Leahy USA Freedom’s Bulky Corporate Persons

/5 Comments/in /by

As I said in my post the other day, the definition of Specific Selection Term in the Leahy version of USA Freedom addresses almost all my concerns about bulk collection under USA Freedom Act.

But not all of them.

I have two concerns.

First, some background. The bill actually uses two definitions of “specific selection term.” The definition as it applies to traditional Section 215, PRTT, and NSL collection is,

(i) means a term that specifically identifies a person, account, address, or personal device, or another specific identifier, that is used by the Government to narrowly limit the scope of tangible things sought to the greatest extent reasonably practicable, consistent with the purpose for seeking the tangible things; and [my emphasis]

It defines “address” this way:

ADDRESS.—The term ‘address’ means a physical address or electronic address, such as an electronic mail address, temporarily assigned network address, or Internet protocol address.

That’s my first concern. IP addresses can represent entire companies. And who knows what the NSA might consider “temporarily assigned network addresses”?

Then there’s the difference between that definition of “specific selection term” and the more narrow one used with the prospective contact chaining at telecoms, which is:

CALL DETAIL RECORD APPLICATIONS.—For purposes of an application submitted under subsection (b)(2)(C), the term ‘specific selection term’ means a term that specifically identifies an individual, account, or personal device. [my emphasis]

You’ll note the bill targets “individual” for its contact chaining, but “person” for the rest of Section 215 collection. The obvious reason to do that is if you’re collecting on an entire corporate person, like Western Union (which WSJ and NYT reported CIA uses Section 215 to collect on).

The bill does include limits on what kinds of corporate persons can be collected. The bill explicitly prohibits using electronic communication service providers and cloud providers as specific selection terms, unless they are being investigated.

(II) a term identifying an electronic communication service provider (as that term is defined in section 701) or a provider of remote computing service (as that term is defined  in section 2711 of title 18, United States Code), when not used as part of a specific identifier as described in clause (i), unless the provider is itself a subject of an authorized investigation for which the specific selection term is used as the basis of production.

That still seems to leave a whole slew of corporate persons who can be the selection term for collection.

The bill limits that collection in another way, through minimization procedures.

‘(C) for orders in which the specific selection term does not specifically identify an individual, account, or personal device, procedures that prohibit the dissemination, and require the destruction within a reasonable time period (which time period shall be specified in the order), of any tangible thing or information therein that has not been determined to relate to a person who is—

(i) a subject of an authorized investigation;

(ii) a foreign power or a suspected agent of a foreign power;

(iii) reasonably likely to have information about the activities of—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation; or

(iv) in contact with or known to—

(I) a subject of an authorized investigation; or

(II) a suspected agent of a foreign power who is associated with a subject of an authorized investigation,

unless the tangible thing or information therein indicates a threat of death or serious bodily harm to any person or is disseminated to another element of the intelligence community for the sole purpose of determining whether the tangible thing or information therein relates to a person who is described in clause (i), (ii), (iii),  or (iv)

This language is almost certainly not new — as CDT’s otherwise decent analysis suggests. We know the FISC has been modifying orders more and more in recent years. We don’t know — we have to rely on Congress, blindly — whether these minimization procedures are more strict or (likely, because other parts of this bill are) less restrictive than what the FISC itself has been imposing.

But even the existence of this language — and the differential use of “person” and “individual” — makes it clear the bill still permits the bulk collection of data. It just requires the agency in question to purge the data … sometime.

The question is whether this “agency protocol” — what Chief Justice John Roberts said was not enough to protect Americans’ privacy — is sufficient to protect Americans’ privacy.

I don’t think it is.

First, it doesn’t specify how long the NSA and FBI and CIA can keep and sort through these corporate records (or what methods it can use to do so, which may themselves be very invasive).

It also permits the retention of data that gets pretty attenuated from actual targets of investigation: agents of foreign powers that might have information on subjects of investigation and people “in contact with or known to” suspected agents associated with a subject of an investigation.

Known to?!?! Hell, Barack Obama is known to all those people. Is it okay to keep his data under these procedures?

Also remember that the government has secretly redefined “threat of death or serious bodily harm” to include “threats to property,” which could be Intellectual Property.

So CIA could (at least under this law — again, we have no idea what the actual FISC orders this is based off of) keep 5 years of Western Union money transfer data until it has contact chained 3 degrees out from the subject of an investigation or any new subjects of investigation it has identified in the interim.

