All These Muslim Organizations Have Probably Been Associationally Mapped

/11 Comments/in /by

The Intercept has published their long-awaited story profiling a number of Muslim-American leaders who have been targeted by the FBI and NSA. It shows that:

  • American Muslim Council consultant Faisal Gill was surveilled from April 17, 2006 to February 8, 2008
  • al-Haramain lawyer Asim Ghafoor was surveilled under FISA (after having been surveilled illegally) starting March 9, 2005; that surveillance was sustained past March 27, 2008
  • American Muslim Alliance founder Agha Saeed was surveilled starting June 27, 2007; that surveillance was sustained past May 23, 2008
  • CAIR founder Nihad Awad was surveilled from July 17, 2006 to February 1, 2008
  • American Iranian Council founder Hooshang Amirahmadi was surveilled from August 17, 2006 to May 16, 2008

In other words, the leaders of a number of different Muslim civil society organizations were wiretapped for years under a program that should require a judge agreeing they represent agents of a foreign power.

But they probably weren’t just wiretapped. They probably were also used as seeds for the phone and Internet dragnets, resulting in the associational mapping of their organizations’ entire structure.

On August 18, 2006, the phone dragnet primary order added language deeming “telephone numbers that are currently the subject of FISA authorized electronic surveillance … approved for meta data querying without approval of an NSA official due to the FISA authorization.”

Given the way the phone and Internet dragnet programs parallel each other (and indeed, intersect in federated queries starting at least by 2008), a similar authorization was almost certainly included in the Internet dragnet at least by 2006.

That means as soon as these men were approved for surveillance by FISA, the NSA also had the authority to run 3-degree contact chaining on their email and phone numbers. All their contacts, all their contacts’ contacts, and all their contacts’ contacts’ contacts would have been collected and dumped into the corporate store for further NSA analysis.

Not only that, but all these men were surveilled during the period (which continued until 2009) when the NSA was running automated queries on people and their contacts, to track day-to-day communications of RAS-approved identifiers.

So it is probably reasonable to assume that, at least for the period during which these men were under FISA-authorized surveillance, the NSA has an associational map of their organizations and their affiliates.

Which is why I find it interesting that DOJ refused to comment on this story, but told other reporters that FBI had never had a FISA warrant for CAIR founder Nihad Awad specifically.

The Justice Department did not respond to repeated requests for comment on this story, or for clarification about why the five men’s email addresses appear on the list. But in the weeks before the story was published, The Intercept learned that officials from the department were reaching out to Muslim-American leaders across the country to warn them that the piece would contain errors and misrepresentations, even though it had not yet been written.

Prior to publication, current and former government officials who knew about the story in advance also told another news outlet that no FISA warrant had been obtained against Awad during the period cited. When The Intercept delayed publication to investigate further, the NSA and the Office of the Director of National Intelligence refused to confirm or deny the claim, or to address why any of the men’s names appear on the FISA spreadsheet.

Awad’s organization, CAIR, is a named plaintiff in the EFF’s suit challenging the phone dragnet. They are suing about the constitutionality of a program that — the EFF suit also happens to allege — illegally mapped out associational relations that should be protected by the Constitution.

CAIR now has very good reason to believe their allegations in the suit — that all their relationships have been mapped — are absolutely correct.

Update: EFF released this statement on the Intercept story, reading, in part,

Surveillance based on First Amendment-protected activity was a stain on our nation then and continues to be today. These disclosures yet again demonstrate the need for ongoing public attention to the government’s activities to ensure that its surveillance stays within the bounds of law and the Constitution. And they once again demonstrate the need for immediate and comprehensive surveillance law reform.

We look forward to continuing to represent CAIR in fighting for its rights, as well as the rights of all citizens, to be free from unconstitutional government surveillance.

EFF represents CAIR Foundation and two of its regional affiliates, CAIR-California and CAIR-Ohio, in a case challenging the NSA’s mass collection of Americans’ call records. More information about that case is available at: First Unitarian Church of Los Angeles v. NSA.

WaPo and PCLOB Agree: NSA Does Not Comply with Its Minimization Procedures

/1 Comment/in /by

There are a number of issues with Marc Ambinder’s interpretation of the WaPo’s analysis of the content of NSA’s 702 collections as a “bust.” Ambinder:

  • Overstates the specificity of the certifications, particularly in light of the general “foreign government” one recently revealed by WaPo
  • Makes the same email rather than overwhelmingly IM mistake Stewart Baker made
  • Doesn’t deal with the fact that the bulk of US identifiers that got minimized — the largest category, constituting over 57,000 instances — is IP address, which presents different privacy concerns than what he addresses
  • Suggests this collection includes traditional FISA warrants; WaPo suggests it is all 702 collection, which ought to mean it includes less US person content (but apparently doesn’t)
  • Ignores how readily the NSA provides unaudited access to raw data for tech personnel and SIGDEV, and therefore how (in)secure we should expect this data to be in practice

But the most troublesome problem with it is Ambinder’s treatment of the NSA’s minimization obligations and practices. Here are some statements Ambinder makes about NSA’s minimization requirements.

