Working Thread, Internet Dragnet Dump 2: 2004 Documents

/1 Comment/in /by

This will be a closer working thread on documents released yesterday.

X: Initial Dragnet Application (prior to July 14, 2004)

(2) From the start, the government said they wanted to disseminate the dragnet info, perhaps to tag into FBI’s investigative authorities.

(2) The footnote defining metadata hides all the stuff not associated with “standard e-mails.”

(4) The application discusses the briefing I discussed here, attended by (among others) John Brennan.

(5) The application is not submitted by a lawyer, but by Michael Hayden.

(6) The government hasn’t released a Tenet submission; back in November it hid that this submission was from him.

(16) ODNI maintains that the fictional example of metadata is classified.

(18) Originally access was restricted by making the metadata accessible only by 2 admin login accounts. That’s probably a carry-over from the compartments of the illegal program.

(20) RAS approval assigned to the same 7 authorizers that were in place for the beginning of the phone dragnet in 2006.

(21) They’re hiding at least one kind of Internet metadata.

(23) Metadata originally accessible for only 18 months. Is that what they used for the illegal dragnet?

Y. Memo of Law in Support of Original Dragnet Application, before July 14, 2004

(4) The government claims that only email metadata related to terrorism will be seen. By definition, that means anything returned in a query would be related to counterterrorism and therefore game for dissemination.

(4) This is the jist of the illegal use of PRTT for the dragnet:

Nevertheless, it involves nothing more than adapting the traditional tools of FISA to meet an unprecedented challenge and does so in a way that promotes both of the twin goals of FISA: facilitating the foreign-intelligence collection needed to protect American lives while at the same time providing judicial oversight to safeguard American freedoms.

This claim is followed by a 5-page redaction, which is mighty interesting as it would have to explain why this judicial review was so useful.

(9) Footnote 5 again makes it clear that this involves email and other online communications.

(12) This language is remarkable for a secret court document.

Collecting and archiving meta data is thus the best avenue for solving this fundamental problem: although investigators do know know exactly where the terrorists’ communications are hiding in the billions of bits of data flowing through the United States today, we do know that they are there, and if we archive the data now, we will be able to use it in a targeted way to find the terrorists tomorrow.

(20) This language is particularly important given debates about USA Freedom.

Nothing in the definitions of pen registers or trap and trace devices requires that the “instrument” or “facility” on which the device is placed carry the communications solely of a single user.

(20) This section really tries to constrain the Court.

Unlike certain other certifications made in other contexts under the statute, see, e.g., U.S.C. § 1805(a)(5), FISA does not subject the certification of relevance to any review by the Court.

Read more

James Clapper Thinks Fictitious Email Metadata Is Properly Classified

/4 Comments/in /by

If you didn’t already need proof that the FISA Court needs to consult technical advisors before they permit the government to collect all of Americans’ metadata, consider this lesson DOJ offered as part of its initial application for the Internet dragnet (see page 16).

Fictional Metadata

 

Of course, you’re prohibited from seeing the better part of that lesson — the fictional example of metadata they offered — because James Clapper has deemed it classified.

Funny. Eric Holder recently claimed in a Congressional hearing that if something’s not true it’s not classified. I guess the fictions they tell FISC judges are another matter.

Internet Dragnet Timeline

/5 Comments/in /by

This timeline provides known dates for the PRTT Internet dragnet, important related dates in the phone dragnet, upstream 702 collection, and SPCMA (overseas Internet dragnet). In addition, it provides links to the documents in this release; see this post for the listing of documents.

May 6, 2004: Jack Goldsmith opinion authorizes phone dragnet but not Internet dragnet.

Before July 14, 2004: Government applies for Internet dragnet. X. Application for Pen Register/Trap and Trace Devices for Foreign Intelligence Purposes, Y. Memorandum of Law and Fact in Support of Application for Pen Registers and Trap and Trace Devices for Foreign Intelligence Purposes, Z. Declaration of General Michael V. Hayden, U.S Air Force, Director, NSA, in Support of Pen Register/Trap and Trace Application

July 14, 2004: Colleen Kollar-Kotelly approves Internet dragnet, specifies categories of metadata (Document A in 8/12 dump).

Before October 12, 2004: the government provides notice it exceeded scope included in first order, in follow-up declarations attributes overcollection to poor management (response probably includes Paul Wolfowitz, Michael Hayden, and Joel Brenner)

Around October 12, 2004: Government reapplies without some collection, promises monthly spot checks.

April 27, 2005: In briefing leading up to PATRIOT reauthorization, Alberto Gonzales makes no mention of PRTT Internet dragnet.

November 17, 2007: Executive begins (internal) approval process for contact chaining on already-collected data which will become SPCMA.

Read more

Internet Dragnet Materials, Working Thread 1

/3 Comments/in , , /by

I Con the Record just released some ridiculously overclassified Internet dragnet documents it claims shows oversight but which actually shows how they evaded oversight. I’ve added letters to ID each document (I’ll do a post rearranging them into a timeline tomorrow or soon thereafter).

For a timeline I did earlier of the Internet dragnet program see this post.

This will be the first of several working threads, starting with descriptions of what we’ve got.

8/12: Note I will be updating this as I can clarify dates and content.

So-called Judicial oversight

A. FISC Opinion and Order: This is the Kollar-Kotelly order that initially approved the dragnet on July 14, 2004. A searchable version is here.