In other words, probably no different and potentially more lenient than what it does now.

Leahy Freedom Act Exempts FBI from Counting Its Back Door Searches

/2 Comments/in /by

As I said in my post last night, Pat Leahy’s version of USA Freedom Act is a significant improvement over USA Freedumber, the watered down House version. But it includes language that no one I’ve met has been able to explain. I believe it may permit the NSA to have its immunized telecom providers contact chain on (at least) location, and possibly worse. Thus, it may well be everyone applauding the bill — including privacy NGOs — are applauding increased use of techniques like location spying even as judges around the country are deeming such spying unconstitutional. I strongly believe this bill may expand the universe of US persons who will be thrown into the corporate store indefinitely, to be subjected to the full brunt of NSA’s analytical might.

But that’s not the part of the bill that disturbs me the most. It’s this language:

‘(3) FEDERAL BUREAU OF INVESTIGATION.—

Subparagraphs (B)(iv), (B)(v), (D)(iii), (E)(iii), and (E)(iv) of paragraph (1) of subsection (b) shall not apply to information or records held by, or queries conducted by, the Federal Bureau of Investigation.

The language refers, in part,  to requirements that the government report to Congress:

(B) the total number of orders issued pursuant to section 702 and a good faith estimate of—

(iv) the number of search terms that included information concerning a United States person that were used to query any database of the contents of electronic communications or wire communications obtained through the use of an order issued pursuant to section 702; and

(v) the number of search queries initiated by an officer, employee, or agent of the United States whose search terms included information concerning a United States person in any database of noncontents information relating to electronic communications or wire communications that were obtained through the use of an order issued pursuant to section 702;

These are back door searches on US person identifiers of Section 702 collected data — both content (iv) and metadata (v).

In other words, after having required the government to report how many back door searches of US person data it conducts, the bill then exempts the FBI.

The FBI — the one agency whose use of such data can actually result in a prosecution of the US person in question.

We already know the government has not provided all defendants caught using 702 data notice. And yet, having recognized the need to start counting how many Americans get caught in back door searches, Patrick Leahy has decided to exempt the agency that uses back door searches the most.

And if they’re not giving defendants notice (and they’re not), then this is an illegal use of Section 702.

There is no reason to exempt the FBI for this. On the contrary, if we’re going to count back door searches on US persons, the first place we should start counting is at FBI, where it likely matters most. But the Chair of the Senate Judiciary Committee has decided it’s a good idea to exempt precisely those back door searches from reporting requirements.

 

Improved USA Freedom Retains “Connection” Chaining and “Foreign Intelligence” Retention

/3 Comments/in /by

Thanks to this NYT editorial, everyone is talking about Patrick Leahy’s version of USA Freedom, which he will introduce tomorrow.

Given what I’ve heard, my impression is the editorial is correct that Leahy’s bill is a significant improvement off of USA Freedumber.

That’s not saying much.

It tightens the definition for Specific Selection Term significantly (though there may still be limited cause for concern).

It improves the FISA Advocate (but not necessarily enough that it would be meaningful).

It improves transparency (but there’s one aspect of “improved” transparency that actually disturbs me significantly).

It pretends to fix concerns I had about the PRTT minimization, but I don’t think it succeeds.

Still, an improvement off of the USA Freedumber.

I’m not convinced that makes it an acceptable improvement off of the status quo (especially the status quo requiring court approval for each seed). That’s because — from what I’ve heard — Leahy’s bill retains the language from USA Freedumber on contact chaining, which reads,

(iii) provide that the Government may require the prompt production of call detail records—

(I) using the specific selection term that satisfies the standard required under subsection (b)(2)(C)(ii) as the basis for production; and

(II) using call detail records with a direct connection to such specific selection term as the basis for production of a second set of call detail records;

Now, I have no idea what this language means, and no one I’ve talked to outside of the intelligence committees does either. It might just mean they will do the same contact chaining they do now, but if it does, why adopt this obscure language? It may just mean they will correlate identities, and do contact chaining off all the burner phones their algorithms say are the same people, but nothing more, but if so, isn’t there clearer language to indicate that (and limit it to that)?