Ok, so: having run the data through an automatic minimization system of some sort, the NSA analysts are required to minimize every U.S.-person communication that they see. Minimize does not “to get rid of.” It means to anonymize the U.S.-based non-target source.

[snip]

Maybe I could be a customer service representative from the pizza place that got his order wrong, and I’m e-mailing him to apologize for it. The NSA and the FBI are required by statute to minimize the communication if they determine it has no intelligence value. (And why would the NSA waste time reading a conversation about pizza anyway?)

[snip]

The analyst’s judgment can be subjective. On the first instance, the analyst has to figure out whether the communication is relevant to a foreign intelligence purpose.

First he states that minimization does not mean “get rid of,” then states NSA is required by statute to get rid of communications that have no intelligence value, then notes an analyst has to determine whether a communication has foreign intelligence value. Overall, though, Ambinder suggests that NSA does get rid of communications involving US persons without foreign intelligence value.

Ambinder is absolutely right the law requires the government to get rid of US person data that has no foreign intelligence value.

Here’s what one version of the minimization requirements say:

(1) specific procedures, which shall be adopted by the Attorney General, that are reasonably designed in light of the purpose and technique of the particular surveillance, to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons consistent with the need of the United States to obtain, produce, and disseminate foreign intelligence information;

(2) procedures that require that nonpublicly available information, which is not foreign intelligence information, as defined in subsection (e)(1) of this section, shall not be disseminated in a manner that identifies any United States person, without such person’s consent, unless such person’s identity is necessary to understand foreign intelligence information or assess its importance;

(3) notwithstanding paragraphs (1) and (2), procedures that allow for the retention and dissemination of information that is evidence of a crime which has been, is being, or is about to be committed and that is to be retained or disseminated for law enforcement purposes; and

(4) notwithstanding paragraphs (1), (2), and (3), with respect to any electronic surveillance approved pursuant to section 1802 (a) of this title, procedures that require that no contents of any communication to which a United States person is a party shall be disclosed, disseminated, or used for any purpose or retained for longer than 72 hours unless a court order under section 1805 of this title is obtained or unless the Attorney General determines that the information indicates a threat of death or serious bodily harm to any person.

And here’s how that translates into the minimization procedures approved in 2011.

Personnel will exercise reasonable judgment in determining whether information acquired must be minimized and will destroy inadvertently acquired communications of or concerning a United States person at the earliest practicable point in the processing cycle at which such communication can be identified either: as clearly not relevant to the authorized purpose of the acquisition (e.g., the communication does not contain foreign intelligence information); or, as not containing evidence of a crime which may be disseminated under these procedures. Except as provided for in subsection 3(c)(2) below, such inadvertently acquired communications of or concerning a United States person may be retained no longer than five years from the expiration date of the certification authorizing the collection in any event.

Both the law and the minimization procedures approved by the FISC require NSA to get rid of US person communications that have no foreign intelligence purpose.

But here’s what the WaPo reveals about what NSA analysts do when they determine collection has no foreign intelligence value (note, however, these passages do not specify how many of these conversations include US person communications, though almost half of these communications involve US person identifiers).

Many other files, described as useless by the analysts but nonetheless retained, have a startlingly intimate, even voyeuristic quality. They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes. The daily lives of more than 10,000 account holders who were not targeted are catalogued and recorded nevertheless.

[snip]

“None of the hits that were received were relevant,” two Navy cryptologic technicians write in one of many summaries of nonproductive surveillance. “No additional information,” writes a civilian analyst. [my emphasis]

While these passages are not quantifiable — both because WaPo didn’t say how many files NSA had determined to be “useless” and because WaPo didn’t identify how many of those include US persons — they do suggest that NSA is not complying with the legal requirement that they destroy communications involving US persons that don’t have foreign intelligence value. Not even for communications they describe as “useless” or “not relevant.”

That’s not surprising. As I noted the other day, PCLOB found that NSA “rarely” complies with this requirement and CIA and FBI never do.

[A]lthough a communication must be “destroyed upon recognition” when an NSA analyst recognizes that it involves a U.S. person and determines that it clearly is not relevant to foreign intelligence or evidence of a crime,531 in reality this rarely happens. Nor does such purging occur at the FBI or CIA: although their minimization procedures contain age-off requirements, those procedures do not require the purging of communications upon recognition that they involve U.S. persons but contain no foreign intelligence information.