B. FISC Primary Order: This is an Internet dragnet order signed by Reggie Walton, probably in 2008 or very early 2009. It shows that the Internet dragnet program, which was almost certainly illegal in any case, had less oversight than the phone dragnet program (though at this point also collected fewer records). It was turned over pursuant to FAA requirements on March 13, 2009.

C. FISC Primary Order: This is an Internet dragnet order probably from May 29, 2009 (as identified in document D), signed by Reggie Walton. It shows the beginning of his efforts to work through the Internet violations. It appears to have been provided to Congress on August 31, 2009.

D. FISC Order and Supplemental Order: This is a version of the joint June 22, 2009 order released on several occasions before. It shows Reggie Walton’s efforts to work through the Internet dragnet violations. Here’s one version.

E. FISC Supplemental Order: This appears to be the dragnet order shutting down dragnet production. It would date to fall 2009 (production was likely shut down in October 2009, though this might reflect the initial shut-down).

F. FISC Primary Order: I’m fairly sure this is an order from after Bates turned the Internet dragnet back on in 2010 (and is signed by him), though I will need to verify that. It does require reports on how the NSA will segregate previously violative records, which is consistent with it dating to 2011 sometime (as is the requirement that the data be XML tagged).

G. FISC Memorandum Opinion Granting in Part and Denying in Part Application to Reinitiate, in Expanded Form, Pen Register/Trap and Trace Authorization: This is the order, from sometime between July and October 2010, where John Bates turned back on and expanded the Internet dragnet. Here’s the earlier released version (though I think it is identical).

H. Declaration of NSA Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate, the National Security Agency: This was a report Walton required in document C, above, and so would be in the May-June 2009 timeframe. Update: Likely date June 18, 2009.

I. Government’s Response to the FISC’s Supplemental Order: This is the government’s response to an order from Walton, probably in his May 29, 2009 opinion (see this order for background), or even earlier in May.Update: This response dates to June 18, 2009 or slightly before.

J. Declaration of NSA Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate, the National Security Agency: This appears to be the declaration submitted in support of Response I and cited in several places. Update: likely date June 18, 2009.

K. Supplemental Declaration of Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate, the National Security Agency: This appears to be the declaration that led to document C above.

L. Government’s Response to the FISC’s Supplemental Order Requesting a Corrective Declaration: This is a declaration admitting dissemination outside the rules responding to 5/29 order.

M. Government’s Response to a FISC Order: This is the government’s notice that it was using automatic queries on Internet metadata, just as it also was with the phone dragnet. This notice was provided to Congress in March 2009.

N. Declaration of Lieutenant General Keith B. Alexander, U.S. Army, Director, NSA, Concerning NSA’s Compliance with a FISC Order: After Walton demanded declarations in response to the initial phone dragnet violation, he ordered NSA to tell him whether the Internet dragnet also had the same problems. This is Keith Alexander’s declaration describing the auto scan for that program too. It was provided to Congress in March 2009.

O. Preliminary Notice of Potential Compliance Incident: This is the first notice of the categorical violations that ultimately led to the temporary shutdown of the dragnet, in advance of order E.

P. Notice of Filing: This is notice of a filing in response to inquiry from Judge Walton. It could be from any time during David Kris’ 2009 to early 2011 tenure.

Q: Government’s Application for Use of Pen Register/Trap and Trace Devices for Foreign Intelligence Purposes: This appears to be the application following Order E, above. I don’t think it’s the 2010 application that led to the reauthorization of the dragnet, because it refers to facilities whereas the 2010 order authorized even broader collection. (Remember Bates’ 2010 order said the government applied, but then withdrew, an application.) Update and correction: this application must post-date December 2009, because that’s when NSA changed retention dates from 4.5 years to 5. Also note reference to change in program and request to access illegally collected data from before 10/09.

R. Memorandum of Law and Fact in Support of Application for Pen Registers and Trap and Trace Devices for Foreign Intelligence Purposes: This appears to be the memorandum of law accompanying application Q.

S. Declaration of General Keith B. Alexander, U.S. Army, Director, NSA, in Support of Pen Register/Trap and Trace Application: This is Alexander’s declaration accompanying Q.

T. Exhibit D in Support of Pen Register/Trap and Trace Application: This is a cover letter. I’m not sure whether it references prior communications or new ones.

U. First Letter in Response to FISC Questions Concerning NSA bulk Metadata Collection Using Pen Register/Trap and Trace Devices: This is the first of several letters in support of reinitiation of the program. The tone has changed dramatically here. For that reason, and because so much of it is redacted, I think this was part of the lead-up to the 2010 reauthorization.

V. Second Letter in Response to FISC Questions concerning NSA bulk Metadata Collection Using Pen Register/Trap and Trace Devices: This second letter is entirely redacted except for the sucking up to Bates stuff.

W. Third Letter in Response to FISC Questions Concerning NSA Bulk Metadata Collection Using Pen Register/Trap and Trace Devices: More sucking up. Some language about trying to keep access to the existing illegally collected data. 

X. Application for Pen Register/Trap and Trace Devices for Foreign Intelligence Purposes: This is the first application for the Internet dragnet, from 2004. Very interesting. Note it wasn’t turned over until July 2009, after Congress was already learning of the new problems with it.

Y. Memorandum of Law and Fact in Support of Application for Pen Registers and Trap and Trace Devices for Foreign Intelligence Purposes: The memorandum of law accompanying X. Also turned over to Congress in 2009.