But we know in the equivalent program for DEA — Hemisphere — the government uses location to chain people. So to argue this doesn’t include location chaining, you’d have to argue that NSA is satisfied with less than DEA gets and explain why the language of this bill specifically prohibits it. (The bill — as USA Freedumber before it did — requires NSA to use Call Detail Records at each step; that may or may not impose such limits.)

I remain concerned, too, that such obscure language would permit the contact chaining on phone books and calendars, both things we know NSA obtains overseas, both things NSA might have access to through their newly immunized telecom partners.

In addition, Leahy’s bill keeps USA Freedumber’s retention language tied to Foreign Intelligence purpose, allowing the NSA to keep all records that might have a foreign intelligence purpose.

Why, after having read PCLOB’s 702 report stating that, “when an NSA analyst recognizes that [a communication] involves a U.S. person and determines that it clearly is not relevant to foreign intelligence or evidence of a crime,” destruction of it, which is required by the law, “rarely happens,” would anyone applaud a Section 215 bill that effectively expands retention using that very same utterly meaningless “foreign intelligence” language? And with it may expand the permitted dissemination of such data?

The bill is definitely an improvement over USA Freedumber. But until someone explains what that connection chaining language does — and includes limiting language to make sure that’s all it will ever do — I have no way of knowing whether Leahy’s bill is better than the status quo. As it is, however, it is certainly conceivable Leahy’s bill will result in more innocent Americans ending up in the corporate store.

(I may have two more new concerns about Leahy’s bill, but I’ll hold those until I see what precise language the bill uses for them.)

NSA’s Disingenuous Claims about EO 12333 and the First Amendment

/5 Comments/in , /by

SIGINT and 215Thanks to John Napier Tye’s Sunday op-ed, some surveillance watchers are just now discovering EO 12333, which I’ve written some 50 posts about over the last year.

Back in January, I focused on one of the most alarming disclosures of the 2009 phone dragnet problems, that 3,000 presumed US person identifiers were on an alert list checked against each day’s incoming phone dragnet data. That problem — indeed, many of the problems reported at the beginning of 2009 — arose because the NSA dumped their Section 215 phone dragnet data in with all the rest of their metadata, starting at least as early as January 4, 2008. It took at least the better part of 2009 for the government to start tagging data, so the NSA could keep data collected under different authorities straight, though once they did that, NSA trained analysts to use those tags to bypass the more stringent oversight of Section 215.

One thing that episode revealed is that US person data gets collected under EO 12333 (that’s how those 3,000 identifiers got on the alert list), and there’s redundancy between Section 215 and EO 12333. That makes sense, as the metadata tied to the US side of foreign calls would be collected on collection overseas, but it’s a detail that has eluded some of the journalists making claims about the scope of phone dragnet.

Since I wrote that early January post, I’ve been meaning to return to a remarkable exchange from the early 2009 documents between FISC Judge Reggie Walton and the government. In his order for more briefing, Walton raised questions about tasking under NSA’s SIGNIT (that is, EO 12333) authority.

The preliminary notice from DOJ states that the alert list includes telephone identifiers that have been tasked for collection in accordance with NSA’s SIGINT authority. What standard is applied for tasking telephone identifiers under NSA’s SIGINT authority? Does NSA, pursuant to its SIGINT authority, task telephone identifiers associated with United States persons? If so, does NSA limit such identifiers to those that were not selected solely upon the basis of First Amendment protected activities?

The question reveals how little Walton — who had already made the key judgments on the Protect America Act program 2 years earlier — knew about EO 12333 authority.

I’ve put NSA’s complete response below the rule (remember “Business Records” in this context is the Section 215 phone dragnet authority). But basically, the NSA responded,

  • Even though the alert list included IDs that had not been assessed or did not meet Reasonable Articulable Suspicion of a tie to one of the approved terrorist groups, they at least had to have foreign intelligence value. And occasionally NSA’s counterterrorism people purge the list of non-CT IDs.
  • Usually, NSA can only task (a form of targeting!) a US person under a FISA authority.
  • Under EO 12333 and other related authorities, NSA can collect SIGINT information for foreign and counterintelligence purposes; its collection, retention, and dissemination of US person is governed by Department of Defense Regulation 5240.1-R and a classified annex. (see page 45 for the unclassified part of this)
  • Since 2008, if the NSA wants to target a US person overseas they need to get and comply with a FISA order.
  • NSA provides First Amendment protection in two ways — first, by training analysts to spy “with full consideration of the rights of United States persons.”
  • NSA provides First Amendment protection under EO 12333 by prohibiting NSA “from collecting or disseminating information concerning US persons’ ‘domestic activities’ which are defined as ‘activities that take place in the domestic United States that do not involve a significant connection to a foreign power, organization, or person.'”