Ambinder is absolutely right that WaPo’s sample shows that NSA is pretty good, but not perfect, at masking US person identities in their data.

But both WaPo’s detailed analysis and PCLOB’s general review show that NSA does not comply with another key part of its legally required minimization obligations, to destroy communications involving US persons that have no foreign intelligence value. US person identifiers may be masked, but many of them shouldn’t be in the NSA’s databases at all. That needs to be acknowledged in any discussion of the NSA’s minimization procedures. The law requires them to get rid of US person communications with no intelligence value. But they don’t.

That’s why the sheer volume of very personal information in this sample is of concern (aside from the concern we should have for foreigners’ privacy; though again, WaPo doesn’t say how much of the US person data includes that personal information). Because the NSA and FBI and CIA can access this data without needing any suspicion of wrongdoing.

Keith Alexander Has Finance Worried about Being Zeroed Out, Just Like President’s Review Group

/5 Comments/in , /by

Keith Alexander’s clients in the finance industry are proposing what he proposed to them: a government-finance industry council to protect against cyberthreats.

Alexander had been pitching Sifma and other bank trade associations to purchase his services through his new consulting firm, IronNet Cybersecurity Inc., for as much as $1 million per month, according to two people briefed on the talks.

He has made much the same argument to Sifma as the association is now making to the government about the emergence of new kinds of software assaults.

How tidy.

I’ll have more to say about their plot in a follow-up. But for the moment, look at what the consider one of the threats to the industry.

The next wave of attacks “in the near-medium term” is likely to be more destructive and could result in “account balances and books and records being converted to zeros,” while recovering the lost information “would be difficult and slow,” according to the Sifma document.

“We are concerned that the industry may not have the capabilities that we would like to effectively defend against this newer form of potential attack, the capability that we would like to stop such an attack once commenced from spreading to other financial institutions, or the capability we would like of effectively recovering if an initial attack is followed by waves of follow-on attacks,” the document says.

This seems like tacit admission that the finance industry doesn’t create enough backups, but instead of doing that, they apparently prefer setting up this government-finance council.

It’s great to see Keith Alexander creating such a profitable panic among the richest industry.

But I can’t help but note that this fear mimics one the President’s Review Group raised in an oblique recommendation.

(2) Governments should not use their offensive cyber capabilities to change the amounts held in financial accounts or otherwise  manipulate the financial systems;

Second, governments should abstain from penetrating the systems of financial institutions and changing the amounts held in accounts there. The policy of avoiding tampering with account balances in financial institutions is part of a broader US policy of abstaining from manipulation of the financial system. These policies support economic growth by allowing all actors to rely on the accuracy of financial statements without the need for costly re-verification of account balances. This sort of attack could cause damaging uncertainty in financial markets, as well as create a risk of escalating counter-attacks against a nation that began such an effort. The US Government should affirm this policy as an international norm, and incorporate the policy into free trade or other international agreements.

So are these seeming parallel worries based on classified information? If so, has Keith Alexander already started leaking classified information, as Alan Grayson raised concerns about?

Stewart Baker’s IM-y Numbers

/6 Comments/in /by

Screen shot 2014-07-08 at 9.11.30 AMStewart Baker accuses Bart Gellman and colleagues of inventing a phony statistic when they note that 89% of the communications collected under Section 702 were non-targets. He does some math to prove why they’re wrong in their interpretation of the scope of this.

The story is built around the implied claim that 90% of NSA intercept data is about innocent people.  I think the statistic is a phony.  Especially in an article that later holds up US law enforcement practice as a superior model.

What’s wrong with the statistic?  Well, let’s take an example from law enforcement.  Suppose I become the target of a government investigation.  The government gets a warrant and seizes a year’s worth of my email.  Looking at my email patterns, that’s about 35,000 messages.  About twenty percent – say 7500 –are one-off messages that I can handle with a short reply (or by ignoring the message).  Either way, I’ll never hear from that person again.  And maybe a quarter are from about 500 people I hear from at least once a week.  The remainder are a mix — people I trade emails with for a while and then stop, or infrequent correspondents that can show up any time.  Conservatively, let’s say that about 25 people are responsible for the portion of my annual correspondence that falls into that category.  In sum, the total number of correspondents in my stored email is 7500+500+25 = 8000 or so.  So the criminal investigators who seized and stored my messages from me, their investigative target, and over 8000 people who aren’t targets.