Z. Declaration of General Michael V. Hayden, U.S Air Force, Director, NSA, in Support of Pen Register/Trap and Trace Application: This goes with the initial application. NSA has left stuff unredacted that suggests they were access less bandwith than they, in the end, were. Also remember NSA violated this from the very beginning.

AA. Application for Use of Pen Register/Trap and Trace Devices for Foreign Intelligence PurposesThis appears to be the application for the second PRTT order. I’ll return to this tomorrow, but I don’t think it reflects the violation notice it should.

BB. Declaration of NSA Chief, Special FISA Oversight and Processing, Oversight and Compliance, Signals Intelligence Directorate: This is NSA’s declaration in conjunction with the first reapplication for the dragnet. This should have declared violations. It was turned over to Congress in March 2009. [update: these appear to be early 2009 application]

CC. Declaration Lieutenant General Keith B. Alexander, U.S. Army, Director, NSA, Concerning NSA’s Implementation of Authority to Collect Certain Metadata: This is Alexander’s declaration accompanying the End-to-End report, from sometime in fall 2009.

DD: NSA’s Pen Register Trap and Trace FISA Review Report: The end-to-end report itself. it was provided to Congress in January 2010.

EE: DOJ Report to the FISC NSA’s Program to Collect Metadata: DOJ’s accompaniment to the end-to-end report.

FF: Government’s First Letter to Judge Bates to Confirm Understanding of Issues Relating to the FISC’s Authorization to Collect Metadata: After Bates raauthorized the Internet dragnet, DOJ realized they might not be on the same page as him. Not sure if this was in the 2009 attempt or the 2010 reauthorization.

GG: Government’s Second Letter to Judge Bates to Confirm Understanding of Issues Relating to the FISC’s Authorization to Collect Metadata: A follow-up to FF.

HH: Tab 1 Declaration of NSA Chief, Special Oversight and Processing, Oversight and Compliance, Signals Intelligence: This appears to be the 90-day report referenced in document C. Update: Actually it is referenced in Document A: note the paragraphs describing the chaining that were discontinued before the dragnet approval.

II: Verified Memorandum of Law in Response to FISC Supplemental Order: This is one of the most fascinating documents of all. It’s a 2009-2011 (I think August 17, 2009, though the date stamp is unclear) document pertaining to 3 PRTT targets, relying on criminal PRTT law and a 2006 memo that might be NSA’s RAS memo (though the order itself is FBI, which makes me wonder whether it seeds the FBI program). It may have been what they used to claim that Internet content counted as metadata.

JJ: Memorandum of Law in Response to FISC Order: A September 25, 2006 response to questions from the FISC, apparently regarding whether rules from criminal pen registers apply to PATRIOT PRTT. While I think this addresses the application to Internet, I also think this language may be being used for location.

So-called Congressional oversight

KK: Government’s Motion to Unseal FISC Documents in Order to Brief Congressional Intelligence and Judiciary Committees: This is a request to unseal an order — I suspect document E — so it could be briefed to Congress.

LL:  Order Granting the Government’s Motion to Unseal FISC Documents in Order to Brief Congressional Intelligence and Judiciary Committees: Walton’s order to unseal KK for briefing purposes. 

MM: April 27, 2005 Testimony of the Attorney General and Director, FBI Before the Senate Select Committee on Intelligence: This is the 2005 testimony in which — I pointed out before — Alberto Gonzales did not brief Congress about the Internet dragnet.

So-called Internal oversight

NN: NSA IG Memo Announcing its Audit of NSA’s Controls to Comply with the FISA Court’s Order Regarding Pen Register/Trap and Trace Devices: This lays out an audit with PRTT compliance, noting that the audit also pertains to BR FISA (phone dragnet). It admits the audit was shut down when the order was not renewed. It’s unclear whether this was the 2009 or the 2011 shutdown, but the implication is it got shut down because it would not pass audit. 

OO: NSA IG Memo Suspending its Audit of NSA after the NSA’s PRTT Metadata Program Expired: the formal announcement they were shutting down the IG report. Again, it’s not clear whether this was the 2009 or the 2011 shutdown.

If you find this work valuable, please consider donating to support the work.  

Did Anthony Coppolino Fib about NSA’s New Architecture?

/17 Comments/in /by

On Tuesday, EFF told the tale of yet another government freak-out over purportedly classified information. The DOJ lawyer litigating their multiple dragnet challenges, Anthony Coppolino, accidentally uttered classified information in a hearing in June. So the government tried to take the classified information out of the transcript without admitting they did so. After Judge Jeffrey White let EFF have a say about all this, the government ultimately decided the information wasn’t classified after all. So the Court finally released the transcript.

My wildarseguess is that this is the passage in question:

Judge Bates never ultimately held that the acquisition violated the Constitution. The problem in that case was the minimization procedures were not sufficient to protect the Fourth Amendment interests of the people of the United States.

And so he ordered that they be changed, and they were changed. And he approved them. And in addition, in the process of not only approving the minimization procedures, NSA implemented new system architecture that did a better job at assuring that those communications were minimized and ultimately destroyed, which is the goal here. It’s part of the statutory framework not to collect on U.S. citizens and when you’ve incidentally done it, destroy it. [my emphasis]

According to the John Bates opinions relating to this incident, the NSA implemented a new system of ingesting this data, marking it, checking it before it gets moved into the general repository of data, and purging it if it includes entirely domestic commuincations. But does that count as new architecture? I’m not sure.