The First Amendment claims in the last two bullets are pretty weak tea, as they don’t actually address First Amendment issues and contact chaining is, after all, chaining on associations.

That’s all the more true given what we know had already been approved by DOJ. In the last months of 2007, they approved the contact chaining through US person identifiers of already-collected data (including FISA data). They did so by modifying DOD 5240.1 and its classified annex so as to treat what they defined (very broadly) as metadata as something other than interception.

The current DOD procedures and their Classified Annex may be read to restrict NSA’s ability to conduct the desired communications metadata analysis, at least with respect to metadata associated with United States persons. In particular, this analysis may fall within the procedures’ definition of, and thus restrictions on, the “interception” and “selection” of communications. Accordingly, the Supplemental Procedures that would govern NSA’s analysis of communications metadata expressly state that the DOD Procedures and the Classified Annex do not apply to the analysis of communications metadata. Specifically, the Supplemental Procedures would clarify that “contact chaining and other metadata analysis do not qualify as the ‘interception’ or ‘selection’ of communications, nor do they qualify as ‘us[ing] a selection term,’ including using a selection term ‘intended to intercept a communication on the basis of. .. [some] aspect of the content of the communication.” Once approved, the Supplemental Procedures will clarify that the communications metadata analysis the NSA wishes to conduct is not restricted by the DOD procedures and their Classified Annex.

Michael Mukasey approved that plan just as NSA was dumping all the Section 215 data in with EO 12333 data at the beginning of 2008 (though they did not really roll it out across the NSA until later in 2009).

Nowhere in the government’s self-approval of this alternate contact chaining do they mention First Amendment considerations (or even the domestic activities language included in their filing to Walton). And in the rollout, they explicitly permitted starting chains with identifiers of any nationality (therefore presumably including US person) and approved the use of such contact chaining for purposes other than counterterrorism. More importantly, they expanded the analytical function beyond simple contact chaining, including location chaining.

All with no apparent discussion of the concerns a FISC judge expressed when data from EO 12333 had spoiled Section 215 data.

We will, I expect, finally start discussing how NSA has been using EO 12333 authorities — and how they’ve represented their overlap with FISA authorized collection. This discussion is an important place to start. Read more

Fact-Checking 9/11 Anniversary Report on Info and Dragnets with 9/11 Report

/4 Comments/in , , , /by

In Salon, I point out something funny about the report released on Tuesday to mark the 10 year anniversary of the release of the 9/11 Commission report. The report says we must fight the “creeping tide of complacency.” But then it says the government has done almost everything the 9/11 Commission said it should do.

There is a “creeping tide of complacency,” the members of the 9/11 Commission warned in a report released on Tuesday, the 10-year anniversary of the release of their original report. That complacency extends not just to terrorism. “On issue after issue — the resurgence and transformation of al Qaeda, Syria, the cyber threat — public awareness lags behind official Washington’s.” To combat that “creeping tide of complacency,” the report argues, the government must explain “the evil that [is] stalking us.”

Meanwhile, the commissioners appear unconcerned about complacency with climate change or economic decline.

All that fear-mongering is odd, given the report’s general assessment of counterterrorism efforts made in the last decade. “The government’s record in counterterrorism is good,” the report judged, and “our capabilities are much improved.”

If the government has done a good job of implementing the 9/11 Commission recommendations but the terror threat is an order of magnitude worse now, as the report claims, then those recommendations were not sufficient to addressing the problem. Or perhaps the 13 top security officials whom the Commission interviewed did a slew of other things — like destabilizing Syria and Libya — that have undermined the apparatus of counterterrorism recommended by the original 9/11 Commission?

Which is a polite way of saying the 10-year report is unsatisfying on many fronts, opting for fear-mongering than another measured assessment about what we need to do to protect against terrorism.

Perhaps that’s because, rather than conduct the public hearings with middle-level experts, as it boasted it had done in the original report, it instead privately interviewed just the people who’ve been in charge for the last 10 years, all of whom have a stake in fear and budgets and several of whom now have a stake in profiting off fear-mongering?