Or, as the Washington Post might put it “7999 out of 8000 account holders found in a large cache of communications seized by law enforcement were not the intended surveillance target but were caught in a net the investigators had cast for somebody else.”

I agree that the numbers would be impressive — if they actually were what Baker claims they are.

But they aren’t.

First, remember that these are minimized communications. And while the NSA is keeping data that has no foreign intelligence value, it is almost certainly not keeping spam (we know this because other NSA documents talk about defeating spam). So eliminate that 20% — or likely higher — or so right off.

Furthermore, the 9/10 ratio does not reflect all the communications WaPo examined. It doesn’t include the minimized US person ones. Almost half of the communications NSA identified as US person communications — that’s somewhat clear from the graphics, but Gellman stated that on Twitter.

So the actual number is closer to 95% of communications not being targets, not 89%.

But Baker also doesn’t consider what he’s dealing with. For the most part it’s not email, it’s IMs.

Screen shot 2014-07-08 at 9.18.42 AM

 

76% of this sample is IMs. Just 14% are emails.

So while Baker’s email example is nifty, it’s largely off point. Because he’d need to look at his IM patterns (or those of a 25 year old, who is more likely to resemble a target), not his email patterns.

It would still be a low number, if you’re considering pre-processed communications. It makes more sense when you realize that’s not what you’re considering.

NYT Mischaracterizes PCLOB Report While Transcribing NSA Pushback to WaPo

/2 Comments/in /by

The NYT has a story transcribing Administration efforts to “play down new disclosures” from the WaPo showing that the bulk of people whose communications were collected in a sample provided by Edward Snowden were not targets. The key claim NYT transcribes is that NSA “filters out” US person communications.

Administration officials said the agency routinely filters out the communications of Americans and information that is clearly of no intelligence value.

In addition, the NYT claims that PCLOB had no problems with the way the government minimized all this data.

Just days before the Post article, an independent federal privacy board had largely endorsed the N.S.A.’s execution of the program. The Privacy and Civil Liberties Oversight Board concluded last week that the “minimizing” of that data was largely successful, at least under the current law, which Congress passed six years ago.

Um, no.

I hope to explain this at more length, but the WaPo suggests that the government did not comply with targeting and minimization requirements in two ways: first, because the standards for foreignness were not as stringent as witnesses have claimed for a year (something which NYT’s sources apparently don’t even try to rebut). But also, WaPo showed the NSA was not destroying communications that — at least from their own and even some of the analysts’ own descriptions of it — had no foreign intelligence value. Here are some analysts judging the data collected irrelevant.

“None of the hits that were received were relevant,” two Navy cryptologic technicians write in one of many summaries of nonproductive surveillance. “No additional information,” writes a civilian analyst.

It’s this second detail NYT’s sources attempt to rebut.

But NYT’s claim that PCLOB concluded minimization “was largely successful” ignores a number of concerns they raised about it, a number of which pertain to back door searches and upstream collection.

In addition to those concerns (which about four of PCLOB’s recommendations address), PCLOB raised this issue:

Therefore, although a communication must be “destroyed upon recognition” when an NSA analyst recognizes that it involves a U.S. person and determines that it clearly is not relevant to foreign intelligence or evidence of a crime,531 in reality this rarely happens. Nor does such purging occur at the FBI or CIA: although their minimization procedures contain age-off requirements, those procedures do not require the purging of communications upon recognition that they involve U.S. persons but contain no foreign intelligence information.

A communication must be destroyed upon recognition if it’s a US person communication with no intelligence value — PCLOB restates the standard that NYT’s sources claim is actually used. But after laying out that standard, PCLOB immediately says meeting that requirement “rarely happens.”

NYT’s sources say it routinely happens. PCLOB says it rarely happens at NSA, and not at all at CIA and FBI.

PCLOB, incidentally, recommends addressing this issue by having FISC review what tasking standards are actually used and then reviewing a subset of the data returned — precisely what the WaPo just did, though we have no way of knowing if WaPo had a representative sample.

But the story here should have been, “Administration’s rebuttal has already been refuted by PCLOB’s independent review.”

PCLOB and WaPo disagree about the tasking — PCLOB sides with past Administration witnesses on the assiduousness of NSA’s targeting.

But PCLOB entirely backs WaPo on how many worthless communications NSA is keeping and documenting.

The Unaudited Tech Analyst Access to US Person Data

/16 Comments/in /by

In addition to its exposure of the sheer senselessness of much of the spying NSA engages in, yesterday’s WaPo story also shows that the government’s assurances that Edward Snowden could not access raw data have been misplaced.

For close to a year, NSA and other government officials have appeared to deny, in congressional testimony and public statements, that Snowden had any access to the material.