Meanwhile, the NSA has been upgrading their architecture. We learned that (among other places) in the most recent Theresa Shea declaration on NSA systems in EFF’s Jewel case. It doesn’t mention new architecture pertaining to  upstream  702, though she does discuss a more general architecture upgrade and how it affects Section 215 specifically.

Then there’s this language, addressing the NSA’s inability to filter US person data reliably, from PCLOB.

The NSA’s acquisition of MCTs is a function of the collection devices it has designed. Based on government representations, the FISC has stated that the “NSA’s upstream Internet collection devices are generally incapable of distinguishing between transactions containing only a single discrete communication to, from, or about a tasked selector and transactions containing multiple discrete communications, not all of which are to, from, or about a tasked selector.”155 While some distinction between SCTs and MCTs can be made with respect to some communications in conducting acquisition, the government has not been able to design a filter that would acquire only the single discrete communications within transactions that contain a Section 702 selector. This is due to the constant changes in the protocols used by Internet service providers and the services provided.156 If time were frozen and the NSA built the perfect filter to acquire only single, discrete communications, that filter would be out-of-date as soon as time was restarted and a protocol changed, a new service or function was offered, or a user changed his or her settings to interact with the Internet in a different way. Conducting upstream Internet acquisition will therefore continue to result in the acquisition of some communications that are unrelated to the intended targets.

The fact that the NSA acquires Internet communications through the acquisition of Internet transactions, be they SCTs or MCTs, has implications for the technical measures, such as IP filters, that the NSA employs to prevent the intentional acquisition of wholly domestic communications. With respect to SCTs, wholly domestic communications that are routed via a foreign server for any reason are susceptible to Section 702 acquisition if the SCT contains a Section 702 tasked selector.157 With respect to MCTs, wholly domestic communications also may be embedded within Internet transactions that also contain foreign communications with a Section 702 target. The NSA’s technical means for filtering domestic communications cannot currently discover and prevent the acquisition of such MCTs.158 

The footnotes in this section all cite to John Bates’ 2011 opinion (including, probably, some language that remains redacted in the public copy, such as on page 47). So we might presume it is out of date.  Except that PCLOB has done independent work on these issues and the end of the first paragraph includes language not sourced at all.

That is, PCLOB seems to think there remain technical problems with sorting out US person data, the filtering problem cannot be solved. (Which makes the ridiculous John Bates more skeptical on this point than PCLOB.)

So do the data segregation techniques implemented in 2011 amount to new architecture? Does the larger architecture upgrade going on going to affect upstream collection in some more meaningful fashion?

I don’t know. One other reason I think this might be the language is because Coppolino was — as he frequently does — running his mouth. Bates did rule the US person data collected before 2011 violated the Fourth Amendment, even if the task before him was solely to judge whether the minimization procedures before him did. More importantly, Bates was quite clear that this US person collection was intentional, not incidental.

So Coppolino was making claims about one of the practices (the PRTT collection is another) that is most likely to help EFF win their suit, upstream collection, which actually does entail domestic wiretapping of US person content. He made a claim that suggested — with the fancy word “architecture” — that NSA had made technical fixes. But PCLOB, at least, doesn’t believe they’ve gotten to the real issue.

Who knows? It’s just a guess. What’s not a guess is that Coppolino seems to recognize upstream 702 presents a real problem in this suit.

A Better Reform than USA Freedom: Get Rid of the FISA Court

/6 Comments/in /by

As he did once before, John Bates has written a letter in the guise of raising concerns about the resources of the FISA Court (though in this case, not actually raising any such concerns) to provide his — or someone else’s — policy views on Patrick Leahy’s version of USA Freedom (see Steve Vladeck’s great post arguing that this letter presents solely Bates defending the executive; though I think Vladeck misreads claimed cooperation with the Administration on Leahy’s bill for assent to it). But also as his earlier letter did, this does nothing so much as make a compelling case to eliminate the FISC.

While Bates raises legitimate concerns about whether summaries of court opinions are better than redacted versions (he would prefer the most sensitive ones remain secret) and the constitutionality of the appeals process, his chief gripe arises from the increased independence Leahy’s bill gives a special advocate.

Bates maintains that by requiring the FISC special advocate to advocate for privacy or civil liberties would not further the interests of privacy or civil liberties.

That’s because actually requiring the advocate to advocate for something would put her in an adversarial position vis-a-vis the government. And that, Bates is sure, would lead the government to withhold information from the Court.

Introducing an adversarial special advocate in FISA proceedings creates the risk that representatives of the Executive Branch — who, as noted, have a heightened duty of candor in ex parte FISA court procedings — would be reluctant to disclose to the courts particularly sensitive factual information, or information detrimental to a case, because doing so would also disclose the information to an independent adversary.

Mind you, the public record shows the government already withholds crucial information, such as how many Americans get collected under upstream collection, as well as how the government is actually using back door searches and how prevalent they are, as well as the torture from which some of their evidence introduced at FISC derives, as well as that EFF had a protection order for data that might incorporate the Section 215 program. So the notion that ex parte proceedings currently give the FISC all the information it needs is farcical.

But Bates worries that requiring the government to expose all the information about its plans to an adversary might lead the government to forgo “potentially valuable intelligence-gathering activities under FISA.” That’s an admission that some of the government’s current programs could not have withstood even the classified scrutiny of someone not positioned as a partner in implementing all the possible intelligence gather activities. The FISC has become, Bates makes clear, the government’s partner in approving every possible collection program that might be valuable.

And all of this complaint is an admission from Bates that it never intended to provide the advocate, as described under USA Freedumber, all the information she needed to do her job.