Suffice it to say I’m unimpressed with the report.

Which brings me to this really odd detail about it.

The report takes a squishy approach to Edward Snowden’s leaks. It condemns his and Chelsea Manning’s leaks and suggests they may hinder information sharing. It also suggests Snowden’s leaks may be impeding recruiting for cybersecurity positions.

But it also acknowledges that Snowden’s leaks have been important to raising concerns about civil liberties — resulting in President Obama’s decision to impose limits on the Section 215 phone dragnet.

Since 2004, when we issued the report, the public has become markedly more engaged in the debate over the balance between civil liberties and national security. In the mid-2000s, news reports about the National Security Agency’s surveillance programs caused only a slight public stir. That changed with last year’s leaks by Edward Snowden, an NSA contractor who stole 1.7 million pages of classified material. Documents taken by Snowden and given to the media revealed NSA data collection far more widespread than had been popularly understood. Some reports exaggerated the scale of the programs. While the government explained that the NSA’s programs were overseen by Congress and the courts, the scale of the data collection has alarmed the public.

[snip]

[I]n March, the President announced plans to replace the NSA telephone metadata program with a more limited program of specific court-approved searches of call records held by private carriers. This remains a matter of contention with some intelligence professionals, who expressed to us a fear that these restrictions might hinder U.S. counterterrorism efforts in urgent situations where speedy investigation is critical.

Having just raised the phone dragnet changes, the report goes on to argue “these programs” — which in context would include the phone dragnet — should be preserved.

We believe these programs are worth preserving, albeit with additional oversight. Every current or former senior official with whom we spoke told us that the terrorist and cyber threats to the United States are more dangerous today than they were a few years ago. And senior officials explained to us, in clear terms, what authorities they would need to address those threats. Their case is persuasive, and we encountered general agreement about what needs to be done.

Senior leaders must now make this case to the public. The President must lead the government in an ongoing effort to explain to the American people—in specific terms, not generalities—why these programs are critical to the nation’s security. If the American people hear what we have heard in recent months, about the urgent threat and the ways in which data collection is used to counter it, we believe that they will be supportive. If these programs are as important as we believe they are, it is worth making the effort to build a more solid foundation in public opinion to ensure their preservation.

This discussion directly introduces a bizarre rewriting of the original 9/11 Report.

Given how often the government has falsely claimed that we need the phone dragnet because it closes a gap that let Khalid al-Midhar escape you’d think the 9/11 Commission might use this moment to reiterate the record, which shows that the government had the information it needed to discover the hijacker was in the US.

Nope.

It does, however, raise a very closely related issue: the FBI’s failure to discover Nawaf al Hazmi’s identity. Read more

David Medine’s PCLOB Defense

/2 Comments/in /by

Today, David Medine attempts to answer (most) of the questions Jennifer Granick argues weren’t answered in the Privacy and Civil Liberties Oversight Board’s report on Section 702. Here’s my summary of how he does so:

Screen shot 2014-07-22 at 9.15.15 AM

Even while Medine “challenges” Granick’s assessment that her questions weren’t answered, he admits “Professor Granick may not find that all of her questions have been fully answered.”

And that’s clear from my summary: for classification reasons, PCLOB didn’t answer the questions about volume of US person communications collected (question 1) or the kinds of selectors used (question 5), and only hinted at an answer to whether NSA had direct access to providers’ networks (question 2). As I’ve suggested, even with the 100 new pieces of data PCLOB got declassified, their subjection to obviously bogus government classification claims discredits their report.

The most useful response Medine provides Granick — though not for what it says about the underlying question — is to inform us that buddy lists and a bunch of other things are treated as communications.


  1. “Do intelligence agencies minimize address books, buddy lists, stored documents, system backups and/or other electronic transmissions where there is no human being on the received end of the transmission as “communications” under the minimization procedures? Or are those fair game?”

The report answers this question directly: “Everything that is collected under Section 702 is treated as a ‘communication’ and therefore is protected by the applicable minimization procedures.” PCLOB report at p. 127 n. 524. As explained elsewhere in the report, the statute itself “requires that all acquired data be subject to minimization procedures.” PCLOB report at p. 50 (emphasis added).