As recently as May, shortly after he retired as NSA director, Gen. Keith Alexander denied that Snowden could have passed FISA content to journalists.

“He didn’t get this data,” Alexander told a New Yorker reporter. “They didn’t touch —”

“The operational data?” the reporter asked.

“They didn’t touch the FISA data,” Alexander replied. He added, “That database, he didn’t have access to.”

Robert S. Litt, the general counsel for the Office of the Director of National Intelligence, said in a prepared statement that Alexander and other officials were speaking only about “raw” intelligence, the term for intercepted content that has not yet been evaluated, stamped with classification markings or minimized to mask U.S. identities.

“We have talked about the very strict controls on raw traffic, the training that people have to have, the technological lockdowns on access,” Litt said. “Nothing that you have given us indicates that Snowden was able to circumvent that in any way.”

In the interview, Snowden said he did not need to circumvent those controls, because his final position as a contractor for Booz Allen at the NSA’s Hawaii operations center gave him “unusually broad, unescorted access to raw SIGINT [signals intelligence] under a special ‘Dual Authorities’ role,” a reference to Section 702 for domestic collection and Executive Order 12333 for collection overseas. Those credentials, he said, allowed him to search stored content — and “task” new collection — without prior approval of his search terms.

No one should ever have believed those assurances.

That’s because the documentation on the Section 215 program makes it clear how little oversight there is over tech people just like Snowden. The current phone dragnet order, for example, makes it clear that:

  • Tech personnel may access the phone dragnet data to tweak it in preparation for contact-chaining
  • Unlike intelligence analysts, tech personnel may query the phone dragnet data with selectors that have not been RAS-approved
  • Tech personnel may also conduct regular queries using RAS-approved selectors
  • Tech personnel may access the dragnet data to search for high volume numbers — this may require access to raw data
  • Some of the tech personnel (those in charge of infrastructure and receiving data from the telecoms) are exempt from special training on the phone dragnet data

The audit language in the dragnet order applies only to “foreign intelligence analysis purposes or using foreign intelligence analysis tools,” suggesting the tech analysis role access to the dragnet data is not audited.

Language in the order defining “NSA” suggests contractors may access the data (though it’s unclear whether they do so in a technical or intelligence analysis function); something made explicit in Dianne Feinstein’s bill.

That is, it is at least possible that Booz analysts are currently conducting audit-free tech massaging of the raw phone dragnet data.

And NSA knew this access was a vulnerability. As recently as 2012, tech analysts were found to have 3,000 files worth of phone dragnet data (it’s unclear how much data each file included) on an improper server past its required destruction date. NSA destroyed that data before definitively researching what it was doing there.

Thus, the risk of tech analyst breach is very real, and no one — not NSA, and not Congress, which has only codified this arrangement — seems to be addressing it.

Indeed, it is likely that some kind of Booz-type contractors will continue to have direct access to this data after it gets outsourced to the telecoms, otherwise USA Freedumber would not extend immunity to such second-level contractors.

For months, intelligence officials claimed not only that Snowden had not accessed raw data, but could not. That was always a dubious claim; even if Snowden couldn’t have accessed that data, other contractors just like him could and still can, with less oversight than NSA’s intelligence analysts get.

But it turns out Snowden could and did. And thanks to that, we now know many of the other claims made by government witnesses are also false.

NSA’s Spying: Medical Records, Resumés … and [about] Obama

/7 Comments/in /by

The WaPo has been working for months to understand a chunk of incidentally collected data Edward Snowden took from the NSA. They discovered the bulk of people being spied on — who were for the most part incidentally collected — were innocent people living their everyday lives.

No government oversight body, including the Justice Department, the Foreign Intelligence Surveillance Court, intelligence committees in Congress or the president’s Privacy and Civil Liberties Oversight Board, has delved into a comparably large sample of what the NSA actually collects — not only from its targets but from people who may cross a target’s path.

Among the latter are medical records sent from one family member to another, résumés from job hunters and academic transcripts of schoolchildren. In one photo, a young girl in religious dress beams at a camera outside a mosque.

Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers. In some photos, men show off their physiques. In others, women model lingerie, leaning suggestively into a webcam or striking risque poses in shorts and bikini tops.

Most alarming (but something they bury in the story) is that President Obama was spied on both before and after he was inaugurated. [Correction: That’s not right. What they spied on were conversations about Obama, and they kept them but masked them in foolish fashion.]

Some of them border on the absurd, using titles that could apply to only one man. A “minimized U.S. president-elect” begins to appear in the files in early 2009, and references to the current “minimized U.S. president” appear 1,227 times in the following four years.