Bates had already made that complaint in his last letter. In this one, he adds a new one: that because Leahy’s USA Freedom requires the special advocate to be involved in novel cases — and actually defines what novel means — she would be involved in too many.

Section 401 would seem to apply to a potentially large number of cases. The requirement to designate a special advocate would be triggered in the first instance in any matter involving a “novel or significant interpretation of the law.” That term is defined expansively to include, among other things, matters involving the “application … of settled law to novel … circumstances.” Because nearly every application involves distinct (i.e., “novel”) facts and circumstances, Section 401 could be read as applying in a broad swath of cases.

Bates’ former colleagues disagree on this point. James Robertson and James Carr have said the vast majority of what FISC judges approve are fairly simple warrants.

Both and his colleagues, however, may be right: that is, it may well be the FISC has now gotten to the point where each application represents an expansion or a new tweak of previous approvals. I would actually be shocked if the expanding number of Section 215 orders — accompanied as they have been by FISC-imposed minimization procedures — don’t represent such an expansion.

Given Deputy Attorney General James Coles’ confirmation of Zoe Lofgren and Mark Warner’s questions about what Section 215 may be used for — including credit card data, URL searches, and location data — this morphing use of 215 now likely provides the government access programmatically to things they previously needed individualized warrants for.

Even with the opinions and applications we’ve seen — most of which pre-date the significant 2010 expansion of 215-based programs — it becomes clear the FISC judges (or at least those in DC who review the more novel applications) have become a rubber stamp for programs that far surpass the language of the law and likely conflict with other laws. With the vast expansion of dragnets starting in 2004, the FISC has become a court of reasonableness generally, not reasonableness within the letter of the law as written by Congress. The series of plaintive and laughably weak FISC opinions since the exposure of the Section 215 program underscores this: exposed as having far exceeded the law and intent of the Section 215 program, the FISC was left trying to invent the law post hoc.

Bates has, even more than his earlier letter, made it clear that he, at least, believes the FISC is and should be a partner with the Executive, providing legal cover for novel new surveillance that may not fit the intent of Congress. I’d say, too, that even in the area of individualized warrants, it has presided over the redefinition of things like “agent of foreign power,” such that confused Muslim young men become legitimate targets for invasive surveillance that can never be checked in the context of criminal proceedings.

So let’s get rid of it!

It may be the case that in 1978 traditional Title III courts couldn’t handle the secrecy required by FISC proceedings. But they can and do now, routinely. There’s no reason judges throughout the country couldn’t be asked to weigh FISC probable cause as they currently weigh criminal probable cause; and having more judges do so might stay closer to the definition of foreign power as intended by Congress, and if it doesn’t (which given the rubber stamp of magistrates, might well happen), it would be more likely to be reviewed at the appellate level.

Similarly, the courts have and are proving able to deal with new applications, as their treatment of FBI’s request for nationwide warrants to hack makes clear. But they do so in deliberative fashion, actual weighing the language of the law, rather than just secretly approving an application that pretty clearly violates Congress’ intent.

Eliminating the FISC wouldn’t fix all the problems of out-of-control surveillance. Requiring notice for EO 12333 collection is another necessary step, as is actual prosecution for violations of surveillance law. But it seems that just eliminating the FISC would be a far better fix for the problems exposed by Snowden’s leaking than USA Freedom would be.

USA Freedom Does Not Rein in the Spies

/5 Comments/in , , /by

Honest. I started writing about this David Cole column asking, “Can Congress rein in the spies?” before John Brennan admitted that, contrary to his earlier assurances, his spooks actually had been spying on their Congressional overseers and also before President Obama announced that, nevertheless, he still has confidence in Brennan.

Cole’s column isn’t about the the Senate Intelligence Committee’s struggles to be able to document CIA torture, however. It’s about how Patrick Leahy introduced his version of USA Freedom Act “not a moment too soon.”

I don’t want to gripe with the column’s presentation of Leahy’s version of Freedom; with a few notable exceptions (one which I’ll get to), it accurately describes how Leahy’s bill improves on the bill the spies gutted in the House.

I first wanted to point to why Cole says Leahy’s bill comes not a moment too soon.

Leahy’s bill comes not a moment too soon. Two reports issued on Monday bring into full view the costs of a system that allows its government to conduct dragnet surveillance without specific suspicions of wrongdoing. In With Liberty to Monitor All, Human Rights Watch and the ACLU make a powerful case that mass surveillance has already had a devastating effect on journalists’ ability to monitor and report on national security measures, and on lawyers’ ability to represent victims of government overreaching. And the same day, the New America Foundation issued Surveillance Costs, a report noting the widespread economic harm to US tech companies that NSA surveillance has inflicted, as potential customers around the world take their business elsewhere.

Together, these reports make concrete the damaging effects of out-of-control surveillance, even to those with “nothing to hide.” Our democracy has long rested on a vibrant and vigorous press and open legal system. On matters of national security, journalists probably serve as a more important check on the executive than even the courts or Congress.

[snip]

And, it turns out, tech companies also need to be able to promise confidentiality. Customers of Internet services or cloud computing storage programs, for example, expect and need to be certain that their messages and stored data will be private. Snowden’s revelations that the NSA has been collecting vast amounts of computer data, and has exploited vulnerabilities in corporate encryption programs, have caused many to lose confidence in the security of American tech companies in particular.

Cole describes the great costs out-of-control surveillance imposes on journalists, lawyers, and cloud providers, and implies we cannot wait to reverse those costs.