In a sense, Granick’s original question was overtaken by events when it was confirmed — both in the WaPo’s analysis of 702 collected data and in PCLOB — that minimization doesn’t work as mandated by law (though PCLOB seems relatively untroubled by that). Sure, US person names in an address book will be masked, but they won’t be destroyed because they have no foreign intelligence value. So even US person names in buddy lists will be available for analysis.

But Medine’s answer — emphasizing that “everything .. is treated as ‘communication'” — is important for his answer regarding what the government uses for upstream selectors. Read more

Dick Durbin’s Obscure Transparency Bid

/1 Comment/in /by

Steven Aftergood notes that the Senate Appropriations Committee has included a reporting requirement on NSA on its “bulk collection” programs.

That’s all well and good, if the language isn’t stripped before final passage. But there are a couple of limits to the language.

First, the reporting requirements on Section 215 only go back to 2009.

For the last 5 years, on an annual basis, the number of records acquired by NSA as part of the bulk telephone metadata program authorized by the Foreign Intelligence Surveillance Court, pursuant to section 215 of the USA PATRIOT Act, and the number of such records that have been reviewed by NSA personnel in response to a query of such records;

Of course, the program changed significantly in 2009; the collection scope may have narrowed at that point. And many of the abuses were ended in that year.

And there are two problems with the requirement to provide a list of all “bulk collection” programs.

A report, unclassified to the greatest extent possible, and with a classified annex if necessary, describing all NSA bulk collection activities, including when such activities began, the cost of such activities, what types of records have been collected in the past, what types of records are currently being collected, and any plans for future bulk collection.

We know the intelligence community only includes programs that use no discriminator as “bulk collection.” So the report would list what the IC considers bulk collection, not what normal human beings do.

In addition, only NSA would have to report its bulk programs. We know, for example, that the FBI has a Pen Register program that presumably involves some bulk. That would not show up in this list.

So, great! Transparency!

But not transparency that will tell us what we need to know.

Edward Snowden’s Smut

/9 Comments/in /by

In an interview with the Guardian published yesterday, Edward Snowden claimed that compromising pictures get shared around NSA.

Made a startling claim that a culture exists within the NSA in which, during surveillance, nude photographs picked up of people in “sexually compromising” situations are routinely passed around.

Boing Boing transcribed his comments on it.

The usual whiners are suggesting Snowden is making this up and demanding proof.

They seem to have forgotten the proof we’ve already seen of NSA officially retaining sexually compromising material. Here’s what Bart Gellman described in a follow-up to WaPo’s recent report on the data collected under Section 702.

Among the large majority of people who are not NSA targets, many of the conversations in our sample are exceedingly private. Often they are very far from publishable, without editing.

Him: “How about you [verb, possessive adjective, noun]

Her: “I [verb] if you [another verb].”

Him: “That can be arranged.”

Her: “I really need punishment.”

Another young woman, also not a target, responds to a suitor who proposes to pay a visit.

Her: “don’t think that would b fair on the guy im seeing”

Him: “you can be a bit naughty at times lol”

Her: “Yeah lol”

The conversation proceeds from there.

This is stuff officially retained by NSA. This is stuff they claim has foreign intelligence value. This is sexually compromising. And Gellman says many of the retained communications are like that.

Sure, I get that NSA wants to contact chain on who’s fucking whom, just as they want to chain on who’s calling whom.  But to do that, they’re retaining smut.

NSA Only Finds 59% of Its Targeting of US Persons

/4 Comments/in /by

This will be a minor point, but one that should be made.

The Privacies and Civil Liberties Oversight Board report on Section 702 included this little detail:

In 2013, the DOJ undertook a review designed to assess how often the foreignness determinations that the NSA made under the targeting procedures as described above turned out to be wrong — i.e., how often the NSA tasked a selector and subsequently realized after receiving collection from the provider that a user of the tasked selector was either a U.S. person or was located in the United States. The DOJ reviewed one year of data and determined that 0.4% of NSA’s targeting decisions resulted in the tasking of a selector that, as of the date of tasking, had a user in the United States or who was a U.S. person. As is discussed in further detail below, data from such taskings in most instances must be purged. The purpose of the review was to identify how often the NSA’s foreignness determinations proved to be incorrect. Therefore, the DOJ’s percentage does not include instances where the NSA correctly determined that a target was located outside the United States, but post-tasking, the target subsequently traveled to the United States.

0.4% of NSA’s targeting decisions falsely determine someone is a foreigner who is in fact a US person.