WaPo then tries to apply the ratio of target to incidental they discovered to the number of targets to which the government admitted.

 In a June 26 “transparency report,” the Office of the Director of National Intelligence disclosed that 89,138 people were targets of last year’s collection under FISA Section 702. At the 9-to-1 ratio of incidental collection in Snowden’s sample, the office’s figure would correspond to nearly 900,000 accounts, targeted or not, under surveillance.

And all of this is available for back door search, for both “intelligence” and criminal purposes.

What Happened to Obama’s Ordered Restrictions on Back Door Searches?

/3 Comments/in /by

In the wake of yesterday’s PCLOB Report, Presidential Review Board Member Geoffrey Stone reminded that Obama’s hand-picked group recommended requiring warrants before accessing US person data collected via Section 702.

In effect, the Review Group recommended that backdoor searches for communications involving American citizens should be prohibited unless the government has probable cause and a warrant. This is essentially what the recently enacted House amendment endorsed.

The Review Group concluded that the situation under section 702 is distinguishable from the situation when the government lawfully intercepts a communication when it has probable cause and a warrant. This is so because, in the section 702 situation, the government is not required to have either probable cause or a warrant to intercept the communication. Because section 702 was not intended to enable the government to intercept the communications of American citizens, because our recommended reform would leave the government free to use section 702 to obtain the types of information it was designed and intended to acquire—the communications of non-U.S. citizens, and because the recommended reform would substantially reduce the temptation the government might otherwise have to use section 702 impermissibly in an effort intentionally to intercept the communications of American citizens, we concluded that this reform was both wise and essential.

But there’s a forgotten detail from ancient history of greater interest. Even the President ordered up changes for back door searches in criminal contexts.

Specifically, I am asking the Attorney General and DNI to institute reforms that place additional restrictions on government’s ability to retain, search, and use in criminal cases, communications between Americans and foreign citizens incidentally collected under Section 702.

Yet in spite of the fact the President asked the Attorney General and DNI to place additional restrictions on the government’s ability to keep, search, and use Section 702 collected information in criminal cases, here’s what we learned yesterday.

[A]lthough a communication must be “destroyed upon recognition” when an NSA analyst recognizes that it involves a U.S. person and determines that it clearly is not relevant to foreign intelligence or evidence of a crime,531 in reality this rarely happens. Nor does such purging occur at the FBI or CIA: although their minimization procedures contain age-off requirements, those procedures do not require the purging of communications upon recognition that they involve U.S. persons but contain no foreign intelligence information.

[snip]

FBI requires that metadata queries, like content queries, be reasonably designed to return foreign intelligence or evidence of a crime. As noted above, however, the FBI does not separately track which of its queries involve U.S. person identifiers, and so the number of such metadata queries is not known.

As illustrated above, rules and oversight mechanisms are in place to prevent U.S. person queries from being abused for reasons other than searching for foreign intelligence or, in the FBI’s case, for evidence of a crime. In pursuit of the agencies’ legitimate missions, however, government analysts may use queries to digitally compile the entire body of communications that have been incidentally collected under Section 702 that involve a particular U.S. person’s email address, telephone number, or other identifier, with the exception that Internet communications acquired through upstream collection may not be queried using U.S. person identifiers.540 In addition, the manner in which the FBI is employing U.S. person queries, while subject to genuine efforts at executive branch oversight, is difficult to evaluate, as is the CIA’s use of metadata queries.

And the best estimate we’ve been given for how many of these FBI queries take places is a “substantial” amount.

It has been 6 months since the President ordered changes. And the FBI still can’t even count its US person queries, much less quantify them. PCLOB calls it “difficult to evaluate.”

Um, did James Clapper and Eric Holder just blow off the President’s order in January? Because it sure looks like FBI’s back door searches remain a relatively unregulated mess.

In Advance of USA Freedom and CISA Fights, PCLOB Pretends Section 702 Doesn’t Have a Cyber Function

/2 Comments/in , /by

In a piece for Salon, I note some of the weird silences in yesterday’s PCLOB report, from things like the failure to give defendants notice (which I discussed yesterday) to the false claim that Targeting Procedures haven’t been released (they have been — by Edward Snowden). One of the most troubling silences, however, pertains to cybersecurity.

That’s especially true in one area where PCLOB inexplicably remained entirely silent. PCLOB noted in its report that, because Congress limited its mandate to counterterrorism programs, it focused primarily on those uses of Section 702. That meant a number of PCLOB’s discussions — particularly regarding “incidental collections” of Americans sucked up under Section 702 — minimized the degree to which Americans who corresponded with completely innocent foreigners could be in a government database. That said, PCLOB did admit there were other uses, and it discussed the government’s use of Section 702 to pursue weapons proliferators.