Then he embraces a bill that would not protect journalists’ conversations with whistleblowers (Leahy’s Freedom still permits the traditional access of metadata for counterintelligence purposes as well as the Internet dragnet conducted overseas) or alleged terrorists, would not protect lawyers’ discussions with their clients (the known attorney-client protected collections happened under traditional FISA, EO 12333, and possibly Section 702, none of which get changed in this bill), and would expose American companies’ clouds even further to assisted government access under the new Call Detail Record provision.

Cole does admit the bill does not address Section 702; he doesn’t mention EO 12333 at all, even though both the HRW and NAF reports did.

Senator Leahy’s bill is not a cure-all. It is primarily addressed to the collection of data within the United States, and does little to reform Section 702, the statute that authorizes the PRISM program and allows the government to collect the content of electronic communications of noncitizens abroad, even if they are communicating with US citizens here. And it says nothing about the NSA’s deeply troubling practice of inserting vulnerabilities into encryption programs that can be exploited by any hacker. It won’t, therefore, solve all the problems that the HRW and New American Foundation reports identify. But it would mark an important and consequential first step.

But he doesn’t admit the bill does little to address the specific sources of the costs identified in the two reports. It’s not a minute too soon to address these costs, he says, but then embraces a bill that doesn’t really address the actual sources of the costs identified in the reports.

That is mostly besides the point of whether Leahy’s bill is a fair apples-to-oranges trade-off with the status quo as to represent an improvement — an answer to which I can’t yet give, given some of the obvious unanswered questions about the bill. It is, however, a testament to how some of its supporters are overselling this bill and with it anyone’s ability to rein in the intelligence community.

But it’s one testament to that that bugs me most about Cole’s column. As I noted, he does mention Leahy’s failure to do anything about Section 702. Nowhere in his discussion of 702, however, does he mention that it permits warrantless access to Americans’ content, one which FBI uses when conducting mere assessments of Americans. Which of course means Cole doesn’t mention the most inexcusable part of the bill — its exemption on already soft reporting requirements to provide the numbers for how many Americans get exposed to these back door searches.

I’m not a fancy Georgetown lawyer, but I strongly believe the back door searches — conducted as they are with no notice to anyone ultimately prosecuted based off such information — are illegal, and probably unconstitutional. When retired DC Circuit Court judge Patricia Wald raised these problems with the practice, Director of National Intelligence Counsel Bob Litt simply said it would be “impracticable” to add greater oversight to back door searches. And in spite of the fact that both the President’s Review Group and PCLOB advised significant controls on this practice (which implicates the costs identified in both the HRW and NAF reports), the version of USA Freedom Act crafted by the head of the Senate Judiciary Committee — the Committee that’s supposed to ensure the government follows the law — not only doesn’t rein in the practice, but it exempts the most egregious part of the practice from the transparency applauded by people like Cole, thereby tacitly endorsing the worst part of the practice.

And all that’s before you consider that the IC also conducts back door searches of EO 12333 collected information — as first reported by me, but recently largely confirmed by John Napier Tye. And before you consider the IC’s explicit threat — issued during the passage of the Protect America Act — that if they don’t like any regulation Congress passes, they’ll just move the program to EO 12333.

The point is, Congress can’t rein in the IC, and that’s only partly because (what I expect drives the Senate’s unwillingness to deal with back door searches) many members of Congress choose not to. The have not asserted their authority over the IC, up to and including insisting that the protections for US persons under FISA Amendments Act actually get delivered.

In response to the news that Brennan’s spies had been spying on its Senate overseers, Patrick Leahy (who of course got targeted during the original PATRIOT debate with a terrorist anthrax attack) issued a statement insisting on the importance of Congressional oversight.

Congressional oversight of the executive branch, without fear of interference or intimidation, is fundamental to our Nation’s founding principle of the separation of powers.

Yet his bill — which is definitely an improvement over USA Freedumber but not clearly, in my opinion, an improvement on the status quo — tacitly endorses the notion that FBI can conduct warrantless searches on US person communications without even having real basis for an investigation.

That’s not reining in the spies. That’s blessing them.

Did ACLU and EFF Just Help the NSA Get Inside Your Smart Phone?

/10 Comments/in /by

EFF ACLUThe ACLU and EFF normally do great work defending the Fourth Amendment. Both have fought the government’s expansive spying for years. Both have fought hard to require the government obtain a warrant before accessing your computer, cell phone, and location data.

But earlier this week, they may have taken action that directly undermines that good work.

On Wednesday, both civil liberties organizations joined in a letter supporting Patrick Leahy’s version of USA Freedom Act, calling it a necessary first step.

We support S. 2685 as an important first step toward necessary comprehensive surveillance reform. We urge the Senate and the House to pass it quickly, and without
making any amendments that would weaken the important changes described above.

ACLU’s Laura Murphy explained why ACLU signed onto the bill in a column at Politico, analogizing it to when, in 2010, ACLU signed onto a bill that lowered, but did not eliminate,  disparities in crack sentencing.

Reform advocates were at a crossroads. Maximalists urged opposition despite the fact the bill would, in a very real way, make life better for thousands of people and begin to reduce the severe racial and ethnic inequality in our prison system. Pragmatists, fearing that opposition to the bill would preclude any reform at all, urged support.

It was a painful compromise, but the ACLU ultimately supported the bill. It passed, astoundingly, with overwhelming support in both chambers.

