 2012.” That’s not necessarily damning; they could get those earlier emails legitimately via a number of avenues that don’t involve “collecting” them. But it is worth noting for reasons I explain below.

The filing itself includes tables with more specific dates, Bates numbers, possible authorities, and — where relevant — search warrant items reliant on the items in question. It also describes surveillance they know to have occurred — further Internet and email surveillance, for example, a 2009 search of Khan’s apartment, as well as surveillance in later 2012 — that was not turned over in discovery.

Effectively, the motion lays out all the possible authorities that might be used to collect this data and then makes very visible that the criminal search warrant was derivative of it (there’s a bit of a problem, because the warranted March 2013 search actually took place after the indictment, and so Khan’s indictment can’t be entirely derivative of this stuff; that relies largely on emails).

I also think some of the authorities may not be comprehensive; for example, the pre-2009 emails may have been a physical FISA search. We also know FISC has permitted the government to collect URL searches under Section 215.

But it’s a damn good summary of the multiple authorities the government might use to obtain such information, by itself a superb demonstration of the many ways the government can obtain and parallel construct evidence.

The filing seems to suggest that the investigation started in fall 2009, some months after Khan’s alleged co-conspirator, Ali Jalil, carried out a May 2009 suicide attack in Pakistan. If that’s right, then the government obtained miscellaneous records (which is not at all surprising; these are things like immigration and PayPal records), email content, and call detail records retroactively. Alternately (Jalil was arrested in the Maldives in April 2006 and interrogated by people presenting themselves as FBI), the government conducted all the other surveillance back to 2005 in real time, but doesn’t want to show Khan’s team it has. In a response to this motion, the government claims that when the surveillance of Khan began is classified.

The motion for a description of which authorities the government used to obtain particular information is still pending.

Motion to Throw Out the Emails

Here’s where things get interesting.

On September 15, Khan’s lawyers submitted a filing moving to throw out all the email evidence (which is the bulk of what has been shown so far and — as I said — most of what the indictment relies on). It argues the 504 emails provided in discovery — spanning from February 2005 to February 2012–lack much of the metadata detail necessary to be submitted as authenticated evidence. Some of the problems, but by no means all, stem from FBI having printed out the emails, hand-redacted them, then scanned them and sent them as “electronic production” to Khan’s lawyers.

That argument is highly unlikely to get anywhere on its own, though a declaration from a forensics expert does raise real questions about the inconsistency of the metadata provided in discovery.

But the filing does pose interesting questions that — in conjunction with questions about the authorities used to investigate Khan — may be more fruitful.

Oregon Prosecutors Wiretapped Defense Investigators on Mohamed Osman Mohamud Case

I’m working on a post on some interesting FISA moves the defense attorney for Reaz Qadir Khan, a Pakistani American indicted for material support for terrorism back in 2012, recently made. But before that, I wanted to note something revealed by documents in his prosecution that I wasn’t aware of before.

The FBI wiretapped 2 conversations and one voicemail defense investigators for Mohamed Osman Mohamud had with Khan in June 2011 and then handed those recordings over to the prosecutor who prosecuted Mohamud and is prosecuting Khan.

In a filing in April, Khan’s lawyers moved to obtain information about the government’s minimization procedures. They pointed to 4 different privileged conversations that had been included in discovery:

  • January 21, 2010 conversation between Khan and his immigration attorney seeking help because the FBI had told him he would be unable to fly overseas to visit his family
  • June 9, 2011 phone interview of Khan by Public Defenders conducting an investigation on behalf of Mohamed Osman Mohamud
  • June 14, 2011 phone interview between Khan and Mohamud’s investigators
  • June 14, 2011 voice mail in which a Mohamud investigator asked Khan to look for something needed by the defense

While the filing doesn’t identify Mohamud as the client in this case, the judge’s subsequent order to unseal the exhibits pertaining to those calls so as to be handed over to the defendant in that case references Mohamud’s docket.

Share with Mohamud

This also likely explains why, at the beginning of this case, the government submitted notice of a possible conflict involving Khan’s lawyer Amy Baggio. [Update, that may refer to Lawrence Matasar, who then represented Khan.] She used to work at the Public Defenders office (for all we know, she could have been recorded on those calls). Also, it may begin to explain why the government indicted Khan on December 27, 2012, just weeks before Mohamud’s trial began, but waited to arrest him until March 5, 2013, after Mohamud’s trial had concluded.

Mohamud was right in the middle of his fight to throw out his conviction because he was not noticed about the government’s use of FAA at the time the judge issued this order on May 14, but I don’t see any sign of it in his docket.

While all this doesn’t explain what the tie between Khan and Mohamud is — in its response, the government actually claims it is “unrelated” and that it was not handed over to prosecutors until after the conclusion of Mohamud’s case (which would mean it wasn’t provided to the prosecutor before he indicted Khan) — it does make it clear that the government would share the privileged conversations of one defendant with that defendant’s prosecutor via the prosecution of another defendant under FISA.

In related news, the minimization procedures tied to FBI electronic surveillance released as part of the Yahoo dump have been on the fritz since the release. Here is a copy, but the section on privileged communication is entirely redacted.

Update: In a follow-up, Khan’s lawyer noted 3 more privileged conversations, all January 28, 2012 contacts between Khan and a T Nelson, who is probably Thomas Nelson, who was involved in — among other things — the al-Haramain case.