Yet PCLOB remained silent about a use of Section 702 that both Director of National Intelligence James Clapper’s office, in its very first information sheet on Section 702 released in June 2013, and multiple government witnesses at PCLOB’s own hearing on this topic in March, discussed: cybersecurity. Not only should that have been discussed because Congress is preparing to debate cybersecurity legislation that would be modeled on Section 702. But the use of Section 702 for cybersecurity presents a number of unique, and potentially more significant, privacy concerns.

And PCLOB just dodged that issue entirely, even though Section 702′s use for cybersecurity is unclassified.

In the transcript of the March PCLOB hearing on Section 702 uses, the word “cyber” shows up 12 times. Four of those references come from DOJ’s Deputy Assistant Attorney General Brad Wiegmann’s description of the kinds of foreign intelligence uses targeted under Section 702. (The other references came from Information Technology Industry Council President Dean Garfield.)

MR. WIEGMANN: You task a selector. So you’re identifying, that’s when you take that selector to the company and say this one’s been approved. You’ve concluded that it is, does belong to a non-U.S. person overseas, a terrorist, or a proliferator, or a cyber person, right, whoever it is, and then we go to the company and get the information.

[snip]

It’s aimed at only those people who are foreign intelligence targets and you have reason to believe that going up on that account that I mentioned, bad guy at Google.com is going to give you back information, information that is foreign intelligence, like on cyber threats, on terrorists, on proliferation, whatever it might be.

[snip]

So in other words, if I need to, if it’s Joe Smith and his name is necessary if I’m passing it to that foreign government and it’s key that they understand that it’s Joe Smith because that’s relevant to understanding what the threat is, or what the information is, let’s say he’s a cyber, malicious cyber hacker or whatever, and it was key to know the information, then you might pass Joe Smith’s name.

Yesterday’s report, however, doesn’t mention “cyber” a single time. Indeed, it seems to go out of its way to avoid mentioning it.

As discussed elsewhere in this Report, the Board believes that the Section 702 program significantly aids the government’s efforts to prevent terrorism, as well as to combat weapons proliferation and gather foreign intelligence for other purposes.

[snip]

The Section 702 program, for instance, is also used for surveillance aimed at countering the efforts of proliferators of weapons of mass destruction.473 Given that these other foreign intelligence purposes of the program are not strictly within the Board’s mandate, we have not scrutinized the effectiveness of Section 702 in contributing to those other purposes with the same rigor that we have applied in assessing the program’s contribution to counterterrorism. Nevertheless, we have come to learn how the program is used for these other purposes, including, for example, specific ways in which it has been used to combat weapons proliferation and the degree to which the program supports the government’s efforts to gather foreign intelligence for the benefit of policymakers.

Its footnote to that last section cites DOJ’s 2012 report to SSCI on the uses of Section 702 (which doesn’t mention cyber) rather than the information sheet released in June 2013, which does.

I find PCLOB’s silence about the use of Section 702 to pursue cyber targets particularly interesting for several reasons.

First, because cyber targets pose unique privacy threats — in part because cyberattackers are more likely to hide their location and exploit the communications of entirely innocent people, meaning Section 702’s claimed targeting limits offer no protection to Americans. Additionally, targeting (as Wiegmann describes it) a “malicious cyber hacker” goes beyond any traditional definition of foreign agent; it is telling he didn’t use a Chinese military hacker as his example instead! Indeed, while proliferation (along with foreign governments, the other presumed certification) is solidly within FISA Amendment Act’s definition of foreign intelligence, cybersecurity is not. In its discussion of back door searches, PCLOB admits there are concerns raised by back door searches that are heightened (or perhaps more sensitive, because they involve affluent white people) outside the counterterrorism context, that’s especially true for cybersecurity targeting.

Consider, too, the likelihood that cyber collection is among the categories of about collection that PCLOB obliquely mentions but doesn’t describe due to classification.

Although we cannot discuss the details in an unclassified public report, the moniker “about” collection describes a number of distinct scenarios, which the government has in the past characterized as different “categories” of “about” collection. These categories are not predetermined limits that confine what the government acquires; rather, they are merely ways of describing the different forms of communications that are neither to nor from a tasked selector but nevertheless are collected because they contain the selector somewhere within them.

At the beginning of the report, PCLOB repeated the government’s claim this is primarily about emails; here in the guts of it, it obliquely references other categories of collection, without really considering whether these categories present different privacy concerns.

Remember, too, that the original, good version of USA Freedom Act remains before the Senate Judiciary Committee. That bill would disallow the use of upstream 702 for any use but counterterrorism and counterproliferation. Did PCLOB ignore this use of Section 702 just to avoid alerting Senators who haven’t been briefed on it that it exists?