And then something amazing happened. Conservative lawmakers, concerned about government waste, increasingly came to the table to support criminal justice reform. Liberals realized they could vote their conscience on criminal justice without accusations of being “soft on crime.” It has not been easy and there have been many steps backward, but in recent years, we’ve seen greater public opposition to mandatory minimum sentences and real movement on things like reducing penalties for low-level drug offenses.

The analogy is inapt. You don’t end crack disparities by increasing the number of coke dealers in jail. But Leahy’s USA Freedom Act almost certainly will increase the number of totally innocent Americans who will be subjected to the full brunt of NSA’s analytical authorities indefinitely.

That’s because by outsourcing to telecoms, NSA will actually increase the total percentage of Americans’ telephone records that get chained on; sources say it will be more “comprehensive” than the current dragnet and Deputy NSA Director Richard Ledgett agrees the “the actual universe of potential calls that could be queried against is [potentially] dramatically larger.” In addition, the telecoms are unlikely to be able to remove all the noisy numbers like pizza joints — as NSA currently claims to — meaning more people with completely accidental phone ties to suspects will get sucked in. And USA Freedom adopts a standard for data retention — foreign intelligence purpose — that has proven meaningless in the past, so once a person’s phone number gets turned over to the NSA, they’ll be fair game for further NSA spying, the really invasive stuff, indefinitely.

But that’s not the reason I find ACLU and EFF’s early support for USA Freedom so astounding.

I’m shocked ACLU and EFF are supporting this bill because they don’t know what the NSA will be permitted to do at the immunized telecoms. They have blindly signed onto a bill permitting “connection chaining” without first understanding what connection chaining entails.

As I have reported extensively, while every witness who has talked about the phone dragnet has talked about chaining on phone calls made — all the calls Anwar al-Awlaki made, all the calls those people made — the language describing this chaining process has actually been evolving. Dianne Feinstein’s Fake FISA Fix last fall allowed the NSA to chain on actual calls — as witnesses had described — but also on communications (not just calls) “to or from any selector reasonably linked to the selector.” A February modification and the last two dragnet orders permitted NSA to chain on identifiers “with a contact and/or connection” with the seed, making it clear that a “connection” is something different than a “contact.” The House bill USA Freedumber adopted the same language in a legislative report. Leahy’s bill adopts largely the same language for chaining.

(iii) provide that the Government may require the prompt production of call detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and

(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;

Now, it’s possible that this language does nothing more than what NSA illegally did until 2009: chain on both the identifier itself, but also on identifiers it has determined to be the same person. Back in 2009, NSA referred to a separate database to determine these other identifiers. Though that’s unlikely, because the bill language suggests the telecoms will be identifying these direct connections.

It’s possible, too, that this language only permits the telecoms to find “burner” phones — a new phone someone adopts after having disposed of an earlier one — and chain on that too.

But it’s also possible that this language would permit precisely what AT&T does for DEA in its directly analogous Hemisphere program: conduct analysis using cell site data. The bill does not permit NSA to receive cell site data, but it does nothing to prohibit NSA from receiving phone numbers identified using cell site data. When Mark Warner asked about this, Ledgett did not answer, and James Cole admitted they could use these orders (with FISC approval) to get access to cell location.

It’s possible, too, that the telecoms will identify direct connections using other data we know NSA uses to identify connections in EO 12333 data, including phone book and calendar data.

The point is, nobody in the public knows what “connections” NSA will be asking its immunized telecom partners to make. And nothing in the bill or even the public record prohibits NSA from asking telecoms to use a range of smart phone information to conduct their analysis, so long as they only give NSA phone identifiers as a result.

In response to questions from Senators about what this means, Leahy’s office promised a letter from James Clapper’s office clarifying what “connections” means (No, I don’t remember the part of Schoolhouse Rock where those regulated by laws get to provide “clarifications” that don’t make it into the laws themselves). That letter was reported to be due on Tuesday, by close of business — several days ago. It hasn’t appeared yet.

I asked people at both EFF and ACLU about this problem. EFF admitted they don’t know what this language means. ACLU calls the language “ambiguous,” but based on nothing they were able to convey to me, insists getting smart phone data under the guise of connection chaining would be an abuse. ACLU also pointed to transparency provisions in the bill, claiming that would alert us if the NSA starting doing something funky with its connection language; that of course ignores that “connection chaining” is an already-approved process, meaning that existing processes won’t ever be need to be released. It also ignores that the Administration has withheld what is probably a directly relevant phone dragnet opinion from both ACLU and EFF in their dragnet FOIA.

I get Laura Murphy’s point about using USA Freedom to start the process of reform. But what I don’t understand is why you’d do that having absolutely no idea whether that “reform” codifies the kind of warrantless probable cause-free access to device data that ACLU and EFF have fought so hard to prevent elsewhere.

ACLU and EFF are supposed to be leaders in protecting the privacy of our devices, including smart phones. I worry with their embrace of this bill, they’re leading NSA right into our smart phones.

Microsoft’s Very Public Spat in the Cloud

/9 Comments/in /by

A few weeks back, I did a Salon piece laying out how both the US and UK were claiming they can demand data stored in a cloud in any country. The UK is doing that with their new DRIP law, which will increase their ability to demand data from companies within and outside of the UK. The US is doing that by serving warrants on US companies for data stored in their clouds overseas.

The next battle in the latter war will take place on Thursday, at a hearing in NYC. In anticipation, Microsoft’s counsel Brad Smith wrote a WSJ op-ed to make the spat good and public. Here’s how he describes the government’s efforts to use Third Party doctrine to get around border limits on warrants.