That’s a pretty low amount. Though based on ODNI’s number — showing 89,138 people were targeted in 2013 — that means 356 US persons get wrongly targeted each year. Again, still not a huge number, but it compares rather interestingly with the 1,144 people targeted under FISA each year. Those wrongly targeted under Section 702 actually make up 24% of those targeted in a year.

Just as interesting is comparing the NSA’s internal audit (see page 6)  with DOJ’s results. For a period presumably covering some of the same time period, NSA discovered 20 US persons tasked (for some reason there was a big increase in this number for the last quarter of the report) and 191 incidences of “other inadvertent” tasking violations, which are described as, “situations where targets were believed to be foreign but who later turn out to be U.S. persons and other incidents that do not fit into the previously identified categories” (my emphasis). Not all of those 191 incidents should be counted as wrongly targeted US persons — the description includes other inadvertent targeting. But even counting them all as such, that means NSA only found 211 of the potential wrongly targeted US persons in a year, while DOJ found 356.

Again, in a country of 310 million people, these numbers are small, particularly as compared to the collection of US person communications under upstream collection, which is thousands of times higher.

But it does say that NSA’s internal reviews don’t find all the Americans who get wrongly targeted.

Correction: I originally mistranscribed DOJ’s number as .o4%–though I had calculated using .4%.

Anonymous Pushback Emphasizes that Surveillance Leads to Informants

/9 Comments/in , /by

I’ve already suggested I suspect the government falsely claimed it didn’t have a a FISA warrant on CAIR’s Executive Director Nihad Awad in an attempt to gain an advantage in EFF’s suit challenging the phone dragnet.

The conflicting denials anonymous officials gave to ABC about the story — with one senior official implying the people the Intercept profiled actually were profiled, but other current and former officials claiming the Intercept may have misunderstood what they were looking at — don’t change that suspicion in the least.

A senior government official said without knowing the underlying probable cause presented to a federal judge from the FISA court in each case, Greenwald and The Intercept cannot know why the e-mails of the purported targets were collected.

As a result, the official said, Greenwald and Snowden cannot know whether the surveillance revealed evidence or intelligence in each case that was incriminating or exculpatory — or whether some targets later cooperated with the FBI. Several officials said it was “irresponsible” to name individuals as surveillance targets when no public court record exists. The identified targets could be guilty or innocent or even cooperating with the government, the officials said.

You don’t know if somebody was later approached to become an informant,” the senior official said. “To the extent any of these people were targets, [The Intercept report] is a serious compromise. And if they weren’t targets, they shouldn’t be named.”

The Intercept said many of the emails on the spreadsheet titled “FISA Recap,” which they said Snowden provided, “appear to belong to foreigners whom the government believes are linked to al Qaeda, Hamas and Hezbollah.” But the report says their three-month investigation showed that “in practice, the system for authorizing NSA surveillance affords the government wide latitude in spying on U.S. citizens.”

However, current and former U.S. officials told ABC News that Snowden or Greenwald may have misunderstood some of the NSA documents, which they reported are spreadsheets with 7,485 email addresses, including many among multiple accounts by individuals.

“You should not assume all of the names Glenn Greenwald has were targets of surveillance,” a senior official familiar with Snowden’s pilfered cache told ABC News last week.

A former senior official once closely involved in the FISA warrant process told ABC News that The Intercept’s reporters were repeatedly warned by him that they “were getting it wrong” in how they interpreted what the NSA spreadsheets from Snowden signified. The documents also were curiously absent of the markings secret files typically carry which denote its specific level of classification and distribution limitations.

“The documents indicated to me that they were not targets,” the former official said. [brackets original, emphasis mine]

Surely DOJ will point to any doubts about the document in an effort to prevent it from being used to obtain standing to sue.

I’m just as interested in the logic the anonymous senior official used to say these names shouldn’t be released: that the person might have been approached to be an informant!

Sure, I get why the FBI probably wouldn’t want its informants exposed (though more and more GWOT era informants have exposed themselves without being harmed).

But I’m particularly interested in how quickly this official talked about informants. As Ted Olson did, more obliquely, back in 2002.

NSA has offered hint after hint that its surveillance does serve to identify people to coerce into informing. I find it odd that this official, hiding behind the veil of anonymity, introduces it with such little self-awareness.