Finally, I also find PCLOB’s silence about NSA’s admitted use of Section 702 to pursue cyberattackers curious given that, after Congress largely ditched ideas to involve PCLOB in various NSA oversight — such as providing it a role in the FISA Advocate position — Dianne Feinstein’s Cyber Information Sharing Act all of a sudden has found a use for PCLOB again (serving a function, I should add, that arguably replaces FISC review).

(1) BIENNIAL REPORT FROM PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD.—Not later than 1 year after the date of the enactment of this Act and not less frequently than once every 2 years thereafter, the Privacy and Civil Liberties Oversight Board shall submit to Congress and the President a report providing—

(A) an assessment of the privacy and civil liberties impact of the type of activities carried out under this Act; and

(B) an assessment of the sufficiency of the policies, procedures, and guidelines established pursuant to section 5 in addressing privacy and civil liberties concerns.

Feinstein introduced this bill on June 17, several weeks after PCLOB briefed her staffers on their report (they briefed Congressional committee aides on June 2, and the White House on June 17 — see just after 9:00).

A renewed openness to expanding PCLOB’s role may be entirely unmotivated, or it may stem from PCLOB’s chastened analysis of the legal issues surrounding Section 702.

But I do find it interesting that PCLOB uttered, literally, not one word about the topic that, if DiFi’s bill passes, would expand their mandate.

Working Thread, PCLOB Report

/7 Comments/in /by

The pre-release PCLOB report on Section 702 is here. This will be a working thread.

PDF 16: First recommendation is to include more enunciation of foreign intel purpose. This was actually a Snowden revelation the govt poo pooed.

PDF 17: Recommends new limits on non-FI criminal use of FBI back door searches, and some better tracking of it (surprised that’s not stronger!). Also recommends new documentation for NSA, CIA back door queries.  Must mean CIA is a problem.

PDF 17: Recommends FISC get the “rules” NSA uses. That suggests there may be some differences between what the govt does and what it tells FISC it does.

PDF 17: Recommends better assessment of filtering for upstream to leave out USP data. John Bates was skeptical there wasn’t better tech too.

PDF 18: Suggestion there are more types of upstream collection than there needs to be.

PDF 27 fn 56: Notes some room in the definition of Foreign Intelligence.

PDF 30: Note how PCLOB deals with issues of scope.

PDF 34: Note the discussion of due diligence. Due diligence problems amount for about 9% of NSA violations.

PDF 34-35: This must be a response to violations reported by Risen and Lichtblau, and is probably one of the things referred to in NSA’s review of its own COINTELPRO like problems.

In a still-classified 2009 opinion, the FISC held that the judicial review requirements regarding the targeting and minimization procedures required that the FISC be fully informed of every incident of noncompliance with those procedures. In the 2009 opinion, the court analyzed whether several errors in applying the targeting and minimization procedures that had been reported to the court undermined either the court’s statutory or constitutional analysis. (The court concluded that they did not.)

PDF 39: NSA gets all PRISM collection, and it goes from there to CIA and FBI. CIA and FBI get only PRISM data.

PDF 42: Another FISC opinion to be released.

In a still-classified September 2008 opinion, the FISC agreed with the government’s conclusion that the government’s target when it acquires an “about” communication is not the sender or recipients of the communication, regarding whom the government may know nothing, but instead the targeted user of the Section 702–tasked selector.

PDF 43: This sounds like a lot of about collection is of forwarded emails.

There are technical reasons why “about” collection is necessary to acquire even some communications that are “to” and “from” a tasked selector. In addition, some types of “about” communications actually involve Internet activity of the targeted person.138 The NSA cannot, however, distinguish in an automated fashion between “about” communications that involve the activity of the target from communications that, for instance, merely contain an email address in the body of an email between two non-targets.139 

PDF 45: I’ll have to check but some of these cites to Bates may be to still redacted sections.

[Headed to bed–will finish my read in the AM]

PDF 47: One thing PCLOB doesn’t explain is if the FBI and CIA targeting takes place at NSA or at those agencies. In the past, it had been the former.

PDF 49: .4% o f targeting ends up getting an American.

PDF 55: NSA shares technical data for collection avoidance purposes. This sounds like the defeat list in the phone dragnet, and like that, seems tailored not just for protecting USPs generally, but sensitive communications (like those of MoCs) more specifically.

PDF 57: This was implicit in some of the docs released by Snowden, but the govt now tags Section 702 data, as they do Section 215, so as to ensure it gets the heightened treatment provided by the law.

Read more