Microsoft believes you own emails stored in the cloud, and that they have the same privacy protection as paper letters sent by mail. This means, in our view, that the U.S. government can obtain emails only subject to the full legal protections of the Constitution’s Fourth Amendment. It means, in this case, that the U.S. government must have a warrant. But under well-established case law, a search warrant cannot reach beyond U.S. shores.

The government seeks to sidestep these rules, asserting that emails you store in the cloud cease to belong exclusively to you. In court filings, it argues that your emails become the business records of a cloud provider. Because business records have a lower level of legal protection, the government claims that it can use its broader authority to reach emails stored anywhere in the world.

Courts have long recognized the distinction between a company’s business records and an individual’s personal communications. For example, the government can serve a subpoena on UPS to disclose business records that show where a customer shipped packages, but it must establish probable cause and get a warrant from a judge to look at what a customer put inside.

[snip]

Microsoft believes the higher legal protection for personal conversations should be preserved for new forms of digital communication, such as emails or text and instant messaging.

This is a battle about cloud storage. But it’s also a proxy war for questions of how the government conducts its more secret surveillance — as well as a very public show of opposing the government’s more expansive claims (the amici in this case include other companies — like AT&T — that have never complained about the government’s surveillance requests but that have good reason to make a good show of complaining here).

Which makes it interesting that Microsoft is so aggressively reaching out to the public.

 

A Good Idea that May Backfire: FISCR Fast Track

/in /by

I’ve written several posts about Leahy’s USA Freedom already. To recap:

  • The bill is definitely an improvement off of USA Freedumber, though it retains “connection” chaining language I’m seriously concerned about
  • The bill permits the government to collect “bulky” collections in at least two ways: the use of IP addresses and non-individual persons (aka corporations)
  • The bill inexplicably exempts the FBI from reporting requirements on back door searches

My last new concern about the bill pertains to a measure that means well, but might backfire.

The bill includes language designed to provide for appeals of significant issues, first to the FISA Court of Review, and then to SCOTUS.

(j) REVIEW OF FISA COURT DECISIONS.—After issuing an order, a court established under subsection (a) shall certify for review to the court established under subsection (b) any question of law that the court determines warrants such review because of a need for uniformity or because consideration by the court established under subsection (b) would serve the interests of justice. Upon certification of a question of law under this paragraph, the court established under subsection (b) may give binding instructions or require the entire record to be sent up for decision of the entire matter in controversy.

(k) REVIEW OF FISA COURT OF REVIEW DECISIONS.—

(1) CERTIFICATION.—For any decision issued by the court of review established under subsection (b) approving, in whole or in part, an application by the Government under this Act, such court may certify at any time, including after a decision, a question of law to be reviewed by the Supreme Court of the United States.

(2) SPECIAL ADVOCATE BRIEFING.—Upon certification of an application under paragraph (1), the court of review established under subsection (b) may designate a special advocate to provide briefing as prescribed by the Supreme Court.

(3) REVIEW.—The Supreme Court may review any question of law certified under paragraph (1) by the court of review established under subsection (b) in the same manner as the Supreme Court reviews questions certified under section 1254(2) of title 28, United States Code.

That is, it provides a way for FISC to ask FISCR to review their work, and for FISCR to ask SCOTUS to review their work.

To some degree, the more eyes that look at these novel decisions, the better.

But neither the FISCR review nor the SCOTUS review requires even the Special Advocate. While FISCR has, in the past, permitted amici, they (and Yahoo, in the case where Yahoo appealed FISC’s 2007 recision on Protect America Act) were shooting in the dark. the new advocate, such as it exists, would be able to argue before FISCR if the court wanted it.

So to a significant extent that would result in the same people (the government and the Court’s permanent staff, on one side, and the unproven advocate on the other) arguing the same issue over and over. with the courts themselves choosing to have their own decisions certified by the higher courts.

With the potential result that you’d have appellate decisions or even a SCOTUS instruction without ever giving a real adversary a shot at the issue. If FISC responded to the phone dragnet question before the way they have since Snowden leaked details of it, they would have gotten it certified to confirm their authority.

One addition to Leahy’s bill could exacerbate that. His bill requires the FISC to consult with PCLOB on appointees as  Advocates. With today’s PCLOB, that’d be a good thing. But if Republicans win back the Senate — especially if Mitch McConnell retains his seat — you’d see another PCLOB member the likes of Elisabeth Collins Cook and Rachel Brand. Both are really smart. But both were architects of the surveillance regime while serving as DOJ Policy AAGs. Add a third of that ilk, and PCLOB could load up the Advocates corp with people like Steven Bradbury.

Moreover, for the foreseeable future, Justice John Roberts will be handpicking these judges, which doesn’t give me a lot of confidence.

I just think the Advocate system is unproven right now. It may work out, it may be gamed to reinforce the dysfunction of the court. And the record of the FISCR — especially Laurence Silberman’s efforts to rule FISA illegal in 2002 — give me no confidence this kind of self-appeal would do anything but sanction bad decisions.

Mind you, the Leahy bill also permits the government to go on denying aggrieved people of review of Section 215 collection, so it’s not clearly anyone else will get standing to challenge this program in particular.

But it seems like the FISC system is so dysfunctional, there’s no reason to pre-empt the possibility of real adversarial court function.

Update: Orin Kerr thinks this is unconstitutional.